Professional Documents
Culture Documents
William Bell
Hao Tran
February 18, 2015
1
Copyright 2015
Customer Condential
Agenda
Introductions
Collaboration Edge
Architecture Overview
Mobile and Remote Access (MRA)
Overview
MRA Implementation
Q&A
2
Copyright 2015
Customer Condential
Introductions
William Bell, CCIE #38914
Williams background spans an array of technical disciplines including application
development, network infrastructure, protocol analysis, virtualization, and UC. He leads
the UC&C practice and works with customers on architecting solutions that align with
core business drivers. Bill is a regular contributor on the Cisco Support Community, a 3time Cisco Designated VIP, and blogs on the NetCraftsmen and UC Guerrilla sites.
Copyright 2015
Customer Condential
Agenda
Introductions
Collaboration Edge
Architecture Overview
Mobile and Remote Access (MRA)
Overview
MRA Implementation
Q&A
4
Copyright 2015
Customer Condential
Cloud Services
Flexible and scalable, pay as
you go shared resources
WebEx, WebEx Enabled
Telepresence
Interoperability
Mobile and
Remote Access
Investment
protection with
existing 3rd party and
legacy
communication
solutions
IPv4-v6, H323-SIP,
Standards Based
video
Ubiquitous user
experience Any
Device, Anywhere
Jabber Mobile &
Desktop /
TelePresence
Copyright 2015
Customer Condential
Collaboration Edge
Architecture Components
Enterprise
UC Infrastructure
Copyright 2015
Customer Condential
Collaboration Edge
Architecture Components
Enterprise
UC Infrastructure
Collab Edge
PSTN
TDM Voice
ISDN Video
CUBE/SBC
SIP PSTN
Phone Proxy
Cisco Expressway
Mobile and Remote Access
B2B Video
XMPP Federation
Jabber Guest
7
Copyright 2015
Customer Condential
Agenda
Introductions
Collaboration Edge
Architecture Overview
Mobile and Remote Access (MRA)
Overview
MRA Implementation
Q&A
8
Copyright 2015
Customer Condential
Copyright 2015
Customer Condential
MRA
Business Drivers
BYOD
Solution Benets
Borderless workforce
Contractors, teleworkers
Signicant cost savings
CapEx-Yes, OpEx-Maybe
Employee productivity
24x7x365 Anytime, Anywhere
MRA is an enabler
Feature continuity and
transparency
Borderless communications
Secure communications
Cloud services support
Teleworking
Cost savings
OpEx Infrastructure cost reduction
Employee satisfaction and retention
- 2012 40% of US working pop
telecommutes at least part time
- Work-Life Integration
Employee productivity
10
Copyright 2015
Customer Condential
Cisco UCM
UDS Provisioning
End user authentication
Client registration
Voice/Video Call Control
11
Copyright 2015
Customer Condential
12
Copyright 2015
Customer Condential
13
Copyright 2015
Customer Condential
Introduced mid-2014
Initial VCS/Expressway version X8.1
Based on the Cisco Video Communications Server (VCS)
Cisco VCS
Expressway
Designed for UCM 9.1+
Virtual Machine only
No cost licensing for MRA
functionality
Subset of platform feature set
Two versions:
Core (Expressway-C)
Edge (Expressway-E)
14
Copyright 2015
Customer Condential
Expressway-C
Enterprise
UC Network
Jabber
1 2
4
Expressway-E
Internet
Expressway-C (Core)
Expressway-E (Edge)
Traversal client
Proxy endpoint registration
Traversal server
Hosts external client
connections
SIP to UCM
XMPP to IM/P
HTTP to VM and directory
Traversal Basics
1.
2.
3.
4.
Copyright 2015
Customer Condential
Supplementary Services
Domain Name Services (DNS)
Perimeter Firewall(s)
Certicate Services
Internal Enterprise Hosts
Externally Accessible Hosts
Copyright 2015
Customer Condential
Agenda
Introductions
Collaboration Edge
Architecture Overview
Mobile and Remote Access (MRA)
Overview
MRA Implementation
Q&A
17
Copyright 2015
Customer Condential
MRA Implementation
UC Infrastructure Provisioning
Expressway and the DMZ
Certicate Provisioning
Copyright 2015
Customer Condential
MRA Implementation
Infrastructure Provisioning
19
Copyright 2015
Customer Condential
Infrastructure Provisioning
Expressway and the DMZ
Expressway-C
Always deployed on the internal LAN
Uses a Firewall Traversal mechanism to communicate with Expressway-E
Expressway-E
Typically deployed in the DMZ
Can adapt to a variety of DMZ environments
Supports Static NAT (SNAT) using Advanced Networking Option
Supports dual network connections using DUAL NIC feature (part of
Advanced Networking Option)
Firewall
Various deployment options are supported
ALG is not a viable option w/ MRA solution
20
Copyright 2015
Customer Condential
Infrastructure Provisioning
Enterprise
UC Network
Internet
LAN1
LAN2
10.3.20.5
SNAT 64.10.0.10
10.3.10.5
Expressway-E
Static Routes
Deployment Scenario
uc-expe-01
A: uc-expe-01.domain.com
-> 64.10.0.10
Jabber @ Anywhere
Expressway-C
Traversal Zone
Expressway-E Cong
Internet Zone
21
Copyright 2015
Customer Condential
Infrastructure Provisioning
Expressway and the DMZ DUAL
Enterprise
UC Network
Internet
LAN1
LAN2
64.10.0.10
10.3.10.5
Expressway-E
Static Routes
Deployment Scenario
uc-expe-01
A: uc-expe-01.domain.com
-> 64.10.0.10
Jabber @ Anywhere
Expressway-C
Traversal Zone
Expressway-E Cong
Internet Zone
Copyright 2015
Customer Condential
Infrastructure Provisioning
Internet
DMZ-toUntrusted
DMZ-toTrusted
Deployment Scenario
LAN1
10.3.10.5
SNAT 64.10.0.10
Traversal Zone
Expressway-E Cong
A: uc-expe-01.domain.com
-> 64.10.0.10
Jabber @ Anywhere
Expressway-C
Internet Zone
Copyright 2015
Customer Condential
Infrastructure Provisioning
Internet
FW1
FW2
LAN1
10.3.10.5
SNAT 64.10.0.10
Static Routes
Deployment Scenario
Traversal Zone
Expressway-E Cong
Advanced Networking enabled
A: uc-expe-01.domain.com
-> 64.10.0.10
Jabber @ Anywhere
Expressway-C
Internet Zone
Copyright 2015
Customer Condential
Infrastructure Provisioning
Internet
LAN1
LAN2
64.10.0.10 OR SNAT
10.3.10.5
Expressway-E
Jabber @ Anywhere
Expressway-C
uc-expe-01
Deployment Scenario
Considerations
But, it works...
25
Copyright 2015
Customer Condential
Infrastructure Provisioning
Certicate Provisioning - Overview
Jabber @ work
LDAP
PKI
Web
Expressway-C
Internet
Expressway-E
Cisco UCM
IM &
Presence
Jabber @ Anywhere
Unity
Connection
26
Copyright 2015
Customer Condential
Infrastructure Provisioning
Certicate
Considerations
Cisco UCM
Tomcat (HTTP)
Cisco IM&P
Tomcat (HTTP)
XCP Router (XMPP)
Unity Connection
Tomcat (HTTP)
Expressway-E
Server Cert
WebEx Services
CAS, WAPI
General Considerations
Client will prompt user when cert is not trusted
To avoid identity mismatch, congure UC applications to use FQDN
qCisco UCM: System servers and UC service proles
qCisco IM/P: Cluster topology, TFTP servers, CCMCIP proles
Public CAs do not support IP address, non-FQDN, or bogus FQDN in CSR
27
Copyright 2015
Customer Condential
Infrastructure Provisioning
Certicate Provisioning - Expressway
Server Certicates
X.509 Extended Key usage: TLS Web Client Auth + TLS Web Server Auth
No support for wildcard certicates
No requirement to add Expressway certs to CTL (for UCM Mixed Mode)
Expressway-E Certicates
Server Certicate should be signed by Public CA
All service discovery domains need to added as SANs in the CSR
Expressway-C Certicates
Recommend using Enterprise CA but can use Public CA
For UCM Mixed Mode - add phone security proles as SANs in CSR
Other Considerations
XMPP Federations and Federated Group chat SAN requirements
Expressway Cluster considerations
28
Copyright 2015
Customer Condential
Infrastructure Provisioning
Expressway Certicate Trust Store
Certicate Type
Yes
Yes
Yes
Yes
Yes
No
No
No
Yes
29
Copyright 2015
Customer Condential
MRA Implementation
Service Discovery
30
Copyright 2015
Customer Condential
Service Discovery
Process Overview
Edge Discovery
Client queries DNS SRV records to determine service location
Attempt to discovery internal services then fallback to Edge Discovery
Copyright 2015
Customer Condential
Service Discovery
Edge Discovery
(1)
(2a):_cisco-uds._tcp.netcraftsmen.com
(2b):_cuplogin._tcp.netcraftsmen.com
_cisco-uds._tcp.netcraftsmen.com
_cuplogin._tcp.netcraftsmen.com
(4c):_collab-edge._tls.netcraftsmen.com
(2a)
(4c)
(3)
(5)
UID:
wjb@netcraftsmen.com
(2b)
UID:
wjb@netcraftsmen.com
Process
Considerations
1.
2.
3.
4.
_cisco-uds._tcp.<domain>
_cuplogin._tcp.<domain>
External Record:
_collab-edge._tls.<domain>
Copyright 2015
Customer Condential
Service Discovery
Get Edge Conguration
(2d) (2f)
Cisco UCM
(2e)
LDAP
Authentication
(2c)
(2b)
(1)
Expressway-E
(2a)
SRV: _cisco-uds._tcp.<domain>
SRV: _cisco-phone-tftp._tcp.<domain>
SRV: _cuplogin._tcp.<domain>
A records (as needed)
Internet
Jabber @ Anywhere
Expressway-C
Process
1. Jabber establishes TLS connection
Copyright 2015
Customer Condential
Service Discovery
Get Edge Conguration
(3)
(3)
(3)
Internet
Cisco UCM
(4)
(4)
(4)
Expressway-E
Considerations
Process
1. Jabber establishes TLS connection
2. Jabber requests Edge conguration
3. UCM responds with 200 OK
Firewall Rules
Server Certicates
Jabber @ Anywhere
Expressway-C
34
q Expressway-E
q Cisco UCM
q LDAP (optional)
Copyright 2015
Customer Condential
Service Discovery
Expressway-C
Internet
Expressway-E
Cisco UCM
Process
IM &
Presence
Unity
Connection
Visual voicemail
Copyright 2015
Customer Condential
MRA Implementation
Deployment Considerations
36
Copyright 2015
Customer Condential
Deployment Considerations
Multi-Domain Deployment
Expressway-C
uc-expc.internal.local
Jabber @ Anywhere
<host>.internal.local
Internet
Cisco UCM
Expressway-E
uc-expe.public.com
JID:
wjb@internal.local
Considerations
XMPP Domain
<host>.internal.local internal.local
IM&P
Solution
Leverage Split-DNS
Modify jabber-cong.xml
VoiceServicesDomain = public.com
Copyright 2015
Customer Condential
Deployment Considerations
Cisco WebEx Cloud
Copyright 2015
Customer Condential
Deployment Considerations
Customizing Service Discovery
Methodology
J4W: Can push conguration parameters during MSI install
All Clients: Leverage Conguration URL
Copyright 2015
Customer Condential
Deployment Considerations
Expressway
VCS
Yes
Yes
Yes
Yes
Yes
Yes
Video Interworking
(IPv4-IPv6, H323-SIP, MS H264 SVC-AVC, Standards based 3rd party)
Yes
Yes
No
Yes
No
Yes
Yes*
Yes
No
Yes
Copyright 2015
Customer Condential
Deployment Considerations
Minimum Software Requirements
Feature
Call Processing
IM/Presence
Voicemail
Collaboration
Edge
Clients*
UC Solution Component
Minimum Version
Cisco Unied CM
9.1(2)SU1
9.1.1
8.6(1)
Cisco Expressway or
X8.1.1
Cisco VCS
Jabber for Windows
9.7
9.6(1)
9.6
9.6
TC 7.1
* Expressway X8.5 Preview Feature: Support for Cisco DX, 7800, and 8800 endpoints
41
Copyright 2015
Customer Condential
Agenda
Introductions
Collaboration Edge
Architecture Overview
Mobile and Remote Access (MRA)
Overview
MRA Implementation
Q&A
42
Copyright 2015
Customer Condential
Telephone: 888-804-1717
E-mail: info@netcraftsmen.com
43
Copyright 2015
Customer Condential