Cisco Connect
Cisco Collaboration Edge Solution
Mikhail Shchekotilov (Михаил Щекотилов)
Customer Support Engineer, Cisco TAC Russia
Contents
- Solution architecture and components overview
- Cisco Jabber client registration process
- Important points when preparing the infrastructure
  - Domains and DNS
  - Certificates
  - Known limitations and issues
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Solution architecture and components overview
Terminology
- Collaboration Edge: the solution and architecture for delivering voice and advanced collaboration services across the corporate network boundary.
- Expressway: a VCS-based product designed for traversing that boundary.
- Mobile and Remote Access (MRA): the feature of the solution that lets remote clients work using Cisco Jabber.
What can Cisco Jabber do?
(Diagram: a Jabber client on the public Internet, outside the firewall, connects to Expressway-E in the DMZ; Expressway-E traverses the inner firewall to Expressway-C, which reaches Unified CM, Instant Message and Presence and the other collaboration services inside the intranet. Capabilities shown: access visual voicemail, make voice and video calls, launch a web conference, share content, search the corporate directory.)
Model: CUCM + IM&P (diagram)
Model: CUCM + WebEx (diagram)
Solution components
(Diagram: Jabber client, external DNS, Expressway-E, Expressway-C, internal DNS, CUCM home node with UDS and TFTP server, IM&P server.)
- External and internal DNS: the DNS servers for the two network views
- Expressway-E (Edge): entry point and firewall traversal server
- Expressway-C (Core): firewall traversal client and reverse HTTP proxy
- CUCM:
  • UDS (User Data Services): data about users, devices, services, etc.
  • TFTP: configuration files
- IM&P (Instant Messaging & Presence): directory, messaging and presence services
Cisco Jabber client registration process
Cisco Jabber registration: initial service discovery
(Sequence diagram lanes used on the following slides: Jabber client, external DNS, Expressway-E, Expressway-C, internal DNS, CUCM home node (UDS, TFTP server), IM&P server.)
The client first queries the SRV records that exist only on the internal DNS. From outside they are not found, which tells the client it is off-net:
DNS Query:  SRV _cisco-uds._tcp.coluc.com   -> Query Response: Not Found
DNS Query:  SRV _cuplogin._tcp.coluc.com    -> Query Response: Not Found
Cisco Jabber registration: locating Expressway-E
DNS Query: SRV _collab-edge._tls.coluc.com
Query Response (contains "Answers" including the SRV and A/AAAA records):
  Service:  collab-edge
  Protocol: tls
  Name:     coluc.com
  Type:     SRV
  Port:     8443
  Target:   xwaye.coluc.com
DNS Query: A xwaye.coluc.com
Query Response (contains "Answers" including the A/AAAA record):
  Name: xwaye.coluc.com
  Type: A
  Addr: 122.208.118.4
Cisco Jabber registration: TLS to Expressway-E and the get_edge_config request
SSL: Client Hello
SSL: Server Hello
SSL: Certificate, Server Hello Done
A secure channel is established between the Jabber client and Expressway-E (VCS-E). The client then requests the edge configuration data; note that the user's credentials are sent as HTTP Basic authentication inside this TLS session:
HTTPS: GET /get_edge_config
HTTPMSG:
GET https:///Y2lzY290cC5jb20/get_edge_config HTTP/1.1
Authorization: xxxxx <= Basic username and password
Host: xwaye.coluc.com:8443
User-Agent: Jabber-Win-746
Expressway-E forwards the request to Expressway-C (VCS Control), adding the client's public address in X-Forwarded-For and a Via header:
HTTPS: GET /get_edge_config
HTTPMSG:
GET http://vcs_control.coluc.com:8443/Y2lzY290cC5jb20/get_edge_config HTTP/1.1
Authorization: xxxxx <= Basic username and password
Host: vcs_control.coluc.com:8443
User-Agent: Jabber-Win-746
X-Forwarded-For: 64.104.46.217 <= Address of the Jabber client as seen by VCS-E
Via: https/1.1 vcs[7AD07604] (ATS)
Cisco Jabber registration: Expressway-C resolves the UC services
When the DNS records are not cached, Expressway-C sends the following queries to the internal DNS:
DNS Query: SRV _cisco-uds._tcp.coluc.com          -> Query Response: Target colcm9pub.coluc.com
DNS Query: SRV _cisco-phone-tftp._tcp.coluc.com   -> Query Response: Target colcm9pub.coluc.com
DNS Query: A colcm9pub.coluc.com                  -> Query Response: Addr 172.16.1.36
Cisco Jabber registration: Expressway-C resolves the IM&P service
DNS Query: SRV _cuplogin._tcp.coluc.com   -> Query Response: Target colcup.coluc.com
DNS Query: A colcup.coluc.com             -> Query Response: Addr 172.16.1.33
Cisco Jabber registration: requesting the CUCM home node information
HTTP(S): GET //<cucm-fqdn>/cucm-uds/clusterUser?username=<user-name>
HTTPMSG:
GET //colcm9pub:8443/cucm-uds/clusterUser?username=xwayj HTTP/1.1
HTTP(S) 200 OK
At this point the diagnostic log should contain the internal status entries "Found user cluster" and "Found UDS server":
===========================================================
Module="developer.edgeconfigprovisioning.server" Level="DEBUG" CodeLocation="edgeconfigprovisioningserver(655)" Detail="Found user cluster" Username="xwayj" Cluster="172.16.1.36"
HTTPMSG:
HTTP/1.1 200 OK
Content-Type: application/xml
Server:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><clusterUser uri="https://colcm9pub:8443/cucm-uds/clusterUser?username=xwayj" version="9.1.2"><result version="9.1.2" uri="https://172.16.1.36:8443/cucm-uds/user/xwayj" found="true"/><homeCluster>172.16.1.36</homeCluster></clusterUser>
Module="developer.edgeconfigprovisioning.server" Level="DEBUG" CodeLocation="edgeconfigprovisioningserver(682)" Detail="Found UDS server" Cluster="172.16.1.36" UdsServer="colcm9pub"
===========================================================
Cisco Jabber registration: get devices
HTTP(S): GET //<cucm-fqdn>/cucm-uds/user/<user-name>/devices
HTTPMSG:
GET //colcm9pub:8443/cucm-uds/user/xwayj/devices HTTP/1.1
Authorization: <CONCEALED>
HTTP(S) 200 OK
HTTPMSG:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONIDSSO=xxxxx; Path=/; Secure; HttpOnly
Set-Cookie: JSESSIONID=xxxxx; Path=/cucm-uds/; Secure; HttpOnly
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><devices version="9.1.2" uri="https://colcm9pub:8443/cucm-uds/user/xwayj/devices"><device hasPrimaryNumber="false" uri="https://colcm9pub:8443/cucm-uds/user/xwayj/device/663e40ed-b3bd-3060-5483-b6721d04c32e"><id>663e40ed-b3bd-3060-5483-b6721d04c32e</id><name>CSFxwayj</name><model>Cisco Unified Client Services Framework</model> ….. </device></devices>|
Cisco Jabber registration: get_edge_config response
Expressway-C answers 200 OK and Expressway-E relays the same response to the client. The returned configuration contains:
1) IM&P, CUCM and TFTP SRV targets
2) SIP edge
3) Randomized list of UDS servers
4) XMPP edge
5) HTTP edge
etc.
HTTPMSG:
HTTP/1.1 200 OK
Server: CE_C ECS
Set-Cookie: X-Auth=<edge token>; Expires=xxxxx; Domain=.coluc.com; Path=/; Secure
<?xml version='1.0' encoding='UTF-8'?> <getEdgeConfigResponse version="1.0"><serviceConfig><service><name>_ciscophonetftp</name><server><priority>0</priority><weight>0</weight><port>69</port><address>colcm9pub.coluc.com</address></server></service><service><name>_cuplogin</name><server><priority>0</priority><weight>0</weight><port>8443</port><address>imp33.coluc.com</address></server> ….. </edgeConfig></getEdgeConfigResponse>|
The X-Auth cookie carries the edge token: from here on the client presents it (Cookie: X-Auth=...) instead of re-sending the Basic credentials on every HTTP request through the edge, so it is worth treating the token as a session credential in any capture or log you share.
Cisco Jabber registration: configuration download and EPAS login
HTTPS: GET /jabber-config.xml
HTTPMSG:
GET https:///...../jabber-config.xml HTTP/1.1
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746
HTTPS: POST /EPASSoap/service/login
HTTPMSG:
POST https:///...../EPASSoap/service/v80 HTTP/1.1
Host: xwaye.coluc.com:8443
User-Agent: gSOAP/2.8
User-Agent: Jabber-Win-746
Cookie: $Version=1;X-Auth=<edge token>;$Path="/";$Domain=".coluc.com"
SOAPAction: "urn:cisco:epas:soap/EpasSoapServiceInterface/login"
HTTPS: POST /EPASSoap/service/get_all_config
… (system and user configuration, licensing features, etc.)
HTTPS: POST /EPASSoap/service/get_user_config
…
HTTPS: POST /EPASSoap/service/get_onetime_password
… (returns the password used for the subsequent IM&P XMPP logon)
Cisco Jabber registration: CTL and device configuration files
The client fetches its CTL file and its device configuration file through the edge (the device name is CSF<username>, here CSFxwayj):
HTTPS: GET CTLSEP<devicename>.tlv
HTTPMSG:
GET https:///...../CTLSEPCSFxwayj.tlv HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746
HTTPS: GET <devicename>.cnf.xml
HTTPMSG:
GET https:///....../CSFxwayj.cnf.xml HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746
Cisco Jabber registration: SIP REFER
SIP - REFER (Jabber client -> Expressway-E)
REFER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: [email protected]
CSeq: 1000 REFER
From: <sip:[email protected]>;tag=081196545e6500020000428b-00005ddf
To: <sip:[email protected]>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.30:5061;transport=tls;zoneid=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>
The client includes the route set received during the startup negotiation (Expressway-E, Expressway-C, CUCM).
The request is challenged with 407 Proxy Authentication Required.
Cisco Jabber registration: REFER with credentials and delegated credential checking
SIP - REFER (retried with Proxy-Authorization)
REFER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: [email protected]
CSeq: 1001 REFER
From: <sip:[email protected]>;tag=081196545e6500020000428b-00005ddf
To: <sip:[email protected]>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.31:5061;transport=tls;zoneid=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>
Proxy-Authorization: Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub", response="4900cdfe65c4a4551f1129903c9ed98d", nonce="xxxxx", opaque="xxxxx", cnonce="000030a0", qop=auth, nc=00000001, algorithm=MD5
SIP SERVICE: delegated credential checking for the REFER request. The digest parameters are forwarded to CUCM in a SIP SERVICE message (method DigestAuth) so that CUCM, not the Expressway, verifies them:
CSeq: 100 SERVICE
From: <sip:[email protected]>;tag=c726e3c167f0c775
To: <sip:[email protected]>
Event: service
P-Asserted-Identity: <sip:[email protected]>
<?xml version="1.0" encoding="utf-8"?>
<methodCall><params><username>xwayj</username>…..<uri>sip:colcm9pub</uri><method>REFER</method><id>30</id><reqtype>collab-edge</reqtype></params><methodName>DigestAuth</methodName> …..</sipdomain> </methodCall>
Cisco Jabber registration: REFER forwarded towards CUCM
Once the credentials are verified, the REFER is proxied on (Expressway-E -> Expressway-C -> CUCM; the message is identical on both hops). The consumed Route entries are stripped and P-Asserted-Identity carries the authenticated user:
SIP - REFER
REFER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: [email protected]
CSeq: 1001 REFER
Refer-To: <cid:[email protected]>
Referred-By: <sip:[email protected]>
From: <sip:[email protected]>;tag=081196545e6500020000428b-00005ddf
To: <sip:colcm9pub>
Route: <sip:colcm9pub;transport=tcp;lr>
P-Asserted-Identity: <sip:[email protected]>
Cisco Jabber registration: 202 Accepted and SIP REGISTER
CUCM answers 202 Accepted, which is relayed back through Expressway-C and Expressway-E to the client.
SIP - REGISTER
REGISTER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: [email protected]
CSeq: 101 REGISTER
Contact: <sip:..... @10.71.50.153:50036;transport=tls>;+sip.instance="<urn:uuid:00000000-0000-0000-0000081196545e65>";+u.sip!devicename.ccm.cisco.com="CSFxwayj";+u.sip!model.ccm.cisco.com="503";video
From: <sip:[email protected]>;tag=081196545e6500020000428b-00005ddf
To: <sip:[email protected]>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.30:5061;transport=tls;zoneid=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>
The registration request includes the Contact and the full route set. Like the REFER, it is challenged with 407 Proxy Authentication Required.
Cisco Jabber registration: REGISTER with credentials
SIP - REGISTER (retried with Proxy-Authorization)
REGISTER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=…..
CSeq: 102 REGISTER
Contact: <sip:[email protected]:50036;transport=tls>….. +u.sip!devicename.ccm.cisco.com="CSFxwayj";+u.sip!model.ccm.cisco.com="503"
From: <sip:[email protected]>;tag=081196545e6500020000428b-00005ddf
To: <sip:[email protected]>
Proxy-Authorization: Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub", response="4900cdfe65c4a4551f1129903c9ed98d", nonce="xxxxx", opaque="xxxxx", cnonce="000030a0", qop=auth, nc=00000001, algorithm=MD5
Cisco Jabber registration: REGISTER proxied to CUCM
SIP - REGISTER (Expressway-E -> Expressway-C). The Via headers now carry the edge zone name and the client's local and NAT addresses with port numbers:
REGISTER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TCP 0.0.0.0;egress-zone=TokyoVCS;…..;proxy-call-id=…..
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=…..;received=64.104.46.217;rport=9706;ingress-zone=CollaborationEdgeZone
CSeq: 102 REGISTER
From: <sip:[email protected]>;tag=081196545e6500020000428b-00005ddf
To: <sip:[email protected]>
SIP - REGISTER (Expressway-C -> CUCM). Expressway-C proxies the registration to CUCM; the CSeq number of the REGISTER is managed separately on each hop (102 from the client, 101 towards CUCM):
REGISTER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TCP 172.16.1.30:5060;egress-zone=CEtcpcolcm9pub;…..;proxy-call-id=…..
Via: SIP/2.0/TCP 0.0.0.0;egress-zone=TokyoVCS;…..;proxy-call-id=…..
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=…..;received=64.104.46.217;rport=9706;ingress-zone=CollaborationEdgeZone
CSeq: 101 REGISTER
From: <sip:[email protected]>;tag=081196545e6500020000428b-00005ddf
To: <sip:[email protected]>
Route: <sip:colcm9pub;transport=tcp;lr>
CUCM answers 200 OK and the registration is complete.
Important points when preparing the infrastructure
Domains and DNS
Service discovery
DNS service records (SRV) are used for service discovery.
Depending on the results of these queries the client decides whether it is inside or outside the corporate network.
Outside the network the SRV record '_collab-edge._tls.<domain>' must resolve, and it must point to Expressway-E.
Only inside the network must the SRV record '_cisco-uds._tcp.<domain>' resolve; it points to the CUCM cluster.
Only inside the network must the SRV record '_cuplogin._tcp.<domain>' resolve; it points to the IM&P cluster.
If either internal record is also published in the public DNS view, a remote client concludes it is on-net and tries to reach CUCM or IM&P directly instead of going through the edge, so verify both views separately.
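The decision logic above, replayed as an added example (not code from the deck or from Cisco): two constructed DNS views for the deck's example domain coluc.com stand in for a resolver so the script runs offline, and a pre-flight check flags the failure mode where an internal-only record leaks into the public view. The record names and ports are those on the slides; the view contents are constructed.

```python
"""Jabber-style SRV service discovery over split-horizon DNS (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Records that must resolve only from inside the corporate network.
INTERNAL_ONLY = ("_cisco-uds._tcp", "_cuplogin._tcp")
# Record that must resolve from outside and point at Expressway-E.
EDGE = "_collab-edge._tls"

DnsView = Dict[str, List[SrvRecord]]

# Constructed views (not real zone data) mirroring the deck's example values.
INTERNAL_DNS: DnsView = {
    "_cisco-uds._tcp.coluc.com": [SrvRecord(0, 0, 8443, "colcm9pub.coluc.com")],
    "_cuplogin._tcp.coluc.com": [SrvRecord(0, 0, 8443, "colcup.coluc.com")],
}
EXTERNAL_DNS: DnsView = {
    "_collab-edge._tls.coluc.com": [SrvRecord(0, 0, 8443, "xwaye.coluc.com")],
}


def lookup_srv(view: DnsView, name: str) -> List[SrvRecord]:
    """Stand-in for a real resolver (swap in dnspython in practice).
    Answers are ordered by priority, then by descending weight (RFC 2782);
    an empty list means the name did not resolve."""
    return sorted(view.get(name, []), key=lambda r: (r.priority, -r.weight))


def discover(domain: str, view: DnsView) -> Dict[str, object]:
    """Replay the client's decision: internal-only records first, then the edge."""
    for prefix in INTERNAL_ONLY:
        answers = lookup_srv(view, f"{prefix}.{domain}")
        if answers:
            return {"location": "inside", "record": prefix, "targets": answers}
    answers = lookup_srv(view, f"{EDGE}.{domain}")
    if answers:
        return {"location": "outside", "record": EDGE, "targets": answers}
    return {"location": "unknown", "record": None, "targets": []}


def check_split_horizon(domain: str, internal: DnsView, external: DnsView) -> List[str]:
    """Pre-flight check of the three DNS rules: returns a list of problems."""
    problems: List[str] = []
    for prefix in INTERNAL_ONLY:
        name = f"{prefix}.{domain}"
        if lookup_srv(external, name):
            problems.append(f"{name} is visible from outside; remote clients "
                            "will decide they are inside and bypass the edge")
    uds = f"{INTERNAL_ONLY[0]}.{domain}"
    if not lookup_srv(internal, uds):
        problems.append(f"{uds} is missing from internal DNS")
    edge = f"{EDGE}.{domain}"
    if not lookup_srv(external, edge):
        problems.append(f"{edge} is missing from external DNS; remote clients "
                        "cannot find Expressway-E")
    return problems


if __name__ == "__main__":
    print(discover("coluc.com", EXTERNAL_DNS))
    leaked: DnsView = dict(EXTERNAL_DNS)
    leaked["_cisco-uds._tcp.coluc.com"] = INTERNAL_DNS["_cisco-uds._tcp.coluc.com"]
    print(discover("coluc.com", leaked))  # now wrongly "inside"
    for problem in check_split_horizon("coluc.com", INTERNAL_DNS, leaked):
        print("WARN:", problem)
```

Run `check_split_horizon` against the answers of a public resolver and of an internal resolver before opening the edge: a leaked `_cisco-uds` record is the classic reason a remote Jabber client never contacts Expressway-E at all.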
Expressway – Mobile and Remote Access: domain and DNS settings
Scenario 1
- Single domain
- Expressway servers: domain1.com
- UC servers: domain1.com
- IM&P domain: domain1.com
(Diagram: expwayE.domain1.com, expwayC.domain1.com, CUCM home/UDS cucm.domain1.com, IM&P server cup.domain1.com with IM and Presence domain = domain1.com.)
Scenario 1: How do I log in?
Answer: with <userid>@domain1.com
Scenario 1: How is my external DNS configured?
Entry                                        Resolves to
SRV record '_collab-edge._tls.domain1.com'   xwayE.domain1.com, port 8443
A record 'xwayE.domain1.com'                 external IP address of Expressway-E
Scenario 1: How is my Expressway-E configured?
> System > DNS >
- System host name 'xwayE'
- Domain name 'domain1.com'
Scenario 1: How is my Expressway-C configured?
> System > DNS >
- System host name 'xwayC'
- Domain name 'domain1.com'
> Configuration > Domains >
- Domain 'domain1.com' enabled for 'UCM registrations' and 'IM and Presence'
Scenario 1: How is my internal DNS configured?
Entry                                      Resolves to
SRV record '_cisco-uds._tcp.domain1.com'   cucm.domain1.com, port 8443
A record 'cucm.domain1.com'                IP address of CUCM
Scenario 1: How is my CUCM configured?
> CCMADMIN > System > Server
- Server with hostname 'cucm'
> CLI: set network domain domain1.com
Scenario 1: How is my CUP (IM&P) configured?
> CUP Admin > Cluster Topology
- Node configuration with 'cup.domain1.com'
- IM and Presence Domain 'domain1.com' (*)
(*) Only one IM and Presence domain is supported.
Expressway – Mobile and Remote Access: domain and DNS settings
Scenario 2
- Different domains inside and outside the network
- Expressway servers: domain2.com
- UC and CUP servers: domain1.com
- IM&P domain: domain1.com
(Diagram: expwayE.domain2.com, expwayC.domain2.com, CUCM home/UDS cucm.domain1.com, IM&P server cup.domain1.com with IM and Presence domain = domain1.com.)
Scenario 2: How do I log in?
Answer:
- with <userid>@domain1.com
- jabber-config.xml has 'voiceservicesdomain' set to domain2.com
Scenario 2: How is my external DNS configured?
Entry                                        Resolves to
SRV record '_collab-edge._tls.domain2.com'   xwayE.domain2.com, port 8443
A record 'xwayE.domain2.com'                 external IP address of Expressway-E
Scenario 2: How is my Expressway-E configured?
> System > DNS >
- System host name 'xwayE'
- Domain name 'domain2.com'
Scenario 2: How is my Expressway-C configured?
> System > DNS >
- System host name 'xwayC'
- Domain name 'domain2.com'
> Configuration > Domains >
- Domain 'domain1.com' enabled for 'UCM registrations' and 'IM and Presence'
- Domain 'domain2.com' enabled for 'UCM registrations' and 'IM and Presence'
Scenario 2: How is my internal DNS configured?
Entry                                      Resolves to
SRV record '_cisco-uds._tcp.domain2.com'   cucm.domain1.com, port 8443
A record 'cucm.domain1.com'                IP address of CUCM
Scenario 2: How is my CUCM configured?
> CCMADMIN > System > Server
- Server with hostname 'cucm'
> CLI: set network domain domain1.com
Scenario 2: How is my CUP (IM&P) configured?
> CUP Admin > Cluster Topology
- Node configuration with 'cup.domain1.com'
- IM and Presence Domain 'domain1.com'
Expressway – Mobile and Remote Access: domain and DNS settings
Scenario 3
- Different domains inside and outside the network, plus a third domain for SIP
- Expressway servers: domain3.com
- UC and CUP servers: domain2.com
- IM&P domain: domain1.com
(Diagram: expwayE.domain3.com, expwayC.domain3.com, CUCM home/UDS cucm.domain2.com, IM&P server cup.domain2.com with IM and Presence domain = domain1.com.)
Scenario 3: How do I log in?
Answer:
- with <userid>@domain1.com
- jabber-config.xml has 'voiceservicesdomain' set to domain3.com
Scenario 3: How is my external DNS configured?
Entry                                        Resolves to
SRV record '_collab-edge._tls.domain3.com'   xwayE.domain3.com, port 8443
A record 'xwayE.domain3.com'                 external IP address of Expressway-E
Scenario 3: How is my Expressway-E configured?
> System > DNS >
- System host name 'xwayE'
- Domain name 'domain3.com'
Scenario 3: How is my Expressway-C configured?
> System > DNS >
- System host name 'xwayC'
- Domain name 'domain3.com'
> Configuration > Domains >
- Domain 'domain1.com' enabled for 'UCM registrations' and 'IM and Presence'
- Domain 'domain2.com' enabled for 'UCM registrations' and 'IM and Presence'
- Domain 'domain3.com' enabled for 'UCM registrations' and 'IM and Presence'
Scenario 3: How is my internal DNS configured?
Entry                                      Resolves to
SRV record '_cisco-uds._tcp.domain3.com'   cucm.domain2.com, port 8443
A record 'cucm.domain2.com'                IP address of CUCM
Scenario 3: How is my CUCM configured?
> CCMADMIN > System > Server
- Server with hostname 'cucm'
> CLI: set network domain domain2.com
Scenario 3: How is my CUP (IM&P) configured?
> CUP Admin > Cluster Topology
- Node configuration with 'cup.domain2.com'
- IM and Presence Domain 'domain1.com'
Expressway – Mobile and Remote Access: UC domain not configured
The Expressway or UC domain has not been added on Expressway-C, or has not been enabled for Unified Communications.
Jabber login fails with "Cannot communicate with the server".
Diagnostic log:
HTTPMSG:|GET https:///Y29sdWMuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Accept: */*
User-Agent: Jabber-Win-345
HTTPMSG:|HTTP/1.1 403 Forbidden
Date: Mon, 17 Mar 2014 16:07:20 GMT
Connection: close
Server: CE_E
Content-Length: 0|
The first path segment 'Y29sdWMuY29t' is the base64-encoded service domain; it decodes to 'coluc.com', which is the domain to look for under Configuration > Domains on Expressway-C.
Expressway – Mobile and Remote Access: IM&P (SIP) domain not configured
The IM&P domain has not been added, or has not been enabled for IM and Presence.
Jabber login fails with "Cannot communicate with the server".
Diagnostic log:
xwaye XCP_JABBERD[12144]: UTCTime="2014-03-14 14:30:25,310" ThreadID="140582990952192" Module="Jabber" Level="INFO " CodeLocation="deliver.c:1492" Detail="bouncing a packet to 'domain3.com' from 'cm-1_jsmcp-1.xwaye-domain1.com'"
xwaye XCP_CM[12513]: UTCTime="2014-03-14 14:30:25,310" ThreadID="140004551300864" Module="cm-1.xwaye-domain1.com" Level="INFO " CodeLocation="SASLManager.cpp:198" Detail="Failed to query auth component for SASL mechanisms"
Certificates
Certificates
Maintenance > Security Certificate > Server Certificate (screenshot)
Maintenance > Security Certificate > Trusted CA Certificate (screenshot)
Expressway-C – certificate requirements
CA signed
- Must be signed by a CA
- Used for the Traversal Zone with Expressway-E
- Used for the connection to CUCM when the device security mode is Authenticated or Encrypted
- The CA root certificate must be uploaded to "Trusted CA certificate" on both Expressways
- The CA root certificate must be uploaded to CallManager-trust on every server in the cluster
Expressway-C – certificate requirements: CA root not loaded on Expressway-E
- Traversal Zone state: Failed
- Expressway-C diagnostic logs (traversal client):
xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25016" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="xwaye.coluc.com" Level="1" UTCTime="2014-03-24 17:33:30,872"
- Expressway event logs (screenshot)
The "unknown ca" alert is sent by the peer, here Expressway-E on port 7001: it could not build a trust chain for the certificate Expressway-C presented, so the fix is on the Expressway-E trust list, not on the Expressway-C server certificate.
Expressway-C – certificate requirements: CA root not loaded on CUCM
- Softphone registration is refused when the device security mode is Authenticated or Encrypted
Expressway-C – certificate requirements: CA root not loaded on CUCM
- Expressway-C diagnostic logs:
2014-03-24T18:57:37+00:00 xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25264" Dst-ip="10.48.55.96" Dst-port="5061" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="COLCM9PUB.coluc.com" Level="1" UTCTime="2014-03-24 18:57:37,777"
- Expressway-C event logs (screenshot)
Same alert, different peer: this time CUCM on SIP/TLS port 5061 rejects the Expressway-C certificate, which points at CallManager-trust on that node.
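The two "tlsv1 alert unknown ca" entries above (the traversal-zone case and the CUCM case) differ only in the destination, so a tiny parser can tell them apart. This is an added example, not Cisco code: the first two sample lines are the ones shown on the slides, the third is constructed to exercise the non-matching case, and the port-to-peer mapping (7001 = traversal zone towards Expressway-E, 5061 = SIP/TLS towards CUCM) is this example's assumption based on those lines.

```python
"""Classify Expressway 'tvcs' TLS negotiation errors by which trust store
is missing the Expressway-C signing CA (added example, not Cisco code)."""
import re
from typing import Dict, List, Optional

SAMPLE_LINES = [
    # From the slides above (Expressway-E traversal zone, port 7001).
    'xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" '
    'Src-port="25016" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" '
    'Protocol="TLS" Common-name="xwaye.coluc.com" Level="1" UTCTime="2014-03-24 17:33:30,872"',
    # From the slides above (CUCM SIP/TLS, port 5061).
    '2014-03-24T18:57:37+00:00 xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" '
    'Src-ip="10.48.55.98" Src-port="25264" Dst-ip="10.48.55.96" Dst-port="5061" '
    'Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="COLCM9PUB.coluc.com" '
    'Level="1" UTCTime="2014-03-24 18:57:37,777"',
    # Constructed: a different TLS failure the classifier must not mislabel.
    'xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Dst-ip="10.48.55.96" '
    'Dst-port="5061" Detail="sslv3 alert handshake failure" Protocol="TLS" '
    'Common-name="COLCM9PUB.coluc.com"',
]

# tvcs lines are a sequence of Key="value" pairs; the leading timestamp has no key.
_KV = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Turn the Key="value" pairs of one tvcs log line into a dict."""
    return dict(_KV.findall(line))


def diagnose(ev: Dict[str, str]) -> Optional[str]:
    """Explain an Outbound TLS Negotiation Error.

    An unknown_ca alert (TLS alert 48) is sent by the peer, so it is the
    peer's trust store that lacks the CA which signed the Expressway-C
    certificate; the destination port says which peer that is."""
    if ev.get("Event") != "Outbound TLS Negotiation Error":
        return None
    peer = ev.get("Common-name") or ev.get("Dst-ip", "?")
    if "unknown ca" not in ev.get("Detail", ""):
        return (f"{peer}: '{ev.get('Detail')}' is not an unknown-CA alert; "
                "investigate separately")
    port = ev.get("Dst-port")
    if port == "7001":
        return (f"{peer} (traversal zone): upload the Expressway-C signing CA to "
                "Trusted CA certificate on Expressway-E")
    if port == "5061":
        return (f"{peer} (CUCM SIP/TLS): upload the Expressway-C signing CA to "
                "CallManager-trust on every cluster node")
    return f"{peer}:{port}: peer does not trust the Expressway-C certificate chain"


def diagnose_log(lines: List[str]) -> List[str]:
    """Diagnoses for every matching line, in order; other lines are skipped."""
    return [d for d in (diagnose(parse_event(line)) for line in lines) if d]


if __name__ == "__main__":
    for verdict in diagnose_log(SAMPLE_LINES):
        print(verdict)
```

Feed it the Expressway-C diagnostic log with `grep 'TLS Negotiation Error'`; because the verdict names the peer by the Common-name the peer presented, a wrong or unexpected name there is itself a finding.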
Expressway-C – certificate requirements: Extended Key Usage
- TLS Web Server Authentication (*)
and
- TLS Web Client Authentication
(*) Added automatically
ExpressWay C – Certificate requirements

• SAN must include the 'Chat node alias' of the IM&P server
- Required for XMPP federation
- Added automatically after IM&P Discovery
- To add it manually, look it up under CUPADMIN > Messaging > Group Chat Server Alias Mapping, Find.
ExpressWay C – Certificate requirements
CUPADMIN > Messaging > Group Chat Server Alias Mapping
ExpressWay C – Certificate requirements

• SAN must include the 'Device Security Profile Name'
- Needed to establish the TLS connection to CUCM
- Some (public) CAs do not allow a plain name in the SAN; in that case the profile name must be in FQDN format (for example abc.def.com)
ExpressWay C – Certificate requirements
System > Security > Phone Security Profile
ExpressWay C – Certificate requirements
Security Profile added to the SAN (CUCM trace)
SIPTcp - Connection Indication - Listen Port = 5061, Peer Port = 25002
SIPTcp - wait_SdlReadRsp: Incoming SIP TCP message from 10.48.55.98 on port 25002 index 10 with 2994 bytes:[53,NET]
REGISTER sip:COLCM9PUB SIP/2.0…
…
//SIP/SIPHandler/ccbId=0/scbId=0/wait_SIPCertificateInd: could not find a trunk device using address or x509SubjectName calling findSIPStationInit
//SIP/SIPHandler/ccbId=0/scbId=0/findDeviceByX509Subject: x509Subject:xwayc.coluc.com, port:5061
//SIP/SIPHandler/ccbId=25/scbId=0/findDevicePID: Routed to SIPStationInit
…
SIPStationInit: connId=10, CSFEWAYJ, 10.48.55.98:5061, Incoming register request received over TLS.
Subject=[/C=BE/ST=BRABANT/L=DIEGEM/O=CISCO/OU=TAC/CN=xwayc.coluc.com]
…
SIPStationD(9) - validTLSConnection:TLS InvalidX509NameInCertificate, Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next
SIPStationD(9) - validTLSConnection: Found matching SAN, SAN Rcvd=xwayc.coluc.com;conference-2ecup9.coluc.com;csf-secure, Expected=csf-secure
ExpressWay C – Certificate requirements
Security Profile not added to the SAN (CUCM trace)
SIPTcp - Connection Indication - Listen Port = 5061, Peer Port = 25004
SIPTcp - wait_SdlReadRsp: Incoming SIP TCP message from 10.48.55.98 on port 25004 index 10 with 2994 bytes:[53,NET]
REGISTER sip:COLCM9PUB SIP/2.0…
…
//SIP/SIPHandler/ccbId=0/scbId=0/wait_SIPCertificateInd: could not find a trunk device using address or x509SubjectName calling findSIPStationInit
//SIP/SIPHandler/ccbId=0/scbId=0/findDeviceByX509Subject: x509Subject:xwayc.coluc.com, port:5061
//SIP/SIPHandler/ccbId=25/scbId=0/findDevicePID: Routed to SIPStationInit
…
SIPStationInit: connId=10, CSFEWAYJ, 10.48.55.98:5061, Incoming register request received over TLS.
Subject=[/C=BE/ST=BRABANT/L=DIEGEM/O=CISCO/OU=TAC/CN=xwayc.coluc.com]
…
SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate, Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next
SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate Error , did not find matching SAN either, Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com, Expected=csf-secure
ExpressWay C – Certificate requirements
Security Profile not added to the SAN (CUCM trace)
ExpressWay E – Certificate requirements

• CA Signed
- Must be signed by a CA
- Used for the Traversal Zone with ExpressWay C
- The CA Root certificate must be uploaded into "Trusted CA certificate" on both ExpressWays
ExpressWay E – Certificate requirements
CA root not loaded on ExpressWay C

• Traversal Zone State

• ExpressWay E diagnostic logs
xwaye tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25006"
Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1"
UTCTime="2014-03-25 09:52:36,680"

• ExpressWay E event logs
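The three "TLS Negotiation Error" lines shown on these slides (Expressway-C outbound towards Expressway-E and towards CUCM, Expressway-E inbound from Expressway-C) all carry the same alert, and the interesting question is which side is missing the CA root. The following is an added Python example, not code from the presentation or from Cisco: it parses the tvcs Key="value" format visible in those lines and names the peer and trust store to fix. The sample lines are copied from the slides; the port-to-service mapping (7001 = traversal zone, 5061 = CUCM SIP/TLS) is taken from those same traces.

```python
# Added example, not from the presentation: classify Expressway "tvcs"
# TLS negotiation errors like the ones on the slides and say which side
# is missing the CA root. The sample lines are copied from the slides;
# the port-to-service mapping (7001 = traversal zone, 5061 = CUCM SIP/TLS)
# is taken from those same traces.
import re

_KV = re.compile(r'([\w-]+)="([^"]*)"')
_HOST = re.compile(r'(\S+) tvcs:')

SERVICE_BY_PORT = {"7001": "traversal zone", "5061": "CUCM SIP/TLS"}

SAMPLE_LINES = [
    # Expressway-C -> Expressway-E, CA root missing on Expressway-E
    'xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" '
    'Src-port="25016" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" '
    'Protocol="TLS" Commonname="xwaye.coluc.com" Level="1" UTCTime="2014-03-24 17:33:30,872"',
    # Expressway-C -> CUCM, CA root missing in CallManager-trust
    '2014-03-24T18:57:37+00:00 xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" '
    'Src-ip="10.48.55.98" Src-port="25264" Dst-ip="10.48.55.96" Dst-port="5061" '
    'Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="COLCM9PUB.coluc.com" '
    'Level="1" UTCTime="2014-03-24 18:57:37,777"',
    # Seen on Expressway-E: CA root missing on Expressway-C
    'xwaye tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" '
    'Src-port="25006" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" '
    'Protocol="TLS" Level="1" UTCTime="2014-03-25 09:52:36,680"',
]


def parse_tvcs(line):
    """Split a tvcs log line into its Key="value" fields plus the logging host."""
    fields = dict(_KV.findall(line))
    host = _HOST.search(line)
    fields["_host"] = host.group(1) if host else "?"
    return fields


def diagnose_tls_error(line):
    """Return a diagnosis dict for a TLS negotiation error line, or None
    for any other event."""
    f = parse_tvcs(line)
    event = f.get("Event", "")
    if "TLS Negotiation Error" not in event:
        return None
    outbound = event.startswith("Outbound")
    # For an outbound attempt the peer is the destination; for an inbound
    # one it is the source. The listening (well-known) port is always Dst-port.
    peer_ip = f["Dst-ip"] if outbound else f["Src-ip"]
    listen_port = f.get("Dst-port", "?")
    service = SERVICE_BY_PORT.get(listen_port, f"unknown service on port {listen_port}")
    detail = f.get("Detail", "")
    if "unknown ca" in detail:
        # "tlsv1 alert unknown ca" is an alert received from the peer: the peer
        # could not build a trust chain for the certificate this host presented,
        # so the CA root is missing on the peer, not on the logging host.
        store = "CallManager-trust" if service == "CUCM SIP/TLS" else "Trusted CA certificate"
        cause = f"{peer_ip} does not trust the CA that signed {f['_host']}'s certificate"
        action = f"upload the CA root certificate to {store} on {peer_ip}"
    else:
        cause = f"TLS handshake failed: {detail or 'no detail'}"
        action = "check certificate validity and trust on both sides"
    return {
        "host": f["_host"],
        "direction": "outbound" if outbound else "inbound",
        "peer": peer_ip,
        "service": service,
        "cause": cause,
        "action": action,
    }


def diagnose_all(lines=SAMPLE_LINES):
    """Diagnoses for every TLS error line in the input; other lines are skipped."""
    return [d for d in map(diagnose_tls_error, lines) if d is not None]


if __name__ == "__main__":
    for d in diagnose_all():
        print(f"{d['host']} {d['direction']} {d['service']}: {d['cause']} -> {d['action']}")
```

Feed it the diagnostic log export of either Expressway; the direction field is what tells you which box to fix, which is exactly the distinction between the Expressway-C slides above and the Expressway-E slide here.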
ExpressWay E – Certificate requirements

• SAN must include all domains in use (*)
- The domain used for Jabber login
- Voiceservicesdomain from jabber-config.xml (if present)
- The IM&P domain of CUP (if different)
= all existing UC domains
(*) see the domains section for details
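The Expressway-C requirements (EKU with both server and client authentication, chat node alias and security profile name in the SAN, FQDN-shaped names for public CAs) and the Expressway-E requirement (every UC domain in the SAN) can be checked offline before a CSR is submitted or a certificate is uploaded. The following is an added Python example, not code from the presentation or from Cisco; it uses the cryptography package. The names xwayc.coluc.com, xwaye.coluc.com, conference-2-ecup9.coluc.com and csf-secure come from the traces on the slides; coluc.com and im.coluc.com as UC domains, csf-secure.coluc.com as an FQDN-shaped profile name, and the self-signed test certificates are constructed for this example.

```python
# Added example, not code from the presentation or from Cisco: audit an
# Expressway certificate against the SAN and Extended Key Usage
# requirements listed on the slides. Needs the 'cryptography' package.
# Host names xwayc.coluc.com, xwaye.coluc.com, conference-2-ecup9.coluc.com
# and csf-secure come from the traces on the slides; coluc.com, im.coluc.com,
# csf-secure.coluc.com and the test certificates are constructed here.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH
CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH


def expressway_c_required_sans(fqdn, chat_node_aliases, security_profile_names):
    """Expressway-C: own FQDN, every IM&P chat node alias (XMPP federation)
    and every CUCM phone security profile name (CUCM matches it as the
    TLS identity, see the CUCM trace on the slides)."""
    return [fqdn, *chat_node_aliases, *security_profile_names]


def expressway_e_required_sans(fqdn, uc_domains):
    """Expressway-E: own FQDN plus every UC domain (Jabber login domain,
    voiceservicesdomain, IM&P domain)."""
    return [fqdn, *uc_domains]


def audit_cert(cert, required_sans):
    """Return a list of findings; an empty list means the certificate
    satisfies the requirements the slides describe."""
    findings = []
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        present = set(san.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        present = set()
        findings.append("subjectAltName extension missing")
    for name in required_sans:
        if name not in present:
            findings.append(f"SAN missing: {name}")
        elif "." not in name:
            # Some public CAs refuse bare names; the slides suggest naming the
            # security profile as an FQDN (e.g. abc.def.com) in that case.
            findings.append(f"SAN entry is not FQDN-shaped, a public CA may reject it: {name}")
    try:
        ekus = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        ekus = set()
    for oid, label in ((SERVER_AUTH, "TLS Web Server Authentication"),
                       (CLIENT_AUTH, "TLS Web Client Authentication")):
        if oid not in ekus:
            findings.append(f"Extended Key Usage missing: {label}")
    return findings


def make_test_cert(cn, san_names, ekus):
    """Self-signed certificate used only as constructed test input."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(n) for n in san_names]), critical=False)
        .add_extension(x509.ExtendedKeyUsage(list(ekus)), critical=False)
        .sign(key, hashes.SHA256())
    )


def audit_good_expressway_c():
    """Profile named as an FQDN, chat alias present, both EKUs: no findings."""
    cert = make_test_cert("xwayc.coluc.com",
                          ["xwayc.coluc.com", "conference-2-ecup9.coluc.com", "csf-secure.coluc.com"],
                          [SERVER_AUTH, CLIENT_AUTH])
    required = expressway_c_required_sans("xwayc.coluc.com", ["conference-2-ecup9.coluc.com"],
                                          ["csf-secure.coluc.com"])
    return audit_cert(cert, required)


def audit_bad_expressway_c():
    """Bare profile name, no chat alias, server-auth only: three findings."""
    cert = make_test_cert("xwayc.coluc.com", ["xwayc.coluc.com", "csf-secure"], [SERVER_AUTH])
    required = expressway_c_required_sans("xwayc.coluc.com", ["conference-2-ecup9.coluc.com"], ["csf-secure"])
    return audit_cert(cert, required)


def audit_expressway_e_missing_domain():
    """Expressway-E certificate lacking one of the UC domains."""
    cert = make_test_cert("xwaye.coluc.com", ["xwaye.coluc.com", "coluc.com"], [SERVER_AUTH, CLIENT_AUTH])
    required = expressway_e_required_sans("xwaye.coluc.com", ["coluc.com", "im.coluc.com"])
    return audit_cert(cert, required)
```

To audit a real certificate, load it with x509.load_pem_x509_certificate and pass it to audit_cert together with the list built by the matching expressway_*_required_sans helper; the same function works for the CSR you are about to send to the CA, since the SAN and EKU extensions are what the CA copies into the issued certificate.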
Certificates – General recommendations

• Prefer CA-signed certificates on CUCM as well

• Do not forget to add the CA root to "Trusted CA Certificate"

• If CUCM uses self-signed certificates, the Tomcat and CUCM certificates must be added to "Trusted CA Certificate" on ExpressWay C

• BUT note the following defect:
"CSCun30200: Unable to configure secure MRA UCM using self signed certs"
Known limitations and issues
No SRTP between ExpressWay C and the internal phone
• Media between ExpressWay C and internal phones runs as RTP/AVP instead of RTP/SAVP, even though both sides support encryption.
[Figure: Jabber <-SRTP-> XWY-E <-SRTP-> XWY-C <-RTP-> Collaboration Infrastructure, with SIP Security Profile = Encrypted]
SIP Early Media support
Jabber -> CUCM: INVITE
Jabber <- CUCM: TRYING
Jabber <- CUCM: 183 SESSION PROGRESS (with SDP)
The ExpressWay B2BUA will support Early Media in X8.5
183 Session Progress is used to cut media through before the call is established (EARLY MEDIA)
"CSCul52293: Edge calls are missing or have incorrect tones and announcements"
TURN/ICE support

• ICE is not supported on CUCM, so do not enable TURN/ICE on Expressway

• For calls between two endpoints outside the network, media will pass through ExpressWay C
Rich Media licence usage

• With addresses, zones and NAT configured correctly, calls should not consume Rich Media licences on ExpressWay

• Verify this during the initial setup
Using a SIP trunk between ExpressWay C and CUCM

• ExpressWay C registers MRA clients to CUCM from its own address

• A SIP trunk for Rich Media calls between ExpressWay C and CUCM must therefore use different TCP ports (for example 5060->5560, 5061->5561)
Thank you
7913