Add to collection(s) Add to saved
  1. No category
Uploaded by Video Minocw

BRKCOL-2024

advertisement 
#CiscoLive
Building Work-from-Home
Architectures with
Expressway
Luca Pellegrini
Technical Marketing Engineer – Technical Leader
BRKCOL-2024
#CiscoLive
Agenda
•
Introduction
•
Work-from-home Endpoints and Clients
•
Registration and Provisioning
•
Architecture
•
•
Single Expressway Clusters
Multiple Expressway Clusters
• Geo DNS vs Service Domain
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
3
In-Person to Virtual Meetings
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
4
Architectural Assumptions
•
Unified CM infrastructure is deployed
•
Few Mobile and Remote Access users
•
Webex app or Jabber
•
Webex devices
•
Voice and video hardware endpoints
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
5
Work-from-Home
Endpoints and
clients
Cisco Collaboration Devices Portfolio
Choose how you wish to collaborate
Collaboration room
Room 70 G2 Dual and
Single
Room 55 Dual
Room 55
Huddle Spaces
Webex Share
Room Kit Mini
Room USB
Room Phone
Integrator solutions
Webex Board 55S,
70S, and 85
Room Panorama
700 Series
Room Kit and
Room Kit Plus
Collaboration desktop video
DX80
8845 and 8865
Headsets
500 Series
SX10 and SX20
Quick Sets
Codec Pro and SX80 for
custom/industry
applications
Soft clients
Desk Pro
Webex Desk*
Webex App
Jabber
Voice devices
IP Wireless Phone
6800, 7800, and 8800 Series
IP Conferencing
* Available by the end of CY21
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
7
Endpoint Selection
•
•
•
Co-resident Clients
•
Webex app (Unified CM)
•
Cisco Jabber (Unified CM and IM&P on-prems)
Hardware devices
•
Audio
•
Video
Selection based on ergonomics and workflow
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
8
Selection criteria
•
•
Ergonomics
•
Hunched Over Laptop Syndrome (HOLS)
•
Computer Vision Syndrome
Co-residency vs dedicated
•
Laptop and workstations with collaboration software
•
•
Dedicated hardware device
•
•
Collaboration applications resources shared with other applications
Extensive use of real-time applications
Tools
•
Full UCM integrations
•
Sharing
•
Whiteboarding
Space-based experience
•
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
9
Hardware Endpoints
•
Video endpoint design takes into account ergonomics
•
Can usually be positioned at 24 inch of distance; screen and camera don’t require
head or body “hunching”
•
Media resiliency and error recovery in case of poor bandwitdh
•
Configurable calling rate for daily job
•
Example: Internet connection of 5 Mbps download and 600 Kbps upload
•
Bandwidth fluctuations are much more perceived in a low-capacity link. In this
case downspeed and upspeed might make the experience worse
•
Set the call to 256 or 384 Kbps in transmission and leave 1,5Mbps in receive
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
10
Clients and endpoint features
•
Shared line with Webex app
•
Media path optimization in point-to-point calls
•
Legacy PBX features
•
Use of corporate PSTN
•
Noise reduction for use in a home office/shared space
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
11
Registration and
Provisioning
Options
7800 and 8800 series
•
Unified CM Registration through:
•
•
Username/Password and discovery domain
Activation Code
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
13
Webex App: Unified CM Registration
•
Webex app is able to register to Cisco Unified CM
•
Registration happens on-premises or through Mobile and Remote Access
•
Standard username/password or SSO - whatever mechanism an IdP uses
Cisco
Webex
Unified CM
https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKCOL-2385.pdf
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
14
Webex app (Unified CM) and Jabber Experience
Jabber
Webex app
Unified CM Multiline
Unified CM Settings
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
15
Webex Edge For Devices Linked Device
•
Also referred to as Cloud-aware devices (DX80, Webex Desk,
Webex Desk Pro)
•
•
•
•
Native UCM Registration with username/password and discovery domain
Calls to meetings via Webex
Webex-managed upgrades
Webex-managed Device Specific configuration
Cisco
Webex
Unified CM
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
16
Cloud-Aware Device Provisioning
• Endpoint must be registered to Unified CM
• Endpoint reachability from admin laptop not required
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
17
Cloud-Aware Devices
192.0.2.10:5061
UCM Registration via MRA
Webex Registration
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
18
Control Hub and Unified CM View
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
19
UCM Webex app and Cloud-Aware Devices
Benefits
•
Webex app and cloud-aware Webex devices fully UCM-integrated
•
•
•
•
•
•
•
•
•
•
•
•
•
Dial Plan
PSTN
Hold/Resume, Transfer, Forward
Ad-Hoc Conference
DND
Extension Mobility (hw devices)
Join
MWI
Single Number Reach
Multiline
Shared Line
Upgrades from the Cloud (hw devices)
Media Path optimization
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
20
Architecture
Architecture
Webex app (Unified CM)
Cloud-aware
MRA-registered devices
INTERNET
Expressway-C
Expressway-E
On-prems
registered
devices
Jabber
• Webex app and Webex registered devices join Webex directly
• All other go via Expressway-C and Expressway-E
• 2-ways whiteboarding for Webex app and Cloud-aware Webex devices among all other Webex native
features
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
22
Media Flows: Webex Call
Webex app (Unified CM)
Cloud-aware
MRA-registered devices
INTERNET
Expressway-C
• Direct media path for:
Expressway-E
On-prems
registered
devices
Jabber
• Webex app
• Cloud-aware devices
• 2-way whiteboarding
• Full Webex Meeting Experience including meeting management
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
23
Media Flows: P2P Call
Webex app (Unified CM)
Cloud-aware
MRA-registered devices
INTERNET
Expressway-C
Expressway-E
On-prems
registered
devices
•
Jabber
Direct media path (if ICE is successful) for:
•
•
•
Webex app, Jabber
Cloud-aware device
88XX and 78XX series device
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
24
Single
Expressway
Cluster
Single Expressway Cluster Architecture
Unified Communications
Manager Cluster 1
Expressway-E
ILS
Internet
Unified Communications
Manager Cluster 2
Expressway-C
•
Expressway-C cluster connected to all Unified CM/Unity Connection clusters
•
User’s home cluster checkbox set on Unified CM
•
ILS configured between the clusters
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
26
Expressway Licensing
Business to Business
Calls
Consumer to Business
Calls
Interoperability Gateway
Calls
Firewall Traversal Calls
consume 1 x RMS on
Expressway E
(includes MSFT B2B
calls)
Jabber Guest Calls
consume 1 x RMS on
Expressway E
i.e. intradomain MSFT
interop calls, consume 1
RMS on Expressway C
Gateway
Registered Calls (no RMS required)
Calls between endpoints registered to Cisco Call control services
Calls to Cisco conferencing infrastructure or cloud services
Cisco Meeting Server WebRTC
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
27
Expressway Compute Platform Options
Specs Based
Virtual Machine Support
CE1200 Appliance
OVA Size
vCPU
Reserved
RAM
Disk
Space
NIC(s)
Small
2 x 1.8
GHz
4GB
132GB
1Gb
Medium
2 x 2.4
GHz
6GB
132GB
1Gb
Large
8 x 3.2
GHz
8GB
132GB
1Gb
•
•
•
•
#CiscoLive
SKU: EXPWY-1200-K9
Bare metal – no hypervisor
Cisco UCS C220-M5L
Solution for customers with security policies
that do not allow VMware in the DMZ
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
28
Expressway X12.7 MRA Scalability
Server
Cluster
Registrations
Video Calls
Audio Only
Calls
Registrations
Video Calls
Audio Only
Calls
CE1200
7,000
500
1,000
28,000
2,000
4,000
Large OVA
3,500
500
1,000
14,000
2,000
4,000
Medium OVA
3,000
150
300
12,000
600
1,200
Small OVA
2,500
100
200
2,500
100
200
Platform
• Multiple Clusters for more scalability
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
29
Expressway Clustering, 4+2
• Cluster up to 6 Expressways for scale and
redundancy
• Clustering latency up to 80ms RTT
• Expressway E and C node types cannot be mixed in
the same cluster
• Deploy equal number of peers in Expressway C and
E clusters (this applies to most Expressway
deployments but is not critical if Expressway is
handling local registrations)
• Deploy same OVA sizes or appliances throughout
cluster
• Customers can deploy multiple clusters for the
same domain
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
30
Expressway Service Discovery
DNS SRV lookup _cisco-uds._tcp.example.com
Private Network
DMZ
External Network
✗ Not Found
Internet
UCM Expressway-C Expressway-E
DNS SRV lookup _collab-edge._tls.example.com
Public DNS
✓ expwy-nyc.example.com
TLS Handshake, client authenticates
Expressway-E certificate
Jabber allows for a secondary domain to be used
for edge service discovery.
The “VoiceServicesDomain” can be provided in
jabber-config.xml (from TFTP or Messenger cloud),
or bootstrapped into client via MSI, or
ciscojabber://URL provisioning
HTTPS:
get_edge_config?service_name=_ciscouds&service_name=_cuplogin
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
31
MRA Client Authentication Options
1. SAML SSO is an option for Jabber/Webex app clients providing
•
Stronger client authentication, including 2FA with Identity Provider
•
Alignment with the broader enterprise authentication strategy
•
Expressway “SSO Exclusive” configuration option removes non-SSO MRA
authentication option
2. Activation codes + Manufacturing Installed Certificates for 78xx and 88xx phones
3. Basic authentication (username + password) is an option for all MRA clients
including
•
Webex devices or video endpoints with TC or CE firmware
•
78xx and 88xx Cisco IP Phones
•
Webex app/Jabber
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
32
Media Traversal
Media Path Summary
• Call between “C” and “A”
• Media stream always SRTP
encrypted between endpoint “C”
and Expressway-C
B
Inside firewall
(Intranet)
DMZ
Collaboration
Services
Unified
CM
• SRTP encryption “A” to
Expressway-C when both endpoints
are provisioned with encrypted
security profile
Outside firewall
Media Relay
C
Internet
• Call between “C” and “B”
• Media is relayed via Expressway-C
• All Media streams SRTP encrypted
Expressway Expressway
C
E
D
SIGNALLING
MEDIA
Media Path Optimization
• Call between “D” and “C”
• Direct and encrypted media path
A
• Requires encrypted security profile
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
33
SIP OAuth for soft clients
Objective: make it simple to deploy and support Jabber clients with
voice/video encryption
Benefits
•
Simplification: Encrypted Webex app and Jabber clients no longer
require UCM mixed mode, CTL, LSCs, or CAPF enrollment
•
ICE Media Path Optimization over MRA becomes a possibility when
all SIP signaling legs are encrypted
•
The only option for Webex app to use encryption with UCM calling
deployment
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
34
(su
bje Fu
ct t u
t o re
ch
an
ge
)
SIP OAuth Support in UCM 12.5
New option in Phone Security
Profile enables encryption
without LSC/CAPF, using
“single” TLS + OAuth tokens
• Must be first enabled via CLI
(requires export-controlled)
CN’s/SAN’s
of Expwy
nodes
mTLS
UCM
Device Security Modes
Encrypted
(OAuth)
Tomcat
5091
Encrypted
CM
5090
TLS
• New SIP ports on UCM
5060
5061
Expwy-C
(MRA)
(+ OAuth in SIP)
Non-secure
mTLS
TCP
(configurable)
• Automatic mTLS with Expwy-C
LSC
for MRA-registered clients
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
35
Brief Introduction to ICE
•
Interactive Connectivity Establishment - RFC 8445
Internet
Expressway-E
(TURN Server)
•
Provides a best effort mechanism for SIP client NAT traversal
•
Allowing clients to discover network topology details and find one
or more paths by which they can communicate
•
Delivering the cheapest media routing that minimizes firewall
traversal and use of centralized resources
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
36
X12.5 MRA ICE Realities
Internet
•
ICE support has existed in Expressway/VCS for years
•
X12.5 adds ICE passthrough support allowing MRA clients and
devices to be compatible with ICE
•
ICE Media Path Optimization only applies to MRA to MRA calls
•
Expressway traversal media path will be used initially for all calls,
and an optimized media path will kick in within seconds (when
possible)
•
Endpoints and Jabber clients require encrypted security profiles
•
Endpoint support includes Jabber, 78xx/88xx phones (that support
MRA), and CE Devices
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
37
Mobile & Remote Access Deployment Options
Unified CM
Clusters
1
1
2+
2+
Expressway-C Expressway-E
Clusters
Clusters
1
2+
1
2+
Comments
1
Single Expressway deployment
providing remote access to a central
Unified CM cluster
2+
Regional Expressway deployments
providing remote access to a central
Unified CM cluster
1
Single Expressway deployment
providing remote access to a multiple
Unified CM clusters
2+
#CiscoLive
Regional Expressway deployments
providing remote access to multiple
Unified CM Clusters
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
38
Supporting Multiple Unified CM Clusters
Prerequisites
• Cross cluster UDS API calls are used to find a Jabber user’s home cluster
•
Establishing an Intercluster Lookup Service (ILS) network between Unified
CM clusters is the easiest way to allow Unified CMs to discover one
another and get home cluster discovery working
•
SIP URI replication over ILS is optional, not a requirement
Test this yourself within a browser, substitute in UCM addresses and
username(s) specific to your deployment
•
https://UCM/cucm-uds/clusterUser?username=mdude
•
Confirm the username lookup results always redirect to the same home
UCM cluster, no matter which UCM cluster you send the lookup request to
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
39
SME Architecture
Unified Communications
Manager Cluster 1
Unified Communications
Manager Session
Manager Edition
Unified Communications
Manager Cluster 2
Expressway-E
Internet
Expressway-C
Unified Communications
Manager Cluster 3
•
ILS enabled betwen Unified CM Clusters
•
Expressway-C connected to all leaf UCM clusters
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
40
Multiple
Expressway
Clusters
Single Unified CM and Multiple Expressways
•
Expressway selection based on Geo DNS or services domain
Site 1
Central Site
Centralized
Unified
Communications
Manager
Expressway-E
Internet
Expressway-C
Site 2
Expressway-E
Internet
Expressway-C
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
42
Geo DNS Setup Example
SRV Record
Priority
Weight
Expressway-E
_collab-edge._tls.ent-pa.com
10
10
us-expe1.example.com
10
10
us-expe2.example.com
20
10
emea-expe1.example.com
20
10
emea-expe2.example.com
10
10
emea-expe1.example.com
10
10
emea-expe2.example.com
20
10
us-expe1.example.com
20
10
us-expe2.example.com
Location: US
Location: EMEA
#CiscoLive
BRKCOL-2024
us-expe default
for devices in US
emea-expe as backup
for devices in US
emea-expe default
for devices in EMEA
us-expe as backup
for devices in EMEA
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
43
Service Domain
Static Assignment
• If Geo DNS is not an option or
•
If the admin wants to segregate users on specific Expressway clusters in
large installations
us-expe.ent-pa.com
_collab-edge._tls.us.ent-pa.com
apjc-expe.ent-pa.com
emea-expe.ent-pa.com
_collab-edge._tls.emea.ent-pa.com
agoodman
****
us.ent-pa.com
_collab-edge._tls.apjc.ent-pa.com
abarry
****
emea.ent-pa.com
#CiscoLive
BRKCOL-2024
dbritt@ent-pa.com
*****
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
44
Service Domain for Hardware Endpoints
•
Webex and video devices
•
•
8800 and 7800 series
•
•
•
User must enter service domain, UserID and password
Secure onboarding: user enters a 16-digit code or points the camera to
the QR code. Service domain passed to the phone during onboarding
Standard registration: user enters a service domain, UserID and password
Webex app
•
Service Domain provisioned in Control Hub and transparent to the user
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
45
MRA Activation Domain
•
One MRA activation
domain per CUCM cluster
•
MRA activation domain
provided to Cisco Cloud to
redirect phones to
customer Expressway-E(s)
•
collab-edge DNS SRV
record(s) need to exist for
this domain
Advanced Features > Cisco
Cloud Onboarding menu
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
46
MRA Service Domains
Create and manage MRA
service domains under:
Advanced Features > MRA
Service Domain menu
•
MRA service domains are used by
phones to look up collab-edge
SRV after onboarding and
receiving phone config
•
The MRA activation domain can
also be used as a service domain
•
There will be one system level
default MRA service domain, plus
the option to establish MRA
service domains at the device
pool and device level
•
Different service domains can be
used to direct phones to regional
Expressway C/E pairs
•
collab-edge DNS SRV records
need to exist for each MRA
service domain
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
47
Control Hub UC Manager Profiles for Webex App
• Per-user config or with bulk procedure
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
48
Multiple Unified CM/Expressways with Geo DNS
Site 1
Unified
Communications
Manager
Expressway-E
Internet
Expressway-C
Unified
Communications
Manager
Site 2
Expressway-E
Internet
Expressway-C
•
Full-mesh connectivity between Expressway-C and Unified CM
required if users are roaming
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
49
Multiple Unified CM/Expressways with Service
Domain
Site 1
Unified
Communications
Manager
Expressway-E
Internet
Expressway-C
Unified
Communications
Manager
Site 2
Expressway-E
Internet
Expressway-C
•
User segregation on specific Expressways through service domain
allows Expressway-C to connect to selected clusters only
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
50
Geo-DNS vs Service Domain Comparison
Geo DNS
Service Domain
Expressway selection
Nearest to the endpoint location
Static
UCM, IM&P, CUC
Expressway-C connected to all
clusters
Expressway-C connected to
selected clusters
Bandwidth and Quality
Optimizes the quality
Optimizes the WAN bandwidth
Configuration
Involves DNS only
UCM and Control Hub config
Troubleshooting
Might Involve DNS providers
Involves UC infrastructure only
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
51
Monitoring
Headset Inventory Detailed
CUCM 12.5(1)SU1 and CUCM 11.5(1)SU7
#CiscoLive
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
53
Monitoring Unified CM Registrations via MRA (1)
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
54
Monitoring Unified CM Registrations via MRA (2)
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
55
Summary
•
For best experience, use the already-available on-prems
infrastructure powered by Webex
•
Select the best endpoints and clients for a specific workflow
•
Size correctly the servers based on capacity
#CiscoLive
BRKCOL-2024
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
56
Thank you
#CiscoLive
#CiscoLive
Related documents
1.1.1.2 Lab - How Connected are You
1.1.1.2 Lab - How Connected are You
Study research 2021
Study research 2021
Module Summary
Module Summary
10_2_1_2 Worksheet - Answer Security Policy Questions
10_2_1_2 Worksheet - Answer Security Policy Questions
Open Source Used In Unified Screen and
Open Source Used In Unified Screen and
Download
advertisement