Professional Documents
Culture Documents
Tobias Neumann
Technical Solutions Architect
Cisco Collaboration Central EMEAR
tneumann@cisco.com
Agenda
Terminology Introduction
Expressway Mobile & Remote Access Solution Overview
Product Line Options, Licensing, Scalability
Design and Deployment Considerations
Expressway Configuration
UCM Requirements
Security
Expressway Server Certificates
Closing Remarks
Q & A
BRKUCC-2801
Cisco Public
Terminology Introduction
3
Mobile
Workers
Teleworkers
TDM or
IP PBX
B2B
PSTN or
IP PSTN
Consumers
Branch
Office
3rd
Parties
Cloud
Services
BRKUCC-2801
Analog
Devices
Cisco Public
Cisco Expressway
A new gateway solving & simplifying business relevant use cases
Mobile
Workers
Teleworkers
TDM or
IP PBX
B2B
PSTN or
IP PSTN
Consumers
Branch
Office
3rd
Parties
Cloud
Services
Analog
Devices
Cisco Public
VCS
VCS Control
No Change
New
Offering
VCS Expressway
No Change
Expressway
Expressway C
Or Core
Expressway E
Or Edge
Cisco Public
Cisco VCS
Existing product line option providing advanced video and TelePresence applications
Includes VCS Control and VCS Expressway
Cisco Expressway
New product line option for UCM customers, providing firewall traversal & video interworking
Includes Expressway Core and Expressway Edge
Cisco Public
DMZ
Outside firewall
Expressway
Collaboration
Services
Internet
Jabber @
Home
Jabber @
work
Jabber @
SFO, LHR
or PVG
Fixed Remote Endpoints
(TC Series)
BRKUCC-2801
Standards-based
Interoperability, Widely Adopted
Protocols
Application Driven Security:
Allow the application to establish
security associations it needs
Cisco Public
AnyConnect
VPN
Unified CM
Expressway
Firewall
Traversal
BRKUCC-2801
Access visual
voicemail
Inside firewall
(Intranet)
DMZ
Collaboration
Services
Unified
CM
Outside firewall
(Public Internet)
Instant Message
and Presence
Internet
Expressway
C
Expressway
E
BRKUCC-2801
Cisco Public
DMZ
Outside Network
Internet
UCM
Expressway
C
Firewall
Expressway
E
Firewall
Signaling
Media
1.
Expressway E is the traversal server installed in DMZ. Expressway C is the traversal client installed inside the
enterprise network.
2.
Expressway C initiates traversal connections outbound through the firewall to specific ports on Expressway E with
secure login credentials.
3.
Once the connection has been established, Expressway C sends keep-alive packets to Expressway E to maintain the
connection
4.
When Expressway E receives an incoming call, it issues an incoming call request to Expressway C.
5.
Expressway C then routes the call to UCM to reach the called user or endpoint
6.
The call is established and media traverses the firewall securely over an existing traversal connection
BRKUCC-2801
Cisco Public
Firewall
BRKUCC-2801
Cisco Public
Expressway
E
Projected Availability
X8.1
Available
X8.1.1 (MR)
Q1CY14
UCM
9.1(2) SU1
Available
UCM IM&P
9.1
Available
Unity Connection
8.6(1)
Available
9.7
Q1CY14
9.6.1
Q1CY14
TBD
TBD
9.6
Q1CY14
TC7.0.1
Available
BRKUCC-2801
Cisco Public
VCS
VCS Control
No Change
New
Offering
VCS Expressway
No Change
Expressway
Expressway C
Or Core
Expressway E
Or Edge
Cisco Public
Cisco VCS
Family
Video Interworking (IPv4 to IPv6, H.323-SIP, MS H.264 SVCAVC, Standards-based 3rd Party Video endpoints)
Feature Comparison
BRKUCC-2801
Cisco Public
Unified CM
9.1.2 or
higher
Expressway
C
Expressway
E
Internet
BRKUCC-2801
Cisco Public
BRKUCC-2801
Cisco Public
19
Session-Expires: 1800
Allow-Events: dialog Recv-Info: x-cisco-conference
Content-Type: application/sdp
Content-Length: 237
v=0
o=tandberg 7 3 IN IP4 182.16.1.115
s=c=IN IP4 182.16.1.115
b=AS:64
t=0 0
Cisco Public
20
Appliance Support
Existing VCS Appliance
OVA Size
vCPU
Reserved
RAM
Disk
Space
vNIC(s)
Small
2 x 1.8
GHz
4GB
132GB
1Gb
Medium
2 x 2.4
GHz
6GB
132GB
1Gb
Large
8 x 3.3
GHz
8GB
132GB
10Gb
CE 500
BRKUCC-2801
CE 1000
New
Offering
Cisco Public
Cluster
Proxied
Registrations
Video Calls
Audio Only
Calls
Proxied
Registrations
Video Calls
Audio Only
Calls
Large OVA
5,000
500
1,000
20,000
2,000
4,000
Medium OVA
2,500
100
200
10,000
400
800
Small OVA
(BE6K)
2,500
100
200
2,500
100
200
VCS
Appliance
2,500
100
200
10,000
400
800
Platform
Note: Expressway C&E or VCS-C can be clustered across multiple BE6000s for
redundancy purposes, but with no additional scale benefit
BRKUCC-2801
Cisco Public
Cisco Public
23
PID
Expressway C
Expressway E
(EXPWY-VE-C-K9)
(EXPWY-VE-E-K9)
X8 Release Key
LIC-SW-EXP-K9
Included
Included
Expressway Series
LIC-EXP-SERIES
Included
Included
LIC-EXP-GW
Included
Included
LIC-EXP-E
N/A
Included
LIC-EXP-AN
N/A
Included
TURNBRKUCC-2801
Relay Option
LIC-EXP-TURN
N/A
Cisco Public
Included
Optional
Optional
Optional
N/A
LIC-EXP-MSFT
24
DMZ
Outside firewall
(Public Internet)
Collaboration
Services
Public DNS
UCM
Expressway Expressway
C
E
Not Found
expwyNYC.example.com
TLS Handshake, trusted certificate verification
BRKUCC-2801
HTTPS: get_edge_config?
service_name=_ciscouds&service_name=_cuplogin
Cisco Public
BRKUCC-2801
Cisco Public
Not a general purpose reverse proxy, intended for Cisco clients only!
BRKUCC-2801
Cisco Public
UCM 10.0
BRKUCC-2801
Cisco Public
Inside firewall
(Intranet)
DMZ
Collaboration
Services
Unified
CM
Outside firewall
(Public Internet)
Protocol
Security
Service
SIP
TLS
Session Establishment
Register, Invite, etc. via UCM
Media
SRTP
HTTPS
TLS
Logon, Provisioning/
Configuration, Contact Search,
Visual Voicemail
XMPP
TLS
Internet
Expressway
C
Expressway
E
Unified CM IM&P
Conference Resources
Other UC Infrastructure &
Resources
BRKUCC-2801
Cisco Public
Inside firewall
(Intranet)
DMZ
Collaboration
Services
Unified
CM
Outside firewall
(Public Internet)
Protocol
Security
Service
SIP
TLS
Session Establishment
Register, Invite, etc. via UCM
Media
SRTP
HTTPS
TLS
Logon, Provisioning/
Configuration, Contact Search,
Visual Voicemail
XMPP
TLS
Internet
Expressway
C
Expressway
E
webex
Messenger
Conference Resources
Other UC Infrastructure &
Resources
BRKUCC-2801
Cisco Public
Inside firewall
(Intranet)
DMZ
Collaboration
Services
Unified
CM
Outside firewall
(Public Internet)
Internet
Expressway
C
exported to WebEx
Messenger cloud
Expressway
E
webex
Messenger
LDAP
BRKUCC-2801
Cisco Public
Inside firewall
(Intranet)
DMZ
Collaboration
Services
Unified
CM
Outside firewall
(Public Internet)
Internet
Expressway
C
UDS
Expressway
E
EDI/BDI
LDAP
BRKUCC-2801
Cisco Public
B
Inside firewall
(Intranet)
DMZ
Collaboration
Services
C calls B off-premise
Internet
UCM Expressway
C
Expressway C de-multiplexes
media and forwards toward A
Media Relay
Outside firewall
Expressway
E
B calls D off-premise
SIGNALING
MEDIA
Cisco Public
Cisco Public
2+
2+
Comments
2+
2+
2+
Cisco Public
Regional Expressway
deployments providing remote
access to multiple UCM Clusters
expwy.us.example.com
US
Geo DNS
Europe
Asia
expwy.jp.example.com
expwy.uk.example.com
SIP Trunk
SIP Line
Expressway
Traversal
Expressway
edge access
Asia SME
SME global
aggregation
EU SME
US SME
UCM regional
clusters
RTP
SJC
DFW
BRKUCC-2801
PAR
LON
TKY
AMS
2014 Cisco and/or its affiliates. All rights reserved.
BGL
HKG
Cisco Public
Unsupported Features
Mobile & Remote Access
CTI phone control
CAPF client certificate provisioning
Jabber file transfer (supported only in hybrid IM&P deployment)
Jabber Mobile features include DVO-R, GSM handoff, session persistency
TC Endpoint OBTP
TC Endpoint management (SNMP, SSH/HTTP access)
Media Path Optimization (ICE)
BRKUCC-2801
Cisco Public
38
DMZ
Outside firewall
(Public Internet)
Collaboration
Services
Unified
CM
Expressway Expressway E
C
Cluster A
Internet
Expressway E
Cluster B
BRKUCC-2801
access requires a
Expressway C cluster for
each Expressway E cluster
Cisco Public
DMZ
B
DMZ
A
Collaboration
Services
Unified
CM
Outside firewall
(Public Internet)
Internet
Expressway Expressway Expressway
C
E
E
Traversal
Client
Traversal
Server &
Traversal
Client
Traversal
Server
BRKUCC-2801
Cisco Public
Cisco Public
Collaboration
Services
VCS-C
UCM
VCS-E
Expressway
E
Cisco Public
Cisco Public
43
Expressway Configuration
Cisco Public
BRKUCC-2801
Cisco Public
BRKUCC-2801
Cisco Public
Cisco Public
48
BRKUCC-2801
Cisco Public
49
BRKUCC-2801
Cisco Public
50
Cisco Public
BRKUCC-2801
Cisco Public
52
UCM Requirements
BRKUCC-2801
Cisco Public
Inside firewall
(Intranet)
DMZ
Collaboration
Services
Outside firewall
(Public Internet)
Internet
Unified
CM
VCS
Control
VCS
Expressway
H.323 Video
Endpoints
BRKUCC-2801
Cisco Public
UCM clusters support 80K end users, and can scale as high as 160K with BU
megacluster approval
BRKUCC-2801
Cisco Public
BRKUCC-2801
Cisco Public
BRKUCC-2801
SFTP
Server
Cisco Public
BRKUCC-2801
Cisco Public
Security
Cisco Public
BRKUCC-2801
Cisco Public
Upon upgrading to X8.1 the traversal media ports are automatically migrated to
the first 2 ports in the current media port range (details on previous slide)
Customers will need to coordinate X8.1 upgrade with firewall port change
New X8.1 installs on the Large OVA will use UDP 36000 36011, the
expanded port range is required to support scalability improvements
BRKUCC-2801
Cisco Public
SIP
SIP Digest authentication used to authenticate the users registering on tcp
5061
Mutual TLS can be enforced on Expressway E by enabling default zone access
rules
BRKUCC-2801
Cisco Public
Cisco Public
Public CA signed certificates allow Jabber clients and endpoints to validate the
server certificate without a CTL
Jabber clients with a CTL will not use the CTL to validate Expressway
certificate - no requirement to include Expressway certs in CTL
No support for wildcard certificates
Dont upload stacked certificates, separate signed server cert from CA chain
BRKUCC-2801
Cisco Public
Build Expressway E Traversal Server zone with the TLS verify subject name
set to Cluster FQDN
BRKUCC-2801
Cisco Public
BRKUCC-2801
Cisco Public
This domain is used for SRV lookups and extracted from here
This is a security measure that allows clients to verify
connections to edge servers authoritative for their domain
(RFC 6125)
Similar usage exists with UCM IM&P XMPP certificates
BRKUCC-2801
Cisco Public
Cisco Public
There will be 1 chat node alias per deployed UCM IM&P server
Expressway XMPP federation is still a roadmap feature, but this inclusion will
potentially save customers from having to get new certificates signed in the
future when deploying XMPP federation
BRKUCC-2801
Cisco Public
BRKUCC-2801
Cisco Public
Expressway C
Expressway E
Comments
Required to establish Traversal Zone
connections
Closing Thoughts
BRKUCC-2801
Cisco Public
Key Takeaways
Cisco Expressway: a new product offering specifically for UCM 9.1+ customers
available today!
Expressway is easy to deploy with no added costs for mobile & remote users
Provide simple and secure Jabber VPN-less access with Expressway Mobile &
Remote Access
Cisco VCS includes the superset of X8 software features
Cisco Expressway includes a subset of X8 software features
AnyConnect and Expressway are complementary remote access solutions that
can co-exist
BRKUCC-2801
Cisco Public
77
Q&A