Unified Collaboration Architecture

TECCOL-2982

Unified Collaboration Architecture Greg Schalmo – Senior Technical Solutions Architect Justin Jordan – Technical Solutions Architect Dennis Fogler– Senior Systems Engineering Manager Wes Wiley – Technical Solutions Architect Agenda • Introduction

• Preferred Architecture

• Identity and Collaboration Tools

• Premise Architecture

• Hybrid Architecture

• Cloud Architecture

• Licensing

• Customer Care

• Conclusions and Q&A

• 30-40 page Documents

• Prescriptive design guidance

• Modular and scalable Design Base for Any Customer

What products to use to enable users for Unified Communications for simple deployments? Prescriptive Concise Tested best recommendations Documents practices

• Cisco Validated Design Guides (CVDs) • Two types of CVDs: • Technology Guides • Solution Guides

• Solution Reference Network Design (SRND) • 1,200 page comprehensive document covering network, endpoints, and all UC applications. Focus on design considerations and guidelines.

• Product Configuration and Deployment Guides • Step by step instructions for deploying specific products or solutions. Updated with each software release.

Collaboration Sub-Systems

Applications

Mobile/Teleworker Call Control Internet Collab Edge

MPLS WAN Conferencing Remote Site

Endpoints PSTN / ISDN

• Cisco Preferred Architecture for Enterprise Collaboration

• Cisco Preferred Architecture for Mid-Market Collaboration

• Cisco Preferred Architecture for Mid-Market Voice

• Cisco Preferred Architecture for Video

• Official URL:

• http://www.cisco.com/go/cvd/collaboration

• Shortcut:

• http://cs.co/pa4collab

Access Provisioning Entitlements Secure Attribute Management (Manual, Directory Sync, (Enable & Disable Service Exchange SCIM, SAML JIT) for user, group or tenant) (Authentication & Authorization)

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 11 • Existing identity stores/syncs Current Identity Challenge • Existing contact stores • Existing contact/directory interfaces • Existing WebEx SSO mechanisms

CLIENTS • Existing UC SSO mechanisms • Existing authz token mechanisms

GUI/ HTTP/ EDI/LDAP SAML UDS GUI/ GUI/ XMPP SOAP/ SOAP XMPP TUI HTTP

SAML WEBEX SERVICES UC SERVICES

SAML TMS OpenAM API

IDENTITY IDENTITY MANAGEMENT .csv MANAGEMENT

FTP UNIFIED LDAP CAS/NMTG Prime API

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 12 What Does All This Mean? Identity Matters! • Cisco Collaboration Solutions are not owners of identity, they are consumers • Not multi-domain capable for all protocols and rolls, IM vs. SIP vs. Messaging • No password change or enforcement capabilities

• An Email address or UPN are the only fields that can be used for a UserID across the portfolio, although you can sync with this field it can cause other design changes if you are trying to deploy more than one role in the portfolio

• Single Sign-On and Edge solutions require unique left hand ID’s ([email protected]) across the entire portfolio that match in all systems if you want to use all of the auto provisioning and placement tools

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 13 Identity Considerations Why the concern • Communications Manager is capable of ingesting multiple domains, but can only point to two authentication source • All domains should be consolidated into a single digest system for authentication

• Communications Manager has a character limit on the domain field (255 characters) • May require multiple cluster depending on number and length of domains

• For multiple domain situations, Communications Manager 10.5.2 or later is required for Flexible JID

Mobile Workers Teleworkers LDAP Domain = sales.cisco.com = (right hand) B2B TDM or • Account = bob.smith = (left hand) CMR IP PBX • Email = [email protected] • PSTN Email Addresses can change Consumers Or • Department Transfers - sales  engineering IP PSTN • Name Changes (marriage or by choice) Third Branch • If we use email address as the userID it Parties Office requires IT to delete and recreate a user in Cloud Analog all of the connected applications and tools if Services Devices any change happens

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 15 Three Components of an Identity System • Account • An individual’s identifier: should be globally unique • Typically, this does not change • For example, Employee ID or User ID • Authentication • Mechanism used to identify the user is who they say they are • Can be based on any attribute supported by the directory vendor or the Identity Management System (IdMS) • Examples: • Active Directory supports authentication using SAM Account, UPN, or user logon name • IdMS can support SAM Account, Employee ID, Email, etc. • Authorization • A users ability, or permission, to access resources or services

• All users have a single TOP LEVEL Identifier that does not change • All other attributes are defined as variables under the user account on the IDP • Account or Logon – globally unique left hand • Telephone Number – 10 or 11 digit, E.164, or + Number ID • Email Address – derived from Acct and mail domain • IM Address – derived from Acct and IM domain • SIP Address – derived from Acct and video domain

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 17 Identity Workflow Agency Microsoft Domains and Services IDENTITY MANAGEMENT ITS, TAX, ETC Top Level Domain (NY.GOV) Cloud Services

Standard Attributes Collaboration Tools Contained in Identity (NY.GOV) • ID – Emp ID or GUID • SaMAcct • Telephone # • SIP Address • IM Address • Email Address End User Applications Non Microsoft

• Globally unique left hand user-id should be used (there can be only one bob!)

• Use a SAMLv2 IdP for all your local and cloud systems (Oasis Standard)

• Ensure all data is in your IdP, and ensure that it is correct • Unique left hand • Telephone Numbers (E.164 or + Number format recommended) • Proper Group Access and Assignment

• IdP must be accessible locally as well as from the internet

• Messaging

• Conferencing

• Applications

• Network Considerations

• Remote Access

Pocket

Cisco® Cisco Webex Service Collaboration Message | Meeting | Call Cloud

Cisco Hybrid

Cisco Collaboration Edge Architecture Cisco On-Premises and Unified Customer Partner-Hosted HCS Conferencing Communications Care Boardroom

End to End Security

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 22 Call Control and Core Services Call Control Architecture and Deployment Models: Simplification • Recommendation: Centralized Call Processing Model (Single Call Processing Cluster)

• Full-Mesh Distributed Call Processing Deployment Model (Multiple Call Processing clusters) may be required. This model is based on multiple iterations of the Centralized Call Processing Deployment Model

IM&P UCM IM&P UCM IM&P UCM

Branch1 Branch2 Branch1 Branch2 Branch1 Branch2

• Collaboration-friendly dial plan which makes easy to add video to voice, IM&P to voice and video • Simplified deployment model, design, dial-plan, video, IM&P integration, sizing, etc.

• Modular architectural approach which enables better scalability

• Add additional services avoiding re-configuration costs

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 25 Single Cluster or Multi Cluster When and why to consider • Multiple Domains • Because many of the systems are not multi-domain capable for all functions and not all customers can deploy an IdP or consolidate domains

• Risk Averse Lines of Business • If you have critical business services that cause you to not upgrade on normal schedules because of fear of change or business impact

• International or High Latency Links • Any time latency between sites exceeds recommended deployment guidelines for real time communications or database replication

• Alpha clusters for user acceptance and testing – HIGHLY RECOMENDED

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 26 Reasons for Deploying a SME Cluster Functions that a SME Cluster Offer • Centralized Dial Plan • Mobility Features • Globalize and Normalize the called and • Offer Single Number Reach calling numbers used by al leaf systems functionality to devices on 3rd Party • Mange overlapping number ranges in UC systems Leaf systems • Offer Extend and Connect • Configure “find me” call routing using functionality to devices on 3rd Party Route List and Route Groups UC systems • Re-route calls via PSTN when the device cannot be reached via IP path • Normalization Scripting • PSTN trunk consolidation and dynamic • Allow you to modify inbound and re-routing outbound SIP message and SDP body content – simplifying interoperability with 3rd party UC systems

• A CUCM cluster and a SME cluster use exactly the same software

• A CUCM cluster is typically used to register phones

• A SME cluster is typically used as a platform for Trunk and Dial Plan aggregation

• Both CUCM and SME support Voice, Video, and Encrypted calls

CUBE CUBE CUBE H323 Trunk MGCP Trunk SIP Trunk

• Extension Mobility Cross Cluster (EMCC) • Inter-Cluster Lookup Service (ILS) • Public Space Phones • Allows CUCM to learn about remote clusters without the need for an administrator to • Contact Center Agents manually configure connections between each • Hoteling cluster • TFTP (proxy TFTP Server) • ILS URI Replication feature enables ILS to exchange directory URI catalogs with the other • Allows all endpoints to point to a single TFTP clusters in an ILS network. URI Replication server and be redirected to the correct “home provides support for intercluster URI dialing server” for config and registration • RSVP Agent • PSTN Access • Allows local vs. home cluster media resources • PSTN Access for all cross cluster members for EMCC devices

• Location Bandwidth Manager (LBM) • Allows for full-mesh replication of their cluster topology

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 29 Communications Manager Architecture The center of the collaboration experience • All current and capable shipping endpoints register to CUCM • Soft-clients, Personal Endpoints, and Room Systems register here!

• Single SIP domain (cluster wide setting)

• CUCM is first and always is a directory number based system

• Always use FQDN • Put Hostnames, DNS servers, and Domains on systems when upgrading or installing • Install certificates on all internal and public facing systems (use a trusted CA, not self-signed or internal CA) • Turn ON Encryption on all UC infrastructure!!

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 30 Premise Architecture with Video Registration Prime IP Phones UC Manager 11.X and Beyond (Combined Voice & Telepresence) Jabber Win, Expressway-C Expressway-E Mac, iOS and Android Internet

DX Series

SX and MX Any Endpoint Series DX/MX/SXJabber Win, Series Mac, iOS and IX Series Android TMS Lync

VCS Control PSTN Cisco Meeting Server

IP PSTN

• Multiparty bridging for audio and video, for all types of . More exciting new endpoints! conferences now consolidated under Conductor with SIP – DX series endpoints provide all of the “phone” features with CE TMS for scheduling and meeting management code H.323 – SVC/AVC and H.265 support in single-scree endpoints SCCP, MGCP, • Best Effort Early Offer and bridges ISDN • Full provisioning of TC and CE endpoint device-specific parameters

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 31 Dial Plan Numbering Plan • Use +E.164 or + Numbering as DN Addressing – Benefit: compliance with the Jabber phone numbers in the contact list • Use 8 + 7 digit dialplan for inter-site calling – Benefit: use a normalized approach for inter-site calls • Use XXXX for intra-site – Benefit: allow for intra-site abbreviated dialing for intra-site • Implement translation patterns/transformation patterns for abbreviated dialing and maintain caller ID consistency • SIP URI alias for all endpoints and users • Non-DID offices will be addressed by using 8 + 7 digit dial plan • ILS and GDPR in multi-cluster deployments or 3rd party integration

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 32 TP Calling Search Space (CSS) Inheritance “split personality” Translation Patterns • NormalizationCSSs translation patternsPartitions use the activatingRoute Lists CSS forRoute secondary Groups

lookup DN SJCInternational All IP Phone DNs (+E.164)

UStoE164 9011.!, Urgent, Pre-Dot, Prefix + 9011.!#, Urgent, Pre-Dot, Prefix + 9.1[2-9]XX[2-9]XXXXXX, XYZ RG Pre-Dot, Prefix +

PSTNInternational USPSTNNational Local Route LOC RL Group

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 33 TP CSS Inheritance “split personality” Translation Patterns CSSs Route Lists Route Groups • Normalization translation patternsPartitions use the activating CSS for secondary lookup DN SJCInternational All IP Phone DNs (+E.164) • A secondary lookup CSS following the activating CSS allows for re-use of

normalization UStoE164 9011.!, Urgent, Pre-Dot, Prefix + 9011.!#, Urgent, Pre-Dot, Prefix + 9.1[2-9]XX[2-9]XXXXXX, XYZ RG Pre-Dot, Prefix +

PSTNInternational SJCNational Local USPSTNNational Route LOC RL Group

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 34 TP CSS Inheritance “CSS Inheritance” forces digit analysis to go back to the activating CSS after CSSs Partitions Route Lists Route Groups •performing“split personality” the calling/called Translation party Patterns transformations defined on the translation pattern DN SJCInternational All IP Phone DNs (+E.164) Translation Pattern using CSS inheritance: secondary lookup uses activating CSS UStoE164 9011.!, Urgent, Pre-Dot, Prefix + Translation Patterns can be re-used 9011.!#, Urgent, Pre-Dot, Prefix + 9.1[2-9]XX[2-9]XXXXXX, Pre-Dot, Prefix + XYZ RG

SJCNational PSTNInternational USPSTNNational Local Route LOC RL Group

• New translation pattern attribute (“Use Originator's Calling Search Space”)

CSS is empty!

• W/o CSS Inheritance: dialing • W/ CSS Inheritance: dialing normalization patterns per CoS normalization re-used (and site)

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 37 Numbering Plan and Alias Cautions and Caveats • CUCM is a DN based system, even if you configure an alias • An alias is just an alias to a DN, you cant have one without the other • All DNs are converted to alias as well – Users can dial a SIP alias of [email protected] or [email protected] ([email protected]) • Alias and DNs can be published or restricted to ILS • Plan for scale with your dial plan, a little planning goes a long way as new technology and systems are integrated

Video Conferencing

Interoperabilit Audio y Conferencing

Web Customization Recording Conferencing

Enjoy One Consistent Meeting Experience From: . Standards-based video endpoint . Smartphone or laptop with Cisco Jabber . Browser with WebRTC . Cisco Meeting App for PC, Mac or mobile . Skype for Business

Video Conferencing Audio Conferencing Web Conferencing

. Attend meetings on the move; . Feel as though you are really . Reduce complexity with a join from your browser as user or there with high quality video solution that integrates with your guest experiences existing dial plan . Fully participate with audio, . Make meetings more enjoyable . Give your users more flexibility video, content sharing, and with consistent experience on with: controls room, desktop, and mobile ‒ Multiple ways to join . No plug-in with WebRTC devices ‒ Customizable DTMF controls . Make the experience work for compatible browsers ‒ Interactive voice response (IVR) you with flexible layouts and . Maintain security with guest controls access PIN or user login

. Virtual rooms for audio, video, and web . Unlimited spaces: as many as you want, for each project, and team . Always available . Follows your workflow . Connect with any device

• Personal meetings: • Invite others to your personal meeting using your own join details • With Spaces – users are in control • Schedule meetings: • Leverage Cisco TelePresence Management Suite (including Microsoft Outlook integration) • One-Button-to-Push support • Ad hoc with UCM • Easily escalate your 1:1 calls to include more people

. Cisco TelePresence Management (TMS) Suite . Scheduling using Outlook, HTML Smart Scheduler, by helpdesk, or booking API . One Button to Push (OBTP) with Cisco video endpoints to easily join meetings . OBTP with Skype for Business Outlook plug- in with Meeting Server Dual Home solution . Co-exist with TelePresence Server & MCU

Recording Indicator . Record your meetings for later viewing . Integrated Record button, or automatic recording on meeting start, or triggered via DTMF; administrator defined . Store on Network File System (NFS) . MP4 file format . Direct Integration with VBrick REV for portal playback, speech to text, and other playback options.

Cisco is Ending support of the Meeting app for Dekstop, IOS, and Android. • With the inclusion of WebRTC across most standard Web Browsers- Safari, Firefox, Chrome and Edge, WebRTC is the move forward plans for Mobile and Desktop Meeting support with Audio and Video. • WebRTC is now the Preferred and long term model for support on Mobile and Desktop Devices.

Layout Families

Active Speaker Overlay onePlusN Equal NxN onePlusN and Equal layouts dynamically scale as more participants join

Customize • Backdrop image onePlus5 onePlus7 onePlus7 • On screen text • Audio Prompts

Active Speaker Overlay

Equal: 2x2, 3x3, 4x4, 5x5 onePlusN: N=5, 7 or 9

Key Features: . Seamlessly connects Skype for Business with other video systems . Skype video, audio, and content sharing . NEW - Schedule conferences from S4B with OBTP* . Bidirectional content sharing (RDP) . Direct Federation (including O365) . Integration Modes . Gateway, Spaces, Dual Home

. Gateway: Allows calling between room endpoints and Lync/Skype for Business

. Spaces: Room endpoints and Lync/Skype for Business users all connect on Cisco Meeting Server for best experience & content sharing

. Dual Home Conferencing: Room endpoints connect on Meeting Server with connection to Lync/Skype for Business meetings as full- featured participants (video, audio, & content)

. Direct federation with Office 365

Dial Conference Dial Conference Address Address LYNC LYNC

Cisco Meeting Server Lync/Skype Skype for Front End Business

Standards Based Video Systems Lync/Skype Clients

. For Customers using Skype for Business as primary IM, video & voice PC client

. Users schedule meetings using Outlook no change to current work flow for everyone

. Dual Home Conferencing: Room endpoints connect on Meeting Server with connection to Lync/Skype for Business meetings as full-featured participants (video, audio, & content)

. OBTP from Cisco endpoints into meeting

OBTP to Conference ID Dual Home Connection Click to Join LYNC LYNC

Video Systems Cisco Meeting Server Lync Server AVMCU Skype for Business

. Initiate every meeting using the Skype for Business . Users are seen both on video endpoint or Skype for B. Outlook plug-in without change in process . Shared roster . Join using OBTP or via IVR from video or audio only . Meeting Server can send both RTV and H.264 SVC endpoints streams to the AVMCU

Cisco Endpoints Skype for Business

Dual Home Connection

. Cisco Meeting Server provides a powerful (RESTful) API to enable customers to integrate and customize the meeting experience . Use the API to customize: - Server branding - WebRTC experience - Dialing rules - DTMF for meeting controls - Creation of outbound SIP calls to users - Advanced Meeting Scenarios

Migrate From Cisco Meeting Server

CUWL Pro (with Personal Multiparty) CUWL Meetings (with Personal Shared Multiparty Multiparty Plus)/ Shared Multiparty Plus

TelePresence Server Screen Licenses Shared Multiparty Plus MCU Port Licenses

Acano Capacity Units / Perpetual User Personal / Shared Multiparty Plus

TP Multiparty EA Multiparty Add-on

• Migrations require current support contract & purchase of new contract • See migration guide for specific for details on SKUs, pricing etc

. Key Features: ‒ Preserve the user experience as meetings scale seamlessly across servers in different locations ‒ Each user is connected to their local server; bandwidth is optimized between servers ‒ Servers can be deployed in redundant configurations . Key Benefits: ‒ Provide all users with their own virtual meeting space ‒ Optimal user experience and simplified management of meetings ‒ Video bandwidth savings ‒ Enhanced resilience

APAC North Features America . Co-location redundancy CMS CMS

. Different location redundancy CMS CMS . Up to 8 call bridge servers per cluster

APAC1 APAC2 NA1 NA2 NA3 NA4

APAC North EMEA Features 1.5 Mbps x 1 America 1.5 Mbps x 1 Max 4 PIP Max 4 PIP . Ability to add servers with increased CMS CMS CMS meeting usage CMS CMS CMS . Multiparty Licensing allows for deploying as many servers as needed . Resource management APAC1 APAC2 NA1 NA2 NA3 NA4 EMEA1 EMEA2 EMEA3 1.5 Mbps x 2 1.5 Mbps x 4 1.5 Mbps x 3 . Efficient bandwidth utilization in meetings across sites

APAC North EMEA Features 1.5 Mbps x 1 America 1.5 Mbps x 1 Max 4 PIP Max 4 PIP . Server resource geographical CMS CMS CMS

distribution CMS CMS CMS . Preservation of meeting experience while saving WAN bandwidth

. Flexible license management across APAC1 APAC2 NA1 NA2 NA3 NA4 EMEA1 EMEA2 EMEA3

all servers 1.5 Mbps x 2 1.5 Mbps x 4 1.5 Mbps x 3 [email protected]

NA1 EMEA3 NA2

APAC1 NA2 AMEA1 AMEA2 APAC1 NA2 AMEA1 AMEA2 APAC1 NA2 APAC2 NA4

. Create a great presentation device . Share content wirelessly or by cable* . Use both screens of a dual-screen system to share and compare content when outside of a call

Supported on Room Kits only Note: 4K@30fps requires an HDMI 1.4 cable

TMS Conference Control Center

. Integrated in TMS . MCU and TS only . Windows and Java based

Cisco Meeting Management

. Built on same platform as CMS . Future proof for adding more services . CMS only

. Manage active Cisco Meeting Server meetings for white glove operator Executive Sample Meeting services . Future releases to include configuration services and CMS cluster dashboard . Simplify the deployment with easy to use tools . Use with Cisco TMS for scheduling and endpoint management . CMM is included with existing CMS licensing

Meeting Management In-conference controls • See list of active or recent meetings • Meeting details • Search by meeting title or individual • List of participants in a meeting participant • Change layout for all participants in a • Pin meeting at top of the list meeting • Access controls and see details for Cisco Meeting Server management individual participants • See connected Cisco Meeting Servers • View and download event log for a • Add and remove Call Bridge nodes or meeting clusters • Start and stop recording and streaming

Notifications and logs

Single instance of Meeting Management can manage deployments from single Call Bridge to multiple Call Bridge Clusters

NTP servers synchronize Meeting Servers and Meeting Management instances

User access is authenticated via LDAP

External syslog server for system and audit logs

Meeting Manager does not require any specific configuration on UCM clusters or Expressway/VCS environment

TMS CMM • Scheduling • White glove tool • Endpoint Management (Meeting Manager)

Schedule meetings using Monitor and manage ongoing TMS. OBTP to endpoints. meetings using Meeting Management.

NOTE: Information is not exchanged between Meeting Management and TMS in CMM 1.0. Planned for future release.

• LDAP user synchronization

• Single Inbox

• Partner-based Integrations • Google Mail, Domino, etc… • PIMG/TIMG Integrations

• VPIM Support

• Multiple phone systems supported simultaneously • Cisco UCM-SME allows for centralized deployment

• Rest-Based APIs allow for custom development

• Secure Messaging • No chance of forwarding a secure voice message • Securely streamed from Connection appliance (Message never leaves Connection)

• Secure Delete

• SE Linux enabled

• Disaster Recovery with Full data backup and restore

• Federal Information Processing Standards (FIPS) • Version 11.5(1) Incorporates FIPS Compliant Libraries

• Joint Interoperability Test Command (JITC) certification • Version 11.5 (1) JITC Certified and on APL

• Up to 20,000 users and 250 ports per server

• Active/Active Redundancy over LAN/MAN/WAN (up to 500 ports)

• 100,000 users across 20 digitally networked nodes

• VPIM Networking (100 locations, 100,000 users/contacts) • Blind addressing doesn’t count against contacts

Guaranteed bandwidth with no steady-state congestion: –For 50 voice messaging ports on each server—7 Mbps For more than 2000 users and/or more than 80 –For 100 voice messaging ports on each server—14 Mbps milliseconds of latency, see Design Guide. –For 150 voice messaging ports on each server—21 Mbps –For 200 voice messaging ports on each server—28 Mbps –For 250 voice messaging ports on each server—35 Mbps Exchange Network Exchange Unity Connection Mailbox Server Active/Active Cluster

Bandwidth/Latency CUCM Cluster

CUCM Cluster

WAN Main Office or Primary DC Branch Office or DR DC

Clustering over the WAN with Single Inbox Guaranteed bandwidth with no steady-state congestion: doubles the bandwidth requirements if –For 50 voice messaging ports on each server—14 Mbps Exchange is only accessible over the WAN –For 100 voice messaging ports on each server—28 Mbps connection –For 150 voice messaging ports on each server—42 Mbps –For 200 voice messaging ports on each server—56 Mbps –For 250 voice messaging ports on each server—70 Mbps Exchange Network Unity Connection Unity Connection 1/2 2/2

Bandwidth/Latency CUCM Cluster

CUCM Cluster

WAN Main Office or Primary DC Branch Office or DR DC

• Synchronization with users in Active Directory 2008/2012/2016 11.5(1), 12.X Active/Active Cluster • No schema extensions necessary Server Pair • One-way synch of user data from LDAP (read only) • Distribution Lists and Contacts not supported

• Up to 20K users can be synchronized and authenticated Active Directory per server/cluster 2008/2012/2016 • Filters supported per synchronization agreement Stand-alone Server • Directory integrated users, standalone users, and CUCM AXL users can co-exist on Unity Connection server

• Standalone and AXL users can be converted to directory integrated users Active Directory 2008/2012/2016 • LDAP/AD Synchronization is NOT required

Up to 250 Ports Up to 250 Ports

Heartbeats

Database

Primary Secondary Messages

Security and Certificates

Up to 20,000 Users

Access to all User Interfaces (TUI, VUI, IMAP, Admin, etc…)

• Supports Exchange 2016, 2010, 2007 and 2003

• Microsoft BPOS-D and Office 365 (8000 supported 11.5.(1))

• Google Mail via Donoma Software

• Domino integrations • Intelligent Notifications (Unity Connection 9.0 and later) • Donoma Unify (Partner Solution) • Esnatech CloudLink (Partner Solution)

• With every new CUCM and BE6000/7000 starting with 9.1, the Informacast Paging Software OVA is included with all shipments.

• Existing customers on CUCM 8.X and newer will be able to download Informacast Paging Features from the CCO access with a valid ESW Contract.

• ISO includes OVA for VM Deployment and production documentation as well.

• Fully supported as a Co-Resident virtual server alongside other Cisco approved voice applications.

• Limited functionality included in the basic licensing model. Advanced notification licensing can be purchased to un-lock the full features of Informacast.

• 60-Day trial of Advanced notification is available to determine if it’s a need for the environment.

• Basic Paging – Free Not Licensed

• Point to Point and Group Live Audio Paging to/from Cisco Phones

• Unlimited Group/Zones of endpoints as configured by admin

• Maximum of 50 endpoint devices per group

• Paging between sites is supported (Multicast over WAN)

• Advanced Notification- Optional and Licensed

• Pre-Recorded/Scheduled Broadcasts (bells, shift changes)

• Notification to Jabber (XMPP)

• Notification to Social Media

• Communication with mobile and remote users

• Triggered notification to/from other systems – M2M input/output (panic buttons, door locks, lights, etc.)

• Integration with existing overhead paging systems

• Text and Audio to Cisco IP Phones and other endpoints

• Broadcast to IP Speakers

• Advanced Notification- Additional Components

• Legacy paging integration with existing overhead paging systems

• 911/Emergency call monitoring/alerting/recording

• Weather and CAP Based Alerts

• Dynamically-triggered conference calls

• Notifications to desktop and Digital Signage

• Two methods of Page #1 Group communication – CTI and A Page #2 SIP Multicast Enabled Group B • Services required for backend connectivity – Virtualized Deployment Model- 1 VM per App SNMP and AXL Unity Paging UPM CCX IM&P VCS Plus other CXN Apps.. CUCM SIP Trunk • Phones require the or CTI Comm.

following features – HTTP AXL/ SNMP (web server) and RTP Multiple Apps can run co-res depending on virtualized server platform (BE6K, UC on (Multicast) UCS, etc.) Multicast Enabled Paging Originator

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 84 On-Premise – IP Speakers Direct Support in Informacast • Speakers must be supported in Informacast • Manufacturers included Atlas Sound, Advanced Network Devices, Cyberdata, and Valcom, Algo.

• There are many styles/models of Speakers • Most are POE based, Single connection and require Class 3 Power over Ethernet • Some are One-Way, Some are Two-Way and some support dual registration with CUCM as a SIP endpoint for direct calling (Enhanced User connect license needed) • Outdoor, Indoor, Indoor with Display, Indoor with Display and Strobe, Ceiling Tile • More Information: IP Speaker Information

• Connect to existing Amplifiers with a Zone controller, which provides a line level output to existing over head speakers.

• Singlewire Mobile notifications, subscription based

• Additional SMS and Phone dial out notifications via Cloud based options

• Notify users desktops, notify them via Jabber IM, or Webex

• Link to digital signage

Rich, Real-time Collaboration with Cisco Jabber® Platform

All-in-one UC application Collaborate from any workspace . Presence and IM . PC, Mac, tablet, and smartphone . Voice, video, and voice messaging . On-premises and cloud . Desktop sharing and conferencing . Integration with 3rd party productivity tools

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 88 Jabber Chat Phone Mode Remote Access Multi-line Single Number Android Auto Bots SDK with Contacts Policy (MRA) Reach Support

Import Local UX Additional Biometric Jabber Softphone Outlook Calendar contacts (Mac) Enhancements Emoji Authentication for VDI integration (Mac)

Wireless Location Schedule Meeting HCS SNI New Device & New Headset Other Awareness (Windows) Support OS Support Support Enhancements

• Jabber provides multiple features leveraging relationships with apple

Apple iOS10 Call-Kit Provides application integration API for calling functions

Apple iOS10 Siri-Kit Provides application integration API for voice control

Apple/Cisco Fast Lane Provides enhanced QoS functionality with Apple

Cisco AnyConnect Cisco® Unified Communications Manager and . Layer 3 VPN solution Applications . Secures entire device and its contents Cisco . Allows users access to any AnyConnect® permitted applications and data VPN and/or… Cisco Expressway

. Session-based firewall traversal Cisco . Allows access to collaboration Expressway applications only through TLS . Personal data not routed through enterprise network

• Users should never be prompted for configuration information!!!

• Service discovery allows Jabber to discover service configuration and operating location using DNS SRV records, Webex Cloud and UC Manager UDS services

Remember: CUP_LOGIN retired with Jabber 11.5

When planning a Jabber deployment, domain configuration can be confusing. DNS Domains User Address Domains Service “Discovery Domain” Voice/Video Domain (SIP) Voice_Service “Discovery Domain” Presence Domain (XMPP)

UC Manager DNS domain Email Domain (SMTP) Expressway DNS domain Directory Domain (i.e. AD)

DNS SRV lookup _cisco- Inside firewall DMZ Outside firewall uds._tcp.example.com (Intranet) (Public Internet) ✗ Not Found

Collaboration DNS SRV lookup _collab- Services Public DNS edge._tls.example.com Unified CM Expressway Expressway expwyNYC.example.com C E ✓

TLS Handshake, trusted certificate verification HTTPS: get_edge_config?service_name=_cisco- uds&service_name=_cuplogin

Services Domain

Edge Domain

UPN from AD can be used to seed Service_domain search

Enhanced Diagnostics tool now provides support for contact sources testing

Ctrl-Shift-D Show Diagnostics Ctrl-Shift-C Show Contacts tool

Configuration Diagnostics tool now available on Mac Client

Note: Contacts tool only available on windows

IM/Chat APNs support Cisco Expressway (or Cisco VCS) X8.9.1 Available Unified CM & IM&P 11.5(1) SU2 Available Cisco Jabber for iPhone and iPad 11.8 MR Available

Voice APNs support Cisco Expressway (or Cisco VCS) X8.10.1 Available Unified CM 11.5(1) SU3 Available Cisco Jabber for iPhone and iPad 11.9 Available

Expressway Forward Proxy APNs support NEW Cisco Expressway (or Cisco VCS) X8.11 Targeting Q2 CY18 11.5(1) SU4 Available Unified CM & IM&P 12.5(1) Targeting 2H CY18

• Cisco Prime Collaboration Provisioning • Single point of Move/Add/Change Mechanism • LDAP is Required • Single pane of Glass and Multi-Levels of Administration (Help-Desk) • Template and Service Area Based • Start with Prime Provisioning, overlay on existing system can take more time • Auto-Provisioning from LDAP, User Portal • Virtual Server, with mutltiple sizing based. Linux based deployments

• Cisco Prime Collaboration Assurance and Analytics

• Prime Collaboration Assurance • The former “Operations Manager and Service Monitor” • Assurance for one Cluster is included with all CUCM 10.X and above deployments • Analytics is a cost per “device” • Red light/Green light view of the voice and network portion • Great intermediary between the CUCM and a overall management platform.

• Prime Collaboration Analytics • Call quality and MOS score tool • Can actively provide analytics during call (1040 probe required)

• Cisco TMS • Video Management and booking engine • Manage VCS/Expressway Health, Call Records, Issue management • Manage Endpoints, booking of Endpoints, booking of Bridging resources • Live View of conferencing resources, ability to add/remove users in a live conference • Multiple Extensions to enable Exchange resources booking, API integration, Provisioning for Endpoints/Jabber for Telepresence (MOVI). Third party bridging and endpoint support available as well (check the compatibility matrix) • Start with Prime Provisioning, overlay on existing system can take more time • Auto-Provisioning from LDAP, User Portal for simple scheduling. • WebEx CMR and CMR-Hybrid booking mechanism

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 102 Collaboration Edge Expressway Cisco Collaboration Edge Value Proposition Work anywhere  with anyone  on any device  using any workload  delivered from anywhere

Inside the Outside the organization organization

Intelligent Collaboration Ecosystem Increased Connect to productivity with customers, a connected partners, and community businesses

Unified Simplified view Communications Services

Hybrid Connectors

UCM

Business to Business (B2B)

Cisco Meeting Server (op tional) Other Companies Cisco EXPWY-E B2B (Stds, MS, O365) Collaboration 1St & 3rd Cloud Integration Cisco Cloud

(Cisco, Polycom, Lifesize, DMZ Internet Avaya, SfB) SIP or H.323 EXPWY-C

3rd party Interop via Cloud CMR Mobile Remote Access (MRA) (SfB, Polycom, JabberGuest CMS WebRTC Lifesize, Avaya)

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 106 Fixed Endpoint Support On Cisco Expressway Available Today Spark Room Kit, Spark Room Kit, Spark Room Kit Plus Spark Room Kit Plus

Internal Network DMZ External Network

DX70, DX80 DX70, DX80 Internet

Expressway-C Expressway-E MX, SX, EX, C Series MX, SX, EX, C Series TelePresence Endpoints TelePresence Endpoints

Spark Room Kit, Spark Room Kit Plus, MX, SE, EX and C Series can also be registered directly to Cisco Expressway

Spec-based Appliance Support Virtual Machine Support EXPRESSWAY 1200

OVA Size vCPU Reserved Disk NIC(s) RAM Space Small 2 x 1.8 4GB 132GB 1Gb (BE6K only) GHz Medium 2 x 2.4 6GB 132GB 1Gb • Appliance based on UCS C220 M5 GHz • Bare metal – no hypervisor Large 8 x 3.2 8GB 132GB 10Gb • Solution for customers with security policies that do GHz not allow VMware in the DMZ • Expressway application preloaded with licenses • Expressway Appliance SKUs EXPWY-1200-K9

Server Cluster

MRA Audio Only MRA Audio Only Platform Registration Video Calls Video Calls Calls Registrations Calls s Large OVA, CE1100 2,500 500 1,000 10,000 2,000 4,000 (10Gbps NIC) Medium OVA, CE1100 (w/o 2,500 100 200 10,000 400 800 10Gbps NIC) Small OVA 2,500 100 200 2,500 100 200 (BE6000)

New X8.10 will allow for large-scale capacity on Large OVA and EXPWY1200 with only 1Gbps NIC

• Cluster Expressways for scale and redundancy

• Expressway clusters support up to 6 peers (RTT – 30ms)

• Expressway-C and -E node types cannot be mixed in the same cluster

• Deploy equal number of peers in Expressway-C and -E clusters (applies to most Expressway deployments but not critical if Expressway handles New local registrations)

• Deploy same OVA sizes or appliances throughout cluster

• Customers can deploy multiple clusters for the same domain

Use Case: Mobile / Teleworker Access visual voicemail

Inside firewall DMZ Outside firewall (Intranet) (Public Internet)

Collaboration Internet Instant Message Services and Presence

CUCM Expressway Expressway Core Edge Make voice and video calls

Launch WebEx Share content Search corporate directory

DNS SRV lookup _cisco- Inside firewall DMZ Outside firewall uds._tcp.example.com (Intranet) (Public Internet) ✗ Not Found

Collaboration DNS SRV lookup _collab- Services Public DNS edge._tls.example.com Unified CM Expressway Expressway expwyNYC.example.com C E ✓

TLS Handshake, trusted certificate verification HTTPS: get_edge_config?service_name=_cisco- uds&service_name=_cuplogin

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 113 Jabber MRA via Expressway AnyConnect comparison Cisco AnyConnect • Layer 3 VPN solution • Secures entire device and its contents Cisco Unified CM • Requires AnyConnect license & Applications • Allows users access to any permitted applications & data Cisco AnyConnect® VPN Cisco Expressway • Session-based firewall traversal • Allows access to collaboration applications only through TLS Cisco • Personal data not routed through Expressway enterprise network • No additional cost • Better user experience than VPN

Internal Network DMZ External Network DX650, DX70, DX80

Internet MX, SX, EX, C Series UCM Expressway-C Expressway-E TelePresence Endpoints

New! 12.1.1 require 8811, 8841, 8845, 8851, 8861, 8865 d 7832 & 8832 7811, 7821, 7841, 7861

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 115 Expressway-E certificate requirements DX, 78XX, 88XX specific requirements • Trust model based on broadly trusted Public Certificate Authorities DX650, DX70, DX80

• Endpoint firmware includes 135 trusted public root CA certificates

• No option to import and trust other root CA certificates on these endpoints 8811, 8841, 8851, 8861 • Expressway-E certificate needs to be signed by trusted public CA

7821, 7841, 7861

Cisco.com Example.com

Call sent to server1.cisco.com

Call sent to serverA.example.com

_sip._tcp.cisco.com IN SRV 10 1 5060 server1.cisco.com .SIP, H.323 service IN SRV 50 1 5060 .TCP or UDP protocol server2.cisco.com _sip._udp.cisco.com IN SRV 10 5 5060 server1.cisco.com .Multiple servers in record provide redundancy IN SRV 10 1 5060 .DNS SRV records use priority, weight for load server2.cisco.com balancing server1.cisco.com IN A 10.10.10.1 .DNS server needs to be highly available server2.cisco.com INPriority A 10.10.10.2 Weight .SIP Options ping for reachability

Enterprise Network DMZ Outside Network

Unified Internet CM Firewall Expressway Firewall Expressway Signalling C E Keep-alive Media 1. Expressway-E is the traversal server installed in DMZ. Expressway-C is the traversal client installed inside the enterprise network

2. Expressway-C initiates traversal connections outbound through the firewall to specific ports on Expressway-E with secure login credentials

3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E to maintain the connection

4. When Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C

5. Expressway-C then routes the call to Unified CM to reach the called user or endpoint The call is established and media traverses the firewall securely over an existing traversal connection

Enterprise Network DMZ Outside Network

2. Expressway-C initiates traversal connections outbound through the firewall to specific ports on Expressway-E with secure login credentials

3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E to maintain the connection

4. When an endpoint behind Unified CM places a SIP URI call to a domain unknown by the Unified CM dial plan, the call is routed to the Expressway-C

5. Expressway-C then routes the call to Expressway-E to reach the called user or endpoint The call is established and media traverses the firewall securely over an existing traversal connection

Does whole URI Does RHS Does whole URI no match one in the no no match a no Is LHS numeric? match one in Block call CSS and URI SIP Route ILS? table? Pattern?

yes yes yes yes No match

Route using SIP Route based on Route/block route patterns RHS to based on Offer call based on routing Expressway C existing numeric string provided rules by ILS (see next slide) Note: Assume only [email protected] is in URI table, Fallback for alpha-URIs not 1) alice@CUCM IP address will not route. 2) alice@CFQDN will not route local and not found in ILS! e.g. default routing user @ example.org

left-hand-side (LHS) right-hand-side (RHS)

DMZ

Unified CM EXPCTRUNK Internet

Expressway Firewall Expressway Firewall Public H.323 Endpoint C E 126.126.126.126

1. User srogers dials the SIP URI 126.126.126.126@ip (RHS can be any keyword) DN:\+14085552001 2. Matches Unified CM SIP Route Pattern of * and routes to EXPCTRUNK device. [email protected] 3. Expressway C matches the URI with pre-search transform that strips the RHS @ip and forwards the call to Expressway E. 4. Expressway E matches identifies the destination as an IP address and forwards to the IP Address Zone and sends the call to the destination IP of 126.126.126.126.

Internal Network DMZ External Network

Internet

Expressway-C Expressway-E

H.323 Gatekeeper & SIP Registrar providing standards- based interop and video support for Cisco & 3rd party endpoints SIP signaling H.323 Signaling

• Beginning with X8.11 Expressway-E will support local SIP and H.323 video registration • Expressway-E no longer required to proxy SIP registrations • Allows for remote H.323 registrations

• Local SIP and H.323 registrations allowed on Expressway-C since X8.9

• UCL Enhanced License enables SIP Desktop Endpoints (DX70/80, EX60/90)

• TP Room System License required for all other systems including 3rd party and H.323

• Same option keys (Room System, Desktop System) used on both Expressway C & E

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 124 Jabber IM&P Federation with Expressway Now extending to organizations using Microsoft CMS is always recommended for integration with S4B Microsoft ® Office 365

Organizations with Skype™ for Internal Network DMZ External Network Business on premises

Internet WebEx Expressway-C Expressway-E IM&P Messenger Cloud

XMPP Standards Organizations SIP based XMPP service with Cisco Collab

Cisco Collaboration Cloud Message | Meeting | Call Hybrid Call Service • Room System Integration

Hybrid Calendar Service

Existing Services Hybrid Directory Service

Creating unique value by connecting on-premises and cloud services.

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 127 Deployment Guide: http://www.cisco.com/c/dam/en/us/td/docs/solutions/PA/maroon/hybridswp.pdf HTTPS CTI/AXL SIP Architecture SIP and API control Hybrid Services DMZ

Unified CM Expressway-C Expressway-E

Internet

New

Hybrid Service TMS CMS Expressway-C • Management Connector • Calendar Connector • Call Connector Minimum Exchange Minimum Cisco UCM Requirements: Requirements: Minimum Expressway . Exchange 2010 SP3 / 2013 / . For Unified CM 10.5(2)SU3 Requirements: 2016/O365 . For HCS 10.6.X . Version 8.8 or later . @WebEx requires T31+ & PMR

Hybrid Directory Service - This service allows any WebEx customer to synchronize their current Active Directory with the Cisco Collaboration Cloud. This makes onboarding users to the Cisco Collaboration Cloud simple and consistent.

Ad Users: Ben Expressway - C WebEx Users: Katie Ben Melissa Katie Import Users Directory Connector Melissa installed on Windows Domain Server.

Directory Connector installed on Windows Domain Server (2003,2008 R2 or 2012, 2012 R2) with administrator user privileges

Call Service Connect – integrates cloud registered room systems with premise based CUCM systems to allow inbound and outbound calling to and from cloud registered shared video systems

Calling Conference Room1

Conference Room 1

PSTN / ISDN

Katie

• Each UCM cluster needs to be provisioned on Call Connector

• UCM needs User an application user with: • Standard AXL API Access • Standard CTI Allow Control of All Devices • Standard CTI Enabled • Standard CTI Allow Control of Phones supporting Connected Xfer and conf • Standard CTI Allow Control of Phones supporting Rollover Mode

• Every device must have a directory URI Webex RD provisioned • CFQDN has to be set to a unique value automatically using single Device Pool, Location, Calling Search • Manual or Automatic Provisioning of Spark RD Space, Rerouting CSS • Remote Destinations always provisioned

Hybrid Calendar Service: This service allows any WebEx customer to enable scheduling of WebEx meetings with an automatically created and associated Cisco Spark space. By adding @Spark to the location field of the Exchange appointment, all attendees of the appointment are automatically added to the Cisco Spark space. With @WebEx in the location field, the details of the WebEx personal meeting room of the inviting user are automatically added to the invitation sent for the appointment.

@webex Organizer’s Personal Room in Webex @spark Meeting information in the New virtual room Webex team space Meeting information in the calendar invite

Problem Internal • 1:1 meetings use a cloud resource to meet

• Multiparty meetings use a cloud resource to meet WebEx Teams App • Signaling and media go to and from the cloud 2 MB

• Increased bandwidth requirement for the Internet with adoption of Cisco Spark Meetings 2 MB WebEx Room Device Internet

2 MB Solution WebEx Teams App

Cisco Hybrid Media Service WebEx Teams AppWebEx Teams App

• A little of our cloud on your premises

• Cisco cloud basic meeting capabilities packaged in an OVA for on premise deployment

Video Mesh Node • Ability for any paid WebEx Teams customer to provide local media processing on the enterprise network.

• Customers can deploy media nodes across multiple locations, optimizing media quality within a location and Corporate Network bandwidth across locations

• Automatic overflow from on-premise media node to cloud nodes

• Automatic upgrades of media nodes (upgrade window)

• Single pane of glass for management, resource Hybrid Media Node Hybrid Media Node monitoring and usage metrics

Corporate Network Hybrid Media Node Cascade Link Cisco Collaboration Cloud

Overflow: Cisco WebEx standards based registered devices SIP endpoints and and WebEx Teams Cisco WebEx, standards based app WebEx Teams app, SIP clients or Skype for Business

On-premise registered Cisco and 3rd-party Cisco WebEx registered Overflow: Cisco WebEx registered standards based SIP endpoints and standards devices, and any devices, WebEx Teams app based SIP clients standard based SIP/H.323 endpoints TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 135 HTTPS

SIPCTI/AXL

SIP and API control Architecture DMZ Hybrid Services Unified CM Expressway-C Expressway-E

Internet

Hybrid Service TMS CMS Expressway-C

Video Mesh Node Video Mesh Node

Expressway-C Expressway-E Cisco Multiparty Media410v server • 46vCPUs • 60GB main memory Internet • 250GB local hard disk space

Cisco Meeting Server 1000 • 70vCPUs • 60GB main memory

• 250GB local hard disk space Hybrid Service Expressway-C Specifications-based Configuration: • 46vCPUs • 60GB main memory OR • 250GB local hard disk space Video Mesh Node Video Mesh Node • 2.6GHz Intel Xeon E52600v3 or later processor • VMware ESXi 6 and vSphere 6 or later TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 137 Cisco Webex Hybrid Media Service New functionality

Corporate Network Video Mesh Node Cascade Link Cisco Collaboration Cloud

Overflow: Standards Cisco WebEx based SIP endpoints registered devices Cisco WebEx, and standards based and WebEx Teams WebEx Teams app, SIP clients app or Skype for Business

Cisco WebEx On-premise registered Cisco and 3rd-party registered devices, Overflow: Cisco WebEx standards based SIP endpoints and and any standard registered devices, WebEx standards based SIP clients based SIP/H.323 Teams app endpoints

Cisco Spark only Standard based SIP endpoints and Cisco Spark app/devices

(720p | 1080p) (720p | 1080p) MM410v (Full version) 100 | 75 65 | 48

CMS 1000 (Full version) 100 | 75 80 | 60

Demo version 10 | 5 10 | 5

If all the meetings hosted on a given Video Mesh Node have only WebEx Team apps and WebEx registered devices, then the server can scale up to 100 participants at 720p. If all meetings have a mix of WebEx Teams app and SIP participants, then the scale goes up to 80 participants for the CMS 1000 server and 65 participants for the MM410v server.

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 139 Webex Edge Cisco Webex Edge Audio Architecture requirements Unified CM support only • 10.5 or later Webex Edge Cisco UCM registered IP phones Cisco Audio • Supporting G.711 or G.722 Unified Meetin CM Z g Expressway support only

Expressway C/E • X8.10 or later • Can use existing Expressway C/E deployment • Audio scale dependent on Expressway deployment and services enabled.

IP Webex site Phone • WBS 33.x or higher Customer • Included in Flex, A-WBX and A-SPK SKU need Signaling the Webex Edge Audio package Premises Media Path • Not available on CCA-SP, CCA-ENT or TSP sites. • Requires migration to Webex Audio Site Version 1.1

Requires a signed certification from a Cisco trusted

Webex Edge Cisco Audio 1. Endpoint dials Webex Audio access 5 Unified Meetin number. g CM Z SIP Trunk 2. Cisco UCM matches the number and

2 3 4 routes as +E.164 through SIP trunk to Expressway C/E Expressway-C.

3. LUA script on SIP trunk to Expressway-C

1 Dials Webex Access Number applies transformations required for correct routing to Webex IP Phone 4. Expressway-C sends request to Expressway-E. Customer Signaling Premises 5. Expressway-E routes call to the Webex Media Path cloud.

6. Meeting resources are setup. Version 1.1

Webex Edge Cisco Audio 1. The IP phone sends media to Expressway- 4 Unified Meetin C g CM Z 2. The Expressway-C sends media to 2 3 Expressway-E via the traversal zone Expressway C/E 1 3. The Expressway-E sends media to the Webex cloud.

4. IP phone’s audio is mixed into the meeting IP and it hears the other participants. Phone

Customer Signaling Premises Media Path

Version 1.1

Webex Edge Webex Edge Audio Cisco Cisco Audio Unified Meetin Unified Meetin g g CM Z CM Z SIP Trunk

Expressway C/E Expressway C/E

IP IP PSTN Phone Phone PSTN GW

Customer Signaling Customer Signaling Premises Premises

User dials E.164 Webex Access number that does have an User dials E.164 Webex Access number that does not have an associated Edge Audio route pattern in Cisco UCM associated Edge Audio route pattern in Cisco UCM

Version 1.1

Webex Edge Webex Edge Audio Cisco Cisco Audio Unified Meetin Unified Meetin g g CM Z CM Z

Expressway C/E Expressway C/E

IP IP PSTN Phone Phone PSTN GW Customer Customer Premises Premises Media Path Media Path

Version 1.1

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 145 Deployment Scenarios Single Site Call Back – Edge Audio not configured US – off net Meetin g SIP PSTN Webex Edge +1.408.555.6713 Audio Cisco

Unified Intern CM Z et

Expressway C/E Call back made to +1.408.555.6713 HTTP to Webex

+1.408.555.4478IP Laptop PSTN GW Phone Client # • Expressway-E configuration in Webex for callback is disabled or inactive Customer • Routing utilizes Webex PSTN connectivity to reach the Premises phone number USA Signaling Media Path Version 1.1 TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 147 Call Back – Edge Audio not configured US – on net Meetin g SIP PSTN Webex Edge +1.408.555.6713 Audio Cisco

Unified Intern CM Z et

Expressway C/E Call back made to +1.408.555.4478 HTTP to Webex

+1.408.555.4478IP Laptop PSTN GW Phone Client # • Expressway-E configuration in Webex for callback is disabled or inactive Customer • Routing utilizes Webex PSTN connectivity to reach the Premises phone number USA Signaling Media Path Version 1.1 TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 148 Single site Call Back – Endpoint offline US Meetin g PSTN Webex Edge +1.408.555.6713 Audio Cisco

Unified Intern CM Z et

Expressway C/E Call back made to Unregistered +1.408.555.4478

+1.408.555.4478IP Laptop PSTN GW Phone Client # • IP Phone is unregistered to Cisco UCM • Cisco UCM reroutes the call based on configuration (call Customer forward unregistered) to a secondary number which is offnet Premises USA Signaling Media Path Version 1.1 TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 149 Single site with SME

Meetin g Webex Edge Audio Cisco Unified CM (SME) Intern Z SIP Trunk et

• Session Manager Edition is supported • +E.164 enterprise dial plan to route dial-in and call-back • Inter-cluster routing using ILS/GDPR • Apply LUA script on SME trunk for dial-in • Request and To: URI manipulation • Enterprise dial plan can support arbitrary dialing habits for dial-in • … as long as the number ultimately exposed to LUA Customer script is a valid +E.164 Webex dial-in number Premises USA Signaling Media Path Version 1.1 TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 150 Single Country Call Back – Multiple Expressways

Meetin Cisco Site 1 Webex Edge g Unified CM Audio

Z Intern et exp-amer1.example.com

WAN

Site 2 DNS SRV: Cisco Webex Edge _sips._tcp.edge-amer.example.com Unified CM Audio DNS SRV Records

_sips._tcp.edge-amer.example.com. 60 IN SRV 0 5 5062 exp-amer1.example.com. Z _sips._tcp.edge-amer.example.com. 60 IN SRV 0 5 5062 exp-amer2.example.com.

exp-amer2.example.com • Expressway-E is configured in Webex for callback • +1 is defined in Webex callback settings Laptop Call back made to Client On net IP phone • SRV records along with DNS configuration will determine Customer cluster routing or load balancing Premises Signaling USA Media Path Version 1.1 TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 151 Deployment Scenarios Multiple Sites Multisite Dial In PSTN Dials US and Germany +49.6196.773.9002 Germany Webex Access Number Meetin g Webex Edge Webex Edge Cisco Audio Audio Cisco Unified Unified CM CM Z Intern Z SIP Trunk SIP Trunk et

Expressway C/E Expressway C/E PSTN GW Dials Dials +1.408.525.6800 +49.6196.773.9002 US Webex Access Number Germany Webex Access Number IP IP Phone • Requires LUA script applied to the SIP trunk configuration Phone • Off Net participant uses PSTN to connect to Webex Customer • Media traverses Expressway C/E to the meeting for On net Customer Premises phones Premises USA Germany Signaling Media Path Version 1.1 TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 153 Multisite Dial In PSTN Dials US, Germany and UK +44.20.8824.0117 UK Webex Access Number Meetin g Webex Edge Webex Edge Cisco Audio Audio Cisco Unified Unified CM CM Z Intern Z SIP Trunk SIP Trunk et

Expressway C/E Expressway C/E PSTN GW Dials Dials +1.408.525.6800 +49.6196.773.9002 US Webex Access Number Germany Webex Access Number IP IP Phone • Requires LUA script applied to the SIP trunk configuration Phone • Off Net UK participant uses PSTN to connect to Webex Customer • Media traverses Expressway C/E to the meeting for On Customer Premises net phones Premises USA Germany Signaling Media Path Version 1.1 TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 154 Multisite Call Back PSTN Call back # US, Germany and UK +44.21.8824.6910

Meetin g Webex Edge Webex Edge Cisco Audio Audio Cisco Unified Unified CM CM Z Intern Z et

Expressway C/E Expressway C/E

Public DNS: PSTN GW

Call back # _sips._tcp.edge-amer.example.com. 60 IN SRV 0 5 5062 exp-amer.example.com. Call back # _sips._tcp.edge-emea.example.com. 60 IN SRV 0 5 5062 exp-emea.example.com. PST +1.408.555.4478 +49.6100.773.5678 N IP • One SRV domain per region IP Phone • One SRV record per Expressway-E associates Expressway-E to Phone region Customer • Global Callback enabled on Webex Customer Call back # • Webex routes call back calls to Expressway C/E then to the local +49.6100.773. Premises 8852 Premises Cisco UCM for on net numbers USA • Cisco UCM routes in country PSTN connection for unresolved in country Germany numbers. Local PSTN toll charges apply Signaling • Webex routes call to PSTN for out of country phones (UK) Media Path Version 1.1 TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 155 Webex Edge Connect Webex Edge Connect Brings the power of the Webex backbone directly to your data center

Webex Edge Connect

• A direct peering at Equinix data centers • Bypasses the Internet by providing a direct connection1 to the Webex data center • All Webex media traffic traverses the dedicated link providing end-to-end QoS. (VoIP, video, content sharing) • When used with Video Mesh provides a more secure end-to-end experience Webex Edge

(Future)

Colocation Cisco WebEx Locations

1. A cage and router in place at Equinix

2. A paid connection to the Equinix Cloud Exchange

3. Knowledge of BGP Routing Customer Equinix Cisco Webex 4. Public BGP Autonomous System Number Premises Cloud Exchange 5. Public provider independent IP block (ECX) • No RFC1918 addressing (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) • Customer may rent a /29 IP block from Equinix

6. Paid service to Cisco Webex

Equinix Network Details Cloud Exchange 1. Customer orders physical circuit to ECX fabric Layer 1 (1G/10G) 2. Customer provisions virtual circuit to Cisco WebEx using Layer 2 Equinix self-service portal (802.1q) AS13445 3. Customer completes WebEx Customer BGP network questionnaire Layer 3 Network (BGP) 4. Cisco enables BGP connection to the Customer to establish connectivity

Roles and Responsibilities

1. Layer 1 – Physical Connectivity Equinix responsibility:  Physical link provisioning (cross connects) 2. Layer 2 – Ethernet Connectivity  Virtual circuit monitoring reports & support

3. Layer 3 – IP connectivity Cisco responsibility:  Peering provisioning and support Version 1.1 TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 160 Cisco Webex Architecture ORD10-WXBB-CRT01 ORD10-WXBB-CRT02

• A customer setups up dual ORD10-WXBB-PE02 connections to Equinix for redundancy ORD10-WXBB-PE01

• Cisco Webex has redundant connection to Equinix at all colocations across the globe SE • BGP routing is used to route traffic PRI Intern C across the peering connection. et Equinix • Customers that have a global presence can choose which regions PRI SE to peer. C

• Customer’s Internet connection is used as fallback

• Media flows via Equinix peering connection.

Webex AS13445 • Webex Meetings app signaling Webex IP blocks: and media use the peering https://collaborationhelp. cisco.com/article/en- connection us/WBX000028782 • Signaling for cloud registered Internet devices and Webex Teams Signaling only uses the public Internet • Third party services accessed Z via the Internet Signaling

Media Path Customer

Video Mesh Node local media kept local Video Mesh Node local media kept local

Webex Edge Video Mesh

• Software extends cloud to the premises - media stays local for on-premises attendees Video Mesh Node local media • Cloud simple: managed by & registered to Webex cloud kept local

• Automatic overflow if local capacity is full / unavailable

Webex Edge • Video Mesh is part of the Webex Edge Cisco Audio Unified Meetin solution CM g • Video Mesh functionality is the same, handling the Main Video, Speaker’s Audio ExpresswayZ C/E and Content being shared by the video devices in the meeting that can utilize Video Mesh Video Mesh • Video Mesh communicates directly to SIP Cloud Video Registered Webex cloud and terminates the media for Endpoint Video cloud registered device and SIP video Endpoint endpoints for dialing into Webex meetings. Customer Signaling Premises • Webex Teams, Webex registered devices Media Path and Cisco UCM registered SIP video endpoints use Video Mesh. Webex Meeting app or Webex Teams browser does not use Video Mesh. Version 1.1 TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 165 Cisco Webex Edge Audio + Video Mesh Signaling and Media

Webex Edge • Video Mesh and Edge Audio work Cisco Audio Unified Meetin independently but are part of an overall CM g solution when connecting to a Webex SIP Trunk meeting.

Z Expressway C/E • IP phones dialing in or call back to the Webex meeting use +E.164 numbers and utilize the Expressway to connect to the Video Webex meeting. (Webex Edge Audio) Mesh IP SIP Cloud Phone Video Registered • Cisco UCM registered SIP video endpoints, Endpoint Video Webex registered devices and Webex Endpoint Teams app dial SIP URIs to the Webex Customer Signaling meeting and use Video Mesh for local media Premises Media Path processing.

• Webex Meeting app goes directly to the Webex Cloud.

Cisco Webex Edge • Webex Connect is a peering connection to Unified Meetin Cisco Webex. g CM • Both Video Mesh and Webex Edge Audio Expresswa Z can use the Webex Edge Connect peering y Connect service to connect media to the Webex Meeting, but it is not a requirement.

Video Mesh • Webex Teams signaling goes via the Internet link and all media goes via Webex SIP Video IP Laptop Laptop Internet Endpoint Phone Client Client Connect. • Webex Meetings app sends signaling and Customer Signaling media via Webex Connect. Premises Media Path • If the peering connection is not available all signaling and media traffic will flow via the Internet.

• Messaging

• Meetings

• Security

• Calling

The Cisco Webex™ application simplifies teamwork by making communication seamless. Send messages, share files, and meet with different teams, all in one place.

Making Teamwork Simpler.

Unlimited Persistent and secure Face-to-face meetings Superior business-class virtual rooms messaging and file sharing with screen sharing experience

Pull Everyone Together Simpler Way to Work With All Your Teams

Start collaborating with Work together in unlimited virtual Connect your mobile calendar to create anyone by simply adding rooms that you can easily access a Webex room for upcoming calendar their name or e-mail through a searchable, sortable list entries. Join virtual meetings, including address WebEx meetings, in a single tap.

Consistent and Easy- Add Files Quickly Scan Get Caught Up to-Use Experience on Even While Mobile Shared Files Quickly Every Device

Share a photo or add a See files instantly without Review previously shared Cisco Webex for: file directly into your a download to get to the messages and files at any • iPad and iPhone rooms important information time • Android fast • Web • Windows • Mac • Windows Phone (BETA)

Meet, Share, and Recall Broaden the Discussion

Start a meeting in your Share your Capture important Add a guest participant to join a rooms of up to 200 screen to gain details while you talk meeting on the fly people* from any device quick alignment that can be reviewed later

*Paid subscription feature

• Group rooms by teams

• A team defines a set of users

• Same Webex experience once in a team room

• Better organization of rooms

• Open and Discoverable Rooms • Moderated, private, invite-only rooms also available

• Immediately connect new users with their team, projects & tasks

• Anyone can create a team • Teams are best for organizational structures or small projects • Anyone in a team can create rooms in a team • Rooms can be either be open or private • Rooms in a team can have invited guests • Guests can participate in the specific rooms in which they were invited • Guests cannot discover open rooms and are not a member of the team • A team creator is the default team moderator • Invite/remove people from the team, archive the team, and assign other moderators • Archive Team/Team Rooms • When finished with a team or room in a team, users can archive these constructs

• Rooms created with no team attached can be moved into a team • No loss of progress, messaging, or content

• Documented Teams APIs to create teams, add/remove people in a team, create rooms in a team, archive team/team rooms • https://developer.ciscoWebex.com

• Updated Native Windows and OSX desktop client updates

• Enhanced user experience

• Improved performance

• Greater stability

• Delivered via the same Teams update process

Make it easy for users to integrate Cisco Webex with the apps they love and give developers tools to transform collaboration experiences.

Native App Integration Platform Integrations Services APIs / SDKs

Teams unify Power-users Developers accelerate workstreams create their own apps the value of Webex in in a click in minutes their environments

‘Your App’ Now with

GET Cisco Collab!

/People POST /Memberships PUT /Rooms DELETE /Messages

/Webhooks

Meetings Webex Meetings Designed to deliver the best meeting experience in the industry Video-first user interface New desktop, mobile and web apps Integrations

Continuous Collaboration Messaging Whiteboarding ONE Meeting Files Bots / Integrations Cloud, Premises or Hybrid Proximity Meeting context Join - OBTP Meetings Video / Sharing Teams

Hybrid Media KMS Security

• One meeting, chose your client

• Consistent in-meeting experience

• No migration

• The Teams advantage • Asynchronous communication • Persistent content • Hardware integration • Smart lobby • Multi-stream video

Cisco Webex Teams Cisco Webex Meetings

Unified participant lists, controls, Stay in the Webex Teams app to Designed for simple recording host Webex Meetings customer evolution

Modern video-first experience, New in-meeting control bar Simplified dashboard everyone can be seen no matter with one click to the most provides single view of your how they join common tools Webex meeting capabilities

One click to start or join Integrated calendar Proximity for device pairing and content share

Reimagined mobile meetings equal Using WebRTC – no plug-ins to host or join a participation meeting

• One Button to Push (OBTP) to join WebEx, Teams or other SIP- based meetings

• Requires Cisco WebEx Teams Calendar services (Exchange, 0365, Google calendar)

• Device selection to join via Deskphone control, WebEx device in proximity or PSTN / TP (dial in / callback)

• One Button to Push (OBTP) on WebEx Shared and Personal Devices

• Start a meeting in your Personal Room

• Jump on someone’s Personal Room or drop the link in a space

• Be notified on WebEx Teams when someone is in your Personal Room lobby

• See who is in the meeting so you can decide when to join! • Easily switch from a meeting to another

• Multitask or locate the file you need to share in the meeting

• Identify who is sitting in the conference room (WebEx devices)

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 194 Get on the same page The cloud-based Webex app lets every team member participate as if they’re in the room together. Share ideas and access all the same tools across mobile devices, laptops and the Webex Board. Every contribution from the team is automatically updated to the Webex room, so you can reach whenever you need it.

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 195 Cloud Security and Hybrid Data Security • Introduction – Webex Cloud Security Agenda • Realms of Separation • Identity Obfuscation • Synchronizing User IDs with the Webex Cloud & Single Sign On Support • Secure App and Device Connections

• Cloud based Data Security and Data Services • Secure Messages and Content • Secure Search and Indexing • E-Discovery Services

• Customer controlled Security • On Premise – Hybrid Data Security • Key Management Server Federation • Deployment Considerations

Identity Service Content Server

Key Mgmt Service Indexing Service E-Discovery Service

Data Center A Data Center B Data Center C Webex logically and physically separates functional components within the cloud Identity Services holding real user Identity (e.g. email addresses) are separated from Encryption, Indexing and E-Discovery Services, which are in turn separated from Data Storage Services

messagexxxxxxxx

Identity Service Content Server

Key Mgmt Service Indexing Service E-Discovery Service

Data Center A Data Center B Data Center C

Webex logically and physically separates functional components within the cloud Data Services such as Encryption Key Generation, Secure Message Indexing for Data Search, and E-Discovery functions operate in different Data Centers from the Data Center that encrypted content is stored in

[email protected] Identity Service Content Server

Key Mgmt Service Indexing Service E-Discovery Service

Data Center A Data Center B Data Center C

Outside of the Identity Service - Real Identity information is obfuscated : For each User ID, Webex generates a random 128-bit Universally Unique Identifier (UUID) = The User’s obfuscated identity No real identity information transits the cloud

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 200 Webex – User Identity Sync and Authentication User Info can be synchronized to Webex from the Enterprise Active Directory

Multiple User attributes can Identity Service be synchronized

Scheduled sync tracks employee changes

Passwords are not synchronized - User : 1) Creates a Webes Directory password or Sync 2) Uses SSO for Auth

Administrators can configure Webex to

Identity Service work with their existing SSO solution

Webex supports Identity Providers using SAML SSO Security Assertion Markup Language

Directory (SAML) 2.0 and OAuth Sync 2.0

IdP See Notes for list of supported IdPs

1) Customer downloads and installs teams App (with Trust anchors) 2) Teams App establishes a secure TLS connection with the Spark Cloud

Identity Service Webex Service 3) Webex Identity Service prompts User for an e-mail ID 4) User Authenticated by Spark Identity Service, or the Enterprise IdP (SSO) 5) OAuth Access and Refresh Tokens created and sent to Teams App • The Access Tokens contain details of the Spark resources the User is authorized to access 5) Teams App presents its Access Tokens to register with Webex Services over a secure IdP channel

1) User enters 16 digit activation code received via e-mail from the Webex provisioning service 2) Device authenticated by Identity Identity Service Webex Service Service (Trust anchors sent to device and secure connection established) 3) OAuth Access and Refresh Tokens created and sent to Webex Device • The Access Tokens contain details of the Webex resources the User is authorized to access 5) Webex Device presents its Access Tokens to register with Webex Services over a secure channel

1234567890123456 TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 204 • Introduction – Webex Cloud Security Agenda • Realms of Separation • Identity Obfuscation • Synchronizing User IDs with the Webex Cloud & Single Sign On Support • Secure App and Device Connections

• Cloud based Data Security and Data Services • Secure Search and Indexing • E-Discovery Services

• Customer controlled Security • On Premise – Hybrid Data Security • Key Management Server Federation • Deployment Considerations

Key Management Service

Any messages or files sent by Content Server Key Mgmt Service an App are encrypted before being sent to the Webex Cloud

Teams App request a conversation encryption key

filefile from the Key Management message message message message Service Each Team Room uses a different Conversation Encryption key AES256-GCM cipher used for Encryption TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 207 Team - Decrypting Messages and Content

Key Management Service

Content Server Key Mgmt Service Encrypted messages sent by the App are stored in the Webex Cloud and also sent on to every other App in the Team Room The encrypted message also contains a link to the conversation message message message encryption key If needed, Teams Apps can retrieve encryption keys from the Key Management Service

HashB95748FE Algorithm

The Indexing Service : Enables users to search for names and Search Service words in the encrypted messages stored in the

Content Server Indexing Service Key Mgmt Service Content Server without ################# messag decrypting content SparkSparkB9 IS IS57 the the FE message 48 ## e A Search Index is built by creating a fixed length hash* of each word in each message within a Room

################# Spark IS the message ## The hashed indexes for each Team Room are stored by the * A new (SHA-256 HMAC) hashing key (Search Key) is used for each room Content Service TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 210 Searching Rooms : Querying a Search Index Search for the word “Cisco” Indexing Service Hash4857FEB9 Algorithm

App sends search request Search Service over a secure connection to the Indexing Service Content Server Indexing Service Key Mgmt Service The Indexing Service uses ################# “Spark”Spark“B9”B9 ## Per Room search keys to B9 57 FE 48 hash the search terms The Search Service Search for the word “Cisco” searches the for a match in the hash tables and returns Cisco################# IS the Message matching content to the App “Spark”## * *A link to Conversation Encryption Key is sent with encrypted message TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 211 Cloud Based Security : E Discovery Services Teams E-Discovery Service : (1)

Indexing Service

X1GFT5YYHash Algorithm

Compliance Officer selects a Indexing Service Search Service group of messages and files JoJo“X1GFT5YY” Smith’sSmith’sX1GFT5YY ContentContent to be retrieved for E- Discovery e.g. : based on Content Server E-Discovery Service Key Mgmt Service ################# date range/ content type/ ## username(s) Jo Smith’s Content The Indexing Service requests a search of related hashed content

################# The Content Server returns Jo Smith’s Content ## matching content to the E- Spark Control Hub Discovery Service TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Teams E-Discovery Service : (2)

E-Discovery Service E-Discov. Storage

################# ################# ################# ### The E-Discovery Service : Search Service Decrypts content from the Content Server, then

Content Server E-Discovery Service Key Mgmt Service compresses and re-encrypts Jo################# Smith’s Content it before sending it to the E- Jo#################Jo Smith’sSmith’s## Messages Content Discovery Storage Service #################and## Files Jo Smith’s Content ##### The E-Discovery Storage E-Discovery Service : Content Ready Sends the compressed and Jo Smith’s Messages and Files encrypted content to the Administrator on request Webex Control Hub TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 214 • Introduction – Webex Cloud Security Agenda • Realms of Separation • Identity Obfuscation • Synchronizing User IDs with the Webex Cloud & Single Sign On Support • Secure App and Device Connections

• Cloud based Data Security and Data Services • Secure Messages and Content • Secure Search and Indexing • E-Discovery Services

• Customer controlled Security • On Premise – Hybrid Data Security • Key Management Server Federation • Deployment Considerations

Part of Pro Pack for Cisco Webex Control Hub Webex– Hybrid Data Security (HDS)

Content Server Hybrid Data Services = On Premise : Key Management Server Indexing Server E-Discovery Service Key Mgmt Service Indexing Service E-Discovery Service

Secure Data Center Hybrid Data Security

Content Server make outbound connections only from the Enterprise to the Webex cloud, using HTTPS and Secure WebSockets (WSS)

Key Mgmt Service Indexing Service E-Discovery Service No special Firewall configuration required

Secure Data Center Hybrid Data Security Firewall

Content Server KeyKey MgmtMgmtServiceServer Multiple HDS servers can be provisioned for Scalability & Load Sharing

The Hybrid Data Security is

Secure Data Center managed and upgraded from Hybrid Data Security the cloud

Hybrid Data Security Customer’s can access usage information for the HDS Servers via the Spark Control

Key Management Service

Content Server Key Mgmt Server The Hybrid Key Management Server performs the same functions as the Cloud based Key Management Server

Secure Data Center BUT Now all of the keys for

Key Mgmt Service messages and content are owned and managed by the Customer

Key Management Service

Team Apps request an encryption Content Server Key Mgmt Service key from the HDS Key Management Server Any messages or files sent by an App are encrypted before being Secure Data Center sent to the Spark Cloud messagemessage messagemessage Encrypted messages and content Key Mgmt Service stored in the cloud Encryption Keys stored locally

Key Management Service

Content Server Key Mgmt Service Encrypted messages from Apps are stored in the Webex Cloud These messages are sent to every other App in the Team Room and

Secure Data Center contain a link to their encryption key on the HDS Key Management Server message message

Key Mgmt Service If needed, Team Apps can retrieve encryption keys from the HDS Key Management Server

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 222 Hybrid Data Security – Secure App Connections Teams Apps establish a direct TLS connection to Webex Service the On Premise HDS node

Search Service and KMS service

This encrypted peer to peer Content Server session traverses the Webex Cloud

Secure Data Center

Hybrid Data Security Node

App to Cloud TLS connection App to HDS TLS connection

Search Service

The Indexing Service : Enables Content Server users to search for names and ################# ################### words in the encrypted ## messages stored in the Content Server without decrypting content

Secure Data Center

HashB95748FE Algorithm

################# Indexing Service Key Mgmt Service Spark IS the message ## ## messag SparkSparkB9 IS IS57 the the FE message 48 e

* A new hashing key (Search Key) is used for each room TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 224 Hybrid Data Security: Querying a Search Inde Search for the word “Cisco” Indexing Service

Search Service

Content Server The Indexing Service sends ################# a hashed index of the App’s ## B9 57 FE 48 search request to the Search Service

Secure Data Center

Search for the word “Cisco” HashB9 Algorithm

Indexing Service Key Mgmt Service ################# Spark IS“Spark” the Message ## “Spark”Spark“B9”B9

*A link to Conversation Encryption Key is sent with the encrypted message TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 225 Messaging E-Discovery Service : (1) Indexing Service

Search Service The Indexing Service sends hashed search criteria to the Content Server Search Service ################# ## The Content Server returns Jo Smith’s Content matching content to the E- Discovery Service

Secure Data Center Compliance Officer selects a group of messages and X1GFT5YYHash Spark Control Hub files to be retrieved for E- Algorithm Discovery e.g. : based on date range/ content type/ username(s) E-Discovery Service Indexing Service Key Mgmt Service ################# Jo“X1GFT5YY” Smith’sX1GFT5YY Content Jo Smith’s## Content TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 226 Messaging E-Discovery Service : (2)

E-Discovery Service : Decrypts content from the Content Server, then compresses Search Service and re-encrypts it before sending it to the E-Discovery Storage Service Content Server E-Discov. Storage ################ E-Discovery Storage Service : ################ ################ Sends the compressed and ###### encrypted content to the Administrator on request

Secure Data Center

Spark Control Hub E-Discovery Service Key Mgmt Service E-Discovery ################Jo Smith’s Content Ready Jo Smith’s ################Jo Smith’s### ################JoContent Smith’s Messages and ################MessagesJo Smith’s### and Files ################Content Files Content#########

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 227 Customer Controlled Security : Key Management Server Federation HDS: Encryption Keys & Users in other Orgs Team Spaces with How do external users from multiple users retrieve Organizations can encryption keys from share encrypted the KMS of the

messages and Content Server Key Mgmt Service Organization that content owns the Spark Space ?

messagemessage message message?

Key Mgmt Service Key Mgmt Service

Organization A Organization B TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 229 HDS: Key Management Server Federation Hybrid Key Hybrid Key Management Management Servers in different Servers make Organizations can outbound

establish a Mutual Content Server Key Mgmt Service connections only : TLS connection via HTTPS, Web Socket the Spark Cloud Secure (WSS)

message message

Key Mgmt Service Key Mgmt Service

Organization A Organization B TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 230 HDS: Key Management Server Federation With a secure Mutually connection between Authenticated KMSs Key Management can request Room Servers… Encryption Keys from

Content Server Key Mgmt Service one another on behalf of their Users

message message

Key Mgmt Service Key Mgmt Service

Meetings Teams Calling

UC&C App Cisco Webex Meetings Only App (integrated calling, messaging & meetings) Calling App

Meetings Teams Calling

Meeting Knowledge Task Centric Worker Centric Workload Workload Workload

Webex Calling

• Bundled with Webex Teams • Sold with Webex Meetings • Enterprise Channels resells one of the PSTN options

Local Gateway to PSTN - Launch MVO – March ● Enterprise or VAR managed edge device for signaling and PBX functionality with PSTN calls routing through local gateway or UCM cluster via local SIP Trunk or PRI ● Partner facilitated deployment and configuration

Bring Your Own SIP Trunk - Roadmap ● Partner helps customer procure and provision PSTN, via certified SIP trunk provider interconnected directly to BroadCloud core. ● Enterprise level interconnect to Broadcloud core

Preferred Media Partner - Roadmap ● Single Network interconnect supporting all partners and customers ● Control Hub facilitated fulfillment process

✓ PSTN calls from/to users @ Branch A route via SIP Trunk connected to HQ Local GW Branch A ✓ PSTN calls from/to users @ Branch B route via SIP Trunk connected to Local Internet GW.

✓ Calls between users hosted in the cloud are processed/routed in BroadCloud HQ CUCM ✓ Calls from hosted cloud users that are PSTN Network 'unknown' will route via LGW/PBX trunk @ HQ – Dial Plan’s are static and not like CUCM, interdigit timeout.

✓ Calls from HQ PBX users to cloud users Local GW Local GW are routed via LGW/PBX trunk @ HQ Branch B

• Phone Behavior WILL be different

• Dial Plan Considerations • No configurable option for PSTN steering code • 2-6 Digit Internal dialing plan with DID’s • No configurable inter-digit timeout – Must use send code #, but will send Unknown to Local GW. • BroadCloud Calling / WebEx Calling end-user calling a room system URI is two different systems today. • MPP Phone URI dialing is peer to peer internal only • Lack of Unified Directory (Hybrid)

Webex Control Hub Webex Calling Administration

Subscription Cloud and Premises Simpler Selling

Easy OpEx purchasing Simplifying transitions: Separates buying Industry-leading from deploying Premises to Cloud

Enterprise Agreement Named User Active User for Cisco Collaboration (Flex Plan) (Flex Plan) Flex Plan

Individuals, team, MODIFY midterm MODIFY midterm department with Active User with EA Knowledge worker adoption 10%+ 40%+

• Named User. • Available for Meetings and Calling Plans • The “Named User” only has rights to use the software.

• Active User. • Available for Meetings only • License 15% of Knowledge Workers • Allows everyone access while only charging for “Power Users”

• Enterprise Agreement. • Available for Meetings and Calling Plans • License Knowledge Workers, Minimum 250 users • ”All In” Offer

Meetings Calling

Enterprise Enterprise Active User Named User Agreement Agreement Choose Choose between between

Customers can mix and match for maximum flexibility

1. Mix Enterprise Agreement Meetings with Named User Calling

2. Mix Active User Meetings with Named User Calling

• Who are the Business, Customer Service, and Technical Stakeholders?

• What are the Business and Operational Milestone Dates for System Acceptance and Full Production ?

• What Business Problem(s) are We Solving?

• What Current Customer Service Functionality Exists?

• Does Unified Contact Center Express Meet the Required Functional and Technical Requirements?

• Does the Customer Have all the Required Infrastructure and Unified

• Communications Applications?

• What is the Exit Criteria for the Completion of the Deployment?

OVA profile 3 2 1 3 2 1 BHCC 6000 5000 2000 6000 5000 2000 Agents 400 300 100 400 300 100 Supervisors 42 32 10 42 32 10 Agent E-Mail concurrent agents 120 120 30 120 120 30

Web Chat concurrent sessions 120 120 60 120 120 60 Web Chat volume 2400 2400 1200 2400 2400 1200 per hour Number of skills with which an agent can associate 50 50 50 50 50 50

6 2 1 PSTN

6 4 3 Router/GW 2 3 5 5 4 5 Agent Stations 1. Inbound PSTN Call to Voice Gateway 2. VoIP leg to CUCM UCCX 3. CUCM routes call to UCCX CallManager 4. UCCX trigger Redirects call to CTI Port Cluster Supervisor Stations 5. UCCX CTI port answers call, instantiates script associated with the application and executes Agent ICD Extension 19001 6. UCCX identifies an available resource and the CTI Route Point 10000 CTI port Consult Transfers the call to the agent CTI Ports 10001-10010 phone. TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 249 Design Components

In planning and Design for Contact Center Express Systems, Three Key Design Components Are Considered: • Ingress Gateways / PSTN Trunks How the calls get into the CC Express system • UC Manager CTI Ports / CCX IVR and Queue Ports Virtual devices used by UC Manager and CC Express to handle calls coming into the system • Contact CenterAgents The people who answer the calls and handle the contacts

PSTN

Router/GW

5 Agent Stations

UCCX • Provide access to the PSTN CallManager Cluster Supervisor • TDM Implementation, T1/E1, PRI Stations • Number of trunks affects gateway hardware, performance • For Outbound check for CPA-supported routers

PSTN

Router/GW 5 • Unified Communications Manager device object Agent Stations • One CTI Port required for each call during script processing (terminates media) UCCX • IVR Port License, one required for each call CallManager Cluster during script processing Supervisor Stations • Each multi-line (up to 3 non-ACD) is one CTI Port

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 252 To Calculate CTI Port and IVR Port Licenses Required - Sum: Maximum number of calls using Call Treatment (CT) during prompt and collect phase of call Maximum number of calls in queue loop CTI port is released when: 1. Call is dropped from the CTI ports 2. Call is transferred to agent

Scenario 1 – If all Triggers point to Scenario 2 - If each Trigger points the same Call Control Group to a separate Call Control Group

Is there a • Starvation on some Triggers may • CTI Ports may go unused due to occur. different traffic patterns across correct • Example: If IT Help Desk and Triggers. way? Sales Triggers both point to the • Single Triggers can experience same CCG and there is an CTI Port starvation. outage in the IT infrastructure.

PSTN

Router/GW

5 Agent Stations

UCCX Agents required to handle calls CallManager Cluster Supervisor Stations Hold Time Talk Time Time in queue Wrap-up time

• Average Handle Time AHT • Talk time + wrap-up

IVR port • Prompts/menu treatment in script usage time

• Busy Hour Call Attempts BHCA • Average number of calls received in a busy hour.

Service • Goal for agents • Percentage of calls answered by agents Level within a specific number of seconds

• Percentage of calls that get a busy tone Grade of (no gateway trunks available) out of the service total BHCA

“The erlang (symbol E) is a dimensionless unit that is used in telephony as a measure of offered load or carried load on service-providing elements such as telephone circuits or telephone switching equipment. A single cord circuit has the capacity to be used for 60 minutes in one hour. Full utilization of that capacity, 60 minutes of traffic, constitutes 1 erlang.”

ErlangB: is a formula for the blocking probability that describes the probability of call losses for a group of identical parallel resources. -- Used to calculate number of trunks/lines/ports

ErlangC: originally used to calculate number of switchboard operators required. -- Used to calculate number of agents

IVR Call is Agent Agent Agent Answers Queued Answers Hangs-up Ready

Treatment Queue Agent TalkTime Wrap-upTime Time Trunk Is Occupied Time IVR Is Occupied Time Agent Is Occupied

Erlang B Erlang C

BHCA

Blockage %

AHT

Trunks

Step1: Busy Hour Traffic (BHT) BHT = Average call duration (s) * BHCA/ 3600 BHCA 3253 BHT= 3253 *200 / 3600 BHT = 180.722 ~ 180 Blockage 1% % Step2: Use ErlangB calculator Many options. Used here: http://www.erlang.com/calculator/erlb/ AHT 200s

Trunks

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 264 Determine Average Handle Time Bank ABC uses ACD with legacy VRU, customer indicated that they want to replace their current VRU with Cisco UCCX. The bank has the following call flows

30%

40%

30% 300

What is the estimated average handle time that should be used to size the UCCX?

* 318 seconds * 420 seconds * 156 seconds * 232 seconds

Weighted Avg HT = = 30%*90 + 40% * 300 + 30% * 30 = 156 sec

BHCA

SLG

AHT

Agents

Input BHCA

SLG

Output AHT

Agents

http://www.erlang.com/calculator/erlc/

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 267 Determine Busy Hour Call Attempts ABC Corporation indicated that their monthly connected minutes is 750,000, they said that they have one shift a day, 8 AM to 5 PM, Monday through Friday. They also indicated that 17% of their traffic occurs between 12-1PM. What is the estimated BHCA? Traffic mix is listed in the diagram below

* ~8,7005 * ~2,220 * ~12,450 * ~22,450

TECCOL-2982 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 268 Determine Busy Hour Call Attempts 1) Calculate AHT (weighted) ABC Corporation indicated that their monthly connected minutes is 750,000, AHT = 40% * 160 + 60% * (30 + 90 + 60) = 172 sec they said that they have one shift a day, 8 AM to 5 PM, Monday through Friday. They also indicated that 17% of their traffic occurs between 12-1PM. What is the estimated BHCA? Traffic mix is listed in the diagram below

2) Number of days in a month ( 4 weeks , 5 days a week )= 20 days 3) Estimated daily minutes = 750,000 / 20 = 37,500 minutes a day 4) Estimated daily calls = 37,500 * 60 / 136 = 13,081 calls

5) Estimated BHCA = 13,081 * 17% = 2223

• When sizing call center IVR ports and PSTN trunks, it is better to over provision; cost of extra capacity is much cheaper than lost revenue, bad service or legal risk of not meeting SLA (if under provisioned)

• Consider the seasonal busy hour versus average busy hour; marketing campaigns where calls bunch up

• Consider agent staffing, availability, attendance, adherence to schedule, occupancy, different agent shifts, different time zone, reuse of facilities

• Provision extra IVR and GW ports for growth and unforeseen fluctuations— reserve about 20% extra capacity (reality will be different than modeling)

• Now That You Know How Many ‘Ports’ Are Required for Your Call Center…

• Functional Requirements Which Drive ACD/CTI/IVR Selection (Standard/Premium Licensing) Inbound and Outbound Call Flow Caller Expected Input and Output Agent Interaction Requirements Non-Agent Customer Service Requirements

• Physical Systems Design Infrastructure Sizing Software Selection

. Provide site redundancy for disaster recovery . Latency: 80 ms RTT between Unified CCX nodes (same as CUCM CoW) . Bandwidth: 2 x T1 between sites (Not yet finalized, final bandwidth will base upon test result) 1st T1 for CCX intra-cluster communication and external communication with other components (see next slide for detail) 2nd T1 for database replication

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/finesse/bandwidth_calculator/guide/Fines se_Bandwidth_Calculator_for_Unified_Contact_Center_Express.xlsx

• 150ms delay Web Chat-CCX

• Bandwidth • CCX to Web Chat 100kbps • Web Chat to Agent 100kpbs • Customer Web server and Web Chat 100 kpbs

• Add additional for richer customer context

• Up to 50 concurrent chat sessions

• SSL Impacts

Deployment Between Between Model UCCX UCCX and nodes CUCM ACD 1.2 Mbps 800 kbps

IPIVR 1.2 Mbps 200 kbps

• Select UCCX deployment model as HAoWAN • Local CUCM should be primary provider • SSO requirement: UCCX(Ids) should be local to IdP

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session How 1 Find this session in the Cisco Events Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space cs.co/ciscolivebot#TECCOL-2982

• Please complete your Online Session Survey after each session

• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T- shirt

• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

Related Demos in Walk-in Meet the sessions the Cisco self-paced engineer Showcase labs 1:1 meetings