Aurus Blog

This blog shares our expertise in Cisco UCM, UCCX/UCCE and Cisco Meeting Server.


Cisco Expressway 12.5.5. Remote Videoconferencing without VPN (Part 2)

Certificates

Expressway-C and Expressway-E authenticate each other with TLS on the traversal zone, so each server must trust the CA that issued its peer's certificate. That is why the root and intermediate certificates of the CAs that issued certificates for your servers must be uploaded as trusted CAs on both servers.

Proceed to Maintenance > Security > Trusted CA certificate and upload those root and intermediate certificates.

In our case, the certificate for Expressway-C was issued by a local (private) CA. Such a CA is not publicly trusted, so, much like a self-signed certificate, its chain has to be trusted explicitly. Expressway-E has a certificate issued by Let's Encrypt (free, valid for 90 days, so it must be renewed every 3 months; Expressway has a built-in Let's Encrypt integration that renews it automatically).

Concerning the free Let's Encrypt certificates:

  • Download the intermediate certificate and the root certificate from the Let's Encrypt chain page.
  • Expressway does not accept a PKCS#7 bundle (.p7b/.p7c) as a trusted CA; extract the root certificate from it as PEM.
    In Windows 10:
    a. Right-click the file and select Open with > Crypto Shell Extensions.
    b. Right-click the root certificate, select All Tasks > Export, choose Base-64 encoded X.509 (.CER) and save it.
    In Linux, convert the bundle to PEM with:
    openssl pkcs7 -inform der -in dstrootcax3.p7c -print_certs -out dstrootcax3.pem
  • Copy the PEM text of the intermediate certificate (the BEGIN CERTIFICATE ... END CERTIFICATE block) into a text editor and save it as a .pem file.
  • Upload both certificates to Expressway-E under Trusted CA certificate.

Note that DST Root CA X3, the root used in the steps above, expired on 30 September 2021. Trust Let's Encrypt's own root, ISRG Root X1, together with the current Let's Encrypt intermediate instead; a chain that still ends in the expired root is rejected.

In the screenshot, the root and intermediate certificates of the local CA are marked in red and those of the Let's Encrypt CA in blue.

  • Generate a certificate signing request for Expressway-C (Maintenance > Security > Server certificate, Generate CSR).

In this scenario, no subject alternative names are needed for Expressway-C.

The Unified CM phone security profile names field takes the names of the Phone Security Profiles created in Unified CM. It is only needed for TLS between Expressway-C and CUCM (secure phone profiles over MRA), which our scenario does not use.

  • Send the request to the private CA, get the certificate back and upload it to Expressway-C.
  • Generate a certificate signing request for Expressway-E in the same way, but with subject alternative names: join.example.com (the WebRTC join address) and either example.com or collab-edge.example.com. Jabber looks for one of the latter two in the Expressway-E certificate when it connects through MRA; if there is already a DNS A record for example.com pointing at your corporate web site, use collab-edge.example.com. Let's Encrypt validates control of every name in the request, so each SAN, including collab-edge.example.com, needs an A record in the external DNS pointing at Expressway-E, or the request will be rejected.

Without example.com or collab-edge.example.com in the SAN, Cisco Jabber clients show an untrusted-certificate warning.

  • Click Deploy pending cert.
  • If everything has been done correctly, the server certificate page should look like this.

Note: version 12.5.6 has a bug in this area. Versions 12.5.7 and 12.5.8 were withdrawn because of security problems, so upgrade to 12.5.9.
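The following script, added here as an illustration and not part of the original post or of Cisco's tooling, rehearses the certificate steps above offline: it creates a throwaway private CA (standing in for the local CA), issues an Expressway-E style certificate from a CSR that carries the join and collab-edge SANs, packs the CA chain into a PKCS#7 bundle the way Let's Encrypt ships its chain, converts it back to PEM with the same openssl command as above, verifies the chain, and checks for the SAN that Jabber requires. All names (example.com, exp-e.example.com) are assumptions; it needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example, not from the original post: rehearses the certificate steps
# above with a throwaway private CA (standing in for the local CA) and a
# PKCS#7 bundle (standing in for the Let's Encrypt .p7b). All names are
# assumptions. Requires openssl 1.1.1 or later (-addext, -ext).
set -eu

WORK=$(mktemp -d)
DOMAIN=example.com            # assumed MRA domain
EXPE="exp-e.$DOMAIN"          # assumed Expressway-E FQDN

# Two-level throwaway CA: self-signed root plus an issuing intermediate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -days 1825 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null
}

# CSR carrying subject alternative names, the equivalent of the SAN fields on
# the Expressway "Generate CSR" page. $1 = FQDN, remaining args = SAN names.
# Prints the SAN list ("DNS:a,DNS:b") so the caller can pass it to sign_csr.
make_csr() {
  fqdn=$1; shift
  sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" -addext "subjectAltName=$sans" \
    -keyout "$WORK/$fqdn.key" -out "$WORK/$fqdn.csr" 2>/dev/null
  printf '%s\n' "$sans"
}

# Issue the server certificate. The SANs are restated in the extension file
# because x509 -req on openssl 1.1.1 does not copy extensions from the CSR.
sign_csr() {  # $1 = FQDN, $2 = SAN list as printed by make_csr
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Let's Encrypt ships its chain as a DER PKCS#7 (.p7b/.p7c); Expressway's
# Trusted CA page wants the certificates as PEM. Same command as in the text.
p7b_to_pem() {  # $1 = input .p7b/.p7c, $2 = output .pem
  openssl pkcs7 -inform der -in "$1" -print_certs -out "$2"
}

# Number of certificates in a PEM file (sanity check after the conversion).
pem_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Does the server certificate chain up to a trusted root via the intermediates?
verify_chain() {  # $1 = server cert, $2 = trusted root(s), $3 = intermediate(s)
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# Jabber accepts the Expressway-E certificate only if its SAN lists <domain>
# or collab-edge.<domain>; exit 0 when one of them is present.
san_ok() {  # $1 = certificate, $2 = domain
  escaped=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    grep -Eq "DNS:(collab-edge\\.)?$escaped(,|\$)"
}

make_ca
SANS=$(make_csr "$EXPE" "join.$DOMAIN" "collab-edge.$DOMAIN")
sign_csr "$EXPE" "$SANS"
# Bundle root + intermediate as PKCS#7 (DER) and convert it back to PEM.
openssl crl2pkcs7 -nocrl -certfile "$WORK/int.pem" -certfile "$WORK/root.pem" \
  -outform der -out "$WORK/chain.p7b"
p7b_to_pem "$WORK/chain.p7b" "$WORK/chain.pem"

echo "certificates in converted chain: $(pem_cert_count "$WORK/chain.pem")"
verify_chain "$WORK/$EXPE.pem" "$WORK/root.pem" "$WORK/chain.pem" && echo "chain OK"
san_ok "$WORK/$EXPE.pem" "$DOMAIN" && echo "SAN OK for Jabber on $DOMAIN"
```

To check a real deployment, point verify_chain at the certificate downloaded from the Expressway-E server certificate page together with the roots you uploaded as trusted CAs, and san_ok at the same certificate with your MRA domain; a certificate that only carries join.example.com fails the SAN check, which is exactly the case that produces the Jabber warning described above.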

Zones

A zone is a logical grouping (of domains, IP addresses, devices or services) with its own set of rules. Zones let you apply bandwidth, call routing and authentication settings to everything inside them. When you create search rules (the dial plan), you pick the zone a call is routed to or from rather than a domain.

There are several types of zones.

  • Neighbor: connectivity with CMS, CUCM or another Expressway.
  • Local Zone: the devices registered to the Expressway itself.
  • ENUM: looks up E.164 numbers through ENUM (DNS NAPTR) records.
  • DNS: finds the destination of a called domain through DNS SRV and A lookups (used for B2B calls and open federation).
  • Webex: calls from the corporate network through the Internet to the Webex cloud, and calls from a Webex meeting routed back through the Internet into the local routing system.
  • Traversal (client, server): firewall traversal for calls between Expressway-C and Expressway-E.
  • Unified Communications traversal: the traversal zone type used for MRA, so that Jabber with all its features is reachable from the Internet.
  • Default zone: anything that does not belong to another zone lands here and is handled by the Default zone rules (with no rules, everything is rejected).

So, let’s proceed to Expressway-C and create Neighbor zones for CUCM and Cisco Meeting Server.

Zones for CUCM

Create a separate neighbor zone for each CUCM server (publisher and subscribers). In our deployment, a single zone with all servers listed in the peer address fields meant that only one call in N succeeded, N being the number of servers in the CUCM cluster (for CMS, see below: a cluster is handled by one zone with Meeting Server load balancing enabled).

In our case, there are only two servers.

The first zone:

The second zone:

You should also create a SIP Trunk Security Profile and a Trunk from CUCM to Expressway.

SIP Trunk Security Profile

Note that the incoming port in this profile must be 5065, not the default 5060, or the trunk will not work. Expressway-C already sends line-side traffic (the MRA registrations relayed through the CEtcp neighbor zones) to CUCM on 5060 from the same IP address, so CUCM needs a separate listening port to tell trunk calls apart. The neighbor zone for CUCM on Expressway-C must use this same port.

Trunk

On the trunk, set the destination port to 5060, which is the port Expressway-C listens on. With 5065 here calls still pass, but the trunk status never changes to Full Service and stays Unknown. Also specify the CSS that fits your configuration, pick the SIP Trunk Security Profile created above and choose Standard SIP Profile for Cisco VCS as the SIP profile.

Zones for CMS

For a single server (not a cluster), leave the Zone profile at Default.

If you have a cluster, you should fill the address fields with FQDNs of all clustered servers and set Meeting Server load balancing to ON.

UC Traversal Zone (Expressway-C)

We do not use H.323, so we create a Unified Communications traversal zone rather than a plain traversal zone; the UC traversal zone carries SIP over TLS only, which is all MRA needs.

On Expressway-C, configure the client side of the UC traversal zone. In the traversal tunnel between Expressway-C and Expressway-E, Expressway-C is the client: it opens the connection from the internal network outwards to Expressway-E in the DMZ, and signaling then flows in both directions over that connection, so the corporate firewall only needs to allow the outbound connection. That is why you enter here the username and password that will be created on Expressway-E, where the server side of the UC traversal zone is configured.

On Expressway-C, it should now look like this:

Neighbor zones named CEtcp-<server> (and the search rules for them) are created automatically once you add the CUCM servers on Expressway-C (Configuration > Unified Communications > Unified CM servers).

In CUCM 12.5, the Expressway-C is likewise added on the CUCM side automatically.

UC Traversal Zone (Expressway-E)

Expressway-E usually sits in the DMZ with an interface reachable from the Internet (sometimes that interface is behind NAT). Most firewall policies do not allow connections initiated from the DMZ into the internal network, but do allow outbound connections from the internal network to the DMZ and the Internet. Expressway-E is therefore configured as a traversal server that accepts connections from firewall traversal clients (such as Expressway-C) inside the internal network; those connections then carry two-way communication between Expressway-E and Expressway-C.

On Expressway-E, you should create a user for the traversal connection. Let’s call it uctraversal.

Configure the UC Traversal Zone.

DNS Zone

The DNS zone resolves the called domain through DNS SRV records to find where to send the call. For SIP it looks up _sips._tcp.<domain> and/or _sip._tcp.<domain> (and _sip._udp.<domain>), depending on the encryption and transport settings. You can also let Expressway fall back to a plain A record lookup when the SRV search finds nothing. This allows Expressway to route calls to destinations that are not configured explicitly: publish the corresponding SRV records in public DNS and you receive calls from external organizations automatically, and can call them if they have done the same. This is called open federation, or Business-to-Business (B2B) calling.

In the next part of this article, we’ll talk about TURN configuration and Business to Business (B2B) calls.

Read also:

Cisco Expressway 12.5.5. Remote Videoconferencing without VPN (Part 1)

It's time to make corporate communication services available remotely without extra steps such as Cisco AnyConnect or VPN tunnels.

In this article, we'll show how to configure Cisco Expressway so that videoconferencing works from outside the office as well.

Cisco Expressway provides secure firewall traversal for voice and video and supports features such as B2B calls, Mobile and Remote Access (MRA) and TURN (Traversal Using Relays around NAT) server capabilities. That is why it is called a Single Edge solution, the preferred edge for Unified Communications and Cisco Meeting Server.

Licensing

Cisco Expressway servers are deployed as Core (Expressway-C) and Edge (Expressway-E). A freshly deployed server is not an Expressway yet, it is a plain VCS; installing the required licenses turns it into one.

Each server, Core or Edge, needs a LIC-SW-EXP-K9 license (put simply, a release key).

Core servers require the following licenses:

  • LIC-EXP-GW
  • LIC-EXP-SERIES

Edge servers require the following licenses:

  • LIC-EXP-GW
  • LIC-EXP-SERIES
  • LIC-EXP-E
  • LIC-EXP-TURN

Optionally, you can add the following licenses:

  • LIC-EXP-MSFT-PMP: Microsoft Interoperability Option (for Expressway-C), required for interworking with Skype for Business;
  • LIC-EXP-RMS-PMP: Rich Media Session licenses (for both Expressway-C and Expressway-E);
  • LIC-EXP-DSK: Expressway Desktop Endpoint license (for Expressway-C), to register personal endpoints to Expressway;
  • LIC-EXP-ROOM: Expressway Room license, to register video codecs to Expressway;
  • LIC-TP-ROOM: to register codecs to CUCM (optionally includes LIC-EXP-ROOM);
  • LIC-EXP-AN: Advanced Networking option, an additional network interface (for both Expressway-C and Expressway-E).

Rich Media Session license consumption depends on the connection type:

  • Connections to/from Expressway Registered Endpoints;
  • Connections to/from Expressway Non-Registered Endpoints;
  • Connections to/from through Traversal Zone;
  • Connections to/from Cisco Cloud Service;
  • Connections to/from UCM, Conductor, CMS or Expressway through Neighbor Zone.

In my case, the virtual machines had already been deployed and the network interfaces configured.

Looking ahead, an Expressway-C/Expressway-E pair can be deployed in several ways.

In terms of domains, there are two options:

1. Single domain (if you have a single domain, e.g. example.com, to be used both inside and outside your network).

2. Dual domain (internal domain is example.local, external domain is example.com).

In terms of topology, the recommendation is two network interfaces on Expressway-E, one in each of two DMZ segments (an outer one facing the Internet and an inner one facing the corporate network). We will consider two options:

1. A single network interface for Expressway-E in the DMZ.

You can put a public IP address from your Internet provider directly on it; then no NAT reflection is needed on the firewall for Cisco Meeting Server to work from outside your network.

2. Two network interfaces for Expressway-E in the DMZ.

This requires the Advanced Networking option key to be active in the Option keys section.

In both cases you also have to specify on Expressway-E whether the interface is behind static NAT and, if so, the public IP address it is visible as from outside.

DNS

You should create the following external/internal DNS records (the exact set depends on whether the deployment is clustered or not, Single or Dual Domain):

Single Domain

DNS      | Type | Record                                  | Purpose
---------|------|-----------------------------------------|------------------------------------------------------------
External | A    | exp-e.external-example.com              | Expressway-E Internet address (any other name will do).
External | A    | join.external-example.com               | Points to the Expressway-E address. Needed to join CMS conferences via WebRTC.
External | SRV  | _collab-edge._tls.external-example.com  | Points to the Expressway-E address, port 8443. Lets the Jabber client discover telephony, IM and voicemail services.
External | SRV  | _sip._tcp.external-example.com          | Points to the Expressway-E address, port 5060. Incoming calls.
External | SRV  | _sip._udp.external-example.com          | Points to the Expressway-E address, port 5060. Incoming calls.
External | SRV  | _sips._tcp.external-example.com         | Points to the Expressway-E address, port 5061. Incoming encrypted calls.
Internal | SRV  | _cisco-uds._tcp.internal-example.com    | Points to the Unified CM A record, port 8443. Lets the Jabber client discover telephony services.
Internal | SRV  | _cuplogin._tcp.internal-example.com     | Points to the IM and Presence (CUP) A record, port 8443. Lets the Jabber client discover IM services.
Internal | SRV  | _xmpp-client._tcp.external-example.com  | Points to the Cisco Meeting Server A record. Lets clients find the XMPP server.
Internal | SRV  | _xmpp-server._tcp.external-example.com  | Points to the Cisco Meeting Server A record. Lets Call Bridges find the XMPP server.

(In a single-domain deployment internal-example.com and external-example.com are the same domain; the table keeps both labels so that it lines up with the dual-domain table below.)

Dual Domain

DNS      | Type | Record                                      | Purpose
---------|------|---------------------------------------------|------------------------------------------------------------
External | A    | exp-e.external-example.com                  | Expressway-E Internet address (any other name will do).
External | A    | join.external-example.com                   | Points to the Expressway-E address. Needed to join CMS conferences via WebRTC.
External | SRV  | _collab-edge._tls.external-example.com      | Points to the Expressway-E address, port 8443. Lets the Jabber client discover telephony, IM and voicemail services.
External | SRV  | _sip._tcp.external-example.com              | Points to the Expressway-E address, port 5060. Incoming calls.
External | SRV  | _sip._udp.external-example.com              | Points to the Expressway-E address, port 5060. Incoming calls.
External | SRV  | _sips._tcp.external-example.com             | Points to the Expressway-E address, port 5061. Incoming encrypted calls.
Internal | SRV  | _cisco-uds._tcp.internal-example.com        | Points to the Unified CM A record, port 8443. Lets the Jabber client discover telephony services.
Internal | SRV  | _cisco-uds._tcp.external-example.com (*)    | Points to the Unified CM A record, port 8443. Lets the Jabber client discover telephony services.
Internal | SRV  | _cuplogin._tcp.internal-example.com         | Points to the IM and Presence (CUP) A record, port 8443. Lets the Jabber client discover IM services.
Internal | SRV  | _cuplogin._tcp.external-example.com (*)     | Points to the IM and Presence (CUP) A record, port 8443. Lets the Jabber client discover IM services.
Internal | SRV  | _xmpp-client._tcp.external-example.com      | Points to the Cisco Meeting Server A record. Lets clients find the XMPP server.
Internal | SRV  | _xmpp-server._tcp.external-example.com      | Points to the Cisco Meeting Server A record. Lets Call Bridges find the XMPP server.

(*) In a Dual Domain deployment, create a zone for the external domain in your internal DNS and put the records marked (*) in it, i.e. the _cisco-uds and _cuplogin discovery records for external-example.com. Users can then log in to Cisco Jabber with the same account whether they are inside or outside the corporate network (with an external domain, the login usually matches the corporate e-mail address).
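The following script, added here as an illustration and not part of the original post, turns the tables above into the list of SRV records each layout requires and checks dig-style SRV answers against them; it also covers the names the DNS zone searches for B2B calls (_sips._tcp, _sip._tcp, _sip._udp), described in Part 2. Host names (example.com, example.local, exp-e.example.com, cucm1.example.local, imp1.example.local, cms1.example.local) are assumptions, as are the XMPP ports 5222 and 5269, which the tables do not state; the check_live function needs dig and network access and is not run by the script itself.

```sh
#!/bin/sh
# Added example, not from the original post: lists the SRV records the tables
# above require and checks dig-style SRV answers for them. Host names are
# assumptions; the XMPP ports (5222/5269) are the standard ones, the tables
# give none.
set -eu

# Print the required SRV records as "scope name port target", one per line.
# $1 external domain, $2 internal domain, $3 Expressway-E, $4 Unified CM,
# $5 IM and Presence, $6 Meeting Server, $7 dual-domain flag (0/1).
required_srv() {
  ext=$1; int=$2; expe=$3; cucm=$4; imp=$5; cms=$6; dual=$7
  printf '%s\n' \
    "external _collab-edge._tls.$ext 8443 $expe" \
    "external _sip._tcp.$ext 5060 $expe" \
    "external _sip._udp.$ext 5060 $expe" \
    "external _sips._tcp.$ext 5061 $expe" \
    "internal _cisco-uds._tcp.$int 8443 $cucm" \
    "internal _cuplogin._tcp.$int 8443 $imp" \
    "internal _xmpp-client._tcp.$ext 5222 $cms" \
    "internal _xmpp-server._tcp.$ext 5269 $cms"
  # Dual domain: Jabber users log in with the external domain from inside too,
  # so the internal DNS also needs the discovery records for that domain.
  if [ "$dual" = 1 ]; then
    printf '%s\n' \
      "internal _cisco-uds._tcp.$ext 8443 $cucm" \
      "internal _cuplogin._tcp.$ext 8443 $imp"
  fi
}

# Check one answer in "dig +short SRV" form (lines of "prio weight port target.")
# against the port and target the record must have. Exit 0 only if there is at
# least one answer line and every line matches; the first bad line goes to stderr.
srv_answer_ok() {  # $1 expected port, $2 expected target, $3 answer text
  printf '%s\n' "$3" | awk -v port="$1" -v host="$2" '
    NF == 0 { next }
    { seen++; tgt = $4; sub(/\.$/, "", tgt) }
    $3 != port || tgt != host { print "unexpected SRV answer: " $0 > "/dev/stderr"; bad = 1 }
    END { exit (bad || !seen) ? 1 : 0 }'
}

# Live check of every record in required_srv against the resolver you are on
# (needs dig and network access, so it is not run here). $1 is the scope to
# check (external or internal); the remaining arguments go to required_srv.
check_live() {
  scope=$1; shift
  required_srv "$@" | while read -r where name port target; do
    [ "$where" = "$scope" ] || continue
    if srv_answer_ok "$port" "$target" "$(dig +short SRV "$name")"; then
      echo "OK   $name -> $target:$port"
    else
      echo "FAIL $name (wanted $target:$port)"
    fi
  done
}

# Constructed answers standing in for dig output (assumptions, not real DNS data).
GOOD='10 10 8443 exp-e.example.com.'
WRONG_PORT='10 10 5061 exp-e.example.com.'            # collab-edge must be 8443
SPLIT='10 10 5060 exp-e.example.com.
20 10 5060 www.example.com.'                          # second target is not Expressway-E

srv_answer_ok 8443 exp-e.example.com "$GOOD" && echo "collab-edge answer OK"
srv_answer_ok 8443 exp-e.example.com "$WRONG_PORT" || echo "wrong port caught"
srv_answer_ok 5060 exp-e.example.com "$SPLIT" || echo "stray target caught"
required_srv example.com example.local exp-e.example.com \
  cucm1.example.local imp1.example.local cms1.example.local 1
```

Run check_live external ... from a host that resolves through public DNS and check_live internal ... from the corporate network; a record that exists but answers with the wrong port (5061 on _collab-edge is a common mistake) or with an extra target that is not Expressway-E is reported as FAIL rather than silently accepted.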

You should also create the domains and select the services to be supported for these domains.

Services

  • SIP registrations and provisioning on Expressway: Expressway is authoritative for this SIP domain. It acts as SIP registrar and presence server for the domain and accepts registrations from any SIP client whose alias includes it.
  • SIP registrations and provisioning on Unified CM: Expressway acts as a gateway for CUCM, providing secure firewall traversal and endpoint registration to CUCM (MRA).
  • IM and Presence Service: Expressway acts as a gateway for IM and Presence, supporting instant messaging and presence.
  • XMPP federation: for a local domain that takes part in XMPP federation with other domains.

Note that static routes for federated external domains, if you need them, are configured on Expressway-E.

In a Dual Domain scenario, enter both domain names (or all of them, if there are more than two) in the domain configuration of both Expressway-C and Expressway-E.

In the next part of this article, we’ll go on with Expressway configuration (specifically, we’ll talk about certificates and zones).
