How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKCOL-2018
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Target Architecture (diagram): Enterprise Network (Unified CM, Expressway-C) – DMZ (Expressway-E) – Outside Network (Internet). Standard client: 1st try SIP/H.323 using standard DNS SRV, 2nd try MS variant. MS client: 2nd try SIP, with MS signaling and media conversion via CMS.
BRKCOL-2018 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Agenda
• Expressway Introduction
• Business-to-business Architecture
• Signaling Encryption
• Media Encryption
• B2B Interop with Microsoft
• Dial Plan
Cisco Expressway overview (diagram, built up over several slides): Jabber and hardware devices over MRA; Jabber Guest/WebRTC B2C; endpoint registration for Cisco video and 3rd party devices; Microsoft Integration; Spark Connector Host; B2B Technology; calls to and from the Cisco Cloud (Spark, CMR).
Routing
1st Step: Call enters Expressway
Expressway Zone Example (for your reference)
Expressway-C 10.10.10.10, Expressway-E 10.10.10.11
Call | From (IP/port) | To (IP/port) | Mapped to
Neighbor Zone A to Neighbor Zone B | 192.168.10.10/5061 | 192.168.10.11/5061 | 1
Inbound call on -C (row 5) | 192.168.10.11/40307 | 10.10.10.10/5061 | 1
Expressway Zone Concept
• When a call reaches Expressway, Expressway classifies it based on source and destination address and port
• Based on that classification, the call is assigned to a specific «zone».
• Except for the Local Zone (not covered here), the other zones connect to remote systems, much like a SIP Trunk on CUCM
• Different policies can be applied per zone, such as:
  • signaling and media encryption
  • protocol usage (i.e. SIP and/or H.323)
  • message authentication (PAI header for SIP)
  • use of TLS with Mutual Authentication
  • others
Most commonly used zones on Expressway
• Neighbor Zone: this is the zone most similar to a SIP Trunk
• Traversal Zone: it’s a special neighbor zone with firewall traversal capabilities
• DNS Zone: it’s a special neighbor zone used for outbound B2B calls, supporting DNS SRV
• Default Zone: it’s a special neighbor zone used for inbound B2B calls
Cisco Expressway Connectivity Overview – Most used zones on a Unified CM-centric architecture (diagram: Unified CM, MRA)
2nd Step: Call is routed
Expressway Routing (flowchart): Expressway receives the alias → if the policy result is “allow”, protocol selection among SIP / H.323 / SIP variants.
Protocol Selection Configuration (flowchart): try SIP; if found, place the call; if not found, try H.323; if found, place the call; if not found, use the SIP MS variant and place the call.
Pattern Matching
Regular Expressions (RegEx)
• A standard notation (POSIX), used in Unix and Linux editors
• Provides a concise and flexible means for matching and transforming strings
• Simple when used simply, yet powerful
• One of the techniques available in Expressway for matching calls in zones
Cisco Expressway Family Overview (for your reference)
Most commonly used regex on Expressway (for your reference)
Proxy and B2BUA
SIP Proxy or SIP B2BUA?
Proxy Without B2BUA Engagement (diagram: Expressway with the Exp-C/E Proxy process on the media leg; the Exp-C/E B2BUA process is not engaged)
• Single call leg
• No media termination
• The B2B call traverses the Expressways
• Under the following conditions on both legs: 1. SIP/RTP 2. H.323 3. SIP/SRTP 4. IPv4
B2BUA engagement for Media: "Encrypt on behalf of" (diagram: Expressway-C/E with media leg 1 (RTP) and media leg 4 (SRTP) through the Exp-C/E Proxy process, media legs 2 and 3 through the Exp-C/E B2BUA process; Cisco Unified CM on the inside)
• The diagram shows the working principle
• In most cases the B2BUA talks directly to the endpoint or end system without going back to the Proxy
Dual Network Deployment for Firewall Traversal
Expressway Firewall Traversal Basics
(diagram: Unified CM on the Enterprise Network, Expressway-C behind the internal firewall, Expressway-E in the DMZ behind the external firewall, Internet on the Outside Network; signaling and media paths)
1. Expressway-E is the traversal server installed in the DMZ. Expressway-C is the traversal client installed inside the enterprise network.
2. Expressway-C initiates traversal connections outbound through the firewall to specific ports on Expressway-E with secure login credentials.
3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E to maintain the connection.
4. When Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C.
5. Expressway-C then routes the call to Unified CM to reach the called user or endpoint.
6. The call is established and media traverses the firewall securely over an existing traversal connection.
Call Flow
Cisco SRV Records for business-to-business
SRV record format for SIP and H.323
B2B Call Flow (diagram): Stark Industries calls bob@acme.com; the DNS lookup for acme.com resolves sip1.acme.com; signaling and media flow to ACME Corp.
Business-to-Business
Architecture
Signaling
H.323/SIP Protocol Selection Algorithm
• H.323 and SIP enabled globally and at zone-level
• H.323/SIP protocol selection: native protocol first, alternative protocol as backup.
• Interworking has to be enabled
• SIP to H.323 interworking with media handling
• Protocol selection can be changed with search rules
(diagram: Expressway-C / VCS-C tries 1. SIP, then 2. H.323 toward an H.323 endpoint)
TLS: Certificate Check on Expressway
• During the validity check, standard browsers make sure that the hostname matches the SAN/CN and that the cert has been signed by a trusted CA
• On Expressway this check is optional: it is activated by setting TLS verify mode to “On” and is configurable per zone
• Consequence: if you don’t set up TLS verification, TLS can be set up with a self-signed certificate
• In both cases the call will be encrypted, but only with TLS verify mode set to “On” is the other peer authenticated
TLS verify set to “Off”
Traversal Zone Example
Expressway-C connecting to Expressway-E via traversal zone
Peer1 certificate SAN:
X509v3 Subject Alternative Name:
DNS:example.com, DNS:expe.example.com
• If TLS verify mode is set to “Off”: Expressway won’t check the hostname, nor that the cert is properly signed
• IP addresses can be used
• Note that the IP address is not included in the SAN of the remote peer (Expressway-E)
TLS verify set to “On”
Neighbor zone example: connection to UCM
• TLS Verify Mode triggers MTLS
• Certificate CN or SAN is matched against the Peer Address
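The peer-name check described on the preceding slides, as an added example (not Cisco's code): with TLS verify mode "On" the certificate must be trusted and its CN or SAN must match the configured peer address, with "Off" nothing is checked. The certificate data is a constructed summary reusing the SAN shown on the traversal zone slide; the wildcard rule and the "SAN takes precedence over CN" rule are assumptions taken from RFC 6125, not from the slides.

```python
"""Peer-name check an Expressway zone performs when TLS verify mode is "On".

Added example, not Cisco's code. Models the rule from the slides: with TLS verify
"On" the certificate must come from a trusted CA and its CN or SAN must match the
zone's configured peer address; with "Off" neither hostname nor signature is checked.
Wildcard handling (one "*" as the whole leftmost label) and "SAN before CN" are
assumptions taken from RFC 6125."""
import ipaddress

# Constructed certificate summary; the SAN entries are those on the traversal zone slide.
EXPE_CERT = {
    "cn": "expe.example.com",
    "san_dns": ["example.com", "expe.example.com"],
    "san_ip": [],          # no IP-type SAN, as the slide notes
    "trusted_ca": True,    # assumption: the issuer is in the zone's trust store
}


def name_matches(cert_name: str, peer_name: str) -> bool:
    """Compare one certificate DNS name with the peer name; '*' only as whole leftmost label."""
    cert_name, peer_name = cert_name.lower().rstrip("."), peer_name.lower().rstrip(".")
    if cert_name == peer_name:
        return True
    if cert_name.startswith("*.") and "*" not in cert_name[2:]:
        c_labels, p_labels = cert_name.split("."), peer_name.split(".")
        return len(c_labels) == len(p_labels) and c_labels[1:] == p_labels[1:]
    return False


def peer_matches_certificate(cert: dict, peer_address: str) -> bool:
    """True when the configured peer address is covered by the certificate's SAN (or CN)."""
    try:
        ip = ipaddress.ip_address(peer_address)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP peer address can only match an IP-type SAN entry, never a DNS name.
        return str(ip) in cert.get("san_ip", [])
    san_dns = cert.get("san_dns", [])
    if san_dns:  # when a SAN is present the CN is not consulted (RFC 6125 assumption)
        return any(name_matches(n, peer_address) for n in san_dns)
    return name_matches(cert.get("cn", ""), peer_address)


def zone_tls_outcome(cert: dict, peer_address: str, tls_verify_on: bool) -> str:
    """Outcome of the zone's TLS connection to peer_address under the chosen TLS verify mode."""
    if not tls_verify_on:
        return "connected: encrypted, peer not authenticated"
    if not cert.get("trusted_ca", False):
        return "rejected: certificate not signed by a trusted CA"
    if not peer_matches_certificate(cert, peer_address):
        return f"rejected: peer address {peer_address} not in certificate CN/SAN"
    return "connected: encrypted and peer authenticated"
```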
Outbound B2B calls on Expressway-E with TLS
DNS Zone (outbound)
• TLS verify set to “On” checks expe.example.com (diagram: Client hello from Expressway-E, CERTIFICATE returned by the remote host)
• If the TLS verify subject name is not known in advance (open video federation, e.g. host.mypreferredpartner.com), TLS verify mode must be turned off
‘TLS verify’ Summary for B2B Calls
• TLS verify increases security by checking the certificate (signature, hostname, etc.) of the called party. TLS verify requires knowing the DNS hostname of the remote peer, as included in its certificate
• Recommended to turn it on for Traversal Zones and Neighbor Zones
• If the hostnames in the DMZ use a separate DNS and IP addresses are used instead of DNS names, TLS verify must be turned off
• Closed video federation (B2B communications with selected partners): turn TLS verify on (remote peers and certs are known; a neighbor zone can be created)
• Open video federation (standard B2B): turn TLS verify off (remote peers and certs are not known)
TLS vs TLS with Mutual Authentication (MTLS) (diagram):
TLS: Client hello → Server hello followed by certificate (from Expressway-E)
MTLS: Client hello → Server hello followed by certificate and a Certificate Request (from Expressway-E)
Open B2B Federation with MTLS and Certificate Check
Certificate Check with MTLS and Open Video Federation
• Turning off TLS verify prevents any sort of certificate check
• MTLS on port 5061 can be used to turn on certificate verification without specifying the TLS verify name
• Caveat: MRA is not compatible with MTLS on port 5061
• Caveat: doesn’t work with the B2BUA on Expressway-E
MTLS and Default Zone Access Rules
MTLS and Default Zone Access Rules Use
• If the calling party doesn’t present a valid certificate, the connection will be rejected before any SIP message is sent
• If some partners don’t have a valid certificate, it’s possible to upload their self-signed certificate into the Expressway-E trust list. It is not possible to use a certificate signed by a temporary CA.
• If a remote host is sending spam calls, its certificate will show in the log and it will be possible to create a rule to stop those calls
Media Encryption Policy
• Expressway Media Encryption Mode applies to:
  • Neighbor, DNS, Traversal, and Default Zones
  • SIP and H.323 calls interworked to SIP
• Does NOT apply to H.323 (only) calls
Media Encryption – Auto Example (diagram): CUCM – CM Neighbor Zone – Expressway-C – Traversal Client Zone / Traversal Server Zone – Expressway-E – Internet. All zones use TLS with media encryption mode Auto; the inbound Default Zone and the outbound DNS Zone are shown as Auto, not configurable. Result: TLS with SRTP or RTP, based on the endpoints’ negotiation (RTP/SRTP toward the Internet).
Media encryption – Lock icon: optimization of the previous example (diagram): same topology, with all zones set to Best Effort (the inbound Default Zone and the outbound DNS Zone shown as Best Effort, not configurable). Result: TLS/SRTP between CUCM, Expressway-C and Expressway-E, RTP toward the Internet.
B2B Interop with Microsoft Lync
Terminology
Traffic Classification
Traffic Classification and Search Rules
As with H.323/SIP calls, we can’t know upfront whether a destination address is “Microsoft flavor” or “Standard SIP”, so we must try both.
Interoperability and interworking rely on “fallback mechanisms”. When a user places a call, Expressway searches for it as SIP/H.323/MSFT-SIP (plus several TCP/TLS/UDP transport protocols).
An administrator can decide the priority order. Typically Standard SIP/H.323 first and, if it’s not found, we continue by involving CMS for transcoding. Expressway-E will then search for the Microsoft SRV record for that domain. This order can be inverted, or both can be tried at the same time (call forking).
Starting with X8.9+, the Expressway-E DNS Enhanced zone is able to look up the Microsoft SRV record (_sipfederationtls._tcp.company.com).
Traffic Classification and Search Rules (continued over several diagram slides, steps 1 to 5)
SRV Records and Certificates
SRV Records in use (inbound traffic)
There’s a common misunderstanding about overlapping SRV Records we now must demystify:
• Microsoft SIP Federations require an SRV targeting _sipfederationtls._tcp.company.com
• Standard SIP Federations require two SRV records: _sip._tcp.company.com; _sips._tcp.company.com
There are NO overlapping SIP SRV Records between our Cisco solution and any Microsoft Lync/Skype for Business environment.
Confusion comes from an SRV record used by OCS R1 (10 years ago) for _sip._tcp.<domain> - for external TCP connections.
This SRV record may be present in your customer environment but it’s not needed anymore and they can remove it. Microsoft documentation is pretty clear about that.
SRV Records and Certificates
Certificate Requirements
If the Expressway-E is not clustered:
• Subject Common Name = FQDN of Expressway-E
• Subject Alternative Names = FQDN of Expressway-E
NOTE: the Expressway-E FQDN (A-record) must be part of the SIP domain(s)*. You’ll need an alias for EVERY SIP domain (e.g. expressway-e.sipdomain.com; expressway-e.sipdomain2.com; etc.)
*this is a Microsoft requirement.
SRV Records and Certificates – Example (diagram: certificate showing the FQDN of the Expressway-E and the FQDN of the Expressway-E cluster)
Business to Business Architecture for MS Interop – Outbound calls example (diagram): Endpoints (XMPP/SIP: company.com), CUCM cluster, CUCM IM&P, Expressway-C, Expressway-E, TURN server, WebRTC; paths to the Internet for Standard SIP, Microsoft SIP and XMPP (MS SIP SIMPLE); Standard Endpoints, Business Partner/MRA, Business Partner Lync/SfB Clients
Traffic Classification and Search Rules
Dialplan Example – Expressway-C
A basic B2B interop federation scenario requires at least 6 Search Rules on Expressway-C:
• 3 Search Rules for Video - 2 Outbound; 1 Inbound
• 3 Search Rules for IM&P – 1 Outbound; 2 Inbound
Traffic Classification and Search Rules
Dialplan Example – Expressway-E
• A basic B2B interop federation scenario requires no specific Search Rules on Expressway-E: rules can match “any” SIP Variant, satisfying Standard AND Microsoft traffic routing at the same time.
• However, in order to keep configurations “clean” and “easy to manage”, one could create rules based on specific SIP Variants, e.g. Standards-based; Microsoft Video; Microsoft IM&P
Traffic Classification and Search Rules
Dialplan Example – Video Outbound
Cisco user John calls a Business Partner: jane.doe@federateddomain.com (Skype for Business)
(diagram: steps 1 to 3 on Expressway-C, steps 4 to 6 on Expressway-E)
7. Expressway-C will match the next relevant rule (in priority order)
8. Traffic is still classified as “Standards-based”
9. As a sort of “fallback mechanism” we now hit a Search Rule involving CMS for transcoding
10. CMS generates a new call leg, now transcoded to Microsoft AV&Share traffic.
11. According to the call parameters a “Target Zone” is determined
Call is now routed to Expressway-E as “Microsoft AV&Share”
(diagram: steps 12 to 14 on Expressway-E; Standard client: 2nd try MS variant, using the MS DNS SRV with the MS variant; MS client: 2nd try SIP, MS signaling and media conversion via CMS)
Business to Business Architecture for MS Interop – Inbound calls example (diagram): Endpoints (XMPP/SIP: company.com), CUCM cluster, CUCM IM&P, Cisco Meeting Server, Expressway-C, Expressway-E, TURN server, WebRTC; paths from the Internet for Standard SIP, Microsoft SIP and XMPP (MS SIP SIMPLE); Standard Endpoints, Business Partner/MRA, Business Partner Lync/SfB Clients
B2B Architecture for MS Interop – SRV and combined features
SRV (among others):
_h323xs._tcp.company.com - B2B Standard Federations
_sip._tcp.company.com - B2B Standard Federations
_sips._tcp.company.com - B2B Standard Federations
_xmpp-server._tcp.company.com - XMPP Federations
_collab-edge._tls.company.com – MRA
_xmpp-client._tcp.example.com – CMA registration
_sipfederationtls._tcp.company.com - MSFT Interop
(diagram: Endpoints (XMPP/SIP: company.com), CUCM cluster, CUCM IM&P, Cisco Meeting Server, Expressway-C, Expressway-E, TURN server, WebRTC; Internet; Standard Endpoints, Business Partner/MRA, Business Partner Lync/SfB Clients)
A single pair of Expressway-C/E can provide all federation, calling and registration services
Licensing for B2B Federations – quick overview
Every B2B call consumes 1 RMS on the Expressway-E node
Audio-only calls and Audio/Video calls consume 1 RMS each
VCS Control & VCS Expressway still consume Traversal call licenses
CMS needs SMP/PMP licenses for video transcoding
GENERAL RULE: All B2B calls are handled the same way. We don’t care if it is Audio/Video/Standard/Microsoft: it’s 1 RMS for each call.
In B2B scenarios all the hard work is done by CMS, so there is no need for the Microsoft Interop Option Key on Expressway/VCS. Expressway/VCS just do call routing and possibly interworking (e.g. H.323/SIP; encryption on behalf of)
IM&P traffic doesn’t consume call licenses. It doesn’t require any specific license at all.
Dial Plan
Standard Dial Plan (for your reference): table of Priority / Regex / Target for Expressway-C and for Expressway-E
Standard Dial Plan with Microsoft Interop: Outbound (for your reference)
Expressway Policy Protection
Example of unauthorized access attempts on Expressway-E (screenshot)
Expressway – Mitigating Toll Fraud
Zone authentication policy (diagram: Traversal Zone between Expressway-C and Expressway-E; calls classified as Authenticated or Unauthenticated)
Call Policy Rules with X8.9.1+
Rule fields: From (Source Type or Address) | Rule Applies To (authenticated vs unauthenticated traffic) | Source Pattern (configurable with Regex) | Destination Pattern (configurable with Regex) | Action (Allow/Reject)
• If “source type” is selected, the CPL applies to all calls coming from a specific zone that match the configured called ID pattern (no calling ID)
• With «from address», it is possible to specify both the calling and the called ID pattern. However, such a rule applies to calls regardless of whether they are authenticated or unauthenticated
Checking the calling alias
• Calling alias of a call hitting the Default Zone (B2B) shouldn’t contain:
• Corporate domain (example.com)
• Expressway IPs
• Enterprise Cisco Spark domains
Checking the called alias
• Block PSTN access
• Block any numeric range that is not supposed to receive B2B calls (if one exists)
• Allow any other destination that contains the domain
• Final deny-all
What’s the final result? (diagram: routing stops immediately at the CPL check keyed on {IP Addr/port No})
• Outbound calls can be directed by UCM to the Expressway that is nearest the
calling endpoint by using CSS and Partitions
• Inbound calls can be delivered by using two mechanisms:
• Geo DNS
• Directory Expressway
Global Deployment Topology & Geo DNS (diagram): Unified CM regional clusters (SJC, RTP, PAR, LON, TKY, BGL) with SIP trunks and SIP lines; Expressway traversal edge access in the US, Europe and Asia
Geo DNS Setup Example with two Expressway Clusters
SRV Record | Priority | Weight | Expressway-E
_sips._tcp.example.com / _sip._tcp.example.com (Location: US) | 10 | 10 | us-expe1.example.com
(same records, Location: US) | 10 | 10 | us-expe2.example.com
us-expe is the default for calling devices in the US
Directory Expressway Architecture: 2 Sites (diagram, callouts 2 to 4): UCM1 and UCM2, each behind its own Expressway-C/Expressway-E pair (C1/E1, C2/E2). Call: ucm2endpoint@domain.com. The inbound CSS on the trunks doesn’t include the partition for the Route Pattern to the remote cluster. Works with Directory URI with ILS.
Directory Expressway Architecture: 3+ Sites (diagram, callouts 3 to 4): UCM1 and UCM2 behind Expressway-C1 and Expressway-C2. Call: ucm2endpoint@domain.com. The inbound CSS on the trunks doesn’t include the partition for the Route Pattern to the remote cluster. Works with Directory URI with ILS.
Minimizing UDP Ports open to Expressway-E
Filtering ACLs for B2B calls: External Firewall Port Requirements
Based on medium/small OVA with non-specific configured multiplexed ports

Traffic | Source IP | Source Port | Transport Protocol | Dest. IP | Dest. port
H.323 calls using Assent (NATed endpoints):
Q.931/H.225 and H.245 | Any | >=1024 | TCP | ExpE LAN2 | 2776
RTP Assent | Any | >=1024 | UDP | ExpE LAN2 | 36000*
RTCP Assent | Any | >=1024 | UDP | ExpE LAN2 | 36001*
H.323 endpoints with public IP addresses or remote Edge systems:
Q.931/H.225 | Any | >=1024 | TCP | ExpE LAN2 | 1720
H.245 | Any | >=1024 | TCP | ExpE LAN2 | 15000 to 19999
RTP & RTCP | Any | >=1024 | UDP | ExpE LAN2 | 36002 to 59999*
SIP endpoints or remote Edge systems:
SIP TCP | Any | >=1024 | TCP | ExpE LAN2 | 5060
SIP UDP | Any | >=1024 | UDP | ExpE LAN2 | 5060
SIP TLS | Any | >=1024 | TCP | ExpE LAN2 | 5061
RTP & RTCP | Any | >=1024 | UDP | ExpE LAN2 | 36002 to 59999*
Business-to-business Access Media Traversal
• The Traversal Media Port Range is set on the Configuration > Traversal Subzone menu on both Expressway-C and Expressway-E; it defaults to 36000 – 59999
• The B2BUA can be engaged on Expressway-C and/or Expressway-E in order to convert between encrypted and unencrypted calls
• The proxy component is always used on both Expressway-C and Expressway-E
• This media port range is divided and shared:
  • 1st half goes to the Proxy
  • 2nd half goes to the B2BUA
B2BUA Impact on Firewall Ports
• When only the Proxy is engaged (all zones set to “Auto”) on Expressway-E, the number of ports is halved compared to the situation where both B2BUA and Proxy are engaged
• Enabling encryption on Expressway-C instead of Expressway-E reduces the number of ports opened on the external firewall
• With B2BUA: 24 ports engaged per call
• Without B2BUA: 12 ports engaged per call
Example
• 50 concurrent B2B calls
• Total 600 (50x12) ports on the external FW without B2BUA
• Ports to be opened on the external FW without B2BUA engaged:
  • Range configured on Expressway: 1200 ports, from 50000 to 51199
  • First half goes to the Proxy: 50000 to 50599. These ports will be opened on the external FW
• Important Note: If you are restricting media ports on Expressway-E, make sure that the B2BUA is not engaged on Expressway-E but on Expressway-C
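The sizing rule from the last three slides as an added example (not Cisco's code): the configured traversal media range is split in half between Proxy and B2BUA, a call costs 12 ports Proxy-only or 24 with the B2BUA, and only the Proxy half has to be opened externally when the B2BUA is not engaged on Expressway-E. The 1024-65535 bound and the even-size requirement are assumptions of this example.

```python
"""Sizing the external-firewall media ports for B2B calls on Expressway-E.

Added example, not Cisco's code. It applies the figures from the slides: the traversal
media port range is split in half (first half Proxy, second half B2BUA), a call uses
12 ports when only the Proxy is engaged and 24 when the B2BUA is engaged too, and only
the Proxy half has to be opened on the external firewall when the B2BUA is not engaged
on Expressway-E. The port bounds and even-size check are assumptions of this example."""
from dataclasses import dataclass
from typing import Tuple

PORTS_PER_CALL_PROXY_ONLY = 12   # slide: without B2BUA
PORTS_PER_CALL_WITH_B2BUA = 24   # slide: with B2BUA


@dataclass(frozen=True)
class MediaPortPlan:
    proxy_range: Tuple[int, int]        # UDP ports served by the Proxy
    b2bua_range: Tuple[int, int]        # UDP ports served by the B2BUA
    external_fw_range: Tuple[int, int]  # UDP ports to open on the external firewall
    max_calls: int                      # concurrent B2B calls the opened range supports
    warning: str = ""


def plan_media_ports(start: int, end: int, concurrent_calls: int,
                     b2bua_on_expressway_e: bool) -> MediaPortPlan:
    """Split the configured traversal media range and check it carries the call load."""
    if not 1024 <= start < end <= 65535:
        raise ValueError("traversal media port range must lie within 1024-65535")
    size = end - start + 1
    if size % 2:
        raise ValueError("the range is split in half, so its size must be even")
    half = size // 2
    proxy = (start, start + half - 1)
    b2bua = (start + half, end)
    if b2bua_on_expressway_e:
        # Both halves carry media on Expressway-E, so the whole range must be reachable.
        external, per_call = (start, end), PORTS_PER_CALL_WITH_B2BUA
        warning = ("B2BUA engaged on Expressway-E: engage it on Expressway-C instead "
                   "to halve the ports opened on the external firewall")
    else:
        external, per_call, warning = proxy, PORTS_PER_CALL_PROXY_ONLY, ""
    available = external[1] - external[0] + 1
    needed = concurrent_calls * per_call
    if needed > available:
        raise ValueError(f"{concurrent_calls} calls need {needed} ports, the range offers {available}")
    return MediaPortPlan(proxy, b2bua, external, available // per_call, warning)
```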
Summary
• B2B architectures for single edge Expressway-C and Expressway-E with dual network interfaces
• SIP Variants
• How to protect the dialplan
• How to minimize ports opened on external firewall
• Quick overview on multiple Expressway deployment options
Cisco Spark
Questions?
Use Cisco Spark to communicate with the speaker after the session
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
Use an IPS to Block Spam and Scan Calls from the Internet
To make Expressway invisible, use an IPS to block unwanted traffic (diagram: NGIPS in front of Expressway-E and Expressway-C)
Customized Rules offset
FW Traversal: SIP Signaling (diagram): Expressway-C opens the SIP TLS traversal connection to Expressway-E from source port 25026 to destination port 7999 and keeps it alive with OPTIONS PING / 200 OK; the SIP INVITE then flows over that same connection
FW Traversal Using Assent: Media (diagram: SIP INVITE between Expressway-C and Expressway-E)
Match the internal dial plan
Used to allow calls only if they are addressed to a legal internal SIP address
• UserID rule: from 2 to 8 characters, starting with a letter, ending with a letter or a number. Might include .cmr for a personal CMR
  • [a-z]{2,7}[a-z0-9](\.cmr)?@example\.com
• UserID rule: name.surname. Might include an ending letter to distinguish between users with the same userID
  • [a-z]+\.[a-z]+[0-9](\.cmr)?@example\.com
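The Default Zone alias checks from the "Checking the calling alias" and "Checking the called alias" slides, combined with the two dial-plan regexes above, as an added example (not Cisco's code and not Expressway CPL syntax). It assumes Expressway applies a pattern to the whole alias; the Expressway IPs, Spark domain, PSTN pattern and blocked numeric range are constructed values, and the dial-plan regexes stand in for the plain "contains the domain" allow rule.

```python
"""Ordered alias checks for B2B calls arriving in the Expressway-E Default Zone.

Added example, not Cisco's code. Models the sequence from the "Checking the calling
alias" and "Checking the called alias" slides, using the two regexes from "Match the
internal dial plan" as the allow patterns. Assumptions: a pattern must match the whole
alias (fullmatch); Expressway IPs, Spark domain, PSTN pattern and the blocked numeric
range are constructed values."""
import re
from typing import Tuple

CORP_DOMAIN = "example.com"
EXPRESSWAY_IPS = {"10.10.10.10", "10.10.10.11"}        # constructed, from the zone example slide
SPARK_DOMAINS = {"example.webex.com"}                   # constructed placeholder
PSTN_RE = re.compile(r"\+?[0-9]{7,15}(@.*)?")          # constructed: 7-15 digit numbers look like PSTN
BLOCKED_NUMERIC_RE = re.compile(r"8[0-9]{3}(@.*)?")    # constructed: 8xxx range not open to B2B
INTERNAL_DIALPLAN = [                                   # verbatim from the slides
    re.compile(r"[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com"),
    # as written the trailing digit is mandatory, so name.surname without a digit is denied
    re.compile(r"[a-z]+\.[a-z]+[0-9](\.cmr)?@example\.com"),
]


def check_calling_alias(calling: str) -> Tuple[bool, str]:
    """Reject external callers that claim an identity belonging to the enterprise."""
    domain = calling.lower().rpartition("@")[2]
    if domain == CORP_DOMAIN or domain.endswith("." + CORP_DOMAIN):
        return False, "calling alias carries the corporate domain"
    if domain in EXPRESSWAY_IPS:
        return False, "calling alias carries an Expressway IP"
    if domain in SPARK_DOMAINS:
        return False, "calling alias carries an enterprise Spark domain"
    return True, "calling alias ok"


def check_called_alias(called: str) -> Tuple[bool, str]:
    """Rules in slide order: block PSTN, block numeric ranges, allow the dial plan, deny all."""
    called = called.lower()
    if PSTN_RE.fullmatch(called):
        return False, "PSTN access blocked"
    if BLOCKED_NUMERIC_RE.fullmatch(called):
        return False, "numeric range not open to B2B"
    if any(p.fullmatch(called) for p in INTERNAL_DIALPLAN):
        return True, "matches internal dial plan"
    return False, "final deny-all"


def evaluate_b2b_call(calling: str, called: str) -> Tuple[bool, str]:
    """Apply the calling-alias checks first, then the called-alias rules."""
    ok, reason = check_calling_alias(calling)
    if not ok:
        return False, reason
    return check_called_alias(called)
```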
DNS SRV Records for B2B
SRV record format for SIP and H.323 (RFC 2782)
_sips._tcp.example.com 86400 IN SRV 10 60 5061 expe.example.com
Service Discovery (diagram): dialing luca@example.com, the SIP server queries _sips._tcp.example.com and gets:
_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5061 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5061 backupbox.example.com.
Bigbox receives 60% and Smallbox 40% of the calls; Backupbox, at priority 20, is the backup.
Three Expressway-E with equal priority and weight (diagram: dialing abc@example.com):
_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe1.example.com.
(with matching records for expe2.example.com and expe3.example.com): expe1, expe2 and expe3 each receive 33% of the calls.
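RFC 2782 target selection over the record set shown above, as an added example (not Cisco's code, and not what any particular SIP stack implements): lowest priority value first, weighted random within a priority, and the next priority only after every better-priority target has failed. The SRV lines are the constructed ones from the slides.

```python
"""RFC 2782 target selection over the SRV records from the Service Discovery slides.

Added example, not Cisco's code. The record set is the constructed one shown on the
slides (bigbox weight 60 and smallbox weight 40 at priority 10, backupbox at
priority 20 with weight 0). select_target() chooses the way RFC 2782 describes:
lowest priority value first, weighted random within a priority, and the next
priority only once every target of the better priority has failed."""
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed zone data, copied from the Service Discovery slide
SLIDE_SRV = """
_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5061 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5061 backupbox.example.com.
"""


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_zone(text: str) -> List[SRV]:
    """Parse zone-file style lines: owner TTL IN SRV priority weight port target."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append(SRV(int(fields[4]), int(fields[5]), int(fields[6]), fields[7].rstrip(".")))
    return records


def select_target(records: Iterable[SRV], failed: Iterable[str] = (),
                  rng: Optional[random.Random] = None) -> Optional[SRV]:
    """Return the next record to try, or None once every target has failed."""
    rng = rng or random.Random()
    failed = set(failed)
    live = [r for r in records if r.target not in failed]
    for prio in sorted({r.priority for r in live}):
        group = [r for r in live if r.priority == prio]
        total = sum(r.weight for r in group)
        if total == 0:  # all weights zero: any order is acceptable
            return rng.choice(group)
        # RFC 2782: weight-0 records first, then pick a running-sum bucket at random
        ordered = sorted(group, key=lambda r: r.weight != 0)
        pick, running = rng.randint(0, total), 0
        for r in ordered:
            running += r.weight
            if running >= pick:
                return r
    return None


def distribution(records: List[SRV], trials: int = 10000, seed: int = 42) -> Dict[str, float]:
    """Share of first-choice selections per target over many independent dials."""
    rng = random.Random(seed)
    counts = Counter(select_target(records, rng=rng).target for _ in range(trials))
    return {target: n / trials for target, n in counts.items()}
```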
Expressway Dual Network Deployment Model
• Recommended solution
• Expressway-E LAN1 interface (internal) is used for clustering
• Expressway-E LAN1 interface can be translated by static NAT
• Expressway-E LAN2 interface (external) can be translated by static NAT
• Expressway-C interface can be translated by NAT
Business-to-business Architecture
• Expressway Protocol Selection
• Expressway Transport Protocol Selection
• Encryption for Signaling
• Encryption for Media
• Encryption and lock icon
SIP Transport Protocol Selection and Signaling Interworking
• Neighbor zones and Traversal zones: Expressway interworks if the outgoing transport type is different from the incoming one (diagram: UCM – SIP/TLS – ExpC – SIP/TLS/TCP/UDP – ExpE)
• DNS zones: based on priority (TLS/TCP/UDP). The DNS zone always tries TLS first (diagram: UCM – SIP/TLS – ExpC – traversal zone set to TLS – ExpE – 1. SIP/TLS, 2. SIP/TCP, 3. SIP/UDP)
(diagram: CM Neighbor Zone TLS/Auto, Traversal Client Zone TLS/Best Effort, Traversal Server Zone TLS/Best Effort; inbound Default Zone and outbound DNS Zone shown as Best Effort, not configurable; media TLS/RTP internally, TLS/SRTP toward a Remote Edge, TCP/RTP or RTP toward the Internet)
SIP Trunk Between CUCM and Expressway-C
Neighboring Expressway-C to Unified CM with SIP TLS
• This check box enables Secure Real-Time Protocol (SRTP) SIP Trunk connections and also allows the SIP trunk to fall back to Real-Time Protocol (RTP) if the endpoints do not support SRTP.
• In order for this check box to be effective, Cisco Unified CM must be in mixed mode
• A SIP TLS trunk doesn’t require mixed mode if RTP only is used
SIP Trunk Destination and SIP Trunk Security Profile
Directory Expressway Architecture (diagram, as on the 3+ sites slide, callouts 3 to 4): UCM1 and UCM2 behind Expressway-C1 and Expressway-C2. Call: ucm2endpoint@domain.com. The inbound CSS on the trunks doesn’t include the partition for the Route Pattern to the remote cluster. Works with Directory URI with ILS.
Directory Expressway Architecture
License Optimization