Application Layer Gateway ALG was in the past developped to provice NAT Traversal Solution in VOIP environment. Some Cisco Routers and ASA Firewall support ALG to allow voip traffic to traverse NAT allowing two endpoints to negociate the L3/L4 informations inside the SIP payload in order to establish later media or point-to-point Flow RTP.
Over the years, SIP protocol is improved, by adding extensions, applications like BFCP for content sharing, video stream, and security with SIP over TLS. This evolution involves that our Routers and Firewalls must be able to adapt and to understand the SIP protocols with new extensions and payload fields which is not obvious.
The challenge to improve constantly the user experience in collaboration grows by providing employees the ability to bring his device, to register it into the Call Control and to access Cisco Unified Applications like IMP and VoiceMail and the wish to do it through internet everywhere and everywhen securely with encryption to provide confidentiality through the Public Internet. This imperative and this encryption must be taken into consideration so that Routers and Firewalls with ALG enabled will be able to decrypt the SIP messages and inspect the embedded IP Address in the Layer 7 which is not obvious. Cisco Expressway Series is included in the collaboration portfolio to provide the NAT Traversal mechanism securely with end to end encryption.
In the past without, employees behind internet had the need to use of the VPN Client (like vpn anyconnect) in order to register their Jabber Client into the the enterprise’s Call Control CUCM which is basically and for security purposes resides in the inside network, VPN Client was a solution for the end users and employees to provide a secure registration of their Cisco Jabber Client when they are located in the internet, but there are many constraints:
-The administrators needs to ensure the correct version VPN Client (AnyConnect) is installed on the pc’s employee.
-If it is not installed, the employees should be educated to access the SSL VPN Clientless portal of the firewall (ASA from Cisco s’perspective), login into the portal and download the AnyConnect installer.
-Once the VPN Client installed, the employees will use the VPN Client and their own credentials to access the inside network of the office in order to have the reachability and connectivity to the Call Control (CUCM). The VPN AnyConnect provides full access to the inside network but we can control this access through ACL through the VPN-Filter. This traditional VPN Client solution protects both the DATA and VOICE Traffic.
The advent of the Cisco Expressway Solution is to avoid the tasks of installing a VPN Client, limit the access to the voice traffic only and educate the end users about how to download the correct version of VPN client and how to use it.
The idea behind the Cisco Expressway solution is to provide a secure registration of Cisco Jabber Client without a VPN client installed, a dedicated security solution for collaboration (voice traffic), so the goal providing a LESS-VPN Solution so that the end users are not disturbed by softwares installation issues.
The other idea is to improve the end users ‘s experience by providing a secure registration in the background (in other words using the DNS SRV records to locate the Cisco Expressway Edge), in other words we will not disturb the end user by a trainings ( how to access the SSL portal of the ASA and how to install and to use the VPN client). Instead the end users has to put their credentials using a public domain and automatically in the background a TLS connection is triggered to the Expressway Edge and proxied to the enterprise ‘s Call Control through the Cisco Expressway Core.
This integration will unify the Cisco Collaboration Solution with a bunch of components, each component has its own role, in addition of the Call Control for registration and call routing, IMP for presence status and Unity Connection for voicemail, Meeting Server for conferencing, Cisco Expressway add a new brick as an Edge solution (NAT Traversal and Firewall Traversal). This philosophy of unification will simplify the implementation from the admin's perspective and the use a lot of collaboration tools from the user's perspective: IP telephony for voice calling, web and video conferencing, voice mail, mobility, desktop sharing, instant messaging and presence, and more.
