14.3 Unified Communications Mobile and Remote Access Components

This topic describes the components of Unified Communications mobile and remote access.

Unified Communications mobile and remote access includes the following components:

  • Firewall traversal support
    1. Internal firewall between Cisco Expressway Core and Cisco Expressway Edge
    2. External firewall between the Internet and Cisco Expressway Edge
  • DNS records (internal and external)
  • Certificates
  • HTTPS reverse proxy

Unified Communications mobile and remote access consists of the following main components:

  • Firewall traversal services: Unified Communications mobile and remote access supports internal firewalls between Cisco Expressway Core and Cisco Expressway Edge as well as an external firewall between Cisco Expressway Edge and the Internet.
  • DNS records: Internal and external DNS records are essential for enabling endpoints to detect whether they should register directly with Cisco Unified Communications Manager or through Unified Communications mobile and remote access.
  • Certificates: Unified Communications mobile and remote access provides secure communication over TLS. Trust between TLS entities is established based on certificates. Implementing the necessary certificates for a PKI is an important part of the Unified Communications mobile and remote access implementation.
  • HTTPS reverse proxy: To support secure data services, such as visual voicemail, contact photo retrieval, Cisco Jabber custom tabs, and so on, an HTTPS reverse proxy runs on the Cisco Expressway Edge server.

Firewall Traversal

This section describes how firewall traversal services are used to allow incoming calls from public networks.

  • Cisco Expressway Core establishes a firewall traversal connection to Cisco Expressway Edge.
  • Keepalive packets are sent from Cisco Expressway Core to Cisco Expressway Edge to maintain the connection.
  • Incoming call requests that reach Cisco Expressway Edge are forwarded to Cisco Expressway Core through the existing connection.
  • Media are also sent over the existing connection.

Firewall Traversal Procedure

Unified Communications mobile and remote access uses a firewall traversal connection to allow inbound- and outbound-initiated packet exchange such as registration and call setup messages. Unified Communications mobile and remote access uses Cisco Expressway Edge, which is installed in a DMZ, as the traversal server. Cisco Expressway Core is the traversal client that is installed on the internal network. Firewall traversal offers secure communication across firewalls as follows:

  1. Cisco Expressway Core initiates an outbound traversal connection through the internal firewall to specific ports on Cisco Expressway Edge with secure login credentials.
  2. Once the connection has been established, Cisco Expressway Core sends keepalive packets periodically to Cisco Expressway Edge in order to maintain the connection.
  3. When Cisco Expressway Edge receives an incoming message (registration or signaling message) from the outside, it sends the request to Cisco Expressway Core through the existing traversal connection.
  4. Cisco Expressway Core then sends the message—for example, a call setup request—to Cisco Unified Communications Manager.
  5. Cisco Unified Communications Manager processes the call, and media streams are set up over the existing traversal connection.

The following connections must be enabled on the firewalls (if deployed):

  • Internal firewall between Cisco Expressway Core and Cisco Expressway Edge:
    1. SIP: TCP 7001
    2. Traversal Media: UDP 36000 to 36011
    3. XMPP: TCP 7400
    4. HTTPS (Tunneled over SSH Between Expressway-C and Expressway-E): TCP 2222
  • External firewall between the Internet and Cisco Expressway Edge:
    1. SIP: TCP 5061
    2. HTTPS: TCP 8443
    3. XMPP: TCP 5222
    4. TURN (Traversal Using Relays around NAT) server control and media: UDP 3478 / 60000 to 61799
    5. Media: UDP 36012 to 59999
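The five-step procedure above, played out as an added simulation written for this page (it is not Cisco code and does not reproduce the real Expressway protocol). The Edge stand-in only listens; the Core stand-in dials out, authenticates, sends a keepalive, and relays whatever arrives on the tunnel to "Unified CM", represented by a list. The login/keepalive line protocol, the credentials, the loopback ephemeral port standing in for TCP 7001, and the SIP messages are all constructed for the demo.

```python
import socket
import threading

# Constructed traversal-zone credentials and a made-up line protocol for this
# illustration; neither is a real Expressway setting or wire format.
TRAVERSAL_USER = "exp-c-traversal"
TRAVERSAL_PASS = "correct-horse-battery-staple"


class ExpresswayEdge:
    """Stand-in for the traversal server in the DMZ: it only listens for the
    Core and never opens a connection toward the internal network."""

    def __init__(self):
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.bind(("127.0.0.1", 0))  # ephemeral port stands in for TCP 7001
        self._listener.listen(1)
        self.port = self._listener.getsockname()[1]
        self.core_conn = None                 # the single Core-initiated connection
        self.handshake_done = threading.Event()
        self.core_ready = threading.Event()   # set only after a successful login
        self.keepalives = 0
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self._listener.accept()
        self._listener.close()
        rfile = conn.makefile("r")
        # Step 1: the Core must present the traversal credentials when it connects.
        if rfile.readline().split() != ["LOGIN", TRAVERSAL_USER, TRAVERSAL_PASS]:
            conn.sendall(b"REJECT\n")
            conn.close()
            self.handshake_done.set()
            return
        conn.sendall(b"OK\n")
        self.core_conn = conn
        self.core_ready.set()
        self.handshake_done.set()
        for line in rfile:                    # Step 2: Core sends keepalives (or BYE)
            msg = line.strip()
            if msg == "KEEPALIVE":
                self.keepalives += 1
            elif msg == "BYE":
                break
        conn.close()

    def relay_inbound(self, msg):
        """Step 3: a request arriving on the outside interface is written onto
        the existing Core-initiated connection; no socket is opened inward, so
        the internal firewall needs no DMZ-to-inside rule."""
        if not self.core_ready.is_set():
            raise RuntimeError("no traversal connection; inbound request dropped")
        self.core_conn.sendall((msg + "\n").encode())


class ExpresswayCore:
    """Stand-in for the traversal client on the inside: dials out, keeps the
    connection alive, and hands everything it receives to Unified CM (a list)."""

    def __init__(self, edge_port, password):
        self.edge_port, self.password = edge_port, password
        self.cucm_inbox, self.login_ok = [], False
        self.thread = threading.Thread(target=self._run, daemon=True)
        self.thread.start()

    def _run(self):
        sock = socket.create_connection(("127.0.0.1", self.edge_port))
        rfile = sock.makefile("r")
        sock.sendall(f"LOGIN {TRAVERSAL_USER} {self.password}\n".encode())
        if rfile.readline().strip() != "OK":
            sock.close()
            return
        self.login_ok = True
        sock.sendall(b"KEEPALIVE\n")          # Step 2: one tick of the keepalive timer
        for line in rfile:                    # Step 4: relay tunnel traffic to Unified CM
            msg = line.strip()
            if msg == "END":
                break
            self.cucm_inbox.append(msg)
        sock.sendall(b"BYE\n")
        sock.close()


def run_traversal_demo(password=TRAVERSAL_PASS):
    """Run one Core/Edge pair over loopback and report what reached Unified CM."""
    edge = ExpresswayEdge()
    core = ExpresswayCore(edge.port, password)
    edge.handshake_done.wait(5)
    if edge.core_ready.is_set():
        # Two constructed outside requests: a registration, then a call setup.
        edge.relay_inbound("REGISTER sip:alice@hq.cisco.com")
        edge.relay_inbound("INVITE sip:bob@hq.cisco.com")
        edge.relay_inbound("END")             # demo-only teardown marker
    core.thread.join(5)
    edge.thread.join(5)
    return {"login_ok": core.login_ok, "keepalives": edge.keepalives,
            "cucm_inbox": core.cucm_inbox}


if __name__ == "__main__":
    print(run_traversal_demo())
    print(run_traversal_demo(password="wrong"))
```

The point to take from the demo is the direction of every socket: the only `connect()` is made by the Core toward the Edge, which is why the internal firewall list above contains outbound rules only, while the Edge still receives outside registrations and calls and passes them in over the already-open connection. A wrong traversal password stops the exchange at step 1 and nothing is relayed.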

Unified Communications Mobile and Remote Access DNS Requirements

This section describes the DNS requirements to support Unified Communications mobile and remote access.

Public (External) DNS Server

Domain        Service       Protocol  Priority  Weight  Port  Target Host
hq.cisco.com  _collab-edge  _tls      10        10      8443  exp-e1.hq.cisco.com
hq.cisco.com  _collab-edge  _tls      10        10      8443  exp-e2.hq.cisco.com
hq.cisco.com  _sips         _tcp      10        10      5061  exp-e1.hq.cisco.com
hq.cisco.com  _sips         _tcp      10        10      5061  exp-e2.hq.cisco.com

Local (Internal) DNS Server

Domain        Service     Protocol  Priority  Weight  Port  Target Host
hq.cisco.com  _cisco-uds  _tcp      10        10      8443  cucm1.hq.cisco.com
hq.cisco.com  _cuplogin   _tcp      10        10      8443  cup1.hq.cisco.com

The external DNS server must be configured with a _collab-edge._tls.<domain> service record so that external endpoints can discover that they should use Cisco Expressway Edge for mobile and remote access. Service records for secure SIP are also required, not specifically for mobile and remote access, but for deploying a secure SIP service on the Internet. The service records must point to the Cisco Expressway Edge server. In case of a Cisco Expressway Edge cluster, the service records must point to each cluster member of the Cisco Expressway Edge server.

The internal DNS server must be configured with a _cisco-uds._tcp.<domain> service record so that internal endpoints can discover that they should use Cisco Unified Communications Manager for direct registration. When using Cisco Unified Communications Manager IM and Presence, a _cuplogin._tcp.<domain> service record is also required on the internal DNS server. Just like with the service records that refer to the Cisco Expressway Edge servers, you must point to all call-processing nodes of a Cisco Unified Communications Manager cluster when configuring the _cisco-uds._tcp.<domain> service record and to all Cisco Unified Communications Manager IM and Presence servers when configuring the _cuplogin._tcp.<domain> service record. The internal DNS records must be available to all internal endpoints and to Cisco Expressway Core.

Note

Make sure that the _cisco-uds._tcp.<domain> and _cuplogin._tcp.<domain> service records are not resolvable from outside of the internal network. Otherwise, the Cisco Jabber client will not use the necessary mobile and remote access registration via Cisco Expressway Edge.
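The discovery logic the two DNS tables and the note above describe, as an added Python example written for this page (it is not Cisco Jabber code). The two resolver views are constructed from the tables; a third, deliberately misconfigured public view also answers for _cisco-uds, which is the failure the note warns about. The selection step follows RFC 2782 (lowest priority, then weighted random), and the client order "internal records first, then _collab-edge" is taken from the text; the function names are this example's own.

```python
import random

# Constructed SRV answers per resolver view (not real zone data). Each record
# is (priority, weight, port, target), mirroring the two tables above.
INTERNAL_VIEW = {
    "_cisco-uds._tcp.hq.cisco.com": [(10, 10, 8443, "cucm1.hq.cisco.com")],
    "_cuplogin._tcp.hq.cisco.com": [(10, 10, 8443, "cup1.hq.cisco.com")],
}
EXTERNAL_VIEW = {
    "_collab-edge._tls.hq.cisco.com": [(10, 10, 8443, "exp-e1.hq.cisco.com"),
                                       (10, 10, 8443, "exp-e2.hq.cisco.com")],
    "_sips._tcp.hq.cisco.com": [(10, 10, 5061, "exp-e1.hq.cisco.com"),
                                (10, 10, 5061, "exp-e2.hq.cisco.com")],
}
# A misconfigured public zone that also answers for the internal-only record.
LEAKY_EXTERNAL_VIEW = {**EXTERNAL_VIEW,
                       "_cisco-uds._tcp.hq.cisco.com": INTERNAL_VIEW["_cisco-uds._tcp.hq.cisco.com"]}

# Service labels that must resolve only from the inside.
INTERNAL_ONLY = ("_cisco-uds._tcp", "_cuplogin._tcp")


def select_srv(records, rng=random):
    """RFC 2782 target selection: lowest priority wins; among equal priorities
    pick at random in proportion to weight (uniformly if all weights are 0)."""
    best = min(r[0] for r in records)
    candidates = [r for r in records if r[0] == best]
    weights = [r[1] for r in candidates]
    if sum(weights) == 0:
        weights = None
    return rng.choices(candidates, weights=weights, k=1)[0]


def discover(view, domain, rng=random):
    """Registration path a Jabber-style client takes from the given resolver
    view: a _cisco-uds answer means register directly with Unified CM, else a
    _collab-edge answer means register through Expressway Edge (MRA)."""
    uds = view.get(f"_cisco-uds._tcp.{domain}")
    if uds:
        _, _, port, host = select_srv(uds, rng)
        return ("direct", f"{host}:{port}")
    edge = view.get(f"_collab-edge._tls.{domain}")
    if edge:
        _, _, port, host = select_srv(edge, rng)
        return ("mra", f"{host}:{port}")
    return ("none", None)


def split_dns_leaks(external_view, domain):
    """Internal-only service records that the public resolver answers for."""
    return [f"{svc}.{domain}" for svc in INTERNAL_ONLY
            if f"{svc}.{domain}" in external_view]


if __name__ == "__main__":
    for name, view in (("internal", INTERNAL_VIEW), ("external", EXTERNAL_VIEW),
                       ("leaky external", LEAKY_EXTERNAL_VIEW)):
        print(f"{name:15} -> {discover(view, 'hq.cisco.com')}")
    print("leaks:", split_dns_leaks(LEAKY_EXTERNAL_VIEW, "hq.cisco.com"))
```

Run against the leaky view, `discover()` returns a direct registration to cucm1.hq.cisco.com, which an Internet client cannot reach, so it never falls back to the Edge; `split_dns_leaks()` is the check to run against the public zone after any DNS change.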

Unified Communications Mobile and Remote Access Certificate Requirements

This section describes the certificate requirements for different Unified Communications mobile and remote access scenarios.

Certificate Type                                          Core  Edge  Comments
Public or enterprise CA certificate chain used to sign    Y     Y     Required to establish the traversal zone connection
  the Expressway Core certificate
Public or enterprise CA certificate chain used to sign    Y     Y     Required to establish the traversal zone connection
  the Expressway Edge certificate
Cisco Unified CM Tomcat certificates or CA chain          Y     N     Only required when Expressway Core is configured to use
                                                                      TLS verify mode for Cisco Unified CM discovery
Cisco Unified CM CallManager certificates or CA chain     Y     N     Only required when Cisco Unified CM is in mixed mode
                                                                      for end-to-end TLS
Cisco Unified CM IM and Presence Tomcat certificates      Y     N     Only required when Expressway Core is configured to use
  or CA chain                                                         TLS verify mode for IM and Presence discovery
Cisco Unified CM CAPF certificate or certificates         N     Y     Only required when remote endpoints authenticate with
                                                                      an LSC
Note

CA = certificate authority; CAPF = Certificate Authority Proxy Function; LSC = locally significant certificate

The figure shows which certificates must be installed on which devices in certain scenarios.

HTTPS Reverse Proxy

This section describes the HTTPS reverse proxy feature of Unified Communications mobile and remote access.

  • Provides a mechanism to support visual voicemail access, contact photo retrieval, Jabber custom tabs, and so forth.
  • Reverse proxy is available on the Cisco Expressway Edge server on TCP port 8443 for HTTPS traffic.
  • The initial mobile and remote access configuration allows inbound authenticated HTTPS requests only to the following destinations on the internal network:
    1. TCP 6970 (TFTP file download) and TCP 8443 (UDS API) to all discovered Cisco Unified CM nodes
    2. TCP 7400 (XCP router) and TCP 8443 (SOAP API) to all discovered Cisco IM and Presence nodes
  • Additional hosts can be added to the allow list on Cisco Expressway Core.

The HTTPS reverse proxy is a function that Cisco Expressway Edge provides. It is required for certain data applications such as visual voicemail and contact photo retrieval.
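The allow-list behaviour described above, as an added Python example written for this page (it is not Expressway code). The node inventory is constructed, and the request form `https://<edge>:8443/<internal-host>:<port>/<path>` is an assumption made for the example rather than something the text states; the function names are this example's own. The default list is derived from the four destination rules listed above, and `add_allowed_host()` stands in for the operator adding a further host on Cisco Expressway Core.

```python
from urllib.parse import urlsplit

# Constructed node inventory, standing in for what Expressway Core learns
# during Unified CM and IM and Presence discovery (not real hosts).
CUCM_NODES = ["cucm1.hq.cisco.com", "cucm2.hq.cisco.com"]
IMP_NODES = ["cup1.hq.cisco.com"]


def default_allow_list(cucm_nodes, imp_nodes):
    """(host, port) pairs the initial MRA configuration lets the Edge proxy to."""
    allowed = set()
    for host in cucm_nodes:   # TFTP file download and UDS API
        allowed |= {(host.lower(), 6970), (host.lower(), 8443)}
    for host in imp_nodes:    # XCP router and SOAP API
        allowed |= {(host.lower(), 7400), (host.lower(), 8443)}
    return allowed


def add_allowed_host(allow_list, host, port):
    """The operator's manual addition on Core (for example a custom-tab web server)."""
    return allow_list | {(host.lower(), int(port))}


def proxy_decision(url, allow_list, authenticated):
    """Decide whether the Edge forwards an inbound request. Assumed request form
    (not stated by the page): https://<edge>:8443/<internal-host>:<port>/<path>.
    Returns ("proxy", (host, port, path)) or ("deny", reason)."""
    if not authenticated:
        return ("deny", "unauthenticated")
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.port != 8443:
        return ("deny", "reverse proxy only serves HTTPS on TCP 8443")
    first, _, rest = parts.path.lstrip("/").partition("/")
    host, _, port = first.rpartition(":")
    if not host or not port.isdigit():
        return ("deny", "first path segment must be <internal-host>:<port>")
    target = (host.lower(), int(port))
    if target not in allow_list:
        return ("deny", f"{host}:{port} is not on the allow list")
    return ("proxy", (target[0], target[1], "/" + rest))


if __name__ == "__main__":
    allow = default_allow_list(CUCM_NODES, IMP_NODES)
    # Constructed requests: a legitimate UDS call, the Unified CM admin UI on a
    # port that is not listed, and an arbitrary internal file server.
    for url in ("https://exp-e1.hq.cisco.com:8443/cucm1.hq.cisco.com:8443/cucm-uds/users/alice",
                "https://exp-e1.hq.cisco.com:8443/cucm1.hq.cisco.com:443/ccmadmin/",
                "https://exp-e1.hq.cisco.com:8443/fileserver.hq.cisco.com:445/share"):
        print(url.split(":8443/", 1)[1], "->", proxy_decision(url, allow, True))
```

The security property worth keeping in mind is that an authenticated remote user can only reach the exact host and port pairs on the list: the same Unified CM node is proxied on 8443 but denied on 443, and any host that was not discovered or explicitly added is denied regardless of path. Every host added on Core widens that surface, so additions should be as specific as the need.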
