Professional Documents
Culture Documents
Collaboration Edge
Architecture Overview
Q&A
Copyright 2015
2
Customer Confidential
Introductions
• William Bell, CCIE #38914
William’s background spans an array of technical disciplines including application
development, network infrastructure, protocol analysis, virtualization, and UC. He leads
the UC&C practice and works with customers on architecting solutions that align with
core business drivers. Bill is a regular contributor on the Cisco Support Community, a 3-
time Cisco Designated VIP, and blogs on the NetCraftsmen and UC Guerrilla sites.
Collaboration Edge
Architecture Overview
Q&A
Copyright 2015
4
Customer Confidential
Collaboration Edge – Solution Overview
Business to Business to Consumer (B2C) Cloud Services
Business (B2B) Browser based communications with
consumers, interview candidates, potential
Flexible and scalable, “pay as
you go” shared resources
Secure communications with customers Jabber Guest
partners, customers &
suppliers over the internet WebEx, WebEx Enabled
Video, URI Dialing, Telepresence
Federation
Copyright 2015
5
Customer Confidential
Collaboration Edge
Architecture Components
Enterprise
UC Infrastructure
Copyright 2015
6
Customer Confidential
Collaboration Edge
Architecture Components
PSTN
Enterprise ü TDM Voice
UC Infrastructure Collab Edge ü ISDN Video
CUBE/SBC
ü SIP PSTN
ü Phone Proxy
Cisco Expressway
ü Mobile and Remote Access
ü B2B Video
ü XMPP Federation
ü Jabber Guest
Copyright 2015
7
Customer Confidential
Agenda
Introductions
Collaboration Edge
Architecture Overview
Q&A
Copyright 2015
8
Customer Confidential
Mobile and Remote Access (MRA)
Solution Overview
Copyright 2015
9
Customer Confidential
MRA
Business Drivers
Cisco UCM
• UDS Provisioning
• End user authentication
• Client registration
• Voice/Video Call Control
Copyright 2015
11
Customer Confidential
MRA Solution Components
Cisco IM&P
Copyright 2015
12
Customer Confidential
MRA Solution Components
Cisco Unity Connection
Copyright 2015
13
Customer Confidential
MRA Solution Components
Cisco Expressway
• Introduced mid-2014
• Initial VCS/Expressway version X8.1
• Based on the Cisco Video Communications Server (VCS)
Copyright 2015
14
Customer Confidential
MRA Solution Components
Cisco Expressway
Expressway-C
Jabber
Enterprise
UC Network Internet
1 2
4 3
Expressway-E
Traversal Basics
1. Core initiates client connection to Edge
2. Once connected, Core sends keep-alive packets to Edge
3. Edge receives incoming requests from clients
4. The traversal connection is used to signal client request to Core
Copyright 2015
15
Customer Confidential
MRA Solution Components
Supplementary Services
Supplementary Services
• Domain Name Services (DNS)
• Perimeter Firewall(s)
• Certificate Services
ü Internal Enterprise Hosts
ü Externally Accessible Hosts
• Intranet Web Server
Copyright 2015
16
Customer Confidential
Agenda
Introductions
Collaboration Edge
Architecture Overview
Q&A
Copyright 2015
17
Customer Confidential
MRA Implementation
• UC Infrastructure Provisioning
ü Expressway and the DMZ
ü Certificate Provisioning
Copyright 2015
18
Customer Confidential
MRA Implementation
Infrastructure Provisioning
Copyright 2015
19
Customer Confidential
Infrastructure Provisioning
Expressway and the DMZ
• Expressway-C
ü Always deployed on the internal LAN
ü Uses a Firewall Traversal mechanism to communicate with Expressway-E
• Expressway-E
ü Typically deployed in the DMZ
ü Can adapt to a variety of DMZ environments
ü Supports Static NAT (SNAT) using Advanced Networking Option
ü Supports dual network connections using DUAL NIC feature (part of
Advanced Networking Option)
• Firewall
ü Various deployment options are supported
ü ALG is not a viable option w/ MRA solution
Copyright 2015
20
Customer Confidential
Infrastructure Provisioning
Expressway and the DMZ – DUAL + SNAT
Expressway-C Cert CN: uc-expe-01.domain.com
Jabber @ Anywhere
Enterprise
UC Network
Internet
1 2
LAN2
LAN1 10.3.20.5
A: uc-expe-01.domain.com -> 10.3.10.5 10.3.10.5 SNAT 64.10.0.10
Expressway-E A: uc-expe-01.domain.com
Static Routes
uc-expe-01 -> 64.10.0.10
Copyright 2015
21
Customer Confidential
Infrastructure Provisioning
Expressway and the DMZ – DUAL
Expressway-C Cert CN: uc-expe-01.domain.com
Jabber @ Anywhere
Enterprise
UC Network
Internet
1 2
LAN2
LAN1 64.10.0.10
A: uc-expe-01.domain.com -> 10.3.10.5 10.3.10.5
Expressway-E A: uc-expe-01.domain.com
Static Routes
uc-expe-01 -> 64.10.0.10
Jabber @ Anywhere
Enterprise
UC Network
Internet
DMZ-to- DMZ-to-
Trusted Untrusted
A: uc-expe-01.domain.com -> 64.10.0.10 LAN1
10.3.10.5 A: uc-expe-01.domain.com
SNAT 64.10.0.10 -> 64.10.0.10
Copyright 2015
23
Customer Confidential
Infrastructure Provisioning
Expressway and the DMZ – Two Firewalls, SNAT
Expressway-C
Jabber @ Anywhere
Enterprise
UC Network
Internet
FW1 FW2
A: uc-expe-01.domain.com -> 64.10.0.10 LAN1
10.3.10.5 A: uc-expe-01.domain.com
Static Routes SNAT 64.10.0.10 -> 64.10.0.10
Jabber @ Anywhere
Enterprise
UC Network
Internet
1 2
LAN2
LAN1 64.10.0.10 OR SNAT
10.3.10.5
Expressway-E
uc-expe-01
Copyright 2015
25
Customer Confidential
Infrastructure Provisioning
Certificate Provisioning - Overview
Expressway-C
Internet
Copyright 2015
26
Customer Confidential
Infrastructure Provisioning
Certificate Provisioning – Jabber Considerations
• Jabber clients enforce certificate validation
Certificates Affected
Application Certificate Considerations
Cisco UCM Tomcat (HTTP) Secure Phone Profiles for Mixed mode
Tomcat (HTTP)
Cisco IM&P XMPP domain added as SAN
XCP Router (XMPP)
Unity Connection Tomcat (HTTP)
Expressway-E Server Cert UCM Mixed Mode: no impact
SAN: service discovery domains
*When using OCSP or CRL: Required RTT <= 5s
WebEx Services CAS, WAPI Meeting Center, WebEx Messenger
• General Considerations
ü Client will prompt user when cert is not trusted
ü To avoid identity mismatch, configure UC applications to use FQDN
q Cisco UCM: System servers and UC service profiles
q Cisco IM/P: Cluster topology, TFTP servers, CCMCIP profiles
ü Public CAs do not support IP address, non-FQDN, or bogus FQDN in CSR
Copyright 2015
27
Customer Confidential
Infrastructure Provisioning
Certificate Provisioning - Expressway
• Server Certificates
ü X.509 Extended Key usage: TLS Web Client Auth + TLS Web Server Auth
ü No support for wildcard certificates
ü No requirement to add Expressway certs to CTL (for UCM Mixed Mode)
• Expressway-E Certificates
ü Server Certificate should be signed by Public CA
ü All service discovery domains need to added as SANs in the CSR
• Expressway-C Certificates
ü Recommend using Enterprise CA but can use Public CA
ü For UCM Mixed Mode - add phone security profiles as SANs in CSR
• Other Considerations
ü XMPP Federations and Federated Group chat SAN requirements
ü Expressway Cluster considerations
Copyright 2015
28
Customer Confidential
Infrastructure Provisioning
Expressway Certificate Trust Store
Public CA chain used to sign Expressway-E Yes Yes Required to establish traversal zone
(Edge) server certificate
UCM Tomcat certificate or CA cert chain Yes No For MRA only required when TLS
verify mode is used
UCM CallManager service certificate or CA cert Yes No Only required when UCM is
chain provisioned for Mixed-Mode
IM/P Tomcat and XCP certificate or cert chain Yes No For MRA only required when TLS
verify mode is used
Copyright 2015
29
Customer Confidential
MRA Implementation
Service Discovery
Copyright 2015
30
Customer Confidential
Service Discovery
Process Overview
• Determine Service Domain
ü Leverage JID or read from configuration
ü Example: user@ company.com
• Edge Discovery
ü Client queries DNS SRV records to determine service location
ü Attempt to discovery internal services then fallback to Edge Discovery
(2a)
(4c)
(3) (5)
UID:
wjb@netcraftsmen.com
(2b) UID:
wjb@netcraftsmen.com
Process Considerations
1. Jabber leverages DNS for discovery ü Leverage “Split-
2. Internal client DNS SRV query Horizon” DNS
3. If SRV query resolves then start TCP HS ü Internal records:
4. If internal SRV queries fail then query for _cisco-uds._tcp.<domain>
_cuplogin._tcp.<domain>
external SRV
ü External Record:
5. If SRV query resolves then start TLS _collab-edge._tls.<domain>
Copyright 2015
32
Customer Confidential
Service Discovery
Get Edge Configuration
Jabber @ Anywhere
Expressway-C
(2d) (2f) (2b) (1)
Internet
(2a)
Cisco UCM Expressway-E
(2c)
(2e) SRV: _cisco-uds._tcp.<domain>
LDAP
SRV: _cisco-phone-tftp._tcp.<domain>
Authentication
SRV: _cuplogin._tcp.<domain>
A records (as needed)
Process
1. Jabber establishes TLS connection
ü Client/Server Hello + cert exchange w/Edge
2. Jabber requests Edge configuration
a) HTTPS request to Edge w/Authentication
b) Edge proxies request to Core (over traversal)
c) If not cached, Core sends DNS queries
d) HTTPS/UDS request for user object to UCM
e) UCM Authenticates User (TLS recommended)
f) HTTPS/UDS request to Get Device configs
Copyright 2015
33
Customer Confidential
Service Discovery
Get Edge Configuration
Jabber @ Anywhere
Expressway-C
Process Considerations
1. Jabber establishes TLS connection ü Firewall Rules
2. Jabber requests Edge configuration ü Server Certificates
3. UCM responds with 200 OK q Expressway-E
ü Response is relayed: Core->Edge->Client q Cisco UCM
ü Response contains device and service config q LDAP (optional)
4. Retrieve Configuration Files
ü HTTPS: Get /jabber-config.xml, CTLSEP<csf>.tlv,
SEP<csf>.cnf.xml
ü Dial Rules, Directory Lookup Rules, etc.
Copyright 2015
34
Customer Confidential
Service Discovery
MRA Jabber Client Registration
Jabber @ Anywhere
Expressway-C
Internet
Process
IM & 1. Jabber initiates SIP registration process
Unity
Presence
Connection ü SIP REFER/REGISTER/etc. sent to Edge
ü Edge challenges client for authentication
ü Edge proxies client request (PAI) to Core
ü Core proxies request to Cisco UCM
2. Jabber establishes XMPP connection
ü Client request proxied - similar to SIP
ü HTTPS used for provisioning
3. Jabber establishes HTTPS connection to
Unity Connection
ü Visual voicemail
Copyright 2015
35
Customer Confidential
MRA Implementation
Deployment Considerations
Copyright 2015
36
Customer Confidential
Deployment Considerations
Multi-Domain Deployment
Expressway-C
<host>.internal.local
Jabber @ Anywhere
uc-expc.internal.local
Internet
Expressway-E
Cisco UCM
uc-expe.public.com
JID:
wjb@internal.local
Considerations
IM&P XMPP Domain ü Service discovery will fail
<host>.internal.local internal.local ü External DNS servers can’t
resolve internal.local
• Public domain: public.com
ü Public CA won’t allow FQDNs in
ü Expressway-E internal.local
• Internal domain: internal.local Solution
ü Cisco UCM, IM&P, and UC hosts ü Leverage Split-DNS
ü Expressway-C ü Modify jabber-config.xml
ü User service domain VoiceServicesDomain = public.com
ü Jabber must login locally first
Copyright 2015
37
Customer Confidential
Deployment Considerations
Cisco WebEx Cloud
• IM&P Functionality Provided by WebEx Messenger
– CUCM IM/P Service not required
Copyright 2015
38
Customer Confidential
Deployment Considerations
Customizing Service Discovery
• Methodology
– J4W: Can push configuration parameters during MSI install
– All Clients: Leverage “Configuration URL”
Copyright 2015
39
Customer Confidential
Deployment Considerations
Interoperability of Collaboration Edge Features
Video Interworking
Yes Yes
(IPv4-IPv6, H323-SIP, MS H264 SVC-AVC, Standards based 3rd party)
Copyright 2015
40
Customer Confidential
Deployment Considerations
Minimum Software Requirements
Feature UC Solution Component Minimum Version
* Expressway X8.5 Preview Feature: Support for Cisco DX, 7800, and 8800 endpoints
Copyright 2015
41
Customer Confidential
Agenda
Introductions
Collaboration Edge
Architecture Overview
Q&A
Copyright 2015
42
Customer Confidential
Telephone: 888-804-1717
E-mail: info@netcraftsmen.com
Copyright 2015
43
Customer Confidential