Unified CM Dial Plan
The Unified CM dial plan is not impacted by devices registering via Expressway. Remote and mobile devices still register directly to Unified CM and their dial plan will be the same as when it is registered locally.
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Unified CM dial plan is not impacted by devices registering via Expressway. Remote and mobile devices still register directly to Unified CM and their dial plan will be the same as when it is registered locally.
Unified CM nodes and Expressway peers can be located in different domains. For example, your Unified CM nodes may be in the enterprise.com domain and your Expressway system may be in the edge.com domain.
In this case, Unified CM nodes must use IP addresses or FQDNs for the Server host name / IP address to ensure that Expressway can route traffic to the relevant Unified CM nodes.
Unified CM servers and IM and Presence Service servers must share the same domain.
The first character of the DNS host name defined for the Unified CM must be a letter (do not start with a digit or special character).
Two Cisco Unified Communications Manager certificates are significant for Mobile and Remote Access:
CallManager certificate
Tomcat certificate
These certificates are automatically installed on the Cisco Unified Communications Manager and by default they are self-signed and have the same common name (CN).
We recommend using CA-signed certificates. However, if you do use self-signed certificates, the two certificates must have different common names. The Expressway does not allow two self-signed certificates with the same CN. So if the CallManager and tomcat self-signed certificates have the same CN in the Expressway's trusted CA list, the Expressway can only trust one of them. This means that either secure HTTP or secure SIP, between Expressway-C and Cisco Unified Communications Manager, will fail.
Also, when generating tomcat certificate signing requests for any products in the Cisco Collaboration Systems Release 10.5.2, you need to be aware of CSCus47235. You need to work around this issue to ensure that the FQDNs of the nodes are in the certificates as Subject Alternative Name (SAN) entries. The Expressway X8.5.3 Release Note on the Release Notes page has details of the workarounds.
Two IM and Presence Service certificates are significant if you use XMPP:
cup-xmpp certificate
tomcat certificate
We recommend using CA-signed certificates. However, if you do use self-signed certificates, the two certificates must have different common names. The Expressway does not allow two self-signed certificates with the same CN. If the cup-xmpp and tomcat (self-signed) certificates have the same CN, Expressway only trusts one of them, and some TLS attempts between Cisco Expressway-E and IM and Presence Service servers will fail. For more details, see CSCve56019.
The Expressway certificate signing request (CSR) tool prompts for and incorporates the relevant Subject Alternative Name (SAN) entries as appropriate for the Unified Communications features that are supported on that Expressway.
A table that lists which CSR alternative name elements apply to which Unified Communications features, is provided in the Cisco Expressway Certificate Creation and Use Deployment Guide on the Expressway configuration guides page.
The Expressway-C server certificate must include the following elements in its list of subject alternate names:
Unified CM phone security profile names
IM and Presence chat node aliases (federated group chat)
The Expressway-C automatically includes the chat node aliases in the certificate signing request (CSR), providing it has discovered a set of IM and Presence Service servers.
We recommend that you use DNS format for the chat node aliases when generating the CSR. You must include the same chat node aliases in the Expressway-E server certificate's alternative names.
More details, including the process to generate the CSR, are provided in the Cisco Expressway Certificate Creation and Use Deployment Guide on the Expressway configuration guides page.
The Expressway-E server certificate needs to include the following elements in its list of subject alternative names (SAN):
Unified CM registrations domains
XMPP federation domains
IM and Presence chat node aliases (federated group chat)
More details, including the process to generate the CSR, are provided in the Cisco Expressway Certificate Creation and Use Deployment Guide on the Expressway configuration guides page.
High volumes of Mobile and Remote Access calls may trigger denial of service thresholds on Unified CM. This is because all the calls arriving at Unified CM are from the same Expressway-C (cluster).
If necessary, we recommend that you increase the level of the SIP Station TCP Port Throttle Threshold ( , and select the Cisco CallManager service) to 750 KB/second.