Showing results for 
Search instead for 
Did you mean: 

Cisco Meeting Server WebProxy with Cisco Expressway Part 9

Frequent Contributor

CMS WebProxy feature in Expressway allows to use expressway existing features (TURN and MRA) to provide firewall and NAT Traversal of WebRTC CMS clients.

•WebRTC proxy support added to Expressway from version X8.9.2.

•Enables off-premises users to browse to a Cisco Meeting Server Web Bridge.

•External clients and Guests can join spaces using a supported browser, no need of any software.

For users or guests to use the Cisco Meeting Server web app when outside the corporate network, access through the firewalls needs to be provided using the Cisco Expressways to proxy the WebRTC traffic from outside to in. The Cisco Expressway-E will proxy the HTTPS traffic back through an SSH tunnels to the Cisco Expressway-C. The Cisco Expressway-C will then route the traffic to an internal Web Bridge. For the Cisco Meeting Server web app to be able to access Web Bridge3.0 the Expressways must be running version X12.6 or later and if the Cisco Meeting Server web app is to use the Cisco Expressway-E TURN server then the TURN option key must be installed

WebRTC proxying can be used on the same Expressway pair that is used for Mobile and Remote Access (MRA), Business to Business (B2B) communication and any Microsoft Integration. The only service that WebRTC proxying cannot coexist with is Jabber Guest. Jabber Guest requires a dedicated pair of Expressways.


In an environment where the Cisco Expressways are proxying the HTTP traffic from outside to in, the external DNS server would route the Web Bridge URL from the browser of the external user to the Cisco Expressway-E. The Cisco Expressway-E would pass the traffic to the Cisco Expressway-C via the SSH tunnel that is established between them. The Cisco Expressway-C would use the internal DNS server to connect to one of the internal Web Bridges and forward the traffic. The Web Bridge would then treat the incoming traffic in the same way it would if the Cisco Meeting Server web app was inside the firewall. It would forward the necessary requests to the Call Bridge for processing such as user authentication, call requests and serve pages and manage the WebRTC connections back to the Cisco Meeting Server web app via the Expressways.




When a user joins a space, before sending any communications to the Web Bridge.

1.The Cisco Meeting Server web app will first send a STUN request to the STUN server.

2.The STUN server replies with its Server Reflexive Candidate.

3.The Cisco Meeting Server web app also sends a TURN Allocation Request to the TURN server to request that the TURN server allocate it a dedicated port on the TURN server. This address is referred to as the Cisco Meeting Server web app TURN Relay Candidate.

When the Call Bridge receives the call request, before replying, it will perform the same STUN and TURN Allocation Request to identify its Server Reflexive Candidate and Turn Relay Candidate.


Interactive Connectivity Establishment (ICE), defined in RFC 8445, is a framework that combines STUN and TURN.

Using ICE, devices can determine:

•If there is direct connectivity between them and will then apply the STUN Protocol.

•If direct media connectivity cannot be achieved, the endpoints will fall back to the TURN server and will send their UDP traffic centrally instead of going peer-to-peer.


ICE Prioritizes media connection as follow:

1.Use the host candidate (host address) if it succeeds.

2.Use the server-reflexive candidate if it succeeds.

Use the TURN server relayed candidate if all else fails


To enable the WebRTC traffic to be proxied, firewall ports will need to be opened from inside to out on the internal firewall to enable a connection to be established between the two Expressways through which the SSH tunnel is negotiated. The internal firewall must also allow the Call Bridge to connect to the TURN server media ports, as a minimum 3478 but preferably the higher TURN Relay Candidate ports as well.

The external firewall will need to allow HTTPS and media UDP traffic to connect to the Cisco Expressway-E. The HTTPS traffic connects to the Expressway on port 443 and media as a minimum will require access to the TURN Relay Address on the Expressway-E (3478) but as with the Call Bridge preferably the Cisco Meeting Server web app should be able to connect to the higher TURN media ports as well.



The DNS settings for the Web Bridge URL will need to be configured on both the internal and external DNS servers. The external DNS A records will need to point to the Cisco Expressway-E and the internal DNS A records to the Web Bridges. The connection between the Expressways will use a verified SIP TLS connection so certificates will need to be created on both Expressways.

The certificate on the Cisco Expressway-E will also require the Web Bridge URL in the SAN of the certificate so that when the Cisco Meeting Server web app connects to the Cisco Expressway-E it will receive a copy of the Expressways server certificate. The client browser will check that the URL appears in the certificate as part of its verification process and if it does, it will go straight to the login page. If it does not, then it will display a certificate warning page which the user will have to click through.


From X8.11 of Cisco Expressway, a new concept of load balancing based on priority and weight instead of the round robin for better load balancing and probe is added to prevent the Cisco Expressway-C to solicit a webbridge when it is down.Assume all the Cisco Meeting servers has different capacity, we can use a special SRV record _cms-web.tls.join.lab.public (note: join.lab.public is the url the remote user will type to use WebRTC based-browser in order to connect to a meeting, using this special SRV record we can configure a high priority for webbridge with high capacity to allow more WebRTC connections to go there from Expressway-C for better load balancing.

If the webbridge servers have the same capacity, for better load load balancing, use the same priority and weight values.A probe is sent periodically by the Cisco Expressway-C to query the DNS server if the ip address of the webbridge is reachable. If not, it marked the webbridge as failed and will no longer solicit the failed webbridge.



For more details about STUN TURN and ICE, see my article below: 




Recognize Your Peers
Content for Community-Ad