Preferred Architecture for Cisco Collaboration 12.x On-Premises Deployments
First Published: June 14, 2016
Cisco Preferred Architectures provide tested and recommended deployment models for specific market segments based on common use cases. They incorporate a subset of products from the Cisco Collaboration portfolio that is best suited for the targeted market segment and defined use cases. These deployment models are prescriptive, out-of-the-box, and built to scale with an organization as its business needs change. This prescriptive approach simplifies the integration of multiple system-level components and enables an organization to select the deployment model that best addresses its business needs.
This document provides a high-level overview of the Preferred Architecture (PA) for on-premises deployments of Cisco Collaboration System Release (CSR) 12.x. It is intended for use in pre-sales discussions and decision making by:
This guide simplifies the design and sales process by:
This guide describes the Cisco Collaboration on-premises Preferred Architecture for two main market segments:
Readers of this guide should have a general knowledge of Cisco Voice, Video, and Collaboration products and a basic understanding of how to deploy these products. For detailed information about configuring, deploying, and implementing this architecture, consult the Cisco Validated Design (CVD) guides listed in the next section on Documentation for Cisco Collaboration On-Premises Preferred Architecture.
Figure 1 illustrates the various documents available for this Preferred Architecture (PA):
Preferred Architecture for Cisco Collaboration 12.x On-Premises Deployments (this document)
– Enterprise deployments (more than 1,000 users)
Preferred Architecture for Cisco Collaboration 12.x Enterprise On-Premises Deployments
– Midmarket deployments (up to 1,000 users)
Unified Communications Using Cisco Business Edition 6000
Video Conferencing and Recording Using Cisco Business Edition 6000
Collaboration Edge Using Cisco Business Edition 6000
The latest versions of these documents are available at: https://www.cisco.com/go/pa.
Figure 1 Preferred Architecture Documentation
In addition to the above documents for this Preferred Architecture, Cisco Solution Reference Network Design (SRND) guides provide detailed guidelines and recommendations to help customers and sales teams design collaboration solutions for deployments that have requirements outside the scope of the Preferred Architecture. The SRND guides are available at: https://www.cisco.com/go/srnd.
In recent years, many new collaborative tools have been introduced to the market, enabling organizations to extend collaboration outside the walls of their businesses. Providing access to collaborative tools for employees outside the office is no longer a luxury; it is mandatory for businesses to stay relevant in today's market. Today's users expect immediate access to these tools from a wide variety of portable and mobile devices. Many of these same tools can be extended to customers and partners, helping strengthen these relationships.
Organizations realize the added value that collaboration applications bring to their businesses through increased employee productivity and enhanced customer relationships. Not long ago, interoperability among collaboration applications was sparse, and applications were difficult to deploy and use. Since then, significant advances have been made in the collaboration space, simplifying deployment, improving interoperability, and enhancing the overall user experience. Additionally, individuals have adopted a wide variety of smart phones, social media, and collaboration applications in their personal lives.
Organizations can now feel comfortable providing collaboration applications that employees will quickly adopt and that provide maximum value. These new collaboration tools enhance an organization's overall business processes, make its employees more productive, and open the door to new and innovative ways for communicating with business partners and customers. Today's collaboration solutions offer organizations the ability to integrate video, audio, and web participants into a single, unified meeting experience.
Organizations want to streamline their business processes, optimize employee productivity, and enhance relationships with partners and customers. The Cisco Collaboration on-premises Preferred Architecture (PA) delivers capabilities that enable organizations to realize immediate gains in productivity and enhanced relationships. Additionally, the following technology use cases offer organizations opportunities to develop new, advanced business processes that deliver even more value in these areas:
Information about Cisco Collaboration Technologies and use cases is available on Cisco.com.
The Cisco Collaboration on-premises Preferred Architecture provides end-to-end collaboration targeted for a wide range of customers. This architecture incorporates high availability for critical applications. The consistent user experience provided by the overall architecture facilitates quick user adoption. Additionally, this architecture supports an advanced set of collaboration services that extend to mobile workers, partners, and customers through the following key services:
Because of the adaptable nature of Cisco endpoints and their support for IP networks, this architecture enables an organization to use its current data network to support both voice and video calls. The Preferred Architecture provides a holistic approach to bandwidth management, incorporating an end-to-end Quality of Service (QoS) architecture, call admission control, and video rate adaptation and resiliency mechanisms to ensure the best possible user experience for deploying pervasive video over managed and unmanaged networks.
The Cisco Collaboration on-premises PA, shown in Figure 2 and Figure 3, provides highly available and secure centralized services for enterprise and midmarket deployments. These services extend easily to remote offices and mobile workers, providing availability of critical services even if communication to headquarters is lost. Centralized services also simplify management and administration of an organization's collaboration deployment.
Figure 2 Cisco Collaboration On-Premises Preferred Architecture for Enterprise
Figure 3 Cisco Collaboration On-Premises Preferred Architecture for Midmarket
Table 1 lists the products in this architecture. For simplicity, products are grouped into modules to help categorize and define their roles. The content in this guide is organized in the same modules.
Cisco IP Phones, Cisco TelePresence video endpoints, and Cisco Jabber
Enable real-time voice, video, and instant messaging communications for users
Provides endpoint registration, call processing, and media resource management
Cisco Unified Communications Manager IM and Presence Service
Provides Survivable Remote Site Telephony (SRST) functionality
Provides audio and video conferencing capabilities as well as conference resource management
Provides scheduling, web conferencing integration, and other advanced video features
Enables interoperability with third-party systems and firewall traversal
Supports remote endpoint registration to Cisco Unified CM and enables business-to-business communications
Provides either public switched telephone network (PSTN) or Cisco Unified Border Element (CUBE) connectivity
Assists in the management of Cisco Unified Communications applications by enabling administrators to perform tasks such as migration of older software versions of clusters to new virtual machines, fresh installs, and upgrades on existing clusters
Enables rapid configuration of collaboration systems by providing a centralized template-based console for device provisioning and simplified moves, adds, and changes
Internet-based web portal providing administrators with a single management point for the Cisco Unified CM and Cisco Unity Connection licenses within a deployment
Provides administrative functions (provisioning) for Cisco Unified Communications applications
Cisco Business Edition 7000 (BE7000) serves organizations with 1,000 or more users, and it is the foundation of the Cisco Collaboration on-premises PA for enterprise deployments. The Cisco BE7000 is built on a Cisco Unified Computing System (UCS) that ships ready-for-use with a pre-installed virtualization hypervisor and application installation files. The Cisco BE7000 solution offers premium voice, video, messaging, instant messaging and presence, and contact center features on a single, integrated platform. For more information about the Cisco BE7000, see the data sheet.
Cisco Business Edition (BE) 6000M and 6000H are packaged systems designed specifically for organizations with up to 1,000 users, and they are the foundation of the Cisco Collaboration on-premises PA for midmarket deployments. The Cisco BE6000M and BE6000H are built on a virtualized Cisco Unified Computing System (UCS) that is prepared and ready for use, with a pre-installed virtualization hypervisor and application installation files. The Cisco BE6000M or BE6000H solution offers premium voice, video, messaging, instant messaging and presence, and contact center features on a single, integrated platform. For these reasons the BE6000M and BE6000H are ideal platforms for the Cisco Collaboration on-premises PA for midmarket deployments. For more information about the Cisco BE6000M and BE6000H, consult the data sheet.
In this Cisco Collaboration on-premises PA, the following applications are deployed on multiple Cisco Unified Computing System (UCS) servers to provide hardware and software redundancy:
We recommend always deploying redundant components and configurations to provide the highest availability for critical business applications. We also recommend deploying Cisco Meeting Server on a dedicated server.
The Cisco Collaboration on-premises PA provides high availability for all deployed applications by means of the underlying clustering mechanism present in all Cisco Unified Communications applications.
Clustering replicates the administration and configuration of deployed applications to backup instances of those applications. If an instance of an application fails, Cisco Unified Communications services – such as endpoint registration, call processing, messaging, business-to-business communication, and many others – continue to operate on the remaining instance(s) of the application. This failover process is transparent to the users. In addition to clustering, the Cisco Collaboration on-premises PA provides high availability through the use of redundant power supplies, network connectivity, and disk arrays.
Details about the individual licenses for the endpoints and infrastructure components in the Cisco Collaboration on-premises PA are beyond the scope of this document. Information about Cisco Collaboration licensing is available at
The Cisco Integrated Services Router (ISR) and Aggregation Services Router (ASR) provide Wide Area Network (WAN) and Cisco Unified Communications services in a single platform. In the Cisco Collaboration on-premises Preferred Architecture, the Cisco ISR and ASR can provide the following functions (Figure 4):
Figure 4 Cisco ISR and ASR Functions
The Cisco ISR and ASR have additional slots that support add-on modules such as wireless controllers. Deployments can use various Cisco ISR and ASR models to support different features, to scale, and to accommodate additional services. Their modular design enables the Cisco ISR and ASR to be deployed at headquarters, remote locations, or branch locations. For more information about these routers, see the Cisco ISR and Cisco ASR data sheets.
Cisco Collaboration endpoints provide a wide range of features, functionality, and user experiences. Because Cisco endpoints range from low-cost, single-line phones and soft clients to three-screen Cisco TelePresence endpoints, an organization can deploy the right variety of endpoints to meet users' needs (Figure 5). Additionally, these devices enable users to access multiple communication services such as:
Figure 5 Architecture for Endpoints
Cisco Unified Communications Manager (Unified CM) is the call control server for the Cisco Collaboration on-premises Preferred Architecture. Cisco IP Phones, Jabber clients, and TelePresence video endpoints use SIP to register directly to Cisco Unified CM. The Unified CM cluster's failover mechanism provides endpoint registration redundancy. If a WAN failure occurs and endpoints at remote locations cannot register to Unified CM, they use SRST functionality for local and PSTN calls, but some services such as voicemail and presence might not be available.
We recommend the endpoints listed in the following tables because they provide optimal features for this design. Cisco has a range of endpoints with various features and functionality that an organization can also use to address its business needs.
Public space, general office use, single-line and multi-line phones
Cisco Webex DX801
Soft client with integrated voice, video, voicemail, instant messaging, and presence functionality for mobile devices and personal computers
Call control is the core element for any communications deployment. It provides endpoint registration, call processing, and call admission control. Call control design considerations include the dial plan, endpoint addressing scheme, calling party presentation, call admission control, codec selection, PSTN connectivity, and general trunking requirements, as well as other factors.
Cisco Unified Communications Manager (Unified CM) provides a common call control platform for all Cisco Collaboration deployments (Figure 6). Having a highly available and common call control component for a communications infrastructure is crucial to provide consistent services for all devices and communication types and to preserve a uniform dial plan and a consistent feature set across the deployment.
Adding the IM and Presence Service to a Cisco Unified CM deployment provides instant messaging, network-based presence, and federation for third-party chat servers, and it enables the use of Cisco Jabber for instant messaging, presence, and audio and video communications.
Figure 6 Architecture for Call Control
Table 6 lists the roles of the call control components in this architecture and the services they provide.
Provides call routing and services, dial plan, and bandwidth management; and enables Cisco Jabber desk phone control
Cisco Unified Communications Manager IM and Presence Service
Provides Cisco Jabber support for instant messaging and user-based presence and third-party federation
Provides Survivable Remote Site Telephony (SRST) to support call control functions during a WAN outage
For call control in the Cisco Collaboration on-premises Preferred Architecture, we recommend the following:
Cisco Unified CM and IM and Presence support clustering, which is the grouping of nodes that work together as a single logical entity. The publisher node contains the cluster's configuration database, which is replicated to the call processing subscriber nodes and TFTP nodes in the cluster.
Clustering provides an automatic redundancy mechanism for endpoints and for Cisco Unified CM services, such as the ability to receive and process incoming calls. To provide 1:1 redundancy, deploy call processing subscribers and TFTP nodes in pairs (Figure 7). While the call processing subscribers provide endpoint registration and call processing capabilities, the TFTP nodes provide configuration and firmware updates to endpoints.
All the TFTP nodes and subscriber nodes periodically receive updates of the configuration database from the publisher node. These database updates enable all the subscriber nodes to operate in a consistent configuration state.
To provide load balancing of call processing services across the subscribers and to reduce failover response times, deploy each call processing subscriber pair in an active/active redundancy scheme.
For IM and Presence, we recommend deploying a minimum of one IM and Presence publisher and one subscriber. The IM and Presence publisher is not a dedicated node, and the publisher and subscriber provide redundancy for each other (Figure 7).
For enterprise deployments, add more pairs of IM and Presence subscribers or Unified CM call processing nodes as needed to accommodate more users.
Note Clustering for scalability does not apply to midmarket deployments, which are based on Cisco Business Edition 6000 (BE6000). Adding more nodes to a BE6000 cluster will not increase the capacity of the cluster.
Figure 7 Cisco Unified CM Cluster
Use SIP trunks from Cisco Unified CM to communicate with all the components in the Cisco Collaboration on-premises Preferred Architecture, including external entities such as third-party systems. SIP trunks offer the following benefits:
The Cisco Survivable Remote Site Telephony (SRST) feature is critical for remote sites that require continuation of voice services during WAN outages. SRST runs on the same Cisco ISR that provides WAN and PSTN connectivity for the remote site. Deploy SRST on the Cisco ISR in the following cases:
To avoid interruption of external voice services if a WAN outage occurs, provide local PSTN connectivity at the remote site. SRST is required only if the remote site's WAN reliability does not match that site's required service level for voice service availability.
If a WAN failure occurs at a site with SRST and local PSTN access, the following services will still be available:
Note SRST is not available for Cisco DX, MX, SX, or Webex Room Series endpoints. See Table 5 for information about endpoints that support SRST.
A structured, well-designed dial plan is essential to successful deployment of any call control system. When designing a dial plan, consider the following main factors:
Dialing habits describe what end users can dial to reach various types of destinations. Dialing habits can first be classified as numeric dialing (for example, 914085550123) or alphanumeric dialing (for example, email@example.com). Typically, different types of destinations require support for different dialing habits. Further dialing habits might have to be defined for services such as call pick-up, voicemail, and others. Also, future growth should be considered so that more users and more sites can be added as needed without redesigning the dial plan. Some dialing habits, PSTN dialing habits in particular, need to follow country-specific requirements or established dialing procedures. Identifying dialing habits is most important when defining an enterprise dial plan, in order to avoid overlaps between any two dialing habits.
Each endpoint registered with the enterprise call control must have a unique numeric address. Endpoint addresses in Cisco Unified CM are equivalent to the directory numbers provisioned on the lines of the endpoints. Use fully qualified PSTN numbers (E.164 numbers) with a leading "+" as endpoint addresses. This format is typically referred to as +E.164 format. The benefits of using +E.164 endpoint addresses include:
The routing portion of the dial plan enables users to reach the correct destinations when they use the defined dialing habits.
The primary numeric routing is based on +E.164 numbers. External routes to other transport networks such as the PSTN also use the +E.164 scheme. Endpoint addresses in +E.164 provide +E.164 on-net dialing without any further configuration. All other numeric dialing habits, such as abbreviated inter-site and intra-site dialing, are implemented as overlays by adding the appropriate translation patterns to the dial plan to map from the implemented dialing habit to the +E.164 global routing address format. This allows users to reach the same endpoint by means of different dialing habits, depending on user preference.
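As an added example (not from the Cisco document), the following Python models the overlay approach described above: each dialing habit is written as a translation pattern in a Unified CM-like notation (X for any digit, [2-9] for a digit range, a trailing ! for one or more digits, and a dot marking the pre-dot digits that are discarded), is mapped onto +E.164 by discarding the pre-dot digits and prepending a prefix, and the whole plan is checked for overlaps between any two dialing habits, which the dialing-habits discussion above warns against. The site range +1 408 555 1XXX, the inter-site code 401, and the PSTN access code 9 are constructed assumptions.

```python
"""Model of a +E.164 overlay dial plan (added example; site values are constructed)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

DIGITS = frozenset("0123456789")


@dataclass(frozen=True)
class TranslationPattern:
    pattern: str   # Unified CM-like notation: X, [2-9], trailing !, '.' pre-dot marker
    prefix: str    # prepended after the pre-dot digits are discarded
    habit: str     # the dialing habit this overlay implements


def parse_pattern(pattern: str) -> Tuple[List[FrozenSet[str]], bool, int]:
    """Return (allowed characters per fixed position, has variable tail, pre-dot positions)."""
    positions: List[FrozenSet[str]] = []
    tail, predot, i = False, 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == ".":
            predot = len(positions)          # everything parsed so far is pre-dot
        elif ch == "X":
            positions.append(DIGITS)
        elif ch == "[":                      # simple range such as [2-9]
            j = pattern.index("]", i)
            lo, hi = int(pattern[i + 1]), int(pattern[j - 1])
            positions.append(frozenset(str(d) for d in range(lo, hi + 1)))
            i = j
        elif ch == "!":
            if i != len(pattern) - 1:
                raise ValueError("'!' is supported only as the last element")
            tail = True
        elif ch in DIGITS or ch in "+*#":
            positions.append(frozenset(ch))
        else:
            raise ValueError(f"unsupported character {ch!r} in {pattern!r}")
        i += 1
    return positions, tail, predot


def matches(pattern: str, dialed: str) -> bool:
    """True if the dialed string is a full match of the pattern."""
    positions, tail, _ = parse_pattern(pattern)
    n = len(positions)
    if (not tail and len(dialed) != n) or (tail and len(dialed) <= n):
        return False
    return all(d in allowed for d, allowed in zip(dialed, positions)) and all(
        c in DIGITS for c in dialed[n:])


def normalize(dialed: str, plan: List[TranslationPattern]) -> Optional[str]:
    """Map a dialed string to the +E.164 global routing address, or None if unroutable."""
    for tp in plan:
        if matches(tp.pattern, dialed):
            _, _, predot = parse_pattern(tp.pattern)
            return tp.prefix + dialed[predot:]   # discard pre-dot, then prefix
    return None


def patterns_overlap(a: str, b: str) -> bool:
    """True if some dialed string fully matches both patterns (an ambiguous dial plan)."""
    pa, ta, _ = parse_pattern(a)
    pb, tb, _ = parse_pattern(b)
    if any(not (sa & sb) for sa, sb in zip(pa, pb)):
        return False                         # a fixed position can never agree
    if len(pa) == len(pb):
        return ta == tb                      # same length: both fixed or both open-ended
    shorter_tail, longer = (ta, pb) if len(pa) < len(pb) else (tb, pa)
    # The shorter pattern reaches the longer one's length only through its digit tail.
    return shorter_tail and all(s & DIGITS for s in longer[min(len(pa), len(pb)):])


def find_overlaps(plan: List[TranslationPattern]) -> List[Tuple[str, str]]:
    """List every pair of overlay patterns whose dialing habits overlap."""
    return [(a.pattern, b.pattern) for i, a in enumerate(plan)
            for b in plan[i + 1:] if patterns_overlap(a.pattern, b.pattern)]


# Constructed plan for one site: endpoints +1 408 555 1XXX, inter-site code 401.
SITE_PLAN = [
    TranslationPattern("+!", "", "+E.164 dialing, passed through unchanged"),
    TranslationPattern("1XXX", "+1408555", "4-digit intra-site abbreviated dialing"),
    TranslationPattern("8401.1XXX", "+1408555", "inter-site dialing: 8 + site code + extension"),
    TranslationPattern("9.1[2-9]XX[2-9]XXXXXX", "+", "PSTN national dialing with access code 9"),
    TranslationPattern("9011.!", "+", "PSTN international dialing with access code 9"),
]

if __name__ == "__main__":
    for dialed in ("1234", "84011234", "914155550123", "9011442079460000", "+14085551234"):
        print(f"{dialed:>18} -> {normalize(dialed, SITE_PLAN)}")
    # A generic inter-site pattern added later would swallow the specific one.
    print(find_overlaps(SITE_PLAN + [TranslationPattern("8.!", "+1408555", "generic inter-site")]))
```

Every abbreviated habit resolves to the same +E.164 address as direct +E.164 dialing, which is what lets one endpoint be reached through several dialing habits without duplicating its address.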
Alpha-numeric URIs, as aliases for numeric addresses, provide an alternative means of reaching endpoints. The benefits of URI dialing and routing include:
To enable users to search contacts and dial from the directory, integrate Cisco Unified CM with the organization's LDAP directory. Although Unified CM allows the creation of local user contacts, LDAP directory integration is required when using Cisco Jabber because it provides a single location for directory management and enables users to authenticate to Cisco Unified CM and Cisco Jabber by using their LDAP directory credentials.
Cisco Unified CM pulls user and contact information from LDAP directories and synchronizes user parameters – name, surname, username, telephone number, and SIP URI – when changes occur. The IM and Presence Service pulls user and contact information from Cisco Unified CM.
Classes of service define which users can access which services, such as allowing only emergency and local calls from lobby phones while allowing unrestricted calls from executive phones. The complexity of the dial plan is directly related to the number of differentiated classes of service it supports.
To define classes of service, configure partitions and calling search spaces in Cisco Unified CM. The number of classes of services supported by a dial plan depends on the granularity and complexity of the classes. For more information about classes of service and details on enterprise dial plan design, see the Cisco Collaboration SRND.
Consider deploying more than one Cisco Unified CM cluster if you have any of the following requirements:
In a multi-cluster deployment, interconnect all the individual Unified CM clusters through SIP trunks. To avoid session traversal through individual clusters, deploy a full mesh of SIP trunks. With four or more clusters, deploy Cisco Unified CM Session Management Edition to centralize the dial plan and trunking and to avoid the complexity of a full-mesh SIP trunk topology.
In multi-cluster deployments, use Global Dial Plan Replication (GDPR) to replicate dial plan information between clusters. GDPR can advertise a +E.164 number, one enterprise significant number (ESN), and up to five alpha-numeric URIs per directory number. An ESN is the abbreviated inter-site dialing equivalent of a directory number. The information advertised and learned through GDPR enables deterministic intercluster routing for these dialing habits:
This deployment provides the following benefits:
The ability for three or more people to communicate in real time by using voice and video technologies is a core component of collaboration. Cisco rich media conferencing builds upon existing infrastructure in place for point-to-point calls, offering users a consistent voice and video experience (Figure 8).
Figure 8 Architecture for Conferencing
Table 7 lists the roles of the conferencing components in this architecture and the services they provide.
Provides voice and video conferencing with content sharing
Provides conference scheduling and device management capabilities
There are three types of conferences:
For audio and video conferencing in the Cisco Collaboration on-premises Preferred Architecture, we recommend the following:
For instant audio and video conferences, use Cisco Meeting Server on-premises as the media resource. The instant conference bridges configured in Cisco Unified CM reference both an HTTPS interface and a SIP trunk to Cisco Meeting Server: HTTPS is used for conference control, while the SIP trunk is used for call signaling. These conference bridges are assigned to media resource group lists (MRGLs) and media resource groups (MRGs) in Unified CM. Unified CM uses MRGLs and MRGs to prioritize and allocate media resources such as conference bridges, music on hold sources, annunciators, transcoders, and media termination points (MTPs).
If endpoints have access to the appropriate MRGL, they can request these resources. Resources local to the initiating endpoint are preferred over remote resources (Figure 9).
Figure 9 Media Resource Group List (MRGL) Example
Permanent conferences are deployed using Cisco Meeting Server Spaces. A Meeting Server Space is a virtual persistent meeting room that anyone can join and that has support for video, voice, and content sharing. A Space is automatically created for a user when the user is imported into Cisco Meeting Server from a Microsoft Active Directory source configured in the web administrative interface. Each Space is associated with a few attributes (for example, Username, Space name, and so forth) and can be accessed using a video address URI or numeric alias. These attributes are configured by the administrator through the Field Mapping Expressions. After the Space has been created, the administrator can further customize each Space by specifying a default layout or guest access code for each user. The Space owner can log into the Cisco Meeting Application to create a team Space and invite others to join for collaboration.
For scheduled video conferences, use the same Cisco Meeting Server as for non-scheduled conferences to provide the conferencing resource. Integrate the Cisco Meeting Server to Cisco Unified CM with SIP trunks, and manage it through Cisco TelePresence Management Suite.
Cisco TelePresence Management Suite (TMS) runs on a Microsoft Windows server and utilizes the Microsoft SQL database to store information about users, controlled devices, and scheduled conferences. User profiles are imported from Microsoft Active Directory, and the permissions model allows for access control to various components and configured systems. Deploy Cisco TMS with Cisco TMSXE to provide Microsoft Exchange integration.
A single deployment of TMS is required for each organization. Leverage the integrated system navigator folder structure to organize all endpoints and infrastructure devices. Even multinational and global organizations can benefit from a single deployment of TMS to facilitate video connections.
Redundancy for TMS and its supporting extensions is different from other components in the Cisco Collaboration on-premises Preferred Architecture. TMS and its components operate in an active/passive model instead of clustering. A single instance of TMS consists of a Network Load Balancer, two servers hosting TMS, two servers hosting the TMSXE application, and the SQL database (Figure 10). The licensing for the instance is maintained in the SQL database, so separate licensing is not required for each node. Only one server for each application is active at any moment, with the web pages and services of the passive (inactive) node locked down to refuse all other incoming traffic. All servers must be members of the same domain.
Figure 10 Cisco TMS Redundancy Model
Deploy the Microsoft SQL database separately from the TMS server. The instance of SQL may be shared by other applications within the organization, and it should be a high-availability deployment in accordance with Microsoft's recommendations.
Organizations may choose to implement more than one Cisco Meeting Server cluster (Figure 11) for any of the following reasons:
However, when multiple Cisco Unified CM clusters are deployed, we recommend deploying a single Cisco Meeting Server cluster with one call bridge group dedicated for each Unified CM cluster. The call bridges within the group should be deployed in the same data center as the corresponding Unified CM cluster. Using a single Cisco Meeting Server cluster enables users to access the same conference using the same video address regardless of which Unified CM cluster they dial from.
Figure 11 Multiple Call Processing Sites with Conferencing
This deployment provides the following benefits:
If you already have Cisco Integrated Services Routers (ISRs) in a midmarket deployment and want very basic audio-only conferencing without investing in additional hardware, you can deploy the ISRs as conference bridges (Figure 12).
Figure 12 Architecture for Audio-Only Conferencing
Table 8 lists the roles of the audio conferencing components in this architecture and the services they provide.
There are two types of audio conferences:
For instant and permanent audio conferences, use a Cisco ISR with dedicated packet voice digital signal processor module (PVDM) resources as the audio conference bridges. The Cisco ISR requires a PVDM to support audio conferences, voice interfaces (T1, E1, FXO, FXS), and audio transcoding.
Using Cisco ISRs for a variety of functions such as voice gateway, SRST, conferencing, and WAN connectivity, and combining these voice services into a single platform offers significant cost savings over individual components. For additional deployment flexibility, PVDMs are available in various densities and support a range of codecs of different complexities.
Permanent audio conferences rely on Cisco Unified CM's Meet-Me feature. This feature requires a set of directory numbers (DNs) allocated exclusively for permanent audio conferences. Users invoke the feature by pressing the Meet-Me softkey on their audio endpoints and then dialing a DN within the predetermined range. Subsequent attendees dial the predetermined number directly to join the conference. Configure your dial plan to control access to these DNs. Permanent audio conferences are hosted on the same Cisco ISR PVDM resources as instant audio conferences.
Instant audio conference resources register with Cisco Unified CM and are controlled by media resource groups (MRGs) and media resource group lists (MRGLs). Endpoints invoke these resources if their assigned device pool has access to the appropriate MRGL. We recommend configuring MRGLs to select conference resources local to the initiating endpoint in preference to other resources.
Figure 13 Media Resource Group List (MRGL) Example
The decision to integrate conferencing resources into an existing router depends on the voice capacity and overall performance of that router. We recommend a standalone gateway if your existing router:
This deployment architecture provides the following benefits:
Business demand for connectivity between organizations by leveraging the Internet has increased significantly over the past few years. For many organizations, this connectivity is a fundamental requirement for conducting day-to-day activities. Moreover, securely connecting mobile workers and remote sites to each other and to headquarters is critical functionality that enables organizations to accomplish their business goals. The Cisco Collaboration on-premises Preferred Architecture addresses these needs with the Collaboration Edge architecture shown in Figure 14.
Figure 14 Architecture for Collaboration Edge
Table 9 lists the roles of the Collaboration Edge components in this architecture and the services they provide.
The traversal server that enables secure VPN-less mobile and remote access for TelePresence endpoints and Jabber clients. The traversal server resides in the DMZ. The solution also provides business-to-business calling, protocol interworking, and cloud connectivity.
The traversal client that creates a secure, trusted connection through the firewall to Expressway-E. The traversal client resides inside the organization’s network. The solution provides mobile and remote access, business-to-business calling, protocol interworking, and cloud connectivity.
Cisco Integrated Services Router (ISR) or Aggregation Services Router (ASR) with PSTN interfaces
Cisco ISR or ASR with Cisco Unified Border Element (CUBE) software
Enables connectivity from an organization's network to the service provider network for SIP trunks via CUBE
We recommend the following Collaboration Edge solution for the Cisco Collaboration on-premises Preferred Architecture:
Cisco Expressway provides secure firewall and NAT traversal for mobile or remote Cisco Jabber and TelePresence video endpoints (Figure 15), and it provides secure business-to-business communications (Figure 16). Cisco Expressway consists of two applications: Expressway-C and Expressway-E.
Deploy Cisco Expressway-C inside the network, and deploy Expressway-E in the demilitarized zone (DMZ) by connecting separate network ports on Expressway-E to the organization's network and to the DMZ.
Cisco fully supports a virtualized Expressway-E in the DMZ; however, a dedicated server can be deployed based on the company's security requirements.
Figure 15 Traversal for Endpoint Registrations Through Firewall with Expressway-C and Expressway-E
Figure 16 Traversal for Business-to-Business Calls Through Firewall with Expressway-C and Expressway-E
Place Expressway-C in the trusted network inside the organization. Deploy Expressway-C to:
Because Expressway-E is reachable directly from the untrusted external network, it should be placed in a DMZ for security. The organization's firewall policies control communications to and from this server. Deploy Expressway-E to:
Because landlines and mobile phones use the PSTN for local and international calls, external connectivity to the PSTN from an organization's IP telephony network is a requirement (Figure 17).
Use a Cisco ISR or ASR with a time-division multiplexing (TDM) module as the PSTN gateway at headquarters. This configuration enables the gateway to implement media interworking for the organization's incoming and outgoing PSTN calls.
At remote sites, deploy a Cisco ISR for local PSTN connectivity using voice modules. For more information about Cisco ISR, see the data sheet.
Redundancy is achieved by deploying multiple ISRs or ASRs. Cisco Unified CM has the ability to route traffic to the closest available router.
If SIP trunks are used to connect to a service provider for voice calls, enable Cisco Unified Border Element (CUBE) functionality on the Cisco ISR that is deployed at headquarters, and deploy CUBE in the demilitarized zone (DMZ). Cisco Unified CM routes calls through SIP trunks to gateways, CUBE, or Cisco Expressway based on the dial plan. For dial plan recommendations, see the Call Control section.
This deployment provides the following benefits:
Voice messaging is considered to be a basic requirement and essential service for any collaboration deployment. Cisco Unity Connection enables users to access and manage voice messages from their email inbox, web browser, Cisco Jabber client, Cisco Unified IP Phone, or TelePresence endpoint. The Cisco Collaboration on-premises Preferred Architecture includes Cisco Unity Connection to enable voice messaging for the collaboration solution (Figure 18).
Figure 18 Architecture for Voice Messaging
Table 10 lists the roles of the voice messaging components in this architecture and the services they provide.
Cisco Unity Connection supports a cluster configuration in active/active mode to provide both high availability and redundancy. As depicted in Figure 19, a Unity Connection cluster consists of a maximum of two nodes, one publisher and one subscriber (#1). If one of the Unity Connection nodes fails, the other active node in the cluster handles all the calls and HTTP requests for the Unity Connection cluster. Each server in the Unity Connection cluster must have enough voice messaging ports to handle all calls for the cluster.
As shown in Figure 19, the integration between Cisco Unified CM and Unity Connection relies on SIP for communications (#1). In addition, hardware and software endpoints are able to access voice messaging services through VoIP communications or via REST-based HTTPS communications (#2). The voicemail pilot number designates the directory number that users dial to access their voice messages. Unified CM automatically dials the voice messaging number when users press the Messages button on their phone (VoIP). Visual Voicemail allows users to access voicemail from the graphical interface on the IP phone or Jabber client (HTTPS). Users can view a list of messages and play messages from the list. Users can also compose, reply to, forward, and delete messages. Each voicemail message displays data that includes the date and time when the message was left, urgency level, and message length.
Figure 19 Unified Messaging Architecture
In summary, we recommend deploying Cisco Unity Connection as follows:
For more information about Cisco Unity Connection, refer to the product documentation.
This deployment architecture provides the following benefits:
System management and software licensing are important functions in a collaboration system environment. The Cisco Collaboration on-premises Preferred Architecture includes the following Cisco core management applications that are considered to be a basic requirement and foundational to any collaboration solution (Figure 20):
Figure 20 Architecture for Collaboration Management Services
Table 11 lists the roles of the application components in this architecture and the services they provide.
Assists the administrator by automating many of the steps necessary to install a Cisco Unified CM cluster with IM and Presence Service and a Cisco Unity Connection cluster
Enables rapid deployment of collaboration systems by providing a template-driven console for device provisioning as well as moves, adds, and changes
Internet-based Cisco web portal that provides administrators with a single management point for the Cisco Unified CM and Cisco Unity Connection licenses used in a deployment
Cisco Prime Collaboration Deployment assists the administrator by automating many of the primary steps necessary to configure and install Cisco Collaboration applications.
Cisco Prime Collaboration Deployment supports the following applications in the Cisco Collaboration on-premises Preferred Architecture:
Figure 21 illustrates the following recommended architecture for Cisco Prime Collaboration Deployment:
Figure 21 Architecture for Cisco Prime Collaboration Deployment
Cisco Prime Collaboration Deployment provides the following benefits:
– Network services (time, domain name)
– Administrative accounts and passwords
Cisco Prime Collaboration Provisioning provides a scalable web-based solution to help administrators manage the provisioning needs of an integrated IP telephony, video, voicemail, and unified messaging environment. Cisco Prime Collaboration Provisioning assists the administrator with user and device provisioning, thereby enabling rapid deployment. After the initial configuration and provisioning, Cisco Prime Collaboration Provisioning simplifies moves, adds, and changes, as well as the configuration and deployment of new features. An intuitive user interface provides a single consolidated view of users and their services.
Cisco Prime Collaboration Provisioning is available in two versions:
For midmarket deployments, we recommend Cisco Prime Collaboration Provisioning Standard (see the section on Cisco Prime Collaboration Provisioning Standard). For enterprise deployments, we recommend Cisco Prime Collaboration Provisioning Standard for single-cluster deployments and Cisco Prime Collaboration Provisioning Advanced for multi-cluster deployments, as described in the next two sections.
Cisco Prime Collaboration supports high availability (HA) through the VMware vSphere HA feature. You do not need an additional Cisco Prime Collaboration license to configure HA, and HA is highly recommended to increase uptime in case of a failure of the host on which Prime Collaboration Provisioning resides. Small and medium deployments need only one virtual machine for Cisco Prime Collaboration Provisioning Standard. For large and very large deployments, the Cisco Prime Collaboration Provisioning Advanced database and application must be configured on separate virtual machines.
Figure 22 provides an example of how to group users and components for site-based provisioning. Figure 22 also shows the recommended deployment for Cisco Prime Collaboration Provisioning Advanced with integration to LDAP. All users in the organization are imported into Cisco Prime Collaboration Provisioning from LDAP. This architecture allows user synchronization and authentication to be decoupled within Cisco Unified CM. It also allows the administrator to use Automatic Service Provisioning, which provisions a bundle of services when a new employee is added to the LDAP server and de-provisions those services when the employee is deleted from the LDAP server.
Figure 22 Architecture for Cisco Prime Collaboration Provisioning Advanced
We highly recommend performing regular backups to an external FTP server and taking periodic VM snapshots because a considerable amount of time and effort is required to configure the system and get it running initially. These processes also help retain the logs and order history for each user and help restore data in case of a catastrophic failure.
Cisco Prime Collaboration Provisioning provides the following features and benefits:
The Cisco Smart Software Manager is an Internet-based web portal that provides simplified and flexible enterprise-wide management of software licensing. Cisco Smart Software Manager simplifies licenses and software activation as well as reconciliation of licenses across supported products, and it provides enterprise-level reporting of usage and entitlement. Cisco Smart Software Manager also supports deployments with multiple clusters.
Cisco Smart Software Manager supports the following applications in the Cisco Collaboration on-premises Preferred Architecture:
We recommend direct or proxy communications between the web-based Cisco Smart Software Manager and your on-premises Unified CM and Unity Connection cluster publisher nodes. This requires outbound HTTPS communications from the Unified CM and Unity Connection publisher nodes through your organization’s firewall to the web-based Cisco Smart Software Manager service. If your organization does not allow direct outbound web communications, direct the cluster publisher nodes to a standard HTTP/HTTPS proxy server within your organization to enable firewall traversal and access to the web-based Cisco Smart Software Manager service.
Cisco Smart Software Manager provides the following benefits:
As with almost any system exposed to a network, it is important to secure your collaboration deployment. A collaboration deployment is subject to threats such as denial of service, unauthorized access, toll fraud, and eavesdropping, and it must be protected against them. Take a layered security approach by securing each level: physical access, network infrastructure, collaboration applications, and collaboration endpoints (Figure 23).
Following the recommendations in this section alone does not guarantee a secure environment, nor does it prevent all attacks on a network. You can achieve reasonable security by establishing a good security policy, following that policy, staying up-to-date on the latest developments in the hacker and security communities, and maintaining and monitoring all systems with sound system administration practices.
Figure 23 Secure All Components of the Enterprise Collaboration Preferred Architecture
We recommend the following general security practices for the Cisco Collaboration on-premises Preferred Architecture:
On Cisco Unified CM, several mechanisms can be used to prevent toll fraud. Partitions and calling search spaces (CSS) provide segmentation and access control to the directory number that can be called or the device or line that is placing the call. As a best practice, apply the most restrictive class of service possible (for example, no access to PSTN routes for calls coming in from the PSTN) based on partitions and calling search spaces. Other mechanisms can also be used, such as time-of-day routing, enabling the Block OffNet to OffNet Transfer service parameter, forced authentication code (FAC), and route filters.
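The partition and calling search space (CSS) lookup described above, reduced to a runnable model. This is an added example, not Unified CM code or its pattern grammar: patterns use only digits, X (one digit) and a trailing ! (one or more digits), the dial plan, partition names and CSS names are constructed, and the function names are the example's own. It shows why the most restrictive CSS matters: a device using the CSS assigned to inbound PSTN calls cannot reach the PSTN partition at all, and an audit function lists which CSSs grant PSTN access.

```python
"""Constructed model of Unified CM partition / CSS call routing (illustrative only)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RoutePattern:
    pattern: str      # reduced syntax: digits, 'X' (one digit), trailing '!' (one or more digits)
    partition: str    # partition the pattern lives in
    destination: str  # where a matching call is routed (constructed labels)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate the reduced pattern syntax into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch.isdigit() or ch in "*#":
            parts.append(re.escape(ch))
        elif ch == "X":
            parts.append(r"\d")
        elif ch == "!":
            parts.append(r"\d+")
        else:
            raise ValueError(f"unsupported pattern character {ch!r}")
    return re.compile("^" + "".join(parts) + "$")


def specificity(pattern: str) -> int:
    """Lower is more specific: exact digits best, X wildcards next, '!' least specific."""
    return pattern.count("!") * 1000 + pattern.count("X")


def resolve(dialed: str, css: list, patterns: list):
    """Return the RoutePattern reached by `dialed` from a device using `css`
    (an ordered list of partition names), or None when the CSS grants no match.
    Closest match wins across every partition in the CSS; partition order in the
    CSS only breaks ties between equally specific patterns."""
    candidates = []
    for rp in patterns:
        if rp.partition in css and pattern_to_regex(rp.pattern).match(dialed):
            candidates.append((specificity(rp.pattern), css.index(rp.partition), rp))
    if not candidates:
        return None
    return min(candidates, key=lambda c: (c[0], c[1]))[2]


def css_with_access(partition: str, css_table: dict) -> list:
    """Audit helper: which CSSs can reach the given partition (e.g. 'PSTN')?"""
    return sorted(name for name, parts in css_table.items() if partition in parts)


# Constructed dial plan: internal extensions, emergency, and PSTN routes.
PATTERNS = [
    RoutePattern("5XXX", "DN", "internal phone"),
    RoutePattern("911", "Emergency", "emergency route"),
    RoutePattern("9911", "Emergency", "emergency route"),
    RoutePattern("91XXXXXXXXXX", "PSTN", "PSTN gateway"),   # national
    RoutePattern("9011!", "PSTN", "PSTN gateway"),          # international
    RoutePattern("9!", "PSTN", "PSTN gateway"),             # catch-all off-net
]

# Constructed calling search spaces. The inbound-PSTN CSS is the most
# restrictive: calls arriving from the PSTN can only reach internal DNs,
# so a transfer or forward back out to the PSTN is not routable.
CSS_TABLE = {
    "CSS_Employee": ["Emergency", "DN", "PSTN"],
    "CSS_Lobby": ["Emergency", "DN"],
    "CSS_PSTN_Inbound": ["DN"],
}
CSS_EMPLOYEE = CSS_TABLE["CSS_Employee"]
CSS_PSTN_INBOUND = CSS_TABLE["CSS_PSTN_Inbound"]


if __name__ == "__main__":
    for dialed, css in [("914085551234", CSS_EMPLOYEE), ("914085551234", CSS_PSTN_INBOUND), ("911", CSS_EMPLOYEE)]:
        hit = resolve(dialed, css, PATTERNS)
        print(dialed, "->", hit.destination if hit else "BLOCKED (no matching partition in CSS)")
    print("CSSs with PSTN access:", css_with_access("PSTN", CSS_TABLE))
```

Running the audit against your own export of CSS definitions is the practical check: every CSS that appears in the PSTN list should belong to a device or line that genuinely needs off-net dialing, and the CSS applied to inbound gateway calls should never appear there.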
On Cisco Expressway-E, use Call Processing Language (CPL) rules to block fraudulent attempts.
On Cisco Unified Border Element, configure protection mechanisms against toll fraud; for example, configure an IP trust list and explicit incoming and outgoing dial peers.
Simplify certificate management with certification authority (CA) signed certificates. By default, server certificates are self-signed. To establish trust with a service based on a self-signed certificate, the self-signed certificate must be imported into the trust store of every entity that requires a secure connection to the service. If the certificate is not imported, communication can fail or warning messages about the certificate might appear, as with Jabber for example. Importing certificates is manageable when the set of communicating parties is small, but it becomes difficult for large numbers of communication peers. For this reason, we recommend having some of the certificates signed by a certification authority (CA) and extending trust to the CA. This is especially important for certificates such as the Tomcat certificates for Cisco Unified CM with IM and Presence Service and Cisco Unity Connection, as well as the XMPP certificate for IM and Presence.
For Cisco Expressway-E servers, use certificates that are signed by a public CA.
Use multi-server certificates wherever possible, especially for the Cisco Unified CM and Unified CM IM and Presence Tomcat certificates. Multi-server certificates allow the administrator to assign a single certificate for a given service across multiple servers in a cluster in order to further simplify certificate management.
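A multi-server certificate only simplifies management if its Subject Alternative Name (SAN) list really covers every node that will present it. The check below is an added example, not code from Cisco or the Unified CM product: it implements DNS-ID matching in the style of RFC 6125 (case-insensitive, a wildcard only as the whole leftmost label, never matching across a dot) and reports which cluster nodes a given SAN list leaves uncovered. The node names and SAN entries are constructed.

```python
"""Check that a multi-server certificate's SAN list covers every cluster node (added example)."""


def san_matches(san_entry: str, hostname: str) -> bool:
    """DNS-ID match: exact match, or a '*' that stands for the whole leftmost label only.
    '*.example.com' matches 'cucm-pub.example.com' but not 'a.b.example.com' or 'example.com'."""
    san = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    if san_labels[0] != "*" or "*" in "".join(san_labels[1:]):
        return False                      # wildcard must be the entire leftmost label
    if len(san_labels) < 3 or len(san_labels) != len(host_labels):
        return False                      # no bare '*.tld', and no matching across a dot
    return san_labels[1:] == host_labels[1:]


def uncovered_nodes(cert_sans: list, cluster_nodes: list) -> list:
    """Return the cluster node FQDNs that no SAN entry in the certificate covers."""
    return [node for node in cluster_nodes
            if not any(san_matches(san, node) for san in cert_sans)]


# Constructed Unified CM + IM and Presence cluster (FQDNs are examples only).
CLUSTER_NODES = [
    "cucm-pub.example.com",
    "cucm-sub1.example.com",
    "cucm-sub2.example.com",
    "imp-pub.example.com",
    "imp-sub1.example.com",
]

# Constructed SAN lists: one complete multi-server Tomcat certificate and one
# that was issued before imp-sub1 joined the cluster.
SANS_COMPLETE = CLUSTER_NODES + ["cucm.example.com"]
SANS_STALE = [n for n in CLUSTER_NODES if n != "imp-sub1.example.com"]


def report(cert_sans: list, nodes: list) -> str:
    missing = uncovered_nodes(cert_sans, nodes)
    if not missing:
        return "OK: SAN list covers all %d nodes" % len(nodes)
    return "WARNING: reissue certificate, uncovered nodes: " + ", ".join(missing)


if __name__ == "__main__":
    print(report(SANS_COMPLETE, CLUSTER_NODES))
    print(report(SANS_STALE, CLUSTER_NODES))
```

Run this whenever a node is added to a cluster: a multi-server certificate that predates the new node will fail hostname validation on that node even though it is signed by a trusted CA.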
On the endpoints, in general, two types of certificates are available: Manufacturing Installed Certificate (MIC) and Locally Significant Certificate (LSC). Endpoint certificates are used for encryption of the signaling and media and for the optional encryption of TFTP phone configuration files. We recommend using LSC certificates instead of MIC certificates.
Provide encryption for the following:
SIP trunks connect Cisco Unified CM with other servers such as Cisco Unity Connection, IM and Presence, Cisco Meeting Server, Cisco Unified Border Element, business-to-business Collaboration Edge, and voice gateways.
Use HTTPS instead of HTTP for all application connections. For example, use HTTPS with Extension Mobility.
With a Cisco Unified CM multi-cluster deployment, also enable encryption for:
To protect sensitive voice and video communications, enable endpoint encryption for signaling and media. This is especially important if your network is not entirely trusted and secure. This requires enabling mixed-mode in Cisco Unified CM. With mixed mode, you can select which endpoints are configured to use signaling and media encryption and which are not.
These security recommendations provide the following benefits:
Bandwidth management is about ensuring the best possible user experience end-to-end for all voice and video endpoints, clients, and applications in the Collaboration solution. The Cisco Collaboration on-premises Preferred Architecture provides a holistic approach to bandwidth management that incorporates an end-to-end Quality of Service (QoS) architecture, call admission control, and video rate adaptation and resiliency mechanisms to ensure the best possible user experience for deploying pervasive video over managed and unmanaged networks.
With recent increases in the number of interactive applications, particularly voice and video applications, real-time services are often required from the network. Because these resources are finite, they must be managed efficiently and effectively. If the number of flows contending for such priority resources is not limited, then as those resources become oversubscribed, the quality of all real-time traffic flows degrades, eventually to the point of becoming useless. To address this requirement, the Cisco Collaboration on-premises Preferred Architecture provides a strategy that leverages "intelligent" media techniques, QoS, and admission control to prevent real-time applications and their related media from oversubscribing the network and the bandwidth provisioned for those applications, thus ensuring efficient use of bandwidth resources.
Figure 24 illustrates the approach to bandwidth management used in the Cisco Collaboration on-premises Preferred Architecture. This approach consists of the following phases:
Figure 24 Architecture for Bandwidth Management
The concepts applied to the bandwidth management strategy illustrated in Figure 24 include:
The following sections describe these concepts briefly.
A self-regulating video network leverages intelligent media techniques and rate adaptation, together with proper provisioning and QoS, so that video endpoints can maximize their video resolution when video bandwidth is not fully utilized in the network, and can rate adapt or throttle down their bit rate to accommodate more video flows during the busy hour of the day.
Prioritized audio for both audio-only calls and audio of video calls ensures that all audio is prioritized in the network and is thus not impacted by any loss that might occur in the video queues. Prioritizing voice from all types of collaboration media ensures that, even during times of extreme congestion when video is experiencing packet loss and adjusting to that loss, the audio streams will not suffer packet loss and will enable the users to have an uninterrupted audio experience.
Opportunistic video allows for a group of video endpoints to be strategically marked with a lower class of video, thus allowing them to use available bandwidth opportunistically for optimal video resolution during times when the network is less busy and more bandwidth is available. Conversely, the lower class of video endpoints can throttle down their video bit rate more aggressively than the prioritized class of video during times of congestion when the network is in its busy hour. This concept of opportunistic video, coupled with prioritized audio, maintains an acceptable video experience while simultaneously ensuring that voice media for the opportunistic video calls is not compromised. This, of course, applies to the managed network, since an unmanaged network such as the Internet is not QoS-enabled and thus provides no guarantees with regard to packet loss. Nevertheless, the media resiliency and rate adaptation mechanisms also attempt to ensure that media over unmanaged networks has the best possible quality in the face of packet loss, delay, and jitter.
– Mark all audio with Expedited Forwarding class EF (includes all audio for voice-only and video calls).
– Mark all critical desktop and room system video with an Assured Forwarding class of AF41.
– Mark all Jabber, Mobile and Remote Access (MRA), and Edge video with an Assured Forwarding class of AF42.
Note This creates a class of video endpoints and video call flows that are opportunistic in nature. (For more details, see Opportunistic Video.) If AF42 marking and scheduling are not possible due to limitations on customer edge equipment or other reasons, then AF41 can be used for all video traffic. If that is the case, then the benefits of Opportunistic Video will be minimized. With only AF41 marking, all video traffic will compete equally for resources and rate adapt based on utilization in a self-regulating video network.
– Configure QoS on all media originating and terminating applications and MCUs across the solution.
– WAN edge ingress re-marking policy
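The marking scheme above (EF for all audio, AF41 for critical video, AF42 for opportunistic video) and the WAN edge ingress re-marking policy, shown at the packet level. This is an added example, not Cisco code and not a router configuration: it builds a constructed IPv4 header, reads and rewrites the DSCP field (the upper six bits of the ToS byte, keeping the two ECN bits), recomputes the IPv4 header checksum, and applies a trust-boundary policy in which any flow the edge cannot classify as a known media class is re-marked to best effort, so a host cannot simply self-mark its traffic into the EF queue. The classification step itself (ACL, NBAR, or trusted device) is represented by the `media_class` argument and is outside the example.

```python
"""DSCP marking and WAN edge re-marking on constructed IPv4 packets (added example)."""
import socket
import struct

# DSCP code points used by the Preferred Architecture marking scheme.
EF, AF41, AF42, BEST_EFFORT = 46, 34, 36, 0
POLICY = {
    "audio": EF,                   # all audio, including the audio of video calls
    "critical_video": AF41,        # desktop and room system video
    "opportunistic_video": AF42,   # Jabber, MRA and Edge video
}


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(dscp: int, src: str, dst: str, payload: bytes = b"", proto: int = 17, ttl: int = 64) -> bytes:
    """Constructed IPv4 packet (no options) carrying `payload`, marked with `dscp`."""
    tos = (dscp & 0x3F) << 2                        # DSCP in the upper 6 bits, ECN = 0
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0x1234, 0x4000,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def dscp_of(packet: bytes) -> int:
    """Extract the DSCP value from the ToS byte of an IPv4 packet."""
    return packet[1] >> 2


def verify_checksum(packet: bytes) -> bool:
    """A header with a correct checksum sums to zero under ip_checksum."""
    ihl = (packet[0] & 0x0F) * 4
    return ip_checksum(packet[:ihl]) == 0


def remark(packet: bytes, dscp: int) -> bytes:
    """Return a copy of `packet` with the DSCP rewritten, ECN bits preserved and checksum fixed."""
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[1] = ((dscp & 0x3F) << 2) | (header[1] & 0x03)
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


def remark_at_wan_edge(packet: bytes, media_class):
    """Ingress re-marking policy: trust nothing the host set. A packet classified into a
    known media class gets that class's DSCP; anything else is forced to best effort,
    whatever marking it arrived with."""
    return remark(packet, POLICY.get(media_class, BEST_EFFORT))


if __name__ == "__main__":
    # Constructed packet from an untrusted host that marked itself EF.
    pkt = build_ipv4_packet(EF, "10.1.1.10", "10.2.2.20", payload=b"\x00" * 160)
    print("arrived with DSCP", dscp_of(pkt), "checksum ok:", verify_checksum(pkt))
    demoted = remark_at_wan_edge(pkt, None)
    print("unknown flow re-marked to DSCP", dscp_of(demoted), "checksum ok:", verify_checksum(demoted))
    video = remark_at_wan_edge(pkt, "opportunistic_video")
    print("classified opportunistic video re-marked to DSCP", dscp_of(video))
```

The same functions can be pointed at a packet capture to audit what actually crosses the WAN edge: media that arrives at the far side with DSCP 0 when the endpoints marked it EF indicates a device in the path that is not honoring or not re-marking per the policy.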
This deployment provides the following benefits:
The following applications, illustrated in Figure 25, provide additional features and services for midmarket deployments of the Cisco Collaboration on-premises Preferred Architecture:
Figure 25 Architecture for Midmarket Applications
Table 12 lists the roles of the application components in this architecture and the services they provide.
Provides administrative functions (provisioning) for Cisco Unified Communications applications
Cisco Unified Contact Center Express (Unified CCX) enables organizations to provide powerful agent queuing and interactive voice response (IVR) services to internal and external customers. These services enable customers to connect easily with the right employees in an organization for sales inquiries or product support.
Deploy two Unified CCX servers for high availability, with one active node and one standby node to provide services in case of component failure (Figure 26). Also configure a primary and a backup Cisco BE6000 server for the JTAPI interface of the Telephony and Resource Manager-Contact Manager (RmCm) subsystems in Unified CCX.
Note If full redundancy is not required, a single server may be deployed without loss of functionality.
Figure 26 Cisco Unified Contact Center Express Cluster
As with the other components in the Cisco Collaboration on-premises Preferred Architecture, Unified CCX should be deployed with high availability that includes active and standby nodes. Unified CCX downloads the end-user information from Unified CM that is synchronized with the organization's LDAP directory. This minimal configuration enables external callers to dial a single number into the organization and then use simple dial-by-name or dial-by-extension functionality without the need for telephone operators to connect external calls. Depending on the organization's structure and business model, Unified CCX could also be used for the following additional work-flow functions:
These automated, call-directed work flows provide value to the organization by quickly and easily connecting a person with a need to the appropriate resource within the organization for assistance.
For contact center deployments, use Cisco Finesse as the agent and supervisor desktop. Cisco Finesse is a browser-based application implemented through a Web 2.0 interface with no client-side installation required, and it is highly customizable. In addition, Cisco Finesse supports +E.164, which adheres to the dial plan design recommendations discussed in the Call Control section.
For additional information about Cisco Unified Contact Center Express, see the latest data sheet.
Cisco Prime Collaboration Provisioning Standard provides a centralized provisioning interface that simplifies administration of day-to-day activities such as moves, adds, changes, and deletions (MACD) of user devices and services in an organization (Figure 27).
Figure 27 Cisco Prime Collaboration Provisioning Standard
Deploy Cisco Prime Collaboration Provisioning Standard on the primary Cisco BE6000 server. A single instance of Cisco Prime Collaboration Provisioning Standard is supported per organization.
Cisco Prime Collaboration Provisioning Standard provides the following benefits: