Prepare to Install

Cisco Jabber Guest can be deployed in combination with Cisco Expressway-E and Cisco Expressway-C or in combination with Cisco VCS-E and VCS-C. To simplify the documentation, we reference only Cisco Expressway-E and Cisco Expressway-C throughout this guide.

The mobile and web clients use the same interfaces when interacting with Cisco Expressway/Cisco TelePresence Video Communication Server (VCS) and Cisco Jabber Guest. To simplify the documentation, we reference only the web client throughout this guide.

Server Requirements

Cisco Product Requirements

Deploy Cisco Jabber Guest with an existing Cisco Unified Communications Manager installation.

To allow Cisco Jabber Guest to access devices located inside the enterprise firewall, deploy the following:
  • Cisco Unified Communications Manager 8.6.x or later

    Cisco Jabber Guest requires that your Cisco Unified Communications Manager be configured to work with Cisco Expressway.

  • Cisco Jabber Guest Server

  • Cisco Expressway-C X8.2 or later

  • Cisco Expressway-E X8.2 or later


    Important

    • Without Cisco Expressway-C and Cisco Expressway-E, you are limited to testing with clients that can directly access the network on which the Cisco Jabber Guest server is homed.

    • You cannot use the same Cisco Expressway-C and Cisco Expressway-E pair or cluster for both Cisco Jabber Guest and Expressway for Mobile and Remote Access.


For more information, download the Cisco Expressway Administrator Guide, deployment guides, and release notes or see the online help for complete information on configuring the options available on your Cisco Expressway.

Virtual Machine Requirements

Cisco Jabber Guest is deployed as a virtual server using the Open Virtualization Format (OVF) standard for packaging and distributing virtual appliances that run in a virtual environment. It requires VMware vSphere as the hypervisor. Cisco publishes the distribution as an OVF file with the file extension .OVA, which stands for Open Virtual Appliance. This file contains the OVF template for the application. The OVF template defines the virtual machine’s hardware and is preloaded with required software.

Hardware and System Requirements

  • A server platform that meets VMware’s Compatibility Guide for VMware vSphere 5.1 or later is required. The Cisco Jabber Guest virtual machine uses a 64-bit distribution of CentOS 6.10. Make sure that the server platform uses CPUs that are capable of 64-bit instructions.

  • Cisco Jabber Guest Server is supported on any Full UC Performance CPU, beginning with Intel Xeon Processor 5600 with a minimum physical core speed of 2.53 GHz or higher and any Restricted UC Performance CPU, beginning with Intel Xeon Processor E5 2609 v1 with a minimum physical core speed of 2.4 GHz or higher. For more information on Full UC performance CPUs and Restricted UC Performance CPUs, see the Processors/CPUs section in UC Virtualization Supported Hardware.

  • Cisco Jabber Guest is allowed on server models meeting required specifications, including Cisco Business Edition 6000 (BE6000), Cisco Business Edition 7000 (BE7000), and UC on UCS Tested Reference Configurations with a Full UC Performance CPU. BE6000M (M2) UCS C200 M2 TRC#1 is not supported. For more information, see Virtualization for Cisco Jabber Guest Server. Cisco Jabber Guest Server must follow the application co-residency and virtual-to-physical sizing rules in the Unified Communications Virtualization Sizing Guidelines.

  • Cisco Jabber Guest supports all virtualization software described in Purchasing/Sourcing Options for Required Virtualization Software.

  • If Cisco Jabber Guest Server is installed on a Cisco Business Edition 6000 server or Cisco Business Edition 7000 server, it must follow the additional co-residency rules in the Cisco Business Edition 6000 and Cisco Business Edition 7000 Co-residency Policy Requirements.

  • See the VMware developer documentation for additional configuration and hardware requirements. We highly recommend using the Cisco Unified Computing System (CUCS) to simplify and maximize performance.

Supported Storage Models

Virtual Machine Specifications

Table 1. Virtual Machine Specifications

| RAM | CPU | Storage | Operating System | CPU Resource Allocation | Memory Resource Allocation |
|---|---|---|---|---|---|
| 4 GB | 2 logical CPUs with 1 core each | 100 GB | CentOS 6.10 64-bit | Default (not defined) | Default (not defined) |

VMware vSphere Feature Support

The following VMware vSphere features are supported:
  • VM OVA template deployment (using the Cisco-provided Cisco Jabber Guest OVA)

  • VMware vMotion

  • VMware vSphere Distributed Switch (vDS)

  • VMware Dynamic Resource Scheduler (DRS)

  • VMware Storage vMotion (Storage DRS)

  • VMware Virtual Machine Snapshots

You can restart Cisco Jabber Guest on a different VMware ESXi host and create or revert VMware Snapshots as long as the application was shut down without any issues before moving or taking a snapshot.

The following VMware vSphere features have not been tested with Cisco Jabber Guest:
  • VMware Site Recovery Manager (SRM)

  • VMware Consolidated Backup (VCB)

  • VMware Data Recovery (VDR)

  • VMware Dynamic Power Management (Cisco Jabber Guest must be configured to run 24/7)

  • Long Distance vMotion (vMotion over a WAN)

  • VMware Fault Tolerance (FT)

The following VMware vSphere and third-party features are not supported with Cisco Jabber Guest:
  • VMware Hot Add

  • Copying a Cisco Jabber Guest virtual machine (must use OVA to deploy new server)

  • Configuring Cisco Jabber Guest with multiple virtual network interface controllers (vNICs)

  • Third-party Virtual to Physical (V2P) migration tools

  • Third-party deployment tools

Reverse Proxy Server Requirements

The Cisco Expressway-E and Cisco Expressway-C can be used to tunnel HTTP from the Cisco Jabber Guest client to the Cisco Jabber Guest server. If a third-party reverse proxy is used in front of the Cisco Expressway-E, configure it to proxy only the following URL types:
  • /call

  • /jabberc (used for HTTP/call control)

Configure the reverse proxy to redirect any HTTP requests to HTTPS.
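
The routing decision described above, written out as an added example (it is not Cisco code or a Cisco-supplied configuration). It assumes that "URL types" means whole-segment path prefixes, that the public host name is the expressway-e.example.com used elsewhere in this guide, and that the function names are hypothetical. The path is decoded and normalised before matching so that a request such as /call/../x is judged on the path it actually resolves to.

```python
from posixpath import normpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# The only URL types the guide says a third-party reverse proxy should forward.
ALLOWED_PREFIXES = ("/call", "/jabberc")
# Fixed redirect target (assumption: the example FQDN from this guide), so the
# redirect never echoes a client-supplied Host header.
PUBLIC_HOST = "expressway-e.example.com"


def canonical_path(raw_path: str) -> Optional[str]:
    """Decode and normalise a request path; None means reject the request."""
    decoded = unquote(raw_path)
    # Conservative choice: refuse double-encoding, NUL bytes and backslashes
    # instead of guessing how the upstream server would interpret them.
    if "%" in decoded or "\x00" in decoded or "\\" in decoded:
        return None
    if not decoded.startswith("/"):
        return None
    # Collapse "." and ".." segments and repeated slashes.
    path = normpath(decoded)
    if path.startswith("//"):  # POSIX normpath keeps exactly two leading slashes
        path = "/" + path.lstrip("/")
    return path


def is_allowed(path: str) -> bool:
    """Match whole path segments: /call and /call/x pass, /callback does not."""
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PREFIXES)


def decide(url: str) -> tuple:
    """Return (action, detail) for one incoming request URL."""
    parts = urlsplit(url)
    path = canonical_path(parts.path or "/")
    if path is None:
        return ("deny", 400)
    if parts.scheme == "http":
        # Any well-formed HTTP request is redirected to HTTPS first.
        query = "?" + parts.query if parts.query else ""
        return ("redirect", "https://" + PUBLIC_HOST + path + query)
    if not is_allowed(path):
        return ("deny", 404)
    # Forward the canonical path so proxy and upstream agree on what was asked.
    return ("proxy", path)
```
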

License Requirements

Cisco Jabber Guest is licensed and obtained through User Connect Licensing (UCL), Cisco Unified Workspace Licensing (CUWL), and other ordering mechanisms. Contact a sales representative from a Cisco partner or from Cisco for ordering details. No license keys are provided or required for the Cisco Jabber Guest software.

The following table describes the license requirements for using Cisco Expressway with Cisco Jabber Guest.

Table 2. License Requirements for Using Cisco Expressway with Cisco Jabber Guest

| License | Requirement | Note |
|---|---|---|
| Rich Media Session licenses | Cisco Expressway X8.7.3 or earlier: 2 Rich Media Session licenses are required per Cisco Jabber Guest session (1 on the Cisco Expressway-E and 1 on the Cisco Expressway-C for each Cisco Jabber Guest session). Cisco Expressway X8.8 or later: 1 Rich Media Session license on the Cisco Expressway-E is required for each Cisco Jabber Guest session. | |
| TURN relay license | TURN licensed on Cisco Expressway | When you order Cisco Expressway, a TURN relay license is included. |
| Advanced Networking (AN) license | If Cisco Jabber Guest is installed in a dual-NIC deployment, an AN license is required on Cisco Expressway. | When you order Cisco Expressway, an AN license is included. |

The following table describes the license requirements for using Cisco TelePresence Video Communication Server (VCS) with Cisco Jabber Guest.

Table 3. License Requirements for Using Cisco VCS with Cisco Jabber Guest

| License | Requirement | Note |
|---|---|---|
| Traversal call licenses | 2 traversal call licenses are required per Cisco Jabber Guest session: 1 traversal call license on the VCS-E and 1 traversal call license on the VCS-C for each Cisco Jabber Guest session. | |
| TURN relay license | TURN licensed on Cisco VCS | When you order Cisco VCS, a TURN relay license is included. |
| Dual Network Interface (DI) license | If Cisco Jabber Guest is installed in a dual-NIC deployment, a DI license is required on Cisco VCS. | When you order Cisco VCS, a DI license is not included. Specifically select this license. |

Client Requirements

Client Hardware and System Requirements

Users require a multimedia-capable computer with a camera and microphone that support the following software and hardware requirements:

Table 4. Client Requirements

Operating system

  • Windows: Microsoft Windows 7 or later

  • Mac: macOS 10.13 to 10.15

Hardware (Windows)

  • GPU capable of OpenGL 1.2 or later

  • Minimum CPU supporting SSE2 (Pentium IV or newer)

  • Encoding at 720p 30 fps requires Intel Core2Duo @ 1.2 GHz or better

  • Encoding at VGA 30 fps can be done on CPUs as low-end as the Intel Atom @ 1.6 GHz

Hardware (Mac)

  • Intel x86 processor

  • Encoding at 720p 30 fps requires Intel Core2Duo @ 1.2 GHz or better. For optimal experience, Core2Duo @ 2 GHz with 2 MB L2 cache per core is recommended.

Browsers (Windows)

  • Mozilla Firefox 10 or later

  • Google Chrome 18 or later

  • Microsoft Internet Explorer 8 or later (32-bit, or 64-bit running 32-bit tabs only. 64-bit browsers running 64-bit tabs are not supported.) [1]

Note

  1. On Windows 8 or later, only the desktop version is supported. The Metro version won't work.

  2. Microsoft Internet Explorer 8 exhibits some minor layout differences because of certain browser limitations.

  3. You may encounter video frame layout issues in Windows 7 and Windows 8 if the screen display scaling is not set at 100%. This is due to an OS limitation and does not occur in Windows 8.1 or later.

Browsers (Mac)

  • Safari 7 to 11

  • Mozilla Firefox 10 or later [2]

  • Google Chrome 18 or later

Note

Safari requires you to manually restart the browser in order for the Jabber Guest plugin to take effect.

[1] To configure Internet Explorer on Windows 8 or later to open the desktop version by default, do the following:
  1. Open Microsoft Internet Explorer.
  2. From the Tools menu, click Internet options.
  3. Click the Programs tab.
  4. Under Opening Internet Explorer, choose Always in Internet Explorer on the desktop.

[2] Currently, a known issue with Firefox on Mac OS X prevents full-screen video. This option is not offered for this combination of browser and operating system.

Cisco Jabber Guest Plug-in Requirement

The Cisco Jabber Guest solution includes a browser plug-in that is downloaded and installed by the caller on the local machine. For Google Chrome and Firefox (50 and later), the web page prompts the user to install the Chrome/Firefox Extension and the Cisco Jabber Guest Add-on. For all other browsers, the Cisco Jabber Guest web page prompts the caller to download and install the plug-in the first time the service is used.

New plug-ins are periodically made available with fixes and new functionality. The caller is prompted to download and install the new plug-in the next time an attempt is made to place a call.

Supported Mobile Devices

Android Supported Devices

We support Cisco Jabber Guest for Android on audio and video for the following Android devices and operating systems:

Table 5.

| Make | Model | Minimum Android OS | Limitations |
|---|---|---|---|
| BlackBerry | Priv | 5.1 | BlackBerry Priv device limitation: If Jabber is removed from the recently viewed apps list, and the device is kept idle for some time, then Jabber becomes inactive. |
| Fujitsu | Arrows M357 | 6.0.1 | |
| Google | Nexus 4 | 5.1.1 | |
| | 5 | 5 | |
| | 5X | 6 | |
| | 6 | 5.0.2 | |
| | 6P | 6 | If you have a Google Nexus 6P device with Android OS version 6.x or 7.0, then contact your administrator to set your Jabber phone service as a secure phone service. Otherwise, your device might not respond. However, if your Android OS version is 7.1 or later, no action is required. |
| | 7 | 5 | |
| | 9 | 5.0.2 | |
| | 10 | 5 | |
| | Pixel | 7 | |
| | Pixel C | 6 | |
| | Pixel XL | 7 | |
| | Pixel 2 | 8 | During a Jabber call, if the user switches audio from the mobile device to a headset, there might be some issues with the audio for a few seconds. |
| | Pixel 2 XL | 8 | During a Jabber call, if the user switches audio from the mobile device to a headset, there might be some issues with the audio for a few seconds. |
| | Pixel 3 | 8 | If you use the attached headset with the phone, there might be some issues with the audio for a few seconds. |
| | Pixel 3 XL | 8 | If you use the attached headset with the phone, there might be some issues with the audio for a few seconds. |
| Honeywell | Dolphin CT40 | 7.1.1 | |
| | CT50 | 5 | |
| HTC | 10 | 6 | |
| | A9 | 6 | |
| | E9 PLUS | 5.0.2 | |
| | M7 | 5 | |
| | M8 | 5 | |
| | M9 | 5 | |
| | One Max | 5 | |
| | X9 | 6 | |
| Huawei | Honor 7 | 5 | |
| | M2 | 5 | |
| | Mate 7 | 5 | |
| | Mate 8 | 6 | |
| | Mate 9 | 6 | |
| | Nova | 7 | |
| | Mate 10 | 8 | |
| | Mate 10 Pro | 8 | |
| | P8 | 5 | |
| | P9 | 6 | |
| | P10 | 7 | |
| | P10 Plus | 7 | |
| | P20 | 8 | |
| | P20 Pro | 8 | |
| | Mate20 | 8 | |
| | Mate20 Pro | 8 | |
| LG | G2 | 5 | |
| | G3 | 5 | |
| | G4 | 5.1 | |
| | G5 | 6 | |
| | G6 | 7 | |
| | V10 | 5 | |
| | V30 | 8 | |
| Motorola | MC40 | 5 | Cisco Jabber supports only audio mode with the MC40 device. Cisco Jabber does not support launching Webex Meetings from the MC40 device. |
| | Moto G | 5 | |
| | Moto X | 5 | |
| | Moto Z Droid | 6 | |
| OnePlus | One | 5 | |
| | 5 | 8 | |
| | 5T | 8 | |
| | 6 | 9 | |
| | 6T | 9 | |
| Panasonic | Toughpad FZ-X1 | 5 | Contact your administrator to set your Jabber phone service to be secure. Jabber plays ringback tone and busy tone at 24 kHz. |
| Samsung | All | 5 | • On Samsung devices with Android OS 5.x or later, the auto-run option for Jabber must be enabled. For Android OS 5.x, you can find the auto-run option under Settings and Device Manager. For Android OS 6.x and later, you can find the auto-run option under App Smart Manager. • Jabber delays the incoming call notification pop-up on Samsung Galaxy Tab Pro 8.4 (Model T320UEU1AOC1) for Canada. • Jabber delays reconnecting to the network on a Samsung Xcover 3 when it loses Wi-Fi connectivity. |
| Smartisan | M1L | 6.0.1 | |
| Sonim | XP8 | 7.1.1 | |
| Sony | Xperia M2 | 5 | |
| | XZ | 7 | |
| | XZ1 | 8 | |
| | XZ2 | 8 | |
| | XZ3 | 9 | |
| | Z1 | 5 | |
| | Z2 | 5 | |
| | Z2 tablet | 5 | |
| | Z3 | 5 | Sony Xperia Z3 (Model SO-01G) with Android OS 5.0.2 has poor audio on Jabber calls. |
| | Z3 Tablet Compact | 5 | |
| | Z3+/Z4 | 5.0.2 | Video call is unstable on Sony Z3+/Z4; you can disable your self-video for a video call or make a voice call only. |
| | Z4 TAB | 5 | |
| | Z5 Premium and Z5 | 5.0.2 | |
| | ZR/A | 5 | There is a limitation that Sony devices with Android OS 6.0 cannot play voicemail in Jabber. |
| Xiaomi | 4C | 5.1 | |
| | MAX | 5.1 | |
| | Mi 4 | 5 | |
| | Mi 5 | 6 | |
| | Mi 5s | 7 | |
| | Mi 6 | 7 | |
| | Mi 8 | 8 | |
| | Pocophone | 8 | |
| | Mi Note | 5 | |
| | Mi Note 2 | 7 | |
| | Mi Pad 2 | 5.1 | |
| | Mi MIX 2 | 8 | |
| | Mi A1 | 8 | |
| | Redmi 3 | 5.1 | |
| | Redmi Note 3 | 5.1 | |
| | Redmi Note 4X | 6.0.1 | |
| | Redmi Note 5 | 8 | |
| Zebra | TC51 | 6 | |
| | TC70 | 5 | TC70 devices might sometimes have issues connecting to a Wi-Fi network configured over DHCP. In TC70, the default value of Keep wifi on during sleep is Off; you must set it to Always On to use Jabber. |
| | TC75X | 6 | |

We support Cisco Jabber Guest for Android with tested Android devices. Although other devices are not officially supported, you may be able to use Cisco Jabber Guest for Android with other devices.

iOS Supported Devices

Cisco Jabber Guest is supported on iOS 12 or later.

The following table lists the iOS mobile devices that Cisco Jabber Guest supports:

| iPhone | iPad |
|---|---|
| iPhone 5S | iPad Air |
| iPhone 6 | iPad Air 2 |
| iPhone 6 Plus | iPad Air (2019) |
| iPhone 6S | iPad (2017) |
| iPhone 6S Plus | iPad (2018) |
| iPhone SE | iPad Mini 2 |
| iPhone 7 | iPad Mini 3 |
| iPhone 7 Plus | iPad Mini 4 |
| iPhone 8 | iPad Mini (5th generation) |
| iPhone 8 Plus | iPad Pro (9.7-inch) |
| iPhone X | iPad Pro (10.5-inch) |
| iPhone XS | iPad Pro (11-inch) |
| iPhone XS Max | iPad Pro (12.9-inch 1st generation) |
| iPhone XR | iPad Pro (12.9-inch 2nd generation) |
| | iPad Pro (12.9-inch 3rd generation) |

Deployment Options

Cisco Jabber Guest supports two deployments:
  • Cisco Expressway-E with a single NIC—SIP traffic goes to the Cisco Expressway-C and media flows over a port range between the Cisco Expressway-E and the Cisco Expressway-C.

  • Cisco Expressway-E with dual NIC—SIP traffic goes to the Cisco Expressway-E and media flows through the traversal zone between the Cisco Expressway-E and the Cisco Expressway-C.


Important

Only the Cisco Expressway-E with dual NIC deployment supports NAT/PAT between the Cisco Expressway-E and the Cisco Expressway-C.


Lab Deployment

Cisco Jabber Guest can be pointed directly to Cisco Unified Communications Manager for lab deployments only; configure a SIP trunk on Cisco Unified Communications Manager for this deployment. This option is best suited to a lab deployment in which the goal is to familiarize yourself with Cisco Jabber Guest without the additional overhead of configuring Expressway. However, without configuring Expressway, Cisco Jabber Guest is not supported in a production environment.

Network Topology

Overview of Cisco Expressway-E with Single NIC Deployment

  • SIP traffic is sent to the Cisco Expressway-C.

  • Cisco Expressway-E is single NIC only.

  • Cisco Expressway-E in static NAT mode is optional and requires additional configuration on the Cisco Jabber Guest server.

  • Cisco Expressway-E is used for TURN services and reverse proxy, not call control.

  • Media flows between the Cisco Expressway-E and the Cisco Expressway-C over port range, not a traversal zone.

Overview of Cisco Expressway-E with Dual NIC Deployment

  • SIP traffic is sent to the Cisco Expressway-E.

  • Cisco Expressway-E is dual NIC only.

  • Cisco Expressway-E in static NAT mode is optional and requires additional configuration on the Cisco Jabber Guest server.

  • Cisco Expressway-E is used for TURN services, reverse proxy, and call control.

  • Media flows between the Cisco Expressway-E and the Cisco Expressway-C through a traversal zone.

In a production environment, Cisco Jabber Guest requires that your Cisco Unified Communications Manager be configured to work with Cisco Expressway.


Note

If Cisco Expressway-E is used for reverse proxy functionality, the Cisco Jabber Guest URL looks like https://expressway-e.example.com/call where expressway-e.example.com is the FQDN of Cisco Expressway-E.


Call Control Flow

The following are examples of call control flow for the two supported deployments of Cisco Jabber Guest Server.

Figure 1. Cisco Jabber Guest Call Control: Cisco Expressway-E with Single NIC Deployment


Figure 2. Cisco Jabber Guest Call Control: Cisco Expressway-E with Dual NIC Deployment


Cisco Expressway-E with Dual NIC Deployment

SIP flows between the Cisco Jabber Guest server and the Cisco Expressway-E. This requires bi-directional TCP traffic between the two servers over 5060 (SIP over TCP) or 5061 (SIP over TLS). The SIP traffic then goes over the traversal zone to the Cisco Expressway-C.

We recommend that you disable SIP and H.323 application-level gateways on routers/firewalls carrying network traffic to or from a Cisco Expressway-E.


Important

Because media hairpins between the two Cisco Expressway-E NICs, the TURN traffic and SIP traffic must reside on the same Cisco Expressway-E server. You must configure the static NAT address, DMZ external address, and DMZ internal address of the Cisco Expressway-E on the Cisco Jabber Guest server.


Media Flow

The web client uses TURN relays allocated on the Cisco Expressway-E to tunnel media into the enterprise. Media is sent and received in STUN encapsulated packets to the TURN server through UDP port 3478.

TURN relay credentials are acquired and used as follows:
  • The Cisco Jabber Guest client allocates a call resource through HTTP to the Cisco Jabber Guest server.

  • The Cisco Jabber Guest server requests short-term TURN credentials from the Cisco Expressway-C through a secure HTTP request. Administrator credentials are used for authentication. The configured domain must be on the Cisco Expressway-C with Jabber Guest service enabled.

  • The Cisco Expressway-C creates the TURN credential and passes it to the Cisco Jabber Guest server.

  • The Cisco Expressway-C propagates the TURN credential to the Cisco Expressway-E through the SSH tunnel (port 2222).

  • The Cisco Jabber Guest server responds to the Cisco Jabber Guest client with the TURN credential and TURN server (Cisco Expressway-E) address (DNS or IP).

  • The Cisco Jabber Guest client uses the TURN credential to allocate the TURN relay on the TURN server.

Media Flow: Cisco Expressway-E with Single NIC Deployment

The following diagram is an example of the media flow for a Cisco Expressway-E with single NIC deployment of Cisco Jabber Guest.

Figure 3. Cisco Jabber Guest Media Flow: Cisco Expressway-E with Single NIC Deployment


Cisco Jabber Guest media does not go through the traversal link between Cisco Expressway-E and Cisco Expressway-C.


Important

If the Cisco Expressway-E is behind a NAT, additional configuration is required on the Cisco Jabber Guest server to avoid the media flowing to the static NAT address. Turn on Static NAT mode and configure the static NAT address and DMZ external address of the Cisco Expressway-E on the Cisco Jabber Guest server. This allows media to be sent to the DMZ external address of the Cisco Expressway-E, avoiding NAT reflection on the outside firewall.


Media Flow: Cisco Expressway-E with Dual NIC Deployment

The following diagram is an example of the media flow for a Cisco Expressway-E with dual NIC deployment of Cisco Jabber Guest.

Figure 4. Cisco Jabber Guest Media Flow: Cisco Expressway-E with Dual NIC Deployment


Media flows through the traversal zone between the Cisco Expressway-C and the internal NIC of the Cisco Expressway-E. It hairpins on the Cisco Expressway-E to the external NIC of the Cisco Expressway-E, and then is STUN/TURN wrapped before being sent to the client browser.


Important

If the Cisco Expressway-E is behind a NAT, additional configuration is required on the Cisco Jabber Guest server to avoid the media flowing to the static NAT address. Turn on Static NAT mode and configure the static NAT address, DMZ external address, and DMZ internal address of the Cisco Expressway-E on the Cisco Jabber Guest server. This allows media to be sent to the DMZ external address of the Cisco Expressway-E, avoiding NAT reflection on the outside firewall.


Ports and Protocols


Important

  • HTTP and HTTPS traffic from Cisco Jabber Guest clients in the Internet is sent to ports 80 and 443 TCP respectively. Therefore the firewall between the Cisco Expressway-E and the public Internet must translate destination port 80 to 9980 and destination port 443 to 9443 for all TCP traffic that targets the Cisco Expressway-E address.

  • The Cisco Expressway-E redirects HTTP requests on port 9980 to HTTPS on 9443.

  • 80/443 TCP are the standard HTTP/S administration interfaces on the Expressway. If the Cisco Expressway-E is administered from systems located in the Internet, then the firewall translation must also distinguish by source address and must not translate the destination port of traffic arriving from those management systems.

  • You also need to ensure that appropriate DNS records exist so that the Cisco Jabber Guest client can reach the Cisco Expressway-E. The FQDN of the Cisco Expressway-E in DNS must include the Cisco Jabber Guest domain. The Cisco Jabber Guest domain is the domain that is configured on the Cisco Expressway-C.

  • For more information on port usage for Firewall Traversal, refer to the Cisco Expressway IP Port Usage for Firewall Traversal Guide.


Ports and Protocols: Cisco Expressway-E with Single NIC Deployment

Table 6. Inbound from Public Internet to Cisco Expressway-E (DMZ)

| Purpose | Protocol | Internet Endpoint (Source) | Cisco Expressway-E (Listening) |
|---|---|---|---|
| HTTP | TCP | TCP source port | 9980 (read the following Important note) |
| HTTPS proxy | TLS | TCP source port | 9443 (read the following Important note) |
| TURN Server (control and media relays) | UDP | UDP source port | 3478 [3]; 3478–3483 [4] |

[3] For small and medium Cisco Expressway-E deployments
[4] For large Cisco Expressway-E deployments

Important

  • The Cisco Expressway-E administrator currently uses port 80 and therefore, incoming requests from the Cisco Jabber Guest client to Cisco Expressway-E on port 80 must be remapped to port 9980 using a firewall (or similar) in front of Cisco Expressway-E. For the mobile client, using 9980 in call links is not supported; you must use port remapping on your firewall to remap port 80 to port 9980.

  • The Cisco Expressway-E administrator currently uses port 443 and therefore, incoming requests from the Cisco Jabber Guest client to Cisco Expressway-E on port 443 must be remapped to port 9443 using a firewall (or similar) in front of Cisco Expressway-E. For the mobile client, using 9443 in call links is not supported; you must use port remapping on your firewall to remap port 443 to port 9443.



Table 7. Outbound from Cisco Expressway-C (Private) to Cisco Expressway-E (DMZ)

| Purpose | Protocol | Cisco Expressway-C (Source) | Cisco Expressway-E (Destination) |
|---|---|---|---|
| SSH (HTTP/S tunnels) | TCP | Ephemeral port | 2222 (not configurable) |
| Traversal zone SIP signaling | TLS | 25000–29999 | 7001 |
| Media [5] | UDP | 36000–59999 | 24000–29999 |

[5] By default, media is sent to the NAT interface unless the Cisco Jabber Guest server is configured for static NAT mode.

Table 8. Inbound from Cisco Expressway-E (DMZ) to Cisco Expressway-C (Private)

| Purpose | Protocol | Cisco Expressway-E (Source) | Cisco Expressway-C (Destination) |
|---|---|---|---|
| Media | UDP | 24000–29999 | 36000–59999 |


Important

  • Inbound firewall rules are required to allow media to flow from the Cisco Expressway-E to Cisco Expressway-C.

  • You may find that two-way media can still be established even if the inbound from Cisco Expressway-E (DMZ) to Cisco Expressway-C (private) firewall rules are not applied. This is because the outbound media creates a pinhole in the firewall; however, these rules are required to support uni-directional media (that is, only from outside to inside).


Table 9. From Cisco Expressway-C to Cisco Jabber Guest

| Purpose | Protocol | Cisco Expressway-C (Source) | Cisco Jabber Guest (Destination) |
|---|---|---|---|
| HTTP | TCP | Ephemeral port | 80 |
| HTTPS | TLS | Ephemeral port | 443 |
| SIP | TCP/TLS | Ephemeral port | 5060 (SIP over TCP); 5061 (SIP over TLS) |

Table 10. From Cisco Jabber Guest to Cisco Expressway-C

| Purpose | Protocol | Cisco Jabber Guest (Source) | Cisco Expressway-C (Destination) |
|---|---|---|---|
| HTTPS | TLS | Ephemeral port | 443 |
| SIP | TCP/TLS | Ephemeral port | 5060 (SIP over TCP); 5061 (SIP over TLS) |
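
The single-NIC port matrix in Tables 6 to 10 can be turned into a check that a firewall policy allows every required flow and nothing more. The following is an added example, not part of the Cisco guide: the zone labels, the rule tuple layout, the function names and the sample policy are all constructed for illustration, and the matrix assumes a small or medium Cisco Expressway-E (TURN on UDP 3478 only).

```python
# Required flows for the single-NIC deployment, transcribed from Tables 6-10.
# Zone names are labels made up for this example.
REQUIRED = [
    # (source, destination, protocol, first port, last port, purpose)
    ("internet", "expressway-e", "tcp", 9980, 9980, "HTTP"),
    ("internet", "expressway-e", "tcp", 9443, 9443, "HTTPS proxy"),
    ("internet", "expressway-e", "udp", 3478, 3478, "TURN"),
    ("expressway-c", "expressway-e", "tcp", 2222, 2222, "SSH tunnels"),
    ("expressway-c", "expressway-e", "tcp", 7001, 7001, "Traversal SIP"),
    ("expressway-c", "expressway-e", "udp", 24000, 29999, "Media out"),
    ("expressway-e", "expressway-c", "udp", 36000, 59999, "Media in"),
    ("expressway-c", "jabber-guest", "tcp", 80, 80, "HTTP"),
    ("expressway-c", "jabber-guest", "tcp", 443, 443, "HTTPS"),
    # 5060 is SIP over TCP, 5061 is SIP over TLS; narrow to the one in use.
    ("expressway-c", "jabber-guest", "tcp", 5060, 5061, "SIP"),
    ("jabber-guest", "expressway-c", "tcp", 443, 443, "HTTPS"),
    ("jabber-guest", "expressway-c", "tcp", 5060, 5061, "SIP"),
]


def gaps(first, last, ranges):
    """Return the sub-ranges of [first, last] that `ranges` does not cover."""
    missing, cursor = [], first
    for lo, hi in sorted(ranges):
        if hi < cursor:
            continue
        if lo > last:
            break
        if lo > cursor:
            missing.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
        if cursor > last:
            break
    if cursor <= last:
        missing.append((cursor, last))
    return missing


def ranges_for(entries, src, dst, proto):
    """Port ranges of all entries that match one (source, destination, protocol)."""
    return [(lo, hi) for s, d, p, lo, hi, *_ in entries
            if (s, d, p) == (src, dst, proto)]


def audit(rules):
    """Compare allow rules with REQUIRED and return (missing, excess)."""
    missing, excess = [], []
    for src, dst, proto, lo, hi, purpose in REQUIRED:
        for gap in gaps(lo, hi, ranges_for(rules, src, dst, proto)):
            missing.append((purpose, src, dst, proto, gap))
    for src, dst, proto, lo, hi in rules:
        for gap in gaps(lo, hi, ranges_for(REQUIRED, src, dst, proto)):
            excess.append((src, dst, proto, gap))
    return missing, excess


# Constructed sample policy: (source, destination, protocol, first, last).
SAMPLE_RULES = [
    ("internet", "expressway-e", "tcp", 9980, 9980),
    ("internet", "expressway-e", "tcp", 9443, 9443),
    ("internet", "expressway-e", "udp", 3478, 3478),
    # Untranslated 443 is the Expressway administration interface; the guide
    # leaves it untranslated only for management source addresses.
    ("internet", "expressway-e", "tcp", 443, 443),
    ("expressway-c", "expressway-e", "tcp", 2222, 2222),
    ("expressway-c", "expressway-e", "tcp", 7001, 7001),
    ("expressway-c", "expressway-e", "udp", 24000, 29999),
    # No expressway-e -> expressway-c media rule: two-way media may still work
    # through the outbound pinhole, but outside-to-inside-only media will not.
    ("expressway-c", "jabber-guest", "tcp", 80, 80),
    ("expressway-c", "jabber-guest", "tcp", 443, 443),
    ("expressway-c", "jabber-guest", "tcp", 5060, 5061),
    ("jabber-guest", "expressway-c", "tcp", 443, 443),
    ("jabber-guest", "expressway-c", "tcp", 5060, 5061),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

For the sample policy, the audit reports the absent Table 8 media rule as missing and the Internet-facing TCP 443 rule as excess.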

Ports and Protocols: Cisco Expressway-E with Dual NIC Deployment

Table 11. Inbound from Public Internet to Cisco Expressway-E (DMZ)

| Purpose | Protocol | Internet Endpoint (Source) | Cisco Expressway-E (Listening) |
|---|---|---|---|
| HTTP | TCP | TCP source port | 9980 (read the following Important note) |
| HTTPS proxy | TLS | TCP source port | 9443 (read the following Important note) |
| TURN Server (control and media relays) | UDP | UDP source port | 3478 [6]; 3478–3483 [7] |

[6] For small and medium Cisco Expressway-E deployments
[7] For large Cisco Expressway-E deployments

Important

  • The Cisco Expressway-E administrator currently uses port 80 and therefore, incoming requests from the Cisco Jabber Guest client to Cisco Expressway-E on port 80 must be remapped to port 9980 using a firewall (or similar) in front of Cisco Expressway-E. For the mobile client, using 9980 in call links is not supported; you must use port remapping on your firewall to remap port 80 to port 9980.

  • The Cisco Expressway-E administrator currently uses port 443 and therefore, incoming requests from the Cisco Jabber Guest client to Cisco Expressway-E on port 443 must be remapped to port 9443 using a firewall (or similar) in front of Cisco Expressway-E. For the mobile client, using 9443 in call links is not supported; you must use port remapping on your firewall to remap port 443 to port 9443.



Table 12. Outbound from Cisco Expressway-C (Private) to Cisco Expressway-E (DMZ)

| Purpose | Protocol | Cisco Expressway-C (Source) | Cisco Expressway-E (Destination) |
|---|---|---|---|
| SSH (HTTP/S tunnels) | TCP | Ephemeral port | 2222 (not configurable) |
| Traversal zone SIP signaling | TLS | 25000–29999 | 7001 |
| Media (Note: If the internal > DMZ firewall rules allow outgoing traffic, no rules are needed for media.) | UDP | 36002–59999 | 36000–36001 [8]; 36000–36011 [9] |

[8] For small and medium Cisco Expressway-E deployments
[9] For large Cisco Expressway-E deployments

Table 13. Outbound from Cisco Jabber Guest (Private) to Cisco Expressway-E (DMZ)

| Purpose | Protocol | Cisco Jabber Guest (Source) | Cisco Expressway-E (Destination) |
|---|---|---|---|
| SIP | TCP/TLS | Ephemeral port | 5060 (SIP over TCP); 5061 (SIP over TLS) |

Table 14. Inbound from Cisco Expressway-E (DMZ) to Cisco Jabber Guest (Private)

| Purpose | Protocol | Cisco Expressway-E (Source) | Cisco Jabber Guest (Destination) |
|---|---|---|---|
| SIP | TCP/TLS | Ephemeral port | 5060 (SIP over TCP); 5061 (SIP over TLS) |

Table 15. From Cisco Expressway-C to Cisco Jabber Guest

| Purpose | Protocol | Cisco Expressway-C (Source) | Cisco Jabber Guest (Destination) |
|---|---|---|---|
| HTTP | TCP | Ephemeral port | 80 |
| HTTPS | TLS | Ephemeral port | 443 |

Table 16. From Cisco Jabber Guest to Cisco Expressway-C

| Purpose | Protocol | Cisco Jabber Guest (Source) | Cisco Expressway-C (Destination) |
|---|---|---|---|
| HTTPS | TLS | Ephemeral port | 443 |

Clustering Options

Cisco Jabber Guest only supports a three-server cluster. Three operational servers are required for full redundancy.

Recommended Deployment

Configure the reverse proxy to send requests to only one server in the cluster at a time. You set the order in which requests are sent on Cisco Expressway-C, from the Priority field in Configuration > Unified Communications > Configuration > Configure Jabber Guest servers. Give each Cisco Jabber Guest server a different priority. Requests are sent to a different server only if a server becomes unresponsive.

Cisco Jabber Guest can be administered from any server in the cluster. To simplify troubleshooting, we recommend that you use one server in the cluster for administration purposes.

Data Replication

The following table describes which data replicates in a cluster.

Table 17. Cluster Data Replication

| Data That Replicates | Data That Does Not Replicate |
|---|---|
| Users | Settings > Local SSL Certificate |
| Links | Settings > Call Control and Media (Local) |
| Services > Passwords | Logs |
| Settings > Links | |
| Settings > Mobile | |
| Settings > Secure SIP Trust Certificate | |
| Settings > Call Control and Media | |

Cluster Latency

The upper latency limit is 15 milliseconds.

Load Balancing Methods Available

You can balance the load on your Cisco Expressway-C, Cisco Expressway-E, and Cisco Jabber Guest server clusters.

The following table describes the methods of load balancing that are available to distribute different types of traffic across the network.

Table 18. Load Balancing Methods

Network Traffic

Method of Load Balancing Available

SIP for call control

Send SIP to the Cisco Expressway-C server cluster

  • Round-robin DNS

  • Round-robin comma-separated values (CSV)

  • HTTP

Send SIP to the Cisco Expressway-E server cluster

Send SIP to the Cisco Expressway-E server that provided TURN service

Important 

For a clustered Cisco Expressway-E with dual NIC deployment, you must send SIP to the Cisco Expressway-E server that provided TURN service.

TURN credential provisioning requests to the Cisco Expressway-C server cluster

  • Round-robin DNS

  • Round-robin CSV

  • HTTP

HTTPS from the Cisco Jabber Guest client to the Cisco Expressway-E server cluster

Round-robin DNS

TURN for media between the Cisco Jabber Guest client and the Cisco Expressway-E server cluster

  • Round-robin DNS for the Cisco Expressway-E server IP address and port range for round-robin TURN port range

  • Round-robin CSV for the Cisco Expressway-E server IP address and port range for round-robin TURN port range

Important 

TURN port ranges are only supported when you use the large Cisco Expressway-E virtual machine.

HTTP between the Cisco Expressway-E and Cisco Jabber Guest server clusters

Configure Cisco Jabber Guest server priorities on the Cisco Expressway-C server.