Showing results for 
Search instead for 
Did you mean: 

Cisco Expressway mobile collaboration without a separate VPN client

Andy Johnston
Cisco Employee
Cisco Employee

Take a look at this blog post and let me know what you think. 

Now that administrators will have a choice, when would you allow mobile workers to connect to their collaboration services from outside the firewall via a secure TLS-connection? 

And when would you want them to connect via a layer 3 VPN client such as Cisco AnyConnect?

Are there situations where both are needed?

67 Replies 67

Now Version 8.5 available and we could use collaboration with out any need for VPN.

Jacqueline Goto

Any word on when firmware 10.3.1 and Expressway 8.5.2 will be GA?   Also, any requirement for IM&P if just 7800/8800 phones requiring VPNless connectivity?


No IMP is needed for just phones to work




I got the cmterm-78xx.10-3-1-12.k3.cop.sgn installed on my cucm 10.5.1 and I have 8.5.2 on my EXP-C/E. I took the phone out of the network, reset the network settings (to delete option 150) and the phone is asking for the service domain, user and password (just like Jabber MRA which I have working gr8). However, the phone displays "Connecting to Expressway Server" and "Connecting" but it does not move FWD.

I do not use a public CA (I use the CA on my AD server) and from what I read that might be the issue ?

Thanks guys

Yes, almost there but it sounds like the TLS handshake is failing.  The 78xx, 88xx, and DX series will all require public CA signed certs on the Expressway-E.  It's not mandatory to have the Expressway-C certificate signed by a public CA for Expressway MRA.

The list of supported root CA's is documented here,

Cisco IP Phone 8811, 8841, 8851, 8851NR, and 8861 Administration Guide for Cisco Unified Communications Manager 10.5 - …

I am pretty bad with certs :-( I just know the minimum to get the UC piece up and running so in theory, the only thing I should do is purchase a certificate from one of the supported CAs and have my EXP-E signed against one of them ?

The EXP-E signing process should be the same we use for the initial config between E and C right ? but of course now I only need to do it on EXP-E

Thanks much Kevin, I really want to try that out :-)

Yeah, use the GUI on the Exp-E to generate a new certificate signing request (CSR) and take it to your public CA of choice to have the cert signed.  Most of the major CAs are supported. Note, the list in our docs only contains root CAs, and it's very likely an intermediate CA will sign the Expressway certificate.  This is perfectly normal and will work as long as the root CA is trusted.

First upload the chain of CA certificates to the trusted CA list on both your the Exp-E and Exp-C.

Then upload the signed cert to the Expressway-E.

I think I am almost there but still no luck.

I choose Verisign and I did:

- Generated a CSR from EXP-E

- Gave that to Verisign

- They returned:

              - RootCA.cer

               - IntermediateCA.cer

               - ssl_certificate.cer

- I uploaded the RootCA.cer to my EXP-E trusted CA side

- I tried to upload the intermediate one under the server certificate (where you go to generate the CSR) and it gave an error .. I then uploaded the sslcert.cer and it uploaded fine. Rebooted the EXP-C

- My traversal ZONE went down due to TLS handshake error... :-(

Now I realize that I didn t upload the RootCA on my EXP-C but I though that this would be independent from the C-E ZONE

I guess my question is can I have the C-E traversal/UC Zone working using my internal CA Authority (Ms CA server) and use a public CA for the EXP-E only for IP Phones ?

Thanks guys!

Hey Joan ,

     i think you are almost there , all you need is the signed server certificate on the Exp-E which you already uploaded .

you also need to uploaded a Trusted CA certificate on both the Exp-C and Exp-E

Here are some tips to look at :

1. Was MRA working before with your self signed certificates ?

2.check the status -->log --> events on the Exp-C

     check to see what port its trying to reach the Exp-E .

3. Verify the unified communications zone SIP active ( most likely its failing right now) check your zone and see if it uses the same port on the Exp-C an E ..

Note : i also experienced the same issue wit a go daddy cert and was looking up port 7001 and i had 7002 previously

changed the port to 7001 on both Exp-C and E zone and my unified communications zone SIP became active .

Good Luck

Chris Henderson

Dang it I feel like I am hitting a wall :-) can I just open a TAC case :-) .. just kidding I know it is on preview only.

Here is the thing:

- MRA works perfect for Jabber before I start messing with public certs

- I only got one cert from Verisign.. so for EXP-E (Not for EXP-C as)

- The moment I generate the CSR on EXP-E, I get it signed back from Verisign and I upload it to EXP-E I get a TLS failure :-(

- I have Verisign's RootCA and Intermediate CA (not sure if it matters) uploaded on both EXP-E and C Trusted CA.

The ports and everything should be ok as it is working fine for Jabber

On EXP-C I basically get:

2015-06-03T15:40:53-07:00tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="XX.XX.XX.XX" Src-port="25006" Dst-ip="1XX.XX.XX.XX" Dst-port="7001" Detail="unable to get local issuer certificate" Protocol="TLS" Common-name="myhostname" Level="1" UTCTime="2015-06-03 22:40:53,077"

I obviously deleted the IP address and my real FQDN

On my E I get

2015-06-03T15:42:13-07:00 tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="XX.XX.XX.XX" Src-port="25010" Dst-ip="" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1" UTCTime="2015-06-03 22:42:13,082"

I guess it should be better if I got another cert for My EXP-C and I do the whole Expressway certificates via Verisign instead of trying to use MsCA for EXP-C EXP-E traversal zone and Verisign for EXP-E with the phones. Any thoughts ?

Or could it be the way I download the signed certs from Verisign ? there are a couple of ways to download them and it asks for the type of system that I am trying to upload them to .. but I get .cer that look good to my eyes.. but I am not a security expert by any means as you can see :-)

Joan ,

So right now can you login to MRA using Jabber ?

You don’t need to generate a CSR for Exp-C just the trust CA needs to be uploaded there .

Also as you see its looking for port 7001 are you using the same port on your traversal zone …

Do a restart on both C and E after uploading certificates .

I have the 7821 phones working on MRA .

Chris Henderson

Correct. I can login to Jabber via MRA, that has been working for some months. So that leaves the ports and other configuration issues out of the picture if I am not mistaken.

I have only generated the CSR on EXP-E and I have uploaded the RootCA and Intermediate CA that Verisign sent me to both the EXP-C and EXP-E TRusted CA (Maintenance->Security Certs->trusted CA).

I basically generated the CSR like I did when I first setup E and C for standard MRA but I used MS CA to sign the certs..

Once I upload the ssl_certificate that Verign sends me (that is the signed cert from the CSR that I sent them) EXP-E tell me it needs to be rebooted and once it comes up I get the TLS failure between E and C on the traversal (now unified communications) zone... I have rebooted both C and E twice to make sure that was not the issue.

Thanks once again!

I have this working with 7841 and 7861.  You have to have a valid Public

Cert on your Expressway E, the Expressway C also needs a valid cert, though

it can be private as long as the Expressway-E trusts the CA that signed

it.  The Expressway C also needs to trust the CA of the Expressway E.

I used a Verisign Cert on my Expressway E and a cert on my

Expressway C, then uploaded the CA certs from both to both servers.

MRA for Jabber and the 7800 phones work.


Aaron Archambault

Chief Entrepreneur

As others have mentioned, this is completely valid to use a private CA on ExpC and public CA on ExpE.

I would double check the root and intermediate certs for both Verisign and your private CA are included on the both ExpE & ExpC trusted CA list.

You might also try using the client certificate checker on the Expressway under  Maintenance > Security certificates > Client certificate testing.  From the Exp-E, upload the ExpC certificate pem file and see if any errors show up.  If it's clean in that direction, try checking the ExpE cert from ExpC GUI.

I don't think there is any problem opening a TAC case.  They can assist with your TLS errors and getting the traversal connection stabilized. 


Cisco recently posted 10.3.1 firmware for the 8800 and 7800 series phones.  The combination of these products allows these phones to register remotely to CUCM utilizing Collaboration Edge MRA.  This is the phone proxy replacement solution we have been waiting for and I have it working.

I have tested with my 8811 at home and it prompts for MRA credentials, attempts service record lookup and successfully registered to CUCM. There were issues with off-hook dialing. Upgrading the Expressways to version x8.5.3 resolved this.

CUCM Version and up

C / MX / SX / EX CODECs - TC7.3.2

78/ 88xx Firmware  10-3-1-20

DX - Support Coming in July?

Expressway-C X8.5.3

Expressway-E X8.5.3


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: