BRKCOL-2060a

Enabling Collaboration for Your Remote Workforce with Cisco Expressway
Part I

Luis Garcia

#CiscoLive

Agenda
• Introduction
• Cisco Expressway
• Mobile and Remote Access
• MRA Setup
• Conclusion

#CiscoLive BRKCOL-2060a © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Introduction
Remote Workforce

• Since COVID, the number of employees working remotely has grown sharply.
• Companies with on-premises deployments needed a reliable and secure way to connect remote workers.
• Most companies will continue to adopt a hybrid work model, allowing employees to work from home or the office.
Cisco Expressway
Expressway Deployments

Figure: Internal Network | DMZ | External Network. Expressway-C sits on the internal network, Expressway-E in the DMZ facing the Internet. Deployment types shown across the pair: B2B Calling, Mobile and Remote Access, CMS WebRTC, Interworking, XMPP Federation, Call Control, Webex Edge.
Why Expressways?
Security
• Enables encrypted communication (TLS signalling, SRTP media) between the corporate network and remote employees.
• Joint Interoperability Test Command (JITC) certified.
• FIPS 140-2 Level 1 compliant.
• Common Criteria (CC) accredited and Commercial Solutions for Classified (CSfC) accredited.
• Bare-metal appliance (CE1200) available for secure deployments.
Why Expressways?
Firewall Traversal
• The traversal client (Expressway-C) maintains a persistent outbound connection through the firewall to a designated port on the traversal server (Expressway-E) and keeps it alive with periodic SIP OPTIONS requests, which Expressway-E answers with a SIP 200 OK.
• Because every traversal connection is initiated from the inside, there is no need to open inbound ports on the internal firewall.

Figure: Expressway-C sends SIP OPTIONS to Expressway-E; Expressway-E replies SIP 200 OK.
Licensing X12.6 – X14.0
• Smart Licensing was introduced in version X12.6.
• Expressway supports PAK-based licensing (regular option keys) and Smart Licensing, but only one mode at any given time.
• Information on how to configure Smart Licensing can be found in the Admin Guide.
• Not all option keys are supported in Smart Licensing.

Smart Licensing X12.6 – X14.0
  Supported (smart license entitlements):
    Rich Media Session
    UC Manager Enhanced Plus (Desktop Systems)
    UC Manager Telepresence (Room Systems)
  Not supported (still require an option key):
    Hardware Security Module (HSM) (Feature Preview)
    Microsoft Interoperability
    Advanced Account Security

Licensing X14.2
• Smart Licensing only.
• Microsoft Interoperability continues to work as an option key.
• The Advanced Account Security option key is no longer required to enable JITC mode. This is an export-controlled license.
Virtual Machine Requirements

Deployment Size   vCPU     Reserved CPU Resource     Reserved RAM   NIC
Small             2 core   3600 MHz (2 x 1.8 GHz)    4 GB           1 Gb
Medium            2 core   4800 MHz (2 x 2.4 GHz)    6 GB           1 Gb
Large             8 core   25600 MHz (8 x 3.2 GHz)   8 GB           1 Gb

No oversubscription of CPU, RAM or NIC.

Increasing or reducing the Deployment Size does not happen automatically by adding or removing hardware resources; the deployment size is a separate Expressway setting that must be changed to match the resources you provision.
Expressway Server Capacity

Server Capacity X14.0.2+
             Registrations   B2B calls         *MRA Registrations   MRA Calls
                             Video    Audio                         Video   Audio
CE1200       5,000           500      1,000    8,000                500     1,000
Large VM     5,000           500      1,000    4,000                500     1,000
Medium VM    2,500           100      200      3,500                150     300
Small VM     2,000           40       40       3,000                100     200

*Pre-Routed Route Header (PRRH) – Fast Path Registration enabled.

Expressway Cluster Capacity

Cluster Capacity X14.0.2+
             Registrations   B2B calls         *MRA Registrations   MRA Calls
                             Video    Audio                         Video   Audio
CE1200       20,000          2,000    4,000    32,000               2,000   4,000
Large VM     20,000          2,000    4,000    16,000               2,000   4,000
Medium VM    10,000          400      800      14,000               600     1,200
Small VM     2,000           40       40       3,000                100     200

Based on a 6-node cluster with a redundancy model of n+2, i.e. 4 active nodes plus 2 spare: for CE1200, Large and Medium the cluster figures are 4 x the single-server figures, because the redundant nodes add no capacity.

*PRRH enabled.
MRA New Redundancy Models – X14.2

Model   MRA Registrations        MRA Calls
        PRRH Off    PRRH On      PRRH Off   PRRH On
4+2     10,000      14,000       400        600
4+1     10,000      14,000       400        600
5+1     12,500      17,500       500        750

Medium OVA used as an example. Capacity scales with the number of active nodes (4 or 5), so 5+1 buys 25% more capacity from the same 6 nodes at the cost of one less spare.
New Features in Version X14.0.x
• SIP-based DoS attack protection
• SIP registration failure detection
• Rate limits for SIP
• MRA registration failover
• Redirect URI for SSO/OAuth
• System key recovery
• RedSky E911 location services
• IP/port filter for tcpdump in diagnostic logs
• Support for the AV1 codec
• Webex UCM Calling – escalate P2P call to meeting
• API updates
Mobile and Remote Access

Figure: Internal Network (UCM, IM&P and Unity; Expressway-C) | DMZ (Expressway-E) | External Network (Internet). Incoming traffic from the remote client terminates on Expressway-E: HTTPS, XCP (XMPP), SIP TLS, STUN and SRTP. Expressway-E relays it across the traversal zone to Expressway-C, which talks to UCM, IM&P and Unity.
Media Path – MRA

Figure: SIP TLS signalling and SRTP media from the remote client terminate on Expressway-E in the DMZ; Expressway-E relays them over the traversal zone to Expressway-C, which passes signalling to UCM and media on to the internal endpoint. Without ICE, all MRA media is relayed through the Expressway pair.
Media Paths ICE – MRA

Figure: with ICE enabled, media between MRA clients can flow peer to peer across the Internet, or via the TURN server on Expressway-E, instead of always traversing Expressway-E and Expressway-C. More details in session BRKCOL-2000.
MRA – Webex UCM Calling

Figure: Internal Network (UCM, Unity Connection, Expressway-C) | DMZ (Expressway-E) | Internet. The Webex app registers to UCM over MRA using SIP TLS and HTTPS through the Expressway pair.
MRA Configuration – Prerequisites
• MRA is only one feature running on Expressway. Before you configure it, follow the Basic Configuration and Administrator guides. Some recommendations before setting up MRA:
1. Single NIC with static NAT is supported but not recommended.
2. All alarms should be cleared.
3. Internal logins should work before you implement MRA.
4. Static routes might be needed when using a dual-NIC deployment.
5. The cluster should be built before you set up MRA.
MRA DNS Records

Figure: the client resolves the _collab-edge SRV record, picks one of the Expressway-E nodes (Exp-E01, Exp-E02, Exp-E03) and sends GET https:///.../get_edge_config?service_name=_cisco-uds to it.

_collab-edge SRV record (example with three Expressway-E nodes):
  FQDN      Priority   Weight
  Exp-E01   10         10
  Exp-E02   10         10
  Exp-E03   10         10

            Record                        Port   Host
  Internal  _cisco-uds._tcp.<domain>      8443   UCM FQDN
  External  _collab-edge._tls.<domain>    8443   Exp-E FQDN

MRA – Split DNS with a Single Domain

Figure: Internal DNS answers _cisco-uds._tcp.ucdemolab.com with the UCM FQDN; External DNS answers _collab-edge._tls.ucdemolab.com with the Exp-E FQDN. The client looks for _cisco-uds first: when it resolves (on the corporate network) the client registers directly to UCM, when only _collab-edge resolves (on the Internet) the client uses MRA. The _cisco-uds record must therefore not be resolvable from outside the enterprise.

MRA – Dual Domain without Split DNS
After X12.5, an internal _cisco-uds record for the external domain is not required; UCM nodes must be identified by FQDN rather than IP address.

Figure: Internal DNS: _cisco-uds._tcp.ucdemolab.com -> UCM FQDN. External DNS: _collab-edge._tls.ucdemolab.com -> Exp-E FQDN.
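The DNS slides above describe two checks a practitioner wants to automate before cutting over: the internal view must return _cisco-uds, the external view must return _collab-edge and must not leak _cisco-uds, and every SRV target must be an FQDN on port 8443. The script below is an added example, not code from the Cisco Live deck or from Cisco; the record names, port and split-DNS rule come from the slides, while the ucdemolab.com hostnames and the two DNS views are constructed inline so it runs offline. It also implements RFC 2782 target selection (priority first, then weighted random), which is how a client chooses between the three equal-weight Expressway-E nodes in the example.

```python
"""Validate MRA SRV records per DNS view and pick an Expressway-E the way
an RFC 2782 client does. Added example; records below are constructed."""
import ipaddress
import random
from dataclasses import dataclass

UDS_SRV = "_cisco-uds._tcp"      # internal: points clients straight at UCM
EDGE_SRV = "_collab-edge._tls"   # external: points clients at Expressway-E
MRA_PORT = 8443                  # both records use 8443 per the deck


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str   # must be an FQDN, never an IP literal


def _is_fqdn(target):
    host = target.rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False            # an IP literal is not a valid SRV target
    except ValueError:
        return "." in host      # require at least one label boundary


def validate_views(domain, internal, external):
    """Return findings for an internal and an external DNS view.

    Each view maps an SRV owner name (e.g. "_collab-edge._tls.example.com")
    to the list of Srv answers that view returns. Empty list == all good.
    """
    uds_name = f"{UDS_SRV}.{domain}"
    edge_name = f"{EDGE_SRV}.{domain}"
    findings = []
    if not internal.get(uds_name):
        findings.append(f"internal view: {uds_name} missing, on-net clients cannot find UCM")
    if not external.get(edge_name):
        findings.append(f"external view: {edge_name} missing, off-net clients cannot find Expressway-E")
    if external.get(uds_name):
        # Split-DNS rule: a leaked _cisco-uds makes Internet clients try UCM
        # directly (bypassing MRA) and exposes internal UCM hostnames.
        findings.append(f"external view: {uds_name} is resolvable from the Internet")
    for view_name, view in (("internal", internal), ("external", external)):
        for owner, answers in view.items():
            for rr in answers:
                if rr.port != MRA_PORT:
                    findings.append(f"{view_name} view: {owner} -> {rr.target} uses port {rr.port}, expected {MRA_PORT}")
                if not _is_fqdn(rr.target):
                    findings.append(f"{view_name} view: {owner} -> {rr.target} is not an FQDN")
    return findings


def select_target(answers, seed=None):
    """RFC 2782 selection: lowest priority wins; within that priority pick at
    random in proportion to weight (weight-0 records are ordered first so they
    are chosen only when the random number is 0)."""
    if not answers:
        return None
    rng = random.Random(seed)   # seed only so the example is reproducible
    best = min(rr.priority for rr in answers)
    group = sorted((rr for rr in answers if rr.priority == best),
                   key=lambda rr: rr.weight > 0)
    pick = rng.randint(0, sum(rr.weight for rr in group))
    running = 0
    for rr in group:
        running += rr.weight
        if running >= pick:
            return rr
    return group[-1]


if __name__ == "__main__":
    # Constructed views mirroring the "Split DNS with a Single Domain" slide.
    internal = {f"{UDS_SRV}.ucdemolab.com": [Srv(10, 10, 8443, "ucm1-pub.ucdemolab.com")]}
    external = {f"{EDGE_SRV}.ucdemolab.com": [Srv(10, 10, 8443, f"exp-e0{i}.ucdemolab.com") for i in (1, 2, 3)]}
    print(validate_views("ucdemolab.com", internal, external))
    print(select_target(external[f"{EDGE_SRV}.ucdemolab.com"], seed=7))
```

To run this against real resolvers, feed `validate_views` the answers from a query made from inside and from outside the network (for example with dnspython's `resolver.resolve(name, "SRV")` on each side); the findings list is the cut-over checklist.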
DNS - Multiple Regions

Figure: two regions (AMERICAS and EMEA), each with its own UCM, IM&P and Unity, Expressway-C and Expressway-E. Geo-DNS answers the client's _collab-edge query with the Expressway-E cluster nearest to the client.
Multiple Cluster Setup

Figure: Expressway-C receives HTTPS://…/get_edge_config for user john.doe and queries the UDS on a known cluster (HTTPS://ucm1-pub.../cucm-uds/clusterUser?username=john.doe). UCM uses ILS/Cluster View to answer HTTP 200 OK with the user's Home Cluster -> ucm2-sub.cisco.com. Clusters configured on Expressway-C: Cluster 1 (ucm1-pub.cisco.com, ucm1-sub.cisco.com) and Cluster 2 (ucm2-pub.cisco.com, ucm2-sub.cisco.com).
MRA – Firewall (external firewall: Internet to DMZ)
• Off-premises clients initiate the connection to the Expressway-E.
• TURN media and RTP/RTCP use different port ranges.
• Traffic on ports 5061 (SIP), 8443 (HTTPS) and 5222 (XMPP) uses TLS.
• Phone-only deployments don't need port 5222 open.

MRA – Firewall (internal firewall: DMZ to internal network)
• Expressway-C (traversal client) initiates the connection to Expressway-E (traversal server), so no rule allowing connections from the DMZ into the internal network is needed.
• 2776-2777 are the demuxed ports used for RTP/RTCP in small/medium deployments.
• Large deployments use the first 12 ports of the Media Traversal port range.
• The XMPP port changes from 5222 (client to Expressway-E) to 7400 (Expressway-C to Expressway-E).
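The two firewall slides above reduce to two properties that are easy to get wrong in a rule base: the external firewall should expose only the MRA TLS ports (8443, 5061 and, unless the deployment is phone-only, 5222) from the Internet to the Expressway-E, and the internal firewall needs no rule that lets the DMZ initiate connections into the internal network, because Expressway-C always initiates the traversal connection. The linter below is an added example, not part of the deck or any Cisco tool; the port numbers come from the slides, while the rule format, the zone names (internet, dmz, internal) and the sample rule set are constructed for the example. UDP rules (TURN and media ranges) are deliberately out of scope because the deck does not give their ranges.

```python
"""Lint a firewall rule base against the MRA traversal model.
Added example with a constructed rule format; not a Cisco tool."""

# TCP ports the deck names for client -> Expressway-E signalling (all TLS).
MRA_TLS_PORTS = {8443: "HTTPS", 5061: "SIP TLS", 5222: "XMPP"}


def _ports(spec):
    """Expand "8443" or "2776-2777" into a range of ints."""
    lo, _, hi = str(spec).partition("-")
    return range(int(lo), int(hi or lo) + 1)


def lint_rules(rules, phone_only=False):
    """Return a list of findings; an empty list means the rule base matches
    the traversal model. Each rule is a dict with keys
    id, src, dst, proto, port, action (zones: internet / dmz / internal)."""
    findings = []
    needed = {8443, 5061} | (set() if phone_only else {5222})
    seen_ext = set()
    for rule in rules:
        if rule.get("action") != "allow":
            continue              # only permits can violate the model
        rid, src, dst = rule["id"], rule["src"], rule["dst"]
        proto = rule["proto"].lower()
        ports = list(_ports(rule["port"]))

        # Property 2: traversal is client-initiated from Expressway-C, so an
        # allow from the DMZ into the internal network is never required.
        if src == "dmz" and dst == "internal":
            findings.append(f"{rid}: allows DMZ->internal; traversal is initiated by "
                            f"Expressway-C, so no inbound rule is needed")

        # Property 1: Internet -> DMZ TCP should be limited to the MRA TLS ports.
        if src == "internet" and dst == "dmz" and proto == "tcp":
            for p in ports:
                if p in MRA_TLS_PORTS:
                    seen_ext.add(p)
                    if phone_only and p == 5222:
                        findings.append(f"{rid}: TCP/5222 (XMPP) is open but a phone-only "
                                        f"deployment does not need it")
            extra = [p for p in ports if p not in MRA_TLS_PORTS]
            if extra:
                findings.append(f"{rid}: TCP/{rule['port']} from the Internet includes "
                                f"{len(extra)} port(s) that are not MRA TLS ports; "
                                f"justify (e.g. TURN) or remove")
    for p in sorted(needed - seen_ext):
        findings.append(f"missing: TCP/{p} ({MRA_TLS_PORTS[p]}) from the Internet "
                        f"to the Expressway-E is required")
    return findings


# Constructed sample rule base following the deck's two slides.
SAMPLE_RULES = [
    {"id": "ext-1", "src": "internet", "dst": "dmz", "proto": "tcp", "port": "8443", "action": "allow"},
    {"id": "ext-2", "src": "internet", "dst": "dmz", "proto": "tcp", "port": "5061", "action": "allow"},
    {"id": "ext-3", "src": "internet", "dst": "dmz", "proto": "tcp", "port": "5222", "action": "allow"},
    {"id": "int-1", "src": "internal", "dst": "dmz", "proto": "tcp", "port": "7400", "action": "allow"},
    {"id": "int-2", "src": "internal", "dst": "dmz", "proto": "udp", "port": "2776-2777", "action": "allow"},
    {"id": "int-deny", "src": "dmz", "dst": "internal", "proto": "any", "port": "1-65535", "action": "deny"},
]

if __name__ == "__main__":
    print(lint_rules(SAMPLE_RULES))                   # []
    print(lint_rules(SAMPLE_RULES, phone_only=True))  # 5222 not needed
```

Export your real rule base to this shape (most firewalls can dump rules as CSV or JSON) and run `lint_rules` as part of the change review; the DMZ->internal finding is the one that most often appears after someone "fixes" a call problem by opening the internal firewall.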
Certificates
• Signing the Expressway-E certificate with an internal/private CA will result in the external client failing to connect or showing alerts to the end user, because off-premises clients only trust public CAs.
• The Webex app by default won't accept the certificate unless the UC registration domain is added as a SAN.

                 Expressway-C                      Expressway-E
CA               Public or private                 Public
SAN              Phone Security Profile names      UCM (registration) domain
                 Expressway cluster name           XMPP Federation domains
                 IM&P chat node aliases            IM&P chat node aliases

MRA – Certificates
SSL Negotiation
• You can check the Expressway trust store under Maintenance > Security > Trusted CA certificate.
• The Expressway-C FQDN is configured in the UC Traversal Zone on the Expressway-E in the TLS verify subject name field; the name must match the certificate that Expressway-C presents when the traversal connection is set up.
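The certificate table and the TLS verify subject name slide above describe checks that are worth running against the certificate an Expressway actually presents rather than the CSR you think you submitted. The code below is an added example, not part of the deck or of Expressway; it takes the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same functions can be pointed at a live Expressway (note that `getpeercert()` only returns the dictionary when the handshake verified the certificate, so use `ssl.create_default_context()` with the right trust store). The `Inventory` fields mirror the SAN table; the domain names and the sample certificates are constructed for the example, and the exact-match rule used for the TLS verify subject name is an assumption.

```python
"""Check an Expressway certificate against the MRA SAN requirements and the
traversal zone's TLS verify subject name. Added example; inputs constructed."""
from dataclasses import dataclass, field


@dataclass
class Inventory:
    """Names the MRA certificate table says must appear as SANs."""
    uc_domain: str                                     # Expressway-E
    exp_c_cluster_name: str                            # Expressway-C
    phone_security_profiles: list = field(default_factory=list)  # Expressway-C
    xmpp_federation_domains: list = field(default_factory=list)  # Expressway-E
    chat_node_aliases: list = field(default_factory=list)        # both


def san_dns_names(peercert):
    """DNS entries from the SAN of a getpeercert() dict, lowercased."""
    return {v.lower() for k, v in peercert.get("subjectAltName", ()) if k == "DNS"}


def cert_names(peercert):
    """CN plus DNS SANs; this is what a subject-name check may match against."""
    names = set(san_dns_names(peercert))
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def required_sans(role, inv):
    if role == "exp-c":
        names = inv.phone_security_profiles + [inv.exp_c_cluster_name] + inv.chat_node_aliases
    elif role == "exp-e":
        names = [inv.uc_domain] + inv.xmpp_federation_domains + inv.chat_node_aliases
    else:
        raise ValueError(f"unknown role {role!r}")
    return {n.lower() for n in names}


def missing_sans(role, inv, peercert):
    """Required names absent from the SAN extension. The CN is deliberately not
    counted: the Webex app needs the UC domain as a SAN, not as CN."""
    return sorted(required_sans(role, inv) - san_dns_names(peercert))


def tls_verify_subject_ok(configured_name, peercert):
    """Traversal zone 'TLS verify subject name': the configured Expressway-C
    FQDN must appear as CN or DNS SAN of the presented certificate
    (exact, case-insensitive match assumed here)."""
    return configured_name.lower() in cert_names(peercert)


if __name__ == "__main__":
    # Constructed inventory and certificates for the example.
    inv = Inventory(uc_domain="ucdemolab.com",
                    exp_c_cluster_name="exp-c.ucdemolab.com",
                    phone_security_profiles=["secure-phone.ucdemolab.com"],
                    xmpp_federation_domains=["ucdemolab.com"],
                    chat_node_aliases=["chat-1.ucdemolab.com"])
    exp_e = {"subject": ((("commonName", "exp-e01.ucdemolab.com"),),),
             "subjectAltName": (("DNS", "exp-e01.ucdemolab.com"),)}
    print(missing_sans("exp-e", inv, exp_e))   # UC domain and chat alias missing
```

Running `missing_sans("exp-e", ...)` against a certificate that only carries the node FQDN is the quickest way to explain the "certificate not trusted" prompt the Webex app shows even though the certificate is publicly signed.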
MRA Authentication
What do I choose?

• Jabber and the Webex app can use Single Sign-On (SSO) or UCM/LDAP credentials for authentication over MRA.
• Telepresence endpoints and 78XX/88XX phones can only do UCM/LDAP authentication.
• 78XX/88XX phones can alternatively onboard over MRA with activation codes plus their Manufacturing Installed Certificates.

MRA Authentication Paths

Figure (UCM/LDAP): the client's credentials travel from the Internet through Expressway-E and Expressway-C to UCM, IM&P and Unity, which validate them against Active Directory.
Figure (SSO): the client is redirected to the IdP; the path shows the internal IdP behind the Expressway pair with an IdP Proxy in front of it, so the SAML exchange is relayed through Expressway-E and Expressway-C.

MRA Authentication
• OAuth token with refresh applies to both SSO and non-SSO deployments.
• User credentials (not OAuth tokens) are required for Telepresence endpoints and IP phones.
• OAuth token (without refresh) is only needed if your UCM infrastructure doesn't support OAuth token with refresh (11.5(1) SU3 or later).
Configuration – UCM/IM&P
• Considerations before adding UCM to Expressway-C:
1. Only publishers are added to Expressway-C; subscribers are discovered automatically after the publisher is added.
2. If using TLS verify, add the CUCM/IM&P publisher by the Common Name (CN) value of the Tomcat certificate that is uploaded to the Expressway-C, since that is the name Expressway-C checks the certificate against.
3. Download the Tomcat certificates from CUCM/IM&P OS Administration and upload them on Expressway-C under Maintenance > Security > Trusted CA certificate.
4. You need an application user with the AXL API Access role; Expressway-C uses these credentials to query CUCM.
5. Once CUCM is added, the necessary search rules and neighbor zones are configured automatically.
6. Secured communication between Expressway-C and CUCM is not required, but recommended; with TLS verify enabled the Tomcat certificate is actually validated rather than the connection merely being encrypted.
Conclusion
Highlights
• Companies with on-premises UC need Expressway to support their hybrid work strategies.
• Expressway continues to be important in our portfolio of products.
• Webex UCM Calling over MRA gives you some of the benefits of the Webex cloud while you continue to use your on-premises solution for calls.
• X14.2 increases the capacity of Expressway clusters through the new redundancy models.

What's Next!
Continue your education
• Visit the Cisco Showcase for related demos.
• Book your one-on-one Meet the Engineer meeting.
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs.
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand

Thank you

#CiscoLive