Configuring Cisco Unity Connection Integration


Transcript of Configuring Cisco Unity Connection Integration

Overview of Cisco Unity Connection Integration
Overview of Cisco Unity Connection Integration (Cont.)
SIP Integration
Call Handler Overview
Call Handler Reachability
Cisco Unified Communications Manager Deployment Options
Service Discovery
Quality of Service
Compare the Protocols XMPP and SIMPLE SIP (Cont.)
XMPP
IM and Presence Service High Availability
Cisco Jabber Product Overview
Cisco Jabber Operational Modes
Cisco Jabber in Phone-Only Mode
Cisco Jabber and Voicemail
Cisco Jabber and Conferencing
Cisco Unified Communications IM and Presence, Active Directory, and Exchange
OAuth Refresh Tokens
• Once authenticated, Jabber is issued with:
  • Access Token
  • Refresh Token
• The Access Token has a short lifetime (60 mins). The Access Token is used to gain access to a service, e.g. Cisco UDS. The Access Token is not stored on disk.
• The Refresh Token has a long life (60 days default). The Refresh Token is used to retrieve a new Access Token either before the current Access Token expires or at Jabber start-up. The Refresh Token is stored on disk (encrypted) and is available across sessions (including non-persistent VDI desktops).
OAuth Flow (On Prem)
(Diagram: Jabber, the CUCM authorization service, and authentication via CUCM, LDAP or SSO/IdP; the recoverable step text follows.)
1. On a first-time login, Jabber connects to the UC Manager authorization service and is redirected to the configured authentication service (Jabber does not have an access token yet).
• Authentication is performed, e.g. an authentication assertion is returned, and the user is authorised.
• Jabber receives a Refresh token from the UC Manager authorisation service.
4. Jabber uses the Access token to gain access to configured services. Jabber can now use these services, e.g. UDS, IM&P, voicemail.
5. The Access token has a lifetime of 60 minutes. Jabber will use the Refresh token to request a new Access token at 0.75 times the Access token life (45 minutes).
• … access to configured services. The new Access token's timer starts again (60 mins).
• As the Refresh token is about to expire, the user will be prompted to refresh their session (Jabber will use its active Refresh token to retrieve a new Refresh token)
• The user is prompted once per day from 3 days out of expiry (for 60 day lifetime)
Updated OAuth Behaviour (12.7+)
• Clicking “Sign out” will destroy the active Refresh Token
• The user will need to re-authenticate to sign into Jabber
• Applies whether SSO is enabled or not
• If the Refresh Token expires during an active session, Jabber will automatically sign out
• If there is an active call, Jabber will sign out once the call has ended
<LegacyOAuthLogout>False</LegacyOAuthLogout>
OAuth Refresh Tokens
• OAuth Refresh tokens can be enabled from System > Enterprise Parameters
• OAuth tokens can be revoked (per user) from UC Manager
• The user is prompted to sign out to retrieve the new configuration once the OAuth Refresh Login Flow is enabled
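The token lifecycle described on the OAuth slides (60-minute access token renewed at 0.75 of its life, 60-day refresh token, daily prompt from 3 days before expiry, automatic sign-out on expiry deferred past an active call, and sign-out destroying the refresh token in 12.7+) can be modelled as a small state machine. The following is an added example, not Cisco's or Jabber's code; the class, event names and the assumption that legacy logout keeps the refresh token are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

MINUTE = 60
HOUR = 60 * MINUTE
DAY = 24 * HOUR

ACCESS_TOKEN_LIFETIME = 60 * MINUTE   # slide: access token lives 60 minutes
RENEW_AT_FRACTION = 0.75              # slide: renewed at 0.75 of its life (45 minutes)
REFRESH_TOKEN_LIFETIME = 60 * DAY     # slide: refresh token lives 60 days by default
PROMPT_WINDOW = 3 * DAY               # slide: prompting starts 3 days before expiry
PROMPT_INTERVAL = DAY                 # slide: the user is prompted once per day


@dataclass
class JabberSession:
    """Token state of one signed-in client; all times are seconds (constructed model)."""
    access_issued: float
    refresh_issued: float
    in_call: bool = False
    legacy_oauth_logout: bool = False  # False models <LegacyOAuthLogout>False</LegacyOAuthLogout> (12.7+)
    signed_in: bool = True
    refresh_token_valid: bool = True
    last_prompt: Optional[float] = None
    sign_out_pending: bool = False

    def access_renew_due(self) -> float:
        return self.access_issued + RENEW_AT_FRACTION * ACCESS_TOKEN_LIFETIME

    def refresh_expires(self) -> float:
        return self.refresh_issued + REFRESH_TOKEN_LIFETIME

    def tick(self, now: float) -> List[str]:
        """Advance to `now` and return the actions the client takes at that moment."""
        events: List[str] = []
        if not self.signed_in:
            return events
        if now >= self.refresh_expires():
            # Refresh token expired during an active session: automatic sign-out,
            # deferred until the active call has ended.
            self.refresh_token_valid = False
            if self.in_call:
                self.sign_out_pending = True
                events.append("sign_out_deferred_until_call_ends")
            else:
                self.sign_out()
                events.append("signed_out_refresh_token_expired")
            return events
        if now >= self.access_renew_due():
            # Proactive renewal with the refresh token; the new token's 60 min timer restarts.
            self.access_issued = now
            events.append("access_token_renewed")
        if self.refresh_expires() - now <= PROMPT_WINDOW and (
            self.last_prompt is None or now - self.last_prompt >= PROMPT_INTERVAL
        ):
            self.last_prompt = now
            events.append("prompt_user_to_refresh_session")
        return events

    def user_refreshes_session(self, now: float) -> None:
        """User accepts the prompt: the active refresh token retrieves a new refresh token."""
        self.refresh_issued = now
        self.last_prompt = None

    def call_ended(self) -> List[str]:
        self.in_call = False
        if self.sign_out_pending:
            self.sign_out()
            return ["signed_out_after_call"]
        return []

    def sign_out(self) -> None:
        """12.7+ behaviour: signing out destroys the refresh token, so the next sign-in
        needs full re-authentication (SSO or not). Legacy mode is assumed to keep the
        token; that is an inference from the slide's contrast, not a documented fact."""
        self.signed_in = False
        self.sign_out_pending = False
        if not self.legacy_oauth_logout:
            self.refresh_token_valid = False


if __name__ == "__main__":
    session = JabberSession(access_issued=0, refresh_issued=0)
    for t in (45 * MINUTE, 57 * DAY + 1, 58 * DAY + 2, 60 * DAY):
        print(f"t={t / HOUR:.2f}h events={session.tick(t)}")
```

Running the simulation shows the cadence a detection engineer should expect in authorization-service logs: one access-token renewal every 45 minutes per signed-in client, a burst of refresh-token renewals in the last three days of the refresh token's life, and a forced sign-out at day 60 for users who ignored the prompt.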
Option 3: Messaging on Webex Teams, Calling on Cisco UC Manager (Cisco Jabber)
• Jabber uses the Webex Teams platform for messaging (1:1 and spaces)
• Jabber uses on-prem/hosted services for calling, voicemail and directory
(Diagram: Webex Teams provides the Messaging, Presence, Contacts and Meetings services; on premise, UC Manager/HCS, Unity Connection and the Corporate Directory serve Jabber for calling, voicemail and contacts/directory.)
Jabber Team Messaging Mode – Custom Contacts
• Custom Contact Support in Jabber 12.8!
• Custom contacts can now be added to a user's contact list in Jabber Team Messaging Mode
• IM&P Custom Contacts can also be migrated to Team Messaging Mode
Jabber Team Messaging Mode Summary
• Team Messaging Mode is an optional migration path for organisations on the journey to cloud
• Messaging is migrated to the cloud
• Calling is maintained on premise
• Existing Jabber deployments only
• Team Messaging Mode will not inherit all Webex Teams messaging features
• Webex Teams offers a superior messaging experience
• E.g. Message threading, Reactions, Teams Management, Message Edit, Pinning, Forwarding, Custom Presence will not be implemented in Team Messaging Mode
• Webex Teams will support the Jabber calling feature set
Cisco Expressway
How Expressway Firewall Traversal Works
1. Expressway-E is the traversal server installed in the DMZ. Expressway-C is the traversal client installed within the enterprise network.
2. Expressway-C connects via the firewall to a specific port on Expressway-E with secure login credentials.
3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E.
4. When Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C.
5. Expressway-C then initiates the connection through CUCM to the endpoint.
6. The call is established and media traverses the firewall securely.
(Diagram: Enterprise Network (UCM, Expressway-C, endpoint A) | firewall | DMZ (Expressway-E) | firewall | Outside Network / Internet (endpoint B).)
Expressway Compute Platform Options
OVA sizing (table; header labels recovered from the slide: OVA Size, vCPU Reserved, Calls, Registrations, Video Calls; each row lists its six values as extracted):
Large OVA: 3,500 | 500 | 1,000 | 14,000 | 2,000 | 4,000
Medium OVA: 2,500 | 100 | 200 | 10,000 | 400 | 800
Small OVA: 2,000 | 75 | 150 | 2,000 | 75 | 150
CE1200 Appliance
• SKU: EXPWY-1200-K9
• Bare metal, no hypervisor
• Cisco UCS C220-M5L
• Solution for customers with security policies that do not allow VMware in the DMZ
• Expressway only
MRA Client & Endpoint Support Available Today
• DX650, DX70, DX80
• 7811, 7821, 7841, 7861
• Webex Room 55, Webex Room Kit Plus
(Diagram: Internal Network | DMZ | External Network.)
DNS SRV lookup: _collab-edge._tls.example.com
get_edge_config?service_name=_cisco-uds&service_name=_cuplogin
Jabber allows a secondary domain to be used for edge service discovery. The “VoiceServicesDomain” can be provided in jabber-config.xml (from TFTP or the Messenger cloud), bootstrapped into the client via the MSI, or set through ciscojabber:// URL provisioning.
• The collab-edge record needs to be available in public DNS
• Multiple SRV records (and Expressway-E hosts) should be deployed for clusters
• A GEO DNS service can be used to provide unique DNS responses by geographic region
_collab-edge._tls.example.com. SRV 10 10 8443 expwy1.example.com.
_collab-edge._tls.example.com. SRV 10 10 8443 expwy2.example.com.
• The cisco-uds record needs to be available only in internal DNS
_cisco-uds._tcp.example.com. SRV 10 10 8443 ucm1.example.com.
_cisco-uds._tcp.example.com. SRV 10 10 8443 ucm2.example.com.
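The SRV records above are what a client resolves before it ever talks to an Expressway-E, and the split between public and internal DNS is the control that keeps the UDS record off the Internet. The following added example (not from the page or from Cisco) parses zone-file style SRV lines, orders targets the way RFC 2782 tells a client to (lowest priority first, weighted random within a priority), and audits two DNS views against the slide's rules. The DNS views, the `expwy-dr` backup record with priority 20, and the leaked-record misconfiguration are constructed.

```python
import random
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Service labels used by Jabber for edge (Expressway) and on-premises (UDS) discovery.
EDGE_SERVICE = "_collab-edge._tls"
UDS_SERVICE = "_cisco-uds._tcp"

# Constructed DNS views. The example.com records are those shown on the slide;
# expwy-dr (priority 20) is a constructed backup to show priority ordering.
PUBLIC_VIEW = """
_collab-edge._tls.example.com. SRV 10 10 8443 expwy1.example.com.
_collab-edge._tls.example.com. SRV 10 10 8443 expwy2.example.com.
_collab-edge._tls.example.com. SRV 20 10 8443 expwy-dr.example.com.
"""
INTERNAL_VIEW = """
_cisco-uds._tcp.example.com. SRV 10 10 8443 ucm1.example.com.
_cisco-uds._tcp.example.com. SRV 10 10 8443 ucm2.example.com.
"""
# Constructed misconfiguration: the internal-only UDS record published in the public view.
LEAKY_PUBLIC_VIEW = PUBLIC_VIEW + "_cisco-uds._tcp.example.com. SRV 10 10 8443 ucm1.example.com.\n"

SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+SRV\s+(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(zone_text: str) -> Dict[str, List[dict]]:
    """Return {owner name: [record, ...]} from zone-file style SRV lines."""
    rrsets: Dict[str, List[dict]] = defaultdict(list)
    for raw in zone_text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SRV_LINE.match(line)
        if m is None:
            raise ValueError(f"not an SRV line: {line!r}")
        owner = m["owner"].rstrip(".").lower()
        rrsets[owner].append({
            "priority": int(m["priority"]),
            "weight": int(m["weight"]),
            "port": int(m["port"]),
            "target": m["target"].rstrip(".").lower(),
        })
    return dict(rrsets)


def order_targets(rrset: List[dict], rng=random) -> List[Tuple[str, int]]:
    """RFC 2782 client selection: ascending priority; weighted random draw within a priority."""
    ordered: List[Tuple[str, int]] = []
    for prio in sorted({r["priority"] for r in rrset}):
        group = [r for r in rrset if r["priority"] == prio]
        while group:
            total = sum(r["weight"] for r in group)
            point = rng.randint(0, total)
            running = 0
            for rec in group:
                running += rec["weight"]
                if running >= point:
                    break
            group.remove(rec)
            ordered.append((rec["target"], rec["port"]))
    return ordered


def discover(view: str, service: str, domain: str, rng=random) -> List[Tuple[str, int]]:
    """Resolve a service's SRV set in one DNS view and return the ordered (host, port) list."""
    rrsets = parse_srv(view)
    return order_targets(rrsets.get(f"{service}.{domain}".lower(), []), rng)


def audit_views(public_view: str, internal_view: str, domain: str) -> List[str]:
    """Apply the slide's rules: collab-edge in public DNS with more than one host,
    cisco-uds in internal DNS only."""
    findings: List[str] = []
    pub, internal = parse_srv(public_view), parse_srv(internal_view)
    edge = f"{EDGE_SERVICE}.{domain}".lower()
    uds = f"{UDS_SERVICE}.{domain}".lower()
    if edge not in pub:
        findings.append(f"{edge} missing from public DNS")
    elif len({r["target"] for r in pub[edge]}) < 2:
        findings.append(f"{edge} has a single Expressway-E host; add SRV records for redundancy")
    if uds not in internal:
        findings.append(f"{uds} missing from internal DNS")
    if uds in pub:
        findings.append(f"{uds} is exposed in public DNS; it should be internal only")
    return findings


if __name__ == "__main__":
    for host, port in discover(PUBLIC_VIEW, EDGE_SERVICE, "example.com"):
        print(f"edge candidate {host}:{port}")
    for finding in audit_views(LEAKY_PUBLIC_VIEW, INTERNAL_VIEW, "example.com"):
        print("finding:", finding)
```

The audit is the part worth keeping in a deployment checklist: a resolver that can see `_cisco-uds` from the Internet is advertising internal Unified CM hostnames, and a single `_collab-edge` target means one Expressway-E failure takes MRA discovery down.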
Protocol Workload Summary
(Table residue; recoverable labels: HTTPS/TLS logon, outside firewall (Public Internet), Webex Messenger Cloud.)
• All Jabber clients connecting via Expressway will use UDS for directory search (assuming Unified CM IM&P deployment)
• TelePresence endpoints, DX series, IP Phones also use UDS directory search
• For the best contact search experience, all Enterprise Users should be imported into every Unified CM cluster’s end user table
• Home cluster check box needs to be selected on only one cluster for each user
• Unified CM clusters support 80K end users, and can scale as high as 160K with BU approval
Activation Code Onboarding
• Cisco Unified CM 12.5 offers a new capability to onboard phones on-prem with activation codes
• Activation codes are single-use 16-digit codes that expire in 7 days
• Activation code onboarding is an alternative to using auto-registration for on-premises phones
• Provides administrative advantages and flexibility to provision phones with or without the MAC address in Cisco UCM
• Offers a common onboarding experience for Cisco IP Phones, delivered across multiple call control options (Webex Calling, Cisco UCM, MRA, HCS, UCM Cloud)
Functionality Flow (MRA)
• Admin configures Cisco Cloud Onboarding on CUCM, with an Expressway MRA activation domain
• Admin creates the full device configuration without specifying a MAC address (BAT, AXL, GUI)
• Admin requests an activation code for this device. The Device Activation Service gets the code from the Cisco cloud service “GDS”
• Activation code sent to a user/admin
• User enters the activation code. The phone gets the MRA activation domain from GDS
• … Expressway and CUCM using the manufacturing installed certificate (MIC) + activation code in an SRP handshake
• The Device Activation Service updates the device configuration in the database with the phone MAC and sends success to the phone
• The phone can now register and request its phone-specific configuration file from TFTP like normal MRA, and register
• The Device Activation Service releases the code from GDS
(Diagram: CUCM, Expressway, Domain Manager and GDS, the Internet, and activation domain mra.foo.com; steps numbered 0 to 6.)
The Expressway-C media encryption policy (B2BUA) enforces media encryption for MRA clients.
What is ICE?
• Provides a best-effort mechanism for SIP client NAT traversal
• Allows clients to discover network topology details and find one or more paths by which they can communicate
• Delivers the cheapest media routing that minimizes firewall traversal and use of centralized resources
• Interactive Connectivity Establishment (ICE), defined in RFC 8445, is a protocol that combines STUN and TURN.
• Session Traversal Utilities for NAT (STUN), defined in RFC 5389, enables endpoints and clients to create and maintain UDP connections through one or many firewalls and NAT devices.
• Traversal Using Relays around NAT (TURN), defined in RFC 5766, enables a central server to handle media on behalf of endpoints and clients if the firewall does not allow outbound UDP traffic or performs symmetric NAT.
What problem is being solved?
1. Standard media path: the traditional media path for MRA endpoints (without ICE enablement).
2. Media through the TURN server: the media is bridged between the MRA endpoints and a TURN server (or servers) over their direct Internet access.
3. Peer-to-peer media: a media path for ICE-enabled endpoints where media is able to flow directly between the endpoints.
(Diagram: Internet | DMZ (Expressway-E) | Enterprise.)
Core Components
• Cisco Expressway-C and Expressway-E X12.5.5 or later release is required for Internet connectivity and firewall traversal.
• TURN server enabled on Expressway-E for TURN media relay
• Cisco IP Phone 8800 Series, 7800 Series, and/or other endpoints running CE firmware, enabled for MRA
• Jabber 12.5, enabled for MRA
• Cisco Unified CM 11.5 or later release
Key Benefits – ICE for MRA
• Allows MRA endpoints to communicate media directly over the Internet instead of hair-pinning the media through the Enterprise
• Decreases Enterprise Internet bandwidth utilization
• Offloads Expressway-C and Expressway-E utilization
• Improves the voice and video quality by reducing delay and potential packet loss due to the shorter path length
• Uses the standard media path, through Expressway-E and Expressway-C, if the endpoints do not support ICE or if ICE negotiation fails
Roles
• Cisco Unified CM: ICE enablement on selected endpoints and provisioning of the primary and backup TURN server.
• Cisco Expressway-C: Provides for ICE transparency by removing itself from the media path if the endpoints can send media directly.
• Expressway-E: Has an embedded TURN server that is used in ICE scenarios together with Mobile and Remote Access (MRA) devices.
SDP for media (diagram: Unified CM; Alice's IP is 10.50.10.11)
• m line: media description (audio, video, etc.)
• c line: IP address for that media
• Up to 6 media lines for video devices
• Up to 10 ports per video device
• Example (audio only shown):
  m=audio 19140 (RTCP port 19141)
  m=audio 18888 (RTCP port 18889)
When Alice and Bob Are Separated by NAT and Firewalls
(Diagram residue: Alice, 10.50.10.10, “My IP is …”; public addresses 203.0.113.144 and 192.0.2.10; fragments “… Alice and Bob that the 2 endpoints can’t reach each other” and “… takes the media for MRA endpoints”.)
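The slide's point is that the c= line of an offer carries whatever address the endpoint knows about itself, and for Alice that is a private 10.x address no one on the other side of a NAT can reach. The added example below (not from the page or from any Cisco product) parses the media section of an SDP offer, pairs each RTP port with its RTCP port (RTP + 1, as on the slide), applies the slide's per-device limits, and flags RFC 1918 media addresses that will need media latching or relay. Alice's offer is constructed from the slide's two audio m-lines and her address; Bob's offer and its public address are constructed.

```python
import ipaddress
from typing import Dict, List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed offer: Alice's private address and the two audio m-lines from the slide.
ALICE_OFFER = """v=0
o=alice 2890844526 2890844526 IN IP4 10.50.10.11
s=-
c=IN IP4 10.50.10.11
t=0 0
m=audio 19140 RTP/SAVP 0 8 101
a=rtpmap:0 PCMU/8000
m=audio 18888 RTP/SAVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

# Constructed offer from a device that advertises a public address on a media-level c= line.
BOB_OFFER = """v=0
o=bob 1 1 IN IP4 192.0.2.10
s=-
t=0 0
m=audio 20000 RTP/SAVP 0
c=IN IP4 192.0.2.10
"""


def is_rfc1918(address: str) -> bool:
    """True for private IPv4 space, which is not routable across the Internet."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_media(sdp: str) -> List[Dict]:
    """Return one record per m= line with its RTP/RTCP ports and the c= address that applies."""
    session_addr = None
    media: List[Dict] = []
    for line in sdp.splitlines():
        line = line.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "c":
            addr = value.split()[2].split("/")[0]   # "IN IP4 <addr>[/ttl]"
            if media:
                media[-1]["address"] = addr         # media-level c= overrides session-level
            else:
                session_addr = addr
        elif key == "m":
            parts = value.split()
            port = int(parts[1].split("/")[0])      # "<port>[/<count>]"
            media.append({
                "media": parts[0],
                "rtp_port": port,
                "rtcp_port": port + 1,              # slide: RTCP port is RTP port + 1
                "protocol": parts[2],
                "payloads": parts[3:],
                "address": session_addr,
            })
    for m in media:
        m["private_address"] = m["address"] is not None and is_rfc1918(m["address"])
    return media


def needs_media_relay(media: List[Dict]) -> bool:
    """Without ICE, a private c= address cannot be reached across NAT, so Expressway-E
    must latch the media (or, with ICE, a TURN server must relay it)."""
    return any(m["private_address"] for m in media)


def check_limits(media: List[Dict], max_media_lines: int = 6, max_ports: int = 10) -> List[str]:
    """Slide limits for a video device: up to 6 media lines and up to 10 ports."""
    findings: List[str] = []
    if len(media) > max_media_lines:
        findings.append(f"{len(media)} media lines exceeds {max_media_lines}")
    ports = {p for m in media for p in (m["rtp_port"], m["rtcp_port"])}
    if len(ports) > max_ports:
        findings.append(f"{len(ports)} ports exceeds {max_ports}")
    return findings


if __name__ == "__main__":
    for name, offer in (("Alice", ALICE_OFFER), ("Bob", BOB_OFFER)):
        media = parse_media(offer)
        for m in media:
            print(f"{name}: {m['media']} {m['address']} rtp={m['rtp_port']} rtcp={m['rtcp_port']}")
        print(f"{name}: needs relay/latching = {needs_media_relay(media)}")
```

Run against real offers captured on Expressway-C, the same parser makes it easy to see which legs still carry private addresses after the B2BUA has rewritten the SDP, which is the quickest way to confirm whether media is going direct, through TURN, or along the standard path.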
How Expressway Takes the Media (no ICE)
• Performs media latching by managing NAT and firewall traversal
• Permits calls through unconnected …
• Expressway-E deals with NAT and performs media latching
• Expressway-C performs encryption and registers to Unified CM on behalf of the endpoints
• Media path always flows through Expressway-C and Expressway-E, even if Alice and Bob share the same network
(Diagram: Internet | DMZ (Expressway-E) | Enterprise (Unified CM).)
ICE Media Paths
• If Alice and Bob are able to talk together, media is direct
  • Behind the same firewall
  • Behind different firewalls in disjointed networks, with successful UDP hole punching
• If Alice and Bob can’t talk directly, media flows through the TURN server
  • Hardware devices only
• If ICE negotiation fails, media follows the standard path
(Diagram: Alice and Bob across Internet | DMZ (Expressway-E, B2BUA) | Enterprise; the three paths are numbered 1 to 3.)
• Both endpoints have a security profile
• Both are in Edge mode
• ICE will be triggered

• Alice has an encrypted phone profile, Bob doesn’t
• Both are in Edge mode
• ICE won’t be triggered

• Alice registered through MRA, Bob via VPN
• Both have an encrypted profile. Bob’s endpoint has an LSC through CAPF
• ICE not triggered as Bob is not in Edge mode
(Diagrams: Internet | DMZ (Expressway-E) | Enterprise for each scenario.)
Non-ICE Scenarios
• At resume, ICE will be negotiated again
• MoH doesn’t support ICE
• Gateways don’t support ICE
• Unity and other internal services don’t support ICE
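The three scenario slides, the ICE Media Paths slide and the Non-ICE Scenarios slide together form one decision: is ICE triggered at all, and if so which path does media take. The following added example (not from the page or from Cisco) encodes that decision as a single function so the cases can be checked side by side. The `Endpoint` model, its field names and the `firewall` label standing in for "behind the same firewall" are constructed; `hole_punch_ok` stands for the outcome of the ICE connectivity checks, which cannot be simulated offline.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Endpoint:
    name: str
    encrypted_profile: bool      # Unified CM security profile with encryption
    edge_mode: bool              # registered through Expressway MRA (not internal, not VPN)
    hardware: bool = True        # IP phone / room device; False for a soft client
    ice_capable: bool = True     # False for MoH, gateways, Unity and other internal services
    firewall: str = "internet"   # constructed label for the NAT/firewall the device sits behind


DIRECT, TURN, STANDARD = "direct", "turn", "standard"


def ice_triggered(a: Endpoint, b: Endpoint) -> bool:
    """Slide rule: both endpoints need an encrypted profile and Edge mode, and both
    must support ICE; one VPN, internal or non-encrypted party disables ICE."""
    return all([a.encrypted_profile, b.encrypted_profile,
                a.edge_mode, b.edge_mode,
                a.ice_capable, b.ice_capable])


def select_media_path(a: Endpoint, b: Endpoint,
                      hole_punch_ok: bool = False,
                      ice_negotiation_ok: bool = True) -> Tuple[str, str]:
    """Return (path, reason) for a call between a and b. The same function is run
    again at resume after hold, since ICE is renegotiated then."""
    if not ice_triggered(a, b):
        return STANDARD, "ICE not triggered: media hair-pins through Expressway-E and Expressway-C"
    if not ice_negotiation_ok:
        return STANDARD, "ICE negotiation failed: standard path"
    if a.firewall == b.firewall:
        return DIRECT, "behind the same firewall"
    if hole_punch_ok:
        return DIRECT, "different firewalls, UDP hole punching succeeded"
    if a.hardware and b.hardware:
        return TURN, "no direct path: relayed by the Expressway-E TURN server"
    return STANDARD, "TURN relay is for hardware devices only"


if __name__ == "__main__":
    alice = Endpoint("Alice", encrypted_profile=True, edge_mode=True, firewall="home-a")
    scenarios = {
        "both encrypted, both Edge": Endpoint("Bob", True, True, firewall="home-b"),
        "Bob not encrypted": Endpoint("Bob", False, True, firewall="home-b"),
        "Bob via VPN with LSC": Endpoint("Bob", True, False, firewall="corp"),
        "Bob is MoH": Endpoint("MoH", True, True, ice_capable=False, firewall="corp"),
    }
    for label, bob in scenarios.items():
        path, reason = select_media_path(alice, bob)
        print(f"{label}: {path} ({reason})")
```

For troubleshooting, the useful property is that the gate comes first: before looking at TURN or candidate pairs, confirm both sides have an encrypted profile and both registered through MRA, because any other combination lands on the standard path by design rather than by failure.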
Jabber Guest: Consumer to Business Video
Extending the reach of your organization's video deployment
• Enhance customer interactions with click-to-call video links embedded in email and on your website
• Make experts easy to find and consult with on video
• HR interviews: video recruiting and interviews
• Jabber Guest 11 introduces guest content share
• Voice, video and content streams SRTP-encrypted over the Internet
• Ideal for customers that haven’t transitioned to, or invested in, Cisco Meeting Server
Jabber Guest Design Considerations
• Jabber Guest cannot co-reside on an Expressway C & E pair deployed for MRA
• Jabber Guest requires one rich media session license per call (Expressway-E)
• Include the Jabber Guest link domain name in the Expressway-E certificate as a SAN
• External firewall required to map inbound TCP 443 to TCP 9443 of Expressway-E (allowing for …
• Expressway-E network design trade-offs
  • Dual-NIC Expressway-E deployments allow for Assent media traversal between C & E, but require TCP 5061 open between Expressway-E and Jabber Guest
  • Single-NIC Expressway-E deployments do not allow for Assent media traversal and require UDP ports open between E & C, but there is no requirement for TCP 5061 between Expressway-E and the Jabber Guest server
WebRTC Access to Cisco Meeting Server Spaces
(Diagram: Private Network | DMZ (Expressway-E, Expressway-C) | External Network / Internet; Cisco Meeting Server; Expressway + CMS.)
WebRTC Overview
• The Expressway E & C pair provides firewall traversal for WebRTC clients, including an HTTPS reverse proxy and a TURN server
• Does not replace the Web Bridge! The CMS Web Bridge, Call Bridge, XMPP and database components are all required
• Allows guest access to Cisco Meeting Server spaces, and end user access (with login) too
• No RMS license required for CMS WebRTC calls
• Bidirectional content (Chrome extension required when sharing from the WebRTC side)