The Spark Room will be open for 2 weeks after Cisco Live
BRKCOL-2018 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Key Learning Objectives

What's not covered here
Agenda
Expressway Introduction
Business-to-business Architecture
Expressway Policy Protection
Minimizing or reducing UDP ports opened in the Internet firewall
General considerations for multiple Expressway deployments
Expressway Introduction
Introducing Cisco Collaboration Edge Architecture
Industry's Most Comprehensive Any-to-Any Collaboration Solution

All the capabilities of Cisco Any-to-Any collaboration to date:
- B2B
- TDM & analog gateways
- ISDN video gateways
- Session border control
- Firewall traversal
- Standards-based & secure

[Diagram: Expressway at the network edge connecting Mobile Workers, Teleworkers, Consumers, 3rd Parties, Cloud Services and the Branch Office with a TDM or IP PBX, the PSTN or IP PSTN, and analog devices]
Cisco Expressway
A new gateway solving and simplifying business-relevant use cases, for Unified CM and Business Edition environments

[Diagram labels: Mobile Workers, Teleworkers, B2B, TDM or IP PBX]
Cisco Expressway use cases (shown as a build sequence on the original slides)

- Jabber Guest / WebRTC (B2C)
- Mobile and Remote Access (MRA) for Jabber and hardware devices
- Endpoint registration for Cisco video and 3rd party devices
- Microsoft integration
- Spark Connector Host
- B2B technology
- Calls to and from the Cisco Cloud (Spark, CMR)
Routing

Step 1: Call enters Expressway
Expressway Zone Concept

Most commonly used zones on Expressway
Expressway Zone Example (For Your Reference)

Expressway-C: 10.10.10.10
Expressway-E: 10.10.10.11

Call table columns: Call, From (IP/port), To (IP/port), Mapped to. Rows recoverable from the slide:
- Neighbor Zone A to Neighbor Zone B: from 192.168.10.10/5061 to 192.168.10.11/5061
- Row 5, inbound call on Expressway-C: from 192.168.10.11/40307 to 10.10.10.10/5061, mapped to 1
Cisco Expressway Connectivity Overview
Most used zones on a Unified CM-centric architecture (Unified CM, MRA)

Step 2: Call is routed
Expressway Routing (flowchart)

1. Expressway receives the alias.
2. Policy decision: if the call is rejected, routing stops; if it is allowed, continue.
3. Does the alias match a search rule?
   No: move to the next lower-priority rule, until the end of the rules is reached or the alias is found.
   Yes: is the alias found in the target zone?
      No: move to the next lower-priority rule.
      Yes: send the call to the target zone.
Pattern Matching
Regular Expressions (RegEx)

Cisco Expressway Family Overview (For Your Reference)

Most commonly used regex on Expressway
Proxy and B2BUA
SIP Proxy or SIP B2BUA?

Proxy Without B2BUA Engagement
- Single call leg
- Single media leg, no media termination
- Only the Exp-C/E Proxy process is involved; the Exp-C/E B2BUA process is not engaged

A B2B call traverses the Expressways without B2BUA engagement under the following conditions (the same list applies on Expressway-C and on Expressway-E):
1. SIP/RTP
2. H.323
3. SIP/SRTP
4. IPv4
B2BUA engagement for Media: "Encrypt on behalf of"

[Diagram: Expressway-C/E with an RTP side and an SRTP side. Media leg 1 enters the Exp-C/E Proxy process, media legs 2 and 3 pass through the Exp-C/E B2BUA process, media leg 4 leaves toward Cisco Unified CM]

The diagram shows the working principle. In most cases the B2BUA talks directly to the endpoint or end system without going back to the Proxy.
Dual Network Deployment
Expressway Firewall Traversal Basics

[Diagram: Enterprise Network (Unified CM, Expressway-C) | Firewall | DMZ (Expressway-E) | Firewall | Outside Network (Internet); signaling and media paths]

1. Expressway-E is the traversal server installed in the DMZ. Expressway-C is the traversal client installed inside the enterprise network.
2. Expressway-C initiates traversal connections outbound through the firewall to specific ports on Expressway-E with secure login credentials.
3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E to maintain the connection.
4. When Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C.
5. Expressway-C then routes the call to Unified CM to reach the called user or endpoint.
6. The call is established and media traverses the firewall securely over an existing traversal connection.
Expressway Dual Network Deployment Model
Recommended solution

- Expressway-E LAN1 interface (internal) is used for clustering
- Expressway-E LAN1 interface can be translated by static NAT only on a standalone appliance (no clustering support)
- Expressway-E LAN2 interface (external) can be translated by static NAT
- Expressway-C interface can be translated by NAT

Expressway Dual Network Deployment Diagram
[Diagram: routing on Expressway-E, showing the Default GW and a Static Route to Network 3]
DNS SRV Call Flow
DNS SRV Records for B2B
SRV record format for SIP and H.323 (RFC 2782)

Service Discovery (shown as a build sequence on the original slides):

_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5061 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5061 backupbox.example.com.

The caller dials luca@example.com; the SIP server queries _sips._tcp.example.com and the call is sent to one of the priority-10 targets: Bigbox with 60% and Smallbox with 40% of the calls. Backupbox (priority 20) is only contacted when the priority-10 targets cannot be reached.

Equal-weight example with three Expressway-E peers:

_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe1.example.com.

With expe1.example.com, expe2.example.com and expe3.example.com at the same priority and weight, calls to abc@example.com are spread 33% to each SIP server.

Cisco SRV Records for business-to-business
SRV record format for SIP and H.323
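The selection behaviour behind the 60%/40% and 33% figures above is the RFC 2782 algorithm. The following is an added example, not code from the Cisco deck: it parses the three _sips._tcp.example.com records exactly as printed on the slide, computes the share of first attempts each target gets, and replays the client-side ordering (priority first, weighted draw inside a priority level). The expe2 and expe3 records are constructed to match the equal-weight diagram, since only the expe1 line survives on the slide.

```python
"""Added example (not from the Cisco deck): RFC 2782 SRV target selection
applied to the _sips._tcp.example.com records from the slides above."""
import random
import re
from dataclasses import dataclass

# Records copied from the slide, in zone-file syntax.
WEIGHTED_RECORDS = """
_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5061 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5061 backupbox.example.com.
"""
# Constructed: expe2 and expe3 added to the slide's expe1 line (assumption).
EQUAL_RECORDS = """
_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe1.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe2.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe3.example.com.
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(text):
    """Parse zone-file style SRV lines; blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append(SrvRecord(int(m["priority"]), int(m["weight"]),
                                 int(m["port"]), m["target"].rstrip(".")))
    return records


def expected_share(records):
    """Fraction of first contacts per target: only the lowest priority level is
    eligible, split in proportion to weight. Higher priority values (backupbox)
    are tried only after every lower-priority target has failed."""
    lowest = min(r.priority for r in records)
    eligible = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in eligible)
    share = {r.target: 0.0 for r in records}
    for r in eligible:
        share[r.target] = r.weight / total if total else 1.0 / len(eligible)
    return share


def contact_order(records, rng=None):
    """Order in which a client tries the targets (RFC 2782): priority ascending;
    inside one priority a weighted draw without replacement, with weight-0
    records listed first so they are picked only when the draw lands on 0."""
    rng = rng if rng is not None else random.Random()
    order = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)   # weight 0 first
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)              # uniform in [0, total]
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:                   # first running sum >= pick
                    order.append(r)
                    pool.remove(r)
                    break
    return order


def first_contact_counts(records, trials, seed=0):
    """Simulate many calls and count which target is tried first."""
    rng = random.Random(seed)
    counts = {r.target: 0 for r in records}
    for _ in range(trials):
        counts[contact_order(records, rng)[0].target] += 1
    return counts


if __name__ == "__main__":
    recs = parse_srv(WEIGHTED_RECORDS)
    print(expected_share(recs))            # bigbox 0.6, smallbox 0.4, backupbox 0.0
    print(first_contact_counts(recs, 1000))
    print([r.target for r in contact_order(recs, random.Random(7))])
```

Running it shows backupbox always last in the contact order and never first, which is the point of giving it a higher priority value: it is a failover target, not a load-sharing one.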
B2B Call Flow: DNS Hierarchy, Single Edge

[Diagram, shown as a build sequence on the original slides: Company A (Expressway-C and Expressway-E, user a.b@companyA.com) calls x.y@companyB.com across the Internet; Company B (VCS-C and VCS-E) receives the call]
Business-to-Business Architecture

Recommended: encrypted connection between Expressway-C and Expressway-E
Encryption for Signaling
Signaling Encryption
H.323/SIP Protocol Selection Algorithm

[Diagram: Expressway-C tries 1. SIP, then 2. H.323; SIP toward the VCS-C, H.323 toward an H.323 endpoint]
SIP Transport Protocol Selection and Signaling Interworking

Neighbor zones and Traversal zones: Expressway interworks if the outgoing transport type is different from the incoming one.
  UCM --SIP/TLS--> ExpC --SIP/TLS, TCP or UDP--> ExpE

DNS zones: based on priority (TLS/TCP/UDP). A DNS zone always tries TLS first:
1. SIP/TLS
2. SIP/TCP
3. SIP/UDP
  UCM --SIP/TLS--> ExpC --Traversal zone set to TLS--> ExpE
TLS: Certificate Check on Expressway

During the validity check, standard browsers make sure that the hostname matches the SAN/CN and that the certificate has been signed by a trusted CA.
On Expressway this check is optional: it is activated by setting TLS verify mode to On, and it is configurable per zone.
Consequence: if you don't set up TLS verification, TLS can be established with a self-signed certificate.
In both cases the call will be encrypted, but only TLS verify mode set to On authenticates the other peer.
TLS verify set to Off
Traversal Zone Example

If TLS verify mode is set to Off, Expressway won't check the hostname or that the certificate is properly signed.
IP addresses can be used as the peer address.
Note that the IP address is not included in the SAN of the remote peer (Expressway-E).
TLS verify set to On
Neighbor zone example: connection to UCM

TLS verify mode triggers mutual TLS (MTLS).
The certificate CN or SAN is matched against the Peer Address.
Outbound B2B calls on Expressway-E with TLS
DNS Zone (outbound)

[Diagram: (1) expe.example.com sends a Client Hello to host.mypreferredpartner.com; (3) host.mypreferredpartner.com returns its certificate]

TLS verify set to On checks the signing CA and that the server certificate SAN matches the TLS verify subject name. Good for closed video federation.

TLS verify summary
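To make the difference between the two modes concrete, here is an added example that is not part of the Cisco deck: a model of what TLS verify mode On adds on top of a plain TLS handshake. Certificates are represented in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, so the SAN/CN matching is the kind a real client performs; the certificates, the trusted CA name and the peer addresses are constructed, and chain validation is reduced to an issuer-name lookup for the sake of an offline example.

```python
"""Added example (not from the Cisco deck): what "TLS verify mode" on an
Expressway zone checks beyond plain TLS. Certificates use the dict shape of
ssl.SSLSocket.getpeercert(); all certificates and addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed Expressway-E certificate: FQDN in the SAN, no IP address in the
# SAN (as the slides note), issued by a CA the zone trusts.
EXPE_CERT = {
    "subject": ((("commonName", "expe.example.com"),),),
    "subjectAltName": (("DNS", "expe.example.com"), ("DNS", "*.example.com")),
    "issuer": ((("commonName", "Example Corp Issuing CA"),),),
}
# Constructed self-signed certificate: issuer equals subject.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "expe.example.com"),),),
    "subjectAltName": (("DNS", "expe.example.com"),),
    "issuer": ((("commonName", "expe.example.com"),),),
}
TRUSTED_CAS = {"Example Corp Issuing CA"}   # constructed trust store


def _cn(name_tuple):
    """Pull commonName out of the nested RDN tuples getpeercert() uses."""
    for rdn in name_tuple:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_match(pattern, hostname):
    """RFC 6125-style match: exact, or a single leading '*' covering one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        labels = hostname.split(".", 1)
        return len(labels) == 2 and labels[1] == pattern[2:]
    return False


def identity_matches(cert, peer_address):
    """The configured peer address must appear in the SAN; the CN is used only
    when the certificate has no SAN. An IP peer address can only match an
    'IP Address' SAN entry, never a DNS entry, so an Expressway-E addressed by
    IP fails this check even with a perfectly valid certificate."""
    try:
        ip = ipaddress.ip_address(peer_address)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    if ip is not None:
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in sans)
    if sans:
        return any(t == "DNS" and _dns_match(v, peer_address) for t, v in sans)
    cn = _cn(cert["subject"])
    return cn is not None and _dns_match(cn, peer_address)


def signed_by_trusted_ca(cert, trusted):
    """Stand-in for chain validation: the issuer must be a CA in the trust store.
    A self-signed certificate only passes if its own name was added there."""
    return _cn(cert["issuer"]) in trusted


@dataclass(frozen=True)
class Outcome:
    connected: bool
    encrypted: bool
    peer_authenticated: bool
    reason: str


def zone_tls_outcome(verify_mode_on, peer_address, cert, trusted=TRUSTED_CAS):
    """Apply the zone's TLS verify mode to the certificate the peer presented."""
    if not verify_mode_on:
        # Off: the session is still encrypted, but nothing proves who the peer is.
        return Outcome(True, True, False, "TLS verify Off: certificate not checked")
    if not signed_by_trusted_ca(cert, trusted):
        return Outcome(False, False, False, "issuer not trusted")
    if not identity_matches(cert, peer_address):
        return Outcome(False, False, False, f"{peer_address} not in SAN/CN")
    return Outcome(True, True, True, "chain and identity verified")


if __name__ == "__main__":
    print(zone_tls_outcome(False, "10.10.10.11", SELF_SIGNED_CERT))
    print(zone_tls_outcome(True, "10.10.10.11", EXPE_CERT))
    print(zone_tls_outcome(True, "expe.example.com", EXPE_CERT))
```

The second call in the usage block is the traversal-zone case from the slide: the same certificate that passes with the FQDN as peer address fails once the zone points at the IP, because the IP is not in the SAN. That is why the slides pair "TLS verify Off" with IP addresses and "TLS verify On" with hostnames.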
Media Encryption Policy

Media Encryption: Auto example

Zone                    Transport  Media encryption mode
Default Zone (inbound)  -          Not configurable (Auto)
CM Neighbor Zone        TLS        Auto
Traversal Client Zone   TLS        Auto
Traversal Server Zone   TLS        Auto
DNS Zone (outbound)     -          Not configurable (Auto)

Path: CUCM - Expressway-C - Expressway-E - Internet - Remote Edge. Media is RTP/SRTP: TLS with SRTP or RTP, based on the endpoints' negotiation.
Auto: doesn't engage the B2BUA. No control of media status; the endpoints decide the encryption settings.

Media Encryption: Best Effort example (optimization of the previous example)

Zone                    Transport  Media encryption mode
Default Zone (inbound)  -          Not configurable (Best Effort)
CM Neighbor Zone        TLS        Auto
Traversal Client Zone   TLS        Best Effort
Traversal Server Zone   TLS        Best Effort
DNS Zone (outbound)     -          Not configurable (Best Effort)

Call legs: CUCM to Expressway-C TCP/RTP or TLS/RTP; Expressway-C to Expressway-E TLS/SRTP; Expressway-E to the Remote Edge over the Internet RTP.

Media Encryption: Lock icon example (optimization of the previous example)

Zone                    Transport  Media encryption mode
Default Zone (inbound)  -          Not configurable (Best Effort)
CM Neighbor Zone        TLS        Best Effort
Traversal Client Zone   TLS        Best Effort
Traversal Server Zone   TLS        Best Effort
DNS Zone (outbound)     -          Not configurable (Best Effort)

Call legs: CUCM to Expressway-C TLS/SRTP; Expressway-C to Expressway-E TLS/SRTP; Expressway-E to the Remote Edge over the Internet RTP.
The lock icon shows closed because the first 2 call legs are encrypted.
Neighboring Expressway-C to Unified CM with SIP TLS

This check box enables Secure Real-Time Protocol (SRTP) SIP trunk connections and also allows the SIP trunk to fall back to Real-Time Protocol (RTP) if the endpoints do not support SRTP.
For this check box to be effective, Cisco Unified CM must be in mixed mode.
A SIP TLS trunk doesn't require mixed mode if RTP only is used.

SIP Trunk Destination and SIP Trunk Security Profile
[Screenshots: Expressway-C and Expressway-E trunk configuration]
Expressway Policy Protection

Example of unauthorized access attempts on Expressway-E (two screenshots on the original slides)

Call Policy Rules with 8.9.1 and above
CPL Settings

From                    Rule Applies To                          Source Address Pattern   Destination Pattern      Action
Source Type or Address  Authenticated vs unauthenticated traffic Configurable with regex  Configurable with regex  Allow/Reject

If Source Type is selected, the CPL rule applies to all calls coming from a specific zone that match the configured called ID pattern (no calling ID).
With From Address, it is possible to specify both the calling and the called ID pattern. However, such a rule applies to authenticated or unauthenticated calls.
Expressway Mitigating Toll Fraud

[Diagram, three build slides: Expressway-C and Expressway-E connected by the Traversal Zone; the zone authentication policy classifies incoming calls as Authenticated or Unauthenticated]
CPL design
Note: CPL rules are analyzed top-down.
1. Reject malformed calling aliases
2. Reject forbidden destinations in called aliases:
   - PSTN access
   - Specific numeric ranges not allowed from B2B
Checking the calling alias
The calling alias of a call hitting the Default Zone (B2B) shouldn't contain:
- the corporate domain (example.com)
- Expressway IPs
- enterprise Cisco Spark domains

Rule Applies To  Source Address Pattern  Destination Pattern  Action  Example
Unauthenticated  (.*)@example\.com.*     .*                   Reject  Call from 100@example.com rejected
Checking the called alias
- Block PSTN access
- Block any numeric range that is not supposed to receive B2B calls (if one exists)
- Allow any other destination that contains the domain
- Final deny-all

(Table columns on the original slide: Zone, Originating Zone, Destination Pattern, Action, Example)
Putting things together

Policies applied to the calling alias:

Rule Applies To  Source Address Pattern   Destination Pattern  Action
Unauthenticated  (.*)@example\.com.*      .*                   Reject
Unauthenticated  (.*)@10\.10\.10\.1[12]   .*                   Reject

CPL Result (Default zone)

What's the final result? Routing stops immediately, since CPL rules are the first thing checked.
[Diagram labels: {IP Addr/port No}, NGIPS]

Customized Rules offset
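The processing order the slides describe (CPL rules top-down first, then search rules by priority until the alias is found) can be written down as a small evaluator. The following is an added example, not code from the Cisco deck or the Expressway product: the two calling-alias rows use the exact regex patterns from the "Putting things together" slide, while the called-alias rows, the search rules, the zone names, the per-zone alias directory and the sample calls are constructed to implement the lists on the "Checking the called alias" and routing slides. Whole-alias (full-string) regex matching is assumed.

```python
"""Added example (not from the Cisco deck): CPL rules evaluated top-down,
then search rules by priority, for constructed sample calls."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Call:
    source_zone: str        # zone the call arrived on
    authenticated: bool     # outcome of the zone authentication policy
    calling: str            # calling alias (From)
    called: str             # called alias (To)


@dataclass(frozen=True)
class CplRule:
    applies_to: str                # "Authenticated", "Unauthenticated" or "Any"
    source_zone: Optional[str]     # set for "From: Source Type" rows, None = any zone
    source_pattern: str            # regex on the calling alias
    dest_pattern: str              # regex on the called alias
    action: str                    # "Reject" or "Allow"


@dataclass(frozen=True)
class SearchRule:
    priority: int                  # lower value is tried first
    pattern: str                   # regex on the called alias
    target_zone: str
    replace: Optional[str] = None  # optional rewrite built from regex groups


# Rows 1-2: calling-alias patterns copied from the slide.
# Rows 3-5: constructed called-alias rules for the B2B Default Zone
# (block PSTN-looking digit strings, allow the corporate domain, final deny-all).
CPL_RULES = [
    CplRule("Unauthenticated", None, r"(.*)@example\.com.*", r".*", "Reject"),
    CplRule("Unauthenticated", None, r"(.*)@10\.10\.10\.1[12]", r".*", "Reject"),
    CplRule("Any", "Default Zone", r".*", r"[0-9]{8,}(@.*)?", "Reject"),
    CplRule("Any", "Default Zone", r".*", r".*@example\.com", "Allow"),
    CplRule("Any", "Default Zone", r".*", r".*", "Reject"),
]

# Constructed search rules. A zone absent from DIRECTORY (the DNS Zone) is
# resolved externally, so a pattern match there counts as "alias found".
SEARCH_RULES = [
    SearchRule(40, r"(.+)@example\.com", "CM Neighbor Zone", r"\1@cucm.example.com"),
    SearchRule(50, r"(.+)@example\.com", "Local Zone"),
    SearchRule(100, r".+@(?!example\.com).+", "DNS Zone"),
]
DIRECTORY = {
    "CM Neighbor Zone": {"luca@cucm.example.com"},
    "Local Zone": {"room1@example.com"},
}


def cpl_decision(call, rules):
    """CPL rules are analyzed top-down; the first matching rule decides.
    Returns (action, rule index); no match means the call proceeds to routing."""
    for idx, rule in enumerate(rules):
        if rule.applies_to != "Any" and (rule.applies_to == "Authenticated") != call.authenticated:
            continue
        if rule.source_zone is not None and rule.source_zone != call.source_zone:
            continue
        if re.fullmatch(rule.source_pattern, call.calling) and re.fullmatch(rule.dest_pattern, call.called):
            return rule.action, idx
    return "Allow", None


def route(call, cpl_rules=CPL_RULES, search_rules=SEARCH_RULES, directory=DIRECTORY):
    """Step 1: CPL. Step 2: search rules in ascending priority until the alias is found."""
    action, idx = cpl_decision(call, cpl_rules)
    if action == "Reject":
        return {"result": "rejected", "cpl_rule": idx}      # routing stops immediately
    for rule in sorted(search_rules, key=lambda r: r.priority):
        m = re.fullmatch(rule.pattern, call.called)
        if not m:
            continue                                         # next lower-priority rule
        alias = m.expand(rule.replace) if rule.replace else call.called
        found = alias in directory[rule.target_zone] if rule.target_zone in directory else True
        if found:
            return {"result": "routed", "zone": rule.target_zone, "alias": alias, "priority": rule.priority}
    return {"result": "not found"}


# Constructed sample calls: four on the unauthenticated B2B Default Zone, one
# authenticated outbound call arriving from the enterprise side.
SPOOFED_DOMAIN = Call("Default Zone", False, "100@example.com", "luca@example.com")
SPOOFED_EXPE_IP = Call("Default Zone", False, "bob@10.10.10.11", "luca@example.com")
LEGIT_B2B = Call("Default Zone", False, "x.y@companyB.com", "luca@example.com")
LOCAL_ROOM = Call("Default Zone", False, "x.y@companyB.com", "room1@example.com")
TOLL_FRAUD = Call("Default Zone", False, "x.y@companyB.com", "0039021234567@example.com")
OUTBOUND = Call("Traversal Zone", True, "luca@example.com", "x.y@companyB.com")

if __name__ == "__main__":
    for c in (SPOOFED_DOMAIN, SPOOFED_EXPE_IP, LEGIT_B2B, LOCAL_ROOM, TOLL_FRAUD, OUTBOUND):
        print(c.calling, "->", c.called, route(c))
```

LOCAL_ROOM is the "next lower-priority rule until the alias is found" case: the priority-40 rule matches the pattern but its rewritten alias is not known to the CM Neighbor Zone, so routing falls through to the priority-50 rule. OUTBOUND shows why the called-alias rules are tied to the Default Zone: an authenticated call from the traversal zone is not touched by the deny-all and reaches the DNS Zone.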
UCM Calling Search Space
Block access at UCM level
- UCM has the whole dial plan and controls access to all resources
- The inbound trunk CSS will have access to allowed addresses only (i.e. the Directory URI, Scheduled meetings, personal CMR and permanent conferences partitions)
- UCM has a more granular approach, not based on numeric ranges
Business-to-business Access Media Traversal
- The Traversal Media Port Range is set in the Configuration > Traversal Subzone menu on both Expressway-C and Expressway-E; it defaults to 36000 to 59999
- The B2BUA could be engaged on Expressway-C and/or Expressway-E in order to perform an encrypted-to-unencrypted call
- The proxy component is always used on both Expressway-C and Expressway-E
- This media port range is divided and shared: the 1st half goes to the Proxy, the 2nd half goes to the B2BUA

B2BUA Impact on Firewall Ports

Example
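Two points above are easy to get wrong in a firewall review: the traversal connection is always opened outbound by Expressway-C (steps 2 to 6 of the Firewall Traversal Basics slide), so the internal firewall needs no inbound rule, and the Traversal Media Port Range is split in two halves between the proxy and the B2BUA. The following is an added example that is not part of the Cisco deck: a connection-tracking firewall model that replays the traversal steps and computes the range split. It reuses the 10.10.10.10 (Expressway-C) and 10.10.10.11 (Expressway-E) addresses from the zone example slide; the port 7001 is only assumed as the traversal signaling port, and the rule names and source ports are constructed.

```python
"""Added example (not from the Cisco deck): stateful-firewall model of the
Expressway-C to Expressway-E traversal connection, plus the proxy/B2BUA split
of the Traversal Media Port Range. Ports and rule names are constructed."""
from dataclasses import dataclass

EXP_C = "10.10.10.10"                 # from the zone example slide
EXP_E = "10.10.10.11"
TRAVERSAL_SIGNALING_PORT = 7001       # assumed value for this example


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    src: str        # exact address or "any"
    dst: str
    dports: range   # destination ports the rule opens


def split_media_range(first=36000, last=59999):
    """Traversal Media Port Range: 1st half to the proxy, 2nd half to the B2BUA."""
    size = last - first + 1
    middle = first + size // 2
    return {"proxy": range(first, middle), "b2bua": range(middle, last + 1)}


class StatefulFirewall:
    """Allows a packet if it matches an explicit rule or belongs to a session
    created by an earlier allowed packet (matched on the reversed 5-tuple)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()
        self.log = []

    def process(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions or reverse in self.sessions:
            self.log.append(("established", pkt))
            return True
        for rule in self.rules:
            if (rule.proto == pkt.proto and rule.src in ("any", pkt.src)
                    and rule.dst in ("any", pkt.dst) and pkt.dport in rule.dports):
                self.sessions.add(key)          # new session, replies ride on it
                self.log.append((rule.name, pkt))
                return True
        self.log.append(("dropped", pkt))
        return False


def internal_firewall_rules():
    """Only outbound rules from Expressway-C to Expressway-E are needed."""
    media = split_media_range()
    return [
        Rule("expc-to-expe-signaling", "tcp", EXP_C, EXP_E,
             range(TRAVERSAL_SIGNALING_PORT, TRAVERSAL_SIGNALING_PORT + 1)),
        Rule("expc-to-expe-media", "udp", EXP_C, EXP_E,
             range(media["proxy"].start, media["b2bua"].stop)),
    ]


def traversal_call_flow():
    """Replay slide steps 2 to 6 across the internal firewall; returns which
    packets were allowed (True) or dropped (False), keyed by step."""
    fw = StatefulFirewall(internal_firewall_rules())
    return {
        # 2. Expressway-C opens the traversal connection outbound
        "c_connects": fw.process(Packet("tcp", EXP_C, 40307, EXP_E, TRAVERSAL_SIGNALING_PORT)),
        # 3. keep-alives travel on the same session
        "c_keepalive": fw.process(Packet("tcp", EXP_C, 40307, EXP_E, TRAVERSAL_SIGNALING_PORT)),
        # 4. Expressway-E issues the incoming call request back over the existing connection
        "e_incoming_call_request": fw.process(Packet("tcp", EXP_E, TRAVERSAL_SIGNALING_PORT, EXP_C, 40307)),
        # a fresh connection from the DMZ inward has no session and no rule
        "e_unsolicited": fw.process(Packet("tcp", EXP_E, 51000, EXP_C, 5061)),
        # 6. media: C sends first toward a port in E's traversal media range, E answers on that session
        "c_media_out": fw.process(Packet("udp", EXP_C, 36002, EXP_E, 36000)),
        "e_media_back": fw.process(Packet("udp", EXP_E, 36000, EXP_C, 36002)),
        # media toward a port outside the configured range never opens
        "c_media_out_of_range": fw.process(Packet("udp", EXP_C, 36004, EXP_E, 60000)),
    }


if __name__ == "__main__":
    print(split_media_range())     # proxy 36000-47999, B2BUA 48000-59999
    for step, allowed in traversal_call_flow().items():
        print(f"{step:24s} {'allowed' if allowed else 'dropped'}")
```

With the default range the proxy gets 36000 to 47999 and the B2BUA 48000 to 59999; the port 48084 labelled B2BUA on the reference slides further down falls in that second half. Narrowing the configured range shrinks the UDP rule on both firewalls accordingly, which is the lever the "minimizing UDP ports" agenda item refers to.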
Expressway-E Signaling with B2BUA (For Your Reference)
Expressway-E Media with B2BUA (For Your Reference)
Media Ports Calculation (For Your Reference)

[Diagrams: Expressway-E with LAN1 10.52.254.55 and LAN2 173.38.168.145. Signaling from port 25020, with a "101 ACK" step on port 55104. Audio portion of the call toward Exp-C on B2BUA port 48084; other ports on the diagrams: 2776, 50062, 55114 (Exp-E B2BUA process) and 55104]
Summary
- B2B architectures for single-edge Expressway-C and Expressway-E with dual network interfaces
- How to protect the dial plan
- How to minimize ports opened on the external firewall
- Quick overview of multiple Expressway deployment options
Complete Your Online Session Evaluation
- Please complete your Online Session Evaluations after each session
- Complete 4 Session Evaluations and the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
- All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings
- Related sessions

Thank You