TRANSCRIPT
Best Practices for Business-to-business Video Collaboration
Luca Pellegrini, Technical Marketing Engineer
BRKCOL-2018
Agenda
• Introduction
  • Collaboration Edge Introduction
  • Proxy or B2BUA?
  • Expressway-E Dual Network Deployment
  • Dial Plan
  • Routing on the Internet: DNS SRV records
• Business-to-business Architecture
  • Signaling encryption
  • Media encryption
  • Encryption and lock icon
• Multipoint and Cloud Integration
  • CMR Premises
  • CMR Hybrid
  • CMR Cloud
• Expressway Policy Protection
  • Filtering ACLs
  • Search Rules and CPL Rules
  • Cisco Unified CM Inbound Calling Search Space
  • Minimizing or reducing UDP ports opened in the Internet firewall
  • General considerations for multiple Expressway deployments
Why are we here today?
• Understand architectures for business-to-business video communications
• Understand architectures for cloud-based integration
• Understand best practices to protect the internal dial plan

Key Learning Objectives
• Explain and design B2B architectures based on Expressway-C and Expressway-E on single edge, dual network deployment
• Understand how to integrate Premises, Hybrid and Cloud CMR through Expressway
• Understand UDP media port requirements for B2B

Introduction
• Collaboration Edge Introduction
• Proxy or B2BUA?
• Expressway-E Dual Network Deployment
• Dial Plan
• Routing on the Internet: DNS SRV records
Introducing Cisco Collaboration Edge Architecture: Industry's Most Comprehensive Any-to-Any Collaboration Solution
All the capabilities of Cisco Any-to-Any collaboration to date:
• TDM & analog gateways
• ISDN video gateways
• Session border control
• Firewall traversal
• Standards-based & secure
[Diagram: the edge connects teleworkers, mobile workers, B2B, consumers, 3rd parties, analog devices, branch offices, PSTN or IP PSTN, TDM or IP PBX and cloud services]
Cisco Expressway: A new gateway solving & simplifying business relevant use cases
• For Unified CM & Business Edition environments
• Based on Cisco VCS technology
• Standards-based interoperability
[Diagram: the same use cases as the previous slide: teleworkers, mobile workers, B2B, consumers, 3rd parties, analog devices, branch office, PSTN or IP PSTN, TDM or IP PBX, cloud services]
X8.1 Product Line Options
New offering (X8.1): "Expressway-C" (or Core) and "Expressway-E" (or Edge)
• Solution designed for and sold exclusively with Unified CM 9.1 and above (including Business Edition)
• Subset of X8.1 features
• No additional cost for server software licenses
No change: "VCS Control" and "VCS Expressway"
• Specialized video applications for video-only customer base and advanced video requirements
• No changes to existing licensing model
Cisco Expressway Family: Expressway-C and Expressway-E
Expressway-C: SIP and H.323 trunk-side; includes an H.323-SIP gateway server
• 3rd party interoperability – trunk side only
• Traversal client for B2B and Mobile and Remote Access
• Normally deployed within the Enterprise network
Expressway-E: Application Edge Server for B2B and MRA SIP/H.323 firewall traversal
• Traversal server for B2B and Mobile and Remote Access
• Normally deployed in the DMZ
Expressway Routing
[Flowchart, rendered as steps]
1. Expressway receives an alias.
2. Does calling or called match a CPL rule? If the rule says "reject": Forbidden. If "allow": continue.
3. Does the alias match a transform? Yes: apply the transform. No: continue.
4. Does the alias match a search rule? Yes: is the alias found? If found: place the call. If not found: try the next lower-priority rule until the end of the rules or the alias is found.
Cisco Expressway Family Overview: Regular Expressions (RegEx)
• A standard notation (POSIX), used in Unix and Linux editors
• Provide a concise and flexible means for matching and transforming strings
• Used simply, it is simple, but powerful
• One of the techniques available in Expressway for matching calls in zones
Key RegEx Metacharacters (for your reference)
.       Any single character
\d      Single digit ≡ [0-9]
*       0 or more repetitions of previous character or expression
+       1 or more repetitions of previous character or expression
?       0 or 1 repetitions of previous character or expression
{n}     n repetitions of previous character or expression
[abc]   A character from this set of characters
[1-4]   A character from this range of characters
[^def]  A character NOT including these characters
^       Start of line
$       End of line
\       Literalize, e.g. \* really is the * (asterisk character)
|       'or' – match (wxy|wyx)
( )     Group digits and store in store id \n
Examples of RegEx Manipulations (for your reference)
• Add domain to E164 number: (\d+) \[email protected] [email protected]
• Remove a domain: (.*)@.+ \[email protected] 6002
• Add a prefix ‘01189’ to a 6 digit number: (\d{6}) 01189\1 123456 01189123456
• Reverse the order of 3 digits and put a dot between each: (\d)(\d)(\d) \3\2\1
• Match either [email protected] or [email protected]: 123@company.(com|net)
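The manipulations above, applied with Python's re module as an added example (not Expressway's own implementation). Assumed: a transform fires only when its pattern matches the whole alias, so the patterns are anchored; ent-pa.com (the internal domain used later in the deck) stands in for the domain redacted in the slide; the dotted replacement \3.\2.\1 follows the slide's wording.

```python
import re

# Added example, not Cisco's code. Assumption: an Expressway transform is applied only
# when the pattern matches the whole alias, so every pattern below is anchored.
DOMAIN = "ent-pa.com"   # assumed internal domain (the slide's domain is redacted)

# (description, pattern, replacement), in the order a transform list might hold them.
# Order matters: "123456" is caught by the first rule before the prefix rule sees it.
TRANSFORMS = [
    ("add domain to E.164 number", r"^(\d+)$", rf"\1@{DOMAIN}"),
    ("remove a domain", r"^(.*)@.+$", r"\1"),
    ("add prefix 01189 to a 6 digit number", r"^(\d{6})$", r"01189\1"),
    ("reverse 3 digits with dots", r"^(\d)(\d)(\d)$", r"\3.\2.\1"),
]


def apply_transform(alias, pattern, replacement):
    """Return the rewritten alias if the pattern matches the whole alias, else the alias unchanged."""
    if re.fullmatch(pattern, alias) is None:
        return alias
    return re.sub(pattern, replacement, alias)


def first_matching_transform(alias, transforms=TRANSFORMS):
    """The 'does the alias match a transform?' step of the routing flow: apply the first
    transform whose pattern matches and report which one fired (None if none did)."""
    for name, pattern, replacement in transforms:
        if re.fullmatch(pattern, alias):
            return name, re.sub(pattern, replacement, alias)
    return None, alias


def matches_company(alias):
    """Last slide example: match either 123@company.com or 123@company.net."""
    return re.fullmatch(r"123@company\.(com|net)", alias) is not None
```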
Cisco Expressway Family Overview: Most used zones on UCM-centric architecture
[Diagram: zones on Expressway-C and Expressway-E]
Expressway-C: Neighbor Zone (UCM SIP trunk), Traversal Client Zone (B2B), UC Traversal Zone (MRA), DNS Zone, ENUM Zone, Default Zone
Expressway-E: Traversal Server Zone (B2B), UC Traversal Zone (MRA), DNS Zone (outbound calls via DNS query), Default Zone (inbound calls, alias or IP based), Neighbor Zone, ENUM Zone
The B2B traversal zone carries H.323 and SIP, encrypted and unencrypted; the UC traversal zone (MRA) carries SIP TLS and SRTP only
Legend on the slide: configured and used / not configured, but used / not configured, not used
SIP Proxy or SIP B2BUA?
• Proxy functionality is the native functionality of Expressway, always engaged
• B2BUA is a process internal to Expressway-C and Expressway-E, engaged when needed together with the Proxy
• A B2BUA fully terminates a call leg and establishes a new call leg. The two call legs are then bridged together and count as two different calls
• B2BUAs are of different kinds, but we will focus on two of them:
  • B2BUA for MRA and Business-to-Business (icon shown on the slide)
  • B2BUA for SIP to H.323 interworking (icon shown on the slide)
Proxy Example
[Diagram: two people greeting each other with "Good morning!" through translators]
• No need for translators if the language is the same

Expressway with Proxy
[Diagram: SIP with RTP in, SIP with RTP out, through the Expressway Proxy]
• Media flows through Expressway in most cases (UCM scenario with no other call control)
• Expressway is able to read the packet to route the call leg but doesn't "touch" it
B2BUA Example
[Diagram: "Good morning!" on one side, "Buongiorno!" on the other, with translators in between]
• Different languages require a translating service
• Available "translations": SRTP/RTP, H.323/SIP, IPv4/IPv6

Expressway with Proxy and B2BUA
[Diagram: RTP on one side of the B2BUA, SRTP on the other]
• B2BUA terminates a call leg and re-establishes another call leg with the destination in order to perform protocol conversion
• Communication takes place through the B2BUA in all cases
Proxy with B2BUA
[Diagram: Exp-C/E Proxy process and Exp-C/E B2BUA process; one side 1. SRTP 2. SIP 3. IPv4, the other side 1. RTP 2. H.323 3. IPv6]
• The diagram shows the working principle only
• Flows are different in case of H.323, IP interworking or encryption
• Diagram might be different based on calling scenario
• B2BUA can talk to calling or called directly (see the Minimizing UDP ports section)
Expressway Firewall Traversal Basics
[Diagram: Enterprise Network (Unified CM, Expressway-C) | Firewall | DMZ (Expressway-E) | Firewall | Internet / Outside Network; media and signaling paths]
1. Expressway-E is the traversal server installed in the DMZ. Expressway-C is the traversal client installed inside the enterprise network.
2. Expressway-C initiates traversal connections outbound through the firewall to specific ports on Expressway-E with secure login credentials.
3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E to maintain the connection.
4. When Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C.
5. Expressway-C then routes the call to Unified CM to reach the called user or endpoint.
6. The call is established and media traverses the firewall securely over an existing traversal connection.
Expressway Dual Network Deployment Model
• Recommended solution
• Expressway-E LAN1 interface is used for clustering purposes
• Expressway-E LAN1 interface can be translated by static NAT only on a standalone appliance (no clustering)
• Expressway-E LAN2 interface can be translated by static NAT
• Expressway-C interface can be translated by NAT

Expressway Firewall Traversal Basics: Routing on Expressway-E
[Diagram: DMZ Firewall | Expressway-E | Internet Firewall | Internet. Expressway-E LAN1 10.10.10.10 facing the DMZ firewall (10.10.10.1); LAN2 172.19.19.19 facing the Internet firewall (172.19.19.1), with public address 1.2.3.4]
B2B Dial Plan: Numbers and alphanumeric SIP URIs together on CUCM
• By default every line has a directory number
• By assigning one or more alphanumeric SIP URIs to a line, a user's line can be reached by dialing:
  <directory number>@domain
  <alphanumeric SIP URI>@domain
• Disabling DN based dialing and allowing alphanumeric SIP URI only increases security
• This is independent from the phone/video device model type and works for both audio and video
DNS SRV Records for B2B and MRA: SRV record format for SIP and H.323 (RFC 2782)
Example record: _sip._tcp.example.com 86400 IN SRV 10 60 5060 expe.example.com
Fields, left to right:
• _sip: name of the service
• _tcp.example.com: protocol (TCP, UDP...) and domain name
• 86400: DNS Time-To-Live, how much time the server caches the record before it flushes the cache
• IN: DNS class, always "IN"
• SRV: record type
• 10: priority. Lowest priority means "preferred"
• 60: weight, load-balances records with the same priority
• 5060: TCP or UDP port for the service
• expe.example.com: target, hostname or IP address of the host providing the service
Service Discovery
[Diagram: a caller dialing a user at example.com; three Expressway-E servers, bigbox, smallbox and backupbox]
_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5061 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5061 backupbox.example.com.
On dialing, the calling system queries _sips._tcp.example.com. Bigbox and smallbox share priority 10 and receive 60% and 40% of the calls according to their weights; backupbox, at priority 20, is less preferred.
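The service discovery above, worked through as an added example (not Cisco's code): a parser for the three SRV records from the slide and the RFC 2782 ordering a caller applies to them. The zone text is a constructed sample; no real DNS lookup is made.

```python
import random
import re

# Added example, not Cisco's code. Constructed zone fragment with the three records from
# the slide, plus a comment line the parser must skip.
ZONE = """\
; constructed sample: Expressway-E SRV records for example.com
_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5061 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5061 backupbox.example.com.
"""

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(zone_text):
    """Parse presentation-format SRV records into dicts; reject anything that is not one."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if m is None:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append({
            "name": m["name"].rstrip("."),
            "ttl": int(m["ttl"]),
            "priority": int(m["priority"]),
            "weight": int(m["weight"]),
            "port": int(m["port"]),
            "target": m["target"].rstrip("."),
        })
    return records


def order_targets(records, seed=None):
    """Order (target, port) pairs the way an RFC 2782 client tries them: lowest priority
    value first; within one priority, weighted random selection without replacement."""
    rng = random.Random(seed)
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec["priority"], []).append(rec)
    ordered = []
    for priority in sorted(by_priority):
        pool = list(by_priority[priority])
        while pool:
            total = sum(rec["weight"] for rec in pool)
            if total == 0:
                chosen = pool[0]             # all weights zero: any order is acceptable
            else:
                pick = rng.randrange(total)  # 0 .. total-1, so the chance is proportional to weight
                running = 0
                for rec in pool:
                    running += rec["weight"]
                    if pick < running:
                        chosen = rec
                        break
            pool.remove(chosen)
            ordered.append((chosen["target"], chosen["port"]))
    return ordered


def first_choice_share(records, trials=10000, seed=1):
    """Fraction of calls whose first attempt goes to each target. With the records above
    bigbox should come out near 0.6, smallbox near 0.4 and backupbox (priority 20) never."""
    counts = {}
    rng = random.Random(seed)
    for _ in range(trials):
        target = order_targets(records, seed=rng.random())[0][0]
        counts[target] = counts.get(target, 0) + 1
    return {target: n / trials for target, n in counts.items()}
```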
Cisco SRV Records for business-to-business: SRV record format for SIP and H.323
SIP B2B:
• _sips._tcp.domain, port 5061, TLS
• _sip._tcp.domain, port 5060, TCP
• _sip._udp.domain, port 5060, UDP
H.323 B2B:
• _h323ls._udp.domain, port 1719, RAS
• _h323cs._tcp.domain, port 1720, H.225
Business-to-business Architecture
• Encryption for Signaling
• Encryption for Media
• Encryption and lock icon

B2B Call Flow Single Edge
[Diagram: Company A (Expressway-C, Expressway-E) and Company B (VCS-E, VCS-C) across the Internet, with the DNS hierarchy in between]
1. Company A calls [email protected]
2. The SIP INVITE is forwarded to companyB.com using the IP address received via DNS
3. Company B sends SIP 200 OK
SIP to H.323 Interworking: VCS and Expressway
[Diagram: SIP endpoint, Expressway running the B2BUA and H.323 gatekeeper, H.323 endpoint 3002; SIP and H.323 signaling and media, BFCP on the SIP side and H.239 on the H.323 side]
Protocol selection algorithm
• H.323 and SIP enabled globally and at zone level
• H.323/SIP protocol selection: native protocol first, alternative protocol as backup
• Interworking has to be enabled
• SIP to H.323 interworking with media handling
[Diagram: SIP endpoint → Expressway-C (SIP to H.323 B2BUA for signaling and media, tries 1. SIP then 2. H.323) → VCS-C → H.323 endpoint]
SIP Signaling Interworking: SIP Transport Protocol Selection
• Neighbor zones and Traversal zones: interworks if the outgoing transport type is different from the incoming
• DNS zones: based on priority (TLS/TCP/UDP). DNS zone always tries TLS first
• In case of TLS/TCP protocol translation, the B2BUA is not engaged
[Diagram: UCM → ExpC → ExpE with the traversal zone set to TLS, and UCM → ExpC → ExpE with the traversal zone set to TCP; the ExpE DNS zone tries 1. SIP/TLS, 2. SIP/TCP, 3. SIP/UDP; the Expressway-E Default Zone accepts SIP UDP/TCP/TLS]
RTP to SRTP Media Interworking: Expressway-C with B2BUA
[Diagram: SIP TLS with SRTP on one side of the Expressway-C B2BUA, SIP TCP with RTP on the other; the same conversion shown in both directions]
Media Encryption
Applies to: Neighbor, DNS, Traversal, Default Zones (on both Expressway-C and Expressway-E)
• For SIP: Media encryption mode can be configured
• H.323 doesn't work with forced media encryption or force unencrypted
• Separate H.323 from SIP traversal zones if "force encrypted" is to be configured
• Auto: depends on the endpoints' request only
• Best Effort: will fall back to unencrypted if encryption is not available

Media Encryption and B2BUA Engagement
• With settings other than "Auto", Expressway will engage the B2BUA. As a consequence, media will always be interworked by Expressway
• "3-in-a-row rule" exception for Expressway-E: if the inbound zone and outbound zone are set to the same media encryption type and one of those zones is a Traversal Server zone, Expressway-E checks the value of the associated Traversal Client zone. If all these 3 zones are set to the same value, Expressway-E won't engage the B2BUA
[Diagram: ExpC and ExpE; traversal client zone set to settings other than "auto"]
B2B Call legs
• Based on the engagement of the B2BUA on both Expressway-C and Expressway-E
• When a B2BUA is engaged the call leg is "broken" into two pieces for both signaling and media
• Multiple engagements of the B2BUA are sometimes unnecessary and can be minimized through reconfiguration
• Based on B2BUA engagement, a single call might consist of 1 to 5 call legs
• Lock icon closed only if all call legs, with the exception of the last one from the remote Edge to the destination endpoint, are encrypted, for both signaling and media
Example 1: "Auto" setting
Expressway-C: CM Neighbor Zone: Auto, TLS | Traversal Client Zone: Auto, TLS
Expressway-E: Traversal Server Zone: Auto, TLS | Default Zone: Auto, not configurable | DNS Zone: Auto, not configurable
[Diagram: call legs from the inbound zone through the outbound zone over the Internet to the remote Edge: SRTP up to the remote Edge, RTP from the remote Edge to the endpoint]
• "Auto" setting doesn't engage the B2BUA
• 2 call legs
• No control of media status; endpoints decide encryption settings
• Lock icon reflects the status of the first leg only
Example 2: Different settings for media
Expressway-C: CM Neighbor Zone: Best Effort, TLS | Traversal Client Zone: Force encrypted, TLS
Expressway-E: Traversal Server Zone: Force encrypted, TLS | Default Zone: Auto, not configurable | DNS Zone: Best Effort, not configurable
[Diagram: call legs TLS/SRTP (inbound zone), TLS/SRTP (outbound zone), TCP/RTP (Internet to the remote Edge), RTP (remote Edge to endpoint)]
• Multiple call legs with different encryption status
• Lock icon shows closed only if all the call legs are encrypted, with the exception of the Remote Edge to endpoint call leg
Example 2: Different settings on Expressway-C and Expressway-E
Expressway-C: CM Neighbor Zone: Best Effort, TLS | Traversal Client Zone: Force encrypted, TLS
Expressway-E: Traversal Server Zone: Force encrypted, TLS | Default Zone: Auto, not configurable | DNS Zone: Best Effort, not configurable
[Diagram: call legs TLS/SRTP (inbound zone), TLS/SRTP (outbound zone), TLS/SRTP (Internet to the remote Edge), RTP (remote Edge to endpoint)]
• 4 call legs
• Unnecessary engagement of the B2BUA on Expressway-E
• Lock icon closed because the first 3 call legs are encrypted
Example 3: Optimization of previous example
Expressway-C: CM Neighbor Zone: Best Effort, TLS | Traversal Client Zone: Best Effort, TLS
Expressway-E: Traversal Server Zone: Best Effort, TLS | Default Zone: Best Effort, not configurable | DNS Zone: Best Effort, not configurable
[Diagram: call legs TLS/SRTP (inbound zone), TLS/SRTP (outbound zone through the Internet to the remote Edge), RTP (remote Edge to endpoint)]
• Traversal zone set to "Best Effort": 3 call legs thanks to the "3-in-a-row" rule optimization. Minimizes firewall port usage!
• Lock icon shows closed because the first 2 call legs are encrypted
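A simplified model of the engagement and lock-icon rules stated on the Media Encryption, B2B Call legs and Example 1 to 3 slides, added here as an example and not Cisco's code. The zone representation, the outbound-call direction (traversal server zone inbound on Expressway-E, DNS zone outbound) and the leg-count rule (2 legs with no B2BUA, plus one per engaged B2BUA) are assumptions of the model; the class and function names are invented for it.

```python
from dataclasses import dataclass

# Added example, not Cisco's code: a model of the rules on the slides. Leg counting
# (2 legs plus one per engaged B2BUA) is an assumption that reproduces Examples 1-3.
AUTO = "auto"
BEST_EFFORT = "best effort"
FORCE_ENCRYPTED = "force encrypted"


@dataclass(frozen=True)
class ExpresswayC:
    neighbor_zone: str      # media encryption mode of the Unified CM neighbor zone
    traversal_client: str   # media encryption mode of the traversal client zone


@dataclass(frozen=True)
class ExpresswayE:
    traversal_server: str   # media encryption mode of the traversal server zone
    dns_zone: str           # media encryption mode of the DNS zone (outbound leg)


def expc_engages_b2bua(c):
    """Any setting other than "auto" on either Expressway-C zone engages the B2BUA."""
    return c.neighbor_zone != AUTO or c.traversal_client != AUTO


def expe_engages_b2bua(c, e):
    """Outbound call on Expressway-E: inbound zone is the traversal server zone, outbound
    zone is the DNS zone. "3-in-a-row": the same value on both, and on the associated
    traversal client zone of Expressway-C, means no B2BUA on Expressway-E."""
    inbound, outbound = e.traversal_server, e.dns_zone
    if inbound == AUTO and outbound == AUTO:
        return False
    if inbound == outbound and c.traversal_client == inbound:
        return False
    return True


def call_legs(c, e):
    """Number of call legs for the outbound B2B call under this model."""
    return 2 + int(expc_engages_b2bua(c)) + int(expe_engages_b2bua(c, e))


def lock_closed(leg_encrypted):
    """leg_encrypted: one bool per leg, caller side first. The last leg (remote Edge to the
    destination endpoint) is outside our control and is excluded from the check; with
    two legs this reduces to "the first leg only", as Example 1 states."""
    return all(leg_encrypted[:-1])


# The three configurations from the slides
EXAMPLE1 = (ExpresswayC(AUTO, AUTO), ExpresswayE(AUTO, AUTO))
EXAMPLE2 = (ExpresswayC(BEST_EFFORT, FORCE_ENCRYPTED), ExpresswayE(FORCE_ENCRYPTED, BEST_EFFORT))
EXAMPLE3 = (ExpresswayC(BEST_EFFORT, BEST_EFFORT), ExpresswayE(BEST_EFFORT, BEST_EFFORT))


def summarize(c, e, leg_encrypted):
    """Engagement, leg count and lock status for one configuration and one observed
    per-leg encryption outcome (the remote side decides the last legs)."""
    return {
        "b2bua_expc": expc_engages_b2bua(c),
        "b2bua_expe": expe_engages_b2bua(c, e),
        "legs": call_legs(c, e),
        "lock_closed": lock_closed(leg_encrypted),
    }
```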
Dial Plan: Inbound and outbound calls
[Diagram: UCM – Expressway-C – Expressway-E]
• -E to -C and -C to UCM for all calls matching the internal domain (ent-pa.com)
• UCM routes outbound any URI different from a Directory URI and not included in the ILS table
• Expressway-C and -E route outbound any URI not matching the internal domain

IP Address Dialing: Outbound Calls (Cisco Unified CM IP dialing)
• Cisco Unified CM doesn't support native IP address dialing
• Workaround: instruct the users to append a suffix such as 10.10.10.10@ip. This will match the SIP Route Pattern "ip"
• Other workaround: instruct the user to use "*" instead of "." such as 10*10*10*10. This will match one of the following Route Patterns to the Expressway:
  • X*!
  • XX*!
  • XXX*!
Multipoint and Cloud Integration
• Inbound calls for CMR Premises
• CMR Hybrid Integration
• CMR Cloud Integration

CMR Premises: Example dial plan for CMR Premises
• On-premise multipoint calls hosted on TS/Conductor
• Range for scheduled calls: 80991XXX
• Ranges for permanent or personal CMR: 80044XXX, 80051XXX, 80065XXX
• Alphanumeric aliases for personal CMR ([email protected])
• Reachable from the Internet by dialing <alias>@domain
CMR Premises: Multipoint call flow
[Diagram: external participant → Expressway-E → Expressway-C → Cisco Unified CM → Conductor → vTS, with TMS and Cisco Unified Presence Server inside; signaling and media paths]

CMR Premises: IP-based inbound dialing
[Diagram: same components plus Unity Connection or UCCX]
1. The external participant dials A.B.C.D
2. The fallback alias is set to the voice mail pilot
3. "Please dial the extension"
4. The user enters the PIN for the multipoint meeting
CMR Hybrid with VoIP audio connection
[Diagram: CUCM endpoint → CUCM → Expressway-C → Expressway-E → Internet → WebEx; Conductor and Telepresence Server on premises; TMS with an HTTPS outbound connection to WebEx; external participant on WebEx]
For meeting1:
• Users dial [email protected]
• TS dials out abcd@company-a.webex.com
CMR Hybrid Requirements
• CMR Hybrid requires an encrypted connection from Expressway-C or Expressway-E
• The trusted CA list is published in the Cisco Collaboration Meeting Rooms (CMR) Hybrid Deployment Guide
• It is recommended to turn on encryption on Expressway-C (set the traversal client zone to "best effort" or "force encrypted")
• Expressway-E zones can all be set to "auto" or to the same settings as the traversal client (to avoid unnecessary engagement of the B2BUA)
• The Expressway-E certificate has to be signed by a public CA in the Webex trust list

CMR Hybrid Dial Plan
• Same dial plan as on-premise CMR
• TS will be instructed from the Cloud via TMS-Conductor to dial a string followed by the corporate webex site: <alphanumeric string>@company-a.webex.com
• Expressway-C and Expressway-E will route any URI matching domain company-a.webex.com to the Webex cloud
CMR Cloud Requirements
• Encrypted or unencrypted calls
• If encrypted, Expressway-E needs a certificate signed by a Certification Authority in the Webex trusted CA list. "TLS verify" name is also recommended
• The trusted CA list is published in the Cisco WebEx Meeting Center with Collaboration Meeting Rooms Deployment Guide
• If H.323 has to be enabled, set the Expressway-C traversal client zone to "best effort"
• Expressway-E zones can all be set to "best effort" or all set to "auto" to avoid engagement of the B2BUA in Expressway-E and encrypt all traffic in the DMZ

Simplified Dialing Habit for scheduled meetings
• WebEx dial plan: [email protected]
• User dials: 7-123456789
• Route Pattern on UCM 7XXXXXXXXX to Expressway-C
• Expressway-C strips the prefix (7) and adds the domain, leading to: [email protected]
• It's possible to use * as prefix
• In case the dial plan doesn't allow for an easy prefix, it's possible to use a domain: 123456789@cloud
  • This will be matched against a SIP Route Pattern and sent to the Expressway-C
  • Expressway-C will add the correct domain and send the call to the Webex cloud

Simplified Dialing Habit for Personal CMR
• If Directory URI is not enabled, i.e. lpellegr is not defined as a Directory URI, the UCM user can just dial lpellegr.
• The endpoint will add the OTLD (e.g. customer-a.webex.com) and match the SIP Route Pattern customer-a.com to Expressway-C
• Expressway-C will replace customer-a.com with customer-a.webex.com and send the call to the Cloud
• If Directory URI is configured, the user can dial lpellegr@cloud. Expressway will normalize it and send it to the WebEx cloud.
Expressway Policy Protection
• Filtering ACLs
• Search Rules and CPL Rules
• Cisco Unified CM Inbound Calling Search Space
• Minimizing or reducing UDP ports opened in the Internet firewall

How Expressway-E is often configured
• Allows inbound calls to local domain
• Allows outbound calls to non-local domains
What might happen 1. Fraudulent use of PSTN GW
[Diagram: Internet → Expressway-E → Expressway-C → CUCM → Video GW or Voice GW → PSTN. Dial: [email protected]]
• Inbound CSS not specifically configured for Expressway-C
• Expressway and UCM don't block gateway access from the Internet

What might happen 2. Calls to Unity Connection
[Diagram: Internet → Expressway-E → Expressway-C → CUCM → Unity Connection, VM Pilot: +14085554999. Dial: [email protected]]
• Inbound CSS not specifically configured for Expressway-C
• Expressway and UCM don't block direct calls to Unity Connection

What might happen 3. Calls to Conductor/TS
[Diagram: Internet → Expressway-E → Expressway-C → CUCM → Conductor → Telepresence Server. Instant meetings: meet.* and 8123\d{3}. Dial: [email protected]]
• Inbound CSS not specifically configured for Expressway-C
• Expressway and UCM don't block instant calls to Conductor

What might happen 4. Calls to external destinations over the Internet
[Diagram: Internet → Expressway-E → Expressway-C → CUCM, and back out to the Internet. Dial: [email protected]]
• Inbound CSS not specifically configured for Expressway-C
• Expressway by default does not block a call coming from the Default Zone to the DNS Zone
• An external user can leverage the security credentials of Expressway
1. How to find Expressway systems over the Internet
Scan an IP range on ports 5060/5061. IP range not shown!
Get the results (not shown!)
[Screenshot: {IP range} and {IP Addr/port No} redacted]

Scan effect on Expressway
[Screenshot: Expressway-E search rules]
• Note: 100@ means 100@<Expressway-E IP address>. IP addresses have been removed

In case of many search rules...
One call from the Internet might trigger many searches until the last rule is analyzed
[Screenshot: {Expressway-E IP Address} and {IP Addr/port No} redacted]

2. Search for available services: Search for escape and services code
• Access code to PSTN (0, 9) and to internal numbering plan (80...)
• Time interval is large enough to bypass DoS prevention
Policy in Layers: Filtering inbound unauthenticated video federation traffic
• Filter access to Expressway allowing only required TCP & UDP ports
• Call Policy Rules on Expressway protect against scanners and toll fraud
• SIP Trunk CSS provides fine grain access control to gateways/resources
[Diagram: unauthenticated B2B traffic (SIP UDP, SIP TCP, H.323 TCP) from the Internet → External Firewall (Filtering ACLs) → Expressway-E (CPL Rules, Search Rules) → DMZ Firewall → Expressway-C (Search Rules) → Unified CM (SIP Trunk Inbound CSS) → Enterprise Resources]
Components of Expressway Media Traversal
[Diagram: Expressway-E and Expressway-C across the DMZ firewall, each with Proxy and B2BUA components; Assent between them]
• Proxy: default component used for media traversal
• B2BUA: component used when a media encryption policy other than "auto" is applied
• Assent protocol is used for multiplexed media on Traversal server zones
Traversal Media Port Range
[Diagram: Proxy and B2BUA on Expressway-E and Expressway-C, Assent between them across the DMZ firewall]
• Admin configures the port range on the Configuration > Traversal Subzone menu on both Expressway C & E, defaults to 36000 – 59999
• Allocated media port range is divided and shared: 1st half goes to Proxy, 2nd half goes to B2BUA
Assent Traversal Media Ports: Assent Demultiplexing Ports
[Diagram: Proxy and B2BUA on Expressway-E and Expressway-C, Assent between them across the DMZ firewall]
• Admin configures the port range on the Configuration > Traversal > Ports menu on Expressway E only
• Defaults to UDP 2776-2777
• Large VMs, CE1100, CE1000 require 12 demux ports, automatically allocated from the beginning of the traversal media port range, typically UDP 36000 – 36011
B2B Media Paths
• The UDP port details, Expressway components and encryption attributes are best understood in the following categories:
  • Internal – media path between Expressway-C and on-prem resources
  • Traversal zone – media path between Expressway-C and Expressway-E
  • External – media path between Expressway-E and destination
[Diagram: Expressway-C and Expressway-E; Internal | Traversal Zone (Assent) | External]
Filtering ACLs for B2B calls
Based on medium/small OVA with non-specific configured multiplexed ports

Traffic | Source IP | Source port | Transport protocol | Dest. IP | Dest. port
H.323 calls using Assent (NATted endpoints):
  Q.931/H.225 and H.245 | Any | >=1024 | TCP | ExpE LAN2 | 2776
  RTP Assent            | Any | >=1024 | UDP | ExpE LAN2 | 36000*
  R TCP Assent           | Any | >=1024 | UDP | ExpE LAN2 | 36001*
H.323 endpoints with public IP addresses or remote Edge systems:
  Q.931/H.225 | Any | >=1024 | TCP | ExpE LAN2 | 1720
  H.245       | Any | >=1024 | TCP | ExpE LAN2 | 15000 to 19999
  RTP & RTCP  | Any | >=1024 | UDP | ExpE LAN2 | 36002 to 59999*
SIP endpoints or remote Edge systems:
  SIP TCP    | Any | >=1024 | TCP | ExpE LAN2 | 5060
  SIP UDP    | Any | >=1024 | UDP | ExpE LAN2 | 5060
  SIP TLS    | Any | >=1024 | TCP | ExpE LAN2 | 5061
  RTP & RTCP | Any | >=1024 | UDP | ExpE LAN2 | 36002 to 59999*

* On large systems, the default allocation for multiplexed media is 36000 to 36011. On small/medium systems, two configurable ports are allocated for multimedia traffic. Defaults are 2776 and 2777 and might be changed, but if the admin chooses not to configure those ports, Expressway will listen on 36000 and 36001.
Other Recommendations
• No need to open other ports like TCP 80, 443 and 22
• If MRA is deployed together with B2B, open ports TCP 5222 (XMPP) and TCP 8443 (HTTPS for UDS proxy services). More details in the Mobile and Remote Access Deployment Guide
• It's a good rule to manage Expressway-E with the LAN1 interface: management on LAN2 can be disabled using FW rules on the Expressway interfaces
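An audit of a proposed Internet-firewall rule set against the Filtering ACLs table and the recommendations above, added as an example and not Cisco's code. The "permit <tcp|udp> <port>[-<port>]" rule syntax, SAMPLE_RULES and the per-range descriptions are constructed; the required ports are those the table lists for Expressway-E LAN2 (small/medium OVA, demux ports not configured) plus the MRA additions.

```python
# Added example, not Cisco's code. Rule syntax "permit <proto> <port>[-<port>]" is a
# constructed simplification, not a vendor format. Destination is implicitly ExpE LAN2.

REQUIRED_B2B = {
    ("tcp", 2776, 2776):   "Q.931/H.225 and H.245 via Assent",
    ("udp", 36000, 36001): "RTP/RTCP via Assent",
    ("tcp", 1720, 1720):   "Q.931/H.225",
    ("tcp", 15000, 19999): "H.245",
    ("udp", 36002, 59999): "RTP & RTCP",
    ("tcp", 5060, 5060):   "SIP TCP",
    ("udp", 5060, 5060):   "SIP UDP",
    ("tcp", 5061, 5061):   "SIP TLS",
}
REQUIRED_MRA = {
    ("tcp", 5222, 5222): "XMPP",
    ("tcp", 8443, 8443): "HTTPS for UDS proxy services",
}


def parse_rules(text):
    """Parse 'permit tcp 5061' / 'permit udp 36002-59999' lines into (proto, lo, hi)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        action, proto, ports = line.split()
        if action != "permit" or proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported rule: {line!r}")
        lo, _, hi = ports.partition("-")
        rules.append((proto, int(lo), int(hi or lo)))
    return rules


def required_ranges(mra=False):
    ranges = dict(REQUIRED_B2B)
    if mra:
        ranges.update(REQUIRED_MRA)
    return ranges


def covered(rules, proto, lo, hi):
    """True if every port in lo..hi is permitted by some rule for that protocol."""
    return all(
        any(p == proto and rlo <= port <= rhi for p, rlo, rhi in rules)
        for port in range(lo, hi + 1)
    )


def unexpected_ports(rules, ranges):
    """Ports a rule permits that no required range covers (e.g. TCP 80/443/22, which
    the slide says there is no need to open)."""
    extra = []
    for proto, lo, hi in rules:
        for port in range(lo, hi + 1):
            if not any(p == proto and rlo <= port <= rhi for p, rlo, rhi in ranges):
                extra.append((proto, port))
    return extra


def audit(rule_text, mra=False):
    """Report required ranges the rule set misses and ports it opens without need."""
    rules = parse_rules(rule_text)
    ranges = required_ranges(mra)
    missing = [desc for (proto, lo, hi), desc in ranges.items() if not covered(rules, proto, lo, hi)]
    return {"missing": missing, "unexpected": unexpected_ports(rules, ranges)}


# Constructed rule set: opens SIP, H.323 and media, forgets SIP UDP and H.245, and opens
# TCP 443 on LAN2 (management belongs on LAN1 per the recommendations above).
SAMPLE_RULES = """\
permit tcp 5060
permit tcp 5061
permit tcp 1720
permit tcp 2776
permit udp 36000-59999
permit tcp 443        # management on LAN2: should not be opened
"""
```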
Expressway policy considerations
Allow-based policy:
• Allow calls matching the internal dial plan for users and rooms
• Allow multiparty meetings
• Deny all other inbound calls (includes access code to PSTN, Unity calls, etc.)
Deny-based policy:
• Deny calls to PSTN
• Deny calls to Unity
• Deny calls to instant meetings on Conductor
• Allow everything else matching the internal domain
• Deny all other inbound calls
Zone Authentication policy
• Non-authenticated traffic matching CPL rules can be rejected
• Authenticated traffic from Expressway-C is always allowed
[Diagram: Expressway-C → traversal zone → Expressway-E: authenticated; Internet → Expressway-E: non-authenticated]
Do not check credentials: All messages are classified as unauthenticated. Any existing P-Asserted-Identity headers are removed.
Treat as authenticated: All messages are classified as authenticated. Messages with a P-Asserted-Identity header are passed on unchanged. Messages without a P-Asserted-Identity header have one inserted.

CPL and authentication policy
• This rule rejects only the traffic coming from the Internet (Default Zone)
• All outbound calls will be allowed
• Note: search rules don't have an option to reject calls
[Diagram: Expressway-C → Expressway-E authenticated; Internet → Expressway-E non-authenticated]
Expressway Routing
Flowchart: Expressway receives an alias. Does the calling or called alias match a CPL rule? If yes, the rule decides Allow/Reject: if "reject", the call is Forbidden; if "allow", routing continues. Does the alias match a transform? If yes, the transform is applied. Does the alias match a search rule? If yes, is the alias found? If yes, the call is placed; if not, the next lower-priority rule is tried until the end of the rules or the alias is found.
• Transforms are usually not needed on a UCM installation.
• CPL can block the routing process soon after it has started
97
CPL Rule example
• A simple rule matches the domain portion only: .*@ent-pa\.com
• Calls from external to external destinations are forbidden
• A simple policy rule protects against scanners sending traffic to @ipAddress
• Calls to Unity, PSTN gateways and Conductor instant meetings are still allowed
• It is better to further restrict access
Search rules
98
Allow-based policy Example (1)
• P2P calls to SIP URIs only
• What does an allowed SIP URI look like? Some of the most common options:
• 1. userid is 8 characters long
• 2. userid = name.surname
• 3. userid = first letter of name + surname
• Numeric calls to conferences only
Internal allowed calls
99
Allow-based policy Example (2)
• 8-character userID
• From 2 to 8 characters
• Contains letters only and optionally a single digit at the end
• Regex: ^[a-z]{2,7}\w@ent-pa\.com.*$
Creating closest regex to match the internal dialplan
[email protected] 3 characters with an ending digit - OK
[email protected] 8 characters - OK
[email protected] 7 characters with an ending digit - OK
[email protected] First 7 characters can't be digits
LPellegr3@ent-pa.com More than 8 characters - NO
[email protected] 1 character and 1 digit - NO
L*[email protected] Contains a special character - NO
[email protected] Contains a dot - NO
[email protected] Contains two digits - NO
[email protected] Contains a digit in the middle - NO
[email protected] First characters can't be digits
100
Allow-based policy Example (3)
• name.surname
• Name contains characters only, surname can contain an ending digit, no special characters
• Regex: [a-z]*\.[a-z]*(\d)?@ent-pa\.com
• First letter of name+surname
• Most generic of the 3; a max length could be added to further restrict access (e.g. 20 characters)
• Regex: [a-z]{1,20}(\d)?@ent-pa\.com
Creating closest regex to match the internal dialplan
OK
[email protected] Doesn’t contain the dot - NO
[email protected] First 7 characters can’t be digits
OK
luca.pellegrini Contains a dot - NO
[email protected] First 7 characters can’t be digits
For Your Reference
101
Allow-based policy Example (4)
• Allow calls to Directory URI and Personal CMR ([email protected] and [email protected])
Regex: ^[a-z]{2,7}\w(\.cmr)?@ent-pa\.com.*$
• Allow calls to scheduled conferences (80991XXX)
Regex: 80991\d{3}@ent-pa\.com
• Allow calls to personal CMR (80044XXX, 80051XXX, 80065XXX)
Regex: 80044\d{3}@ent-pa\.com
80051\d{3}@ent-pa\.com
80065\d{3}@ent-pa\.com
• Reject anything else
Final dialplan
102
CPL Rules Example
Policy allows only legitimate traffic and rejects all other traffic, including:
• Calls to PSTN (PSTN escape codes not included in regex)
• Direct calls to Unity Connection (voicemail pilot not included in regex)
• TelePresence Server instant meetings (not included in regex)
• External-to-external calls (a call entering the Expressway has to match the internal domain or it won't be routed)
103
Deny-based Policy (1)
Numeric Range for multipoint: 8000XXXX
Numeric Range for endpoints: 84969XXX, 83905XXX, 81974XXX, 81911XXX, 81975XXX, 84411XXX
Other services 85XXXXXX to 89XXXXXX
Rules:
- Block numeric range for endpoints
- Block prefixes for gateway access
- Block access to +E.164 numbers (includes Unity voicemail pilot)
- Allow URIs where the host portion matches the internal domain
Example based on Preferred Architecture dial plan
104
Deny-based Policy (2)
Source           Destination                 Action
Unauthenticated  8[1-9]\d{6}@ent-pa\.com     Deny
Unauthenticated  [09]\d*@ent-pa.com          Deny
Unauthenticated  \+\d*@ent-pa.com            Deny
Unauthenticated  .*@ent-pa.com               Allow
Unauthenticated  .*                          Deny
Example
105
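The allow-based policy of slide 101 and the deny-based policy of slide 104, evaluated the way Expressway processes CPL rules (top-down, first match wins, authenticated traffic from Expressway-C never subject to the rules). This is an added Python example, not Cisco code; it assumes each pattern must match the whole alias and escapes the dots in the deny-based domain patterns.

```python
import re

# Constructed example: each rule is (source, destination regex, action),
# evaluated top-down with the first match winning. Regexes come from the
# slides; the dot in the domain is escaped (\.) in every pattern.

# Allow-based policy (slide 101): explicit allow list, then reject the rest.
ALLOW_BASED = [
    ("Unauthenticated", r"^[a-z]{2,7}\w(\.cmr)?@ent-pa\.com.*$", "Allow"),
    ("Unauthenticated", r"80991\d{3}@ent-pa\.com", "Allow"),
    ("Unauthenticated", r"80044\d{3}@ent-pa\.com", "Allow"),
    ("Unauthenticated", r"80051\d{3}@ent-pa\.com", "Allow"),
    ("Unauthenticated", r"80065\d{3}@ent-pa\.com", "Allow"),
    ("Unauthenticated", r".*", "Deny"),
]

# Deny-based policy (slide 104): block the sensitive numeric ranges first,
# then allow anything on the internal domain, then deny everything else.
DENY_BASED = [
    ("Unauthenticated", r"8[1-9]\d{6}@ent-pa\.com", "Deny"),
    ("Unauthenticated", r"[09]\d*@ent-pa\.com", "Deny"),
    ("Unauthenticated", r"\+\d*@ent-pa\.com", "Deny"),
    ("Unauthenticated", r".*@ent-pa\.com", "Allow"),
    ("Unauthenticated", r".*", "Deny"),
]


def evaluate(rules, source, destination):
    """Return "Allow" or "Deny" for one call. Authenticated traffic (from
    Expressway-C over the traversal zone) bypasses the table; for
    unauthenticated traffic the first matching rule decides. Assumption:
    the pattern has to match the whole alias (re.fullmatch)."""
    if source != "Unauthenticated":
        return "Allow"
    for rule_source, pattern, action in rules:
        if rule_source == source and re.fullmatch(pattern, destination):
            return action
    return "Allow"  # no rule matched: CPL does not block the call


if __name__ == "__main__":
    for alias in ("lpellegr@ent-pa.com", "80001234@ent-pa.com",
                  "912345@ent-pa.com", "bob@example.com"):
        print(alias, evaluate(ALLOW_BASED, "Unauthenticated", alias),
              evaluate(DENY_BASED, "Unauthenticated", alias))
```

Note how the two policies differ on the multipoint range 8000XXXX: the deny-based table lets it through (it is not in any deny rule), while the allow-based table only admits the listed conference prefixes.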
UCM Calling Search Space
• UCM has the whole dialplan and controls access to all resources
• Inbound trunk CSS will have access to Directory URI, Scheduled meetings, personal CMR and permanent conferences partitions
• UCM has a more granular approach, not based on numeric ranges
Block access at UCM level
Diagram: trunk from Expressway-C to UCM. Partitions shown: Directory URI, Scheduled meeting and Personal CMR (reachable from the Inbound CSS), plus DN, PSTN access, Voicemail and Internet B2B partitions.
107
What’s the result?
Routing stops immediately, since CPL rules are checked first
… but it doesn’t make you invisible!
108
• B2B deployments include predictable UDP media traffic paths
• The Traversal Media Port Range is set in the Configuration > Traversal Subzone menu on both Expressway-C and Expressway-E; it defaults to 36000 – 59999
• The B2BUA may be engaged on Expressway-C and/or Expressway-E in order to interwork encrypted and unencrypted calls
• The proxy component is always used on both Expressway-C and Expressway-E
• This media port range is divided and shared
• 1st half goes to the Proxy
• 2nd half goes to the B2BUA
• The following example uses a port range of 50000 to 59999:
• 50000 to 54999 goes to the Proxy
• 55000 to 59999 goes to the B2BUA
Business-to-business Access Media Traversal
110
• When only the Proxy is engaged on Expressway-E (all zones set to "auto"), the number of ports is halved compared to the situation where both the B2BUA and the Proxy are engaged
• Enabling encryption on Expressway-C instead of Expressway-E reduces the number of ports opened on the external firewall
• With B2BUA: 24 ports engaged per call
• Without B2BUA: 12 ports engaged per call
B2BUA Impact on Firewall Ports
111
Example 1
• E.g. Default zone set to "best effort" and traversal zone set to "force encrypted": this always engages the B2BUA on Expressway-E
• 50 concurrent B2B calls
• Total 1200 (50x24) ports opened on external fw
• Range configured on Expressway: 2400 ports, from 50000 to 52399.
• First half goes to Proxy: 50000 to 51199
• Second half goes to B2BUA: 51200 to 52399
• Ports to be opened on external fw: 51200 to 52399
B2BUA engaged on Expressway-E
112
Example 2
• Expressway-E configured with "best effort" in all zones, with the Expressway-C traversal client zone also set to "best effort". The B2BUA won't be engaged on Expressway-E
• 50 concurrent B2B calls
• Total 600 ports opened on external fw (proxy requires 12 ports per call)
• Range configured on Expressway: 1200 ports, from 50000 to 51199.
• First half goes to Proxy: 50000 to 50599
• Second half goes to B2BUA: 50600 to 51199
• Ports to be opened on external fw: 50000 to 50599
B2BUA engaged on Expressway-C only
113
Media Latching
• When media latching is performed by Expressway-E, 36 ports are required from the Proxy range.
• If the number of NATted endpoints dialing directly into Expressway-E is large, it is worth factoring this number in.
114
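Examples 1 and 2 and the media latching note, worked through as an added Python example (not Cisco code): it splits the configured traversal media port range into the Proxy and B2BUA halves, computes the ports the external firewall must open and checks whether the range is large enough. Per-call constants are the slides' own; the assumption that the Proxy half still supplies one port per stream when the B2BUA is engaged is taken from the audio example later in the deck.

```python
# Constructed example: traversal media port arithmetic for Expressway-E.
PORTS_PER_CALL_B2BUA = 24        # B2BUA engaged on Expressway-E (slide 111)
PORTS_PER_CALL_PROXY = 12        # proxy only (slide 111)
PORTS_PER_LATCHED_ENDPOINT = 36  # media latching, taken from the Proxy half


def split_range(first, last):
    """Divide the configured range in two: first half for the Proxy,
    second half for the B2BUA. Returns two inclusive (start, end) tuples."""
    size = last - first + 1
    half = size // 2
    return (first, first + half - 1), (first + half, last)


def plan_media_ports(calls, b2bua_on_exp_e, first=36000, last=59999,
                     latched_endpoints=0):
    """Return which half the external firewall must open, how many ports
    the calls consume there, and whether both halves are big enough."""
    proxy_range, b2bua_range = split_range(first, last)
    proxy_size = proxy_range[1] - proxy_range[0] + 1
    b2bua_size = b2bua_range[1] - b2bua_range[0] + 1

    # Assumption: the Proxy half supplies one port per stream for every
    # call, plus 36 ports per NATted endpoint that is media-latched.
    proxy_needed = (calls * PORTS_PER_CALL_PROXY
                    + latched_endpoints * PORTS_PER_LATCHED_ENDPOINT)
    b2bua_needed = calls * PORTS_PER_CALL_B2BUA if b2bua_on_exp_e else 0

    # Only the half facing the Internet is opened on the external firewall.
    if b2bua_on_exp_e:
        external_range, external_ports = b2bua_range, b2bua_needed
    else:
        external_range, external_ports = proxy_range, proxy_needed

    return {
        "proxy_range": proxy_range,
        "b2bua_range": b2bua_range,
        "external_fw_range": external_range,
        "external_fw_ports": external_ports,
        "fits": proxy_needed <= proxy_size and b2bua_needed <= b2bua_size,
    }


if __name__ == "__main__":
    print("Example 1:", plan_media_ports(50, True, 50000, 52399))
    print("Example 2:", plan_media_ports(50, False, 50000, 51199))
```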
Expressway-E Signaling with B2BUA: audio portion of the call example
Diagram (For Your Reference): Expressway-E runs a Proxy process and a B2BUA process, both on LAN1 10.52.254.55 and LAN2 173.38.168.145. Signaling legs towards Expressway-C and the remote Expressway-E use ports 5061, 5071, 7002, 25020, 25021 and 25060; the 200 OK carries c=173.39.92.68/40882, and the ACK carries 55104 (B2BUA port), 55114 and 50062.
115
Expressway-E Media with B2BUA: audio portion of the call
Diagram (For Your Reference): Expressway-E Proxy process and B2BUA process (LAN1 10.52.254.55, LAN2 173.38.168.145). Media ports shown towards Expressway-C and the remote Expressway-E: 2776, 48084, 40882, 50062, 55104, 55114.
116
Media Ports Calculation
• Audio takes 2 ports on the B2BUA (55104, 55114) and 2 ports on the Proxy (2776, 50062)
• If the B2BUA is always engaged, two ports per media type are needed (55104 and 55114 in this case)
• The other streams are: video, duo video, BFCP, FECC, iX
• For each of these, an RTCP port is also engaged.
• Total: 24 ports per call
• If the B2BUA is not engaged on Expressway-E, 12 UDP ports per call are required (per stream, one from the Proxy range and the other, e.g. 2776, towards Expressway-C)
Diagram (For Your Reference): B2BUA and Proxy processes on Expressway-E (LAN1 10.52.254.55, LAN2 173.38.168.145); ports towards Expressway-C and the remote Expressway-E: 48084, 2776, 50062, 55114, 55104, 40882.
117
Expressway-E Media Latching: audio portion of the call example
Diagram: Expressway-E Proxy and B2BUA (LAN1 10.52.254.55, LAN2 173.38.168.145); ports shown towards Expressway-C and the remote endpoint: 2776, 55452, 50224, 55440, 50236, 50246, 16369.
• Proxy ports only exposed
• 3 ports per media type
• 36 ports per call (12x3)
For Your Reference
118
Conclusion
• Enable the B2BUA on Expressway-C and try to avoid it on Expressway-E in order to reduce the ports open on the external FW
• Open only the ports that are needed
• If MRA is used, the B2BUA will be engaged on Expressway-C; 12 ports per MRA call are also needed
119
Multiple Expressway Clusters
• Outbound calls can be sent to the nearest Expressway-C cluster based on CSS and Partitions on UCM
• Inbound calls
• Geo DNS setup
• Directory Expressway setup
121
B2B Inbound Calls
Geo DNS: minimizing the distance between the calling device and the edge
Diagram: Company B US Site reaches Company A over the Internet; Company A has a US Site and an EMEA Site connected by WAN, each with a CUCM cluster.
122
Geo DNS characteristics
• Geo DNS is a service delivered by many Internet organizations; it forwards the inbound call (or registration) request to the edge nearest to the calling device
• Geo DNS services applied to SRV records are the preferred way
• Some DNS providers implement Geo DNS services on specific record types only, such as CNAME or A records
• Disaster recovery between different sites can be achieved only if the Geo DNS supports SRV records
Geo DNS for MRA and B2B
123
Directory Expressway: minimizing the distance between the called endpoint and the edge
Diagram: Company B US Site reaches Company A through a Directory Expressway on the Internet; Company A has a US Site and an EMEA Site connected by WAN, each with a CUCM cluster.
124
Example with multiple Cisco Unified CM Clusters
Diagram: Corporate Network and Internet. Expressway-E1/Expressway-C1 in front of UCM1, Expressway-E2/Expressway-C2 in front of UCM2, plus a Directory Expressway-E; the call steps are numbered 1 to 4 in the figure. On both UCM clusters, the inbound CSS of the trunks doesn't include the partition for the SIP Route Pattern matching the route string.
125
Geo-DNS and Alternative Approach Comparison Chart
                                     Geo-DNS                  Alternative Approach
Intra-site redundancy (clustering)   Yes                      Yes
Inter-site redundancy                Depends on Geo DNS (1)   No
WAN bandwidth optimization for B2B   No                       Yes
Higher video quality                 Yes (most use of WAN)    No
(1) Check if it's possible to apply Geo DNS services to SRV records
126
Summary
• B2B architectures for single edge Expressway-C and Expressway-E with dual network Expressway-E
• Cloud integration
• How to protect the dialplan
• How to minimize ports opened on external firewall
127
Call to Action
• Visit the World of Solutions for
• Cisco Campus
• Walk in Labs
• Technical Solution Clinics
• Meet the Engineer
• Lunch and Learn Topics
• DevNet zone related sessions
128
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
129