UCM-Expressway Mobile Remote Access configuration

monster.speaks
Level 1

Hello,

We are planning to set up Expressway in our organization and have decided on the following setup:

CUCM--Expressway-C--DMZ-Expressway-E(on a stick)--GTM(Acts as the DNS and load balancer)--Internet--Remote IP phone

Now, I have the following queries:
1. The users are local to the CUCM and not authenticated via LDAP, so how will the remote user get authenticated in this case? Is it even supported?
2. The internal domain would be set as xyz.net and over the internet it is xyz.com; from the admin/config guides, it seems that we need the following to be set up on the DNS:

Local DNS:
Domain  Service    Target
xyz.net cisco-uds  cucm.xyz.net

Public DNS:
Domain   Service       Target
xyz.com  collab-edge   expresswaye.example.com

Is that all that is required on the DNS servers?
3. Also, what needs to be set on the IP phone when they are configured over the internet?

4. Would it support the directory feature in our scenario, as it is more of a local user directory that is based on the CUCM? As it supports only a UDS-based directory structure, can someone point me to how these records are created for local users?

I have already gone through the configuration/admin guides available for Expressway 8.6 and would really appreciate it if I could get some direct answers.

4 Replies

devils_advocate
Level 7

Hi, we have just implemented Expressway.

It took a lot longer than I expected actually!

In terms of your questions:

1. That will work fine, we create users manually within CUCM so as long as the users can login to Jabber internally then it should be fine externally, they will simply authenticate against CUCM.

2. Set up the _collab-edge SRV record in your xyz.com domain and point it at the A record for the Expressway-Edge device's public IP address.

3. Nothing needs to be set on the desktop IP phone; the Jabber device is separate from this. Once the user opens Jabber outside the organisation they will type in 'Username@xyz.com'. The Jabber device will then query DNS for _collab-edge._tcp.xyz.com, which will provide the Jabber client with the Expressway-E public IP. That is the service discovery done. The user then just logs in with their CUCM username and password.

4. Within the Service Profile for Jabber on CUCM itself, there is an option to use UDS. We have enabled this option and the Jabber clients via Expressway simply use the CUCM directory which uses the Telephone Number field under the end user.

A few other notes....

Make sure you open ALL the firewall ports required in the deployment guide; one missing and you could end up with nobody being able to login via Expressway. We made a typo in one of the ports and I spent days with a TAC engineer trying to figure out what was wrong. The Jabber client has very few error messages, which is not helpful.

DNS - Make sure this is set up correctly both internally and externally.

TLS for Certificates - this can be a pain, try and get a Public CA assigned Cert for the Expressway-E box as it makes it easier.

Hope this helps 
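The discovery sequence described in the reply above, walked through offline as an added example (not code from any poster or from Cisco). The DNS tables, host names and addresses below are constructed sample data; the record names follow the MRA discovery names Cisco documents (_cisco-uds._tcp for direct CUCM access, _collab-edge._tls for Expressway-E), and the lint function is a pre-rollout check, not part of the thread.

```python
# Added example: Jabber/MRA DNS service discovery walked through offline.
# The zones below are constructed sample data, not the poster's real DNS.
from typing import Dict, List, Optional, Tuple

Srv = Tuple[int, int, int, str]            # priority, weight, port, target
Zone = Dict[str, List]                     # owner name -> SRV tuples or A strings

# What the internal resolver answers (xyz.net) and what the public one answers (xyz.com).
INTERNAL_DNS: Zone = {
    "_cisco-uds._tcp.xyz.net.": [(10, 10, 8443, "cucm.xyz.net.")],
    "cucm.xyz.net.": ["10.0.0.10"],                          # constructed address
}
PUBLIC_DNS: Zone = {
    "_collab-edge._tls.xyz.com.": [(10, 10, 8443, "expresswaye.example.com.")],
    "expresswaye.example.com.": ["203.0.113.5"],             # constructed address
}

def best_srv(zone: Zone, name: str) -> Optional[Srv]:
    """Return the SRV record with the lowest priority (highest weight on ties)."""
    records = [r for r in zone.get(name, []) if isinstance(r, tuple)]
    return min(records, key=lambda r: (r[0], -r[1])) if records else None

def discover(login_domain: str, zone: Zone) -> Optional[Tuple[str, str, int]]:
    """Client order: _cisco-uds._tcp (direct to CUCM) first, then _collab-edge._tls (via Expressway-E)."""
    for service in ("_cisco-uds._tcp", "_collab-edge._tls"):
        hit = best_srv(zone, f"{service}.{login_domain}.")
        if hit:
            return service.split(".")[0].lstrip("_"), hit[3], hit[2]
    return None                              # no discovery record for that login domain

def lint_zone(zone: Zone, public: bool) -> List[str]:
    """Defender-side checks before rollout; returns a list of findings (empty = clean)."""
    findings = []
    for name, records in zone.items():
        for r in records:
            if isinstance(r, tuple) and r[3] not in zone:
                findings.append(f"{name} points at {r[3]} which has no A record")
    if public and any(n.startswith("_cisco-uds.") for n in zone):
        findings.append("_cisco-uds must not be resolvable from the internet (clients would try CUCM directly)")
    return findings

if __name__ == "__main__":
    print("outside, user@xyz.com:", discover("xyz.com", PUBLIC_DNS))     # edge record wins
    print("inside,  user@xyz.net:", discover("xyz.net", INTERNAL_DNS))   # direct UDS record wins
    print("inside,  user@xyz.com:", discover("xyz.com", INTERNAL_DNS))   # None: split domain not covered
    print("public zone lint:", lint_zone(PUBLIC_DNS, public=True))
```

The third call shows what the split-domain setup in the question means for discovery: a client inside the network logging in with the xyz.com domain finds no record on the internal resolver unless one is added there.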

Hey,

Thanks for the valuable output. However, we don't have any Jabber device but IP phones; we are planning to buy the new 8900s that support this feature (not officially though). I guess it should work in the same manner, but I am not too sure of the directory feature in these IP phones. How does it work?

Also, for the certificates, we have private CA signed certificates that would be installed on the Expressway-C and Expressway-E along with its root so that they can authenticate each other and the CA. Do we need the public CA as well? It seems that we do, as the IP phones would have public signed certificates.

For the DNS, I am assuming nothing more has to be set up than what I have mentioned earlier:

Local DNS:
Domain  Service    Target
xyz.net cisco-uds  cucm.xyz.net

Public DNS:
Domain   Service       Target
xyz.com  collab-edge   expresswaye.example.com

Is that right?

You definitely need a publicly signed certificate on the Expressway Edge, as you can't modify the phone's CA trust list; thus the phone will only register over MRA if it trusts the certificate issued to the Edge. The phones are shipped with common public CA root certificates installed.

See the X8.6.1 release notes below:

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/release_note/Cisco-Expressway-Release-Note-X8-6-1.pdf 

Thanks Daniel, do you think the DNS is covered or do we need anything else?