Remote-access Guide

cisco expressway mobile and remote access

by Kristofer Hermiston Published 3 years ago Updated 2 years ago
image

The Expressway solution builds on the firewall traversal capabilities of the Cisco TelePresence Video Communication Server (VCS) family and explicitly allows mobile and remote access without the need for a separate VPN

Virtual private network

A virtual private network extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running on a computing device, e.g. …

client. Two servers are required to provide the firewall traversal features.

Full Answer

What is the latest release of the Cisco Expressway deployment guide?

Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.10) Mobile and Remote Access Through Cisco Expressway Deployment Guide First Published: April 2014 Last Updated: September 2018 Cisco Expressway X8.10 CiscoSystems,Inc.     www.cisco.com

How to enable mobile and remote access mode on Expressway-c?

You must enable Mobile and Remote Access mode on Expressway before you can configure domains and traversal zones. On the Expressway-C, go to Configuration > Unified Communications > Configuration . Set Unified Communications mode to Mobile and Remote Access . Click Save .

How do I enable automated intrusion protection in Expressway-c?

See Automated Intrusion Protection, page 1. Enabling the Expressway-C for Mobile and Remote Access To enable Mobile and Remote Access functionality: 1.Go to Configuration > Unified Communications > Configuration. 2.Set Unified Communications mode to Mobile and Remote Access. 3.Click Save.

How does call signaling work on the Cisco Expressway?

All call signaling, including the signaling for Mobile and Remote Access on Expressway, traverses the IP connection between the client and Cisco Unified Communications Manager. Voice media traverses the cellular interface and hairpins at the enterprise Public Switched Telephone Network (PSTN) gateway.

image

What is mobile and remote access?

The Mobile and Remote Access solution (MRA) supports a hybrid on-premises and cloud-based service model. This provides a consistent experience inside and outside the enterprise. MRA provides a secure connection for Jabber application traffic without having to connect to the corporate network over a VPN.

How do I connect to Cisco Expressway?

Open a browser window and in the address line type one of the following: • IP address of the Cisco Expressway (for example, https://10.0.0.1). Enter the address as HTTPS. FQDN of the Cisco Expressway (for example, https://mydomain.example.com).

What is Cisco expressway used for?

Cisco Expressway Series (Expressway) is designed specifically for comprehensive collaboration services. It features established firewall-traversal technology and helps to redefine traditional enterprise collaboration boundaries, to support our Cisco vision of any-to-any collaboration.

What is an MRA phone?

It is a device and operating system agnostic solution for Cisco Jabber clients on Windows, Mac, iOS and Android platforms. MRA allows Jabber clients that are outside the enterprise to do the following: Use Instant Messaging and Presence services. Make voice and video calls.

What is the difference between Cisco Expressway-C and E?

Differences between VCS C and VCS E Tandberg's legacy devices typically used VCS Control, or VCS C, within the organization and VCS Expressway, or VCS E, was used between firewalls. To put it more simply, VCS C was used internally within the organization while VCS E was utilized externally.

How do I log into my Expressway-E?

Open the browser to the Expressway-E at https://expe1a.pod9.cms.lab. Log in with username admin and password c1sco123. If prompted, click Skip Service Setup Wizard.

What is difference between Expressway-C and expressway-E?

The Expressway-C is configured with DNS servers which are located on the internal network. The Expressway-E is configured with DNS servers which are publicly routable.

What are two functions of Cisco expressway in the collaboration edge?

A. Expressway-C provides encryption for Mobile and Remote Access but not for business-to-business communications. B. Expressway-E provides a VPN entry point for Cisco IP phones with a Cisco AnyConnect client using authentication based on certificates.

What is Cisco Webex Expressway?

Cisco Expressway is a powerful gateway solution specifically designed for comprehensive collaboration services provided through Cisco Unified Communications Manager, Cisco Business Edition, or Cisco Hosted Collaboration Solution (HCS).

How do you set up an MRA?

0:586:47Expressway MRA Basic Configuration - YouTubeYouTubeStart of suggested clipEnd of suggested clipAlso make sure that authorized by user credential is set to on scroll. Down and hit save. Now thatMoreAlso make sure that authorized by user credential is set to on scroll. Down and hit save. Now that MRA is enabled the domains can be set up for MRA. Let's go back to configuration. Domains.

What is VCS Expressway?

The VCS Expressway is a SIP Registrar & Proxy and H. 323 Gatekeeper for devices which are located outside the internal network (for example, home users and mobile worker registering across the internet and 3rd party businesses making calls to, or receiving calls from this network).

How do I upgrade my Cisco Expressway?

1:544:49How to Upgrade an Expressway Cluster - YouTubeYouTubeStart of suggested clipEnd of suggested clipSeries section you can go to download software to get the upgrade the upgrade file is going to beMoreSeries section you can go to download software to get the upgrade the upgrade file is going to be the dot tar. Gz. File. It's the same file for both the C and the E. Now go to the expressway.

What is Expressway C?

Expressway-C automatically generates non-configurable neighbor zones between itself and each discovered Unified CM node. A TCP zone is always created, and a TLS zone is created also if the Unified CM node is configured with a Cluster Security Mode ( System > Enterprise Parameters > Security Parameters) of 1 ( Mixed) (so that it can support devices provisioned with secure profiles). The TLS zone is configured with its TLS verify mode set to On if the Unified CM discovery had TLS verify mode enabled. This means that the Expressway-C will verify the CallManager certificate for subsequent SIP communications. Each zone is created with a name in the format 'CEtcp-<node name>' or 'CEtls-<node name>'.

What is SIP OAuth mode?

SIP OAuth Mode is recommended if you want secure SIP line signaling and your system supports it.

Does Cisco accept responsibility for SAML 2.0?

Cisco cannot accept responsibility for any errors, limitations, or specific configuration of the IdP. Although Cisco Collaboration infrastructure may prove to be compatible with other IdPs claiming SAML 2.0 compliance, only the following IdPs have been tested with Cisco Collaboration solutions: OpenAM 10.0.1.

Can multiple MRA users use the same IP address?

If you have multiple MRA users using the same IP address (for example, if you have multiple MRA users behind a NAT with the same public IP address), automated intrusion protection may trigger due to all of the traffic from the same IP address. In this case, configure an exemption on the IP address.

Do Expressway C and E trust each other?

Make sure that Expressway-C and Expressway-E trust each other's certificates. As each Expressway acts both as a client and as a server you must ensure that each Expressway’s certificate is valid both as a client and as a server. For detailed information on certificate exchance requirements, see Certificate Requirements .

Does Cisco Expressway use SAML?

From X12.5, Cisco Expressway supports using a single, cluster-wide metadata file for SAML agreement with an IdP. Previously, you had to generate metadata files per peer in an Expressway-C cluster (for example, six metadata files for a cluster with six peers). For the cluster-wide option, run this procedure on the Expressway-C primary peer.

What is Expressway CSR?

The Expressway certificate signing request (CSR) tool prompts for and incorporates the relevant subject alternate name (SAN) entries as appropriate for the Unified Communications features that are supported on that Expressway.

How does Jabber verify the identity of Expressway E?

Jabber clients must verify the identity of the Expressway-E they are connecting to by validating its server certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their list of trusted CAs.

What is Cisco Unified Communications?

Cisco Unified Communications mobile and remote access is a core part of the Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning, messaging and presence services provided by Cisco Unified Communications Manager (Unified CM) when the endpoint is not within the enterprise network. The Expressway provides secure firewall traversal and line-side support for Unified CM registrations.

What is a mobile and remote access solution?

The mobile and remote access solution supports a hybrid on-premises and cloud-based service model, providing a consistent experience inside and outside the enterprise. It provides a secure connection for Jabber application traffic without having to connect to the corporate network over a VPN. It is a device and operating system agnostic solution for Cisco Jabber clients on Windows, Mac, iOS and Android platforms.

What is diagnostic log in Expressway?

The diagnostic logging tool in Expressway can be used to assist in troubleshooting system issues. It allows you to generate a diagnostic log of system activity over a period of time, and then to download the log.

Why do I need to associate a domain with an IDP?

You need to associate a domain with an IdP if you want the MRA users of that domain to authenticate via the IdP. The IdP adds no value until you associate at least one domain with it.

Do you need SIP trunks for Expressway?

Expressway deployments for mobile and remote access do not require SIP trunk connections between Unified CM and Expressway-C. Note that the automatically generated neighbor zones between Expressway-C and each discovered Unified CM node are not SIP trunks.

How does the Expressway work?

The Expressway can limit the number of times that any user's credentials can be used, in a given configurable period, to authorize the user for collaboration services. This feature is designed to thwart inadvertent or real denial of service attacks, which can originate from multiple client devices authorizing the same user, or from clients that reauthorize more often than necessary.

What is Expressway C?

The Expressway-C must be configured with the address details of the Unified Communications services/nodes that are going to provide registration, call control, provisioning, voicemail, messaging, and presence services to MRA users.

What are the two certificates for Cisco Unified Communications Manager?

The two Cisco Unified Communications Manager certificates that are significant for Mobile and Remote Access are the CallManager certificate and the tomcat certificate . These are automatically installed on the Cisco Unified Communications Manager and by default they are self-signed and have the same common name (CN). We recommend using CA-signed certificates for best end-to-end security between external endpoints and internal endpoints. However, if you do use self-signed certificates, the two certificates must have different common names. This is because the Expressway does not allow two self-signed certificates with the same CN. If the CallManager and tomcat self-signed certs have the same CN in the Expressway's trusted CA list, then it can only trust one of them. This means that either secure HTTP or secure SIP, between Expressway-C and Cisco Unified Communications Manager, will fail.

What is Cisco Unified Communications Mobile and Remote Access?

Cisco Unified Communications Mobile and Remote Access is a core part of the Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning, messaging and presence services provided by Cisco Unified Communications Manager (Unified CM) when the endpoint is not within the enterprise network. The Expressway provides secure firewall traversal and line-side support for Unified CM registrations.

What is deployment in a network?

A deployment is an abstract boundary used to enclose a domain and one or more Unified Communications service providers (such as Unified CM, Cisco Unity Connection, and IM and Presence Service nodes). The purpose of multiple deployments is to partition the Unified Communications services available to Mobile and Remote Access (MRA) users. So different subsets of MRA users can access different sets of services over the same Expressway pair.We recommend that you do not exceed ten deployments.

How does Jabber verify the identity of Expressway E?

Jabber clients must verify the identity of the Expressway-E they are connecting to by validating its server certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their list of trusted CAs.

Why does my Expressway call fail?

Call failures can occur if the traversal zones on Expressway are configured with an Authentication policy of Check credentials. Ensure that the Authentication policy on the traversal zones used for Mobile and Remote Access is set to Do not check credentials.

What is Expressway C?

Expressway-C automatically generates non-configurable neighbor zones between itself and each discovered Unified CM node. A TCP zone is always created, and a TLS zone is created also if the Unified CM node is configured with a Cluster Security Mode (System > Enterprise Parameters > Security Parameters) of 1 (Mixed) (so that it can support devices provisioned with secure profiles). The TLS zone is configured with its TLS verify mode set to On if the Unified CM discovery had TLS verify mode enabled. This means that the Expressway-C will verify the CallManager certificate for subsequent SIP communications. Each zone is created with a name in the format 'CEtcp-<node name>' or 'CEtls-<node name>'.

How does Jabber verify the identity of Expressway E?

Jabber clients must verify the identity of the Expressway-E they are connecting to by validating its server certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their list of trusted CAs.

What is diagnostic log in Expressway?

The diagnostic logging tool in Expressway can be used to assist in troubleshooting system issues. It allows you to generate a diagnostic log of system activity over a period of time, and then to download the log.

What is mobile and remote access?

The mobile and remote access solution supports a hybrid on-premises and cloud-based service model, providing a consistent experience inside and outside the enterprise. It provides a secure connection for Jabber application traffic without having to connect to the corporate network over a VPN. It is a device and operating system agnostic solution for Cisco Unified Client Services Framework clients on Windows, Mac, iOS and Android platforms.

What is Cisco Unified Communications?

Cisco Unified Communications mobile and remote access is a core part of the Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning, messaging and presence services provided by Cisco Unified Communications Manager (Unified CM) when the endpoint is not within the enterprise network. The Expressway provides secure firewall traversal and line-side support for Unified CM registrations.

Is unified CM impacted by Expressway?

The Unified CM dial plan is not impacted by devices registering via Expressway. Remote and mobile devices still register directly to Unified CM and their dial plan will be the same as when it is registered locally.

Do you need SIP trunks for Expressway?

Expressway deployments for mobile and remote access do not require SIP trunk connections between Unified CM and Expressway-C. Note that the automatically generated neighbor zones between Expressway-C and each discovered Unified CM node are not SIP trunks.

How does the Expressway work?

The Expressway can limit the number of times that any user's credentials can be used, in a given configurable period, to authorize the user for collaboration services. This feature is designed to thwart inadvertent or real denial of service attacks, which can originate from multiple client devices authorizing the same user, or from clients that reauthorize more often than necessary.

How does Jabber verify the identity of Expressway E?

Jabber clients must verify the identity of the Expressway-E they are connecting to by validating its server certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their list of trusted CAs.

What is diagnostic log in Expressway?

The diagnostic logging tool in Expressway can be used to assist in troubleshooting system issues. It allows you to generate a diagnostic log of system activity over a period of time, and then to download the log.Before taking a diagnostic log, you must configure the log level of the relevant logging modules:

What are the two certificates for Cisco Unified Communications Manager?

The two Cisco Unified Communications Manager certificates that are significant for Mobile and Remote Access are the CallManager certificate and the tomcat certificate . These are automatically installed on the Cisco Unified Communications Manager and by default they are self-signed and have the same common name (CN). We recommend using CA-signed certificates for best end-to-end security between external endpoints and internal endpoints. However, if you do use self-signed certificates, the two certificates must have different common names. This is because the Expressway does not allow two self-signed certificates with the same CN. If the CallManager and tomcat self-signed certs have the same CN in the Expressway's trusted CA list, then it can only trust one of them. This means that either secure HTTP or secure SIP, between Expressway-C and Cisco Unified Communications Manager, will fail.

What is a mobile and remote access solution?

The mobile and remote access solution supports a hybrid on-premises and cloud-based service model, providing a consistent experience inside and outside the enterprise. It provides a secure connection for Jabber application traffic without having to connect to the corporate network over a VPN. It is a device and operating system agnostic solution for Cisco Jabber clients on Windows, Mac, iOS and Android platforms.

What is Cisco Unified Communications?

Cisco Unified Communications mobile and remote access is a core part of the Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning, messaging and presence services provided by Cisco Unified Communications Manager (Unified CM) when the endpoint is not within the enterprise network. The Expressway provides secure firewall traversal and line-side support for Unified CM registrations.

Is unified CM impacted by Expressway?

The Unified CM dial plan is not impacted by devices registering via Expressway. Remote and mobile devices still register directly to Unified CM and their dial plan will be the same as when it is registered locally.

image
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9