
Media Optimization - CUBE ICE-lite - CUBE behind a NAT

2006nicolas
Level 1

Hi Community

My customer is evaluating configuring Direct Routing with Microsoft, and I was planning to propose Cisco CUBEs since they now support ICE-Lite, which is required for media optimization.

However, when doing some research and reviewing the link below, it is my understanding that

a) If the CUBE is placed in a DMZ behind a NAT, Media Optimization won't be possible since the CUBE won't be able to know its public IP via STUN.

b) Thus, the only possible way to do Media Optimization is to have the CUBE connected directly to the internet.

Cisco Unified Border Element Configuration Guide Through Cisco IOS XE 17.5 - ICE-Lite Support on CUBE [Cisco Unified Border Element] - Cisco

Possible Scenarios:

Local Network >> internal Firewall >> CUBE in DMZ  >> External Firewall >> Internet >>> Microsoft Teams

Local Network >> internal Firewall >> CUBE in DMZ  >> External Firewall >> Internet >>> Cisco Webex 

Do you guys have the same understanding?

Any pointers to a document that can prove me wrong will be greatly appreciated.

Thx, 

Jorge

5 Replies

Engnr
Level 1

I am not familiar with ICE, but I wonder if you can use SIP profiles on your CUBE to modify the SDP headers with the public IP address you are giving to your CUBE (I assume this is static NAT).

 

There is a way to do SIP Profiles with NAT, but this is not related to my question, since when an endpoint supports the ICE framework, it is able to ask a STUN server (on the Internet) what public IP and port it is using for a specific call and then update the other endpoint STUN probes. Media optimization will be completed if the 2nd endpoint supports the ICE framework too, because in that case the 2 endpoints will be able to renegotiate the media IPs/ports and the RTP will be able to flow between the 2 endpoints using their respective public IPs, this way removing the hairpinning on Microsoft Teams or Webex Calling, for instance.

2006nicolas
Level 1

This is a nice reference for Direct Routing integration. Thx!!

2006nicolas
Level 1

Here is my final understanding after additional review:

Cisco CUBE supports only ICE-Lite. It will never ask a STUN server on the Internet what its public IP and port is. The CUBE will only reply to queries for media optimization requests with its real IP. However, by using a SIP Profile, the private IP is converted to the public IP in the SDP header. This way the other party will learn the media IP address of the CUBE (public IP) and media optimization could be initiated.

SIP Profile 200, as configured in the "Direct Routing for Microsoft Phone System with CUBE" Document published by Cisco, does all the tweaking necessary for media optimization when the CUBE is behind a NAT (lines 300 to 350):

rule 300 response ANY sdp-header Audio-Attribute modify "a=rtcp:(.*) IN IP4 cube-priv-ip" "a=rtcp:\1 IN IP4 nat-ext-ip"
rule 310 request ANY sdp-header Audio-Attribute modify "a=rtcp:(.*) IN IP4 cube-priv-ip" "a=rtcp:\1 IN IP4 nat-ext-ip"
rule 320 response ANY sdp-header Audio-Attribute modify "a=candidate:1 1(.*) cube-priv-ip (.*)" "a=candidate:1 1\1 nat-ext-ip \2"
rule 330 request ANY sdp-header Audio-Attribute modify "a=candidate:1 1(.*) cube-priv-ip (.*)" "a=candidate:1 1\1 nat-ext-ip \2"
rule 340 response ANY sdp-header Audio-Attribute modify "a=candidate:1 2(.*) cube-priv-ip (.*)" "a=candidate:1 2\1 nat-ext-ip \2"
rule 350 request ANY sdp-header Audio-Attribute modify "a=candidate:1 2(.*) cube-priv-ip (.*)" "a=candidate:1 2\1 nat-ext-ip \2"

In a nutshell, the CUBE should be able to handle media optimization even when it is behind a NAT.
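An added example, not part of the thread or of Cisco's document: the patterns from rules 300-350 replayed in Python over a constructed SDP fragment, followed by an audit of which lines still expose the private address. The addresses, the sample SDP and the function names are assumptions made for illustration, and Python's `re` stands in for the IOS regex engine.

```python
import re

# Patterns from rules 300-350 in the post. Each request/response pair is
# identical, so each pattern is listed once. PRIV and EXT stand in for the
# cube-priv-ip and nat-ext-ip placeholders.
RULES = [
    (r"a=rtcp:(.*) IN IP4 PRIV", r"a=rtcp:\1 IN IP4 EXT"),
    (r"a=candidate:1 1(.*) PRIV (.*)", r"a=candidate:1 1\1 EXT \2"),
    (r"a=candidate:1 2(.*) PRIV (.*)", r"a=candidate:1 2\1 EXT \2"),
]

def rewrite_sdp(sdp, priv_ip, ext_ip):
    """Apply the patterns to every a= line (Python re, not the IOS engine)."""
    out = []
    for line in sdp.splitlines():
        if line.startswith("a="):
            for pat, rep in RULES:
                pat = pat.replace("PRIV", re.escape(priv_ip))
                line = re.sub(pat, rep.replace("EXT", ext_ip), line)
        out.append(line)
    return "\n".join(out)

def leaked_lines(sdp, priv_ip):
    """Return the lines that still carry the private address as a whole token."""
    token = re.compile(r"(?<![\d.])" + re.escape(priv_ip) + r"(?![\d.])")
    return [line for line in sdp.splitlines() if token.search(line)]

# Constructed SDP fragment; addresses are sample values (203.0.113.0/24 is a
# documentation range). The foundation-2 candidate is included only to show
# what the audit flags, not as something the post says CUBE sends.
SAMPLE_SDP = "\n".join([
    "v=0",
    "o=- 4107 8713 IN IP4 10.0.0.5",
    "s=SIP Call",
    "c=IN IP4 10.0.0.5",
    "t=0 0",
    "a=ice-lite",
    "m=audio 8000 RTP/SAVP 0 101",
    "a=rtcp:8001 IN IP4 10.0.0.5",
    "a=candidate:1 1 UDP 2130706431 10.0.0.5 8000 typ host",
    "a=candidate:1 2 UDP 2130706431 10.0.0.5 8001 typ host",
    "a=candidate:2 1 UDP 2130706175 10.0.0.5 8002 typ host",
])

if __name__ == "__main__":
    rewritten = rewrite_sdp(SAMPLE_SDP, "10.0.0.5", "203.0.113.10")
    print(rewritten)
    for line in leaked_lines(rewritten, "10.0.0.5"):
        print("still private:", line)
```

The `o=` and `c=` lines are flagged because the six rules quoted in the post only match `a=rtcp` and `a=candidate:1` attributes; the post does not show the rest of profile 200, so whether other rules rewrite them has to be checked against the full configuration.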