Deployment Guide for Cisco Webex Hybrid Message Service and the Cisco Expressway Cluster Creation and Maintenance Deployment Guide

Cisco Employee

I have questions from the above guides:


A company currently has two different UC environments.  One in the US and one in the UK.  The US UC environment has (3) CUCM servers (Publisher and 2 subscribers), (2) IMP servers (Publisher and Subscriber), (2) Unity Connection servers (Publisher and Subscriber), (2) UCCX servers (Publisher and Subscriber) and (2) Cisco Emergency Responder servers (Publisher and Subscriber).  Our US environment is doing cluster over WAN for all the systems between two different Data Centers - Lewis Center (primary DC) and Cincinnati (secondary DC).  We have plenty of available bandwidth between the two DCs and about a 10ms round-trip time so well within any requirements for clustering of UC systems.  The US environment is all running versions that are in-line with the CSR12.5/12.6 versions.  

Unity Connection:

UK environment as it is a single site only has a single CUCM server, a single IMP server and a single Unity Connection server.  For internet connectivity they go through our same two US Data Centers.  Due to old hardware (which will be replaced shortly) they are still running versions consistent with the CSR12.0.  Hardware order is actually expected to be ordered very shortly and at that time they will be upgraded to CSR12.5/12.6 consistent with the US environment.  

Unity Connection:

They have ICSA running between the US and UK IMP servers. Their goal right now is to provide Hybrid Messaging in order to have an eventual transition from Cisco Jabber to Cisco Webex Teams. Based on conversations with their Sales team and the roadmap sessions I attend under the CCP program they are seeing the writing on the wall that Jabber will eventually go away and Webex Teams is the future. Once Webex Teams can be used as the CSF device and directly replace Jabber as the softphone of choice they would eventually migrate all of their users from Jabber to Webex Teams. What they are doing now is preparing for that eventuality and providing a migration path by configuring the Hybrid Messaging so Jabber users and Webex Teams users can communicate with each other. This would be considered a temporary requirement as once everyone is migrated to Webex Teams we would no longer need the Hybrid Messaging. The solution they are looking to deploy from the deployment guide is the "One Expressway Connector cluster to multiple IM and Presence service clusters" - Figure 8 in the document. In their case IMP Publisher 1 would be their US cluster and IMP Publisher 2 would be the UK cluster. Their clusters are pretty small - 487 users in the US IMP cluster and 47 users in the UK IMP cluster so being able to use a single Expressway-C cluster to serve both of these clusters would be preferable.

The way our DC and internet connectivity is set-up, we have the two DCs with an MPLS connection between them. Each Data Center has an internet circuit with each one having independent external addressing. Currently they have only installed an Expressway-C in our Lewis Center DC. For redundancy purposes they would like to also install a second Expressway-C in the second Cincinnati DC and cluster them. This is where most of the questions come from and here are some further details on the questions.

1. Need to better understand clustering an Expressway-C.
a. Clustering guide indicates that you need to ensure H.323 mode is enabled, but the menu path to check this (Configuration > Protocols > H.323) is not a valid path. This question came as they were trying to do step 6 in this section from the guide.
The note below the point about enabling H.323, which is required for clustering, mentions that if you used the Service Select wizard to configure the Expressway for Hybrid services you might not see the H.323 menu item. Which is what I did and I don't even see a Configuration menu item, much less the H.323 sub-menu item below that. But if they SSH into the system the command mentioned does not work as shown below (they are logged in as root into the system):

Last login: Tue Sep 15 13:28:16 EDT 2020 from pts/0
~ # xconfig H323 Mode: "On"
-sh: xconfig: command not found
~ #

b. To meet the requirement that each peer has a certificate that identifies it to the other peers, does this require a CA-signed certificate or is there a self-signed certificate by default that can be used for this as long as this remains with TLS verification mode set to Permissive? Based on my reading of this (same step as the previous question) I believe as long as I leave this set to Permissive that the cluster would form regardless of whether I have CA-signed certificates. Considering this would be used for a transition period I would prefer not to have to purchase CA-signed certificates. I just want to make sure there is not the need for this and if I don't have CA-signed certificates that this just requires me to leave the setting to "Permissive".

c. If the two servers in a cluster use a different DC and internet connection to communicate with the Webex cloud (and hence different external IP address) would this create a problem? As I mentioned the design I am looking to deploy is the "One Expressway Cluster to Multiple IM and Presence Service clusters" as shown in Figure 8 in the deployment guide here (  But honestly this would be the same question even if I forget any discussion about the second IMP cluster as even my US single cluster is using cluster over WAN across DCs. If the Expressway Publisher and the secondary Expressway in the same cluster are in two different DCs with different internet circuits and therefore use different external IPs they are NATed to, will this work? All the pictures just show a single green arrow between the Expressway Publisher and the internet. But what if the secondary Expressways have a different internet connection?

d. Is there a need for DNS SRV records for an Expressway-C cluster used solely for Hybrid Messaging? If so, how does this need to be set-up exactly? Is this only for clustering internally or is a DNS SRV record of some sort needed for both servers in the cluster to communicate with the cloud? The same Step 6 in the guide simply talks about configuring the FQDN for the cluster and says "typically this FQDN is mapped by an SRV record in DNS that resolves to A/AAAA records for the cluster peers". Really just looking to understand exactly how this needs to be set-up keeping in mind we are ONLY looking to do Hybrid Messaging and nothing else. Secondly, is this something used internally only for the clustering or do we need to also have some sort of DNS SRV record on the internet as well?

2. Is a signed public-CA certificate required on the Expressway-C to communicate with the Webex cloud? Is a signed public-CA certificate required for the cluster or the individual servers to communicate with our CUCM/IMP? The anticipation is that long term we would migrate everyone from Jabber/IMP to Webex Teams with their Webex Teams registered as a CSF device in CUCM (once available) and the Hybrid Messaging would no longer be needed, so if public-CA signed certificates are not needed would rather not purchase.

3. From what they are reading, all communication between the Expressway-C and the cloud is initiated from the Expressway, so we do not need to open any holes inbound on our firewall, correct?

