A. Cisco Virtual Office Express is a solution that provides secure, rich network services to workers at locations outside of the traditional corporate office, including teleworkers and small-office and mobile workers.
Compared to Cisco Virtual Office, Cisco Virtual Office Express has a simplified headend and management architecture, thus enabling a faster way to deploy the virtual-office solution. It facilitates rapid deployment, at both the headend and the spoke side, without compromising on the richness of features and security provided.
Q. What applications does Cisco Virtual Office Express support?
A. Cisco Virtual Office Express supports applications such as secure voice, video, and wireless.
Q. What components are required to deploy the Cisco Virtual Office Express?
A. For a home or small office, a Cisco integrated services router with Cisco IOS® Software is needed. Typical models are the Cisco 800 and 1800 Series Integrated Services Routers. At the remote location, a way to connect to the Internet through Ethernet (or DSL or third-generation cellular network (commonly known as 3G) access on supported series routers) is required. In addition, an IP phone is commonly included.
On the headend side, a Cisco router is required for VPN aggregation, Cisco IOS Software-based Secure Device Provisioning (for Cisco Virtual Office Zero-Touch Deployment) is required, and a certificate authority infrastructure must be provided. In addition, an authentication, authorization, and accounting (AAA) server is required for the initial provisioning and for device and user authentication.
Q. How does Cisco Virtual Office Express work?
A. For a home office, you simply plug the router into your Internet access device. The router automatically receives the appropriate configuration that is required based on the services that you need. Your IP phone automatically registers with the Cisco Unified Communications Manager on your organization's network if its MAC address was registered for you.
For the corporate headquarters, Cisco Virtual Office Express uses Cisco IOS Software at the remote site to manage a digital certificate infrastructure and for VPN concentration.
To provision a new home office, user and device profiles are created on the back-end Cisco Secure Access Control Server (ACS), the AAA server. After you receive the Cisco Virtual Office Express home router and connect it to the Internet, type the URL provided by your organization into a browser (for example, https://join-my-company-cvoexpress.company.com) to authenticate your one-time password (OTP) AAA credentials (or whatever authentication policy is defined by company policy). This process triggers router configuration. The router automatically receives the appropriate configuration that is required based on the services needed. The IP phone automatically registers with the Cisco Unified Communications Manager on the organization's network if its MAC address was registered.
Q. Who can benefit from Cisco Virtual Office Express?
A. Cisco Virtual Office Express is applicable to all industries (financial, healthcare, government, retail, education, biotechnology, and more). It is beneficial to organizations in terms of productivity, business resilience, and reduced costs, as well as to end users in terms of offering time flexibility and a rich, office-caliber experience without the need to travel to the corporate office.
Cisco Virtual Office Express is distinct in its ability to quickly set up the secured connections between home and office networks. This feature is very beneficial for small and midsize deployments where there is no need for a comprehensive set of management tools. It has a reduced number of management components, thus providing rich functions while keeping network operations costs low.
Q. Does Cisco Virtual Office Express offer the same features as Cisco Virtual Office in terms of security?
A. Yes. Cisco Virtual Office Express provides layered secure identity, meaning that the different layers of connections have secure authentication mechanisms-and a two-factor authentication form is highly recommended. Family or guests are allowed to connect to the Internet over the remote Cisco Virtual Office Express router; you can use the 802.1x standard to securely segment access over separate VLANs. In addition, a Layer 3 web authentication mechanism is available to keep guests from gaining access to corporate resources.
For encryption, Cisco Virtual Office Express uses IP Security (IPsec) with Triple Digital Encryption Standard (3DES) or Advanced Encryption Standard (AES).
Also, Cisco recommends using a public key infrastructure (PKI), which is usually installed at the beginning of the Cisco Virtual Office Express deployment, because PKI is a much better security solution than preshared keys and is also easy to manage with Cisco Virtual Office Express.
Q. What is the difference between using Cisco Virtual Office Express and using a software-based remote-access VPN?
A. There are significant differences between Cisco Virtual Office and a software-based VPN. Compared to a software-based VPN, Cisco Virtual Office Express provides faster access times because it implements hardware VPN. In addition, it provides Low Latency Queuing (LLQ) for quality of service (QoS) and Network-Based Application Recognition (NBAR), which are essential components to guarantee very good voice and video call support.
Q. What are the differences between Cisco Virtual Office Express and Cisco Virtual Office?
A. The primary difference is that Cisco Virtual Office Express implements a server-side push of VPN parameters to the remote site, thus simplifying the initial configuration of remote sites, because all can have the same configuration, except for the hostname and unique PKI certificate. In addition, Cisco Virtual Office features such as Active-Active High Availability through routing protocols and support for multicast traffic and Web2.0 applications such as peer-to-peer applications are not available in Cisco Virtual Office Express.
Q. How does Cisco Virtual Express simplify the management architecture?
A. Cisco Virtual Office Express uses Cisco Enhanced Easy VPN technology, which allows spokes to automatically request Internet Security Association and Key Management Protocol (ISAKMP) and IPsec polices from the server, as well as a routable IP address. In this mode, there is no need to manage the IP address space in the local LAN behind the remote-access router-the same local IP Dynamic Host Configuration Protocol (DHCP) server pool can be configured on all routers. Hence, the need for tools such as Cisco Security Manager to manage the different policies for the end devices is eliminated.
Q. What are the different ways to do a Cisco IOS Software or configuration update with Cisco Virtual Office Express?
A. For basic Cisco IOS Software configuration updates, Cisco Virtual Office Express uses the pushing of a configuration URL through an ISAKMP Mode-Configuration Exchange feature. Using this method, routers get updated configurations every time they connect to the server.
For advanced Cisco IOS Software configuration and software updates, Cisco Virtual Office Express uses the Cisco Configuration Engine product. The Cisco Configuration Engine automates configuration updates by generating device-specific configuration changes, sending them to the device, executing the configuration change, and logging the results.
Q. What are the unique advantages of Cisco Virtual Office Express compared to other teleworker solutions?
A. The unique advantages of Cisco Virtual Office Express follow:
• Lower initial investment due to reduced number of management components
• Simplified setup because all configurations can quickly be defined with the Cisco Virtual Office Express configuration tool
• Ability to rapidly deploy a very large number of remote users without any additional IT administrator intervention
Q. How do I install Cisco Virtual Office Express?
A. The installation of Cisco Virtual Office Express involves two sides: the corporate and the end user. The corporate side consists of a VPN headend, which can be deployed and configured by Cisco or one of our approved partners.
The end-user side is typically installed by the end user, following simple instructions. The end-user equipment consists of a router (Cisco 871, 881, 891, or 1811 Integrated Services Router, etc.), and it is deployed using an administrator zero-touch deployment method. In simple terms, the end user invokes the configuration procedure by establishing a HTTPS connection to the provision server, and upon valid authentication the Cisco Virtual Office Express end-user router is configured automatically.
Q. Does Cisco Virtual Office Express support private Internet use as well as corporate use?
A. Yes. Corporate and "family traffic" are separated by two different VLANs. Family or guest traffic is sent directly to the Internet. Corporate traffic is securely routed to a corporate data center. Depending on your company's information systems security policies, split tunneling is enabled for corporate users, so that Internet traffic is routed directly to the Internet.
Q. What do I need in order to use an IP phone? Does it have to be a Cisco phone?
A. Cisco IP phones are ready to use, but they need to be configured for your telephone number in the corporate Cisco Unified Communications Manager. Depending on how Cisco Virtual Office Express is deployed, the IP phone can be preconfigured from IT or added later on.
Power over Ethernet (PoE) is required in the Cisco 881 for the IP phone to draw power from the Ethernet connection. You can also use a power supply to power the IP phone.
You can connect Cisco IP phones to any LAN port in the Cisco Virtual Office Express router as they are auto detected and then assigned to the voice VLAN.
You can also use third-party phones, such as generic Session Initiation Protocol (SIP) phones. These phones are not automatically detected, and they need to be connected to a port designated for voice-only traffic. Cisco routers also support SIP Application Layer Gateway code, which allows third-party SIP phones to sit behind the router and register with their SIP proxy server.
Q. Does Cisco Virtual Office Express support wireless?
A. Cisco Virtual Office Express supports wireless services such as wireless LANs (WLANs), wireless IP telephony (IPT), and unified wireless services. The Cisco 880 Series Integrated Services Routers have Lightweight Access Point Protocol (LWAPP) support, and soon will have Control and Provisioning of Wireless Access Points (CAPWAP) support.
You can deploy Cisco Virtual Office Express for both corporate and family wireless, because the Cisco Virtual Office Express router supports multiple Service Set Identifiers (SSIDs). For the corporate wireless, policies are typically the same as in the corporate headquarters. For family wireless, Wireless Equivalent Privacy (WEP)-based SSIDs or Wi-Fi Protected Access (WPA) can typically be preconfigured. In the future, you will be able to have local login to a family wireless tool to change the personal wireless parameters.
The most common WPA-enterprise and WPA-personal methods are supported. Digital certificates, Extensible Authentication Protocol-Protected Extensible Authentication Protocol [EAP-PEAP] with Transport Layer Security [TLS]) is also supported.
Q. What is zero-touch deployment, and how does it apply to Cisco Virtual Office Express?
A. Traditionally, for client VPN routers, the IT staff preconfigures the VPN router first and then ships it to you for installation. This process is very "manpower-intensive". For Cisco Virtual Office Express, after the framework is in place at the central site, a ready-to-use router with a factory default configuration is securely provisioned automatically by the Cisco Virtual Office Express system. You just plug in the router to your Internet connection and follow the secure device provisioning steps sent by the IT administrator. Basically, you are asked to connect a PC to the router and type in the URL of the provisioning server. This URL uses Secure Sockets Layer (SSL) or HTTPS to make the connection secure. The provisioning server then asks you for the corporate credentials and username and password; if authentication is successful, the router is configured in a few minutes.
Q. I want to be able to browse the Internet for my personal use, as well as access the corporate network. How does Cisco Virtual Office Express separate the two activities?
A. Split tunneling and two separate VLANs separate the two kinds of traffic. The remote device learns the corporate routes from the headend by using Enhanced Easy VPN; only traffic going to the corporate network is routed to the tunnel interface. The remaining traffic goes through the default gateway, which points to the Internet service provider (ISP).
In some cases split tunneling is disabled, depending on your company's information systems security rules. In that case, when the corporate user is connected to the Cisco Virtual Office Express router, all traffic comes through the corporate data center, including Internet traffic.
Personal devices are placed on a separate guest VLAN, where all traffic is routed to the ISP's default gateway.
Q. Do I need to use a VPN client after I have Cisco Virtual Office Express set up?
A. No. The wired and wireless connections are already encrypted through a hardware-based VPN. A VPN client is not required.
Q. How does Cisco Virtual Office Express prevent teleworker family members from accessing the corporate network?
A. The noncorporate PC gets an IP address from a local pool that does not have access to the VPN. Only PCs that pass 802.1x authentication (or web-auth proxy authentication) can access the corporate network. Before your machine gets access to the corporate network, you have to enter credentials and get access. Corporate users and family members are placed in separate VLANs based on their authentication.
Q. What are my options for voice-over-IP (VoIP) support?
A. Cisco Virtual Office Express supports physical VoIP phones, wireless VoIP phones (Skinny Client Control Protocol [SCCP] and SIP), and the Cisco IP Communicator for secure VoIP.
Q. What kind of video support does Cisco Virtual Office Express provide?
A. The Cisco Unified Video Advantage solution facilitates personal video telephony using a Cisco camera connected to Cisco IP phones.
Also, both Cisco Virtual Office Express and the Cisco Unified Communications Manager support the Cisco Unified IP Phone 7985G, a "Tandberg"-like video IP phone.
Q. What is the minimum bandwidth required at the telecommuter site for IP phone functions?
A. A minimum bandwidth of 256 kbps is required at the telecommuter site for voice and data functions. For video, voice, and data, you need 700 kbps from your ISP.
Q. Does Cisco Virtual Office Express provide QoS? How?
A. Yes, Cisco Virtual Office Express does provide QoS.
Hierarchical QoS provides shaping and LLQ, allowing for simultaneous use of voice and data services without compromising on the quality of either of them, and allowing for prioritization of real-time and latency-sensitive traffic such as voice and video.
Also, NBAR performs deep packet analysis to determine what protocol is used (SIP, SCCP, H.323, Skype, etc.). With NBAR combined with QoS, the Cisco Virtual Office Express router makes sure that gaming and peer-to-peer applications are not wrongly prioritized, because these types of applications often mask differentiated-services-code-point (DSCP) bits to gain network benefits.
Q. How do bandwidth-heavy applications affect Cisco Virtual Office Express voice quality?
A. Because of QoS guarantees provided by Cisco Virtual Office Express, external bandwidth-heavy applications do not cause degradation of the quality of voice in the application. Because NBAR recognizes voice traffic, it can guarantee that type of traffic a minimum amount of bandwidth, policy routing, and preferential treatment.
Q. Can I have wireless access for family members?
A. Yes. Cisco Virtual Office Express allows family members to use the Internet wirelessly. Because the traffic is on separate VLANs, family members cannot access the corporate network.
Q. Can I connect third-party devices to the small office or home office (SOHO) router?
A. Yes. Cisco Virtual Office Express provides end-host support for PCs, Macs, laptops, UNIX, and Linux. You can also connect third-party phones to the teleworker router. When you use 802.1x or web-auth proxy, you need to bypass authentication for some devices, such as IP phones.
Q. I have my own router at home connected to the cable modem. Where does the Cisco Virtual Office Express router sit?
A. Your Cisco Virtual Office Express router should be connected directly to the modem that gives you access to the Internet. The family router should be connected to the Cisco Virtual Office Express router.
You can also connect the Cisco Virtual Office Express router to the intermediate router. We, however, do not recommend this design because Cisco Virtual Office Express cannot perform QoS in the family router, and family traffic can impair voice and video quality.
Q. Can I use a network printer with Cisco Virtual Office Express?
A. Yes. You can use a network printer with Cisco Virtual Office Express by connecting it to a nonsecure port on the router. However, you need to enable split tunneling, and your specific firewall rule needs to allow access to the local printer.
Q. How do I order Cisco Virtual Office Express?
A. To determine what you need for your remote sites, headend aggregation, and management location(s), consult your Cisco representative, who can determine your specifications with the help of an ordering guide.
Q. Which router platforms and which IP phone models are supported?
A. The supported router platforms include Cisco 870, 880, 890, 1800, 1900 Series Integrated Services Routers on the remote side, and Cisco 2800, 2900,
3800, and 3900 Series Integrated Services Routers on the headend side. For larger scalability and performance, we recommend the Cisco 7206VXR Router with the Cisco 7200 Series NPE G2 Network Processing Engine and the Cisco VPN Services Adapter or the Cisco ASR 1000 Series Aggregation Services Router.
With regard to IP phone models, Cisco Virtual Office Express supports any Cisco wired phone and the Cisco Unified IP Phone 7985G and Cisco IP Communicator, using SCCP or SIP.
Typically, the same desktop IP phone is used at home as in the office. For example, the Cisco Unified IP Phone 7961G is a common office desktop IP phone as well as a Cisco Virtual Office Express IP Phone.