Deploying B2B URI Dialing with Cisco UC Manager and VCS Expressway Solution


Presenters: Kevin Roarty, Technical Marketing Engineer; John Burnett, Technical Marketing Engineer

Abstract

With the 9.0 release of Cisco Unified Communications Manager, SIP URI dialing is now a mainstream feature that is easy to deploy within the enterprise. URI dialing also enables elegant business reachability for voice + video or voice alone over the internet. But how does a typical Cisco UC Manager voice deployment enable internet-facing URI dialing? And how can you enable this reachability without compromising your voice environment? This session will cover the steps required to enable URI dialing on Cisco UC Manager, including the integration with the VCS Expressway solution, emphasizing secure deployment considerations every step along the way.

Associated Sessions
- BRKEVT-2319 Business to Business Video
- BRKUCC-2008 Enterprise Dial Plan Fundamentals
- BRKUCC-3000 Advanced Dial Plan Design for Unified Communications Networks
- BRKUCC-2501 Cisco UC Manager Security
- BRKEVT-2801 Cisco TelePresence: best practices for call control integration

Agenda
- Reference Architecture and Targeted Call Flows
- Enabling SIP URI dialing in UCM, plus SIP trunk
- VCS Control Setup, including UCM neighbor zone
- Expressway Setup
- Define the Security Threats, discuss expanded attack surface
- Protecting your environment with security in layers
- Q & A
Targeting 40 content slides

Laying the groundwork

Standards Based Voice and Video Federation: Unified Call Control Reference Architecture
(Diagram. Inside firewall (intranet): UCM, VCS Control, on-premise endpoints. DMZ: VCS Expressway. Outside firewall (public internet): Internet, EX90 @ Partner, SIP Phones @ Partner, EX90 @ Home, Collaboration Services.)

Call Flows in Focus (1 of 2)
(Same diagram.) B2B SIP URI call between an on-premise endpoint and the partner's video endpoint.

Call Flows in Focus (2 of 2)
(Same diagram.) B2B SIP URI call between a remote endpoint registered to VCS Expressway and the partner's video endpoint.

UCM and VCS Versions
- UCM 9.1.1
- VCS X7.2

SIP URI dialing in UCM

UCM Trivia Question: True or False
- UCM 8.6 supports SIP URI dialing and routing? True
- UCM 8.6 allows endpoints to register with an alphanumeric SIP URI? False
- UCM 8.6 allows local endpoints to be reached by alphanumeric SIP URI? False
- UCM 9.0 supports SIP URI dialing and routing? True
- UCM 9.0 allows endpoints to register with an alphanumeric SIP URI? False
- UCM 9.0 allows local endpoints to be reached by alphanumeric SIP URI? True

SIP URI in UCM (e.g. john.doe@example.com)
- UCM treats URIs as aliases for directory numbers (DNs)
- Endpoints have no notion of their associated URI(s); they still register with a DN
- A call to a URI behaves as if the call was made directly to the DN
- Calls from an endpoint will include a URI in the caller ID if one is assigned to the DN
- A call from an endpoint always includes the DN in the caller ID so it can be presented to a device that doesn't support URIs, and those devices can return the call

UCM SIP URI Overlay Dial Plan
- The URI dial plan overlays the existing (and still required) numeric dial plan
- Each DN can have up to 5 SIP URI aliases
- Each DN with a SIP URI has a primary SIP URI for caller ID purposes
Benefits of the URI overlay:
- All UCM endpoints are reachable at a SIP URI: SIP, SCCP, analog
- Not all IP phones can dial SIP URIs, but speed dials are an option
- Use a SIP alpha URI for the SNR remote destination

Import and Assign SIP URIs
How do I add SIP URIs to my existing dial plan?
- Easiest approach is via LDAP Directory Integration
- Recommendation is to map the mail attribute to Directory URI
- Issue with the msRTCSIP attribute: CSCub73272
- Set the end user's primary line, if not already set, to associate the Directory URI with a DN
Other URI import options include:
- Bulk Administration Tool
- AXL API
- Manual update on the DN page

UCM Directory URI Partition
- End User Directory URIs are added to the Directory URI partition
- The Directory URI partition needs to be included in the dial plan by either adding the partition to existing Calling Search Spaces, or aliasing the Directory URI partition to an existing partition

UCM SIP Profile for SIP Endpoints
- The SIP Profile for endpoints should be set to Use Fully Qualified Domain Name in SIP Requests
- If this parameter is not enabled, the endpoint might end up with a strange-looking connected party ID instead of the dialed URI
- Avoid this: john.doe@10.2.10.5

UCM SIP Profile for SIP Trunk
- Start by copying the Standard SIP Profile For Cisco VCS
- The SIP Profile should be set to Use Fully Qualified Domain Name in SIP Requests
- The SIP Profile can be configured for different dial string interpretation settings
- SIP OPTIONS ping enabled

UCM SIP Trunk
- Integration point with VCS Control
- Recommendation is to set the Calling and Connected Party Info Format to Deliver URI only in connected party, if available
- Associate the SIP Trunk Profile created for VCS
- Configure the trunk with one or more VCS Control IP addresses
- Set an appropriate CSS allowing inbound access to local URIs

UCM SIP Route Patterns
- Use the SIP Route Pattern's Domain Routing option
- The * character is a wildcard, matching all numbers, alpha characters, '.' and '-'
- Simplest approach is using the * pattern to match any domain; good for a default route to VCS
- Option to route/block using more specific patterns (*.com, cisco.com, *.org, *.xxx)
- Starting with UCM 9, SIP Route Patterns can utilize a SIP Trunk or a Route List

Enterprise Parameters of Interest
- URI Lookup Policy controls case-sensitive treatment of URIs; the default is case sensitive, per RFC 3261; suggest Case Insensitive
- Specify an Organization Top Level Domain (OTLD) to allow end users to dial only the user portion of a URI (left-hand side)
- Also include the Cluster Fully Qualified Domain Name(s) to allow routing to numeric URIs
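The SIP Route Pattern and Enterprise Parameter slides above describe how a dialed URI is resolved; the following Python model, added here as an example and not Cisco code, puts those pieces together: OTLD expansion of a user-only dial string, the URI Lookup Policy case handling, the Directory URI overlay (a URI is an alias for a DN), the partition and Calling Search Space check, and SIP Route Pattern domain routing where '*' matches any run of letters, digits, '.' and '-'. Treating the most specific (longest literal) matching pattern as the winner is an assumption made for this example; all users, DNs, URIs, partition, CSS and trunk names are constructed.

```python
"""Model of how Unified CM resolves a dialed SIP URI (added example, not Cisco
code).  Longest-literal route pattern wins is an assumption; all sample data
is constructed."""
import re
from dataclasses import dataclass


@dataclass
class Dialplan:
    otld: str                        # Enterprise Parameter: Organization Top Level Domain
    uri_lookup_case_sensitive: bool  # Enterprise Parameter: URI Lookup Policy (RFC 3261 default: True)
    directory_uris: dict             # (partition, directory URI) -> DN it aliases
    sip_route_patterns: list         # (partition, domain pattern, "route" | "block", target)
    css: dict                        # Calling Search Space name -> list of partitions

    def _expand(self, dialed: str) -> str:
        # With an OTLD set, users may dial only the user part; append the OTLD.
        return dialed if "@" in dialed else f"{dialed}@{self.otld}"

    def _uri_equal(self, a: str, b: str) -> bool:
        return a == b if self.uri_lookup_case_sensitive else a.casefold() == b.casefold()

    @staticmethod
    def pattern_to_regex(pattern: str):
        # '*' is the only wildcard in SIP Route Pattern domain routing and it
        # matches letters, digits, '.' and '-'; everything else is literal.
        literal_parts = [re.escape(p) for p in pattern.split("*")]
        return re.compile("^" + "[A-Za-z0-9.-]*".join(literal_parts) + "$", re.IGNORECASE)

    def route(self, dialed: str, caller_css: str):
        """Return ("local", DN), ("route", trunk), ("block", None) or ("unroutable", None)."""
        uri = self._expand(dialed)
        visible = self.css[caller_css]
        # 1. Directory URI overlay: a hit behaves exactly like a call to the DN.
        for (partition, alias), dn in self.directory_uris.items():
            if partition in visible and self._uri_equal(alias, uri):
                return ("local", dn)
        # 2. SIP Route Patterns on the domain part, most specific pattern first
        #    (assumption for this example).
        domain = uri.split("@", 1)[1]
        candidates = [p for p in self.sip_route_patterns if p[0] in visible]
        candidates.sort(key=lambda p: len(p[1].replace("*", "")), reverse=True)
        for _partition, pattern, action, target in candidates:
            if self.pattern_to_regex(pattern).match(domain):
                return (action, target)
        return ("unroutable", None)


# Constructed sample dial plan: LDAP-synced Directory URIs, a default '*' route
# to the VCS trunk and two block patterns, all in a partition that only
# B2B-enabled users can see.
SAMPLE = Dialplan(
    otld="example.com",
    uri_lookup_case_sensitive=False,   # the deck suggests Case Insensitive
    directory_uris={
        ("Directory URI", "john.doe@example.com"): "2001",
        ("Directory URI", "jane.roe@example.com"): "2002",
    },
    sip_route_patterns=[
        ("B2B-URI", "*", "route", "SIPTrunk-to-VCS"),
        ("B2B-URI", "*.xxx", "block", None),
        ("B2B-URI", "blocked-partner.org", "block", None),
    ],
    css={
        "Users-B2B": ["Directory URI", "B2B-URI"],
        "Users-Internal": ["Directory URI"],   # no route pattern partition: no internet reach
    },
)


def lookup_policy_effect(dialed: str = "John.Doe"):
    """Same dial string under Case Insensitive (SAMPLE) and Case Sensitive policy.
    Under the strict policy a capitalisation difference misses the local alias
    and the '*' pattern sends the call out the VCS trunk instead."""
    strict = Dialplan(**{**SAMPLE.__dict__, "uri_lookup_case_sensitive": True})
    return SAMPLE.route(dialed, "Users-B2B"), strict.route(dialed, "Users-B2B")


if __name__ == "__main__":
    for dialed, css in [("John.Doe", "Users-B2B"), ("bob@partner.com", "Users-B2B"),
                        ("x@spam.xxx", "Users-B2B"), ("bob@partner.com", "Users-Internal")]:
        print(dialed, css, "->", SAMPLE.route(dialed, css))
    print(lookup_policy_effect())
```

The last function is the reason the deck suggests a case-insensitive lookup policy: with the strict policy a dial string that differs only in capitalisation from a local Directory URI misses the alias, falls through to the '*' pattern and leaves the cluster over the VCS trunk, which is exactly the kind of unintended off-net routing the segmentation slides later warn about.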

VCS enabling video federation and remote access

VCS Trivia Question: True or False
- Did version X2.0 of VCS support URI dialing? True
- The VCS only supports URI dialing for SIP registered endpoints. False
- The VCS only supports URI dialing for IPv4 based endpoints. False
- URI dialing via DNS is the best way to reach all endpoints globally. True
- The VCS cannot provide B2B video for immersive TIP based calls. False
- The VCS can enforce security for all SIP URI based calls. True

VCS Zone Configuration
(Screenshot of zone settings: signaling port, transport protocol, neighbor information, neighbor availability status, profile for different integrations)

SIP Trunk with OPTIONS Ping
(Diagram: Unified CM sends an OPTIONS ping to each Cisco VCS node; a node answers with a 200 OK, or with 408/503, or not at all)
- OPTIONS ping is used to test reachability of trunk destinations
- Trunk destination is In-Service if a response is received
- Trunk destination is Out-of-Service on 408 Request Timeout, 503 Service Unavailable, or no response
- Calls from CUCM are not sent to out-of-service servers
- Avoids SIP message retries and timeouts
- Can be used for all nodes in the trunk: DNS SRV queries and all hosts of the SRV responses
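The reachability logic on the OPTIONS ping slide, written out as an added Python example (not Cisco code): every destination of a SIP trunk (each configured address, or each host returned for a DNS SRV name) is tracked on its own, a response other than 408 or 503 marks it In-Service, a 408, 503 or no answer marks it Out-of-Service, and a new call is only offered to In-Service destinations. Host names and the SIP responses below are constructed.

```python
"""Per-destination OPTIONS ping state tracking for a SIP trunk (added
example, not Cisco code).  Host names and SIP messages are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

IN_SERVICE = "in-service"
OUT_OF_SERVICE = "out-of-service"
DOWN_CODES = {408, 503}   # the codes the slide lists as out-of-service


@dataclass
class TrunkDestination:
    host: str
    port: int = 5060
    state: str = OUT_OF_SERVICE    # treated as down until a response is seen
    last_status: Optional[int] = None


def parse_status_code(raw: str) -> Optional[int]:
    """Status code from a SIP response's status line, None if not a response."""
    status_line = raw.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0"):
        return None
    return int(parts[1]) if parts[1].isdigit() else None


class OptionsPingTrunk:
    """Tracks OPTIONS ping results for all destinations of one SIP trunk."""

    def __init__(self, hosts: List[str]):
        self.destinations: Dict[str, TrunkDestination] = {h: TrunkDestination(h) for h in hosts}

    def on_response(self, host: str, raw_response: str) -> str:
        dest = self.destinations[host]
        code = parse_status_code(raw_response)
        dest.last_status = code
        # A response means the node is alive, except for the two codes that
        # explicitly say it cannot take calls; an unparseable reply is treated
        # as no response (assumption for this example).
        dest.state = OUT_OF_SERVICE if code is None or code in DOWN_CODES else IN_SERVICE
        return dest.state

    def on_timeout(self, host: str) -> str:
        """Called when the ping timer expires without any reply."""
        dest = self.destinations[host]
        dest.last_status = None
        dest.state = OUT_OF_SERVICE
        return dest.state

    def call_targets(self) -> List[str]:
        """Destinations a new INVITE would be offered to, in configured order."""
        return [d.host for d in self.destinations.values() if d.state == IN_SERVICE]


# Constructed OPTIONS ping responses (headers trimmed to what the logic reads).
RESPONSE_200 = "SIP/2.0 200 OK\r\nVia: SIP/2.0/TCP cucm1.example.com:5060\r\nContent-Length: 0\r\n\r\n"
RESPONSE_408 = "SIP/2.0 408 Request Timeout\r\nVia: SIP/2.0/TCP cucm1.example.com:5060\r\nContent-Length: 0\r\n\r\n"
RESPONSE_503 = "SIP/2.0 503 Service Unavailable\r\nVia: SIP/2.0/TCP cucm1.example.com:5060\r\nContent-Length: 0\r\n\r\n"


def demo() -> List[str]:
    """Two VCS Control nodes behind one trunk: one healthy, one returning 503."""
    trunk = OptionsPingTrunk(["vcsc1.example.com", "vcsc2.example.com"])
    trunk.on_response("vcsc1.example.com", RESPONSE_200)
    trunk.on_response("vcsc2.example.com", RESPONSE_503)
    return trunk.call_targets()


if __name__ == "__main__":
    print(demo())
```

Starting every destination as Out-of-Service until the first ping succeeds is the conservative choice: a misconfigured or unreachable VCS node never receives an INVITE and the caller never waits out the SIP retransmission timers the slide mentions.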

VCS Advanced Zone Profile
(Screenshots: the optimized zone profile settings for Cisco Unified Communications Manager, and the current Custom option. Fields shown: SIP signaling, SIP INVITE, SIP-based presentation channel; the other listed options are shown as Off.)

VCS Search Rule Configuration (VCS Control dial plan setup)
(Screenshot of search rule fields: priority, pattern mode, pattern behavior, continue or stop, destination zone)

VCS Transform Configuration (VCS Control dial plan setup)
(Screenshot of transform fields: priority, pattern string, pattern behavior, replacement string)

VCS Expressway Traversal Client Zone
(Screenshot of traversal client zone fields: traversal type, traversal username, traversal password, traversal port (unique), media encryption mode)

VCS Expressway Traversal Server Zone
(Screenshot of traversal server zone fields: traversal type, traversal username, traversal port (unique), media encryption mode)

VCS Expressway DNS Zone
(Screenshot of DNS zone fields: zone type, H.323 mode, media encryption mode, address of record)

How VCS Expressway Firewall Traversal Works
(Diagram: endpoint A on the inside network, VCS Control inside, VCS Expressway in the DMZ, endpoint B on the internet)
1. No inbound ports need to be opened on the internal firewall to VCS Control, minimizing any potential attack area
2. VCS Control initiates an outbound connection through the firewall to VCS Expressway using secure login credentials
3. VCS Control sends keep-alive packets to the VCS Expressway to maintain the connection through the firewall
4. When VCS Expressway receives an incoming call, it issues an incoming call request to VCS Control
5. The VCS Control then initiates the connection to the endpoint
6. The call is established and media traverses the firewall securely

Once again from the inside out, this time focusing on security

Security Threats
- Eavesdropping: listening to or recording data without approval
- Denial of Service (DoS) or Distributed Denial of Service (DDoS): flooding the bandwidth or resources of a targeted system
- Impersonation: attempting to be something or someone that you are not
- Modification: RTP stream mixing/insertion
- Toll fraud: making calls that the users are not approved to make, usually long distance calls
- SPIT: calls that generate annoyance for users and lower productivity
- What else?

Unified CM Dial Plan Segmentation: Partitions for SIP URIs
What if you don't want all end users to be reachable from the internet by their SIP URI?
- SIP URI import via LDAP sync results in all URIs landing in the default Directory URI partition
- Directory URIs are associated with a user, and also with a DN when the user has a primary line configured
- SIP URIs can also be directly assigned to DNs
- When directly assigned to a DN, the SIP URIs can reside in any partition
- Multiple options on how to import URIs, including which partition they reside in
- Don't forget about the Directory URI Alias Partition Enterprise Parameter

Unified CM Dial Plan Segmentation: Calling Search Spaces and Service Parameters
- The SIP Trunk CSS allows you to shield gateways, conferencing resources, messaging applications, etc.
- Verify that existing partitions in the dial plan offer enough segmentation
- Consider creating a new CSS specifically for the VCS SIP Trunk inbound traffic
- If necessary, create a second SIP Trunk to VCS on a different port, with a CSS specifically for B2B traffic and a new SIP Trunk Security Profile
- Consider Time of Day routing to deactivate segments of the dial plan after hours
- Drop Ad Hoc Conferences and Block OffNet to OffNet Transfer (Service Parameters)
- Don't forget to monitor Call Detail Records
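The slide closes with "monitor Call Detail Records"; the following Python pass, added here as an example and not Cisco code, shows what that monitoring can look like for the toll-fraud indicators the segmentation slides are guarding against: calls that entered on the VCS SIP trunk and left through a PSTN gateway (OffNet to OffNet), and long-distance calls placed to the gateway after hours. The column names are standard CUCM CDR field names; the rows, device names, dial prefixes and business hours are constructed.

```python
"""Toll-fraud indicator checks over Unified CM CDR rows (added example, not
Cisco code).  Column names are CUCM CDR fields; all row data is constructed."""
import csv
import io
from datetime import datetime, timezone
from typing import List, Tuple

# Constructed CDR extract (subset of columns); dateTimeOrigination is epoch UTC.
SAMPLE_CDR = """cdrRecordType,dateTimeOrigination,callingPartyNumber,originalCalledPartyNumber,origDeviceName,destDeviceName,duration
1,1362657600,2001,2002,SEP001122334455,SEP001122334466,120
1,1362682800,bob@partner.com,9011441234567890,SIPTrunk-to-VCS,H323GW-PSTN,840
1,1362693600,2001,915551234567,SEP001122334455,H323GW-PSTN,300
1,1362650400,2003,9011331234567890,SEP001122334477,H323GW-PSTN,60
"""

TRUNK_DEVICES = {"SIPTrunk-to-VCS"}      # constructed: inbound B2B entry points
GATEWAY_DEVICES = {"H323GW-PSTN"}        # constructed: toll-bearing exits
LONG_DISTANCE_PREFIXES = ("9011", "91")  # constructed NANP-style access codes
BUSINESS_HOURS = (8, 18)                 # [start, end) hour, evaluated in UTC here


def load_cdrs(text: str) -> List[dict]:
    """Parse a CDR CSV export into one dict per record."""
    return list(csv.DictReader(io.StringIO(text)))


def suspicious_calls(rows: List[dict]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """(calling, called, reasons) for every row that trips at least one rule."""
    findings = []
    for row in rows:
        reasons = []
        to_gateway = row["destDeviceName"] in GATEWAY_DEVICES
        # Rule 1: entered on a trunk and left via a gateway, i.e. OffNet to OffNet,
        # which the trunk CSS and the Block OffNet to OffNet Transfer parameter
        # should have prevented.
        if row["origDeviceName"] in TRUNK_DEVICES and to_gateway:
            reasons.append("offnet-to-offnet")
        # Rule 2: long-distance or international to the gateway outside business
        # hours, the window Time of Day routing is meant to close.
        when = datetime.fromtimestamp(int(row["dateTimeOrigination"]), tz=timezone.utc)
        long_distance = row["originalCalledPartyNumber"].startswith(LONG_DISTANCE_PREFIXES)
        after_hours = not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1])
        if to_gateway and long_distance and after_hours:
            reasons.append("after-hours-long-distance")
        if reasons:
            findings.append((row["callingPartyNumber"], row["originalCalledPartyNumber"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in suspicious_calls(load_cdrs(SAMPLE_CDR)):
        print(finding)
```

A hit on the first rule is worth more attention than the second: it means a caller who arrived unauthenticated over the B2B trunk reached a toll-bearing gateway, so the trunk's CSS or the OffNet-to-OffNet service parameter is not doing what the slide expects.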

Unified CM Dial Plan Segmentation: SIP Route Patterns
Can I limit what domains my end users can and cannot call directly on UCM?
- A * wildcard SIP Route Pattern routing to the VCS SIP trunk, in a route partition accessible to end users, provides access to any domain
- SIP Route Patterns can also be set to block outbound calls to specific or wildcard domains
How can I support HA B2B reachability?
- SIP Route Patterns now support a Route List if there is a need to route to multiple VCS clusters with 2 or more trunks
- Or a SIP Route Pattern pointing directly at a SIP Trunk defined with multiple VCS nodes

Unified CM SIP Trunk Security
Interested in end-to-end encryption on B2B calls?
- UCM needs to be in mixed mode to support secure endpoints
- Upload the VCS certificates to CallManager-Trust
- Create a SIP Trunk Security Profile specifically for the VCS trunk, using Encrypted mode and including the VCS X.509 certificate subject name(s)
- Generally not advisable to allow SRTP if not using TLS

Unified CM TelePresence Encryption Support
- C/SX/EX/MX Series endpoints: the TE6.0 and TC6.0 firmware updates allow the following security features when registered to CUCM
- Support for CTL, CAPF, LSC
- Encrypted SIP signaling
- SRTP for audio and video streams
- Compatible with CUCM 8.6.2+

Security in Video (Layered)
(Diagram of the security layers along the call path, inside out: endpoint hardening and secure conferencing on the MCU with H.235/AES-128 and SRTP/SDES; SIP-TLS and H.323 from endpoints to the VCS Control traversal client zone with VCS encryption Auto; through the firewall to the VCS Expressway traversal server zone with VCS encryption On; on the internet SIP-TLS, H.323 ASSENT and H.460.18/19; CUCM trunks and endpoints configured for security with SIP-TLS and SRTP/SDES; HTTPS to TMS, with TMS strong security or JITC mode.)

VCS Secure Device Authentication
- The VCS supports local database authentication, H.350 extended LDAP directory, and Active Directory authentication for Jabber Video (Movi)
- Endpoints can be authenticated for registration and provisioning
- Endpoints are authenticated with name and password if using the local database
- Endpoints are authenticated with username, authentication credentials (generated from the password), and alias when using an H.350 directory
- Use TLS to encrypt the connection to any external LDAP server

VCS Call Authentication
- Allow all calls through but differentiate between authenticated and unauthenticated calls
- Set Do Not Check Credentials on the VCS Expressway Default Zone; this ensures all calls from outside your organization come through as unauthenticated, and any P-Asserted-Identity headers are stripped
- Set specific search rules for any valued resources such as an ISDN gateway (toll fraud)
- Use CPL rules to block unauthenticated access to valued resources
- Set authentication in the specific search rule to Check Credentials

VCS Call Authentication (continued)
- Use authentication for all registered devices in the configured subzone
- Set specific membership rules in the subzone where possible
- Turn off registration to the Default Subzone
- Use Registration Allow rules to specify who can register
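The two VCS Call Authentication slides above describe a policy rather than a configuration screen, so here it is as an added Python model (not Cisco code): calls arriving in a zone set to Do Not Check Credentials (the Expressway Default Zone) are treated as unauthenticated and any P-Asserted-Identity header they carry is stripped; a search rule toward a valued resource such as an ISDN gateway admits only authenticated callers, which is the effect of the CPL rule the slide mentions; and a registration is admitted only if it passes the Registration Allow List and lands in a subzone with a matching membership rule, with the Default Subzone closed. Zone, subzone, rule, alias and header values are constructed, and alias regexes stand in for the VCS membership and allow-list syntax.

```python
"""VCS call and registration authentication policy model (added example, not
Cisco code).  All zones, rules, aliases and headers are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Zone:
    name: str
    check_credentials: bool      # "Check credentials" vs "Do not check credentials"


@dataclass
class SearchRule:
    priority: int
    alias_pattern: str           # regex against the destination alias
    target_zone: str
    require_authenticated: bool = False   # valued resources: authenticated callers only


@dataclass
class Call:
    source_zone: Zone
    destination: str
    headers: Dict[str, str] = field(default_factory=dict)
    credentials_valid: bool = False


def classify(call: Call) -> Tuple[bool, Dict[str, str]]:
    """Authenticated flag plus the headers that survive the source zone's policy."""
    if not call.source_zone.check_credentials:
        # Outside callers cannot assert an identity the VCS never verified.
        stripped = {k: v for k, v in call.headers.items() if k.lower() != "p-asserted-identity"}
        return False, stripped
    return call.credentials_valid, dict(call.headers)


def route(call: Call, rules: List[SearchRule]) -> Tuple[str, str, Dict[str, str]]:
    """("routed"|"rejected"|"not-found", target zone or reason, forwarded headers)."""
    authenticated, headers = classify(call)
    for rule in sorted(rules, key=lambda r: r.priority):
        if re.fullmatch(rule.alias_pattern, call.destination, re.IGNORECASE):
            if rule.require_authenticated and not authenticated:
                return "rejected", "unauthenticated access to " + rule.target_zone, headers
            return "routed", rule.target_zone, headers
    return "not-found", "", headers


@dataclass
class Subzone:
    name: str
    membership_pattern: str      # regex on the registering alias (stands in for a membership rule)
    registration_allowed: bool


def admit_registration(alias: str, subzones: List[Subzone], allow_list: List[str]) -> Tuple[bool, str]:
    """Registration Allow List first, then the first subzone whose membership rule
    matches; aliases that match no subzone land in the Default Subzone, closed here."""
    if not any(re.fullmatch(p, alias, re.IGNORECASE) for p in allow_list):
        return False, "not on Registration Allow List"
    for sz in subzones:
        if re.fullmatch(sz.membership_pattern, alias, re.IGNORECASE):
            return sz.registration_allowed, sz.name
    return False, "Default Subzone (registration off)"


# Constructed configuration: the gateway rule sits at a higher priority (lower
# number) than the catch-all so the general rule can never shadow it.
DEFAULT_ZONE = Zone("Default Zone", check_credentials=False)
TRAVERSAL_ZONE = Zone("Traversal Zone", check_credentials=True)
RULES = [
    SearchRule(10, r"[0-9]{10,}@example\.com", "ISDN Gateway", require_authenticated=True),
    SearchRule(20, r".+@example\.com", "CUCM Neighbor Zone"),
]
SUBZONES = [Subzone("Staff", r".+@example\.com", registration_allowed=True)]
ALLOW_LIST = [r".+@example\.com"]


if __name__ == "__main__":
    outside = Call(DEFAULT_ZONE, "15551234567@example.com",
                   {"P-Asserted-Identity": "<sip:ceo@example.com>"})
    print(route(outside, RULES))
    print(route(Call(DEFAULT_ZONE, "john.doe@example.com"), RULES))
    print(admit_registration("alice@example.com", SUBZONES, ALLOW_LIST))
```

The numeric-alias rule is the one that matters for toll fraud: an unauthenticated internet caller can still reach a user's URI, but a PSTN-looking destination is refused before it ever reaches the gateway, and whatever identity the caller asserted in P-Asserted-Identity is not forwarded inward.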

Active FW/NAT Traversal
VCS firewall traversal (recommended, most secure)
(Diagram: endpoint A behind a FW/NAT on a private IP address, VCS Control, FW/NAT, VCS Expressway, the internet, endpoint B)
- No inbound ports need to be opened on the internal firewall
- Expressway in the DMZ is allowed to have a non-public/private IP address
- Static NAT on VCS Expressway requires the Dual Network Interface option
- Minimize inbound ports to the documented ranges that need to be opened through the public-facing firewall
- Endpoints can register directly to VCS Expressway
- Non-registered endpoints can send calls to VCS Expressway

Secure Signaling and Media: Expressway Media Encryption (RTP to SRTP)
- Auto: no media encryption policy applied by the VCS
- Best Effort: use encryption if available, otherwise fall back to unencrypted
- Force Encrypted: all media must be encrypted
(Diagram: call path from external endpoint A through VCS Expressway and VCS Control to Unified CM, with TLS and TCP signaling legs and per-zone media encryption modes of On, Force Encrypted and Best Effort, so that media is SRTP on the encrypted legs and RTP on the unencrypted leg)

Configuring Security on the VCS Side
- SIP port for TLS: active on port 5061
- Generate a CSR
- Register a secure endpoint

VCS Secure Administrative Best Practices
- HTTP, HTTPS, Telnet, SSH and SNMP are all protocols used to manage and monitor the VCS
- Set up remote account authentication for AD authentication of admin user access to the VCS
- Use TLS and Secure LDAP (port 636) for an encrypted connection to the AD server
- If web access is desirable to administer the VCS, disable HTTP and use HTTPS
- Load PKI certificates for HTTPS
- Enable CRLs and HTTPS client certificate validation
- Use firewall rules in the VCS to restrict access to the VCS to specific IP addresses or IP address ranges

VCS Secure Administrative Best Practices: Recommendations
- Disable SNMP, or use SNMPv3 with firewall rules
- Set your session timeout period to a nonzero value
- Disable remote logging
- Use TLS encryption for login account access to the LDAP server
- Set CRL checking to All
- Do not enable incident reporting
- Use HTTPS for external management (i.e. for TMS) and enable certificate checking
- Apply best practices for perimeter security to the VCS, e.g. block external access to well-known ports below 1024

Wrapping things up

Key Takeaways
- SIP URI dialing enables simple voice and video reachability
- UCM 9 allows for an elegant SIP URI overlay on your existing dial plan
- VCS Expressway provides open, standards-based voice and video federation
- You are now armed with the knowledge to deploy secure B2B SIP URI dialing for your employees or customers

Reference: Deployment Guides
- VCS and UCM Deployment Guide: http://www.cisco.com/en/us/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Cisco_Unified_Communications_Manager_Deployment_Guide_CUCM_8_9_and_X7-2.pdf
- Unified CM System Guide, SIP URI chapter: http://www.cisco.com/en/us/docs/voice_ip_comm/cucm/admin/9_1_1/ccmsys/CUCM_BK_C5565591_00_cucm-system-guide-91_chapter_010011.html
- VCS Basic Configuration, VCS Control with Expressway Deployment Guide: http://www.cisco.com/en/us/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_x7-2.pdf
- VCS IP port usage for firewall traversal: http://www.cisco.com/en/us/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X7-2.pdf

Reference: Deployment Guides (continued)
- VCS Authenticating Accounts Deployment Guide: http://www.cisco.com/en/us/docs/telepresence/infrastructure/vcs/config_guide/cisco_vcs_authenticating_accounts_using_ldap_deployment_guide_x7-2.pdf
- VCS Authenticating Devices Deployment Guide: http://www.cisco.com/en/us/docs/telepresence/infrastructure/vcs/config_guide/cisco_vcs_authenticating_devices_deployment_guide_x7-2.pdf
- VCS Administrator Guide: http://www.cisco.com/en/us/docs/telepresence/infrastructure/vcs/admin_guide/cisco_vcs_administrator_guide_x7-2.pdf

Reference: Blog Posts (thanks to the Cisco Support Community)
- UCM SIP Trunk TLS Configuration and Troubleshooting: https://supportforums.cisco.com/docs/doc-18689
- IP Phone Security and CTL: https://supportforums.cisco.com/docs/doc-18834
- Communications Manager Security By Default and ITL Operation and Troubleshooting: https://supportforums.cisco.com/docs/doc-17679

Reference: Cisco Press Text
- Published August 31, 2012
- Akhil Behl, CCIE No. 19564, Solutions Architect, Cisco Advanced Services
- http://www.ciscopress.com/title/1587142953
