
New Expressway Deployment Questions with Jabber 12.X

josjackson
Level 1

Hello Everyone. I'm a little new to the whole Cisco Expressway deployments. Have some general questions if anyone wants to chime in.

In my environment we are replacing CIPC with Jabber Multiline.  We have the new Jabber 12.X and the cop file installed.  Creating the devices is no issue.  Our cluster is not DNS enabled.  We are in the process of updating all of that but will need to also generate new certificates since we use a third party call recording application.

What I found is that we can get Jabber to register and detect services on the internal network.  On the clients network it almost seems like Jabber does detect the services but when prompted for username password it fails.  We have some DNS entries to create from the looks of it however we also need DNS enabled on our cluster.  Jabber can detect the UDS part only.

We are deploying some Expressways, however I'm not sure if we need a core and an edge. Can you deploy just a core Expressway? Jabber is only going to be used from customer issued machines. They will of course connect from onsite LAN connection back to our datacenter or a VPN tunnel if they are working from home. It's going to be Jabber but in a phone only mode. Sole direction is to replace CIPC with Jabber (now that it supports dual lines).

 

Any thoughts on best direction?

1. Do we need expressways (C and E) or maybe just C in a Jabber phone only mode config? No accessing Jabber from the internet.  Just existing FW rules from the clients network back to our hosted DC environment.

2. Should step 1 start with new certificates that include a FQDN on the cluster

3. Step 2 enabling DNS on cluster?

4. Can Jabber work without an expressway for phone only mode?

 

I keep seeing mixed recommendations. End scenario will look like this

Inbound Calls--- Third party IVR>>>Third Party Call Routing>>>Cisco TDM GW>>>CUCM>>>Jabber Phone

Outbound Calls--- Jabber Phone>>>CUCM>>>>CUBE (SIP TRUNKING)>>>ISP

 

This is a new deployment.  Looking into every option, but I think starting with a DNS enabled cluster would be step 1.

2 Replies

Adam Pawlowski
VIP Alumni

@josjackson wrote:

 

Any thoughts on best direction?

1. Do we need expressways (C and E) or maybe just C in a Jabber phone only mode config? No accessing Jabber from the internet.  Just existing FW rules from the clients network back to our hosted DC environment.

 

If they are directly reachable with no NAT, like the VPN you mentioned - you don’t need any expressway if you’re not calling off system.

 

2. Should step 1 start with new certificates that include a FQDN on the cluster

 

Yes, I would do this if you could.

 

3. Step 2 enabling DNS on cluster?

 

Same, the recommendation changed some years ago not to run IP only. Run DNS enabled - it’s not hard other than certs and resolution. 

 

4. Can Jabber work without an expressway for phone only mode?

 

Absolutely, if it can contact the cluster. You may find phone mode with contacts more useful if you can set up IMP.

 

 

I keep seeing mixed recommendations. End scenario will look like this

Inbound Calls--- Third party IVR>>>Third Party Call Routing>>>Cisco TDM GW>>>CUCM>>>Jabber Phone

Outbound Calls--- Jabber Phone>>>CUCM>>>>CUBE (SIP TRUNKING)>>>ISP

 

I don't understand Jabber phone outbound calls here.

 

 

This is a new deployment.  Looking into every option, but I think starting with a DNS enabled cluster would be step 1.


 

1. Do we need expressways (C and E) or maybe just C in a Jabber phone only mode config? No accessing Jabber from the internet.  Just existing FW rules from the clients network back to our hosted DC environment.

 

No, you don't need either Expressway C or E if you are using VPN.

This pair is required if you want to connect to CUCM via the Internet (VPN-less connectivity) or if you want business-to-business calls, i.e. calling other SIP/H.323 devices over the Internet.

 

 

2. Should step 1 start with new certificates that include an FQDN on the cluster

Jabber connects directly with the CUCM server. If you don't want your users to be bothered with certificate warnings, you need:

a. DNS records in Local DNS server.

b. CA-Signed certificate on CUCM and for this, your CUCM cluster must be using FQDN, not IPs.

Once your cluster is using Certificates and DNS records,  you can enable Secure SIP and secure Media, End to End encryption and OAuth logins.

To help you further with smooth and secure deployment, I would also suggest using a specific UC certificate template when signing your CUCM cluster CSRs (Tomcat and CallManager).

Use a CA template that is for Client and Server Web Authentication (TLS Web Client Authentication and TLS Web Server Authentication in the X509v3 Extended Key Usage).

 

| Product | Certificate service | X509v3 Key Usage | X509v3 Extended Key Usage |
| --- | --- | --- | --- |
| Unified CM | tomcat | Digital Signature, Key Encipherment, Data Encipherment | TLS Web Server Authentication, TLS Web Client Authentication |
| Unified CM | CallManager | Digital Signature, Key Encipherment, Data Encipherment | TLS Web Server Authentication, TLS Web Client Authentication |

 

3. Step 2 enabling DNS on cluster?

Just add DNS A and SRV records in your local DNS servers. They must match the hostname configured in OS Admin.

Add the DNS server and DNS domain in CUCM.

Convert IPs into the CUCM FQDN in the CUCM Admin page.

Regenerate all certs.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/install/10_0_1/ipchange/CUCM_BK_C3782AAB_00_change-ipaddress-hostname-100/CUCM_BK_C3782AAB_00_change-ipaddress-hostname-100_chapter_011.html

 

4. Can Jabber work without an expressway for phone only mode?

Yes, it works without Expressway C or E, because Jabber connects directly with CUCM in a LAN environment.

 

HTH,

AMMAR

Please rate, click on stars below and mark answered if helpful.
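
An added example, not part of any post in this thread: a Python check that reads the text printed by `openssl x509 -noout -text` for a signed tomcat or CallManager certificate and reports anything that falls short of the key usage table and the FQDN-not-IP requirement described in the answer above. The two certificate dumps and the `example.com` host names are constructed for illustration.

```python
import re

# Requirements from the table above (Unified CM tomcat and CallManager certificates).
REQUIRED_KU = {"Digital Signature", "Key Encipherment", "Data Encipherment"}
REQUIRED_EKU = {"TLS Web Server Authentication", "TLS Web Client Authentication"}

def extension_values(text, name):
    """Values on the line following 'X509v3 <name>:' in openssl text output."""
    m = re.search(r"X509v3 " + re.escape(name) + r":[^\n]*\n[ \t]*([^\n]+)", text)
    return [v.strip() for v in m.group(1).split(",")] if m else []

def check_uc_cert(text):
    """Return findings for one certificate dump; an empty list means it passes."""
    findings = []
    for label, required in (("Key Usage", REQUIRED_KU), ("Extended Key Usage", REQUIRED_EKU)):
        missing = required - set(extension_values(text, label))
        if missing:
            findings.append(f"{label} missing: {', '.join(sorted(missing))}")
    sans = extension_values(text, "Subject Alternative Name")
    dns = [s[4:] for s in sans if s.startswith("DNS:")]
    if not dns:
        findings.append("SAN has no DNS name")
    for name in dns:
        # An FQDN has at least one dot and is not an IP address typed as a DNS name.
        if "." not in name or re.fullmatch(r"[\d.]+", name):
            findings.append(f"SAN DNS entry is not an FQDN: {name}")
    findings += [f"SAN contains {s}" for s in sans if s.startswith("IP Address:")]
    return findings

# Constructed sample dumps (not from a real cluster); host names are placeholders.
GOOD = """
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:cucm-pub.example.com, DNS:cucm-sub1.example.com
"""
BAD = """
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:cucm-pub, IP Address:10.0.0.5
"""

if __name__ == "__main__":
    for label, dump in (("good", GOOD), ("bad", BAD)):
        print(label, check_uc_cert(dump) or "OK")
```
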
