This article contains the process and information you need to configure Mobile Remote Access for Jabber and Cisco DX/MX/EX Series Endpoints. This does not include Jabber Guest at this time. As most organisations move towards a borderless network, collaboration technologies outside the workplace is becoming less of a feature and more a requirement. MRA assists organisations allowing collaboration to extend outside of the walls of the organisation while providing the same feature rich experience for users.
This article is based on the following UC platforms:
- CUCM version 10.5.XX
- CUC version 10.5.XX
- IM & Presence version 10.5.XX
- VCS Expressway version x8.2
- VCS Control version x8.2
- Cisco Jabber for Windows 10.5.XX
Preparation
Order your Licenses for MRA
Log onto the Cisco CCW Website and order the Expressway license. This is a zero cost order.
Know your network topology
Gather or create network topology documents and other tables documenting, how the DMZ is configured, or Internet edge zones, Domain Names, Hostnames to use, IP Addressing requirements etc.
Details to gather:
VCS Control
System Administration Details
| System Name | ||
| System Name |
IP Details
| Configuration | ||
| Gateway | ||
| LAN 1 | ||
| IP Address | ||
| Subnet Mask |
DNS
| DNS Settings | ||
| System Host Name | ||
| Domain Name | ||
| Default DNS Servers | ||
| Address 1 | ||
| Address 2 |
NTP
| NTP Servers | ||
| NTP Server 1 | ||
| NTP Server 2 | ||
| Timezone | ||
| Timezone |
VCS Expressway
System Administration Details
| System Name | ||
| System Name |
IP Details
| Configuration | ||
| Gateway | ||
| LAN 1 | ||
| IP Address | ||
| Subnet Mask |
DNS
| DNS Settings | ||
| System Host Name | ||
| Domain Name | ||
| Default DNS Servers | ||
| Address 1 | ||
| Address 2 |
NTP
| NTP Servers | ||
| NTP Server 1 | ||
| NTP Server 2 | ||
| Timezone | ||
| Timezone |
IP Tel Cluster Devices
| Hostname | IP Address | Description |
| CUCM Publisher | ||
| CUCM Subscriber | ||
| CUC Publisher | ||
| CUC Subscriber | ||
| IM & Presence Publisher | ||
| IM & Presence Subscriber |
Configuration
Create Public DNS Records
No we know where we are going to place the collab edge devices and sourced our IP Addresses with hostname etc we now need to start the configuration phase.
Create an A Record for your VCS Expressway device. Then create an SRV Record for the _collab-edge service.
_collab-edge._tls.domain.com.au
I’ve provided a template to use to send to your provider, complete the table and email.
Public DNS Modification – Domain: DomainName
A Record
| Record Name | IP Address |
SRV Records
| Domain | Service | Protocol | Priority | Weight | Port | Target Host |
| collab-edge | tls | 10 | 10 | 8443 | A Record – Hostname from above table |
Create Internal DNS Records
Create A Records for both your VCS Control and VCS Expressway devices. You should already have A Records configured for your all your IP Tel Servers. (CUCM, CUC, IM&P).
Create the following SRV Record for every domain name that will be used as a login for Jabber.
_cisco-uds._tcp.domainname.com.au
IMPORTANT: By now, every hostname and srv record should be resolvable. If not, go back through DNS configuration and correct.
Firewall Rules for MRA
I’ve listed the firewall ports to open for the MRA solution. Referenced from the Unified Communications Mobile and Remote Access via Cisco VSC – Deployment Guide x8.2
VCS Control (Inside) to VCS Expressway (DMZ)
| Purpose | Protocol | VCS Control (source) | VCS Expressway (listening) |
| XMPP (IM and Presence) | TCP | Ephemeral port | 7400 |
| SSH (HTTP/S tunnels) | TCP | Ephemeral port | 2222 |
| Traversal zone SIP signaling | TLS | 25000 to 29999 | 7001 |
| Traversal zone SIP media(for small/medium systems on X8.1 or later) | UDP | 36000 to 59999* | 36000 (RTP), 36001 (RTCP) (defaults)2776 (RTP), 2777 (RTCP) (old defaults*) |
| Traversal zone SIP media(for large systems) | UDP | 36000 to 59999* | 36000 to 36011 (6 pairs of RTP and RTCP ports for multiplexed media traversal) |
VCS Expressway (DMZ) to Internet (Outside)
| Purpose | Protocol | VCS Expressway (source) | Internet endpoint (listening) |
| SIP media | UDP | 36002 to 59999 or36012 to 59999 | >= 1024 |
| SIP signaling | TLS | 25000 to 29999 | >= 1024 |
Public Internet (Outside) to VCS Expressway (DMZ)
| Purpose | Protocol | Internet endpoint (source) | VCS Expressway (listening) |
| XMPP (IM and Presence) | TCP | >= 1024 | 5222 |
| HTTP proxy (UDS) | TCP | >= 1024 | 8443 |
| Media | UDP | >= 1024 | 36002 to 59999 or36012 to 59999* |
| SIP signaling | TLS | >= 1024 | 5061 |
| HTTPS (administrative access) | TCP | >= 1024 | 443 |
VCS Control to CUCM / CUC
| Purpose | Protocol | VCS Control (source) | Unified CM (listening) |
| XMPP (IM and Presence) | TCP | Ephemeral port | 7400 (IM and Presence) |
| HTTP proxy (UDS) | TCP | Ephemeral port | 8443 (Unified CM) |
| HTTP proxy (SOAP) | TCP | Ephemeral port | 8443 (IM and Presence Service) |
| HTTP (configuration file retrieval) | TCP | Ephemeral port | 6970 |
| CUC (voicemail) | TCP | Ephemeral port | 443 (CUC) |
| Media | UDP | 36000 to 59999* | >= 1024 |
| SIP signaling | TCP | 25000 to 29999 | 5060 |
| Secure SIP signaling | TLS | 25000 to 29999 | 5061 |
Deploy VCS Control
Download and run the OVA template for VCS x8.2. Default username/password is admin/TANDBERG. This will shoot you straight in a wizard. Complete the wizard with details in the preparation section. When the wizard is complete, the device will reboot and you will now have HTTPS access to the GUI.
Log into the Web Interface and start to configure the necessary system information. I’ve outlined the details to either add or modify on the VCS Control.
*NOTE: Install the release keys and option keys for VCS Control before finalising configuration in the Web GUI. Some fields and options will only be available after the license keys are installed. You will need the serial number to enter in the Cisco Licensing Portal.
| Parameter | Location | Notes |
| System Name | System -> Administration | Enter Fully Qualified Domain Name |
| H323 Mode | Configuration -> Protocols -> H323 | Disable |
| SIP Mode | Configuration -> Protocols -> SIP | Enable |
| Unified Communications Mode | Configuration -> Unified Communications -> Configuration | Select “Mobile and remote access” |
| Unified CM Servers | Configuration -> Unified Communications -> Unified CM Servers | Add New CM Server (Publisher). This will discover all Subscribers and add a Neighbour Zone into VCSc |
| IM and Presence Servers | Configuration -> Unified Communications -> IM and Presence Servers | Add New IM and Presence Server (Publisher). This will discover Subscribers. |
| Domain Configuration | Configuration -> Domains | Add New Domain. Need to add all domains that will be used with Jabber.Complete the below details.
Domain Name SIP Registrations and provisioning on Unified CM : On IM and Presence services on Unified CM : On |
| Calls to Unknown IP Addresses | Configuration -> Dialplan -> Configuration | Select “Indirect” |
| Traversal Zone Details | Configuration -> Zones -> Zones | Add Traversal Zone.Name: TraversalZone
Username: traversal Password: ****** Port: 7001 Accept Proxied Registrations: Yes Peer 1 Address: Enter the FQDN of the VCSe Gateway |
Deploy VCS Expressway
Now its time to deploy the VCS Expressway. The initial deployment steps are alike to the VCS Control, use the same OVA Template and complete the wizard using the details collected in the preparation phase for the VCS Expressway.
Once the Wizard has finalised and the Expressway has rebooted, log into the Web GUI to start configuration. I’ve outlined the details to either add or modify on the VCS Control.
*NOTE: Install the release keys and option keys for VCS Expressway before finalising configuration in the Web GUI. Some fields and options will only be available after the license keys are installed. You will need the serial number to enter in the Cisco Licensing Portal.
| Parameter | Location | Notes |
| System Name | System -> Administration | Enter Fully Qualified Domain Name |
| H323 Mode | Configuration -> Protocols -> H323 | Disable |
| SIP Mode | Configuration -> Protocols -> SIP | Enable |
| Unified Communications Mode | Configuration -> Unified Communications -> Configuration | Select “Mobile and remote access” |
| Calls to Unknown IP Addresses | Configuration -> Dialplan -> Configuration | Select “Indirect” |
| Traversal Zone Details | Configuration -> Zones -> Zones | Add Traversal Zone.Name: TraversalZone
Username: traversal Password: ****** Port: 7001 TLS verify subject name: Enter the FQDN of the VCS Control Gateway. |
Traversal Communications
Both the VCS Control and VCS Expressway configuration should now be complete. However the traversal zone will be throwing errors due to security invalid security certificates. From release X8.2 both the Control and Expressway need to validate security certificates to force secure communications. So, we need to either purchase external certificates or use an Internal CA to sign certificates.
First we need to generate a CSR from both the Control and Expressway. Navigate to Maintenance -> Security Certificates -> Server Certificates. Select Generate CSR. Enter the required details, ensure all domains are entered in the Unified CM registrations domains and the format is SRVName. Download the CSR file and give to your Security Admin to either enrol a certificate or purchase a third party certificate.
*NOTE: The common name must match the SRV Target Hostname in the Public DNS Zone. This has been identified as Bug ID CSCuo83458.
It is recommended a public certificate be generated for the VCS Expressway. This will eliminate the need to install the Install CA’s root certificate on all devices accessing Jabber remotely.
Upload the signed certificate once received. If you had the Internal CA sign the certificate request, you will need to upload the CA’s root certificate to each the Control and Expressway.
Reboot both Control and Expressway, the Traversal channel should now be active.
If you are using a MS CA, following the below link for a step by step to sign SAN certificates for Control and Expressway.
Side Notes
I created an SRV Record for each domain the users will be logging into. However due to the above Bug ID mentioned, all the SRV Target Hostnames must point to a common A record, this A record must match the VCS Expressway System Name.
Use the System -> Logs to check for errors when logging into Jabber initially. Authentication errors can be caused by certificates, DNS mis-configuration.
HTTP Server Allow List under the Configuration -> Unified Communications -> Configuration then clicking on the hyperlink “Configure HTTP Server allow list”. This white list is where you enter any auxiliary servers for example photo database server also Unity Connection Servers so Jabber can access Voicemail.
That’s about it.