CMUG

Cisco Collaboration Edge William Bell

Architecture Hao Tran
February 18, 2015
Copyright 2015
1
Customer Confidential
 Agenda
Introductions

Collaboration Edge
Architecture Overview

Mobile and Remote Access (MRA)

Overview
MRA Implementation

Q&A

Copyright 2015
2
Customer Confidential
Introductions
•  William Bell, CCIE #38914
William’s background spans an array of technical disciplines including application
development, network infrastructure, protocol analysis, virtualization, and UC. He leads
the UC&C practice and works with customers on architecting solutions that align with
core business drivers. Bill is a regular contributor on the Cisco Support Community, a 3-
time Cisco Designated VIP, and blogs on the NetCraftsmen and UC Guerrilla sites.

•  Hao Tran, CCNP/CCNP-V

A senior unified communications engineer with over 14 years of experience, with a
deep focus in both VoIP and networking technologies. Hao is a CCNP in both network
and voice and is currently pursuing the CCIE in collaboration. He is part of the
NetCraftsmen senior engineering team and supports customers in deployment,
troubleshooting, and operational readiness.

•  Jeff Chun (Cisco), CCNP/CCNP-V

With 10+ years of experience in Consulting and Sales, Jeff’s drive is to create solutions
that solve business challenges. His focus is on deploying Cisco Collaboration solutions
throughout the Enterprise, Commercial, and Federal space. Currently at Cisco, I work
with partners and customers to provide best in class solutions in our Borderless
Networks, Collaboration and Data Center spaces.
Copyright 2015
3
Customer Confidential
 Agenda
Introductions

Collaboration Edge
Architecture Overview

Mobile and Remote Access (MRA)

Overview
MRA Implementation

Q&A

Copyright 2015
4
Customer Confidential
 Collaboration Edge – Solution Overview
Business to
Business (B2B)
Secure communications with
partners, customers &
suppliers over the internet
Video, URI Dialing,
Federation
Mobile and
Remote Access
Ubiquitous user
experience – Any
Device, Anywhere
Jabber Mobile &
Desktop /
TelePresence
Business to Consumer (B2C) Cloud Services
Browser based communications with
consumers, interview candidates, potential
Flexible and scalable, “pay as
you go” shared resources
customers Jabber Guest
WebEx, WebEx Enabled
Telepresence
Interoperability
Investment
protection with
existing 3rd party and
legacy
communication
solutions
IPv4-v6, H323-SIP,
Standards Based
video
Copyright 2015
5
Customer Confidential
Collaboration Edge
Architecture Components
Enterprise
UC Infrastructure

Copyright 2015
6
Customer Confidential
Collaboration Edge
Architecture Components
PSTN
Enterprise ü  TDM Voice
UC Infrastructure Collab Edge ü  ISDN Video

CUBE/SBC
ü  SIP PSTN
ü  Phone Proxy

Cisco Expressway
ü  Mobile and Remote Access
ü  B2B Video
ü  XMPP Federation
ü  Jabber Guest

Copyright 2015
7
Customer Confidential
 Agenda
Introductions

Collaboration Edge
Architecture Overview

Mobile and Remote Access (MRA)

Overview
MRA Implementation

Q&A

Copyright 2015
8
Customer Confidential
 Mobile and Remote Access (MRA)
Solution Overview

Allows the UC infrastructure to provide client registration,

call control, provisioning, messaging, and IM/P services to
endpoints and software clients that are not connected to
the enterprise network.

Provides a secure, VPN-less communication solution for

mobile devices and teleworkers.

Copyright 2015
9
Customer Confidential
MRA
Business Drivers

BYOD Solution Benefits

ü  Borderless workforce ü  MRA is an “enabler”
Contractors, teleworkers ü  Feature continuity and
ü  Significant cost savings transparency
CapEx-Yes, OpEx-Maybe ü  Borderless communications
ü  Employee productivity ü  Secure communications
24x7x365 –Anytime, Anywhere ü  Cloud services support
Teleworking
ü  Cost savings
OpEx – Infrastructure cost reduction
ü  Employee satisfaction and retention
- 2012 – 40% of US working pop
telecommutes at least part time
- Work-Life Integration
ü  Employee productivity
Copyright 2015
10
Customer Confidential
MRA Solution Components
Cisco UCM

Cisco UCM
•  UDS Provisioning
•  End user authentication
•  Client registration
•  Voice/Video Call Control

Copyright 2015
11
Customer Confidential
MRA Solution Components
Cisco IM&P

Cisco IM & Presence

•  XMPP Client connection
•  Messaging service
•  Presence / Contact
Management

Copyright 2015
12
Customer Confidential
MRA Solution Components
Cisco Unity Connection

Cisco Unity Connection

•  Visual Voice Messaging

Copyright 2015
13
Customer Confidential
 MRA Solution Components
Cisco Expressway
•  Introduced mid-2014
•  Initial VCS/Expressway version X8.1
•  Based on the Cisco Video Communications Server (VCS)

Cisco VCS Expressway

•  Specialized video applications
•  Used for video only customer
base
•  Virtual Machine or HW appliance
•  Superset of platform feature set
•  Two versions:
ü  VCS Control (VCS-C)
ü  VCS Expressway (VCS-E)
•  Designed for UCM 9.1+
•  Virtual Machine only
•  No cost licensing for MRA
functionality
•  Subset of platform feature set
•  Two versions:
ü  “Core” (Expressway-C)
ü  “Edge” (Expressway-E)

Copyright 2015
14
Customer Confidential
 MRA Solution Components
Cisco Expressway
Expressway-C
Jabber
Enterprise
UC Network Internet
1 2
4 3
Expressway-E

Expressway-C (Core) Expressway-E (Edge)

•  Traversal client •  Traversal server
•  Proxy endpoint registration •  Hosts external client
ü  SIP to UCM connections
ü  XMPP to IM/P
ü  HTTP to VM and directory

Traversal Basics
1.  Core initiates client connection to Edge
2.  Once connected, Core sends keep-alive packets to Edge
3.  Edge receives incoming requests from clients
4.  The traversal connection is used to signal client request to Core

Copyright 2015
15
Customer Confidential
MRA Solution Components
Supplementary Services

Supplementary Services
•  Domain Name Services (DNS)
•  Perimeter Firewall(s)
•  Certificate Services
ü  Internal Enterprise Hosts
ü  Externally Accessible Hosts
•  Intranet Web Server

Copyright 2015
16
Customer Confidential
 Agenda
Introductions

Collaboration Edge
Architecture Overview

Mobile and Remote Access (MRA)

Overview
MRA Implementation

Q&A

Copyright 2015
17
Customer Confidential
MRA Implementation
•  UC Infrastructure Provisioning
ü  Expressway and the DMZ
ü  Certificate Provisioning

•  Service Discovery and Client Registration

ü  DNS Provisioning
ü  Edge Discovery
ü  Service Discovery
ü  DNS Considerations
ü  Client Registration

•  Deployment Considerations (Time Permitting)

Copyright 2015
18
Customer Confidential
MRA Implementation

Infrastructure Provisioning

Copyright 2015
19
Customer Confidential
Infrastructure Provisioning
Expressway and the DMZ
•  Expressway-C
ü  Always deployed on the internal LAN
ü  Uses a Firewall Traversal mechanism to communicate with Expressway-E

•  Expressway-E
ü  Typically deployed in the DMZ
ü  Can adapt to a variety of DMZ environments
ü  Supports Static NAT (SNAT) using Advanced Networking Option
ü  Supports dual network connections using DUAL NIC feature (part of
Advanced Networking Option)

•  Firewall
ü  Various deployment options are supported
ü  ALG is not a viable option w/ MRA solution

Copyright 2015
20
Customer Confidential
Infrastructure Provisioning
Expressway and the DMZ – DUAL + SNAT
Expressway-C Cert CN: uc-expe-01.domain.com

Jabber @ Anywhere
Enterprise
UC Network
Internet

1 2
LAN2
LAN1 10.3.20.5
A: uc-expe-01.domain.com -> 10.3.10.5 10.3.10.5 SNAT 64.10.0.10
Expressway-E A: uc-expe-01.domain.com
Static Routes
uc-expe-01 -> 64.10.0.10

•  Deployment Scenario •  Traversal Zone

ü  Two separate DMZ subnets ü  Edge-LAN1 is not NATted
ü  No routing between DMZ subnets ü  Core establishes connection to
ü  Expressway-C on internal LAN Edge-LAN1 IP address
ü  Two physical firewalls ü  FQDN and Cert CN considerations

•  Expressway-E Config •  Internet “Zone”

ü  Dual NIC enabled ü  Edge-LAN2 uses Static NAT (SNAT)

ü  LAN1 is bridged to LAN2 ü  FW responsible for Layer 3 SNAT

ü  Static routes to internal subnets ü  External DNS resolves to public IP
manually added on Edge ü  FQDN and Cert CN considerations

Copyright 2015
21
Customer Confidential
Infrastructure Provisioning
Expressway and the DMZ – DUAL
Expressway-C Cert CN: uc-expe-01.domain.com

Jabber @ Anywhere
Enterprise
UC Network
Internet

1 2
LAN2
LAN1 64.10.0.10
A: uc-expe-01.domain.com -> 10.3.10.5 10.3.10.5
Expressway-E A: uc-expe-01.domain.com
Static Routes
uc-expe-01 -> 64.10.0.10

•  Deployment Scenario •  Traversal Zone

ü  Two separate DMZ subnets ü  Edge-LAN1 is not NATted
ü  No routing between DMZ subnets ü  Core establishes connection to
ü  Expressway-C on internal LAN Edge-LAN1 IP address
ü  Two physical firewalls ü  FQDN and Cert CN considerations

•  Expressway-E Config •  Internet “Zone”

ü  Dual NIC enabled ü  Edge-LAN2 uses public IP

ü  LAN1 is bridged to LAN2 ü  External DNS resolves to public IP

ü  Static routes to internal subnets ü  FQDN and Cert CN considerations
manually added on Edge
Copyright 2015
22
Customer Confidential
Infrastructure Provisioning
Expressway and the DMZ – Single FW w/SNAT
Expressway-C

Jabber @ Anywhere
Enterprise
UC Network
Internet

DMZ-to- DMZ-to-
Trusted Untrusted
A: uc-expe-01.domain.com -> 64.10.0.10 LAN1
10.3.10.5 A: uc-expe-01.domain.com
SNAT 64.10.0.10 -> 64.10.0.10

•  Deployment Scenario •  Traversal Zone

ü  Single DMZ subnet
ü  Expressway-C on internal LAN
ü  One firewall (or HA Pair)
ü  A static 1:1 NAT configured on FW
•  Expressway-E Config
ü  Advanced Networking enabled
ü  LAN1 configured with SNAT
*NOTE: This works w/o SNAT as well
If not using SNAT, Advanced Networking not required
ü  Core establishes connection to
LAN1 NATted IP address
ü  Requires that FW support NAT
Reflection
•  Internet “Zone”
ü  External DNS resolves to public IP
ü  Jabber connects to NATted IP
address

Copyright 2015
23
Customer Confidential
Infrastructure Provisioning
Expressway and the DMZ – Two Firewalls, SNAT
Expressway-C

Jabber @ Anywhere
Enterprise
UC Network
Internet

FW1 FW2
A: uc-expe-01.domain.com -> 64.10.0.10 LAN1
10.3.10.5 A: uc-expe-01.domain.com
Static Routes SNAT 64.10.0.10 -> 64.10.0.10

•  Deployment Scenario •  Traversal Zone

ü  Single DMZ subnet
ü  Expressway-C on internal LAN
ü  Internal and External firewalls
ü  Static 1:1 NAT configured on FW2
•  Expressway-E Config
ü  Advanced Networking enabled
ü  LAN1 configured with SNAT
ü  (optional) Static routes to internal
subnets manually added on Edge
ü  Core establishes connection to LAN1
NATted IP address
ü  Requires that FW support NAT
Reflection
ü  Design Consideration: Asymmetric
routing
•  Internet “Zone”
ü  External DNS resolves to public IP
ü  Jabber connects to NATted IP address
*NOTE: This works w/o SNAT as well
If not using SNAT, Advanced Networking not required
Copyright 2015
24
Customer Confidential
Infrastructure Provisioning
Expressway and the DMZ – DUAL w/o Internal FW
Expressway-C

Jabber @ Anywhere
Enterprise
UC Network
Internet

1 2
LAN2
LAN1 64.10.0.10 OR SNAT
10.3.10.5
Expressway-E
uc-expe-01

•  Deployment Scenario Considerations

ü  One DMZ subnet ü  From the Expressway-E
ü  Edge LAN1 on internal LAN perspective, this is identical to the
ü  Core on internal LAN previous scenario
ü  No routing between DMZ and ü  Same considerations for certs and
internal LAN DNS resolution
ü  One firewall (or HA pair) ü  This is not one of Cisco’s reference
configurations
ü  But, it works...

Copyright 2015
25
Customer Confidential
 Infrastructure Provisioning
Certificate Provisioning - Overview

LDAP PKI Web

Jabber @ work

Expressway-C

Internet

Cisco UCM Expressway-E

IM & Jabber @ Anywhere

Unity
Presence
Connection

Copyright 2015
26
Customer Confidential
Infrastructure Provisioning
Certificate Provisioning – Jabber Considerations
•  Jabber clients enforce certificate validation
Certificates Affected
Application Certificate Considerations
Cisco UCM Tomcat (HTTP) Secure Phone Profiles for Mixed mode
Tomcat (HTTP)
Cisco IM&P XMPP domain added as SAN
XCP Router (XMPP)
Unity Connection Tomcat (HTTP)
Expressway-E Server Cert UCM Mixed Mode: no impact
SAN: service discovery domains
*When using OCSP or CRL: Required RTT <= 5s
WebEx Services CAS, WAPI Meeting Center, WebEx Messenger

•  General Considerations
ü  Client will prompt user when cert is not trusted
ü  To avoid identity mismatch, configure UC applications to use FQDN
q Cisco UCM: System servers and UC service profiles
q Cisco IM/P: Cluster topology, TFTP servers, CCMCIP profiles
ü  Public CAs do not support IP address, non-FQDN, or bogus FQDN in CSR
Copyright 2015
27
Customer Confidential
Infrastructure Provisioning
Certificate Provisioning - Expressway
•  Server Certificates
ü  X.509 Extended Key usage: TLS Web Client Auth + TLS Web Server Auth
ü  No support for wildcard certificates
ü  No requirement to add Expressway certs to CTL (for UCM Mixed Mode)
•  Expressway-E Certificates
ü  Server Certificate should be signed by Public CA
ü  All service discovery domains need to added as SANs in the CSR

•  Expressway-C Certificates
ü  Recommend using Enterprise CA but can use Public CA
ü  For UCM Mixed Mode - add phone security profiles as SANs in CSR

•  Other Considerations
ü  XMPP Federations and Federated Group chat SAN requirements
ü  Expressway Cluster considerations
Copyright 2015
28
Customer Confidential
Infrastructure Provisioning
Expressway Certificate Trust Store

Certificate Type Core Edge Comments

Public CA chain used to sign Expressway-E Yes Yes Required to establish traversal zone
(Edge) server certificate

Public (or Enterprise) CA chain used to sign

Yes Yes Required to establish traversal zone
Expressway-C (Core) server certificate

UCM Tomcat certificate or CA cert chain Yes No For MRA only required when TLS
verify mode is used
UCM CallManager service certificate or CA cert Yes No Only required when UCM is
chain provisioned for Mixed-Mode

IM/P Tomcat and XCP certificate or cert chain Yes No For MRA only required when TLS
verify mode is used

Copyright 2015
29
Customer Confidential
MRA Implementation

Service Discovery

Copyright 2015
30
Customer Confidential
Service Discovery
Process Overview
•  Determine Service Domain
ü  Leverage JID or read from configuration
ü  Example: user@ company.com

•  Edge Discovery
ü  Client queries DNS SRV records to determine service location
ü  Attempt to discovery internal services then fallback to Edge Discovery

•  Determine if enterprise has a WebEx Cloud account

We’ll come back to this later

•  Get Edge Configuration

ü  Client establishes secure connection to Expressway-E (“Edge”)
ü  Leverage UDS to determine user and device configuration

•  Client Registers to Cisco UCM, IM&P, and Voicemail

Copyright 2015
31
Customer Confidential
 Service Discovery
Edge Discovery
(2a):_cisco-uds._tcp.netcraftsmen.com (1) _cisco-uds._tcp.netcraftsmen.com
_cuplogin._tcp.netcraftsmen.com
(2b):_cuplogin._tcp.netcraftsmen.com
(4c):_collab-edge._tls.netcraftsmen.com

(2a)
(4c)
(3) (5)

UID:
wjb@netcraftsmen.com

(2b) UID:
wjb@netcraftsmen.com

Process Considerations
1.  Jabber leverages DNS for discovery ü  Leverage “Split-
2.  Internal client DNS SRV query Horizon” DNS
3.  If SRV query resolves then start TCP HS ü  Internal records:
4.  If internal SRV queries fail then query for _cisco-uds._tcp.<domain>
_cuplogin._tcp.<domain>
external SRV
ü  External Record:
5.  If SRV query resolves then start TLS _collab-edge._tls.<domain>
Copyright 2015
32
Customer Confidential
 Service Discovery
Get Edge Configuration

Jabber @ Anywhere
Expressway-C
(2d) (2f) (2b) (1)
Internet
(2a)
Cisco UCM Expressway-E
(2c)
(2e) SRV: _cisco-uds._tcp.<domain>
LDAP
SRV: _cisco-phone-tftp._tcp.<domain>
Authentication
SRV: _cuplogin._tcp.<domain>
A records (as needed)

Process
1.  Jabber establishes TLS connection
ü  Client/Server Hello + cert exchange w/Edge
2.  Jabber requests Edge configuration
a)  HTTPS request to Edge w/Authentication
b)  Edge proxies request to Core (over traversal)
c)  If not cached, Core sends DNS queries
d)  HTTPS/UDS request for user object to UCM
e)  UCM Authenticates User (TLS recommended)
f)  HTTPS/UDS request to Get Device configs
Copyright 2015
33
Customer Confidential
 Service Discovery
Get Edge Configuration

Jabber @ Anywhere
Expressway-C

(3) (3) (3)

Internet
(4) (4) (4)
Cisco UCM Expressway-E
Edge Config Response: -  XMPP Edge
- UCM, IM/P, TFTP SRV -  HTTP Edge
-  SIP edge -  Etc.
-  List of UDS servers

Process Considerations
1.  Jabber establishes TLS connection ü  Firewall Rules
2.  Jabber requests Edge configuration ü  Server Certificates
3.  UCM responds with 200 OK q  Expressway-E
ü  Response is relayed: Core->Edge->Client q  Cisco UCM
ü  Response contains device and service config q  LDAP (optional)
4.  Retrieve Configuration Files
ü  HTTPS: Get /jabber-config.xml, CTLSEP<csf>.tlv,
SEP<csf>.cnf.xml
ü  Dial Rules, Directory Lookup Rules, etc.
Copyright 2015
34
Customer Confidential
Service Discovery
MRA Jabber Client Registration

Jabber @ Anywhere
Expressway-C

Internet

Cisco UCM Expressway-E

Process
IM & 1.  Jabber initiates SIP registration process
Unity
Presence
Connection ü  SIP REFER/REGISTER/etc. sent to Edge
ü  Edge challenges client for authentication
ü  Edge proxies client request (PAI) to Core
ü  Core proxies request to Cisco UCM
2.  Jabber establishes XMPP connection
ü  Client request proxied - similar to SIP
ü  HTTPS used for provisioning
3.  Jabber establishes HTTPS connection to
Unity Connection
ü  Visual voicemail
Copyright 2015
35
Customer Confidential
MRA Implementation

Deployment Considerations

Copyright 2015
36
Customer Confidential
 Deployment Considerations
Multi-Domain Deployment
Expressway-C
<host>.internal.local

Jabber @ Anywhere
uc-expc.internal.local

Internet

Expressway-E
Cisco UCM
uc-expe.public.com
JID:
wjb@internal.local

Considerations
IM&P XMPP Domain ü  Service discovery will fail
<host>.internal.local internal.local ü  External DNS servers can’t
resolve internal.local
•  Public domain: public.com
ü  Public CA won’t allow FQDNs in
ü  Expressway-E internal.local
•  Internal domain: internal.local Solution
ü  Cisco UCM, IM&P, and UC hosts ü  Leverage Split-DNS
ü  Expressway-C ü  Modify jabber-config.xml
ü  User service domain VoiceServicesDomain = public.com
ü  Jabber must login locally first
Copyright 2015
37
Customer Confidential
Deployment Considerations
Cisco WebEx Cloud
•  IM&P Functionality Provided by WebEx Messenger
–  CUCM IM/P Service not required

•  WebEx Cloud and Service Discovery

-  Client queries for SRV records: _cisco-uds, _cuplogin, _collab-edge
-  Determine whether domain is registered to WebEx
http://loginp.webexconnect.com/cas/FederatedSSO?org=<domain>
-  If WebEx discovered:
-  Challenge user with WebEx credentials
-  Proceed with Enterprise sign-in on CUCM and Unity Connection

-  If no WebEx account then discovery proceeds as normal

•  What if you have a mixed environment?

–  WebEx can be excluded from the Service Discovery process

Copyright 2015
38
Customer Confidential
Deployment Considerations
Customizing Service Discovery
•  Methodology
–  J4W: Can push configuration parameters during MSI install
–  All Clients: Leverage “Configuration URL”

•  Service Discovery Options

-  Exclude WebEx:
-  Client Does not check WebEx cloud
-  SRV queries: (a) _cisco-uds, (b) _cuplogin, (c) _collab-edge
-  Exclude CUCM:
-  Client does check WebEx but does not query for _cisco-uds
-  SRV queries: (a) _cuplogin and (b) _collab-edge
-  Exclude CUP:
-  I think you get the idea... [no _cuplogin, yes everything else]

Copyright 2015
39
Customer Confidential
Deployment Considerations
Interoperability of Collaboration Edge Features

Feature Expressway VCS

Mobile and Remote Access Yes Yes

Business to Business Video Yes Yes

Business to Consumer / Jabber Guest** Yes Yes

Video Interworking
Yes Yes
(IPv4-IPv6, H323-SIP, MS H264 SVC-AVC, Standards based 3rd party)

Video / TelePresence Device Registration + Provisioning No Yes

Video Session Management + Call Control No Yes

WebEx Enabled TelePresence Yes* Yes

Enhanced Security (e.g. JITC) No Yes

* TelePresence MCU must be trunked to the Cisco UCM

** Jabber Guest and MRA cannot run co-resident (due to TURN requirements)

Copyright 2015
40
Customer Confidential
Deployment Considerations
Minimum Software Requirements
Feature UC Solution Component Minimum Version

Cisco Unified CM 9.1(2)SU1

Call Processing
Cisco Unified CM Business Edition

Unified Presence 9.1.1

IM/Presence
WebEx Connect service Server 7.6 and later

Voicemail Cisco Unity Connection 8.6(1)

Cisco Expressway or X8.1.1

Collaboration
Edge Cisco VCS

Clients* Jabber for Windows 9.7

Jabber for iPhone/iPad 9.6(1)
Jabber for Mac 9.6
Jabber for Android 9.6
EX/MX/SX/C Series Endpoints TC 7.1

* Expressway X8.5 Preview Feature: Support for Cisco DX, 7800, and 8800 endpoints

Copyright 2015
41
Customer Confidential
 Agenda
Introductions

Collaboration Edge
Architecture Overview

Mobile and Remote Access (MRA)

Overview
MRA Implementation

Q&A

Copyright 2015
42
Customer Confidential
Telephone: 888-804-1717
E-mail: info@netcraftsmen.com

Copyright 2015
43
Customer Confidential