Collaboration Edge Expressway Deployment and Secured Internet Installation

Data Center Configuration Overview

This section provides guidance for configuring Collaboration Edge OTT in the Service Provider Cisco HCS data center. Use this information with, but not as a replacement for, the Cisco Expressway documentation.

Two additional VLANs are required for the ASA DMZ context: a global DMZ inside VLAN and a global DMZ outside VLAN. The existing customer inside and outside VLANs are also required. Configuration is needed on the Nexus 7000, the vSphere Distributed Switch (VDS), the Nexus 5000 (if deployed), UCS Manager, and the ASA. The global DMZ inside VLAN (behind the firewall) and the customer outside VLAN extend into the DC; these are the two VLANs attached to the virtualized Cisco Expressway-E.

Expressway in OTT Deployments

Expressway-E hosts the public IP address, which clients reach over the public Internet. Expressway-E typically sits in the DMZ of the enterprise network; in the HCS DC it runs on UCS behind the ASA. Expressway-C sits in the same IP address space as Cisco Unified Communications Manager. All communication between Expressway-C and Expressway-E passes through the ASA, which provides the NAT and firewall functions.

Shared Expressway for Business-to-Business Dialing

Expressway-E hosts the public IP address, which non-HCS businesses reach over the public Internet. Expressway-E sits in a DMZ formed between the common outside and shared inside firewall contexts on the ASA, and connects to Expressway-C through the shared inside firewall context. Communication between Expressway-C and Expressway-E passes through the ASA, which provides the NAT and firewall functions. Expressway-C is peered with the session border controller as a neighbor zone. For more information, see the Cisco Hosted Collaboration Solution Solution Reference Network Design Guide.

Create the Over-the-Top Data Center Network

Create VLANs in the aggregation device and extend them to the DC in the vSphere Distributed Switch (VDS) and UCS Manager. Create a new context in the ASA and configure the interfaces.

Procedure


Step 1

Create two VLANs, DMZ inside and DMZ outside, on the aggregation device (Nexus 7000).

Step 2

Extend the existing customer outside VLAN and the new DMZ inside VLAN into the vSphere Distributed Switch (VDS) and UCS Manager (Fabric Interconnect).

Step 3

In the ASA, create a new DMZ context and assign the VLANs created in Step 1 to its inside and outside interfaces.

Step 4

In the ASA, configure IP addressing on the inside and outside interfaces, including the static NAT for the Expressway-E addresses.

Step 5

Add static routes and access lists that permit only the required inside and outside access.

Step 6

Restrict the access lists to the ports and protocols that Expressway uses. For more information, see the Cisco VCS IP Port Usage for Firewall Traversal Deployment Guide at http://www.cisco.com/c/en/us/support/unified-communications/telepresence-video-communication-server-vcs/products-installation-and-configuration-guides-list.html.

See Unified Communications Port Reference for a table that summarizes the ports that need to be opened on the firewalls between your internal network (Cisco Expressway-C), the DMZ (Cisco Expressway-E), and the DMZ to the public internet.

Public and Local DNS Configuration

This section summarizes the public (external) and local (internal) DNS requirements. For more information, see the Cisco Jabber DNS Configuration Guide: http://www.cisco.com/c/en/us/support/unified-communications/jabber-windows/products-installation-guides-list.html.


Note

This section provides instructions for configuring DNS that is specific to a Cisco HCS solution. For information on configuring mobile and remote devices, see the Mobile and Remote Access via Cisco Expressway Deployment Guide at http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html.

Configure the public (external) DNS with _collab-edge._tls.<domain> SRV records so that endpoints can discover the Expressway-E systems to use for mobile and remote access. SIP service records (_sips._tcp.<domain>) are also required for general SIP deployment such as business-to-business calling, not specifically for mobile and remote access. Every SRV target must also resolve to a public A record. For example, for a cluster of two Expressway-E systems:

Table 1. Public DNS
Domain Service Protocol Priority Weight Port Target host
example.com collab-edge tls 10 10 8443 expe1.example.com
example.com collab-edge tls 10 10 8443 expe2.example.com
example.com sips tcp 10 10 5061 expe1.example.com
example.com sips tcp 10 10 5061 expe2.example.com

The local (internal) DNS requires _cisco-uds._tcp.<domain>, _cuplogin._tcp.<domain>, _cisco-phone-http._tcp.<domain>, and standard SIP service SRV records. These internal records must not be resolvable from the public Internet: a Jabber client that can resolve _cisco-uds assumes it is inside the network and attempts to reach Unified CM directly instead of logging in through Expressway-E. For example:

Table 2. Local DNS
Domain Service Protocol Priority Weight Port Target host
example.com cisco-uds tcp 10 10 8443 cucmserver.example.com
example.com cuplogin tcp 10 10 8443 cupserver.example.com
example.com cisco-phone-http tcp 10 10 8443 cucmserver.example.com
example.com sips tcp 10 10 5061 cucmserver.example.com
example.com sip tcp 10 10 5060 cucmserver.example.com
example.com sip udp 10 10 5060 cucmserver.example.com

Additionally, add A records for the host names of Expressway-C and Expressway-E to the local (DC) DNS server's domain. The SRV targets in the public zone (expe1.example.com and expe2.example.com in the example) must also have public A records that resolve to the Expressway-E public (NAT) addresses.
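As an added example (not part of the Cisco documentation), the following Python script encodes the split-horizon requirement above as a check: the public view must carry _collab-edge._tls and _sips._tcp with an A record for every target, and must not answer the internal-only _cisco-uds, _cuplogin and _cisco-phone-http names. PUBLIC_VIEW and INTERNAL_VIEW are constructed to mirror Table 1 and Table 2 (addresses are from documentation ranges); replace them with answers from your external and internal resolvers.

```python
"""Split-horizon DNS check for Expressway mobile and remote access.

Added example, not Cisco code. PUBLIC_VIEW and INTERNAL_VIEW are constructed
to mirror Table 1 and Table 2; swap in answers from your own resolvers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# SRV names (service and protocol labels, without the domain) that an Internet
# client must resolve, and the port each must advertise (Table 1).
PUBLIC_REQUIRED = {"_collab-edge._tls": 8443, "_sips._tcp": 5061}

# SRV names the internal view must carry (Table 2).
INTERNAL_REQUIRED = {
    "_cisco-uds._tcp": 8443,
    "_cuplogin._tcp": 8443,
    "_cisco-phone-http._tcp": 8443,
    "_sips._tcp": 5061,
    "_sip._tcp": 5060,
    "_sip._udp": 5060,
}

# Records that must never be answered to Internet clients: a Jabber client
# that can resolve _cisco-uds or _cuplogin assumes it is inside the network
# and tries to reach Unified CM directly instead of logging in via Expressway-E.
INTERNAL_ONLY = ("_cisco-uds._tcp", "_cuplogin._tcp", "_cisco-phone-http._tcp")


def _check_view(label, domain, zone, required):
    """Each required SRV must exist, advertise the expected port, and point at
    a target that has an A record in the same DNS view."""
    problems = []
    for service, port in required.items():
        name = f"{service}.{domain}"
        records = zone["srv"].get(name, [])
        if not records:
            problems.append(f"{label}: missing SRV record {name}")
            continue
        for rec in records:
            if rec.port != port:
                problems.append(
                    f"{label}: {name} -> {rec.target} advertises port {rec.port}, expected {port}"
                )
            if rec.target not in zone["a"]:
                problems.append(f"{label}: SRV target {rec.target} has no A record in this view")
    return problems


def check_split_horizon(domain, public, internal):
    """Return all problems found; an empty list means both views are consistent."""
    problems = _check_view("public", domain, public, PUBLIC_REQUIRED)
    problems += _check_view("internal", domain, internal, INTERNAL_REQUIRED)
    for service in INTERNAL_ONLY:
        name = f"{service}.{domain}"
        if name in public["srv"]:
            problems.append(f"public: {name} is resolvable from the Internet (internal-only record leaked)")
    return problems


# Constructed sample views. Addresses are from documentation ranges.
PUBLIC_VIEW = {
    "srv": {
        "_collab-edge._tls.example.com": [
            SRV(10, 10, 8443, "expe1.example.com"),
            SRV(10, 10, 8443, "expe2.example.com"),
        ],
        "_sips._tcp.example.com": [
            SRV(10, 10, 5061, "expe1.example.com"),
            SRV(10, 10, 5061, "expe2.example.com"),
        ],
    },
    "a": {"expe1.example.com": "203.0.113.11", "expe2.example.com": "203.0.113.12"},
}

INTERNAL_VIEW = {
    "srv": {
        "_cisco-uds._tcp.example.com": [SRV(10, 10, 8443, "cucmserver.example.com")],
        "_cuplogin._tcp.example.com": [SRV(10, 10, 8443, "cupserver.example.com")],
        "_cisco-phone-http._tcp.example.com": [SRV(10, 10, 8443, "cucmserver.example.com")],
        "_sips._tcp.example.com": [SRV(10, 10, 5061, "cucmserver.example.com")],
        "_sip._tcp.example.com": [SRV(10, 10, 5060, "cucmserver.example.com")],
        "_sip._udp.example.com": [SRV(10, 10, 5060, "cucmserver.example.com")],
    },
    "a": {"cucmserver.example.com": "10.0.0.21", "cupserver.example.com": "10.0.0.22"},
}

if __name__ == "__main__":
    for problem in check_split_horizon("example.com", PUBLIC_VIEW, INTERNAL_VIEW) or ["no problems found"]:
        print(problem)
```

Run it from a host on the Internet and from a host inside the DC with the views filled from the respective resolvers; any "leaked" line means the internal zone is visible from outside and remote Jabber login will fail.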

Installing Cisco Expressway-C and Expressway-E Virtual Machines

For installation instructions, see the Cisco Expressway on Virtual Machine Installation Guide: http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-guides-list.html.

For Expressway-C, use the customer inside network VLAN, with the appropriate host, domain, DNS, and NTP settings. An Expressway-E is installed as an Expressway-C initially (it becomes an Expressway-E when the Traversal Server option key is applied) and therefore has only one interface at first; the second interface becomes available after the Advanced Networking option key is applied.

For Expressway-E, use the global DMZ inside VLAN created previously. Set the appropriate host, domain, DNS, and NTP settings. Also apply licenses and certificates to both Expressway-C and Expressway-E.

Create Cisco Expressway Virtual Machines

HCS Expressway-E is always deployed with dual interfaces: one toward Expressway-C and the other toward the Internet.

Procedure


Step 1

Create the Expressway virtual machines using the Cisco Expressway on Virtual Machine Installation Guide. At least two VMs are required, one for Expressway-C and one for Expressway-E. If clustering is required, see the Cisco Expressway Cluster Creation and Maintenance Deployment Guide at http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html; clustered systems have specific certificate requirements that must also be met. Review the VM options and select the correct configuration for your deployment.

Step 2

For Expressway-C, use a customer inside VLAN IP address on its single network interface. For Expressway-E, use the global DMZ inside VLAN that was created previously; the external interface is added after the Advanced Networking option key is applied.

Step 3

Set the appropriate host, domain, DNS, and NTP settings.

Step 4

After creating the VM, set the administrator password and complete the other essential steps described in the Cisco Expressway on Virtual Machine Installation Guide. Expressway-C should now be reachable from a browser. The Expressway-E DMZ inside address can be reached from a browser on the management network through the ASA NAT.


License the Cisco Expressway Virtual Machines

Procedure


Step 1

Apply the release key to Expressway-C.

Step 2

Apply a Traversal Calls option key to Expressway-C for the number of traversal calls licensed.

Step 3

Apply the release key to Expressway-E.

Step 4

Apply the following option keys to Expressway-E: Advanced Networking (enables the second interface and static NAT), Traversal Server (converts the system to an Expressway-E), and Traversal Calls (the number of traversal calls licensed).


Certificate Use on Cisco Expressway Virtual Machines

Generate certificates for Expressway-C and Expressway-E. For more information, see the Cisco Expressway Certificate Creation and Use Deployment Guide at http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html. The "Overview of Certificate Use on the Expressway" topic explains how Expressway uses its certificates to validate the devices that connect to it.

Expressway needs certificates for the following:

  • Secure HTTP with TLS (HTTPS) connectivity.

  • TLS connectivity for SIP signaling, endpoints, and neighbor zones.

  • Connections to other systems such as Cisco Unified Communications Manager, Cisco TMS, LDAP servers, and syslog servers.

For information about requirements for Expressway server certificates, see the Mobile and Remote Access via Cisco Expressway Deployment Guide at http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html. The "Expressway Certificates" topic discusses the subject alternate name (SAN) entries that are appropriate for the Unified Communications features that are supported on Expressway.

Cisco Expressway Control Server Certificate Requirements


Note

This section provides information about the requirement for the Expressway Control server certificate. For more information, see the Mobile and Remote Access via Cisco Expressway Deployment Guide at http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html.

The Expressway-C server certificate may need to include the following in its list of subject alternative names (SANs):

  • The chat node aliases configured on the IM and Presence servers. These are required only for Unified Communications XMPP federation deployments that use both TLS and group chat. (Unified Communications XMPP federation will be supported in a future Expressway release.) Expressway-C automatically includes the chat node aliases in the CSR once it has discovered a set of IM and Presence servers.
  • The names, in FQDN format, of all Phone Security Profiles in Cisco Unified CM that are configured for encrypted TLS and are used by devices requiring remote access. This lets Unified CM validate Expressway-C over a TLS connection when it forwards messages from devices that use those security profiles.

A new certificate may need to be produced if chat node aliases are added or renamed (for example, when an IM and Presence node is added or renamed) or if new TLS Phone Security Profiles are added. You must restart Expressway-C for a newly uploaded server certificate to take effect.

Cisco Expressway Server Certificate Requirements

The Expressway-E server certificate may need to include the following in its list of subject alternative names (SANs):

  • All domains configured for Unified Communications. These are required for secure communications between endpoint devices and Expressway-E. They may include the email address domain entered by users of the client application (for example, Jabber) and any presence domains (as configured on Expressway-C) if these differ. There is no need to include the domains in DNS-SEC deployments.
  • The same set of chat node aliases as entered on the Expressway-C certificate, if you are deploying federated XMPP. The list of required aliases can be viewed (and copied) from the equivalent Generate CSR page on Expressway-C.

A new certificate must be produced if new presence domains or chat node aliases are added to the system. You must restart Expressway-E for a newly uploaded server certificate to take effect.
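The two SAN lists above are easy to get subtly wrong (a profile named without a dot, a presence domain forgotten after a change). As an added example, not Cisco code, the Python below builds the required SAN set for each system from the inputs named on this page and diffs it against the SAN line that `openssl x509 -in cert.pem -noout -ext subjectAltName` prints. The Phone Security Profiles, chat node aliases, UC domains and the openssl output are constructed for illustration, and the inclusion of each system's own FQDN in its SAN set is an assumption made here (clients and peers validate the name they connect to), not a requirement stated on this page.

```python
"""Required SANs for Expressway-C and Expressway-E server certificates,
checked against the SAN list openssl reports.

Added example, not Cisco code. All inputs below are constructed samples.
"""
import re

# `openssl x509 -noout -ext subjectAltName` prints entries as
# "DNS:name, DNS:name, ..."; this pulls out the DNS names only.
_DNS_SAN = re.compile(r"DNS:([^,\s]+)")


def expressway_c_required_sans(own_fqdn, phone_security_profiles,
                               chat_node_aliases=(), xmpp_federation=False):
    """Expressway-C: its own FQDN (assumption, see lead-in), the FQDN-style
    name of every Unified CM Phone Security Profile with an Encrypted device
    security mode, and the chat node aliases when federated XMPP is deployed."""
    sans = {own_fqdn.lower()}
    for profile in phone_security_profiles:
        if profile["device_security_mode"] != "Encrypted":
            continue  # non-secure and authenticated profiles need no SAN
        name = profile["name"]
        if "." not in name or " " in name:
            raise ValueError(f"encrypted profile {name!r} must be named as an FQDN")
        sans.add(name.lower())
    if xmpp_federation:
        sans.update(alias.lower() for alias in chat_node_aliases)
    return sans


def expressway_e_required_sans(own_fqdn, uc_domains,
                               chat_node_aliases=(), xmpp_federation=False):
    """Expressway-E: its own FQDN (assumption), every Unified Communications
    domain (email and presence domains included), and the same chat node
    aliases as Expressway-C when federated XMPP is deployed."""
    sans = {own_fqdn.lower()}
    sans.update(domain.lower() for domain in uc_domains)
    if xmpp_federation:
        sans.update(alias.lower() for alias in chat_node_aliases)
    return sans


def parse_openssl_sans(openssl_text):
    """DNS SANs from the text openssl prints for the subjectAltName extension."""
    return {name.lower() for name in _DNS_SAN.findall(openssl_text)}


def missing_sans(required, openssl_text):
    """Names the certificate must carry but does not; empty means it is usable."""
    return sorted(required - parse_openssl_sans(openssl_text))


# Constructed inputs: two Unified CM profiles, one chat node alias, one domain.
PHONE_SECURITY_PROFILES = [
    {"name": "jabber.secure.example.com", "device_security_mode": "Encrypted"},
    {"name": "Cisco Unified Client Services Framework - Standard SIP Non-Secure Profile",
     "device_security_mode": "Non Secure"},
]
CHAT_NODE_ALIASES = ["conference-1-standaloneclusterabcde.example.com"]
UC_DOMAINS = ["example.com"]

# Constructed sample of openssl output for an Expressway-E certificate.
EXPRESSWAY_E_CERT_SANS = """X509v3 Subject Alternative Name:
    DNS:vcs-e.example.com, DNS:example.com
"""

if __name__ == "__main__":
    required_c = expressway_c_required_sans("vcs-c.internal-domain.net", PHONE_SECURITY_PROFILES)
    print("Expressway-C needs:", sorted(required_c))
    required_e = expressway_e_required_sans("vcs-e.example.com", UC_DOMAINS,
                                            CHAT_NODE_ALIASES, xmpp_federation=True)
    print("Expressway-E missing:", missing_sans(required_e, EXPRESSWAY_E_CERT_SANS))
```

Re-run the check whenever a Phone Security Profile, presence domain or IM and Presence node is added or renamed; the page notes that each of those changes can require a new certificate and a restart.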

Cisco Expressway Basic Configuration

The following topics describe exceptions from the basic configuration in the Cisco Expressway Basic Configuration Deployment Guide at http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html. Basic configuration of Expressway-C and Expressway-E is completed at the same time. Some settings may differ from those shown.


Note

For more information, see the Mobile and Remote Access via Cisco Expressway Deployment Guide at http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html.

Perform Initial Configuration

This step is not required if completed during VM installation.

Set the System Name

The system name defines the name of the Expressway, appears throughout the web interface, and is used by Cisco TMS. Assign a system name that lets you easily and uniquely identify it. On a hardware appliance, if the system name is longer than 16 characters, only the last 16 characters appear on the front-panel display.


Note

The system names used in the procedures in this section are for example purposes only.

Procedure


Step 1

Navigate to System > Administration.

Step 2

Configure the System name as follows:

  1. VCS Control: VCSc

  2. VCS Expressway: VCSe


Configure the DNS Local Host Name

The Local host name defines the DNS hostname by which this system is known. The Local host name is not the fully qualified domain name, just the host label portion. Note that <Local host name>.<Domain name>= FQDN of this Expressway.

Procedure

Step 1

Navigate to System > DNS.

Step 2

Configure the Local host name as follows:

  1. VCS Control: vcs-c

  2. VCS Expressway: vcs-e

Step 3

Click Save.


Configure the DNS Domain Name

The Domain name is appended to an unqualified host name before the DNS server is queried.

Procedure

Step 1

Navigate to System > DNS.

Step 2

Configure the Domain name as follows:

  1. VCS Control: internal-domain.net

  2. VCS Expressway: example.com

Step 3

Click Save.


Configure DNS Servers

The DNS server addresses are the IP addresses of up to 5 domain name servers to use when resolving domain names. You must specify at least one default DNS server to be queried for address resolution if you want to either:

  • Use FQDNs (Fully Qualified Domain Names) instead of IP addresses when specifying external addresses (for example for LDAP and NTP servers, neighbor zones, and peers).
  • Use features such as URI dialing or ENUM dialing.

The Expressway only queries one server at a time; if that server is not available the Expressway will try another server from the list.

In the example deployment, two DNS servers are configured for each VCS, which provides a level of DNS server redundancy. Expressway-C is configured with DNS servers which are located on the internal network. Expressway-E is configured with DNS servers that are publicly routable.

Procedure

Step 1

Navigate to System > DNS

Step 2

Configure the DNS server Address fields as follows:

  1. VCS Control Address 1: 10.0.0.11

  2. VCS Control Address 2: 10.0.0.12

  3. VCS Expressway Address 1: 194.72.6.57

  4. VCS Expressway Address 2: 194.73.82.242

Step 3

Click Save.


With these settings, Expressway-C has a Fully Qualified Domain Name of vcs-c.internal-domain.net and Expressway-E has a Fully Qualified Domain Name of vcs-e.example.com.

Replace the Default Server Certificate

Complete this step if not completed in an earlier step.

For extra security, you can configure Expressway to communicate with other systems (such as LDAP servers, neighbor Cisco Expressways, or clients such as SIP endpoints and web browsers) using TLS encryption.

For this to work successfully in a connection between a client and server:

  • The server must have a certificate installed that verifies its identity. This certificate must be signed by a Certificate Authority (CA).
  • The client must trust the CA that signed the certificate used by the server.

Expressway allows you to install appropriate files so that it can act as either a client or a server in connections using TLS. Expressway can also authenticate client connections (typically from a web browser) over HTTPS. You can also upload certificate revocation lists (CRLs) for the CAs used to verify LDAP server and HTTPS client certificates.

Expressway can generate server certificate signing requests (CSRs). These requests remove the need to use an external mechanism to generate and obtain certificate requests.

For secure communications (HTTPS and SIP/TLS) we recommend that you replace the VCS default certificate with a certificate generated by a trusted certificate authority.

Note that in connections:

  • To an endpoint, Expressway acts as the TLS server
  • To an LDAP server, Expressway is a client
  • Between two VCS systems, either Expressway may be the client with the other Expressway being the TLS server
  • Via HTTPS, the web browser is the client and the Expressway is the server

TLS can be difficult to configure. For example, when using it with an LDAP server we recommend that you confirm that your system is working correctly before you attempt to secure the connection with TLS. We also recommend using a third-party LDAP browser to verify that your LDAP server is correctly configured to use TLS.

To load the trusted CA list, navigate to Maintenance > Security certificates > Trusted CA certificate.

To generate a CSR and upload the Cisco Expressway's server certificate, navigate to Maintenance > Security certificates > Server certificate.

For more information, including information about generating CSRs, see the Cisco Expressway Certificate Creation and Use Deployment Guide at http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html.

Configure NTP Server Addresses and Time Zones

The NTP server address fields set the IP addresses or Fully Qualified Domain Names (FQDNs) of the NTP servers used to synchronize system time. Accurate time on both systems matters for security: certificate validity periods are checked when the traversal zone and client TLS connections are established, so a badly skewed clock causes certificate verification failures.

The Time Zone fields set the local time zone of the Expressway.

Procedure


Step 1

Navigate to System > Time.

Step 2

Configure the fields as follows on Expressway-C and Expressway-E (pool.ntp.org is shown only as an example; Expressway-C, which sits on the internal network, normally uses an internal NTP source):

  1. VCS Control NTP server 1: pool.ntp.org

  2. VCS Expressway NTP server 1: pool.ntp.org

  3. VCS Control Time Zone (for this example): GMT

  4. VCS Expressway Time Zone (for this example): GMT

Step 3

Click Save.


Configure SIP Domains

Expressway can act as a SIP Registrar for endpoints in the SIP domains that you configure. All registrations are sent to the Cisco Unified Communications Manager server or the IM and Presence Service server.


Note

In a Cisco Expressway for Secure Over-the-Top deployment, endpoints do not register to Expressway.


Perform the following procedure on Expressway-C (VCS Control) and Expressway-E (VCS Expressway).

Procedure


Step 1

Navigate to Configuration > Domains.

Step 2

Click New.

Step 3

In the Name field, enter the domain name. For example, example.com.

Step 4

Click Create domain.


The Domains page displays all configured SIP domain names.

Configuring the Traversal Zone

No search rules are necessary for the traversal zone.

The traversal zone configuration defines a connection between Expressway-C and Expressway-E platforms. A traversal zone connection allows firewall traversal for signaling and media between the two platforms. Expressway-C is configured with a traversal client zone, and Expressway-E with a traversal server zone.

Configure the Traversal Zone for Expressway-C and Expressway-E

Use the following procedure to configure the traversal zone for Cisco Expressway-C and Cisco Expressway-E.

Procedure

Step 1

Navigate to Configuration > Zones > Zones.

Step 2

Click New.

Step 3

Configure the fields as follows (leave all other fields at their default values). The Expressway-C column is the traversal client zone; the Expressway-E column is the traversal server zone.

Section | Field | Expressway-C | Expressway-E
Configuration | Name | "Traversal zone" (example) | "Traversal zone" (example)
Configuration | Type | Unified Communications traversal | Unified Communications traversal
Configuration | Hop count | 15 | 15
Connection credentials | Username | "admin" (example) | "admin" (example)
Connection credentials | Password | "bob@123" (example only; use a long, unique shared secret) | Same value as on Expressway-C
SIP | Port | 7001 | 7001
SIP | TLS verify subject name | Not applicable | FQDN of Expressway-C, as it appears in the Expressway-C server certificate
SIP | Accept proxied registrations | Allow | Allow
SIP | ICE support | Off | Off
SIP | Poison mode | Off | Off
Authentication | Authentication policy | Treat as authenticated | Treat as authenticated
Client settings | Retry interval | 120 | Not applicable
Location | Peer address | FQDN of Expressway-E | Not applicable
UDP/TCP probes | UDP retry interval | Not applicable | 2
UDP/TCP probes | UDP retry count | Not applicable | 5
UDP/TCP probes | UDP keep alive interval | Not applicable | 20
UDP/TCP probes | TCP retry interval | Not applicable | 2
UDP/TCP probes | TCP retry count | Not applicable | 5
UDP/TCP probes | TCP keep alive interval | Not applicable | 20


Configure the Traversal Zone for Expressway-E

Use the following procedure to configure the traversal zone for Cisco Expressway-E.

Procedure

Step 1

Navigate to Configuration > Zones > Zones.

Step 2

Click New.

Step 3

Configure the Expressway-E Configuration settings as follows:

  1. Name:TraversalZone

  2. Hop count: 15

Step 4

Configure the Expressway-E Connection credentials settings as follows (the values shown are examples; use a long, unique shared secret in a real deployment):

  1. Username: admin

  2. Password: password

Step 5

Configure the Expressway-E H.323 settings as follows:

  1. Mode: Off

  2. Protocol: Assent

  3. H.460.19 demultiplexing mode: Off

Step 6

Configure the Expressway-E SIP settings as follows:

  1. Mode: On

  2. Port: 7001

  3. Transport: TLS

  4. Unified Communications services: Yes

  5. TLS verify mode: On

  6. TLS verify subject name: vcs-c.nsite.com (this must be the FQDN presented in the Expressway-C server certificate)

  7. Accept proxied registrations: Allow

  8. Media encryption mode: Force encrypted

  9. ICE support: Off

  10. Poison mode: Off

Step 7

Configure the Expressway-E Authentication setting as follows:

  1. Authentication policy: Do not check credentials

Step 8

Configure the Expressway-E UDP / TCP probes settings as follows:

  1. UDP retry interval:2

  2. UDP retry count: 5

  3. UDP keep alive interval: 20

  4. TCP retry interval: 2

  5. TCP retry count: 5

  6. TCP keep alive interval: 20

Step 9

Click Save.


Configure the Authentication Credentials

Support for Unified Communications features, such as mobile and remote access or Jabber Guest, requires a secure traversal zone connection between Expressway-C and Expressway-E.

  • The traversal client zone and the traversal server zone must be configured to use SIP TLS with TLS verify mode set to On, and Media encryption mode must be Force encrypted.
  • Both Expressways must trust each other's server certificate. Because each Expressway acts as both a client and a server on this connection, ensure that each Expressway's certificate is valid for both client and server use, and that the root CA that signed it is in the other system's trusted CA list.

Configure the credentials that Expressway-C presents on the traversal zone in the Local authentication database on Expressway-E (the traversal server); this database entry is needed on Expressway-E only.

Procedure

Step 1

Navigate to Configuration > Authentication > Devices > Local database.

Step 2

Click New.

Step 3

Enter the same username and password that were configured in the Connection credentials of the traversal client zone on Expressway-C.
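Most traversal zone failures come from the two halves drifting apart: different ports, a TLS verify subject name that does not match the Expressway-C certificate, or a local database entry whose password no longer matches the client zone. The following Python is an added example (not Cisco code) that cross-checks the traversal client zone on Expressway-C, the traversal server zone on Expressway-E and the Expressway-E local authentication database against the requirements stated above. The three configurations are constructed from the values used on this page; the 16-character minimum for the shared secret is a local policy assumption, not a Cisco requirement.

```python
"""Consistency check for an Expressway-C / Expressway-E traversal zone pair.

Added example, not Cisco code. CLIENT_ZONE, SERVER_ZONE and SERVER_LOCAL_DB
are constructed from the values used on this page.
"""

MIN_SECRET_LEN = 16  # assumption: local policy, not a Cisco requirement


def check_traversal_pair(client, server, server_local_db):
    """Return a list of mismatches; an empty list means the pair meets the
    requirements for a secure Unified Communications traversal zone."""
    problems = []

    # Both zones must use the same SIP port, SIP over TLS with certificate
    # verification, and forced media encryption.
    if client["port"] != server["port"]:
        problems.append(f"SIP port mismatch: Expressway-C {client['port']} vs Expressway-E {server['port']}")
    for side, zone in (("Expressway-C", client), ("Expressway-E", server)):
        if zone["transport"] != "TLS":
            problems.append(f"{side}: SIP transport must be TLS, found {zone['transport']}")
        if not zone["tls_verify"]:
            problems.append(f"{side}: TLS verify mode must be On")
        if zone["media_encryption"] != "Force encrypted":
            problems.append(f"{side}: media encryption mode must be Force encrypted")

    # Expressway-E verifies the client certificate against its configured
    # subject name, which must be the FQDN in the Expressway-C certificate.
    if server["tls_verify_subject_name"].lower() != client["fqdn"].lower():
        problems.append(
            f"Expressway-E: TLS verify subject name {server['tls_verify_subject_name']!r} "
            f"does not match Expressway-C FQDN {client['fqdn']!r}"
        )
    # Expressway-C dials the peer address and verifies the server certificate
    # against it, so it must be the FQDN in the Expressway-E certificate.
    if client["peer_address"].lower() != server["fqdn"].lower():
        problems.append(
            f"Expressway-C: peer address {client['peer_address']!r} "
            f"does not match Expressway-E FQDN {server['fqdn']!r}"
        )

    # The connection credentials presented by Expressway-C must exist in the
    # Expressway-E local authentication database with the same password.
    user = client["username"]
    if user not in server_local_db:
        problems.append(f"Expressway-E local database has no entry for {user!r}")
    elif server_local_db[user] != client["password"]:
        problems.append(f"password for {user!r} differs between the Expressway-C zone and the Expressway-E local database")
    if len(client["password"]) < MIN_SECRET_LEN:
        problems.append(f"shared secret is shorter than {MIN_SECRET_LEN} characters (policy assumption)")
    return problems


# Constructed configurations mirroring the page's example values.
CLIENT_ZONE = {  # Expressway-C, traversal client zone
    "fqdn": "vcs-c.internal-domain.net",
    "peer_address": "vcs-e.example.com",
    "port": 7001,
    "transport": "TLS",
    "tls_verify": True,
    "media_encryption": "Force encrypted",
    "username": "admin",
    "password": "Tz9!vq4Lm2#pR8wXs1Yb",  # constructed example secret
}
SERVER_ZONE = {  # Expressway-E, traversal server zone
    "fqdn": "vcs-e.example.com",
    "tls_verify_subject_name": "vcs-c.internal-domain.net",
    "port": 7001,
    "transport": "TLS",
    "tls_verify": True,
    "media_encryption": "Force encrypted",
}
SERVER_LOCAL_DB = {"admin": "Tz9!vq4Lm2#pR8wXs1Yb"}  # Expressway-E local database

if __name__ == "__main__":
    for problem in check_traversal_pair(CLIENT_ZONE, SERVER_ZONE, SERVER_LOCAL_DB) or ["no problems found"]:
        print(problem)
```

Feed it the values from both web interfaces before restarting either system; a TLS verify subject name taken from a different domain than the Expressway-C certificate (as in the "vcs-c.nsite.com" example earlier on this page, if the certificate actually says vcs-c.internal-domain.net) is reported as a mismatch.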


Mobile and Remote Access on Expressway

Cisco Unified Communications mobile and remote access is a core part of the Cisco Collaboration Edge architecture. When an endpoint such as Cisco Jabber is not within the enterprise network, Cisco Unified Communications Manager (Unified CM) provides the registration, call control, provisioning, messaging and presence services. Expressway provides secure firewall traversal and line-side support for Unified CM registrations.

The Mobile and Remote Access via Cisco Expressway Deployment Guide provides the information you need to configure mobile and remote access. Of particular interest in an HCS environment are the following topics.

Topics to Review

Why You Should Review It

"Mobile and Remote Access Overview"

The architecture, call flow, deployment scope, ports, and Jabber client connectivity.

"Configuration Prerequisite"

  • Required version for the components.

  • Configuration recommendation and requirements for IP Addresses, Network Domain, DNS, Firewall, Bandwidth Restriction, Jabber Client, Unified CM, IM and Presence Service, and Endpoints.

  • Configurations required on Expressway-E and the Expressway-C.

"Configuring Mobile and Remote Access on Expressway"

Details on setting up the Expressway-C and the Expressway-E

"Checking the Status of Unified Communications Services"

Instructions for verifying UC services on Expressway-C and Expressway-E

"Mobile and Remote Access Port Reference"

The summary of the ports that can be used between your internal network (where Expressway-C is located) and the DMZ (where Expressway-E is located) and the public Internet. See the Cisco Expressway IP Port Usages guide for detailed information.

"SIP Trunks Between Unified CM and Expressway-C"

The explanation of the use of SIP trunks.

"Deployment Scenarios"

Details of the supported Mobile and Remote Access deployments, which are based on one-to-one Unified Communications zones between Expressway-C clusters and Expressway-E clusters.

"Supported and Unsupported Features When Using Mobile and Remote Access"

Lists the supported features and unsupported features based on the Mobile and Remote Access deployment.

You can find the Mobile and Remote Access via Cisco Expressway Deployment Guide here: http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html.

Prerequisites

Table 3. Prerequisites for Mobile and Remote Access

Prerequisite Category

Description

Software

The following software versions are supported:

  • Cisco Expressway X8.1.1 or later

  • Unified CM 9.1(2)SU1 or later and IM & Presence 9.1(1) or later

Clients

The following clients are supported:

  • Cisco Jabber for Windows 9.7 or later

  • Cisco Jabber for Android 9.6 or later

  • Cisco Jabber for iOS (iPhone and iPad) 9.6.1 or later

  • Cisco TelePresence endpoints and codecs running TC7.0.1 or later firmware

Firewalls

Ensure that the relevant ports have been configured on the firewalls between your internal network (where Expressway-C is located) and the DMZ (where Expressway-E is located), and between the DMZ and the public Internet, as described in Create the Over-the-Top Data Center Network.

Cisco Unified Communications Manager

For multiple Cisco Unified Communications Manager (Unified CM) clusters, configure Intercluster Lookup Service on all the clusters. This configuration allows the VCS to authenticate a client against its home cluster by sending a User Data Service query to a Unified CM node.

Ensure that the Maximum Session Bit Rate for Video Calls between and within regions is set to a suitable upper limit for your system. For example, 6000 kbps. Use the System > Region Information > Region menu path.

You can configure Unified CM Phone Security Profiles that use TLS for devices requiring remote access. For these profiles, configure the Name as an FQDN that includes the enterprise domain, for example jabber.secure.example.com, so that the name can be included in the Subject Alternative Name list of the Expressway-C server certificate. Also ensure that the SIP phone port is set to 5061. Use the System > Security > Phone Security Profile menu path.

If you configured Unified CM servers by Hostname (rather than IP address), then ensure that those hostnames are resolvable by the VCS Control. Hostnames in FQDN format are not supported. Use the System > Server menu path.

If you use secure profiles, ensure that the root CA of the authority that signed the VCS Control certificate is installed as a CallManager-trust certificate. Use the Security > Certificate Management menu path in the Cisco Unified OS Administration application.

Configure the Cisco AXL Web Service as active on the Unified CM publishers used to discover the Unified CM servers that you use for remote access. Select the Cisco Unified Serviceability application and go to Tools > Service Activation.

We recommend that you configure remote and mobile devices (either directly or by Device Mobility) to use publicly accessible NTP servers.

  • Configure a public NTP server: System > Phone NTP Reference.
  • Add the NTP reference to a date and time group: System > Date/Time.
  • Assign the date and time group to the endpoint's device pool: System > Device Pool.

IM and Presence

Ensure that the Cisco AXL Web Service is active on the Cisco Unified Communications Manager IM and Presence Service publishers used to discover the IM and Presence Service servers that are used for remote access. Select the Cisco Unified Serviceability application and go to Tools > Service Activation.

Expressway-C Configuration

This section describes the configuration steps required on the Expressway-C.

Configure the Expressway-C for Unified Communications

Use the following procedure to enable mobile and remote access functionality.

Procedure


Step 1

Navigate to Configuration > Unified Communications > Configuration.

Step 2

Set Unified Communications mode to Mobile and remote access.

Step 3

Click Save.


Configure the Domains to Route to Cisco Unified CM

Configure the domains for which registration, call control, provisioning, messaging, and presence services are routed to Cisco Unified Communications Manager (Unified CM).

Procedure


Step 1

On Expressway-C, navigate to Configuration > Domains.

Step 2

Select the domains (or create a new domain) for which services are routed to Unified CM.

Step 3

Turn on the services for each domain that Expressway is to support.


The services that can be turned on for each domain are:

SIP registrations and provisioning on Expressway. Expressway is authoritative for this SIP domain, acts as a SIP registrar and presence server for it, and accepts registration requests from SIP endpoints that try to register with an alias in this domain. Set to Off for this deployment.

SIP registrations and provisioning on Unified CM. Unified CM services endpoint registration, call control, and provisioning for this SIP domain. Expressway acts as a Unified Communications (UC) gateway that provides secure firewall traversal and line-side support for Unified CM registrations. Set to On.

IM and Presence Service on Unified CM. Instant messaging and presence services for this SIP domain are provided by the Unified CM IM and Presence Service. Turn on if IM and Presence services are provided for the domain.

Turn on all applicable services for each domain. For example, the following can share the same domain:
  • Jabber or EX Series devices that require line-side UC support

  • Endpoints that require Expressway support, such as third-party SIP or H.323 devices. The signaling messages sent from the endpoint indicate whether line-side UC or Expressway support is required.

Discover Unified CM and IM and Presence Servers

The Expressway-C must be configured with the address details of the Cisco Unified Communications Manager and IM and Presence servers that provide registration, call control, provisioning, messaging, and presence services.


Note

You do not need to configure Unified CM IM and Presence servers for the hybrid deployment model.

Upload the Unified CM IM and Presence Service Tomcat Certificate

The default (and recommended) setting for TLS verify mode is On. When the setting is On during discovery of Unified CM IM and Presence Service servers, the Expressway-C must trust the Tomcat certificate for those servers.

Procedure


Step 1

Determine the relevant Certificate Authority (CA) certificates to upload.

  1. If the servers use self-signed certificates, the Expressway-C's trusted CA list must include the Tomcat certificate from every IM and Presence server.

  2. If the servers use CA-signed certificates, the Expressway-C's trusted CA list must include the root CA of the issuer of the Tomcat certificates.

Step 2

Upload the trusted CA certificates to the Expressway-C: Maintenance > Security certificates > Trusted CA certificate.

Step 3

Restart the Expressway-C for the new trusted CA certificates to take effect: Maintenance > Restart options.


Configure Cisco Unified CM IM and Presence Servers

Configure the Cisco Unified Communications Manager IM and Presence Service servers used for remote access.

Procedure


Step 1

On Expressway-C, navigate to Configuration > Unified Communications > IM and Presence servers. The resulting page displays any servers that have been configured.

Step 2

Add publisher details:

  1. Click New.

  2. Enter the IM and Presence publisher address and the Username and Password credentials required to access the server. The address can be specified as an FQDN or as an IP address. These credentials are stored permanently in the Expressway database. The IM and Presence Service user must have the Standard AXL API Access role.

  3. We recommend setting TLS verify mode to On. This setting ensures that the Expressway verifies the Tomcat certificate presented by the IM and Presence Service server for XMPP-related communications.

    • If the servers use self-signed certificates, the Expressway-C's trusted CA list must include the Tomcat certificate from every IM and Presence server.
    • If the servers use CA-signed certificates, the Expressway-C's trusted CA list must include the root CA of the issuer of the Tomcat certificates.
  4. Click Add address. The system contacts the publisher and retrieves details of its associated nodes.

    The status of the IM and Presence Service server is Inactive until a valid traversal zone connection between the Expressway-C and the Expressway-E is established. For more information, see Set up Secure VCS Traversal Zones.

Step 3

Repeat step 2 for every IM and Presence Service cluster.

Step 4

After configuring multiple publisher addresses, you can click Refresh servers to refresh the details of the nodes associated with selected addresses.


Configure Cisco Unified CM Servers

Configure the Cisco Unified Communications Manager servers used for remote access.

Procedure


Step 1

On Expressway-C, navigate to Configuration > Unified Communications > Unified CM servers. The resulting page displays any servers that have been configured.

Step 2

Add the details of a Unified CM publisher.

  1. Click New.

  2. Enter the Unified CM publisher address and the Username and Password credentials of an application user account that can access the server. The address can be specified as an FQDN or as an IP address. These credentials are stored permanently in the Expressway database. The Unified CM user must have the Standard AXL API Access role.

  3. We recommend setting TLS verify mode to On. This setting ensures that the Expressway verifies the Tomcat certificate presented by the Unified CM server for SIP-related communications.

    • If the server uses self-signed certificates, the Expressway-C's trusted CA list must include the Tomcat certificate and the Unified CM certificate (for subsequent SIP traffic) from every Unified CM server.
    • If the server uses CA-signed certificates, the Expressway-C's trusted CA list must include the root CA of the issuer of the Tomcat certificate and the Unified CM certificate.
  4. Click Add address. The system contacts the publisher and retrieves details of its associated nodes.

Step 3

Repeat step 2 for every Unified CM cluster.


Automatically Generated Zones and Search Rules

Expressway-C automatically generates non-configurable neighbor zones between itself and each discovered Cisco Unified Communications Manager (Unified CM) node. A TCP zone is always created, and a TLS zone is also created if the Unified CM node is configured with a Cluster Security Mode of 1 (Mixed). This setting enables the node to support devices provisioned with secure profiles. You can set the mode at System > Enterprise Parameters > Security Parameters.

The TLS zone is configured with its TLS verify mode set to On if the Cisco Unified Communications Manager discovery had TLS verify mode enabled. This means that the Expressway-C verifies the Unified CM certificate for subsequent SIP communications. Each zone is created with a name in one of the following formats:
  • CEtcp-<node name>

  • CEtls-<node name>

A non-configurable search rule, following the same naming convention, is also created automatically for each zone. The rules are created with a priority of 45. When a search rule targets a Unified CM node that has a long name, the search rule uses a regex for its address pattern match.

Unified CM manages load balancing when it passes routing information back to the registering endpoints.

Add Cisco Unity Connection to the HTTP Server Allow List

Use this procedure to add Cisco Unity Connection in Expressway-C to allow communication between an Expressway endpoint and Cisco Unity Connection for voicemail retrieval.

Procedure


Step 1

Navigate to Configuration > Unified Communications > Configuration.

Step 2

Click the Configure HTTP server allow list under Advanced.

Step 3

Select New and add the hostname or IP address of the Cisco Unity Connection server.

Step 4

Click Save.


Configuring Expressway-E

This section describes the configuration steps required on the Expressway-E.

Configure the Expressway-E for Unified Communications

Use this procedure to enable mobile and remote access functionality.

Procedure


Step 1

Navigate to Configuration > Unified Communications > Configuration.

Step 2

Set Unified Communications mode to Mobile and remote access.

Step 3

Click Save.


Set up Expressway Security Certificates

This deployment requires secure communications between the Expressway-C and the Expressway-E, and between the Expressway-E and endpoints located outside the enterprise.

Procedure


Step 1

Install a suitable server certificate on both the Expressway-C and the Expressway-E. The certificate on each Expressway has different requirements. For more information, see Expressway-C Server Certificate Requirements and Expressway-E Server Certificate Requirements.

  • The certificate must include the Client Authentication extension. You cannot upload a server certificate without this extension when mobile and remote access is enabled.
  • The Expressway includes a built-in mechanism to generate a certificate signing request (CSR), which is the recommended method for generating a CSR. This CSR includes the client authentication request and helps ensure that each Expressway certificate includes the correct subject alternate names for Unified Communications. The CSR also helps to establish a secure traversal zone. Ensure that the Certificate Authority (CA) that signs the request does not strip out the client authentication extension.
  • To generate a CSR or to upload a server certificate, navigate to Maintenance > Security certificates > Server certificate. Restart the Expressways to enable the new server certificate.
Step 2

On both Expressways, install the trusted CA certificates of the authority that signed the Expressway's server certificates. If appropriate, also install the certificates of the authority that signed the endpoint certificates. The Expressway-C must also trust the Unified CM and IM and Presence Tomcat certificate.

  1. To upload the trusted CA certificates, navigate to Maintenance > Security certificates > Trusted CA certificate.

  2. Restart the Expressways to enable the new trusted CA certificates.


Expressway-C Server Certificate Requirements

The Expressway-C server certificate must include the following elements in its list of subject alternate names.

  • Chat Node Aliases. The aliases are configured on the IM and Presence servers. They are required only for Unified Communications XMPP federation deployments that use both TLS and group chat. The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM and Presence servers.

  • Phone Security Profiles. The profile names are in FQDN format in Unified CM, configured for encrypted TLS, and used for devices that require remote access. Unified CM can communicate with Expressway-C over a TLS connection when it forwards messages from devices that are configured with the security profiles.

You can upload a new certificate if chat node aliases are added or renamed or if new phone security profiles are added. Restart the Expressway-C to enable any new uploaded server certificate.

Expressway-E Server Certificate Requirements

The Expressway-E server certificate must include the following elements in its list of subject alternate names.

  • All domains that are configured for Unified Communications. They are required for secure communications between endpoint devices and Expressway-E. Include the email address domain of the client application, such as Jabber, and any presence domains (as configured on the Expressway-C), if they are different. You do not need to include the domains in DNS-SEC deployments.
  • The same Chat Node Aliases that you included for the Expressway-C's certificate, if you are deploying federated XMPP. You can view and copy the list of required aliases from the Generate CSR page on the Expressway-C.

You can upload a new certificate if new presence domains or chat node aliases are added to the system. Restart the Expressway-E to enable any new uploaded server certificate.
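The Client Authentication extension requirement in Set up Expressway Security Certificates and the subject alternate name lists for the Expressway-C and Expressway-E certificates above are easy to get wrong when a CA re-issues a certificate. The following pre-flight check is an added example, not Cisco code: it reads the text that `openssl x509 -in server.pem -noout -ext subjectAltName,extendedKeyUsage` prints for an uploaded certificate and reports which required names are missing and whether the client authentication extension survived signing. The domain names, chat node alias, phone security profile name and certificate text are constructed for illustration, and the check assumes a non-DNSSEC deployment, where the Unified Communications domains must be present.

```python
"""Pre-flight check of an Expressway server certificate against the Client
Authentication and subject alternative name requirements.

Added example, not Cisco code. It parses the text printed by
  openssl x509 -in server.pem -noout -ext subjectAltName,extendedKeyUsage
and compares the SAN list with the names this deployment needs. All names
and certificate text below are constructed for illustration."""


def parse_openssl_ext(text):
    """Return (dns_sans, ekus) parsed from `openssl x509 -ext ...` output."""
    sans, ekus, section = set(), [], None
    for line in text.splitlines():
        if line.startswith("X509v3 Subject Alternative Name"):
            section = "san"
        elif line.startswith("X509v3 Extended Key Usage"):
            section = "eku"
        elif line.startswith(" ") and section == "san":
            for entry in line.split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS":
                    sans.add(value.strip().lower())
        elif line.startswith(" ") and section == "eku":
            ekus.extend(e.strip() for e in line.split(","))
        else:
            section = None  # header of some other extension, or a blank line
    return sans, ekus


def required_sans(role, uc_domains=(), presence_domains=(),
                  chat_node_aliases=(), phone_security_profiles=()):
    """SAN entries the certificate must carry for the given Expressway role."""
    if role == "expressway-e":
        need = set(uc_domains) | set(presence_domains) | set(chat_node_aliases)
    elif role == "expressway-c":
        need = set(chat_node_aliases) | set(phone_security_profiles)
    else:
        raise ValueError("role must be 'expressway-c' or 'expressway-e'")
    return {name.lower() for name in need}


def check_certificate(openssl_text, role, **names):
    """Report missing SANs and whether the Client Authentication EKU is present."""
    sans, ekus = parse_openssl_ext(openssl_text)
    missing = sorted(required_sans(role, **names) - sans)
    client_auth = "TLS Web Client Authentication" in ekus
    return {"missing_sans": missing, "client_auth": client_auth,
            "ok": client_auth and not missing}


# Constructed deployment names (UC domain, presence domain, chat node alias).
DEPLOYMENT = dict(uc_domains=["example.com"],
                  presence_domains=["im.example.com"],
                  chat_node_aliases=["conference-2-StandAloneCluster.example.com"])

# Constructed openssl output for a certificate the CA re-issued without the
# client authentication extension and without the presence domain.
BAD_CERT_TEXT = """\
X509v3 Subject Alternative Name: 
    DNS:expe.example.com, DNS:example.com, DNS:conference-2-StandAloneCluster.example.com
X509v3 Extended Key Usage: 
    TLS Web Server Authentication
"""

# Constructed openssl output for a certificate that meets the requirements.
GOOD_CERT_TEXT = """\
X509v3 Subject Alternative Name: 
    DNS:expe.example.com, DNS:example.com, DNS:im.example.com, DNS:conference-2-StandAloneCluster.example.com
X509v3 Extended Key Usage: 
    TLS Web Server Authentication, TLS Web Client Authentication
"""

if __name__ == "__main__":
    for label, text in (("bad", BAD_CERT_TEXT), ("good", GOOD_CERT_TEXT)):
        print(label, check_certificate(text, "expressway-e", **DEPLOYMENT))
```

Run the check against both the Expressway-C and the Expressway-E certificate before uploading; for the Expressway-C pass the chat node aliases and the phone security profile names instead of the domains. A `client_auth` of False means the CA stripped the extension and the upload will be refused while mobile and remote access is enabled.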

Set up Secure VCS Traversal Zones

To support Unified Communications features such as mobile and remote access, there must be a secure traversal zone connection between the Expressway-C and the Expressway-E.

The traversal client zone and the traversal server zone must be configured to use SIP TLS with TLS verify mode set to On. Media encryption mode must be Force encrypted.

Both Expressways must trust each other's server certificate, because each Expressway acts as both client and server.

To set up a secure traversal zone, configure your Expressway-C and Expressway-E as follows.

Procedure

Step 1

Navigate to Configuration > Zones > Zones.

Step 2

Click New.

Step 3

Complete the Configuration fields as follows:

  1. Name: TraversalZone

  2. Hop count: 15

Step 4

Complete the Connection credential fields as follows:

  1. Username: admin

  2. Password: password

Step 5

Complete the H.323 fields as follows:

  1. Mode: Off

  2. Protocol: Assent

  3. H.460.19 demultiplexing mode: Off

Step 6

Complete the SIP fields as follows:

  1. Mode: On

  2. Port: 7001

  3. Transport: TLS

  4. Unified Communications services: Yes. Enable this field on only one traversal zone per Expressway.

  5. TLS verify mode: On

  6. TLS verify subject name: vcs-c.nsite.com

  7. Accept proxied registrations: Allow

  8. Media encryption mode: Force encrypted

  9. ICE support: Off

  10. Poison mode: Off

Step 7

Click Create zone.


Check the Status of Unified Communications Services

You can check the status of the Unified Communications services on both Expressway-C and Expressway-E.

Procedure


Step 1

Navigate to Status > Unified Communications.

Step 2

Review the list and status of domains, zones, and (Expressway-C only) Cisco Unified Communications Manager and IM and Presence servers. Configuration errors are listed, along with links to the relevant configuration page from where you can address the issue.


Unified Communications Port Reference

This section summarizes the ports that must be open on the firewalls in the following locations.
  • Between your internal network (where the Expressway-C is located) and the DMZ (where the Expressway-E is located)

  • Between the DMZ and the public Internet

Table 4. Outbound from Expressway-C (Private) to Expressway-E (DMZ)

| Purpose                       | Protocol | Expressway-C (source) | Expressway-E (listening) |
|-------------------------------|----------|-----------------------|--------------------------|
| XMPP (IM and Presence)        | TCP      | Ephemeral port        | 7400                     |
| SSH (HTTP/S tunnels)          | TCP      | Ephemeral port        | 2222                     |
| Traversal zone SIP signaling  | TLS      | 25000 to 29999        | 7001                     |
| Traversal zone SIP media      | UDP      | 36002 to 59999 *      | 36000 to 36001 *         |

Table 5. Outbound from Expressway-E (DMZ) to the Public Internet

| Purpose        | Protocol | Expressway-E (source) | Internet endpoint (listening) |
|----------------|----------|-----------------------|-------------------------------|
| SIP media      | UDP      | 36002 to 59999 *      | >= 1024                       |
| SIP signaling  | TLS      | 25000 to 29999        | >= 1024                       |

Table 6. Inbound from the Public Internet to Expressway-E (DMZ)

| Purpose                        | Protocol | Internet endpoint (source) | Expressway-E (listening) |
|--------------------------------|----------|----------------------------|--------------------------|
| XMPP (IM and Presence)         | TCP      | >= 1024                    | 5222                     |
| HTTP proxy (UDS)               | TCP      | >= 1024                    | 8443                     |
| Media                          | UDP      | >= 1024                    | 36002 to 59999 *         |
| SIP signaling                  | TLS      | >= 1024                    | 5061                     |
| HTTPS (administrative access)  | TCP      | >= 1024                    | 443                      |

Table 7. From Expressway-C to Unified CM and Cisco Unity Connection

| Purpose                              | Protocol | Expressway-C (source) | Cisco Unified Communications Manager (listening) |
|--------------------------------------|----------|-----------------------|--------------------------------------------------|
| XMPP (IM and Presence)               | TCP      | Ephemeral port        | 7400 (IM and Presence)                           |
| HTTP proxy (UDS)                     | TCP      | Ephemeral port        | 8443 (Cisco Unified Communications Manager)      |
| HTTP (configuration file retrieval)  | TCP      | Ephemeral port        | 6970                                             |
| Cisco Unity Connection (voicemail)   | TCP      | Ephemeral port        | 443 (Cisco Unity Connection)                     |
| Media                                | UDP      | 36002 to 59999 *      | >= 1024                                          |
| SIP signaling                        | TCP/TLS  | 25000 to 29999        | 5060/5061                                        |

* The default media port range of 36000 to 59999 applies to new installations of X8.1 or later. The first two ports in the range are used for multiplexed traffic only. With large VM deployments, the first 12 ports in the range (36000 to 36011) are used. The previous default range of 50000 to 54999 still applies to earlier releases that have upgraded to X8.1.

Notes:

  • Ports 8191/8192 TCP and 8883/8884 TCP are used internally within the Expressway-C and the Expressway-E applications. Therefore these ports must not be allocated for any other purpose.
  • The Expressway-E listens externally on ports 7400 and 8883. We recommend that you create custom firewall rules on the external LAN interface to drop TCP traffic on those ports.

The Expressway-E listens on port 2222 for SSH tunnel traffic. The only legitimate sender of such traffic is the Expressway-C (cluster). We recommend that you create the following firewall rules for the SSH tunnels service:

  • One or more rules to allow all the Expressway-C peer addresses (using the internal LAN interface, if appropriate).
  • A lower priority (higher number) rule that drops all traffic for the SSH tunnels service on the internal LAN interface, if appropriate. If so, create another rule to drop all traffic on the external interface.
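The port reference and the SSH tunnel rule recommendations above can be turned into an automated check of a candidate firewall policy before it is pushed to the ASA context in front of the Expressway-E. The following is an added example, not Cisco code and not ASA syntax: rules are evaluated first-hit in ascending priority number, as on an access list, and a weak policy (catch-all permit toward the DMZ, port 2222 open to the whole inside network) is audited beside a hardened one that follows the tables. The interface names, Expressway-C peer addresses, the inside network and the sample Internet address are constructed for illustration.

```python
"""Audit a candidate Expressway-E firewall policy against the port reference
and the SSH-tunnel rule recommendations.

Added example, not Cisco code or ASA syntax. Interface names, peer addresses
and networks below are constructed for illustration."""
import ipaddress

INSIDE, OUTSIDE = "inside", "outside"  # constructed interface names

# Flows the Expressway-E must accept from the public Internet (Table 6);
# the two UDP entries probe the ends of the default media range.
INTERNET_TO_EXPE = [("tcp", 5222), ("tcp", 8443), ("tcp", 5061), ("tcp", 443),
                    ("udp", 36002), ("udp", 59999)]
# Flows only the Expressway-C cluster may open to the Expressway-E (Table 4).
EXPC_TO_EXPE = [("tcp", 7400), ("tcp", 2222), ("tcp", 7001)]
# Ports that must be dropped on the external LAN interface (Notes above).
EXTERNAL_DROP = [("tcp", 7400), ("tcp", 8883), ("tcp", 2222)]


def rule(priority, action, iface, proto, src, ports):
    """One access-list entry. `src` is a CIDR string, `ports` is (low, high)."""
    return {"priority": priority, "action": action, "iface": iface,
            "proto": proto, "src": ipaddress.ip_network(src), "ports": ports}


def first_match(rules, iface, proto, src_ip, dport):
    """First-hit evaluation in ascending priority; unmatched traffic is dropped."""
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["iface"] != iface or r["proto"] not in (proto, "any"):
            continue
        if ip not in r["src"] or not (r["ports"][0] <= dport <= r["ports"][1]):
            continue
        return r["action"]
    return "drop"


def audit(rules, expc_peers, internet_ip="198.51.100.7", rogue_inside_ip="10.0.20.5"):
    """Return a list of findings; an empty list means the policy matches the reference."""
    findings = []
    for proto, port in INTERNET_TO_EXPE:
        if first_match(rules, OUTSIDE, proto, internet_ip, port) != "allow":
            findings.append(f"required inbound {proto}/{port} from the Internet is blocked")
    for peer in expc_peers:
        for proto, port in EXPC_TO_EXPE:
            if first_match(rules, INSIDE, proto, peer, port) != "allow":
                findings.append(f"Expressway-C peer {peer} cannot reach {proto}/{port}")
    for proto, port in EXTERNAL_DROP:
        if first_match(rules, OUTSIDE, proto, internet_ip, port) != "drop":
            findings.append(f"{proto}/{port} is exposed on the external interface")
    if first_match(rules, INSIDE, "tcp", rogue_inside_ip, 2222) != "drop":
        findings.append("SSH tunnel port 2222 accepts hosts other than the Expressway-C peers")
    return findings


EXPC_PEERS = ["10.0.10.11", "10.0.10.12"]  # constructed Expressway-C cluster addresses

# Weak policy: catch-all permit toward the DMZ, and 2222 open to the whole inside network.
WEAK_POLICY = [
    rule(10, "allow", OUTSIDE, "any", "0.0.0.0/0", (1, 65535)),
    rule(10, "allow", INSIDE, "tcp", "10.0.0.0/8", (1, 65535)),
]

# Hardened policy: only the documented inbound ports, explicit drops for the
# internal-only ports, SSH tunnels allowed from the peers and then dropped.
HARDENED_POLICY = (
    [rule(10, "allow", OUTSIDE, "tcp", "0.0.0.0/0", (p, p)) for p in (5222, 8443, 5061, 443)]
    + [rule(20, "allow", OUTSIDE, "udp", "0.0.0.0/0", (36002, 59999)),
       rule(30, "drop", OUTSIDE, "tcp", "0.0.0.0/0", (1, 65535))]
    + [rule(10, "allow", INSIDE, "tcp", f"{peer}/32", (p, p))
       for peer in EXPC_PEERS for p in (7400, 2222, 7001)]
    + [rule(90, "drop", INSIDE, "tcp", "0.0.0.0/0", (2222, 2222))]
)

if __name__ == "__main__":
    print("weak:", audit(WEAK_POLICY, EXPC_PEERS))
    print("hardened:", audit(HARDENED_POLICY, EXPC_PEERS))
```

The audit deliberately probes with addresses that are not Expressway-C peers: the internal-only ports 7400, 8883 and 2222 are services the Expressway-E really listens on, so a catch-all permit exposes them even though no documented flow needs them from the Internet.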

Requirements for SIP Trunks Between Cisco Unified CM and Expressway-C

Expressway deployments for mobile and remote access do not require SIP trunk connections between Cisco Unified Communications Manager (Unified CM) and Expressway-C. The neighbor zones that are automatically generated between Expressway-C and each discovered Unified CM node are not SIP trunks.

Enable Security on the Cisco Unified CM IM and Presence Service Server

Use the procedure to enable security settings.

Procedure


Step 1

Enable TLS for establishing a TLS session between Expressway and the Cisco Unified Communications Manager IM and Presence Service server. In General Settings, specify TLS in SIP Intra-cluster Proxy-to-Proxy Transport Protocol.

Step 2

In User Assignment, verify the status of the user profile synchronization on the Unified CM.


Jabber Guest Server for a Dedicated Instance

Cisco Jabber Guest promotes interactive, instant customer-to-employee voice, high-definition video, and data sharing from public websites and mobile devices. This section describes how to set up a Jabber Guest Server that enables a guest (nonregistered user) to begin video communications with a single click. Guests can begin video with users within an enterprise or by remote access (OTT).

Deploy an OVA File to a Host Using vCenter

These instructions represent a typical installation. The Deploy OVF Template wizard dynamically changes to reflect your host configuration.

Procedure


Step 1

If the .ova (OVA) file is already loaded onto the ESXi Host data store (for example, in Cisco Business Edition 6000 deployments), take the following steps:

  1. Using a web browser, go to https://<VMwareHost>/folder, supplying any required credentials (typically the same username and password used to sign in to vCenter).

  2. In the index of data centers, find the OVA file you want to deploy from the data store.

  3. Right-click the OVA file and select Copy Link Location.

Step 2

Log in to vCenter to access the ESXi Host.

Step 3

Select File > Deploy OVF Template.

Step 4

On the Source page, identify the location of the OVA file, and then click Next.

  • If the OVA file is already loaded onto the ESXi Host data store, paste the URL you copied from step 1. If necessary, enter username and password credentials so that vCenter can access the web server.

  • If the OVA file is not loaded on the data store, Browse to the location of the OVA file.

Step 5

On the OVF Template Details page, verify that the Publisher certificate is valid and click Next.

Step 6

On the End User License Agreement page, read and accept the EULA, click Accept, and then Next.

Step 7

On the Name and Location page, enter a Name for the Expressway VM guest and click Next.

Step 8

On the Deployment Configuration page, select the appropriate deployment size:

  • Select Small, Medium, or Large depending on the capabilities of the VMware host. The default is Medium. If the VMware host has insufficient resources, the virtual Expressway fails to power on or boot.

  • Click Next.

Step 9

On the Host / Cluster page, select where you want to run the virtual Expressway and click Next.

Step 10

On the Resource Pool page, select where you want to run the virtual Expressway and click Next.

Step 11

On the Storage page, select the location for deploying the virtual Expressway and click Next.

Step 12

On the Disk Format page, select the disk format of Thick Provision Lazy Zeroed and click Next.

Thin Provision is not supported because VM performance can degrade during resizing of a partition.

Step 13

On the Network Mapping page, select the network mapping that applies to your infrastructure (the default is VM Network) and click Next.

Step 14

On the Properties page, configure the network properties of the virtual Expressway and click Next. Properties include the Expressway's IPv4 Address, IPv4 Netmask, and IPv4 Gateway. You can also enable IPv6 support and specify the equivalent IPv6 addresses.

Step 15

On the Ready to Complete page:

  • Confirm the deployment settings.

  • Select the Power on after deployment check box.

  • Click Finish.

The installation process begins and a progress bar is displayed.

The OVA file is now deployed as a Guest on the VM Host and you can access the Expressway using a web browser.

What to do next

Order your release key. For more information, see Ordering and Entering Release and Option Keys.

Configure the VM Guest (vSphere Clients)

Procedure


Step 1

Select the VM guest and then select the Console tab.

The VM guest boots, creates its second hard disk partition, and then reboots to a sign-in prompt. You can ignore any RELEASE KEY INVALID messages that appear.

Step 2

At the sign-in prompt, enter admin for the username and TANDBERG for the password.

Step 3

At the Install Wizard prompt, type y and then press Enter.

Step 4

Follow the Install Wizard to enter the network IP information for the Expressway. You can enter default values by pressing Enter at the prompt.

When the wizard completes, the configuration is applied and the Expressway logs you out.

Step 5

Sign in to the Expressway as an administrator and then type xcommand boot to reboot the VM guest.

You can access the Expressway using a web browser.

What to do next

Order your release key. For more information, see Ordering and Entering Release and Option Keys.

Ordering and Entering Release and Option Keys

After you deploy the Expressway OVA file, order your release key.

Procedure


Step 1

Sign in to the Expressway from a web browser as an administrator with the default password of TANDBERG.

Step 2

Get the release and option keys:

  1. Navigate to Maintenance > Option keys.

  2. Copy the Hardware serial number.

  3. Use this serial number to order release and option keys for this VM Expressway.

Step 3

Sign in to the Expressway from a web browser as administrator.

Step 4

Enter the release and option keys:

  1. Navigate to Maintenance > Option keys.

  2. Enter the release key in the Release key field.

  3. Click Set release key.

  4. For each option key provided, enter the option key value in the Add option key field and click Add option.

    When the VM Expressway is installed, the banner area on the web interface shows 'Cisco TelePresence Video Communication Server'. After the Expressway Series option key is installed, the banner area changes to 'Cisco Expressway-C'. If you also install the Traversal Server option key, the banner area shows 'Cisco Expressway-E'.

Step 5

Reboot the Expressway to activate the licenses:

  1. Navigate to Maintenance > Restart options.

  2. Click Reboot.

Step 6

After the reboot, log in to the web interface and configure the Expressway, including changing any default passwords, configuring DNS, NTP, zones, search rules, as required. Use the Expressway Basic Configuration Deployment Guide to configure this VM Expressway.


What to do next

As a best practice, back up the Expressway configuration using the Expressway backup facility, and also take a VM snapshot. You can use the snapshot to restore a VM if it becomes damaged – the snapshot retains the existing license keys. If the VM is reinstalled instead of being restored, new license keys are required. See Cisco Expressway on Virtual Machine Installation Guide, Expressway X8.2 for information on taking and restoring snapshots.

Ethernet Interfaces (NICs)

In VM Expressway the LAN interfaces are Virtual NICs. Appropriate drivers are set up as VM Expressway is installed; configuration of IP addresses is carried out through the standard Expressway interface.

VM Expressway allocates 3 virtual NICs:

  • the first is used for the standard LAN 1 interface

  • the second is used if Dual Network interfaces is enabled (LAN 2)

  • the third is reserved for future use

Add URIs

Procedure


Step 1

Log in to Cisco Jabber Guest Administration.

Step 2

Click Links.

Step 3

Click New.

Step 4

Enter the URI name in the Destination field.

Step 5

Enter the display name for the endpoint in the Display Name field.

Step 6

Enter the caller ID in the Caller name field.

Step 7

Choose Always Active as the state.

Step 8

Click Update to add the link.


Create PAT Entries to Allow Traffic

Add a Second Route to Expressway-E

Use this procedure to add a second route to the Expressway-E for traffic between the Expressway-C and Expressway-E.

Procedure


Step 1

Sign in to the CLI as an administrator.

Step 2

Type N when prompted to Run Install Wizard.

Step 3

Enter the following commands one at a time. (Note: there are no prompts.)

  1. xconfig ip route 1 address: IP.ADD.RESS.### (Example 10.10.10.0)

  2. xconfig ip route 1 prefixlength: ### (Example 24)

  3. xconfig ip route 1 gateway: IP.ADD.RESS.### (Example 10.10.10.1)

  4. xconfig ip route 1 interface: LAN# (Example LAN2)


Install Server to vCenter Server

Procedure


Step 1

Download JabberGuest-10.x.x.x.iso.

Step 2

Extract the contents from the ISO file.

Step 3

Copy the .OVA to a location on your drive that is accessible to vSphere.

Step 4

Open the vSphere Client.

Step 5

Choose File > Deploy OVF Template.

Step 6

In the Source screen, browse to the location of the OVA package, and then click Next.

You can enter the URL in the text field if you know it.

Step 7

Verify the details in the OVF Template Details screen, and then click Next.

Step 8

In the Name and Location screen, enter a name for the virtual machine, select its location, and then click Next.

Step 9

In the Host / Cluster screen, select the virtual machine deployment cluster, and then click Next.

Step 10

In the Storage screen, select the virtual machine storage usage, and then click Next.

Step 11

In the Disk Format screen, select a Virtual Machine Disk (VMDK) provisioning format, and then click Next.

Step 12

In the Network Mapping screen, select the appropriate Destination Networks for OVA deployment, and then click Next.

Step 13

In the Properties screen, enter the network settings, and then click Next.

The virtual machine is set up with DHCP by default. You must provide the following to configure the virtual machine with a static IP address:

  • IP address

  • Network mask

  • Hostname

  • Gateway IP address

  • At least one DNS server IP address

Important 

Do not add leading zeros to the IP addresses or the addresses will not resolve as intended.

Step 14

Click Finish.


What to do next

To turn on the virtual machine after it has been created, in the console window select Power On.

Configure the appropriate SIP trunk in Cisco Unified Communications Manager or zones in Cisco TelePresence Video Communication Server depending on the type of server deployed in your network.


Note

If the virtual machine cannot acquire the IP address of your VLAN, it will show a bootup failure related to network eth0.


Sign In to Cisco Jabber Guest Administration

The Cisco Jabber Guest server is set up with default credentials.

Before you begin

You can access Cisco Jabber Guest Administration on Windows with:

  • Google Chrome 18 or later

  • Microsoft Internet Explorer 8 or later (32-bit only)

  • Mozilla Firefox 10 or later

You can access Cisco Jabber Guest Administration on Mac with:

  • Apple Safari 5 or later

  • Google Chrome 18 or later

  • Mozilla Firefox 10 or later

Your session times out after 30 minutes of inactivity.

Procedure


Step 1

From a compatible browser, navigate to the IP address or host name of your Cisco Jabber Guest server and append /admin/ to the URL.

Step 2

For Alias, enter admin.

Step 3

For Password, enter jabbercserver.

The first time that you sign in you must change your password.

Step 4

Enter a new password.


Sign In to Cisco Jabber Guest Server CLI

The Cisco Jabber Guest server command-line interface (CLI) is set up with default credentials.

Procedure


Step 1

For the user ID, enter root.

Step 2

For the password enter jabbercserver. The first time that you sign in, you must change the password.

Step 3

Enter a new password.


Install Certificate

When you install Cisco Jabber Guest, a self-signed certificate is installed by default. If you want, you can:

  • Install a certificate that is signed by a third party (a trusted certificate authority).

  • Install a certificate with additional distinguished name information.

  • Install a certificate that includes the intermediate certificate or the entire certificate trust chain.

Cisco Jabber Guest supports installing DER encoded certificates and PEM encoded certificates.


Important

The certificate signing request must be generated on the server on which you install the certificate. For this reason, we recommend that you obtain a new CA-signed certificate for your new install of Cisco Jabber Guest or use a self-signed certificate.


If you choose to use the certificate that is installed by default, you must generate a new self-signed certificate if the hostname of the server changes.

Install Certificate Signed by a Certificate Authority

The following procedure creates a certificate signing request in which the Distinguished Name (DN) information is composed of Common Name=<ip address> only. If your organization requires you to include additional DN information in your request, follow the instructions in the procedure, Install Certificate with Additional Distinguished Name Information.

If you have deployed a Cisco Jabber Guest cluster, you must install a certificate on each server in the cluster.

When you create the new certificate signing request, the current certificate becomes invalid.

Procedure

Step 1

Sign in to Cisco Jabber Guest Administration as an administrator.

Step 2

Click Settings, and then click Local SSL Certificate.

Step 3

Under Certificate Signing Request Options, click Create a New Certificate Signing Request.

Step 4

Click Download a certificate signing request.

A 4096-bit certificate signing request named csr.pem downloads.

Step 5

Send the certificate signing request to a trusted certificate authority.

Step 6

After you receive the signed certificate from the certificate authority:

  1. Click Choose File.

  2. Open the signed certificate.

  3. Click Install a Certificate Authority Signed Certificate.

Under Certificate Status, the following message appears:

This system has a certificate authority signed certificate

Step 7

Restart the virtual machine:

  1. Open vSphere Client.

  2. In the virtual machines and templates inventory tree, right-click the virtual machine.

  3. Choose Power > Restart Guest.


Generate New Self-Signed Certificate

If you are using the self-signed certificate that is installed by default and the hostname of the server changes, you must generate a new self-signed certificate.

When you generate a new self-signed certificate, the current certificate becomes invalid.

Procedure

Step 1

Sign in to Cisco Jabber Guest Administration as an administrator.

Step 2

Click Settings, and then click Local SSL Certificate.

Step 3

Click Generate a New Self-Signed Certificate.

The message Update successful appears.

Step 4

Restart the virtual machine:

  1. Open vSphere Client.

  2. In the virtual machines and templates inventory tree, right-click the virtual machine.

  3. Choose Power > Restart Guest.


Change Time Zone on Server

By default, the server time zone is set to Coordinated Universal Time (UTC). To change the time zone, use the following procedure.

The time zone change takes effect immediately.

Procedure


Step 1

Sign in to the server as root.

Step 2

Check the current time zone by executing the command: date.

The date and time appear in the format: ddd mmm dd hh:mm:ss UTC yyyy. For example: Fri Dec 20 16:57:18 UTC 2013.

Step 3

Change directory to /opt/cisco/webcommon/scripts:

cd /opt/cisco/webcommon/scripts

Step 4

Execute the timezone script:

./timezone

Step 5

Follow the on-screen instructions.

Step 6

At the confirmation message, type 1 for Yes.

Step 7

Verify that the server is set to your time zone by executing the command: date.

Step 8

Restart Tomcat:

service tomcat-as-standalone.sh restart

Deploying Cisco Jabber Guest Server for a Dedicated Instance

The Cisco Jabber Guest server must be configured to work with the other elements in your network.

The Cisco Jabber Guest Server Installation and Configuration Guide provides the information you need to deploy Cisco Jabber Guest Server. Use the table in this section to see the topics of particular interest in an HCS environment.

| Topics to Review                     | Why You Should Review It                                                                                                                   |
|--------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| "Prepare to Install"                 | Prerequisites                                                                                                                              |
| "Install Cisco Jabber Guest Server"  | Details on installing the server to vCenter, signing in to the administration interface, installing certificates, signing in to the CLI, and changing the time zone |
| "Perform Initial Setup"              | Details on configuring Expressway-C and Expressway-E                                                                                       |

You can find the Cisco Jabber Guest documentation here: http://www.cisco.com/c/en/us/support/unified-communications/jabber-guest/products-installation-guides-list.html.

Configuring Endpoints for Cisco Unified Communications Manager

Endpoint devices register to Cisco Unified Communications Manager (Unified CM). The Expressway acts as a Unified Communications (UC) gateway and provides mobile and remote access.

To configure your Expressway system for UC services, see the Unified Communications Mobile and Remote Access via Expressway Deployment Guide: http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-and-configuration-guides-list.html.

To configure Jabber endpoints, see the On-Premises Deployment for Cisco Jabber guide: http://www.cisco.com/c/en/us/support/unified-communications/jabber-windows/products-installation-guides-list.html.

  • The "Apply an IM and Presence Service" topic helps you associate a user with a UC Service Profile.

  • The "Configure User Associations" topic helps you associate a user with controlled devices. You can also use this topic to include Standard CCM End Users and Standard CTI Enabled users in the Access Control Group.

  • The "Create and Configure Cisco Jabber Devices" topic helps you associate a device with a profile and Directory Number.

  • The "Automatic Connection Setting for Service Discovery" topic helps you automatically discover servers.

To configure Cisco TelePresence System EX Series endpoint devices, see the following documents:

To manage the security of endpoint devices, you can configure the Certification Authority Proxy Function (CAPF) in Unified CM. For more information, see the Administration Guide for Cisco Unified Communications Manager: http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-maintenance-guides-list.html.

Configure Jabber End User

Follow the normal Jabber user configuration and server setup, as described in the Jabber setup guides, as needed for your deployment. Configuration requirements specific to the Expressway Over-the-Top deployment are noted below. Use the following table to select the appropriate device name for your product type.

Table 8. Outbound from Expressway-C (private) to Expressway-E (DMZ)
Device                Product Type                               Device Name
Jabber for Windows    Cisco Unified Client Services Framework    CSF[UserID]
Jabber for iPad       Cisco Jabber for Tablet                    TAB[UserID]
Jabber for iPhone     Cisco Dual Mode for iPhone                 TCT[UserID]
Jabber for Android    Cisco Dual Mode for iPhone                 BOT[UserID]
C/EX-series UA        Cisco TelePresence                         SEP[MAC address]

Procedure


Step 1

In Service Settings, enable the end user for IM and Presence service with the appropriate UC Service Profile.

Step 2

In Device Information, associate the user with the appropriate controlled devices.

Step 3

In Permissions Information, ensure "Standard CCM End Users" and "Standard CTI Enabled" are added in the Access Control Group.


Configure Jabber Phone

Procedure


Step 1

In Association, add the phone device with the appropriate profile and Directory Number.

Step 2

Map the device owner user ID on the device to link the service profile.

Step 3

Add the owner user ID in "Associate End Users" under the Directory Number configuration.


Configure Jabber Client

Procedure


Step 1

Install the Jabber client for your device normally. Set for "Auto" discovery of servers.

Step 2

Enter the user name of the end user with domain (enduser@domain.com). Allow Jabber to register. Presence, Softphone, and Voicemail should connect. Desk phone will not be available on the outside network.


Configure Jabber Optional Steps

Procedure


Step 1

If a secure device is required (on supported devices), first allow normal, non-secure registration. In Cisco Unified Communications Manager, go to Device, Phone, and click the subject CSF device. Scroll down to "Certification Authority Proxy Function (CAPF)".

Step 2

Change Certificate Operation in the drop-down list to Install/Upgrade, then click Save and Apply Config.

Step 3

Allow time for the operation to complete.

Step 4

When the CAPF function indicates "Successfully Completed", change the device security profile to "SIP Secure - Encrypted". Click Save and Apply Settings. The device should register securely.


EX Device

Before you begin

The EX endpoint must have the certificate authority's root certificate, and the Expressway-E certificate must include the domain name in its Subject Alternative Name field, for the device to register successfully. These issues were found when applying the 7.1.1 TC software to EX devices; they were not observed before 7.1.1. The baseline image for EX endpoints should be moved to 7.1.1, which also corrects the Heartbleed security issue.

Additionally, NTP server issues were observed. They are corrected by creating a new Phone NTP Reference that points to a public NTP server and a new Date/Time Group that uses that reference. The device pool in which the OTT device lives should be updated to use this group; create a new device pool for OTT endpoints that uses this Date/Time Group and accounts for the bandwidth needs of video endpoints. Documenting these new requirements is essential for proper field operation of OTT/Expressway EX endpoints.

In Cisco Unified Communications Manager, go to Device, Device Settings, Device Defaults and ensure that the Load Information for the EX device shows at least the 7.0.1 package. If it does not, install the package from OS Administration, Software Upgrades, Install/Upgrade.

Procedure


Step 1

Do a normal install of the EX phone. Associate with shared CSF device or other as necessary. Assign an end user to the device.

Step 2

Verify the end user Permissions Information has the appropriate permissions specified.


Configure EX Device Optional Steps

Procedure


Step 1

If a secure device is required, first allow normal, non-secure registration. In Cisco Unified Communications Manager, go to Device, Phone, and click the subject EX device. Scroll down to Certification Authority Proxy Function (CAPF).

Step 2

Change Certificate Operation in the drop-down list to Install/Upgrade. Click Save and Apply Config.

Step 3

Allow time for the operation to complete.

Step 4

When the CAPF function indicates "Successfully Completed", change the device security profile to "SIP Secure - Encrypted". Click Save and Apply Settings. The device should register securely.