Expressway for Mobile and Remote Access Deployments
Expressway for Mobile and Remote Access for Cisco Unified Communications Manager allows users to access their collaboration tools from outside the corporate firewall without a VPN client. Using Cisco collaboration gateways, the client can connect securely to your corporate network from remote locations such as public Wi-Fi networks or mobile data networks.
- Set up servers to support Expressway for Mobile and Remote Access using Cisco Expressway-E and Cisco Expressway-C.*
  See the following documents to set up the Cisco Expressway servers:
  - Cisco Expressway Basic Configuration Deployment Guide
  - Mobile and Remote Access via Cisco Expressway Deployment Guide
  * If you currently deploy a Cisco TelePresence Video Communications Server (VCS) environment, you can set up Expressway for Mobile and Remote Access. For more information, see Cisco VCS Basic Configuration (Control with Expressway) Deployment Guide and Mobile and Remote Access via Cisco VCS Deployment Guide.
- Add any relevant servers to the whitelist for your Cisco Expressway-C server to ensure that the client can access services that are located inside the corporate network.
  To add a server to the Cisco Expressway-C whitelist, use the HTTP server allow setting.
  This list can include the servers on which you host voicemail or contact photos.
- Configure an external DNS server that contains the _collab-edge DNS SRV record to allow the client to locate the Expressway for Mobile and Remote Access server.
- If you deploy a hybrid cloud-based architecture where the domain of the IM and presence server differs from the domain of the voice server, ensure that you configure the Voice Services Domain.
  The Voice Services Domain allows the client to locate the DNS server that contains the _collab-edge record. You can configure the voice services domain using one of the following methods:
  - Client configuration file (all Cisco Jabber clients)
  - Configuration URL (all Cisco Jabber clients except Cisco Jabber for Windows)
  - Installer options (Cisco Jabber for Windows only)
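An added example, not taken from Cisco's documentation: a Python check of the external _collab-edge SRV records for the Voice Services Domain, run against constructed dig-style output. The _tls label and port 8443 come from Cisco's MRA deployment guide rather than this page, and every domain and host name is a placeholder.

```python
import re

# Constructed sample of `dig +noall +answer` SRV output for an external zone.
# Domains and hosts are placeholders; the _tls label and port 8443 are
# assumptions taken from Cisco's MRA deployment guide, not from this page.
SAMPLE_ANSWERS = """\
_collab-edge._tls.voice.example.com. 300 IN SRV 10 20 8443 expe2.example.com.
_collab-edge._tls.voice.example.com. 300 IN SRV 10 80 8443 expe1.example.com.
_collab-edge._tls.voice.example.com. 300 IN SRV 20 10 8443 expe-dr.example.com.
_collab-edge._tls.voice.example.com. 300 IN SRV 5 10 8443 192.0.2.10.
"""

SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)
EXPECTED_PORT = 8443  # assumption: MRA port from Cisco's deployment guide


def collab_edge_targets(answers, domain):
    """Return (usable_targets, problems) for _collab-edge._tls.<domain>."""
    owner = f"_collab-edge._tls.{domain.rstrip('.').lower()}."
    usable, problems = [], []
    for line in answers.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m or m["owner"].lower() != owner:
            continue  # not an SRV answer for the domain the client queries
        target, port = m["target"].rstrip("."), int(m["port"])
        if re.fullmatch(r"[\d.]+", target):
            # An SRV target is a host name; an IP literal also cannot match
            # the name in the Expressway-E certificate.
            problems.append(f"{target}: SRV target must be a hostname, not an IP")
        elif port != EXPECTED_PORT:
            problems.append(f"{target}: unexpected port {port}")
        else:
            usable.append((int(m["prio"]), -int(m["weight"]), target))
    # Lowest priority value first; within one priority the heavier weight is
    # listed first (weights are selection odds, not a strict order).
    return [t for _, _, t in sorted(usable)], problems
```

Querying the IM and presence domain (im.example.com in this sample) returns no targets, which is the hybrid case where the Voice Services Domain has to be configured.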
Supported Services
The following table summarizes the services and functionality that are supported when the client uses Expressway for Mobile and Remote Access to remotely connect to Cisco Unified Communications Manager.
Service | Supported | Unsupported | |
---|---|---|---|
Directory |
|||
UDS directory search |
X |
||
LDAP directory search |
X |
||
Directory photo resolution |
X * Using HTTP white list on Cisco Expressway-C |
||
Intradomain federation |
X * Contact search support depends on the format of your contact IDs. For more information, see the note below. |
||
Interdomain federation |
X |
||
Instant Messaging and Presence | |||
On-premises |
X |
||
Cloud |
X |
||
Chat |
X |
||
Group chat |
X |
||
High Availability: On-premises deployments |
X |
||
File transfer: On-premises deployments |
X Advanced options available for file transfer using Cisco Unified Communications Manager IM and Presence Service 10.5(2) or later, see the note below. |
||
File transfer: Cloud deployments |
X |
||
Video screen share - BFCP |
X (Cisco Jabber for mobile clients only support BFCP receive.) |
||
IM-Only Screen Share |
X |
||
Audio and Video | |||
Audio and video calls |
X * Cisco Unified Communications Manager 9.1(2) and later |
||
Deskphone control mode (CTI) (desktop clients only) |
X |
||
Extend and connect (desktop clients only) |
X |
||
Remote desktop control (desktop clients only) |
X |
||
Silent Monitoring and Call Recording |
X |
||
Dial via Office - Reverse (mobile clients only) |
X |
||
Session persistency |
X |
||
Early media |
X |
||
Self Care Portal access |
X |
||
Graceful Registration |
X * Applies to Cisco Jabber for Android. Jabber for Android supports graceful registration over Expressway for Mobile and Remote Access from Cisco Unified Communications Manager Release 10.5.(2) 10000-1. |
||
Voicemail | |||
Visual voicemail |
X * Using HTTP white list on Cisco Expressway-C |
||
Cisco Webex Meetings | |||
On-premises |
X |
||
Cloud |
X |
||
Cisco Webex screen share (desktop clients only) |
X |
||
Installation (Desktop clients) | |||
Installer update |
X * Using HTTP white list on Cisco Expressway-C |
X Not supported on Cisco Jabber for Mac |
|
Customization | |||
Custom HTML tabs |
X |
||
Enhanced911 Prompt |
X * To ensure that the web page renders correctly for all Jabber clients operating outside the corporate network, the web page must be a static HTML page because the scripts and link tags are not supported by the E911NotificationURL parameter. For more information, see the latest Parameter Reference Guide for Cisco Jabber. |
||
Security | |||
End-to-end encryption |
X |
||
CAPF enrollment |
X |
||
Single Sign-On |
X |
||
Advanced Encryption Standard (AES) 256 and TLS1.2 |
X * Applies to Cisco Jabber for Android. Advanced encryption is supported only on corporate Wi-Fi |
||
Troubleshooting (Desktop clients only) | |||
Problem report generation |
X |
||
Problem report upload |
X |
||
High Availability (failover) | |||
Audio and Video services |
X |
||
Voicemail services |
X |
||
IM and Presence services |
X |
Directory
- LDAP contact resolution — The client cannot use LDAP for contact resolution when outside of the corporate firewall. Instead, the client must use UDS for contact resolution.
  When users are inside the corporate firewall, the client can use either UDS or LDAP for contact resolution. If you deploy LDAP within the corporate firewall, Cisco recommends that you synchronize your LDAP directory server with Cisco Unified Communications Manager to allow the client to connect with UDS when users are outside the corporate firewall.
- Directory photo resolution — To ensure that the client can download contact photos, you must add the server on which you host contact photos to the white list of your Cisco Expressway-C server. To add a server to the Cisco Expressway-C white list, use the HTTP server allow setting. For more information, see the relevant Cisco Expressway documentation.
- Intradomain federation — When you deploy intradomain federation and the client connects with Expressway for Mobile and Remote Access from outside the firewall, contact search is supported only when the contact ID uses one of the following formats:
  - sAMAccountName@domain
  - UserPrincipalName (UPN)@domain
  - EmailAddress@domain
  - employeeNumber@domain
  - telephoneNumber@domain
- Interdomain federation using XMPP — Expressway for Mobile and Remote Access doesn’t enable XMPP Interdomain federation itself. Cisco Jabber clients connecting over Expressway for Mobile and Remote Access can use XMPP Interdomain federation if it has been enabled on Cisco Unified Communications Manager IM and Presence.
Instant Messaging and Presence
When the client connects to services using Expressway for Mobile and Remote Access, it supports instant messaging and presence with the following limitations:
- For Cisco Webex cloud deployments, file transfer is supported.
- For on-premises deployments with Cisco Unified Communications IM and Presence Service 10.5(2) or later, the Managed File Transfer selection is supported; however, the Peer-to-Peer option is not supported.
- For on-premises deployments with Cisco Unified Communications Manager IM and Presence Service 10.0(1) or earlier, file transfer is not supported.
- For Expressway for Mobile and Remote Access deployments with unrestricted Cisco Unified Communications Manager IM and Presence Server, Managed File Transfer is not supported.
Audio and Video Calling
- Cisco Unified Communications Manager — Expressway for Mobile and Remote Access supports video and voice calling with Cisco Unified Communications Manager Version 9.1.2 and later.
  Expressway for Mobile and Remote Access is not supported with Cisco Unified Communications Manager Version 8.x.
- Deskphone control mode (CTI) (Desktop clients only) — The client does not support deskphone control mode (CTI), including extension mobility.
- Extend and connect (Desktop clients only) — The client cannot be used to:
  - Make and receive calls on a Cisco IP Phone in the office.
  - Perform mid-call control such as hold and resume on a home phone, hotel phone, or Cisco IP Phone in the office.
- Dial via Office - Reverse (Mobile clients only) — The client cannot make Dial via Office - Reverse calls from outside the firewall.
- Session Persistency — The client cannot recover from audio and video call drops when a network transition occurs. For example, if a user starts a Cisco Jabber call inside the office and then walks outside the building and loses Wi-Fi connectivity, the call drops as the client switches to use Expressway for Mobile and Remote Access.
- Early Media — Early Media allows the client to exchange data between endpoints before a connection is established. For example, if a user makes a call to a party that is not part of the same organization, and the other party declines or does not answer the call, Early Media ensures that the user hears the busy tone or is sent to voicemail.
  When using Expressway for Mobile and Remote Access, the user does not hear a busy tone if the other party declines or does not answer the call. Instead, the user hears approximately one minute of silence before the call is terminated.
- Self care portal access (Desktop clients only) — Users cannot access the Cisco Unified Communications Manager Self Care Portal when outside the firewall. The Cisco Unified Communications Manager user page cannot be accessed externally.
  Cisco Expressway-E proxies all communications between the client and unified communications services inside the firewall. However, the Cisco Expressway-E does not proxy services that are accessed from a browser that is not part of the Cisco Jabber application.
Voicemail
Voicemail service is supported when the client connects to services using Expressway for Mobile and Remote Access.
Note: To ensure that the client can access voicemail services, you must add the voicemail server to the white list of your Cisco Expressway-C server. To add a server to the Cisco Expressway-C white list, use the HTTP server allow setting. For more information, see the relevant Cisco Expressway documentation.
Cisco Webex Meetings
When the client connects to services using Expressway for Mobile and Remote Access, it supports only cloud-based conferencing using Cisco Webex Meetings Center. The client cannot access the Cisco Webex Meetings Server or join or start on-premises Cisco Webex Meetings.
When users use the Cisco Webex Meetings Server for meetings, or the meeting siteType is ORION, the client cannot access the Cisco Webex Meetings Server or join or start on-premises Cisco Webex Meetings over Mobile and Remote Access (MRA).
To use the Webex Meetings option in Cisco Jabber for Android, ensure that the meeting client is installed before installing Cisco Jabber for Android.
Installation
Cisco Jabber for Mac — When the client connects to services using Expressway for Mobile and Remote Access, it doesn't support installer updates.
Note: To ensure that the client can download installer updates, you must add the server that hosts the installer updates to the white list of your Cisco Expressway-C server. To add a server to the Cisco Expressway-C white list, use the HTTP server allow setting. For more information, see the relevant Cisco Expressway documentation.
Security
- Initial CAPF enrollment — Certificate Authority Proxy Function (CAPF) enrollment is a security service that runs on the Cisco Unified Communications Manager Publisher and issues certificates to Cisco Jabber (or other clients). To successfully enroll for CAPF, the client must connect from inside the firewall or using VPN.
- End-to-end encryption — When users connect through Expressway for Mobile and Remote Access and participate in a call:
  - Media is always encrypted on the call path between the Cisco Expressway-C and devices that are registered to the Cisco Unified Communications Manager using Expressway for Mobile and Remote Access.
  - Media is not encrypted on the call path between the Cisco Expressway-C and devices that are registered locally to Cisco Unified Communications Manager, if either Cisco Jabber or an internal device is not configured with Encrypted security mode.
  - Media is encrypted on the call path between the Expressway-C and devices that are registered locally to Cisco Unified Communications Manager, if both Cisco Jabber and the internal device are configured with Encrypted security mode.
- Single Sign-On (SSO) — If you have SSO enabled for your on-premises deployment, it also applies to your Expressway for Mobile and Remote Access deployment. If you disable SSO, it is disabled for both on-premises and Expressway for Mobile and Remote Access deployments.
Troubleshooting
Cisco Jabber for Windows only. Problem report upload — When the desktop client connects to services using Expressway for Mobile and Remote Access, it cannot send problem reports because the client uploads problem reports over HTTPS to a specified internal server.
To work around this issue, users can save the report locally and send the report in another manner.
High Availability (failover)
High Availability means that if the client fails to connect to the primary server, it fails over to a secondary server with little or no interruption to the service. In relation to high availability being supported on the Expressway for Mobile and Remote Access, high availability refers to the server for the specific service failing over to a secondary server (such as Instant Messaging and Presence).
Some services are available on the Expressway for Mobile and Remote Access that are not supported for high availability. This means that if users are connected to the client from outside the corporate network and the instant messaging and presence server fails over, the services will continue to work as normal. However, if the audio and video server or voicemail server fails over, those services will not work as the relevant servers do not support high availability.