
BRKCOL-2018

Best Practices for Business-to-Business Video Collaboration

Luca Pellegrini - Technical Marketing Engineer
Davide Preti - Technical Marketing Engineer
Cisco Spark
Questions?
Use Cisco Spark to communicate with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKCOL-2018

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Target Architecture

[Diagram: Enterprise Network (Unified CM, Cisco Meeting Server, Expressway-C) | DMZ (Expressway-E) | Outside Network (Internet; standard client; MS client). 1st try: SIP/H.323 using the standard DNS SRV records. 2nd try: MS variant, with SIP MS signaling and media conversion on CMS.]

• B2B scenario including MS interop
• Security, firewall traversal, certificates, TLS, MTLS, reduced number of ports on the external firewall
• Spam calls
• Multiple edges not covered here:
  http://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/enterprise/11x/116/collbcvd/edge.html
Agenda

• Expressway Introduction
• Business-to-business Architecture
• Signaling Encryption
• Media Encryption
• B2B Interop with Microsoft
• Dial Plan

• Expressway Policy Protection


• Global Deployment Overview
• Minimizing or reducing UDP ports opened in the Internet firewall
Expressway Introduction
Cisco Expressway

[Build-up diagram, shown once here: Cisco Expressway at the center, with the services it provides around it]

• Jabber Guest / WebRTC: B2C
• MRA: Jabber and hardware devices
• Endpoint registration: Cisco video and 3rd-party devices
• Microsoft Integration: signaling and media gateway
• Spark Connector Host: CTI and AXL connection to UCM; EWS connection to Exchange
• B2B Technology
• Open Video Federation
• Calls to and from the Cisco Cloud (Spark, CMR)
Licensing and Consumption
Call scenarios that require Rich Media Session (RMS) licenses to proceed

  Business to Business Calls        Firewall traversal calls    consume 1 x RMS on Expressway-E
  Business to Customer Calls        Jabber Guest calls          consume 1 x RMS on Expressway-E
  Interoperability Gateway Calls    i.e. MS Interop calls       consume 1 x RMS on Expressway-C Gateway

Registered Calls (no RMS required)
• Calls between endpoints registered to Cisco call control services
• Calls to Cisco conferencing infrastructure or cloud services
Routing
1st Step: Call enters into Expressway

Expressway Zone Example (For Your Reference)

Expressway-C 10.10.10.10, Expressway-E 10.10.10.11

Zones on Expressway-C:
  Neighbor Zone A            to 192.168.10.10/5061
  Neighbor Zone B            to 192.168.10.11/5061
  B2B Traversal (client)     from 10.10.10.10/26202 to 10.10.10.11/7001
  UC Traversal (client)      from 10.10.10.10/26209 to 10.10.10.11/7002

Zones on Expressway-E:
  B2B Traversal (server)     from 10.10.10.11/7001 to 10.10.10.10/26202
  UC Traversal (server)      from 10.10.10.11/7002 to 10.10.10.10/26209
  Default Zone               inbound calls on 10.10.10.11/5061 from peers that match no configured zone

Inbound calls are mapped to a zone by source and destination IP/port:
  #  Call                 From (IP/port)          To (IP/port)        Mapped to
  1  Inbound call on -C   192.168.10.11/40307     10.10.10.10/5061    Neighbor Zone B
  2  Inbound call on -C   10.10.10.11/7001        10.10.10.10/26202   B2B Traversal
  3  Inbound call on -E   10.10.10.10/26209       10.10.10.11/7002    UC Traversal
  4  Inbound call on -E   172.19.100.100/32001    10.10.10.11/5061    Default Zone

Outbound calls are mapped by call routing rule:
  #  Call                 Call Routing Rule               To (IP/port)
  5  Outbound call on -C  Send 8XXX to Neighbor Zone A    192.168.10.10/5061
Expressway Zone Concept
• When a call reaches Expressway, Expressway classifies it based on source and destination address and port
• Based on that classification, the call is attributed to a specific «zone»
• Except for the Local Zone (not covered here), the other zones connect to remote systems, like a SIP trunk does on CUCM
• Different policies can be applied per zone, such as:
  • signaling and media encryption
  • protocol usage (i.e. SIP and/or H.323)
  • message authentication (PAI header for SIP)
  • use of TLS with mutual authentication
  • others
Most commonly used zones on Expressway
• Neighbor Zone: the zone most similar to a SIP trunk
• Traversal Zone: a special neighbor zone with firewall traversal capabilities
• DNS Zone: a special neighbor zone used for outbound B2B calls, supporting DNS SRV
• Default Zone: a special neighbor zone used for inbound B2B calls
Cisco Expressway Connectivity Overview
Most used zones on a Unified CM-centric architecture

[Diagram, rendered as a list]

Traversal pairs between Expressway-C and Expressway-E:
• B2B Traversal Client Zone (-C) / B2B Traversal Server Zone (-E): H.323 and SIP (B2B)
• UC Traversal Client Zone (-C) / UC Traversal Server Zone (-E): SIP TLS and SRTP mandatory (MRA)
• Cloud Traversal Client Zone (-C) / Cloud Traversal Server Zone (-E): SIP TLS and SRTP recommended (Spark)

Expressway-C:
• Neighbor Zone: UCM SIP trunk (Unified CM, MRA)
• ENUM Zone, DNS Zone, Default Zone

Expressway-E:
• Default Zone: B2B inbound calls
• B2B DNS Zone: B2B outbound calls
• Spark DNS Zone: Spark Hybrid calls
• Neighbor Zone, ENUM Zone
2nd Step: Call is routed
Expressway Routing

[Flowchart, rendered as steps]

1. Expressway receives the alias
2. Does the alias match a transform? Yes: apply the transform, then continue
3. Does the calling or called alias match a CPL rule? Yes: the rule decides Allow/Reject. If "reject": the call is Forbidden. If "allow": continue
4. Protocol selection: SIP / H.323 / SIP variants
5. Does the alias match a search rule? No: try the next lower-priority rule until the end of the rules or until the alias is found
6. Is the alias found in the target zone? Yes: send the call to the target zone
Protocol Selection Configuration

[Flowchart, rendered as steps; entered from the CPL logic]

1. Search with SIP. Found: place the call
2. Not found: search with H.323. Found: place the call
3. Not found: use the SIP MS variant and place the call
Pattern Matching
Regular Expressions (RegEx)
• A standard notation (POSIX), used in Unix and Linux editors
• Provide a concise and flexible means for matching and transforming strings
• Simple to use, yet powerful
• One of the techniques available in Expressway for matching calls in zones
Key RegEx Metacharacters (For Your Reference)

  .        Any single character
  \d       Single digit ≡ [0-9]
  *        0 or more repetitions of the previous character or expression
  +        1 or more repetitions of the previous character or expression
  ?        0 or 1 repetitions of the previous character or expression
  {n}      n repetitions of the previous character or expression
  [abc]    A character from this set of characters
  [1-4]    A character from this range of characters
  [^def]   A character NOT in this set of characters
  ^        Start of line
  $        End of line
  \        Literalize, e.g. \* really is the * (asterisk) character
  |        'or' – matches either alternative, e.g. (wxy|wyx)
  ( )      Group characters and store the group in \n (\1, \2, ...)
Most commonly used regexes on Expressway

  Regex                         Meaning                                Replacement      Result/Meaning
  .*                            Any string of any length
  .*@example\.com               Internal domain
  (?!.*@example\.com.*$).*      All external (non-corporate) domains
  [09]\d*@example\.com          PSTN access number (0 or 9 prefix)
  (8000\d{4})(@.*)?             8-digit internal dial plan             \1@example.com   8000XXXX@example.com

Note the escaped dot in example\.com: an unescaped "." matches any character, so the pattern would also accept look-alike domains.
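The patterns from the table, exercised in an added Python example (not part of the deck and not Expressway code). Python's re module accepts the same syntax as these Expressway patterns, including the negative lookahead; the sample aliases are constructed. The last function shows why the dot in the domain has to be escaped.

```python
import re

# Patterns from the table. fullmatch() is used because an Expressway regex
# (search rule or transform) has to match the whole alias, not a substring.
INTERNAL      = re.compile(r".*@example\.com")
EXTERNAL      = re.compile(r"(?!.*@example\.com.*$).*")
PSTN_ACCESS   = re.compile(r"[09]\d*@example\.com")
INTERNAL_8000 = re.compile(r"(8000\d{4})(@.*)?")


def classify(alias: str) -> str:
    """Return the first matching class, most specific pattern first, the way an
    administrator would order the corresponding rules."""
    if PSTN_ACCESS.fullmatch(alias):
        return "pstn-access"
    if INTERNAL.fullmatch(alias):
        return "internal"
    if EXTERNAL.fullmatch(alias):
        return "external"
    # e.g. alice@example.com.evil.org: not the internal domain, but the negative
    # lookahead also refuses it because "@example.com" occurs inside the alias
    return "unmatched"


def normalise_8000(alias: str) -> str:
    """Transform 8000XXXX or 8000XXXX@<anything> into 8000XXXX@example.com,
    i.e. the \\1@example.com replacement from the table. Other aliases pass through."""
    if INTERNAL_8000.fullmatch(alias) is None:
        return alias
    return INTERNAL_8000.sub(r"\1@example.com", alias)


def unescaped_dot_is_too_broad(alias: str) -> bool:
    """True when the unescaped pattern '.*@example.com' accepts an alias that the
    correctly escaped INTERNAL pattern rejects (the '.' matched a non-dot)."""
    loose = re.fullmatch(r".*@example.com", alias) is not None
    strict = INTERNAL.fullmatch(alias) is not None
    return loose and not strict
```

A trailing `.*` after the domain, as used in the search rules later in the deck, is what lets an alias that carries URI parameters (`alice@example.com;transport=tls`) still match; without it the patterns above reject such aliases.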
Proxy and B2BUA
SIP Proxy or SIP B2BUA?

• Proxy functionality is the native functionality of Expressway
• The B2BUA is a process internal to Expressway-C and Expressway-E, invoked by configuration
• A B2BUA fully terminates a call leg and establishes a new call leg. The two call legs are then bridged together and count as two different calls
• There are different kinds of B2BUA:
  1. B2BUA for MRA and Business-to-Business
  2. B2BUA for SIP to H.323 interworking
  3. B2BUA for MS interop
• If not explicitly stated, this presentation refers to the B2BUA of the 1st type
Proxy Without B2BUA Engagement

[Diagram: a single media leg crosses the Exp-C/E proxy process; the Exp-C/E B2BUA process is not involved]

• Single call leg
• No media termination
• The B2B call traverses the Expressways
• Under the following conditions (the same on both sides of the call):
  1. SIP/RTP
  2. H.323
  3. SIP/SRTP
  4. IPv4
B2BUA engagement for Media: "Encrypt on behalf of"

[Diagram: on Expressway-C/E, RTP media leg 1 enters the proxy process, media leg 2 goes to the B2BUA process, media leg 3 comes back to the proxy process, and SRTP media leg 4 leaves towards the far end; Cisco Unified CM is on the RTP side]

• The diagram shows the working principle
• In most cases the B2BUA talks directly to the endpoint or end system without going back to the proxy
Dual Network Deployment for Firewall Traversal
Expressway Firewall Traversal Basics

[Diagram: Enterprise Network (Unified CM, Expressway-C) | Firewall | DMZ (Expressway-E) | Firewall | Outside Network (Internet); signaling and media paths shown]

1. Expressway-E is the traversal server installed in the DMZ. Expressway-C is the traversal client installed inside the enterprise network.
2. Expressway-C initiates traversal connections outbound through the firewall to specific ports on Expressway-E with secure login credentials.
3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E to maintain the connection.
4. When Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C.
5. Expressway-C then routes the call to Unified CM to reach the called user or endpoint.
6. The call is established and media traverses the firewall securely over the existing traversal connection.
Call Flow
SRV Records for business-to-business
SRV record format for SIP and H.323

  Protocol    SRV record             Port   Transport
  SIP B2B     _sips._tcp.domain      5061   TLS
              _sip._tcp.domain       5060   TCP
              _sip._udp.domain       5060   UDP
  H.323 B2B   _h323ls._udp.domain    1719   RAS
              _h323cs._tcp.domain    1720   H.225
B2B Call Flow

[Diagram: Stark Industries (Cisco Unified CM, Expressway-C, Expressway-E) calls bob@acme.com at ACME Corp.]

1. Expressway-E queries DNS for acme.com; the SRV answer points at sip1.acme.com and sip2.acme.com
2. Expressway-E sends INVITE sip:bob@acme.com to sip2.acme.com
3. Media flows between the two companies
Business-to-Business Architecture
Signaling
H.323/SIP Protocol Selection Algorithm
• H.323 and SIP are enabled globally and at zone level
• H.323/SIP protocol selection: native protocol first, alternative protocol as backup
• Interworking has to be enabled
• SIP to H.323 interworking with media handling
• Protocol selection can be changed with search rules

[Diagram: a SIP call reaches Expressway-C (VCS-C); 1. SIP is tried first, 2. H.323 as backup; the SIP to H.323 B2BUA handles signaling and media towards the H.323 endpoint]
TLS: Certificate Check on Expressway
• During the validity check, standard browsers make sure that the hostname matches the SAN/CN and that the cert has been signed by a trusted CA
• On Expressway this check is optional: it is activated by setting TLS verify mode to "On", and it is configurable per zone
• Consequence: if you don't set up TLS verification, TLS can be established with a self-signed certificate
• In both cases the call will be encrypted, but only TLS verify mode "On" authenticates the other peer
TLS verify set to “Off”
Traversal Zone Example
Expressway-C connecting to Expressway-E via a traversal zone
Peer1 certificate SAN:
X509v3 Subject Alternative Name:
DNS:example.com, DNS:expe.example.com

• If TLS verify mode is set to “Off”, Expressway won't check the hostname or that the cert is properly signed
• IP addresses can be used as peer address
• Note that the IP address is not included in the SAN of the remote peer (Expressway-E)
TLS verify set to “On”
Neighbor zone example: connection to UCM
• TLS verify mode triggers MTLS
• The certificate CN or SAN is matched against the configured peer address

Peer1 certificate SAN:
X509v3 Subject Alternative Name:
DNS:example.com, DNS:us-cm-srv1.example.com
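What "TLS verify mode = On" has to check, as an added Python example (not part of the deck and not Expressway's code). It parses the SAN lines shown on the two slides above, applies RFC 6125 hostname matching, and shows why an IP address configured as the peer address fails against a certificate that only carries DNS names. Checking the SAN entries before falling back to the CN is common TLS-client practice; that Expressway follows exactly this order is an assumption.

```python
import ipaddress
from typing import List, Tuple


def parse_san(text: str) -> List[Tuple[str, str]]:
    """Parse an OpenSSL-style SAN line such as
    'DNS:example.com, DNS:expe.example.com, IP Address:10.10.10.11'
    into (type, value) pairs."""
    entries = []
    for item in text.split(","):
        kind, _, value = item.strip().partition(":")
        if kind and value:
            entries.append((kind.strip(), value.strip()))
    return entries


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, a single '*' allowed only as
    the entire left-most label, never matching across a dot, and never for a
    pattern with fewer than three labels (no '*.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def peer_matches_certificate(peer_address: str, subject_cn: str, san_text: str) -> bool:
    """The hostname part of a TLS verify check: the configured peer address must
    match a SAN entry (DNS or IP Address); the CN is consulted only when the
    certificate carries no DNS SANs (assumed order, see lead-in)."""
    san = parse_san(san_text) if san_text else []
    dns_sans = [v for k, v in san if k == "DNS"]
    ip_sans = [v for k, v in san if k == "IP Address"]
    try:
        peer_ip = ipaddress.ip_address(peer_address)
    except ValueError:
        peer_ip = None
    if peer_ip is not None:
        # An IP peer address only ever matches an IP Address SAN, never a DNS name:
        # this is why the traversal-zone example needs TLS verify "Off" when IPs are used
        return any(peer_ip == ipaddress.ip_address(v) for v in ip_sans)
    if dns_sans:
        return any(dns_name_matches(p, peer_address) for p in dns_sans)
    return dns_name_matches(subject_cn, peer_address)
```

The signature check (a trusted CA in the Expressway trust list) is the other half of TLS verify and is not modelled here; both have to pass for the peer to be authenticated.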
Outbound B2B calls on Expressway-E with TLS
DNS Zone (outbound)

[Diagram: (1) Expressway-E (expe.example.com) sends a Client hello to host.mypreferredpartner.com; (2) the third-party edge answers with a Server hello and its CERTIFICATE <Public Key>; (3) Expressway-E checks that certificate when TLS verify is "On"]

• TLS verify set to "On" checks the certificate. Good for closed video federation
• If the TLS verify subject name is not known in advance (open video federation), TLS verify mode must be turned off
‘TLS verify’ Summary for B2B Calls
• TLS verify increases security by checking the certificate (signature, hostname, etc.) of the called party. TLS verify requires knowing the DNS hostname of the remote peer as included in its certificate
• Recommended to turn it on on Traversal Zones and Neighbor Zones
• If the hostnames in the DMZ use a separate DNS and IP addresses are used instead of DNS names, TLS verify must be turned off
• Closed video federation (B2B communications with selected partners): turn TLS verify on (remote peers and certs are known; a neighbor zone can be created)
• Open video federation (standard B2B): turn TLS verify off (remote peers and certs are not known)
TLS vs TLS with Mutual Authentication (MTLS)

[Diagram, rendered as the two handshakes as seen by Expressway-E]

TLS:
  Client hello                                            -> Expressway-E
  Server hello followed by certificate                    <- Expressway-E

MTLS:
  Client hello                                            -> Expressway-E
  Server hello followed by certificate, Certificate Request  <- Expressway-E (the client must present its own certificate)
Open B2B Federation with MTLS and Certificate Check

• Turn off SIP UDP
• Turn off SIP TCP
• Turn off H.323
• Enable TLS with mutual authentication
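An added Python example (not part of the deck and not Cisco tooling) that ties the SRV table from the "Call Flow" slides to the hardening list above: it emits the single record a TLS-only open federation should publish and audits an existing record set for anything that contradicts the policy (plaintext transports, H.323, a wrong port on _sips._tcp) or that is missing when Microsoft interop is expected. The owner names, ports and transports come from the deck; the priority/weight values, the host expe.example.com and the finding texts are assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Srv:
    name: str        # owner name, e.g. _sips._tcp.example.com
    priority: int
    weight: int
    port: int
    target: str      # host the record points at, e.g. expe.example.com (assumed)


# Standard B2B service names and what each advertises (SRV table in the deck)
SIP_SRV = {"_sips._tcp": ("TLS", 5061), "_sip._tcp": ("TCP", 5060), "_sip._udp": ("UDP", 5060)}
H323_SRV = {"_h323ls._udp": ("RAS", 1719), "_h323cs._tcp": ("H.225", 1720)}
MS_FEDERATION = "_sipfederationtls._tcp"   # Microsoft federation record; no overlap with the above


def tls_only_records(domain: str, expe_fqdn: str, priority: int = 10, weight: int = 10) -> List[Srv]:
    """Records to publish when SIP UDP, SIP TCP and H.323 are turned off:
    only _sips._tcp on 5061. Priority and weight are assumed values."""
    return [Srv(f"_sips._tcp.{domain}", priority, weight, 5061, expe_fqdn)]


def zone_file_lines(records: List[Srv]) -> List[str]:
    """Render records in BIND zone-file syntax."""
    return [f"{r.name}. IN SRV {r.priority} {r.weight} {r.port} {r.target}." for r in records]


def audit_records(records: List[Srv], domain: str, expect_ms_federation: bool = False) -> List[str]:
    """Flag records that undermine a TLS/MTLS-only policy: any published plaintext
    transport or H.323 record, a wrong port on _sips._tcp, a missing _sips._tcp and,
    when Microsoft interop is expected, a missing federation record."""
    findings = []
    names = {r.name for r in records}
    for svc, (transport, _port) in {**SIP_SRV, **H323_SRV}.items():
        if svc != "_sips._tcp" and f"{svc}.{domain}" in names:
            findings.append(f"{svc}.{domain} advertises {transport}: peers will try unencrypted signaling")
    for r in records:
        if r.name == f"_sips._tcp.{domain}" and r.port != 5061:
            findings.append(f"{r.name} points at port {r.port}, expected 5061 (TLS)")
    if f"_sips._tcp.{domain}" not in names:
        findings.append(f"_sips._tcp.{domain} is missing: TLS-capable peers cannot reach {domain}")
    if expect_ms_federation and f"{MS_FEDERATION}.{domain}" not in names:
        findings.append(f"{MS_FEDERATION}.{domain} is missing: Microsoft peers cannot federate")
    return findings
```

Run the audit against what a resolver actually returns for your domain (a `dig SRV` per name), not against what you believe is published: stale `_sip._udp` or H.323 records from an earlier deployment are exactly what an unauthenticated caller will use first.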
Certificate Check with MTLS and Open Video Federation
• Turning off TLS verify prevents any sort of certificate check
• MTLS on port 5061 can be used to turn on certificate verification without specifying the TLS verify name
• Caveat: MRA is not compatible with MTLS on port 5061
• Caveat: doesn't work with the B2BUA on Expressway-E
MTLS and Default Zone Access Rules

[Screenshot: Default Zone access rules configuration]

• If the calling party doesn't present a valid certificate, the connection is rejected before any SIP message is sent
• If some partners don't have a valid certificate, it's possible to upload their self-signed certificate into the Expressway-E trust list. It is not possible to use a certificate signed by a temporary CA.
• If a remote host is sending spam calls, its certificate will show in the log and it will be possible to create a rule to stop those calls
Media Encryption Policy
• The Expressway Media Encryption Mode applies to:
  • Neighbor, DNS, Traversal, and Default Zones
  • SIP calls, and H.323 calls interworked to SIP
  • Does NOT apply to H.323-only calls

  Auto:               No media encryption policy applied by Expressway
  Best Effort:        Use encryption if available, otherwise fall back to unencrypted
  Force Encrypted:    All media must be encrypted
  Force Unencrypted:  All outgoing media will be unencrypted
Media Encryption – Auto Example

  Hop                                            Signaling   Media encryption mode
  CUCM -> Expressway-C (CM Neighbor Zone)        TLS         Auto
  Expressway-C Traversal Client Zone             TLS         Auto
  Expressway-E Traversal Server Zone             TLS         Auto
  Expressway-E Default Zone (inbound)            TLS         Auto (not configurable)
  Expressway-E DNS Zone (outbound)               TLS         Auto (not configurable)
  Internet -> 3rd-party SIP server                           RTP/SRTP, based on endpoint negotiation

• Auto: doesn't engage the B2BUA
• No control of media status; the endpoints decide the encryption settings
Media encryption – Lock icon
Optimization of the previous example

  Hop                                            Signaling/Media   Media encryption mode
  CUCM -> Expressway-C (CM Neighbor Zone)        TLS/SRTP          Best Effort
  Expressway-C Traversal Client Zone             TLS/SRTP          Best Effort
  Expressway-E Traversal Server Zone             TLS               Best Effort
  Expressway-E Default Zone (inbound)            TLS               Best Effort (not configurable)
  Expressway-E DNS Zone (outbound)               TLS               Best Effort (not configurable)
  Internet -> 3rd-party SIP server               RTP

• The lock icon shows closed because the first 2 call legs are encrypted, even though the media on the Internet leg is still plain RTP
B2B Interop with Microsoft Lync
Terminology
Traffic Classification

• Traffic Classification is a new, powerful tool of Expressway X8.9+
• Traffic is recognized and classified into "SIP Variants"
• Traffic can be routed based on these 4 classifications:
  • Standards-based
  • All Microsoft variants
  • Microsoft AV&Share only
  • Microsoft SIP IM&P only
Traffic Classification and Search Rules

Similarly to H.323/SIP calls, we can't know upfront whether a destination address is "Microsoft flavor" or "Standard SIP": we must try both.
Interoperability and interworking rely on "fallback mechanisms". When a user places a call, Expressway searches for it as SIP/H.323/MSFT-SIP (plus the several TCP/TLS/UDP transport protocols).
An administrator can decide the priority order. Typically standard SIP/H.323 first and, if the destination is not found, we continue by involving CMS for transcoding. Expressway-E then searches for the Microsoft SRV record for that domain. This order can be inverted, or both can be tried at the same time (call forking).
Starting with X8.9+, the Expressway-E DNS Enhanced zone is able to look up the Microsoft SRV record (_sipfederationtls._tcp.company.com).

NOTE: CMS is also required for MS B2B video federations.
Traffic Classification and Search Rules

[Screenshot: a search rule with the five parameters highlighted]

Search rules consider FIVE parameters to determine a destination zone (target):
1. Protocol (i.e. SIP/H.323)
2. Source zone (i.e. a trunk)
3. Authentication (yes/no)
4. Pattern string (i.e. destination domain)
5. SIP Variant (key element for Microsoft interop federations)
TIP: Always specify source zones to avoid loops and make troubleshooting easier
SRV Records and Certificates
SRV Records in use (inbound traffic)

There's a common misunderstanding about overlapping SRV records that needs to be cleared up:
• Microsoft SIP federations require an SRV record targeting _sipfederationtls._tcp.company.com
• Standard SIP federations require two SRV records: _sip._tcp.company.com and _sips._tcp.company.com
There are NO overlapping SIP SRV records between the Cisco solution and any Microsoft Lync/Skype for Business environment.

The confusion comes from an SRV record used by OCS R1 (10 years ago) for _sip._tcp.<domain>, for external TCP connections.
This SRV record may be present in your customer environment but it's not needed anymore and they can remove it. Microsoft documentation is pretty clear about that.
SRV Records and Certificates
Certificate Requirements
If the Expressway-E is not clustered:
• Subject Common Name = FQDN of Expressway-E
• Subject Alternative Names = FQDN of Expressway-E

If the Expressway-E is clustered, with individual certificates per Expressway:
• Subject Common Name = FQDN of Expressway-E
• Subject Alternative Names = FQDN of Expressway-E; FQDN of cluster

NOTE: The Expressway-E FQDN (A record) must be part of the SIP domain(s)*. You'll need an alias for EVERY SIP domain (i.e. expressway-e.sipdomain.com; expressway-e.sipdomain2.com; etc.)
*this is a Microsoft requirement.
SRV Records and Certificates
Example

[Screenshot: Expressway-E certificate with the FQDN of Expressway-E and the FQDN of the Expressway-E cluster in the Subject Alternative Names]
Business to Business Architecture for MS Interop
Outbound calls example

[Diagram: company.com (XMPP/SIP) with CUCM cluster, CUCM IM&P, endpoints, Expressway-C, Expressway-E and TURN server; Internet; a business partner with standard endpoints (standard SIP) and a business partner with Lync/SfB clients (Microsoft SIP, XMPP, SIP SIMPLE); WebRTC and business partner/MRA access also shown]
Traffic Classification and Search Rules
Dialplan Example – Expressway-C

A basic B2B interop federation scenario requires at least 6 search rules on Expressway-C:
• 3 search rules for video: 2 outbound, 1 inbound
• 3 search rules for IM&P: 1 outbound, 2 inbound
Traffic Classification and Search Rules
Dialplan Example – Expressway-E

• A basic B2B interop federation scenario requires no specific search rules on Expressway-E. Rules can match "any" SIP variant, satisfying standard AND Microsoft traffic routing at the same time.
• However, in order to keep configurations clean and easy to manage, one could create rules based on specific SIP variants, i.e. Standards-based; Microsoft Video; Microsoft IM&P
Traffic Classification and Search Rules
Dialplan Example – Video Outbound, Expressway-C

[Screenshot: Expressway-C search rules, steps 1-3 highlighted]

Cisco user John calls a business partner: jane.doe@federateddomain.com (Skype for Business)

1. John's device is registered to CUCM. CUCM sends the SIP INVITE to Expressway-C
2. Expressway-C recognizes this as the "Standards-based" SIP variant
3. According to the 5 parameters (protocol, source, authentication, pattern string and SIP variant) a "Target Zone" is determined. The call is then routed to Expressway-E

[Diagram: 1st try SIP/H.323 towards the standard client; the MS client is not reached yet]
Traffic Classification and Search Rules
Dialplan Example – Video Outbound, Expressway-E

[Screenshot: Expressway-E search rules, steps 4-6 highlighted]

4. Expressway-E recognizes the call as the "Standards-based" SIP variant
5. According to the call parameters a "Target Zone" is determined
6. The call is routed to the DNS Zone
  • Expressway-E then looks up the "standard SRV records" (i.e. _sips._tcp.federateddomain.com)
  • It won't find the destination user/domain and returns a "404 – Not Found" back to Expressway-C

[Diagram: 1st try SIP/H.323, using the standard DNS SRV records with SIP/H.323, towards the standard client]
Traffic Classification and Search Rules
Dialplan Example – Video Outbound, Expressway-C

[Screenshot: Expressway-C search rules, steps 7-11 highlighted]

7. Expressway-C matches the next relevant rule (in priority order)
8. Traffic is still classified as "Standards-based"
9. As a sort of "fallback mechanism" we now hit a search rule involving CMS for transcoding
10. CMS generates a new call leg, now transcoded to Microsoft AV&Share traffic
11. According to the call parameters a "Target Zone" is determined. The call is now routed to Expressway-E as "Microsoft AV&Share"

[Diagram: 2nd try with the MS variant; MS signaling and media conversion on CMS, towards the MS client]
Traffic Classification and Search Rules
Dialplan Example – Video Outbound, Expressway-E

[Screenshot: Expressway-E search rules, steps 12-14 highlighted]

12. Expressway-E recognizes the call as the "Microsoft AV&Share" SIP variant
13. According to the call parameters a "Target Zone" is determined
14. The call is routed to the DNS Zone. Expressway-E now looks up the "Microsoft SRV record" (i.e. _sipfederationtls._tcp.federateddomain.com) and jane.doe@federateddomain.com is found

[Diagram: 2nd try with the MS variant, using the MS DNS SRV record; MS signaling and media conversion on CMS, towards the MS client]
Business to Business Architecture for MS Interop
Inbound calls example

[Diagram: company.com (XMPP/SIP) with CUCM cluster, CUCM IM&P, endpoints, Cisco Meeting Server, Expressway-C, Expressway-E and TURN server; Internet; a business partner with standard endpoints (standard SIP) and a business partner with Lync/SfB clients (Microsoft SIP, XMPP, SIP SIMPLE); WebRTC and business partner/MRA access also shown]
B2B Architecture for MS Interop
SRV and combined features

SRV records (among others):
  _h323cs._tcp.company.com            - B2B standard federations
  _sip._tcp.company.com               - B2B standard federations
  _sips._tcp.company.com              - B2B standard federations
  _xmpp-server._tcp.company.com       - XMPP federations
  _collab-edge._tls.company.com       - MRA
  _xmpp-client._tcp.example.com       - CMA registration
  _sipfederationtls._tcp.company.com  - MSFT interop

[Diagram: same topology as the inbound example, with Cisco Meeting Server, Expressway-C and Expressway-E]

A single pair of Expressway-C/E can provide all federation, calling and registration services
Licensing for B2B Federations – quick overview
• Every B2B call consumes 1 RMS on the Expressway-E node
• Audio-only calls and audio/video calls consume 1 RMS each
• VCS Control & VCS Expressway still consume traversal call licenses
• CMS needs SMP/PMP licenses for video transcoding

GENERAL RULE: All B2B calls are handled the same way.
We don't care whether it is audio/video/standard/Microsoft: it's 1 RMS for each call.

In B2B scenarios all the hard work is done by CMS, so there is no need for the Microsoft Interop option key on Expressway/VCS. Expressway/VCS just do call routing and, possibly, interworking (i.e. H.323/SIP; encryption on behalf of).

IM&P traffic doesn't consume call licenses. It doesn't require any specific license at all.
Dial Plan
Standard Dial Plan (For Your Reference)

Expressway-C
  Priority   Regex                        Target
  60         .*@example\.com.*            UCM Zone
  65         (?!.*@example\.com.*$).*     B2B Traversal Client Zone

Expressway-E
  Priority   Regex                        Target
  60         .*@example\.com.*            B2B Traversal Server Zone
  65         (?!.*@example\.com.*$).*     B2B DNS Zone

• -E to -C and -C to UCM for all calls matching the internal domain
• UCM routes outbound any URI different from a Directory URI and not included in the ILS table
• Expressway-C and -E route outbound any URI not matching the internal domain
Standard Dial Plan with Microsoft Interop: Inbound (For Your Reference)

Expressway-C
  Priority   Regex                       Source Zone        SIP Variant        Target             Continue
  60         .*@example\.com.*           Traversal Client   Standards-based    UCM Zone           No
  60         .*@example\.com.*           Traversal Client   Microsoft AV       CMS Zone           No
  65         (?!.*@example\.com.*$).*    UCM Zone           Standards-based    Traversal Client   Yes
  70         (?!.*@example\.com.*$).*    UCM Zone           Standards-based    CMS Zone           No
  75         (?!.*@example\.com.*$).*    CMS Zone           Microsoft AV       Traversal Client   No

Expressway-E
  Priority   Regex                       Source Zone        SIP Variant        Target             Continue
  60         .*@example\.com.*           Default Zone       All SIP Variants   Traversal Server   No
  65         (?!.*@example\.com.*$).*    Traversal Server   All SIP Variants   DNS Zone           Yes

[Diagram: inbound flow; on Expressway-C the "MS?" decision picks the priority-60 rule towards the UCM Zone (No) or the CMS Zone (Yes)]
Standard Dial Plan with Microsoft Interop: Outbound (For Your Reference)

Expressway-C
  Priority   Regex                       Source Zone        SIP Variant        Target             Continue
  60         .*@example\.com.*           Traversal Client   Standards-based    UCM Zone           No
  60         .*@example\.com.*           Traversal Client   Microsoft AV       CMS Zone           No
  65         (?!.*@example\.com.*$).*    UCM Zone           Standards-based    Traversal Client   Yes   (first try: standard)
  70         (?!.*@example\.com.*$).*    UCM Zone           Standards-based    CMS Zone           No    (second try: via CMS)
  75         (?!.*@example\.com.*$).*    CMS Zone           Microsoft AV       Traversal Client   No    (Microsoft leg from CMS)

Expressway-E
  Priority   Regex                       Source Zone        SIP Variant        Target             Continue
  60         .*@example\.com.*           Default Zone       All SIP Variants   Traversal Server   No
  65         (?!.*@example\.com.*$).*    Traversal Server   All SIP Variants   DNS Zone           Yes

[Diagram: outbound flow; the standard try (rule 65) runs first, and only if the standard SRV lookup fails does the MS try (rules 70 and 75) follow]
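The Expressway-C rules of the dial plan above, run through an added Python simulation (not part of the deck and not Expressway code). It models the five search-rule parameters listed on the "Traffic Classification and Search Rules" slide and the Continue/Stop behaviour, and replays the outbound Microsoft interop call from the Video Outbound slides. The partner's SRV records are a constructed in-memory table in which federateddomain.com publishes only the Microsoft federation record; the "found" outcome for each target zone is an assumption standing in for the real SIP search, and authentication is left out because every rule in the table applies regardless of it.

```python
import re
from typing import Callable, List, Optional, Tuple
from dataclasses import dataclass

STANDARD = "Standards-based"
MS_AV = "Microsoft AV&Share"
ANY = "All SIP Variants"


@dataclass(frozen=True)
class SearchRule:
    priority: int
    pattern: str        # regex matched against the whole destination alias
    source_zone: str
    variant: str        # SIP variant the rule applies to
    target: str
    cont: bool          # True = "Continue" to later rules if not found, False = "Stop"


# Expressway-C rules from the "Standard Dial Plan with Microsoft Interop" table
EXPC_RULES = [
    SearchRule(60, r".*@example\.com.*", "Traversal Client", STANDARD, "UCM Zone", False),
    SearchRule(60, r".*@example\.com.*", "Traversal Client", MS_AV, "CMS Zone", False),
    SearchRule(65, r"(?!.*@example\.com.*$).*", "UCM Zone", STANDARD, "Traversal Client", True),
    SearchRule(70, r"(?!.*@example\.com.*$).*", "UCM Zone", STANDARD, "CMS Zone", False),
    SearchRule(75, r"(?!.*@example\.com.*$).*", "CMS Zone", MS_AV, "Traversal Client", False),
]

# Constructed DNS data (assumption, not a real lookup): SRV names each partner publishes
FAKE_SRV = {
    "federateddomain.com": {"_sipfederationtls._tcp"},    # Skype for Business only
    "partner.example.net": {"_sips._tcp", "_sip._tcp"},    # standards-based SIP only
}


def srv_names_for(variant: str) -> Tuple[str, ...]:
    """Expressway-E's DNS zone queries the standard SRV names for standards-based
    traffic and _sipfederationtls._tcp for the Microsoft variant."""
    return ("_sips._tcp", "_sip._tcp") if variant == STANDARD else ("_sipfederationtls._tcp",)


def dns_zone_found(alias: str, variant: str) -> bool:
    domain = alias.split("@", 1)[1]
    return any(n in FAKE_SRV.get(domain, set()) for n in srv_names_for(variant))


def expc_zone_found(target: str, alias: str, variant: str) -> bool:
    """Assumed outcome of searching each Expressway-C target zone."""
    if target == "Traversal Client":      # -E applies its own rules and ends in the DNS zone
        return dns_zone_found(alias, variant)
    if target == "CMS Zone":              # CMS accepts the call and originates the Microsoft leg
        return True
    if target == "UCM Zone":
        return alias.endswith("@example.com")
    return False


def search(rules: List[SearchRule], alias: str, source_zone: str, variant: str,
           zone_found: Callable[[str, str, str], bool]) -> Tuple[Optional[str], list]:
    """Apply matching rules in priority order. Returns (target zone or None, trace of
    (priority, target, found)). A rule set to Stop ends the search even when not found."""
    trace = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.source_zone != source_zone or rule.variant not in (variant, ANY):
            continue
        if re.fullmatch(rule.pattern, alias) is None:
            continue
        found = zone_found(rule.target, alias, variant)
        trace.append((rule.priority, rule.target, found))
        if found:
            return rule.target, trace
        if not rule.cont:
            break
    return None, trace


def route_outbound(alias: str) -> list:
    """Steps 1-14 of the deck's outbound example for a UCM-registered caller: the
    standards-based leg first, then, if CMS took the call, the Microsoft AV&Share leg
    that CMS originates from the CMS Zone. Returns one (variant, target, trace) per leg."""
    legs = []
    target, trace = search(EXPC_RULES, alias, "UCM Zone", STANDARD, expc_zone_found)
    legs.append((STANDARD, target, trace))
    if target == "CMS Zone":
        target, trace = search(EXPC_RULES, alias, "CMS Zone", MS_AV, expc_zone_found)
        legs.append((MS_AV, target, trace))
    return legs
```

The Continue flag on rule 65 is what makes the fallback work: with Stop, the 404 from Expressway-E would end the search and the CMS rule at priority 70 would never be tried. Conversely the Stop on rule 70 and 75 keeps a call that CMS cannot deliver from wandering into further rules.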
Expressway Policy Protection
Example of unauthorized access attempts on Expressway-E

[Screenshot: call attempts towards the access codes for the PSTN (0, 9) and for the internal numbering plan (80…)]
Expressway – Mitigating Toll Fraud
Zone authentication policy

[Diagram: Expressway-C (Authenticated) – Traversal Zone – Expressway-E (Unauthenticated)]

• Call policy rules are applied to the source zone or to unauthenticated traffic
Call Policy Rules with X8.9.1+

  From          Rule Applies To                        Source Address Pattern    Destination Pattern       Action
  Source Type   Authenticated vs unauthenticated       Configurable with regex   Configurable with regex   Allow/Reject
                traffic

  From          Originating Zone                       Destination Pattern                                 Action
  Zone          Drop-down menu                         Configurable with regex                             Allow/Reject

• If «Zone» is selected, the CPL rule applies to all calls coming from a specific zone that match the configured called ID pattern (no calling ID)
• With «Source Type» (from address) it is possible to specify both the calling and the called ID pattern. However, the rule applies to either authenticated or unauthenticated calls
Checking the calling alias
• The calling alias of a call hitting the Default Zone (B2B) shouldn't contain:
  • the corporate domain (example.com)
  • Expressway IPs
  • enterprise Cisco Spark domains

  From          Rule Applies To   Source Pattern             Destination Pattern   Action   Example
  Source Type   Unauthenticated   (.*)@example\.com.*        .*                    Reject   Call from 100@example.com rejected
  Source Type   Unauthenticated   (.*)@10\.10\.10\.1[12]     .*                    Reject   Call from user@10.10.10.11 or 200@10.10.10.12 rejected
Checking the called alias
• Block PSTN access
• Block any numeric range that is not supposed to receive B2B calls (if it exists)
• Allow any other destination that contains the domain
• Final deny-all

Rule Applies To: Zone
Originating Zone | Destination Pattern | Action | Example
Default Zone | [09]\d+@example\.com.* | Reject | 0003939012345678@example.com
Default Zone | 8001\d{4}@example\.com.* | Reject | 80010123@example.com
Default Zone | (.*)@example\.com.* | Allow | <anything>@example.com
Default Zone | .* | Reject | Anything else
What’s the final result?

Routing stops immediately, since CPL rules are the first thing checked ({IP Addr/port No} in the screenshot).

… If you want to be invisible you have to deploy an IPS. Details in the Appendix.
Global Deployment
Overview
Multiple Expressways

• Outbound calls can be directed by UCM to the Expressway that is nearest the
calling endpoint by using CSS and Partitions
• Inbound calls can be delivered by using two mechanisms:
• Geo DNS
• Directory Expressway

Global Deployment Topology & Geo DNS

Diagram: regional Unified CM clusters (RTP, SJC, DFW; PAR, LON, AMS; TKY, BGL, HKG) connect over SIP lines to a US SME, an EU SME and an Asia SME, aggregated by a global SME; each region (US, Europe, Asia) has its own Expressway traversal edge providing SIP trunk access to the Internet.
Geo DNS Setup Example with two Expressway Clusters

SRV records: _sips._tcp.example.com and _sip._tcp.example.com

Location: US
Priority | Weight | Expressway-E | Role
10 | 10 | us-expe1.example.com | us-expe default for calling devices in US
10 | 10 | us-expe2.example.com |
20 | 10 | emea-expe1.example.com | emea-expe as backup for calling devices in US
20 | 10 | emea-expe2.example.com |

Location: EMEA
Priority | Weight | Expressway-E | Role
10 | 10 | emea-expe1.example.com | emea-expe default for calling devices in EMEA
10 | 10 | emea-expe2.example.com |
20 | 10 | us-expe1.example.com | us-expe as backup for calling devices in EMEA
20 | 10 | us-expe2.example.com |
Directory Expressway Architecture: 2 Sites

Diagram: call to ucm2endpoint@domain.com. Site 1 has UCM1, Expressway-C1 and Expressway-E1; site 2 has UCM2, Expressway-C2 and Expressway-E2. The call is traced through numbered steps 1 to 4 between Expressway-E1 and Expressway-E2, then via Expressway-C2 to UCM2.

Note on both clusters: the inbound CSS of the trunks doesn’t include the partition for the Route Pattern to the remote cluster. Works with Directory URI with ILS.
Directory Expressway Architecture: 3+ Sites

Diagram: same two sites as before (UCM1 / Expressway-C1 / Expressway-E1 and UCM2 / Expressway-C2 / Expressway-E2), with a Directory Expressway-E placed between Expressway-E1 and Expressway-E2. The call to ucm2endpoint@domain.com is traced through numbered steps 1 to 4 (1 at the Directory Expressway-E, 2 at the site Expressway-Es, 3 at Expressway-C2, 4 at UCM2).

Note on both clusters: the inbound CSS of the trunks doesn’t include the partition for the Route Pattern to the remote cluster. Works with Directory URI with ILS.
Minimizing UDP Ports open to Expressway-E

Filtering ACLs for B2B calls: External Firewall Port Requirements
Based on a medium/small OVA with multiplexed ports not specifically configured

Protocol | Source IP | Source Port | Transport | Dest. IP | Dest. port

H.323 calls using Assent (NATted endpoints)
Q.931/H.225 and H.245 | Any | >=1024 | TCP | ExpE LAN2 | 2776
RTP Assent | Any | >=1024 | UDP | ExpE LAN2 | 36000*
RTCP Assent | Any | >=1024 | UDP | ExpE LAN2 | 36001*

H.323 endpoints with public IP addresses or remote Edge systems
Q.931/H.225 | Any | >=1024 | TCP | ExpE LAN2 | 1720
H.245 | Any | >=1024 | TCP | ExpE LAN2 | 15000 to 19999
RTP & RTCP | Any | >=1024 | UDP | ExpE LAN2 | 36002 to 59999*

SIP endpoints or remote Edge systems
SIP TCP | Any | >=1024 | TCP | ExpE LAN2 | 5060
SIP UDP | Any | >=1024 | UDP | ExpE LAN2 | 5060
SIP TLS | Any | >=1024 | TCP | ExpE LAN2 | 5061
RTP & RTCP | Any | >=1024 | UDP | ExpE LAN2 | 36002 to 59999*

* On large systems, the default allocation for multiplexed media is 36000 to 36011.
* On small/medium systems, two configurable ports are allocated for multiplexed media traffic. The defaults are 2776 and 2777 and can be changed; if the admin chooses not to configure those ports, Expressway listens on 36000 and 36001.
Business-to-business Access Media Traversal
• The Traversal Media Port Range is set in the Configuration > Traversal Subzone menu on both Expressway-C and Expressway-E; it defaults to 36000 – 59999
• The B2BUA can be engaged on Expressway-C and/or Expressway-E in order to interwork an encrypted call leg with an unencrypted one
• The proxy component is always used on both Expressway-C and Expressway-E
• This media port range is divided and shared:
  • 1st half goes to the Proxy
  • 2nd half goes to the B2BUA
• The following example uses the port range 36000 to 59999:
  36000 to 47999 goes to the Proxy
  48000 to 59999 goes to the B2BUA
B2BUA Impact on Firewall Ports
• When only the Proxy is engaged on Expressway-E (all zones set to “auto”), the number of ports is reduced by half compared to the situation where both the B2BUA and the Proxy are engaged
• Enabling encryption on Expressway-C instead of Expressway-E reduces the number of ports opened on the external firewall
• With B2BUA: 24 ports engaged per call
• Without B2BUA: 12 ports engaged per call
Example
• 50 concurrent B2B calls
• Total 600 (50x12) ports on the external FW without B2BUA
• Ports to be opened on the external FW without B2BUA engaged:
  • Range configured on Expressway: 1200 ports, from 50000 to 51199
  • First half goes to the Proxy: 50000 to 50599. These ports will be opened on the external FW

• Important Note: if you are restricting media ports on Expressway-E, make sure that the B2BUA is not engaged on Expressway-E but on Expressway-C
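The sizing rule of this and the previous slide, as an added example that is not part of the session material: a Python helper that derives the range to configure and the external firewall opening for N calls, assuming the 12 ports per call and the half/half proxy/B2BUA split stated above (plan_media_ports and check_range are names chosen here; the port numbers are the slide's own).

```python
# Added example, not from the session: sizing the Expressway-E traversal media
# port range and the matching external firewall rule, using the figures stated
# on the slides (12 media ports per B2B call without B2BUA, first half of the
# range for the proxy, second half for the B2BUA).

PROXY_PORTS_PER_CALL = 12


def plan_media_ports(concurrent_calls: int, range_start: int,
                     b2bua_on_expe: bool = False) -> dict:
    """Range to configure for N calls and the UDP ports to open on the external FW.

    b2bua_on_expe=True models the situation the slide warns about: with the
    B2BUA engaged on Expressway-E the second half of the range carries media
    too, so the whole range has to be opened (24 ports per call instead of 12).
    """
    proxy_ports = concurrent_calls * PROXY_PORTS_PER_CALL
    range_end = range_start + 2 * proxy_ports - 1      # proxy half + B2BUA half
    proxy_end = range_start + proxy_ports - 1
    fw_end = range_end if b2bua_on_expe else proxy_end
    return {
        "range": (range_start, range_end),
        "proxy_half": (range_start, proxy_end),
        "b2bua_half": (proxy_end + 1, range_end),
        "external_fw_udp": (range_start, fw_end),
        "external_fw_ports": fw_end - range_start + 1,
    }


def check_range(range_start: int, range_end: int, concurrent_calls: int) -> dict:
    """Given an already configured range, how many proxy-only calls does it carry?"""
    size = range_end - range_start + 1
    proxy_half = size // 2                 # only the first half serves the proxy
    supported = proxy_half // PROXY_PORTS_PER_CALL
    return {"proxy_half_ports": proxy_half,
            "supported_calls": supported,
            "enough": concurrent_calls <= supported}
```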

Summary

• B2B architectures for single edge Expressway-C and Expressway-E with dual network interfaces
• SIP Variants
• How to protect the dial plan
• How to minimize ports opened on the external firewall
• Quick overview of multiple Expressway deployment options
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you
Use an IPS to Block Spam and Scan Calls from the Internet
To make Expressway invisible, use an IPS to block unwanted traffic (diagram: Internet, NGIPS, Expressway-E, Expressway-C)

NGIPS
- Traffic analysis based on (customized) signatures
- Inspects packets
- Drops unwanted traffic before it reaches Expressway-E
- Drops traffic that doesn’t match the internal dial plan
- As an example: userID of 8 characters, might end with a digit, needs to have the domain
- Blocks SIP OPTIONS and SIP INVITE that don’t match the internal dial plan
- Added as an example only. Currently not supported!
Customized Rules

1. SIP TCP RULE FOR INVITE:

alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (sid:1100001; msg:"SIP SPAM - invalid INVITE Request URI with metadata:service sip"; rev:8; resp:reset_both; content:"INVITE|20|sip:"; nocase; distance:-11; pcre:!"/sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com/iR"; metadata:service sip; classtype:unknown; )

2. SIP UDP RULE FOR INVITE:

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (sid:1100006; msg:"SIP SPAM - invalid INVITE UDP Request URI with metadata:service sip"; rev:1; resp:reset_both; content:"INVITE|20|sip:"; nocase; content:"INVITE|20|"; distance:-11; pcre:!"/sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com/iR"; metadata:service sip; classtype:unknown; )

3. SIP TCP RULE FOR SIP OPTIONS:

alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (sid:1100007; msg:"SIP SPAM - invalid OPTIONS TCP Request URI with metadata:service sip"; rev:1; resp:reset_both; content:"OPTIONS|20|sip:"; nocase; content:"OPTIONS|20|"; distance:-12; pcre:!"/sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com/iR"; metadata:service sip; classtype:unknown; )

4. SIP UDP RULE FOR SIP OPTIONS:

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (sid:1100008; msg:"SIP SPAM - invalid OPTIONS UDP Request URI with metadata:service sip"; rev:1; resp:reset_both; content:"OPTIONS|20|sip:"; nocase; content:"OPTIONS|20|"; distance:-12; pcre:!"/sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com/iR"; metadata:service sip; classtype:unknown; )

CURRENTLY NOT SUPPORTED! SHOWN AS REFERENCE ONLY
FW Traversal: SIP Signaling

Diagram: Expressway-C opens the connection toward Expressway-E: TCP handshake (SYN, SYN/ACK, ACK) from source port 25026 to destination port 7999, followed by MTLS. Over this SIP TLS connection Expressway-C sends OPTIONS PINGs and Expressway-E answers 200 OK, so the connection stays open and the SIP INVITE can flow over it.

Expressway-C side: Source Port 25026 | Dest Port 7999
Expressway-E side: Destination Port 25026 | Source Port 7999
FW Traversal Using Assent: Media

Diagram: after the SIP INVITE, Expressway-C opens UDP connections from its media source ports toward Expressway-E (probes to 2776/2777).

Expressway-C source ports (UDP):
48210 RTP audio
48211 RTCP audio
48212 RTP video
48213 RTCP video
48214 RTP duo video
48215 RTCP duo video
48216 BFCP
48217 (not used)
48218 iX
48219 RTCP iX

Expressway-E destination ports: 2776 (RTP) and 2777 (RTCP).

Return traffic uses the same ports in reverse (Expressway-E source 2776/2777 to the Expressway-C ports above); media flows bidirectionally.
Match the internal dial plan
To be used to allow calls only if they use a legal internal SIP address
• UserID rule: from 2 to 8 characters, starting with a letter, ending with a letter or a number. Might include .cmr for personal CMR
  • [a-z]{2,7}[a-z0-9](\.cmr)?@example\.com
• UserID rule: name.surname. Might include an ending number to distinguish between users with the same userID
  • [a-z]+\.[a-z]+[0-9](\.cmr)?@example\.com
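These two dial-plan patterns and the appendix's Snort-style rules, as an added example that is not Cisco's code and not a supported configuration: a Python check that applies the same regexes to the Request-URI of sample INVITE/OPTIONS requests (the sample messages and the helper names are constructed here).

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not Cisco's code and not a supported configuration: the intent
# of the Snort-style rules in the appendix re-implemented in Python so the
# dial-plan regexes can be tested against sample SIP requests offline. The check
# is anchored to the Request-URI of the start line; the slides' pcre has no
# leading ^, so it would also be satisfied by a legal sip: URI appearing later
# in the message (for example in a To header), which makes this version stricter.

# Dial-plan regexes from the "Match the internal dial plan" slide.
USERID_SHORT = r"[a-z]{2,7}[a-z0-9](\.cmr)?"
USERID_NAMED = r"[a-z]+\.[a-z]+[0-9](\.cmr)?"
DOMAIN = r"example\.com"
LEGAL_URI = re.compile(rf"^sip:(?:{USERID_SHORT}|{USERID_NAMED})@{DOMAIN}$", re.IGNORECASE)
INSPECTED_METHODS = {"INVITE", "OPTIONS"}


def start_line(message: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (method, request_uri) for a SIP request, (None, None) otherwise."""
    first = message.split("\r\n", 1)[0].split("\n", 1)[0]
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        return None, None        # responses and malformed lines carry no Request-URI
    return parts[0].upper(), parts[1]


def verdict(message: str) -> str:
    """'drop' for what the rules would reset, 'pass' for everything else."""
    method, uri = start_line(message)
    if method not in INSPECTED_METHODS:
        return "pass"            # only INVITE and OPTIONS are inspected
    bare = uri.split(";", 1)[0]  # ignore URI parameters such as ;transport=tls (assumption)
    return "pass" if LEGAL_URI.match(bare) else "drop"


# Constructed sample requests (only the start line matters for the check).
SAMPLES: Dict[str, str] = {
    "legal short id": "INVITE sip:abrown1@example.com SIP/2.0\r\nVia: SIP/2.0/TLS 198.51.100.7\r\n\r\n",
    "legal cmr":      "INVITE sip:abrown1.cmr@example.com SIP/2.0\r\n\r\n",
    "legal named":    "OPTIONS sip:alice.brown1@example.com SIP/2.0\r\n\r\n",
    "pstn scan":      "INVITE sip:0003939012345678@example.com SIP/2.0\r\n\r\n",
    "extension scan": "INVITE sip:80010123@example.com SIP/2.0\r\n\r\n",
    "no domain":      "INVITE sip:abcdef1@203.0.113.10 SIP/2.0\r\n\r\n",
    "too long":       "OPTIONS sip:abcdefghij@example.com SIP/2.0\r\n\r\n",
    "not inspected":  "REGISTER sip:example.com SIP/2.0\r\n\r\n",
}


def classify_all() -> Dict[str, str]:
    return {name: verdict(msg) for name, msg in SAMPLES.items()}
```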

DNS SRV Records for B2B
SRV record format for SIP and H.323 (RFC 2782)

_sips._tcp.example.com 86400 IN SRV 10 60 5061 expe.example.com

Field by field:
• _sips: name of the service
• _tcp.example.com: protocol (TCP, UDP...) and domain name
• 86400: DNS Time-To-Live: how long the server caches the record before it flushes the cache
• IN: DNS class, always “IN”
• SRV: record type
• 10: Priority: the lowest priority value means “preferred”
• 60: Weight: load-balances records with the same priority
• 5061: Port: TCP or UDP port for the service
• expe.example.com: Target: hostname or IP address of the host providing the service
Service Discovery

_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5061 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5061 backupbox.example.com.

Diagram: a SIP server dialing luca@example.com queries _sips._tcp.example.com and receives the three records. At priority 10, Bigbox receives 60% of the calls and Smallbox 40%; Backupbox (priority 20) is only used when the priority-10 targets cannot be reached.
Real Scenario

_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe1.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe2.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe3.example.com.

Diagram: the SIP server dialing abc@example.com distributes calls evenly, 33% each, across expe1.example.com, expe2.example.com and expe3.example.com (same priority, same weight).
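The weighted selection behind these pie charts (and, per location view, the Geo DNS setup shown earlier), as an added example that is not part of the session material: a Python implementation of RFC 2782 target ordering run over the slides' own record sets (parse_srv, order_targets and first_choice_share are names chosen here).

```python
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not part of the session material: RFC 2782 target selection run
# over the slides' SRV record sets (the same ordering applies per location view
# in the Geo DNS setup). Priority picks the group of targets to try, weight
# load-balances inside the group; a lower-priority group is reached only after
# every higher-priority target has been tried.


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(zone_text: str) -> List[Srv]:
    """Parse zone-file style lines: name ttl class SRV priority weight port target."""
    records = []
    for line in zone_text.strip().splitlines():
        fields = line.split()
        if len(fields) == 8 and fields[3].upper() == "SRV":
            records.append(Srv(int(fields[4]), int(fields[5]),
                               int(fields[6]), fields[7].rstrip(".")))
    return records


def order_targets(records: List[Srv], rng: Optional[random.Random] = None) -> List[str]:
    """Order the targets the way an RFC 2782 client tries them."""
    if rng is None:
        rng = random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            rng.shuffle(group)
            # RFC 2782: weight-0 records first, then take the first record whose
            # running weight sum reaches a random number in [0, total weight].
            group.sort(key=lambda r: r.weight != 0)
            n = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for rec in group:
                running += rec.weight
                if running >= n:
                    break
            ordered.append(rec.target)
            group.remove(rec)
    return ordered


def first_choice_share(records: List[Srv], trials: int = 10000,
                       seed: int = 2018) -> Dict[str, float]:
    """Fraction of lookups landing on each target first (the slides' pie charts)."""
    rng = random.Random(seed)
    counts = Counter(order_targets(records, rng)[0] for _ in range(trials))
    return {target: count / trials for target, count in counts.items()}


# Record set as shown on the Service Discovery slide.
SLIDE_ZONE = """
_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5061 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5061 backupbox.example.com.
"""
```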

Expressway Dual Network Deployment Model

• Recommended solution
• Expressway-E LAN1 interface (internal) is used for clustering
• Expressway-E LAN1 interface can be translated by static NAT
• Expressway-E LAN2 interface (external) can be translated by static NAT
• Expressway-C interface can be translated by NAT

Business-to-business Architecture
• Expressway Protocol Selection
• Expressway Transport Protocol Selection
• Encryption for Signaling
• Encryption for Media
• Encryption and lock icon

SIP Transport Protocol Signaling Interworking
SIP Transport Protocol Selection

• Neighbor zones and Traversal zones: Expressway interworks if the outgoing transport type is different from the incoming one

  Diagram: UCM to ExpC over SIP/TLS, ExpC to ExpE over SIP/TLS, ExpE to the Internet over SIP/TLS, TCP or UDP. The UCM zone set to TCP interworks TLS to TCP, the traversal zone is set to TLS, and the Expressway-E Default Zone accepts SIP over UDP/TCP/TLS.

• DNS zones: based on priority (TLS/TCP/UDP). A DNS zone always tries TLS first

  Diagram: UCM to ExpC over SIP/TLS, traversal zone set to TLS, and ExpE trying 1. SIP/TLS, 2. SIP/TCP, 3. SIP/UDP toward the remote domain.

• In case of TLS/TCP protocol translation, the B2BUA is not engaged
Media encryption – Best Effort example
Optimization of the previous example

Diagram:
Expressway-C: CM Neighbor Zone (TLS, media encryption Auto); Traversal Client Zone (TLS, Best Effort)
Expressway-E: Traversal Server Zone (TLS, Best Effort); inbound Default Zone (not configurable, Best Effort); outbound DNS Zone (not configurable, Best Effort)
Internet side: TCP/RTP, TLS/RTP or TLS/SRTP toward the Remote Edge

• Best Effort-Auto example: 3 call legs due to the “3-in-a-row” rule optimization
• Minimizes the number of ports open on the external firewall
SIP Trunk Between CUCM and Expressway-C
Neighboring Expressway-C to Unified CM w/ SIP TLS

Neighbor Zone to Unified CM (screenshot callouts):
• Turn off H.323
• Set a port other than 5061 if the Expressway is shared between MRA and B2B. TLS verify mode triggers Mutual TLS.
• Best Effort: Expressway will try SRTP first and RTP if the remote endpoint is non-encrypted. Mixed mode required on Unified CM
Neighboring Expressway to Cisco Unified CM
Zone Configuration
• DNS names are mandatory if TLS verification is set to “on” (MTLS). They will be checked against the certificate SAN. IP addresses require TLS verify mode set to “off”
• OPTIONS PING to monitor status
• Documentation says to create a custom zone with Call signaling routed mode set to “always”

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-8/Cisco-Expressway-SIP-Trunk-to-Unified-CM-Deployment-Guide-CUCM-8-9-10-11-and-X8-8.pdf
CUCM SIP Trunk to Expressway-C

• This check box enables Secure Real-Time Protocol (SRTP) SIP Trunk
connections and also allows the SIP trunk to fall back to Real-Time Protocol
(RTP) if the endpoints do not support SRTP.
• In order for this check box to be effective, Cisco Unified CM must be in mixed
mode
• SIP TLS trunk doesn’t require mixed mode if RTP only is used

SIP Trunk Destination and SIP Trunk Security Profile

SIP Trunk settings (screenshot callouts):
• Mutual TLS: has to match the SANs of the remote system cert
• Unified CM listening port: has to match the port on the Unified CM neighbor zone configured on Expressway
CPL design
• Note: CPL rules are evaluated top-down
• 1. Reject malformed calling aliases
• 2. Reject forbidden destinations in called aliases
  • PSTN access
  • Specific numeric ranges not allowed from B2B
• 3. Allow called destinations matching the internal domain
• 4. Deny all
• Point 3 could be much more granular than this, e.g.:
  • Allow [a-z]*\.[a-z]*(\d)?@ent-pa\.com
  • Allow 8002[12]\d{3}@example\.com
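The calling-alias and called-alias tables earlier in the deck and this four-step order, as an added example that is not part of the session material: a Python simulator that evaluates the slides' rules top-down, first match wins, assuming each pattern must match the whole alias (Rule, Call, evaluate and decide are names chosen here).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not Cisco's code: Expressway call policy (CPL) rules simulated
# top-down, first match wins. "From" rules select on source type (authenticated
# or unauthenticated) and carry calling and called patterns; "Zone" rules select
# on the originating zone and carry a called pattern only.
# Assumption: a pattern must match the whole alias (the slides' patterns carry
# their own .* where partial matches are intended).

@dataclass
class Rule:
    applies_to: str                # "From" or "Zone"
    selector: str                  # source type or originating zone name
    source_pattern: Optional[str]  # calling alias regex (From rules only)
    dest_pattern: str              # called alias regex
    action: str                    # "Allow" or "Reject"

@dataclass
class Call:
    calling: str
    called: str
    zone: str = "Default Zone"
    authenticated: bool = False

def _matches(pattern: str, alias: str) -> bool:
    return re.fullmatch(pattern, alias) is not None

def rule_applies(rule: Rule, call: Call) -> bool:
    if rule.applies_to == "From":
        source_type = "Authenticated" if call.authenticated else "Unauthenticated"
        if rule.selector != source_type:
            return False
        if rule.source_pattern is not None and not _matches(rule.source_pattern, call.calling):
            return False
    elif rule.selector != call.zone:       # "Zone" rule: originating zone must match
        return False
    return _matches(rule.dest_pattern, call.called)

def evaluate(rules: List[Rule], call: Call) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule), or ("NoMatch", None)."""
    for index, rule in enumerate(rules):
        if rule_applies(rule, call):
            return rule.action, index
    return "NoMatch", None

# The slides' rule set in the order the CPL design prescribes: 1. reject spoofed
# calling aliases, 2. reject forbidden called destinations, 3. allow the
# corporate domain, 4. deny everything else.
RULES = [
    Rule("From", "Unauthenticated", r"(.*)@example\.com.*", r".*", "Reject"),
    Rule("From", "Unauthenticated", r"(.*)@10\.10\.10\.1[12]", r".*", "Reject"),
    Rule("Zone", "Default Zone", None, r"[09]\d+@example\.com.*", "Reject"),
    Rule("Zone", "Default Zone", None, r"8001\d{4}@example\.com.*", "Reject"),
    Rule("Zone", "Default Zone", None, r"(.*)@example\.com.*", "Allow"),
    Rule("Zone", "Default Zone", None, r".*", "Reject"),
]

def decide(calling: str, called: str, zone: str = "Default Zone",
           authenticated: bool = False) -> str:
    """Outcome for one B2B call arriving at Expressway-E under RULES."""
    return evaluate(RULES, Call(calling, called, zone, authenticated))[0]
```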

Directory Expressway Architecture
License Optimization

Diagram: Expe1, Expe2, Expe3 and Expe4 peer with the Directory Expressway (Dir Expe) through neighbor zones, some over TLS and some over TCP, each with Media set to “Auto”; the Dir Expe Default Zone is not configurable.

• When an Expressway performs TCP to TLS interworking, it can’t remove itself from the signaling path
• Media will flow around it if the default and neighbor zones are set to “auto”, but signaling will flow through it
• No licensing optimization happens in this case: the DirExpe license stays engaged for the rest of the call
• Optimization happens only for TCP-only or TLS-only calls