Решение Cisco Collaboration Edge

РешениеCisco Collaboration EdgeМихаил ЩекотиловCustomer Support Engineer, Cisco TAC Russia

7913

2© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Обзор архитектуры решения и компонент Процесс регистрации клиента Cisco Jabber Важные моменты при подготовке инфраструктуры Домены и DNS Сертификаты

Известные ограничения и проблемы

Содержание


Обзор архитектуры решения и компонент


Collaboration Edge – решение и архитектура для предоставления услуг голосовой связи и расширенных сервисов через границу корпоративной сети

Expressway – продукт на основе VCS, предназначенный для преодоления границы

Mobile and Remote Access – функционал решения, который обеспечивает работу удаленных клиентов с использованием Cisco Jabber

Терминология


Что сможет Cisco Jabber?

Make voice and video calls

Instant Message and Presence

Access visual voicemail

Search corporate directory

Launch a web conference

Share content

Inside firewall (Intranet)

Outside firewall(Public Internet)

Collaboration Services

Internet

DMZ

ExpresswayE

ExpresswayC

Unified CM


Модель CUCM + IM&P


Модель CUCM + Webex


Компоненты решения

Jabber Client ExpressWay C Internal DNS CUCM Home UDS

TFTPServer

IM＆PServer

Expressway EExternal DNS

• External и Internal DNS – сервера DNS• Expressway E(dge) – точка входа и Firewall Traversal Server• Expressway C(ore) – Firewall Traversal Client и Reverse HTTP Proxy• CUCM:

• UDS (User Data Services) – данные о пользователях, устройствах, сервисах и т.п.

• TFTP – конфигурационные файлы• IM&P (Instant Messaging & Presence) – сервисы директории, обмена

сообщениями и присутствия


Процесс регистрации клиента Cisco Jabber


Jabber Client ExpressWay C Internal DNS CUCM Home UDS

TFTPServer

IM＆PServer

Expressway EExternal DNS

DNS Query

SRV _cisco-uds._tcp.coluc.com

Query Response

DNS Query

SRV _cuplogin._tcp.coluc.com

Not Found

Query Response

Not Found

Регистрация Cisco Jabber


ExpressWay C Internal DNS CUCM Home UDS

TFTPServer

IM＆PServer

DNS Query

SRV _collab-edge._tls.coluc.com

Query Response

(Contain “Answers” including SRV and A/AAAA record)Service: collab-edgeProtocol: tlsName: coluc.comType: SRVPort: 8443Target: xwaye.coluc.comSRV coluc.com

DNS Query

A xwaye.coluc.com

Query Response

(Contain “Answers” including A/AAAA record)Name: xwaye.coluc.comType: AAddr: 122.208.118.4

Jabber Client Expressway EExternal DNS



VCS Control Internal DNS CUCM Home UDS

TFTPServer

IM＆PServer

SSL: Client Hello

SSL: Server Hello

SSL: Certificate, Server Hello Done

HTTPS

HTTPS: GET /get_edge_configHTTPMSG:GET https:///Y2lzY290cC5jb20/get_edge_config HTTP/1.1Authorization: xxxxx <= Basic username and passwordHost: xwaye.coluc.com:8443User-Agent: Jabber-Win-746

HTTPS

HTTPS: GET /get_edge_configHTTPMSG:GET http://vcs_control.coluc.com:8443/Y2lzY290cC5jb20/get_edge_config HTTP/1.1Authorization: xxxxx <= Basic username and passwordHost: vcs_control.coluc.com:8443User-Agent: Jabber-Win-746X-Forwarded-For: 64.104.46.217 <= Address of Jabber client that VCS-E received fromVia: https/1.1 vcs[7AD07604] (ATS)

Jabber Client VCS ExpresswayExternal DNS

Establish secure communication channel between VCS-E

Client requests Edge Configuration data




TFTPServer

IM＆PServer

DNS Query

SRV _cisco-uds._tcp.coluc.com

Query Response

(Target: colcm9pub.coluc.com)

DNS Query

A colcm9pub.coluc.com

Query Response

(Addr: 172.16.1.36


When DNS record is not cached ExpressWay C will send out following DNS queries


SRV _cisco-phone-tftp._tcp.coluc.com

Query Response

(Target: colcm9pub.coluc.com)



TFTPServer

IM＆PServer

DNS Query

SRV _cuplogin._tcp.coluc.com

Query Response

(Target: colcup.coluc.com)

DNS Query

A colcup.coluc.com

Query Response

(Addr: 172.16.1.33)




Expressway C Internal DNS CUCM Home UDS

TFTPServer

IM＆PServer

HTTP(S)

HTTPS: GET //<cucm-fqdn>/cucm-uds/clusterUser?<user-name>HTTPMSG:GET //colcm9pub:8443/cucm-uds/clusterUser?username=xwayj HTTP/1.1


HTTP(S) 200 OK

HTTPMSG:HTTP/1.1 200 OK Content-Type: application/xml Server: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><clusterUser uri="https://colcm9pub:8443/cucm-uds/clusterUser?username=xwayj" version="9.1.2"><result version="9.1.2" uri="https://172.16.1.36:8443/cucm-uds/user/xwayj" found="true"/><homeCluster>172.16.1.36</homeCluster></clusterUser>

Requesting CUCM home node information

Should see “Found user cluster” and “Found UDS server” internal status log this point in diagnostic log===========================================================Module="developer.edgeconfigprovisioning.server" Level="DEBUG" CodeLocation="edgeconfigprovisioningserver(655)" Detail="Found user cluster" Username=xwayj" Cluster="172.16.1.36“

Module="developer.edgeconfigprovisioning.server" Level="DEBUG" CodeLocation="edgeconfigprovisioningserver(682)" Detail="Found UDS server" Cluster="172.16.1.36" UdsServer="colcm9pub“===========================================================




TFTPServer

IM＆PServer

HTTP(S)

HTTPS: GET //<cucm-fqdn>/cucm-uds/user/<user-name>/devicesHTTPMSG:GET //colcm9pub:8443/cucm-uds/user/xwayj/devices HTTP/1.1 Authorization: <CONCEALED>


HTTP(S) 200 OK

HTTPMSG:HTTP/1.1 200 OK Set-Cookie: JSESSIONIDSSO=xxxxx, Path=/; Secure; HttpOnlySet-Cookie: JSESSIONID=xxxxx; Path=/cucm-uds/; Secure; HttpOnlyContent-Type: application/xml <?xml version="1.0" encoding="UTF-8" standalone="yes"?><devices version="9.1.2" uri="https://colcm9pub:8443/cucm-uds/user/xwayj/devices"><device hasPrimaryNumber="false" uri="https://colcm9pub:8443/cucm-uds/user/xwayj/device/663e40ed-b3bd-3060-5483-b6721d04c32e"><id>663e40ed-b3bd-3060-5483-b6721d04c32e</id><name>CSFxwayj</name><model>Cisco Unified Client Services Framework</model> ….. </device></devices> |

Get Devices




TFTPServer

IM＆PServer

HTTPS 200 OK

HTTPMSG:HTTP/1.1 200 OKServer: CE_C ECSSet-Cookie: X-Auth=<edge token>; Expires=xxxxx; Domain=.coluc.com; Path=/; Secure<?xml version='1.0' encoding='UTF-8'?> <getEdgeConfigResponse version="1.0"><serviceConfig><service><name>_cisco-phone-tftp</name><server><priority>0</priority><weight>0</weight><port>69</port><address>colcm9pub.coluc.com</address></server></service><service><name>_cuplogin</name><server><priority>0</priority><weight>0</weight><port>8443</port><address>imp33.coluc.com</address></server> ….. </edgeConfig></getEdgeConfigResponse>|


HTTPS 200 OK

HTTPMSG:HTTP/1.1 200 OKServer: CE_C ECSSet-Cookie: X-Auth=<edge token>; Expires=xxxxx; Domain=.coluc.com; Path=/; Secure<?xml version='1.0' encoding='UTF-8'?> <getEdgeConfigResponse version="1.0"><serviceConfig><service><name>_cisco-phone-tftp</name><server><priority>0</priority><weight>0</weight><port>69</port><address>colcm9pub.coluc.com</address></server></service><service><name>_cuplogin</name><server><priority>0</priority><weight>0</weight><port>8443</port><address>imp33.coluc.com</address></server> ….. </edgeConfig></getEdgeConfigResponse>|

Returned configuration:1) IMP, CUCM, TFTP SRV2) SIP edge3) Randomized list of UDS4) XMPP edge5) HTTP edgeetc.




TFTPServer

IM＆PServer

HTTPS


HTTPS: GET /jabber-config.xmlHTTPMSG:GET https:///...../jabber-config.xml HTTP/1.1Host: xwaye.coluc.com:8443Cookie: X-Auth=<edge token>User-Agent: Jabber-Win-746

HTTPS: POST /EPASSoap/service/ loginHTTPMSG:POST https:///...../EPASSoap/service/v80 HTTP/1.1Host: xwaye.coluc.com:8443User-Agent: gSOAP/2.8User-Agent: Jabber-Win-746Cookie: $Version=1;X-Auth=<edge token>;$Path="/";$Domain=".coluc.com“SOAPAction: "urn:cisco:epas:soap/EpasSoapServiceInterface/login"


HTTPS: POST /EPASSoap/service / get_all_config…

HTTPS: POST /EPASSoap/service / get_user_config…

System & User configuration, licensing features, etc.

HTTPS: POST /EPASSoap/service / get_onetime_password…

Password to be used for subsequent IMP xmpp logon



TFTPServer

IM＆PServer

HTTPS


HTTPS: GET /EPASSoap/service / CTLSEP<CSFUSERNAME>.tlvHTTPMSG:GET https:///...../CTLSEPCSFxwayj.tlv HTTP/1.1Authorization: xxxxxHost: xwaye.coluc.com:8443Cookie: X-Auth=<edge token>User-Agent: Jabber-Win-746

HTTPS: GET /EPASSoap/service / CTLSEP<CSFUSERNAME>.cnf.xmlHTTPMSG:GET https:///....../CSFxwayj.cnf.xml HTTP/1.1Authorization: xxxxxHost: xwaye.coluc.com:8443Cookie: X-Auth=<edge token>User-Agent: Jabber-Win-746




TFTPServer

IM＆PServer


SIP - REFER

REFER sip:colcm9pub SIP/2.0Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d Call-ID: [email protected] CSeq: 1000 REFERFrom: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf To: <sip:8300100@colcm9pub> Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.30:5061;transport=tls;zone-id=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>

SIP 407 Proxy

Authentication Required

Client includes the route set received at startup negotiation




TFTPServer

IM＆PServer

SIP - REFER


REFER sip:colcm9pub SIP/2.0Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d Call-ID: [email protected] CSeq: 1001 REFERFrom: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf To: <sip:8300100@colcm9pub> Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.31:5061;transport=tls;zone-id=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>Proxy-Authorization: Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub", response="4900cdfe65c4a4551f1129903c9ed98d", nonce=“xxxxx", opaque=“xxxxx", cnonce="000030a0", qop=auth, nc=00000001, algorithm=MD5


SIP SERVICE

CSeq: 100 SERVICE From: <sip:serviceproxy@colcm9pub>;tag=c726e3c167f0c775 To: <sip:serviceserver@colcm9pub> Event: serviceP-Asserted-Identity: <sip:serviceproxy@colcm9pub> <?xml version="1.0" encoding="utf-8"?> <methodCall><params><username>xwayj</username>…..<uri>sip:colcm9pub</uri><method>REFER</method><id>30</id><reqtype>collab-edge</reqtype></params> <methodName>DigestAuth</methodName> …..</sipdomain> </methodCall>

Delegated credential checking on Refer request



TFTPServer

IM＆PServer

SIP - REFER


REFER sip:colcm9pub SIP/2.0Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d Call-ID: [email protected] CSeq: 1001 REFERRefer-To: <cid:[email protected]> Referred-By: <sip:[email protected]>From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf To: <sip:colcm9pub>Route: <sip:colcm9pub;transport=tcp;lr>P-Asserted-Identity: <sip:[email protected]>

SIP - REFER

REFER sip:colcm9pub SIP/2.0Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d Call-ID: [email protected] CSeq: 1001 REFERRefer-To: <cid:[email protected]> Referred-By: <sip:[email protected]>From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf To: <sip:colcm9pub>Route: <sip:colcm9pub;transport=tcp;lr>P-Asserted-Identity: <sip:[email protected]>




TFTPServer

IM＆PServer


SIP

202 Accepted

SIP

202 Accepted

SIP

202 Accepted

Registration request including Contact and all Route information

SIP - REGISTER

REGISTER sip:colcm9pub SIP/2.0 Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d Call-ID: [email protected] CSeq: 101 REGISTER Contact: <sip:..... @10.71.50.153:50036;transport=tls>;+sip.instance="<urn:uuid:00000000-0000-0000-0000-081196545e65>";+sip.instance="<urn:uuid:00000000-0000-0000-0000-081196545e65>";+u.sip!devicename.ccm.cisco.com="CSFxwayj";+u.sip!model.ccm.cisco.com="503";videoFrom: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf To: <sip:8300100@colcm9pub> Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.30:5061;transport=tls;zone-id=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>

SIP 407 Proxy

Authentication Required




TFTPServer

IM＆PServer

SIP - REGISTER


REGISTER sip:colcm9pub SIP/2.0 Via: SIP/2.0/TLS 10.71.50.153:50036;branch=…..CSeq: 102 REGISTER Contact: <sip:[email protected]:50036;transport=tls>….. +u.sip!devicename.ccm.cisco.com="CSFxwayj";+u.sip!model.ccm.cisco.com="503"From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf To: <sip:8300100@colcm9pub> Proxy-Authorization: Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub", response="4900cdfe65c4a4551f1129903c9ed98d", nonce=“xxxxx", opaque=“xxxxx", cnonce="000030a0", qop=auth, nc=00000001, algorithm=MD5




TFTPServer

IM＆PServer

SIP - REGISTER


REGISTER sip:colcm9pub SIP/2.0 Via: SIP/2.0/TCP 0.0.0.0;egress-zone=TokyoVCS;…..;proxy-call-id=…..Via: SIP/2.0/TLS 10.71.50.153:50036;branch=…..;received=64.104.46.217;rport=9706;ingress-zone=CollaborationEdgeZone

CSeq: 102 REGISTER From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf To: <sip:8300100@colcm9pub>

Via information include;1) Edge zone name2) Client local and NAT address with

port number

SIP - REGISTER

REGISTER sip:colcm9pub SIP/2.0 Via: SIP/2.0/TCP 172.16.1.30:5060;egress-zone=CEtcpcolcm9pub;…..;proxy-call-id=….. Via: SIP/2.0/TCP 0.0.0.0;egress-zone=TokyoVCS;…..;proxy-call-id=…..Via: SIP/2.0/TLS 10.71.50.153:50036;branch=…..;received=64.104.46.217;rport=9706;ingress-zone=CollaborationEdgeZone

CSeq: 101 REGISTER From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf To: <sip:8300100@colcm9pub>Route: <sip:colcm9pub;transport=tcp;lr>

Proxy registration to CUCM

Cseq number for REGISTER is managing separately

SIP

200 OK



Важные моменты при подготовке инфраструктуры

Домены и DNS


Для обнаружения сервисов используются сервисные записи DNS (SRV).

В зависимости от результатов запросов клиент определяет находится ли он внутри или вне сети.

Вне сети должна разрешаться SRV запись ‘_collab-edge._tls.<domain>’, которая должна указывать на ExpressWay E.

Только внутри сети должна разрешаться SRV запись ‘_cisco-uds._tcp.<domain>’, которая указывает на кластер CUCM.

Только внутри сети должна разрешаться SRV запись ‘_cuplogin._tcp.<domain>’, которая указывает на кластер IM&P.

Обнаружение сервисов


ExpressWay – Mobile and Remote AccessНастройки доменов и DNS

Сценарий 1- Один домен- ExpressWay Servers : domain1.com- UC servers : domain1.com- IM&P domain : domain1.com

expwayC.domain1.com

Jabber Client Expressway C Internal DNS CUCM Home UDSExpressway EExternal DNS

expwayE.domain1 com cucm.domain1.com cup.domain1.comwith

IM and Presence Domain = domain1.com

IM＆P Server


expwayC.domain1.com




IM＆P Server

Question : How do I login?

Answer : With <userid>@domain1.com



xwayC.domain1.com

Jabber Client ExpressWay C Internal DNS CUCM Home UDSExpressway EExternal DNS

xwayE.domain1 com cucm.domain1.com cup.domain1.comwith


IM＆P Server

Question: How is my external DNS configured?Answer:

Entry Resolves toSRV record ‘_collab-edge._tls.domain1.com’ xwayE.domain1.com port 8443A record ‘xwayE.domain1.com’ External IP address ExpressWay E



xwayC.domain1.com


cucm.domain1.com cup.domain1.comwith


IM＆P Server

Question: How is my ExpressWay E configured?Answer:> System > DNS >- System host name ‘xwayE’- Domain name ‘domain1.com’






IM＆P Server

Question: How is my ExpressWay C configured?Answer:> System > DNS >

- System host name ‘xwayE’- Domain name ‘domain1.com’

> Configuration > Domains >- Domain ‘domain1.com’ enabled for ‘UCM registrations’ and ‘IM and Presence’






IM＆P Server

Question: How is my Internal DNS configured?Answer:

xwayC.domain1 com

Entry Resolves toSRV record ‘_cisco-uds._tcp.domain1.com’ cucm.domain1.com port 8443A record ‘cucm.domain1.com’ IP address CUCM




xwayE.domain1 com cup.domain1.comwith


IM＆P Server

Question: How is my CUCM configured?Answer:> CCMADMIN > System > Server

- Server with hostname ‘cucm’> CLI ‘set network domain ‘domain1.com’

xwayC.domain1 com




xwayE.domain1 com

IM＆P Server

Question: How is my CUP configured?Answer:> CUPAdmin > Clustertopology

- Node configuration with ‘cup.domain1.com- IM and Presence Domain with ‘domain1.com’(*)

xwayC.domain1 com cucm.domain1.com

(*) Only 1 is supported



Сценарий 2- Разные домены внутри и вне сети- Expressway servers : domain2.com- UC and CUP servers : domain1.com- IM&P domain : domain1.com

expwayC.domain2.com




IM＆P Server



expwayC.domain2.com




IM＆P Server


Answer :- With <userid>@domain1.com- jabber-config.xml has ‘voiceservicesdomain’ set to domain2.com



xwayC.domain2.com




IM＆P Server





xwayC.domain1.com




IM＆P Server







IM＆P Server



> Configuration > Domains >- Domain ‘domain1.com’ enabled for ‘UCM registrations’ and ‘IM and Presence’- Domain ‘domain2.com’ enabled for ‘UCM registrations’ and ‘IM and Presence’




xwayE.domain2.com cucm.domain1.com cup.domain1.comwith


IM＆P Server


xwayC.domain2.com







IM＆P Server



xwayC.domain1 com




xwayE.domain1 com

IM＆P Server


- Node configuration with ‘cup.domain1.com- IM and Presence Domain with ‘domain1.com’




Сценарий 3- Разные домены внутри и вне сети, третий домен для SIP- Expressway servers : domain3.com- UC and CUP servers : domain2.com- IM&P domain : domain1.com

expwayC.domain3.com




IM＆P Server



expwayC.domain3.com




IM＆P Server


Answer : - With <userid>@domain1.com- jabber-config.xml has voice ‘voiceservicesdomain’ set to domain3.com



xwayC.domain3.com




IM＆P Server





xwayC.domain3.com




IM＆P Server





xwayE.domain3.com cucm.domain2.com cup.domain2.comwith


IM＆P Server



> Configuration > Domains >- Domain ‘domain1.com’ enabled for ‘UCM registrations’ and ‘IM and Presence’- Domain ‘domain2.com’ enabled for ‘UCM registrations’ and ‘IM and Presence’ - Domain ‘domain3.com’ enabled for ‘UCM registrations’ and ‘IM and Presence’






IM＆P Server


xwayC.domain3 com







IM＆P Server



xwayC.domain3 com




xwayE.domain3 com

IM＆P Server


- Node configuration with ‘cup.domain2.com- IM and Presence Domain with ‘domain1.com’




Домен ExpressWay или UC не добавлен на ExpressWay C или не активирован для Unified Communications

Логин Jabber – Cannot communicate with the server Диагностический лог

HTTPMSG:|GEThttps:///Y29sdWMuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuploginHTTP/1.1Authorization: xxxxxHost: xwaye.coluc.com:8443Accept: */*User-Agent: Jabber-Win-345

HTTPMSG:|HTTP/1.1 403 ForbiddenDate: Mon, 17 Mar 2014 16:07:20 GMTConnection: closeServer: CE_EContent-Length: 0|

Decodes to ‘coluc.com’

ExpressWay – Mobile and Remote AccessНе настроен домен UC


Домен IM&P не добавлен или не активирован для IM&P Логин Jabber – Cannot communicate with the server Диагностический лог

xwaye XCP_JABBERD[12144]: UTCTime="2014-03-14 14:30:25,310" ThreadID="140582990952192" Module="Jabber" Level="INFO " CodeLocation="deliver.c:1492" Detail="bouncing a packet to 'domain3.com” from 'cm-1_jsmcp-1.xwaye-domain1.com'”

xwaye XCP_CM[12513]: UTCTime="2014-03-14 14:30:25,310" ThreadID="140004551300864" Module="cm-1.xwaye-domain1.com" Level="INFO " CodeLocation="SASLManager.cpp:198" Detail="Failed to query auth component for SASL mechanisms"

ExpressWay – Mobile and Remote Access Не настроен домен IM&P (SIP)

Сертификаты


Maintenance > Security Certificate > Server Certificate



Maintenance > Security Certificate > Trusted CA Certificate



CA Signed

- Должен быть подписан CA- Используется для Traversal Zone с ExpressWay E - Используется для связи с CUCM если режим безопасностиустройства настроен как Authenticated или Encrypted - Сертификат CA Root должен быть загружен в “Trusted CA certificate” на обоих ExpressWay- Сертификат CA Root должен быть загружен в Callmanager-trust на каждом сервере кластера

ExpressWay C – Требования к сертификату


Traversal Zone State Failed

Expressway-C Diagnostics logs (traversal client)

xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25016" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="xwaye.coluc.com" Level="1" UTCTime="2014-03-24 17:33:30,872”

Expressway Event logs

ExpressWay C – Требования к сертификатуCA Root не загружен на ExpressWay E


В регистрации Softphone отказано, если режим настроен как Authenticated или Encrypted

ExpressWay C – Требования к сертификатуCA Root не загружен на CUCM


ExpressWay-C diagnostic logs

2014-03-24T18:57:37+00:00 xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25264" Dst-ip="10.48.55.96" Dst-port="5061" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="COLCM9PUB.coluc.com" Level="1" UTCTime="2014-03-24 18:57:37,777”

Expressway-C event logs

ExpressWay C – Требования к сертификатуCA Root не загружен на CUCM


Extended Key Usage

- TLS Web Server Authentication*и- TLS Web Client Authentication

(*) Automatically added



SAN должен включать ‘Chat node alias’ сервера IM&P

- Требуется для федераций XMPP- Добавляется автоматически после IM&P Discovery- Чтобы добавить вручную смотрим CUPADMIN > Messaging > Group Chat Server Alias Mapping, Find.



CUPADMIN > Messaging > Group Chat Server Alias Mapping



SAN должен включать ‘Device Security Profile Name’

- Нужно, чтобы установить TLS соединение с CUCM- Некоторые (публичные) CA не позволяют использовать просто имя в SAN, в этом случае название профиля должно иметь формат FQDN (например abc.def.com)




System > Security > Phone Security Profile


SIPTcp - Connection Indication - Listen Port = 5061, Peer Port = 25002

SIPTcp - wait_SdlReadRsp: Incoming SIP TCP message from 10.48.55.98 on port 25002 index 10 with 2994 bytes:[53,NET]REGISTER sip:COLCM9PUB SIP/2.0……//SIP/SIPHandler/ccbId=0/scbId=0/wait_SIPCertificateInd: could not find a trunk device using address or x509SubjectName calling findSIPStationInit//SIP/SIPHandler/ccbId=0/scbId=0/findDeviceByX509Subject: x509Subject:xwayc.coluc.com, port:5061//SIP/SIPHandler/ccbId=25/scbId=0/findDevicePID: Routed to SIPStationInit… SIPStationInit: connId=10, CSFEWAYJ, 10.48.55.98:5061, Incoming register request received over TLS. Subject=[/C=BE/ST=BRABANT/L=DIEGEM/O=CISCO/OU=TAC/CN=xwayc.coluc.com]…SIPStationD(9) - validTLSConnection:TLS InvalidX509NameInCertificate, Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next SIPStationD(9) - validTLSConnection: Found matching SAN, SAN Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com;csf-secure, Expected=csf-secure

ExpressWay C – Требования к сертификатуSecurity Profile добавлен в SAN (CUCM trace)


SIPTcp - Connection Indication - Listen Port = 5061, Peer Port = 25004

SIPTcp - wait_SdlReadRsp: Incoming SIP TCP message from 10.48.55.98 on port 25004 index 10 with 2994 bytes:[53,NET]REGISTER sip:COLCM9PUB SIP/2.0……//SIP/SIPHandler/ccbId=0/scbId=0/wait_SIPCertificateInd: could not find a trunk device using address or x509SubjectName calling findSIPStationInit//SIP/SIPHandler/ccbId=0/scbId=0/findDeviceByX509Subject: x509Subject:xwayc.coluc.com, port:5061//SIP/SIPHandler/ccbId=25/scbId=0/findDevicePID: Routed to SIPStationInit… SIPStationInit: connId=10, CSFEWAYJ, 10.48.55.98:5061, Incoming register request received over TLS. Subject=[/C=BE/ST=BRABANT/L=DIEGEM/O=CISCO/OU=TAC/CN=xwayc.coluc.com]…SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate, Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate Error , did not find matching SAN either, Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com, Expected=csf-secure

ExpressWay C – Требования к сертификатуSecurity Profile не добавлен в SAN (CUCM trace)


ExpressWay C – Требования к сертификатуSecurity Profile не добавлен в SAN (CUCM trace)


ExpressWay E – Требования к сертификату

CA Signed

- Должен быть подписан CA- Используется для Traversal Zone с ExpressWay C - Сертификат CA Root должен быть загружен в “Trusted CA certificate” на обоих ExpressWay


Traversal Zone State

ExpressWay E diagnostic logsxwaye tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25006" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1" UTCTime="2014-03-25 09:52:36,680”

ExpressWay E event logs

ExpressWay E – Требования к сертификатуCA root не загружен на ExpressWay C


SAN должен включать все используемые домены (*)

- Домен, используемый для логина Jabber- Voiceservicesdomain из jabber-config.xml (если есть)- IM&P домен CUP (если отличается)

= все имеющиеся домены UC

(*) подробнее в разделе про домены

ExpressWay E – Требования к сертификату


Лучше использовать подписанные CA сертификаты и на CUCM Не забывайте добавить CA root в “Trusted CA Certificate” Если используются самоподписанные сертификаты CUCM, то

сертификаты Tomcat и CUCM нужно добавить в “Trusted CA Certificate” на ExpressWay C

НО есть следующий дефект:“CSCun30200: Unable to configure secure MRA UCM using self signed certs”

Certificates – Общие рекомендации


Известные ограничения и проблемы


• Медиа между ExpressWay C и внутренними телефонами работает по RTP/AVP вместо RTP/SAVP несмотря на то, что обе стороны поддерживают шифрование.

Нет SRTP между ExpressWay C и внутренним телефоном

Collaboration InfrastructureWith SIP security Profile=

Encrypted

RTPXWY-C

XWY-ESRTP

SRTP


Поддержка SIP Early Media

ExpressWay B2BUA будет поддерживатьEarly Media в X8.5

Jabber INVITETRYING CUCM 183 SESSION PROGRESS (with SDP) CUCM

183 session progress используется для проключения медиа для установления соединения (EARLY MEDIA)

“CSCul52293: Edge calls are missing or have incorrect tones and announcements”


ICE не поддерживается на CUCMне включайте TURN/ICE на Expressway

При звонках между абонентами вне сети медиа будет проходить через ExpressWay C

Поддержка TURN/ICE


При корректной настройке адресов, зон и NAT звонки не должны занимать лицензии Rich Media на ExpressWay

Проверяйте при первоначальной настройке

Использование лицензий Rich Media


ExpressWay С регистрирует MRA клиентов на CUCM от своего адреса

SIP trunk для звонков Rich Media между ExpressWay C и CUCM должен использовать другие TCP порты (например 5060->5560, 5061->5561)

Использование SIP trunk между ExpressWay C и CUCM

7913

Спасибо

Technology

Решение Cisco Collaboration Edge