BRKCOL-2930
Best Practices to deploy secure Cloud Collaboration solutions in context of a Cloud Ready network
Marc Dionysius – Technical Solutions Architect Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKCOL-2930
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
• Introduction and Objectives
• Current challenges
• How to address the existing network architecture?
• Why are Cloud Ready Network Concepts relevant?
• A different angle to Cloud Security
• Conclusion

Objectives

Cloud Collaboration services continue to grow and present customers and partners with both opportunities and challenges to deploy those services in today’s customer environments. This session will review design and deployment considerations for secure Cloud Collaboration solutions in the context of current customer network architectures including proxies, centralized internet breakouts and future evolutions towards cloud-ready networks. It is designed for individuals looking to understand the various aspects, benefits and challenges of moving solutions towards Cisco Collaboration Cloud and Cisco Spark.
Current challenges

“Cloud and Security are mutually exclusive!”
Undisclosed customer quote
The New Normal

More targeted attacks: more than 100 targeted breach attempts every year
Attacks are faster than ever but still take too long to find: 82% of compromises measured in minutes
Shortage of cybersecurity expertise: 1.5 million job openings by 2019
Are Cloud and Security really mutually exclusive?
Source: Gartner Highlights the Top 10 Cloud Myths
“We expect your solution to fit into our existing security framework.”
Undisclosed customer quote
Collaboration Security – a history tour into 2006
How to address the existing network architecture?

What topology do we typically see in a customer’s network?

(Diagram: Internal / DMZ / Internet zones; IdP, Cisco Collaboration Cloud, datacenter, cloud IdP, remote site with voice and video endpoints over the IP WAN, desktops/laptops, teleworker, wireless devices.)

Cisco Spark - Types of Traffic
Spark Clients to Spark Services:
• Messages, media signalization, notifications, control and analytics traffic: HTTPS and WSS
• Voice, video and content share: SRTP and STUN
Traffic Flow Scenario 1 - Security-relaxed customer, policies only enforced in the FW
(Diagram: Internal / DMZ / Internet, firewall only.)

Traffic Flow Scenario 2 - Security-aware customer, policies enforced in the FW and Proxy
(Diagram: Internal / DMZ / Internet, firewall and proxy.)

Traffic Flow Scenario 3 - Security-focused customer, policies enforced in the FW and Proxy, plus no direct connection to the internet
(Diagram: Internal / DMZ / Internet, firewall, proxy and HMN.)
What is a proxy?
• A proxy is a machine or group of machines that allows computers in the customer’s internal LAN to reach the internet.
• Mainly they deliver services for the HTTP/HTTPS protocols, but other services are also supported (FTP, Gopher, etc.).
• Typically we see them in customer networks that don’t give direct access to the internet/outside.
Objective of proxies?
• Caching – To speed up downloading content from the internet, assuming that most of the time many users in the same organization access the same sites.
• Filtering – Limiting which sites the users of a specific organization can access.
• Authentication – Making sure that only valid users from a specific organization are allowed to access the internet.
• Inspection – Some proxies also allow inspection of HTTP/HTTPS traffic to make sure it is legitimate.
Proxy – How to configure
• Manually – The user needs to configure the proxy manually in the web browser or OS; this process is impractical in mid-size to large organizations.
• GPO – Using Windows Group Policy, Active Directory administrators can push the proxy configuration to the Windows desktops.
• PAC – Allows administrators to create a file, stored on a web server, that specifies the proxies and exceptions. Easier to manage, since it only requires that the user configure a URL.
• WPAD – The Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods.
Proxy – How to authenticate?
• No Authentication – The user or endpoint does not need to authenticate against the proxy.
• Basic – Defined in RFC 2617; in Basic authentication the client sends the username and password as unencrypted, base64-encoded text.
• Digest – Same as Basic, but instead of passing the password in clear text it uses a hash based on the password and several other parameters. Only very few proxy servers support Digest authentication, and if they do, it can’t use the user’s password in Active Directory.
• NTLM – A protocol used in several Microsoft network implementations to enable single sign-on across different services. It uses a challenge/response mechanism for delivering authentication, so the password never travels over the network.
• Negotiate – Microsoft released the Simple and Protected Negotiate (SPNEGO) authentication method. In this method the server asks for Negotiate in the proxy authentication; the client replies with a Kerberos ticket but can fall back to NTLM credentials. (It first appeared as part of RFC 1510, which was obsoleted by RFC 4120.)
Proxy – Inspection using TLS intercept

How does TLS work?

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are key components of secure communications over insecure media. The privacy, integrity, and authenticity provided by these protocols are extremely important to transmit data. Modern implementations generally support both TLSv1.0 and TLSv1.1, with TLSv1.2. All communication relies on the validation of the certificates exchanged. TLS intercept acts as a MiTM; it opens the possibility of such attacks against the clients and needs to be carefully planned.

(Diagram, client to server handshake: Client Hello → Server Hello, Server Certificate, Cipher Suite, Request Client Certificate → Verify Server Certificate, Client Certificate, Cipher Suite, Client Finished Message → Verify Client Certificate, Server Finished Message → Encrypted Data.)
Proxy – Inspection using TLS intercept

How does a proxy do TLS intercept?

Intercept proxies can be deployed in several ways, depending on their purpose and what type of inspection they do. Intercept proxies can be Deep Packet Inspection devices, can be included in next-generation firewalls, or do data loss prevention (DLP).

(Diagram, Client – Proxy – Server: the proxy terminates the client’s TLS handshake (Client Hello, Server Hello, Server Certificate, Cipher Suite, Request Client Certificate, Verify Server Certificate, Client Certificate, Cipher Suite, Client Finished Message, Verify Client Certificate, Server Finished Message) and runs a second, identical handshake towards the server; between the two segments the data is unencrypted inside the proxy.)
TLS intercept – How to validate?

In TLS, clients need to validate server components. So our client needs to validate the CA certificate used by the proxy, which means it needs to trust the Enterprise or Public CA that signed it. But since the proxy itself is also a client for the second segment, it needs to validate the Public CA that signed the server. There isn’t much point in doing TLS intercept on Spark traffic, since inside the TLS packets there is another layer of encryption that proxies can’t decrypt, so the only advantage would be to know the full URLs used by the Spark service.

(Diagram: Client, Proxy in the DMZ, and Server, each with a Certificate and a TrustStore; the Enterprise CA signs the proxy’s certificate and the Public CA signs the server’s certificate.)
Spark Security Architecture – End to End Secure Communication

Transport
• Mutual TLS connection – Secure TLS REST interfaces; certificate-based MTLS
• Inter-service message transport – Interaction between services based on OAuth to authorize services; service components authorization by OAuth tokens
• Establish TLS connection – Secure client connection to service over TLS

Key Management
• Establish end-to-end ECDHE communication channel – End-to-end client to Key Management channel negotiated via ECDHE
• Client verifies KMS identity through PKI certificate – Identity of the Key Management Service verified by PKI certificate
• Crypto key operations (key material) not visible to other cloud components – Client to Key Management crypto key operations E2E secured over the transport layer with JSON Web Encryption (JWE, RFC 7516)
Proxy exceptions for Spark traffic – An alternative to TLS Intercept

Most proxies can create rules based on destinations. There are rules like TLS intercept bypass, authentication bypass, etc. For Spark we published the URLs that we require for the Spark service to work: https://collaborationhelp.cisco.com/article/en-us/n4vzhkx

Some proxies like the Cisco WSA have the capability of getting all these URLs from a single live feed: https://www.ciscoSpark.com/content/dam/ciscoSpark/eopi/global/assets/Docs/Spark_wsa.csv
Recommendations regarding Proxies
• Spark traffic carries encrypted content inside the HTTPS connections, so even though TLS delivers hop-by-hop encryption for the connections, we add end-to-end encryption for the Spark traffic. In fact the only advantage of TLS Intercept is to learn the destination URL (not only the domain information that the TLS connection provides by default); the traffic is completely opaque to the proxy.
• Alternatively, create an exception in the proxy to exclude Spark traffic from TLS Intercept and/or Authentication as described on the previous slide. We are absolutely NOT recommending turning off TLS Intercept in general!!
• Spark Devices: the recommendation is to use the destination (Cisco Spark domains) and the User-Agent of the HTTP request to create rules where the Spark devices (CE and SparkBoard) use a specific policy with exceptions for Cisco Spark, with no Authentication or TLS intercept configured.
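As an added example (not from the deck or from Cisco), this is a PAC file of the kind described under “Proxy – How to configure” that implements the client side of the exception policy above: Spark destinations are steered to a separate proxy listener with no authentication or TLS intercept, everything else stays on the inspecting proxy. The proxy host names, ports and the `.example.internal` domain are placeholders, and `COLLAB_DOMAINS` stands in for the published URL list / WSA feed rather than reproducing it.

```javascript
// Added example, not from the Cisco deck: a PAC file that sends Spark/Webex
// destinations to a proxy policy without authentication or TLS intercept and
// everything else to the default inspecting proxy. Proxy host names, ports and
// the internal domain are placeholders; COLLAB_DOMAINS stands in for the
// published Spark URL list / WSA feed and is not a complete list.

// dnsDomainIs/isPlainHostName are normally supplied by the PAC engine of the
// browser or OS; they are re-implemented here (following Chromium's
// semantics) only so the file can be exercised outside a browser.
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

// Two listeners on the same WSA (assumed): one with the regular auth +
// TLS-intercept policy, one with the Spark exception policy.
var DEFAULT_PROXY = 'PROXY wsa.example.internal:3128';
var COLLAB_PROXY  = 'PROXY wsa-collab.example.internal:3129';

// Leading dots anchor the match at a label boundary, so "notwebex.com" or
// "webex.com.attacker.example" never fall into the relaxed policy.
var COLLAB_DOMAINS = ['.webex.com', '.wbx2.com', '.ciscospark.com'];

function FindProxyForURL(url, host) {
  // Internal hosts never leave the network.
  if (isPlainHostName(host) || dnsDomainIs(host, '.example.internal')) {
    return 'DIRECT';
  }
  for (var i = 0; i < COLLAB_DOMAINS.length; i++) {
    if (dnsDomainIs(host, COLLAB_DOMAINS[i])) {
      // Still no direct internet (scenario 3): the exception is a different
      // proxy policy, not a bypass of the proxy.
      return COLLAB_PROXY;
    }
  }
  return DEFAULT_PROXY;
}
```

The same destination match has to be repeated on the proxy itself (destination plus User-Agent for CE and SparkBoard devices that cannot load a PAC), since a PAC file is advisory to the client, not an enforcement point.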
WSA Proxy authentication using ISE with 802.1X

Some endpoints like CE and SB devices have no easy way of delivering secure authentication against proxies. If there is the need to authenticate on multiple OSI layers (network, application), why not use one to provide authentication to the other?

(Diagram: Enterprise CA, ISE, Switch, WSA, Web Service.)
1. The endpoint certificate is signed by a CA.
2. On access to the network, the switch redirects to ISE.
3. ISE asks for 802.1X certificate-based authentication.
4. The endpoint with proxy configuration requests access to web services.
5. WSA, using pxGrid, checks whether the device completed a successful 802.1X authentication.
6. The endpoint connects securely to the Web Service through the authenticated proxy without user interaction.
Proxy support - what does it mean?
• When we talk about proxy support, we mean Spark clients only talking HTTPS and WSS traffic (messages, media signalization, notifications, control and analytics traffic).
• Media (voice, video and content share over SRTP and STUN) over proxies isn’t recommended: proxies were not designed to handle media, their performance is really bad and doesn’t scale.
Firewall Requirements

(Diagram: Spark clients to Spark services – messages, signalization, notification, control and analytics traffic over HTTPS and WSS; Internal / DMZ / Internet shown without and with a proxy.)
• Media goes directly to the internet using the HTTPS WSS protocol.
• Signalization goes through the Proxy (rules already in place in the firewall).
Protocol and Ports used by Spark

Assuming the most simple scenario with direct connection to the internet (Internal / DMZ / Internet):

TCP rule
Protocol: TCP | Source IP: Internal LAN IP address range | Source Port: Ephemeral | Destination IP: Any IP | Destination Port: 443

UDP media rule
Protocol: UDP | Source IP: Internal LAN IP | Source Port: Voice 52000-52099, Video 52100-52299 | Destination IP: Any IP | Destination Port: 5004

TCP fallback for media
Protocol: TCP | Source IP: Internal LAN IP | Source Port: Ephemeral | Destination IP: Any IP | Destination Port: 5004

Protocol and Ports used by Spark
• From a media perspective, Spark clients always try to use UDP but will fall back to TCP if UDP is closed. TCP might impact media quality; it can’t guarantee quality for real-time media.
• As a last-resort scenario for the software clients (Win, Mac, iOS and Android) we can use HTTPS proxies for media, but it isn’t recommended. Cisco can’t help much if there are quality issues with media.
• Spark Boards on old versions of SW need to access NTP (port 123), but in new versions they will use DHCP.
Firewall rules for Media

(Diagram: Internal / DMZ / Internet with the HMN.)
Option 1 – Access to the Spark Service through the Hybrid Media Node (HMN). All clients inside the customer network connect to the Hybrid Media Node; if there are participants outside the customer network, the HMN cascades the media flow to the cloud. Unique, very well-defined sources, if necessary placed in special DMZs, connect to the Spark services in the cloud. The HMN opens UDP connections to destination port 5004; a few additional ports are needed, please review the reference slides in the Appendix.
Firewall rules for Media

(Diagram: Internal / DMZ / Internet.)
Option 2 – Using firewalls with STUN support (defined in RFC 3489).
Uses UDP from any Spark client inside the customer network using source ports
Voice 52000-52099
Video 52100-52299
where the destination might be any IP address on the internet with destination port 5004. STUN allows opening pinholes only if the system is WebRTC compliant and there is an external recipient expecting the traffic (prevents the enterprise from being a source of DDoS). From a security perspective this is the recommended model, but it requires firewalls that use STUN for WebRTC traffic, like the Cisco ASA.
Firewall rules for Media

(Diagram: Internal / DMZ / Internet.)
Option 3 – Direct access to the Spark Service using the UDP protocol for media with specific destination IP addresses. We require that the administrator configure the firewall to accept inside-initiated UDP flows with return traffic to the same 5-tuple (source IP address/port number, destination IP address/port number and the protocol in use), with a 30 s timeout on the creation of the pinhole. Bidirectional media is sent over this flow.
Uses UDP from any Spark client inside the customer network using source ports
Voice 52000-52099
Video 52100-52299
where the destination might be two /19 prefixes on the internet with destination port 5004. This is EFT today and will be GA soon.
Firewall rules for Media

(Diagram: Internal / DMZ / Internet.)
Option 4 – Direct access to the Spark Service using the UDP protocol for media. We require that the administrator configure the firewall to accept inside-initiated UDP flows with return traffic to the same 5-tuple (source IP address/port number, destination IP address/port number and the protocol in use), with a 30 s timeout on the creation of the pinhole. Bidirectional media is sent over this flow.
Uses UDP from any Spark client inside the customer network using source ports
Voice 52000-52099
Video 52100-52299
where the destination might be any IP address on the internet with destination port 5004.
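To make the 5-tuple pinhole behaviour of Options 3 and 4 concrete, here is an added model (not Cisco’s code or any firewall vendor’s) of the outbound UDP media policy: the source-port ranges and destination port come from the deck, the 30 s pinhole admits only return packets that exactly reverse an inside-initiated flow, and a list of destination prefixes switches the model from Option 4 (any IP) to Option 3. The `10.0.0.0/8` inside range, the `203.0.113.0/24` stand-in for the published /19 prefixes, and the treatment of the 30 s timeout as an idle timeout refreshed by outbound packets are assumptions.

```javascript
// Added example, not from the Cisco deck: a small model of the outbound UDP
// media policy from Options 3 and 4 (source ports 52000-52099 voice and
// 52100-52299 video, destination port 5004) with a pinhole that admits return
// traffic only when it matches the reversed 5-tuple and is younger than 30 s.
// Address ranges and timestamps are constructed sample values.

const PINHOLE_TIMEOUT_MS = 30 * 1000;

const MEDIA_RULES = [
  { media: 'voice', sport: [52000, 52099], dport: 5004 },
  { media: 'video', sport: [52100, 52299], dport: 5004 },
];

function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

function tupleKey(t) {
  return `${t.proto}|${t.src}:${t.sport}>${t.dst}:${t.dport}`;
}

class MediaFirewall {
  // allowedDestNets: null means "any IP" (Option 4); a list of prefixes models
  // Option 3, where the destinations are the published /19 ranges.
  constructor(internalNet, allowedDestNets = null) {
    this.internalNet = internalNet;
    this.allowedDestNets = allowedDestNets;
    this.pinholes = new Map(); // 5-tuple key -> expiry time (ms)
  }

  // Inside-initiated packet: permit only if it matches a media rule; on match,
  // create (or refresh) the pinhole for the reply direction.
  outbound(pkt, now) {
    if (pkt.proto !== 'udp' || !inCidr(pkt.src, this.internalNet)) return false;
    if (this.allowedDestNets && !this.allowedDestNets.some((n) => inCidr(pkt.dst, n))) return false;
    const rule = MEDIA_RULES.find(
      (r) => pkt.dport === r.dport && pkt.sport >= r.sport[0] && pkt.sport <= r.sport[1]
    );
    if (!rule) return false;
    // Assumption: the 30 s timeout is an idle timeout refreshed by outbound media.
    this.pinholes.set(tupleKey(pkt), now + PINHOLE_TIMEOUT_MS);
    return true;
  }

  // Return traffic is admitted only if an unexpired pinhole exists for the
  // exact reversed 5-tuple; any other packet from the internet is dropped.
  inbound(pkt, now) {
    const reversed = { proto: pkt.proto, src: pkt.dst, sport: pkt.dport, dst: pkt.src, dport: pkt.sport };
    const key = tupleKey(reversed);
    const expiry = this.pinholes.get(key);
    if (expiry === undefined) return false;
    if (now > expiry) {
      this.pinholes.delete(key);
      return false;
    }
    return true;
  }
}

// Walk the policy with constructed packets; returns the firewall's decisions.
function demo() {
  const t0 = 1000000;
  const anyDest = new MediaFirewall('10.0.0.0/8');                      // Option 4
  const fixedDest = new MediaFirewall('10.0.0.0/8', ['203.0.113.0/24']); // Option 3 (placeholder prefix)
  const voice = { proto: 'udp', src: '10.1.2.3', sport: 52010, dst: '203.0.113.10', dport: 5004 };
  const reply = { proto: 'udp', src: '203.0.113.10', sport: 5004, dst: '10.1.2.3', dport: 52010 };
  return {
    voiceOut: anyDest.outbound(voice, t0),                                     // true
    replyIn: anyDest.inbound(reply, t0 + 5000),                                // true, pinhole open
    replyLate: anyDest.inbound(reply, t0 + 31000),                             // false, pinhole expired
    unsolicited: anyDest.inbound({ ...reply, sport: 5005 }, t0),               // false, no matching 5-tuple
    badSourcePort: anyDest.outbound({ ...voice, sport: 40000 }, t0),           // false, not a media port
    tcpMedia: anyDest.outbound({ ...voice, proto: 'tcp' }, t0),                // false, UDP-only rule
    option3Allowed: fixedDest.outbound(voice, t0),                             // true, inside the prefix
    option3Denied: fixedDest.outbound({ ...voice, dst: '198.51.100.5' }, t0),  // false, outside the prefix
  };
}
```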
Media for Voice, Video and Content Sharing (SRTP and STUN) – Spark Clients to Spark Services
• Option 1 – Access to the Spark Service through Hybrid Media Node.
• Option 2 – Direct access to the Spark Service using firewalls with STUN support.
• Option 3 – Direct access to the Spark Service using UDP protocol for media using specific destination IP addresses.
• Option 4 – Direct access to the Spark Service using UDP protocol for media.
• Option 5 – Direct access to the Spark Service using TCP protocol for media.
• Option 6 – Access to the Spark Service using Proxy.
Why are Cloud Ready Network Concepts relevant?

“With the growing number of Cloud Services consumed by our organization, we have to re-think our current Internet Breakout strategy!”
Undisclosed customer – Manager Solution Architecture Network & Unified Communications
Why are enterprises thinking about SD-WAN?
• 50% of apps accessed via the Internet
• 58% of IT budgets spent on WAN connectivity
• 32.4% cite management of connectivity at the branch as a challenge
• 48.6% cite poor application performance and latency as a corporate WAN concern
Secure SD-WAN and Cloud Access

(Diagram: Optimized Hybrid WAN – the Branch connects over MPLS (IP-VPN), Internet and 3G/4G-LTE to the Private Cloud and Virtual Private Cloud, and via Direct Access to the Public Cloud.)
1. IWAN Secure VPN for private and virtual private cloud access – Increase WAN transport capacity and app performance cost effectively!
2. Leverage the local Internet path for public cloud and Internet access – Improve application performance (right flows to right places)
SD-WAN: Secure Connectivity

(Diagram: Branch with Secure WAN Transport over MPLS (IP-VPN) to the Private Cloud and Virtual Private Cloud, and Secure Public Internet Cloud Access over the Internet.)
Two areas of concern:
1. Protecting the network from outside threats with data privacy over provider networks
2. Protecting user access to Public Cloud and Internet services: malware, privacy, phishing, …
SD-WAN: Direct Cloud Access

(Diagram: Branch over MPLS (IP-VPN) to the Private Cloud and Virtual Private Cloud; Direct Cloud Access over the Internet to the Public Cloud, protected by Umbrella.)
• Leverage the local Internet path for Public Cloud and Internet access
• Improve application performance (right flows to right places)
Solutions:
• On Premise – Zone Based Firewall
• Cloud Based – Cloud Umbrella Branch
Cisco Umbrella

(Diagram: any device → Umbrella → authoritative DNS hierarchy: root, com., domain.com.)
User request patterns – used to detect:
• Compromised systems
• Command and control callbacks
• Malware and phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains
Authoritative DNS logs – used to find:
• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast flux domains
• Related domains
Improving Cloud User Experience and Security

(Diagram: Internet, MPLS and INET transports connecting a branch site, a colocation DC, a DMZ and vPrivate Clouds, with Cloudlock, OpenDNS Umbrella and AVC.)
• Secure Direct Cloud Access
  • From the DC
  • From the Branch
  • From a Colocation Facility (Colo)
  • From within a Cloud Service (AWS, Azure, …)
• Pervasive Security
  • User, Transport, Cloud, Internet & Compliance
A different angle to Cloud Security

Cisco Cloudlock – Discover and Control
• Compromised Accounts
• Data Exposures and Leakages
• Cloud Malware
• Privacy and Compliance Violations
• Shadow IT/OAuth Discovery and Control
• Insider Threats
• User and Entity Behavior Analytics
• Cloud Data Loss Prevention (DLP)
• Apps Firewall
More of a proactive approach – Events API for Data Loss Prevention, Archival, eDiscovery

The API enables polling for events and content, which lets organizations monitor and correct user behavior, preventing the loss of sensitive data.

(Diagram: Cisco Spark Events API → third-party integrations (DLP or CASB vendor software) apply policies and take corrective actions: delete content, alert user/admin.)
More of a proactive approach – cont. Cloud Access Security Broker (CASB)

(Diagram: Unmanaged users, devices and network reach Cisco Spark through public access, admin access and authorized OAuth API; managed users, devices and network sit behind a (Cisco?) NGFW/Umbrella.)
More of a proactive approach – cont. Vendors for Compliance and Data Loss Prevention (DLP)
Conclusions
• Cloud and Security can absolutely work hand in hand.
• In order to deploy Cisco Collaboration Cloud in a current customer network, we may need to elaborate that a different approach is NOT less secure.
• Understand the bigger picture and the change that Cloud Applications bring to all aspects of a customer network, and try to address customer demands and concerns in a cross-architecture approach.
• Leverage the full capabilities of Cisco’s Collaboration Cloud to include it in a general framework for secure Cloud Application Access that addresses both the technical requirements and the user side.
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Technical Seminar
  • BRKCOL-2930 Cloud Security unveiled - all aspects of Network, Data-Security, Compliance and Data Leakage Prevention in Cisco Spark
• Breakout Sessions
  • BRKCOL-2030 Cisco Spark - Cloud and On Premise Security explained
• Recommended reading
  • Spark Security Whitepaper https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/spark/whitepapers/cisco-spark-firewall-traversal-white-paper.pdf
  • Spark Firewall Traversal Whitepaper https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/spark/whitepapers/cisco-spark-firewall-traversal-white-paper.pdf
• Demos in the Cisco campus
• Meet the Engineer 1:1 meetings
Thank you
Appendix

Cisco Spark Clients – Proxy configuration
Config Type   | Spark Windows | Spark Mac | Spark iOS | Spark Android | CE | SparkBoard
Manual Config |
GPO           |
PAC           |
WPAD          |
(Support matrix cell values are not present in the extracted slide text.)
Cisco Spark Clients – Proxy Authentication Support
Config Type | Spark Windows | Spark Mac | Spark iOS | Spark Android | CE | SparkBoard
No Auth     |
Basic       |
Digest      |
NTLM        |
Negotiate   |
(Support matrix cell values are not present in the extracted slide text.)
Cisco Spark Clients – Other Security Features
Config Type              | Spark Windows | Spark Mac | Spark iOS | Spark Android | CE | SparkBoard
802.1X Auth              |
TLS intercept            |
CDP                      |
Media over HTTPS         |
Content Sharing over UDP |
(Support matrix cell values are not present in the extracted slide text.)
Hybrid Media Node
(Diagram: Internal / DMZ / Internet with the HMN.)
Expressway Connectors
(Diagrams: internal user devices and internal servers, DMZ, Internet; Expressway-C with and without a proxy.)
• If the customer has proxies, Expressway-C supports only No Auth and Basic authentication; TLS intercept is also supported.
• If there isn’t any proxy, Expressway-C will use HTTPS to send traffic to the Spark cloud.
Directory Connector
(Diagrams: internal user devices and internal servers, DMZ, Internet; with and without a proxy.)
• If the Windows OS is configured for proxies, we will use it and send all traffic there.
• If there aren’t any proxies configured in the system, we will use HTTPS to send traffic to the Spark cloud.
Hybrid Data Security
(Diagram: internal user devices and internal servers, DMZ, Internet, with the HDS node.)
Hybrid Media Node – Media Considerations
Source IP Address | Destination IP Address | Source UDP Ports | Destination UDP Ports | Media Type
Clients/endpoints Hybrid Media Node 52000-52099 53000-62999 Audio
Clients/endpoints Hybrid Media Node 52100-52299 63000-64999 Video
Hybrid Media Node Collaboration Cloud 53000-62999 5004 Audio
Hybrid Media Node Collaboration Cloud 63000-64999 5004 Video
Hybrid Media Node Hybrid Media Node 34000-34999 5004, 5006 Voice, Video
Hybrid Media Node Hybrid Media Node 5004,5006 34000-34999 Voice, Video
Hybrid Media Node – Management Considerations
Source | Destination | Transport Protocol | Destination Ports | Destination IP
Computer Management | Hybrid Media Node | TCP | 443 | Any
Hybrid Media Node | Collaboration Cloud | UDP -> NTP; UDP -> DNS; TCP -> HTTPS | 123; 53; 444 | Any
Hybrid Media Node | Hybrid Media Node | TCP -> HTTPS | 5000 | Any
Hybrid Media Node | Collaboration Cloud | TCP -> HTTPS | 443 | *.wbx2.com, *.idbroker.webex.com
Cisco Spark Port Usage Summary (Endpoints -> Cloud Direction Shown)
Source IP Address | Destination IP Address | Source UDP Ports | Destination UDP Ports | Recommended DSCP | Media Type
Clients/endpoints Collaboration Cloud 52000-52099 5004 EF Audio
Clients/endpoints Collaboration Cloud 52100-52299 5004 AF41 Video
Clients/endpoints Hybrid Media Node 52000-52099 53000-62999 EF Audio
Clients/endpoints Hybrid Media Node 52100-52299 63000-64999 AF41 Video
Hybrid Media Node Collaboration Cloud 52000-52099 5004 EF Audio
Hybrid Media Node Collaboration Cloud 52000-52099 5004 AF41 Video