Transcript of the session slides. Source: d2zmdbbm9feqrf.cloudfront.net/2013/usa/pdf/BRKUCC-2340.pdf

Deploying B2B URI Dialing with Cisco UC Manager and VCS Expressway Solution BRKUCC-2340

Kevin Roarty, Technical Marketing Engineer

John Burnett, Technical Marketing Engineer


© 2013 Cisco and/or its affiliates. All rights reserved. BRKUCC-2340 Cisco Public

Abstract


With the 9.0 release of Cisco Unified Communications Manager, SIP URI dialing is now a mainstream feature that is easy to deploy within the enterprise.

URI dialing also enables elegant business reachability for voice + video or voice alone over the internet.

But how does a typical Cisco UC Manager voice deployment enable internet facing URI dialing?

And how can you enable this reachability without compromising your voice environment?

This session will cover the steps required to enable URI dialing on Cisco UC Manager including the integration with the VCS Expressway solution, emphasizing secure deployment considerations every step along the way.


Associated Sessions


BRKEVT-2319 Business to Business Video

BRKUCC-2008 Enterprise Dial Plan Fundamentals

BRKUCC-3000 Advanced Dial Plan Design for Unified Communications Networks

BRKUCC-2501 Cisco UC Manager Security

BRKEVT-2801 Cisco TelePresence: best practices for call control integration


Agenda

Reference Architecture and Targeted Call Flows (4 slides)

Enabling SIP URI dialing in UCM, plus SIP trunk (12 slides)

VCS Control Setup, including UCM neighbor zone (7 slides)

Expressway Setup (5 slides)

Define the Security Threats, discuss expanded attack surface (4 slides)

Protecting your environment with security in layers (8 slides)

Q & A

Targeting 40 content slides


Laying the groundwork…


Standards Based Voice and Video Federation: Unified Call Control Reference Architecture

Diagram: inside the firewall (Intranet) sit the on-premise endpoints, UCM, Collaboration Services and VCS Control; VCS Expressway sits in the DMZ; outside the firewall (public Internet) are an EX90 at home, SIP phones at the partner and an EX90 at the partner.


Call Flows in Focus (1 of 2)

Diagram (same reference architecture): B2B SIP URI call between an on-premise endpoint and the partner's video endpoint.


Call Flows in Focus (2 of 2)

Diagram (same reference architecture): B2B SIP URI call between a remote endpoint registered to VCS Expressway and the partner's video endpoint.


UCM and VCS Versions

UCM 9.1.1

VCS X7.2


SIP URI dialing in UCM


UCM Trivia Question (True or False)

UCM 8.6 supports SIP URI dialing and routing? True

UCM 8.6 allows endpoints to register with an alphanumeric SIP URI? False

UCM 8.6 allows local endpoints to be reached by alphanumeric SIP URI? False

UCM 9.0 supports SIP URI dialing and routing? True

UCM 9.0 allows endpoints to register with an alphanumeric SIP URI? False

UCM 9.0 allows local endpoints to be reached by alphanumeric SIP URI? True


SIP URI in UCM

UCM treats URIs as aliases for directory numbers (DNs)

Endpoints have no notion of their associated URI(s); they still register with their DN

A call to a URI behaves as if the call was made directly to the DN

Calls from an endpoint include a URI in the caller ID if one is assigned to the DN

A call from an endpoint always includes the DN in the caller ID so it can be presented to a device that doesn't support URIs, and those devices can return the call


UCM SIP URI Overlay Dial Plan

URI Dial Plan overlays existing (and required) numeric dial plan

Each DN can have up to 5 SIP URI aliases

Each DN with a SIP URI will have a primary SIP URI for caller id purposes

Benefits of the URI overlay

– All UCM endpoints are reachable at a SIP URI: SIP, SCCP, Analog

– Not all IP phones can dial SIP URIs, but Speed Dials are an option

– Use a SIP alpha URI for an SNR Remote Destination


Import and Assign SIP URI

How do I add SIP URIs to my existing dial plan? The easiest approach is via LDAP Directory Integration

– Recommendation is to map the mail attribute to Directory URI

– Issue w/ msRTCSIP attribute, CSCub73272

Set the end user's primary line, if not already set, to associate the Directory URI with a DN

Other URI import options include

– Bulk Admin Tool

– AXL API

– Manual update to DN page


UCM Directory URI Partition

End User Directory URIs are added to the Directory URI partition

The Directory URI partition needs to be included in the dial plan by either

– Adding the partition to existing Calling Search Spaces

– Aliasing the Directory URI partition to an existing partition


UCM SIP Profile for SIP Endpoints

The SIP Profile for endpoints should have "Use Fully Qualified Domain Name in SIP Requests" enabled

If this parameter is not enabled, the endpoint might end up with a strange looking connected party ID instead of seeing the dialed URI

Avoid this: [email protected]



UCM SIP Profile for SIP Trunk

Start by copying the Standard SIP Profile For Cisco VCS

The SIP Profile should have "Use Fully Qualified Domain Name in SIP Requests" enabled

The SIP Profile can be configured for different dial string interpretation settings

SIP OPTIONS ping enabled


UCM SIP Trunk

Recommendation is to set the Calling and Connected Party Info Format to "Deliver URI only in connected party, if available"

Associate the SIP Trunk Profile created for VCS

Configure the trunk with one or more VCS Control IP addresses

Set an appropriate CSS allowing inbound access to local URIs

Integration point with VCS Control


UCM SIP Route Patterns

Use the SIP Route Pattern's Domain Routing option

The * character is a wildcard, matching all numbers, alpha characters, "." and "-"

The simplest approach is a * pattern to match any domain, good for a default route to VCS

Option to route or block using more specific patterns (*.com, cisco.com, *.org, *.xxx)

Starting with UCM 9, SIP Route Patterns can point to either a SIP Trunk or a Route List
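Added illustration, not code from the session deck: a Python model of the domain matching described on this slide, where * matches digits, letters, "." and "-", and a more specific pattern (route or block) overrides the * default. The most-specific-wins tie-break, the pattern list and the trunk names are this model's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added model, not Cisco code: SIP Route Pattern domain routing as described on
# the slide. "*" matches any run of digits, letters, "." and "-". This model
# assumes that when several patterns match, the one with the most literal
# characters (the most specific) wins.
WILDCARD = r"[0-9A-Za-z.\-]+"


@dataclass(frozen=True)
class SipRoutePattern:
    pattern: str                # "*", "*.com", "cisco.com", ...
    destination: Optional[str]  # SIP Trunk or Route List name; None means block

    def matches(self, domain: str) -> bool:
        literal = [re.escape(p) for p in self.pattern.split("*")]
        return re.fullmatch(WILDCARD.join(literal), domain) is not None

    def specificity(self) -> int:
        return len(self.pattern.replace("*", ""))


def domain_of(uri: str) -> str:
    """Host part of a SIP URI, lower-cased, without scheme, port or parameters."""
    s = uri.strip()
    for scheme in ("sips:", "sip:"):
        if s.lower().startswith(scheme):
            s = s[len(scheme):]
    s = s.split(";", 1)[0]
    return s.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def select_route(uri: str, patterns: List[SipRoutePattern]) -> Optional[SipRoutePattern]:
    """Best-matching pattern for the URI's domain, or None when no pattern matches."""
    domain = domain_of(uri)
    candidates = [p for p in patterns if p.matches(domain)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: p.specificity())


# Constructed dial plan: default route to VCS, an explicit partner, a blocked TLD
PATTERNS = [
    SipRoutePattern("*", "VCS-Trunk"),
    SipRoutePattern("cisco.com", "VCS-Trunk"),
    SipRoutePattern("*.xxx", None),   # block pattern
]


def route_decision(uri: str, patterns: List[SipRoutePattern] = PATTERNS) -> str:
    """Human-readable outcome: route:<destination>, blocked, or no-route."""
    best = select_route(uri, patterns)
    if best is None:
        return "no-route"
    return "blocked" if best.destination is None else f"route:{best.destination}"
```

A domain containing characters outside the wildcard set (an underscore, for instance) matches no pattern at all and is refused, which is the fail-closed behaviour you want on a default route to the Internet.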



Enterprise Parameters of Interest

URI Lookup Policy controls whether URI matching is case sensitive

– Default is case sensitive, per RFC 3261

– Suggest Case Insensitive

Specify an Organization Top Level Domain (OTLD) to allow end users to dial only the user portion of a URI (left hand side)

Also include the Cluster Fully Qualified Domain Name(s) to allow routing to numeric URIs
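Added illustration, not code from the session deck: a Python model of how these three Enterprise Parameters act on a dialed string before the directory lookup, appending the OTLD to a user-only dial string, applying the case policy to the user portion, and treating a numeric user at a Cluster FQDN as a DN. The directory contents, parameter values and step order are this model's assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


# Added model, not Cisco code: the three Enterprise Parameters from the slide.
@dataclass(frozen=True)
class EnterpriseParams:
    uri_lookup_policy: str              # "case sensitive" (default, RFC 3261) or "case insensitive"
    organization_top_level_domain: str  # OTLD appended when only the user portion is dialed
    cluster_fqdns: FrozenSet[str]       # hosts at which a numeric user portion means a DN


# Constructed directory: primary Directory URI -> DN (URIs are aliases for DNs)
DIRECTORY_URIS = {"Bob.Smith@example.com": "2001", "alice@example.com": "2002"}
DIRECTORY_NUMBERS = {"2001", "2002"}


def normalize(dialed: str, params: EnterpriseParams) -> str:
    """Strip scheme, URI parameters and port; add the OTLD if no domain was dialed.
    The host part is always lower-cased: DNS names are case-insensitive regardless
    of the lookup policy, which only governs the user portion."""
    s = dialed.strip()
    for scheme in ("sips:", "sip:"):
        if s.lower().startswith(scheme):
            s = s[len(scheme):]
    s = s.split(";", 1)[0]
    if "@" not in s:
        s = f"{s}@{params.organization_top_level_domain}"
    user, host = s.rsplit("@", 1)
    host = host.split(":", 1)[0].lower()
    return f"{user}@{host}"


def resolve(dialed: str, params: EnterpriseParams) -> Optional[str]:
    """Return the DN the dialed string resolves to, or None when nothing matches."""
    target = normalize(dialed, params)
    user, host = target.rsplit("@", 1)
    ci = params.uri_lookup_policy == "case insensitive"
    for uri, dn in DIRECTORY_URIS.items():
        u_user, u_host = uri.rsplit("@", 1)
        host_match = u_host.lower() == host
        user_match = u_user.lower() == user.lower() if ci else u_user == user
        if host_match and user_match:
            return dn
    # Numeric URI: 2001@<cluster FQDN> is routed as DN 2001
    if user.isdigit() and host in params.cluster_fqdns and user in DIRECTORY_NUMBERS:
        return user
    return None


# Constructed parameter sets (assumed OTLD and cluster FQDN)
CASE_INSENSITIVE = EnterpriseParams("case insensitive", "example.com",
                                    frozenset({"cucm.example.com"}))
CASE_SENSITIVE = EnterpriseParams("case sensitive", "example.com",
                                  frozenset({"cucm.example.com"}))
```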



VCS enabling video federation and remote access


VCS Trivia Question (True or False)

Did version X2.0 of VCS support URI dialing? True

The VCS only supports URI dialing for SIP registered endpoints. False

The VCS only supports URI dialing for IPv4 based endpoints. False

URI dialing via DNS is the best way to reach all endpoints globally. True

The VCS cannot provide B2B video for immersive TIP based calls. False

The VCS can enforce security for all SIP URI based calls. True


VCS Zone Configuration

Screenshot callouts: transport protocol, signaling port, neighbor information, neighbor availability status, profile for different integrations.


SIP Trunk with Option Ping

Diagram: Unified CM sends an OPTIONS ping to each Cisco VCS node; a node answers with 200 OK (✔) or with 408/503.

Option Ping for reachability

Trunks In-Service if a response is received

Trunks Out-of-Service on 408 Request Timeout, 503 Service Unavailable or no response

Calls from CUCM are not sent to out-of-service servers

Avoids SIP message retries and timeouts

Can be used for all nodes in the trunk

Also covers DNS SRV queries and all hosts in the SRV responses
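Added illustration, not code from the session deck: a Python model of how the OPTIONS ping result drives the per-node service state of a SIP trunk by the rules on this slide (any response marks the node in service, 408/503 or silence marks it out of service, and new calls go only to in-service nodes). The host names, SRV answer and status lines are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added model, not Cisco code: OPTIONS ping driven trunk node state.
IN_SERVICE = "in-service"
OUT_OF_SERVICE = "out-of-service"


def parse_status(status_line: str) -> Optional[int]:
    """Status code of a SIP response status line, e.g. 'SIP/2.0 200 OK' -> 200;
    None for a malformed line (treated like no response)."""
    parts = status_line.strip().split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0") or not parts[1].isdigit():
        return None
    return int(parts[1])


@dataclass
class TrunkNode:
    host: str
    state: str = OUT_OF_SERVICE   # unknown until the first ping is answered
    last_status: Optional[int] = None


@dataclass
class SipTrunk:
    name: str
    nodes: Dict[str, TrunkNode] = field(default_factory=dict)

    def add_targets(self, hosts: List[str]) -> None:
        """Add every host of a DNS SRV answer (or a static list); each gets its own ping."""
        for h in hosts:
            self.nodes.setdefault(h, TrunkNode(h))

    def on_ping_result(self, host: str, status_line: Optional[str]) -> str:
        """Apply one OPTIONS ping outcome. status_line None means no response."""
        node = self.nodes[host]
        status = parse_status(status_line) if status_line is not None else None
        node.last_status = status
        if status is None or status in (408, 503):
            node.state = OUT_OF_SERVICE   # timeout, service unavailable, or silence
        else:
            node.state = IN_SERVICE       # any other response proves the peer is up
        return node.state

    def in_service_hosts(self) -> List[str]:
        return [h for h, n in self.nodes.items() if n.state == IN_SERVICE]

    def next_hop(self) -> Optional[str]:
        """First in-service node for a new call; None means fail fast rather than
        sending the INVITE to a dead node and waiting through retries and timeouts."""
        live = self.in_service_hosts()
        return live[0] if live else None
```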


VCS Advanced Zone Profile: optimized zone profile settings for "Cisco Unified Communication Manager"

Screenshot callouts: SIP-based presentation channel, SIP signaling and SIP INVITE settings (values shown: OFF, OFF, OFF, On, Yes).


VCS Advanced Zone Profile, current option: optimized zone profile settings for CUCM using "Custom"

Screenshot callouts: SIP-based presentation channel, SIP signaling and SIP INVITE settings (values shown: OFF, OFF, On, ALWAYS).


VCS Search Rule Configuration (VCS Control Dial Plan Setup)

Screenshot callouts: pattern mode, priority, continue or stop, destination zone, pattern behavior.


VCS Transform Configuration (VCS Control Dial Plan Setup)

Screenshot callouts: pattern string, priority, replacement string, pattern behavior.


VCS Expressway Traversal Client Zone

Screenshot callouts: traversal username, traversal password, traversal type, traversal port (unique), media encryption mode.


VCS Expressway Traversal Server Zone

Screenshot callouts: traversal username, traversal type, traversal port (unique), media encryption mode.


VCS Expressway DNS Zone

Screenshot callouts: zone type, H.323 mode, address of record, media encryption mode.


How VCS Expressway Firewall Traversal Works…

1. No inbound ports need to be opened on the internal firewall to VCS Control, minimizing the potential attack surface

2. VCS Control initiates an outbound connection through the firewall to VCS Expressway using secure login credentials

3. VCS Control sends keep-alive packets to the VCS Expressway to maintain the connection through the firewall

4. When VCS Expressway receives an incoming call, it issues an incoming call request to VCS Control

5. The VCS Control then initiates the connection to the endpoint

6. The call is established and media traverses the firewall securely

Diagram: VCS Expressway (A) in the DMZ between the outside network (Internet) and the inside network; VCS Control (B) on the inside network.


Once again from the inside out, this time focusing on security


Security Threats

Eavesdropping

– Listening to or recording data without approval

Denial of Service (DoS) or Distributed Denial of Service (DDoS)

– Flooding the bandwidth or resources of a targeted system

Impersonation

– Attempting to be something or someone that you are not

Modification

– RTP stream mixing/insertion

Toll fraud

– Making calls that users are not approved to make, usually long distance calls

SPIT (Spam over Internet Telephony)

– Calls that generate annoyance for users and lower productivity

What else?


Unified CM Dial Plan Segmentation: Partitions for SIP URIs

What if you don't want all end users to be reachable from the internet by their SIP URI?

SIP URI import via LDAP sync results in all URIs landing in the default Directory URI partition

Directory URIs are associated with a user, and also with a DN when the user has a primary line configured

SIP URIs can also be directly assigned to DNs

When directly assigned to a DN, the SIP URIs can reside in any partition

There are multiple options for importing URIs, including which partition they reside in

Don't forget about the Directory URI Alias Partition Enterprise Parameter
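Added illustration, not code from the session deck, covering this slide together with the earlier "UCM Directory URI Partition" and SIP trunk CSS slides: a Python model of partitions and Calling Search Spaces applied to SIP URIs, showing that an LDAP-imported URI in the default Directory URI partition is unreachable through the VCS trunk's inbound CSS unless that partition (or its alias) is listed, while a URI assigned directly to a DN in a dedicated B2B partition is. All partition, CSS, URI and DN values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added model, not Cisco code: partitions, CSSs and the Directory URI Alias
# Partition parameter as they apply to SIP URI reachability.
DIRECTORY_URI_PARTITION = "Directory URI"


@dataclass
class DialPlan:
    # partition name -> {uri (lower-cased): DN}
    partitions: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # CSS name -> ordered list of partitions it may search
    calling_search_spaces: Dict[str, List[str]] = field(default_factory=dict)
    # "Directory URI Alias Partition" enterprise parameter: when set, a CSS that
    # contains this partition also searches the Directory URI partition
    directory_uri_alias_partition: Optional[str] = None

    def assign_uri(self, partition: str, uri: str, dn: str) -> None:
        """Direct assignment of a SIP URI to a DN; any partition may be used."""
        self.partitions.setdefault(partition, {})[uri.lower()] = dn

    def ldap_import(self, uri: str, dn: str) -> None:
        """LDAP sync: Directory URIs always land in the Directory URI partition."""
        self.assign_uri(DIRECTORY_URI_PARTITION, uri, dn)

    def resolve(self, css_name: str, uri: str) -> Optional[str]:
        """DN reached when a caller using this CSS dials the URI, else None."""
        for partition in self.calling_search_spaces.get(css_name, []):
            searched = [partition]
            if partition == self.directory_uri_alias_partition:
                searched.append(DIRECTORY_URI_PARTITION)
            for p in searched:
                dn = self.partitions.get(p, {}).get(uri.lower())
                if dn is not None:
                    return dn
        return None


def build_segmented_plan() -> DialPlan:
    """Constructed plan: every user reachable internally, only a published
    B2B alias reachable through the VCS trunk's inbound CSS."""
    plan = DialPlan()
    plan.ldap_import("bob@example.com", "2001")
    plan.ldap_import("alice@example.com", "2002")
    plan.assign_uri("B2B-URIs", "sales@example.com", "2003")
    plan.calling_search_spaces["Internal-Phones"] = [
        "Internal-DNs", DIRECTORY_URI_PARTITION, "B2B-URIs"]
    # Inbound CSS on the VCS trunk deliberately omits the Directory URI partition
    plan.calling_search_spaces["VCS-Inbound-B2B"] = ["B2B-URIs"]
    return plan
```

Setting the alias parameter to a partition that an Internet-facing CSS already contains silently re-exposes every LDAP-imported URI, which is why the slide says not to forget it.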


Unified CM Dial Plan Segmentation: Calling Search Spaces & Service Parameters

SIP Trunk CSSs allow you to shield gateways, conferencing resources, messaging applications, etc.

Verify that the existing partitions in the dial plan offer enough segmentation

Consider creating a new CSS specifically for VCS SIP Trunk inbound traffic

If necessary, create a second SIP Trunk to VCS on a different port, with a CSS specifically for B2B traffic and a new SIP Trunk Security Profile

Consider Time of Day routing to deactivate segments of the dial plan after hours

"Drop Ad hoc Conferences" + "Block OffNet to OffNet transfer" (Service Parameters)

Don't forget to monitor Call Detail Records


Unified CM Dial Plan Segmentation: SIP Route Patterns

Can I limit what domains my end users can and cannot call directly on UCM?

A * wildcard SIP Route Pattern routing to the VCS SIP trunk, in a route partition accessible to end users, provides access to any domain

SIP Route Patterns can also be set to block outbound calls to specific or wildcard domains

How can I support HA B2B reachability?

SIP Route Patterns now support a Route List if there is a need to route to multiple VCS clusters with 2 or more trunks

Alternatively, a SIP Route Pattern can point directly at a SIP Trunk defined with multiple VCS nodes


Unified CM SIP Trunk Security

Interested in end to end encryption on B2B calls?

UCM needs to be in mixed mode to support secure endpoints

Upload the VCS certificates to CallManager-Trust

Create a SIP Trunk Security Profile specifically for the VCS trunk, using Encrypted mode and including the VCS X.509 certificate subject name(s)

Generally not advisable to allow SRTP if not using TLS (the media keys would then travel in unencrypted signaling)


Unified CM TelePresence Encryption Support

TE6.0 & TC6.0 firmware updates allow for the following security features when registered to CUCM

Support for CTL, CAPF, LSC

Encrypted SIP Signaling

sRTP for Audio and Video streams

Compatible with CUCM 8.6.2+

C/SX/EX/MX Series Endpoints



Security in Video (Layered)

Diagram: layers from the Internet inward. Endpoint Hardening on the endpoints (A, B); Secure Conferencing on the MCUs (TMS 'strong security' or JITC); VCS Expressway (traversal server) and VCS Control (traversal client) separated by firewalls, with VCS Encryption set to Auto and On; CUCM trunks and endpoints configured for security; TMS managed over HTTPS. Protocols per hop: SIP-TLS, ASSENT/SIP-TLS, SRTP/SDES, H.235/AES-128, H.323, H.460.18/19.


VCS Secure Device Authentication

The VCS supports local database authentication, H.350 extended LDAP directory, and Active Directory authentication for Jabber Video (Movi)

Endpoints can be authenticated for registration and provisioning

Endpoints are authenticated with name and password when using the local database

Endpoints are authenticated with username, authentication credentials (generated from the password), and alias when using the H.350 directory

Use TLS to encrypt the connection to any external LDAP server


VCS Call Authentication

Allow all calls through but differentiate between authenticated and unauthenticated calls

Set Do Not Check Credentials on the VCS Expressway default zone

– This ensures all calls from outside your organization come through as unauthenticated

– Any P-Asserted-Identity headers are stripped

Set specific search rules for any valued resources such as an ISDN gateway (toll fraud)

– Use CPL rules to block unauthenticated access to valued resources

– Set authentication in the specific search rule to Check Credentials


VCS Call Authentication

Use authentication for all registered devices in the configured subzone

Set specific membership rules in the subzone where possible

Turn off registration to the default subzone

Use Registration Allow rules to specify who can register



Active FW/NAT Traversal: VCS firewall traversal (recommended as most secure)

No inbound ports need to be opened on the internal firewall

The Expressway in the DMZ is allowed to have a non-public/private IP

Static NAT on VCS Expressway requires the Dual Network Interface option

Minimize inbound ports to the documented ranges that need to be opened through the public facing firewall

Endpoints can register directly to VCS Expressway

Non-registered endpoints can send calls to VCS Expressway

Diagram: VCS Control (A) behind the inside FW/NAT; VCS Expressway (B) with a private IP address behind the outside FW/NAT, facing the Internet.


Secure Signaling and Media: Expressway Media Encryption, RTP to SRTP

Auto: No media encryption policy applied by the VCS

Best Effort: Use encryption if available, otherwise fall back to unencrypted

Force Encrypted: All media must be encrypted

Diagram: Unified CM connects to VCS Control over TCP carrying RTP; VCS Control connects to VCS Expressway over TLS carrying SRTP, and VCS Expressway to the external endpoint A over TLS with SRTP; the zone media encryption modes shown are On, Best Effort and Force Encrypted.


Configuring Security on VCS Side

Screenshot callouts: SIP port for TLS, active on port 5061.


Configuring Security on VCS Side (continued)

Screenshot callouts: generate CSR; register secure endpoint.


VCS Secure Administrative Best Practices

HTTP, HTTPS, Telnet, SSH and SNMP are all protocols used to manage and monitor the VCS

Set up remote account authentication for AD authentication of admin user access to the VCS

– Use TLS and Secure LDAP (port 636) for an encrypted connection to the AD server

If web access is desirable to administer the VCS, disable HTTP and use HTTPS

Load PKI certificates for HTTPS

Enable CRLs and HTTPS client certificate validation

Use firewall rules in the VCS to restrict access to the VCS to specific IP addresses or IP address ranges


VCS Secure Administrative Best Practices: Recommendations

Disable SNMP, or use SNMPv3 with firewall rules

Set your session timeout period to a nonzero value

Disable remote logging

Use TLS encryption for login account access to the LDAP server

Set CRL checking to All

Do not enable incident reporting

Use HTTPS for external management, i.e. for TMS, and enable certificate checking

Apply best practices for perimeter security to the VCS, e.g. block external access to well-known ports below 1024


Wrapping things up…


Key Takeaways

SIP URI dialing enables simple voice and video reachability

UCM 9 allows for an elegant SIP URI overlay on your existing dial plan

VCS Expressway provides open, standards based voice and video federation

You are now armed with the knowledge to deploy secure B2B SIP URI dialing for your employees or customers


Reference Deployment Guides

VCS and UCM Deployment Guide http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Cisco_Unified_Communications_Manager_Deployment_Guide_CUCM_8_9_and_X7-2.pdf

Unified CM System Guide SIP URI Chapter http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/9_1_1/ccmsys/CUCM_BK_C5565591_00_cucm-system-guide-91_chapter_010011.html

VCS Basic Configuration VCS Control with Expressway Deployment Guide http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_X7-2.pdf

VCS IP port usage for firewall traversal http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X7-2.pdf


VCS Authenticating Accounts Deployment Guide

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Authenticating_Accounts_Using_LDAP_Deployment_Guide_X7-2.pdf

VCS Authenticating Devices Deployment Guide

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Authenticating_Devices_Deployment_Guide_X7-2.pdf

VCS Administration Guide

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/admin_guide/Cisco_VCS_Administrator_Guide_X7-2.pdf


Reference Blog Posts

UCM SIP Trunk TLS Configuration and Troubleshooting

https://supportforums.cisco.com/docs/DOC-18689

IP Phone Security and CTL

https://supportforums.cisco.com/docs/DOC-18834

Communications Manager Security By Default and ITL Operation and Troubleshooting - Cisco Support Community

https://supportforums.cisco.com/docs/DOC-17679

Thanks to the Cisco Support Community


Reference Cisco Press Text

Akhil Behl, CCIE No. 19564

Solutions Architect, Cisco Advanced Services

http://www.ciscopress.com/title/1587142953

Published August 31, 2012
