Cisco Spark Hybrid Call Services Architecture and Design
Luca Pellegrini Technical Marketing Engineer
BRKCOL-2202
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How: cs.co/ciscolivebot#BRKCOL-2202
Agenda
• Introduction
• Call Service Aware and Connect
• CSC Global Reachability
• CSC Call Anchoring
• Certificates
• DNS Service Discovery
• Dial Plan
• Identity Theft and Toll Fraud Prevention
• Shared Expressway for Hybrid and B2B
• Deployment Models
• Multiple Clusters
• SME Architecture
• HCS Deployment
Cisco Spark Services Suite
A complete business collaboration service from the Cisco cloud that enables customers to message, meet, or call anyone, anywhere, and anytime.
Cisco Spark Services* (managed from Cisco Spark Control Hub): Cisco Spark Meetings, Cisco Spark Messaging, Cisco Spark Care, Cisco Spark Rooms, Cisco Spark Board, Cisco Spark Hybrid Calling
*Cisco Spark is hosted and operated by Cisco, and sold by partners
Integrating Premises and Cloud
Figure: Cisco Spark cloud (labels: Platform, Edge, Windows; WebEx and Messenger also shown) integrating with premises components. Hybrid services shown: Directory (Microsoft AD), Calendar (Exchange / Office 365), Media (Hybrid Media), KMS (Hybrid Data Security), Call (Cisco UCM*); further services are marked as future.
*Includes Business Edition or HCS
Hybrid Service Architecture
Figure (built up over several slides): Internet | DMZ FW | Expressway-E | Internal FW | Expressway-C | Cisco Unified CM, with Active Directory and Microsoft Exchange on premises and an HTTP Proxy on the path to the cloud. The Expressway-C Connector Host runs the Management Connector, Calendar Connector and Call Connector; the Directory Connector runs alongside Active Directory; the Call Connector talks to Unified CM over AXL and CTI-QBE.
• Hybrid signaling for Directory, Calendar and Call runs over HTTPS
• Firewall traversal architecture with Expressways for hybrid call signaling and media
Call Service Architecture
• Hybrid signaling (AXL, CTI-QBE over HTTPS) between the Expressway-C Connector Host and the cloud
• SIP signaling and SRTP media through Expressway-C and Expressway-E
Call Service Aware & Call Service Connect
Call Service Aware
Enables Cisco Spark users to share their screen using Spark. Complements, and is aware of, Cisco UC calls and allows for desktop sharing.
Call Service Connect
Depends on Call Service Aware. Allows Cisco Spark users to call Cisco UC registered devices, as well as be called by Cisco UC users. Together with Call Service Aware, enables users to manage a unified Spark and UC call history from the Cisco Spark calls tab.
Call Service Aware/Connect Addressing
Figure: user Aaron Goodman ([email protected]) is represented in Cisco Unified CM by a Spark RD (Remote Destination) that shares the line +14085551234 with his desk phone; the Spark RD is provisioned through the Expressway-C Connector Host, and the same number +14085551234 appears in Cisco Spark Control Hub and in the Cisco UCM interface.
Spark RD Provisioning Through Expressway-C Connector Host
Spark RD provisioned automatically using a single Device Pool, Location, Calling Search Space and Rerouting CSS
• Each UCM cluster needs to be provisioned on the Call Connector
• UCM needs an application user with:
• Standard AXL API Access
• Standard CTI Allow Control of All Devices
• Standard CTI Enabled
• Standard CTI Allow Control of Phones supporting Connected Xfer and conf
• Standard CTI Allow Control of Phones supporting Rollover Mode
• Every end user must have a directory URI
• CFQDN has to be set to a unique value
• Manual or automatic provisioning of Spark RD
• Remote Destinations are always provisioned through the Connector
UCM to UCM call
Figure: Alice dials Bob as [email protected] or +14085551234. The call is handled by Cisco Unified CM (1) and, through the Spark RD, forked via Expressway-C (with Connectors) and Expressway-E towards the Internet (2, 3).
UCM releases where Spark RD is supported
12.0(1)         12.0.1.10000-10
11.5(1) SU3     11.5.1.13900-52
11.0(1a) SU3    11.0.1.23900-5
10.5(2) SU5     10.5.2.15900-8
Spark to Spark Call
Figure: Alice calls Bob (Calling [email protected], Called [email protected]) from Spark (1); the call also reaches Cisco Unified CM through Expressway-E and Expressway-C (2) and is forked to the Spark RD (+14085551235) and the desk phone (3, 4); the UCM leg is cancelled once the call is answered in Spark.
Call Anchoring and Calling ID Preservation - Single UCM cluster
Figure (built up over several slides): Alice's CSS allows internal and local calls. Alice calls Bob from Spark (1) with Calling [email protected] and Called [email protected]; the call is anchored on UCM via Alice's Spark RD and delivered to Bob (2), whose phone shows "Call from: Alice +14085551235".
Call Anchoring and CSS Preservation - Call Anchoring based on calling ID == RD
Figure: Alice's CSS allows internal and local calls; Bob's CSS allows all calls. A Spark call from Alice to Bob (Calling [email protected], Called [email protected]) (1) is anchored on Alice's Spark RD, so Alice's CSS applies. A call to the PSTN number +390212345678 with calling ID [email protected] (2) is anchored on the Spark RD whose calling ID matches the caller, so that user's CSS decides whether the PSTN call is allowed.
PSTN Call Flow
Figure: Alice calls +390212345678 from Spark with calling ID [email protected] (1); the call reaches Cisco Unified CM through Expressway-E and Expressway-C (2, 3), is anchored on Alice's Spark RD whose line CSS allows international calls (4), and is sent to the PSTN audio or video gateway (5).
Called ID / Calling ID per leg: +390212345678 / [email protected] from the cloud (.ciscospark.com) to UCM; +390212345678 / +14085551234 from UCM to the PSTN gateway.
B2B Call Flow
Dial: [email protected]
Figure: Alice's Spark call to a B2B destination (1) reaches Cisco Unified CM through Expressway-E and Expressway-C (2, 3), is anchored on the Spark RD (4) and is sent back out through Expressway-C and Expressway-E to the remote domain (5, 6).
Called ID / Calling ID are preserved as [email protected] / [email protected] on every leg, from the cloud (.ciscospark.com) to UCM and from UCM to the B2B peer.
Identity Verification
• Expressway-E and the Cloud need to trust each other
• Public certificates are the preferred way to trust the remote peer's identity
• Public CAs release certificates only after identity verification succeeds
• The CN and SAN in the certificate are used to check the identity of the remote peer
• A certificate released for Cisco can't be released to another organization, because the requester must prove that it owns the domain
TLS Handshake with Mutual Authentication
• Expressway-E checks the Cloud certificate for both inbound and outbound calls
• callservice.ciscospark.com must be included in the certificate presented by the Cloud
Figure: handshake between Expressway-E and the Cloud: Client hello; Server hello followed by certificate; Certificate Request (so the client side presents its own certificate as well).
Cloud Certificate used in Spark Hybrid Scenarios
Common name: l2sip-cfa-01.ciscospark.com
SANs: l2sip-cfa-01.ciscospark.com, l2sip-cfa-01.wbx2.com, l2sip-cfa-01-web.wbx2.com, l2sip-cfa-web.wbx2.com, callservice.ciscospark.com
Organization: Cisco Systems, Inc.
Location: San Jose, CA, US
Valid from November 16, 2016 to November 16, 2018
Serial Number: 08bd6c90982db954a25830361d7dcb4b441b719b
Signature Algorithm: sha256WithRSAEncryption
Issuer: HydrantID SSL ICA G2
Authenticating the Cloud: Inbound Calls Example
Figure: the Cloud sends a Client hello to Expressway-E (1); the certificates are exchanged, the Expressway-E certificate for expe.example.com and the Cloud certificate (public key, name callservice.ciscospark.com) (2); the DNS Zone (trunk to Cloud) on Expressway-E checks that the peer certificate carries callservice.ciscospark.com (3).
Certificates and certification authorities
• Recommended option: the Cloud trusts certificates signed by specific certification authorities by default
• https://help.webex.com/docs/DOC-4302
• The Cloud can be configured to trust (through manual upload):
• a certificate signed by a private certification authority
• a self-signed certificate
• a certificate signed by a public CA that is not in the trusted list of the Cloud
• The Cloud will trust any of the above only if:
• the CN or SAN includes the Expressway-E DNS name
• the CRL (if present) is publicly reachable from the Internet
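The name check that both ends of the mutually authenticated handshake perform, as an added example (not Expressway or Cisco code): Expressway-E requires callservice.ciscospark.com in the Cloud certificate, the Cloud requires the Expressway-E DNS name. Certificates are dictionaries in the shape ssl.getpeercert() returns; the Cloud values are those from the slide, the expe.example.com certificates are constructed, and the check follows RFC 6125 (SAN first, CN only without a dNSName SAN), which is stricter than the slide's "CN or SAN" wording.

```python
"""Peer-identity check on both sides of the Expressway-E <-> Cloud mutual TLS
handshake: the expected DNS name must appear in the certificate's SAN list
(or in the CN when the certificate carries no dNSName SAN at all).

Added illustration, not Expressway or Cisco code.  Certificates are plain
dictionaries in the shape ssl.getpeercert() returns; the Cloud certificate
values are those shown on the slide, the Expressway-E certificates for
expe.example.com are constructed examples."""


def san_dns_names(cert):
    """dNSName entries of the subjectAltName extension, if any."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert):
    """The subject commonName, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def name_matches(cert_name, expected):
    """Compare one certificate name with a DNS name (RFC 6125 style): a
    wildcard is honoured only as the whole leftmost label and matches
    exactly one label, so *.wbx2.com does not cover a.b.wbx2.com."""
    cert_name = cert_name.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == expected
    labels = expected.split(".")
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == cert_name[2:]


def asserted_names(cert):
    """Names a certificate asserts.  SAN dNSName entries take precedence; the
    CN is consulted only when there is no dNSName SAN (stricter than the
    slide's 'CN or SAN' wording, and what RFC 6125 clients do)."""
    sans = san_dns_names(cert)
    if sans:
        return sans
    cn = common_name(cert)
    return [cn] if cn else []


def cert_matches(cert, expected):
    return any(name_matches(n, expected) for n in asserted_names(cert))


def expressway_accepts_cloud(cloud_cert):
    """Expressway-E side: the Cloud must present callservice.ciscospark.com."""
    return cert_matches(cloud_cert, "callservice.ciscospark.com")


def cloud_accepts_expressway(expe_cert, expe_dns_name):
    """Cloud side: the certificate must carry the Expressway-E DNS name."""
    return cert_matches(expe_cert, expe_dns_name)


# Cloud certificate from the slide (CN and SANs copied from the page).
CLOUD_CERT = {
    "subject": ((("commonName", "l2sip-cfa-01.ciscospark.com"),),),
    "subjectAltName": (
        ("DNS", "l2sip-cfa-01.ciscospark.com"),
        ("DNS", "l2sip-cfa-01.wbx2.com"),
        ("DNS", "l2sip-cfa-01-web.wbx2.com"),
        ("DNS", "l2sip-cfa-web.wbx2.com"),
        ("DNS", "callservice.ciscospark.com"),
    ),
}
# Constructed Expressway-E certificate with a CN only (no SAN extension).
EXPE_CERT_CN_ONLY = {"subject": ((("commonName", "expe.example.com"),),)}
# Constructed certificate whose SAN lacks the Expressway-E name; the CN is
# ignored because a dNSName SAN is present, so the Cloud would reject it.
EXPE_CERT_WRONG_SAN = {
    "subject": ((("commonName", "expe.example.com"),),),
    "subjectAltName": (("DNS", "expc.example.com"),),
}

if __name__ == "__main__":
    print("Expressway-E trusts Cloud cert:", expressway_accepts_cloud(CLOUD_CERT))
    print("Cloud trusts CN-only Expressway-E cert:",
          cloud_accepts_expressway(EXPE_CERT_CN_ONLY, "expe.example.com"))
    print("Cloud trusts cert with wrong SAN:",
          cloud_accepts_expressway(EXPE_CERT_WRONG_SAN, "expe.example.com"))
```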
TLS vs dedicated MTLS port on Expressway
• Any incoming TCP connection on port 5061 uses TLS. Used for B2B communications.
• Any incoming TCP connection on port 5062 triggers the TLS handshake with mutual authentication. Used for Spark Hybrid communications.
Standard SRV Records for SIP - SRV record format for SIP
• TLS and MTLS are part of the same specification (RFC 5246)
• There is no separate SRV record type for MTLS; a dedicated name and port are used instead
_sips._tcp.example.com        5061   TLS                              Used for B2B – TLS only
_sips._tcp.mtls.example.com   5062   TLS with Mutual Authentication   Used in Spark Hybrid Services and MTLS
_sip._tcp.example.com         5060   TCP
_sip._udp.domain              5060   UDP
Enterprise Service Discovery for Spark Hybrid
Figure: Alice calls Bob; the Cloud resolves the enterprise SRV records over the Internet and sends the call to Exp-E, then Exp-C and CUCM on the corporate network (steps 1 to 7). CFQDN: cucm.example.com
DNS SRV                       Use            A-record           IP Address/port
_sips._tcp.example.com        B2B with TLS   expe.example.com   <public IP>:5061
_sips._tcp.mtls.example.com   MTLS           expe.example.com   <public IP>:5062
Verified Domains
• SIP domains must be verified to prevent someone else from using that domain, mitigating impersonation and identity theft
• SIP domains must be publicly routable (no internal.local as Directory URI domain)
Verification token
1. Get the token
2. Create the TXT record
3. Test the TXT record
Cisco recommends using the prefix cisco-ci-domain-verification= followed by the token, i.e.
cisco-ci-domain-verification=123456789abcdef123456789abcdef123456789abcdef123456789abcdef
Inbound Calls: Authenticated vs Unauthenticated Traffic - TLS with Mutual Authentication and Certificates on Expressway with DNS Zone
Figure: expe.example.com receives inbound calls from the Internet into two zones:
• Default zone: inbound trunk from any unknown destination; non-authenticated traffic; certificate is NOT requested
• Spark DNS Zone: trunk to Spark Hybrid; authenticated traffic; certificate requested, CN/SAN=callservice.ciscospark.com
• Dedicated box for Hybrid Services: block calls from the Default Zone
• Shared box: apply rules to non-authenticated traffic to filter calls
Route Header and Request URI
• The Cloud populates forked calls with the CFQDN
• The Route header takes precedence over the Request URI
• CFQDN: enterprise parameter used in SIP routing decisions
• The CFQDN must be different from the Expressway system name, domain or DNS name
• It can't contain wildcards
• If wildcards are needed, you can add two entries, the first of which won't contain wildcards:
CFQDN: us-cm-pub.example.com *.example.com
Home Cluster Routing: Route Headers and Request URIs - Cluster Fully Qualified Domain Name
Figure: Alice's Cisco Spark client calls Bob (1). The Call Connector on the Expressway-C Connector Host knows each user's home cluster, so the Cloud sends (2) an INVITE with Request URI sip:[email protected] and Route header sip:us-cucm-pub.example.com; Expressway-E and Expressway-C route on the Route header (3) to the US cluster, us-cucm-pub.example.com (4), rather than to the EMEA cluster, emea-cucm-pub.example.com.
Directory URI       Destination in Route Header
[email protected]   emea-cucm-pub.example.com
[email protected]   us-cucm-pub.example.com
Spark Dial Plan with multiple UCM clusters
Expressway-C search rules:
Priority   Rule Name            Protocol   Source   Mode     Pattern                              Target
50         Spark inbound US     Any        Any      Prefix   us-cm-pub.example.com                UCM_US
50         Spark inbound EMEA   Any        Any      Prefix   emea-cm-pub.example.com              UCM_EMEA
60         Spark outbound       Any        Any      Regex    .*@example\.call\.ciscospark\.com    Spark Traversal Server
Expressway-E search rules:
Priority   Rule Name            Protocol   Source                   Mode        Target
50         Spark inbound        Any        Spark DNS Zone           Any alias   Spark Traversal Server
60         Spark outbound       Any        Spark Traversal Server   Any alias   Spark DNS Zone
Figure: from Spark to UCM, the call enters Expressway-E in the Spark DNS Zone, crosses the Spark Traversal Zone to Expressway-C and is routed by prefix to CUCM_US or CUCM_EMEA; from UCM to Spark, the regex rule sends the call back through the traversal zone to the Spark DNS Zone.
Simulating a Spark Hybrid identity through a B2B connection
• 1. A hacker simulates Bob's Spark SIP address as the calling identity and dials Alice, or the PSTN
• Because he can't use the cloud certificate, the call enters the Default Zone
Figure: the hacker, simulating Alice with calling ID [email protected], dials [email protected] over the Internet (1); the call reaches Expressway-E (Default Zone), Expressway-C and Cisco Unified CM, where Alice's Spark-RD exists (2); Bob's phone shows "Call from Alice" (3).
PSTN Call Allowed Based on Alice's CSS
Figure: the hacker, simulating Alice with calling ID [email protected], dials 9393357454076 over the Internet (1); the call reaches Cisco Unified CM through Expressway-E and Expressway-C (2) and, once anchored on Alice's Spark-RD (Alice Office, +1(408)5551234), is routed to the PSTN according to Alice's CSS (3).
Expressway – Mitigating Toll Fraud
• Zone authentication policy classifies traffic as authenticated (P-Asserted-Identity trusted in the Spark DNS Zone) or unauthenticated (PAI removed from calls hitting the Default Zone)
• Call policy rules are applied to the source zone or to unauthenticated traffic
Figure: B2B calls arrive in the Default Zone; the Spark DNS Zone and the Traversal Server Zone are marked as Authenticated.
Checking the calling alias
• Any call with a calling ID containing example.call.ciscospark.com that did not arrive over the mutually authenticated trunk will enter the Default Zone, where this call policy rule rejects it:
Rule Applies To   Source Pattern (From Address)            Destination Pattern   Action
Unauthenticated   (.*)@example\.call\.ciscospark\.com.*    .*                    Reject
2nd Line of Defense: Trusted Identity on UCM
• Traversal client, traversal server and UCM neighbor zones preserve the PAI if the authentication policy is set to "check credentials" or "treat as authenticated"
• Trunk on UCM 12 set to "Trust PAI Only": UCM trusts the identity and anchors the call only if it has a PAI
• For calls with a PAI, the CSS of the line is used to route the call
• For calls without a PAI, the CSS of the trunk is used to route the call
Figure: SIP messages from the Spark DNS Zone carry the PAI from Expressway-E through Expressway-C to CUCM; SIP messages from B2B reach Expressway-E without a trusted PAI and are forwarded without one.
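The two lines of defence from the toll-fraud slides above, modelled end to end as an added example (not Expressway or UCM code): zone classification by port and peer certificate, the zone authentication policy that strips the PAI from Default Zone traffic, the call policy rule rejecting unauthenticated calls that claim a Spark alias, and the UCM trunk set to "Trust PAI Only". Calls are constructed dictionaries; example.call.ciscospark.com, the regex and the ports come from the slides, while the CSS names and user addresses are assumed.

```python
"""The two lines of defence from the preceding slides, as a small model:
Expressway zone authentication policy (P-Asserted-Identity trusted in the
Spark DNS Zone, stripped for the Default Zone), the call policy rule that
rejects unauthenticated calls claiming a Spark calling alias, and on UCM a
trunk set to "Trust PAI Only" that anchors to the line CSS only when a PAI
survived.

Added illustration, not Expressway or UCM code.  Calls are constructed
dictionaries; example.call.ciscospark.com, the rule regex and port numbers
come from the slides, the CSS names and user addresses are assumed."""
import re

CLOUD_SAN = "callservice.ciscospark.com"
# Source pattern of the call policy rule on the "Checking the calling alias" slide.
SPARK_ALIAS_RE = re.compile(r"(.*)@example\.call\.ciscospark\.com.*")


def classify_zone(port, peer_cert_sans):
    """Port 5062 runs the mutually authenticated handshake; the call lands in
    the Spark DNS Zone only if the peer proved the Cloud identity.  Everything
    else (5061 B2B, or no usable client certificate) is the Default Zone."""
    if port == 5062 and CLOUD_SAN in peer_cert_sans:
        return "Spark DNS Zone"
    return "Default Zone"


def apply_zone_auth_policy(call, zone):
    """'Treat as authenticated' on the Spark DNS Zone keeps the PAI; traffic in
    the Default Zone is unauthenticated and its PAI is removed."""
    call = dict(call)
    call["zone"] = zone
    call["authenticated"] = zone == "Spark DNS Zone"
    if not call["authenticated"]:
        call.pop("pai", None)
    return call


def call_policy(call):
    """Rule: applies to Unauthenticated, source (.*)@example\\.call\\.ciscospark\\.com.*,
    destination .*, action Reject.  Everything else continues."""
    if not call["authenticated"] and SPARK_ALIAS_RE.fullmatch(call["from"]):
        return "Reject"
    return "Continue"


def ucm_trunk_trust_pai_only(call, line_css, trunk_css):
    """UCM 12 trunk set to 'Trust PAI Only': anchor on the user's Spark RD and
    route with the line CSS only if a PAI is present, else use the trunk CSS."""
    if call.get("pai"):
        return {"anchored": True, "css": line_css}
    return {"anchored": False, "css": trunk_css}


def process_inbound(call, port, peer_cert_sans,
                    line_css="Alice_Internal_Local", trunk_css="Trunk_Internal_Only"):
    """Whole path of one inbound call: zone -> auth policy -> call policy -> UCM trunk."""
    zone = classify_zone(port, peer_cert_sans)
    call = apply_zone_auth_policy(call, zone)
    if call_policy(call) == "Reject":
        return {"zone": zone, "result": "rejected at Expressway-E"}
    return {"zone": zone, "result": "forwarded",
            **ucm_trunk_trust_pai_only(call, line_css, trunk_css)}


# Constructed calls.  The first is a genuine forked call from the Cloud; the
# second is the slide's scenario of a B2B call carrying Alice's Spark alias
# towards a PSTN number; the third is an ordinary B2B call.
GENUINE_SPARK_CALL = {"from": "alice@example.call.ciscospark.com", "to": "bob@example.com",
                      "pai": "alice@example.call.ciscospark.com"}
SPOOFED_B2B_CALL = {"from": "alice@example.call.ciscospark.com", "to": "+390212345678",
                    "pai": "alice@example.call.ciscospark.com"}
ORDINARY_B2B_CALL = {"from": "carol@partner.example.net", "to": "bob@example.com"}

if __name__ == "__main__":
    print(process_inbound(GENUINE_SPARK_CALL, 5062, [CLOUD_SAN]))
    print(process_inbound(SPOOFED_B2B_CALL, 5061, []))
    print(process_inbound(ORDINARY_B2B_CALL, 5061, []))
```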
Expressway Cluster Capacity
• Expressway-C and Expressway-E used for media can be clustered following the Expressway clustering guidelines
• Up to 6 servers in the same cluster in a 2:1 redundancy model
• All servers active
• Cluster capacity: 4 times the capacity of a single box, due to the 2:1 redundancy model
• Expressway-C Connector Host
• 1:1 redundancy for Calendar and Call Connect
• All servers active
Connectors and Media on a Shared Expressway-C
Figure (repeated over several slides): the Hybrid Service Architecture as before, with the Management, Call and Calendar Connectors hosted on the same Expressway-C that carries SIP signaling and media between Expressway-E and Cisco Unified CM; the Directory Connector runs alongside Active Directory, Microsoft Exchange stays on premises.
• Connector Host services and SIP signaling and media for Hybrid Services only
• Scalability for MRA and B2B together with Connector is not tested
Capacity for Expressway-C Connector Host
• Expressway-C dedicated to Connector Hosting:
• 5000 users with medium OVA per server
• 15000 users with medium OVA per 6-peer cluster
• Testing in progress!
• Expressway-C shared together with SIP signaling and media for Hybrid Services (no MRA, B2B):
• 500 users with small OVA
• 2000 users with medium OVA and a 2-server cluster
• Testing in progress!
BE6000H Example Configuration for 500 Users with Shared Connector Host
Figure: two servers, BE6000H Primary and BE6000H Secondary, hosting Unity Connection, Expy-C (small OVA, shared Connector Host), Unified CM (1000 users OVA), Expy-E (small OVA), Prime and the Directory Connector(1).
(1) Directory Connector can be deployed with HA
BE7000 Example Configuration for 2,000 users and Shared Connector Host
Figure: three servers, BE7000H Primary, Secondary and Tertiary, hosting a UCM cluster (2500 users OVA: pub, sub1, sub2, tftp1, tftp2), Unity Connection, Prime, CER, Exp-C (medium OVA), Exp-E (medium OVA) and the Directory Connector.
Architecture for 10,000 Users
Figure: Cisco Unified CM cluster (7500 users OVA: Publisher, Call Control, TFTP), Expressway-C large OVA clusters, Expressway-E large OVA clusters, an Expressway-C Connector Host (medium OVA) and the Directory Connector.
Dual Clusters Outbound Calls
Figure: two sites, each with CUCM, Expressway-C, Expressway-E and an Expressway-C Connector Host; signaling and media of outbound calls leave through the Expressway-C and Expressway-E of the cluster that owns the call.
Inbound Calls with Two Datacenters
• A call can be sent to either of the two datacenters; this is achieved through DNS SRV records with equal weight and priority for all Expressway-E servers in both datacenters
• The Route header contains the information of the calling user's home cluster
• Every Expressway-E is configured to send the call to the associated Expressway-C or to the remote Expressway-E, based on the Route header
Inbound Calls: Called and Calling on Same Cluster - DNS Configuration
Figure: US Site (us-expe.example.com, CUCM US) and EMEA Site (emea-expe.example.com, CUCM EMEA). With the record below, calls are sent to the EMEA cluster.
DNS SRV                       Target                  Priority   Weight
_sips._tcp.mtls.example.com   emea-expe.example.com   10         10
Inbound Calls: Called and Calling on Same Cluster - Signaling
Directory URI       Destination in Route Header
[email protected]   us-cm-pub.example.com
[email protected]   us-cm-pub.example.com
1. Alice calls Bob
2. INVITE to the EMEA Expressway (emea-expe.example.com):
Route Header: us-cm-pub.example.com
INVITE sip:[email protected]
From: [email protected]
2. Route to US Expressway (us-expe.example.com)
3. Route to home cluster
4. Route to destination
Expressway-E EMEA rules:
Rule                      Target
emea-cm-pub.example.com   Expressway-C EMEA
us-cm-pub.example.com     Expressway-E US
Expressway-E US rules:
Rule                      Target
us-cm-pub.example.com     Expressway-C US
emea-cm-pub.example.com   Expressway-E EMEA
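The routing decision of the slides above (Route header before Request-URI, per-site Expressway-E forwarding, Expressway-C prefix rules, and the UCM Cluster FQDN parameter with its wildcard second entry) as an added example, not Expressway or UCM code. The INVITE text is constructed; the CFQDNs, site names and rule tables are the ones on the slides.

```python
"""Routing decision for an inbound call forked by the Cloud, following the
rules on the previous slides: the Route header (filled by the Cloud with the
home cluster CFQDN) takes precedence over the Request-URI; each Expressway-E
forwards to its local Expressway-C or to the remote Expressway-E; Expressway-C
matches the CFQDN by prefix; UCM compares the host against its Cluster FQDN
enterprise parameter, which may carry a second, wildcard entry.

Added illustration, not Expressway or UCM code.  The INVITE text is
constructed; the CFQDNs, site names and rule tables are those on the slides."""
from fnmatch import fnmatchcase

# Expressway-E rule tables from the two-datacenter slides, one per landing site.
EXPE_RULES = {
    "us-expe.example.com": [("us-cm-pub.example.com", "Expressway-C US"),
                            ("emea-cm-pub.example.com", "Expressway-E EMEA")],
    "emea-expe.example.com": [("emea-cm-pub.example.com", "Expressway-C EMEA"),
                              ("us-cm-pub.example.com", "Expressway-E US")],
}
# Expressway-C prefix search rules from the dial-plan slide.
EXPC_PREFIX_RULES = [("us-cm-pub.example.com", "UCM_US"),
                     ("emea-cm-pub.example.com", "UCM_EMEA")]
# Cluster FQDN enterprise parameter of the US cluster, with the wildcard form
# shown on the Route Header slide as the second entry.
US_CFQDN_PARAM = "us-cm-pub.example.com *.example.com"


def parse_invite(raw):
    """Minimal SIP request parser: request line plus the headers we need."""
    lines = raw.strip().splitlines()
    method, request_uri, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                               # end of headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "request_uri": request_uri, "headers": headers}


def host_of(uri):
    """<sip:user@host:port;params> -> host"""
    uri = uri.strip().strip("<>").split(";", 1)[0]
    if uri.lower().startswith(("sip:", "sips:")):
        uri = uri.split(":", 1)[1]
    host = uri.rsplit("@", 1)[-1]
    return host.split(":", 1)[0].lower()


def routing_key(invite):
    """The Route header wins; only without one does the Request-URI domain decide."""
    route = invite["headers"].get("route")
    if route:
        return host_of(route.split(",", 1)[0])  # first (top-most) Route entry
    return host_of(invite["request_uri"])


def expe_next_hop(landing_expe, key):
    """Where the Expressway-E that received the call sends it next."""
    for pattern, target in EXPE_RULES[landing_expe]:
        if key == pattern:
            return target
    return None


def expc_cluster(key):
    """Expressway-C search rule: longest matching prefix wins."""
    matches = [(len(p), t) for p, t in EXPC_PREFIX_RULES if key.startswith(p)]
    return max(matches)[1] if matches else None


def ucm_cfqdn_matches(host, cfqdn_param):
    """UCM accepts the Route header host if it matches any CFQDN entry; the
    first entry must be plain, later ones may be wildcards."""
    return any(fnmatchcase(host.lower(), e.lower()) for e in cfqdn_param.split())


def route_inbound(raw_invite, landing_expe):
    """Full decision for one INVITE landing on a given Expressway-E."""
    key = routing_key(parse_invite(raw_invite))
    return {"key": key, "expe_next_hop": expe_next_hop(landing_expe, key),
            "cluster": expc_cluster(key)}


# Constructed INVITE mirroring the slide: Alice (homed on the US cluster) calls Bob
# and the Cloud puts the US CFQDN in the Route header.
INVITE_US_HOME = """INVITE sip:bob@example.com SIP/2.0
Route: <sip:us-cm-pub.example.com;lr>
From: <sip:alice@example.call.ciscospark.com>
To: <sip:bob@example.com>
"""

if __name__ == "__main__":
    print(route_inbound(INVITE_US_HOME, "emea-expe.example.com"))
    print(route_inbound(INVITE_US_HOME, "us-expe.example.com"))
```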
Inbound Calls: Called and Calling on Same Cluster - Media
Figure: the same US Site (us-expe.example.com) and EMEA Site (emea-expe.example.com) with the same Expressway-E rule tables as on the signaling slide; the media path of the call between Alice and Bob is shown once the call has been routed to the US home cluster.
Directory URI       Destination in Route Header
[email protected]   us-cm-pub.example.com
[email protected]   us-cm-pub.example.com
Directory Expressway Architecture for N > 3 Sites
Figure: a Directory Expressway-E (Dir Expe) on the Internet receives the call and, based on the Route header, forwards the signaling to the site Expressway-E (Expe1 to Expe4), which hands it to its Expressway-C (Expc1 to Expc4) and UCM (UCM1 to UCM4) on the corporate network; media follows the site path. Example: a call with Route header cm3.example.com is sent to expe3.example.com.
Rule              Target
cm1.example.com   expe1.example.com
cm2.example.com   expe2.example.com
cm3.example.com   expe3.example.com
cm4.example.com   expe4.example.com
Multiple Cluster Deployment Models
Figure: three models:
• Multiple UCM, single Expressways and Connector Host: UCM cluster1, cluster2 and cluster3 behind one Expressway-E/Expressway-C pair and Expressway-C Connector Host
• Regional UCM, Expressways and Connector Hosts: Region 1 and Region 2 each with their own UCM, Expressway-E/Expressway-C pair and Expressway-C Connector Host
• Regional UCM, single Connector Host and multiple Expressways: Region 1 and Region 2 each with their own UCM and Expressway-E/Expressway-C pair, sharing one Expressway-C Connector Host
Rule of Thumb:
Connector Host clusters = Expressway clusters used for SIP Signaling and Media
SME Architecture for N >= 3 Sites
Figure: SME 12.X in the centre with leaf clusters UCM US, UCM EMEA and UCM APJC, each with its own Expressway-C Connector Host; one Expressway-C/Expressway-E pair connects the SME to the Internet. The SME routes on the CFQDN of the UCM clusters through SIP route patterns:
CFQDN of UCM Clusters / SIP Route Patterns   Destination
us-cm-pub.example.com                        UCM_US
emea-cm-pub.example.com                      UCM_EMEA
apjc-cm-pub.example.com                      UCM_APJC
Call Flow: Signaling
Figure: Alice calls Bob.
1. INVITE from Expressway-E:
Route Header: us-cm-pub.example.com
INVITE sip:[email protected]
From: [email protected]
Expressway-C passes the SIP INVITE to the SME, which routes it on the Route header to UCM US; the Expressway-C Connector Hosts of UCM US, UCM EMEA and UCM APJC talk to their clusters over CTI/AXL.
HCS Architecture with Multitenant Expressway-E
Figure: Spark clients and the Cisco Collaboration Cloud (Spark) on the Internet; in the Partner DMZ a shared Expressway-E cluster; in the Partner Data Center an Expressway-C and a Directory Connector per customer VRF (Customer 1 VRF, Customer 2 VRF); Customer 1 and Customer 2 on-premises. SIP calls and connector HTTP traffic (through a proxy) cross the shared Expressway-E.
Mid-Size Customers: Setup for 20,000 HCS Users
Figure: Partner DMZ: shared Expressway-E cluster for 20000 users with 6x large OVA, 50 tenants per Expressway-E cluster. Partner Data Center / Customer Prem: Customer 1 VRF – 1000 users with 2x medium OVA; Customer 2 VRF – 500 users with 2x small OVA on BE6K; Customer 3 VRF – 300 users with 2x small OVA. SIP calls and connector HTTP traffic (through a proxy) from the Cisco Collaboration Cloud (Spark) and Spark clients.
Small-Size Customers: Setup for 5,000 HCS Users
Figure: Partner DMZ: shared Expressway-E cluster sized with 6x medium OVA, 50 tenants per Expressway-E cluster. Customer 1 VRF – 100 users with 1x small OVA on a BE6K; Customer 2 VRF – 200 users with 2x small OVA on BE6K; Customer 3 VRF – 100 users with 1x small OVA. SIP calls and connector HTTP traffic (through a proxy) from the Cisco Collaboration Cloud (Spark) and Spark clients.
Summary
• Call Service Connect Focus
• Security, Authentication and Toll Fraud/Identity Theft Prevention
• Architecture
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
BRKCOL-2202 93
DNS SRV Records Refresher: SRV record format for SIP
_sips._tcp.example.com 86400 IN SRV 10 60 5062 expe.example.com
Field by field:
• Name of the service (_sips)
• Protocol (TCP, UDP...) and domain name (_tcp.example.com)
• DNS Time-To-Live (86400): how much time the server caches the record before it flushes the cache
• DNS Class: always “IN”
• Record type: SRV
• Priority (10): the lowest priority value means “preferred”
• Weight (60): load-balances records with the same priority
• Port (5062): TCP or UDP port for the service
• Target (expe.example.com): hostname or IP address for the host providing the service
BRKCOL-2202 97
Service Discovery
_sips._tcp.example.com. 86400 IN SRV 10 60 5062 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5062 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5062 backupbox.example.com.
(Animation, slides 98–104: the caller dials, queries _sips._tcp.example.com and receives the three records above. The two priority-10 targets share the calls according to their weights: 60% to Bigbox and 40% to Smallbox. Backupbox, at priority 20, is only tried when the priority-10 targets cannot be reached.)
BRKCOL-2202 98–104
Real Scenario
_sips._tcp.example.com. 86400 IN SRV 10 10 5062 expe1.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5062 expe2.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5062 expe3.example.com.
(Diagram: three Expressway-E peers, expe1, expe2 and expe3, with equal priority and weight, each receiving 33% of the calls.)
BRKCOL-2202 105
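The SRV refresher and the Service Discovery slides above explain how priority and weight decide which target a SIP client tries first. The following Python is an added example, not code from the presentation or from Cisco: it parses the slides' own records, orders the targets with the RFC 2782 selection algorithm (priority groups lowest first, weighted random pick within a group, weight-0 records last), and runs a constructed simulation that reproduces the 60/40 split and the three-way 33% split of the Real Scenario records. The class and function names are the example's own.

```python
"""RFC 2782 SRV parsing and target ordering, worked on the slides' records (added example)."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str      # _service._proto.domain, e.g. _sips._tcp.example.com
    ttl: int       # seconds a resolver may cache the record
    priority: int  # lower value is preferred
    weight: int    # relative share among records of equal priority
    port: int      # TCP/UDP port the service listens on
    target: str    # hostname providing the service


def parse_srv_line(line: str) -> SrvRecord:
    """Parse one zone-file style line: name ttl IN SRV priority weight port target."""
    fields = line.split()
    if len(fields) != 8 or fields[2] != "IN" or fields[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    name, ttl, _cls, _typ, prio, weight, port, target = fields
    return SrvRecord(name.rstrip("."), int(ttl), int(prio), int(weight),
                     int(port), target.rstrip("."))


def order_targets(records, rng=random):
    """Return (target, port) pairs in the order a client should try them.

    Records are grouped by priority (lowest first). Within a group each next
    pick is drawn at random with probability proportional to its weight, as
    RFC 2782 specifies; weight-0 records are only picked once every weighted
    record of the group has been consumed. Lower-priority groups follow, so a
    priority-20 backup is reached only after all priority-10 targets fail.
    """
    ordered = []
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    for prio in sorted(by_priority):
        group = list(by_priority[prio])
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                chosen = group[0]          # only weight-0 records left
            else:
                pick = rng.randrange(total)  # 0 .. total-1
                running = 0
                for r in group:
                    running += r.weight
                    if pick < running:
                        chosen = r
                        break
            ordered.append((chosen.target, chosen.port))
            group.remove(chosen)
    return ordered


def first_hop_distribution(records, trials=10000, seed=1):
    """Fraction of calls whose first attempt lands on each target (constructed simulation)."""
    rng = random.Random(seed)
    counts = Counter(order_targets(records, rng)[0][0] for _ in range(trials))
    return {target: n / trials for target, n in counts.items()}


# Records from the Service Discovery slides.
SERVICE_DISCOVERY_ZONE = [
    "_sips._tcp.example.com. 86400 IN SRV 10 60 5062 bigbox.example.com.",
    "_sips._tcp.example.com. 86400 IN SRV 10 40 5062 smallbox.example.com.",
    "_sips._tcp.example.com. 86400 IN SRV 20 0 5062 backupbox.example.com.",
]

# Records from the Real Scenario slide: three Expressway-E peers, equal weight.
REAL_SCENARIO_ZONE = [
    "_sips._tcp.example.com. 86400 IN SRV 10 10 5062 expe1.example.com.",
    "_sips._tcp.example.com. 86400 IN SRV 10 10 5062 expe2.example.com.",
    "_sips._tcp.example.com. 86400 IN SRV 10 10 5062 expe3.example.com.",
]


if __name__ == "__main__":
    recs = [parse_srv_line(line) for line in SERVICE_DISCOVERY_ZONE]
    print("try order for one call:", order_targets(recs, random.Random(7)))
    print("first-hop share:", first_hop_distribution(recs))
    real = [parse_srv_line(line) for line in REAL_SCENARIO_ZONE]
    print("three equal peers:", first_hop_distribution(real))
```

The answer section of a `dig SRV _sips._tcp.example.com` query prints records in exactly the zone-file form that `parse_srv_line` accepts, so the same code can be pointed at a live zone to check that the published priorities and weights produce the call distribution you intend, and that the backup target really sits in a lower-preference group rather than sharing load.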
Enterprise Service Discovery for B2B
(Diagram: a call to [email protected] leaves CUCM on the corporate network, passes through Exp-C and Exp-E, and crosses the Internet to a 3rd-party edge; steps 1–7 trace the DNS lookups and call setup.)
DNS SRV                        Use            A-record           IP Address/port
_sips._tcp.example.com         B2B with TLS   expe.example.com   <public IP>:5061
_sips._tcp.mtls.example.com    MTLS           expe.example.com   <public IP>:5062
BRKCOL-2202 106
Spark Hybrid Cloud Service Discovery
(Diagram: Alice calls Bob; the call leaves CUCM, passes through Exp-C and Exp-E, and reaches the Spark cloud; steps 1–7 trace the DNS lookup and call setup.)
DNS SRV                                    A-record                      IP Address/port
_sips._tcp.callservice.ciscospark.com      l2sip.ciscocloudexample.com   A.B.C.D:5062
BRKCOL-2202 107