Cisco Spark Hybrid Call Services Architecture and Design

Transcription:

BRKCOL-2202 Cisco Spark Hybrid Call Services Architecture and Design Luca Pellegrini Technical Marketing Engineer

Questions? Use Cisco Spark to communicate with the speaker after the session:
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#brkcol-2202
2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
- Introduction
- Call Service Aware and Connect
- CSC Global Reachability
- CSC Call Anchoring
- Certificates
- DNS Service Discovery
- Dial Plan
- Identity Theft and Toll Fraud Prevention
- Shared Expressway for Hybrid and B2B
- Deployment Models
- Multiple Clusters
- SME Architecture
- HCS Deployment

Cisco Spark Services Suite
A complete business collaboration service from the Cisco cloud that enables customers to message, meet, or call anyone, anywhere, and anytime.
Cisco Spark Services*: Cisco Spark Control Hub, Cisco Spark Messaging, Cisco Spark Meetings, Cisco Spark Rooms, Cisco Spark Board, Cisco Spark Hybrid Calling, Cisco Spark Care
*Cisco Spark is hosted and operated by Cisco, and sold by partners

Integrating Premises and Cloud
[Figure, repeated over several build slides: the Cisco Spark cloud on one side, the enterprise premises on the other, joined by the Edge Platform. Hybrid services and their premises counterparts: Directory (Microsoft AD; the connector runs on Windows), Calendar (Exchange / Office 365), Call (Cisco UCM*), Media (Hybrid Media, marked Future), KMS (Hybrid Data Security, marked Future). WebEx Messenger is shown on the cloud side. *Includes Business Edition or HCS]

Hybrid Service Architecture
[Figure, built up over several slides: on premises, Microsoft Exchange and Active Directory, a Directory Connector, and a Connector Host running the Management Connector, Calendar Connector and Call Connector. The Call Connector talks to Cisco Unified CM over AXL and CTI-QBE. Hybrid signaling for Directory, Calendar and Call goes to the cloud over HTTPS, optionally through an HTTP Proxy, across the internal FW. Call signaling and media cross the internal FW, the DMZ with Expressway-E and the DMZ FW to the Internet: a firewall traversal architecture with Expressways for hybrid call signaling and media.]

Call Service Architecture
[Figure: the same topology with the Call Connector highlighted. Hybrid signaling (AXL, CTI-QBE) to the cloud over HTTPS; SIP signaling and SRTP media between Expressway-E and the cloud over the Internet.]

Call Service Aware and Connect

Call Service Aware & Call Service Connect
Call Service Aware:
- Enables Cisco Spark users to share their screen using Spark
- Complements, and is aware of, Cisco UC calls and allows for Desktop Sharing
Call Service Connect:
- Depends on Call Service Aware
- Allows Cisco Spark users to call Cisco UC registered devices, as well as be called by Cisco UC users
- Together with Call Service Aware, enables users to manage a unified Spark and UC call history from the Cisco Spark calls tab

Call Service Aware/Connect Addressing
[Figure: in Cisco Unified CM, user Aaron Goodman has directory number +14085551234 and directory URI agoodman@ent-pa.com. Through the UCM interface the Connector Host provisions a Spark RD (remote destination) on the shared line +14085551234. In Cisco Spark Control Hub the same user is Aaron Goodman, agoodman@ent-pa.call.ciscospark.com.]

Spark RD Provisioning Through Connector Host
- Each UCM cluster needs to be provisioned on the Call Connector
- UCM needs an application user with:
  - Standard AXL API Access
  - Standard CTI Allow Control of All Devices
  - Standard CTI Enabled
  - Standard CTI Allow Control of Phones supporting Connected Xfer and conf
  - Standard CTI Allow Control of Phones supporting Rollover Mode
- Every end user must have a directory URI
- CFQDN (Cluster Fully Qualified Domain Name) has to be set to a unique value
- Manual or automatic provisioning of the Spark RD
  - Remote Destinations are always provisioned through the Connector
  - Spark RDs provisioned automatically use a single Device Pool, Location, Calling Search Space and Rerouting CSS

Call Service Connect Global Reachability

UCM to UCM Call
UCM releases where Spark RD is supported (with Connectors):
- 12.0(1): 12.0.1.10000-10
- 11.5(1) SU3: 11.5.1.13900-52
- 11.0(1a) SU3: 11.0.1.23900-5
- 10.5(2) SU5: 10.5.2.15900-8
[Figure: Bob is +14085551234 / bob@example.com with Spark RD bob@example.call.ciscospark.com. 1. Alice dials bob@example.com or +14085551234. 2. Cisco Unified CM rings Bob's phone and forks the call to the Spark RD. 3. The forked leg to bob@example.call.ciscospark.com leaves through Expressway-E over the Internet to the cloud.]

Spark to Spark Call
[Figure: Alice (alice@example.com, +14085551235) calls Bob (bob@example.com, +14085551234) from her Spark client. 1. The cloud sends the call towards the enterprise with calling alice@example.call.ciscospark.com and called bob@example.com. 2. It reaches Cisco Unified CM through Expressway-E. 3. UCM forks the call to Bob's phone and to his Spark RD bob@example.call.ciscospark.com. 4. The forked leg back to bob@example.call.ciscospark.com is cancelled.]

Call Service Connect Call Anchoring

Call Anchoring and Calling ID Preservation, Single UCM Cluster
[Figure, built up over several slides: Alice is +14085551235 / alice@example.com with Spark RD alice@example.call.ciscospark.com; Alice's CSS: Internal and Local calls. Bob is +19725555142 / bob@example.com. 1. Alice's Spark client calls Bob: calling alice@example.call.ciscospark.com, called bob@example.com. 2. Cisco Unified CM matches the calling ID to Alice's Spark RD, anchors the call on her line and rings Bob. Bob sees "Call from: Alice +14085551235 alice@example.com".]

Call Anchoring and CSS Preservation
Call anchoring is based on calling ID == RD.
[Figure: Alice (+14085551235, alice@example.com, Spark RD alice@example.call.ciscospark.com, CSS: Internal and Local calls) and Bob (+14085551234, bob@example.com, Spark RD bob@example.call.ciscospark.com, CSS: All Calls) each dial the PSTN number +390212345678 from Spark. 1. Calling ID alice@example.call.ciscospark.com (or bob@example.call.ciscospark.com), called ID +390212345678. 2. UCM anchors each call on the line whose RD matches the calling ID and routes it with that line's CSS.]

PSTN Call Flow
[Figure: Alice is +14085551234 / alice@example.com, Spark RD alice@example.call.ciscospark.com, line CSS: allow international calls. 1. Alice's Spark client dials +390212345678 with calling ID alice@example.call.ciscospark.com. 2. The call crosses the Internet to Expressway-E. 3. Expressway-E forwards it to Cisco Unified CM, still with called ID +390212345678 and calling ID alice@example.call.ciscospark.com. 4. UCM anchors the call on Alice's line and replaces the calling ID with +14085551234 / alice@example.com. 5. UCM routes the call to the PSTN audio or video gateway: called ID +390212345678, calling ID +14085551234.]

B2B Call Flow
[Figure: Alice is +14085551234 / alice@example.com, Spark RD alice@example.call.ciscospark.com. 1. Alice dials Bob@xyz.com from Spark. 2. The call crosses the Internet to Expressway-E with called ID Bob@xyz.com and calling ID alice@example.call.ciscospark.com. 3. Expressway-E sends it to Cisco Unified CM. 4. UCM anchors the call and rewrites the calling ID to alice@example.com. 5. UCM routes the call back out through Expressway-E as a B2B call: called ID Bob@xyz.com, calling ID alice@example.com. 6. The call reaches Bob@xyz.com over the Internet.]

Certificates for Authentication and Encryption

Identity Verification
- Expressway-E and the Cloud need to trust each other
- Public certificates are the preferred way to trust the remote peer's identity
- Public CAs issue certificates only after identity verification is successful
- The CN and SAN in the certificate are used to check the identity of the remote peer
- A certificate issued for a Cisco domain can't be issued to another organization, because the applicant must prove that it owns the domain

TLS Handshake with Mutual Authentication
[Figure: Client hello from the Cloud; Server hello from Expressway-E followed by its certificate; Certificate Request from Expressway-E, answered with the Cloud certificate.]
- Expressway-E checks the Cloud certificate for both inbound and outbound calls
- callservice.ciscospark.com must be included in the certificate presented by the Cloud

Cloud Certificate Used in Spark Hybrid Scenarios
- Common name: l2sip-cfa-01.ciscospark.com
- SANs: l2sip-cfa-01.ciscospark.com, l2sip-cfa-01.wbx2.com, l2sip-cfa-01-web.wbx2.com, l2sipcfa-web.wbx2.com, callservice.ciscospark.com, ...
- Organization: Cisco Systems, Inc.
- Location: San Jose, CA, US
- Valid from November 16, 2016 to November 16, 2018
- Serial Number: 08bd6c90982db954a25830361d7dcb4b441b719b
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: HydrantID SSL ICA G2

Authenticating the Cloud: Inbound Calls Example
[Figure: 1. Client hello from the Cloud to Expressway-E (expe.example.com). 2. Expressway-E returns its own certificate (ExpE Cert, public key). 3. The Cloud returns its certificate (Cloud Cert, public key, callservice.ciscospark.com), which Expressway-E checks against the DNS Zone configured as the trunk to the Cloud.]

Certificates and Certification Authorities
- Recommended option: the Cloud trusts certificates signed by specific certification authorities by default, see https://help.webex.com/docs/doc-4302
- The Cloud can be configured to trust (through manual upload):
  - a certificate signed by a private certification authority
  - a self-signed certificate
  - a certificate signed by a public CA that is not in the trusted list of the Cloud
- The Cloud will trust any of the above only if:
  - the CN or SAN includes the Expressway-E DNS name
  - the CRL (if present) is publicly reachable from the Internet
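The identity check the deck describes for the Expressway-E side (the peer certificate must carry callservice.ciscospark.com in its SAN, or in its CN when no SAN is present) looks like this in code. This is an added example and not Cisco's implementation: the certificate is modelled as the dict shape returned by Python's ssl getpeercert(), with subject, SANs and validity dates copied from the cloud certificate slide (time of day is not on the slide, so whole days are assumed), and the spoofed certificate is constructed. Name matching follows RFC 6125; validating the chain against the trusted CA list is left to the TLS stack.

```python
"""Peer certificate identity check: the name the deck requires must appear
in the SAN, with CN used only when the certificate has no dNSName at all."""
from datetime import date

REQUIRED_PEER_NAME = "callservice.ciscospark.com"   # from the deck

# Cloud certificate as listed on the slide (subset of fields; dates assumed
# to be whole days because the slide gives no time of day).
CLOUD_CERT = {
    "subject": ((("commonName", "l2sip-cfa-01.ciscospark.com"),),
                (("organizationName", "Cisco Systems, Inc."),)),
    "subjectAltName": (("DNS", "l2sip-cfa-01.ciscospark.com"),
                       ("DNS", "l2sip-cfa-01.wbx2.com"),
                       ("DNS", "l2sip-cfa-01-web.wbx2.com"),
                       ("DNS", "callservice.ciscospark.com")),
    "notBefore": "2016-11-16",
    "notAfter": "2018-11-16",
}

# Constructed attacker certificate: the CN claims the cloud name, the SAN
# does not. With a SAN present the CN must be ignored.
SPOOFED_CERT = {
    "subject": ((("commonName", "callservice.ciscospark.com"),),),
    "subjectAltName": (("DNS", "sip.attacker.example"),),
    "notBefore": "2018-01-01",
    "notAfter": "2019-01-01",
}


def dns_name_matches(pattern: str, name: str) -> bool:
    """RFC 6125 style match: case-insensitive, label by label; '*' is allowed
    only as the entire left-most label and needs at least two more labels,
    so '*.com' never matches 'ciscospark.com'."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == n[1:]
    return "*" not in pattern and p == n


def certificate_names(cert) -> list:
    """Identities the certificate asserts: dNSName SAN entries, falling back
    to the CN only when there is no dNSName at all."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]


def verify_peer(cert, on_date: str, required_name: str = REQUIRED_PEER_NAME):
    """Return (ok, reason) for a peer certificate checked on an ISO date."""
    today = date.fromisoformat(on_date)
    if not (date.fromisoformat(cert["notBefore"]) <= today
            <= date.fromisoformat(cert["notAfter"])):
        return False, f"certificate not valid on {on_date}"
    if not any(dns_name_matches(p, required_name) for p in certificate_names(cert)):
        return False, f"{required_name} not in SAN/CN {certificate_names(cert)}"
    return True, f"{required_name} matched"


if __name__ == "__main__":
    print(verify_peer(CLOUD_CERT, "2017-06-01"))    # ok
    print(verify_peer(CLOUD_CERT, "2019-01-01"))    # expired
    print(verify_peer(SPOOFED_CERT, "2018-06-01"))  # CN ignored, SAN present
```

The third call is the case that matters for the Default Zone discussion later in the deck: a certificate whose CN says callservice.ciscospark.com but whose SAN does not is rejected, because a SAN, once present, replaces the CN as the source of identity.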

Call Service Connect Service Discovery

TLS vs Dedicated MTLS Port on Expressway
- Any incoming TCP connection on port 5061 uses TLS: for B2B communications
- Any incoming TCP connection on port 5062 triggers the TLS handshake with mutual authentication: for Spark Hybrid communications

Standard SRV Records for SIP
SRV record format for SIP: TLS and MTLS are part of the same specification (RFC 5246); there is no separate record for MTLS.
- _sips._tcp.example.com -> port 5061, TLS: used for B2B (TLS only)
- _sips._tcp.mtls.example.com -> port 5062, TLS with mutual authentication: used in Spark Hybrid Services (MTLS)
- _sip._tcp.example.com -> port 5060, TCP
- _sip._udp.example.com -> port 5060, UDP

Enterprise Service Discovery for Spark Hybrid
DNS SRV -> A record -> IP address/port:
- _sips._tcp.example.com (B2B with TLS) -> expe.example.com -> <public IP>:5061
- _sips._tcp.mtls.example.com (MTLS) -> expe.example.com -> <public IP>:5062
[Figure, steps 1-7: Alice calls Bob (bob@example.com); the cloud identifies Bob's home cluster (CFQDN cucm.example.com), resolves _sips._tcp.mtls.example.com to Expressway-E's public IP and port 5062, and the call flows Exp-E -> Exp-C -> CUCM -> Bob.]

Verified Domains
- SIP domains must be verified, to prevent someone else from using that domain and to mitigate impersonation
- SIP domains must be publicly routable (no internal.local as Directory URI domain)

Verification Token
1. Get the token
2. Create the TXT record
3. Test the TXT record
Cisco recommends using the prefix cisco-ci-domain-verification= followed by the token, i.e. cisco-ci-domain-verification=123456789abcdef123456789abcdef123456789abcdef123456789abcdef

Inbound Calls: Authenticated vs Unauthenticated Traffic
TLS with mutual authentication and certificates on Expressway with a DNS Zone (expe.example.com):
- Default Zone: inbound trunk from any unknown destination. Non-authenticated traffic, certificate is NOT requested.
- Spark DNS Zone: trunk to Spark Hybrid. Authenticated traffic, certificate requested, CN/SAN = callservice.ciscospark.com.
- Dedicated box for Hybrid Services: block calls from the Default Zone
- Shared box: apply rules to non-authenticated traffic to filter calls

Dial Plan

Route Header and Request URI
- The Cloud populates forked calls with the CFQDN
- The Route header takes precedence over the Request URI
- CFQDN: enterprise parameter used in SIP routing decisions
  - Must be different from the Expressway system name, domain or DNS name
  - Can't contain wildcards
  - If wildcards are needed, you can add two entries, the first of which won't contain wildcards, e.g. CFQDN: us-cm-pub.example.com *.example.com

Home Cluster Routing: Route Headers and Request URIs
Cluster Fully Qualified Domain Names (with Connectors):
- EMEA cluster: CFQDN emea-cucm-pub.example.com; Directory URI bob@example.com; destination in Route header emea-cucm-pub.example.com
- US cluster: CFQDN us-cucm-pub.example.com; Directory URI alice@example.com; destination in Route header us-cucm-pub.example.com
[Figure: 1. Alice (US cluster) calls Bob from her Cisco Spark client. 2. The cloud populates the Route header from the CFQDN learned through the Call Connector. 3. The INVITE sent to Expressway-E carries Request URI sip:bob@example.com and Route header sip:us-cucm-pub.example.com. 4. The call is routed to us-cucm-pub.example.com according to the Route header.]

Spark Dial Plan with Multiple UCM Clusters
Expressway-E search rules (Spark DNS Zone <-> Spark Traversal Server zone):
| Priority | Rule Name      | Protocol | Source                 | Mode      | Target                 |
| 50       | Spark inbound  | Any      | Spark DNS Zone         | Any alias | Spark Traversal Server |
| 60       | Spark outbound | Any      | Spark Traversal Server | Any alias | Spark DNS Zone         |
Expressway-C search rules (Spark Traversal Zone <-> UCM_US, UCM_EMEA):
| Priority | Rule Name          | Protocol | Source | Mode                                     | Target                 |
| 50       | Spark inbound US   | Any      | Any    | Prefix: us-cm-pub.example.com            | UCM_US                 |
| 50       | Spark inbound EMEA | Any      | Any    | Prefix: emea-cm-pub.example.com          | UCM_EMEA               |
| 60       | Spark outbound     | Any      | Any    | Regex: .*@example\.call\.ciscospark\.com | Spark Traversal Server |
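The routing decision the Route Header slide and the Expressway-C search-rule table describe, as an added example (not Cisco's code): pick the alias from the Route header when there is one (it takes precedence over the Request URI), then walk the search rules in priority order. The rule set mirrors the Expressway-C table above; the INVITEs, including one naming a cluster that has no rule, are constructed.

```python
"""Expressway-C style alias routing: Route header before Request-URI,
then first matching search rule by ascending priority."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SearchRule:
    priority: int
    name: str
    mode: str          # "prefix", "regex" or "any" (alias pattern type)
    pattern: str
    target: str        # zone the call is routed to

    def matches(self, alias: str) -> bool:
        if self.mode == "any":
            return True
        if self.mode == "prefix":
            return alias.startswith(self.pattern)
        return re.fullmatch(self.pattern, alias) is not None


# Expressway-C rules from the deck's table (regex escaping corrected).
EXPC_RULES = [
    SearchRule(50, "Spark inbound US", "prefix", "us-cm-pub.example.com", "UCM_US"),
    SearchRule(50, "Spark inbound EMEA", "prefix", "emea-cm-pub.example.com", "UCM_EMEA"),
    SearchRule(60, "Spark outbound", "regex",
               r".*@example\.call\.ciscospark\.com", "Spark Traversal Server"),
]


def alias_from_uri(uri: str) -> str:
    """'<sip:host;lr>' -> 'host', 'sips:user@host;transport=tls' -> 'user@host'."""
    uri = uri.strip().strip("<>")
    uri = re.sub(r"^sips?:", "", uri)
    return uri.split(";", 1)[0]


def routing_alias(invite: dict) -> str:
    """The Route header, when present, takes precedence over the Request-URI."""
    return alias_from_uri(invite.get("Route") or invite["Request-URI"])


def select_target(invite: dict, rules=EXPC_RULES):
    """First matching rule in ascending priority order, or None when nothing
    matches (the call fails to route; safe for an unknown cluster name)."""
    alias = routing_alias(invite)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(alias):
            return rule.target
    return None


# Constructed INVITEs: same Request-URI, different Route headers
FROM_CLOUD_TO_US = {"Request-URI": "sip:bob@example.com",
                    "Route": "<sip:us-cm-pub.example.com;lr>"}
FROM_CLOUD_TO_EMEA = {"Request-URI": "sip:bob@example.com",
                      "Route": "<sip:emea-cm-pub.example.com;lr>"}
FROM_UCM_TO_SPARK = {"Request-URI": "sip:bob@example.call.ciscospark.com"}
UNKNOWN_CLUSTER = {"Request-URI": "sip:bob@example.com",
                   "Route": "<sip:apac-cm-pub.example.com;lr>"}

if __name__ == "__main__":
    for inv in (FROM_CLOUD_TO_US, FROM_CLOUD_TO_EMEA, FROM_UCM_TO_SPARK, UNKNOWN_CLUSTER):
        print(routing_alias(inv), "->", select_target(inv))
```

The two cloud INVITEs carry the identical Request URI bob@example.com and land on different clusters purely because of the Route header, which is the point of the CFQDN mechanism.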

Identity Theft and Toll Fraud Prevention

Simulating a Spark Hybrid Identity Through a B2B Connection
[Figure: Alice is +14085551234 / alice@example.com with Spark-RD alice@example.call.ciscospark.com. A hacker on the Internet, simulating Alice with calling ID alice@example.call.ciscospark.com, dials bob@example.com. 1. The call reaches Expressway-E as "Call from Alice". 2. Expressway-E forwards it to Cisco Unified CM. 3. UCM rings Bob.]
1. The hacker spoofs a user's Spark SIP address as calling ID and dials another user, or the PSTN
2. Because he can't use the cloud certificate, the call enters the Default Zone

PSTN Call Allowed Based on Alice's CSS
[Figure: the hacker, simulating Alice with calling ID alice@example.call.ciscospark.com, dials 9393357454076. 1. The call enters through Expressway-E. 2. Cisco Unified CM matches the calling ID to Alice's Spark RD and anchors the call on her line. 3. The call goes out to the PSTN with Alice's CSS and caller ID Alice Office +1 (408) 555-1234.]

Expressway Mitigating Toll Fraud
[Figure: the Traversal Server Zone and the Spark DNS Zone are marked Authenticated; the B2B (Default) Zone is unauthenticated.]
- The zone authentication policy marks traffic as authenticated (P-Asserted-Identity trusted in the Spark DNS Zone) or unauthenticated (PAI removed from calls hitting the Default Zone)
- Call policy rules are applied to the source zone or to unauthenticated traffic

Checking the Calling Alias
Any call from the Internet whose calling ID contains example.call.ciscospark.com but that did not authenticate with the cloud certificate enters the Default Zone. A From Address call policy rule rejects it:
| Rule Applies To | Source Pattern                      | Destination Pattern | Action |
| Unauthenticated | (.*)@example\.call\.ciscospark\.com | .*                  | Reject |

2nd Line of Defense: Trusted Identity on UCM
- Traversal client, traversal server and UCM neighbor zones preserve the PAI if the authentication policy is set to check credentials or to treat as authenticated
- Trunk on UCM 12 set to "Trust PAI Only": UCM trusts the identity and anchors the call only if it carries a PAI
  - For calls with PAI, the CSS of the line is used to route the call
  - For calls without PAI, the CSS of the trunk is used to route the call
[Figure: SIP messages with PAI flow between Expressway-E and CUCM; SIP messages arriving from B2B peers have no PAI.]
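Both lines of defence from this section in one runnable model, as an added example and not Cisco's code: on Expressway-E the zone authentication policy strips P-Asserted-Identity from unauthenticated traffic and the From Address call policy rule rejects unauthenticated calls whose calling alias looks like a Spark RD; on Unified CM a trunk set to "Trust PAI Only" anchors the call on the line, and uses the line CSS, only when a PAI survived. The zone names, the source pattern and the PSTN digits come from the deck; the CSS names, the trunk CSS and the INVITEs are constructed.

```python
"""Toll-fraud defences: Expressway-E zone authentication + call policy,
then Unified CM 'Trust PAI Only' anchoring."""
import re
from dataclasses import dataclass, replace
from typing import Optional

SPARK_ALIAS = r"(.*)@example\.call\.ciscospark\.com"   # call policy source pattern


@dataclass(frozen=True)
class Zone:
    name: str
    authenticated: bool   # outcome of the zone authentication policy


DEFAULT_ZONE = Zone("Default Zone", authenticated=False)     # no cert requested
SPARK_DNS_ZONE = Zone("Spark DNS Zone", authenticated=True)  # MTLS, cloud cert verified


@dataclass(frozen=True)
class Invite:
    from_alias: str
    to_alias: str
    pai: Optional[str] = None    # P-Asserted-Identity as sent by the peer


@dataclass(frozen=True)
class CallPolicyRule:
    unauthenticated_only: bool
    source_pattern: str
    destination_pattern: str
    action: str


CALL_POLICY = [CallPolicyRule(True, SPARK_ALIAS, r".*", "Reject")]


def expressway_e(invite: Invite, zone: Zone, rules=CALL_POLICY):
    """Zone authentication policy first (PAI removed from unauthenticated
    traffic), then call policy. Returns (action, invite as forwarded)."""
    forwarded = invite if zone.authenticated else replace(invite, pai=None)
    for rule in rules:
        if rule.unauthenticated_only and zone.authenticated:
            continue
        if (re.fullmatch(rule.source_pattern, forwarded.from_alias)
                and re.fullmatch(rule.destination_pattern, forwarded.to_alias)):
            return rule.action, forwarded
    return "Allow", forwarded


# Spark RD alias -> (owner's DN, CSS of the owner's line); constructed values
SPARK_RDS = {
    "alice@example.call.ciscospark.com": ("+14085551235", "CSS_InternalLocal"),
    "bob@example.call.ciscospark.com": ("+14085551234", "CSS_AllCalls"),
}
TRUNK_CSS = "CSS_TrunkInbound"   # assumed name; what it permits is a design choice


def ucm_trust_pai_only(invite: Invite) -> dict:
    """Anchor on the matching Spark RD and route with the line CSS only when
    a PAI is present; otherwise the call is plain inbound trunk traffic."""
    if invite.pai and invite.pai in SPARK_RDS:
        dn, css = SPARK_RDS[invite.pai]
        return {"anchored": True, "calling_id": dn, "css": css}
    return {"anchored": False, "calling_id": invite.from_alias, "css": TRUNK_CSS}


def handle_call(invite: Invite, zone: Zone) -> dict:
    action, forwarded = expressway_e(invite, zone)
    if action != "Allow":
        return {"decision": action, "zone": zone.name}
    return {"decision": "Allow", "zone": zone.name, **ucm_trust_pai_only(forwarded)}


# Constructed calls: the genuine cloud leg and two spoofing attempts
ALICE_FROM_CLOUD = Invite("alice@example.call.ciscospark.com", "9393357454076",
                          pai="alice@example.call.ciscospark.com")
SPOOF_FROM_ALIAS = ALICE_FROM_CLOUD          # identical INVITE, but from the Internet
SPOOF_PAI_ONLY = Invite("anyone@attacker.example", "9393357454076",
                        pai="alice@example.call.ciscospark.com")

if __name__ == "__main__":
    print(handle_call(ALICE_FROM_CLOUD, SPARK_DNS_ZONE))   # anchored, line CSS
    print(handle_call(SPOOF_FROM_ALIAS, DEFAULT_ZONE))     # rejected at Expressway-E
    print(handle_call(SPOOF_PAI_ONLY, DEFAULT_ZONE))       # PAI stripped, trunk CSS
```

The third case is why the second line of defence exists: an attacker who avoids the Spark alias in the From header slips past the call policy rule, but because the Default Zone strips his PAI, UCM never anchors the call on Alice's line and the trunk CSS, not her line CSS, decides whether the PSTN number is reachable.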

Demo

Deployment Models

Expressway Cluster Capacity
- Expressway-C and Expressway-E used for signaling and media can be clustered following the Expressway clustering guidelines
  - Up to 6 servers in the same cluster in 2:1 redundancy
  - All servers active
  - Cluster capacity: 4 times the capacity of a single box, due to the 2:1 redundancy model
- Connector Host
  - 1:1 redundancy for Calendar and Call Connector
  - All servers active

Connectors and Media on a Shared Expressway
[Figure, built up over several slides: Active Directory and Microsoft Exchange with the Directory Connector on premises; a single Connector Host running the Management, Calendar and Call Connectors and also carrying SIP signaling and media towards Cisco Unified CM; Internal FW, DMZ with Expressway-E, DMZ FW, Internet.]
- Connector Host services plus SIP signaling and media for Hybrid Services only
- Scalability for MRA and B2B together with the Connectors is not tested

Capacity for Connector Host
- Dedicated to Connector hosting:
  - 5000 users with medium OVA per server
  - 15000 users with medium OVA per 6-peer cluster
  - Testing in progress!
- Shared with SIP signaling and media for Hybrid Services (no MRA, no B2B):
  - 500 users with small OVA
  - 2000 users with medium OVA and a 2-server cluster
  - Testing in progress!

BE6000H Example Configuration for 500 Users with Shared Connector Host (diagram)
BE6000H Primary and BE6000H Secondary hosting: Unified CM (1000 Users OVA), Directory Connector(1), Unity Connection, Expressway-C (Small OVA), Expressway-E (Small OVA), Prime
(1) Directory Connector can be deployed with HA

BE7000 Example Configuration for 2,000 Users and Shared Connector Host (diagram)
BE7000H Primary, Secondary and Tertiary hosting: UCM Cluster (2500 Users OVA: pub, sub1, sub2, tftp1, tftp2), Unity Connection, Expressway-C (Medium OVA), Expressway-E (Medium OVA), CER, Directory Connector, Prime

Architecture for 10,000 Users (diagram)
Connector Host: Medium OVA
Cisco Unified CM Cluster: 7500 Users OVA (Publisher, TFTP, Call Control)
Expressway Large OVA Clusters (call control) and Expressway-E Large OVA Clusters
Directory Connector

Multiple Clusters

Dual Clusters: Outbound Calls (diagram)
Two Connector Hosts and two Expressway-E attached to CUCM; signaling and media paths shown

Inbound Calls with Two Datacenters
The call can be sent to either of the two datacenters; this is achieved through DNS SRV records with equal weight and priority for all Expressway-E servers in both datacenters
The Route header carries the calling user's home cluster
Every Expressway-E is configured to send the call either to its associated cluster or to the remote Expressway-E, based on the Route header

Inbound Calls: Called and Calling on Same Cluster, DNS Configuration (diagram)
DNS SRV                        Target                  Priority  Weight
_sips._tcp.mtls.example.com    emea-expe.example.com   10        10
EMEA Site: CUCM EMEA behind emea-expe.example.com; US Site: CUCM US behind us-expe.example.com
Calls are sent to the EMEA cluster

Inbound Calls: Called and Calling on Same Cluster, Signaling (diagram)
Directory URI        Destination in Route Header
alice@example.com    us-cm-pub.example.com
bob@example.com      us-cm-pub.example.com
Search rules on Expressway-E EMEA (emea-expe.example.com):
Rule emea-cm-pub.example.com   Target EMEA
Rule us-cm-pub.example.com     Target Expressway-E US
Search rules on Expressway-E US (us-expe.example.com):
Rule us-cm-pub.example.com     Target US
Rule emea-cm-pub.example.com   Target Expressway-E EMEA
1. Alice calls Bob
2. INVITE to Expressway-E EMEA, which routes it to the US Expressway-E
   Route Header: us-cm-pub.example.com
   INVITE sip:bob@example.com
   From: alice@example.call.ciscospark.com
3. Route to home cluster (us-expe.example.com)
4. Route to destination (Bob, US Site)

Inbound Calls: Called and Calling on Same Cluster, Media (diagram)
Same Directory URI mapping and search rules as the signaling slide; diagram labels: Alice, Bob, Expressway-E EMEA (emea-expe.example.com), Expressway-E US (us-expe.example.com), EMEA Site, US Site

Directory Expressway Architecture for N > 3 Sites (diagram)
Corporate Network: UCM1..UCM4 with Expc1..Expc4 and Expe1..Expe4, plus a Directory Expressway-E (Dir Expe) facing the Internet
Search rules on the Directory Expressway-E:
Rule cm1.example.com   Target expe1.example.com
Rule cm2.example.com   Target expe2.example.com
Rule cm3.example.com   Target expe3.example.com
Rule cm4.example.com   Target expe4.example.com
Example: a call with Route Header cm3.example.com is forwarded to expe3.example.com; signaling and media paths shown
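As an added illustration (not part of the deck), the following Python models the Route-header routing described on the two-datacenter signaling slide and on the Directory Expressway slide: the Expressway-E reads the home-cluster FQDN from the Route header and applies its search rules to deliver the call locally or forward it to the remote Expressway-E. The INVITE, the rule tables as dicts and the reject-on-no-match behaviour are constructed here; the reject policy is an assumption, not something the slides state.

```python
import re
from typing import Optional, Tuple

# Constructed INVITE modelled on the slide's call flow (not a captured message).
INVITE_FROM_CLOUD = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Route: <sip:us-cm-pub.example.com;lr>\r\n"
    "From: <sip:alice@example.call.ciscospark.com>\r\n"
    "To: <sip:bob@example.com>\r\n\r\n"
)

def route_header_host(invite: str) -> Optional[str]:
    """Host carried in the topmost Route header, or None if there is none."""
    m = re.search(r"^Route:\s*<sips?:([^;>\s]+)", invite, re.MULTILINE | re.IGNORECASE)
    return m.group(1).lower() if m else None

# Search rules as on the slides: the cluster FQDN in the Route header maps either to
# the local Unified CM cluster or to the Expressway-E that fronts the home cluster.
EMEA_EXPE_RULES = {"emea-cm-pub.example.com": "EMEA",
                   "us-cm-pub.example.com": "us-expe.example.com"}
US_EXPE_RULES = {"us-cm-pub.example.com": "US",
                 "emea-cm-pub.example.com": "emea-expe.example.com"}
# Directory Expressway-E for N > 3 sites: every rule forwards, nothing is local.
DIRECTORY_RULES = {f"cm{i}.example.com": f"expe{i}.example.com" for i in range(1, 5)}

def next_hop(rules: dict, invite: str, local_cluster: Optional[str]) -> Tuple[str, str]:
    """What this Expressway-E does with the INVITE:
    ('local', host)    -> hand it to this site's Expressway-C / Unified CM
    ('forward', expe)  -> relay it to the Expressway-E of the home cluster
    ('reject', why)    -> no matching rule; refusing (hypothetical policy, not a
                          slide statement) avoids relaying for unconfigured hosts."""
    host = route_header_host(invite)
    if host is None:
        return ("reject", "no Route header")
    target = rules.get(host)
    if target is None:
        return ("reject", f"no search rule for {host}")
    if target == local_cluster:
        return ("local", host)
    return ("forward", target)

def trace(invite: str):
    """Walk the slide's flow: cloud -> EMEA Expressway-E -> US Expressway-E -> US CM."""
    hops = [next_hop(EMEA_EXPE_RULES, invite, "EMEA")]
    if hops[-1] == ("forward", "us-expe.example.com"):
        hops.append(next_hop(US_EXPE_RULES, invite, "US"))
    return hops
```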

Multiple Cluster Deployment Models (diagram)
Regional UCM, Expressways and Connector Hosts: Region 1 and Region 2 each with their own UCM, Expressway-E and Connector Host
Multiple UCM, Single Expressway and Connector Host: UCM cluster1, cluster2 and cluster3 behind one Expressway-E and one Connector Host
Regional UCM, Single Connector Host and Multiple Expressways: Region 1 and Region 2 each with their own UCM and Expressway-E, sharing a single Connector Host
Rule of Thumb: Connector Host clusters = Expressway clusters used for SIP Signaling and Media

SME Architecture With UCM 12 and Above

SME Architecture for N >= 3 Sites (diagram)
UCM EMEA, UCM APJC and UCM US, each with its own Connector Host, behind an SME 12.X that is reached from the Expressway-E and the Internet
CFQDN of UCM Clusters / SIP Route Patterns   Destination
us-cm-pub.example.com                        UCM_US
emea-cm-pub.example.com                      UCM_EMEA
apjc-cm-pub.example.com                      UCM_APJC

Call Flow: Signaling (diagram)
Labels: Bob, UCM EMEA, Alice, UCM APJC, UCM US, one Connector Host per cluster, SME; CTI/AXL and SIP legs
1. INVITE from Expressway-E:
   Route Header: us-cm-pub.example.com
   INVITE sip:bob@example.com
   From: alice@example.call.ciscospark.com

HCS Deployment

HCS Architecture with Multitenant Expressway-E (diagram)
Partner DMZ: Shared Expressway-E Cluster handling SIP Calls to and from the Cisco Collaboration Cloud (Spark)
Partner Data Center: Customer 1 VRF and Customer 2 VRF, each with a Connector and an HTTP Proxy
Customer Prem: Customer 1 On-Prem and Customer 2 On-Prem, each with a Directory Connector; Spark clients connect over the Internet

Mid-Size Customers: Setup for 20,000 HCS Users (diagram)
Partner DMZ: shared Expressway-E cluster, 50 tenants per Expressway-E cluster, 20000 users with 6xLarge OVA
Customer 1 VRF: 1000 users with 2xMedium OVA
Customer 2 VRF: 500 users with 2xSmall OVA on BE6K
Customer 3 VRF: 300 users with 2xSmall OVA
Each VRF has a Connector and an HTTP Proxy; SIP calls flow between the Spark clients, the Cisco Collaboration Cloud (Spark) and the customer premises

Small-Size Customers: Setup for 5,000 HCS Users (diagram)
Partner DMZ: shared Expressway-E cluster, 50 tenants per Expressway-E cluster, 6xMedium OVA
Customer 1 VRF: 100 users with 1xSmall OVA on a BE6K
Customer 2 VRF: 200 users with 2xSmall OVA on BE6K
Customer 3 VRF: 100 users with 1xSmall OVA
Each VRF has a Connector and an HTTP Proxy; SIP calls flow between the Spark clients, the Cisco Collaboration Cloud (Spark) and the customer premises

Summary
Call Service Connect
Focus: Security, Authentication and Toll Fraud/Identity Theft Prevention
Architecture

Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#brkcol-2202

Complete Your Online Session Evaluation
Please complete your Online Session Evaluations after each session
Complete 4 Session Evaluations and the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Tech Circle
Meet the Engineer 1:1 meetings
Related sessions

Thank you

DNS SRV Tutorial

DNS SRV Records Refresher
SRV record format for SIP:
_sips._tcp.example.com 86400 IN SRV 10 60 5062 expe.example.com
_sips: name of the service
_tcp.example.com: protocol (TCP, UDP...) and domain name
86400: DNS Time-To-Live, how long the server caches the record before it flushes the cache
IN: DNS class, always IN
SRV: record type
10: priority, the lowest priority value is preferred
60: weight, load-balances records with the same priority
5062: TCP or UDP port for the service
expe.example.com: target, hostname or IP address of the host providing the service

Service Discovery (animation built up over several slides)
_sips._tcp.example.com. 86400 IN SRV 10 60 5062 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5062 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5062 backupbox.example.com.
Dial: luca@example.com
The client queries _sips._tcp.example.com and receives the three records
Calls are split between Bigbox (60%) and Smallbox (40%), the two targets with priority 10
Backupbox (priority 20) is used only if the priority-10 targets are unavailable

Real Scenario
_sips._tcp.example.com. 86400 IN SRV 10 10 5062 expe1.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5062 expe2.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5062 expe3.example.com.
Dial: abc@example.com
Equal priority and weight: expe1.example.com, expe2.example.com and expe3.example.com each receive 33% of the calls
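As an added example (not from the deck), this Python parses the SRV records shown on the Service Discovery slides and applies the selection rule the refresher describes: the lowest priority wins, weight splits calls among targets of the same priority, and the priority-20 backup is used only when the priority-10 targets are unavailable. The zone text is copied from the slides; the functions and the reachability check are constructed.

```python
import random
from collections import Counter, defaultdict

# Zone snippet copied from the "Service Discovery" slides (constructed, not a live lookup).
ZONE = """\
_sips._tcp.example.com. 86400 IN SRV 10 60 5062 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5062 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5062 backupbox.example.com.
"""

def parse_srv(zone):
    """Parse 'name ttl IN SRV priority weight port target' lines into dicts."""
    records = []
    for line in zone.splitlines():
        f = line.split()
        if len(f) != 8 or f[2] != "IN" or f[3] != "SRV":
            continue  # skip anything that is not an SRV record
        records.append({"name": f[0].rstrip("."), "ttl": int(f[1]),
                        "priority": int(f[4]), "weight": int(f[5]),
                        "port": int(f[6]), "target": f[7].rstrip(".")})
    return records

def select_target(records, unavailable=(), rng=random):
    """RFC 2782 selection: the lowest priority value wins; within that priority the
    weight sets each target's share of calls. Unreachable targets are skipped, so
    the next priority level (the backup) is used only when the preferred ones fail."""
    by_priority = defaultdict(list)
    for r in records:
        if r["target"] not in unavailable:
            by_priority[r["priority"]].append(r)
    for prio in sorted(by_priority):
        group = by_priority[prio]
        weights = [r["weight"] for r in group]
        if sum(weights) == 0:
            chosen = rng.choice(group)  # all weights 0: any of them is acceptable
        else:
            chosen = rng.choices(group, weights=weights)[0]
        return chosen["target"], chosen["port"]
    return None  # nothing reachable at any priority

def share(records, dials=10000, seed=1, unavailable=()):
    """Fraction of dials landing on each target (the slides' 60% / 40% split)."""
    rng = random.Random(seed)
    hits = Counter(select_target(records, unavailable, rng)[0] for _ in range(dials))
    return {t: n / dials for t, n in hits.items()}
```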

Enterprise Service Discovery for B2B (diagram)
DNS SRV                       Use           A-record          IP Address/port
_sips._tcp.example.com        B2B with TLS  expe.example.com  <public IP>:5061
_sips._tcp.mtls.example.com   MTLS          expe.example.com  <public IP>:5062
Call: bob@example.com from a 3rd-party edge on the Internet; numbered steps 1-4 cover the SRV and A-record lookups, then the call reaches Exp-E (5) and Exp-C (6) in the corporate network and CUCM (7)

Spark Hybrid Cloud Service Discovery (diagram)
Alice calls Bob (bob@example.com)
DNS SRV                                  A-record                       IP Address/port
_sips._tcp.callservice.ciscospark.com    l2sip.ciscocloudexample.com    A.B.C.D:5062
Bob's Spark address is bob@example.call.ciscospark.com; numbered steps 1-7 run between CUCM, Exp-C, Exp-E and the cloud