
Mobile and Remote Access Through Cisco Expressway Deployment Guide

Configuration Overview

This section summarizes the steps to configure your Unified Communications system for Mobile and Remote Access.

It assumes that the following items are already set up:

• A basic Expressway-C and Expressway-E configuration, as specified in the Expressway Basic Configuration Deployment Guide. (That guide also describes the different networking options for deploying the Expressway-E in the DMZ.)

• Unified CM and IM and Presence Service, configured as specified in Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager (for your version), available from the Cisco Unified Communications Manager Configuration Guides page.

Prerequisites

• Expressway X8.1.1 or later (this document describes X8.9.1)

• Unified CM 10.0 or later

• IM and Presence Service 10.0 or later

• Cisco Unity Connection 10.0 or later

IP Addresses

You must assign separate IP addresses to the Expressway-C and the Expressway-E. Do not use a shared address for both elements, as the firewall will not be able to distinguish between them.

Supported Clients when Using Mobile and Remote Access

Expressway X8.1.1 and later:

• Cisco Jabber for Windows 9.7 or later

• Cisco Jabber for iPhone and iPad 9.6.1 or later

• Cisco Jabber for Android 9.6 or later

• Cisco Jabber for Mac 9.6 or later

• Cisco TelePresence endpoints/codecs running TC7.0.1 or later firmware

Expressway X8.6 and later:

Mobile and Remote Access (MRA) is officially supported with the Cisco IP Phone 78/8800 Series**, when the phones are running firmware version 11.0(1) or later. We recommend Expressway X8.7 or later for use with these phones.

• Cisco IP Phone 8800 Series

• Cisco IP Phone 7800 Series

MRA is officially supported with the Cisco DX Series endpoints running firmware version 10.2.4(99) or later. This support was announced with Expressway version X8.6.

• Cisco DX650

• Cisco DX80

• Cisco DX70

When deploying DX Series or IP Phone 78/8800 Series endpoints to register with Cisco Unified Communications Manager through MRA, you need to be aware of the following:


• Phone security profile: If the phone security profile for any of these endpoints has TFTP Encrypted Config checked, you will not be able to use the endpoint through MRA. This is because the MRA solution does not support devices interacting with CAPF (Certificate Authority Proxy Function).

• Trust list: You cannot modify the root CA trust list on these endpoints. Make sure that the Expressway-E's server certificate is signed by one of the CAs that the endpoints trust, and that the same CA is trusted by the Expressway-C and the Expressway-E.

• Bandwidth restrictions: The Maximum Session Bit Rate for Video Calls on the default region in Cisco Unified Communications Manager is 384 kbps by default. The Default call bandwidth on Expressway-C is also 384 kbps by default. These settings may be too low to deliver the expected video quality for the DX Series.

• Off-hook dialing: The way KPML dialing works between these endpoints and Unified CM means that you need CUCM 10.5(2)SU2 or later to be able to do off-hook dialing via MRA. You can work around this dependency by using on-hook dialing.

** Except the Cisco Unified IP Conference Phone 8831. This IP phone uses different firmware from the rest of the series.

Configuration Summary

EX/MX/SX Series Endpoints (Running TC Software)

Ensure that the provisioning mode is set to Cisco UCM via Expressway.

On Unified CM, you need to ensure that the IP Addressing Mode for these endpoints is set to IPV4_ONLY.

These endpoints must verify the identity of the Expressway-E they are connecting to by validating its server certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their list of trusted CAs.

These endpoints ship with a list of default CAs which cover the most common providers (Verisign, Thawte, etc). If the relevant CA is not included, it must be added. See 'Managing the list of trusted certificate authorities' in the endpoint's administrator guide.

Mutual authentication is optional; these endpoints are not required to provide client certificates. If you do want to configure mutual TLS, you cannot use CAPF enrolment to provision the client certificates; you must manually apply the certificates to the endpoints. The client certificates must be signed by an authority that is trusted by the Expressway-E.

Jabber Clients

Jabber clients must verify the identity of the Expressway-E they are connecting to by validating its server certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their list of trusted CAs.

Jabber uses the underlying operating system's certificate store:

• Windows: Certificate Manager

• Mac OS X: Keychain Access

• iOS: Trust store

• Android: Location & Security settings

Jabber client configuration details for Mobile and Remote Access are provided in the installation and configuration guide for the relevant client:

• Cisco Jabber for Windows

• Cisco Jabber for iPad

• Cisco Jabber for Android

• Cisco Jabber for Mac (requires X8.2 or later)


DNS Records

This section summarizes the public (external) and local (internal) DNS requirements. For more information, see the Cisco Jabber Planning Guide (for your version) on the Jabber Install and Upgrade Guides page.

Public DNS

The public (external) DNS must be configured with _collab-edge._tls.<domain> SRV records so that endpoints can discover the Expressway-Es to use for Mobile and Remote Access. SIP service records are also required (for general deployment, not specifically for Mobile and Remote Access). For example, for a cluster of 2 Expressway-E systems:

Domain       Service      Protocol  Priority  Weight  Port  Target host
example.com  collab-edge  tls       10        10      8443  expe1.example.com
example.com  collab-edge  tls       10        10      8443  expe2.example.com
example.com  sips         tcp       10        10      5061  expe1.example.com
example.com  sips         tcp       10        10      5061  expe2.example.com

Local DNS

The local (internal) DNS requires _cisco-uds._tcp.<domain> SRV records. For example:

Domain       Service    Protocol  Priority  Weight  Port  Target host
example.com  cisco-uds  tcp       10        10      8443  cucmserver1.example.com
example.com  cisco-uds  tcp       10        10      8443  cucmserver2.example.com

Notes:

• Important! From version X8.8 onward, you must create forward and reverse DNS entries for all Expressway-E systems, so that systems making TLS connections to them can resolve their FQDNs and validate their certificates.

• Ensure that the cisco-uds SRV records are NOT resolvable outside of the internal network, otherwise the Jabber client will not start Mobile and Remote Access negotiation via the Expressway-E.

• You must create internal DNS records, for both forward and reverse lookups, for all Unified Communications nodes used with Mobile and Remote Access. This allows Expressway-C to find the nodes when IP addresses or hostnames are used instead of FQDNs.
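The split-horizon requirement in the notes above is the one most often broken in practice, and the symptom (Jabber silently attempting an on-premises login from outside) is confusing. The following Python script is an added example, not part of the Cisco guide. It models the public and internal resolver views with constructed records (the hostnames and addresses are made up for illustration), implements the discovery order Jabber uses (_cisco-uds first, then _collab-edge), and checks the rules from this section: collab-edge present and on port 8443 in public DNS, cisco-uds absent from public DNS, and forward plus reverse records for every Expressway-E (X8.8 and later) and every Unified CM node.

```python
"""
Split-horizon DNS check for Mobile and Remote Access (added example).

Models the public and internal DNS views with constructed data and applies
the deployment guide's rules. It does not perform live DNS queries; feed it
the answers from dig/nslookup run from outside and inside the network.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def reverse_name(ipv4: str) -> str:
    """Owner name of the PTR record for an IPv4 address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


# Constructed resolver views (sample data, not live DNS). An owner name maps
# to its answers: SRV owners to SRV records, hostnames to IPv4 addresses,
# in-addr.arpa owners to PTR targets.
PUBLIC_VIEW = {
    "_collab-edge._tls.example.com": [SRV(10, 10, 8443, "expe1.example.com"),
                                      SRV(10, 10, 8443, "expe2.example.com")],
    "_sips._tcp.example.com": [SRV(10, 10, 5061, "expe1.example.com"),
                               SRV(10, 10, 5061, "expe2.example.com")],
    "expe1.example.com": ["203.0.113.10"],
    "expe2.example.com": ["203.0.113.11"],
    reverse_name("203.0.113.10"): ["expe1.example.com"],
    reverse_name("203.0.113.11"): ["expe2.example.com"],
}

INTERNAL_VIEW = {
    "_cisco-uds._tcp.example.com": [SRV(10, 10, 8443, "cucmserver1.example.com"),
                                    SRV(10, 10, 8443, "cucmserver2.example.com")],
    "cucmserver1.example.com": ["10.0.0.21"],
    "cucmserver2.example.com": ["10.0.0.22"],
    reverse_name("10.0.0.21"): ["cucmserver1.example.com"],
    reverse_name("10.0.0.22"): ["cucmserver2.example.com"],
}


def discover(view: dict, domain: str) -> tuple[str, list[str]]:
    """Jabber's discovery order: _cisco-uds first, then _collab-edge.

    Returns ("on-premises", cucm_nodes), ("mra", expressway_es) or
    ("none", []). A cisco-uds answer wins even when collab-edge also
    resolves, which is why a cisco-uds record leaked into public DNS
    stops the client from starting MRA negotiation.
    """
    uds = view.get(f"_cisco-uds._tcp.{domain}")
    if uds:
        return "on-premises", [r.target for r in uds]
    edge = view.get(f"_collab-edge._tls.{domain}")
    if edge:
        return "mra", [r.target for r in edge]
    return "none", []


def check_forward_reverse(view: dict, host: str) -> list[str]:
    """Forward lookup of host, then PTR of each address back to host."""
    addrs = view.get(host, [])
    if not addrs:
        return [f"no forward (A) record for {host}"]
    return [f"no reverse (PTR) record {addr} -> {host}"
            for addr in addrs if host not in view.get(reverse_name(addr), [])]


def check_views(public: dict, internal: dict, domain: str) -> list[str]:
    """Apply the guide's DNS rules; an empty list means both views are correct."""
    problems = []
    mode, _ = discover(public, domain)
    if mode == "on-premises":
        problems.append(f"_cisco-uds._tcp.{domain} is resolvable from outside; "
                        "Jabber will not start MRA negotiation")
    elif mode == "none":
        problems.append(f"no _collab-edge._tls.{domain} SRV record in public DNS")
    for rec in public.get(f"_collab-edge._tls.{domain}", []):
        if rec.port != 8443:
            problems.append(f"collab-edge SRV for {rec.target} uses port {rec.port}, expected 8443")
        problems += check_forward_reverse(public, rec.target)   # X8.8+ requirement
    mode, cucm_nodes = discover(internal, domain)
    if mode != "on-premises":
        problems.append(f"no _cisco-uds._tcp.{domain} SRV record in internal DNS")
        cucm_nodes = []
    for node in cucm_nodes:
        problems += check_forward_reverse(internal, node)
    return problems


if __name__ == "__main__":
    for line in check_views(PUBLIC_VIEW, INTERNAL_VIEW, "example.com") or ["OK"]:
        print(line)
```

To use it against a real deployment, replace the two dictionaries with the answers you get from a resolver on the internet and from one on the LAN; the public view should come back with nothing for _cisco-uds._tcp and the internal view with nothing for _collab-edge._tls is acceptable, since internal clients never need MRA.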

Firewall

• Ensure that the relevant ports have been configured on your firewalls between your internal network (where the Expressway-C is located) and the DMZ (where the Expressway-E is located) and between the DMZ and the public internet. See Mobile and Remote Access Port Reference, page 47, for more information.

• Do not use a shared address for the Expressway-E and the Expressway-C, as the firewall cannot distinguish between them. If you use static NAT for IP addressing on the Expressway-E, make sure that any NAT operation on the Expressway-C does not resolve to the same traffic IP address. We do not support shared NAT addresses between Expressway-E and Expressway-C.


• If your Expressway-E has one NIC enabled and is using static NAT mode, note that:

You must enter the FQDN of the Expressway-E, as it is seen from outside the network, as the peer address on the Expressway-C's secure traversal zone. The reason for this is that in static NAT mode, the Expressway-E requests that incoming signaling and media traffic should be sent to its external FQDN, rather than its private name.

This also means that the external firewall must allow traffic from the Expressway-C to the Expressway-E's external FQDN. This is known as NAT reflection, and may not be supported by all types of firewalls.

See the Advanced network deployments appendix, in the Expressway Basic Configuration (Expressway-C with Expressway-E) Deployment Guide, for more information.

Unified CM

1. If you have multiple Unified CM clusters, you must configure ILS (Intercluster Lookup Service) on all of the clusters. This is because the Expressway needs to communicate with each user's home Unified CM cluster, and to discover the home cluster it sends a UDS (User Data Service) query to any one of the Unified CM nodes. Search for "Intercluster Lookup Service" in the Unified CM documentation for your version.

2. Ensure that the Maximum Session Bit Rate for Video Calls between and within regions (System > Region Information > Region) is set to a suitable upper limit for your system, for example 6000 kbps. See Region setup for more information.


3. The Phone Security Profiles in Unified CM (System > Security > Phone Security Profile) that are configured for TLS and are used for devices requiring remote access must have a Name in the form of an FQDN that includes the enterprise domain, for example jabber.secure.example.com. (This is because those names must be present in the list of Subject Alternative Names in the Expressway-C's server certificate.)

Note: Your secure profiles must set Device Security Mode to Encrypted because the Expressway does not allow unencrypted TLS connections. When Device Security Mode is set to Authenticated, Unified CM only offers the NULL-SHA cipher suite, which the Expressway rejects.

4. If Unified CM servers (System > Server) are configured by Host Name (rather than IP address), then ensure that those host names are resolvable by the Expressway-C.

5. If you are using secure profiles, ensure that the root CA of the authority that signed the Expressway-C certificate is installed as a CallManager-trust certificate (Security > Certificate Management in the Cisco Unified OS Administration application).

6. Ensure that the Cisco AXL Web Service is active on the Unified CM publishers you will be using to discover the Unified CM servers that are to be used for remote access. To check this, select the Cisco Unified Serviceability application and go to Tools > Service Activation.

7. We recommend that remote and mobile devices are configured (either directly or by Device Mobility) to use publicly accessible NTP servers.

   a. Configure a public NTP server (System > Phone NTP Reference).

   b. Add the Phone NTP Reference to a Date/Time Group (System > Date/Time Group).

   c. Assign the Date/Time Group to the Device Pool of the endpoint (System > Device Pool).
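The secure-profile rules are spread across this section (step 3 and its note) and the DX Series/IP Phone notes earlier (TFTP Encrypted Config and CAPF). The following Python lint is an added example, not Cisco tooling; it applies all of those rules in one pass to a constructed export of Phone Security Profiles and the SAN list of the Expressway-C server certificate (profile names, SANs and the enterprise domain are made up). It is meant as a pre-flight check before enabling MRA for a secure device: paste in the SAN entries from the certificate (for example from "openssl x509 -noout -ext subjectAltName") and the profile settings from Unified CM.

```python
"""
Pre-flight lint for TLS Phone Security Profiles used through MRA
(added example, not part of the Cisco guide).

Rules applied, all from the deployment guide:
  - a TLS profile's Name must be an FQDN in the enterprise domain;
  - that name must appear as a Subject Alternative Name in the
    Expressway-C server certificate;
  - Device Security Mode must be Encrypted (Authenticated offers only
    NULL-SHA, which the Expressway rejects);
  - TFTP Encrypted Config must be off, because CAPF interaction is not
    supported through MRA.
Non-TLS profiles are skipped: they are not used for secure MRA devices.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class PhoneSecurityProfile:
    name: str
    transport: str               # "TLS", "TCP", "UDP" or "TCP+UDP"
    device_security_mode: str    # "Non Secure", "Authenticated" or "Encrypted"
    tftp_encrypted_config: bool


def is_fqdn_in_domain(name: str, domain: str) -> bool:
    """True if name is a syntactically valid hostname ending in .<domain>."""
    lowered = name.lower()
    if not lowered.endswith("." + domain.lower()):
        return False
    labels = lowered.split(".")
    return len(labels) >= 2 and all(
        label and label.replace("-", "a").isalnum()
        and not label.startswith("-") and not label.endswith("-")
        for label in labels
    )


def lint_profile(profile: PhoneSecurityProfile, sans: list[str], domain: str) -> list[str]:
    """Findings for one profile; an empty list means it is usable through MRA."""
    if profile.transport != "TLS":
        return []
    findings = []
    if not is_fqdn_in_domain(profile.name, domain):
        findings.append(f"{profile.name!r}: name is not an FQDN in {domain}")
    elif profile.name.lower() not in {s.lower() for s in sans}:
        findings.append(f"{profile.name!r}: not present in Expressway-C certificate SANs")
    if profile.device_security_mode != "Encrypted":
        findings.append(f"{profile.name!r}: Device Security Mode is "
                        f"{profile.device_security_mode}, must be Encrypted")
    if profile.tftp_encrypted_config:
        findings.append(f"{profile.name!r}: TFTP Encrypted Config is on; "
                        "CAPF is not supported through MRA")
    return findings


def lint_profiles(profiles: list[PhoneSecurityProfile], sans: list[str], domain: str) -> list[str]:
    """Run lint_profile over an export of profiles and collect all findings."""
    findings: list[str] = []
    for profile in profiles:
        findings += lint_profile(profile, sans, domain)
    return findings


# Constructed sample data: one correct profile, one non-secure profile that is
# skipped, and two secure profiles that each break two of the rules above.
ENTERPRISE_DOMAIN = "example.com"
EXPRESSWAY_C_SANS = ["expc1.example.com", "expc2.example.com", "jabber.secure.example.com"]
PROFILES = [
    PhoneSecurityProfile("jabber.secure.example.com", "TLS", "Encrypted", False),
    PhoneSecurityProfile("Cisco Unified Client Services Framework - Standard SIP Non-Secure Profile",
                         "TCP+UDP", "Non Secure", False),
    PhoneSecurityProfile("dx80.secure.example.com", "TLS", "Authenticated", False),
    PhoneSecurityProfile("Secure 8841 Profile", "TLS", "Encrypted", True),
]


if __name__ == "__main__":
    for finding in lint_profiles(PROFILES, EXPRESSWAY_C_SANS, ENTERPRISE_DOMAIN) or ["OK"]:
        print(finding)
```

The SAN comparison is case-insensitive because DNS names are, but the profile name is otherwise compared exactly as configured: Unified CM sends that string to the Expressway-C during registration, and the Expressway-C matches it against its own certificate, so a profile named with a trailing space or a different spelling will fail even though it looks right in the list.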

IM and Presence Service

Ensure that the Cisco AXL Web Service is active on the IM and Presence Service publishers that will discover other IM and Presence Service nodes for remote access. To check this, select the Cisco Unified Serviceability application and go to Tools > Service Activation.
