Remote-access Guide

Cisco Mobile and Remote Access

by Soledad Mraz Published 2 years ago Updated 1 year ago
What is mobile and remote access?

The Mobile and Remote Access solution (MRA) supports a hybrid on-premises and cloud-based service model. This provides a consistent experience inside and outside the enterprise. MRA provides a secure connection for Jabber application traffic without having to connect to the corporate network over a VPN.

What is MRA collaboration?

Mutual Recognition Agreement (MRA)

What are MRA phones?

It is a device and operating system agnostic solution for Cisco Jabber clients on Windows, Mac, iOS and Android platforms. MRA allows Jabber clients that are outside the enterprise to do the following: Use Instant Messaging and Presence services. Make voice and video calls.

What is MRA network?

MRA is a comprehensive service offering that provides an assessment of all network infrastructure and its ability to transport the media-rich applications that need to be deployed.

How does Cisco expressway work?

It enables simple and safe, session-based collaboration outside your firewall - without extra registration, accounts, passwords, or VPN: Cisco Expressway provides mobile users and guests with unlimited access to all collaboration workloads, including video, voice, instant messaging and content sharing, and thus ...

How do you set up an MRA?

From the video "Expressway MRA Basic Configuration" (YouTube): Let's go back to configuration. Domains. Click on View edit for the domain. And turn off registrations for Expressway, turn on registrations for CCM.

What is Cisco Expressway C and E?

The Expressway acts as a Unified Communications gateway for third-party devices and for mobile and remote access. Or you can register directly to the Cisco Expressway-C. To configure the Expressway for Unified Communications services, see Mobile and Remote Access via Cisco Expressway Deployment Guide on.

Why is an MRA ordered?

Doctors use MRA to: identify abnormalities, such as aneurysms, in the aorta, both in the chest and abdomen, or in other arteries. detect atherosclerotic (plaque) disease in the carotid artery of the neck, which may limit blood flow to the brain and cause a stroke.

What is difference between MRI and MRA?

MRI, or magnetic resonance imaging, uses radio waves, a magnetic field, and a computer to create images of the inside of the body. MRA, or magnetic resonance angiography — sometimes called a magnetic resonance angiogram — is a magnetic resonance procedure that zeroes in on the blood vessels.

What does an MRA look for?

An MRA of the head is done to look at the blood vessels leading to the brain to check for a bulge (aneurysm), a clot, or a narrowing (stenosis) because of plaque.

What happens during an MRA?

During MRA, you lie flat inside an MRI scanner. This is a large, tunnel-like tube. In some cases, contrast dye may be added to your bloodstream. This is done to make your blood vessels easier to see.

What is quality management MRA?

The MRA curriculum with a concentration in quality assurance is designed to provide a broad understanding of the FDA-regulated product lifecycle with a particular focus on GLP and GMP-compliant management of product development and manufacturing.

What is the maximum bit rate for video calls on Cisco Unified Communications Manager?

The Maximum Session Bit Rate for Video Calls on the default region on Cisco Unified Communications Manager is 384 kbps by default. The Default call bandwidth on Expressway-C is also 384 kbps by default. These settings may be too low to deliver the expected video quality for MRA-connected devices.

What is a single domain?

A single domain means that you have a common domain (example.com) with separate internal and external DNS servers. This allows DNS names to be resolved differently by clients on different networks depending on DNS configuration, and aligns with basic Jabber service discovery requirements.

Does Cisco Expressway work with multiple domains?

Cisco Expressway supports Mobile and Remote Access with multiple external domains. With this deployment, you will have more than one external domain where your MRA clients may reside. Expressway-E must be able to connect to all of them. To configure this deployment, do the following:

Can you use CMS and MRA on the same Expressway?

If you use both the CMS Web Proxy service and MRA on the same Expressway, the following configuration items must be assigned different values per service. If you try to use the same value, the service that was configured first will work, but the other one will fail:

Can MRA have a single domain?

The ideal scenario for MRA is to have a single domain with a split DNS configuration, and this is the recommended approach. This is not always possible, so there are some other approaches to deal with various alternative scenarios.

Can you have multiple domains on Expressway C?

As of X8.5, you can create multiple deployments on the Expressway-C, but this feature is still limited to one domain per deployment. As of X8.5.1, a deployment can have Multiple Presence Domains. However, this feature is in preview status only, and we recommend that you do not exceed 50 domains.

Can Jabber guest use Expressway?

The Expressway cannot be used for Jabber Guest when it's used for Mobile and Remote Access (MRA). The Expressway-C used for MRA cannot also be used for Microsoft gateway service. Microsoft gateway service requires a dedicated Expressway-C. Maintenance mode is not supported over MRA for endpoints running CE software.

What is Cisco AnyConnect Secure Mobility Client?

Cisco AnyConnect Secure Mobility Client empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization.

What is Cisco Identity Services Engine?

With Cisco Identity Services Engine (ISE), you can prevent noncompliant devices from accessing the network. You can gain secure remote access with Duo's multi-factor authentication (MFA) for verifying user identities. And with Umbrella Roaming, you can extend protection when users are off the VPN.

Is Cisco Secure a simple product?

Cisco Secure products are simple to use, simple to choose. Now they've never been simpler to buy. With the Choice Enterprise Agreement buy only what you need and manage it in a single agreement. Your security works together against attacks.

What is a mobile and remote access solution?

The mobile and remote access solution supports a hybrid on-premises and cloud-based service model, providing a consistent experience inside and outside the enterprise. It provides a secure connection for Jabber application traffic without having to connect to the corporate network over a VPN. It is a device and operating system agnostic solution for Cisco Jabber clients on Windows, Mac, iOS and Android platforms.

What is Cisco Unified Communications?

Cisco Unified Communications mobile and remote access is a core part of the Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning, messaging and presence services provided by Cisco Unified Communications Manager (Unified CM) when the endpoint is not within the enterprise network. The Expressway provides secure firewall traversal and line-side support for Unified CM registrations.

How does Jabber verify the identity of Expressway E?

Jabber clients must verify the identity of the Expressway-E they are connecting to by validating its server certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their list of trusted CAs.

What is Expressway CSR?

The Expressway certificate signing request (CSR) tool prompts for and incorporates the relevant subject alternate name (SAN) entries as appropriate for the Unified Communications features that are supported on that Expressway.

What is diagnostic log in Expressway?

The diagnostic logging tool in Expressway can be used to assist in troubleshooting system issues. It allows you to generate a diagnostic log of system activity over a period of time, and then to download the log.

Why do I need to associate a domain with an IDP?

You need to associate a domain with an IdP if you want the MRA users of that domain to authenticate via the IdP. The IdP adds no value until you associate at least one domain with it.

Do you need SIP trunks for Expressway?

Expressway deployments for mobile and remote access do not require SIP trunk connections between Unified CM and Expressway-C. Note that the automatically generated neighbor zones between Expressway-C and each discovered Unified CM node are not SIP trunks.

Background

Proper troubleshooting technique requires that you have a thorough understanding of how things should work during normal operations. I presented on the MRA registration process during a NetCraftsmen Cisco Mid-Atlantic User Group (CMUG) meeting last year.

Service Discovery

Upon initialization, the Jabber client enters into a “Service Discovery” mode. At this stage, the client is trying to determine if it is inside the corporate network or outside. The mechanism that is used is DNS. Specifically, the Jabber client will query for specific DNS service records (SRV record) based on the assigned service domain.

Service Provisioning

Once the client establishes a TLS connection to port 8443 on the Edge appliance, the user credentials are authenticated. At this point, the proxy connection is established and the client will start downloading configuration information from the UCM cluster. This configuration information is used to complete the service registration phases.

XMPP Registration

If the Jabber client is provisioned for IM&P presence services, the client will attempt to establish a connection on TCP port 5222. Registration requests are sent to the Edge appliance, which then proxies the transaction through the Core appliance to the IM&P cluster node(s).

SIP Registration

If the Jabber client is provisioned as a voice/video soft phone, the client will attempt to establish a connection on TCP port 5061. Registration requests are sent to the Edge appliance, which then proxies them through the Core appliance to the UCM cluster node(s). Successful registration is required for voice/video call functionality.

Visual Voicemail

If the Jabber client is provisioned with visual voicemail, the Jabber client will submit registration requests to the Edge appliance using the already established TLS connection on port 8443. The Edge appliance proxies the request through the Core to the REST API on Unity Connection.

Service Discovery

This step is fairly straightforward. We need to determine if the client can resolve the proper DNS SRV records. Using dig or nslookup, verify that the client can resolve the collaboration edge SRV records. For example:
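The service discovery check described above, as an added Python example that is not from the original page or from Cisco: it parses `dig +short SRV` output and reports whether a client would register internally, go through MRA, or fail discovery. The SRV labels `_cisco-uds._tcp` and `_collab-edge._tls`, the rule that a resolvable internal record takes precedence, and all `example.com` hosts are assumptions; the sample answers are constructed.

```python
# Added example: parses constructed `dig +short` output; no live DNS query is made.
from dataclasses import dataclass

# Assumption: SRV labels from Cisco's MRA documentation; this page does not list them.
UDS_SRV = "_cisco-uds._tcp"     # internal only, points to Unified CM
EDGE_SRV = "_collab-edge._tls"  # external, points to Expressway-E
EDGE_PORT = 8443                # TLS port on the Edge appliance named on this page

@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str

def parse_dig_short(text):
    """Parse `dig +short SRV <name>` lines of the form 'prio weight port target.'"""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue  # skip blank lines and anything that is not an SRV answer
        prio, weight, port = (int(p) for p in parts[:3])
        records.append(Srv(prio, weight, port, parts[3].rstrip(".").lower()))
    # Lowest priority first; the weight tie-break is simplified to "highest first".
    return sorted(records, key=lambda r: (r.priority, -r.weight))

def diagnose(answers):
    """answers: SRV label -> raw dig output as seen from the client's network."""
    uds = parse_dig_short(answers.get(UDS_SRV, ""))
    edge = parse_dig_short(answers.get(EDGE_SRV, ""))
    findings = []
    if uds and edge:
        findings.append("both SRVs resolve; on an external network this means "
                        "the internal record leaked and MRA will not be used")
    if uds:
        return "internal", uds[0].target, findings
    if not edge:
        return "none", None, ["neither discovery SRV resolves"]
    findings += [f"{r.target}: SRV port {r.port}, expected {EDGE_PORT}"
                 for r in edge if r.port != EDGE_PORT]
    return "mra", edge[0].target, findings

# Constructed sample answers (example.com hosts are placeholders).
OUTSIDE = {EDGE_SRV: "20 10 8443 expe2.example.com.\n10 10 8443 expe1.example.com.\n"}
LEAKED = dict(OUTSIDE, **{UDS_SRV: "10 10 8443 cucm1.example.com.\n"})
BAD_PORT = {EDGE_SRV: "10 10 443 expe1.example.com.\n"}

if __name__ == "__main__":
    for name, sample in [("outside", OUTSIDE), ("leaked", LEAKED), ("bad port", BAD_PORT)]:
        print(name, diagnose(sample))
```

To use it on a real client, paste the output of `dig +short SRV <label>.<your-domain>` for each label into the `answers` dictionary, taken from the network the client is actually on.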

Configuring Mobile and Remote Access

To enable Cisco Jabber users with Mobile and Remote Access functionality, set up a Mobile and Remote Access User Policy within the User Profile Configuration window of Unified Communications Manager. The Mobile and Remote Access User Policy is not required for non-Jabber endpoints.

DNS Requirements

For the internal connection to Cisco Expressway, configure the following locally resolvable DNS SRV that points to Unified Communications Manager:

Cisco Expressway Requirements

This feature requires you to integrate Unified Communications Manager with Cisco Expressway. For Cisco Expressway configuration details for Mobile and Remote Access, refer to the Mobile and Remote Access Through Cisco Expressway Deployment Guide.

Certificate Prerequisites

You must exchange certificates between Unified Communications Manager, the IM and Presence Service, and Cisco Expressway-C. Cisco recommends that you use CA-signed certificates with the same CA for each system. In this case:

Activate Cisco AXL Web Service

Make sure that the Cisco AXL Web Service is activated on the publisher node.

Configure Maximum Session BitRate for Video

Configure Region settings for your Mobile and Remote Access endpoints. The default settings may be sufficient in many cases, but if you expect Mobile and Remote Access endpoints to use video, you may want to increase the Maximum Session Bit Rate for Video Calls within your Region Configuration.

Configure a Device Pool for Mobile and Remote Access

After you create a new region, assign that region to the device pool that your Mobile and Remote Access endpoints use.
