#CiscoLive
Building Work-from-Home Architectures with Expressway
Luca Pellegrini, Technical Marketing Engineer – Technical Leader
BRKCOL-2024 © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
• Introduction
• Work-from-home Endpoints and Clients
• Registration and Provisioning
• Architecture
  • Single Expressway Clusters
  • Multiple Expressway Clusters
• Geo DNS vs Service Domain

In-Person to Virtual Meetings

Architectural Assumptions
• Unified CM infrastructure is deployed
• Few Mobile and Remote Access users
• Webex app or Jabber
• Webex devices
• Voice and video hardware endpoints

Work-from-Home Endpoints and Clients

Cisco Collaboration Devices Portfolio: choose how you wish to collaborate
• Product families on the slide, grouped as collaboration room, huddle spaces, collaboration desktop video, soft clients and voice devices:
  • Room 70 G2 Dual and Single, Room 55 Dual, Room 55, Room Panorama, Room Kit and Room Kit Plus, Room Kit Mini, Room USB, Room Phone
  • Webex Board 55S, 70S, and 85; Webex Share; integrator solutions; Codec Pro and SX80 for custom/industry applications; SX10 and SX20 Quick Sets
  • DX80, 8845 and 8865, Desk Pro, Webex Desk*, Headsets 500 Series and 700 Series
  • Webex App, Jabber
  • IP Phone 6800, 7800, and 8800 Series, IP Wireless Phone, IP Conferencing
* Available by the end of CY21

Endpoint Selection
• Co-resident clients
  • Webex app (Unified CM)
  • Cisco Jabber (Unified CM and IM&P on-premises)
• Hardware devices
  • Audio
  • Video
• Selection based on ergonomics and workflow

Selection Criteria
• Ergonomics
  • Hunched Over Laptop Syndrome (HOLS)
  • Computer Vision Syndrome
• Co-residency vs dedicated
  • Laptops and workstations with collaboration software: collaboration application resources are shared with other applications; extensive use of real-time applications
  • Dedicated hardware device
• Tools
  • Full UCM integrations
  • Sharing
  • Whiteboarding
  • Space-based experience

Hardware Endpoints
• Video endpoint design takes ergonomics into account
  • Can usually be positioned at 24 inches of distance; screen and camera don't require head or body "hunching"
• Media resiliency and error recovery in case of poor bandwidth
• Configurable calling rate for the daily job
  • Example: Internet connection of 5 Mbps download and 600 Kbps upload
  • Bandwidth fluctuations are perceived much more on a low-capacity link; in this case downspeed and upspeed might make the experience worse
  • Set the call to 256 or 384 Kbps in transmission and leave 1.5 Mbps in receive

Clients and Endpoint Features
• Shared line with Webex app
• Media path optimization in point-to-point calls
• Legacy PBX features
• Use of corporate PSTN
• Noise reduction for use in a home office/shared space

Registration and Provisioning

Options: 7800 and 8800 Series
• Unified CM registration through:
  • Username/password and discovery domain
  • Activation code

Webex App: Unified CM Registration
• Webex app is able to register to Cisco Unified CM
• Registration happens on-premises or through Mobile and Remote Access
• Standard username/password or SSO, whatever mechanism the IdP uses
• Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKCOL-2385.pdf

Webex App (Unified CM) and Jabber Experience
(Screenshots: Jabber and Webex app; Unified CM multiline; Unified CM settings)

Webex Edge for Devices: Linked Device
• Also referred to as cloud-aware devices (DX80, Webex Desk, Webex Desk Pro)
• Native UCM registration with username/password and discovery domain
• Calls to meetings via Webex
• Webex-managed upgrades
• Webex-managed device-specific configuration

Cloud-Aware Device Provisioning
• Endpoint must be registered to Unified CM
• Endpoint reachability from the admin laptop is not required

Cloud-Aware Devices
(Diagram: UCM registration via MRA toward 192.0.2.10:5061, alongside Webex registration)

Control Hub and Unified CM View

UCM Webex App and Cloud-Aware Devices Benefits
• Webex app and cloud-aware Webex devices are fully UCM-integrated:
  • Dial plan
  • PSTN
  • Hold/Resume, Transfer, Forward
  • Ad-hoc conference
  • DND
  • Extension Mobility (hw devices)
  • Join
  • MWI
  • Single Number Reach
  • Multiline
  • Shared line
  • Upgrades from the cloud (hw devices)
  • Media path optimization
Architecture

Architecture
(Diagram: Webex app (Unified CM), cloud-aware MRA-registered devices and Jabber reach the Internet through Expressway-C and Expressway-E; on-premises registered devices sit behind them)
• Webex app and Webex-registered devices join Webex directly
• All others go via Expressway-C and Expressway-E
• 2-way whiteboarding for Webex app and cloud-aware Webex devices, among all other Webex native features

Media Flows: Webex Call
• Direct media path for:
  • Webex app
  • Cloud-aware devices
• 2-way whiteboarding
• Full Webex Meeting experience, including meeting management

Media Flows: P2P Call
• Direct media path (if ICE is successful) for:
  • Webex app, Jabber
  • Cloud-aware device
  • 88XX and 78XX series device

Single Expressway Cluster

Single Expressway Cluster Architecture
(Diagram: Unified Communications Manager Cluster 1 and Cluster 2 linked by ILS; one Expressway-C and Expressway-E pair toward the Internet)
• Expressway-C cluster connected to all Unified CM/Unity Connection clusters
• User's home cluster checkbox set on Unified CM
• ILS configured between the clusters

Expressway Licensing
• Business-to-business calls, consumer-to-business calls and interoperability gateway calls:
  • Firewall traversal calls consume 1 x RMS on Expressway-E (includes MSFT B2B calls)
  • Jabber Guest calls consume 1 x RMS on Expressway-E
  • Interoperability gateway calls, i.e. intradomain MSFT interop calls, consume 1 RMS on Expressway-C
• Registered calls (no RMS required):
  • Calls between endpoints registered to Cisco call control services
  • Calls to Cisco conferencing infrastructure or cloud services
  • Cisco Meeting Server WebRTC

Expressway Compute Platform Options

Specs-based virtual machine support:
OVA size   vCPU          Reserved RAM   Disk space   NIC(s)
Small      2 x 1.8 GHz   4 GB           132 GB       1 Gb
Medium     2 x 2.4 GHz   6 GB           132 GB       1 Gb
Large      8 x 3.2 GHz   8 GB           132 GB       1 Gb

CE1200 appliance:
• SKU: EXPWY-1200-K9
• Bare metal – no hypervisor
• Cisco UCS C220-M5L
• Solution for customers with security policies that do not allow VMware in the DMZ

Expressway X12.7 MRA Scalability
             Per server                                          Per cluster
Platform     Registrations   Video calls   Audio-only calls   Registrations   Video calls   Audio-only calls
CE1200       7,000           500           1,000              28,000          2,000         4,000
Large OVA    3,500           500           1,000              14,000          2,000         4,000
Medium OVA   3,000           150           300                12,000          600           1,200
Small OVA    2,500           100           200                2,500           100           200
• Multiple clusters for more scalability

Expressway Clustering, 4+2
• Cluster up to 6 Expressways for scale and redundancy
• Clustering latency up to 80 ms RTT
• Expressway-E and Expressway-C node types cannot be mixed in the same cluster
• Deploy an equal number of peers in the Expressway-C and Expressway-E clusters (this applies to most Expressway deployments but is not critical if Expressway is handling local registrations)
• Deploy the same OVA sizes or appliances throughout the cluster
• Customers can deploy multiple clusters for the same domain
Expressway Service Discovery
(Diagram: private network with UCM, DMZ with Expressway-C and Expressway-E, external network with public DNS and the client)
• DNS SRV lookup _cisco-uds._tcp.example.com: not found (the client is outside the private network)
• DNS SRV lookup _collab-edge._tls.example.com on public DNS: found, expwy-nyc.example.com
• TLS handshake; the client authenticates the Expressway-E certificate
• HTTPS: get_edge_config?service_name=_ciscouds&service_name=_cuplogin
• Jabber allows a secondary domain to be used for edge service discovery. The "VoiceServicesDomain" can be provided in jabber-config.xml (from TFTP or the Messenger cloud), bootstrapped into the client via MSI, or provisioned through a ciscojabber:// URL

MRA Client Authentication Options
1. SAML SSO is an option for Jabber/Webex app clients, providing
   • Stronger client authentication, including 2FA with the Identity Provider
   • Alignment with the broader enterprise authentication strategy
   • The Expressway "SSO Exclusive" configuration option removes the non-SSO MRA authentication option
2. Activation codes + Manufacturing Installed Certificates for 78xx and 88xx phones
3. Basic authentication (username + password) is an option for all MRA clients, including
   • Webex devices or video endpoints with TC or CE firmware
   • 78xx and 88xx Cisco IP Phones
   • Webex app/Jabber

Media Traversal

Media Path Summary
(Diagram: endpoint "A", collaboration services and Unified CM inside the firewall (intranet); Expressway-C in the DMZ; Expressway-E as media relay outside the firewall; endpoints "B", "C" and "D"; signalling and media paths drawn separately)
• Call between "C" and "A"
  • Media stream always SRTP-encrypted between endpoint "C" and Expressway-C
  • SRTP encryption from "A" to Expressway-C when both endpoints are provisioned with an encrypted security profile
• Call between "C" and "B"
  • Media is relayed via Expressway-C
  • All media streams SRTP-encrypted
• Media path optimization: call between "D" and "C"
  • Direct and encrypted media path
  • Requires an encrypted security profile

SIP OAuth for Soft Clients
Objective: make it simple to deploy and support Jabber clients with voice/video encryption
Benefits
• Simplification: encrypted Webex app and Jabber clients no longer require UCM mixed mode, CTL, LSCs, or CAPF enrollment
• ICE media path optimization over MRA becomes a possibility when all SIP signaling legs are encrypted
• The only option for Webex app to use encryption with a UCM calling deployment

SIP OAuth Support in UCM 12.5 (future, subject to change)
• New option in the Phone Security Profile enables encryption without LSC/CAPF, using "single" TLS + OAuth tokens
• Must first be enabled via CLI (requires export-controlled)
• New SIP ports on UCM (ports configurable); UCM device security modes:
  • Non-secure: 5060, TCP
  • Encrypted: 5061, mTLS (LSC)
  • Encrypted (OAuth): 5090, TLS (+ OAuth in SIP); 5091, mTLS from Expressway-C (MRA)
• Automatic mTLS with Expressway-C for MRA-registered clients (diagram notes the CNs/SANs of the Expressway nodes and the UCM Tomcat service)

Brief Introduction to ICE
• Interactive Connectivity Establishment, RFC 8445
• Provides a best-effort mechanism for SIP client NAT traversal
• Allows clients to discover network topology details and find one or more paths by which they can communicate
• Delivers the cheapest media routing that minimizes firewall traversal and use of centralized resources
(Diagram: Expressway-E acting as TURN server on the Internet)

X12.5 MRA ICE Realities
• ICE support has existed in Expressway/VCS for years
• X12.5 adds ICE passthrough support, allowing MRA clients and devices to be compatible with ICE
• ICE media path optimization only applies to MRA-to-MRA calls
• The Expressway traversal media path will be used initially for all calls, and an optimized media path will kick in within seconds (when possible)
• Endpoints and Jabber clients require encrypted security profiles
• Endpoint support includes Jabber, 78xx/88xx phones (that support MRA), and CE devices

Mobile & Remote Access Deployment Options
Unified CM clusters   Expressway-C clusters   Expressway-E clusters   Comments
1                     1                       1                       Single Expressway deployment providing remote access to a central Unified CM cluster
1                     2+                      2+                      Regional Expressway deployments providing remote access to a central Unified CM cluster
2+                    1                       1                       Single Expressway deployment providing remote access to multiple Unified CM clusters
2+                    2+                      2+                      Regional Expressway deployments providing remote access to multiple Unified CM clusters
Supporting Multiple Unified CM Clusters: Prerequisites
• Cross-cluster UDS API calls are used to find a Jabber user's home cluster
• Establishing an Intercluster Lookup Service (ILS) network between Unified CM clusters is the easiest way to allow Unified CMs to discover one another and get home cluster discovery working
• SIP URI replication over ILS is optional, not a requirement
• Test this yourself within a browser; substitute the UCM addresses and username(s) specific to your deployment:
  • https://UCM/cucm-uds/clusterUser?username=mdude
  • Confirm the username lookup results always redirect to the same home UCM cluster, no matter which UCM cluster you send the lookup request to

SME Architecture
(Diagram: Unified Communications Manager Clusters 1, 2 and 3 behind a Unified Communications Manager Session Manager Edition; Expressway-C and Expressway-E toward the Internet)
• ILS enabled between Unified CM clusters
• Expressway-C connected to all leaf UCM clusters

Multiple Expressway Clusters

Single Unified CM and Multiple Expressways
(Diagram: centralized Unified Communications Manager at the central site; Site 1 and Site 2 each with an Expressway-C/Expressway-E pair to the Internet)
• Expressway selection based on Geo DNS or service domain
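The browser check described above, as an added script that is not part of the deck: it runs the slide's clusterUser lookup against every Unified CM cluster and flags any disagreement about the home cluster. The XML element names (result, homeCluster, uri), the hostnames and the sample responses are assumptions constructed for the example.

```python
"""Cross-cluster UDS home-cluster consistency check (added example, not from
the deck). It sends the slide's lookup,
https://<UCM>/cucm-uds/clusterUser?username=<user>, to every Unified CM
cluster and checks that each one names the same home cluster. The response is
assumed to be XML carrying <result found="true"> and <homeCluster><uri>;
adjust that shape to your UDS version."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable
from urllib.parse import quote


def uds_cluster_user_url(ucm: str, username: str) -> str:
    """Build the clusterUser lookup URL shown on the slide for one UCM node."""
    return f"https://{ucm}/cucm-uds/clusterUser?username={quote(username)}"


def https_get(url: str) -> str:
    """Fetch over HTTPS with certificate verification against the system CA
    store; UDS answers map users to clusters, so do not turn verification off."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_home_cluster(body: str) -> str:
    """Extract the home-cluster URI from a clusterUser response (assumed shape)."""
    root = ET.fromstring(body)
    result = root.find(".//result")
    if result is None or result.get("found") != "true":
        raise ValueError("user not found by this cluster")
    uri = root.find(".//homeCluster/uri")
    if uri is None or not uri.text:
        raise ValueError("response carries no homeCluster/uri")
    return uri.text.strip()


def home_clusters(ucms: Iterable[str], username: str,
                  fetch: Callable[[str], str] = https_get) -> Dict[str, str]:
    """Ask every UCM cluster for the user's home cluster: {ucm: home_cluster_uri}."""
    return {ucm: parse_home_cluster(fetch(uds_cluster_user_url(ucm, username)))
            for ucm in ucms}


def home_cluster_is_consistent(ucms: Iterable[str], username: str,
                               fetch: Callable[[str], str] = https_get) -> bool:
    """True when all clusters redirect the user to the same home cluster (what the
    slide asks you to confirm); False when the clusters disagree."""
    return len(set(home_clusters(ucms, username, fetch).values())) == 1


# Constructed sample responses (not captured from a real system): ucm1 and ucm2
# agree, ucm3 answers differently, the misconfiguration this check should catch.
_RESP = ('<clusterUser><result found="true"><homeCluster><uri>{}</uri>'
         '</homeCluster></result></clusterUser>')
SAMPLE_RESPONSES = {
    "ucm1.example.com": _RESP.format("https://ucm1.example.com:8443/cucm-uds"),
    "ucm2.example.com": _RESP.format("https://ucm1.example.com:8443/cucm-uds"),
    "ucm3.example.com": _RESP.format("https://ucm3.example.com:8443/cucm-uds"),
}


def fake_fetch(url: str) -> str:
    """Offline stand-in for https_get, keyed on the host part of the URL."""
    return SAMPLE_RESPONSES[url.split("/")[2]]


if __name__ == "__main__":
    clusters = list(SAMPLE_RESPONSES)
    print(home_clusters(clusters, "mdude", fake_fetch))
    print("consistent:", home_cluster_is_consistent(clusters, "mdude", fake_fetch))
```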
Geo DNS Setup Example
Location   SRV record                     Priority   Weight   Expressway-E
US         _collab-edge._tls.ent-pa.com   10         10       us-expe1.example.com
US         _collab-edge._tls.ent-pa.com   10         10       us-expe2.example.com
US         _collab-edge._tls.ent-pa.com   20         10       emea-expe1.example.com
US         _collab-edge._tls.ent-pa.com   20         10       emea-expe2.example.com
EMEA       _collab-edge._tls.ent-pa.com   10         10       emea-expe1.example.com
EMEA       _collab-edge._tls.ent-pa.com   10         10       emea-expe2.example.com
EMEA       _collab-edge._tls.ent-pa.com   20         10       us-expe1.example.com
EMEA       _collab-edge._tls.ent-pa.com   20         10       us-expe2.example.com
• us-expe is the default for devices in the US; emea-expe is the backup for devices in the US
• emea-expe is the default for devices in EMEA; us-expe is the backup for devices in EMEA

Service Domain Static Assignment
• If Geo DNS is not an option, or
• If the admin wants to segregate users on specific Expressway clusters in large installations
(Diagram: Expressway-E clusters us-expe.ent-pa.com, emea-expe.ent-pa.com and apjc-expe.ent-pa.com, reached through _collab-edge._tls.us.ent-pa.com, _collab-edge._tls.emea.ent-pa.com and _collab-edge._tls.apjc.ent-pa.com; login screens for agoodman with service domain us.ent-pa.com, abarry with service domain emea.ent-pa.com, and dbritt@ent-pa.com, passwords masked)

Service Domain for Hardware Endpoints
• Webex and video devices
  • User must enter service domain, user ID and password
• 8800 and 7800 series
  • Secure onboarding: user enters a 16-digit code or points the camera at the QR code; the service domain is passed to the phone during onboarding
  • Standard registration: user enters a service domain, user ID and password
• Webex app
  • Service domain provisioned in Control Hub and transparent to the user

MRA Activation Domain
• One MRA activation domain per CUCM cluster
• MRA activation domain provided to the Cisco cloud to redirect phones to the customer's Expressway-E(s)
• collab-edge DNS SRV record(s) need to exist for this domain
• Configured under the Advanced Features > Cisco Cloud Onboarding menu
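The SRV lookups from the Expressway Service Discovery slide and the Geo DNS and service domain tables above, modelled as an added example (not code from the deck): it shows the _cisco-uds then _collab-edge discovery order, how one SRV name yields a location-dependent answer, how RFC 2782 priority/weight ordering puts the local Expressway-E pair first with the far pair as backup, and how a provisioned service domain overrides location. Hostnames, port 8443 and the dict-based resolver are constructed assumptions.

```python
"""MRA edge discovery and Geo DNS SRV selection (added example, not from the
deck). Models the client discovery order on the slides, _cisco-uds._tcp.<domain>
first and _collab-edge._tls.<domain> as fallback with an optional
VoiceServicesDomain override, plus RFC 2782 priority/weight ordering of the
answers a Geo DNS service gives US and EMEA clients. Records are constructed
from the slide's tables; port 8443 on every target is an assumption."""
import random
from typing import Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)
GEO_NAME = "_collab-edge._tls.ent-pa.com"
US_PAIR = ["us-expe1.example.com", "us-expe2.example.com"]
EMEA_PAIR = ["emea-expe1.example.com", "emea-expe2.example.com"]


def geo(local: List[str], far: List[str]) -> List[SrvRecord]:
    """Slide table: priority 10 for the local pair, 20 for the far (backup) pair."""
    return [(10, 10, 8443, t) for t in local] + [(20, 10, 8443, t) for t in far]


# Static service-domain records pin a user to one cluster from any location.
STATIC: Dict[str, List[SrvRecord]] = {
    "_collab-edge._tls.us.ent-pa.com": [(10, 10, 8443, "us-expe.ent-pa.com")],
    "_collab-edge._tls.emea.ent-pa.com": [(10, 10, 8443, "emea-expe.ent-pa.com")],
}
# Geo DNS: one name, a different answer depending on where the query comes from.
VIEWS = {
    "INSIDE": {**STATIC, "_cisco-uds._tcp.ent-pa.com": [(10, 10, 8443, "ucm1.ent-pa.com")]},
    "US": {**STATIC, GEO_NAME: geo(US_PAIR, EMEA_PAIR)},
    "EMEA": {**STATIC, GEO_NAME: geo(EMEA_PAIR, US_PAIR)},
}


def order_srv(records: List[SrvRecord], seed: Optional[int] = None) -> List[str]:
    """RFC 2782 try-order: ascending priority; within one priority a weighted
    random order, so equal-weight peers share load and every peer gets tried."""
    rng = random.Random(seed)
    by_prio: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_prio.setdefault(rec[0], []).append(rec)
    ordered: List[str] = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(r[1] for r in pool)
            chosen = pool[0]                      # all weights 0: keep given order
            if total > 0:
                pick, acc = rng.random() * total, 0.0
                for chosen in pool:
                    acc += chosen[1]
                    if pick < acc:
                        break
            ordered.append(chosen[3])
            pool.remove(chosen)
    return ordered


def discover_edge(domain: str, view: str, voice_services_domain: Optional[str] = None,
                  seed: Optional[int] = None) -> Tuple[str, List[str]]:
    """Client discovery as on the slide: ("ucm", targets) when the internal
    _cisco-uds record resolves, ("mra", Expressway-E targets in try-order) when
    only _collab-edge resolves, ("none", []) when neither does."""
    zone = VIEWS[view]
    internal = zone.get(f"_cisco-uds._tcp.{domain}")
    if internal:
        return "ucm", order_srv(internal, seed)
    edge_domain = voice_services_domain or domain  # VoiceServicesDomain wins when set
    edge = zone.get(f"_collab-edge._tls.{edge_domain}")
    if not edge:
        return "none", []
    return "mra", order_srv(edge, seed)
```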
MRA Service Domains
Create and manage MRA service domains under the Advanced Features > MRA Service Domain menu
• MRA service domains are used by phones to look up the collab-edge SRV after onboarding and receiving the phone config
• The MRA activation domain can also be used as a service domain
• There is one system-level default MRA service domain, plus the option to establish MRA service domains at the device pool and device level
• Different service domains can be used to direct phones to regional Expressway-C/E pairs
• collab-edge DNS SRV records need to exist for each MRA service domain

Control Hub UC Manager Profiles for Webex App
• Per-user configuration or a bulk procedure

Multiple Unified CM/Expressways with Geo DNS
(Diagram: Site 1 and Site 2, each with a Unified Communications Manager and an Expressway-C/Expressway-E pair to the Internet)
• Full-mesh connectivity between Expressway-C and Unified CM is required if users are roaming

Multiple Unified CM/Expressways with Service Domain
(Diagram: same two-site layout)
• User segregation on specific Expressways through the service domain allows Expressway-C to connect to selected clusters only

Geo DNS vs Service Domain Comparison
Criterion               Geo DNS                                   Service Domain
Expressway selection    Nearest to the endpoint location          Static
UCM, IM&P, CUC          Expressway-C connected to all clusters    Expressway-C connected to selected clusters
Bandwidth and quality   Optimizes the quality                     Optimizes the WAN bandwidth
Configuration           Involves DNS only                         UCM and Control Hub config
Troubleshooting         Might involve DNS providers               Involves UC infrastructure only

Monitoring

Headset Inventory Detailed
• CUCM 12.5(1)SU1 and CUCM 11.5(1)SU7

Monitoring Unified CM Registrations via MRA (1)

Monitoring Unified CM Registrations via MRA (2)

Summary
• For the best experience, use the already-available on-premises infrastructure powered by Webex
• Select the best endpoints and clients for a specific workflow
• Size the servers correctly based on capacity

Thank you
#CiscoLive