Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Deployment Guide for Calling in Webex Teams (Unified CM)

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Deployment Guide for Calling in Webex Teams (Unified CM)

Chapter Title

Prepare Your Environment for Calling in Webex Teams (Unified CM)

Results

Updated:
November 15, 2019

Chapter: Prepare Your Environment for Calling in Webex Teams (Unified CM)

Prepare Your Environment for Calling in Webex Teams (Unified CM)

Requirements for Calling in Webex Teams (Unified CM)

Unified CM and Expressway Call Control Requirements for Calling in Webex Teams (Unified CM)

To enable Calling in Webex Teams (Unified CM), you must use one of the supported Unified CM-based Cisco call control solutions, and ensure that you're on the minimum supported version or later.

Unified-CM Based Call Control Solution Version
Cisco Unified Communications Manager

Release 11.5(1) SU3 and later; we recommend the latest SU release.

Release 12.5(1) and later for SIP Oath encrypted calls support.

Cisco Business Edition

Check the software load summary documentation for BE6K and BE7K to ensure the solution is running a supported version of Unified CM.

Cisco Hosted Collaboration Solution (check to see if your provider is offering Cisco Webex Hybrid Services)

11.5 and later at a minimum.

12.5 and later for for SIP Oath encrypted calls support.

For Mobile and Remote Access (MRA) support (so Webex Teams can be used in softphone mode outside the corporate network), you must use a Cisco Expressway traversal pair, and ensure that you're on the minimum supported version or later.

Requirements Version
Cisco Expressway E and C traversal pair for Mobile and Remote Access

X8.11.4 or later is required for Calling in Webex Teams (Unified CM). See the "Important Information" section in the Expressway Release Notes for more information. This release and later provide added security.

See the Mobile and Remote Access via Expressway Deployment Guide for more information.

Certificate Requirements for Calling in Webex Teams (Unified CM)

Unified CM Certificates (No MRA)

To establish a secure connection with Unified CM, Webex Teams validates the certificate that is presented by the server during the connection process. Unlike Jabber, Webex Teams does not prompt users with the option to accept an untrusted certificate.

Unified CM must be configured with certificates that Webex Teams can validate, preferably a CA root that signed the tomcat certificate (which is known to the operating system that Webex Teams is on, Windows or MacOS by default). or a self-signed trusted certificate (which must be deployed to the OS in advance by the enterprise administrator).


Note

The Tomcat certificate is also used for secure SIP when Webex Teams is enabled for encrypted calls (SIP Oauth operates on the default port 5090). See "Configure the Phone Security Profile for Encrypted Calls" in this guide for more details.

Certificates issued with a deprecated signature algorithm (such as SHA-1) do not work; you must use a supported secure signature algorithm such as SHA-256 or later, as documented in the Certificates chapter in the Administration Guide for Cisco Unified Communications Manager.


Note

The certificates that are deployed on Unified CM servers must include the fully qualified domain name (FQDN) as the server identity rather than a simple hostname or IP address (for example, cucm-server-1.example.com rather than cucm-server-1 or 203.0.113.1).

In Cisco Unified CM Administration > System > Server, the Unified CM server names must be defined as FQDN.

See High Level View of Certificates and Authorities in CUCM and CUCM Certificate Management and Change Notification for information about certificate management in Unified CM.

Unified CM Certificates (With MRA)

The Unified CM Tomcat certificate is significant for Mobile and Remote Access. This certificate is automatically installed on the Cisco Unified Communications Manager. By default, it is self-signed and has the same common name (CN).


Note

The Tomcat certificate is also used for secure SIP when Webex Teams is enabled for encrypted calls (SIP Outh operates on the default port 5091 for MRA). See "Configure the Phone Security Profile for Encrypted Calls" in this guide for more details.

We recommend using CA-signed certificates. However, if you do use self-signed certificates, the two certificates must have different common names. The Expressway does not allow two self-signed certificates with the same CN. So if the CallManager and tomcat self-signed certificates have the same CN in the Expressway's trusted CA list, the Expressway can only trust one of them. This means that either secure HTTP or secure SIP, between Expressway-C and Cisco Unified Communications Manager, will fail.

Expressway Certificates (With MRA)

The Expressway certificate signing request (CSR) tool prompts for and incorporates the relevant Subject Alternative Name (SAN) entries as appropriate for the Unified Communications features that are supported on that Expressway.

The following table shows which CSR alternative name elements apply to which Unified Communications features.

Table 1. CSR Alternative Name Element and Mobile Remote Access

Add These Items as Subject Alternative Names

When Generating a CSR For Mobile Remote Access

Unified CM registrations domains (despite their name, these have more in common with service discovery domains than with Unified CM Unified CM SIP registration domains)

Required on Expressway-E only

Unified CM phone security profile names

Required on Expressway-C only

(Clustered systems only) Expressway cluster name

Required on Expressway-C only

  • You may need to produce a new server certificate for the Expressway-C if chat node aliases are added or renamed. Or when new TLS phone security profiles are added.

  • You must restart the Expressway for any new uploaded server certificate to take effect.

Expressway-C Server Certificate Requirements

The Expressway-C server certificate needs to include the following element in its list of subject alternate names:

  • Unified CM phone security profile names: the names of the Phone Security Profiles in Unified CM that are configured for encrypted TLS and are used for devices requiring remote access. Use the FQDN format and separate multiple entries with commas.

    Having the secure phone profiles as alternative names means that Unified CM can communicate via TLS with the Expressway-C when it is forwarding messages from devices that use those profiles.

Expressway-E Server Certificate Requirements

The Expressway-E server certificate needs to include the following element in its list of subject alternative names (SAN):

  • Unified CM registrations domains: all of the domains which are configured on the Expressway-C for Unified CM registrations. Required for secure communications between endpoint devices and Expressway-E.

    The Unified CM registration domains used in the Expressway configuration and Expressway-E certificate, are used by Mobile and Remote Access clients to lookup the _collab-edge DNS SRV record during service discovery. They enable MRA registrations on Unified CM, and are primarily for service discovery.

    These service discovery domains may or may not match the SIP registration domains. It depends on the deployment, and they don't have to match. One example is a deployment that uses a .local or similar private domain with Unified CM on the internal network, and public domain names for the Expressway-E FQDN and service discovery. In this case, you need to include the public domain names in the Expressway-E certificate as SANs. There is no need to include the private domain names used on Unified CM. You only need to list the edge domain as a SAN.

    Select the DNS format and manually specify the required FQDNs. Separate the FQDNs by commas if you need multiple domains. You may select CollabEdgeDNS format instead, which simply adds the prefix collab-edge to the domain that you enter. This format is recommended if you do not want to include your top level domain as a SAN (see example in following screenshot).

Headset Requirements for Calling in Webex Teams (Unified CM)

Calling in Webex Teams (Unified CM) supports the following Cisco 500 series headsets. Click the links for more information on each model:

License Requirements for Calling in Webex Teams (Unified CM)

You require a Cisco Webex organization (managed in Cisco Webex Control Hub) with a paid subscription.

Additionally, for softphone functionality, each Webex Teams app registers to Unified CM as a softphone client. Like Cisco Jabber, this registration uses the Cisco Unified Client Services Framework (CSF) client for desktop and a BOT, TCT, or TAB device for mobile, and counts as a device toward Unified CM licensing. Users with three or more apps and/or devices require CUWL perpetual licensing or for the organization to be on a Flex Calling subscription. (Flex Calling is the recommended subscription channel.

Webex Teams App Requirements for Calling in Webex Teams (Unified CM)

  • Version 3.0.11421.0 and later for Windows and Mac

  • Version 4.0.62 and later for Android

  • Version 4.0.17 and later for iPhone and iPad


    Note

    We recommend that users be on the latest release of the Webex Teams app for desktop or mobile.

Recommended Configuration for Calling in Webex Teams (Unified CM)

  • For Calling in Webex Teams (Unified CM), SSO is supported with Unified CM and Expressway. You must either enable or disable SSO on both. For a consistent user experience with SSO, we recommend that you extend your Identity Provider (IdP) integration to Webex Teams so that users can sign in with the same credentials. With Single Sign-On (SSO) integration between your IdP, your premises environment, and the Webex cloud, users can sign in across applications with one set of credentials.

  • User phone numbers can appear in contact cards in the Webex Teams app for Windows and Mac:

    For the numbers to appear, you must deploy Cisco Directory Connector to synchronize the numbers from an existing Active Directory attribute into the cloud. See the attribute mapping information in the Deployment Guide for Cisco Directory Connector at https://www.cisco.com/go/hybrid-services-directory.

  • We recommend the following additional configuration to provide further benefits for your Calling in Webex Teams (Unified CM) deployment:

    • Quality of Service (QoS), covered in the Appendix in this guide. QoS helps manage packet loss, delay and jitter on your network infrastructure.

    • Call Admission Control (CAC) on Unified CM, covered in the System Configuration Guide for Cisco Unified Communications Manager. CAC enables you to control the audio quality and video quality of calls over a wide-area (IP WAN) link by limiting the number of calls that are allowed on that link at the same time.

Hybrid Call Service Removal Requirements for Calling in Webex Teams (Unified CM)

You must disable Hybrid Call Service for any users in your organization, because Hybrid Call Service for users cannot coexist with Calling in Webex Teams (Unified CM) for users. See the migration guidance that follows.

Considerations for Migrating from Hybrid Call Service to Calling in Webex Teams (Unified CM)

This table summarizes the key points you must consider as you transition your organization from the old Hybrid Call Service (server-side integration) solution to the new Calling in Webex Teams (Unified CM) (client-side integration) solution. This table takes into account what is required to transition users over to the new solution and what needs to be preserved if you want to continue to use Webex cloud-registered video devices with Hybrid Call Service. Specific configuration steps for Hybrid Call Service (user) removal and end-to-end deployment of Calling in Webex Teams (Unified CM) follow in this guide.

Before Migration After Migration Impact Recommendation
Cisco Spark Remote Devices (Cisco Spark-RD) for both users and Webex cloud-registered video devices Cisco Spark-RD for only Webex cloud-registered video devices None
Cisco Spark-RD for users

Jabber-type devices (desktop on Client Service Framework (CSF), mobile on TCT, BOT, or TAB) for users

 Unified CM Configuration

Remove any Cisco Spark-RD for users; add Jabber devices of desired types (CSF, TCT, BOT, TAB) for users

One Spark RD per user for apps (desktop, mobile, and so on.)

One Jabber-type device per app (desktop, mobile)

 Licensing Convert perpetual licensing to Flex (recommended); or upgrade perpetual UCL Enh/Enh+ to CUWL
Capacity Review Unified CM device capacity utilization; deploy additional capacity (larger OVAs or more servers) as necessary
Call Connector required for Hybrid Call Service users and video devices Call Connector required only for video devices Less Call Connector capacity required Reduce or remove Expressway capacity for Call Connectors; reallocate capacity to other connectors (Calendar, Messaging, Serviceability)
Webex Teams apps connect to cloud for calling Webex Teams apps register directly to Unified CM for calling Off-premises Webex Teams apps require Mobile Remote Access (MRA) for registration Evaluate MRA registration capacity needed; reallocate Expressway capacity from Hybrid Call Service to MRA
All call attempts between Hybrid Call Service users traverse the firewall Call attempts traverse the firewall only for off-premises Webex Teams apps that use MRA Off-premises Teams apps require MRA for calling; on-premises Webex Teams apps do not require any firewall traversal Evaluate MRA calling capacity needed; reallocate capacity from Hybrid Call Service to MRA
Jabber and Webex Teams apps installed separately Webex Teams apps install with embedded Jabber-type device Webex Teams app install does not replace existing Jabber client Remove existing Jabber client manually

Retain Configuration for Hybrid Call Service for Webex Devices

Before removing Hybrid Call Service for users, you must ensure that the following configuration remains in place for Webex devices in a Place that are enabled for Hybrid Call Service.

Procedure

  Command or Action Purpose
Step 1

Do not remove configuration from the Expressway-C and Expressway-E traversal pair.

Enterprise calls to and from Webex devices in a Place are securely routed over the Expressway pair for Hybrid Call Service.

Step 2

Do not remove SIP Destinations.

The SIP destination address in Control Hub resolves to your Expressway-E in the call traversal pair for Hybrid Call Service. All the hybrid call traffic goes through this address. This entry is typically a DNS-SRV record which can resolve to multiple Expressway-Es.

Step 3

Do not deactivate Hybrid Call Service Connect for your organization.

This setting resides in Control Hub and is organization-wide. When enabled, Hybrid Call Service is active and available and can then be assigned to Webex-registered devices.

Step 4

Do not remove Cisco Spark-RD or end user accounts that are tied to Webex devices in a Place.

The Cisco Spark-RD is a virtual device that is attached to a user's work number and links the Cisco Webex account SIP identity to the enterprise SIP identity so that calls anchor on the Unified CM side or fork to the Cisco Webex cloud side. Behind the scenes, the Cisco Spark-RD ties together call activity in the cloud and the premises and the end user account is associated with devices in a Place.

Step 5

Do not remove Cisco Unified Communications Manager Settings for Hybrid Call Service.

Cisco Unified Communications Manager receives calls from Expressway-C. The configuration in place enables URI routing between the cloud and the on-premises enterprise. The cluster FQDN specified in the enterprise parameter is used in SIP routing decisions, and that helps identify multiple clusters so that calls can occur between them.

Step 6

Do not unregister Expressway-Cs that host Call Connectors supporting hybrid Webex devices.

Cisco Webex Hybrid Services use software connectors hosted on Expressway-C to securely connect Cisco Webex to your organization's environment. The Expressway-C clusters registered to the cloud for hybrid services must remain.

Step 7

Do not remove verified domains used for hybrid Webex devices or those who administer them.

Domain verification is essential to the security and integrity of your organization. The established verification proves to us that you own a particular domain and is required for this service to work. For Hybrid Call Service, the verified domains are the ones in on-premises directory URIs tied to Webex devices and anyone who administers the devices.

What to do next

Carefully follow the steps in Remove Hybrid Call Service Configuration From Users.

Remove Hybrid Call Service Configuration From Users

If you already have Hybrid Call Service deployed in your organization, you must remove it for your users before you can deploy Calling in Webex Teams (Unified CM). Use these steps to disable Hybrid Call Service for your users, and remove any of the related configuration from Unified CM.


Caution

If any Hybrid Call Service users have personal mode devices configured, these devices also lose Hybrid Call Service because the service is disabled for the user. The workaround is to convert the personal mode device to shared mode, add it to a Place, and activate it for Hybrid Call Service. See Deploy Hybrid Call Service for Cisco Webex Devices for more information.

Before you begin

Hybrid Call Service is still required if you added the service to Room, Desk, or Board devices that are in a Place in Control Hub. You must not remove anything necessary for Room, Desk, and Board devices enabled with Hybrid Call Service. Review the following sections before you proceed:

Procedure

Step 1

To remove Call Service Aware and Call Service Connect from user accounts in Cisco Webex Control Hub, sign in to the customer view in https://admin.webex.com. You can then use any of the following methods:

Table 2. Options to Remove the Service from Webex Teams User Accounts in Control Hub

User Configuration Method

Steps to Disable Hybrid Call Service

Individual Users

Go to Users, click a username in the list to open the overview pane, click Call Service, then Connect, and then toggle off the setting. Then return and toggle off the Aware setting.

Bulk users accounts using the CSV template

Go to Users, click Manage Users > Export Users List, enter FALSE in the Call Service Aware and Call Service Connect columns, save the file, and then go back to https://admin.webex.com to click Import and then choose the file that you updated. Click Add and remove services and then click Submit.

Directory-synchronized user accounts (through the Cisco Directory Connector)

Go to Users, click Manage Users, choose Modify all synchronized users, and then click Next. Click through the prompts to get to the Sync Status screen. Click the refresh arrow, click Next, and then remove Call Service Aware and Call Service Connect from users.

This step completely disables Hybrid Call Service for your users only, but it remains configured at the organization level (Hybrid Call Service is still necessary for Room, Desk, and Board devices in a Place that are registered to the cloud). Next, you must remove the Cisco Spark Remote Device (Cisco Spark-RD) for any users who used Hybrid Call Service. Whether you chose the automatic creation option in the Call Connector or manually created them in Unified CM, you must manually remove them in the next step.

Step 2

To remove any Cisco Spark-RD that was associated with a user, go to Cisco Unified CM Administration and follow these steps:

  1. Click Device > Phone.

  2. In the Find phone where drop-down, choose Device Type, and in the Select item or enter search text drop-down, choose Cisco Spark Remote Device. Click Find.

  3. Check any of the devices that you want to remove, and then click Delete selected. Read the prompt and when you're sure, click OK.

    This step removes all selected Cisco Spark-RD and corresponding remote destinations for users.

    Caution 

    If you have Hybrid Call Service configured for Room, Board, and Desk devices in a place, only remove Cisco Spark-RD that are associated with Webex Teams users on Hybrid Call Service in your organization. Do not proceed to the next steps.

  4. Return to Device > Phone and search for CTI-RDs that may've been used for Hybrid Call Service: in the Find phone where drop-down, choose Device Type, and in the Select item or enter search text drop-down, choose CTI Remote Device. Click Find.

    Tip 

    CTI-RDs that were used for Hybrid Call Service contain a remote destination with *.call.ciscospark.com as the address.

  5. Check any of the devices that you want to remove, and then click Delete selected. Read the prompt and when you're sure, click OK.

    This step removes all selected CTI-RDs and corresponding remote destinations for users.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

About Us
Contact Us
Work with Us