Remote-access Guide

Mobile and Remote Access Through Cisco Expressway Deployment Guide

by Jazlyn Stamm Published 2 years ago Updated 2 years ago

What is the latest release of the Cisco Expressway deployment guide?

Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.10): Mobile and Remote Access Through Cisco Expressway Deployment Guide. First Published: April 2014. Last Updated: September 2018. Cisco Expressway X8.10. Cisco Systems, Inc. www.cisco.com

How does call signaling work on the Cisco Expressway?

All call signaling, including the signaling for Mobile and Remote Access on Expressway, traverses the IP connection between the client and Cisco Unified Communications Manager. Voice media traverses the cellular interface and hairpins at the enterprise Public Switched Telephone Network (PSTN) gateway.

How do I enable automated intrusion protection in Expressway-c?

See Automated Intrusion Protection, page 1.

Enabling the Expressway-C for Mobile and Remote Access

To enable Mobile and Remote Access functionality:
1. Go to Configuration > Unified Communications > Configuration.
2. Set Unified Communications mode to Mobile and Remote Access.
3. Click Save.

How to enable mobile and remote access mode on Expressway-c?

You must enable Mobile and Remote Access mode on Expressway before you can configure domains and traversal zones. On the Expressway-C, go to Configuration > Unified Communications > Configuration. Set Unified Communications mode to Mobile and Remote Access. Click Save.


What is mobile and remote access?

The Mobile and Remote Access solution (MRA) supports a hybrid on-premises and cloud-based service model. This provides a consistent experience inside and outside the enterprise. MRA provides a secure connection for Jabber application traffic without having to connect to the corporate network over a VPN.

How do I access Cisco Expressway?

Open a browser window and in the address line type one of the following:
• IP address of the Cisco Expressway (for example, https://10.0.0.1). Enter the address as HTTPS.
• FQDN of the Cisco Expressway (for example, https://mydomain.example.com).

What is an MRA phone?

It is a device and operating system agnostic solution for Cisco Jabber clients on Windows, Mac, iOS and Android platforms. MRA allows Jabber clients that are outside the enterprise to do the following:
• Use Instant Messaging and Presence services.
• Make voice and video calls.

How does Cisco expressway work?

The Expressway acts as a Unified Communications gateway to provide secure firewall traversal and line-side support for Unified CM registrations. IM and Presence services on Unified CM: instant messaging and presence services for this SIP domain are provided by the Unified CM IM and Presence service.

What is the difference between Cisco Expressway C and E?

Differences between VCS C and VCS E: Tandberg's legacy devices typically used VCS Control, or VCS C, within the organization, and VCS Expressway, or VCS E, was used between firewalls. To put it more simply, VCS C was used internally within the organization while VCS E was utilized externally.

What is VCS Expressway?

The VCS Expressway is a SIP Registrar & Proxy and H.323 Gatekeeper for devices which are located outside the internal network (for example, home users and mobile workers registering across the internet, and 3rd party businesses making calls to, or receiving calls from, this network).

How do you set up an MRA?

Expressway MRA Basic Configuration - YouTube (0:30 / 6:47): "Let's start in the Expressway CE and go to configuration domains. Let's add the SIP domain that's going to be used for MRA. Click new and type in the domain name. And then click create domain."

What are two functions of Cisco expressway in the collaboration edge?

A. Expressway-C provides encryption for Mobile and Remote Access but not for business-to-business communications. B. Expressway-E provides a VPN entry point for Cisco IP phones with a Cisco AnyConnect client using authentication based on certificates.

What is Expressway-C and expressway-E?

The Expressway-C is configured with DNS servers which are located on the internal network. The Expressway-E is configured with DNS servers which are publicly routable.

What is the difference between a highway and an expressway?

An expressway is a limited-access highway for high-speed, high-volume traffic without any signals, intersections, or property access, whereas a highway is a main public roadway for a higher volume of traffic with traffic signals, intersections, and property access.

How do I upgrade my Cisco Expressway?

How to Upgrade an Expressway Cluster - YouTube (1:54 / 4:49): "Series section you can go to download software to get the upgrade. The upgrade file is going to be the .tar.gz file. It's the same file for both the C and the E. Now go to the Expressway."

What is VCS Cisco?

The Cisco Video Communication Server (VCS) provides the most advanced telepresence and video conferencing call control in the industry. Flexible and extensible for video conferencing applications, it enables any-to-any interoperability between all standards-compliant SIP and H.323 devices.

What is Expressway C?

Expressway-C automatically generates non-configurable neighbor zones between itself and each discovered Unified CM node. A TCP zone is always created, and a TLS zone is also created if the Unified CM node is configured with a Cluster Security Mode (System > Enterprise Parameters > Security Parameters) of 1 (Mixed) (so that it can support devices provisioned with secure profiles). The TLS zone is configured with its TLS verify mode set to On if the Unified CM discovery had TLS verify mode enabled. This means that the Expressway-C will verify the CallManager certificate for subsequent SIP communications. Each zone is created with a name in the format 'CEtcp-<node name>' or 'CEtls-<node name>'.

What is SIP OAuth mode?

SIP OAuth Mode is recommended if you want secure SIP line signaling and your system supports it.

Does Cisco accept responsibility for SAML 2.0?

Cisco cannot accept responsibility for any errors, limitations, or specific configuration of the IdP. Although Cisco Collaboration infrastructure may prove to be compatible with other IdPs claiming SAML 2.0 compliance, only the following IdPs have been tested with Cisco Collaboration solutions: OpenAM 10.0.1.

Is SAML 2.0 compatible with 1.1?

SAML 2.0 is not compatible with SAML 1.1 and you must select an IdP that uses the SAML 2.0 standard. SAML-based identity management is implemented in different ways by vendors in the computing and networking industry, and there are no widely accepted regulations for compliance to the SAML standards.

Can multiple MRA users use the same IP address?

If you have multiple MRA users using the same IP address (for example, if you have multiple MRA users behind a NAT with the same public IP address), automated intrusion protection may trigger due to all of the traffic from the same IP address. In this case, configure an exemption on the IP address.

Do Expressway C and E trust each other?

Make sure that Expressway-C and Expressway-E trust each other's certificates. As each Expressway acts both as a client and as a server, you must ensure that each Expressway's certificate is valid both as a client and as a server. For detailed information on certificate exchange requirements, see Certificate Requirements.

Does Cisco Expressway use SAML?

From X12.5, Cisco Expressway supports using a single, cluster-wide metadata file for SAML agreement with an IdP. Previously, you had to generate metadata files per peer in an Expressway-C cluster (for example, six metadata files for a cluster with six peers). For the cluster-wide option, run this procedure on the Expressway-C primary peer.

What is Expressway CSR?

The Expressway certificate signing request (CSR) tool prompts for and incorporates the relevant subject alternate name (SAN) entries as appropriate for the Unified Communications features that are supported on that Expressway.

How does Jabber verify the identity of Expressway E?

Jabber clients must verify the identity of the Expressway-E they are connecting to by validating its server certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their list of trusted CAs.

What is Cisco Unified Communications?

Cisco Unified Communications mobile and remote access is a core part of the Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning, messaging and presence services provided by Cisco Unified Communications Manager (Unified CM) when the endpoint is not within the enterprise network. The Expressway provides secure firewall traversal and line-side support for Unified CM registrations.

What is a mobile and remote access solution?

The mobile and remote access solution supports a hybrid on-premises and cloud-based service model, providing a consistent experience inside and outside the enterprise. It provides a secure connection for Jabber application traffic without having to connect to the corporate network over a VPN. It is a device and operating system agnostic solution for Cisco Jabber clients on Windows, Mac, iOS and Android platforms.

What is diagnostic log in Expressway?

The diagnostic logging tool in Expressway can be used to assist in troubleshooting system issues. It allows you to generate a diagnostic log of system activity over a period of time, and then to download the log.

Why do I need to associate a domain with an IDP?

You need to associate a domain with an IdP if you want the MRA users of that domain to authenticate via the IdP. The IdP adds no value until you associate at least one domain with it.

What is deployment in a domain?

A deployment is an abstract boundary used to enclose a domain and one or more Unified Communications service providers, such as Unified CM, Cisco Unity Connection, and IM and Presence Service nodes.

How does the Expressway work?

The Expressway can limit the number of times that any user's credentials can be used, in a given configurable period, to authorize the user for collaboration services. This feature is designed to thwart inadvertent or real denial of service attacks, which can originate from multiple client devices authorizing the same user, or from clients that reauthorize more often than necessary.

What are the two certificates for Cisco Unified Communications Manager?

The two Cisco Unified Communications Manager certificates that are significant for Mobile and Remote Access are the CallManager certificate and the tomcat certificate. These are automatically installed on the Cisco Unified Communications Manager and by default they are self-signed and have the same common name (CN). We recommend using CA-signed certificates for best end-to-end security between external endpoints and internal endpoints. However, if you do use self-signed certificates, the two certificates must have different common names. This is because the Expressway does not allow two self-signed certificates with the same CN. If the CallManager and tomcat self-signed certs have the same CN in the Expressway's trusted CA list, then it can only trust one of them. This means that either secure HTTP or secure SIP, between Expressway-C and Cisco Unified Communications Manager, will fail.
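
The duplicate-CN condition described above can be checked before certificates are added to the Expressway's trusted CA list. This is an added example, not taken from the Cisco guide: it assumes the CallManager and tomcat certificates have been exported as PEM files and that the openssl command-line tool is available; the function names, file names and CNs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report common names (CNs) shared by more than one
# self-signed certificate. Usage: script.sh CallManager.pem tomcat.pem ...

# Print one name field of a PEM certificate. $1 = subject|issuer, $2 = file.
cert_name() {
    openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed 's/^[a-z]*= *//'
}

# Print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -nameopt multiline -subject |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# A certificate is treated as self-signed when subject and issuer match.
is_self_signed() {
    [ "$(cert_name subject "$1")" = "$(cert_name issuer "$1")" ]
}

# Print every CN carried by two or more self-signed certificates in "$@".
# Empty output means no conflict among the files given.
dup_selfsigned_cn() {
    for f in "$@"; do
        if is_self_signed "$f"; then cert_cn "$f"; fi
    done | sort | uniq -d
}

# Constructed sample input: write a throwaway self-signed certificate
# with CN $1 to file $2 (the private key is discarded).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null && rm -f "$2.key"
}

# When called with file arguments, run the check on them.
if [ "$#" -gt 0 ]; then dup_selfsigned_cn "$@"; fi
```

Any CN printed identifies a pair of self-signed certificates that cannot both be trusted; CA-signed certificates are skipped because their subject and issuer differ.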

What is deployment in a network?

A deployment is an abstract boundary used to enclose a domain and one or more Unified Communications service providers (such as Unified CM, Cisco Unity Connection, and IM and Presence Service nodes). The purpose of multiple deployments is to partition the Unified Communications services available to Mobile and Remote Access (MRA) users, so that different subsets of MRA users can access different sets of services over the same Expressway pair. We recommend that you do not exceed ten deployments.

What is Expressway C?

The Expressway-C must be configured with the address details of the Unified Communications services/nodes that are going to provide registration, call control, provisioning, voicemail, messaging, and presence services to MRA users.

Why does my Expressway call fail?

Call failures can occur if the traversal zones on Expressway are configured with an Authentication policy of Check credentials. Ensure that the Authentication policy on the traversal zones used for Mobile and Remote Access is set to Do not check credentials.
