CUCM & EXP Integration¶
Expressway Concept¶
In the realm of networking, "Expressway" typically refers to a type of solution provided by Cisco, known as Cisco Expressway. Cisco Expressway is a versatile, secure collaboration gateway that allows users outside the corporate firewall to access various collaboration services. It's commonly used in conjunction with Cisco Unified Communications Manager (CUCM) and Cisco Unified Communications Manager IM and Presence Service (CUCM IM&P), enabling secure remote access to services such as voice, video, content sharing, and instant messaging.
Here are some key concepts related to Cisco Expressway:
- Traversal Zones: These are secure communication links between Expressway-C (located within the corporate network) and Expressway-E (located in the DMZ or external network). Traversal zones facilitate communication between internal and external endpoints while maintaining security.
Example: Imagine you have a remote worker using a Cisco Jabber client on their laptop. The laptop connects to Expressway-E outside the corporate network, which then communicates securely with Expressway-C inside the network, allowing the user to make VoIP calls or access other collaboration services.
- Mobile and Remote Access (MRA): This feature of Cisco Expressway allows external users, such as telecommuters or mobile workers, to securely connect to the corporate network and utilize collaboration services as if they were within the office environment.
Example: An employee working from home can use their Cisco Jabber client to make a voice call to a colleague's office phone. The call is securely transmitted through Cisco Expressway, providing a seamless experience regardless of the user's location.
- Secure Communication: Expressway uses various encryption and authentication methods to ensure the security of communications between internal and external endpoints. This includes TLS (Transport Layer Security) for encryption and certificate-based authentication.
Example: When a user logs into their Cisco Jabber client from a remote location, Expressway verifies their credentials using certificates or other authentication mechanisms before granting access to collaboration services.
- Integration with Third-Party Applications: Besides Cisco collaboration tools, Expressway can also integrate with third-party applications and devices, enabling interoperability and extending the reach of collaboration services.
Example: Expressway can facilitate communication between a Cisco video conferencing system and a third-party SIP-based video conferencing endpoint, allowing users on different platforms to join the same virtual meeting.
Overall, Cisco Expressway plays a crucial role in enabling secure, remote collaboration for organizations, ensuring that users can access essential communication services from anywhere without compromising security.
Smart License¶
- Smart Licensing was introduced in version X12.6. The PAK license has continued until version 14.2.
- Expressway supports PAK based licensing (regular option keys) and Smart Licensing. Only one mode at any given time.
- After version 14.2, only Smart Licensing is supported.
Expressway Server Capacity¶
MRA Media Path Flows¶
- Outside to Outside
- Outside to Inside
Firewall Configuration¶
- Between
OUTSIDEandEXPe
- Between
EXPeandEXPc
Expressway Integration and MRA Configuration¶
hqexpc.cciecollab.com (HOST-A) - 192.168.80.121/24
hqexpe.cciecollab.com (HOST-A) - 192.168.80.122/24
-
Step 1 - Deploy .ova template. Ova template helps you to configure basic network parameters like :
Ip address Network Mask Gateway DnS server NTP Server Hostname
-
Step 2 - Deploy .ova template again for expressway-e with same procedure.
- Step 3 - Create
Host-Arecord for expc and expe
- Step 4 - After power on the virtual machine configure roo and admin password from colsole for expc and expe
- Step 5 - Login on
GUIsecure connection with admin user and password.
- Step 6 - Choose
typeandServicefor node. ChoseExressway-Cfor expc andexpressway-Efor expe as a type,Mobile and Remote Access including Meeting Server Web Proxyfor both device.
- Step 7 - Check configuration for any mistake. This area is configured at while .ova template deployment.
- Step 8 - finish intial configuration and restart servers.
- Step 9 - Enable mobile and remote access under
Unified Communicationsboth expc and expe
- Step 10 - Define Domain under
Domain(PS:This must be before CSR request)
- Step 11 - Configure
System Nameon expc and expe
- Step 12 - Generate CSR fron expc and expe
Mainteance -> Security -> Server Certificate
- Step 13 - Sign CSR on CA with configured certificate template (web and client authentication). Download certificate with Base 64 encoded.
- Step 14 - Download ca root certificate and upload to server for trusted CA certificate. Mainteance -> Security -> Trusted CA certificate.
PS: After version 14.0.2 you should also upload Tomcat ECDSA cerviticate as on a trust store of expc (only expc) or disable check mechanism on expc (only expc)
xConfiguration EdgeConfigServer VerifyOriginServer: Off
- Step 15 - Upload signed certificate to expc and expe Mainteance -> Security -> Server Certificate
-
Step 16 - Repeat this all procedures for expe
-
Step 17 - Enable
SIPTCP / UDP / TLS on expc and expe
Configuration -> Protocols -> SIP
- Step 18 - Add CUCM to expc Configuration -> Unified Commnications -> Configuration -> Unified CM Servers
- Step 19 - Add IMP to expc Configuration -> Unified Commnications -> Configuration -> IMP
- Step 20 - Create user on Local database on expe Configuration -> Authentication -> Local Database
- Step 21 - Create
zoneon expe for expc Configuration -> Zone -> Zones
- Step 22 - Create
zoneon expc Configuration -> Zone -> Zones
- Step 23 - Check Connection between expc and expe
- Step 24 - Check registered user
B2B Configuration¶
Notice that, there is no SIP Trunk or like that. No need to configuration from CUCM to EXPc direction. MRA is one way operation thar is from EXPe to EXPc and EXPc to CUCM .
But , In B2B there are two directions process.
In this design, the Expressway-C is already configured for mobile and remote access. Port 5060 is used for line-side registrations of endpoints in mobile and remote access scenario. A SIP trunk cannot be formed between Expressway-C and CUCM by using port 5060 because the CUCM cannot accept lineside and trunk-side communication from the same device using the same port.
Thus the SIP trunk from Expressway-C to CUCM has to use another SIP port on the CUCM incoming side.
This design uses 5560 as the SIP trunk incoming port. You can change the SIP incoming port by creating a
new SIP trunk security profile and assigning this profile to the SIP trunk created between CUCM and
Expressway-C.
- Step 1 - Navigate to System > Security > SIP Trunk Security Profile and click Add New for B2B call.
- Step 2 - Create
SIP Trunkfor expressway-C withSip Trunk Security Profilethat we create previous step.
- Step 3 - Configure SIP route pattern on CUCM for B2B
- Step 4 - Configure neighbor zone on Expressway-C for CUCM
- Step 5 - Configure traversal client zone on Expressway-C and Traversal server zone on Expressway-E
- Step 6 - Configure search rules on Expressway-C
- Step 7 - Configure transform on Expressway-C
PS : [] means not, [^@] not begin @ sign, [^@]* means any character but not begin @ sign
- Step 8 - Configure DNS Zone on Expressway-E
- Step 9 - Configure searchrule on Expressway-E
- Step 10 - Configure transform on Expressway-E
Regular Expression¶
Basic Expression¶
A regular expression, shortened as regex or also referred to as rational expression, is a sequence of symbols and characters expressing a string or pattern to be searched for within a longer piece of text. There are many software application and programming languages that support regular expressions (such as Python, Java, Oracle, etc.) and as usual in the software world, different regular expression engines are not fully compatible with each other. The Cisco Expressway uses POSIX format for regular expression syntax.
| Character | Meaning |
|---|---|
| . | Any single character (alpha or numeric or special character) |
| \d | Digit 0-9 (*Note the before the d – we will talk about why shortly!) |
| [abc123] | Match a single character in the list |
| [0-9] or [a-z] | Match a single character in the range (Also: [0-9a-z] same as . but excludes special characters) |
| [^abc] | Excluding (any character that is not in the list) |
| ( ) | Grouping, can be recalled with \n |
| \ | Changes the meaning of the next character (character to variable, or variable to character) |
Example¶
| Character | Meaning |
|---|---|
| .... | A four-character string (alphanumeric) |
| 7\d\d\d | A four-digit string that starts with a 7 |
| [0-9#*] | “Anything on a telephone keypad” |
| (@bob.com) | Captures the domain, recall with \1 |
| (sales@)(billy.)(bob.com) | Captures a URI as three groups. To get rid of the “billy.” subdomain, recall the string with \1\3 |
Repetition Exressions¶
| Character | Meaning |
|---|---|
| * | Matches 0 or more repetitions of the previous character or expression (Wide Open!) |
| + | Matches 1 or more repetitions of the previous character or expression (MUST exist) |
| ? | Matches 0 or 1 repetitions of the previous character or expression (MAY exist) |
| {n} | Matches n repetitions of the previous character or expression |
| {n,m} | Matches between n and m repetitions of the previous character or expression |
Example¶
| Character | Meaning |
|---|---|
| .* | A string of at least one character, but any length |
| \++.* | Must start with a +, but any length (would also match ++) |
| 7\d{3} | A four-digit string that starts with a 7 (also: 7\d\d\d) |
| \d{4,6}@10.1.5.15 | Any 4- 5- or 6-digit number at that IP address |
| 1?\d{10} | A 10-digit number (NANP) with or without the 1 |
| (703)?\d{7} | A 10-digit number in the 703 area code, or any 7-digit number |
Additional Expressions¶
| Character | Meaning |
|---|---|
| (x|y) | Match either string “x” or string “y” [ex: (com |
| ^ | Start of expression (first character) – EXCEPT if inside square brackets, then is “not” |
| $ | End of expression (last character) |
| \s | Single whitespace character |
| %localdomains% | Match all SIP domains currently configured in Expressway |
| %ipv4% | Matches all IPv4 addresses on any LAN interface on the Expressway |
Example¶
| Character | Meaning |
|---|---|
| [a-z0-9._-]+@[a-z0-9.-]+.[com | net |
| ^703\d{7}$ | a 10-digit number in the 703 area code but no shorter or longer |
Look Expressions¶
Positive Lookahead: -> X(?=Y) -> Look for me (Y), and then look to see if X exists ahead of me. If so, match
Negative Lookahead: ->X(?!Y) -> Look for me (Y), and then look to see if X exists ahead of me. If so, no match
Positive lookbehind: -> (?<=Y)X -> Look for me (Y), and then look to see if X exists after (behind) me. If so, match
Negative lookbehind: -> (?<!Y)X -> Look for me (Y), and then look to see if X exists after (behind) me. If so, no match
Example¶
| Character | Meaning |
|---|---|
| (?!.@cciecollab.com$). | anything that does not have cciecollab.com in it matches |
| (?!.@%localdomains%.$).* | Match all non-local domains |
Replace String¶
| Match | Replace | Effect |
|---|---|---|
| (\d*) | \1@cciecollab.com | Add domain to number |
| (.*)@.+ | \1 | Remove domain |
| (.+@cciecollab.com) | Leave | Match local domain but dont change anything |
| .@(pod1.)?cciecollab.com. | Leave | Match pod1.cciecollab.com or cciecollab.com |
| (.@)(pod1.)(cciecollab.com). | \1\3 | Replace pod1.cciecollab.com with cciecollab.com, removing any information on the line after the domain |