
Technical Overview of the Preferred Architecture for Enterprise Collaboration 11.6
Matt Jordy, Technical Marketing Engineer
BRKCOL-2614
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3, 2017.
cs.co/ciscolivebot#BRKCOL-2614
BRKCOL-2614 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Don't forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
BRKCOL-2614: Cisco Enterprise Mobile Collaboration
Session Logistics
- Attendees should have some familiarity with Cisco collaboration solutions.
- More slides in Appendix; slides marked "For Your Reference" = homework
- Please consult the latest applicable product documentation for specific feature, software version, and hardware version support requirements
- Session time: 120 minutes
- Please ask questions as we go:
  - Questions I'll answer
  - Questions I'll defer to later in the session
  - Questions I don't know the answer to, outside the scope of our session, or those that consume too much time: come see me after the session, send me an email, or Spark message (mjordy@cisco.com) with your question and I will get back to you.
Agenda
What is the Preferred Architecture?
Call Control
Conferencing
Collaboration Edge
Unified Messaging
Collaboration Management Services
Simplified Sizing
Bandwidth Management
Security
Future Evolution of the PA
What is the Preferred Architecture?
Collaboration Preferred Architecture (CPA)
What products to use to enable users for Collaboration and Unified Communications for simple deployments.
Prescriptive recommendations | Concise documents | Tested best practices
- Preferred Architecture provides prescriptive design guidance that simplifies and drives design consistency for Cisco Collaboration deployments
- Preferred Architecture can be used as a design base for any customer using a modular and scalable approach
- Preferred Architecture assumes greenfield deployment, but is still relevant to existing deployments for migration towards the target architecture
- Preferred Architecture team provides feedback on solution level gaps to product teams
Preferred Architecture Process
- Figure it out: Define Collaboration Preferred Architecture
- Build and validate: Build it in the lab and validate concepts
- Extend: Move it into system test beds, Cisco on Cisco, Alpha and EFT process
- Write it down: Document Preferred Architectures for the field and partners
- Define: Define additional Preferred Architectures (Voice, Video, Hybrid)
- Feedback: Feed gaps found during the build and validate phase back into product teams
Collaboration Preferred Architectures & CVDs
Available at www.cisco.com/go/cvd/collaboration !
- PA Overview: Pre-Sales process; Design Overview Document; targeted to Pre-Sales; summarizes solution and components
- PA CVD (Cisco Validated Design): Post-Sales process; Detailed Design and Deployment Guidance; Post Sales Design and Deployment; Process Driven Guide
- PA Applications CVD (Cisco Validated Design): Post-Sales process; Detailed Design and Deployment Guidance; Post Sales Design and Deployment; Process Driven Guide; plugs into the PA CVD
Collaboration Preferred Architecture for the Enterprise
Current PA version is 11.6, aligned with the CSR 11.6
Includes:
- Unified CM / IM&P 11.5(1) SU2
- Unity Connection 11.5(1) SU2
- Expressway X8.9(1)
- Cisco Meeting Server 2.1
Endpoints & FW versions:
- Cisco Jabber 11.8
- 7811/88xx 11.7(1)
- 8831 10.3(1)
- DX70/80 CE 8.3(1)
- MX / SX series CE 8.3(1)
- IX Series IX 8.2
For more information about components and versions, refer to the product list at:
http://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/enterprise/11x/116/collbcvd/appendix.html
New Chapters & Updates for 11.6 Collaboration PA
Conferencing chapter update: removed TelePresence Server & Conductor, replaced with Cisco Meeting Server
New chapters:
- Collaboration Management Services: Prime Collaboration Deployment, Prime License Manager, and Prime Collaboration Provisioning
- Security: Security in Layers (including Toll Fraud), Encryption and Authentication, and Certificate Management
Preferred Architecture for Collaboration for Enterprise Cisco Validated Design (CVD) (For Your Reference)
- CALL CONTROL (Unified CM, IM&P, ISR / CUBE (PSTN)). Functions: Dial Plan (Dialing Habits, Endpoints/ILS/GDPR), Trunking, SRST, CTI, Provisioning
- CONFERENCING (Unified CM, TP Management Suite, Cisco Meeting Server). Functions: Instant, Permanent, Scheduled
- EDGE (Unified CM, Expressway, CUBE / ISR). Functions: Mobile Remote Access (MRA), B2B, IM&P Federation, PSTN Access, ISDN Video
- PRIME SERVICES MANAGEMENT (Prime Collab Deployment, License Manager, & Provisioning). Functions: Deployment, Licensing, Monitoring and Troubleshooting
- UNIFIED MESSAGING (Unity Connection). Functions: Unified Messaging
- BANDWIDTH MANAGEMENT (Unified CM, Endpoint Firmware, IOS / IOS-XE / AireOS). Functions: QoS and Admission Control
- SECURITY (All Components). Functions: Infrastructure/Network Security, DoS, Toll-Fraud, Encryption, Certificate Management
- SIZING (Endpoints, Users, Calls, and Virtual Machines). Functions: Sizing numbers for products built on a set of calculated assumptions
Each chapter covers: Architecture (Component Role, HA, Scalability); Deployment (Process and Configuration); High Level Sizing
Usage of the Collaboration Preferred Architecture
- Collaboration Preferred Architecture assumes greenfield enterprise collaboration deployments
- However, this isn't the only usage of the architecture:
  - Guideline for updating brownfield collaboration deployments - architecture target
  - Training for new collaboration engineers
- Answers the question: What's the best way to design your collaboration deployment?
Call Control
[Architecture diagram (Call Control highlighted): Headquarters hosts Unified Communications Manager and IM and Presence (Call Control), Unity Connection (Voice Messaging), Cisco Meeting Server and TelePresence Management Suite (Conferencing), and Cisco Prime Collaboration Deployment, License Manager and Provisioning (Collaboration Management Services). Expressway-C and Expressway-E in the DMZ (Collaboration Edge) connect over the Internet to Mobile/Teleworker Endpoints and Third-Party Solutions; an Integrated/Aggregated Services Router connects to the PSTN, and an Integrated Services Router across the MPLS WAN connects the Remote Site.]
Call Control Functions
- User / endpoint identities and status
- Single cluster for call routing and IM&P with 1:1 redundancy
- Central Dial Plan authority: E.164 dial plan
- Centralized SIP endpoint registration and management
- SIP application integration APIs
- Expressway for firewall traversal and mobile and remote access (MRA)
- Management and third-party interoperability with APIs
- LDAP provisioning and authentication
[Diagram: Unified Communications Manager and IM and Presence at the centre, with SIP to Endpoints, MRA Endpoints via Expressway-C and Expressway-E (Collaboration Edge, DMZ), Cisco Meeting Server and TelePresence Management Suite (Conferencing), Unity Connection (Voice Messaging), and Prime Deployment, Prime License Manager and Prime Provisioning (Collaboration Management Services).]
Unified Communications Manager is the Heart of the Architecture. The Glue that binds it all together.
Call Control
Core Components / Roles:
- Unified CM provides call control, endpoint registration and configuration, call admission control, codec negotiation, trunk protocol translation, and CTI
- Unified CM IM and Presence Service provides on-premises instant messaging and presence
- Cisco Integrated Services Router (ISR) provides PSTN connectivity and remote site survivability (SRST)
Key Benefits:
- Call control is centralized at a single location that serves multiple remote sites.
- Management and administration are centralized.
- Common telephony features are available across voice and video endpoints.
- Single call control and a unified dial plan are provided for voice and video endpoints.
- Critical business applications are highly available and redundant.
Unified CM with IM & Presence Cluster
Unified CM Cluster (up to 21 nodes): DB Publisher; TFTP 1 / TFTP 2 (TFTP pair); Call Processing subscriber pairs (Primary / Secondary) ...
IM & Presence Cluster (up to 6 nodes): Publisher / Subscriber pairs; the IM&P publisher is part of a pair ...
Links between the clusters: DB Sync, SOAP / XML, SIP, CTI/QBE
- Two databases; each DB has one publisher and multiple subscribers
- CM subscriber roles: call processing pairs, TFTP pairs
Preferred Architecture Clustering Guidelines
- Call Processing Subscribers always added in pairs
- 1:1 redundancy only
- Single TFTP Subscriber pair
- Call Processing Subscriber and IM&P pairs added to match scale requirements
- Music on Hold function co-located with Call Processing Subscribers
DNS: A Fundamental Solution Requirement
Domain Name Service (DNS) is critical for Collaboration Solutions:
- Forward and Reverse Lookup
- SRV for Redundancy and Load Balancing
- DNS for User Data Service (UDS) and Certificate Validity
Recommendation:
- Enable DNS forward (A record) and reverse (PTR record) lookup for all UC servers and applications
- Dedicated zone for cluster simplifies configuration of cluster fully qualified domain name (CFQDN Enterprise Parameter): *.us-uc.ent-pa.com
- SRV record for each Unified CM node: best load balancing of initial UDS requests during registration
Deployment Considerations: Numeric Dial Plan (For Your Reference)
- Use +E.164 as DN addressing. Benefit: ensure uniform phone number formatting across all enterprise contacts
- Use XXXX abbreviated intra-site dialing. Benefit: allow abbreviated dialing for intra-site calls
- Use site-code based abbreviated inter-site dialing, e.g. 8+<site code>+<extension>. Benefit: use a normalized approach for inter-site calls
- Non-DID addresses in line with site-code based abbreviated inter-site dialing
- Unique addresses: additional site-codes per site or non-overlapping extensions
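The dial plan above in working form, as an added example that is not from the CVD: it globalizes the three dialing habits (+E.164, 8+site code+extension, XXXX intra-site) and flags addresses that are not unique. The site table, site codes, DID prefixes and non-DID ranges are constructed for illustration; two sites deliberately share one DID block to show why the uniqueness check matters.

```python
"""+E.164 / site-code dial plan normalization (added example, constructed data)."""
import re

STEERING_DIGIT = "8"   # inter-site habit: 8 + <site code> + <extension>
SITE_CODE_LEN = 3
EXT_LEN = 4

# Constructed site table (assumption, not from the CVD): site code ->
# +E.164 prefix the 4-digit DID extension is appended to, plus extension
# prefixes that have no DID. Sites 201 and 204 share a DID block on purpose.
SITES = {
    "201": {"name": "SJC",      "e164_prefix": "+1408555", "non_did": ["9"]},
    "204": {"name": "SJC-East", "e164_prefix": "+1408555", "non_did": ["9"]},
    "202": {"name": "RTP",      "e164_prefix": "+1919555", "non_did": ["9"]},
    "203": {"name": "LON",      "e164_prefix": "+4420770", "non_did": ["9"]},
}

E164_RE = re.compile(r"^\+[1-9]\d{6,14}$")
INTER_SITE_RE = re.compile(
    rf"^{STEERING_DIGIT}(\d{{{SITE_CODE_LEN}}})(\d{{{EXT_LEN}}})$")
INTRA_SITE_RE = re.compile(rf"^\d{{{EXT_LEN}}}$")


def site_address(site_code, ext):
    """Directory address of an extension: +E.164 when it has a DID, otherwise
    the enterprise-significant 8+site+ext form, so non-DID numbers stay in
    line with the inter-site dialing habit and remain unique across sites."""
    site = SITES[site_code]
    if any(ext.startswith(p) for p in site["non_did"]):
        return f"{STEERING_DIGIT}{site_code}{ext}"
    return f"{site['e164_prefix']}{ext}"


def normalize(dialed, caller_site_code):
    """Translate dialed digits into the globalized address on the called line.

    Accepts +E.164 as-is, 8+site+ext inter-site dialing, and XXXX intra-site
    dialing resolved against the caller's own site. Returns None for digit
    strings that match none of the three habits or name an unknown site.
    """
    digits = dialed.replace(" ", "").replace("-", "")
    if E164_RE.match(digits):
        return digits
    m = INTER_SITE_RE.match(digits)
    if m:
        site_code, ext = m.groups()
        return site_address(site_code, ext) if site_code in SITES else None
    if INTRA_SITE_RE.match(digits) and caller_site_code in SITES:
        return site_address(caller_site_code, digits)
    return None


def duplicate_addresses(directory):
    """Design check for the 'unique addresses' requirement: every (site, ext)
    pair must globalize to a different address. Returns {address: [owners]}
    for addresses claimed more than once, e.g. two sites sharing a DID block
    that both hand out the same extension."""
    owners = {}
    for site_code, ext in directory:
        owners.setdefault(site_address(site_code, ext), []).append((site_code, ext))
    return {addr: who for addr, who in owners.items() if len(who) > 1}
```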
SIP Trunking Recommendations
- Use Best Effort Early Offer on ALL Trunks
- Minimize the number of SIP profiles: consider default profiles first; avoid per-trunk SIP profiles; provision one SIP profile per group of equivalent trunks
- Recommended SIP profile settings:
  - "Use Fully Qualified Domain Name in SIP Requests" set on all trunks and for video enabled endpoints; prevents the IP address of Unified CM from showing up in the host portion of URIs in calling identity headers
  - Enable SIP OPTIONS ping for real-time status monitoring
- SIP trunk redundancy achieved by provisioning multiple peer user agents per trunk (Cisco Meeting Server, Unity Connection, Expressway-C, etc.); avoids multiple trunk configurations
Multi-cluster Support
[Diagram: Cluster 1, Cluster 2 and Cluster 3, each with IM&P and UCM serving Branch1 and Branch2, interconnected by SIP and XMPP]
- Recommendation: Centralized Call Processing Model (Single Call Processing Cluster)
- Full-Mesh Distributed Call Processing Deployment Model when required. This model is based on multiple iterations of the Centralized Call Processing Deployment Model. Session Management Edition is out of scope for the PA.
Business-to-Business Communications
Related session: BRKUCC-2008 Enterprise Dial Plan Fundamentals - Tuesday, Jun 27, 8:00 am
Conferencing
[Architecture diagram as in the Call Control section, with Conferencing (Cisco Meeting Server, NEW, and TelePresence Management Suite) highlighted.]
Conferencing
Core Components:
- Cisco Meeting Server for audio and video conference resources and resource management
- Cisco TelePresence Management Suite (TMS) for conference provisioning, monitoring, and scheduling
- TMSXE for interfacing with Microsoft Exchange room and resource calendars
Key Benefits:
- Simplified, optimal user experience
- Flexible, extendable architecture that supports deployment of one or more permanent, scheduled, and/or instant conference resources
- Dynamic optimization of conference resources
- High availability of conference resources
- Media resilience and rate adaptation in the video network
- A single tool for hosts to schedule participants and conference rooms for a meeting
- Multiparty licensing that enables full access to all conference resources on the bridge
Conferencing Architecture
Conferencing with Cisco Meeting Server
[Diagram: Unified Communications Manager, TMS and Cisco Meeting Server inside the enterprise; Expressway-C and Expressway-E in the DMZ towards the Internet; Instant, Permanent and Scheduled conferences]
- How to deploy the components (Call Bridge, Web Bridge, XMPP, Database)
- Support for multiple Conference types (Instant, Permanent, Scheduled)
Cisco Meeting Server Spaces
Spaces are virtual meeting rooms that have audio, video and content sharing capability and are accessible using Space URI, directory number or URL.
Joining a Space (Permanent and Scheduled Meetings):
- Immersive and non-immersive endpoints: dial URI user.space@cms.ent-pa.com or DN 8801000
- WebRTC / Cisco Meeting App (CMA): go to URL https://join.ent-pa.com and enter Conference ID or User Credentials
- Phone: dial +1(408)555-5555 and enter IVR plus Space Call ID
Conferences: Instant vs Scheduled/Permanent
High-Level Configuration Steps
- Instant Conference (Ad hoc: +(Add) or Conference Softkey): Conferencing Bridge -> Media Resource Group -> Media Resource Group List; the Conferencing Bridge points to the SIP Trunk to CMS
- Permanent and Scheduled Conferences (URI or DN): Route Pattern, Route Group, Route List, SIP Trunk to CMS; the route group contains the SIP Trunk to CMS
TMS Scheduled Meeting Components / Roles
[Diagram: Active TMS and TMSXE nodes and Passive TMS and TMSXE nodes behind a Network Load Balancer with a single virtual IP address (tms.ent-pa.com); SQL and Directory; HTTPS/REST to CMS; SSH keep-alive between Active/Passive nodes; Managed Devices]
1. FQDN of TMS is configured in TMS Network Settings
2. The FQDN should resolve to the NLB virtual IP for TMS
3. TMS will send managed devices the FQDN that resolves to the NLB for communications with TMS
TMS Scheduling Request Components / Roles
[Diagram: Outlook, MS Exchange, Network Load Balancer (single virtual IP address), TMS, TMSXE, CMS (HTTPS/REST) and Managed Devices, with the numbered steps below]
1. Outlook scheduling request
2. Exchange uses Exchange Web Services (EWS) to sync the request with TMSXE via the Network Load Balancer (NLB)
3. TMSXE syncs directly with Exchange
4. TMSXE routes the request to the Active TMS via the NLB
5. TMS sends a confirmation email to the user
Cisco Meeting Server Architecture
Scalable and Resilient Deployment
[Diagram: a cluster of 3 servers across San Francisco, RTP and Richardson, each running Call Bridge, Web Bridge, XMPP Server and Database, providing Scale and Resiliency]
Collaboration Edge
[Architecture diagram as in the Call Control section, with Collab Edge (Expressway-C, Expressway-E in the DMZ, Integrated/Aggregated Services Router) highlighted.]
Collaboration Edge
[Diagram: Expressway-C inside the enterprise, Expressway-E in the DMZ, Integrated/Aggregated Services Router]
Core Components:
- Cisco Expressway-C and Expressway-E, for Internet connectivity and firewall traversal for voice and video
- Cisco Unified Border Element, for audio PSTN connectivity via IP trunks
- PSTN Voice Gateway (IOS), for direct audio PSTN connectivity
Key Benefits:
- Connect to customers and partners, independent of the technology they are implementing and the public network they are using.
- Provide for a resilient, flexible and extendable architecture.
- Provide any hardware and software client with the ability to access any public network (Internet and PSTN).
- Provide secure VPN-less access to collaboration services for Cisco mobile and remote clients and endpoints.
Mobile and Remote Access (MRA)
Expressway for Internet Connectivity (MRA / B2B)
[Diagram: Unified CM and Expressway-C in the Enterprise Network, Firewall, Expressway-E in the DMZ, Firewall, Internet (Outside Network); Signaling and Media paths]
1. Expressway-E is the traversal server installed in the DMZ. Expressway-C is the traversal client installed inside the enterprise network.
2. Expressway-C initiates traversal connections outbound through the firewall to specific ports on Expressway-E with secure login credentials.
3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E to maintain the connection.
4. When Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C.
5. Expressway-C then routes the call to Unified CM to reach the called user or endpoint.
6. The call is established and media traverses the firewall securely over an existing traversal connection.
Expressway Mobile and Remote Access Capabilities
Three key capabilities when enabling Expressway Mobile and Remote Access:
- XCP Router for XMPP traffic (IM&P)
- HTTPS Reverse proxy (provisioning and other services)
- Proxy SIP registration to Unified CM
[Diagram: Expressway-C, Firewall, Expressway-E; XMPP (IM&P) to IM and Presence, HTTPS (provisioning, visual voicemail, directory) to Unified CM and Unity Connection, SIP (audio, video) to Unified CM]
Mobile & Remote Access Protocol Workload Summary
[Diagram: Collaboration Services (Unified CM, Unified CM IM&P, Unity Connection, Conferencing Resources) inside the firewall (Intranet); Expressway-C and Expressway-E in the DMZ; Internet outside the firewall (Public Internet)]
Protocol | Security | Service
SIP | TLS | Session Establishment: Register, Invite, etc.
Media | SRTP | Audio, Video, Content Share
HTTPS | TLS | Logon, Provisioning / Configuration, Contact Search, Visual Voicemail
XMPP | TLS | Instant Messaging, Presence
Split DNS SRV Record Requirements
- _collab-edge record needs to be available only in public DNS
- Multiple SRV records (and Expressway-E hosts) should be deployed for HA:
  _collab-edge._tls.example.com. SRV 10 10 8443 expwy1.ent-pa.com.
  _collab-edge._tls.example.com. SRV 10 10 8443 expwy2.ent-pa.com.
- A GEO DNS service can be used to provide unique DNS responses by geographic region
- _cisco-uds record needs to be available only in internal DNS:
  _cisco-uds._tcp.example.com. SRV 10 10 8443 ucm1.ent-pa.com.
  _cisco-uds._tcp.example.com. SRV 10 10 8443 ucm2.ent-pa.com.
Expressway MRA and Jabber Service Discovery
[Diagram: Jabber client outside the firewall (Public Internet) querying Public DNS; Expressway-E (expwyNYC.example.com) in the DMZ; Expressway-C, Unified CM and Collaboration Services inside the firewall (Intranet)]
1. DNS SRV lookup _cisco-uds._tcp.example.com: Not Found
2. DNS SRV lookup _collab-edge._tls.example.com against Public DNS: expwyNYC.example.com
3. TLS Handshake, trusted certificate verification
4. HTTPS: get_edge_config?service_name=_cisco-uds&service_name=_cuplogin
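The two slides above (split DNS SRV records and the Jabber lookup order) as an added example, not from the CVD or any Cisco tool: a client-side walk through the _cisco-uds then _collab-edge lookup order, and a defender's check that each record lives only in the DNS view it belongs in and that the edge record carries more than one Expressway-E for HA. The DNS views are constructed dictionaries mirroring the slide's records; nothing is queried over the network.

```python
"""Jabber service discovery order and split-horizon SRV check (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


UDS = "_cisco-uds._tcp"
EDGE = "_collab-edge._tls"

# Constructed DNS views (assumption: these stand in for real resolvers).
# Internal resolvers carry only _cisco-uds; public resolvers carry only
# _collab-edge, as the split-DNS requirement states.
INTERNAL_VIEW = {
    f"{UDS}.example.com.": [SRV(10, 10, 8443, "ucm1.ent-pa.com."),
                            SRV(10, 10, 8443, "ucm2.ent-pa.com.")],
}
PUBLIC_VIEW = {
    f"{EDGE}.example.com.": [SRV(10, 10, 8443, "expwy1.ent-pa.com."),
                             SRV(10, 10, 8443, "expwy2.ent-pa.com.")],
}


def ordered_targets(records):
    """Lowest priority first, then higher weight first: the order a client
    walks the SRV set when a target does not answer."""
    return [r.target for r in sorted(records, key=lambda r: (r.priority, -r.weight))]


def discover(domain, view):
    """Mimic the lookup order on the slide: try _cisco-uds (internal path
    straight to Unified CM); if it is not found, fall back to _collab-edge
    (MRA through Expressway-E). Returns (mode, ordered targets)."""
    uds = view.get(f"{UDS}.{domain}.", [])
    if uds:
        return "internal", ordered_targets(uds)
    edge = view.get(f"{EDGE}.{domain}.", [])
    if edge:
        return "mra", ordered_targets(edge)
    return "none", []


def split_dns_findings(domain, internal_view, public_view):
    """Check the split-DNS requirement. Returns a list of problems; an empty
    list means the two views match the recommendation."""
    findings = []
    uds_name = f"{UDS}.{domain}."
    edge_name = f"{EDGE}.{domain}."
    if uds_name in public_view:
        # Publishing _cisco-uds externally exposes internal Unified CM names
        # and makes outside clients try the internal path first.
        findings.append(f"{uds_name} is published in public DNS")
    if uds_name not in internal_view:
        findings.append(f"{uds_name} missing from internal DNS")
    if edge_name in internal_view:
        findings.append(f"{edge_name} is published in internal DNS")
    if edge_name not in public_view:
        findings.append(f"{edge_name} missing from public DNS")
    elif len({r.target for r in public_view[edge_name]}) < 2:
        findings.append(f"{edge_name} has a single Expressway-E target (no HA)")
    return findings
```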
Device Mobility for Expressway MRA
[Diagram: an Expressway-E / Expressway-C pair at RTP (10.10.20.50) and another at RCD (10.10.30.50) registering devices to Unified CM]
1. Register me with 10.10.20.50
2. Device in RTP
3. Register me with 10.10.30.50
4. Device in RCD
Device Mobility selects: Location, SRST Reference, Local Route Group, Media Resources
IP Subnet | Device Mobility Info | Device Pool | Location
10.10.20.50 | RTP_EXP1_DMI | RTP_EXP_DP | RTP
10.10.30.50 | RCD_EXP1_DMI | RCD_EXP_DP | RCD
10.10.40.50 | SJC_EXP1_DMI | SJC_EXP_DP | SJC
Device Mobility for Expressway MRA Redundancy
Expressway-C pair | IP Subnet | Device Mobility Info | Device Pool | Location
Redundant Expressway-C Pairs @ RTP | 10.10.20.50/32 | RTP_EXP1_DMI | RTP_EXP_DP | RTP
Redundant Expressway-C Pairs @ RTP | 10.10.20.51/32 | RTP_EXP2_DMI | RTP_EXP_DP | RTP
Redundant Expressway-C Pairs @ RCD | 10.10.30.50/32 | RCD_EXP1_DMI | RCD_EXP_DP | RCD
Redundant Expressway-C Pairs @ RCD | 10.10.30.51/32 | RCD_EXP2_DMI | RCD_EXP_DP | RCD
Redundant Expressway-C Pairs @ SJC | 10.10.40.50/32 | SJC_EXP1_DMI | SJC_EXP_DP | SJC
Redundant Expressway-C Pairs @ SJC | 10.10.40.51/32 | SJC_EXP2_DMI | SJC_EXP_DP | SJC
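The Device Mobility lookup behind the two slides above, as an added example that is not Unified CM's code: an MRA registration arrives from the Expressway-C that proxied it, so the /32 of each Expressway-C node (both members of a redundant pair) is matched against the Device Mobility Info table to pick the site's device pool and location. The table is constructed from the slide's names; the home device pool and phone name are assumptions for illustration. It also shows the failure mode when a pair member is missing from the table.

```python
"""Device Mobility resolution for Expressway-C proxied registrations (added example)."""
import ipaddress

# Constructed Device Mobility Info (DMI) entries taken from the slide: one /32
# per Expressway-C node, both members of each redundant pair, all mapped to
# the site's Expressway device pool and location.
DMI_TABLE = [
    ("10.10.20.50/32", "RTP_EXP1_DMI", "RTP_EXP_DP", "RTP"),
    ("10.10.20.51/32", "RTP_EXP2_DMI", "RTP_EXP_DP", "RTP"),
    ("10.10.30.50/32", "RCD_EXP1_DMI", "RCD_EXP_DP", "RCD"),
    ("10.10.30.51/32", "RCD_EXP2_DMI", "RCD_EXP_DP", "RCD"),
    ("10.10.40.50/32", "SJC_EXP1_DMI", "SJC_EXP_DP", "SJC"),
    ("10.10.40.51/32", "SJC_EXP2_DMI", "SJC_EXP_DP", "SJC"),
]

# Assumed home device pool / location of the phone itself (constructed).
HOME_POOLS = {"SEP001122334455": ("HQ_DP", "HQ")}

_DMI = [(ipaddress.ip_network(net), dmi, pool, loc)
        for net, dmi, pool, loc in DMI_TABLE]


def match_dmi(source_ip):
    """Longest-prefix match of the registration's source address (the
    Expressway-C node) against the DMI subnets.
    Returns (dmi_name, device_pool, location) or None."""
    addr = ipaddress.ip_address(source_ip)
    best = None
    for net, dmi, pool, loc in _DMI:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dmi, pool, loc)
    return best[1:] if best else None


def effective_pool(device, source_ip):
    """What the phone ends up with: the roaming pool and location when the
    proxying Expressway-C matches a DMI, otherwise the home pool. The
    fallback is the failure mode when a new or second Expressway-C node has
    not been added to the table: the phone keeps HQ location and CAC."""
    hit = match_dmi(source_ip)
    if hit:
        dmi, pool, loc = hit
        return {"roaming": True, "pool": pool, "location": loc, "via": dmi}
    pool, loc = HOME_POOLS[device]
    return {"roaming": False, "pool": pool, "location": loc, "via": None}


def sites_missing_pair_member(table):
    """Design check for the redundancy slide: each site with a redundant
    Expressway-C pair needs two DMI entries. Returns sites with fewer."""
    per_site = {}
    for _, _, _, loc in table:
        per_site[loc] = per_site.get(loc, 0) + 1
    return sorted(loc for loc, n in per_site.items() if n < 2)
```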
Business-to-Business Communications
Related session: BRKCOL-2018 Best Practices for Business to Business Video Collaboration - Wednesday, June 28, 8:00 am
Unified Messaging
[Architecture diagram as in the Call Control section, with Unified Messaging (Unity Connection) highlighted.]
Unified Messaging
Core Components:
- Cisco Unity Connection, for voice and unified messaging service to Unified CM registered endpoints
- Microsoft Exchange and Active Directory, for email and directory integrations
Key Benefits:
- Users can access the voicemail system and retrieve their messages using their IP phones, mobile devices, or email client applications with either a dialed number or a SIP URI.
- Users are able to customize personal settings from a web browser.
- Offers a natural and robust speech-activated user interface that allows users to browse and manage voice messages using simple and natural speech command.
Unified Messaging
Cisco Unity Connection: Architecture
[Diagram: Unity Connection Publisher and Subscriber; Unified CM (SIP, PIN sync); Microsoft Active Directory (directory synchronization); Microsoft Exchange (mailbox synchronization); voicemail access via VoIP to the TUI or via REST/HTTPS (Visual Voicemail); Email (SMTP/HTTPS)]
- Redundant Unity Connection nodes
- SIP Trunk integration to Unified CM
- Integrations to directory and mail: Microsoft Active Directory; Microsoft Exchange (On-Premise or Cloud-Based)
- Call forwarding to Unity Connection
- Direct call to voicemail or visual voicemail navigation (Visual Voicemail)
- Email access to voicemail (Single Inbox)
- 11.6 Update: PIN synchronization between Unified CM and Unity Connection
Collaboration Management Services (NEW)
[Architecture diagram as in the Call Control section, with Collaboration Management Services (Cisco Prime Collaboration Deployment, License Manager, Provisioning) highlighted as NEW.]
Collaboration Management Services
Core Applications: Cisco Prime Collaboration Deployment, Prime License Manager, Prime Collaboration Provisioning
Core Components:
- Cisco Prime License Manager (PLM): management of user-based licensing, including license fulfillment.
- Cisco Prime Collaboration Deployment (PCD): deploys new clusters of Unified CM and IM and Presence servers and Unity Connection
- Cisco Prime Collaboration Provisioning (PCP): provisions and configures users and endpoints
Key Benefits:
- Single tool to enable license workflows and manage licensing for collaboration infrastructure components.
- Eases deployment of new infrastructure components, enabling faster initial setup
- Rapid and automated user/endpoint enablement along with moves, adds, changes and deletions (MACD)
Cisco Prime Collaboration Deployment
Cisco Prime Collaboration Deployment: Architecture
[Diagram: Prime Collaboration Deployment (PCD) holding .iso files, reachable over SFTP; VMware ESXi host running UCM_Pub, UCM_Sub, IM&P_Pub, IM&P_Sub, UCxn_Pub and UCxn_Sub VMs]
- Cisco collaboration application .iso install files located on Prime Collaboration Deployment (PCD).
- PCD network file system (NFS) mount on ESXi host(s) to facilitate .iso file access.
- Collaboration application node virtual machines (VMs) manually created on the ESXi host.
- PCD installs collaboration application clusters on the target VMs.
Cisco Prime License Manager
Cisco Prime License Manager: Architecture
[Diagram: Prime License Manager synchronized with the Unified CM Publisher and the Unity Connection Publisher, and reaching Cisco.com]
Cisco Prime License Manager (PLM) enables license fulfillment:
- Electronic [requires Internet connectivity] OR manual license file request
- Licenses received (over the network or via email)
- Licenses applied to system and propagated to synchronized application instances.
Cisco Prime Collaboration Provisioning
Application Program Interface (API):
- Unified CM and Unified IM&P: AXL SOAP over HTTP(S)
- Unity Connection: REST/SQL over HTTP(S)
- Directory (Microsoft Active Directory): LDAP
Cisco Prime Collaboration Provisioning (MACD)
On-boarding / Off-boarding of Users
[Diagram: US Cluster and EMEA Cluster (UCM, IM&P, CUC), Microsoft Active Directory, Cisco Prime Collaboration Provisioning, with the numbered steps below]
1. Users imported from Active Directory to Unified CM
2. Users imported from Active Directory to Prime Collaboration Provisioning
3. Importing users from Active Directory into Prime Collaboration Provisioning triggers Automatic Service Provisioning
4. Help desk administrators log into Cisco Prime Collaboration Provisioning for configuration updates (MACDs)
Simplified Sizing
PA Simplified Sizing vs. Collaboration Sizing Tool
Is the deployment within the Preferred Architecture Sizing Assumptions? If so, use PA Simplified Sizing; otherwise use the Collaboration Sizing Tool.
Sizing Cisco Unified CM for the Preferred Architecture
- < 5,000 devices and users: Publisher, TFTP 1, TFTP 2, one Call Processing subscriber pair
- Between 5,000 and 10,000 devices and users: Publisher, TFTP 1, TFTP 2, two Call Processing subscriber pairs
- 7,500 OVA (2 vCPUs) is used for both deployments
- 7,500 OVA supported on BE7000M or larger
Sizing Unified CM: PA Assumptions
- 1:1 Server Redundancy
- Simplified User Sizing
Sizing Assumptions for Unified CM:
- Average up to 4 BHCA per user
- Average up to 2 DNs per device
- Extension Mobility for ALL Users
- Up to 500 Shared Lines per Call Processing Pair
- Up to 500 CTI ports and 100 CTI Route Points per Call Processing pair
- Up to 3,000 Partitions, 6,000 Calling Search Spaces, 12,000 Translation Patterns
- Up to 40,000 users synched with AD (5,000 or 10,000 active)
Refer to the Preferred Architecture CVD for the complete list of assumptions:
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/enterprise/11x/116/collbcvd.html
Sizing IM & Presence for the Preferred Architecture (For Your Reference)
- In the PA, IM & Presence is deployed with 2 servers
- The number of users (full UC) dictates which OVA is used:
  - Less than 2,000 users: 2,000-user OVA (1 vCPU)
  - Between 2,000 and 5,000 users: 5,000-user OVA (2 vCPUs)
  - Between 5,000 and 15,000 users: 15,000-user OVA (4 vCPUs)
- These 3 OVAs are supported on BE7000M or larger
Sizing TMS for the Preferred Architecture (For Your Reference)
Regular Deployment (1 vCPU OVA): TelePresence Management Suite (TMS) as TMS/TMSPE plus TMSXE
- < 200 controlled systems
- < 100 concurrent participants
- < 50 concurrent ongoing scheduled conferences
- < 1000 Collaboration Meeting Rooms
Large Deployment (4 vCPUs OVAs): TMS/TMSPE plus TMSXE
- < 5,000 controlled systems
- < 1,800 concurrent participants
- < 250 concurrent ongoing scheduled conferences
- < 48,000 Collaboration Meeting Rooms
All OVAs are supported on BE6000M or larger
Sizing Unity Connection for the Preferred Architecture (For Your Reference)
- Cisco Unity Connection is deployed with 2 servers in an active/active mode
- The number of users dictates which OVA is used:
  - Between 1,000 and 5,000 users: 5,000-user OVA (2 vCPUs)
  - Between 5,000 and 10,000 users: 10,000-user OVA (4 vCPUs)
- Both OVAs are supported on BE7000M or larger
Deployment Example with 5,000 Users / Devices
[Diagram: four BE7KM servers plus a CMS 1000 / CMS 2000]
Cisco Meeting Server Platforms and Capacities (For Your Reference)

Platform (1)                 Cluster Support                             HD 1080p30 Port Capacity (2)   HD 720p30 Port Capacity (2)   SD 480p Port Capacity (2)
Cisco Meeting Server 1000    Yes, up to 8 nodes for a standard cluster   48                             96                            192
Cisco Meeting Server 2000    Yes, up to 8 nodes for a standard cluster   250                            500                           1000

1. Cisco Meeting Servers support a maximum of 3,000 audio connections for any standalone deployment or cluster with any audio codec.
2. Assumes content sharing at 720p resolution and 5 frames per second (fps).
Bandwidth Management

Managed vs. Unmanaged Networks
Where do your media packets go?
How do you preserve user experience when media traverses the Internet?

(Diagram: Central Site with On-premise Call Control and UC Services; Cloud Services; B2B and B2C; a QoS-capable Managed WAN (MPLS, DMVPN, VPN) to Remote Sites; the Internet to Home/Mobile Users.)
Our Strategy

(Diagram: LTRF and FEC media resilience between encoder and decoder; EF audio queue, AF42 and AF41 video queues on the WAN link.)

Smart Media Techniques:
- Use media resilience to reduce the impact of packet loss
- Apply rate adaptation to reduce network congestion

QoS Tools:
- Consolidate mechanisms to identify Collaboration media
- Evolve classification and scheduling recommendations

Design & Deployment:
- Leverage media resilience and rate adaptation to enable pervasive video deployments through:
  - Simplified provisioning
  - Optimized bandwidth utilization
Classification: DSCP Classes

EF: Expedited Forwarding (PQ) - used for voice media
AF: Assured Forwarding (CBWFQ) - used for video media
CS: Class Selector - used for signaling

DSCP Class   DSCP   ToS Prec.   Use in the PA
none         0      0
CS1          8      1
AF11         10     1
AF12         12     1
AF13         14     1
CS2          16     2
AF21         18     2
AF22         20     2
AF23         22     2
CS3          24     3           SIP signaling
AF31         26     3
AF32         28     3
AF33         30     3
CS4          32     4
AF41         34     4           Priority video media (TelePresence, desktop)
AF42         36     4           Opportunistic video media (Jabber)
AF43         38     4
CS5          40     5
EF           46     5           Voice media
CS6          48     6
CS7          56     7
WAN Queuing Considerations
Single Video Queue, Dual QoS Markings

Opportunistic Video and Prioritized Audio:
- Map audio streams of voice and video calls (EF) to a priority queue
- Map video streams of video calls (AF41 and AF42) to a single class-based queue with WRED:
  - AF41: higher drop thresholds (e.g., 50-100% of queue depth), i.e., drop AF41 last
  - AF42: lower drop thresholds (e.g., 15-35% of queue depth), i.e., drop AF42 first
- During congestion, AF42 traffic (opportunistic video) is dropped first:
  - Packet loss triggers rate adaptation
  - Media resilience limits the impact

(Diagram: Audio of IP Phone, Audio of Video and Audio of Jabber marked EF into the PQ; Video of Video marked AF41 and Video of Jabber marked AF42 into one Video CBWFQ queue with AF41 and AF42 WRED thresholds; other queues; bandwidth assigned to LLQ classes.)
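The drop-first behaviour of the dual-marking scheme, as an added simulation that is not part of the slides: AF41 and AF42 share one class-based queue with the slide's example WRED thresholds, and the AF42 sender adapts its rate to loss. Packet counts, drain rate and the adaptation step are assumptions chosen for illustration.

```python
"""WRED on a single video queue with dual DSCP markings (AF41 / AF42).

Added example, not from the slides: a discrete-time simulation of the queueing
scheme described above. AF41 (prioritized video) and AF42 (opportunistic Jabber
video) share one class-based queue; the WRED thresholds are the slide's example
values, so AF42 is dropped first while AF41 stays untouched. Packet counts,
drain rate and the rate-adaptation step are assumptions for illustration only.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class WredProfile:
    min_threshold: float             # queue fill where random early drops begin
    max_threshold: float             # queue fill above which every packet drops
    mark_prob_denominator: int = 10  # Cisco default: 1 in 10 dropped at max threshold


# Thresholds from the slide: AF42 dropped first (15-35%), AF41 last (50-100%).
PROFILES = {
    "AF41": WredProfile(0.50, 1.00),
    "AF42": WredProfile(0.15, 0.35),
}


def drop_probability(marking: str, depth: int, capacity: int) -> float:
    """WRED drop probability for one packet given the current queue depth."""
    prof = PROFILES[marking]
    fill = depth / capacity
    if fill < prof.min_threshold:
        return 0.0
    if fill >= prof.max_threshold:
        return 1.0
    slope = (fill - prof.min_threshold) / (prof.max_threshold - prof.min_threshold)
    return slope / prof.mark_prob_denominator


def simulate(ticks: int = 400, capacity: int = 100, drain: int = 3, seed: int = 7) -> dict:
    """Offer 2 AF41 packets plus up to 2 AF42 packets per tick into a queue that
    drains `drain` packets per tick (offered load exceeds capacity). The AF42
    sender halves its rate after any tick with loss and adds one packet per
    clean tick (rate adaptation). Returns offered/dropped counters per marking
    and the peak queue depth reached."""
    rng = random.Random(seed)
    depth, peak = 0, 0
    stats = {m: {"offered": 0, "dropped": 0} for m in PROFILES}
    af42_rate = 2
    for _ in range(ticks):
        af42_lost = False
        for marking in ["AF41"] * 2 + ["AF42"] * af42_rate:
            stats[marking]["offered"] += 1
            if depth >= capacity or rng.random() < drop_probability(marking, depth, capacity):
                stats[marking]["dropped"] += 1
                af42_lost = af42_lost or marking == "AF42"
            else:
                depth += 1
        peak = max(peak, depth)
        depth = max(0, depth - drain)
        # Opportunistic video backs off on loss and probes back up when clean.
        af42_rate = af42_rate // 2 if af42_lost else min(2, af42_rate + 1)
    stats["peak_depth"] = peak
    return stats


if __name__ == "__main__":
    result = simulate()
    for marking in PROFILES:
        print(marking, result[marking])
    print("peak queue depth:", result["peak_depth"])
```

Because AF42 is dropped and backs off before the queue ever reaches the AF41 thresholds, the prioritized video sees no loss at all in this run.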
WAN Queuing Considerations (Coming Soon)
Single Video Queue, Single QoS Marking

Single QoS Marking for Video with Prioritized Audio:
- Map audio streams of voice and video calls (EF) to a priority queue
- In deployments where dual QoS marking is not practical, map video streams of all video calls (desktop/TelePresence and Jabber) to a single class-based queue
  - AF41: marking for all video
- During congestion, if traffic is dropped:
  - Packet loss triggers rate adaptation
  - Media resilience limits the impact

(Diagram: Audio of IP Phone, Audio of Video and Audio of Jabber marked EF into the PQ; Video of Video and Video of Jabber both marked AF41 into one Video CBWFQ queue; other queues; bandwidth assigned to LLQ classes.)
Summary

- Combine QoS tools, media resilience and dynamic adaptation to build a self-regulating system that makes optimal use of available network resources.
- Leverage rate adaptation and media resilience mechanisms in the managed network to deploy pervasive video: prioritized video for room systems and hard endpoints, opportunistic video for Jabber endpoints.
- Use CAC when and where needed: when managing bandwidth with Media Resilience and Rate Adaptation techniques is not an option (i.e. extreme contention on WAN bandwidth).
Security

NEW
Examples of IP Communications Threats
- Denial of Service (DoS): affecting call quality or the ability to place calls
- Eavesdropping: listening to another's call, or theft of intellectual property
- SPAM: SPIM, SPIT, and more SPAM
- Media tampering
- Toll fraud: unauthorized or unbillable resource utilization
- Data modification
- Impersonating others
- Identity theft: learning private information (passwords/accounts, Caller ID, DTMF, calling patterns, presence information)
- Session replay: replaying a session, such as a bank transaction
- Man-in-the-middle attacks: insertion of a rogue user/device to intercept traffic and communications
- Virus and malware
Prevent Unauthorized Access - Platforms

Hardened Platform: Unified CM, IM & P, Unity Connection, Expressway
- Host-based intrusion protection (SELinux); not enabled by default on Expressway
- Host-based firewall (iptables); firewall rules (Expressway)
- 3rd party software installation not allowed
- Software digitally signed: OS and application software digitally signed and installed as a single package
- Root account disabled
- Secure management interfaces (HTTPS, SSH, SFTP)
- Audit logging

Additional by Configuration
- If applicable, change default passwords (e.g. Expressway)
- Complex password/credentials policy
- Disable unnecessary protocols
Prevent Unauthorized Access - Endpoints

Security features by default
- Authenticates the firmware/configuration and protects against tampering:
  - Signed firmware (.sbn extension)
  - Signed configuration files (<devicename>.cnf.xml.sgn)*

Additional by Configuration
- Physically secure the phones
- Disable gratuitous ARP
- Configure 802.1X
- Disable web access / SSH access, or configure an ACL
- Disable the PC port if not needed
- Optionally enable TFTP configuration file encryption*

* With Jabber, Unified CM needs to be in Mixed-Mode for signed and encrypted config (CTL required)
Toll Fraud Mitigation (For Your Reference)

Unified CM
- Calling Search Space (CSS) / Partitions for dial-plan segmentation, transfer back to PSTN

Unity Connection
- CSS and Rerouting CSS on the Unity SIP Trunk to include only the required partitions
- Restriction Tables (phone numbers): transfer, message notification, etc.

Unified Border Element / IOS Gateway
- For Toll Fraud and Performance use the telephony denial-of-service (TDoS) attack mitigation feature: prevents responding to SIP requests arriving from untrusted IP addresses

Expressway
- Call Policy Rules (CPL) to allow or reject calls from the Default Zone. For example a CPL to reject any B2B calls with 9 as a prefix to avoid unauthorized calls to the PSTN.
Encryption

NEW
Enable Encryption
- Protect against eavesdropping, data modification, session replay, impersonation
- Provides privacy, integrity, and authentication
- Authentication provided through certificates
- Can be one-way authentication or mutual authentication (MTLS)
Encrypted Links - UCM SIP Trunk

SIP trunk encryption is recommended; Unified CM mixed-mode is not required.

SIP trunks:
- SRTP Allowed checked
- SIP destination port(s) 5061
SIP Trunk Security Profile:
- Security mode Encrypted with transport type TLS
- X.509 Subject Name set to the CN of the remote cert, and incoming port set to 5061 (MTLS)

(Diagram: Unified CM enables encryption using TLS on its SIP trunks to Cisco Meeting Server, Unity Connection, Expressway and CUBE / Voice Gateway; each trunk's X.509 Subject Name is the CN of the remote party.)

Use a different port (e.g. 5561) for Expressway when both B2B and MRA are enabled. (No SIP trunk for MRA-only.)
Encrypted Links - Endpoints: Mixed-Mode

- Encryption for the phone media and signaling requires Unified CM to be in Mixed-Mode
- Requires the Export Restricted version of Unified CM
- IM messages are encrypted by default and do not require mixed-mode
- A secure call shows a lock icon on the endpoint display
Unified CM: Non-Secure vs. Mixed-Mode

Feature availability compared between a Non Secure Cluster and a Mixed Mode Cluster:
- Auto-registration *
- Signed & Encrypted Phone Configs
- Signed Phone Firmware
  (New in Unified CM 11.5)
- Secure Phone Services (HTTPS)
- CAPF + LSC
- IP VPN Phone
- SIP Trunk encryption
- Secure Endpoints (TLS & SRTP)
* Unified CM versions prior to 11.5
Unified CM Mixed-Mode

Enable Mixed-Mode, two options:
- Hardware Security Token (USB Security Tokens)
- Tokenless CTL (PA)

Migration: see the Unified CM Security Guide and TAC note
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html
Encrypted Endpoint Basic Configuration

With Unified CM in mixed-mode, not all endpoints need to be configured with encryption, but all the endpoints download the CTL (Certificate Trust List) file.
Notes:
- Phone security profile is independent from the phone type: Universal Device Template. Useful when deploying MRA.
- Encryption uses the Locally Significant Certificate (LSC) instead of the Manufacturing Installed Certificate (MIC) (requires CAPF enrollment).
Certificate Management

NEW
Why Do We Need Certificates?
What is a Digital Certificate?
- Includes the public key and name of the certificate holder, and a signature
Goal
- Authentication and encryption
Two types of authentication
- One-way authentication: with Web browsers or with Jabber login (UDS, XMPP, Unity Connection visual voice mail)
- Two-way authentication: endpoints in encrypted mode, MTLS trunks (e.g. Unified CM SIP trunk to Expressway)
Endpoint Certificates - MIC vs. LSC

MIC: out-of-box certificate. Proves the phone is a genuine Cisco phone.
But:
- MIC is not specific to your Unified CM cluster. It does not prove the phone is part of your Unified CM cluster.
- MIC cannot be customized/updated/deleted.

Recommendation (PA):
- Use MIC certificates to authenticate with CAPF for LSC certificate installation
- Use LSC for everything else (SIP TLS, VPN, 802.1X*)

* The LSC is not used for wireless 802.1X. Wirelessly connected endpoints require a user-installed certificate for 802.1X (via web interface).
Server Certificates: CA-signed

- If using self-signed certificates: the remote certificate must be imported into the local trust store. Otherwise, a warning message is displayed or the connection is NOT established.
- Importing self-signed certificates creates excessive management overhead, particularly with large deployments containing many service nodes.
- If using certificates signed by an external Certification Authority (CA), only the CA root certificate/certificate chain needs to be imported into the trust store, simplifying management.

Recommendation (PA): use CA-signed certificates for:
- Tomcat (Unified CM, IM & P, Unity Connection)
- CallManager, CUP-XMPP, CUP-XMPP-S2S, Expressway-C/E Server, Cisco Meeting Server Shared server and Database Client
Note: NOT all certificates need to be CA-signed (e.g. Unified CM TVS, CAPF, and ITLRecovery, IM&P CUP).
Multi-Server Certificate Support

(Diagram: Unified CM Cluster with Unified CM nodes and IM&P nodes; one CA-signed Multi-Server certificate for the entire Unified CM cluster.)

To simplify certificate management in clustered environments:
- One single CA-signed certificate and private key across all nodes in a cluster
- Each Unified CM / IM & P and Unity Connection cluster node's FQDN is included as a Subject Alternative Name (SAN) in a single certificate; custom SANs can also be included

Recommendation (PA): use Multi-Server certificates wherever available:
- Tomcat (Unified CM, IM & P, Unity Connection)
- CallManager, CUP-XMPP, CUP-XMPP-S2S
Public CA vs. Private CA

Certificates for Cisco collaboration infrastructure or application service nodes may be signed by public CAs (GeoTrust, Verisign/Symantec, GoDaddy, etc.) or by an organization's private CA (Microsoft CA, openssl, etc.).
The tradeoff between the two options typically comes down to cost:
- Public CAs have a higher cost per certificate, but are broadly trusted in browsers, MRA-capable endpoint firmware, most mobile devices and desktop operating systems.
- Your organization's private CA typically has a minimal cost per cert (if not $0) but is not broadly trusted; the cost is in maintaining the CA and distributing the CA certificate to end users and devices via MDM, MS Group Policy, etc.

Recommendation (PA):
- Public CA for Expressway-E certificates (required for hardware endpoints)
- Public or Private CA for other certificates (Tomcat, CallManager, CUP-XMPP/XMPP-S2S, Expressway-C, Cisco Meeting Server)
BRKUCC-2501 Cisco UC Manager Security & Certificate Deep Dive - Monday, Jun 26, 8:00 am
LTRCOL-2130 Collaboration Security for the Enterprise Preferred Architecture - Thursday, June 29, 8:00 am
Future Evolution of PA
Cisco Spark Hybrid Services for the Collaboration Preferred Architecture

NEW
Cisco Spark Hybrid Services for the Collaboration PA

Cisco Spark Hybrid Services Design Guide (AVAILABLE TODAY)
https://www.cisco.com/c/en/us/td/docs/solutions/PA/maroon/spark/hybdsrvs.html
- Builds upon the Enterprise Collaboration Preferred Architecture
- Includes coverage for:
  - Cisco Directory Connector with Active Directory for enterprise directory integration
  - Cisco Calendar Connector with Microsoft Exchange for enterprise calendar integration
  - Cisco Call Connector with Unified CM for enterprise call control integration, leveraging Expressway-C/E for enterprise firewall traversal
Cisco Spark Hybrid Services PA Architecture

(Diagram: Expressway-C with Connectors (Management Connector, Calendar Connector, Call Connector, Directory Connector) connected to Microsoft Exchange, Active Directory and Unified CM; SIP signaling and media via Expressway-C and Expressway-E through the Internal FW and DMZ FW to the Internet.)
BRKCOL-2202 Cisco Spark Hybrid Services Architectural Design - Thursday, June 29, 8:30 am

Collaboration Preferred Architecture Roadmap (Subject to Change)

Preferred Architecture: Cisco Spark Hybrid Services
Cisco Preferred Architecture for Cisco Spark Hybrid Services: COMING SOON
- Both PA Overview and PA CVD
- Expected content:
  - Call Control
  - Directory, Calendar, Call Connector integrations*
  - Hybrid media services with Hybrid Media Node
  - Spark Call for Enterprise Branch
* Already available in the Cisco Spark Hybrid Services Design Guide (to be deprecated)

(Diagram labels: Headquarters, Expressway-E, Endpoints, DMZ, Expressway-C, Unified Communications Manager, Hybrid Media Node, Mobile/Teleworker, Expressway-C Connector Host, Internet, Cisco Directory, Microsoft Active Directory, Third-Party Solution, Integrated/Aggregated Services Router, MPLS WAN, Integrated Services Router, Collaboration Edge, Microsoft Exchange, Calendar, PSTN, Enterprise Branch. Subject to Change.)
Preferred Architecture: Enterprise Collaboration 12.0
Cisco Preferred Architecture for Enterprise Collaboration 12.0: UPDATE COMING SOON
- Both PA Overview and PA CVD
- Expected updates:
  - Cisco Smart Licensing to replace Cisco Prime License Manager
  - Transport Layer Security (TLS) 1.2
  - Jabber iOS APNS

(Diagram labels: Headquarters; Collaboration Management Services: Cisco Prime Collaboration Deployment, Cisco Prime Collaboration Provisioning; Call Control: Unified Communications Manager, IM and Presence; Collaboration Edge: Expressway-E, Expressway-C, DMZ, Internet, Mobile/Teleworker, Third-Party Solution; Integrated/Aggregated Services Router; MPLS WAN; Integrated Services Router; Remote Site; Voice Messaging: Unity Connection; Conferencing: Cisco Meeting Server, TelePresence Management Suite; PSTN; Endpoints. Subject to Change.)
Learn More

Preferred Architectures Links
Contact us via email: pa-feedback@cisco.com
- Mid-Market and Enterprise PA Documents:
  https://www.cisco.com/c/en/us/solutions/enterprise/design-zone-collaboration/index.html
- Cisco Preferred Architecture for Enterprise Collaboration 11.6, Design Overview (February 2017):
  https://www.cisco.com/c/dam/en/us/td/docs/solutions/PA/enterprise/11x/clbpa116.pdf
- Cisco Preferred Architecture for Enterprise Collaboration 11.6, CVD (February 2017):
  https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/enterprise/11x/116/collbcvd.html
- dCloud: Cisco Preferred Architecture for Enterprise Collaboration 11.0 Lab v1:
  https://dcloud.cisco.com/ (Collaboration > Cisco Preferred Architecture for Enterprise Collaboration 11.0 Lab v1)
- Cisco Spark Hybrid Services Design Guide:
  https://www.cisco.com/c/en/us/td/docs/solutions/PA/maroon/spark/hybdsrvs.html
Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions

Thank you

Collaboration Cisco Education Offerings

- CCIE Collaboration Advanced Workshop (CIEC): Gain expert-level skills to integrate, configure, and troubleshoot complex collaboration networks. Certification: CCIE Collaboration
- Implementing Cisco Collaboration Applications (CAPPS): Understand how to implement the full suite of Cisco collaboration applications including Jabber, Cisco Unified IM and Presence, and Cisco Unity Connection. Certification: CCNP Collaboration
- Implementing Cisco IP Telephony and Video Part 1 (CIPTV1): Learn how to implement Cisco Unified Communications Manager, CUBE, and audio and videoconferences in a single-site voice and video network. Certification: CCNP Collaboration
- Implementing Cisco IP Telephony and Video Part 2 (CIPTV2): Obtain the skills to implement Cisco Unified Communications Manager in a modern, multisite collaboration environment. Certification: CCNP Collaboration
- Troubleshooting Cisco IP Telephony and Video (CTCOLLAB): Troubleshoot complex integrated voice and video infrastructures. Certification: CCNP Collaboration
- Implementing Cisco Collaboration Devices (CICD): Acquire a basic understanding of collaboration technologies like Cisco Call Manager and Cisco Unified Communications Manager. Certification: CCNA Collaboration
- Implementing Cisco Video Network Devices (CIVND): Learn how to evaluate requirements for video deployments, and implement Cisco Collaboration endpoints in converged Cisco infrastructures. Certification: CCNA Collaboration

For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth
APPENDIX

Example Dialing Habits/Numbering
Non-DID Addressing Based on Dialing Habits

Site   +E.164          Abbr. Intra-Site*   Call Park**   Conferencing***
SFO    +14085559XXX    9XXX                4XXX          8099[12]XXX
NYC    +12125551XXX    1XXX                4XXX          8099[12]XXX
RTP    +19195551XXX    1XXX                4XXX          8099[12]XXX

* site specific translation patterns in site specific partition mapping to +E.164
** single call park range in global partition or site specific call park ranges in site specific partitions
*** single dialing habit (single route pattern) in global partition
Reference +E.164 Dial Plan (For Your Reference)

(Diagram columns: CSSs | Partitions | Route Lists | Route Groups)

Line CSS: SJCInternational

Partitions and patterns:
- DN: All IP Phone DNs (+E.164), urgent
- SJCtoE164:
    1XXX, Prefix +1408555
    9.[2-9]XXXXXX, Pre-Dot, Prefix +1408
- UStoE164:
    9011.!, Urgent, Pre-Dot, Prefix +
    9011.!#, Urgent, Pre-Dot, Prefix +
    9.1[2-9]XX[2-9]XXXXXX, Pre-Dot, Prefix +
- PSTNInternational
- USPSTNNational
- SJCPSTNLocal: \+1408[2-9]XXXXXX, Urgent -> LOC RL (Route List) -> Local Route Group
- Route Groups: Local Route Group, XYZ RG

Notes:
- All dialing normalisation is NOT CoS specific! All normalisation patterns can be re-used.
- LRG based egress GW selection.
- Routing is CoS specific. Site specificity only on site specific CoS (like local).
Cisco Meeting App (CMA)

CMA can be a native desktop app, a mobile app or a WebRTC-supported browser application.
With CMA, users can log in and join the conference with audio and video along with content sharing.
With the WebRTC browser client, users without an account in CMS can join the conference as a guest. In addition, users can use CMA to run their meetings: view participants, mute and remove participants, start and stop recording, as well as create and edit their own Spaces.

Note: Cisco Meeting App can be deployed inside or outside of the enterprise network to join a conference, but only the former is covered in the PA.
Instant Conference Call Flow

1. Endpoint selects the conference or join/merge button.
2. Unified CM selects the MRGL/MRG of the device to locate the relevant conference bridge.
3. Unified CM initiates the conference to CMS via HTTP (XML-RPC).
4. CMS creates a temporary space for the conference.
5. Unified CM routes the call to the CMS bridge hosting the conference space via the SIP Trunk.

(Diagram: Host (UCM), Unified CM, CMS, Other Participants. Instant Conference Request -> Instant Conference Initiated by UCM -> CMS creates conference space on bridge -> UCM routes call(s) to CMS Space.)
Scheduled Conference Call Flow

1. At the scheduled time TMS activates the space on CMS.
2. Endpoint dials a scheduled conference alias (URI or DN) provided by TMS.
3. Unified CM matches the dialed string to a (SIP) route pattern or route string.
4. Unified CM routes the call to CMS via the SIP trunk.
5. CMS matches the called number to the user portion of the space URI and creates the conference through the Invite.

(Diagram: Host (UCM), TMS, CMS, Participants. At scheduled time TMS activates space on CMS; each participant dials the conference alias (URI or DN), the alias is matched, and Unified CM routes the call(s) to the CMS Space.)
Cisco Meeting Server Port Capacity (Based on Video Quality) (For Your Reference)

Cisco Meeting Server Capacity Unit (1)   1080p Ports (2)   720p Ports (2)   480p Ports (2)
4                                         2                 4                8
8                                         4                 8                16
12                                        6                 12               24
24                                        12                24               48
48                                        24                48               96

1. The number of capacity units that can be deployed on a Cisco Meeting Server depends on the platform.
2. Assumes a separate content channel sharing at a maximum of 720p resolution and 5 fps.
Toll Fraud Mitigation: Unified CM (1)

Deny unauthorized calls
- Partitions and Calling Search Spaces provide dial plan segmentation and access control
- Example: avoid Unified CM sending a call that arrived from the PSTN back out to the PSTN: don't include the partition holding the route patterns to the PSTN in the Trunk CSS

(Diagram: PSTN -> Voice or Video GW -> Unified CM; the Inbound CSS includes the DN partition and the Multiparty meeting partition, while the PSTN access partition is excluded (X); steps 1-4, signaling and media shown separately.)
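The partition/CSS control above and the reference +E.164 dial plan from the appendix, as an added example that is not part of the slides or of Cisco software: it implements the pattern syntax the dial plan uses (X, [2-9], !, \+, Pre-Dot, Prefix) with a simplified closest-match partition lookup, then shows that an inbound-trunk CSS without the PSTN partitions cannot send a PSTN-originated call back out. Partition names and translation patterns are the slide's; the sample DN, the two PSTN route patterns, the CSS memberships and the trunk CSS name are assumptions, and the caller's CSS is reused for re-lookups where real Unified CM would use the translation pattern's own CSS.

```python
"""Unified CM-style dial-plan lookup: translation patterns, partitions, CSS.

Added example, not from the slides or from Cisco software. Patterns and
partition names follow the reference +E.164 dial plan; the sample DN, the
PSTN route patterns, the CSS memberships and the trunk CSS name are assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Pattern:
    pattern: str               # Unified CM pattern, e.g. "9.[2-9]XXXXXX"
    partition: str
    kind: str = "translation"  # "translation", "dn" or "route"
    pre_dot: bool = False      # discard the digits before the dot
    prefix: str = ""           # digits prepended after the discard


def to_regex(ucm_pattern: str) -> str:
    """Anchored regex for a Unified CM pattern: X is one digit, ! is one or
    more digits, a backslash makes the next character literal, '.' is only
    the Pre-Dot marker, digits and [..] ranges pass through unchanged."""
    out, i = [], 0
    while i < len(ucm_pattern):
        ch = ucm_pattern[i]
        if ch == "\\" and i + 1 < len(ucm_pattern):
            out.append(re.escape(ucm_pattern[i + 1]))
            i += 2
            continue
        if ch == "X":
            out.append(r"\d")
        elif ch == "!":
            out.append(r"\d+")
        elif ch != ".":
            out.append(re.escape(ch) if ch in "+#*" else ch)
        i += 1
    return "^" + "".join(out) + "$"


def specificity(pat: Pattern) -> int:
    """Lower is more specific. Closest-match approximation: each X or [..]
    range costs 1, a variable-length ! costs 32 (assumed weights)."""
    return pat.pattern.count("X") + pat.pattern.count("[") + 32 * pat.pattern.count("!")


def lookup(dialed: str, css: List[str], patterns: List[Pattern]) -> Optional[Pattern]:
    """Closest matching pattern among the partitions listed in the CSS."""
    hits = [p for p in patterns if p.partition in css and re.match(to_regex(p.pattern), dialed)]
    return min(hits, key=specificity) if hits else None


def transform(pat: Pattern, dialed: str) -> str:
    """Apply the Pre-Dot discard and prefix of a translation pattern."""
    digits = dialed
    if pat.pre_dot:
        before_dot = to_regex(pat.pattern.split(".", 1)[0])[1:-1]  # strip ^ and $
        digits = dialed[re.match(before_dot, dialed).end():]
    return pat.prefix + digits


def route_call(dialed: str, css: List[str], patterns: List[Pattern],
               max_hops: int = 5) -> Tuple[str, str, Optional[str]]:
    """Follow translations until a DN or route pattern is reached. Returns
    (number, kind, partition); kind is 'denied' when nothing in the CSS
    matches, which is how a missing PSTN partition blocks the call."""
    number = dialed
    for _ in range(max_hops):
        hit = lookup(number, css, patterns)
        if hit is None:
            return number, "denied", None
        if hit.kind != "translation":
            return number, hit.kind, hit.partition
        number = transform(hit, number)
    return number, "denied", None


PATTERNS = [
    Pattern("\\+14085551234", "DN", kind="dn"),            # constructed +E.164 DN
    Pattern("1XXX", "SJCtoE164", prefix="+1408555"),
    Pattern("9.[2-9]XXXXXX", "SJCtoE164", pre_dot=True, prefix="+1408"),
    Pattern("9011.!", "UStoE164", pre_dot=True, prefix="+"),
    Pattern("9.1[2-9]XX[2-9]XXXXXX", "UStoE164", pre_dot=True, prefix="+"),
    Pattern("\\+1408[2-9]XXXXXX", "SJCPSTNLocal", kind="route"),
    Pattern("\\+1[2-9]XX[2-9]XXXXXX", "USPSTNNational", kind="route"),  # assumed
    Pattern("\\+!", "PSTNInternational", kind="route"),                 # assumed
]
# Line CSS named on the slide; its partition membership is an assumption.
SJC_INTERNATIONAL = ["DN", "SJCtoE164", "UStoE164",
                     "SJCPSTNLocal", "USPSTNNational", "PSTNInternational"]
# Inbound trunk CSS (assumed name): DNs and normalisation only, no PSTN partitions.
PSTN_TRUNK_INBOUND = ["DN", "SJCtoE164", "UStoE164"]

if __name__ == "__main__":
    for dialed, css in [("1234", SJC_INTERNATIONAL), ("901144207946000", SJC_INTERNATIONAL),
                        ("901144207946000", PSTN_TRUNK_INBOUND)]:
        print(dialed, "->", route_call(dialed, css, PATTERNS))
```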
Toll Fraud Mitigation: Unified CM (2)

Block offnet to offnet transfer (CallManager service parameter)

(Diagram: Unified CM, Voice or Video GW, PSTN; steps 1-4, signaling and media shown separately.)
Toll Fraud Mitigation: Unified CM (3)

- Auto-registration: create a dedicated Calling Search Space to limit access to the dial plan
- Employ Time of Day routing to deactivate segments of the dial plan after hours
- Require Forced Authorization Codes on route patterns to restrict access to long distance or international calls
- Drop Ad Hoc Conferences (CallManager Service Parameter)
- Monitor Call Detail Records
- Employ Multilevel Administration
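The Call Detail Record monitoring recommended above, as an added example that is not part of the slides: it scans a small constructed CSV that uses a subset of real Unified CM CDR field names and flags the patterns the other mitigations target (offnet-to-offnet legs, international calls after hours, international calls without a Forced Authorization Code). The gateway device names, the business-hours window (evaluated in UTC) and the international prefixes are assumptions.

```python
"""Toll-fraud indicator checks over Unified CM Call Detail Records (CDRs).

Added example, not from the slides. The CSV below is constructed: its column
names are real Unified CM CDR field names, its values are invented. Gateway
device names, business hours (UTC) and international prefixes are assumed.
"""
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumption: device names of the PSTN gateways / CUBE trunks in this cluster.
GATEWAY_DEVICES = {"SJC-CUBE-1", "NYC-VG-1"}
BUSINESS_HOURS = range(7, 20)             # 07:00-19:59 UTC, assumed
INTERNATIONAL_PREFIXES = ("9011", "011")  # PSTN access code + international prefix

# Constructed sample CDRs (field names follow Unified CM CDR, values invented).
SAMPLE_CDR_CSV = """\
dateTimeOrigination,callingPartyNumber,finalCalledPartyNumber,origDeviceName,destDeviceName,authorizationCodeValue,duration
1498723200,+14085559001,+14085559002,SEP001122334455,SEP001122334466,,120
1498723260,+12125551234,901144207946000,NYC-VG-1,SJC-CUBE-1,,600
1498780800,+14085559003,901133170000000,SEP001122334477,SJC-CUBE-1,,300
1498701600,+14085559004,901181312345678,SEP001122334488,SJC-CUBE-1,1234,45
"""

Finding = Tuple[str, str, str]  # (calling number, called number, indicator)


def is_international(called: str) -> bool:
    """True for +E.164 numbers outside country code 1 and for dialed strings
    that start with a configured international access prefix."""
    called = called.strip()
    if called.startswith("+"):
        return not called.startswith("+1")
    return called.startswith(INTERNATIONAL_PREFIXES)


def analyze_cdrs(csv_text: str) -> List[Finding]:
    """Return one finding per (CDR, indicator) pair."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromtimestamp(int(row["dateTimeOrigination"]), tz=timezone.utc)
        calling, called = row["callingPartyNumber"], row["finalCalledPartyNumber"]
        # Both legs on gateways: a PSTN call being sent back out to the PSTN.
        if row["origDeviceName"] in GATEWAY_DEVICES and row["destDeviceName"] in GATEWAY_DEVICES:
            findings.append((calling, called, "offnet-to-offnet"))
        if is_international(called):
            if when.hour not in BUSINESS_HOURS:
                findings.append((calling, called, "international-after-hours"))
            if not row["authorizationCodeValue"]:
                findings.append((calling, called, "international-without-fac"))
    return findings


def count_by_indicator(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings per indicator for a daily report."""
    counts: Dict[str, int] = {}
    for _, _, indicator in findings:
        counts[indicator] = counts.get(indicator, 0) + 1
    return counts


if __name__ == "__main__":
    for calling, called, indicator in analyze_cdrs(SAMPLE_CDR_CSV):
        print(f"{indicator:28} {calling} -> {called}")
    print(count_by_indicator(analyze_cdrs(SAMPLE_CDR_CSV)))
```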
Toll Fraud Mitigation: Unity Connection

Unity Connection could be used to transfer a call.
Recommendations:
- Use restriction tables to allow or block call patterns (Unity Connection)
- Change partition/PSTN route pattern access from the Rerouting CSS on the SIP trunk to Unity Connection (Unified CM)

Reference:
- Cisco Unity Connection Security Guide:
  https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/security/b_11xcucsecx.html
- Troubleshoot Toll Fraud via Unity Connection TAC tech note:
  https://www.cisco.com/c/en/us/support/docs/unified-communications/unity-connection/119337-technote-cuc-00.html
- System Administration guide:
  https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/administration/guide/b_cucsag/b_cucsag_chapter_0101.html
Toll Fraud Mitigation: Edge

CUBE
- Call Source Authentication (IOS 15.1(2)T feature) is enabled by default. Do not disable it via "no ip address trusted authenticate".
- Only calls from trusted source IP addresses will be accepted. Example:

    voice service voip
     ip address trusted list
      ipv4 10.10.1.10
      ipv4 10.10.2.10

Expressway
- Call Policy Rules (CPL)
Encrypted Links
- Administrative and user interfaces
- SIP trunks
- Endpoint Encryption

Encrypted Links - Administrative and user interfaces

- Most interfaces are encrypted by default (e.g. Unified CM admin web interface and end-user portal)
- Ensure passwords are not sent in the clear
- If integrated with LDAP, configure LDAP over SSL (import the LDAP certificate into the Tomcat-trust store): set the LDAP port to 636 and check the Use TLS box
Encrypted Links - Expressway

Expressway: Unified CM server configuration for MRA
- TLS verify mode triggers MTLS
- Server certificate SAN:
    X509v3 Subject Alternative Name:
        DNS:ent-pa.com, DNS:us-cm-pub.ent-pa.com

Use a port other than 5061 (e.g. 5561) for the Unified CM Neighbor Zone for Expressway B2B.

Expressway Neighbor Zone to Unified CM for B2B
- Enable TLS / MTLS
- Peer 1 certificate SAN:
    X509v3 Subject Alternative Name:
        DNS:ent-pa.com, DNS:us-cm-pub.ent-pa.com
- Certificate CN or SAN is matched against the peer address
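The peer identity check behind "Certificate CN or SAN is matched against the peer address", the SIP Trunk Security Profile's X.509 Subject Name field, and the multi-server certificate idea (every cluster node FQDN carried as a SAN), as an added example that is not part of the slides or of Cisco software. It works on already-extracted CN and DNS SAN values rather than parsing a certificate; the SAN values are the slide's, the subscriber node and CUBE host names are assumptions.

```python
"""Peer identity check for MTLS SIP trunks and Expressway neighbor zones.

Added example, not from the slides or from Cisco software. Given the Common
Name and DNS Subject Alternative Names of the certificate a peer presents, it
decides whether that certificate identifies the configured peer address, and
checks a multi-server certificate against a list of cluster node FQDNs.
SAN values are the slide's; subscriber and CUBE host names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PeerCertificate:
    """Identity fields of an X.509 certificate (constructed; nothing is parsed)."""
    common_name: str
    dns_sans: List[str] = field(default_factory=list)


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison. A leading '*.' matches exactly one
    label and never a bare registered domain (RFC 6125 style); no other
    wildcard forms are honoured."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def peer_identity_matches(cert: PeerCertificate, peer_address: str) -> bool:
    """True when the configured peer address is covered by the certificate.
    When DNS SANs are present only they are consulted; the CN is a fallback
    for certificates that carry no DNS SAN, as TLS libraries behave."""
    if cert.dns_sans:
        return any(dns_id_matches(san, peer_address) for san in cert.dns_sans)
    return dns_id_matches(cert.common_name, peer_address)


def uncovered_nodes(cert: PeerCertificate, node_fqdns: List[str]) -> List[str]:
    """Cluster node FQDNs that a multi-server certificate does NOT cover; an
    empty list means every node can present the certificate."""
    return [fqdn for fqdn in node_fqdns if not peer_identity_matches(cert, fqdn)]


# Certificate presented by Unified CM, with the SAN values shown on the slide.
UCM_CERT = PeerCertificate(
    common_name="us-cm-pub.ent-pa.com",
    dns_sans=["ent-pa.com", "us-cm-pub.ent-pa.com"],
)
# Cluster nodes: the publisher from the slide plus a hypothetical subscriber.
CLUSTER_NODES = ["us-cm-pub.ent-pa.com", "us-cm-sub1.ent-pa.com"]

if __name__ == "__main__":
    print("peer us-cm-pub.ent-pa.com:", peer_identity_matches(UCM_CERT, "us-cm-pub.ent-pa.com"))
    print("nodes not covered by the cert:", uncovered_nodes(UCM_CERT, CLUSTER_NODES))
```

A non-empty result from uncovered_nodes means a subscriber presenting the shared certificate would fail the peer check on the far side, which is exactly the gap a multi-server certificate with every node FQDN as a SAN closes.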
Encrypted Links - Unity Connection

- Enable SIP signaling encryption between Unified CM and Unity Connection
- Enable media and signaling encryption between endpoints and Unity Connection voicemail ports
- Configure the Unity Connection SIP Security Profile for TLS on port 5061 (Enable TLS with SIP port 5061)
- Enable Next Generation Encryption with Secure RTP on the Port Group (TLS Security Profile; Unified CM mixed-mode required)
- Add the Unified CM TFTP servers under the Unity Connection Port Group to automatically download the CallManager certs to the local CallManager-trust store on Port Group reset
USB Security Tokens vs. Tokenless (For Your Reference)

Hardware Security Token (USB Security Tokens)
Pros:
- Private keys never change: fewer situations where endpoints lose the trust relationship with Unified CM, and easier to recover from this scenario
- Can be used across multiple Unified CM clusters and facilitates migration between clusters
- Once Unified CM is in mixed mode, the tokens are off-line
Cons:
- Have to purchase 2+ USB Security tokens
- Requires CTL Client installation on a Windows box
- Lose the USB keys => lose trust
- SAST key length only 1024 bits, SHA1 CTL

Tokenless (PA)
Pros:
- Easier to manage: no need to purchase USB security tokens, no need to install the CTL client, easier to update the CTL file
- SAST key length can be 2048 bits or even higher
Cons:
- Private keys are regenerated when the admin renews the certs: more situations where endpoints lose the trust relationship with Unified CM, and more complex to recover from this scenario
- Requires more steps when migrating clusters
- Not full feature parity: ASA or other certificates (phone trust)
Expressway MRA Voice/Video Encryption

- Voice/video streams are always SRTP encrypted between Expressway-C and the MRA client
- SIP TLS is always enforced between MRA clients and Expressway-E, and between Expressway-C and Expressway-E
- Media and signaling always encrypted
* Unified CM mixed-mode (and a security profile with encryption enabled) is required to achieve SRTP on the internal network and SIP TLS between Expressway-C and Unified CM

(Diagram: Unified CM - SIP TLS* or SIP TCP - Expressway-C - DMZ Firewall - SIP TLS - Expressway-E - External Firewall - SIP TLS - MRA client; SRTP end to end from Expressway-C outward.)
Endpoint Certificates

Certificate Type: MIC (Manufacturer Installed Certificate) vs. LSC (Locally Significant Certificate)
- Required for Media/Signaling encryption and TFTP config file encryption
- Also can be used for phone VPN and 802.1x
- When both LSC and MIC are installed on a device, LSC takes preference
Monitor Certificate Expiration
- Monitor the server certificate expiration (OS Administration page)
- Monitor LSC certificate expiration

Receive Certificate Expiration Notifications
- Receive email notifications when certificates are about to expire
- For server certificates and for LSC certificates