Cisco Collaboration Edge Solution
Mikhail Shchekotilov, Customer Support Engineer, Cisco TAC Russia
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Contents
- Solution architecture and components overview
- Cisco Jabber client registration process
- Key points when preparing the infrastructure
  - Domains and DNS
  - Certificates
- Known limitations and problems
Solution architecture and components overview
Terminology
- Collaboration Edge: the solution and architecture for delivering voice and extended collaboration services across the corporate network boundary.
- Expressway: a VCS-based product designed for traversing that boundary (firewall traversal).
- Mobile and Remote Access: the feature of the solution that lets remote clients work using Cisco Jabber.
What can Cisco Jabber do?
- Make voice and video calls
- Instant Message and Presence
- Access visual voicemail
- Search corporate directory
- Launch a web conference
- Share content

Figure: a Jabber client outside the firewall (public Internet) reaches Expressway-E in the DMZ; Expressway-E traverses to Expressway-C inside the firewall (intranet), which fronts Unified CM and the other collaboration services.
CUCM + IM&P model (diagram)

CUCM + Webex model (diagram)
Solution components
- External and Internal DNS: the DNS servers seen from outside and from inside the network
- Expressway-E (Edge): entry point and firewall traversal server
- Expressway-C (Core): firewall traversal client and reverse HTTP proxy
- CUCM:
  - UDS (User Data Services): data about users, devices, services, etc.
  - TFTP: configuration files
- IM&P (Instant Messaging & Presence): directory, instant messaging and presence services

The sequence diagrams that follow use these participants: Jabber Client, External DNS, Expressway-E, Expressway-C, Internal DNS, CUCM (Home UDS, TFTP Server) and IM&P Server.
Cisco Jabber client registration process
Cisco Jabber registration: internal service records are not found
Jabber Client -> DNS: DNS Query SRV _cisco-uds._tcp.coluc.com
DNS -> Jabber Client: Query Response: Not Found
Jabber Client -> DNS: DNS Query SRV _cuplogin._tcp.coluc.com
DNS -> Jabber Client: Query Response: Not Found
Cisco Jabber registration: locating Expressway-E
Jabber Client -> External DNS: DNS Query SRV _collab-edge._tls.coluc.com
External DNS -> Jabber Client: Query Response (contains "Answers" including the SRV and A/AAAA records)
  Service: collab-edge
  Protocol: tls
  Name: coluc.com
  Type: SRV
  Port: 8443
  Target: xwaye.coluc.com
Jabber Client -> External DNS: DNS Query A xwaye.coluc.com
External DNS -> Jabber Client: Query Response (contains "Answers" including the A/AAAA record)
  Name: xwaye.coluc.com
  Type: A
  Addr: 122.208.118.4
Cisco Jabber registration: TLS setup and edge configuration request
Jabber Client -> VCS Expressway (Expressway-E): SSL: Client Hello
VCS Expressway -> Jabber Client: SSL: Server Hello
VCS Expressway -> Jabber Client: SSL: Certificate, Server Hello Done
A secure channel is established between the client and VCS-E.

Jabber Client -> VCS Expressway: HTTPS GET /get_edge_config (the client requests the edge configuration data)
HTTPMSG:
GET https:///Y2lzY290cC5jb20/get_edge_config HTTP/1.1
Authorization: xxxxx  <= Basic username and password
Host: xwaye.coluc.com:8443
User-Agent: Jabber-Win-746

VCS Expressway -> VCS Control (Expressway-C): HTTPS GET /get_edge_config (proxied)
HTTPMSG:
GET http://vcs_control.coluc.com:8443/Y2lzY290cC5jb20/get_edge_config HTTP/1.1
Authorization: xxxxx  <= Basic username and password
Host: vcs_control.coluc.com:8443
User-Agent: Jabber-Win-746
X-Forwarded-For: 64.104.46.217  <= address of the Jabber client as seen by VCS-E
Via: https/1.1 vcs[7AD07604] (ATS)
Cisco Jabber registration: Expressway-C resolves the UC services
When the DNS records are not cached, Expressway-C sends out the following DNS queries:
Expressway-C -> Internal DNS: DNS Query SRV _cisco-uds._tcp.coluc.com
Internal DNS -> Expressway-C: Query Response (Target: colcm9pub.coluc.com)
Expressway-C -> Internal DNS: DNS Query A colcm9pub.coluc.com
Internal DNS -> Expressway-C: Query Response (Addr: 172.16.1.36)
Expressway-C -> Internal DNS: DNS Query SRV _cisco-phone-tftp._tcp.coluc.com
Internal DNS -> Expressway-C: Query Response (Target: colcm9pub.coluc.com)
Cisco Jabber registration: Expressway-C resolves the IM&P service
Expressway-C -> Internal DNS: DNS Query SRV _cuplogin._tcp.coluc.com
Internal DNS -> Expressway-C: Query Response (Target: colcup.coluc.com)
Expressway-C -> Internal DNS: DNS Query A colcup.coluc.com
Internal DNS -> Expressway-C: Query Response (Addr: 172.16.1.33)
Cisco Jabber registration: requesting the CUCM home node information
Expressway-C -> CUCM (UDS): HTTP(S) GET //<cucm-fqdn>/cucm-uds/clusterUser?<user-name>
HTTPMSG:
GET //colcm9pub:8443/cucm-uds/clusterUser?username=xwayj HTTP/1.1

CUCM (UDS) -> Expressway-C: HTTP(S) 200 OK
HTTPMSG:
HTTP/1.1 200 OK
Content-Type: application/xml
Server:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<clusterUser uri="https://colcm9pub:8443/cucm-uds/clusterUser?username=xwayj" version="9.1.2"><result version="9.1.2" uri="https://172.16.1.36:8443/cucm-uds/user/xwayj" found="true"/><homeCluster>172.16.1.36</homeCluster></clusterUser>

At this point the diagnostic log should contain the internal status entries "Found user cluster" and "Found UDS server":
Module="developer.edgeconfigprovisioning.server" Level="DEBUG" CodeLocation="edgeconfigprovisioningserver(655)" Detail="Found user cluster" Username="xwayj" Cluster="172.16.1.36"
Module="developer.edgeconfigprovisioning.server" Level="DEBUG" CodeLocation="edgeconfigprovisioningserver(682)" Detail="Found UDS server" Cluster="172.16.1.36" UdsServer="colcm9pub"
Cisco Jabber registration: Get Devices
Expressway-C -> CUCM (UDS): HTTP(S) GET //<cucm-fqdn>/cucm-uds/user/<user-name>/devices
HTTPMSG:
GET //colcm9pub:8443/cucm-uds/user/xwayj/devices HTTP/1.1
Authorization: <CONCEALED>

CUCM (UDS) -> Expressway-C: HTTP(S) 200 OK
HTTPMSG:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONIDSSO=xxxxx, Path=/; Secure; HttpOnly
Set-Cookie: JSESSIONID=xxxxx; Path=/cucm-uds/; Secure; HttpOnly
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<devices version="9.1.2" uri="https://colcm9pub:8443/cucm-uds/user/xwayj/devices"><device hasPrimaryNumber="false" uri="https://colcm9pub:8443/cucm-uds/user/xwayj/device/663e40ed-b3bd-3060-5483-b6721d04c32e"><id>663e40ed-b3bd-3060-5483-b6721d04c32e</id><name>CSFxwayj</name><model>Cisco Unified Client Services Framework</model> ….. </device></devices>
Cisco Jabber registration: the edge configuration is returned
Expressway-C -> Expressway-E -> Jabber Client: HTTPS 200 OK (Expressway-E relays the same response to the client)
HTTPMSG:
HTTP/1.1 200 OK
Server: CE_C ECS
Set-Cookie: X-Auth=<edge token>; Expires=xxxxx; Domain=.coluc.com; Path=/; Secure
<?xml version='1.0' encoding='UTF-8'?>
<getEdgeConfigResponse version="1.0"><serviceConfig><service><name>_cisco-phone-tftp</name><server><priority>0</priority><weight>0</weight><port>69</port><address>colcm9pub.coluc.com</address></server></service><service><name>_cuplogin</name><server><priority>0</priority><weight>0</weight><port>8443</port><address>imp33.coluc.com</address></server> ….. </edgeConfig></getEdgeConfigResponse>

Returned configuration:
1) IM&P, CUCM and TFTP SRV records
2) SIP edge
3) Randomized list of UDS servers
4) XMPP edge
5) HTTP edge
etc.
Cisco Jabber registration: client configuration and IM&P login
Jabber Client -> Expressway-E: HTTPS GET /jabber-config.xml
HTTPMSG:
GET https:///...../jabber-config.xml HTTP/1.1
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746

Jabber Client -> Expressway-E: HTTPS POST /EPASSoap/service/ login
HTTPMSG:
POST https:///...../EPASSoap/service/v80 HTTP/1.1
Host: xwaye.coluc.com:8443
User-Agent: gSOAP/2.8
User-Agent: Jabber-Win-746
Cookie: $Version=1;X-Auth=<edge token>;$Path="/";$Domain=".coluc.com"
SOAPAction: "urn:cisco:epas:soap/EpasSoapServiceInterface/login"

HTTPS: POST /EPASSoap/service / get_all_config …
HTTPS: POST /EPASSoap/service / get_user_config …
  System and user configuration, licensing features, etc.
HTTPS: POST /EPASSoap/service / get_onetime_password …
  Password to be used for the subsequent IM&P XMPP logon
Cisco Jabber registration: device configuration files fetched over HTTPS
Jabber Client -> Expressway-E: HTTPS GET CTLSEP<CSF device name>.tlv
HTTPMSG:
GET https:///...../CTLSEPCSFxwayj.tlv HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746

Jabber Client -> Expressway-E: HTTPS GET <CSF device name>.cnf.xml
HTTPMSG:
GET https:///....../CSFxwayj.cnf.xml HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746
Cisco Jabber registration: SIP REFER
Jabber Client -> Expressway-E: SIP REFER (the client includes the route set received during the startup negotiation)
REFER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: [email protected]
CSeq: 1000 REFER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.30:5061;transport=tls;zone-id=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>

Expressway-E -> Jabber Client: SIP 407 Proxy Authentication Required
Cisco Jabber registration: SIP REFER with credentials
Jabber Client -> Expressway-E: SIP REFER
REFER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: [email protected]
CSeq: 1001 REFER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.31:5061;transport=tls;zone-id=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>
Proxy-Authorization: Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub", response="4900cdfe65c4a4551f1129903c9ed98d", nonce="xxxxx", opaque="xxxxx", cnonce="000030a0", qop=auth, nc=00000001, algorithm=MD5

Expressway -> CUCM: SIP SERVICE (delegated credential checking for the REFER request)
CSeq: 100 SERVICE
From: <sip:serviceproxy@colcm9pub>;tag=c726e3c167f0c775
To: <sip:serviceserver@colcm9pub>
Event: service
P-Asserted-Identity: <sip:serviceproxy@colcm9pub>
<?xml version="1.0" encoding="utf-8"?>
<methodCall><params><username>xwayj</username>…..<uri>sip:colcm9pub</uri><method>REFER</method><id>30</id><reqtype>collab-edge</reqtype></params> <methodName>DigestAuth</methodName> …..</sipdomain> </methodCall>
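Added example (not Expressway or CUCM code): parse the Proxy-Authorization header above and recompute the Digest response (RFC 2617, MD5, qop=auth) the way whoever holds the password must. Note that the realm is xwaye.coluc.com (Expressway-E issues the challenge) while the password check itself is delegated to CUCM through the SIP SERVICE message. The nonce and opaque values are concealed on the slide, so the builder below uses constructed ones together with a constructed password.

```python
"""SIP Digest authentication (RFC 2617, MD5, qop=auth): parse and verify.

Added example, not Expressway or CUCM code.
"""
import hashlib
import hmac
import re
from typing import Dict

# Parameters are comma separated, either key="quoted value" or key=token.
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header: str) -> Dict[str, str]:
    """Turn 'Digest k="v", k=v, ...' into a dict with quotes stripped."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def _md5(text: str) -> str:
    # MD5 is what algorithm=MD5 in the header mandates; it is not a choice made here.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with
    HA1 = MD5(username:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    if qop:
        return _md5(":".join((ha1, nonce, nc, cnonce, qop, ha2)))
    return _md5(":".join((ha1, nonce, ha2)))  # legacy form without qop


def build_proxy_authorization(username, realm, password, method, uri,
                              nonce, opaque, cnonce, nc="00000001"):
    """What the client puts in the second REFER/REGISTER after the 407."""
    response = digest_response(username, realm, password, method, uri, nonce, nc, cnonce, "auth")
    return ('Digest username="%s", realm="%s", uri="%s", response="%s", nonce="%s", '
            'opaque="%s", cnonce="%s", qop=auth, nc=%s, algorithm=MD5'
            % (username, realm, uri, response, nonce, opaque, cnonce, nc))


def verify_proxy_authorization(header: str, method: str, password: str) -> bool:
    """Recompute the response from the header fields and compare in constant time.
    The request method is part of HA2, so a REFER credential cannot be replayed
    as a REGISTER. Nonce freshness tracking is left to the caller."""
    p = parse_digest(header)
    if p.get("algorithm", "MD5").upper() != "MD5" or p.get("qop", "auth") != "auth":
        return False
    try:
        expected = digest_response(p["username"], p["realm"], password, method,
                                   p["uri"], p["nonce"], p["nc"], p["cnonce"], "auth")
    except KeyError:
        return False  # a required parameter is missing
    return hmac.compare_digest(expected, p.get("response", ""))


# Header copied from the slide (nonce/opaque are concealed there as xxxxx).
SLIDE_HEADER = ('Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub", '
                'response="4900cdfe65c4a4551f1129903c9ed98d", nonce="xxxxx", opaque="xxxxx", '
                'cnonce="000030a0", qop=auth, nc=00000001, algorithm=MD5')

if __name__ == "__main__":
    # Constructed nonce, opaque and password; not values from the deck.
    hdr = build_proxy_authorization("xwayj", "xwaye.coluc.com", "s3cret-demo", "REGISTER",
                                    "sip:colcm9pub", "n0nce-demo", "0paque-demo", "000030a0")
    print(hdr)
    print(verify_proxy_authorization(hdr, "REGISTER", "s3cret-demo"))  # True
    print(verify_proxy_authorization(hdr, "REGISTER", "wrong"))        # False
    print(parse_digest(SLIDE_HEADER)["realm"])
```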
Cisco Jabber registration: REFER proxied towards CUCM
Expressway-E -> Expressway-C -> CUCM: SIP REFER (the original slide shows the same message on both hops)
REFER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: [email protected]
CSeq: 1001 REFER
Refer-To: <cid:[email protected]>
Referred-By: <sip:[email protected]>
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:colcm9pub>
Route: <sip:colcm9pub;transport=tcp;lr>
P-Asserted-Identity: <sip:[email protected]>
Cisco Jabber registration: REFER accepted, REGISTER starts
CUCM -> Expressway-C: SIP 202 Accepted
Expressway-C -> Expressway-E: SIP 202 Accepted
Expressway-E -> Jabber Client: SIP 202 Accepted

Jabber Client -> Expressway-E: SIP REGISTER (registration request including Contact and all Route information)
REGISTER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: [email protected]
CSeq: 101 REGISTER
Contact: <sip:..... @10.71.50.153:50036;transport=tls>;+sip.instance="<urn:uuid:00000000-0000-0000-0000-081196545e65>";+sip.instance="<urn:uuid:00000000-0000-0000-0000-081196545e65>";+u.sip!devicename.ccm.cisco.com="CSFxwayj";+u.sip!model.ccm.cisco.com="503";video
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.30:5061;transport=tls;zone-id=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>

Expressway-E -> Jabber Client: SIP 407 Proxy Authentication Required
Cisco Jabber registration: REGISTER with credentials
Jabber Client -> Expressway-E: SIP REGISTER
REGISTER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=…..
CSeq: 102 REGISTER
Contact: <sip:[email protected]:50036;transport=tls>….. +u.sip!devicename.ccm.cisco.com="CSFxwayj";+u.sip!model.ccm.cisco.com="503"
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Proxy-Authorization: Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub", response="4900cdfe65c4a4551f1129903c9ed98d", nonce="xxxxx", opaque="xxxxx", cnonce="000030a0", qop=auth, nc=00000001, algorithm=MD5
Cisco Jabber registration: REGISTER proxied to CUCM
Expressway-E -> Expressway-C: SIP REGISTER
REGISTER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TCP 0.0.0.0;egress-zone=TokyoVCS;…..;proxy-call-id=…..
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=…..;received=64.104.46.217;rport=9706;ingress-zone=CollaborationEdgeZone
CSeq: 102 REGISTER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
The Via headers carry: 1) the edge zone name; 2) the client's local and NAT addresses with port numbers.

Expressway-C -> CUCM: SIP REGISTER (proxy registration to CUCM)
REGISTER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TCP 172.16.1.30:5060;egress-zone=CEtcpcolcm9pub;…..;proxy-call-id=…..
Via: SIP/2.0/TCP 0.0.0.0;egress-zone=TokyoVCS;…..;proxy-call-id=…..
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=…..;received=64.104.46.217;rport=9706;ingress-zone=CollaborationEdgeZone
CSeq: 101 REGISTER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:colcm9pub;transport=tcp;lr>
The CSeq number for REGISTER is managed separately on each hop (102 from the client, 101 towards CUCM).

CUCM -> Expressway-C -> Expressway-E -> Jabber Client: SIP 200 OK
Key points when preparing the infrastructure

Domains and DNS
Service discovery
DNS service records (SRV) are used to discover services.
Depending on the results of its queries, the client decides whether it is inside or outside the network.
- Outside the network, the SRV record '_collab-edge._tls.<domain>' must resolve and must point to Expressway-E.
- Only inside the network must the SRV record '_cisco-uds._tcp.<domain>' resolve; it points to the CUCM cluster.
- Only inside the network must the SRV record '_cuplogin._tcp.<domain>' resolve; it points to the IM&P cluster.
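The discovery order from the registration slides and the inside/outside rule above, as an added Python example (not Cisco code). The DNS "zones" are constructed in-memory tables using the names from this deck (coluc.com, xwaye.coluc.com, colcm9pub, colcup); a real client would query the resolver instead. It also shows why the internal-only records must not be published externally: a leaked _cisco-uds record makes an outside client take the internal path and never fall back to _collab-edge.

```python
"""Jabber-style service discovery over DNS SRV records (added example, not Cisco code).

The 'zones' below are constructed in-memory tables standing in for the
internal and external DNS views, so the module runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# SRV names the client tries, in the order shown in the registration flow.
SRV_UDS = "_cisco-uds._tcp."
SRV_CUPLOGIN = "_cuplogin._tcp."
SRV_EDGE = "_collab-edge._tls."

Resolver = Callable[[str], List[Srv]]


def make_resolver(zone: Dict[str, List[Srv]]) -> Resolver:
    """Lookup over a constructed zone table; an empty list stands for NXDOMAIN.
    Records come back in RFC 2782 order: lowest priority first, then highest weight."""
    return lambda name: sorted(zone.get(name.lower(), []),
                               key=lambda r: (r.priority, -r.weight))


def discover(domain: str, resolve: Resolver) -> Tuple[str, Optional[Srv]]:
    """Decide where the client is.

    'internal' if _cisco-uds or _cuplogin resolves (talk to CUCM/IM&P directly),
    'edge' if only _collab-edge resolves (go through Expressway-E),
    'none' if nothing resolves."""
    for prefix in (SRV_UDS, SRV_CUPLOGIN):
        records = resolve(prefix + domain)
        if records:
            return "internal", records[0]
    records = resolve(SRV_EDGE + domain)
    if records:
        return "edge", records[0]
    return "none", None


def split_horizon_problems(domain: str, external: Resolver) -> List[str]:
    """Internal-only SRV names that are visible from the public view.

    If either leaks, an outside client takes the 'internal' branch, tries to
    reach CUCM directly and never falls back to _collab-edge."""
    return [prefix + domain for prefix in (SRV_UDS, SRV_CUPLOGIN)
            if external(prefix + domain)]


# Constructed zones using the names from this deck.
INTERNAL_ZONE = {
    "_cisco-uds._tcp.coluc.com": [Srv(0, 0, 8443, "colcm9pub.coluc.com")],
    "_cuplogin._tcp.coluc.com": [Srv(0, 0, 8443, "colcup.coluc.com")],
    "_cisco-phone-tftp._tcp.coluc.com": [Srv(0, 0, 69, "colcm9pub.coluc.com")],
}
EXTERNAL_ZONE_OK = {
    "_collab-edge._tls.coluc.com": [Srv(0, 0, 8443, "xwaye.coluc.com")],
}
# A broken public zone that also publishes the internal-only record.
EXTERNAL_ZONE_LEAKY = {
    **EXTERNAL_ZONE_OK,
    "_cisco-uds._tcp.coluc.com": [Srv(0, 0, 8443, "colcm9pub.coluc.com")],
}

if __name__ == "__main__":
    print(discover("coluc.com", make_resolver(INTERNAL_ZONE)))
    print(discover("coluc.com", make_resolver(EXTERNAL_ZONE_OK)))
    print(discover("coluc.com", make_resolver(EXTERNAL_ZONE_LEAKY)))
    print(split_horizon_problems("coluc.com", make_resolver(EXTERNAL_ZONE_LEAKY)))
```

Run `split_horizon_problems` against the public resolver after every DNS change; an empty list is the expected result.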
Expressway – Mobile and Remote Access: domain and DNS settings

Scenario 1: a single domain
- Expressway servers: domain1.com
- UC servers: domain1.com
- IM&P domain: domain1.com
Diagram: expwayC.domain1.com, expwayE.domain1.com, cucm.domain1.com, cup.domain1.com, with IM and Presence Domain = domain1.com
Question: How do I log in?
Answer: with <userid>@domain1.com
Question: How is my external DNS configured?
Answer:
Entry                                        Resolves to
SRV record '_collab-edge._tls.domain1.com'   xwayE.domain1.com, port 8443
A record 'xwayE.domain1.com'                 external IP address of Expressway-E
Question: How is my Expressway-E configured?
Answer:
> System > DNS >
- System host name 'xwayE'
- Domain name 'domain1.com'
Question: How is my Expressway-C configured?
Answer:
> System > DNS >
- System host name 'xwayC'
- Domain name 'domain1.com'
> Configuration > Domains >
- Domain 'domain1.com' enabled for 'UCM registrations' and 'IM and Presence'
Question: How is my internal DNS configured?
Answer:
Entry                                      Resolves to
SRV record '_cisco-uds._tcp.domain1.com'   cucm.domain1.com, port 8443
A record 'cucm.domain1.com'                IP address of CUCM
Question: How is my CUCM configured?
Answer:
> CCMADMIN > System > Server
- Server with hostname 'cucm'
> CLI: set network domain domain1.com
Question: How is my CUP (IM&P) configured?
Answer:
> CUPAdmin > Cluster topology
- Node configured as 'cup.domain1.com'
- IM and Presence Domain 'domain1.com' (*)
(*) Only one IM and Presence domain is supported
Scenario 2: different domains inside and outside the network
- Expressway servers: domain2.com
- UC and CUP servers: domain1.com
- IM&P domain: domain1.com
Diagram: expwayC.domain2.com, expwayE.domain2.com, cucm.domain1.com, cup.domain1.com, with IM and Presence Domain = domain1.com
Question: How do I log in?
Answer:
- with <userid>@domain1.com
- jabber-config.xml has 'voiceservicesdomain' set to domain2.com
Question: How is my external DNS configured?
Answer:
Entry                                        Resolves to
SRV record '_collab-edge._tls.domain2.com'   xwayE.domain2.com, port 8443
A record 'xwayE.domain2.com'                 external IP address of Expressway-E
Question: How is my Expressway-E configured?
Answer:
> System > DNS >
- System host name 'xwayE'
- Domain name 'domain2.com'
Question: How is my Expressway-C configured?
Answer:
> System > DNS >
- System host name 'xwayC'
- Domain name 'domain2.com'
> Configuration > Domains >
- Domain 'domain1.com' enabled for 'UCM registrations' and 'IM and Presence'
- Domain 'domain2.com' enabled for 'UCM registrations' and 'IM and Presence'
Question: How is my internal DNS configured?
Answer:
Entry                                      Resolves to
SRV record '_cisco-uds._tcp.domain2.com'   cucm.domain1.com, port 8443
A record 'cucm.domain1.com'                IP address of CUCM
Question: How is my CUCM configured?
Answer:
> CCMADMIN > System > Server
- Server with hostname 'cucm'
> CLI: set network domain domain1.com
Question: How is my CUP (IM&P) configured?
Answer:
> CUPAdmin > Cluster topology
- Node configured as 'cup.domain1.com'
- IM and Presence Domain 'domain1.com'
Scenario 3: different domains inside and outside the network, plus a third domain for SIP
- Expressway servers: domain3.com
- UC and CUP servers: domain2.com
- IM&P domain: domain1.com
Diagram: expwayC.domain3.com, expwayE.domain3.com, cucm.domain2.com, cup.domain2.com, with IM and Presence Domain = domain1.com
Question: How do I log in?
Answer:
- with <userid>@domain1.com
- jabber-config.xml has 'voiceservicesdomain' set to domain3.com
Question: How is my external DNS configured?
Answer:
Entry                                        Resolves to
SRV record '_collab-edge._tls.domain3.com'   xwayE.domain3.com, port 8443
A record 'xwayE.domain3.com'                 external IP address of Expressway-E
Question: How is my Expressway-E configured?
Answer:
> System > DNS >
- System host name 'xwayE'
- Domain name 'domain3.com'
Question: How is my Expressway-C configured?
Answer:
> System > DNS >
- System host name 'xwayC'
- Domain name 'domain3.com'
> Configuration > Domains >
- Domain 'domain1.com' enabled for 'UCM registrations' and 'IM and Presence'
- Domain 'domain2.com' enabled for 'UCM registrations' and 'IM and Presence'
- Domain 'domain3.com' enabled for 'UCM registrations' and 'IM and Presence'
Question: How is my internal DNS configured?
Answer:
Entry                                      Resolves to
SRV record '_cisco-uds._tcp.domain3.com'   cucm.domain2.com, port 8443
A record 'cucm.domain2.com'                IP address of CUCM
Question: How is my CUCM configured?
Answer:
> CCMADMIN > System > Server
- Server with hostname 'cucm'
> CLI: set network domain domain2.com
Question: How is my CUP (IM&P) configured?
Answer:
> CUPAdmin > Cluster topology
- Node configured as 'cup.domain2.com'
- IM and Presence Domain 'domain1.com'
Expressway – Mobile and Remote Access: UC domain not configured
The Expressway or UC domain is not added on Expressway-C, or is not enabled for Unified Communications.
Jabber login fails with "Cannot communicate with the server".
Diagnostic log:
HTTPMSG:
GET https:///Y29sdWMuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Accept: */*
User-Agent: Jabber-Win-345

HTTPMSG:
HTTP/1.1 403 Forbidden
Date: Mon, 17 Mar 2014 16:07:20 GMT
Connection: close
Server: CE_E
Content-Length: 0

The path segment 'Y29sdWMuY29t' is base64 and decodes to 'coluc.com'.
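Added example (not Expressway code): decode the base64 domain segment of the get_edge_config path and decide whether the request should be accepted. The domain table with its 'UCM registrations' and 'IM and Presence' flags mirrors the Configuration > Domains settings on the previous slides; the 200/403 decision rule is an assumption modelled on the 403 shown here, and the request line is reconstructed from the log excerpt.

```python
"""get_edge_config request check (added example, not Expressway code)."""
import base64
import re
from typing import Dict, List, NamedTuple
from urllib.parse import parse_qs, urlsplit


class EdgeRequest(NamedTuple):
    domain: str
    services: List[str]


class DomainConfig(NamedTuple):
    """The two 'Configuration > Domains' switches named in this deck."""
    ucm_registrations: bool
    im_and_presence: bool


_REQ_LINE = re.compile(r"^GET\s+(\S+)\s+HTTP/1\.[01]$")


def b64decode_domain(segment: str) -> str:
    """The path segment is base64 without '=' padding; restore it before decoding."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded).decode("ascii")


def parse_edge_request(request_line: str) -> EdgeRequest:
    """Pull the domain and the requested service_name values out of the request line."""
    m = _REQ_LINE.match(request_line.strip())
    if not m:
        raise ValueError("not an HTTP GET request line")
    url = urlsplit(m.group(1))
    parts = [p for p in url.path.split("/") if p]
    if len(parts) != 2 or parts[1] != "get_edge_config":
        raise ValueError("unexpected path %r" % url.path)
    return EdgeRequest(b64decode_domain(parts[0]),
                       parse_qs(url.query).get("service_name", []))


def decide(req: EdgeRequest, domains: Dict[str, DomainConfig]) -> int:
    """Assumed rule modelled on the 403 above: 200 only if the decoded domain is
    configured on Expressway-C and enabled for the service families requested."""
    cfg = domains.get(req.domain.lower())
    if cfg is None:
        return 403  # domain not added at all
    wants_ucm = any(s in ("_cisco-uds", "_cisco-phone-tftp") for s in req.services)
    wants_imp = "_cuplogin" in req.services
    if (wants_ucm and not cfg.ucm_registrations) or (wants_imp and not cfg.im_and_presence):
        return 403  # added, but not enabled for what the client asked for
    return 200


# Request line reconstructed from the diagnostic log excerpt on this slide.
REQUEST_LINE = ("GET https:///Y29sdWMuY29t/get_edge_config"
                "?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1")

if __name__ == "__main__":
    req = parse_edge_request(REQUEST_LINE)
    print(req)                                                    # domain 'coluc.com'
    print(decide(req, {}))                                        # 403, domain not added
    print(decide(req, {"coluc.com": DomainConfig(True, False)}))  # 403, IM&P not enabled
    print(decide(req, {"coluc.com": DomainConfig(True, True)}))   # 200
```

When chasing a 403 like the one above, decoding the segment is the first step: it tells you which domain Expressway-C was asked about, and that is the name that has to appear (and be enabled) under Configuration > Domains.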
Expressway – Mobile and Remote Access: IM&P (SIP) domain not configured
The IM&P domain is not added, or is not enabled for IM&P.
Jabber login fails with "Cannot communicate with the server".
Diagnostic log:
xwaye XCP_JABBERD[12144]: UTCTime="2014-03-14 14:30:25,310" ThreadID="140582990952192" Module="Jabber" Level="INFO " CodeLocation="deliver.c:1492" Detail="bouncing a packet to 'domain3.com' from 'cm-1_jsmcp-1.xwaye-domain1.com'"
xwaye XCP_CM[12513]: UTCTime="2014-03-14 14:30:25,310" ThreadID="140004551300864" Module="cm-1.xwaye-domain1.com" Level="INFO " CodeLocation="SASLManager.cpp:198" Detail="Failed to query auth component for SASL mechanisms"
Certificates

Certificates: Maintenance > Security certificates > Server certificate (screenshot)

Certificates: Maintenance > Security certificates > Trusted CA certificate (screenshot)
Expressway-C certificate requirements: CA signed
- Must be signed by a CA
- Used for the traversal zone with Expressway-E
- Used for the connection to CUCM when the device security mode is Authenticated or Encrypted
- The CA root certificate must be uploaded to "Trusted CA certificate" on both Expressways
- The CA root certificate must be uploaded to CallManager-trust on every server in the cluster
Expressway-C certificate requirements: CA root not loaded on Expressway-E
Symptom: Traversal Zone state Failed
Expressway-C diagnostic and event logs (traversal client):
xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25016" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="xwaye.coluc.com" Level="1" UTCTime="2014-03-24 17:33:30,872"
Expressway-C certificate requirements: CA root not loaded on CUCM
Softphone registration is refused when the device security mode is Authenticated or Encrypted.
Expressway-C diagnostic and event logs:
2014-03-24T18:57:37+00:00 xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25264" Dst-ip="10.48.55.96" Dst-port="5061" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="COLCM9PUB.coluc.com" Level="1" UTCTime="2014-03-24 18:57:37,777"
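Added example (not Cisco tooling) covering both the traversal-zone case and the CUCM case: parse the Key="Value" format of Expressway event lines and point at the trust store that needs the CA root. The two sample lines are the ones from this slide and the previous one, retyped with plain ASCII quotes; the port-to-peer mapping is read off those same lines. "tlsv1 alert unknown ca" is an alert sent by the peer, so it is the peer's trust list that is missing the CA, not Expressway-C's.

```python
"""Triage Expressway 'Outbound TLS Negotiation Error' events (added example, not Cisco tooling)."""
import re
from typing import Dict, List, Tuple

# Expressway event lines are a sequence of Key="Value" pairs; keys may contain '-'.
_KV = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Return the Key="Value" pairs of one event line as a dict."""
    return dict(_KV.findall(line))


# Destination port -> (peer that sent the alert, what to fix). Taken from the two
# log lines in this deck: 7001 is the traversal zone towards Expressway-E,
# 5061 is SIP over TLS towards CUCM.
PEER_BY_PORT: Dict[str, Tuple[str, str]] = {
    "7001": ("Expressway-E (traversal zone)",
             "upload the CA root to 'Trusted CA certificate' on Expressway-E"),
    "5061": ("CUCM (SIP TLS)",
             "upload the CA root to CallManager-trust on every CUCM node"),
}


def triage(line: str) -> str:
    """Explain one event line. An 'unknown ca' alert means the peer does not
    trust the CA that signed our (Expressway-C) certificate."""
    ev = parse_event(line)
    if ev.get("Event") != "Outbound TLS Negotiation Error":
        return "not a TLS negotiation error"
    detail = ev.get("Detail", "")
    if "unknown ca" not in detail.lower():
        return "TLS error, but not a trust failure: " + detail
    peer, fix = PEER_BY_PORT.get(ev.get("Dst-port", ""),
                                 ("unknown peer", "check the trusted CA list on the peer"))
    return "%s at %s:%s (cert CN %s) does not trust our CA; %s" % (
        peer, ev.get("Dst-ip", "?"), ev.get("Dst-port", "?"), ev.get("Common-name", "?"), fix)


def triage_all(lines: List[str]) -> List[str]:
    """Verdicts for every TLS negotiation event in a batch of log lines."""
    return [triage(line) for line in lines if "TLS Negotiation" in line]


# The two lines from this deck, retyped with plain ASCII quotes.
SAMPLE_LOG = [
    'xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" '
    'Src-port="25016" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" '
    'Protocol="TLS" Common-name="xwaye.coluc.com" Level="1" UTCTime="2014-03-24 17:33:30,872"',
    '2014-03-24T18:57:37+00:00 xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" '
    'Src-ip="10.48.55.98" Src-port="25264" Dst-ip="10.48.55.96" Dst-port="5061" '
    'Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="COLCM9PUB.coluc.com" '
    'Level="1" UTCTime="2014-03-24 18:57:37,777"',
]

if __name__ == "__main__":
    for verdict in triage_all(SAMPLE_LOG):
        print(verdict)
```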
Expressway-C certificate requirements: Extended Key Usage
- TLS Web Server Authentication (*)
- and TLS Web Client Authentication
(*) Added automatically
Expressway-C certificate requirements: the SAN must include the IM&P server's 'Chat node alias'
- Required for XMPP federation
- Added automatically after IM&P discovery
- To add it manually, see CUPADMIN > Messaging > Group Chat Server Alias Mapping, Find

CUPADMIN > Messaging > Group Chat Server Alias Mapping (screenshot)
Expressway-C – Certificate requirements
The SAN must include the 'Device Security Profile Name'
- Needed to establish the TLS connection to CUCM
- Some (public) CAs do not allow a bare name in the SAN; in that case the profile name must be in FQDN format (for example abc.def.com)

Expressway-C – Certificate requirements
System > Security > Phone Security Profile

Expressway-C – Certificate requirements: Security Profile added to the SAN (CUCM trace)
SIPTcp - Connection Indication - Listen Port = 5061, Peer Port = 25002
SIPTcp - wait_SdlReadRsp: Incoming SIP TCP message from 10.48.55.98 on port 25002 index 10 with 2994 bytes:
[53,NET]REGISTER sip:COLCM9PUB SIP/2.0
…
//SIP/SIPHandler/ccbId=0/scbId=0/wait_SIPCertificateInd: could not find a trunk device using address or x509SubjectName calling findSIPStationInit
//SIP/SIPHandler/ccbId=0/scbId=0/findDeviceByX509Subject: x509Subject:xwayc.coluc.com, port:5061
//SIP/SIPHandler/ccbId=25/scbId=0/findDevicePID: Routed to SIPStationInit
…
SIPStationInit: connId=10, CSFEWAYJ, 10.48.55.98:5061, Incoming register request received over TLS. Subject=[/C=BE/ST=BRABANT/L=DIEGEM/O=CISCO/OU=TAC/CN=xwayc.coluc.com]
…
SIPStationD(9) - validTLSConnection:TLS InvalidX509NameInCertificate, Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next
SIPStationD(9) - validTLSConnection: Found matching SAN, SAN Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com;csf-secure, Expected=csf-secure

Expressway-C – Certificate requirements: Security Profile not added to the SAN (CUCM trace)
SIPTcp - Connection Indication - Listen Port = 5061, Peer Port = 25004
SIPTcp - wait_SdlReadRsp: Incoming SIP TCP message from 10.48.55.98 on port 25004 index 10 with 2994 bytes:
[53,NET]REGISTER sip:COLCM9PUB SIP/2.0
…
//SIP/SIPHandler/ccbId=0/scbId=0/wait_SIPCertificateInd: could not find a trunk device using address or x509SubjectName calling findSIPStationInit
//SIP/SIPHandler/ccbId=0/scbId=0/findDeviceByX509Subject: x509Subject:xwayc.coluc.com, port:5061
//SIP/SIPHandler/ccbId=25/scbId=0/findDevicePID: Routed to SIPStationInit
…
SIPStationInit: connId=10, CSFEWAYJ, 10.48.55.98:5061, Incoming register request received over TLS. Subject=[/C=BE/ST=BRABANT/L=DIEGEM/O=CISCO/OU=TAC/CN=xwayc.coluc.com]
…
SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate, Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next
SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate Error , did not find matching SAN either, Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com, Expected=csf-secure

Expressway-E – Certificate requirements
CA signed
- Must be signed by a CA
- Used for the Traversal Zone with Expressway-C
- The CA root certificate must be loaded into "Trusted CA certificate" on both Expressways

Expressway-E – Certificate requirements: CA root not loaded on Expressway-C
Traversal Zone State
Expressway-E diagnostic logs:
xwaye tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25006" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1" UTCTime="2014-03-25 09:52:36,680"
Expressway-E event logs

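The three failure signatures shown on the preceding slides (an Expressway "tlsv1 alert unknown ca" negotiation error towards port 7001 or 5061, and the CUCM validTLSConnection SAN check) can be triaged mechanically. The Go program below is an added example, not Cisco's code or anything from the deck: it parses constructed sample lines in those two formats and names the side that is missing the CA root, or the SAN entry CUCM could not find, following the mapping the slides give.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	kvRe    = regexp.MustCompile(`([A-Za-z-]+)="([^"]*)"`)                          // key="value" pairs of a tvcs event line
	sanRe   = regexp.MustCompile(`Rcvd=([^,\s]+), Expected=([\w.-]+?)\.?(?:\s|$)`)     // CUCM validTLSConnection name check
	service = map[string]string{"7001": "traversal zone", "5061": "SIP TLS to CUCM"} // destination ports seen in the deck
)

// Diagnose maps one log line to the cause the deck gives for it; "" means no known failure on that line.
func Diagnose(line string) string {
	// CUCM SIPStationD trace: on a full trace the CN check precedes the SAN check, so the last match decides.
	if m := sanRe.FindAllStringSubmatch(line, -1); len(m) > 0 {
		last := m[len(m)-1]
		if strings.Contains(";"+last[1]+";", ";"+last[2]+";") {
			return "" // "Found matching SAN": the device security profile name is in the SAN list
		}
		return fmt.Sprintf("CUCM: security profile name %q is not in the Expressway-C SAN [%s]", last[2], last[1])
	}
	// Expressway tvcs event: collect the key="value" fields.
	kv := map[string]string{}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		kv[m[1]] = m[2]
	}
	if !strings.HasSuffix(kv["Event"], "TLS Negotiation Error") || !strings.Contains(kv["Detail"], "unknown ca") {
		return ""
	}
	svc, ok := service[kv["Dst-port"]]
	if !ok {
		svc = "port " + kv["Dst-port"]
	}
	// The "unknown ca" alert is sent by the side that cannot chain our certificate to a CA it trusts:
	// the destination of an outbound handshake, the source of an inbound one.
	peer, side := kv["Dst-ip"], "server"
	if strings.HasPrefix(kv["Event"], "Inbound") {
		peer, side = kv["Src-ip"], "client"
	}
	return fmt.Sprintf("%s (%s %s) sent 'unknown ca': upload the CA root certificate to its trusted CA list", peer, svc, side)
}

func main() {
	// Constructed sample lines in the formats the deck shows (Expressway tvcs event, CUCM SIPStationD trace).
	fmt.Println(Diagnose(`xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25016" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1"`))
	fmt.Println(Diagnose(`SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate Error , did not find matching SAN either, Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com, Expected=csf-secure`))
}
```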
Expressway-E – Certificate requirements
The SAN must include all domains in use (*)
- The domain used for Jabber login
- The VoiceServicesDomain from jabber-config.xml (if present)
- The IM&P (CUP) domain (if different)
= all UC domains that exist
(*) See the domains section for details

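The certificate requirements collected on these slides (EKU carrying both TLS Web Server and TLS Web Client Authentication; SAN carrying every UC domain, the IM&P chat node alias and the device security profile name) can be checked before the certificate is installed. The following Go program is an added example and not part of the deck: it uses crypto/x509 to build a constructed self-signed certificate only so that there is something to check, and the names xwayc.coluc.com, conference-2-ecup9.coluc.com and csf-secure are taken from the deck's CUCM trace.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// mraEKU is the Extended Key Usage the deck requires: TLS Web Server AND TLS Web Client Authentication.
var mraEKU = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}

// CheckCert returns the requirements cert fails (empty means it passes); requiredSANs is the operator's list of every UC domain, the IM&P chat node alias and the device security profile name.
func CheckCert(cert *x509.Certificate, requiredSANs []string) []string {
	var missing []string
	if !slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageServerAuth) {
		missing = append(missing, "EKU TLS Web Server Authentication")
	}
	if !slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageClientAuth) {
		missing = append(missing, "EKU TLS Web Client Authentication")
	}
	for _, n := range requiredSANs {
		if !slices.Contains(cert.DNSNames, n) { // SAN dNSName entries; the profile name may be a bare label
			missing = append(missing, "SAN "+n)
		}
	}
	return missing
}

// selfSigned builds a throwaway certificate with the given SAN and EKU (constructed test input; a real Expressway certificate is CA-signed, but only the extensions matter for this check).
func selfSigned(sans []string, eku []x509.ExtKeyUsage) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
		DNSNames:     sans,
		ExtKeyUsage:  eku,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	req := []string{"xwayc.coluc.com", "conference-2-ecup9.coluc.com", "csf-secure"} // names from the deck's CUCM trace
	fmt.Println(CheckCert(selfSigned(req[:2], mraEKU[:1]), req)) // [EKU TLS Web Client Authentication SAN csf-secure]
}
```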
Certificates – General recommendations
- It is better to use CA-signed certificates on CUCM as well
- Do not forget to add the CA root to "Trusted CA Certificate"
- If CUCM uses self-signed certificates, the Tomcat and CUCM certificates must be added to "Trusted CA Certificate" on Expressway-C
- BUT there is the following defect: "CSCun30200: Unable to configure secure MRA UCM using self signed certs"

Known limitations and issues

No SRTP between Expressway-C and the internal phone
• Media between Expressway-C and internal phones runs as RTP/AVP instead of RTP/SAVP, even though both sides support encryption.
Diagram: Collaboration Infrastructure (with SIP security profile = Encrypted) --RTP-- XWY-C --SRTP-- XWY-E --SRTP--

SIP Early Media support
The Expressway B2BUA will support Early Media in X8.5
Diagram: Jabber --INVITE--> CUCM; CUCM --TRYING--> Jabber; CUCM --183 SESSION PROGRESS (with SDP)--> Jabber
183 Session Progress is used to cut through media while the call is being set up (early media)
"CSCul52293: Edge calls are missing or have incorrect tones and announcements"

TURN/ICE support
ICE is not supported on CUCM: do not enable TURN/ICE on Expressway
For calls between users outside the network, media will pass through Expressway-C

Rich Media licence usage
With addresses, zones and NAT configured correctly, calls should not consume Rich Media licences on Expressway
Check this during initial setup

Using a SIP trunk between Expressway-C and CUCM
Expressway-C registers MRA clients to CUCM from its own address
The SIP trunk for Rich Media calls between Expressway-C and CUCM must therefore use different TCP ports (for example 5060->5560, 5061->5561)

Thank you