Cisco Expressway Basic Configuration Deployment Guide Cisco Expressway X8.5.
Contents
Introduction 4
  Example network deployment
  Network elements
    Internal network elements
    DMZ network element
    External network elements
  NAT devices and firewalls
  SIP and H.
Appendix 1: Configuration details 36
  Expressway-C configuration details 36
  Expressway-E configuration details 37
  Expressway-C and Expressway-E configuration details 38
Appendix 2: DNS records 40
  DNS configuration on host server 40
  Host DNS A record 40
  DNS SRV records 40
  DNS configuration (internal DNS server) 40
  Local DNS A record 41
  Local DNS SRV records 41
Appendix 3: Firewall and NAT settings 42
  Internal firewall configuration
  Outbound (Internal network > DMZ)
  Inbound (DMZ > Internal network) E
Introduction
Cisco Expressway is designed specifically for comprehensive collaboration services provided through Cisco Unified Communications Manager. It features established firewall-traversal technology and helps redefine traditional enterprise collaboration boundaries, supporting our vision of any-to-any collaboration. This document describes how to configure an Expressway-E and an Expressway-C as the cornerstones of a basic video infrastructure deployment.
Example network deployment
The example network shown below is used as the basis for the deployment described in this document. This example network includes internal and DMZ segments – in which Expressway-C and Expressway-E platforms are respectively deployed.
Network elements
Internal network elements
The internal network elements are devices which are hosted on the organization’s local area network. Elements on the internal network have an internal network domain name. This internal network domain name is not resolvable by a public DNS. For example, the Expressway-C is configured with an internally resolvable name of expc.internal-domain.net (which resolves to an IP address of 10.0.0.2 by the internal DNS servers).
The Expressway-E is configured with a traversal server zone to receive communications from the Expressway-C in order to allow inbound and outbound calls to traverse the NAT device. The Expressway-E has a public network domain name. For example, the Expressway-E is configured with an externally resolvable name of expe.example.com (which resolves to an IP address of 192.0.2.2 by the external / public DNS servers).
Prerequisites and process summary
Prerequisites
Before starting the system configuration, make sure you have access to:
- the Expressway Administrator Guide and Expressway Getting Started Guide (for reference purposes)
- your Expressway system
- a PC connected via Ethernet to a LAN which can route HTTP(S) traffic to the Expressway
- a web browser running on the PC
- a serial interface on the PC and cable (if the initial configuration is to be performed over the se
Expressway system configuration
Task 1: Performing initial configuration
Assuming the Expressway is in the factory delivered state, follow the Initial configuration steps described in the Expressway Getting Started Guide to configure the basic network parameters:
- LAN1 IP (IPv4 or IPv6) address
- Subnet mask (if using IPv4)
- Default Gateway IP address (IPv4 or IPv6)
Note that Expressway requires a static IP address (it will not pick up an IP address from a DHCP serve
3. Click Save.
Task 3: Configuring DNS
System host name
The System host name defines the DNS hostname that this system is known by. Note that this is not the fully-qualified domain name, just the host label portion. Note that <System host name>.<Domain name> = FQDN of this Expressway.
To configure the System host name:
1. Go to System > DNS.
2.
DNS servers
The DNS server addresses are the IP addresses of up to 5 domain name servers to use when resolving domain names.
Expressway-E has a Fully Qualified Domain Name of expe.example.com
Task 4: Replacing the default server certificate
For extra security, you may want to have the Expressway communicate with other systems (such as LDAP servers, neighbor Expressways, or clients such as SIP endpoints and web browsers) using TLS encryption. For this to work successfully in a connection between a client and server:
- The server must have a certificate installed that verifies its identity.
TLS can be difficult to configure. For example, when using it with an LDAP server, we recommend that you confirm that your system is working correctly before you attempt to secure the connection with TLS. We also recommend that you use a third-party LDAP browser to verify that your LDAP server is correctly configured to use TLS. Note: be careful not to allow your CA certificates or CRLs to expire, as this may cause certificates signed by those CAs to be rejected.
Routing configuration
Pre-search transforms
Pre-search transform configuration allows the destination alias (called address) in an incoming search request to be modified. The transformation is applied by the Expressway before any searches are sent to external zones. The pre-search transform configuration described in this document is used to standardize destination aliases originating from both H.323 and SIP devices.
1. Go to Configuration > Dial plan > Transforms.
2. Click New.
3. Configure the transform fields as follows (Expressway-C; Expressway-E: same as Expressway-C):
   Priority: Enter 1
   Description: Enter Transform destination aliases to URI format
   Pattern type: Regex
   Pattern string: Enter ([^@]*)
   Pattern behavior: Replace
   Replace string: Enter \1@example.com
   State: Enabled
4. Click Create transform.
Expressway-C / Expressway-E
Name: Enter Traversal zone / Enter Traversal zone
Type: Traversal client / Traversal server
Username: Enter exampleauth / Enter exampleauth
Password: Enter ex4mpl3.c0m / Not applicable
H.323 Mode: On / On
H.323 Protocol: Assent / Assent
H.323 Port: Enter 6001 / Enter 6001
H.323 H.460.
To configure the authentication credentials in the Local authentication database (which are configured in the Expressway-E only):
1. Go to Configuration > Authentication > Devices > Local database.
2. Click New.
3. Configure the fields as follows (Expressway-C / Expressway-E):
   Name: Not applicable / Enter exampleauth
   Password: Not applicable / Enter ex4mpl3.c0m
4. Click Create credential.
Note: Systems that are configured as peers must not also be configured as neighbors to each other, and vice versa.
Neighboring your clusters
To neighbor your local Expressway (or Expressway cluster) to a remote Expressway cluster, you create a single zone to represent the cluster and configure it with the details of all the peers in that cluster:
1. On your local Expressway (or, if the local Expressway is a cluster, on the master peer), create a zone of the appropriate type.
selective by adding search rules or configuring call policy.
4. Click Create search rule.
Task 9: Configuring the DNS zone
The DNS zone is used to search for externally hosted systems (such as for business to business calling). Destination aliases are searched for by a name using a DNS lookup.
To configure the DNS zone:
1. Go to Configuration > Zones > Zones.
2. Click New.
3.
Task 10: Configuring DNS zone search rules
The DNS search rule defines when the DNS zone should be searched. A specific regular expression is configured which will prevent searches being made using the DNS zone (i.e. on the public internet) for destination addresses (URIs) using any SIP domains which are configured on the local network (local domains).
To create the search rules to route via DNS:
1. Go to Configuration > Dial plan > Search rules.
2. Click New.
3.
Note that the regular expression used to prevent local domains being searched via the DNS zone can be broken down into the following components:
(.*) = match all pattern strings
(?!.*@%localdomains%.*$).* = do not match any pattern strings ending in @localdomains
In the deployment example, calls destined for @cisco.com would be searched via the DNS zone, whereas calls destined for @example.com would not.
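The pre-search transform ([^@]*) → \1@example.com and the DNS zone search rule above can be checked offline before they are trusted with live call routing. The following Python is an added example, not part of the guide and not Expressway code. It assumes that Expressway evaluates a Regex pattern as a full-string match (so an alias that already contains "@" is not changed by the transform) and that %localdomains% expands to the SIP domains configured on the local network, which here is only example.com; the aliases fed in are constructed.

```python
import re

# Pre-search transform from the guide: pattern ([^@]*), replace string \1@example.com.
# Assumption: Expressway applies a Regex pattern to the whole alias (full match),
# so "alice" becomes "alice@example.com" while "alice@other.com" is left alone.
TRANSFORM_PATTERN = re.compile(r"([^@]*)")
TRANSFORM_REPLACE = r"\1@example.com"

# DNS zone search rule from Task 10, before %localdomains% is expanded.
# Assumption: %localdomains% expands to an alternation of the configured SIP domains.
DNS_RULE_TEMPLATE = r"(?!.*@%localdomains%.*$).*"


def apply_transform(alias: str) -> str:
    """Standardize a destination alias to URI form, as the pre-search transform does."""
    m = TRANSFORM_PATTERN.fullmatch(alias)
    if m is None:  # already user@domain: the transform does not apply
        return alias
    return m.expand(TRANSFORM_REPLACE)


def dns_zone_rule(local_domains) -> "re.Pattern":
    """Build the regex that results from expanding %localdomains% (assumed form)."""
    alternation = "|".join(re.escape(d) for d in local_domains)
    return re.compile(DNS_RULE_TEMPLATE.replace("%localdomains%", "(?:" + alternation + ")"))


def dns_zone_matches(alias: str, local_domains) -> bool:
    """True if the alias would be searched via the DNS zone (public internet)."""
    return dns_zone_rule(local_domains).fullmatch(alias) is not None


def route_decision(raw_alias: str, local_domains=("example.com",)) -> tuple:
    """Transform first, then evaluate the DNS zone rule; returns (alias, where it is searched)."""
    alias = apply_transform(raw_alias)
    where = "DNS zone" if dns_zone_matches(alias, local_domains) else "local zones only"
    return alias, where


if __name__ == "__main__":
    # Constructed aliases: a bare H.323 ID, a local URI, an external URI, a local subdomain.
    for a in ("alice", "alice@example.com", "bob@cisco.com", "bob@sub.example.com"):
        print(a, "->", route_decision(a))
```

One check worth noticing from running this: the lookahead only excludes aliases whose domain is exactly a configured local domain, so bob@sub.example.com is still searched via the DNS zone unless the subdomain is also configured as a local SIP domain.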
3. Click Save.
To create the search rules to route calls to IP addresses to the Expressway-E:
1. Go to Configuration > Dial plan > Search rules.
2. Click New.
3.
System checks
Zone status
Go to Status > Zones on both Expressway-C and Expressway-E to check that the traversal zone is Active. You can also check the zone status via Configuration > Zones > Zones. If the traversal zone is not active:
- Review the traversal zone configuration.
- Confirm that the relevant ports are enabled for outbound routing on the NAT and firewall devices located between the Expressway-C and Expressway-E (see Appendix 3: Firewall and NAT settings [p.42]).
Maintenance routine
Creating a system backup
To create a backup of Expressway system data:
1. Go to Maintenance > Backup and restore.
2. Optionally, enter an Encryption password with which to encrypt the backup file. If a password is specified, the same password will be required to restore the file.
3. Click Create system backup file.
4. After the backup file has been prepared, a pop-up window appears and prompts you to save the file (the exact wording depends on your browser).
Optional configuration tasks
Task 12: Configuring routes to a neighbor zone (optional)
You can optionally set up neighbor zones and associated search rules on the Expressway-C if you need to route calls to other systems such as a Cisco VCS or Unified CM.
Example: Cisco VCS neighbor zone
For example, you may want to route calls towards devices (typically H.323 devices) that are registered to a Cisco VCS.
Expressway-C (Expressway-E: Not applicable)
Rule name: Enter Route to VCS
Description: Enter Search VCS neighbor zone
Priority: Enter 100
Protocol: Any
Source: Any
Request must be authenticated: No
Mode: Alias pattern match
Pattern type: Suffix
Pattern string: Enter @vcs.domain
Pattern behavior: Leave
On successful match: Continue
Target: Neighbor zone to VCS
State: Enabled
4. Click Create search rule.
3. Click Save.
Task 14: Restricting access to ISDN gateways (optional)
We recommend that Expressway users take appropriate action to restrict unauthorized access to any ISDN gateway resources (also known as toll-fraud prevention). This optional step shows some methods by which this can be achieved. In these examples, an ISDN gateway is a neighbor zone that routes calls starting with a 9.
Expressway-E
Protocol: Any
Source: All zones
Request must be authenticated: No
Mode: Alias pattern match
Pattern type: Regex
Pattern string: Enter (9\d+)(@example.com)
Pattern behavior: Replace
Replace string: Enter \1
On successful match: Stop
Target: TraversalZone
State: Enabled
4. Click Create search rule.
5. Click New.
6.
Expressway-E
Description: Enter Blocks everything (including non-registered endpoints)
Priority: Enter 41
Protocol: Any
Source: Any
Request must be authenticated: No
Mode: Alias pattern match
Pattern type: Regex
Pattern string: Enter (9\d+)(.*)(@example.com)
Pattern behavior: Replace
Replace string: Enter do-not-route-this-call for example
On successful match: Stop
Target: TraversalZone
State: Enabled
7. Click Create search rule.
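The two search rules above rely on priority order and on the Source field to decide which callers can reach the gateway prefix. The following Python is an added example, not from the guide and not Expressway code, that models that evaluation so the outcome can be checked for registered and non-registered sources. The priority of the first rule is cut off on the page, so 40 is an assumed value that simply sorts ahead of the documented 41; it is also assumed that the "All zones" source excludes non-registered endpoints while "Any" includes them, and that Regex patterns are matched against the whole alias. The search requests are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SearchRule:
    priority: int       # lower number is evaluated first
    source: str         # "All zones" (registered devices and zones) or "Any" (also non-registered)
    pattern: str        # Regex pattern, assumed to be matched against the whole alias
    replace: str        # Replace string; \1 etc. refer to capture groups
    target: str         # both rules in Task 14 use On successful match: Stop


@dataclass
class SearchRequest:
    alias: str
    registered: bool    # False for a non-registered endpoint


# Rules from Task 14. Priority 40 for the first rule is an assumed value
# (the page's value is cut off); 41 is the documented priority of the second.
RULES: List[SearchRule] = [
    SearchRule(40, "All zones", r"(9\d+)(@example.com)", r"\1", "TraversalZone"),
    SearchRule(41, "Any", r"(9\d+)(.*)(@example.com)", "do-not-route-this-call", "TraversalZone"),
]


def source_allows(rule: SearchRule, req: SearchRequest) -> bool:
    """Assumed Source semantics: "Any" admits everyone, "All zones" only registered sources."""
    return rule.source == "Any" or req.registered


def evaluate(req: SearchRequest, rules: List[SearchRule] = RULES) -> Optional[Tuple[str, str]]:
    """Return (target zone, alias forwarded to it) for the first matching rule, else None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not source_allows(rule, req):
            continue
        m = re.fullmatch(rule.pattern, req.alias)
        if m is None:
            continue
        return rule.target, m.expand(rule.replace)   # Stop: no further rules are searched
    return None


if __name__ == "__main__":
    # Constructed requests: a registered caller, a non-registered caller, a padded alias.
    for req in (SearchRequest("912345@example.com", True),
                SearchRequest("912345@example.com", False),
                SearchRequest("912345;x@example.com", True),
                SearchRequest("alice@example.com", True)):
        print(req, "->", evaluate(req))
```

Running it shows the intended effect: a registered caller dialling 912345@example.com is forwarded to the TraversalZone as 912345, while the same alias from a non-registered endpoint, or any alias with extra characters between the digits and the domain, is rewritten to do-not-route-this-call, which no gateway rule will match. Aliases that do not start with 9 fall through both rules and continue to the rest of the dial plan.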
Expressway-C
This example shows how to configure the Expressway-C to stop calls coming in via the gateway from being able to route calls back out of the gateway. This is done by loading some specially constructed CPL onto the Expressway-C and configuring its Call policy mode to use Local CPL.
Creating a CPL file
The CPL file to be uploaded onto the Expressway can be created in a text editor. Here are two example sets of CPL.
Loading the CPL onto Expressway-C
To configure the Expressway-C to use the CPL:
1. Go to Configuration > Call Policy > Configuration.
2. Click Browse... and select your CPL file (created above) from your file system.
3. Click Upload file.
   - You should receive a "File upload successful" message.
Appendix 1: Configuration details
This appendix summarizes the configuration required for the Expressway-C and Expressway-E.
Configuration item | Value | Expressway page
On successful match | Continue | Configuration > Dial plan > Search rules
Target | TraversalZone | Configuration > Dial plan > Search rules
Rule name | External IP address search rule | Configuration > Dial plan > Search rules
Description | Route external IP address | Configuration > Dial plan > Search rules
Priority | 100 | Configuration > Dial plan > Search rules
Source | Any | Configuration > Dial plan > Search rules
Mode | Any IP ad
Configuration item | Value | Expressway page
Name | exampleauth | Configuration > Authentication > Devices > Local database
Password | ex4mpl3.
Configuration item | Value | Expressway page
Pattern behavior | Replace | Configuration > Dial plan > Transforms
Replace string | \1@example.
Appendix 2: DNS records
DNS configuration on host server
The following records are required in the external DNS which hosts the externally routable domain (example.com) to allow messages from non-registered endpoints (or other infrastructure devices) to be routed to the Expressway-E.
Host DNS A record
Host | Host IP address
expe.example.com | 192.0.2.2
DNS SRV records
Name | Service | Protocol | Priority | Weight | Port | Target host
example.com. | h323cs | tcp | 10 | 10 | 1720 | expe.example.
Local DNS A record
Host | Host IP address
expc.internal-domain.net | 10.0.0.2
Local DNS SRV records
Name | Service | Protocol | Priority | Weight | Port | Target host
internal-domain.net. | h323cs | tcp | 10 | 10 | 1720 | expc.internal-domain.net.
internal-domain.net. | h323ls | udp | 10 | 10 | 1719 | expc.internal-domain.net.
internal-domain.net. | sip | tcp | 10 | 10 | 5060 | expc.internal-domain.net.
internal-domain.net. | sip | udp * | 10 | 10 | 5060 | expc.internal-domain.net.
internal-domain.net.
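The local records in the table above, written out as an added example in BIND-style zone-file syntax (this fragment is not from the guide; it uses only the names, ports and priorities listed in the table, and assumes a zone whose origin is internal-domain.net.). The owner name of each SRV record is formed as _service._protocol under the domain, which is what the Name, Service and Protocol columns combine into:

```zone
; Added example: Local DNS A and SRV records from Appendix 2 for internal-domain.net.
$ORIGIN internal-domain.net.
expc            IN A    10.0.0.2
; priority 10, weight 10, port, target (target must be a name with an A record, not an IP)
_h323cs._tcp    IN SRV  10 10 1720 expc.internal-domain.net.
_h323ls._udp    IN SRV  10 10 1719 expc.internal-domain.net.
_sip._tcp       IN SRV  10 10 5060 expc.internal-domain.net.
_sip._udp       IN SRV  10 10 5060 expc.internal-domain.net.
```

A quick sanity check after loading the zone is to query one of these names, for example the _sip._tcp record, from a host on the internal network and confirm that the answer carries port 5060 and the target expc.internal-domain.net., which must itself resolve to 10.0.0.2.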
Appendix 3: Firewall and NAT settings
Internal firewall configuration
In many deployments outbound connections (from internal network to DMZ) will be permitted by the NAT/firewall device. If the administrator wants to restrict this further, the following tables provide the permissive rules required. For further information, see Expressway IP Port Usage for Firewall Traversal. Ensure that any SIP or H.
Inbound (DMZ > Internal network)
As Expressway-C to Expressway-E communications are always initiated from the Expressway-C to the Expressway-E (Expressway-E sending messages by responding to Expressway-C’s messages), no ports need to be opened from DMZ to Internal for call handling.
Purpose | Source | Dest. | Source IP | Source port | Transport protocol | Dest. IP | Dest. port
RTP & RTCP | Endpoint | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 36002 to 59999
SIP endpoints using UDP / TCP or TLS
SIP TCP | Endpoint | EXPe | Any | >=1024 | TCP | 192.0.2.2 | 5060
SIP UDP | Endpoint | EXPe | Any | >=1024 | UDP | 192.0.2.2 | 5060
SIP TLS | Endpoint | EXPe | Any | >=1024 | TCP | 192.0.2.2 | 5061
RTP & RTCP | Endpoint | EXPe | Any | >=1024 | UDP | 192.0.2.
Purpose | Source | Dest. | Source IP | Source port | Transport protocol | Dest. IP | Dest.
NTP (time sync) | EXPe | NTP server | 192.0.2.2 | 123
Appendix 4: Advanced network deployments
This section discusses network deployments that use static NAT or Dual Network Interface architectures.
Prerequisites
Deploying an Expressway-E behind a NAT mandates the use of the Advanced Networking option key. It enables the static NATing functionality of the Expressway-E as well as dual network interfaces.
- Endpoint A with IP address 10.0.20.3
- Endpoint B with IP address 64.100.0.20, located on the Internet
Assume that endpoint A places a SIP call towards endpoint B. The call will arrive at the Expressway-E, which will proxy the SIP INVITE towards endpoint B.
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 2825
v=0
s=
c=IN IP4 10.0.10.2
b=AS:2048
…
Figure 4: SIP INVITE arriving at Endpoint B
As can be seen from the example above, endpoint B will see that the SIP INVITE was received from IP 64.100.0.10 (NAT router), so the endpoint will know where to send its reply messages for the INVITE itself. The c-line within the SDP of the SIP INVITE is, however, still set to c=IN IP4 10.0.10.
- Dual interfaces are selected and the external LAN interface is set to LAN2
- Configuration > IPv4 gateway is set to 10.0.10.1, the local IP address of the NAT router
- LAN1 > IPv4 address is set to 10.0.20.2
- LAN1 > IPv4 static NAT mode is set to Off
- LAN2 > IPv4 address is set to 10.0.10.2
- LAN2 > IPv4 static NAT mode is set to On
- LAN2 > IPv4 static NAT address is set to 64.100.0.
Via: SIP/2.0/TLS 10.0.10.2:5061
Via: SIP/2.0/TLS 10.0.20.3:55938
Call-ID: 20ec9fd084eb3dd2@127.0.0.1
CSeq: 100 INVITE
Contact:
From: "Endpoint A" ;tag=9a42af
To:
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 2825
v=0
s=
c=IN IP4 64.100.0.
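What static NAT mode changes is the SDP c-line, not the address the packet arrives from; without it, endpoint B would send media to the unroutable 10.0.10.2. The following Python is an added example, not the guide's figure and not Expressway code, that models that rewrite on a constructed INVITE using the LAN2 address 10.0.10.2 and the NAT router address 64.100.0.10 from this appendix. It also shows the detail that is easy to forget when an SDP body is edited: Content-Length has to be recomputed, or the far end will truncate or over-read the body.

```python
# Added example: model of the SDP c-line rewrite performed when LAN2 static NAT
# mode is On. Addresses are the ones used in this appendix; the INVITE text is
# constructed for the example and is not the guide's Figure 4.
PRIVATE_IP = "10.0.10.2"       # Expressway-E LAN2 address (private)
STATIC_NAT_IP = "64.100.0.10"  # public address of the NAT router

SAMPLE_INVITE = (
    "INVITE sip:endpointb@64.100.0.20 SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.10.2:5061\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"   # deliberately wrong; the rewrite recomputes it
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 10.0.10.2\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.10.2\r\n"
    "b=AS:2048\r\n"
    "t=0 0\r\n"
    "m=audio 36002 RTP/AVP 0\r\n"
)


def split_sip(message: str):
    """Split a SIP message into its header block and body at the blank line."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        raise ValueError("SIP message has no header/body separator")
    return head, body


def rewrite_c_lines(body: str, private_ip: str, nat_ip: str) -> str:
    """Replace the private address on every SDP c= line with the static NAT address."""
    lines = []
    for line in body.split("\r\n"):
        if line == "c=IN IP4 " + private_ip:
            line = "c=IN IP4 " + nat_ip
        lines.append(line)
    return "\r\n".join(lines)


def set_content_length(head: str, body: str) -> str:
    """Rewrite Content-Length so it matches the edited body size in bytes."""
    lines = head.split("\r\n")
    for i, line in enumerate(lines):
        if line.lower().startswith("content-length:"):
            lines[i] = "Content-Length: %d" % len(body.encode())
    return "\r\n".join(lines)


def apply_static_nat(message: str, private_ip: str = PRIVATE_IP,
                     nat_ip: str = STATIC_NAT_IP) -> str:
    """Return the INVITE as it would leave LAN2 with static NAT mode On."""
    head, body = split_sip(message)
    body = rewrite_c_lines(body, private_ip, nat_ip)
    return set_content_length(head, body) + "\r\n\r\n" + body


def connection_address(message: str) -> str:
    """The address the far end would send media to, read from the first c= line."""
    _, body = split_sip(message)
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            return line[len("c=IN IP4 "):]
    return ""


def content_length_ok(message: str) -> bool:
    """True if the Content-Length header agrees with the actual body size."""
    head, body = split_sip(message)
    for line in head.split("\r\n"):
        if line.lower().startswith("content-length:"):
            return int(line.split(":", 1)[1].strip()) == len(body.encode())
    return False


if __name__ == "__main__":
    out = apply_static_nat(SAMPLE_INVITE)
    print("media address before:", connection_address(SAMPLE_INVITE))
    print("media address after: ", connection_address(out))
    print("Content-Length consistent:", content_length_ok(out))
```

Only the c= line is rewritten here, matching what this appendix describes; the Via headers are left as they appear in the figure above. The same check (does the c-line carry a routable address, and does Content-Length match the body) is a useful first thing to look at in a packet capture when one-way media is reported behind a NAT.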
As per the recommendations in the Introduction section of this appendix, we highly recommend disabling SIP and H.323 ALGs on routers/firewalls carrying network traffic to or from an Expressway-E because, when enabled, they are frequently found to negatively affect the built-in firewall/NAT traversal functionality of the Expressway-E itself. This is also mentioned in Appendix 3: Firewall and NAT settings [p.42].
- DMZ subnet 2 – 10.0.20.0/24, containing:
  - the external interface of Firewall B – 10.0.20.1
  - the LAN1 interface of the Expressway-E – 10.0.20.2
- LAN subnet – 10.0.30.0/24, containing:
  - the internal interface of Firewall B – 10.0.30.1
  - the LAN1 interface of the Expressway-C – 10.0.30.2
  - the network interface of the Cisco TMS server – 10.0.30.3
- Firewall A is the publicly-facing firewall; it is configured with a NAT IP (public IP) of 64.100.0.
The xCommand RouteAdd command and syntax is described in full detail in the Expressway Administrator Guide.
Example deployments
The following section contains additional reference designs which depict other possible deployment scenarios.
Single subnet DMZ using single Expressway-E LAN interface
In this case, FW A can route traffic to FW B (and vice versa). Expressway-E allows video traffic to be passed through FW B without pinholing FW B from outside to inside.
Expressway-E communications will be to the 64.100.0.10 address of the Expressway-E; the return traffic from the Expressway-E to Expressway-C might have to go via the default gateway. If a static route is added to the Expressway-E so that reply traffic goes from the Expressway-E and directly through FW B to the 10.0.30.0/24 subnet, this will mean that asymmetric routing will occur and this may or may not work, depending on the firewall capabilities.
Technical support
If you cannot find the answer you need in the documentation, check the website at www.cisco.com/cisco/web/support/index.html where you will be able to:
- Make sure that you are running the most up-to-date software.
- Get help from the Cisco Technical Support team.
Make sure you have the following information ready before raising a case:
- Identifying information for your product, such as model number, firmware version, and software version (where applicable).
Document revision history
Date | Description
April 2015 | Menu path changes for X8.5. Republished with X8.5.2.
December 2014 | Republished for X8.5.
August 2014 | Correction in firewall appendix.
June 2014 | Republished for X8.2.
December 2013 | Initial release.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.