BRKCOL-2202 Cisco Spark Hybrid Call Services Architecture and Design
Luca Pellegrini, Technical Marketing Engineer
Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#brkcol-2202 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
Introduction
Call Service Aware and Connect
CSC Global Reachability
CSC Call Anchoring
Certificates
DNS Service Discovery
Dial Plan
Identity Theft and Toll Fraud Prevention
Shared Expressway for Hybrid and B2B
Deployment Models
Multiple Clusters
SME Architecture
HCS Deployment
Cisco Spark Services Suite
A complete business collaboration service from the Cisco cloud that enables customers to message, meet, or call anyone, anywhere, and anytime.
Cisco Spark Services*: Cisco Spark Control Hub, Cisco Spark Messaging, Cisco Spark Meetings, Cisco Spark Rooms, Cisco Spark Board, Cisco Spark Hybrid Calling, Cisco Spark Care
*Cisco Spark is hosted and operated by Cisco, and sold by partners
Integrating Premises and Cloud (diagram)
Platforms: Windows, Edge Platform, WebEx Messenger
Hybrid services and the premises systems they integrate with:
Directory: Microsoft AD
Calendar: Exchange / Office 365
Call: Cisco UCM*
Future: Media (Hybrid Media), KMS (Hybrid Data Security??)
*Includes Business Edition or HCS
Hybrid Service Architecture (diagram)
Premises: Microsoft Exchange, Active Directory, Cisco Unified CM
Directory Connector (Windows): connects Active Directory to the Cloud
Connector Host (Expressway-C): Management Connector, Calendar Connector, Call Connector; the Calendar Connector talks to Microsoft Exchange, the Call Connector talks to Cisco Unified CM over AXL and CTI-QBE
Hybrid signaling for Directory, Calendar and Call goes to the Cloud over HTTPS, optionally through an HTTP Proxy, crossing the Internal FW
Firewall traversal architecture with Expressways for hybrid call signaling and media: SIP signaling and media go from Cisco Unified CM through Expressway-E (between the Internal FW and the DMZ FW) to the Internet
Call Service Architecture (diagram)
Same components as the Hybrid Service Architecture; for Call Service the relevant paths are:
Call Connector on the Connector Host to Cisco Unified CM: AXL, CTI-QBE
Hybrid signaling (AXL, CTI-QBE, Directory) to the Cloud over HTTPS, through the HTTP Proxy where present
Call signaling and media: SIP signaling and SRTP media between Cisco Unified CM and the Cloud through Expressway-E (Internal FW, DMZ FW, Internet)
Call Service Aware and Connect
Call Service Aware & Call Service Connect
Call Service Aware: complements, and is aware of, Cisco UC calls and allows for Desktop Sharing; enables Cisco Spark users to share their screen using Spark.
Call Service Connect: depends on Call Service Aware; allows Cisco Spark users to call Cisco UC registered devices, as well as be called by Cisco UC users; together with Call Service Aware, enables users to manage a unified Spark and UC call history from the Cisco Spark calls tab.
Call Service Aware/Connect Addressing (diagram)
Cisco Spark Control Hub: user Aaron Goodman, agoodman@ent-pa.com, +14085551234, Spark SIP address agoodman@ent-pa.call.ciscospark.com
Cisco Unified CM: Aaron Goodman's shared line +14085551234 with a Spark RD (remote destination) agoodman@ent-pa.call.ciscospark.com, provisioned through the Connector Host over the Cisco UCM interface
Spark RD Provisioning Through Connector Host
Each UCM cluster needs to be provisioned on the Call Connector
UCM needs an application user with the roles: Standard AXL API Access; Standard CTI Allow Control of All Devices; Standard CTI Enabled; Standard CTI Allow Control of Phones supporting Connected Xfer and conf; Standard CTI Allow Control of Phones supporting Rollover Mode
Every end-user must have a directory URI
The CFQDN (Cluster Fully Qualified Domain Name) has to be set to a unique value
Manual or automatic provisioning of the Spark RD: Remote Destinations are always provisioned through the Connector; Spark RDs provisioned automatically use a single Device Pool, Location, Calling Search Space and Rerouting CSS
Call Service Connect Global Reachability
UCM to UCM Call (diagram)
UCM releases where the Spark RD is supported with Connectors: 12.0(1) 12.0.1.10000-10; 11.5(1) SU3 11.5.1.13900-52; 11.0(1a) SU3 11.0.1.23900-5; 10.5(2) SU5 10.5.2.15900-8
Bob: +14085551234, bob@example.com, Spark RD bob@example.call.ciscospark.com
1. Alice dials bob@example.com or +14085551234
2. Cisco Unified CM rings Bob's phone and the Spark RD bob@example.call.ciscospark.com
3. The Spark RD leg is sent through Expressway-E over the Internet to the Cloud
Spark to Spark Call (diagram)
Alice: alice@example.com, +14085551235. Bob: bob@example.com, +14085551234, Spark RD bob@example.call.ciscospark.com
1. Alice calls Bob from Spark: calling alice@example.call.ciscospark.com, called bob@example.com
2. The Cloud sends the call for bob@example.com over the Internet through Expressway-E to Cisco Unified CM
3. Cisco Unified CM rings Bob's phone and Bob's Spark RD
4. The leg towards bob@example.call.ciscospark.com is cancelled, since the Spark-to-Spark call already reaches Bob's Spark client in the Cloud
Call Service Connect Call Anchoring
Call Anchoring and Calling ID Preservation (single UCM cluster, diagram)
Alice: +14085551235, alice@example.com, Spark RD alice@example.call.ciscospark.com, Alice's CSS: Internal and Local calls
Bob: +19725555142, bob@example.com
1. Call from the Cloud: calling alice@example.call.ciscospark.com, called bob@example.com
2. Cisco Unified CM anchors the call on Alice's Spark RD and calls Bob, who sees: Call from Alice +14085551235 alice@example.com
Call Anchoring and CSS Preservation (diagram)
Call anchoring is based on calling ID == RD
Alice: +14085551235, alice@example.com, Spark RD alice@example.call.ciscospark.com, Alice's CSS: Internal and Local calls
Bob: +14085551234, bob@example.com, Spark RD bob@example.call.ciscospark.com, Bob's CSS: All Calls
Alice's Spark call: 1. calling ID alice@example.call.ciscospark.com, called ID +390212345678; 2. anchored on Alice's line and routed with Alice's CSS (Internal and Local calls)
Bob's Spark call: 1. calling bob@example.call.ciscospark.com, called +390212345678; 2. anchored on Bob's line and routed with Bob's CSS (All Calls) to the PSTN
PSTN Call Flow (diagram)
Alice: +14085551234, alice@example.com, Spark RD alice@example.call.ciscospark.com, line CSS: allow international calls
1. Alice's Spark client dials +390212345678: called ID +390212345678, calling ID alice@example.call.ciscospark.com
2. The Cloud sends the call over the Internet to Expressway-E with the same called/calling IDs
3-4. Cisco Unified CM anchors the call on Alice's RD: called ID +390212345678, calling ID +14085551234 alice@example.com
5. To the PSTN audio or video GW: called ID +390212345678, calling ID +14085551234
B2B Call Flow (diagram)
Alice: +14085551234, alice@example.com, Spark RD alice@example.call.ciscospark.com
1. Alice dials Bob@xyz.com
2. The Cloud sends the call over the Internet to Expressway-E: called ID Bob@xyz.com, calling ID alice@example.call.ciscospark.com
3-4. Cisco Unified CM anchors the call: called ID Bob@xyz.com, calling ID alice@example.com
5-6. The call leaves through Expressway-E over the Internet to Bob@xyz.com: called ID Bob@xyz.com, calling ID alice@example.com
Certificates for Authentication and Encryption
Identity Verification
Expressway-E and the Cloud need to trust each other
Public certificates are the preferred way to trust the remote peer's identity
Public CAs release certificates only after identity verification is successful
The CN and SAN in the certificate are used to check the identity of the remote peer
A certificate released to Cisco can't be released to another organization, because the requester must prove that it owns the domain
TLS Handshake with Mutual Authentication
Client hello
Server hello, followed by the certificate
Certificate Request (the server asks the client for its certificate)
Expressway-E checks the Cloud certificate for both inbound and outbound calls
callservice.ciscospark.com must be included in the certificate presented by the Cloud
Cloud Certificate used in Spark Hybrid Scenarios
Common name: l2sip-cfa-01.ciscospark.com
SANs: l2sip-cfa-01.ciscospark.com, l2sip-cfa-01.wbx2.com, l2sip-cfa-01-web.wbx2.com, l2sipcfa-web.wbx2.com, callservice.ciscospark.com...
Organization: Cisco Systems, Inc.
Location: San Jose, CA, US
Valid from November 16, 2016 to November 16, 2018
Serial Number: 08bd6c90982db954a25830361d7dcb4b441b719b
Signature Algorithm: sha256withrsaencryption
Issuer: HydrantID SSL ICA G2
Authenticating the Cloud: Inbound Calls Example (diagram)
1. Client hello from the Cloud to Expressway-E (expe.example.com)
2. Expressway-E presents the ExpE certificate for expe.example.com (public key)
3. The Cloud presents the Cloud certificate containing callservice.ciscospark.com (public key); the call is accepted on the DNS Zone (trunk to Cloud)
Certificates and certification authorities
Recommended option: the Cloud trusts certificates signed by specific certification authorities by default (list: https://help.webex.com/docs/doc-4302)
The Cloud can be configured to trust (through manual upload): a certificate signed by a private certification authority; a self-signed certificate; a certificate signed by a public CA that is not in the trusted list of the Cloud
The Cloud will trust any of the above only if: the CN or SAN includes the Expressway-E DNS name; the CRL (if present) is publicly reachable from the Internet
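The identity check the certificate slides describe, as an added example (not code from the deck or from Cisco): the name the Cloud must present, callservice.ciscospark.com, has to appear in the CN or a DNS SAN, and the certificate has to be inside its validity window. CLOUD_CERT is constructed from the values on the slide in the dict layout Python's ssl.SSLSocket.getpeercert() returns; it is not the real certificate, and the function names are this example's own.

```python
"""Peer identity check: expected name in CN/SAN and certificate currently valid.
Added example; CLOUD_CERT is constructed from the slide in getpeercert() layout."""
import socket
import ssl
import time

# Constructed from the slide (getpeercert() layout); not the real certificate object.
CLOUD_CERT = {
    "subject": (
        (("commonName", "l2sip-cfa-01.ciscospark.com"),),
        (("organizationName", "Cisco Systems, Inc."),),
    ),
    "subjectAltName": (
        ("DNS", "l2sip-cfa-01.ciscospark.com"),
        ("DNS", "l2sip-cfa-01.wbx2.com"),
        ("DNS", "l2sip-cfa-01-web.wbx2.com"),
        ("DNS", "l2sipcfa-web.wbx2.com"),
        ("DNS", "callservice.ciscospark.com"),
    ),
    "notBefore": "Nov 16 00:00:00 2016 GMT",
    "notAfter": "Nov 16 00:00:00 2018 GMT",
}


def dns_name_matches(pattern, hostname):
    """Case-insensitive match; a leading '*' covers exactly one DNS label (RFC 6125)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_names(cert):
    """CN plus every DNS SAN: the names the slide says are checked on the peer."""
    names = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    names += [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def peer_has_identity(cert, expected_name, now=None):
    """True only if expected_name is among the CN/SANs and the cert is valid at `now` (epoch seconds)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False
    return any(dns_name_matches(name, expected_name) for name in cert_names(cert))


def verify_mtls_peer(host, port, expected_name, cafile, own_cert, own_key):
    """Live check (not run here): connect with mutual TLS, presenting our own
    certificate as Expressway-E does, and require expected_name in the peer cert.
    check_hostname is off because the name we need is not the host we dialled."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(own_cert, own_key)
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return peer_has_identity(tls.getpeercert(), expected_name)
```

Note that the SRV target the Cloud is reached through (for example an l2sip-cfa host) differs from the name that matters for trust, which is why the check is against callservice.ciscospark.com rather than against the dialled host, and why a chain check alone (CERT_REQUIRED) is not sufficient on its own.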
Call Service Connect Service Discovery
TLS vs dedicated MTLS port on Expressway
Any incoming TCP connection on port 5061 uses TLS: for B2B communications
Any incoming TCP connection on port 5062 triggers the TLS handshake with Mutual Authentication: for Spark Hybrid communications
Standard SRV Records for SIP
SRV record format for SIP: TLS and MTLS are part of the same specification (RFC 5246), so there is no separate SRV record type for MTLS
_sips._tcp.example.com       5061  TLS                             Used for B2B, TLS only
_sips._tcp.mtls.example.com  5062  TLS with Mutual Authentication  Used in Spark Hybrid Services, MTLS
_sip._tcp.example.com        5060  TCP
_sip._udp.example.com        5060  UDP
Enterprise Service Discovery for Spark Hybrid (diagram)
DNS SRV records in public DNS, then the A-record for the IP address/port:
_sips._tcp.example.com (B2B with TLS): expe.example.com <public IP>:5061
_sips._tcp.mtls.example.com (MTLS): expe.example.com <public IP>:5062
Corporate network: CUCM with CFQDN cucm.example.com, Exp-C, Exp-E; Bob is bob@example.com
1. Alice calls Bob; 2-7. the Cloud resolves the MTLS SRV record, connects to Exp-E on port 5062, and the call is routed via Exp-C to CUCM and on to Bob
Verified Domains
SIP domains must be verified, to prevent someone else from using that domain and to mitigate identity theft by impersonation
SIP domains must be publicly routable (no internal.local as Directory URI domain)
Verification token
1. Get the token
2. Create the TXT record
3. Test the TXT record
Cisco recommends using the prefix cisco-ci-domain-verification= followed by the token, i.e. cisco-ci-domain-verification=123456789abcdef123456789abcdef123456789abcdef123456789abcdef
Inbound Calls: Authenticated vs Unauthenticated Traffic
TLS with Mutual Authentication and certificates on an Expressway-E (expe.example.com) with a DNS Zone:
Default Zone: inbound trunk from any unknown destination; non-authenticated traffic; certificate is NOT requested
Spark DNS Zone: trunk to Spark Hybrid; authenticated traffic; certificate requested, CN/SAN = callservice.ciscospark.com
Box dedicated to Hybrid Services: block calls from the Default Zone
Shared box: apply rules to non-authenticated traffic to filter calls
Dial Plan
Route Header and Request URI
The Cloud populates forked calls with the CFQDN
The Route header takes precedence over the Request URI
CFQDN: enterprise parameter used in SIP routing decisions
The CFQDN must be different from the Expressway system name, domain or DNS name
It can't contain wildcards; if wildcards are needed, add two entries, the first of which contains no wildcards: CFQDN: us-cm-pub.example.com *.example.com
Home Cluster Routing: Route Headers and Request URIs (diagram)
Directory URI to destination in the Route header (Cluster Fully Qualified Domain Name), known to the Call Connector: bob@example.com -> emea-cucm-pub.example.com (EMEA Cluster); alice@example.com -> us-cucm-pub.example.com (US Cluster)
1. Alice's Cisco Spark client calls Bob
2. The Cloud builds the INVITE with Request URI sip:bob@example.com and Route header sip:us-cucm-pub.example.com (Alice's home cluster)
3. Expressway-E receives the INVITE
4. The call is routed to us-cucm-pub.example.com, the US Cluster
Spark Dial Plan with multiple UCM clusters
Expressway-E search rules (Spark DNS Zone and Spark Traversal Server zone):
Priority  Rule Name       Protocol  Source                  Mode       Target
50        Spark inbound   Any       Spark DNS Zone          Any alias  Spark Traversal Server
60        Spark outbound  Any       Spark Traversal Server  Any alias  Spark DNS Zone
Expressway-C search rules (UCM_US and UCM_EMEA neighbor zones):
Priority  Rule Name           Protocol  Source  Mode                                       Target
50        Spark inbound US    Any       Any     Prefix: us-cm-pub.example.com              UCM_US
50        Spark inbound EMEA  Any       Any     Prefix: emea-cm-pub.example.com            UCM_EMEA
60        Spark outbound      Any       Any     Regex: .*@example\.call\.ciscospark\.com   Spark Traversal Server
From Spark to UCM the inbound rules apply; from UCM to Spark the outbound rules apply.
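The routing decision the dial-plan slides describe (Route header precedence, then prefix and regex search rules), as an added example in plain Python rather than Expressway configuration: the rule table is taken from the slide, the INVITE messages are constructed, and the function names are this example's own, not a Cisco API.

```python
"""Route selection for hybrid calls: the Route header (home-cluster CFQDN added by
the Cloud on forked calls) takes precedence over the Request-URI; search rules
then match by prefix (inbound) or regex (outbound). Added example."""
import re

# Search rules from the slide: (priority, name, mode, pattern, target zone)
SEARCH_RULES = [
    (50, "Spark inbound US", "prefix", "us-cm-pub.example.com", "UCM_US"),
    (50, "Spark inbound EMEA", "prefix", "emea-cm-pub.example.com", "UCM_EMEA"),
    (60, "Spark outbound", "regex", r".*@example\.call\.ciscospark\.com", "Spark Traversal Server"),
]


def parse_invite(raw):
    """Split a SIP request into (method, request_uri, headers); header names lowercased."""
    lines = raw.strip().splitlines()
    method, request_uri, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, request_uri, headers


def strip_uri(uri):
    """'<sip:host;lr>' or 'sip:user@host;params' -> 'host' or 'user@host'."""
    uri = uri.strip().strip("<>")
    if uri.lower().startswith(("sip:", "sips:")):
        uri = uri.split(":", 1)[1]
    return uri.split(";", 1)[0]


def routing_alias(request_uri, headers):
    """Route header takes precedence over the Request-URI (topmost Route entry)."""
    routes = headers.get("route")
    if routes:
        return strip_uri(routes[0].split(",")[0])
    return strip_uri(request_uri)


def select_target(alias, rules=SEARCH_RULES):
    """Lowest priority wins; prefix rules are 'starts with', regex rules must match fully."""
    for _prio, name, mode, pattern, target in sorted(rules, key=lambda r: r[0]):
        if mode == "prefix" and alias.startswith(pattern):
            return name, target
        if mode == "regex" and re.fullmatch(pattern, alias):
            return name, target
    return None, None


def route_invite(raw):
    """Parse the request, pick the routing alias, return the matching (rule, target)."""
    _method, request_uri, headers = parse_invite(raw)
    return select_target(routing_alias(request_uri, headers))


# Constructed sample messages (not captured from a real system)
INBOUND_US = """INVITE sip:bob@example.com SIP/2.0
Route: <sip:us-cm-pub.example.com;lr>
From: <sip:alice@example.call.ciscospark.com>
To: <sip:bob@example.com>
"""

OUTBOUND = """INVITE sip:bob@example.call.ciscospark.com SIP/2.0
From: <sip:alice@example.com>
To: <sip:bob@example.call.ciscospark.com>
"""
```

The same INVITE for bob@example.com with no Route header matches no rule: the Request-URI alone does not identify the calling user's home cluster, which is the point of the Route header precedence.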
Identity Theft and Toll Fraud Prevention
Simulating a Spark Hybrid identity through a B2B connection (diagram)
Alice: +14085551234, alice@example.com, Spark-RD alice@example.call.ciscospark.com
1. An attacker on the Internet simulates Alice's Spark SIP address, placing a B2B call with calling ID alice@example.call.ciscospark.com to bob@example.com (or to the PSTN)
2. Because the attacker can't use the Cloud certificate, the call enters Expressway-E through the Default Zone
3. Cisco Unified CM receives what looks like a call from Alice, and Bob sees "Call from Alice"
PSTN Call Allowed Based on Alice's CSS (diagram)
Alice Office: +1(408) 5551234, alice@example.com, Spark-RD alice@example.call.ciscospark.com
1. The attacker simulates Alice with calling ID alice@example.call.ciscospark.com and dials the PSTN number 9393357454076
2. The call enters Expressway-E (Default Zone) and reaches Cisco Unified CM
3. If the call is anchored on Alice's Spark RD, it is routed with Alice's CSS and the PSTN call is allowed: toll fraud
Expressway Mitigating Toll Fraud
The zone authentication policy marks traffic as authenticated (Spark DNS Zone and Traversal Server Zone: P-Asserted-Identity trusted) or unauthenticated (B2B traffic hitting the Default Zone: PAI removed from the calls)
Call policy rules are applied to the source zone or to unauthenticated traffic
Checking the calling alias
Any B2B call with a calling ID containing example.call.ciscospark.com enters through the Default Zone, so a call policy rule rejects it:
Rule: From Address; Applies To: Unauthenticated; Source Pattern: (.*)@example\.call\.ciscospark\.com.*; Destination Pattern: .*; Action: Reject
2nd Line of Defense: Trusted Identity on UCM
Traversal client, traversal server and UCM neighbor zones preserve the PAI if the authentication policy is set to "check credentials" or "treat as authenticated"
Trunk on UCM 12 set to "Trust PAI Only": UCM trusts the identity and anchors the call only if it has a PAI
For calls with PAI, the CSS of the line is used to route the call
For calls without PAI, the CSS of the trunk is used to route the call
(diagram: SIP messages with PAI between CUCM and Expressway-E; B2B SIP messages from the Internet)
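The two defensive layers of the toll-fraud slides modelled together, as an added example (not configuration or code from Cisco): on the Expressway, the zone authentication policy keeps the PAI for the Spark DNS Zone and strips it for the Default Zone, and the call policy rule from the previous slide rejects unauthenticated calls whose source alias claims @example.call.ciscospark.com; on UCM, a trunk set to "Trust PAI Only" anchors on the line (and uses the line CSS) only when a PAI survived, otherwise the trunk CSS applies. Zone names and the rule come from the slides; the sample calls and the CSS names are constructed.

```python
"""Expressway zone authentication + call policy, then UCM 'Trust PAI Only' CSS
selection, for constructed sample calls. Added example."""
import re

# Zone authentication policy (from the slides)
ZONE_AUTH = {
    "Spark DNS Zone": "authenticated",
    "Traversal Server Zone": "authenticated",
    "Default Zone": "unauthenticated",
}

# Call policy rule from the slide: (applies to, source pattern, destination pattern, action)
CALL_POLICY = [
    ("unauthenticated", r"(.*)@example\.call\.ciscospark\.com.*", r".*", "Reject"),
]


def expressway_process(call):
    """Return ("Reject", matched source pattern) or ("Forward", call as sent on).
    `call` has keys zone, from, to and optionally pai."""
    auth = ZONE_AUTH.get(call["zone"], "unauthenticated")  # unknown zone: treat as unauthenticated
    forwarded = dict(call)
    if auth == "unauthenticated":
        forwarded.pop("pai", None)  # PAI is stripped from Default Zone traffic
    for applies_to, src, dst, action in CALL_POLICY:
        if applies_to == auth and re.fullmatch(src, call["from"]) and re.fullmatch(dst, call["to"]):
            if action == "Reject":
                return "Reject", src
    return "Forward", forwarded


# Constructed: Spark RD alias -> CSS of the anchored line; trunk CSS for unanchored calls
LINE_CSS_BY_RD = {
    "alice@example.call.ciscospark.com": "Internal and Local calls",
    "bob@example.call.ciscospark.com": "All Calls",
}
TRUNK_CSS = "Trunk CSS (constructed, no PSTN access)"


def ucm_select_css(call):
    """UCM trunk set to 'Trust PAI Only': anchor on the line only if a PAI is present."""
    pai = call.get("pai")
    if pai in LINE_CSS_BY_RD:
        return "line", LINE_CSS_BY_RD[pai]
    return "trunk", TRUNK_CSS


def end_to_end(call):
    """Expressway then UCM: which CSS (if any) the call would be routed with."""
    verdict, result = expressway_process(call)
    if verdict == "Reject":
        return "Reject", None
    return ucm_select_css(result)


# Constructed sample calls
LEGIT = {"zone": "Spark DNS Zone", "from": "alice@example.call.ciscospark.com",
         "to": "+390212345678", "pai": "alice@example.call.ciscospark.com"}
SPOOFED = {"zone": "Default Zone", "from": "alice@example.call.ciscospark.com",
           "to": "+390212345678", "pai": "alice@example.call.ciscospark.com"}
B2B_WITH_FORGED_PAI = {"zone": "Default Zone", "from": "carol@xyz.com",
                       "to": "bob@example.com", "pai": "alice@example.call.ciscospark.com"}
```

The third sample shows why the second layer matters: a B2B call whose From does not match the call policy pattern still arrives at UCM, but with its PAI removed by the Default Zone, so UCM routes it with the trunk CSS instead of anchoring it on Alice's line.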
Demo
Deployment Models
Expressway Cluster Capacity
Connector Host and Expressway-E used for media can be clustered following the Expressway clustering guidelines
Up to 6 servers in the same cluster, in 2:1 redundancy; all servers active
Cluster capacity: 4 times the capacity of the single box, due to the 2:1 redundancy model
Connector Host: 1:1 redundancy for Calendar and Call Connector; all servers active
Connectors and Media on a Shared Expressway (diagram)
Connector Host services and SIP signaling and media for Hybrid Services only
Scalability for MRA and B2B together with Connector is not tested
Components: Microsoft Exchange, Active Directory with Directory Connector, Cisco Unified CM; Connector Host with Management Connector, Calendar Connector, Call Connector; Internal FW, Expressway-E in the DMZ, DMZ FW; SIP signaling and media to the Internet
Capacity for Connector Host
Dedicated to Connector Hosting: 5000 users with medium OVA per server; 15000 users with medium OVA per 6-peer cluster (testing in progress!)
Shared together with SIP signaling and media for Hybrid Services (no MRA, B2B): 500 users with small OVA; 2000 users with medium OVA and a 2-server cluster (testing in progress!)
BE6000H Example Configuration for 500 Users with Shared Connector Host (diagram)
VMs across BE6000H Primary and BE6000H Secondary: Unified CM (1000 Users OVA), Directory Connector(1), Unity Connection, Expy-C Small OVA, Expy-E Small OVA, Prime
(1) Directory Connector can be deployed with HA
BE7000 Example Configuration for 2,000 users and Shared Connector Host (diagram)
VMs across BE7000H Primary, Secondary and Tertiary: UCM Cluster (2500 Users OVA) with pub, sub1, sub2, tftp1, tftp2; Unity Connection; Exp-C Medium OVA; Exp-E Medium OVA; CER; Directory Connector; Prime
Architecture for 10,000 Users (diagram)
Cisco Unified CM Cluster (7500 Users OVA): Publisher, TFTP, Call Control
Connector Host: Medium OVA
Large OVA clusters; Expressway-E: Large OVA clusters
Directory Connector
Multiple Clusters
Dual Clusters: Outbound Calls (diagram)
Two Connector Hosts, CUCM, two Expressway-E; signaling and media paths for outbound calls
Inbound Calls with Two Datacenters
The call can be sent to either of the two datacenters; this is achieved through DNS SRV records with equal weight and priority for all Expressway-E servers in both datacenters
The Route header contains the calling user's home cluster
Every Expressway-E is configured to send the call either to its associated cluster or to the remote Expressway-E, based on the Route header
Inbound Calls: Called and Calling on Same Cluster, DNS Configuration (diagram)
EMEA Site: CUCM EMEA, emea-expe.example.com; US Site: CUCM US, us-expe.example.com
DNS SRV: _sips._tcp.mtls.example.com -> target emea-expe.example.com, priority 10, weight 10 (the us-expe.example.com record has the same priority and weight)
In this example the call is sent to the EMEA cluster
Inbound Calls: Called and Calling on Same Cluster, Signaling (diagram)
Directory URI to destination in the Route header: alice@example.com -> us-cm-pub.example.com; bob@example.com -> us-cm-pub.example.com
Expressway-E EMEA rules: emea-cm-pub.example.com -> target EMEA (local cluster); us-cm-pub.example.com -> target us-expe.example.com
Expressway-E US rules: us-cm-pub.example.com -> target US (local cluster); emea-cm-pub.example.com -> target emea-expe.example.com
1. Alice calls Bob
2. INVITE to the EMEA Expressway-E: Route Header: us-cm-pub.example.com, INVITE sip:bob@example.com, From: alice@example.call.ciscospark.com; the EMEA Expressway-E routes it to the US Expressway-E
3. The US Expressway-E routes to the home cluster (CUCM US)
4. CUCM US routes to the destination, Bob
Inbound Calls: Called and Calling on Same Cluster, Media (diagram)
Same rule tables and directory URI mapping as the signaling slide (alice@example.com and bob@example.com both homed on us-cm-pub.example.com)
Media between Alice's Spark client and Bob follows the signaling path through emea-expe.example.com and us-expe.example.com to the US site
Directory Expressway Architecture for N > 3 Sites (diagram)
Corporate network: UCM1..UCM4 with Expc1..Expc4 and Expe1..Expe4; a Directory Expressway-E (Dir Expe) in front of them
Dir Expe rules: Route header cm1.example.com -> target expe1.example.com; cm2.example.com -> expe2.example.com; cm3.example.com -> expe3.example.com; cm4.example.com -> expe4.example.com
Example: a call from the Internet with Route header cm3.example.com: signaling goes through Dir Expe to Expe3, then Expc3 and UCM3; media follows
Multiple Cluster Deployment Models
Regional UCM, Expressways and Connector Hosts: each region has its own UCM cluster, Expressway-E and Connector Host
Multiple UCM, single Expressways and Connector Host: UCM cluster1, cluster2 and cluster3 share one Expressway-E and one Connector Host
Regional UCM, single Connector Host and multiple Expressways: Region 1 and Region 2 each have their own UCM and Expressway-E, with a single Connector Host
Rule of thumb: Connector Host clusters = Expressway clusters used for SIP signaling and media
SME Architecture With UCM 12 and Above
SME Architecture for N >= 3 Sites (diagram)
Leaf clusters UCM EMEA, UCM APJC, UCM US, each with a Connector Host; SME 12.X between the leaf clusters and the Expressway-E/Internet
CFQDN of the UCM clusters / SIP Route Patterns on the SME: us-cm-pub.example.com -> UCM_US; emea-cm-pub.example.com -> UCM_EMEA; apjc-cm-pub.example.com -> UCM_APJC
Call Flow: Signaling (diagram)
Alice on UCM US, Bob on UCM EMEA; each leaf cluster (UCM EMEA, UCM APJC, UCM US) has its Connector Host (CTI/AXL); SIP between the SME and the leaf clusters
1. INVITE from Expressway-E to the SME: Route Header: us-cm-pub.example.com, INVITE sip:bob@example.com, From: alice@example.call.ciscospark.com
HCS Deployment
HCS Architecture with Multitenant Expressway-E (diagram)
Partner Data Center with Partner DMZ: a shared Expressway-E cluster handling SIP calls with the Cisco Collaboration Cloud (Spark) and Spark clients over the Internet
Per-customer VRFs in the partner data center (Customer 1 VRF, Customer 2 VRF), each with a Connector and an HTTP Proxy; Directory Connector on the customer premises (Customer 1 On-Prem, Customer 2 On-Prem)
Mid-Size Customers: Setup for 20,000 HCS Users (diagram)
Partner DMZ: 50 tenants per Expressway-E cluster; 20000 users with 6xLarge OVA
Customer 1 VRF: 1000 users with 2xMedium OVA
Customer 2 VRF: 500 users with 2xSmall OVA on BE6K
Customer 3 VRF: 300 users with 2xSmall OVA
Each VRF has a Connector and an HTTP Proxy; Directory Connector on the customer premises; SIP calls between the shared Expressway-E cluster, the Cisco Collaboration Cloud (Spark) and Spark clients
Small-Size Customers: Setup for 5,000 HCS Users (diagram)
Partner DMZ: 50 tenants per Expressway-E cluster; users with 6xMedium OVA
Customer 1 VRF: 100 users with 1xSmall OVA on a BE6K
Customer 2 VRF: 200 users with 2xSmall OVA on BE6K
Customer 3 VRF: 100 users with 1xSmall OVA
Each VRF has a Connector and an HTTP Proxy; Directory Connector on the customer premises; SIP calls between the shared Expressway-E cluster, the Cisco Collaboration Cloud (Spark) and Spark clients
Summary
Call Service Connect
Focus: Security, Authentication and Toll Fraud/Identity Theft Prevention
Architecture
Complete Your Online Session Evaluation
Please complete your Online Session Evaluations after each session. Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
Demos in the Cisco campus; Walk-in Self-Paced Labs; Tech Circle; Meet the Engineer 1:1 meetings; Related sessions.
Thank you
DNS SRV Tutorial
DNS SRV Records Refresher
SRV record format for SIP:
_sips._tcp.example.com. 86400 IN SRV 10 60 5062 expe.example.com.
_sips: name of the service
_tcp.example.com: protocol (TCP, UDP...) and domain name
86400: DNS Time-To-Live, how long the server caches the record before it flushes the cache
IN: DNS class, always IN
SRV: record type
10: priority, lowest value means preferred
60: weight, load-balances records with the same priority
5062: TCP or UDP port for the service
expe.example.com: target, hostname or IP address of the host providing the service
Service Discovery
_sips._tcp.example.com. 86400 IN SRV 10 60 5062 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5062 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5062 backupbox.example.com.
Dial: luca@example.com. The calling system queries _sips._tcp.example.com and receives the three records above. Calls are spread across the two priority-10 targets by weight, Bigbox 60% and Smallbox 40%; Backupbox (priority 20) is used only when the preferred targets are not available.
Real Scenario
_sips._tcp.example.com. 86400 IN SRV 10 10 5062 expe1.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5062 expe2.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5062 expe3.example.com.
Dial: abc@example.com. Three Expressway-E peers with equal priority and weight: expe1.example.com 33%, expe2.example.com 33%, expe3.example.com 33%.
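The selection the slides describe, run over the example.com records, as an added example that is not part of the deck: it parses the zone lines, orders targets by priority and RFC 2782 weighted random choice, and measures how first attempts are distributed for both the 60/40 case and the three-peer real scenario. The parser, the zone text and the function names are constructed for this example.

```python
# RFC 2782 SRV selection over the example.com records from the slides (added example).
import random
from collections import Counter

# Constructed copy of the zone lines shown on the slides.
SLIDE_ZONE = """\
_sips._tcp.example.com. 86400 IN SRV 10 60 5062 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5062 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5062 backupbox.example.com.
"""

def parse_srv_zone(text):
    """Parse zone-file SRV lines into (priority, weight, port, target) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue  # skip blanks and anything that is not an SRV RR
        prio, weight, port = (int(f) for f in fields[4:7])
        records.append((prio, weight, port, fields[7]))
    return records

def order_targets(records, seed=None):
    """(target, port) pairs in the order a client should try them (RFC 2782)."""
    # Lowest priority value first: backupbox is tried only after both
    # priority-10 hosts fail. Within a priority, weighted random pick,
    # so weights 60/40 give roughly a 60/40 split of first attempts.
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = sorted((r for r in records if r[0] == prio), key=lambda r: r[1])
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total)  # pool of weight-0 records: pick is 0
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append((rec[3], rec[2]))
                    pool.remove(rec)
                    break
    return ordered

def first_hop_share(records, trials=20000, seed=1):
    """Fraction of calls whose first attempt lands on each target."""
    rng = random.Random(seed)
    firsts = (order_targets(records, rng.getrandbits(64))[0][0] for _ in range(trials))
    counts = Counter(firsts)
    return {host: n / trials for host, n in counts.items()}
```

Because the target is a hostname, the TLS peer certificate presented on port 5062 has to be validated against that SRV target, which is why the certificate material earlier in the deck matters for service discovery.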
Enterprise Service Discovery for B2B
DNS SRV -> A-record -> IP address/port:
_sips._tcp.example.com (B2B with TLS) -> expe.example.com -> <public IP>:5061
_sips._tcp.mtls.example.com (MTLS) -> expe.example.com -> <public IP>:5062
Diagram: Call: bob@example.com from a 3rd-party Edge on the Internet, entering the corporate network through Exp-E and Exp-C to CUCM (steps 1 to 7 on the slide).
Spark Hybrid Cloud Service Discovery
Alice calls Bob: bob@example.com
DNS SRV -> A-record -> IP address/port:
_sips._tcp.callservice.ciscospark.com -> l2sip.ciscocloudexample.com -> A.B.C.D:5062
Diagram: CUCM, Exp-C, Exp-E and Bob, with the SIP URI bob@example.call.ciscospark.com (steps 1 to 7 on the slide).