
Best Practices for Business-to-Business Video Collaboration

Luca Pellegrini
Technical Marketing Engineer
BRKCOL-2018

Cisco Spark
Ask Questions, Get Answers, Continue the Experience

Use Cisco Spark to communicate with the Speaker and fellow participants after the session.
Download the Cisco Spark app from iTunes or Google Play.

1. Go to the Cisco Live Berlin 2017 Mobile app
2. Find this session
3. Click the Spark button under Speakers in the session description
4. Enter the room, room name = BRKCOL-2018
5. Join the conversation!

The Spark Room will be open for 2 weeks after Cisco Live

BRKCOL-2018 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Key Learning Objectives

Explain and design B2B architectures based on Cisco Unified Communications Manager, Expressway-C and Expressway-E with single edge, dual network deployment
Understand encryption and how to protect Expressway from spam/scan calls from the Internet
What's not covered here

Multiple Expressway clusters deployment with Geo DNS
Multiple Expressway clusters with Directory Expressway architecture
Both covered in the Preferred Architecture doc:
http://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/enterprise/11x/116/collbcvd/edge.html
Directory Expressway architecture is covered with two edges only. Need more?
Agenda

Expressway Introduction
Business-to-business Architecture
Expressway Policy Protection
Minimizing or reducing UDP ports opened in the Internet firewall
General considerations for multiple Expressway deployments
Expressway Introduction

Introducing Cisco Collaboration Edge Architecture
Industry's Most Comprehensive Any-to-Any Collaboration Solution

All the capabilities of Cisco Any-to-Any collaboration to-date
TDM & analog gateways
ISDN Video gateways
Session border control
Firewall traversal
Standards-based & secure

[Diagram: the enterprise edge connecting Mobile Workers, Teleworkers, B2B partners, Consumers, 3rd Parties, Cloud Services, the Branch Office, TDM or IP PBX, PSTN or IP PSTN, and Analog Devices]
Cisco Expressway
A new gateway solving & simplifying business relevant use cases

For Unified CM & Business Edition environments
Based on Cisco VCS Technology
Standards-based interoperability

[Diagram: the same edge picture as the previous slide, with Mobile Workers, Teleworkers, B2B, Consumers, 3rd Parties, Cloud Services, Branch Office, TDM or IP PBX, PSTN or IP PSTN and Analog Devices around Cisco Expressway]
Cisco Expressway
Use cases:

Jabber Guest/WebRTC: B2C
MRA: Jabber and hardware devices
Endpoint registration: Cisco video and 3rd party devices
Microsoft Integration: signaling and media gateway
Spark Connector Host: CTI and AXL connection to UCM, EWS connection to Exchange
B2B Technology
Calls to and from Cisco Cloud (Spark, CMR)
B2B Open Video Federation
Licensing and Consumption
Call scenarios that require Rich Media Session licenses to proceed

Business to Business Calls: Firewall Traversal Calls consume 1 x RMS on Expressway-E
Business to Customer Calls: Jabber Guest Calls consume 1 x RMS on Expressway-E
Interoperability Gateway Calls: i.e. MS Interop calls, consume 1 x RMS on Expressway-C Gateway

Registered Calls (no RMS required):
Calls between endpoints registered to Cisco Call control services (1)
Calls to Cisco conferencing infrastructure (2) or cloud services (3)
Routing
Step 1: Call enters Expressway
Expressway Zone Concept

When a call reaches Expressway, Expressway classifies it based on source and destination address and port.
Based on the classification, the call is sent to a specific zone.
Except for the Local Zone (not covered here), the other zones connect to remote systems, as in the case of a SIP Trunk on CUCM.
Different policies can be applied per zone, such as:
  signaling and media encryption
  protocol usage (i.e. SIP and/or H.323)
  message authentication (PAI header for SIP)
  use of TLS with Mutual Authentication
  others
Most commonly used zones on Expressway

Neighbor Zone: this is the zone most similar to a SIP Trunk
Traversal Zone: it's a special neighbor zone with firewall traversal capabilities
DNS Zone: it's a special neighbor zone used for outbound B2B calls supporting DNS SRV
Default Zone: it's a special neighbor zone used for inbound B2B calls
Expressway Zone Example (For Your Reference)

[Diagram: Expressway-C (10.10.10.10) and Expressway-E (10.10.10.11) with the zones that classify each call by source and destination IP/port:
Neighbor Zone A to 192.168.10.10/5061; Neighbor Zone B to 192.168.10.11/5061
B2B Traversal zone: 10.10.10.10/26202 on -C to 10.10.10.11/7001 on -E
UC Traversal zone: 10.10.10.10/26209 on -C to 10.10.10.11/7002 on -E
Default Zone on Expressway-E, port 5061
Example calls: (1) inbound on -C from 192.168.10.11/40307 to 10.10.10.10/5061; (2) inbound on -C from 10.10.10.11/7001 to 10.10.10.10/26202 (B2B Traversal); (3) inbound on -E from 10.10.10.10/26209 to 10.10.10.11/7002 (UC Traversal); (4) inbound on -E from 172.19.100.100/32001 to 10.10.10.11/5061 (Default Zone); (5) outbound on -C via the call routing rule "Send 8XXX to 192.168.10.10/5061" (Neighbor Zone A)]
Cisco Expressway Connectivity Overview
Most used zones on Unified CM-centric Architecture

[Diagram: Unified CM - Expressway-C - Expressway-E, with the zones on each side]
Expressway-C: B2B Traversal Client Zone (H323 and SIP, B2B); UC Traversal Zone (SIP TLS and SRTP mandatory, MRA); Cloud Traversal Client Zone (SIP TLS and SRTP recommended, Spark); Neighbor Zone (UCM SIP Trunk); Default Zone; ENUM Zone; DNS Zone
Expressway-E: B2B Traversal Server Zone; UC Traversal Zone; Cloud Traversal Server Zone; Neighbor Zone; Default Zone (B2B Inbound calls); ENUM Zone; B2B DNS Zone (B2B Outbound calls); Spark DNS Zone (Spark Hybrid Calls)
Step 2: Call is routed
Expressway Routing

[Flowchart:]
Expressway receives alias
1. Does the alias match a transform? Yes: apply the transform, then continue. No: continue.
2. Does calling or called match a CPL rule? Yes: Allow/Reject. If reject, the call is forbidden. If allow, continue. No: continue.
3. Does the alias match a search rule? No: move to the next lower-priority rule, until the end of the rules or the alias is found. Yes: is the alias found? Yes: send the call to the target zone.
Pattern Matching
Regular Expressions (RegEx)

A standard notation (POSIX), used in Unix and Linux editors
Provides a concise and flexible means for matching and transforming strings
Used simply, it is simple, but powerful
One of the techniques available in Expressway for matching calls in zones
Key RegEx Metacharacters (For Your Reference)

.        Any single character
\d       Single digit [0-9]
*        0 or more repetitions of previous character or expression
+        1 or more repetitions of previous character or expression
?        0 or 1 repetitions of previous character or expression
{n}      n repetitions of previous character or expression
[abc]    A character from this set of characters
[1-4]    A character from this range of characters
[^def]   A character NOT including these characters
^        Start of line
$        End of line
\        Literalize, e.g. \* really is the * (asterisk character)
|        or match (wxy|wyx)
( )      Group digits and store in store id \n
Examples of RegEx Manipulations (For Your Reference)

Add domain to E164 number:
  pattern (\d+)  replace \1@cisco.com  example: 50022 -> 50022@cisco.com
Remove a domain:
  pattern (.*)@.+  replace \1  example: 6002@cisco.com -> 6002
Add a prefix 01189 to a 6 digit number:
  pattern (\d{6})  replace 01189\1  example: 123456 -> 01189123456
Reverse the order of 3 digits and put a dot between each:
  pattern (\d)(\d)(\d)  replace \3\.\2\.\1  example: 123 -> 3.2.1
Match either 123@company.com or 123@company.net:
  pattern 123@company\.(com|net)
Match the internal dial plan
To be used to allow calls only if they are using a legal internal SIP address

UserID rule: from 2 to 8 digits, starting with a letter, ending with a letter or a number. Might include .cmr for personal CMR:
  [a-z]{2,7}[a-z0-9](\.cmr)?@example\.com
UserID rule: name.surname. Might include an ending letter to distinguish between users with the same userID:
  [a-z]+\.[a-z]+[0-9](\.cmr)?@example\.com
Most commonly used Regex on Expressway

Regex                      Meaning                               Replacement      Result/Meaning
.*                         Any string of any length
.*@example\.com            Internal domain
(?!.*@example\.com.*$).*   All external (non-corporate) domains
[09]\d*@example.com        PSTN Access number
(8000\d{4})(@.*)?          8-digit internal dialplan             \1@example.com   8000XXXX@example.com
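As an added illustration (not code from the deck or from Expressway), the following Python applies the transforms from the "Examples of RegEx Manipulations" slide and the match patterns from this table and the internal dial plan slide to sample aliases; it assumes that an Expressway regex pattern must match the whole alias and escapes the dots in the domain name, which the table leaves unescaped.

```python
import re

# Added illustration (not Expressway code) of the regex transforms and match
# patterns on the slides. Assumption: a Regex pattern on Expressway must match
# the whole alias, so re.fullmatch is used; the dots in domain names are
# escaped, which the table above leaves unescaped.


def expand_replace(replace: str, match: re.Match) -> str:
    """Expand an Expressway-style replace string: \\N inserts group N, any
    other backslash escape (for example \\.) inserts the escaped character."""
    out = []
    i = 0
    while i < len(replace):
        ch = replace[i]
        if ch == "\\" and i + 1 < len(replace):
            nxt = replace[i + 1]
            if nxt.isdigit():
                out.append(match.group(int(nxt)) or "")
            else:
                out.append(nxt)
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def transform(pattern: str, replace: str, alias: str):
    """Apply one transform; return the rewritten alias, or None if no match."""
    match = re.fullmatch(pattern, alias)
    return expand_replace(replace, match) if match else None


# Transforms from the "Examples of RegEx Manipulations" slide plus the 8-digit
# dial plan normalisation from the table above.
TRANSFORMS = {
    "add_domain": (r"(\d+)", r"\1@cisco.com"),
    "remove_domain": (r"(.*)@.+", r"\1"),
    "add_prefix": (r"(\d{6})", r"01189\1"),
    "reverse_three_digits": (r"(\d)(\d)(\d)", r"\3\.\2\.\1"),
    "normalise_8xxx": (r"(8000\d{4})(@.*)?", r"\1@example.com"),
}

# Match patterns from the table above and from "Match the internal dial plan".
PATTERNS = {
    "any": r".*",
    "internal_domain": r".*@example\.com",
    "external_domain": r"(?!.*@example\.com.*$).*",
    "pstn_access": r"[09]\d*@example\.com",
    "userid": r"[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com",
    "name_surname": r"[a-z]+\.[a-z]+[0-9](\.cmr)?@example\.com",
}


def apply_transform(name: str, alias: str):
    pattern, replace = TRANSFORMS[name]
    return transform(pattern, replace, alias)


def classify(alias: str) -> list:
    """Names of every pattern the alias matches, in table order."""
    return [name for name, pat in PATTERNS.items() if re.fullmatch(pat, alias)]


def is_legal_internal_alias(alias: str) -> bool:
    """True only if the alias follows one of the two internal UserID rules."""
    return any(re.fullmatch(PATTERNS[name], alias) for name in ("userid", "name_surname"))


if __name__ == "__main__":
    samples = [("add_domain", "50022"), ("remove_domain", "6002@cisco.com"),
               ("add_prefix", "123456"), ("reverse_three_digits", "123"),
               ("normalise_8xxx", "80001234")]
    for name, alias in samples:
        print(f"{name:22} {alias:16} -> {apply_transform(name, alias)}")
    for alias in ["lpelleg1@example.com", "9001234@example.com", "bob@partner.example"]:
        print(f"{alias:24} {classify(alias)} legal={is_legal_internal_alias(alias)}")
```

Note that a PSTN access number such as 9001234@example.com matches the internal domain pattern but not the dial plan rules, which is why the dial plan patterns, not the domain alone, decide whether an alias is legal.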
Proxy and B2BUA
SIP Proxy or SIP B2BUA?

Proxy functionality is the native functionality of Expressway, always engaged
B2BUA is a process internal to Expressway-C and Expressway-E, engaged when needed together with the Proxy
B2BUA fully terminates a call leg and establishes a new call leg. The two call legs are then bridged together and count as two different calls
B2BUAs are of different kinds, but we will focus on two of them:
  B2BUA for MRA and Business-to-Business
  B2BUA for SIP to H.323 interworking
Proxy Without B2BUA Engagement

[Diagram: Expressway with the Exp-C/E Proxy Process handling a single call leg and media leg; the Exp-C/E B2BUA Process is not engaged]
Single call leg
Media leg
No media termination
The B2B call traverses the Expressways without the B2BUA under the following conditions:
1. SIP/RTP
2. H.323
3. SIP/SRTP
4. IPv4
B2BUA engagement for Media: "Encrypt on behalf of"

[Diagram: Expressway-C/E. Media leg 1 (RTP) enters the Exp-C/E Proxy Process, media legs 2 and 3 pass through the Exp-C/E B2BUA Process, media leg 4 (SRTP) leaves towards the remote side; Cisco Unified CM is on the RTP side]
The diagram shows the working principle. In most cases the B2BUA talks directly to the endpoint or end system without going back to the Proxy.
Dual Network Deployment

Expressway Firewall Traversal Basics
[Diagram: Enterprise Network (Unified CM, Expressway-C) - Firewall - DMZ (Expressway-E) - Firewall - Outside Network (Internet); signaling and media paths]

1. Expressway-E is the traversal server installed in the DMZ. Expressway-C is the traversal client installed inside the enterprise network.
2. Expressway-C initiates traversal connections outbound through the firewall to specific ports on Expressway-E with secure login credentials.
3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E to maintain the connection.
4. When Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C.
5. Expressway-C then routes the call to Unified CM to reach the called user or endpoint.
6. The call is established and media traverses the firewall securely over an existing traversal connection.
Expressway Dual Network Deployment Model

Recommended solution
Expressway-E LAN1 interface (internal) is used for clustering
Expressway-E LAN1 interface can be translated by static NAT only on a standalone appliance (no clustering support)
Expressway-E LAN2 interface (external) can be translated by static NAT
Expressway-C interface can be translated by NAT
Expressway Dual Network Deployment Diagram
Routing on Expressway-E

[Diagram: Expressway-C on Network 3 - DMZ Firewall - Network 2 - Expressway-E LAN1 / LAN2 - Network 1 - Internet Firewall - Internet. Expressway-E has its Default GW on the LAN2 side and a Static Route to Network 3 via LAN1]

Expressway-C interface translated by NAT: no static routes are needed (Expressway receives traffic from Network 2 only)
Expressway-C interface not translated by NAT and on a different network segment: a static route is needed for that network (as shown in the picture)
DNS SRV Call Flow

DNS SRV Records for B2B
SRV record format for SIP and H.323 (RFC 2782)

_sips._tcp.example.com 86400 IN SRV 10 60 5061 expe.example.com

Fields, left to right:
_sips: name of the service
_tcp: protocol (TCP, UDP...), followed by the domain name
86400: DNS Time-To-Live, how long the server caches the record before it flushes the cache
IN: DNS class, always IN
10: priority; lowest priority means preferred
60: weight; load-balances records with the same priority
5061: port; TCP or UDP port for the service
expe.example.com: target; hostname or IP address for the host providing the service
Service Discovery

_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5061 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5061 backupbox.example.com.

[Diagram sequence: a SIP server dials luca@example.com, queries DNS for _sips._tcp.example.com?, receives the three records above, and distributes calls 60% to Bigbox and 40% to Smallbox (both priority 10); Backupbox has priority 20]
Real Scenario

_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe1.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe2.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe3.example.com.

[Diagram: a SIP server dials abc@example.com; with equal priority and weight the calls are distributed 33% each to expe1.example.com, expe2.example.com and expe3.example.com]
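Added example, not part of the deck: a small Python model of how a SIP client orders the SRV targets above following RFC 2782 (lowest priority value first, weighted random choice within one priority), run over the records from these slides to show the 60/40 and 33/33/33 splits. The records are the slides' own; the selection logic and the parser are ours.

```python
import random
from dataclasses import dataclass

# Added illustration of RFC 2782 target selection, not Expressway code. The
# records below are copied from the slides; the selection loop is ours.


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SrvRecord:
    """Parse a zone-file line such as
    '_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.'"""
    fields = line.split()
    if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(int(fields[4]), int(fields[5]), int(fields[6]),
                     fields[7].rstrip("."))


def order_targets(records, rng=random):
    """Return the records in the order a client tries them: lowest priority
    value first; within one priority, weighted random order (RFC 2782)."""
    remaining = list(records)
    ordered = []
    while remaining:
        lowest = min(r.priority for r in remaining)
        # RFC 2782: zero-weight records go first so that they are chosen
        # only when the random value is 0
        group = sorted((r for r in remaining if r.priority == lowest),
                       key=lambda r: r.weight)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for record in group:
                running += record.weight
                if running >= pick:
                    ordered.append(record)
                    group.remove(record)
                    remaining.remove(record)
                    break
    return ordered


def first_choice_distribution(records, trials: int, seed: int = 1) -> dict:
    """Share of trials in which each target was tried first."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = order_targets(records, rng)[0].target
        counts[first] = counts.get(first, 0) + 1
    return {target: count / trials for target, count in counts.items()}


SLIDE_RECORDS = [parse_srv(line) for line in [
    "_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.",
    "_sips._tcp.example.com. 86400 IN SRV 10 40 5061 smallbox.example.com.",
    "_sips._tcp.example.com. 86400 IN SRV 20 0 5061 backupbox.example.com.",
]]

REAL_SCENARIO = [parse_srv(line) for line in [
    "_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe1.example.com.",
    "_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe2.example.com.",
    "_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe3.example.com.",
]]

if __name__ == "__main__":
    print([r.target for r in order_targets(SLIDE_RECORDS)])
    print(first_choice_distribution(SLIDE_RECORDS, 10000))
    print(first_choice_distribution(REAL_SCENARIO, 10000))
```

Backupbox is never tried first: priority 20 makes it the fallback when both priority-10 targets fail, which is what the slides' 60%/40% split relies on.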
Cisco SRV Records for business-to-business
SRV record format for SIP and H.323

SIP B2B    _sips._tcp.domain     5061   TLS
           _sip._tcp.domain      5060   TCP
           _sip._udp.domain      5060   UDP
H.323 B2B  _h323ls._udp.domain   1719   RAS
           _h323cs._tcp.domain   1720   H.225
B2B Call Flow, DNS Hierarchy
Single Edge

[Diagram: Company A (Expressway-C, Expressway-E) and Company B (VCS-C, VCS-E) connected through the Internet. a.b@companyA.com calls x.y@companyB.com. Expressway-E forwards the SIP INVITE to companyB.com using the IP address received via DNS; VCS-E sends SIP 200 OK]
Business-to-Business Architecture

Recommended Expressway-C to Expressway-E encrypted connection
Encryption for Signaling
Encryption for Media
Encryption and lock icon
Signaling Encryption
H.323/SIP Protocol Selection Algorithm

H.323 and SIP enabled globally and at zone-level
H.323/SIP protocol selection: native protocol first, alternative protocol as backup. Interworking has to be enabled
SIP to H.323 interworking with media handling

[Diagram: VCS-C sends SIP to Expressway-C; Expressway-C tries 1. SIP, then 2. H.323 towards an H.323 endpoint, engaging the SIP to H323 B2BUA for signaling and media]
SIP Transport Protocol Signaling Interworking
SIP Transport Protocol Selection

Neighbor zones and Traversal zones: interworks if the outgoing transport type is different from the incoming
[Diagram: UCM - SIP/TLS - ExpC - SIP/TLS/TCP/UDP - ExpE. UCM zone set to TCP: TLS to TCP; Traversal zone set to TLS; Expressway-E Default Zone accepts SIP UDP/TCP/TLS]
DNS zones: based on priority (TLS/TCP/UDP). The DNS zone always tries TLS first
[Diagram: UCM - SIP/TLS - ExpC - ExpE, traversal zone set to TLS; ExpE tries 1. SIP/TLS, 2. SIP/TCP, 3. SIP/UDP]
In case of TLS/TCP protocol translation, the B2BUA is not engaged
TLS: Certificate Check on Expressway

During the validity check, standard browsers make sure that the hostname matches the SAN/CN, and that the cert has been signed by a trusted CA
On Expressway this is optional, activated by the TLS verify mode set to On, and configurable per zone
Consequences: if you don't set up TLS verification, TLS can be set up with a self-signed certificate
In both cases the call will be encrypted, but TLS verify mode set to On authenticates the other peer
TLS verify set to Off
Traversal Zone Example

Expressway-C connecting to Expressway-E via traversal zone

Peer1 certificate SAN:
X509v3 Subject Alternative Name:
DNS:example.com, DNS:expe.example.com

If TLS verify mode is set to Off: Expressway won't check the hostname or that the cert is properly signed
IP addresses can be used
Note that the IP address is not included in the SAN of the remote peer (Expressway-E)
TLS verify set to On
Neighbor zone example: connection to UCM

TLS Verify Mode triggers MTLS
Certificate CN or SAN is matched against the Peer Address

Peer1 certificate SAN:
X509v3 Subject Alternative Name:
DNS:example.com, DNS:us-cm-srv1.example.com
Outbound B2B calls on Expressway-E with TLS
DNS Zone (outbound)

[Diagram: 1. Client hello from expe.example.com to host.mypreferredpartner.com (third-party edge); 2. Server hello carrying the CERTIFICATE <Public Key> of host.mypreferredpartner.com; 3. TLS verify on Expressway-E]
TLS verify set to On checks the signing CA and that the server certificate SAN matches the TLS verify subject name. Good for closed video federation
If the TLS verify subject name is not known in advance (open video federation), TLS verify mode must be turned off
TLS verify summary

TLS verify increases security by checking the certificate (signature, hostname, etc.). TLS verify requires knowing the DNS hostname of the remote peer included in the certificate
Recommended to turn it on on Traversal Zones and Neighbor Zones
If the hostnames in the DMZ use a separate DNS and IP addresses are used instead of DNS names, TLS verify must be turned off
Closed video federation (B2B communications with selected partners): turn TLS verify on (remote peers and certs are known)
Open video federation (standard B2B): turn TLS verify off (remote peers and certs are not known)
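Added example (not Expressway's code) of the peer-address check that TLS verify mode set to On adds on top of encryption, using the SAN from the traversal zone slide: a DNS peer address matches only a DNS SAN entry, so an IP peer address fails against that certificate, which is why IP addressing requires TLS verify Off. It assumes RFC 6125-style matching (one leftmost wildcard label; an IP peer address matches only an "IP Address:" SAN entry) and leaves the signing-CA check out.

```python
import ipaddress

# Added illustration of the check Expressway's TLS verify mode = On performs
# (peer address against certificate SAN, or CN when no DNS SAN is present).
# Not Expressway's code; the signing-CA check is left out. Assumptions: a DNS
# SAN may carry one leftmost wildcard label, and an IP peer address matches
# only an "IP Address:" SAN entry, never a DNS one.


def parse_san(san_line: str) -> list:
    """'DNS:example.com, DNS:expe.example.com' -> [('DNS', 'example.com'), ...]"""
    entries = []
    for item in san_line.split(","):
        kind, _, value = item.strip().partition(":")
        if value:
            entries.append((kind.strip(), value.strip()))
    return entries


def dns_name_matches(san_value: str, hostname: str) -> bool:
    san = san_value.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    san_labels, host_labels = san.split("."), host.split(".")
    # the wildcard stands for exactly one label
    return len(san_labels) == len(host_labels) and san_labels[1:] == host_labels[1:]


def peer_matches_certificate(peer_address: str, san_line: str, cn: str = None) -> bool:
    entries = parse_san(san_line)
    try:
        peer_ip = ipaddress.ip_address(peer_address)
    except ValueError:
        peer_ip = None
    if peer_ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == peer_ip
                   for kind, value in entries)
    dns_names = [value for kind, value in entries if kind == "DNS"]
    if dns_names:
        return any(dns_name_matches(name, peer_address) for name in dns_names)
    # CN is consulted only when the certificate carries no DNS SAN entries
    return cn is not None and dns_name_matches(cn, peer_address)


def tls_peer_decision(verify_mode: str, peer_address: str, san_line: str, cn: str = None) -> tuple:
    """(proceed?, reason) for a zone peer, given the zone's TLS verify mode."""
    if verify_mode == "Off":
        return True, "encrypted, peer identity not checked"
    if peer_matches_certificate(peer_address, san_line, cn):
        return True, "encrypted, peer authenticated"
    return False, f"no SAN/CN entry matches peer address {peer_address}"


EXPE_SAN = "DNS:example.com, DNS:expe.example.com"   # from the traversal zone slide

if __name__ == "__main__":
    for mode, peer in [("On", "expe.example.com"), ("On", "10.10.10.11"), ("Off", "10.10.10.11")]:
        print(mode, peer, tls_peer_decision(mode, peer, EXPE_SAN))
```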
Media Encryption Policy

Expressway Media Encryption Mode applies to:
  Neighbor, DNS, Traversal, and Default Zones
  SIP and H.323 calls interworked to SIP
  Does NOT apply to H.323 (only) calls

Auto: no media encryption policy applied by Expressway
Best Effort: use encryption if available, otherwise fall back to unencrypted
Force Encrypted: all media must be encrypted
Force Unencrypted: all outgoing media will be unencrypted
Media Encryption Auto Example

[Diagram: CUCM - Expressway-C - Expressway-E - Internet - Remote Edge. CM Neighbor Zone: TLS, Auto. Traversal Client Zone: TLS, Auto. Traversal Server Zone: TLS, Auto. Inbound zone (Default Zone): not configurable, Auto. Outbound zone (DNS Zone): not configurable, Auto. Media: RTP/SRTP, TLS with SRTP or RTP based on the endpoints' negotiation]
Auto: doesn't engage the B2BUA
No control of media status; endpoints decide encryption settings
Media encryption Best Effort example
Optimization of previous example

[Diagram: Expressway-C - Expressway-E - Internet - Remote Edge. CM Neighbor Zone: TLS, Auto. Traversal Client Zone: TLS, Best Effort. Traversal Server Zone: TLS, Best Effort. Inbound zone (Default Zone): not configurable, Best Effort. Outbound zone (DNS Zone): not configurable, Best Effort. Media: TLS/RTP towards Unified CM, TLS/SRTP between the Expressways, TCP/RTP or RTP towards the remote edge]
Best Effort-Auto example: 3 call legs due to the 3-in-a-row rule optimization
Minimizes the number of ports open on the external firewall
Media encryption Lock icon
Optimization of previous example

[Diagram: as above, but the CM Neighbor Zone is also set to Best Effort; media is TLS/SRTP on the first two call legs and RTP towards the remote edge]
Lock icon shows closed because the first 2 call legs are encrypted
Neighboring Expressway-C to Unified CM w. SIP TLS

Neighbor Zone to Unified CM
Turn off H.323
Set a port other than 5061 if Expressway is shared between MRA and B2B. TLS verify mode triggers Mutual TLS.
Best Effort: Expressway will try SRTP first and RTP if the remote endpoint is non-encrypted. Mixed mode required on Unified CM
Neighboring Expressway to Cisco Unified CM
Zone Configuration

DNS names are mandatory if TLS verification is set to on (MTLS). They will be checked against the certificate SAN. IP addresses require TLS verify mode set to off
OPTIONS PING to monitor status
Documentation says to create a custom zone with Call signaling routed mode set to always:
http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-8/Cisco-Expressway-SIP-Trunk-to-Unified-CM-Deployment-Guide-CUCM-8-9-10-11-and-X8-8.pdf
CUCM SIP Trunk to Expressway-C

[Image omitted] This check box enables Secure Real-Time Protocol (SRTP) SIP Trunk connections and also allows the SIP trunk to fall back to Real-Time Protocol (RTP) if the endpoints do not support SRTP.
In order for this check box to be effective, Cisco Unified CM must be in mixed mode
A SIP TLS trunk doesn't require mixed mode if RTP only is used
SIP Trunk Destination and SIP Trunk Security Profile

SIP Trunk settings
Mutual TLS: has to match the SANs of the remote system cert
Unified CM listening port: has to match the port on the Unified CM neighbor zone configured on Expressway
Dial Plan

Expressway-C search rules
Priority  Regex                      Target
60        .*@example.com.*           UCM Zone
65        (?!.*@example.com.*$).*    B2B Traversal Client Zone

Expressway-E search rules
Priority  Regex                      Target
60        .*@example.com.*           B2B Traversal Server Zone
65        (?!.*@example.com.*$).*    B2B DNS Zone

E to C and C to UCM for all calls matching the internal domain
UCM routes outbound any URI different from Directory URI and not included in the ILS table
Expressway-C and E route outbound any URI not matching the internal domain
IP Address Dialing
Cisco Unified CM IP dialing

Outbound calls:
  Option 1: instruct the users to append a suffix such as 10.10.10.10@ip. This will match the SIP Route Pattern ip
  Option 2: instruct the users to use * instead of ., such as 10*10*10*10. Replace * with . on Expressway before sending out the call, using search rules or transforms
Inbound calls to the IP address of Expressway-E:
  Configure a fallback alias on Expressway-E to redirect the call to a UCM destination (static)
  Configure a fallback alias on Expressway-E to redirect the call to Unity or UCCX IVR to deliver auto-attendant services (dynamic)
Expressway Policy Protection

Example of unauthorized access attempts on Expressway-E
[Image omitted: the attempts dial access codes to the PSTN (0, 9) and to the internal numbering plan (80)]
Call Policy Rules with 8.9.1 and above
- CPL rules are embedded in the user interface
- Different from CPL scripting; fully supported
- Ability to reject/allow a call based on:
  - Source Zone
  - Authentication type (authenticated vs unauthenticated traffic)
  - Calling ID
  - Called ID
- Use regex
CPL Settings

Rule applies to: From address
Source Type                               | Source Address Pattern   | Destination Pattern      | Action
Authenticated vs unauthenticated traffic  | Configurable with regex  | Configurable with regex  | Allow/Reject

Rule applies to: Zone
Originating Zone   | Destination Pattern      | Action
Drop-down menu     | Configurable with regex  | Allow/Reject

- If source type is selected, the CPL applies to all calls coming from a specific zone that match the configured called ID pattern (no calling ID)
- With from address, it is possible to specify both the calling and the called ID pattern. However, this rule will apply to either authenticated or unauthenticated calls
Expressway Mitigating Toll Fraud

(Figure: Expressway-C and Expressway-E connected through the Traversal Zone. Zone authentication policy: traffic arriving over the Traversal Zone is treated as authenticated, traffic arriving from the Internet on Expressway-E as unauthenticated)
- Zone authentication policy
- Call policy rules applied to the source zone or to unauthenticated traffic
CPL design
Note: CPL rules are analyzed top-down
1. Reject malformed calling aliases
2. Reject forbidden destinations in called aliases
   - PSTN access
   - Specific numeric ranges not allowed from B2B
3. Allow called destinations matching the internal domain
4. Deny all
Point 3 could be much more granular than this, e.g.:
   Allow [a-z]*\.[a-z]*(\d)?@ent-pa\.com
   Allow 8002[12]\d{3}@example\.com
Checking the calling alias
The calling alias of a call hitting the Default Zone (B2B) shouldn't contain:
- Corporate domain (example.com)
- Expressway IPs
- Enterprise Cisco Spark domains

Source Type      | Source Address Pattern      | Destination Pattern | Action | Example
Unauthenticated  | (.*)@example\.com.*         | .*                  | Reject | Call from 100@example.com rejected
Unauthenticated  | (.*)@10\.10\.10\.1[12]      | .*                  | Reject | Call from user@10.10.10.11 or 200@10.10.10.12 rejected
Checking the called alias
- Block PSTN access
- Block any numeric range that is not supposed to receive B2B calls (if one exists)
- Allow any other destination that contains the domain
- Final deny-all

Originating Zone | Destination Pattern          | Action | Example
Default Zone     | [09]\d+@example\.com.*       | Reject | 0003939012345678@example.com
Default Zone     | 8001\d{4}@example\.com.*     | Reject | 80010123@example.com
Default Zone     | (.*)@example\.com.*          | Allow  | <anything>@example.com
Default Zone     | .*                           | Reject | Anything else
Putting things together

Policies applied to calling
Source Type      | Source Address Pattern      | Destination Pattern | Action
Unauthenticated  | (.*)@example\.com.*         | .*                  | Reject
Unauthenticated  | (.*)@10\.10\.10\.1[12]      | .*                  | Reject

Policies applied to called (order is important!)
Originating Zone | Destination Pattern          | Action
Default Zone     | [09]\d+@example\.com.*       | Reject
Default Zone     | 8001\d{4}@example\.com.*     | Reject
Default Zone     | (.*)@example\.com.*          | Allow
Default Zone     | .*                           | Reject
CPL Result

(Figure: CUCM, Expressway-C and Expressway-E, with Expressway-E at IP 10.10.10.10; B2B calls arrive in the Default zone)

Calling                            | Called                        | Result
100@10.10.10.10                    | 800@example.com               | Reject
100@example.com                    | 800@example.com               | Reject
user@example.call.ciscospark.com   | 800@example.com               | Reject
Any legal address                  | 91234567890@example.com       | Reject
Any legal address                  | abcde@example.com             | Allow
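The "Putting things together" rule set, as an added top-down evaluator that is not Expressway code and not part of the deck; it exists to show why the slides say order is important. Assumptions, labelled in the code: patterns are matched against the whole alias (re.fullmatch), the first matching rule decides, and a call that matches no rule is allowed (which is why the deck closes with an explicit deny-all). It covers only the rules the slides list, so the Cisco Spark domain case of the result table, which needs a calling-alias rule the slides do not show, is not modelled; the sample calls are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Call:
    source_zone: str     # zone the call arrived in ("Default Zone" for B2B)
    authenticated: bool  # result of the zone authentication policy
    calling: str
    called: str


@dataclass
class Rule:
    # "From address" rules carry a source type and a source pattern;
    # "Zone" rules carry the originating zone. Both carry a destination pattern.
    action: str                              # "Allow" or "Reject"
    destination: str                         # regex on the called alias
    source: Optional[str] = None             # regex on the calling alias (From address rules)
    unauthenticated: Optional[bool] = None   # True = applies to unauthenticated traffic only
    zone: Optional[str] = None               # originating zone (Zone rules)

    def matches(self, call: Call) -> bool:
        if self.zone is not None and call.source_zone != self.zone:
            return False
        if self.unauthenticated is not None and (not call.authenticated) != self.unauthenticated:
            return False
        # Assumption: Expressway-style whole-alias match, hence re.fullmatch.
        if self.source is not None and not re.fullmatch(self.source, call.calling):
            return False
        return re.fullmatch(self.destination, call.called) is not None


# The deck's policy in the deck's order: calling-alias checks first, then the
# called-alias checks for the Default Zone, then deny-all.
POLICY: List[Rule] = [
    Rule("Reject", r".*", source=r"(.*)@example\.com.*", unauthenticated=True),
    Rule("Reject", r".*", source=r"(.*)@10\.10\.10\.1[12]", unauthenticated=True),
    Rule("Reject", r"[09]\d+@example\.com.*", zone="Default Zone"),
    Rule("Reject", r"8001\d{4}@example\.com.*", zone="Default Zone"),
    Rule("Allow", r"(.*)@example\.com.*", zone="Default Zone"),
    Rule("Reject", r".*", zone="Default Zone"),
]


def decide(call: Call, policy: List[Rule] = POLICY) -> str:
    """Top-down evaluation: the first matching rule decides; no match => Allow (assumed default)."""
    for rule in policy:
        if rule.matches(call):
            return rule.action
    return "Allow"


def misordered_policy() -> List[Rule]:
    """The same rules with the domain Allow moved to the top: the ordering mistake the slide warns about."""
    allow = next(r for r in POLICY if r.action == "Allow")
    return [allow] + [r for r in POLICY if r is not allow]


def b2b_call(calling: str, called: str) -> Call:
    """Constructed sample: an unauthenticated call arriving in the Default Zone."""
    return Call(source_zone="Default Zone", authenticated=False, calling=calling, called=called)
```

With the Allow rule first, the PSTN-looking destination 91234567890@example.com is accepted because `(.*)@example\.com.*` matches it before the `[09]\d+` reject is ever reached; an authenticated call from the traversal zone, on the other hand, is never touched by these rules, which is the intended behaviour of the zone authentication policy.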
What's the final result?

Routing stops immediately, since CPL rules are the first thing checked: the call from {IP Addr/port No} is rejected before any search rule runs
...but it doesn't make you invisible: the rejected request still gets a SIP response, so whoever sent it learns that a SIP service is listening
To make Expressway invisible, use an IPS to block unwanted traffic
(Figure: Internet -> NGIPS -> Expressway-E -> Expressway-C)

NGIPS
- Traffic analysis based on (customized) signatures
- Inspects packets
- Drops unwanted traffic before it reaches Expressway-E
- Drops traffic that doesn't match the internal dial plan
- As an example: user ID of 8 characters, which might end with a digit, and must carry the domain
- Blocks SIP OPTIONS and SIP INVITE that don't match the internal dial plan
- Added as an example only. Currently not supported!
Customized Rules

1. SIP TCP RULE FOR INVITE:
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (sid:1100001; msg:"SIP SPAM - invalid INVITE Request URI with metadata:service sip"; rev:8; resp:reset_both; content:"INVITE|20|sip:"; nocase; distance:-11; pcre:!"/sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com/iR"; metadata:service sip; classtype:unknown; )

2. SIP UDP RULE FOR INVITE:
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (sid:1100006; msg:"SIP SPAM - invalid INVITE UDP Request URI with metadata:service sip"; rev:1; resp:reset_both; content:"INVITE|20|sip:"; nocase; content:"INVITE|20|"; distance:-11; pcre:!"/sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com/iR"; metadata:service sip; classtype:unknown; )

3. SIP TCP RULE FOR SIP OPTIONS:
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (sid:1100007; msg:"SIP SPAM - invalid OPTIONS TCP Request URI with metadata:service sip"; rev:1; resp:reset_both; content:"OPTIONS|20|sip:"; nocase; content:"OPTIONS|20|"; distance:-12; pcre:!"/sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com/iR"; metadata:service sip; classtype:unknown; )

4. SIP UDP RULE FOR SIP OPTIONS:
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (sid:1100008; msg:"SIP SPAM - invalid OPTIONS UDP Request URI with metadata:service sip"; rev:1; resp:reset_both; content:"OPTIONS|20|sip:"; nocase; content:"OPTIONS|20|"; distance:-12; pcre:!"/sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com/iR"; metadata:service sip; classtype:unknown; )

CURRENTLY NOT SUPPORTED! SHOWN AS REFERENCE ONLY
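What the negated pcre in the reference rules above accepts and rejects, as an added offline check that is not an IPS and not part of the deck: it applies the rules' `sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com` pattern to constructed SIP request lines. It assumes the rule's relative (`/R`) pcre is positioned at the start of the Request-URI by the preceding content matches, so the pattern is anchored there with `re.match`; the sample request lines are constructed.

```python
import re
from typing import Dict, Iterable

# The user@domain pattern from the reference rules, without the Snort /iR wrappers.
# Assumption: checked from the start of the Request-URI, as the rules' relative pcre is.
VALID_URI = re.compile(r"sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com", re.IGNORECASE)

# The reference rules exist only for INVITE and OPTIONS.
INSPECTED_METHODS = ("INVITE", "OPTIONS")


def classify_request_line(line: str) -> str:
    """Return 'pass', 'drop' or 'ignore' for one SIP request line.

    'drop' is what the negated pcre would trigger on: an INVITE or OPTIONS whose
    Request-URI does not look like the internal dial plan.
    """
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        return "ignore"   # not a SIP request line at all
    method, request_uri = parts[0], parts[1]
    if method.upper() not in INSPECTED_METHODS:
        return "ignore"   # no reference rule covers this method
    return "pass" if VALID_URI.match(request_uri) else "drop"


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count the verdicts over a batch of request lines."""
    counts = {"pass": 0, "drop": 0, "ignore": 0}
    for line in lines:
        counts[classify_request_line(line)] += 1
    return counts


# Constructed request lines (not captured traffic).
SAMPLE_REQUEST_LINES = [
    "INVITE sip:alice@example.com SIP/2.0",              # pass: dial-plan shaped user
    "INVITE sip:bob.cmr@example.com SIP/2.0",            # pass: personal CMR suffix
    "INVITE sip:alice@example.com.example.net SIP/2.0",  # pass: pattern is not end-anchored
    "INVITE sip:1234@example.com SIP/2.0",               # drop: numeric user
    "INVITE sip:0039012345678@example.com SIP/2.0",      # drop: PSTN-looking user
    "INVITE sip:verylongusername@example.com SIP/2.0",   # drop: more than 8 characters
    "OPTIONS sip:example.com SIP/2.0",                   # drop: no user part
    "REGISTER sip:example.com SIP/2.0",                  # ignore: not INVITE/OPTIONS
]
```

Two properties of the pattern are worth knowing before it is ever turned into a real signature: it is not anchored at the end, so a Request-URI that merely starts with a valid user@example.com passes, and an OPTIONS ping without a user part (a form some neighbour systems send) is dropped as if it were a scan.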
UCM Calling Search Space
Block access at UCM level
- UCM has the whole dial plan and controls access to all resources
- The inbound trunk CSS will have access to allowed addresses only (i.e. Directory URI, Scheduled meetings, Personal CMR and permanent conferences partitions)
- UCM has a more granular approach, not based on numeric ranges

(Figure: Expressway-C -> Trunk -> UCM Inbound CSS. Partitions shown: DN partition, Directory URI partition, Scheduled meeting partition, PSTN access partition, Voicemail partition, Personal CMR partition, Internet B2B partition; the inbound CSS contains only the allowed ones)
Minimizing UDP Ports open to Expressway-E

Filtering ACLs for B2B calls: External Firewall Port Requirements
Based on medium/small OVA with non-specific configured multiplexed ports

Traffic                          | Source IP | Source Port | Protocol | Dest. IP  | Dest. port
H.323 calls using Assent (NATted endpoints)
Q.931/H.225 and H.245            | Any       | >=1024      | TCP      | ExpE LAN2 | 2776
RTP Assent                       | Any       | >=1024      | UDP      | ExpE LAN2 | 36000*
RTCP Assent                      | Any       | >=1024      | UDP      | ExpE LAN2 | 36001*
H.323 endpoints with public IP addresses or remote Edge systems
Q.931/H.225                      | Any       | >=1024      | TCP      | ExpE LAN2 | 1720
H.245                            | Any       | >=1024      | TCP      | ExpE LAN2 | 15000 to 19999
RTP & RTCP                       | Any       | >=1024      | UDP      | ExpE LAN2 | 36002 to 59999*
SIP endpoints or remote Edge systems
SIP TCP                          | Any       | >=1024      | TCP      | ExpE LAN2 | 5060
SIP UDP                          | Any       | >=1024      | UDP      | ExpE LAN2 | 5060
SIP TLS                          | Any       | >=1024      | TCP      | ExpE LAN2 | 5061
RTP & RTCP                       | Any       | >=1024      | UDP      | ExpE LAN2 | 36002 to 59999*

* On large systems, the default allocation for multiplexed media is 36000 to 36011
* On small/medium systems, two configurable ports are allocated for multiplexed media traffic. The defaults are 2776 and 2777 and may be changed, but if the admin chooses not to configure those ports, Expressway will listen on 36000 and 36001
Business-to-business Access Media Traversal
- The Traversal Media Port Range is set in the Configuration > Traversal Subzone menu on both Expressway-C and Expressway-E; it defaults to 36000 to 59999
- The B2BUA could be engaged on Expressway-C and/or Expressway-E in order to interwork an encrypted call to an unencrypted one
- The proxy component is always used on both Expressway-C and Expressway-E
- This media port range is divided and shared:
  - 1st half goes to the Proxy
  - 2nd half goes to the B2BUA

The following example is taken with a port range of 36000 to 59999:
  36000 to 47999 goes to the Proxy
  48000 to 59999 goes to the B2BUA
B2BUA Impact on Firewall Ports
- When only the Proxy is engaged on Expressway-E (all zones' media encryption mode set to Auto), the number of ports is reduced by half compared to the situation where both B2BUA and Proxy are engaged
- Enabling encryption on Expressway-C instead of Expressway-E reduces the number of ports opened on the external firewall
- With B2BUA: 24 ports engaged per call
- Without B2BUA: 12 ports engaged per call
Example

50 concurrent B2B calls

With B2BUA engaged on Expressway-E: total 1200 (50x24) ports opened on the external FW
- Range configured on Expressway: 2400 ports, from 50000 to 52399
- First half goes to the Proxy: 50000 to 51199
- Second half goes to the B2BUA: 51200 to 52399. These ports will be opened on the external FW

Without B2BUA engaged: total 600 (50x12) ports opened on the external FW
- Range configured on Expressway: 1200 ports, from 50000 to 51199
- First half goes to the Proxy: 50000 to 50599. These ports will be opened on the external FW
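The port arithmetic of the two slides above, as an added helper that is not Expressway code and not part of the deck, so that the external firewall rule can be derived from the expected number of concurrent B2B calls. It takes the per-call figures from the deck (24 UDP ports with the B2BUA engaged on Expressway-E, 12 without), reproduces the deck's sizing of the traversal media range as twice the ports that must be opened, with the Proxy taking the first half and the B2BUA the second, and renders the result as an IOS-style ACL line; the `<ExpE LAN2 IP>` placeholder and the ACL syntax are illustrative, not from the slides.

```python
from typing import Dict, Tuple

# Per-call UDP port counts from the deck, keyed by "B2BUA engaged on Expressway-E".
PORTS_PER_CALL = {True: 24, False: 12}


def plan_media_range(concurrent_calls: int, b2bua_on_e: bool,
                     range_start: int = 50000) -> Dict[str, object]:
    """Size the traversal media range and say which half must be opened on the external FW.

    Follows the deck's example: the configured range is twice the externally
    needed ports; the first half goes to the Proxy, the second to the B2BUA.
    """
    if concurrent_calls <= 0:
        raise ValueError("concurrent_calls must be positive")
    ports_per_call = PORTS_PER_CALL[b2bua_on_e]
    external_ports = concurrent_calls * ports_per_call
    range_size = 2 * external_ports
    half = range_size // 2
    proxy_half: Tuple[int, int] = (range_start, range_start + half - 1)
    b2bua_half: Tuple[int, int] = (range_start + half, range_start + range_size - 1)
    return {
        "ports_per_call": ports_per_call,
        "external_ports": external_ports,
        "range": (range_start, range_start + range_size - 1),
        "proxy_half": proxy_half,
        "b2bua_half": b2bua_half,
        # Media crossing the external firewall is sourced from the B2BUA half
        # when the B2BUA is engaged on Expressway-E, from the Proxy half otherwise.
        "open_on_external_fw": b2bua_half if b2bua_on_e else proxy_half,
    }


def firewall_acl(plan: Dict[str, object], expe_lan2: str = "<ExpE LAN2 IP>") -> str:
    """Render the single inbound UDP ACL line for media (illustrative IOS-style syntax)."""
    lo, hi = plan["open_on_external_fw"]
    return f"permit udp any gt 1023 host {expe_lan2} range {lo} {hi}"


if __name__ == "__main__":
    for b2bua in (True, False):
        plan = plan_media_range(50, b2bua)
        print(f"B2BUA on Expressway-E={b2bua}: {plan['external_ports']} ports, "
              f"range {plan['range']}, ACL: {firewall_acl(plan)}")
```

Running it for 50 calls reproduces the deck's numbers (1200 ports and a 50000 to 52399 range with the B2BUA, 600 ports and a 50000 to 51199 range without), and makes the recommendation on the next slides concrete: moving the B2BUA to Expressway-C halves both the range and the hole in the external firewall.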
Expressway-E Signaling with B2BUA (For Your Reference)

(Figure: audio portion of a call example, showing INVITE / 200 OK / ACK signaling on three legs: Expressway-C to the Expressway-E Proxy process, Proxy process to the Expressway-E B2BUA process, and B2BUA process to the remote Expressway-E on port 5061. Expressway-E addresses: LAN1 10.52.254.55, LAN2 173.38.168.145. The 200 OK from the remote side carries c=<remote ExpE_IP>/40882; other port values in the figure: 25060, 25020, 25021, 5071, 7002, 50062, 55104 (B2BUA port), 55114)
Expressway-E Media with B2BUA (For Your Reference)

(Figure: audio portion of the call. Media ports shown: 48084 on the Expressway-C side, 2776 and 50062 on the Expressway-E Proxy process, 55114 and 55104 on the Expressway-E B2BUA process, 40882 towards the remote Expressway-E. Expressway-E addresses: LAN1 10.52.254.55, LAN2 173.38.168.145)
Media Ports Calculation (For Your Reference)

(Figure: same media flow as the previous slide: Expressway-C 48084 <-> Proxy process 2776 / 50062 <-> B2BUA process 55114 / 55104 <-> remote Expressway-E 40882)

- Audio takes 2 ports on the B2BUA (55104, 55114) and 2 ports on the Proxy (2776, 50062)
- If the B2BUA is always engaged, two ports per media type are needed (55104 and 55114 in this case)
- Other streams are: video, duo video, BFCP, FECC, iX
- For each of these, an RTCP port is also engaged
- Total: 24 ports per call
- If the B2BUA is not engaged on Expressway-E: 12 UDP ports per call are required (1 from the Proxy range, the other = 2776)
Firewall Port Recommendations
- Enable the B2BUA on Expressway-C and try to avoid it on Expressway-E in order to reduce the ports open on the external FW
- Open only the ports that are needed
Summary
- B2B architectures for single edge Expressway-C and Expressway-E with dual network interfaces
- How to protect the dial plan
- How to minimize ports opened on the external firewall
- Quick overview of multiple Expressway deployment options
Complete Your Online Session Evaluation
- Please complete your Online Session Evaluations after each session
- Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
- All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings
- Related sessions

Thank You