Remote-access Guide

cisco mobile remote access

by Ms. Tabitha Koepp PhD Published 3 years ago Updated 2 years ago
What is mobile and remote access?

The Mobile and Remote Access solution (MRA) supports a hybrid on-premises and cloud-based service model. This provides a consistent experience inside and outside the enterprise. MRA provides a secure connection for Jabber application traffic without having to connect to the corporate network over a VPN.

What are MRA phones?

It is a device and operating system agnostic solution for Cisco Jabber clients on Windows, Mac, iOS and Android platforms. MRA allows Jabber clients that are outside the enterprise to do the following: Use Instant Messaging and Presence services. Make voice and video calls.

What is MRA collaboration?

Mutual Recognition Agreement (MRA)

What is MRA network?

MRA is a comprehensive service offering that provides an assessment of all network infrastructure and its ability to transport the media-rich applications that need to be deployed.

How do you set up an MRA?

From the video "Expressway MRA Basic Configuration" (YouTube): "Let's go back to configuration. Domains. Click on View edit for the domain. And turn off registrations for Expressway, turn on registrations for CCM."

How does Cisco expressway work?

It enables simple and safe, session-based collaboration outside your firewall - without extra registration, accounts, passwords, or VPN: Cisco Expressway provides mobile users and guests with unlimited access to all collaboration workloads, including video, voice, instant messaging and content sharing, and thus ...

What is Cisco Expressway E?

The Expressway acts as a Unified Communications gateway for third-party devices and for mobile and remote access. Or you can register directly to the Cisco Expressway-C. To configure the Expressway for Unified Communications services, see Mobile and Remote Access via Cisco Expressway Deployment Guide on.

Why is an MRA ordered?

Doctors use MRA to: identify abnormalities, such as aneurysms, in the aorta, both in the chest and abdomen, or in other arteries. detect atherosclerotic (plaque) disease in the carotid artery of the neck, which may limit blood flow to the brain and cause a stroke.

How do I log into my Expressway E?

Open the browser to the Expressway-E at https://expe1a.pod9.cms.lab. Log in with username admin and password c1sco123. If prompted, click Skip Service Setup Wizard.

What does an MRA look for?

An MRA of the head is done to look at the blood vessels leading to the brain to check for a bulge (aneurysm), a clot, or a narrowing (stenosis) because of plaque.

What happens during an MRA?

During MRA, you lie flat inside an MRI scanner. This is a large, tunnel-like tube. In some cases, contrast dye may be added to your bloodstream. This is done to make your blood vessels easier to see.

What is quality management MRA?

The MRA curriculum with a concentration in quality assurance is designed to provide a broad understanding of the FDA-regulated product lifecycle with a particular focus on GLP and GMP-compliant management of product development and manufacturing.

What is the maximum bit rate for video calls on Cisco Unified Communications Manager?

The Maximum Session Bit Rate for Video Calls on the default region on Cisco Unified Communications Manager is 384 kbps by default. The Default call bandwidth on Expressway-C is also 384 kbps by default. These settings may be too low to deliver the expected video quality for MRA-connected devices.

What is a single domain?

A single domain means that you have a common domain (example.com) with separate internal and external DNS servers. This allows DNS names to be resolved differently by clients on different networks depending on DNS configuration, and aligns with basic Jabber service discovery requirements.

Does Cisco Expressway work with multiple domains?

Cisco Expressway supports Mobile and Remote Access with multiple external domains. With this deployment, you will have more than one external domain where your MRA clients may reside. Expressway-E must be able to connect to all of them. To configure this deployment, do the following:

Can you use CMS and MRA on the same Expressway?

If you use both the CMS Web Proxy service and MRA on the same Expressway, the following configuration items must be assigned different values per service. If you try to use the same value, the service that was configured first will work, but the other one will fail:

Can MRA have a single domain?

The ideal scenario for MRA is to have a single domain with a split DNS configuration, and this is the recommended approach. This is not always possible, so there are some other approaches to deal with various alternative scenarios.

Can you have multiple domains on Expressway C?

As of X8.5, you can create multiple deployments on the Expressway-C, but this feature is still limited to one domain per deployment. As of X8.5.1, a deployment can have Multiple Presence Domains. However, this feature is in preview status only, and we recommend that you do not exceed 50 domains.

Can Jabber guest use Expressway?

The Expressway cannot be used for Jabber Guest when it's used for Mobile and Remote Access (MRA). The Expressway-C used for MRA cannot also be used for Microsoft gateway service. Microsoft gateway service requires a dedicated Expressway-C. Maintenance mode is not supported over MRA for endpoints running CE software.

What is Cisco AnyConnect Secure Mobility Client?

Cisco AnyConnect Secure Mobility Client empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization.

What is Cisco Identity Services Engine?

With Cisco Identity Services Engine (ISE), you can prevent noncompliant devices from accessing the network. You can gain secure remote access with Duo's multi-factor authentication (MFA) for verifying user identities. And with Umbrella Roaming, you can extend protection when users are off the VPN.

Is Cisco Secure a simple product?

Cisco Secure products are simple to use, simple to choose. Now they've never been simpler to buy. With the Choice Enterprise Agreement buy only what you need and manage it in a single agreement. Your security works together against attacks.

Rapid scalability

Get users up and running quickly for rapid time-to-value and enhance business continuity.

Greater ROI

Our flexible, subscription-based pricing allows you to reduce costs by paying only for what you need.

Seamless user experience

Always-on connectivity and security provide end users with a great experience regardless of location.

Highly available, secure network access

Provide users with highly secure access to corporate resources from any location or device. Our service autodetects trusted networks and disconnections, automatically enforcing appropriate policies and remedies where needed.

Trusted security across Mac, Windows, iOS, and Android devices

Enjoy greater flexibility when bringing personal devices to the corporate network—without compromising security.

Cloud-based, scalable architecture

Our service is built on a cloud-based, highly available infrastructure that provides scalable remote access to get users up and running quickly.

Always-on service monitoring, performance metrics, and alerts

Cisco provides 24x7x365 monitoring of infrastructure, including continuous device health, performance metrics, and alerting.

What is a mobile and remote access solution?

The mobile and remote access solution supports a hybrid on-premises and cloud-based service model, providing a consistent experience inside and outside the enterprise. It provides a secure connection for Jabber application traffic without having to connect to the corporate network over a VPN. It is a device and operating system agnostic solution for Cisco Jabber clients on Windows, Mac, iOS and Android platforms.

What is Cisco Unified Communications?

Cisco Unified Communications mobile and remote access is a core part of the Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning, messaging and presence services provided by Cisco Unified Communications Manager (Unified CM) when the endpoint is not within the enterprise network. The Expressway provides secure firewall traversal and line-side support for Unified CM registrations.

How does Jabber verify the identity of Expressway E?

Jabber clients must verify the identity of the Expressway-E they are connecting to by validating its server certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their list of trusted CAs.

What is Expressway CSR?

The Expressway certificate signing request (CSR) tool prompts for and incorporates the relevant subject alternate name (SAN) entries as appropriate for the Unified Communications features that are supported on that Expressway.

What is diagnostic log in Expressway?

The diagnostic logging tool in Expressway can be used to assist in troubleshooting system issues. It allows you to generate a diagnostic log of system activity over a period of time, and then to download the log.

Why do I need to associate a domain with an IDP?

You need to associate a domain with an IdP if you want the MRA users of that domain to authenticate via the IdP. The IdP adds no value until you associate at least one domain with it.

Do you need SIP trunks for Expressway?

Expressway deployments for mobile and remote access do not require SIP trunk connections between Unified CM and Expressway-C. Note that the automatically generated neighbor zones between Expressway-C and each discovered Unified CM node are not SIP trunks.

What is a comstice mobile agent?

The Comstice Mobile Agent app uses Cisco Finesse REST APIs. It communicates with Cisco Finesse through Comstice Server on your network DMZ. Comstice Server acts as a proxy for HTTPS and XMPP traffic, so your Finesse clients can communicate with the Cisco Finesse service without opening any Finesse ports to the public Internet.

Does Comstice have a VPN?

Comstice offers a WebRTC-based phone functionality on the web browser or using Comstice Softphone with no Cisco Expressway required. Comstice WebRTC Gateway simplifies the topology and helps to offer voice over data for the remote users with no VPN or a specialist firewall needed.

Background

Proper troubleshooting technique requires that you have a thorough understanding of how things should work during normal operations. I presented on the MRA registration process during a NetCraftsmen Cisco Mid-Atlantic User Group (CMUG) meeting last year.

Service Discovery

Upon initialization, the Jabber client enters into a “Service Discovery” mode. At this stage, the client is trying to determine if it is inside the corporate network or outside. The mechanism that is used is DNS. Specifically, the Jabber client will query for specific DNS service records (SRV record) based on the assigned service domain.

Service Provisioning

Once the client establishes a TLS connection to port 8443 on the Edge appliance, the user credentials are authenticated. At this point, the proxy connection is established and the client will start downloading configuration information from the UCM cluster. This configuration information is used to complete the service registration phases.

XMPP Registration

If the Jabber client is provisioned for IM&P presence services, the client will attempt to establish a connection on TCP port 5222. Registration requests are sent to the Edge appliance, which then proxies the transaction through the Core appliance to the IM&P cluster node(s).

SIP Registration

If the Jabber client is provisioned as a voice/video soft phone, the client will attempt to establish a connection on TCP port 5061. Registration requests are sent to the Edge appliance, which then proxies them through the Core appliance to the UCM cluster node(s). Successful registration is required for voice/video call functionality.

Visual Voicemail

If the Jabber client is provisioned with visual voicemail, the Jabber client will submit registration requests to the Edge appliance using the already established TLS connection on port 8443. The Edge appliance proxies the request through the Core to the REST API on Unity Connection.

Service Discovery

This step is fairly straightforward. We need to determine if the client can resolve the proper DNS SRV records. Using dig or nslookup, verify that the client can resolve the collaboration edge SRV records. For example:
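An added example, not from the original article: a small script that queries the two standard Jabber discovery records (`_cisco-uds._tcp` for the internal network, `_collab-edge._tls` for the Expressway-E) and checks that the edge answers point at port 8443. The domain is passed by the operator, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: inspect Jabber service-discovery SRV records for a domain.
# _cisco-uds._tcp and _collab-edge._tls are the standard Cisco record names;
# the helper names below are illustrative, not part of any Cisco tool.

# Query one SRV record; prints "priority weight port target" lines.
query_srv() {  # $1 = record name, $2 = domain
    dig +short SRV "$1.$2"
}

# Validate collab-edge answers read from stdin (dig +short SRV format).
# Prints each target host; returns non-zero if any line is malformed
# or advertises a port other than 8443.
check_collab_edge() {
    awk 'NF != 4    { bad = 1; next }
         $3 != 8443 { bad = 1; next }
         { sub(/\.$/, "", $4); print $4 }
         END { exit bad + 0 }'
}

# Decide where the client would conclude it is, given both answer sets.
# With split DNS, _cisco-uds should resolve only on the internal network.
classify() {  # $1 = _cisco-uds answers, $2 = _collab-edge answers
    if [ -n "$1" ]; then
        echo inside
    elif [ -n "$2" ]; then
        echo outside
    else
        echo undiscovered
    fi
}

# Live check when a domain is given: sh srv_check.sh example.com
if [ -n "${1:-}" ]; then
    uds=$(query_srv _cisco-uds._tcp "$1")
    edge=$(query_srv _collab-edge._tls "$1")
    echo "client view: $(classify "$uds" "$edge")"
    if [ -n "$edge" ]; then
        printf '%s\n' "$edge" | check_collab_edge ||
            echo "collab-edge answer malformed or not on port 8443"
    fi
fi
```

Run it once from an external network and once from inside: an `inside` result from an external resolver means the internal `_cisco-uds` record is being published outside the split-DNS boundary.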
