Deploying B2B URI Dialing with Cisco UC Manager and VCS Expressway Solution
Kevin Roarty, Technical Marketing Engineer
John Burnett, Technical Marketing Engineer
Abstract
With the 9.0 release of Cisco Unified Communications Manager, SIP URI dialing is now a mainstream feature that is easy to deploy within the enterprise. URI dialing also enables elegant business reachability for voice + video or voice alone over the internet. But how does a typical Cisco UC Manager voice deployment enable internet-facing URI dialing? And how can you enable this reachability without compromising your voice environment? This session will cover the steps required to enable URI dialing on Cisco UC Manager including the integration with the VCS Expressway solution, emphasizing secure deployment considerations every step along the way.
Associated Sessions
- BRKEVT-2319 Business to Business Video
- BRKUCC-2008 Enterprise Dial Plan Fundamentals
- BRKUCC-3000 Advanced Dial Plan Design for Unified Communications Networks
- BRKUCC-2501 Cisco UC Manager Security
- BRKEVT-2801 Cisco TelePresence: best practices for call control integration
Agenda
- Reference Architecture and Targeted Call Flows
- Enabling SIP URI dialing in UCM, plus SIP trunk
- VCS Control Setup, including UCM neighbor zone
- Expressway Setup
- Define the Security Threats, discuss expanded attack surface
- Protecting your environment w/ security in layers
- Q & A
(Per-section slide counts shown on the slide: 4, 12, 7, 5, 4, 8.) Targeting 40 content slides.
Laying the groundwork
Standards Based Voice and Video Federation: Unified Call Control Reference Architecture
(Diagram: three zones. Inside firewall (Intranet): on-premise endpoints, UCM, VCS Control. DMZ: VCS Expressway. Outside firewall (Public Internet): Internet, EX90 @ Home, EX90 @ Partner, SIP Phones @ Partner, Collaboration Services.)
Call Flows in Focus (1 of 2)
(Same reference architecture diagram: Inside firewall (Intranet) with on-premise endpoints, UCM and VCS Control; DMZ with VCS Expressway; Outside firewall (Public Internet) with EX90 @ Home, EX90 @ Partner, SIP Phones @ Partner and Collaboration Services.)
Call flow shown: B2B SIP URI call between an on-premise endpoint and a partner's video endpoint.
Call Flows in Focus (2 of 2)
(Same reference architecture diagram: Inside firewall (Intranet) with on-premise endpoints, UCM and VCS Control; DMZ with VCS Expressway; Outside firewall (Public Internet) with EX90 @ Home, EX90 @ Partner, SIP Phones @ Partner and Collaboration Services.)
Call flow shown: B2B SIP URI call between a remote endpoint registered to VCS Expressway and a partner's video endpoint.
UCM and VCS Versions
- UCM 9.1.1
- VCS X7.2
SIP URI dialing in UCM
UCM Trivia Question: True or False
- UCM 8.6 supports SIP URI dialing and routing? T
- UCM 8.6 allows endpoints to register with an alphanumeric SIP URI? F
- UCM 8.6 allows local endpoints to be reached by alphanumeric SIP URI? F
- UCM 9.0 supports SIP URI dialing and routing? T
- UCM 9.0 allows endpoints to register with an alphanumeric SIP URI? F
- UCM 9.0 allows local endpoints to be reached by alphanumeric SIP URI? T
SIP URI in UCM (example: john.doe@example.com)
- UCM treats URIs as aliases for directory numbers (DNs)
- Endpoints have no notion of their associated URI(s); they still register with a DN
- A call to a URI behaves as if the call was made directly to the DN
- Calls from an endpoint will include a URI in the caller ID if one is assigned to the DN
- A call from an endpoint always includes the DN in the caller ID so it can be presented to a device that doesn't support URIs, and those devices can return the call
UCM SIP URI Overlay Dial Plan
- The URI dial plan overlays the existing (and required) numeric dial plan
- Each DN can have up to 5 SIP URI aliases
- Each DN with a SIP URI will have a primary SIP URI for caller ID purposes
Benefits of the URI overlay
- All UCM endpoints are reachable at a SIP URI: SIP, SCCP, Analog
- Not all IP phones can dial SIP URIs, but Speed Dials are an option
- Use a SIP alpha URI for an SNR Remote Destination
Import and Assign SIP URI
How do I add SIP URIs to my existing dial plan?
- Easiest approach is via LDAP Directory Integration
- Recommendation is to map the mail attribute to Directory URI
- Issue w/ msrtcsip attribute, CSCub73272
- Set the end user's primary line if not already set, to associate the Directory URI with the associated DN
Other URI import options include
- Bulk Admin Tool
- AXL API
- Manual update to the DN page
UCM Directory URI Partition
- End User Directory URIs will be added to the Directory URI partition
- The Directory URI partition needs to be included in the dial plan by either:
  - Adding the partition to existing Calling Search Spaces
  - Aliasing the Directory URI partition to an existing partition
UCM SIP Profile for SIP Endpoints
- The SIP Profile for endpoints should be set to "Use Fully Qualified Domain Name in SIP Requests"
- If this parameter is not enabled, the endpoint might end up with a strange-looking connected party ID instead of seeing the dialed URI
- Avoid this: john.doe@10.2.10.5
UCM SIP Profile for SIP Trunk
- Start by copying the "Standard SIP Profile For Cisco VCS"
- The SIP Profile should be set to "Use Fully Qualified Domain Name in SIP Requests"
- The SIP Profile can be configured for different dial string interpretation settings
- SIP OPTIONS ping enabled
UCM SIP Trunk: Integration point with VCS Control
- Recommendation is to set the Calling and Connected Party Info Format to "Deliver URI only in connected party, if available"
- Associate the SIP Trunk Profile created for VCS
- Configure the trunk with one or more VCS Control IP addresses
- Set an appropriate CSS allowing inbound access to local URIs
UCM SIP Route Patterns
- Use the SIP Route Pattern's Domain Routing option
- The * character is a wildcard, matching all numbers, alpha chars, "." and "-"
- Simplest approach is using the * pattern to match any domain, good for a default route to VCS
- Option to route/block using more specific patterns (*.com, cisco.com, *.org, *.xxx)
- Starting w/ UCM 9, SIP Route Patterns can now utilize a SIP Trunk or a Route List
Enterprise Parameters of Interest
- URI Lookup Policy controls case-sensitive treatment of URIs
  - Default is case sensitive, per RFC 3261
  - Suggest Case Insensitive
- Specify an Organization Top Level Domain (OTLD) to allow end users to dial only the user portion of a URI (left-hand side)
- Also include Cluster Fully Qualified Domain Name(s) to allow routing to numeric URIs
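The URI overlay described on the last few slides (URIs as aliases of a DN, at most five aliases per DN with the first as the primary caller-ID URI, OTLD completion of a bare user part, cluster FQDNs for numeric URIs, and the case-sensitivity switch) can be modelled in a few dozen lines. The following is an added example, not code from the deck or from Cisco; the lookup order and the "assume up until told otherwise" choices are this example's simplifications of the slide text, and the sample DNs, URIs and domains are constructed.

```python
# Added example: a model of UCM's SIP URI overlay lookup (not Cisco code).
# Assumptions: host parts are always compared case-insensitively; the user
# part follows the URI Lookup Policy; a string without "@" is either a DN or
# a bare user part that gets the OTLD appended.
from dataclasses import dataclass, field


@dataclass
class DirectoryNumber:
    dn: str
    uris: list = field(default_factory=list)   # up to 5 aliases; uris[0] is the primary

    def primary_uri(self):
        return self.uris[0] if self.uris else None


class UriOverlay:
    MAX_ALIASES = 5

    def __init__(self, otld, cluster_fqdns, case_sensitive=True):
        self.otld = otld.lower()
        self.cluster_fqdns = {f.lower() for f in cluster_fqdns}
        self.case_sensitive = case_sensitive       # URI Lookup Policy
        self.by_dn = {}                            # dn  -> DirectoryNumber
        self.by_uri = {}                           # key -> dn

    def _key(self, uri):
        user, _, host = uri.partition("@")
        host = host.lower()                        # host is never case sensitive
        if not self.case_sensitive:
            user = user.lower()
        return f"{user}@{host}"

    def add(self, dn, *uris):
        entry = self.by_dn.setdefault(dn, DirectoryNumber(dn))
        for uri in uris:
            if len(entry.uris) >= self.MAX_ALIASES:
                raise ValueError(f"DN {dn} already has {self.MAX_ALIASES} URIs")
            key = self._key(uri)
            if key in self.by_uri:
                raise ValueError(f"{uri} is already assigned to DN {self.by_uri[key]}")
            entry.uris.append(uri)
            self.by_uri[key] = dn

    def resolve(self, dialed):
        """Return (dn, how) for a dialed string, or (None, reason) if nothing matches."""
        if "@" not in dialed:
            if dialed.isdigit():                   # plain numeric dial string
                return (dialed, "numeric") if dialed in self.by_dn else (None, "unknown DN")
            dialed = f"{dialed}@{self.otld}"       # OTLD: user dialed only the left-hand side
        user, _, host = dialed.partition("@")
        if host.lower() in self.cluster_fqdns and user.isdigit():
            # numeric URI addressed to this cluster routes as the DN itself
            return (user, "numeric URI") if user in self.by_dn else (None, "unknown DN")
        dn = self.by_uri.get(self._key(dialed))
        return (dn, "directory URI") if dn else (None, "no URI match")

    def caller_id(self, dn):
        """Caller ID always carries the DN, plus the primary URI when one exists."""
        return {"dn": dn, "uri": self.by_dn[dn].primary_uri()}


def build_sample_overlay(case_sensitive=False):
    # Constructed sample data (not from the deck): two users on DNs 2001 and 2002
    ov = UriOverlay(otld="example.com", cluster_fqdns=["cucm1.example.com"],
                    case_sensitive=case_sensitive)
    ov.add("2001", "john.doe@example.com", "jdoe@example.com")
    ov.add("2002", "jane.roe@example.com")
    return ov


if __name__ == "__main__":
    ov = build_sample_overlay()
    for dialed in ("John.Doe@example.com", "jdoe", "2001@cucm1.example.com", "2001"):
        print(dialed, "->", ov.resolve(dialed))
```

Running it with `case_sensitive=True` shows why the deck suggests the case-insensitive policy: `John.Doe@example.com` stops resolving, while the host part stays case-insensitive either way.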
VCS enabling video federation and remote access
VCS Trivia Question: True or False
- Did version X2.0 of VCS support URI dialing? T
- The VCS only supports URI dialing for SIP registered endpoints. F
- The VCS only supports URI dialing for IPv4 based endpoints. F
- URI dialing via DNS is the best way to reach all endpoints globally. T
- The VCS cannot provide B2B video for immersive TIP based calls. F
- The VCS can enforce security for all SIP URI based calls. T
VCS Zone Configuration
- Signaling port
- Transport protocol
- Neighbor information
- Neighbor availability status
- Profile for different integrations
SIP Trunk with Option Ping
(Diagram: Unified CM sends an OPTIONS ping to the Cisco VCS; the VCS replies with 200 OK, with 408/503, or not at all.)
- Option Ping for reachability
- Trunks In-Service if a response is received
- Trunks Out-of-Service on 408 Request Timeout, 503 Service Unavailable or no response
- Calls from CUCM are not sent to out-of-service servers
- Avoids SIP message retry and timeouts
- Can be used for all nodes in the trunk, DNS SRV queries and all hosts of the SRV responses
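The trunk-state rules on this slide (in service on any response, out of service on 408, 503 or silence, out-of-service nodes skipped so calls never sit in SIP retry) are small enough to model directly. The following is an added example, not code from the deck or from Cisco; the SRV records and host names are constructed, and treating a node as in service until its first ping result is this example's assumption.

```python
# Added example: OPTIONS-ping trunk availability as described on the slide
# (not Cisco code). Node state is driven by the SIP status code of the OPTIONS
# reply; None models "no response".
from dataclasses import dataclass, field


@dataclass
class TrunkNode:
    host: str
    port: int = 5061
    in_service: bool = True       # assumption: treated as up until the first ping result

    def on_options_result(self, status):
        """status: SIP response code of the OPTIONS reply, or None for no response.
        Any response keeps the node in service except 408 and 503."""
        self.in_service = status is not None and status not in (408, 503)
        return self.in_service


@dataclass
class SipTrunk:
    name: str
    nodes: list = field(default_factory=list)   # ordered by preference

    def available_nodes(self):
        return [n for n in self.nodes if n.in_service]

    def route(self):
        """Pick the first in-service node; None means no node can take the call."""
        avail = self.available_nodes()
        return f"{avail[0].host}:{avail[0].port}" if avail else None


def nodes_from_srv(records):
    """records: (priority, weight, port, target) tuples as a DNS SRV answer would
    carry them. Lower priority first, higher weight first within a priority."""
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return [TrunkNode(host=target, port=port) for _, _, port, target in ordered]


def build_sample_trunk():
    # Constructed SRV answer for _sips._tcp of a hypothetical VCS Control cluster
    srv = [
        (10, 50, 5061, "vcsc1.example.com"),
        (20, 10, 5061, "vcsc3.example.com"),
        (10, 30, 5061, "vcsc2.example.com"),
    ]
    return SipTrunk(name="SIPTrunk-VCS", nodes=nodes_from_srv(srv))


if __name__ == "__main__":
    trunk = build_sample_trunk()
    trunk.nodes[0].on_options_result(503)     # vcsc1 says "service unavailable"
    print("route ->", trunk.route())          # calls now go to vcsc2
    trunk.nodes[0].on_options_result(200)     # vcsc1 recovers
    print("route ->", trunk.route())
```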
VCS Advanced Zone Profile
(Screenshot: optimized zone profile settings for Cisco Unified Communications Manager. Fields shown include SIP signaling, SIP Invite, SIP based Presentation channel; values shown are Yes, On and OFF.)
VCS Advanced Zone Profile: Current Option
(Screenshot: optimized zone profile settings for CUCM using the Custom profile. Fields shown include SIP signaling, SIP Invite, SIP based Presentation channel; values shown are ALWAYS, On and OFF.)
VCS Search Rule Configuration (VCS Control Dial Plan Setup)
- Priority
- Pattern Mode
- Pattern Behavior
- Continue or Stop
- Destination Zone
VCS Transform Configuration (VCS Control Dial Plan Setup)
- Priority
- Pattern String
- Pattern Behavior
- Replacement String
VCS Expressway Traversal Client Zone
- Traversal Type
- Traversal username
- Traversal password
- Traversal Port (unique)
- Media Encryption Mode
VCS Expressway Traversal Server Zone
- Traversal Type
- Traversal username
- Traversal Port (unique)
- Media Encryption Mode
VCS Expressway DNS Zone
- Zone Type
- H.323 Mode
- Media Encryption Mode
- Address of Record
How VCS Expressway Firewall Traversal Works
(Diagram: endpoint A on the Inside Network, VCS Control behind the internal firewall, VCS Expressway in the DMZ, endpoint B on the Outside Network / Internet.)
1. No inbound ports need to be opened on the internal firewall to VCS Control, minimizing any potential attack area
2. VCS Control initiates an outbound connection through the firewall to VCS Expressway using secure login credentials
3. VCS Control sends keep-alive packets to the VCS Expressway to maintain the connection through the firewall
4. When VCS Expressway receives an incoming call, it issues an incoming call request to VCS Control
5. The VCS Control then initiates the connection to the endpoint
6. The call is established and media traverses the firewall securely
Once again from the inside out, this time focusing on security
Security Threats
- Eavesdropping: listening to or recording data without approval
- Denial of Service (DoS) or Distributed Denial of Service (DDoS): flood the bandwidth or resources of a targeted system
- Impersonation: attempting to be something or someone that you are not
- Modification: RTP stream mixing/insertion
- Toll fraud: making calls that the users are not approved to make, usually long distance calls
- SPIT: calls that generate annoyance for users and lower productivity
- What else?
Unified CM Dial Plan Segmentation: Partitions for SIP URIs
What if you don't want all end users to be reachable from the internet by their SIP URI?
- SIP URI import via LDAP sync results in all URIs landing in a default Directory URI partition
- Directory URIs are associated with a user, and also with a DN when a user has a primary line configured
- SIP URIs can also be directly assigned to DNs
- When directly assigning to a DN, the SIP URIs can reside in any partition
- Multiple options exist for how to import URIs, including which partition they reside in
- Don't forget about the Directory URI Alias Partition Enterprise Parameter
Unified CM Dial Plan Segmentation: Calling Search Spaces & Service Parameters
- SIP Trunk CSSs allow you to shield gateways, conferencing resources, messaging applications, etc.
- Verify existing partitions in the dial plan offer enough segmentation
- Consider creating a new CSS specifically for the VCS SIP Trunk inbound traffic
- If necessary, create a second SIP Trunk to VCS on a different port, with a CSS specifically for B2B traffic and a new SIP trunk security profile
- Consider Time of Day routing to deactivate segments of the dial plan after hours
- Drop Ad hoc Conferences + Block OffNet to OffNet transfer (Service Parameter)
- Don't forget to monitor Call Detail Records
Unified CM Dial Plan Segmentation: SIP Route Patterns
Can I limit what domains my end users can and cannot call directly on UCM?
- A * wildcard SIP Route Pattern routing to the VCS SIP trunk, in a route partition accessible to end users, provides access to any domain
- SIP Route Patterns can also be set to block outbound calls to specific or wildcard domains
How can I support HA B2B reachability?
- SIP Route Patterns now support a Route List if there is a need to route to multiple VCS clusters with 2 or more trunks
- A SIP Route Pattern can point directly at a SIP Trunk defined with multiple VCS nodes
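The domain routing behaviour of SIP Route Patterns (a `*` wildcard matching digits, letters, `.` and `-`; more specific patterns such as `*.xxx` or `cisco.com` used to route or block) is easy to get wrong when reasoning about which pattern wins for a given called domain. The following is an added example, not code from the deck or from Cisco: it converts pattern strings into regular expressions with the character class the slide describes and selects the most specific matching pattern. That most-specific-wins selection, the `route`/`block` actions and the sample trunk and route list names are this example's assumptions, not a statement of how UCM ranks its patterns.

```python
# Added example: UCM-style SIP Route Pattern domain matching (not Cisco code).
# Assumption: when several patterns match, the one with the most literal
# (non-wildcard) characters is chosen.
import re
from dataclasses import dataclass

# The character set the slide gives for '*': numbers, alpha chars, '.' and '-'
WILDCARD_CLASS = r"[A-Za-z0-9.\-]*"


@dataclass
class SipRoutePattern:
    pattern: str             # e.g. "*", "*.com", "cisco.com", "*.xxx"
    action: str              # "route" or "block"
    target: str = ""         # SIP Trunk or Route List name when action == "route"

    def regex(self):
        pieces = [WILDCARD_CLASS if p == "*" else re.escape(p)
                  for p in re.split(r"(\*)", self.pattern) if p]
        return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)

    def specificity(self):
        # literal characters only; '*' contributes nothing
        return len(self.pattern.replace("*", ""))


def select_pattern(domain, patterns):
    matches = [p for p in patterns if p.regex().match(domain)]
    return max(matches, key=lambda p: p.specificity()) if matches else None


def called_domain(uri):
    """Host part of a SIP URI, with any port or URI parameters stripped."""
    if "@" not in uri:
        return None
    host = uri.split("@", 1)[1]
    return host.split(";")[0].split(":")[0]


def route_call(uri, patterns):
    """Return the routing decision for a dialed URI, or None when no pattern matches."""
    domain = called_domain(uri)
    if domain is None:
        return None
    chosen = select_pattern(domain, patterns)
    if chosen is None:
        return None
    return {"domain": domain, "action": chosen.action, "target": chosen.target}


def sample_route_patterns():
    # Constructed dial plan fragment: default route to the VCS trunk, a blocked
    # wildcard domain, and a specific domain sent to a Route List of two VCS clusters
    return [
        SipRoutePattern("*", "route", "SIPTrunk-VCS"),
        SipRoutePattern("*.xxx", "block"),
        SipRoutePattern("cisco.com", "route", "RL-VCS-Clusters"),
    ]


if __name__ == "__main__":
    pats = sample_route_patterns()
    for uri in ("sip:alice@cisco.com", "bob@video.partner.com:5061", "x@adult.xxx"):
        print(uri, "->", route_call(uri, pats))
```

Reading the three sample patterns together shows the segmentation point of the slide: the `*` pattern alone opens every domain to whoever can reach its partition, and it is the narrower patterns (and the partition the `*` pattern lives in) that carry the policy.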
Unified CM SIP Trunk Security
Interested in end-to-end encryption on B2B calls?
- UCM needs to be in mixed mode to support secure endpoints
- Upload VCS certificates to CallManager-Trust
- Create a SIP Trunk Security Profile specifically for the VCS trunk, using Encrypted mode and including the VCS X.509 certificate subject name(s)
- Generally not advisable to allow SRTP if not using TLS
Unified CM TelePresence Encryption Support
C/SX/EX/MX Series Endpoints: TE6.0 & TC6.0 firmware updates allow for the following security features when registered to CUCM
- Support for CTL, CAPF, LSC
- Encrypted SIP signaling
- SRTP for audio and video streams
- Compatible with CUCM 8.6.2+
Security in Video (Layered)
(Diagram of the layered security model, internal side to Internet side: Endpoint Hardening on endpoints A, B and C; Secure Conferencing on the MCU with H.235/AES-128 and SRTP/SDES; SIP-TLS and H.323 signaling; VCS-C Traversal Client with VCS Encryption Auto; firewall; VCS-E Traversal Server with VCS Encryption On; H.323 ASSENT/SIP-TLS and H.460.18/19 across the firewall to the Internet; CUCM trunks + endpoints configured for security with SIP-TLS and SRTP/SDES; HTTPS to TMS. *TMS strong security or JITC.)
VCS Secure Device Authentication
- The VCS supports local database authentication, H.350 extended LDAP Directory, and Active Directory authentication for Jabber Video (Movi)
- Endpoints can be authenticated for registration and provisioning
- Endpoints are authenticated with name and password if using the local database
- Endpoints are authenticated with username, authentication credentials (generated from the password), and alias when using an H.350 directory
- Use TLS to encrypt the connection to any external LDAP server
VCS Call Authentication
Allow all calls through, but differentiate between authenticated and unauthenticated calls
- Set "Do Not Check Credentials" on the VCS Expressway default zone. This ensures all calls from outside your organization come through as unauthenticated. Any P-Asserted-Identity headers are stripped.
- Set specific search rules for any valued resources such as an ISDN gateway (toll fraud)
- Use CPL rules to block unauthenticated access to valued resources
- Set authentication in the specific search rule to "Check Credentials"
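The search rule and transform slides above list the fields (priority, pattern mode, behavior, continue/stop, destination zone, replacement string), and this slide adds the authentication dimension: an unauthenticated call from the Expressway default zone must not be able to reach a search rule that leads to an ISDN gateway. The following is an added example, not code from the deck or from Cisco, that evaluates a small VCS-style dial plan: transforms applied in priority order, then search rules in priority order with continue/stop behaviour and a per-rule "Check Credentials" flag. The zone names, patterns and the exact rewrite semantics of the "replace" behaviour are this example's assumptions; CPL is not modelled.

```python
# Added example: evaluation of VCS-style transforms and search rules with
# per-rule credential checking (not Cisco code). Pattern modes follow the
# VCS field names: prefix, suffix, regex, exact, any.
import re
from dataclasses import dataclass


@dataclass
class Transform:
    priority: int
    pattern: str        # regex applied to the whole alias
    replace: str        # replacement string, may use \1 groups


@dataclass
class SearchRule:
    priority: int
    pattern: str
    mode: str                       # "prefix", "suffix", "regex", "exact", "any"
    behavior: str = "leave"         # "leave" or "replace"
    replace: str = ""
    on_match: str = "stop"          # "stop" or "continue"
    target_zone: str = ""
    check_credentials: bool = False  # True: only authenticated sources may use this rule

    def matches(self, alias):
        return {"prefix": alias.startswith(self.pattern),
                "suffix": alias.endswith(self.pattern),
                "regex": re.fullmatch(self.pattern, alias) is not None,
                "exact": alias == self.pattern,
                "any": True}[self.mode]

    def rewrite(self, alias):
        if self.behavior == "leave":
            return alias
        # assumption: "replace" substitutes the matched portion with the replace string
        if self.mode == "regex":
            return re.sub(self.pattern, self.replace, alias, count=1)
        if self.mode == "prefix":
            return self.replace + alias[len(self.pattern):]
        if self.mode == "suffix":
            return alias[:-len(self.pattern)] + self.replace
        return self.replace


def apply_transforms(alias, transforms):
    for t in sorted(transforms, key=lambda t: t.priority):
        alias = re.sub(t.pattern, t.replace, alias)
    return alias


def search(alias, authenticated, rules, transforms):
    """Return [(target_zone, alias_sent_to_zone), ...] in the order the VCS would try them."""
    alias = apply_transforms(alias, transforms)
    targets = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(alias):
            continue
        if rule.check_credentials and not authenticated:
            continue                      # unauthenticated call may not use this rule
        targets.append((rule.target_zone, rule.rewrite(alias)))
        if rule.on_match == "stop":
            break
    return targets


def sample_dial_plan():
    # Constructed dial plan: 4-digit extensions get the enterprise domain appended;
    # local domain -> CUCM neighbor zone; 9-prefixed numbers -> ISDN gateway, but
    # only for authenticated callers; anything else with a domain -> DNS zone.
    transforms = [Transform(10, r"^(\d{4})$", r"\1@example.com")]
    rules = [
        SearchRule(10, r".+@example\.com", "regex", target_zone="CUCM neighbor zone"),
        SearchRule(20, "9", "prefix", behavior="replace", replace="",
                   target_zone="ISDN gateway zone", check_credentials=True),
        SearchRule(30, r".+@.+", "regex", target_zone="DNS zone"),
    ]
    return rules, transforms


if __name__ == "__main__":
    rules, transforms = sample_dial_plan()
    for alias, auth in (("1234", True), ("90123456789", False), ("90123456789", True)):
        print(alias, "authenticated" if auth else "unauthenticated", "->",
              search(alias, auth, rules, transforms))
```

The second and third calls in the usage block show the toll-fraud control the slide is after: the same 9-prefixed number reaches the ISDN gateway zone only when the call arrived authenticated; from the Expressway default zone (credentials not checked, so never authenticated) it matches nothing and is not routed.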
VCS Call Authentication
- Use authentication for all registered devices in the configured subzone
- Set specific membership rules in the subzone where possible
- Turn off registration to the default subzone
- Use Registration Allow rules to specify who can register
Active FW/NAT Traversal: VCS Firewall traversal (recommended, most secure)
(Diagram: endpoint A and VCS Control on a private IP address behind FW/NAT, VCS Expressway behind a second FW/NAT, endpoint B on the Internet.)
- No inbound ports need to be opened on the internal firewall
- Expressway in the DMZ is allowed to have a non-public/private IP
- Static NAT on VCS Expressway requires the Dual Network Interface option
- Minimize inbound ports to the documented ranges that need to be opened through the public-facing firewall
- Endpoints can register directly to VCS Expressway
- Non-registered endpoints can send calls to VCS Expressway
Secure Signaling and Media: Expressway Media Encryption (RTP to SRTP)
- Auto: No media encryption policy applied by the VCS
- Best Effort: Use encryption if available, otherwise fall back to unencrypted
- Force Encrypted: All media must be encrypted
(Diagram: endpoint A - TLS - Unified CM - TLS - VCS Control - TCP - VCS Expressway. Media Encryption modes shown: Best Effort, Force Encrypted, On. Media legs shown: SRTP, RTP, SRTP.)
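The three media encryption modes decide, per leg, whether the Expressway passes media as received, encrypts when the far end can, or refuses the call. The following is an added example, not code from the deck or from Cisco: it reads the transport profile from the `m=` lines of a constructed SDP offer and applies each mode to decide the outbound leg. The SDP samples are constructed, and the simplification that "Force Encrypted" yields SRTP whenever the far end supports it (the VCS B2BUA re-encrypting a plain inbound leg) and rejects otherwise is this example's reading of the slide.

```python
# Added example: Expressway media encryption modes applied to an SDP offer
# (not Cisco code). Only the m= line transport profile is inspected; a real
# B2BUA would also insert/strip a=crypto (SDES) attributes, which is omitted.
ENCRYPTED_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}

# Constructed SDP offers (10.2.10.5 is the example address from the deck)
PLAIN_OFFER = ("v=0\r\no=- 1 1 IN IP4 10.2.10.5\r\ns=-\r\nc=IN IP4 10.2.10.5\r\nt=0 0\r\n"
               "m=audio 16384 RTP/AVP 0 8\r\n"
               "m=video 16386 RTP/AVP 97\r\n")
SECURE_OFFER = PLAIN_OFFER.replace("RTP/AVP", "RTP/SAVP")


def media_transports(sdp):
    """Transport profile of every m= line, e.g. ['RTP/AVP', 'RTP/AVP']."""
    return [line.split()[2] for line in sdp.splitlines() if line.startswith("m=")]


def offer_is_encrypted(sdp):
    transports = media_transports(sdp)
    return bool(transports) and all(t in ENCRYPTED_PROFILES for t in transports)


def apply_policy(mode, inbound_sdp, far_end_supports_srtp):
    """Transport the VCS uses on the outbound leg ('SRTP' or 'RTP'), or None if the
    call is rejected under the given Media Encryption mode."""
    inbound_encrypted = offer_is_encrypted(inbound_sdp)
    if mode == "Auto":
        # no policy: media is passed through exactly as received
        return "SRTP" if inbound_encrypted else "RTP"
    if mode == "Best Effort":
        # encrypt when the far end can, otherwise fall back to plain RTP
        return "SRTP" if far_end_supports_srtp else "RTP"
    if mode == "Force Encrypted":
        # assumption: the B2BUA encrypts even a plain inbound leg; no SRTP, no call
        return "SRTP" if far_end_supports_srtp else None
    raise ValueError(f"unknown media encryption mode: {mode}")


def rewrite_offer(sdp, outbound):
    """Rewrite m= line profiles for the outbound leg (AVP <-> SAVP)."""
    target = "RTP/SAVP" if outbound == "SRTP" else "RTP/AVP"
    lines = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            parts = line.split()
            parts[2] = target
            line = " ".join(parts)
        lines.append(line)
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for mode in ("Auto", "Best Effort", "Force Encrypted"):
        for far in (True, False):
            print(f"{mode:16} far-end SRTP={far!s:5} ->", apply_policy(mode, PLAIN_OFFER, far))
```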
Configuring Security on the VCS Side
- SIP Port for TLS: Active on port 5061
Configuring Security on the VCS Side
- Generate CSR
- Register Secure Endpoint
VCS Secure Administrative Best Practices
- HTTP, HTTPS, Telnet, SSH and SNMP are all protocols used to manage and monitor the VCS
- Set up remote account authentication for AD authentication of admin user access to the VCS
- Use TLS & Secure LDAP (port 636) for an encrypted connection to the AD server
- If web access is desirable to administer the VCS, disable HTTP and use HTTPS
- Load PKI certificates for HTTPS
- Enable CRLs and HTTPS client certificate validation
- Use Firewall Rules in the VCS to restrict access to specific IP addresses or IP address ranges
VCS Secure Administrative Best Practices: Recommendations
- Disable SNMP or use SNMPv3 with firewall rules
- Set your session timeout period to a nonzero value
- Disable remote logging
- Use TLS encryption for login account access to the LDAP server
- Set CRL checking to All
- Do not enable incident reporting
- Use HTTPS for external management (i.e. for TMS) and enable certificate checking
- Apply perimeter security best practices to the VCS, i.e. block external access to well-known ports below 1024
Wrapping things up
Key Takeaways
- SIP URI dialing enables simple voice and video reachability
- UCM 9 allows for an elegant SIP URI overlay on your existing dial plan
- VCS Expressway provides open, standards-based voice and video federation
- You are now armed with the knowledge to deploy secure B2B SIP URI dialing for your employees or customers
Reference Deployment Guides
- VCS and UCM Deployment Guide: http://www.cisco.com/en/us/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Cisco_Unified_Communications_Manager_Deployment_Guide_CUCM_8_9_and_X7-2.pdf
- Unified CM System Guide, SIP URI Chapter: http://www.cisco.com/en/us/docs/voice_ip_comm/cucm/admin/9_1_1/ccmsys/CUCM_BK_C5565591_00_cucm-system-guide-91_chapter_010011.html
- VCS Basic Configuration, VCS Control with Expressway Deployment Guide: http://www.cisco.com/en/us/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_x7-2.pdf
- VCS IP port usage for firewall traversal: http://www.cisco.com/en/us/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X7-2.pdf
Reference Deployment Guides
- VCS Authenticating Accounts Deployment Guide: http://www.cisco.com/en/us/docs/telepresence/infrastructure/vcs/config_guide/cisco_vcs_authenticating_accounts_using_ldap_deployment_guide_x7-2.pdf
- VCS Authenticating Devices Deployment Guide: http://www.cisco.com/en/us/docs/telepresence/infrastructure/vcs/config_guide/cisco_vcs_authenticating_devices_deployment_guide_x7-2.pdf
- VCS Administration Guide: http://www.cisco.com/en/us/docs/telepresence/infrastructure/vcs/admin_guide/cisco_vcs_administrator_guide_x7-2.pdf
Reference Blog Posts (thanks to the Cisco Support Community)
- UCM SIP Trunk TLS Configuration and Troubleshooting: https://supportforums.cisco.com/docs/doc-18689
- IP Phone Security and CTL: https://supportforums.cisco.com/docs/doc-18834
- Communications Manager Security By Default and ITL Operation and Troubleshooting (Cisco Support Community): https://supportforums.cisco.com/docs/doc-17679
Reference Cisco Press Text
- Published August 31, 2012. Akhil Behl, CCIE No. 19564, Solutions Architect, Cisco Advanced Services: http://www.ciscopress.com/title/1587142953