Uploaded by letuyen, posted on 14-Sep-2018


Best Practices for Business-to-business Video Collaboration

Luca Pellegrini, Technical Marketing Engineer

BRKCOL-2018

Agenda

• Introduction
  • Collaboration Edge Introduction
  • Proxy or B2BUA?
  • Expressway-E Dual Network Deployment
  • Dial Plan
  • Routing on the Internet: DNS SRV records
• Business-to-business Architecture
  • Signaling encryption
  • Media encryption
  • Encryption and lock icon
• Multipoint and Cloud Integration
  • CMR Premises
  • CMR Hybrid
  • CMR Cloud
• Expressway Policy Protection
  • Filtering ACLs
  • Search Rules and CPL Rules
  • Cisco Unified CM Inbound Calling Search Space
  • Minimizing or reducing UDP ports opened in the Internet firewall
• General considerations for multiple Expressway deployments

Why are we here today?

• Understand architectures for business-to-business video communications
• Understand architectures for cloud-based integration
• Understand best practices to protect the internal dial plan

Key Learning Objectives

• Explain and design B2B architectures based on Expressway-C and Expressway-E on a single edge, dual network deployment
• Understand how to integrate Premises, Hybrid and Cloud CMR through Expressway
• Understand UDP media port requirements for B2B

Introduction

• Collaboration Edge Introduction
• Proxy or B2BUA?
• Expressway-E Dual Network Deployment
• Dial Plan
• Routing on the Internet: DNS SRV records

Introducing Cisco Collaboration Edge Architecture: Industry's Most Comprehensive Any-to-Any Collaboration Solution

All the capabilities of Cisco Any-to-Any collaboration to date:
• TDM & analog gateways
• ISDN video gateways
• Session border control
• Firewall traversal
• Standards-based & secure

[Diagram: Collaboration Edge connecting teleworkers, mobile workers, B2B, consumers, 3rd parties, analog devices, branch offices, PSTN or IP PSTN, TDM or IP PBX and cloud services]

Cisco Expressway: a new gateway solving and simplifying business-relevant use cases

• For Unified CM & Business Edition environments
• Based on Cisco VCS technology
• Standards-based interoperability

[Diagram: the same edge use cases as the previous slide: teleworkers, mobile workers, B2B, consumers, 3rd parties, analog devices, branch offices, PSTN or IP PSTN, TDM or IP PBX, cloud services]

X8.1 Product Line Options

New offering (X8.1):
• "Expressway-C", or Core
• "Expressway-E", or Edge
No change:
• "VCS Control"
• "VCS Expressway"

Expressway:
• Solution designed for and sold exclusively with Unified CM 9.1 and above (including Business Edition)
• Subset of X8.1 features
• No additional cost for server software licenses

VCS Expressway:
• Specialized video applications for a video-only customer base and advanced video requirements
• No changes to the existing licensing model

Cisco Expressway Family: Expressway-C and Expressway-E

Expressway-C:
• SIP and H.323 trunk-side; includes an H.323-SIP gateway server
• 3rd party interoperability – trunk side only
• Traversal client for B2B and Mobile and Remote Access
• Normally deployed within the Enterprise network

Expressway-E:
• Application Edge Server for B2B and MRA SIP/H.323 firewall traversal
• Traversal server for B2B and Mobile and Remote Access
• Normally deployed in the DMZ

Cisco Expressway Family Overview: Expressway Routing

[Flowchart, reconstructed as text:]
1. Expressway receives the alias.
2. Does the calling or called alias match a CPL rule? If the rule says "reject": Forbidden. If "allow" (or no rule matches): continue.
3. Does the alias match a transform? Yes: apply the transform. No: continue.
4. Does the alias match a search rule? No: try the next lower-priority rule until the end of the rules or the alias is found. Yes: is the alias found? Yes: place the call. No: next lower-priority rule.

Cisco Expressway Family Overview: Regular Expressions (RegEx)

• A standard notation (POSIX), used in Unix and Linux editors
• Provide a concise and flexible means for matching and transforming strings
• Used simply, it is simple, but powerful
• One of the techniques available in Expressway for matching calls in zones

Key RegEx Metacharacters (For Your Reference)

.       Any single character
\d      Single digit ≡ [0-9]
*       0 or more repetitions of the previous character or expression
+       1 or more repetitions of the previous character or expression
?       0 or 1 repetitions of the previous character or expression
{n}     n repetitions of the previous character or expression
[abc]   A character from this set of characters
[1-4]   A character from this range of characters
[^def]  A character NOT including these characters
^       Start of line
$       End of line
\       Literalize, e.g. \* really is the * (asterisk character)
|       'or' – match (wxy|wyx)
( )     Group digits and store in store id \n

Examples of RegEx Manipulations (For Your Reference)

• Add domain to E164 number: (\d+) \[email protected] [email protected]
• Remove a domain: (.*)@.+ \[email protected] 6002
• Add a prefix '01189' to a 6 digit number: (\d{6}) 01189\1 — 123456 becomes 01189123456
• Reverse the order of 3 digits and put a dot between each: (\d)(\d)(\d) \3\2\1
• Match either [email protected] or [email protected]: 123@company.(com|net)

Cisco Expressway Family Overview: Most used zones on a UCM-centric Architecture

[Diagram: UCM – Expressway-C – Expressway-E, with a legend of "configured and used", "not configured, but used" and "not configured, not used"]
• Expressway-C zones shown: Neighbor Zone (UCM SIP Trunk to Unified CM), UC Traversal Zone (MRA), Traversal Client Zone (B2B), DNS Zone, ENUM Zone, Default Zone
• Expressway-E zones shown: Traversal Server Zone (B2B), UC Traversal Zone (MRA), DNS Zone (outbound calls via DNS query), Default Zone (inbound calls, alias or IP based), Neighbor Zone, ENUM Zone
• B2B traversal path: H.323 and SIP, encrypted and unencrypted. MRA traversal path: SIP TLS and SRTP only

SIP Proxy or SIP B2BUA?

• Proxy functionality is the native functionality of Expressway, always engaged
• B2BUA is a process internal to Expressway-C and Expressway-E, engaged when needed together with the Proxy
• B2BUA fully terminates a call leg and establishes a new call leg. The two call legs are then bridged together and count as two different calls
• B2BUAs are of different kinds, but we will focus on two of them:
  • B2BUA for MRA and Business-to-Business (icon shown on slide)
  • B2BUA for SIP to H.323 interworking (icon shown on slide)

Proxy Example

[Diagram: two parties both say "Good morning!"; the translators are not needed]
• No need for translators if the language is the same

Expressway with Proxy

[Diagram: SIP with RTP in, SIP with RTP out, through the Expressway proxy]
• Media flows through Expressway in most cases (UCM scenario with no other call control)
• Expressway is able to read the packet to route the call leg but doesn't "touch" it

B2BUA Example

[Diagram: one party says "Good morning!", the translators relay "Buongiorno!" to the other party and back]
• Different languages require a translating service
• Available "translations": SRTP/RTP, H.323/SIP, IPv4/IPv6

Expressway with Proxy and B2BUA

[Diagram: RTP on one side of the B2BUA, SRTP on the other]
• B2BUA terminates a call leg and re-establishes another call leg with the destination in order to perform protocol conversion
• Communication takes place through the B2BUA in all cases

Proxy with B2BUA

[Diagram: Exp-C/E Proxy process and Exp-C/E B2BUA process; the B2BUA converts between 1. SRTP, 2. SIP, 3. IPv4 on one side and 1. RTP, 2. H.323, 3. IPv6 on the other]
• The diagram shows the working principle only
• Flows are different in case of H.323, IP interworking or encryption
• The diagram might be different based on the calling scenario
• B2BUA can talk to the calling or called party directly (see the Minimizing UDP ports section)

Expressway Firewall Traversal Basics

[Diagram: Unified CM and Expressway-C in the Enterprise Network, a firewall, Expressway-E in the DMZ, a second firewall, then the Internet / Outside Network; media and signaling flows shown]

1. Expressway-E is the traversal server installed in the DMZ. Expressway-C is the traversal client installed inside the enterprise network.
2. Expressway-C initiates traversal connections outbound through the firewall to specific ports on Expressway-E with secure login credentials.
3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E to maintain the connection.
4. When Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C.
5. Expressway-C then routes the call to Unified CM to reach the called user or endpoint.
6. The call is established and media traverses the firewall securely over an existing traversal connection.

Expressway Dual Network Deployment Model

• Recommended solution
• Expressway-E LAN1 interface is used for clustering purposes
• Expressway-E LAN1 interface can be translated by static NAT only on a standalone appliance (no clustering)
• Expressway-E LAN2 interface can be translated by static NAT
• Expressway-C interface can be translated by NAT

Expressway Firewall Traversal Basics: Routing on Expressway-E

[Diagram: DMZ firewall (10.10.10.1) – Expressway-E with LAN1 10.10.10.10 and LAN2 172.19.19.19 – Internet firewall (172.19.19.1) with static NAT to public address 1.2.3.4 – Internet]

B2B Dial Plan: Numbers and alphanumeric SIP URIs together on CUCM

• By default every line has a directory number
• By assigning one or more alphanumeric SIP URIs to a line, a user's line can be reached by dialing:
  <directory number>@domain
  <alphanumeric SIP URI>@domain
• Disabling DN-based dialing and allowing alphanumeric SIP URIs only increases security
• This is independent from the phone/video device model type and works for both audio and video

DNS SRV Records for B2B and MRA

SRV record format for SIP and H.323 (RFC 2782):

_sip._tcp.example.com 86400 IN SRV 10 60 5060 expe.example.com

• _sip: name of the service
• _tcp.example.com: protocol (TCP, UDP...) and domain name
• 86400: DNS Time-To-Live, how long the server caches the record before it flushes the cache
• IN: DNS class, always "IN"
• 10: priority; the lowest priority value means "preferred"
• 60: weight; load-balances records with the same priority
• 5060: TCP or UDP port for the service
• expe.example.com: target, hostname or IP address of the host providing the service

Service Discovery

[Build-up diagram: Bigbox, Smallbox and Backupbox serving example.com, with the caller dialing [email protected]]

_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5061 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5061 backupbox.example.com.

1. The caller dials [email protected].
2. The calling system queries DNS for _sips._tcp.example.com and receives the three records above.
3. Priority 10 is preferred: calls are load-balanced by weight, 60% to Bigbox and 40% to Smallbox.
4. Backupbox (priority 20) is tried only when the priority 10 targets are unavailable.

Cisco SRV Records for business-to-business: SRV record format for SIP and H.323

SIP B2B:    _sips._tcp.domain    5061  TLS
            _sip._tcp.domain     5060  TCP
            _sip._udp.domain     5060  UDP
H.323 B2B:  _h323ls._udp.domain  1719  RAS
            _h323cs._tcp.domain  1720  H.225

Business-to-Business Architecture

• Encryption for Signaling
• Encryption for Media
• Encryption and lock icon

B2B Call Flow Single Edge

[Diagram: Company A (user [email protected], Expressway-C, Expressway-E) – Internet and DNS hierarchy – Company B (VCS-E, VCS-C, user [email protected])]
1. [email protected] calls [email protected].
2. Expressway-E forwards the SIP INVITE to companyB.com using the IP address received via DNS.
3. The called side sends SIP 200 OK.

SIP to H.323 Interworking: VCS and Expressway

[Diagram: SIP endpoint – Expressway (B2BUA) – H.323 gatekeeper (GK) – H.323 endpoint 3002; signaling and media are interworked; BFCP on the SIP side corresponds to H.239 on the H.323 side]

Protocol selection algorithm

• H.323 and SIP enabled globally and at zone level
• H.323/SIP protocol selection: native protocol first, alternative protocol as backup
• Interworking has to be enabled
• SIP to H.323 interworking with media handling

[Diagram: SIP endpoint – Expressway-C (SIP to H.323 B2BUA for signaling and media) – VCS-C – H.323 endpoint; order tried: 1. SIP, 2. H.323]

SIP Signaling Interworking: SIP Transport Protocol Selection

• Neighbor zones and Traversal zones: interworks if the outgoing transport type is different from the incoming
• DNS zones: based on priority (TLS/TCP/UDP). The DNS zone always tries TLS first
• In case of TLS/TCP protocol translation, the B2BUA is not engaged

[Diagram: UCM – ExpC – ExpE in two cases. Traversal zone set to TLS: SIP/TLS from UCM through ExpC to ExpE. Traversal zone set to TCP: SIP/TCP from UCM to ExpE. Outbound, the ExpE DNS zone tries 1. SIP/TLS, 2. SIP/TCP, 3. SIP/UDP; inbound, the Expressway-E Default Zone accepts SIP UDP/TCP/TLS]

SIP TLS: RTP to SRTP Media Interworking

[Diagram: Expressway-C with B2BUA; SIP TLS and SRTP on one side, SIP TCP and RTP on the other; the B2BUA interworks RTP and SRTP]

Media Encryption

• For SIP: media encryption mode can be configured (applies to Neighbor, DNS, Traversal and Default Zones, on Expressway-C and Expressway-E)
• H.323 doesn't work with "force encrypted" or "force unencrypted"
• Separate H.323 from SIP traversal zones if "force encrypted" is to be configured
• Auto: depends on the endpoints' request only
• Best Effort: will fall back to unencrypted if encryption is not available

Media Encryption and B2BUA Engagement

• With other settings than "Auto", Expressway will engage the B2BUA. As a consequence, media will always be interworked by Expressway
• "3-in-a-row rule" exception for Expressway-E: if the inbound zone and outbound zone are set to the same media encryption type and one of those zones is a Traversal Server zone, Expressway-E checks the value of the associated Traversal Client zone. If all these 3 zones are set to the same value, Expressway-E won't engage the B2BUA

[Diagram: ExpC – ExpE, with the traversal client zone set to other settings than "auto"]

B2B Call Legs

• Based on the engagement of the B2BUA on both Expressway-C and Expressway-E
• When a B2BUA is engaged the call leg is "broken" into two pieces for both signaling and media
• Multiple engagements of the B2BUA are sometimes unnecessary and can be minimized through reconfiguration
• Based on B2BUA engagement, a single call might consist of 1 to 5 call legs
• Lock icon closed only if all call legs, with the exception of the last one from the remote Edge to the destination endpoint, are encrypted, for both signaling and media

Example 1: "Auto" setting

Zone                                 Media encryption   Signaling
Expressway-C CM Neighbor Zone        Auto               TLS
Expressway-C Traversal Client Zone   Auto               TLS
Expressway-E Traversal Server Zone   Auto               TLS
Expressway-E Default Zone            Auto               Not configurable
Expressway-E DNS Zone                Auto               Not configurable

[Diagram: inbound and outbound zones on Expressway-C and Expressway-E carrying SRTP, the Internet, the Remote Edge, then RTP to the destination endpoint]
• "Auto" setting doesn't engage the B2BUA
• 2 call legs
• No control of media status; endpoints decide encryption settings
• Lock icon reflects the status of the first leg only

Example 2: Different settings for media

Zone                                 Media encryption   Signaling
Expressway-C CM Neighbor Zone        Best Effort        TLS
Expressway-C Traversal Client Zone   Force encrypted    TLS
Expressway-E Traversal Server Zone   Force encrypted    TLS
Expressway-E Default Zone            Auto               Not configurable
Expressway-E DNS Zone                Best Effort        Not configurable

[Diagram: TLS/SRTP on the inbound zone, TLS/SRTP on the traversal leg, TCP/RTP from Expressway-E to the Remote Edge over the Internet, RTP to the endpoint]
• Multiple call legs with different encryption status
• Lock icon shows closed only if all the call legs are encrypted, with the exception of the Remote Edge to endpoint call leg

Example 2: Different settings on Expressway-C and Expressway-E

Zone                                 Media encryption   Signaling
Expressway-C CM Neighbor Zone        Best Effort        TLS
Expressway-C Traversal Client Zone   Force encrypted    TLS
Expressway-E Traversal Server Zone   Force encrypted    TLS
Expressway-E Default Zone            Auto               Not configurable
Expressway-E DNS Zone                Best Effort        Not configurable

[Diagram: TLS/SRTP on the inbound zone, TLS/SRTP on the traversal leg, TLS/SRTP from Expressway-E to the Remote Edge over the Internet, RTP to the endpoint]
• 4 call legs
• Unnecessary engagement of the B2BUA on Expressway-E
• Lock icon closed because the first 3 call legs are encrypted

Example 3: Optimization of the previous example

Zone                                 Media encryption   Signaling
Expressway-C CM Neighbor Zone        Best Effort        TLS
Expressway-C Traversal Client Zone   Best Effort        TLS
Expressway-E Traversal Server Zone   Best Effort        TLS
Expressway-E Default Zone            Best Effort        Not configurable
Expressway-E DNS Zone                Best Effort        Not configurable

[Diagram: TLS/SRTP on the inbound zone, TLS/SRTP from Expressway-C through Expressway-E to the Remote Edge, RTP to the endpoint]
• Traversal zone set to "Best Effort": 3 call legs thanks to the "3-in-a-row" rule optimization. Minimizes firewall port usage!
• Lock icon shows closed because the first 2 call legs are encrypted

Dial Plan: Inbound and outbound calls

[Diagram: UCM – Expressway-C – Expressway-E]
• Expressway-E to Expressway-C and Expressway-C to UCM for all calls matching the internal domain (ent-pa.com)
• UCM routes outbound any URI different from a Directory URI and not included in the ILS table
• Expressway-C and Expressway-E route outbound any URI not matching the internal domain

IP Address Dialing: Outbound Calls (Cisco Unified CM IP dialing)

• Cisco Unified CM doesn't support native IP address dialing
• Workaround: instruct the users to append a suffix such as 10.10.10.10@ip. This will match the SIP Route Pattern "ip"
• Other workaround: instruct the users to use "*" instead of "." such as 10*10*10*10. This will match one of the following Route Patterns to the Expressway:
  • X*!
  • XX*!
  • XXX*!

Multipoint and Cloud Integration

• Inbound calls for CMR Premises
• CMR Hybrid Integration
• CMR Cloud Integration

Collaboration Meeting Rooms Deployment Options

CMR Premises: Example dial plan for CMR Premises

• On-premise multipoint calls hosted on TS/Conductor
• Range for scheduled calls: 80991XXX
• Ranges for permanent or personal CMR: 80044XXX, 80051XXX, 80065XXX
• Alphanumeric aliases for personal CMR ([email protected])
• Reachable from the Internet by dialing <alias>@domain

CMR Premises: Multipoint call flow

[Diagram: external participant – Expressway-E – Expressway-C – Cisco Unified CM (with Cisco Unified Presence Server and TMS) – Conductor – vTS; signaling and media flows shown]

CMR Premises: IP-based inbound dialing

[Diagram: the same components plus Unity Connection or UCCX; the external participant dials the IP address A.B.C.D of Expressway-E]
1. Dial A.B.C.D
2. Fallback alias set to the voice mail pilot
3. "Please dial the extension"
4. User enters the PIN for the multipoint meeting

CMR Hybrid with VoIP audio connection

[Diagram: CUCM endpoint – CUCM – Expressway-C – Expressway-E – Internet – WebEx; TMS, Conductor and Telepresence Server on premises, with an HTTPS outbound connection from TMS to WebEx; external participant on the Internet]
For meeting1:
• Users dial [email protected]
• TS dials out abcd@company-a.webex.com

CMR Hybrid Requirements

• CMR Hybrid requires an encrypted connection from Expressway-C or Expressway-E
• Trusted CA list is published in the Cisco Collaboration Meeting Rooms (CMR) Hybrid Deployment Guide
• It is recommended to turn encryption on at Expressway-C (set the traversal client zone to "best effort" or "force encrypted")
• Expressway-E zones can all be set to "auto" or to the same settings as the traversal client (to avoid unnecessary engagement of the B2BUA)
• Expressway-E certificate has to be signed by a public CA in the WebEx trust list

CMR Hybrid Dial Plan

• Same dial plan as on-premise CMR
• TS will be instructed from the Cloud via TMS-Conductor to dial a string followed by the corporate WebEx site: <alphanumeric string>@company-a.webex.com
• Expressway-C and Expressway-E will route any URI matching the domain company-a.webex.com to the WebEx cloud

CMR Cloud

[Diagram: CUCM endpoints – CUCM – Expressway-C – Expressway-E – Internet – WebEx; external participant on the Internet]

CMR Cloud Requirements

• Encrypted or unencrypted calls
• If encrypted, Expressway-E needs a certificate signed by a Certification Authority from the list of WebEx trusted CAs. "TLS verify" name is also recommended
• Trusted CA list is published in the Cisco WebEx Meeting Center with Collaboration Meeting Rooms Deployment Guide
• If H.323 has to be enabled, set the Expressway-C traversal client zone to "best effort"
• Expressway-E zones can all be set to "best effort" or all set to "auto" to avoid engagement of the B2BUA in Expressway-E and encrypt all traffic in the DMZ

Simplified Dialing Habit for scheduled meetings

• WebEx dial plan: [email protected]
• User dials: 7-123456789
• Route Pattern on UCM 7XXXXXXXXX to Expressway-C
• Expressway-C strips the prefix (7) and adds the domain, leading to: [email protected]
• It's possible to use * as prefix
• In case the dial plan doesn't allow for an easy prefix, it's possible to use a domain: 123456789@cloud
  • This will be matched against a SIP Route Pattern and sent to Expressway-C
  • Expressway-C will add the correct domain and send the call to the WebEx cloud

Simplified Dialing Habit for Personal CMR

[email protected]
• If Directory URI is not enabled, i.e. lpellegr is not defined as a Directory URI, the UCM user can just dial lpellegr.
• The endpoint will add the OTLD (e.g. customer-a.webex.com) and match the SIP Route Pattern customer-a.com to Expressway-C
• Expressway-C will replace customer-a.com with customer-a.webex.com and send the call to the Cloud
• If Directory URI is configured, the user can dial lpellegr@cloud. Expressway will normalize it and send it to the WebEx cloud.

Expressway Policy Protection

• Filtering ACLs
• Search Rules and CPL Rules
• Cisco Unified CM Inbound Calling Search Space
• Minimizing or reducing UDP ports opened in the Internet firewall

How Expressway-E is often configured

• Allows inbound calls to the local domain
• Allows outbound calls to non-local domains

What might happen 1. Fraudulent use of PSTN GW

Inbound CSS not specifically configured for Expressway-C
[Diagram: from the Internet, dial [email protected] → Expressway-E → Expressway-C → CUCM → Video GW or Voice GW → PSTN]
• Expressway and UCM don't block gateway access from the Internet

What might happen 2. Calls to Unity Connection

Inbound CSS not specifically configured for Expressway-C
[Diagram: from the Internet, dial [email protected] → Expressway-E → Expressway-C → CUCM → Unity Connection (VM Pilot: +14085554999)]
• Expressway and UCM don't block direct calls to Unity Connection

What might happen 3. Calls to Conductor/TS

Inbound CSS not specifically configured for Expressway-C
[Diagram: from the Internet, dial [email protected] → Expressway-E → Expressway-C → CUCM → Conductor / Telepresence Server; instant meetings match meet.* and 8123\d{3}]
• Expressway and UCM don't block instant calls to Conductor

What might happen 4. Calls to external destinations over the Internet

Inbound CSS not specifically configured for Expressway-C
[Diagram: from the Internet, dial [email protected] → Expressway-E → back out to [email protected] on the Internet]
• Expressway by default does not block a call coming from the Default Zone to the DNS Zone
• An external user can leverage the security credentials of Expressway

1. How to find Expressway systems over the Internet

Scan an IP range on ports 5060/5061. IP range not shown! Get the results (not shown!)
[Screenshots: {IP range}, {IP Addr/port No}]

Scan effect on Expressway: Expressway-E search rules

• Note: 100@ means 100@<Expressway-E IP address>. IP addresses have been removed
[Screenshot: search history on Expressway-E]

In case of many search rules…

One call from the Internet might trigger many searches until the last rule is analyzed
[Screenshot: {Expressway-E IP Address}, {IP Addr/port No}, {IP Addr/port No}]

2. Search for available services: search for escape and service codes

Access codes to PSTN (0, 9) and to the internal numbering plan (80…)
Time interval is large enough to bypass DoS prevention

Policy in Layers: Filtering inbound unauthenticated video federation traffic

• Filter access to Expressway allowing only required TCP & UDP ports
• Call Policy Rules on Expressway protect against scanners and toll fraud
• SIP Trunk CSS provides fine-grained access control to gateways/resources

[Diagram: unauthenticated B2B traffic (SIP UDP, SIP TCP, H.323 TCP) from the Internet → External Firewall (Filtering ACLs) → Expressway-E in the DMZ (CPL Rules, Search Rules) → DMZ Firewall → Expressway-C (Search Rules) → Unified CM (SIP Trunk Inbound CSS) → Enterprise Resources]

Components of Expressway Media Traversal

[Diagram: Expressway-E and Expressway-C, each with Proxy and B2BUA components; Assent between them across the DMZ firewall]
• Proxy: default component used for media traversal
• B2BUA: component used when a media encryption policy other than "auto" is applied
• Assent protocol is used for multiplexed media on Traversal server zones

Traversal Media Port Range

[Diagram: Proxy and B2BUA on Expressway-E and Expressway-C sharing the traversal media port range]
• Admin configures the port range on the Configuration > Traversal Subzone menu on both Expressway-C & E; defaults to 36000 – 59999
• The allocated media port range is divided and shared: the 1st half goes to the Proxy, the 2nd half goes to the B2BUA

Assent Traversal Media Ports: Assent Demultiplexing Ports

[Diagram: Assent demux ports on Expressway-E facing the DMZ firewall]
• Admin configures the port range on the Configuration > Traversal > Ports menu on Expressway-E only
• Defaults to UDP 2776-2777
• Large VMs, CE1100, CE1000 require 12 demux ports, automatically allocated from the beginning of the traversal media port range, typically UDP 36000 – 36011

B2B Media Paths

• The UDP port details, Expressway components and encryption attributes are best understood in the following categories:
  • Internal – media path between Expressway-C and on-prem resources
  • Traversal zone – media path between Expressway-C and Expressway-E
  • External – media path between Expressway-E and destination

[Diagram: Internal | Traversal Zone (Assent) | External, across Expressway-C and Expressway-E]

Filtering ACLs for B2B calls

Based on a medium/small OVA with non-specifically configured multiplexed ports (rows marked *).
• On large systems, the default allocation for multiplexed media is 36000 to 36011
• On small/medium systems, two configurable ports are allocated for multiplexed media. Defaults are 2776 and 2777 and might be changed, but if the admin chooses not to configure those ports, Expressway will listen on 36000 and 36001

Traffic                  Source IP  Source port  Transport  Dest. IP   Dest. port
H.323 calls using Assent (NATed endpoints)
Q.931/H.225 and H.245    Any        >=1024       TCP        ExpE LAN2  2776
RTP Assent               Any        >=1024       UDP        ExpE LAN2  36000*
RTCP Assent              Any        >=1024       UDP        ExpE LAN2  36001*
H.323 endpoints with public IP addresses or remote Edge systems
Q.931/H.225              Any        >=1024       TCP        ExpE LAN2  1720
H.245                    Any        >=1024       TCP        ExpE LAN2  15000 to 19999
RTP & RTCP               Any        >=1024       UDP        ExpE LAN2  36002 to 59999*
SIP endpoints or remote Edge systems
SIP TCP                  Any        >=1024       TCP        ExpE LAN2  5060
SIP UDP                  Any        >=1024       UDP        ExpE LAN2  5060
SIP TLS                  Any        >=1024       TCP        ExpE LAN2  5061
RTP & RTCP               Any        >=1024       UDP        ExpE LAN2  36002 to 59999*

Other Recommendations

• No need to open other ports like TCP 80, 443 and 22
• If MRA is deployed together with B2B, open ports TCP 5222 (XMPP) and TCP 8443 (HTTPS for UDS proxy services). More details in the Mobile and Remote Access Deployment Guide
• It's a good rule to manage Expressway-E with the LAN1 interface: management on LAN2 can be disabled using FW rules on the Expressway interfaces
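The ACL table above and the Other Recommendations turned into a rule builder with a port check, so the Internet firewall policy can be reviewed against it. This is an added example, not Cisco's tooling: the traversal media range and demux allocations come from the slides; that the RTP/RTCP range starts right after the 12 demux ports on a large system (36012) is an assumption that follows the table's pattern, and the rendered syntax is generic, not any vendor's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    purpose: str
    proto: str    # "tcp" or "udp"
    first: int    # first destination port on Expressway-E LAN2 (inclusive)
    last: int     # last destination port (inclusive)


def b2b_inbound_rules(large_system=False, media_range=(36000, 59999), mra=False):
    """Inbound ACL towards Expressway-E LAN2 built from the slides' table.

    Every row has source 'any' with source port >=1024, so the source side is
    not modelled. Demux ports not configured by the admin: small/medium systems
    listen on the first two media ports, large systems take 12 ports from the
    start of the range. The RTP/RTCP range starting right after the demux ports
    (36002, or 36012 on large systems) is an assumption for the large case."""
    lo, hi = media_range
    demux_count = 12 if large_system else 2
    rules = [
        Rule("Assent signaling (Q.931/H.225, H.245)", "tcp", 2776, 2776),
        Rule("Assent RTP/RTCP demux", "udp", lo, lo + demux_count - 1),
        Rule("Q.931/H.225", "tcp", 1720, 1720),
        Rule("H.245", "tcp", 15000, 19999),
        Rule("RTP & RTCP", "udp", lo + demux_count, hi),
        Rule("SIP TCP", "tcp", 5060, 5060),
        Rule("SIP UDP", "udp", 5060, 5060),
        Rule("SIP TLS", "tcp", 5061, 5061),
    ]
    if mra:   # only when MRA shares this Expressway-E (Other Recommendations)
        rules += [Rule("XMPP (MRA)", "tcp", 5222, 5222),
                  Rule("HTTPS UDS proxy (MRA)", "tcp", 8443, 8443)]
    return rules


def permitted(rules, proto, port):
    """Purpose of the rule admitting this destination, or None if nothing does."""
    for rule in rules:
        if rule.proto == proto and rule.first <= port <= rule.last:
            return rule.purpose
    return None


def render(rules):
    """Human-readable ACL lines in a generic notation (not a vendor syntax)."""
    lines = []
    for r in rules:
        ports = str(r.first) if r.first == r.last else f"{r.first}-{r.last}"
        lines.append(f"permit {r.proto} any >=1024 -> ExpE-LAN2 {ports}  # {r.purpose}")
    lines.append("deny ip any -> ExpE-LAN2  # everything else, incl. TCP 80/443/22")
    return lines


if __name__ == "__main__":
    print("\n".join(render(b2b_inbound_rules())))
    for proto, port in (("tcp", 443), ("tcp", 5061), ("udp", 36002), ("tcp", 8443)):
        print(proto, port, "->", permitted(b2b_inbound_rules(), proto, port))
```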


Expressway policy considerations

Allow-based policy:
• Allow calls matching the internal dial plan for users and rooms
• Allow multiparty meetings
• Deny all other inbound calls (this includes PSTN access codes, Unity calls, etc.)

Deny-based policy:
• Deny calls to the PSTN
• Deny calls to Unity
• Deny calls to instant meetings on Conductor
• Allow everything else matching the internal domain
• Deny all other inbound calls

CPL and authentication policy

Zone authentication policy
• Unauthenticated traffic matching a CPL rule can be rejected.
• Traffic from Expressway-C arrives over the traversal zone and is classified as authenticated, so it is not caught by rules written against unauthenticated sources and is always allowed.

(Diagram: Internet -> Expressway-E: non-authenticated; Expressway-C -> Expressway-E over the traversal zone: authenticated.)

Do not check credentials: all messages are classified as unauthenticated. Any existing P-Asserted-Identity headers are removed.

Treat as authenticated: all messages are classified as authenticated. Messages with a P-Asserted-Identity header are passed on unchanged; messages without one have a P-Asserted-Identity header inserted.

Keep the Internet-facing Default Zone on "Do not check credentials": a P-Asserted-Identity header injected by an external caller is then stripped instead of being trusted, while the traversal zone from Expressway-C can be set to "Treat as authenticated".

• A rule written against unauthenticated sources therefore rejects only traffic coming from the Internet through the Default Zone.
• All outbound calls are allowed.
• Note: search rules do not have an option to reject calls; a rejection needs a CPL rule.

(Diagram: Internet -> Expressway-E: non-authenticated; Expressway-C -> Expressway-E: authenticated.)

Expressway Routing

(Flowchart, read top to bottom:)
• Expressway receives the alias.
• Does the calling or called alias match a CPL rule? If the rule says "reject", the call is forbidden; if it says "allow", routing continues.
• Does the alias match a transform? If yes, apply the transform.
• Does the alias match a search rule? If not, move to the next lower-priority rule until the end of the rules or the alias is found. If it matches, search the target: if the alias is found, place the call; otherwise try the next lower-priority rule.

• Transforms are usually not needed on a UCM installation.
• CPL can block the routing process right after it has started, before any search rule is evaluated.

Search rules

CPL rule example
• A simple rule matches the domain portion only: .*@ent-pa\.com
• Calls from external sources to external destinations are forbidden.
• This simple policy rule protects against scanners sending traffic to @<IP address> destinations.
• Calls to Unity, PSTN gateways and Conductor instant meetings are still allowed, so access should be restricted further.

Allow-based policy Example (1): internal allowed calls

• P2P calls to SIP URIs only
• What does an allowed SIP URI look like? Some of the most common options:
• 1. userid is 8 characters long
• 2. userid = name.surname
• 3. userid = first letter of name + surname
• Numeric calls to conferences only

Allow-based policy Example (2): creating the closest regex to match the internal dial plan

• 8-character userID
• From 2 to 8 characters
• Contains letters only and optionally a single digit at the end
• Regex: ^[a-z]{2,7}\w@ent-pa\.com.*$

Test cases against the regex (the sample addresses are redacted in the source; the description of each case is kept):
• 3 characters with an ending digit - OK
• 8 characters - OK
• 7 characters with an ending digit - OK
• First 7 characters can't be digits - NO
• LPellegr3@ent-pa.com: more than 8 characters - NO
• 1 character and 1 digit - NO
• L*...: contains a special character - NO
• Contains a dot - NO
• Contains two digits - NO
• Contains a digit in the middle - NO
• First characters can't be digits - NO

Two caveats when reusing this regex: \w also matches a letter or an underscore, so the last character is not necessarily a digit; and the trailing .* after the domain lets the host part continue (for example a longer host name that merely starts with ent-pa.com), so if trailing URI parameters must be tolerated, prefer something like (;.*)?$ to .*$.

Allow-based policy Example (3): creating the closest regex to match the internal dial plan

• name.surname
• Name contains letters only; surname can end with a single digit; no special characters
• Regex: [a-z]*\.[a-z]*(\d)?@ent-pa\.com

• First letter of name + surname
• The most generic of the three; a maximum length can be added to further restrict access (e.g. 20 characters)
• Regex: [a-z]{1,20}(\d)?@ent-pa\.com

Test cases for the name.surname regex (sample addresses redacted in the source):
• name.surname with and without an ending digit - OK
• Doesn't contain the dot - NO
• First 7 characters can't be digits - NO

Test cases for the first letter + surname regex:
• With and without an ending digit - OK
• luca.pellegrini: contains a dot - NO
• First 7 characters can't be digits - NO

Note that [a-z]* also matches an empty name or surname (so ".@ent-pa.com" would pass); use [a-z]+ if that is not intended, and anchor these patterns with ^ and $ as in Example (2) so the result does not depend on whether the matcher compares the whole alias or a substring.

Allow-based policy Example (4): final dial plan

• Allow calls to Directory URIs and personal CMRs (a userid at ent-pa.com, with or without the .cmr suffix). Regex: ^[a-z]{2,7}\w(\.cmr)?@ent-pa\.com.*$ (the Example (2) pattern with an optional .cmr suffix)
• Allow calls to scheduled conferences (80991XXX). Regex: 80991\d{3}@ent-pa\.com
• Allow calls to personal CMRs (80044XXX, 80051XXX, 80065XXX). Regexes: 80044\d{3}@ent-pa\.com, 80051\d{3}@ent-pa\.com, 80065\d{3}@ent-pa\.com
• Reject anything else

CPL Rules Example

The policy allows only legitimate traffic and rejects everything else, including:
• Calls to the PSTN (PSTN escape codes are not included in the regexes)
• Direct calls to Unity Connection (the voicemail pilot is not included in the regexes)
• TelePresence Server instant meetings (not included in the regexes)
• External-to-external calls (a call entering Expressway has to match the internal domain or it is not routed)

Deny-based Policy (1): example based on the Preferred Architecture dial plan

Numeric range for multipoint: 8000XXXX
Numeric ranges for endpoints: 84969XXX, 83905XXX, 81974XXX, 81911XXX, 81975XXX, 84411XXX
Other services: 85XXXXXX to 89XXXXXX

Rules:
- Block the numeric ranges for endpoints
- Block the prefixes for gateway access
- Block access to +E.164 numbers (includes the Unity voicemail pilot)
- Allow URIs whose host portion matches the internal domain

Deny-based Policy (2): example

Rules are evaluated top down; the first match wins.

Source           Destination                  Action
Unauthenticated  8[1-9]\d{6}@ent-pa\.com      Deny
Unauthenticated  [09]\d*@ent-pa\.com          Deny
Unauthenticated  \+\d*@ent-pa\.com            Deny
Unauthenticated  .*@ent-pa\.com               Allow
Unauthenticated  .*                           Deny

The first rule covers the endpoint ranges and the 85XXXXXX to 89XXXXXX services while leaving the 8000XXXX multipoint aliases to the Allow rule. The dot in the domain is escaped in every rule so that it matches a literal dot. As with the allow-based examples, anchor the patterns (^...$) if the matcher is not guaranteed to compare the whole alias.
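A worked version of the two policies above, as an added example that is not part of the session's material: a small Python evaluator that applies the slide regexes with first-match-wins semantics, runs constructed sample aliases through both the allow-based policy (Allow-based policy Examples (1) to (4)) and the deny-based policy (Deny-based Policy (1) and (2)), and shows why the patterns should be anchored and the trailing .* after the domain tightened. The sample addresses, the case-insensitive whole-alias matching and the (;.*)? suffix are assumptions made here; the rule order and the regexes themselves are the slides' own.

```python
import re

# Added example, not part of the session: a first-match-wins evaluator for the
# Expressway Call Policy (CPL) rules shown on the slides. Assumptions: aliases are
# compared case-insensitively and the whole alias has to match (re.fullmatch), which
# is what the ^...$ anchors on the slides express; the trailing ".*" the slides put
# after the domain is tightened to "(;.*)?" so that only URI parameters may follow
# ent-pa.com, not a longer host name that merely starts with it.

DOMAIN = r"@ent-pa\.com"

# Allow-based policy (Allow-based policy Examples (1) to (4)): only the internal dial plan passes.
ALLOW_BASED = [
    ("allow", r"[a-z]{2,7}\w(\.cmr)?" + DOMAIN + r"(;.*)?"),  # 2-8 char userid, optional .cmr
    ("allow", r"80991\d{3}" + DOMAIN),                        # scheduled conferences
    ("allow", r"80044\d{3}" + DOMAIN),                        # personal CMR numeric ranges
    ("allow", r"80051\d{3}" + DOMAIN),
    ("allow", r"80065\d{3}" + DOMAIN),
    ("deny", r".*"),                                           # PSTN codes, Unity, @<ip>, DNs, external
]

# Deny-based policy (Deny-based Policy (1) and (2)): block the sensitive ranges, then allow the domain.
DENY_BASED = [
    ("deny", r"8[1-9]\d{6}" + DOMAIN),   # endpoint DN ranges and 85XXXXXX-89XXXXXX services
    ("deny", r"[09]\d*" + DOMAIN),       # gateway access prefixes
    ("deny", r"\+\d*" + DOMAIN),         # +E.164, including the Unity voicemail pilot
    ("allow", r".*" + DOMAIN),           # anything else at the internal domain (8000XXXX multipoint)
    ("deny", r".*"),                     # external-to-external and everything else
]


def evaluate(policy, destination, authenticated=False):
    """Return (action, matched_pattern) for one destination alias.

    Calls classified as authenticated (e.g. arriving over the traversal zone from
    Expressway-C with "Treat as authenticated") are not subject to these
    unauthenticated-source rules; everything else walks the list top down and the
    first matching rule decides. No match at all fails closed.
    """
    if authenticated:
        return "allow", None
    for action, pattern in policy:
        if re.fullmatch(pattern, destination, re.IGNORECASE):
            return action, pattern
    return "deny", None


# Constructed sample destinations (the slides redact most of theirs) with the
# outcome the slides' rules give them.
ALLOW_SAMPLES = [
    ("lpe3@ent-pa.com", "allow"),                    # 3 characters with an ending digit
    ("lpellegr@ent-pa.com", "allow"),                # 8 characters
    ("lpelleg3@ent-pa.com", "allow"),                # 7 characters with an ending digit
    ("lpellegr.cmr@ent-pa.com", "allow"),            # personal CMR of the same user
    ("lpellegr@ent-pa.com;transport=tls", "allow"),  # URI parameter after the domain
    ("80991123@ent-pa.com", "allow"),                # scheduled conference
    ("lpellegr3@ent-pa.com", "deny"),                # more than 8 characters
    ("l3@ent-pa.com", "deny"),                       # 1 character and 1 digit
    ("lpelle33@ent-pa.com", "deny"),                 # two digits
    ("l.pelleg@ent-pa.com", "deny"),                 # contains a dot
    ("84969123@ent-pa.com", "deny"),                 # endpoint DN, not in any allow rule
    ("912345678@ent-pa.com", "deny"),                # PSTN escape code
    ("lpellegr@203.0.113.10", "deny"),               # scanner dialling @<ip address>
    ("lpellegr@ent-pa.com.attacker.example", "deny"),  # would pass with the slide's trailing .*
]
DENY_SAMPLES = [
    ("84969123@ent-pa.com", "deny"),        # endpoint range
    ("85123456@ent-pa.com", "deny"),        # other services range
    ("91234567890@ent-pa.com", "deny"),     # gateway prefix
    ("+14085551234@ent-pa.com", "deny"),    # +E.164
    ("80001234@ent-pa.com", "allow"),       # multipoint range, reached by the domain allow
    ("luca.pellegrini@ent-pa.com", "allow"),
    ("luca@example.com", "deny"),           # external to external
    ("luca@ent-pa.com.attacker.example", "deny"),  # fullmatch stops the host from growing
]


def mismatches(policy, samples):
    """Return the (destination, expected, actual) triples where the policy disagrees."""
    out = []
    for destination, expected in samples:
        actual = evaluate(policy, destination)[0]
        if actual != expected:
            out.append((destination, expected, actual))
    return out


if __name__ == "__main__":
    print("allow-based:", mismatches(ALLOW_BASED, ALLOW_SAMPLES) or "all samples as expected")
    print("deny-based:", mismatches(DENY_BASED, DENY_SAMPLES) or "all samples as expected")
```

Running the file reports whether every sample gets the decision the slides describe. The deliberately surprising case is lpellegr@ent-pa.com.attacker.example: the slide's ^...@ent-pa\.com.*$ variant would let it through, because .* swallows the rest of the host name, whereas the anchored whole-alias match with (;.*)? rejects it.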


UCM Calling Search Space: block access at UCM level

• Unified CM holds the whole dial plan and controls access to all resources.
• The inbound CSS of the SIP trunk from Expressway-C includes only the Directory URI, scheduled meetings, personal CMR and permanent conference partitions; the DN, PSTN access and voicemail partitions are deliberately left out.
• Unified CM takes a more granular approach, based on partitions rather than numeric ranges.

(Diagram: Internet B2B traffic -> Expressway-C -> SIP trunk -> Unified CM. Partitions reachable through the trunk's inbound CSS: Directory URI, Scheduled meeting, Personal CMR. Partitions not in the inbound CSS: DN, PSTN access, Voicemail.)

What's the result?

Routing stops immediately, since CPL rules are the first thing checked.

... but it does not make you invisible: Expressway-E still answers on its public IP address and open port numbers, so it remains discoverable by scanners; the policy only decides what a discovered listener will route.

Minimizing UDP Ports open to Expressway-E

Business-to-business access media traversal
• B2B deployments have predictable UDP media traffic paths.
• The traversal media port range is set under Configuration > Local Zone > Traversal Subzone on both Expressway-C and Expressway-E; it defaults to 36000 to 59999.
• The B2BUA is engaged on Expressway-C and/or Expressway-E whenever a call needs encryption interworking (an encrypted leg towards an unencrypted leg).
• The proxy component is always used on both Expressway-C and Expressway-E.
• The media port range is divided and shared: the first half goes to the proxy, the second half to the B2BUA.
• Example with a port range of 50000 to 59999: 50000 to 54999 goes to the proxy, 55000 to 59999 to the B2BUA.

B2BUA impact on firewall ports
• When only the proxy is engaged on Expressway-E (media encryption mode set to "Auto" on all zones), the number of ports per call is half of what is needed when both the B2BUA and the proxy are engaged.
• Enabling encryption interworking on Expressway-C instead of Expressway-E therefore reduces the number of ports opened on the external firewall.
• With the B2BUA: 24 ports engaged per call
• Without the B2BUA: 12 ports engaged per call

Example 1: B2BUA engaged on Expressway-E

• E.g. Default Zone set to "Best effort" and traversal zone set to "Force encrypted": this always engages the B2BUA on Expressway-E.
• 50 concurrent B2B calls
• Total 1200 (50 x 24) ports opened on the external firewall
• Range configured on Expressway: 2400 ports, from 50000 to 52399
• First half goes to the proxy: 50000 to 51199
• Second half goes to the B2BUA: 51200 to 52399
• Ports to be opened on the external firewall: UDP 51200 to 52399

Example 2: B2BUA engaged on Expressway-C only

• Expressway-E configured with "Best effort" in all zones, and the Expressway-C traversal client zone also set to "Best effort": the B2BUA is not engaged on Expressway-E.
• 50 concurrent B2B calls
• Total 600 ports opened on the external firewall (the proxy requires 12 ports per call)
• Range configured on Expressway: 1200 ports, from 50000 to 51199
• First half goes to the proxy: 50000 to 50599
• Second half goes to the B2BUA: 50600 to 51199
• Ports to be opened on the external firewall: UDP 50000 to 50599

Media Latching

• When media latching is performed by Expressway-E, 36 ports per call are required from the proxy half of the range.
• If a large number of NATted endpoints dial directly into Expressway-E, take this figure into account when sizing the proxy half and the firewall rules.

Expressway-E signaling with B2BUA, audio portion of the call (for reference)

(Diagram: Expressway-E with LAN1 10.52.254.55 and LAN2 173.38.168.145, running the proxy process and the B2BUA process. The proxy exchanges SIP TLS on 5061 with Expressway-C and with the remote Expressway-E; proxy and B2BUA talk to each other internally on ports 5071, 7002, 25020, 25021 and 25060. The remote side's 200 OK offers c=173.39.92.68 port 40882; the B2BUA's 101 ACK / 200 OK carry its own media ports 55104 (B2BUA port) and 55114, and the proxy's 101 ACK towards Expressway-C carries 50062.)

Expressway-E media with B2BUA, audio portion of the call (for reference)

(Diagram: audio RTP path through Expressway-E (LAN1 10.52.254.55, LAN2 173.38.168.145): Expressway-C port 48084 <-> proxy demultiplexing port 2776; proxy port 50062 <-> B2BUA port 55114; B2BUA port 55104 <-> remote Expressway-E port 40882.)

Media Ports Calculation

• For audio, the B2BUA takes 2 ports (55104 and 55114) and the proxy takes 2 ports (2776 and 50062).
• If the B2BUA is always engaged, two B2BUA ports per media type are needed (55104 and 55114 in this case).
• The other streams are video, duo video, BFCP, FECC and iX.
• For each of these an RTCP port is also engaged.
• Total with the B2BUA: 24 ports per call.
• If the B2BUA is not engaged on Expressway-E: 12 UDP ports per call are required, one from the proxy range per stream, while the other side of each stream is the shared demultiplexing port 2776.

(Diagram: the same audio path as above: Expressway-C 48084 <-> proxy 2776; proxy 50062 <-> B2BUA 55114; B2BUA 55104 <-> remote 40882.)

Expressway-E media latching, audio portion of the call (for reference)

(Diagram: Expressway-E (LAN1 10.52.254.55, LAN2 173.38.168.145): towards Expressway-C the proxy uses demultiplexing port 2776; towards the NATted remote endpoint (port 16369) the proxy latches media on ports 50224, 50236 and 50246 from the proxy half, with the B2BUA ports 55440 and 55452 shown on the internal side.)

• Only proxy ports are exposed
• 3 ports per media type
• 36 ports per call (12 x 3)
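The port-sizing procedure of Examples 1 and 2, the 24 and 12 ports-per-call figures from Media Ports Calculation and the 36 ports per latched call, carried through as an added example that is not part of the session's material: a Python calculator that splits a configured traversal media port range into its proxy and B2BUA halves, works out which half must be opened on the external firewall for a given number of concurrent calls, flags a range that is too small for the load, and renders the result as IOS-style ACL lines. The constants are the slides' figures; the equal split, the integer-division handling of an odd-sized range, the treatment of latched calls as proxy-only, the ACL syntax and the address 203.0.113.10 are assumptions made here.

```python
# Added example, not from the session: sizing the UDP media ports a B2B deployment
# needs on the external firewall, using the per-call figures given on the slides.
# Assumptions: the traversal media port range is split into two equal halves (first
# half proxy, second half B2BUA); an odd-sized range is handled with integer
# division, which the slides do not cover; latched calls for NATted endpoints are
# proxy-only and consume 36 ports each from the proxy half.

PORTS_PER_CALL_B2BUA = 24     # B2BUA engaged on Expressway-E: RTP + RTCP for 6 media types, both B2BUA sides
PORTS_PER_CALL_PROXY = 12     # proxy only: RTP + RTCP for 6 media types from the proxy half
PORTS_PER_LATCHED_CALL = 36   # media latching on Expressway-E: 3 ports per media type x 12


def split_range(start, end):
    """Split the traversal media port range into (proxy_half, b2bua_half), both inclusive."""
    if start > end:
        raise ValueError("start must not exceed end")
    half = (end - start + 1) // 2
    return (start, start + half - 1), (start + half, end)


def plan_external_ports(start, end, concurrent_calls, b2bua_on_e, latched_calls=0):
    """Return which half (or halves) of the range must be opened on the external firewall.

    Result keys: proxy_half, b2bua_half, open (list of dicts with the half name, its
    range, the ports needed and its capacity) and fits (False when a half is too small
    for the expected load, meaning the configured range must be enlarged).
    """
    proxy_half, b2bua_half = split_range(start, end)
    proxy_need = latched_calls * PORTS_PER_LATCHED_CALL
    b2bua_need = 0
    if b2bua_on_e:
        b2bua_need = concurrent_calls * PORTS_PER_CALL_B2BUA   # Example 1: open the B2BUA half
    else:
        proxy_need += concurrent_calls * PORTS_PER_CALL_PROXY  # Example 2: open the proxy half

    to_open, fits = [], True
    for name, (lo, hi), need in (("proxy", proxy_half, proxy_need), ("b2bua", b2bua_half, b2bua_need)):
        if need == 0:
            continue
        capacity = hi - lo + 1
        fits = fits and need <= capacity
        to_open.append({"half": name, "range": (lo, hi), "need": need, "capacity": capacity})
    return {"proxy_half": proxy_half, "b2bua_half": b2bua_half, "open": to_open, "fits": fits}


def acl_lines(plan, expe_lan2):
    """Render the halves to open as IOS-style extended ACL lines (source port >= 1024, as in the slide table)."""
    return [f"permit udp any gt 1023 host {expe_lan2} range {lo} {hi}"
            for lo, hi in (entry["range"] for entry in plan["open"])]


if __name__ == "__main__":
    cases = (("Example 1, B2BUA on Expressway-E", (50000, 52399, 50, True)),
             ("Example 2, B2BUA on Expressway-C only", (50000, 51199, 50, False)),
             ("Undersized range with B2BUA on Expressway-E", (50000, 51199, 50, True)),
             ("Default range, 10 latched NATted endpoints", (36000, 59999, 0, True, 10)))
    for label, args in cases:
        plan = plan_external_ports(*args)
        print(label + ":", "fits" if plan["fits"] else "RANGE TOO SMALL")
        for entry in plan["open"]:
            print(f"  {entry['half']} half {entry['range']}: need {entry['need']}, capacity {entry['capacity']}")
        for line in acl_lines(plan, "203.0.113.10"):  # assumed Expressway-E LAN2 address
            print("  " + line)
```

The third case reproduces the mistake the slides warn about: keeping the 1200-port range of Example 2 while the B2BUA ends up engaged on Expressway-E leaves the B2BUA half with 600 ports for a 1200-port load, so calls fail for lack of media ports rather than the firewall being too tight.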

Conclusion

• Enable the B2BUA on Expressway-C and try to avoid engaging it on Expressway-E, to reduce the ports opened on the external firewall.
• Open only the ports that are needed.
• If MRA is used, the B2BUA is engaged on Expressway-C; 12 ports per MRA call are needed in addition.

General Considerations for multiple Expressway Deployments

Multiple Expressway clusters
• Outbound calls can be sent to the nearest Expressway-C cluster based on CSS and partitions on Unified CM.
• Inbound calls: Geo DNS setup, or Directory Expressway setup.

B2B inbound calls, Geo DNS: minimizing the distance between the calling device and the edge

(Diagram: Company B US site calls Company A over the Internet; Geo DNS sends the call to the Company A US site edge rather than the EMEA site edge, and the call crosses Company A's WAN to the CUCM cluster if the called endpoint is elsewhere.)

Geo DNS for MRA and B2B

Geo DNS characteristics
• Geo DNS is a service offered by many DNS providers; it resolves the name to the edge nearest to the calling device, so the inbound call or registration request lands on the closest Expressway-E.
• Applying the Geo DNS service to SRV records is the preferred way.
• Some DNS providers implement Geo DNS on specific record types only, such as CNAME or A records.
• Disaster recovery between different sites can be achieved only if the Geo DNS service supports SRV records.

Directory Expressway: minimizing the distance between the called endpoint and the edge

(Diagram: Company B US site calls Company A over the Internet; a Directory Expressway receives the call and forwards it to the edge of the site where the called endpoint is registered, Company A US or EMEA, instead of crossing Company A's WAN.)

Example with multiple Cisco Unified CM clusters

(Diagram: Expressway-E1/Expressway-C1 in front of UCM1 and Expressway-E2/Expressway-C2 in front of UCM2 on the corporate network, with a Directory Expressway-E on the Internet. Numbered call flow 1 to 4: the call for a user at the internal domain enters at the Directory Expressway-E and is routed to the Expressway-E/Expressway-C pair and Unified CM cluster of the called user.)

On both UCM1 and UCM2 the inbound CSS of the Expressway-C trunk does not include the partition holding the SIP route pattern that matches the route string: inbound B2B calls are delivered to the right cluster by the Directory Expressway rather than being re-routed between clusters over the WAN.

Geo-DNS and alternative approach comparison chart

                                         Geo-DNS                     Alternative approach (Directory Expressway)
Intra-site redundancy (clustering)       Yes                         Yes
Inter-site redundancy                    Depends on Geo DNS (1)      No
WAN bandwidth optimization for B2B       No                          Yes
Higher video quality                     Yes (most use of the WAN)   No

(1) Check whether the Geo DNS service can be applied to SRV records.

Summary

• B2B architectures for a single edge with Expressway-C and dual-network Expressway-E
• Cloud integration
• How to protect the dial plan
• How to minimize the ports opened on the external firewall

Call to Action

• Visit the World of Solutions for Cisco Campus, Walk-in Labs, Technical Solution Clinics, Meet the Engineer, Lunch and Learn topics, and DevNet zone related sessions.
