Preferred Architecture for Cisco Webex Hybrid Services
First Published: June 14, 2016
Last Updated: September 14, 2018
Cisco Preferred Architectures provide tested and recommended deployment models for specific market segments based on common use cases. They incorporate a subset of products from the Cisco Collaboration portfolio that is best suited for the targeted market segment and defined use cases. These deployment models are prescriptive, out-of-the-box, and built to scale with an organization as its business needs change. This prescriptive approach simplifies the integration of multiple system-level components and enables an organization to select the deployment model that best addresses its business needs.
Documentation for Preferred Architectures
The following types of Cisco documents describe and explain the Preferred Architectures:
Preferred Architecture (PA) Design Overview guides help customers and sales teams select the appropriate architecture based on an organization's business requirements; understand the products that are used within the architecture; and obtain general design best practices. These guides support pre-sales processes.
Solution Reference Network Design (SRND) guides provide detailed design options for Cisco Collaboration. The SRND should be referenced when design requirements are outside the scope of Cisco Preferred Architectures.
Previously the Cisco Collaboration portfolio included two separate platforms: Cisco WebEx and Cisco Spark. Cisco has now converged those two collaboration products into a single platform that is simpler to use and provides a more uniform and enjoyable user experience than the two separate platforms, with new and enhanced features as well. This new collaboration platform is called Cisco Webex.
The Cisco Spark application that has been incorporated into Webex is called Webex Teams. Some of the features and functions described in this document still use the Cisco Spark name and terminology, but that terminology will change with future releases of Cisco Webex.
More and more, organizations are choosing collaboration services from the cloud because cloud services:
Are easier and faster to deploy
Don't require the upfront capital investment of on-premises systems
Provide predictable recurring expenditures through subscription-based user licensing
Can free up IT staff to focus on other priorities
Many organizations, however, are unable or unwilling to move all their services to the cloud. Often, they are not ready to replace everything they have on-premises, or they simply want to augment their current collaboration tools with those from the cloud. But having tools from both the cloud and the premises can create inconsistent, disjointed user experiences.
Cisco solves this problem with Webex Hybrid Services. These services connect what you have on-premises with Webex Teams in the cloud to provide a single integrated experience. If you like the capabilities of Webex Teams, you can integrate those capabilities with what you currently have deployed for an even better end-user and administrator experience.
The Preferred Architecture (PA) for Webex Hybrid Services is a Cisco Validated Design (CVD) in the Preferred Architectures umbrella that was created as a supplement to the PA for Cisco Collaboration Enterprise on-premises deployments. It requires many of the same products and infrastructure as well as the architecture and planning incorporated in the PA for on-premises deployments. Therefore we expect you to follow and implement the latest version of the Preferred Architecture for Cisco Collaboration Enterprise On-Premises Deployments, available at https://www.cisco.com/go/pa, prior to deploying the PA for Webex Hybrid Services.
As part of implementing the PA for Webex Hybrid Services, there are a number of products and integrations covered in the latest version of the Preferred Architecture for Cisco Collaboration Enterprise On-Premises Deployments that overlap with, and thus are not part of, the PA for Webex Hybrid Services. The areas of overlap include Cisco Meeting Server, Cisco Unified Communications Manager IM and Presence Service, and Cisco Jabber. This does not mean that these products and services cannot be deployed in an environment with Webex Hybrid Services, but that this PA for Webex Hybrid Services will not discuss or treat any design considerations around these on-premises products and services when they overlap with those included in the Webex Hybrid Services solution.
Technology Use Cases
Organizations want to streamline their business processes, optimize employee productivity, and enhance relationships with partners and customers. The Preferred Architecture (PA) for Cisco Webex Hybrid Services delivers capabilities that enable organizations to realize immediate gains in productivity and enhanced relationships. Additionally, the following technology use cases offer organizations opportunities to develop new, advanced business processes that deliver even more value in these areas:
Meetings — Bring people together to create, communicate, and collaborate in one continuous work stream before, during, and after the meeting so that teams can be more effective while using any mobile or video device. Invite others to join meetings from their desk, a branch office, their homes, or the road with Webex Teams or on their Cisco on-premises endpoint or room device.
Messaging — Exchange messages and share files with another person or a group of people. Message anyone; choose someone from your company directory or simply enter an email address and start messaging customers, partners, or anyone you need to work with.
Calling — Webex Teams includes cloud-based calling. With Webex Teams, you can make calls to any other Webex Teams user in any company via SIP dialing, as well as calls to any endpoint or room device deployed in your Cisco Enterprise on-premises solution. You can make and receive calls from a phone connected to the Webex Teams service in the office or from the Webex Teams application on your mobile phone or desktop. When integrated with Webex Hybrid Services, Webex Teams applications also support enterprise dialing habits such as numerical dialing to on-premises endpoints and the PSTN. (PSTN connectivity is provided through Cisco Unified Communications Manager deployed on the enterprise premises.)
Enhanced user experience — The Webex Teams application is central to Webex Teams. The application gives the user the ability to access, use, and control the meetings, messaging, white boarding, and calling capabilities of Webex Teams, depending on the user's license entitlement. Users can also share content when in a meeting, when messaging, or while on a call. The Webex Teams application is how users access the service on their smartphones, via a browser, or via a dedicated application on their Mac or Windows PC.
Incorporate video, desktop sharing, and persistent messaging into meetings — Improve communications, relationships, and productivity by making it easier to meet face-to-face over distance.
Extend telephony with video — Facilitate face-to-face video communications directly from end-user phones or softphone applications.
Support teleworkers and branch offices — Let employees work from multiple locations, whether satellite offices, home offices, or over the Internet when mobile.
Collaborate with external organizations — Easily share information, interact in real time, and communicate using technologies beyond email and phones.
Create flexible work areas and office spaces — Scale office space and create work areas that foster employee inclusiveness, collaboration, innovation, and teamwork.
The Benefits of Webex Hybrid Services
Cisco Webex Hybrid Services provide:
Consistent, unified user experience — End users and IT administrators get the best of cloud and on-premises technology. Webex Hybrid Services combine the cloud and on-premises services for an integrated experience. Examples include the ability to share your desktop instantly, automatic directory synchronization, and simplified scheduling of meetings.
Easier transition to the cloud — Webex Hybrid Services help your organization take advantage of Cisco Collaboration cloud-based services without discarding your existing on-premises investments. Instead, you can integrate them together for a better user experience, and move to cloud services as and when you like.
High level of security — Security is integral to Webex Teams and its hybrid services. Cisco has used its extensive experience gained from securing the world's largest networks. Combining this knowledge with the hardware and the software elements of our market-leading communications and cloud services, we've built Webex Teams and its hybrid capabilities to be secure from the ground up.
The Preferred Architecture (PA) for Cisco Webex Hybrid Services provides end-to-end collaboration targeted for deployments where a Cisco Collaboration solution based on Cisco Unified Communications Manager has been deployed. This architecture incorporates high availability for critical applications. The consistent user experience provided by the overall architecture facilitates quick user adoption. Additionally, the architecture supports an advanced set of collaboration services that extend to mobile workers, partners, and customers through the following key services:
Voice and video communications
Meetings that incorporate high-definition video, web conferencing, and content sharing capabilities
Services for mobile and remote workers
Because of the adaptable nature of Cisco endpoints and their support for IP networks, this architecture enables an organization to use its current data network and the Internet to support both voice and video calls. The Preferred Architecture (PA) provides a holistic approach to bandwidth management, incorporating an end-to-end QoS architecture and video rate adaptation and resiliency mechanisms to ensure the best possible user experience for deploying pervasive video over managed and unmanaged networks.
The PA for Webex Hybrid Services, illustrated in Figure 2, provides highly available and centralized on-premises and cloud services. These services extend easily to remote offices and mobile workers, providing availability of critical services even if communication to headquarters is lost. Centralized on-premises and cloud-based services also simplify management and administration of an organization's collaboration deployment.
Figure 2 Preferred Architecture for Cisco Webex Hybrid Services
Table 1 lists the products in this architecture. For simplicity, products are grouped into modules to help categorize and define their roles. The content in this guide is organized in the same modules.
Table 1 Components of the Preferred Architecture for Cisco Webex Hybrid Services
Web portal that enables provisioning and management of Webex Teams users and services, registration of the Expressway-C Connector Host to Webex, Expressway connector upgrades, and registration of Webex calling devices
Cisco Webex Teams Messaging
Provides persistent messaging and content sharing
Cisco Webex Meetings
Provides audio/video meetings, with content sharing and web conferencing capabilities for meetings
Provides endpoint registration, call processing, and media resource management
Cisco Expressway-C Connector Host Call Connector
Provides integration between on-premises call processing services and Webex
Cisco Expressway-C and Expressway-E
Enable interoperability and firewall traversal with Webex
The PA for Webex Hybrid Services provides high availability for all deployed on-premises applications by means of the underlying clustering mechanism present in all Cisco Unified Communications applications. Clustering replicates the administration and configuration of deployed applications to backup instances of those applications. Likewise, cloud services are natively redundant by virtue of elastic computing and highly available service distribution within the cloud platform.
If an instance of an application or service fails, Cisco on-premises and cloud-based services (such as endpoint registration, call processing, messaging, and many others) continue to operate on the remaining instance(s) of the application or service. This failover process is transparent to the users. In addition to clustering, the PA for Webex Hybrid Services provides high availability through the use of redundant power, network connectivity, and elastic storage.
In the PA for Webex Hybrid Services, the following cloud services are deployed redundantly:
Details about the individual licenses for the endpoints and infrastructure components in the Preferred Architecture for Webex Hybrid Services are beyond the scope of this document. For information about licensing, see the Cisco Collaboration Flex Plan.
Cisco Collaboration endpoints provide a wide range of features, functionality, and user experiences. Because Cisco endpoints range from low-cost, single-line phones and soft clients to presentation, white board, and multi-screen Cisco TelePresence endpoints, an organization can deploy the right variety of endpoints to meet users' needs (Figure 3). Additionally, these devices enable users to access multiple communication services such as:
Voice and video calling
Desktop and content sharing
Figure 3 Architecture for Endpoints
In the PA for Webex Hybrid Services, both Cisco Unified Communications Manager (Unified CM) on-premises call control and Cisco Webex provide endpoint registration and collaboration services.
We recommend the endpoints listed in the following tables because they provide optimal features for this design. Cisco has a range of Collaboration Endpoints with various features and functionality that an organization can also use to address its business needs.
Table 2 Cisco IP Phones – Unified CM Only
Cisco IP Phone 8800 Series
General office use, multiple-line phone
Cisco IP Phone 8832
On-premises IP conference phone
Table 3 Cisco TelePresence and Video Endpoints – Unified CM or Cisco Webex Room Device
2.Only the Cisco IP Phones 8845 and 8865 support video.
3.While cloud registration is supported with these endpoints, for the purposes of this PA these endpoints register to Cisco Unified CM.
4.Cisco Webex Room Series endpoints support 4K video resolution.
5.View capability only.
Cisco Webex Core Services
The PA for Cisco Webex Hybrid Services includes the following foundational functionality and services that underlie the entire Webex Hybrid Services solution:
Cisco Webex Control Hub
The web-hosted online Webex Control Hub, available at https://admin.webex.com/, is used to administer and manage the organization's Webex Hybrid Services.
Cisco Webex Teams Messaging
This basic feature of the Webex Teams application and the Webex platform provides one-to-one and group messaging with file sharing. This feature delivers persistent instant messaging with Webex Teams spaces, where users can message and share files.
Cisco Webex Meetings
Webex Meetings provides audio and video conferencing with content sharing by leveraging the Webex conferencing service. Webex Meetings builds upon the messaging and file sharing capabilities of Webex Teams Messaging. Webex Meetings also enables advanced features such as meeting recording and permanent Personal Meeting Rooms (PMR) to provide users with personalized permanent voice and video meeting spaces. Users can join conferences using Webex Teams devices as well as Webex Teams and Webex Meetings applications.
The Cisco Expressway-C Connector Host is a standard Cisco Expressway-C server deployed within the customer's organization to provide an integration point between the on-premises and cloud collaboration services. The integration between the Cisco Expressway-C server and Cisco Webex is facilitated via micro-services installed and managed on the Expressway-C Connector Host by Webex. These micro-services enable hybrid services integration.
The Management Connector is included in the Expressway-C base software and is used by the administrator to register Expressway to Webex and to link the Expressway interface with the Webex management interfaces.
All of these services and components are relevant for the deployment of the PA for Webex Hybrid Services and will be referenced as appropriate in the remainder of this document.
Cisco Webex Hybrid Directory Service
Cisco Webex Hybrid Directory Service is the common identity component for any hybrid deployment. It provides user synchronization between on-premises Microsoft Active Directory and Cisco Webex.
Cisco Directory Connectors are deployed on-premises. They communicate and synchronize over the enterprise network with Microsoft Active Directory, and they communicate over the Internet to Webex (Figure 4).
Figure 4 Architecture for Cisco Webex Hybrid Directory Service
Table 7 lists the roles of the Cisco Webex Hybrid Directory Service components in this architecture and the services they provide.
Table 7 Components for Cisco Webex Hybrid Directory Service
Cisco Webex Hybrid Directory Service
Cisco Directory Connector
Provides user synchronization between Microsoft Active Directory and Cisco Webex
Microsoft Active Directory
Provides the full list of corporate users and their attributes
Webex Hybrid Directory Service enables an administrator to populate the common identity store of their company's Webex Teams organization with users from their corporate Microsoft Active Directory. Once the cloud identity store for the company's organization has been populated, administrators can easily manage Webex Teams corporate user accounts. Administrators may configure user accounts, enable specific features, and provision users for collaboration services within the Webex Teams organization.
As shown in Figure 5, Cisco Directory Connectors synchronize with Microsoft Active Directory using Microsoft application programming interfaces (APIs) over the on-premises network. At the same time, Cisco Directory Connectors push directory data and communicate over the Internet through the secure enterprise boundary and corporate firewall with the cloud identity service within Webex. HTTPS is used for communications between Cisco Directory Connectors and Cisco Webex.
Figure 5 Hybrid Enterprise Directory Integration
The Directory Connector servers run on Microsoft Windows Servers and must be actively joined to the Active Directory domain. (See the Deployment Guide for Cisco Directory Connector for the latest version support information.) A read-only administrator account is used to authenticate the Directory Connector to the Windows domain.
The customer organization administrator must log in to the Webex Control Hub and download the Directory Connector software to the Windows servers. Once Directory Connectors are installed and configured, synchronization will take place and users will be pushed to the Webex identity store for the customer's organization through HTTPS connections. Because these are outbound connections from the Cisco Directory Connectors to the Internet, they do not require any inbound ports to be opened on the internal or external firewall.
Directory Connectors are configured to pull user information from the Microsoft Active Directory. (See the Deployment Guide for Cisco Directory Connector for the latest version support information.) User information can be pulled from the entire domain or from specific containers and organizational units. It is also possible to create LDAP filters if more granularity is needed.
Users log in to Webex Teams via their email address, which corresponds to the mail LDAP attribute. Once provisioned for Webex Teams Messaging, each user receives an automatic email from Webex and is prompted to confirm their email address and specify a password.
To deploy Webex Hybrid Directory Service in the PA for Webex Hybrid Services, we recommend the following:
Webex Teams users correlate to Cisco Unified CM end users by means of email addresses. For this reason, make sure that the end-user account mail ID field in the Unified CM End User database contains the user's email address. With LDAP directory integration, the mail ID field for Unified CM end users is typically mapped from the mail field of the LDAP directory during synchronization.
Install Directory Connectors and Active Directory Domain Service or Active Directory Lightweight Directory Services on separate Windows servers.
After the Directory Connector installations finish, run a first synchronization. Then configure full synchronization and incremental synchronization schedules to keep the Directory Connectors (and in turn Webex) updated when user information changes (user update, deletion, or addition) within Microsoft Active Directory.
Cisco Webex Hybrid Calendar Service
Cisco Webex Hybrid Calendar Service enables enterprise calendar integration with Webex collaboration services. It provides calendar synchronization between on-premises Microsoft Exchange and Cisco Webex.
Cisco Calendar Connector is deployed on the Cisco Expressway-C Connector Host on-premises. It communicates and synchronizes over the enterprise network with Microsoft Exchange, and it communicates over the Internet to Webex (Figure 6).
Figure 6 Architecture for Cisco Webex Hybrid Calendar Service
Provides integration between the enterprise calendaring application and Webex
Provides corporate calendaring services
Webex Hybrid Calendar Service enables a tight integration between the user's enterprise Microsoft Exchange calendar, Microsoft Outlook invitations, and Webex Teams Messaging. The Calendar Connector service provides two key features:
When @meet is added to the location field of an Outlook calendar invitation, Calendar Connector and the cloud calendar service create a Webex Teams meeting and a new Webex Teams collaboration space with a name that matches the invitation subject. All users in the calendar invitation are added to the Webex Teams space and are invited to the meeting. This facilitates collaboration and allows the meeting organizer and attendees to communicate and share material prior to, during, and even after the meeting. If a calendar invitation includes a distribution list, users on the distribution list will not be added to the Webex Teams space automatically; however, they will receive the meeting invitation.
When @webex is added to the location field of an Outlook calendar invitation, Calendar Connector automatically populates the invitation with the user's Webex Personal Room information.
Hybrid calendar integration also enables:
Synchronization of users' Microsoft Exchange enterprise calendar with their Webex Teams application calendar and meeting list
Sharing of users' out-of-office status from Microsoft Outlook with Webex Teams
As shown in Figure 7, the Cisco Calendar Connector service running on the Expressway-C Connector Host synchronizes with Microsoft Exchange using Exchange Web Services (EWS) over the on-premises network. At the same time, Cisco Calendar Connector pushes calendar data and communicates over the Internet through the secure enterprise boundary and corporate firewall with the calendar service within Webex. Cisco Calendar Connector also integrates with Webex Personal Rooms for @webex functionality. HTTPS is used for communications between Cisco Calendar Connector on the Expressway-C Connector Host and Webex. Because this is an outbound connection from the Cisco Calendar Connector to the Internet, it does not require any inbound ports to be opened on the internal or external firewall.
Figure 7 Hybrid Enterprise Calendar Integration
Note As shown in Figure 7, the Expressway-C Connector Host does not pair with the Expressway-E server and, in the case of hybrid calendar integration, does not rely on Expressway-C and Expressway-E firewall traversal capabilities to communicate with Webex.
Calendar Connector is configured to pull calendar and meeting information from Microsoft Exchange using an impersonation account. (For the latest version support information, see the Deployment Guide for Cisco Webex Hybrid Calendar Service.) This meeting information is used to create the appropriate Webex Teams meeting and space with all invitees (@meet) and a Webex personal meeting room (@webex).
To deploy Webex Hybrid Calendar Service in the PA for Webex Hybrid Services, we recommend the following:
Deploy a pair of dedicated Cisco Expressway-C hosts using the Expressway-C OVA. They will serve as your Cisco Expressway-C Connector Hosts. These Expressway-C servers do not pair with Expressway-E servers and, in the case of hybrid calendar integration, do not rely on Expressway-C and Expressway-E firewall traversal.
The application impersonation role must be configured in Microsoft Exchange and is used in the Exchange Calendar Connector configuration on the Expressway-C interface. The application impersonation management role in Microsoft Exchange enables applications to impersonate users in an organization to perform tasks on behalf of the users. The impersonation account does not have to be an administrator, but it must have a mailbox.
Cisco Webex Video Mesh
Cisco Webex Video Mesh is a component of the PA for Cisco Webex Hybrid Services that enables organizations to deploy an instance of media processing on-premises. This means that Webex Teams room devices and clients, as well as Unified CM registered endpoints dialing into Webex meetings, can terminate media on-premises instead of sending all media to the cloud.
The benefits of Webex Video Mesh include:
Improved call quality because media stays local, which reduces latency and packet loss
Reduced consumption of Internet bandwidth
Simplified on-premises deployment via Webex Control Hub
Reduced utilization of Expressway for Unified CM registered endpoints connecting to Webex Meetings
The PA for Webex Hybrid Services addresses these needs with the Webex Video Mesh architecture shown in Figure 8.
The central component of Webex Video Mesh is the Video Mesh Node. Webex Video Mesh can be deployed as a virtual machine on a Cisco Unified Computing System (UCS) server or on specifications-based hardware in the organization’s data center(s). (See the Cisco Webex Video Mesh Data Sheet for more information.) The Video Mesh Node registers to Webex, and most management tasks are performed from the Webex Control Hub. The Webex Control Hub also provides automatic software updates and usage reports.
Figure 8 Architecture for Cisco Webex Video Mesh
Table 9 lists the components and roles of Cisco Webex Video Mesh.
Table 9 Components for Cisco Webex Video Mesh
Cisco Webex Video Mesh
Cisco Webex Video Mesh Node
Provides on-premises media processing capabilities for Webex Meetings. This includes voice, video, and desktop sharing.
Cisco Webex Control Hub
Provides central administration for Webex Teams components.
Every Webex Teams call is considered to be a meeting. In a Webex Teams meeting, signaling and media are sent to and from Webex. For example, Figure 9 shows a three-party Webex Teams meeting. Each party in the meeting sends and receives media to and from Webex via the Internet. As the number of concurrent calls increases, the organization’s bandwidth usage to the Internet increases. The three-party Webex Teams call in Figure 9 uses up to 7 MB of the organization’s Internet bandwidth (client bandwidth requirements shown in this example are average values).
Figure 9 Media Path of a Webex Teams Meeting
The Video Mesh Node bridges the media locally, resulting in network edge bandwidth savings as well as decreased overall latency. Figure 10 shows the same three-party call with the media bridged locally on the Video Mesh Node within the enterprise, resulting in no bandwidth utilization for media over the Internet.
Figure 10 Media Path of a Webex Teams Meeting with Video Mesh Node
Video Mesh Node Discovery Process
When a Webex Teams endpoint starts up, it registers to Cisco Webex. Webex provides the endpoint with a list of cloud-based media services and available on-premises Video Mesh clusters associated with that Webex Teams organization. (Clusters are groups of nodes that are used in the same region.) The Webex Teams endpoint then performs two tests to decide which media node cluster it should use for calls:
A Serial Tunneling (STUN) test to check if the media nodes are reachable
A latency test to measure the round-trip delay between the endpoint and each media node
The Webex Teams endpoint performs these tests whenever there is a network change event on the local device or when the cache expires.
The Webex Teams endpoint will choose to send media to the media node with the lowest round-trip delay (RTD) duration. A Video Mesh Node that is reachable should have the lowest RTD for a Webex Teams endpoint that is on the corporate network.
A single Video Mesh Node can accommodate up to 100 concurrent calls. Video can scale up to 1080p at 30 frames per second. If a Video Mesh cluster is full, the next Webex Teams endpoint in the organization that joins the meeting will send its media to Webex, and the Video Mesh Node will cascade the call to the cloud media services. The cascade link carries up to 6 HD streams, which allows picture-in-picture and layout controls on specific endpoints.
A cascade link is created when a remote participant joins the call and their Webex Teams endpoint may not be able to reach the Video Mesh Node. In this scenario, shown in Figure 11, the remote Webex Teams endpoint sends media to the cloud media services, and a cascade link is created between that cloud media services and the Video Mesh Node hosting the call.
Figure 11 Cascading the Call to the Cloud for External Participants
The Video Mesh Node can host Webex meetings that include both Webex Teams endpoints and clients as well as Unified CM registered endpoints. Webex Video Mesh bridges on-premises Unified CM registered endpoints in meetings with Webex Teams endpoints and applications. Unified CM communicates to the Video Mesh Node via SIP trunking, thus allowing on-premises registered endpoints to join Webex Meetings with media termination at the Webex Video Mesh Node. (See Figure 12.)
Figure 12 Media Path of a Webex Teams Meeting with Video Mesh Node and Unified CM Registered Endpoints
The Video Mesh Node can be deployed on the corporate network or in the DMZ. We recommend deploying the Video Mesh Node on the corporate network. With this deployment model, internal Webex Teams endpoints will connect to available Video Mesh Nodes and external Webex Teams endpoints will connect to the cloud media services. Calls will be cascaded from Video Mesh Nodes to the cloud when Webex Teams endpoints from outside the organization’s network connect to a call with internal participants.
We recommend that you deploy Video Mesh Nodes only in large campus sites that have direct Internet access (DIA), as shown in Figure 13. This will ensure that the Video Mesh Nodes are available for large user populations. It will also ensure that media will cascade from the Video Mesh Nodes directly to the cloud instead of traveling across a WAN to another site with direct Internet access.
Figure 13 Video Mesh Nodes Deployed in a Large Site with Direct Internet Access (DIA)
We recommend deploying Video Mesh Nodes in clusters. This provides high availability for internal users in case a single Video Mesh Node becomes unavailable. It also allows Webex Teams endpoints to overflow to a Video Mesh Node on the corporate network instead of overflowing to the cloud, thus saving bandwidth on the corporate network Internet edge (see Figure 14).
Figure 14 Multiple Video Mesh Clusters Cascading a Call to Webex
We recommend sizing the Video Mesh cluster based on the number of calls expected for the organization’s site. There is no maximum size for a Video Mesh cluster, and each Video Mesh Node can support up to 100 concurrent calls. Avoid clustering Video Mesh Nodes over the WAN. Clustering Video Mesh Nodes over the WAN could lead to excessive consumption of WAN bandwidth as call are cascaded between nodes over the WAN.
The Video Mesh Node requires a number of open firewall ports to enable cloud management, signaling, and media traffic flow. We recommend opening media ports for both TCP and UDP traffic flows. Ensure that media is marked with appropriate QoS markings to improve call quality on the corporate network. (See the Bandwidth Management section for details.)
Cisco Webex Hybrid Call Service
Cisco Webex Hybrid Call Service provides the integration of Cisco Unified Communications call services with Webex call services. The PA for Webex Hybrid Services includes Cisco Unified Communications Manager (Unified CM), Cisco Expressway-C and Expressway-E, and the Expressway-C Connector Host for the Hybrid Call Service solution (Figure 15).
Figure 15 Architecture for Cisco Webex Hybrid Call Service
Table 10 lists the roles of the components in this architecture and the services they provide.
Table 10 Components for Cisco Webex Hybrid Call Service
Cisco Webex Hybrid Call Service
Cisco Unified Communications Manager (Unified CM)
Provides endpoint registration, call processing, and media resource management
Cisco Expressway-C Connector Host Call Connector
Provides integration between on-premises call processing services and Webex
Cisco Expressway-C and Expressway-E
Enables interoperability and firewall traversal with Webex services
A key component of the Webex Hybrid Call Service is the Call Connector, hosted on the Cisco Expressway-C Connector Host. Call Connector provides the following services:
The Call Connector on Cisco Expressway-C notifies Webex when two Webex Teams users are engaged in the same call with their on-premises devices, so that their respective Webex Teams applications can offer the option to start desktop sharing. Call Service Aware does not require any media traversal capability or license. Expressway-C communicates with Webex using an outbound HTTPS connection; Expressway-E is not involved.
The Call Connector on Expressway-C integrates with Cisco Unified Communications Manager through specific APIs that allow for configuration reading and writing (AXL) and device monitoring (CTI-QBE).
When a user of Webex is enabled for Call Service Aware, the Call Connector uses AXL connectivity to find devices associated to that user on Cisco Unified Communications Manager (Unified CM), and then it sends this information to Webex.
For all line appearances monitored by the Call Connector, Cisco Unified CM sends notifications to the Call Connector, which then relays this information to Webex. This way Webex always knows if a specific user's device is engaged on a call or not. Based on this information, a one-to-one Webex Teams space is created or pushed to the top of the list in Webex Teams applications of users in a one-to-one call on their Unified CM registered endpoints. This one-to-one space presents the option to add desktop sharing capabilities to both users involved in the call.
With Call Service Aware, desktop sharing is available to all physical devices (either audio or video-based) registered to Cisco Unified CM.
Figure 16 illustrates the Call Service Aware architecture
Figure 16 Webex Call Service Aware Used for Desktop Sharing
Call Service Connect
Call Service Connect allows integration between Webex Teams and Cisco Unified Communications Manager (Unified CM). A prerequisite for Call Service Connect is that Call Service Aware must be deployed and configured.
If a user has an endpoint registered to Cisco Unified CM and a Webex Teams application, both the endpoint and the Webex Teams application will receive the call regardless of whether the call is initiated by another Webex Teams application or any other endpoint. Call Service Connect not only enables ringing on Webex Teams and Cisco Unified CM, but also allows Webex Teams users to place calls using enterprise dialing habits.
In order to achieve this, Expressway-C and Expressway-E must be deployed for firewall traversal, so that secure communications to and from the cloud will always be possible. In order to account for security requirements, the call will always be encrypted for both signaling and media.
Figure 17 illustrates the architecture for Call Service Connect and Call Service Aware.
Figure 17 Architecture for Webex Hybrid Call Service Connect and Call Service Aware
The following guidelines apply to the architecture shown in Figure 17:
Cisco Unified CM connects to Expressway-C for firewall traversal using SIP.
The same Expressway-C can be used as the Connector Host and for the hybrid SIP signaling and media traffic to and from Expressway-C in the following cases:
– Up to 500 users with Cisco Business Edition 6000 (BE6000)
– Up to 2,000 users with Cisco Business Edition 7000 (BE7000) in a redundant deployment
In all other cases, a dedicated Cisco Expressway-C runs the Call Connector, as shown in Figure 17.
Call Connector can be co-resident with Calendar Connector.
Cisco Unified CM connects to Expressway-C Call Connector using CTI-QBE and AXL.
We recommend deploying redundant configurations of Cisco Unified CM, Cisco Expressway-C Connector Host, and firewall traversal with Expressway-C, and Expressway-E.
Call Service Connect Architecture
Call Service Connect enables ringing on both Webex Teams and Cisco Unified CM devices associated with the same user. In addition, it keeps the user experience consistent so that the user of Webex Teams has the same dialing habits, calling ID, and unified call history as any other user on Cisco Unified CM. To achieve this consistent user experience, Cisco Unified CM and Webex perform the following operations:
For every call received on Cisco Unified CM for a specific user, the call is extended to Webex through Expressway-C and Expressway-E.
For every call received on the Webex Teams application, the call is extended to Cisco Unified CM through Expressway-E and Expressway-C.
When the call reaches Cisco Unified CM, Unified CM changes the calling ID to match the enterprise calling ID. Thus, when the call is delivered to the destination, the called user does not know if the call is coming from Webex Teams or from an internal endpoint.
When the call reaches Cisco Unified CM, Unified CM recognizes that it is a Webex Hybrid Call Service call for a specific Unified CM registered user, and Unified CM assigns the call to the class of services (CoS) associated with that user. In this way, if a Cisco Unified CM user is not entitled to call specific destinations, this limitation is also extended to the Webex Teams application.
Cisco Unified CM dialing habits (including PSTN access codes) are preserved for Webex Teams users.
Figure 18 shows the global reachability on both the Webex Teams application and the Cisco Unified CM device when a user is provisioned for Call Service Connect.
Figure 18 Reachability of Webex Teams and Unified CM Destinations with Call Service Connect
Media is encrypted with Secure Real-time Transport Protocol (SRTP) between Cisco Webex and Cisco Expressway. Depending on the configuration, different scenarios can be achieved:
This requires Cisco Unified CM to be in mixed mode and the endpoints and the SIP trunk to Expressway to be provisioned for encryption.
If Cisco Unified CM is not in mixed mode and uses non-encrypted RTP media traffic to send the call to Expressway-C, then Expressway-C can terminate the RTP connection from the Unified CM endpoint and open another call leg using SRTP to Webex. Any time Cisco Expressway performs RTP-to-SRTP conversion, it engages a back-to-back user agent (B2BUA). If Cisco Expressway performs RTP-to-SRTP conversion, we recommend enabling it on Expressway-C instead of Expressway-E so that the traffic in the DMZ will be encrypted.
Figure 19 illustrates these two encryption options.
Figure 19 Webex Hybrid Services: Expressway Media Encryption Options
Considerations for Deploying Multiple Unified CM Clusters
Webex Hybrid Call Service supports multiple Cisco Unified CM clusters. However, due to the call routing method used by Webex Hybrid Services, the calls are always sent to the Cisco Unified CM cluster where the calling user is registered, before being sent to the destination. This is called home cluster routing and is necessary for the preservation of class of service (CoS) and calling ID.
Bandwidth management is about providing the best possible user experience end-to-end for all media capable endpoints, clients, and applications in the collaboration solution. The Preferred Architecture for Cisco Webex Hybrid Services incorporates a holistic approach to bandwidth management that includes an end-to-end Quality of Service (QoS) architecture with video rate adaptation and resiliency mechanisms to provide the best possible user experience for deploying pervasive video over managed and unmanaged networks.
Architecture for Webex Hybrid Services: QoS, Media Assure, and the Self-Regulating Video Network
QoS ensures reliable, high-quality voice and video by reducing delay, packet loss, and jitter for media endpoints and applications. QoS provides a foundational network infrastructure technology that is required to support the transparent convergence of voice, video, and data networks. The bandwidth management strategy for Webex Hybrid Services includes identifying and marking Webex Room Device and Webex Teams client signaling and media traffic as well as updating the QoS policies in the LAN, WAN, and Internet edge equipment in the on-premises solution.
Overview of Preferred Architecture On-Premises Bandwidth Management Solution Concepts and Strategy
With the increasing amount of interactive applications – particularly voice, video, and immersive applications – real-time services are often required from the network. Because these resources are finite, they must be managed efficiently and effectively. If the number of flows contending for such priority resources were not limited, then as those resources become oversubscribed, the quality of all real-time traffic flows would degrade, eventually to the point of becoming useless. The intelligent media techniques used for media resiliency and rate adaptation in all Cisco endpoints, clients, and conferencing architecture – referred to as Media Assure – coupled with QoS, ensure that real-time applications and their related media do not oversubscribe the network or the bandwidth provisioned for those applications, thus providing efficient use of bandwidth resources.
The self-regulating video network, prioritized audio, and opportunistic video are all bandwidth management concepts as well as a combined QoS strategy. A self-regulating video network consists of leveraging the intelligent media techniques and rate adaptation mentioned previously, along with proper provisioning and QoS to allow the video endpoints to maximize their video resolution during times when video bandwidth is not fully utilized in the network and to rate-adapt or throttle down their bit rate to accommodate more video flows during the busy hour of the day. Prioritized audio for both audio-only and audio of video calls ensures that all audio is prioritized in the network and is thus not impacted by any loss that can occur in the video queues. Prioritizing voice from all types of collaboration media ensures that, even during times of extreme congestion when video is experiencing packet loss and adjusting to that loss, the audio streams are not experiencing packet loss and are allowing the users to have an uninterrupted audio experience. In addition, opportunistic video allows for a group of video endpoints to be strategically marked with a lower class of video, thus enabling them to use available bandwidth opportunistically for optimal video resolution during times when the network is less busy and more bandwidth is available, or conversely to down-speed their video more aggressively than the prioritized class of video during times of congestion when the network is in its busy hour. This concept of opportunistic video coupled with prioritized audio maintains an acceptable video experience while simultaneously ensuring that voice media for these opportunistic video calls is not compromised. This, of course, applies to the managed network, since an unmanaged network such as the Internet is not QoS-enabled and thus provides no guarantees with regard to packet loss. Nevertheless, the media resiliency and rate adaptation mechanisms also attempt to ensure that media over unmanaged networks such as the Internet has the best possible quality in the face of packet loss, delay, and jitter.
Figure 20 illustrates the approach to QoS used in the PA for the Cisco Collaboration Enterprise on-premises solution and that is followed in this Webex Hybrid Services solution:
Classification and marking — Refers to concepts for identifying media and signaling for endpoints. It also includes the process of mapping the identified traffic to the correct DSCP to provide the media and signaling with the correct per-hop behavior end-to-end across the network.
Queuing and scheduling — Consists of general WAN queuing and scheduling, the various types of queues, and recommendations for ensuring that collaboration media and signaling are correctly queued on egress to the WAN.
Provisioning and admission control — Refers to provisioning the bandwidth in the network and determining the maximum bit rate that groups of endpoints will utilize.
Monitoring, troubleshooting, and optimization — Ensures the proper operation and management of voice and video across the network.
Figure 20 Architecture for Bandwidth Management
To deploy bandwidth management in the PA for Webex Hybrid Services, we recommend the following:
Identify Webex Teams traffic.
Configure an on-premises LAN QoS policy for Webex Teams traffic classification and marking:
– Mark all audio with Expedited Forwarding class EF. (This includes all audio of both voice-only and video calls.)
– Mark all video from clients, desktop and room devices, as well as Expressway Edge components with an Assured Forwarding class of AF41 for prioritized video or AF42 for opportunistic video. (This will depend on the strategy taken in the on-premises solution configuration.)
Update the WAN Edge policies for identifying, classifying, marking, and queuing Cisco Collaboration traffic with Webex Teams information: