Expressway & MRA

Prepared by
Rafik Mokadis
Orange Restricted
• Agenda:
- Introduction
- Expressway Setup
- Certificates
- Zones
- SRV & A records
- MRA access
- Troubleshooting & Logs

Introduction

The main purpose of Cisco Expressway is to give users outside the organization a VPN-less way to connect and register to the organization's servers, for example when a Jabber device wants to register with CUCM. Cisco Expressway provides highly secure access to all collaboration workloads, including video, voice, content, IM and presence. It lets users collaborate with people who are on third-party systems and endpoints or in other companies, and helps teleworkers and Cisco Jabber mobile users work more effectively on their device of choice.

What can a Jabber client do with Expressway?

Supported Clients when Using Mobile and Remote Access

Expressway X8.6 and later:

- MRA is supported with the Cisco IP Phone 7800/8800 Series, phone firmware version 11.0(1) or later. Expressway X8.7 or later is recommended for use with these phones.
  - Cisco IP Phone 8800 Series
  - Cisco IP Phone 7800 Series
- Cisco DX Series endpoints running firmware version 10.2.4(99) or later.
  - Cisco DX650
  - Cisco DX80
  - Cisco DX70

Expressway setup

Certificates


- The main purpose of the certificates is to establish trust between the two Expressways: the connection between them is a TLS connection, and the traversal zone between them will not come up if there is no trust between them. That is why both Expressways should have the same root CA certificate(s) uploaded on them.
- There can be one CA server from which both Expressways obtain the same root CA certificate, or there can be two CA servers, as in our setup; in that case both Expressways should trust both root CA certificates in order to trust each other.
- The CA server can be CUCM or, as in our setup, the DNS server.


- In our example for this implementation, the external DNS server is the CA for Expressway E and the internal DNS server is the CA for Expressway C.
- In order for Expressway E and C to trust each other, both root CA certificates should be uploaded on both Expressways, and each Expressway's server certificate should be signed by its CA.
- Before working on the certificates, NTP should be verified: if the server time is not synchronized, the certificates will be considered invalid.


- A temporary certificate will be found, as shown in the screenshot below, under:

Maintenance >>> Security >>> Trusted CA certificate


- Both root CA certificates will be downloaded from both DNS servers so that they can be uploaded on both Expressways.
- In the screenshot below, “Download a CA certificate” is chosen.

- Choose the encoding method “Base 64” and click “Download CA certificate” as shown below.
- The same steps are taken on the external DNS server.

- After that, both root CA certificates should be uploaded on both
expressways as shown below.
- Same actions will be taken on the other expressway.

- After that, a CSR should be generated on each Expressway so that its server certificate can be signed by its respective CA server.
- Go to Maintenance >>> Security >>> Server certificate >>> Server certificate.


- On Expressway C, no alternative names are needed, as the internal FQDN will be resolvable by the internal DNS server and does not need to be resolvable from the public internet.

- Additional information is filled in as shown below.

- Once the CSR is generated, click on “show (PEM file)” as shown below.


- Then copy the content of the CSR, as shown below, so that it can be signed.

- Then go to the internal DNS server (since this is Expressway C) so that the certificate can be signed, and choose “Request a certificate” as shown below.

- Then go to “advanced certificate request” as shown below.
- Then paste the CSR content and choose “Client/Server Authentication” in the Certificate Template field as shown below.

- Then choose “Base 64 encoded” and download certificate as shown below.

- Then upload the new certificate on the expressway as shown below.

- Then go to Maintenance >>> Security >>> Server certificate to accept the new certificate.
- Then reboot the server through Maintenance >>> Restart options >>> Reboot.
- On Expressway E the same steps are done, but there are important notes about Expressway E. While generating the CSR you will find the common name, which will appear as “coedge.ine.com” for example, as shown below. This is the public FQDN: the public SRV record of Collab edge (which users logging in from outside the network depend on) will point to this FQDN, and the external DNS server will map this FQDN to the public WAN IP of Expressway E in its records. So it is very important for this FQDN to be in the certificate.


- In the “Alternative name” field, we should add the internal FQDN of Expressway E, as shown below, so that the internal DNS server resolves it to the internal LAN IP of Expressway E and the connection between the two Expressways can be established; this means the internal FQDN should also be in the certificate.
- In conclusion, the external FQDN of Expressway E is needed for the TLS connection between Jabber and Expressway E, while the internal FQDN of Expressway E is needed for the TLS connection between the two Expressways.

- The DNS field in the screenshot on the previous slide should be filled in so that it appears in the Expressway E certificate, so a domain should be created on Expressway C to be sent to Expressway E.
- To create a new domain on Expressway C, go to Configuration >>> Domains as shown below.

- Then Unified Communications services should be enabled on Expressway C; this is very important before generating the CSR on Expressway E.
- On Expressway C, go to Configuration >>> Unified Communications >>> Configuration in order to enable “Mobile and remote access”. Also, “Authorize by user credential” should be “On” while “Authorize by OAuth token with refresh” should be “Off”, as a username and password will be created for Expressway C to connect to Expressway E.

- Then go to the created domain “ine.com”; you will find more options, as shown below. Configure them as shown.

- Then enable “Mobile and remote access” on Expressway E.
- Now a CSR can be generated on Expressway E, and you will find the “Unified CM registrations domains” option available, as shown below. It is required for secure communications between endpoint devices and Expressway E and includes the email address domain entered by users of the client application (e.g. Jabber). After generating the CSR, the new certificate is uploaded on Expressway E in the same way as on Expressway C; then reboot the server.
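Before uploading the signed certificate to Expressway E, it is worth checking that every name the slides above require (the public FQDN such as “coedge.ine.com”, the internal FQDN, and the Unified CM registration domain such as “ine.com”) is actually present in the subject alternative name list. The following is an added example, not part of the original slides and not a Cisco tool: a stdlib-only Python scanner that pulls the dNSName entries out of a PEM or DER certificate, with a constructed DER blob standing in for a certificate and “expe.internal.example” as a placeholder internal FQDN.

```python
import base64

SAN_OID = b"\x06\x03\x55\x1d\x11"   # DER-encoded OID 2.5.29.17 = subjectAltName

def _read_len(buf, i):  # decode a DER length at buf[i] -> (length, index of first content byte)
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def san_dns_names(cert):
    """dNSName entries of the subjectAltName extension of a PEM or DER certificate (lower-cased)."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in cert.splitlines() if not l.startswith(b"-----"))
        cert = base64.b64decode(body)
    i = cert.find(SAN_OID)          # heuristic: locate the extension by its OID bytes
    if i < 0:
        return []
    i += len(SAN_OID)
    if cert[i] == 0x01:             # optional 'critical' BOOLEAN before the value
        i += 2 + cert[i + 1]
    if cert[i] != 0x04:             # OCTET STRING wrapping the GeneralNames
        raise ValueError("malformed subjectAltName extension")
    _, i = _read_len(cert, i + 1)
    if cert[i] != 0x30:             # SEQUENCE OF GeneralName
        raise ValueError("malformed GeneralNames")
    length, i = _read_len(cert, i + 1)
    end, names = i + length, []
    while i < end:
        tag = cert[i]
        length, i = _read_len(cert, i + 1)
        if tag == 0x82:             # [2] dNSName (context-specific, primitive)
            names.append(cert[i:i + length].decode("ascii").lower())
        i += length
    return names

def missing_san_entries(cert, required):  # required names (FQDNs, registration domain) not in the SAN
    present = set(san_dns_names(cert))
    return [n for n in required if n.lower() not in present]

# --- constructed sample, not a real Expressway certificate: a DER SEQUENCE holding only a SAN
def _tlv(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + body

def build_sample_cert(names):
    general_names = _tlv(0x30, b"".join(_tlv(0x82, n.encode("ascii")) for n in names))
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x30, SAN_OID + _tlv(0x04, general_names)))

def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"
```

On a real certificate, feed the PEM downloaded from the CA (the Base 64 file from the steps above) to `missing_san_entries` with the three names; an empty list means the certificate is ready to upload.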

Zones

- Zone configuration on the Expressway is very important, as without zones there will be issues. For example, if the Traversal zone is not configured, there will be no TLS connection between the two Expressways, which causes a failure when a Jabber client tries to register through MRA.
- Also, if no Neighbor zone is configured, no calls will go through Expressway C to the CUCM.
- Another type of zone is the “DNS zone”: if it is not configured, the Expressway cannot query the DNS server for name or service record resolution, which is needed to establish a connection with a specific domain over the internet.

- Now a traversal zone between the two Expressways should be configured so that they can communicate and allow inbound and outbound calls to traverse the NAT device.
- First go to Protocols through the path below on both Expressways and enable SIP, as shown below, since there are only SIP connections in this implementation (if there are H.323 connections, H.323 is enabled as well). The same configuration is applied on Expressway E.
Configuration >>> Protocols >>> SIP

- After that, the SIP status will be as shown below.

- Then on Expressway E, go to Configuration >>> Authentication >>> Local database and configure a username and password, as shown below, for Expressway C to connect to Expressway E: Expressway C is the traversal client and Expressway E is the traversal server.

- Then a traversal zone will be created on Expressway C, but before that, let's look at the different types of zones and subzones before creating them on the Expressway.
- There is something called the local zone, which is the Expressway itself; this local zone is broken up into logical components as shown below.

- On Expressway C, go to Configuration >>> Zones >>> Zones in order to
configure a traversal zone as shown below.

- On Expressway E, a zone is created in the same way with the same configuration as on Expressway C, but with additional configuration in the SIP part, as shown below.
- If the certificates have been done correctly and the two Expressways trust each other, the created traversal zone will show as “Active” on the Expressway, as shown below.


- On Expressway C, go to Configuration >>> Unified Communications >>> Unified CM servers to add the Call Manager servers as shown below.

- Then you will find the integration from the Expressway side to the CUCM publisher and subscriber, as shown below.
- The same configuration steps are done to integrate Expressway C with the IM&P server.

SRV & A records

SRV record
- The first thing Jabber does when it logs in is send an HTTP request to the Webex messenger URL (Service Domain) to check whether the domain is registered on the cloud. If it is not found, Jabber sends DNS queries for Cisco UDS; if that is not found, for CUP login; and if that is not found, for Collab edge (Voice Service Domain), as shown below.

- In the hybrid deployment, it is recommended that the Service Domain be different from the Voice Service Domain, as shown below.
- In this case, the user tries to log in to Jabber through the internet using the Service Domain; Cisco Webex finds this domain, authenticates it and then sends back to Jabber the Voice Service Domain that is required to log in with.

- Below is the configuration file sent back from the Webex cloud to Jabber, which shows the Voice Service Domain that Jabber will use for service discovery.

- SRV record for Collab edge on the external DNS server should be created as
shown below.
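The lookup order and the hybrid redirection described above, as an added example that is not from the original slides or from Cisco: a Python model of Jabber service discovery over a constructed DNS table and a constructed Webex domain mapping, using the real SRV names _cisco-uds._tcp, _cuplogin._tcp and _collab-edge._tls, with “ine-cloud.example” as an assumed Service Domain.

```python
# Constructed tables stand in for the external DNS server and for the Webex messenger
# lookup; pass a real SRV resolver to discover() for a live check (the stdlib has none).
SRV_RECORDS = {   # record name -> [(priority, weight, port, target)], as on the external DNS
    "_collab-edge._tls.ine.com": [(10, 10, 8443, "coedge.ine.com")],
}
WEBEX_SERVICE_DOMAINS = {"ine-cloud.example": "ine.com"}   # Service Domain -> Voice Service Domain

# The order Jabber tries once the domain is not handled purely by the cloud
DISCOVERY_ORDER = [
    ("_cisco-uds._tcp.", "Cisco UDS (CUCM, answered only by the internal DNS)"),
    ("_cuplogin._tcp.", "CUP login (IM and Presence)"),
    ("_collab-edge._tls.", "Collab edge (Expressway E, MRA)"),
]

def pick_srv_target(records):
    """Lowest priority wins; among equal priorities take the highest weight (deterministic pick;
    a real client chooses among equal priorities randomly, weighted)."""
    best = min(records, key=lambda r: (r[0], -r[1]))
    return best[3], best[2]

def discover(service_domain, resolve_srv=None, cloud=WEBEX_SERVICE_DOMAINS):
    """Reproduce Jabber service discovery: return the record that answered, or the error
    a user sees when no SRV record exists for the domain."""
    resolve_srv = resolve_srv or (lambda name: SRV_RECORDS.get(name, []))
    # Step 1: the Webex messenger check on the Service Domain. A hybrid domain is known to
    # the cloud, which hands back the Voice Service Domain used for the SRV queries below.
    voice_domain = cloud.get(service_domain, service_domain)
    for prefix, label in DISCOVERY_ORDER:
        name = prefix + voice_domain
        records = resolve_srv(name)
        if records:
            target, port = pick_srv_target(records)
            return {"record": name, "service": label, "target": target, "port": port}
    return {"record": None,
            "error": f"Domain does not exist for DNS record: no SRV record found for {voice_domain}"}

if __name__ == "__main__":
    for domain in ("ine.com", "ine-cloud.example", "nowhere.example"):
        print(domain, "->", discover(domain))
```

Running the same function with a resolver that answers _cisco-uds._tcp (the internal DNS) shows why a client on the LAN never reaches Expressway E, while the external table only ever answers for Collab edge.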

A record
- An A record is the translation of the FQDN to an IP address; an A record is configured on the external DNS server as shown below.

MRA access


- Now you can log in Jabber successfully as shown below.

Troubleshooting & Logs

1) Domain does not exist for DNS record:
The error below appears when the SRV record for the Expressway E FQDN is not configured on the DNS server.

Solution:
The SRV record for the Expressway E FQDN should be created on the DNS server as shown in slide 44.

2) Cannot communicate with the server:
To troubleshoot the error below, ask the user for the time he/she tried to log in and got this error, so that you can check the event log as shown in the next slide.

If you check the event log through the path below, you will find in the screenshot below that access is denied because MRA is not supported, which means that the authentication between Expressway C and Expressway E is not happening.
Status >>> Logs >>> Event Log

Solution:
To resolve this issue, check the MRA Access Control on Expressway C and make sure that the configuration is as in slide 26.

3) Jabber phone settings failure:
The error below may appear, for example, if TCP mode in the SIP configuration on Expressway C or E is turned off. To confirm the reason for the error, generate a problem report from Cisco Jabber; you will notice a message in the report stating “Connection mode TCP failed”.

Solution:
Set TCP mode in the SIP configuration on Expressway C or E to “On”; follow the path below to reach the SIP configuration.
Configuration >>> Protocols >>> SIP

4) Blocked ports on the firewall, or traffic not reaching the firewall ports from Expressway E:
This issue is caused when the TLS and/or TCP ports are blocked on the firewall, or when no traffic reaches the firewall from Expressway E on those ports. It also leads to a failure of the phone services in Jabber. To troubleshoot, check the Event log on the Expressway as well. As shown below, you will find the messages “Inbound TLS Negotiation Error” and “Sending HTTP error response” in the logs, which mean that there is an issue with TLS and TCP.

In this case, check the TCP and TLS settings in the SIP configuration on the Expressways and make sure that they are “On”. If they are already on, you can telnet from the PC on which Jabber is installed to the Expressway E FQDN on the firewall ports, as shown below, to make sure that the traffic is not blocked and that the ports are open on the firewall.

• C:\>telnet edge.kayreach.com 8443
Connecting To edge.kayreach.com...Could not open connection to the host, on port 8443: Connect failed >>> TCP (HTTP proxy (UDS))
• C:\>telnet edge.kayreach.com 5222
Connecting To edge.kayreach.com...Could not open connection to the host, on port 5222: Connect failed >>> TCP (XMPP (IM and Presence))
• C:\>telnet edge.kayreach.com 5061
Connecting To edge.kayreach.com...Could not open connection to the host, on port 5061: Connect failed >>> TLS (SIP signaling)


Solution:
Turn on the TCP and TLS on the SIP configuration on Expressway
or ask the team who is managing the Firewall to open these
ports.
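The telnet checks above, as an added Python example that is not part of the original slides: it separates “Connect failed” (TCP blocked on the firewall) from a failed TLS negotiation on the port that needs TLS, which is the distinction the Event log messages above point at. Two constructed local listeners stand in for Expressway E so the check can be exercised without access to a real one.

```python
import socket
import ssl
import threading

# Expressway E ports from the telnet checks above: port -> (service, TLS handshake expected)
EXPRESSWAY_E_PORTS = {
    8443: ("HTTP proxy (UDS)", False),
    5222: ("XMPP (IM and Presence)", False),
    5061: ("SIP signaling", True),
}

def check_port(host, port, needs_tls, timeout=3.0):
    """'ok' when reachable, 'tcp_failed' when the connect fails, 'tls_failed' when TCP works but TLS does not."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_failed"      # blocked on the firewall, or traffic never reaches Expressway E
    try:
        if needs_tls:
            # Handshake only: reachability is the question here, certificate trust was handled earlier
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        return "ok"
    except Exception:
        return "tls_failed"      # the client-side view of "Inbound TLS Negotiation Error"
    finally:
        sock.close()

def check_expressway_e(host, ports=EXPRESSWAY_E_PORTS):
    return {port: (svc, check_port(host, port, tls)) for port, (svc, tls) in ports.items()}

# --- constructed local stand-ins so the check can be exercised without a real Expressway E
def start_plain_listener():
    """Accept one TCP connection and close it: TCP reachable, but it never speaks TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_local_port():  # a port nobody listens on, to reproduce the "Connect failed" case
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Against a real deployment, `check_expressway_e("edge.example")` with the public FQDN of Expressway E reports the three ports at once; a `tcp_failed` result is a firewall or routing question, a `tls_failed` on 5061 points at the SIP TLS setting or the certificates.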

Thank you
