Aug 10

Cisco Expressway – CPL Reference to Block Toll Fraud

Quick reference for CPL rules to close all potential toll fraud calls. (Australia)

A single-domain reference is below. For multi-domain environments you will just need to duplicate the rules for each domain. Be careful of the order: rules are evaluated top down and the first match wins.

Please reference the image below; essentially we are allowing:

- Ben.morgan@domain.com.au
- ben@domain.com.au
- ben1@domain.com.au
- Ben.morgan1@domain.com.au
- 3 digit extension@domain.com.au
- Full 10 digit number@domain.com.au
- E164 number@domain.com.au

Block everything else.

[Image: expressway-cpl]

If anyone has additional expressions to add, in case I missed one, please add a comment.
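The allow list above, modelled in Python as an added example (this is not the author's CPL and not Cisco code). The regexes are my assumption of what the CPL image contains, written for the post's `domain.com.au`; the rule list mirrors how a CPL rule-switch is walked, which is what makes the ordering warning above concrete:

```python
import re

# Domain used in the post's allow list; substitute your own.
DOMAIN = r"domain\.com\.au"

# One anchored destination pattern per allowed form in the post. These regexes
# are my assumption of what the author's CPL image contains, not a copy of it.
ALLOW_PATTERNS = [
    rf"^[A-Za-z]+\.[A-Za-z]+\d?@{DOMAIN}$",  # Ben.morgan@ and Ben.morgan1@
    rf"^[A-Za-z]+\d?@{DOMAIN}$",             # ben@ and ben1@
    rf"^\d{{3}}@{DOMAIN}$",                  # 3 digit extension
    rf"^\d{{10}}@{DOMAIN}$",                 # full 10 digit number
    rf"^\+[1-9]\d{{6,14}}@{DOMAIN}$",        # E.164: '+' then at most 15 digits (lower bound assumed)
]

# A CPL rule-switch is walked top down and stops at the first matching rule,
# so the allow rules come first and a catch-all reject closes the list.
RULES = [(pattern, "proxy") for pattern in ALLOW_PATTERNS] + [(r".*", "reject")]


def first_match(destination, rules=RULES):
    """Index of the first rule whose pattern matches the whole alias, or None."""
    for index, (pattern, _action) in enumerate(rules):
        if re.fullmatch(pattern, destination):
            return index
    return None


def evaluate(destination, rules=RULES):
    """Action ('proxy' or 'reject') the rule-switch would take for an alias.
    Aliases matching nothing are rejected, the safe default for toll fraud."""
    index = first_match(destination, rules)
    return rules[index][1] if index is not None else "reject"


def summarise(destinations, rules=RULES):
    """Map each sample alias to its action; handy for checking a rule set
    before pasting the patterns into the Expressway CPL editor."""
    return {destination: evaluate(destination, rules) for destination in destinations}


if __name__ == "__main__":
    for alias, action in summarise([
        "Ben.morgan@domain.com.au", "123@domain.com.au", "+61299991111@domain.com.au",
        "0011441234567890@domain.com.au", "ben@otherdomain.com.au",
    ]).items():
        print(f"{action:6} {alias}")
```

Every pattern is anchored with `^` and `$` and the whole alias must match, so a 10 digit run buried inside a longer international string, or a trailing host appended after the domain, falls through to the final reject.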

Mar 22

Upgrading the Expressway Cluster from v8.7 to v8.9 – Take Note

Quick note on the upgrade process from Expressway Cluster v8.7 and below to v8.8 and above. The database synchronisation/replication ports have changed slightly. 8.7 and earlier use UDP 500 (IKE) and AH (IP protocol 51); DB traffic is encapsulated in this header. From 8.8 there is no more encapsulation with AH; TCP ports 4371 – 4372 are used directly for synchronisation/replication. Ensure these ports are open on any firewall between the cluster peers.

Oct 10

Cisco Expressway 8.8 Features

There are a couple of new features in version 8.8 of Cisco Expressway that are worth mentioning. One is the ability to register SIP devices to the Expressway-C. H.323 is on the roadmap and will be introduced in a later release. Devices that can be registered include desktop endpoints such as the DX and EX Series, room-based endpoints such as the SX and MX Series, and third-party SIP video endpoints.

The licensing structure for such registrations will follow the same principles as CUCM. Desktop endpoints will require a UCL Enhanced or above and Telepresence endpoints will require a Room based license. Partners/Customers will be able to select what Call Control server (Expressway-C or CUCM) the license will be installed on at the time of registering the PAK.

This architecture will now complement Video only infrastructure where CUCM is not deployed in the organisation.

[Image: Cisco Expressway 8.8]

The second is more a modification than a feature. The RMS license model has been revised: the Expressway-E is now the only device required to host an RMS (Traversal) license. Pre-8.8, both the Expressway-C and Expressway-E were required to host RMS licenses.

The one exception is if the Expressway-C is performing interoperability between Cisco registered endpoints and third-party standalone or registered endpoints, e.g. Microsoft SfB (Skype for Business) endpoints.

[Image: Cisco Expressway 8.8]

[Image: Cisco Expressway 8.8]

These images were referenced from Cisco’s CCP Presentation.

Dec 05

Jabber Softphones for Collaboration Edge Access

Cisco Jabber has evolved rapidly over the past couple of years, with a lot of growth still to come. With the introduction of the Collaboration Edge architecture, Cisco Jabber can be used from outside the corporate network securely (both signalling and audio are encrypted).

For Cisco Jabber to connect through the Collaboration Edge environment with the full feature set, the following is required.

- Cisco Unified CM
- Cisco IM & Presence
- Cisco Unity Connection
- SRV Records (External and Internal)
- Cisco Expressway-E and Expressway-C

The following Cisco Jabber Devices can be configured to connect through the Collaboration Edge environment.

- MS Windows Operating System
- MAC Operating System
- Apple iPad
- Apple iPhone
- Android mobile devices

For each of the above devices to connect through the Collaboration Edge environment, a phone device must be configured in CUCM. Each phone device name must be prefixed so that CUCM can identify the device type. Prefixes include:

- CSF (Windows/MAC)
- TCT (iPhone)
- TAB (iPad)
- BOT (Android)

I’ve outlined below the steps to create a Cisco Jabber softphone. (In the example below an iPhone device type is created.)

1. In CUCM navigate to Device -> Phones
2. Select Add New
3. Drop down the Phone Type Menu and select Dual Mode for iPhone.

[Image: Jabber]

[Image: jabber-2]

4. The Device Name is ‘TCTusername’. The device name has a 15 character limit.
5. Complete the Description; I always place the device type in the description as well for easy identification.
6. Complete the other required fields (marked with an *).
7. Select the appropriate user for the Owner field.

[Image: Jabber]

8. Add a new DN (Top Left)
9. Enter the extension of the user. (The user would have an existing desk phone; make sure to use the same extension, creating a shared-line-like setup.)
10. Select the Partition. (After selecting the Partition, the line details should auto-populate down to the ‘Line 1 on Device TCTUPLINX’ section.)
11. Complete the Display Name and External Phone Mask.
12. Select ‘Associate End Users’ and select the end user who will use this device/line. FYI, this section allows CUCM to auto-publish phone status for a user. For example, if this line is busy, the system will change the user status to ‘OnCall’.
13. Click Save
14. Navigate to the User Management -> End User page
15. Find and select the required User.
16. Scroll down to the Service Settings section and ensure ‘Home Cluster’ and ‘Enable User for IM & Presence’ are checked.
17. Add the newly created device to the Controlled Devices window for the user.
18. Click Save.

This user is now ready to download the Cisco Jabber app and log into the UC system from both inside and outside the corporate network.

** NOTE 1: RTP will be encrypted from the mobile device to the Expressway-E. However, the default non-secure Device Security Profile does not encrypt RTP from the Expressway-C to CUCM; this leg is typically on the same LAN segment. If you are required to encrypt RTP over this LAN segment as well, create a secure Device Security Profile with the appropriate encryption algorithms and assign it to the device (Device page). Also, the Expressway-C certificate must include the Device Security Profile name in its SAN.

**NOTE 2: Device Types are as follows:

- Android Device is ‘Dual Mode for Android’
- iPad Device Type is ‘Cisco Jabber for Tablet’
- Windows/MAC Device Type is ‘Cisco Unified Client Services Framework’
- iPhone Device Type is ‘Dual Mode for iPhone’

**NOTE 3: A Cisco Jabber softphone/mobile device will consume a UCL Enhanced license if the Owner remains anonymous. If an owner is selected and the owner (user) already owns another device, the Cisco Jabber softphone/mobile device will add to the UCL Enhanced Plus or CUWL Std/Pro license count, depending on the number of devices owned by the user.
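Steps 4 and 5 plus NOTE 2 fix the naming convention for these devices, and the 15 character limit is easy to hit with long usernames when provisioning in bulk. The helper below is an added example (my code, not the author's and not a CUCM API) that derives the device name and description for each platform and reports names that would exceed the limit. The upper-casing and stripping of non-alphanumeric characters is my assumption, based on the post's `TCTUPLINX` example:

```python
# Device name prefix per Jabber platform (from the post) and the Phone Type to
# choose in CUCM (from NOTE 2).
JABBER_PLATFORMS = {
    "windows": ("CSF", "Cisco Unified Client Services Framework"),
    "mac": ("CSF", "Cisco Unified Client Services Framework"),
    "iphone": ("TCT", "Dual Mode for iPhone"),
    "ipad": ("TAB", "Cisco Jabber for Tablet"),
    "android": ("BOT", "Dual Mode for Android"),
}
MAX_DEVICE_NAME_LEN = 15  # limit stated in step 4


def device_name(platform, username):
    """Build the CUCM device name <PREFIX><USERNAME>.
    Assumption: the name is upper-cased and reduced to letters and digits,
    matching the post's TCTUPLINX example. Names over the limit fail early
    rather than being discovered one at a time in the CUCM GUI."""
    prefix, _phone_type = JABBER_PLATFORMS[platform]
    name = prefix + "".join(ch for ch in username if ch.isalnum()).upper()
    if len(name) > MAX_DEVICE_NAME_LEN:
        raise ValueError(
            f"{name!r} is {len(name)} characters; the limit is {MAX_DEVICE_NAME_LEN}"
        )
    return name


def plan_devices(username, platforms):
    """Return one (device name, phone type, description) tuple per platform,
    following the post's habit of putting the device type in the description.
    Platforms whose name would be too long are listed under 'errors'."""
    devices, errors = [], []
    for platform in platforms:
        try:
            name = device_name(platform, username)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        _prefix, phone_type = JABBER_PLATFORMS[platform]
        devices.append((name, phone_type, f"{username} - {phone_type}"))
    return {"devices": devices, "errors": errors}


if __name__ == "__main__":
    # Constructed sample users, not from the post.
    for user in ("uplinx", "benjamin.morgan"):
        print(user, plan_devices(user, ["windows", "iphone", "ipad", "android"]))
```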

Feb 06

Collaboration Edge Deployment – Support for Multi-Domain

This article contains the process and information you need to configure Mobile and Remote Access (MRA) for Jabber and Cisco DX/MX/EX Series endpoints. It does not cover Jabber Guest at this time. As most organisations move towards a borderless network, collaboration outside the workplace is becoming less of a feature and more of a requirement. MRA allows collaboration to extend outside the walls of the organisation while providing the same feature-rich experience for users.

This article is based on the following UC platforms:

  • CUCM version 10.5.XX
  • CUC version 10.5.XX
  • IM & Presence version 10.5.XX
  • VCS Expressway version x8.2
  • VCS Control version x8.2
  • Cisco Jabber for Windows 10.5.XX

Preparation

Order your Licenses for MRA

Log onto the Cisco CCW Website and order the Expressway license. This is a zero cost order.

Know your network topology

Gather or create network topology documents and other tables documenting how the DMZ or Internet edge zones are configured, the domain names and hostnames to use, IP addressing requirements, etc.

Details to gather:

VCS Control

System Administration Details

System Name
System Name

IP Details

Configuration
Gateway
LAN 1
IP Address
Subnet Mask

DNS

DNS Settings
System Host Name
Domain Name
Default DNS Servers
Address 1
Address 2

NTP

NTP Servers
NTP Server 1
NTP Server 2
Timezone
Timezone

VCS Expressway

System Administration Details

System Name
System Name

IP Details

Configuration
Gateway
LAN 1
IP Address
Subnet Mask

DNS

DNS Settings
System Host Name
Domain Name
Default DNS Servers
Address 1
Address 2

NTP

NTP Servers
NTP Server 1
NTP Server 2
Timezone
Timezone

IP Tel Cluster Devices

| Hostname | IP Address | Description |
| --- | --- | --- |
| CUCM Publisher | | |
| CUCM Subscriber | | |
| CUC Publisher | | |
| CUC Subscriber | | |
| IM & Presence Publisher | | |
| IM & Presence Subscriber | | |

Configuration

Create Public DNS Records

Now that we know where we are going to place the collab edge devices and have sourced our IP addresses, hostnames etc., we can start the configuration phase.

Create an A Record for your VCS Expressway device. Then create an SRV Record for the _collab-edge service.

_collab-edge._tls.domain.com.au

I’ve provided a template below to send to your provider; complete the table and email it.

Public DNS Modification – Domain: DomainName

A Record

| Record Name | IP Address |
| --- | --- |
| | |

SRV Records

| Domain | Service | Protocol | Priority | Weight | Port | Target Host |
| --- | --- | --- | --- | --- | --- | --- |
| | collab-edge | tls | 10 | 10 | 8443 | A Record – Hostname from above table |

Create Internal DNS Records

Create A Records for both your VCS Control and VCS Expressway devices. You should already have A Records configured for all your IP Tel servers (CUCM, CUC, IM&P).

Create the following SRV Record for every domain name that will be used as a login for Jabber.

_cisco-uds._tcp.domainname.com.au

IMPORTANT: By now, every hostname and SRV record should be resolvable. If not, go back through the DNS configuration and correct it before continuing; most MRA login failures trace back to this step.

Firewall Rules for MRA

I’ve listed the firewall ports to open for the MRA solution, referenced from the Unified Communications Mobile and Remote Access via Cisco VCS – Deployment Guide x8.2.

VCS Control (Inside) to VCS Expressway (DMZ)

| Purpose | Protocol | VCS Control (source) | VCS Expressway (listening) |
| --- | --- | --- | --- |
| XMPP (IM and Presence) | TCP | Ephemeral port | 7400 |
| SSH (HTTP/S tunnels) | TCP | Ephemeral port | 2222 |
| Traversal zone SIP signaling | TLS | 25000 to 29999 | 7001 |
| Traversal zone SIP media (for small/medium systems on X8.1 or later) | UDP | 36000 to 59999* | 36000 (RTP), 36001 (RTCP) (defaults); 2776 (RTP), 2777 (RTCP) (old defaults*) |
| Traversal zone SIP media (for large systems) | UDP | 36000 to 59999* | 36000 to 36011 (6 pairs of RTP and RTCP ports for multiplexed media traversal) |

VCS Expressway (DMZ) to Internet (Outside)

| Purpose | Protocol | VCS Expressway (source) | Internet endpoint (listening) |
| --- | --- | --- | --- |
| SIP media | UDP | 36002 to 59999 or 36012 to 59999 | >= 1024 |
| SIP signaling | TLS | 25000 to 29999 | >= 1024 |

Public Internet (Outside) to VCS Expressway (DMZ)

| Purpose | Protocol | Internet endpoint (source) | VCS Expressway (listening) |
| --- | --- | --- | --- |
| XMPP (IM and Presence) | TCP | >= 1024 | 5222 |
| HTTP proxy (UDS) | TCP | >= 1024 | 8443 |
| Media | UDP | >= 1024 | 36002 to 59999 or 36012 to 59999* |
| SIP signaling | TLS | >= 1024 | 5061 |
| HTTPS (administrative access) | TCP | >= 1024 | 443 |

VCS Control to CUCM / CUC

| Purpose | Protocol | VCS Control (source) | Unified CM (listening) |
| --- | --- | --- | --- |
| XMPP (IM and Presence) | TCP | Ephemeral port | 7400 (IM and Presence) |
| HTTP proxy (UDS) | TCP | Ephemeral port | 8443 (Unified CM) |
| HTTP proxy (SOAP) | TCP | Ephemeral port | 8443 (IM and Presence Service) |
| HTTP (configuration file retrieval) | TCP | Ephemeral port | 6970 |
| CUC (voicemail) | TCP | Ephemeral port | 443 (CUC) |
| Media | UDP | 36000 to 59999* | >= 1024 |
| SIP signaling | TCP | 25000 to 29999 | 5060 |
| Secure SIP signaling | TLS | 25000 to 29999 | 5061 |

Deploy VCS Control

Download and run the OVA template for VCS x8.2. The default username/password is admin/TANDBERG. This takes you straight into a wizard; complete it with the details from the preparation section. When the wizard is complete, the device will reboot and you will have HTTPS access to the GUI.

Log into the Web Interface and start to configure the necessary system information. I’ve outlined the details to either add or modify on the VCS Control.

*NOTE: Install the release keys and option keys for VCS Control before finalising configuration in the Web GUI. Some fields and options will only be available after the license keys are installed. You will need the serial number to enter in the Cisco Licensing Portal.

| Parameter | Location | Notes |
| --- | --- | --- |
| System Name | System -> Administration | Enter Fully Qualified Domain Name |
| H323 Mode | Configuration -> Protocols -> H323 | Disable |
| SIP Mode | Configuration -> Protocols -> SIP | Enable |
| Unified Communications Mode | Configuration -> Unified Communications -> Configuration | Select “Mobile and remote access” |
| Unified CM Servers | Configuration -> Unified Communications -> Unified CM Servers | Add New CM Server (Publisher). This will discover all Subscribers and add a Neighbour Zone into VCSc |
| IM and Presence Servers | Configuration -> Unified Communications -> IM and Presence Servers | Add New IM and Presence Server (Publisher). This will discover Subscribers. |
| Domain Configuration | Configuration -> Domains | Add New Domain. Add every domain that will be used with Jabber, completing for each: Domain Name; SIP Registrations and provisioning on Unified CM: On; IM and Presence services on Unified CM: On |
| Calls to Unknown IP Addresses | Configuration -> Dialplan -> Configuration | Select “Indirect” |
| Traversal Zone Details | Configuration -> Zones -> Zones | Add Traversal Zone. Name: TraversalZone; Username: traversal; Password: ******; Port: 7001; Accept Proxied Registrations: Yes; Peer 1 Address: Enter the FQDN of the VCSe Gateway |

Deploy VCS Expressway

Now it’s time to deploy the VCS Expressway. The initial deployment steps are similar to the VCS Control: use the same OVA template and complete the wizard using the details collected in the preparation phase for the VCS Expressway.

Once the wizard has finished and the Expressway has rebooted, log into the Web GUI to start configuration. I’ve outlined the details to either add or modify on the VCS Expressway.

*NOTE: Install the release keys and option keys for VCS Expressway before finalising configuration in the Web GUI. Some fields and options will only be available after the license keys are installed. You will need the serial number to enter in the Cisco Licensing Portal.

| Parameter | Location | Notes |
| --- | --- | --- |
| System Name | System -> Administration | Enter Fully Qualified Domain Name |
| H323 Mode | Configuration -> Protocols -> H323 | Disable |
| SIP Mode | Configuration -> Protocols -> SIP | Enable |
| Unified Communications Mode | Configuration -> Unified Communications -> Configuration | Select “Mobile and remote access” |
| Calls to Unknown IP Addresses | Configuration -> Dialplan -> Configuration | Select “Indirect” |
| Traversal Zone Details | Configuration -> Zones -> Zones | Add Traversal Zone. Name: TraversalZone; Username: traversal; Password: ******; Port: 7001; TLS verify subject name: Enter the FQDN of the VCS Control Gateway. |

Traversal Communications

Both the VCS Control and VCS Expressway configuration should now be complete. However, the traversal zone will be throwing errors due to invalid security certificates. From release X8.2 both the Control and Expressway must validate each other’s certificates to enforce secure communications, so we need to either purchase external certificates or use an internal CA to sign them.

First we need to generate a CSR from both the Control and Expressway. Navigate to Maintenance -> Security Certificates -> Server Certificates and select Generate CSR. Enter the required details, ensuring all domains are entered in the Unified CM registrations domains field with the format set to SRVName. Download the CSR file and give it to your security admin to either enrol a certificate or purchase a third-party certificate.

*NOTE: The common name must match the SRV Target Hostname in the Public DNS Zone. This has been identified as Bug ID CSCuo83458.

It is recommended that a public certificate be used for the VCS Expressway. This eliminates the need to install the internal CA’s root certificate on all devices accessing Jabber remotely.

Upload the signed certificate once received. If you had an internal CA sign the certificate request, you will need to upload the CA’s root certificate to each of the Control and Expressway.

Reboot both the Control and Expressway; the traversal channel should now be active.

If you are using a Microsoft CA, follow the link below for a step-by-step guide to signing SAN certificates for the Control and Expressway.

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf

Side Notes

I created an SRV record for each domain the users will be logging into. However, due to the Bug ID mentioned above, all the SRV target hostnames must point to a common A record, and this A record must match the VCS Expressway System Name.
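The DNS and certificate constraints in this article (the `_collab-edge._tls` and `_cisco-uds._tcp` SRV records per domain, the SRV target matching the Expressway System Name and certificate CN, and the per-domain SAN entries) are easy to get slightly wrong across several domains. The check below is an added example (my code, not the author's or Cisco's) run over constructed zone and certificate data; the names, the RFC 5737 documentation address and the `collab-edge.<domain>` SAN form (my reading of what the SRVName CSR option produces, so confirm it against your own CSR) are all assumptions:

```python
# Constructed sample data standing in for the public zone, the internal zone and
# the Expressway certificate; none of these names or addresses are from the post.
SYSTEM_NAME = "vcse.domain.com.au"                 # VCS Expressway System Name
MRA_DOMAINS = ["domain.com.au", "domain2.com.au"]  # every Jabber login domain
PUBLIC_A = {"vcse.domain.com.au": "203.0.113.10"}  # RFC 5737 documentation address
PUBLIC_SRV = {  # SRV name -> list of (priority, weight, port, target)
    "_collab-edge._tls.domain.com.au": [(10, 10, 8443, "vcse.domain.com.au.")],
    "_collab-edge._tls.domain2.com.au": [(10, 10, 8443, "vcse.domain.com.au.")],
}
INTERNAL_SRV = {
    "_cisco-uds._tcp.domain.com.au": [(10, 10, 8443, "cucm-pub.domain.com.au.")],
    "_cisco-uds._tcp.domain2.com.au": [(10, 10, 8443, "cucm-pub.domain.com.au.")],
}
EXPRESSWAY_CERT = {
    "cn": "vcse.domain.com.au",
    # Assumption: the SRVName format in the CSR yields one collab-edge.<domain>
    # SAN entry per Unified CM registration domain.
    "san": ["vcse.domain.com.au", "collab-edge.domain.com.au", "collab-edge.domain2.com.au"],
}


def check_mra_names(domains, public_srv, internal_srv, public_a, system_name, cert):
    """Return a list of findings; an empty list means the records are consistent
    with the article's requirements (and with the CSCuo83458 workaround)."""
    findings = []
    if cert["cn"] != system_name:
        findings.append(f"certificate CN {cert['cn']} != System Name {system_name}")
    for domain in domains:
        edge = f"_collab-edge._tls.{domain}"
        uds = f"_cisco-uds._tcp.{domain}"
        if uds not in internal_srv:
            findings.append(f"missing internal SRV {uds}")
        if f"collab-edge.{domain}" not in cert["san"]:
            findings.append(f"certificate SAN lacks collab-edge.{domain}")
        if edge not in public_srv:
            findings.append(f"missing public SRV {edge}")
            continue
        for _priority, _weight, port, target in public_srv[edge]:
            host = target.rstrip(".")  # zone files write targets with a trailing dot
            if port != 8443:
                findings.append(f"{edge}: port {port}, expected 8443")
            if host not in public_a:
                findings.append(f"{edge}: target {host} has no public A record")
            if host != system_name:
                findings.append(
                    f"{edge}: target {host} != System Name {system_name} (CSCuo83458)"
                )
    return findings


if __name__ == "__main__":
    for finding in check_mra_names(MRA_DOMAINS, PUBLIC_SRV, INTERNAL_SRV,
                                   PUBLIC_A, SYSTEM_NAME, EXPRESSWAY_CERT) or ["OK"]:
        print(finding)
```

Run it against what your provider actually published (for example the output of `dig SRV`) rather than what you asked for, since the SRV target is the value that has to line up with the System Name and the certificate.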

Use System -> Logs to check for errors when logging into Jabber for the first time. Authentication errors can be caused by certificates or by DNS misconfiguration.

The HTTP Server Allow List is under Configuration -> Unified Communications -> Configuration, via the hyperlink “Configure HTTP Server allow list”. This whitelist is where you enter any auxiliary servers, for example a photo database server, and also the Unity Connection servers so Jabber can access voicemail.

That’s about it.

Jan 28

Creating a Photo Repository for Collaboration Edge.

Install IIS on a selected Windows server. Select the basic features; there is no need to change the defaults.
Open the IIS Management window and navigate to the Default Web Site. If this is an existing IIS server, right-click the Default Web Site and select “Add New Website”. Assign the new website a name, a default path and a unique port. More than likely the default website is already using port 80, so choose a different port.

Add your photos to the default path you selected above. The filename for each photo must be in the following format: username.jpg

Modify the jabber-config.xml file and add the following lines:

<PhotoUriSubstitutionEnabled>true</PhotoUriSubstitutionEnabled>
<UdsPhotoUriWithToken>http://192.168.0.100:9080/%%uid%%.jpg</UdsPhotoUriWithToken>

Upload the jabber-config.xml to all CUCM servers. Restart the TFTP service.

Browse to the VCS Control. Navigate to the Configuration -> Unified Communications -> Configuration page. Under Advanced, select the hyperlink “Configure HTTP Server Allow List”. Select New to add the photo repository server to the whitelist. Complete the IP address and description details and select Create entry.

The Jabber client will now have access to the photo repository server from both inside and outside the corporate network.
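To tie the three pieces of this post together (the `%%uid%%` substitution in jabber-config.xml, the username.jpg naming rule, and the allow-list entry on the VCS Control), here is an added example in Python (my code, not the author's and not how Jabber itself is implemented). The allow-list contents, the repository listing and the restriction of user IDs to a conservative character set are constructed assumptions; the template string is the one from the post:

```python
import re
from urllib.parse import urlparse

# Template from the post's jabber-config.xml; replace with your own.
PHOTO_URI_TEMPLATE = "http://192.168.0.100:9080/%%uid%%.jpg"
# Constructed: hosts on the VCS Control HTTP Server Allow List, and the files
# present in the IIS site's default path.
ALLOW_LIST = {"192.168.0.100", "cuc-pub.domain.com.au"}
REPOSITORY_FILES = {"ben.jpg", "sue.jpg"}
# Assumption: user IDs are letters, digits, dot, underscore or hyphen, so a
# malformed uid can never alter the path the client ends up requesting.
UID_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_valid_uid(uid):
    """True if the uid only contains characters safe to place in the photo path."""
    return UID_OK.fullmatch(uid) is not None


def photo_uri(uid, template=PHOTO_URI_TEMPLATE):
    """Expand %%uid%% as the post describes Jabber doing, refusing odd uids."""
    if not is_valid_uid(uid):
        raise ValueError(f"unexpected characters in uid {uid!r}")
    return template.replace("%%uid%%", uid)


def allow_list_covers(template, allow_list):
    """True if the photo server host in the template is on the HTTP allow list,
    which is what lets MRA clients reach it through the Expressway pair."""
    return urlparse(template).hostname in allow_list


def missing_photos(uids, repository_files):
    """Return, sorted, the uids that have no <uid>.jpg in the repository."""
    return sorted(uid for uid in uids if f"{uid}.jpg" not in repository_files)


if __name__ == "__main__":
    users = ["ben", "sue", "tom"]  # constructed sample users
    print("allow list covers photo host:", allow_list_covers(PHOTO_URI_TEMPLATE, ALLOW_LIST))
    print("users without a photo:", missing_photos(users, REPOSITORY_FILES))
    for user in users:
        print(user, "->", photo_uri(user))
```

Running the repository check against the directory listing before enabling `PhotoUriSubstitutionEnabled` saves chasing blank avatars one user at a time, and the allow-list check catches the common case where the photo host was changed in jabber-config.xml but not on the VCS Control.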