The Expressway-C and Expressway-E pair deployment allows calls to and from the Internet using firewall traversal technologies. This deployment is what securely takes your on-premises call control and ties it in to Cisco Spark through the Cisco Collaboration Cloud.
Because of the firewall traversal architecture, the Expressway-C and Expressway-E pair doesn't require any inbound port to be opened on the demilitarized zone (DMZ) firewall. However, TCP SIP signaling ports and UDP media ports must be opened inbound on the Internet firewall to let incoming calls through. Allow time for the appropriate ports to be opened on your enterprise firewall.
The firewall traversal architecture is shown in the following diagram:
For example, for inbound business-to-business (B2B) calls using SIP protocol, TCP ports 5060 and 5061 (5061 is used for SIP TLS) must be opened on the external firewall, together with UDP media ports used for services such as voice, video, content sharing, dual video, and so on. Which media ports to open depends on the number of concurrent calls and the number of services.
You can configure the SIP listening port on Expressway to be any value between 1024 and 65534. Whatever value you choose, it and the transport type must be advertised in the public DNS SRV records, and that same port must be opened on the Internet firewall.
Though the standard for SIP TCP is 5060 and for SIP TLS 5061, nothing prevents use of different ports, as the following example shows.
In this example, we assume that port 5062 is used for inbound SIP TLS calls.
The DNS SRV record for a cluster of two Expressway servers looks like this:
_sips._tcp.example.com SRV service location:
    priority = 10
    weight = 10
    port = 5062
    svr hostname = us-expe1.example.com
_sips._tcp.example.com SRV service location:
    priority = 10
    weight = 10
    port = 5062
    svr hostname = us-expe2.example.com
These records mean that calls are directed to us-expe1.example.com and us-expe2.example.com with equal load sharing (priority and weight) using TLS as the transport type and 5062 as the listening port number.
A device that is external to the network (on the Internet) and that makes a SIP call to a user of the corporate domain (email@example.com) must query DNS to learn which transport type to use, the port number, how to load-share the traffic, and which SIP servers to send the call to.
If the DNS entry includes _sips._tcp, the entry specifies SIP TLS.
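The resolution step the external caller performs, written out as an added example (this is illustrative code, not part of the original Cisco documentation or of any Expressway component). The SRV data is hard-coded to mirror the two-node cluster above (_sips._tcp.example.com, port 5062, us-expe1/us-expe2); a real client would obtain it from a DNS SRV query. It derives the transport from the service prefix and orders the targets the way RFC 2782 prescribes, which also covers the general case of unequal priorities and weights that the text's equal-share example does not show.

```python
import random
from dataclasses import dataclass

# Constructed SRV data mirroring the two-node cluster in the text
# (_sips._tcp.example.com, port 5062). Hard-coded so the example runs
# offline; a real client would obtain these from a DNS SRV query.
SRV_RECORDS = {
    "_sips._tcp.example.com": [
        # (priority, weight, port, target)
        (10, 10, 5062, "us-expe1.example.com"),
        (10, 10, 5062, "us-expe2.example.com"),
    ],
}

# Service/protocol prefix of the SRV owner name -> SIP transport it advertises
TRANSPORT_BY_SERVICE = {
    "_sips._tcp": "TLS",
    "_sip._tcp": "TCP",
    "_sip._udp": "UDP",
}


@dataclass(frozen=True)
class SrvTarget:
    priority: int
    weight: int
    port: int
    host: str


def transport_for(srv_name):
    """Derive the SIP transport from the SRV owner name (e.g. _sips._tcp -> TLS)."""
    prefix = ".".join(srv_name.split(".")[:2])
    if prefix not in TRANSPORT_BY_SERVICE:
        raise ValueError(f"not a SIP SRV service name: {srv_name}")
    return TRANSPORT_BY_SERVICE[prefix]


def order_targets(records, seed=None):
    """Order SRV targets as RFC 2782 prescribes: lowest priority value first;
    within one priority a weighted random draw, so equal weights (10/10 in the
    text) share load evenly and weight-0 entries are used only as a last resort."""
    rng = random.Random(seed)
    remaining = [SrvTarget(*r) for r in records]
    ordered = []
    for prio in sorted({t.priority for t in remaining}):
        group = [t for t in remaining if t.priority == prio]
        while group:
            # RFC 2782: weight-0 entries go to the front of the candidate list
            group.sort(key=lambda t: t.weight != 0)
            total = sum(t.weight for t in group)
            pick = rng.randint(0, total)
            running = 0
            for t in group:
                running += t.weight
                if running >= pick:
                    ordered.append(t)
                    group.remove(t)
                    break
    return ordered


def resolve_sip_targets(domain, service="_sips._tcp", seed=None):
    """Return [(transport, host, port), ...] in the order a caller should try them."""
    srv_name = f"{service}.{domain}"
    records = SRV_RECORDS.get(srv_name)
    if not records:
        raise LookupError(f"no SRV record for {srv_name}")
    transport = transport_for(srv_name)
    return [(transport, t.host, t.port) for t in order_targets(records, seed)]


if __name__ == "__main__":
    for transport, host, port in resolve_sip_targets("example.com"):
        print(f"try {host}:{port} over {transport}")
```

The `seed` parameter exists only to make the weighted draw reproducible; leave it unset in practice so successive calls really do spread across both Expressway-E nodes.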
TLS is a client-server protocol and, in the most common implementations, uses certificates for authentication. In a business-to-business call scenario, the TLS client is the calling device, and the TLS server is the called device. With TLS, the client checks the certificate of the server, and if the certificate check fails, it disconnects the call. The client doesn't need a certificate.
TLS handshake is shown in the following diagram:
However, the TLS specification states that the server can also check the client certificate by sending a Certificate Request message to the client during the TLS handshake. This message is helpful on a server-to-server connection, such as a call that is established between Expressway-E and the Cisco Collaboration Cloud. This concept is called TLS with mutual authentication and is required when integrating with Cisco Spark.
Both the calling and called parties check the certificate of the other peer, as the following diagram shows:
The cloud checks the Expressway identity, and Expressway checks the cloud identity. For example, if the cloud identity in the certificate (CN or SAN) doesn't match what's configured on Expressway, the connection is dropped.
If mutual authentication is turned on, Expressway-E always requests the client certificate. As a result, Mobile and Remote Access (MRA) won't work, because in most cases certificates are not deployed on Jabber clients. In a business-to-business scenario, if the calling entity is not able to provide a certificate, the call is disconnected.
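The two checks described above, as an added example that is not part of the original Cisco documentation and does not reproduce Expressway's own implementation: a server-side TLS context that requests the client certificate (which is what causes the Certificate Request message), and the identity check that compares the CN or SAN of the presented certificate with the configured peer name. The certificate summaries and hostnames are constructed in the shape `ssl.SSLSocket.getpeercert()` returns; the "no certificate" case shows why a peer that cannot present one is disconnected.

```python
import ssl

# Constructed certificate summaries in the shape ssl.SSLSocket.getpeercert()
# returns. The hostnames are placeholders for this example, not real endpoints.
CLOUD_CERT = {
    "subject": ((("commonName", "sip.cloud.example"),),),
    "subjectAltName": (("DNS", "sip.cloud.example"), ("DNS", "*.media.cloud.example")),
}
EXPRESSWAY_CERT = {  # CN only, no SAN, as on an older-style certificate
    "subject": ((("commonName", "us-expe1.example.com"),),),
}
NO_CERT = {}  # what getpeercert() yields when the peer sent no certificate


def mutual_auth_server_context():
    """Server-side context that sends a Certificate Request during the handshake
    (verify_mode CERT_REQUIRED). A real deployment would also call
    load_cert_chain() and load_verify_locations() with its own files."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def identities_from_cert(cert):
    """DNS identities a certificate asserts: SAN dNSName entries plus the CN
    (the text says Expressway accepts either; real verifiers prefer the SAN)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, hostname):
    """Exact, case-insensitive match, or a wildcard covering one leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # wildcard must be the whole leftmost label, may not span labels, and
    # may not cover a public-suffix-sized name such as *.example
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_peer_identity(peer_cert, expected_name):
    """Decide whether to keep the connection. Returns (ok, reason)."""
    if not peer_cert:
        return False, "peer presented no certificate"
    names = identities_from_cert(peer_cert)
    if not names:
        return False, "certificate carries no DNS identity"
    for name in names:
        if name_matches(name, expected_name):
            return True, f"identity {name} matches configured {expected_name}"
    return False, f"configured {expected_name} not among {names}"


if __name__ == "__main__":
    for cert, expected in [(CLOUD_CERT, "sip.cloud.example"),
                           (CLOUD_CERT, "evil.cloud.example"),
                           (NO_CERT, "sip.cloud.example")]:
        ok, reason = verify_peer_identity(cert, expected)
        print("keep" if ok else "drop", "-", reason)
```

Note the asymmetry the text describes: with `CERT_REQUIRED` the handshake itself fails for a client that presents nothing, so `verify_peer_identity` would never see `NO_CERT` on that listener; the empty-certificate branch matters on a listener that only requests (`CERT_OPTIONAL`) rather than requires a certificate.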
We recommend that you use a value other than 5061 for TLS with mutual authentication, such as port 5062. Cisco Spark Hybrid Services use the same SIP TLS record used for B2B, so if mutual authentication is enabled on port 5061, other services that share that record but cannot provide a TLS client certificate won't work.