Cisco Expressway Deployment and Installation

Shared Expressway

Data Center Configuration Overview

This section provides guidance for configuring the Cisco Expressway for Business-to-Business Communication through the Internet. Use this information with, but not as a replacement for, the Cisco Expressway documentation.

Plan your network design with the following information:
  • Two VLANs (Shared Transit VLAN and Shared outside VLAN) are required to accommodate the deployment of shared Expressway.

  • The DMZ outside VLAN and DMZ inside VLAN may already exist if you deployed Expressway for OTT. If OTT is not deployed, you need two more VLANs (DMZ outside VLAN and DMZ inside VLAN).

  • Configuration is required in the Nexus 7000, vSphere Distributed Switch (VDS) (and, optionally, the Nexus 5000, if deployed), UCS Manager, and ASA.

  • Ensure that the global DMZ inside VLAN, Shared Transit VLAN, and shared outside VLAN extend into the data center. These VLANs are used on the virtualized Cisco Expressway-E and Expressway-C.

    • Cisco Expressway-E hosts the public IP address. The remote businesses access this address by way of the public Internet.

    • In the Service Provider Cisco HCS data center, Cisco Expressway-E runs on UCS behind the ASA.

    • Cisco Expressway-C sits in the shared outside VLAN along with the Session Border Controller.

    • Communication between Cisco Expressway-C and Cisco Expressway-E is through the ASA, which provides the NAT and firewall functions.

Create a Shared Cisco Expressway Data Center Network

The diagram DC Deployment for Shared Expressway captures the data center deployment for the Shared Expressway.

Figure 1. DC Deployment for Shared Expressway


The following diagram captures the network topology for the Shared Expressway.

Figure 2. Network Topology for Shared Expressway


Procedure


Step 1

Create four VLANs (DMZ inside, DMZ outside, Shared Transit, and Shared Outside) on the aggregation device (Nexus 7000). The DMZ inside and DMZ outside VLANs may already exist if Expressway-based OTT is already deployed; see the OTT deployment.

Step 2

Extend the Shared Outside VLAN, the Shared Transit VLAN, and the DMZ inside VLAN into the vSphere Distributed Switch (VDS) and UCS Manager (Fabric Interconnect).

Step 3

In the ASA, create two contexts. Create Context 1 for Internet connectivity and add the DMZ inside and DMZ outside interfaces using the previously created VLANs. Create Context 2 for the traversal path between Expressway-C and Expressway-E toward the SBC, using the Shared Transit VLAN and the Shared Outside VLAN.

Step 4

In the ASA, configure the inside and outside interfaces according to step 3.

Step 5

Add any static routes and access lists for inside and outside access. Perform port and protocol filtering as described in the VCS IP Port Usage for Firewall Traversal Deployment Guide. See Unified Communications Port Reference for a table that summarizes the ports to open on the firewalls between your internal network (Cisco Expressway-C), the DMZ (Cisco Expressway-E), and the DMZ to the public Internet.


Configuring the Nexus 7000

Two new VRFs and two new VLANs, Shared Transit VLAN (916) and Shared Outside VLAN (917), are added as part of the Shared Expressway deployment. The configuration provided in this section is from the Nexus 7000. Side B carries preempt and priority 150 in both HSRP groups, so it is the active router for both virtual IPs and returns to active after a failover; side A runs at the default priority (100) as standby.

N7K side A configuration
Shared Transit VRF
interface Vlan916
vrf member shd-expy-inside
vrf context shd-expy-inside
description Shared Transit Vlan
!
interface Vlan916
description Shared Transit Vlan
no shutdown
vrf member shd-expy-inside
ip address 199.91.6.4/28
hsrp version 2
hsrp 916
ip 199.91.6.5
Shared Outside VRF
interface Vlan917
vrf member shd-expy-outside
vrf context shd-expy-outside
description Shared Outside Vlan
!
interface Vlan917
description Shared Outside Vlan
no shutdown
vrf member shd-expy-outside
ip address 199.91.7.4/28
hsrp version 2
hsrp 917
ip 199.91.7.5
N7K side B configuration
Shared Transit VRF
!
interface Vlan916
vrf member shd-expy-inside
vrf context shd-expy-inside
description Shared Transit Vlan
!
interface Vlan916
description Shared Transit Vlan
no shutdown
vrf member shd-expy-inside
ip address 199.91.6.3/28
hsrp version 2
hsrp 916
preempt
priority 150
ip 199.91.6.5
!
Shared Outside VRF
interface Vlan917
vrf member shd-expy-outside
vrf context shd-expy-outside
description Shared Outside Vlan
interface Vlan917
description Shared Outside Vlan
no shutdown
vrf member shd-expy-outside
ip address 199.91.7.3/28
hsrp version 2
hsrp 917
preempt
priority 150
ip 199.91.7.5
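The two HSRP stanzas above have to agree on group number, virtual IP, VRF and subnet, and only one side should carry preempt with the higher priority, otherwise a failover leaves the shared transit or outside VLAN without a deterministic gateway. The following Python script is an added example (not Cisco's, and not from this guide) that parses the interface Vlan916/Vlan917 stanzas shown above and cross-checks the pair. SIDE_A and SIDE_B hold the VRF, address and HSRP lines copied from this section; the list of checks is this example's reading of what a correct pair needs.

```python
"""Cross-check the HSRP pair configured on the two Nexus 7000 sides above.

Added example, not from the Cisco HCS guide.  SIDE_A and SIDE_B hold the
VRF, address and HSRP lines of the interface Vlan916/Vlan917 stanzas shown
in this section.  The checks (same group and virtual IP on both peers, real
addresses distinct and inside the virtual IP's subnet, and the higher-priority
peer carrying preempt so that failback is deterministic) are this example's
reading of what a correct pair needs, not text from the guide.
"""
import ipaddress
import re

SIDE_A = """
interface Vlan916
  vrf member shd-expy-inside
  ip address 199.91.6.4/28
  hsrp version 2
  hsrp 916
    ip 199.91.6.5
interface Vlan917
  vrf member shd-expy-outside
  ip address 199.91.7.4/28
  hsrp version 2
  hsrp 917
    ip 199.91.7.5
"""

SIDE_B = """
interface Vlan916
  vrf member shd-expy-inside
  ip address 199.91.6.3/28
  hsrp version 2
  hsrp 916
    preempt
    priority 150
    ip 199.91.6.5
interface Vlan917
  vrf member shd-expy-outside
  ip address 199.91.7.3/28
  hsrp version 2
  hsrp 917
    preempt
    priority 150
    ip 199.91.7.5
"""


def parse_svis(config):
    """Return {vlan_id: fields} for every 'interface VlanN' stanza in an NX-OS config."""
    svis, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # top-level command: start a stanza or leave one
            m = re.match(r"interface Vlan(\d+)$", line)
            cur = svis.setdefault(int(m.group(1)), {"preempt": False, "priority": 100}) if m else None
            continue
        if cur is None:
            continue
        if line.startswith("vrf member "):
            cur["vrf"] = line.split()[2]
        elif line.startswith("ip address "):
            cur["ip"] = ipaddress.ip_interface(line.split()[2])
        elif re.fullmatch(r"hsrp \d+", line):  # 'hsrp version 2' does not match
            cur["group"] = int(line.split()[1])
        elif line.startswith("ip "):  # virtual IP inside the hsrp group
            cur["vip"] = ipaddress.ip_address(line.split()[1])
        elif line == "preempt":
            cur["preempt"] = True
        elif line.startswith("priority "):
            cur["priority"] = int(line.split()[1])
    return svis


def check_pair(a, b):
    """Compare two peers' SVIs; return a list of findings (empty list = consistent)."""
    findings = []
    for vlan in sorted(set(a) | set(b)):
        if vlan not in a or vlan not in b:
            findings.append(f"Vlan{vlan}: configured on one side only")
            continue
        x, y = a[vlan], b[vlan]
        for key in ("vrf", "group", "vip"):
            if x[key] != y[key]:
                findings.append(f"Vlan{vlan}: {key} differs ({x[key]} vs {y[key]})")
        if x["ip"].network != y["ip"].network:
            findings.append(f"Vlan{vlan}: peers are in different subnets")
        elif x["ip"].ip == y["ip"].ip:
            findings.append(f"Vlan{vlan}: both peers use the real address {x['ip'].ip}")
        if x["vip"] not in x["ip"].network:
            findings.append(f"Vlan{vlan}: virtual IP {x['vip']} is outside {x['ip'].network}")
        if x["vip"] in (x["ip"].ip, y["ip"].ip):
            findings.append(f"Vlan{vlan}: virtual IP collides with a real address")
        if x["priority"] == y["priority"]:
            findings.append(f"Vlan{vlan}: equal priorities; the active router is chosen by highest IP only")
        elif not (x["preempt"] if x["priority"] > y["priority"] else y["preempt"]):
            findings.append(f"Vlan{vlan}: the higher-priority peer does not preempt and stays standby after a failover")
    return findings


if __name__ == "__main__":
    for f in check_pair(parse_svis(SIDE_A), parse_svis(SIDE_B)) or ["HSRP pair is consistent"]:
        print(f)
```

Run against the configuration as published, the check returns no findings; editing the virtual IP or dropping the preempt on one side produces a finding per affected VLAN, which is the kind of drift this check is meant to catch before a maintenance window.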

Configuring the ASA

In a shared Expressway deployment, a call from a non-Cisco HCS customer is routed through the external DMZ interface of Expressway-E to Expressway-C. From there, the call is routed to Session Border Controller, and then to the respective customer's Unified Communications server. The IP address of the Expressway-E is discovered through the DNS SRV lookup as detailed in the DNS configuration section.


Note

Reverse DNS lookup fails if you use a common DNS instance for all the tenant VRFs. For reverse DNS lookup to work, reconfigure DNS manually so that each tenant has a local instance, and configure the DNS entries on each box using the hosts file.


DMZ context config

Check the interface security levels before copying this configuration. The ASA convention is inside 100 and outside 0; in the configuration shown they are reversed (inside 0, outside 100). Traffic entering the outside interface is governed by the incoming_traffic access list, but the inside interface has no inbound access list in this context, so with the levels as shown the ASA default policy would drop traffic from Expressway-E entering the inside interface, because it would be moving from a lower to a higher security level. The incoming_traffic entries use the real (untranslated) address object SHD-EXPY-E as the destination, which is what ASA 8.3 and later expect for access lists that match hosts behind a static NAT.

DMZ inside interface
interface Port-channel21.906
nameif inside
security-level 0
ip address 199.90.6.1 255.255.255.240 standby 199.90.6.2 
!

DMZ outside interface


interface Port-channel21.907
nameif outside
security-level 100
ip address 199.90.7.1 255.255.255.240 standby 199.90.7.2 
External interface address of shared expressway E
object-group network SHD-EXPY-E
network-object 199.90.6.3 255.255.255.255
Natted IP address of external interface
object-group network SHD-EXPY-E-Outside
network-object 199.90.7.9 255.255.255.255
nat (inside,outside) source static SHD-EXPY-E SHD-EXPY-E-Outside
access-list incoming_traffic extended permit udp any gt 16384 object-group SHD-EXPY-E range 36002 59999
access-list incoming_traffic extended permit tcp any gt 1023 object-group SHD-EXPY-E eq 5061
access-list outgoing_traffic extended permit tcp object-group SHD-EXPY-E any eq 5061
access-list outgoing_traffic extended permit udp object-group SHD-EXPY-E any gt 1023
access-list outgoing_traffic extended permit udp object-group SHD-EXPY-E any eq domain
access-group incoming_traffic in interface outside
access-group outgoing_traffic out interface outside
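The inbound list above is the Internet-facing policy for Expressway-E, so it is worth checking mechanically that it opens exactly the listener ports the deployment needs (SIP TLS on TCP 5061 and the UDP media range 36002-59999) and nothing more. The following Python script is an added example, not from this guide or from Cisco: it parses ASA access-list lines, reports required ports that no permit covers, and reports ports a permit opens beyond the required set. SAMPLE_ACL is copied from the DMZ context above; BAD_ACE is a constructed over-permissive entry used to show what the check flags; PORT_NAMES covers only the symbolic port names that appear here plus a few common ones.

```python
"""Audit the ASA access-list entries that front an Expressway-E.

Added example, not from the Cisco HCS guide.  SAMPLE_ACL is copied from the
DMZ context shown above; REQUIRED lists what that context must let in to
Expressway-E (SIP TLS on TCP 5061 and the UDP media range 36002-59999, taken
from the same lines and the port reference the text cites).  BAD_ACE is a
constructed over-permissive entry used to show what the check flags.
"""
import re

# Symbolic port names the ASA prints; only the one used here plus a few common ones.
PORT_NAMES = {"domain": 53, "sip": 5060, "https": 443, "ssh": 22, "www": 80}

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|ip)\s+(?P<rest>.+?)\s*$"
)

SAMPLE_ACL = """
access-list incoming_traffic extended permit udp any gt 16384 object-group SHD-EXPY-E range 36002 59999
access-list incoming_traffic extended permit tcp any gt 1023 object-group SHD-EXPY-E eq 5061
access-list outgoing_traffic extended permit tcp object-group SHD-EXPY-E any eq 5061
access-list outgoing_traffic extended permit udp object-group SHD-EXPY-E any gt 1023
access-list outgoing_traffic extended permit udp object-group SHD-EXPY-E any eq domain
""".strip().splitlines()

# Constructed for illustration: opens every high TCP port on Expressway-E to the Internet.
BAD_ACE = "access-list incoming_traffic extended permit tcp any object-group SHD-EXPY-E gt 1023"

TARGET = "object-group SHD-EXPY-E"
REQUIRED = {"tcp": [(5061, 5061)], "udp": [(36002, 59999)]}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_addr(tokens):
    """Consume an address spec: any | host A | object-group G | object O | A MASK."""
    tok = tokens.pop(0)
    return tok if tok in ("any", "any4", "any6") else f"{tok} {tokens.pop(0)}"


def _take_ports(tokens):
    """Consume an optional port operator; return the (lo, hi) ranges it covers, None = all."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "neq", "range"):
        return None
    op = tokens.pop(0)
    if op == "range":
        return [(_port(tokens.pop(0)), _port(tokens.pop(0)))]
    p = _port(tokens.pop(0))
    return {"eq": [(p, p)], "gt": [(p + 1, 65535)], "lt": [(0, p - 1)],
            "neq": [(0, p - 1), (p + 1, 65535)]}[op]


def parse_ace(line):
    """Parse one 'access-list NAME extended ...' line; None if the line is not an ACE."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("rest").split()
    ace = {"acl": m.group("acl"), "action": m.group("action"), "proto": m.group("proto")}
    ace["src"] = _take_addr(tokens)
    ace["src_ports"] = _take_ports(tokens)
    ace["dst"] = _take_addr(tokens)
    ace["dst_ports"] = _take_ports(tokens)
    return ace


def _subtract(intervals, holes):
    """Remove every (lo, hi) range in holes from the list of (lo, hi) intervals."""
    out = list(intervals)
    for hlo, hhi in holes:
        nxt = []
        for lo, hi in out:
            if hhi < lo or hlo > hi:
                nxt.append((lo, hi))
                continue
            if lo < hlo:
                nxt.append((lo, hlo - 1))
            if hi > hhi:
                nxt.append((hhi + 1, hi))
        out = nxt
    return out


def audit_inbound(acl_lines, acl_name, target, required):
    """Return (missing, excess) for the permits in acl_name whose destination is target.

    missing: required (proto, lo, hi) ranges that no permit covers.
    excess:  (proto, lo, hi) ranges the permits open beyond what is required."""
    permits = [a for a in map(parse_ace, acl_lines)
               if a and a["acl"] == acl_name and a["action"] == "permit" and a["dst"] == target]
    missing, excess = [], []
    for proto, ranges in required.items():
        for lo, hi in ranges:
            if not any(a["proto"] in (proto, "ip") and
                       (a["dst_ports"] is None or any(x <= lo and hi <= y for x, y in a["dst_ports"]))
                       for a in permits):
                missing.append((proto, lo, hi))
    for a in permits:
        for proto in (("tcp", "udp") if a["proto"] == "ip" else (a["proto"],)):
            for lo, hi in _subtract(a["dst_ports"] or [(0, 65535)], required.get(proto, [])):
                excess.append((proto, lo, hi))
    return missing, excess


if __name__ == "__main__":
    print("as published:", audit_inbound(SAMPLE_ACL, "incoming_traffic", TARGET, REQUIRED))
    print("with BAD_ACE: ", audit_inbound(SAMPLE_ACL + [BAD_ACE], "incoming_traffic", TARGET, REQUIRED))
```

Against the published list the audit returns nothing missing and nothing in excess; with the constructed BAD_ACE added it reports TCP 1024-5060 and 5062-65535 as exposed. The same function can be pointed at the traversal context by changing the target object and the required set (TCP 7002 and the high UDP ports from Expressway-C).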

Shared Expressway Context on ASA

The inside interface of Shared Expressway-E (Shared Transit VLAN) and the interface of Shared Expressway-C (Shared Outside VLAN) terminate on a second ASA context. Two points to check in the configuration below: the outgoing_traffic access list that is bound to the inside interface is not shown here and must be defined, and the incoming_traffic entries take Expressway-C as their source although the list is applied inbound on the interface named outside (the Shared Transit VLAN, where Expressway-E sits), so verify that each list is bound to the interface on which that traffic actually enters. As in the DMZ context, the security levels shown (outside 100, inside 0) are the reverse of the ASA convention; confirm them before use.


Inside interface - Shared Expressway E
interface Port-channel21.916
description Shared Transit Vlan
nameif outside
security-level 100
ip address 199.91.6.1 255.255.255.240 standby 199.91.6.2
!

Outside interface Shared Expressway-C

interface Port-channel21.917
description Shared Outside Vlan
nameif inside
security-level 0
ip address 199.91.7.1 255.255.255.240 standby 199.91.7.2
!
object-group network SHD-EXPY-E
network-object 199.91.6.13 255.255.255.255
object-group network SHD-EXPY-C
network-object 199.91.7.13 255.255.255.255
access-list incoming_traffic extended permit udp object-group SHD-EXPY-C host 192.6.1.3 eq domain
access-list incoming_traffic extended permit tcp object-group SHD-EXPY-C object-group SHD-EXPY-E eq 7002
access-list incoming_traffic extended permit udp object-group SHD-EXPY-C gt 1023 object-group SHD-EXPY-E gt 1023
!
access-group outgoing_traffic in interface inside
access-group incoming_traffic in interface outside

Note

Additional configuration is required to allow management access to the Expressway servers through the ASA; it is not shown here.


Collaboration Edge Expressway

Data Center Configuration Overview

This section provides guidance for configuring Collaboration Edge OTT in the Service Provider Cisco HCS data center. Use this information with, but not as a replacement for, the Cisco Expressway documentation.

Two additional VLANs, the global DMZ inside VLAN and the global DMZ outside VLAN, are required for the ASA DMZ context. The customer inside and outside VLANs are also required. Configuration is required in the Nexus 7000, the vSphere Distributed Switch (VDS) (and in the Nexus 5000, if deployed), UCS Manager, and the ASA. The global DMZ inside VLAN (behind the firewall) and the customer outside VLAN extend into the DC. These VLANs are used on the virtualized Cisco Expressway-E.

Expressway in OTT Deployments: Expressway-E hosts the public IP address. The client accesses this address by way of the public Internet. Expressway-E typically sits in the DMZ of the enterprise network. In the HCS DC, Expressway-E runs on UCS behind the ASA. Expressway-C sits in the same IP address space as Cisco Unified Communications Manager. Communication between Expressway-C and Expressway-E is through the ASA, which provides the NAT and firewall functions.

Shared Expressway for Business-to-Business Dialing: Expressway-E hosts the public IP address. The non-HCS businesses access this address by way of the public Internet. Expressway-E typically sits in the DMZ of the shared network, between the common outside and shared inside firewall contexts on ASA, to create a DMZ. The Expressway-E is connected to the Expressway-C through the shared internal firewall context. Communication between Expressway-C and Expressway-E is through the ASA, which provides the NAT and firewall functions. The Expressway-C is peered with the session border controller (as a neighbor). For more information, see the Cisco Hosted Collaboration Solution Solution Reference Network Design Guide.

Create the Over-the-Top Data Center Network

Create VLANs in the aggregation device and extend them to the DC in the vSphere Distributed Switch (VDS) and UCS Manager. Create a new context in the ASA and configure the interfaces.

Procedure


Step 1

Create two VLANs, DMZ inside and DMZ outside, on the aggregation device (Nexus 7000).

Step 2

Extend the customer outside VLAN (existing) and the DMZ inside VLAN (new) into the vSphere Distributed Switch (VDS) and UCS Manager (Fabric Interconnect).

Step 3

In the ASA, create a new DMZ context and add inside/outside interfaces with previously created VLANs.

Step 4

In the ASA, configure the inside and outside interfaces.

Step 5

Add static routes and access lists for inside and outside access.

Step 6

Perform port and protocol filtering. For more information, see the Cisco VCS IP Port Usage for Firewall Traversal Deployment Guide at http://www.cisco.com/c/en/us/support/unified-communications/telepresence-video-communication-server-vcs/products-installation-and-configuration-guides-list.html.

See Unified Communications Port Reference for a table that summarizes the ports that need to be opened on the firewalls between your internal network (Cisco Expressway-C), the DMZ (Cisco Expressway-E), and the DMZ to the public internet.

Configuration Tasks and Concepts

Review the following topics when configuring Collaboration Edge Expressway.

Mobile and Remote Access on Expressway

Cisco Unified Communications mobile and remote access is a core part of the Cisco Collaboration Edge architecture. When an endpoint such as Cisco Jabber is not within the enterprise network, Cisco Unified Communications Manager (Unified CM) provides the registration, call control, provisioning, messaging and presence services. Expressway provides secure firewall traversal and line-side support for Unified CM registrations.

The Mobile and Remote Access via Cisco Expressway Deployment Guide provides the information you need to configure mobile and remote access. Of particular interest in an HCS environment are the following topics.

Topics to Review, and Why You Should Review Them

"Mobile and Remote Access Overview": The architecture, call flow, deployment scope, ports, and Jabber client connectivity.

"Configuration Prerequisite":

  • Required versions for the components.

  • Configuration recommendations and requirements for IP addresses, network domain, DNS, firewall, bandwidth restriction, Jabber client, Unified CM, IM and Presence Service, and endpoints.

  • Configuration required on Expressway-E and Expressway-C.

"Configuring Mobile and Remote Access on Expressway": Details on setting up Expressway-C and Expressway-E.

"Checking the Status of Unified Communications Services": Instructions for verifying UC services on Expressway-C and Expressway-E.

"Mobile and Remote Access Port Reference": The summary of the ports used between your internal network (where Expressway-C is located), the DMZ (where Expressway-E is located), and the public Internet. See the Cisco Expressway IP Port Usage guide for detailed information.

"SIP Trunks Between Unified CM and Expressway-C": The explanation of the use of SIP trunks.

"Deployment Scenarios": Details of the supported Mobile and Remote Access deployments, which are based on one-to-one Unified Communications zones between Expressway-C clusters and Expressway-E clusters.

"Supported and Unsupported Features When Using Mobile and Remote Access": Lists the supported and unsupported features for the Mobile and Remote Access deployment.

You can find the Mobile and Remote Access via Cisco Expressway Deployment Guide here: http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html.

Enable Security on the Cisco Unified CM IM and Presence Service Server

Use the procedure to enable security settings.

Procedure


Step 1

Enable TLS for establishing a TLS session between Expressway and the Cisco Unified Communications Manager IM and Presence Service server. In General Settings, specify TLS in SIP Intra-cluster Proxy-to-Proxy Transport Protocol.

Step 2

In User Assignment, verify the status of the user profile synchronization on the Unified CM.


Deploying Cisco Jabber Guest Server for a Dedicated Instance

The Cisco Jabber Guest server must be configured to work with the other elements in your network.

The Cisco Jabber Guest Server Installation and Configuration Guide provides the information you need to deploy Cisco Jabber Guest Server. Use the table in this section to see the topics of particular interest in an HCS environment.

Topics to Review, and Why You Should Review Them

"Prepare to Install": Prerequisites.

"Install Cisco Jabber Guest Server": Details on installing the server to vCenter, signing in to the administration interface, installing certificates, signing in to the CLI, and changing the time zone.

"Perform Initial Setup": Details on configuring Expressway-C and Expressway-E.

You can find the Cisco Jabber Guest documentation here: http://www.cisco.com/c/en/us/support/unified-communications/jabber-guest/products-installation-guides-list.html.

Create PAT Entries to Allow Traffic

Add a Second Route to Expressway-E

Use this procedure to add a second route to the Expressway-E for traffic between the Expressway-C and Expressway-E.

Procedure

Step 1

Sign in to the CLI as an administrator.

Step 2

Type N when prompted to Run Install Wizard.

Step 3

Enter the following commands one at a time. (Note: there are no prompts.)

  1. xconfig ip route 1 address: IP.ADD.RESS.### (Example 10.10.10.0)

  2. xconfig ip route 1 prefixlength: ### (Example 24)

  3. xconfig ip route 1 gateway: IP.ADD.RESS.### (Example 10.10.10.1)

  4. xconfig ip route 1 interface: LAN# (Example LAN2)


Configuring Endpoints for Cisco Unified Communications Manager

Endpoint devices register to Cisco Unified Communications Manager (Unified CM). The Expressway acts as a Unified Communications (UC) gateway and provides mobile and remote access.

To configure your Expressway system for UC services, see the Unified Communications Mobile and Remote Access via Expressway Deployment Guide: http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html.

To configure Jabber endpoints, see the On-Premises Deployment for Cisco Jabber guide: http://www.cisco.com/c/en/us/support/unified-communications/jabber-windows/products-installation-guides-list.html.

  • The "Apply an IM and Presence Service" topic helps you associate a user with a UC Service Profile.

  • The "Configure User Associations" topic helps you associate a user with controlled devices and add the user to the Standard CCM End Users and Standard CTI Enabled access control groups.

  • The "Create and Configure Cisco Jabber Devices" topic helps you associate a device with a profile and Directory Number.

  • The "Automatic Connection Setting for Service Discovery" topic helps you automatically discover servers.

To configure Cisco TelePresence System EX Series endpoint devices, see the following documents:

To manage the security of endpoint devices, you can configure the Certification Authority Proxy Function (CAPF) in Unified CM. For more information, see the Administration Guide for Cisco Unified Communications Manager: http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-maintenance-guides-list.html.

Public and Local DNS Requirements

This topic summarizes the public (external) and local (internal) DNS requirements. For more information, see the Cisco Jabber DNS Configuration Guide: http://www.cisco.com/c/en/us/support/unified-communications/jabber-windows/products-installation-guides-list.html.


Note

This section provides instructions for configuring DNS that is specific to a Cisco HCS solution. For more information about configuring mobile and remote devices, see the Unified Communications Mobile and Remote Access via Cisco Expressway Deployment Guide: http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html.


Configure the public DNS with SRV records for every enterprise hosted in Cisco HCS. With this configuration, non-Cisco HCS businesses can connect to the Cisco Expressway-E when dialing the URI of a Cisco HCS tenant. For example, for a cluster of two Cisco Expressway-E systems:

Domain           Service  Protocol  Priority  Weight  Port  Target host
EnterpriseA.com  sips     TCP       10        10      5061  Shared-expe1.example.com
EnterpriseB.com  sips     TCP       10        10      5061  Shared-expe2.example.com

Configure the Expressway-E DNS so that the default DNS server is a public DNS and inside domains are set to the internal DNS.
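In zone-file form the rows of the table above are `_sips._tcp` SRV records, and a far-end SIP stack will only reach Expressway-E if the service label, protocol, port and target are all right. The following Python script is an added example (not Cisco's, and not from this guide) that emits those records for the hosted domains and checks them the way a careful operator would before publishing: sips must be under _tcp, the port must be the 5061 the ASA permits, and the target must be a fully qualified host name, not an IP address. It also shows the RFC 2782 ordering a client applies, so the effect of priority and weight is visible. Publishing one record per hosted domain and cluster peer with equal priority and weight is this example's assumption about how a two-peer cluster is advertised, and the 3600-second TTL is an arbitrary choice.

```python
"""Generate and sanity-check the public _sips._tcp SRV records that let
non-HCS businesses reach the shared Expressway-E cluster.

Added example, not from the Cisco HCS guide.  The hosted domains and the
Expressway-E peer names are the ones in the table above.  Publishing one
record per (hosted domain, cluster peer) pair, with equal priority and
weight, is this example's assumption about how a two-peer cluster should
be advertised; the 3600-second TTL is an arbitrary choice.  Names are
emitted in lower case because DNS compares them case-insensitively.
"""
import random
import re

HOSTED_DOMAINS = ["EnterpriseA.com", "EnterpriseB.com"]
EXPRESSWAY_E_PEERS = ["Shared-expe1.example.com", "Shared-expe2.example.com"]
SIP_TLS_PORT = 5061  # the port the ASA DMZ context permits inbound to Expressway-E

SRV_RE = re.compile(
    r"^_(?P<service>[a-z0-9-]+)\._(?P<proto>tcp|udp)\.(?P<domain>\S+?)\.\s+"
    r"(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def srv_records(domains, peers, priority=10, weight=10, port=SIP_TLS_PORT, ttl=3600):
    """Zone-file SRV lines, one per hosted domain and cluster peer."""
    return [f"_sips._tcp.{d.lower()}. {ttl} IN SRV {priority} {weight} {port} {p.lower()}."
            for d in domains for p in peers]


def parse_srv(line):
    """Parse one zone-file SRV line into a dict of its fields."""
    m = SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    rec = m.groupdict()
    for key in ("ttl", "prio", "weight", "port"):
        rec[key] = int(rec[key])
    return rec


def check_srv(rec):
    """Return the problems with a parsed record that would stop a far-end SIP TLS call."""
    problems = []
    if rec["service"] == "sips" and rec["proto"] != "tcp":
        problems.append("sips is SIP over TLS and must be published under _tcp")
    if rec["service"] == "sips" and rec["port"] != SIP_TLS_PORT:
        problems.append(f"port {rec['port']} is not the TLS port {SIP_TLS_PORT} the firewall permits")
    if not rec["target"].endswith("."):
        problems.append("target is not fully qualified (no trailing dot); it would be expanded relative to the zone")
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+\.?", rec["target"]):
        problems.append("SRV target must be a host name that has an A record, not an IP address")
    return problems


def ordered_targets(records, seed=None):
    """Order one domain's targets the way an RFC 2782 client tries them:
    lowest priority first, weighted-random among records of equal priority."""
    rng = random.Random(seed)
    order = []
    for prio in sorted({r["prio"] for r in records}):
        pool = [r for r in records if r["prio"] == prio]
        while pool:
            # weight 0 keeps a tiny chance of selection, as the RFC intends
            chosen = rng.choices(pool, weights=[r["weight"] or 0.001 for r in pool])[0]
            pool.remove(chosen)
            order.append(chosen["target"])
    return order


if __name__ == "__main__":
    for line in srv_records(HOSTED_DOMAINS, EXPRESSWAY_E_PEERS):
        problems = check_srv(parse_srv(line))
        print(line, "OK" if not problems else problems)
```

With equal priority and weight the two peers are tried in a random order, which spreads incoming business-to-business calls across the cluster; a record with a higher priority value is only tried after every lower-priority target has failed, which is how you would publish a backup Expressway-E.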

Installing Cisco Expressway-C and Expressway-E Virtual Machines

For installation instructions, see the Cisco Expressway on Virtual Machine Installation Guide: http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-guides-list.html. For the Expressway-C, use the shared outside network VLAN. Use the appropriate host, domain, DNS, and NTP settings.

Always deploy Expressway-E with two interfaces, using the networks built for the DMZ and transit VLANs:

  • The external interface in the Global DMZ inside VLAN

  • The other interface in the Shared Transit VLAN

Set the appropriate host, domain, DNS, and NTP settings. Apply licenses and certificates to both Expressway-C and Expressway-E.

Create Cisco Expressway Virtual Machines

HCS Expressway-E is always deployed with two interfaces: one toward Expressway-C and the other toward the internet.

Procedure


Step 1

Create Expressway virtual machines using the Cisco VCS on Virtual Machine Installation Guide. A minimum of two VMs is required, one for Expressway-C and one for Expressway-E. If clustering is required, see the Cisco VCS Cluster Creation and Maintenance Deployment Guide at http://www.cisco.com/c/en/us/support/unified-communications/telepresence-video-communication-server-vcs/products-installation-and-configuration-guides-list.html. Special certificate requirements must be adhered to as well. Review the VM options and select the correct configuration for your deployment.

Step 2

For Expressway-C, use the shared outside VLAN IP on the single network interface. For the Expressway-E, use the global DMZ inside VLAN that was previously created as the outside interface and the shared transit VLAN for the inside interface.

Step 3

Set the appropriate host, domain, DNS and NTP settings.

Step 4

After VM creation, follow the steps for password and other essential steps in the VM creation document to finish the installation. The Expressway-C should now be available from a browser. The Expressway-E DMZ inside address can use NAT to be accessed from a browser from the management network.


License Cisco Expressway Virtual Machines

Procedure


Step 1

Apply a release key to Expressway-C.

Step 2

Apply the Traversal Calls option key to Expressway-C.

Step 3

Apply a release key to Expressway-E.

Step 4

Apply the Advanced Networking option key (required for the second interface and static NAT), the Traversal Server option key, and the Traversal Calls option key (with the number of calls allowed) to Expressway-E.


Certificate Use on Cisco Expressway Virtual Machines

Generate certificates for Expressway-C and Expressway-E. For more information, see the Cisco Expressway Certificate Creation and Use Deployment Guide at http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html. The "Overview of Certificate Use on the Expressway" topic explains how Expressway uses its certificates to validate the devices that connect to it.

Expressway needs certificates for:

  • Secure HTTP with TLS (HTTPS) connectivity.

  • TLS connectivity for SIP signaling, endpoints, and neighbor zones.

  • Connections to other systems such as Cisco Unified Communications Manager, Cisco TMS, LDAP servers, and syslog servers.

Exceptions to Cisco Expressway Basic Configuration

The table Exceptions to Basic Expressway Configuration identifies exceptions to the documented, required configuration tasks in the Cisco Expressway Basic Configuration Deployment Guide. Refer to the guide for details. If a task is not identified in the table, you can perform the task as documented in the deployment guide.

Table 1. Exceptions to Basic Expressway Configuration

Task

Exception for HCS Configuration

Performing Initial Configuration

Don't perform this task if you completed the work during VM installation.

Setting the System Name

The system name is also used by the Cisco TelePresence Management Suite.

Configuring the Traversal Zone

Set the following fields as indicated. Accept the default values for the other fields.

  • H.323 Mode: Off

  • SIP Port: 7002

  • TLS verify mode: On

Configuring Traversal Zone Search Rules

On Expressway-C, set the following fields to create a search rule that routes calls arriving from Expressway-E over the traversal zone toward the SBC.

  • Rule name: To HCS

  • Description: Calls to HCS customers

  • Priority: 30

  • Protocol: SIP

  • Source: Named

  • Source name: TraversalZone-to-E

  • Target: To Session Border Controller (SBC)

On Expressway-C, set the following fields to create a search rule that routes calls from the Session Border Controller to Expressway-E, and then on to a non-HCS user.
  • Rule name: ToExpresswayE

  • Priority: 35

  • Protocol: SIP

  • Source: Named

  • Source name: To SBC

  • Target: TraversalZone-to-E

Configuring the DNS Zone

Set the following fields as indicated. Accept the default values for the other fields.

  • Name: Internet

  • H.323 Mode: Off

  • Fallback transport protocol: TLS

  • Media encryption mode: Force encrypted

Configuring a Static Route

Because Expressway-C and the Session Border Controller (SBC) are in the same VRF and the same VLAN, configure a static route on Expressway-C to reach the signaling and media IP addresses on the SBC, using the SBC interface on the shared outside VLAN as the gateway.

The following is an example of adding the static route from the administrative command-line interface:

xCommand RouteAdd Address: "10.13.8.0" PrefixLength: 32 Gateway: "192.44.0.1"

where 10.13.8.0 is the signaling and media subnet toward the SBC and 192.44.0.1 is the SBC IP address on the shared outside LAN. Note that a PrefixLength of 32 is a host route that matches 10.13.8.0 only; if the SBC uses a whole subnet for signaling and media, set PrefixLength to that subnet's length (for example 24) so that the route covers it.

Applying Encryption Settings

The diagram in this section identifies the recommended encryption settings that allow secure and non-secure Cisco HCS endpoints to communicate with non-Cisco HCS endpoints. Apply the encryption settings on the Shared Expressway-E and -C (SHD-E and SHD-C).

Configuring Firewalls

Configure the appropriate ports on your firewalls between your internal network (where the Expressway-C is located) and the DMZ (where the Expressway-E is located).

For more information, see the "Firewall and NAT Settings" chapter in the Cisco Expressway Basic Configuration Deployment Guide: http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html.

For more information, see the Cisco Expressway IP Port Usage for Firewall Traversal Deployment Guide: http://www.cisco.com/en/US/products/ps13435/products_installation_and_configuration_guides_list.html.