Mobile and Remote Access Through Cisco Expressway Deployment Guide
Configuration Overview
This section summarizes the steps to configure your Unified Communications system for Mobile and Remote Access.
It assumes that the following items are already set up:
■ A basic Expressway-C and Expressway-E configuration, as specified in the Expressway Basic Configuration Deployment Guide. (This document contains information about the different networking options for deploying the Expressway-E in the DMZ.)
■ Unified CM and IM and Presence Service are configured as specified in Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager (for your version), at Cisco Unified Communications Manager Configuration Guides.
Prerequisites
■ Expressway X8.1.1 or later (this document describes X8.9.1)
■ Unified CM 10.0 or later
■ IM and Presence Service 10.0 or later
■ Cisco Unity Connection 10.0 or later
IP Addresses
You must assign separate IP addresses to the Expressway-C and the Expressway-E. Do not use a shared address for both elements, as the firewall will not be able to distinguish between them.
Supported Clients when Using Mobile and Remote Access
Expressway X8.1.1 and later:
■ Cisco Jabber for Windows 9.7 or later
■ Cisco Jabber for iPhone and iPad 9.6.1 or later
■ Cisco Jabber for Android 9.6 or later
■ Cisco Jabber for Mac 9.6 or later
■ Cisco TelePresence endpoints/codecs running TC7.0.1 or later firmware
Expressway X8.6 and later:
Mobile and Remote Access (MRA) is now officially supported with the Cisco IP Phone 78/8800 Series**, when the phones are running firmware version 11.0(1) or later. We recommend Expressway X8.7 or later for use with these phones.
■ Cisco IP Phone 8800 Series
■ Cisco IP Phone 7800 Series
MRA is officially supported with the Cisco DX Series endpoints running firmware version 10.2.4(99) or later. This support was announced with Expressway version X8.6.
■ Cisco DX650
■ Cisco DX80
■ Cisco DX70
When deploying DX Series or IP Phone 78/8800 Series endpoints to register with Cisco Unified Communications Manager through MRA, you need to be aware of the following:
■ Phone security profile: If the phone security profile for any of these endpoints has TFTP Encrypted Config checked, you will not be able to use the endpoint through MRA. This is because the MRA solution does not support devices interacting with CAPF (Certificate Authority Proxy Function).
■ Trust list: You cannot modify the root CA trust list on these endpoints. Make sure that the Expressway-E's server certificate is signed by one of the CAs that the endpoints trust, and that the CA is trusted by the Expressway-C and the Expressway-E.
■ Bandwidth restrictions: The Maximum Session Bit Rate for Video Calls on the default region on Cisco Unified Communications Manager is 384 kbps by default. The Default call bandwidth on Expressway-C is also 384 kbps by default. These settings may be too low to deliver the expected video quality for the DX Series.
■ Off-hook dialing: The way KPML dialing works between these endpoints and Unified CM means that you need CUCM 10.5(2)SU2 or later to be able to do off-hook dialing via MRA. You can work around this dependency by using on-hook dialing.
** Except the Cisco Unified IP Conference Phone 8831. This IP phone uses a different firmware to the rest of the series.
Configuration Summary
EX/MX/SX Series Endpoints (Running TC Software)
Ensure that the provisioning mode is set to Cisco UCM via Expressway.
On Unified CM, you need to ensure that the IP Addressing Mode for these endpoints is set to IPV4_ONLY.
These endpoints must verify the identity of the Expressway-E they are connecting to by validating its server certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their list of trusted CAs.
These endpoints ship with a list of default CAs which cover the most common providers (Verisign, Thawte, etc). If the relevant CA is not included, it must be added. See 'Managing the list of trusted certificate authorities' in the endpoint's administrator guide.
Mutual authentication is optional; these endpoints are not required to provide client certificates. If you do want to configure mutual TLS, you cannot use CAPF enrolment to provision the client certificates; you must manually apply the certificates to the endpoints. The client certificates must be signed by an authority that is trusted by the Expressway-E.
Jabber Clients
Jabber clients must verify the identity of the Expressway-E they are connecting to by validating its server certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their list of trusted CAs.
Jabber uses the underlying operating system's certificate mechanism:
■ Windows: Certificate Manager
■ Mac OS X: Keychain Access
■ iOS: Trust store
■ Android: Location & Security settings
Jabber client configuration details for Mobile and Remote Access are provided in the installation and configuration guide for the relevant client:
■ Cisco Jabber for Windows
■ Cisco Jabber for iPad
■ Cisco Jabber for Android
■ Cisco Jabber for Mac (requires X8.2 or later)
DNS Records
This section summarizes the public (external) and local (internal) DNS requirements. For more information, see the Cisco Jabber Planning Guide (for your version) on the Jabber Install and Upgrade Guides page.
Public DNS
The public (external) DNS must be configured with _collab-edge._tls.<domain> SRV records so that endpoints can discover the Expressway-Es to use for Mobile and Remote Access. SIP service records are also required (for general deployment, not specifically for Mobile and Remote Access). For example, for a cluster of 2 Expressway-E systems:
Domain       Service      Protocol  Priority  Weight  Port  Target host
example.com  collab-edge  tls       10        10      8443  expe1.example.com
example.com  collab-edge  tls       10        10      8443  expe2.example.com
example.com  sips         tcp       10        10      5061  expe1.example.com
example.com  sips         tcp       10        10      5061  expe2.example.com
Local DNS
The local (internal) DNS requires _cisco-uds._tcp.<domain> SRV records. For example:
Domain       Service    Protocol  Priority  Weight  Port  Target host
example.com  cisco-uds  tcp       10        10      8443  cucmserver1.example.com
example.com  cisco-uds  tcp       10        10      8443  cucmserver2.example.com
Notes:
■ Important! From version X8.8 onward, you must create forward and reverse DNS entries for all Expressway-E systems, so that systems making TLS connections to them can resolve their FQDNs and validate their certificates.
■ Ensure that the cisco-uds SRV records are NOT resolvable outside of the internal network, otherwise the Jabber client will not start Mobile and Remote Access negotiation via the Expressway-E.
■ You must create internal DNS records, for both forward and reverse lookups, for all Unified Communications nodes used with Mobile and Remote Access. This allows Expressway-C to find the nodes when IP addresses or hostnames are used instead of FQDNs.
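The split-horizon rule above (collab-edge and sips SRV records public, cisco-uds SRV records internal only) is easy to get wrong when one zone file feeds both views. The following added example (not Cisco's tooling) parses constructed zone fragments that mirror the two tables and reports deviations from the layout the guide describes:

```python
"""Check the MRA split-horizon DNS SRV layout (added example, not Cisco tooling)."""
import re
from collections import defaultdict

# Constructed zone fragments in BIND SRV syntax, mirroring the tables above.
PUBLIC_ZONE = """
_collab-edge._tls.example.com. IN SRV 10 10 8443 expe1.example.com.
_collab-edge._tls.example.com. IN SRV 10 10 8443 expe2.example.com.
_sips._tcp.example.com.        IN SRV 10 10 5061 expe1.example.com.
_sips._tcp.example.com.        IN SRV 10 10 5061 expe2.example.com.
"""
INTERNAL_ZONE = """
_cisco-uds._tcp.example.com.   IN SRV 10 10 8443 cucmserver1.example.com.
_cisco-uds._tcp.example.com.   IN SRV 10 10 8443 cucmserver2.example.com.
"""
# Constructed misconfiguration: the internal cisco-uds record leaks into the public view.
LEAKY_PUBLIC_ZONE = PUBLIC_ZONE + "_cisco-uds._tcp.example.com. IN SRV 10 10 8443 cucmserver1.example.com.\n"

SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(zone_text):
    """Return {owner: [(priority, weight, port, target), ...]} from SRV lines."""
    records = defaultdict(list)
    for line in zone_text.strip().splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        owner, prio, weight, port, target = m.groups()
        records[owner.lower()].append((int(prio), int(weight), int(port), target.lower()))
    return records


def check_mra_dns(domain, public_zone, internal_zone):
    """Return a list of problems; an empty list means the layout matches the guide."""
    public = parse_srv(public_zone)
    internal = parse_srv(internal_zone)
    problems = []
    edge = f"_collab-edge._tls.{domain}."
    uds = f"_cisco-uds._tcp.{domain}."
    if edge not in public:
        problems.append(f"public DNS lacks {edge}")
    elif any(port != 8443 for _, _, port, _ in public[edge]):
        problems.append(f"{edge} must point at port 8443")
    if f"_sips._tcp.{domain}." not in public:
        problems.append("public DNS lacks _sips._tcp SRV records for SIP")
    if uds in public:
        problems.append(f"{uds} is resolvable externally; Jabber will not start MRA negotiation")
    if uds not in internal:
        problems.append(f"internal DNS lacks {uds}")
    return problems
```

Run check_mra_dns("example.com", PUBLIC_ZONE, INTERNAL_ZONE) against exported zone views; in a live deployment the same checks can be fed from dig output captured from an external and an internal resolver.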
Firewall
■ Ensure that the relevant ports have been configured on your firewalls between your internal network (where the Expressway-C is located) and the DMZ (where the Expressway-E is located) and between the DMZ and the public internet. See Mobile and Remote Access Port Reference, page 47, for more information.
■ Do not use a shared address for the Expressway-E and the Expressway-C, as the firewall cannot distinguish between them. If you use static NAT for IP addressing on the Expressway-E, make sure that any NAT operation on the Expressway-C does not resolve to the same traffic IP address. We do not support shared NAT addresses between Expressway-E and Expressway-C.
■ If your Expressway-E has one NIC enabled and is using static NAT mode, note that:
You must enter the FQDN of the Expressway-E, as it is seen from outside the network, as the peer address on the Expressway-C's secure traversal zone. The reason for this is that in static NAT mode, the Expressway-E requests that incoming signaling and media traffic should be sent to its external FQDN, rather than its private name.
This also means that the external firewall must allow traffic from the Expressway-C to the Expressway-E's external FQDN. This is known as NAT reflection, and may not be supported by all types of firewalls.
See the Advanced network deployments appendix, in the Expressway Basic Configuration (Expressway-C with Expressway-E) Deployment Guide, for more information.
Unified CM
1. If you have multiple Unified CM clusters, you must configure ILS (Intercluster Lookup Service) on all of the clusters. This is because the Expressway needs to communicate with each user's home Unified CM cluster, and to discover the home cluster it sends a UDS (User Data Service) query to any one of the Unified CM nodes. Search for "Intercluster Lookup Service" in the Unified CM documentation for your version.
2. Ensure that the Maximum Session Bit Rate for Video Calls between and within regions (System > Region Information > Region) is set to a suitable upper limit for your system, for example 6000 kbps. See Region setup for more information.
3. The Phone Security Profiles in Unified CM (System > Security > Phone Security Profile) that are configured for TLS and are used for devices requiring remote access must have a Name in the form of an FQDN that includes the enterprise domain, for example jabber.secure.example.com. (This is because those names must be present in the list of Subject Alternate Names in the Expressway-C's server certificate.)
Note: Your secure profiles must set Device Security Mode to Encrypted because the Expressway does not allow unencrypted TLS connections. When Device Security Mode is set to Authenticated, Unified CM only offers the NULL-SHA cipher suite, which the Expressway rejects.
4. If Unified CM servers (System > Server) are configured by Host Name (rather than IP address), then ensure that those host names are resolvable by the Expressway-C.
5. If you are using secure profiles, ensure that the root CA of the authority that signed the Expressway-C certificate is installed as a CallManager-trust certificate (Security > Certificate Management in the Cisco Unified OS Administration application).
6. Ensure that the Cisco AXL Web Service is active on the Unified CM publishers you will be using to discover the Unified CM servers that are to be used for remote access. To check this, select the Cisco Unified Serviceability application and go to Tools > Service Activation.
7. We recommend that remote and mobile devices are configured (either directly or by Device Mobility) to use publicly accessible NTP servers.
a. Configure a public NTP server (System > Phone NTP Reference).
b. Add the Phone NTP Reference to a Date/Time Group (System > Date/Time Group).
c. Assign the Date/Time Group to the Device Pool of the endpoint (System > Device Pool).
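Step 3 and its note combine three rules that are easy to check before a remote device is enrolled: a TLS profile's Name must be an FQDN in the enterprise domain, that name must appear in the Expressway-C certificate's Subject Alternative Names, and Device Security Mode must be Encrypted rather than Authenticated. The following added example (not Cisco's code) applies those rules to a constructed export of profiles; the profile dictionary keys, the SAN list and the sample names are assumptions made for the example, and SAN matching is done by exact name.

```python
"""Check Unified CM phone security profiles against the MRA rules in step 3 (added example)."""
import re

# Hostname label grammar used for the FQDN test (RFC 1123 style, assumed here).
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def is_fqdn_in_domain(name, enterprise_domain):
    """True if name is a syntactically valid FQDN ending in .<enterprise_domain>."""
    name, enterprise_domain = name.lower().rstrip("."), enterprise_domain.lower()
    if not name.endswith("." + enterprise_domain):
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def check_secure_profiles(profiles, enterprise_domain, expressway_c_sans):
    """Return {profile_name: [problems]} for the TLS profiles used by remote devices.

    profiles: list of dicts with keys name, transport ('TLS' or 'TCP') and
              security_mode ('Encrypted', 'Authenticated' or 'Non Secure').
    expressway_c_sans: DNS names in the Expressway-C server certificate's SAN list.
    """
    sans = {s.lower().rstrip(".") for s in expressway_c_sans}
    report = {}
    for p in profiles:
        if p["transport"].upper() != "TLS":
            continue  # only TLS profiles carry the FQDN/SAN requirement
        problems = []
        if not is_fqdn_in_domain(p["name"], enterprise_domain):
            problems.append("name is not an FQDN within " + enterprise_domain)
        elif p["name"].lower().rstrip(".") not in sans:
            problems.append("name missing from Expressway-C certificate SANs")
        if p["security_mode"] != "Encrypted":
            problems.append("Device Security Mode must be Encrypted "
                            "(Authenticated offers only NULL-SHA, which Expressway rejects)")
        report[p["name"]] = problems
    return report


# Constructed sample data: two TLS profiles, one non-secure profile, and assumed SANs.
SAMPLE_PROFILES = [
    {"name": "jabber.secure.example.com", "transport": "TLS", "security_mode": "Encrypted"},
    {"name": "Secure DX80 Profile", "transport": "TLS", "security_mode": "Authenticated"},
    {"name": "Standard Phone Profile", "transport": "TCP", "security_mode": "Non Secure"},
]
SAMPLE_SANS = ["expc1.example.com", "jabber.secure.example.com"]
```

Calling check_secure_profiles(SAMPLE_PROFILES, "example.com", SAMPLE_SANS) flags only the DX80 profile, on both its non-FQDN name and its Authenticated mode.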
IM and Presence Service
Ensure that the Cisco AXL Web Service is active on the IM and Presence Service publishers that will discover other IM and Presence Service nodes for remote access. To check this, select the Cisco Unified Serviceability application and go to Tools > Service Activation.