BRKCOL-2018

Best Practices for Business- to-Business Video Collaboration

Luca Pellegrini - Technical Marketing Engineer
Davide Preti - Technical Marketing Engineer
Cisco Spark


© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Target Architecture

(Diagram.) Enterprise network: Unified CM and Expressway-C. DMZ: Expressway-E and Cisco Meeting Server. Outside network: Internet. A standard client makes a 1st try with SIP/H.323 using standard DNS SRV; the 2nd try uses the MS variant, with SIP MS signaling and media conversion by CMS toward the MS client.

• B2B Scenario including MS interop
• Security, FW traversal, Certificates, TLS, MTLS, Reduced number of ports on external FW
• Spam calls
• Multiple edges not covered here: http://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/enterprise/11x/116/collbcvd/edge.html

Agenda

• Expressway Introduction

• Business-to-business Architecture
  • Signaling Encryption
  • Media Encryption
  • B2B Interop with Microsoft
  • Dial Plan

• Expressway Policy Protection

• Global Deployment Overview

• Minimizing or reducing UDP ports opened in the Internet firewall

Expressway Introduction

Cisco Expressway

(Diagram, built up over several slides: the services a Cisco Expressway pair provides.) Jabber Guest/WebRTC (B2C); Jabber and hardware MRA devices; endpoint video and registration for Cisco and 3rd-party devices; Microsoft integration as a signaling and media gateway; Spark Connector Host with CTI and AXL connection to UCM and EWS connection to Exchange; B2B technology; calls to and from the Cisco cloud (Spark, CMR); Spark B2B Open Video Federation.

Licensing and Consumption

Call scenarios that require Rich Media Session (RMS) licenses to proceed:

• Business to Business calls (firewall traversal calls): consume 1 x RMS on Expressway-E
• Business to Customer calls (Jabber Guest calls): consume 1 x RMS on Expressway-E
• Interoperability / Gateway calls (i.e. MS Interop calls): consume 1 x RMS on the Expressway-C Gateway

Registered calls (no RMS required):

• Calls between endpoints registered to Cisco call control services
• Calls to Cisco conferencing infrastructure or cloud services

Routing

1st Step: Call enters into Expressway

Expressway Zone Example (for your reference)

(Table.) Five sample calls on Expressway-C (10.10.10.10) and Expressway-E (10.10.10.11), each classified by its source IP/port and destination IP/port into a zone: inbound calls on -C from Unified CM map to Neighbor Zone A; the traversal connections between 10.10.10.11/7001, 10.10.10.11/7002 and 10.10.10.10/26202, 10.10.10.10/26209 map to the UC Traversal and B2B Traversal zones; an inbound call on -E from 172.19.100.100/32001 to 10.10.10.11/5061 maps to the Default Zone; an outbound call on -C matching the call routing rule "Send 8XXX to 192.168.10.10/5061" maps to Neighbor Zone A.

Expressway Zone Concept

• When a call reaches Expressway, Expressway classifies it based on source and destination address and port

• Based on classification, the call is sent to a specific «zone».

• Except for the Local Zone (not covered here), the other zones connect to remote systems, as in the case of a SIP Trunk on CUCM

• Different policies can be applied per zone, such as:
  • signaling and media encryption
  • protocol usage (i.e. SIP and/or H.323)
  • message authentication (PAI header for SIP)
  • use of TLS with Mutual Authentication
  • Others

Most commonly used zones on Expressway

• Neighbor Zone: this is the zone most similar to a SIP Trunk

• Traversal Zone: it’s a special neighbor zone with firewall traversal capabilities

• DNS Zone: it’s a special neighbor zone used for outbound B2B calls supporting DNS SRV

• Default Zone: it’s a special neighbor zone used for inbound B2B calls

Cisco Expressway Connectivity Overview: most used zones on a Unified CM-centric Architecture

(Diagram.) Expressway-C: Neighbor Zone toward the Unified CM SIP trunk; UC Traversal Client Zone (SIP TLS and SRTP mandatory, MRA); B2B Traversal Client Zone (H.323 and SIP, B2B); Cloud Traversal Client Zone (SIP TLS and SRTP recommended, Spark); ENUM Zone; DNS Zone. Expressway-E: UC Traversal Server Zone; B2B Traversal Server Zone; Cloud Traversal Server Zone; Default Zone (B2B inbound calls); B2B DNS Zone (B2B outbound calls); Spark DNS Zone (Spark Hybrid calls); ENUM Zone. Unified CM also terminates MRA registrations through the UC traversal zones.

2nd Step: Call is routed

Expressway Routing

(Flowchart.) Expressway receives the alias, then:

1. Does the alias match a transform? If yes, apply the transform.
2. Does the calling or called alias match a CPL rule? If yes, the rule's action is applied: "reject" means the call is forbidden, "allow" lets it continue.
3. Protocol selection: SIP / H.323 / SIP variants.
4. Does the alias match a search rule? If yes, the call is sent to the target zone. If the alias is not found there, the next lower-priority rule is tried, until the end of the rules or until the alias is found.

Protocol Selection Configuration

(Flowchart.) From the CPL logic:

1. Try SIP: if found, place the call
2. Not found: try H.323: if found, place the call
3. Not found: use the SIP MS Variant and place the call

Pattern Matching: Regular Expressions (RegEx)

• A standard notation (POSIX), used in Unix and editors

• Provide a concise and flexible means for matching and transforming strings

• Used simply, it is simple, but powerful

• One of the techniques available in Expressway for matching calls in zones

Key RegEx Metacharacters (for your reference)

.       Any single character
\d      Single digit ≡ [0-9]
*       0 or more repetitions of the previous character or expression
+       1 or more repetitions of the previous character or expression
?       0 or 1 repetitions of the previous character or expression
{n}     n repetitions of the previous character or expression
[abc]   A character from this set of characters
[1-4]   A character from this range of characters
[^def]  A character NOT including these characters
^       Start of line
$       End of line
\       Literalize, e.g. \* really is the * (asterisk character)
|       'or' – match (wxy|wyx)
( )     Group digits and store in store id \n

Most commonly used Regex on Expressway

Regex | Meaning | Replacement | Result/Meaning
.* | Any string of any length | |
.*@example\.com | Internal domain | |
(?!.*@example\.com.*$).* | All external (non-corporate) domains | |
[09]\d*@example.com | PSTN access number | |
(8000\d{4})(@.*)? | 8-digit internal dialplan | \[email protected] | [email protected]

Proxy and B2BUA: SIP Proxy or SIP B2BUA?

• Proxy functionality is the native functionality of Expressway
• B2BUA is a process internal to Expressway-C and Expressway-E, invoked by configuration
• B2BUA fully terminates a call leg and establishes a new call leg. The two call legs are then bridged together and count as two different calls
• B2BUAs are of different kinds:
  1. B2BUA for MRA and Business-to-Business
  2. B2BUA for SIP to H.323 Interworking
  3. B2BUA for MS Interop
• If not explicitly stated, this presentation refers to the B2BUA of the 1st type

Proxy Without B2BUA Engagement

(Diagram.) The media leg passes only through the Exp-C/E proxy process; the Exp-C/E B2BUA process is not involved.

• Single call leg
• No media termination
• B2B call traverses the Expressways
• Under the following conditions:
  1. SIP/RTP
  2. H.323
  3. SIP/SRTP
  4. IPv4

B2BUA engagement for Media: "Encrypt on behalf of"

(Diagram.) Expressway-C/E: media leg 1 (RTP) reaches the Exp-C/E proxy process, media legs 2 and 3 pass through the Exp-C/E B2BUA process, and media leg 4 (SRTP) leaves toward Cisco Unified CM.

• The diagram shows the working principle
• In most cases the B2BUA talks directly to the endpoint or end system without going back to the proxy process

Dual Network Deployment for Firewall Traversal

Expressway Firewall Traversal Basics

(Diagram.) Enterprise network: Unified CM and Expressway-C. DMZ: Expressway-E between the inside and outside firewalls. Outside network: Internet. Signaling and media cross both firewalls over the traversal connection.

1. Expressway-E is the traversal server installed in the DMZ. Expressway-C is the traversal client installed inside the enterprise network.

2. Expressway-C initiates traversal connections outbound through the firewall to specific ports on Expressway-E with secure login credentials.

3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E to maintain the connection.

4. When Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C.

5. Expressway-C then routes the call to Unified CM to reach the called user or endpoint.

6. The call is established and media traverses the firewall securely over the existing traversal connection.

Call Flow

Cisco SRV Records for business-to-business

SRV record format for SIP and H.323:

SIP B2B
  _sips._tcp.domain    5061  TLS
  _sip._tcp.domain     5060  TCP
  _sip._udp.domain     5060  UDP

H.323 B2B
  _h323ls._udp.domain  1719  RAS
  _h323cs._tcp.domain  1720  H.225

B2B Call Flow: Stark Industries calls ACME Corp.

(Diagram.) A Stark Industries user calls [email protected]. Cisco Unified CM sends the call to Expressway-C, which passes it to Expressway-E. Expressway-E queries DNS for acme.com and receives the SRV targets sip1.acme.com and sip2.acme.com, then sends INVITE sip:[email protected] to sip2.acme.com. Media flows between the two edges.

Business-to-Business Architecture

Signaling

H.323/SIP Protocol Selection Algorithm

• H.323 and SIP enabled globally and at zone-level

• H.323/SIP protocol selection: native protocol first, alternative protocol as backup.

• Interworking has to be enabled

• SIP to H.323 interworking with media handling

• Protocol selection can be changed with search rules

(Diagram.) Expressway-C (VCS-C) tries 1. SIP, then 2. H.323. Toward an H.323 endpoint the SIP to H.323 B2BUA interworks signaling and media.

TLS: Certificate Check on Expressway

• During the validity check, standard browsers make sure that the hostname matches the SAN/CN and that the cert has been signed by a trusted CA

• On Expressway this is optional: it is activated by setting TLS verify mode to "On", configurable per zone

• Consequences: if you don't set up TLS verification, TLS can be set up with a self-signed certificate

• In both cases the call will be encrypted, but TLS verify mode set to "On" authenticates the other peer

TLS verify set to "Off": Traversal Zone Example

Expressway-C connecting to Expressway-E via traversal zone

Peer1 certificate SAN: X509v3 Subject Alternative Name: DNS:example.com, DNS:expe.example.com

• If TLS verify mode is set to "Off", Expressway won't check the hostname, nor that the cert is properly signed

• IP addresses can be used

• Note that the IP address is not included in the SAN of the remote peer (Expressway-E)

TLS verify set to "On": Neighbor zone example, connection to UCM

• TLS Verify Mode triggers MTLS

• Certificate CN or SAN is matched against the Peer Address

Peer1 certificate SAN: X509v3 Subject Alternative Name: DNS:example.com, DNS:us-cm-srv1.example.com
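As an added illustration (not from the slides), this small Python model replays the per-zone TLS verify decision with the two SAN lists above: with TLS verify "Off" any configured peer address is accepted, with "On" the peer address must match a DNS or IP entry in the certificate SAN (or the CN, as the slide says), so an Expressway-E configured by IP fails the check because its SAN carries no IP entry. The OpenSSL-style "IP Address:" label and the wildcard handling are assumptions made for the example.

```python
import ipaddress
from typing import Iterable, Optional

# SAN lists copied from the two slide examples: the Expressway-E traversal peer
# and the Unified CM neighbor peer.
EXPE_SAN = ["DNS:example.com", "DNS:expe.example.com"]
CUCM_SAN = ["DNS:example.com", "DNS:us-cm-srv1.example.com"]


def parse_san(entries: Iterable[str]):
    """Split an X509v3 Subject Alternative Name list into DNS names and IP addresses."""
    dns_names, ip_addrs = set(), set()
    for entry in entries:
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns_names.add(value.lower().rstrip("."))
        elif kind == "IP Address":  # assumption: OpenSSL prints IP SANs as "IP Address:x.x.x.x"
            ip_addrs.add(ipaddress.ip_address(value))
    return dns_names, ip_addrs


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard in the leftmost label only (RFC 6125 style, assumed)."""
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def peer_address_allowed(peer_address: str, san_entries: Iterable[str],
                         tls_verify: str, subject_cn: Optional[str] = None) -> bool:
    """Model the per-zone 'TLS verify mode' decision.

    Off: no hostname/SAN check at all (the session is still TLS-encrypted).
    On : the zone's configured peer address must match the certificate SAN
         (or the CN), which is what authenticates the remote peer.
    """
    if tls_verify.lower() == "off":
        return True
    dns_names, ip_addrs = parse_san(san_entries)
    try:
        # A peer configured by IP address only passes if the certificate carries
        # an IP SAN; the Expressway-E certificate on the slide has none.
        return ipaddress.ip_address(peer_address) in ip_addrs
    except ValueError:
        pass  # not an IP literal, so fall through to the DNS name match
    host = peer_address.lower().rstrip(".")
    candidates = set(dns_names)
    if subject_cn:
        candidates.add(subject_cn.lower().rstrip("."))
    return any(dns_name_matches(p, host) for p in candidates)
```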

Outbound B2B calls on Expressway-E with TLS

DNS Zone (outbound)

(Diagram.) 1. Expressway-E (expe.example.com) sends Client hello to the third-party edge host.mypreferredpartner.com. 2. The third-party edge answers with Server hello. 3. The certificate of host.mypreferredpartner.com is checked.

• TLS verify set to "On" checks the certificate. Good for closed video federation
• If the TLS verify subject name is not known in advance (open video federation), TLS verify mode must be turned off

'TLS verify' Summary for B2B Calls

• TLS verify increases security by checking the certificate (signature, hostname, etc.) of the called peer. TLS verify requires knowing the DNS hostname of the remote peer included in the certificate

• Recommended to turn it on on Traversal Zones and Neighbor Zones
• If the hostnames in the DMZ use a separate DNS and IP addresses are used instead of DNS names, TLS verify must be turned off

• Closed video federation (B2B communications with selected partners): turn TLS verify on (remote peers and certs are known; neighbor zone can be created)

• Open video federation (standard B2B): turn TLS verify off (remote peers and certs are not known)

TLS vs TLS with Mutual Authentication (MTLS)

(Diagram.) TLS: Client hello to Expressway-E; Server hello followed by certificate.
MTLS: Client hello to Expressway-E; Server hello followed by certificate and a Certificate Request.

Open B2B Federation with MTLS and Certificate Check

• Turn off SIP UDP

• Turn off SIP TCP

• Turn off H.323

• Enable TLS with Mutual Authentication

Certificate Check with MTLS and Open Video Federation

• Turning off TLS verify prevents any sort of certificate check

• MTLS on port 5061 can be used to turn on certificate verification without specifying the TLS verify name

• Caveat: MRA is not compatible with MTLS on port 5061

• Caveat: doesn't work with the B2BUA on Expressway-E

MTLS and Default Zone Access Rules: Use

• If the calling party doesn't present a valid certificate, the connection will be rejected before any SIP message is sent

• If some partners don't have a valid certificate, it's possible to upload their self-signed certificate into the Expressway-E trust list. It is not possible to use a certificate signed by a temporary CA.

• If a remote host is sending spam calls, the certificate will show in the log and it will be possible to create a rule to stop those calls

Media Encryption Policy

• Expressway Media Encryption Mode applies to:
  • Neighbor, DNS, Traversal, and Default Zones
  • SIP calls and H.323 calls interworked to SIP
• Does NOT apply to H.323 (only) calls

Auto: No media encryption policy applied by Expressway
Best Effort: Use encryption if available, otherwise fall back to unencrypted
Force Encrypted: All media must be encrypted
Force Unencrypted: All outgoing media will be unencrypted

Media Encryption – Auto Example

(Diagram.) Inbound zone: Default Zone on Expressway-E (not configurable). B2B Traversal Server Zone (Auto) on Expressway-E, B2B Traversal Client Zone (Auto) and CM Neighbor Zone (Auto) on Expressway-C, then CUCM. Outbound zone: DNS Zone (Auto). Every signaling hop is TLS; media to and from the 3rd party SIP server on the Internet is RTP or SRTP (TLS with SRTP or RTP, not configurable, based on endpoint auto negotiation).

• Auto: doesn't engage B2BUA
• No control of media status; endpoints decide encryption settings

Media encryption – Lock icon: optimization of the previous example

(Diagram.) Same zones as before, with media encryption mode Best Effort on the B2B Traversal Server Zone, B2B Traversal Client Zone, CM Neighbor Zone and DNS Zone (Default Zone still not configurable). The leg from the 3rd party SIP server on the Internet to Expressway-E is RTP; the legs from Expressway-E inwards are TLS/SRTP.

• Lock icon shows closed because the first 2 call legs are encrypted

B2B Interop with Microsoft Lync

Terminology: Traffic Classification

• Traffic Classification is a new powerful tool of Expressway X8.9+
• Traffic is recognized and classified in "SIP Variants"
• Traffic can be routed based on these 4 classifications:
  • Standards-based
  • All Microsoft Variants
  • Microsoft AV&Share only
  • Microsoft SIP IM&P only

Traffic Classification and Search Rules

Similarly to H.323/SIP calls, we can't know upfront whether a destination address is "Microsoft flavor" or "Standard SIP", so we must try both. Interoperability and interworking rely on "fallback mechanisms".

When a user places a call, Expressway searches for it as SIP/H.323/MSFT-SIP (plus several TCP/TLS/UDP transport protocols). An administrator can decide the priority order. Typically Standard SIP/H.323 is tried first and, if it's not found, we continue by involving CMS for transcoding. Expressway-E will then search for the Microsoft SRV record for that domain. This order can be inverted, or both can be tried at the same time (call forking).

Starting with X8.9+, the enhanced Expressway-E DNS zone is able to look up the Microsoft SRV record (_sipfederationtls._tcp.company.com).

NOTE: CMS is also required for MS B2B Video Federations.


Traffic Classification and Search Rules

Search Rules consider FIVE parameters to determine a destination zone (target):

1. Protocol (i.e. SIP/H.323)

2. Source zone (i.e. a trunk)

3. Authentication (yes/no)

4. Pattern string (i.e. destination domain)

5. SIP Variant (key for Microsoft Interop Federations)

TIP: Always specify Source Zones to avoid loops and make troubleshooting easier

SRV Records and Certificates

SRV Records in use (inbound traffic)

There's a common misunderstanding about overlapping SRV records that we must now demystify:

• Microsoft SIP Federations require an SRV targeting _sipfederationtls._tcp.company.com

• Standard SIP Federations require two SRV records: _sip._tcp.company.com and _sips._tcp.company.com

There are NO overlapping SIP SRV records between our Cisco solution and any Microsoft Lync/Skype for Business environment.

Confusion comes from an SRV record used by OCS R1 (10 years ago) for _sip._tcp. - for external TCP connections. This SRV record may be present in your customer environment, but it's not needed anymore and they can remove it. Microsoft documentation is pretty clear about that.

SRV Records and Certificates: Certificate Requirements

If the Expressway-E is not clustered:
• Subject Common Name = FQDN of Expressway-E
• Subject Alternate Names = FQDN of Expressway-E

If the Expressway is clustered, with individual certificates per Expressway:
• Subject Common Name = FQDN of Expressway-E
• Subject Alternate Names = FQDN of Expressway; FQDN of cluster

NOTE: the Expressway-E FQDN (A-record) must be part of the SIP domain(s)*. You'll need an alias for EVERY SIP domain (i.e. expressway-e.sipdomain.com; expressway-e.sipdomain2.com; etc.)
*this is a Microsoft requirement.

SRV Records and Certificates: Example

(Screenshot.) Example certificate with SAN entries for the FQDN of Expressway-E and the FQDN of the Expressway-E cluster.

Business to Business Architecture for MS Interop: Outbound calls example

(Diagram.) Enterprise side, XMPP/SIP domain company.com: standard SIP endpoints, Microsoft SIP (MS SIP SIMPLE) and XMPP clients, CUCM cluster with CUCM and CUCM IM&P, Expressway-C, Expressway-E, TURN/WebRTC server. Internet side: a business partner with standard endpoints, a business partner with Lync/SfB clients, and business partner/MRA users.

Traffic Classification and Search Rules: Dialplan Example – Expressway-C

A basic B2B interop federation scenario requires at least 6 Search Rules on Expressway-C:
• 3 Search Rules for Video - 2 Outbound; 1 Inbound
• 3 Search Rules for IM&P – 1 Outbound; 2 Inbound

Traffic Classification and Search Rules: Dialplan Example – Expressway-E

• A basic B2B interop federation scenario requires no specific Search Rules on Expressway-E. Rules can match "any" SIP Variant, satisfying standard AND Microsoft traffic routing at the same time.
• However, in order to make configurations "clean" and "easy to manage", one could create rules based on specific SIP Variants, i.e. Standards-based; Microsoft Video; Microsoft IM&P

Traffic Classification and Search Rules: Dialplan Example – Video Outbound, Expressway-C

Cisco user John calls a Business Partner: [email protected] (Skype for Business)

1. John's device is registered to CUCM. CUCM sends a SIP INVITE to Expressway-C
2. Expressway-C recognizes this as the "Standards-based" SIP Variant
3. According to the 5 parameters (protocol; source; authentication; pattern string and SIP Variant) a "Target Zone" is determined. The call is then routed to Expressway-E

(Diagram: 1st try, SIP/H.323 from the standard client toward the MS client.)

Traffic Classification and Search Rules: Dialplan Example – Video Outbound, Expressway-E

4. Expressway-E recognizes the call as the "Standards-based" SIP Variant
5. According to the call parameters a "Target Zone" is determined
6. The call is routed to the DNS Zone
• Expressway-E will then look up the "Standard SRV records" (i.e. _sips._tcp.federateddomain.com)
• It won't find the destination user/domain and returns a "404 – Not Found" back to Expressway-C.

(Diagram: 1st try, SIP/H.323 using the standard DNS SRV, from the standard client toward the MS client.)

Traffic Classification and Search Rules: Dialplan Example – Video Outbound, Expressway-C

7. Expressway-C will match the next relevant rule (in priority order)
8. Traffic is still classified as "Standards-based"
9. As a sort of "fallback mechanism" we now hit a Search Rule involving CMS for transcoding
10. CMS generates a new call leg, now transcoded to Microsoft AV&Share traffic.
11. According to the call parameters a "Target Zone" is determined. The call is now routed to Expressway-E as "Microsoft AV&Share"

(Diagram: 2nd try, MS variant: SIP MS signaling and media conversion by CMS, from the standard client toward the MS client.)

Traffic Classification and Search Rules: Dialplan Example – Video Outbound, Expressway-E

12. Expressway-E recognizes the call as the "Microsoft AV&Share" SIP Variant
13. According to the call parameters a "Target Zone" is determined
14. The call is routed to the DNS Zone. Expressway-E will now look up the "Microsoft SRV Record" (i.e. _sipfederationtls._tcp.federateddomain.com). [email protected] is found.

(Diagram: 2nd try, MS variant: MS DNS SRV lookup with the MS variant, SIP MS signaling and media conversion by CMS, from the standard client toward the MS client.)

Business to Business Architecture for MS Interop: Inbound calls example

(Diagram.) Enterprise side, XMPP/SIP domain company.com: standard SIP endpoints, Microsoft SIP (MS SIP SIMPLE) and XMPP clients, CUCM cluster with CUCM and CUCM IM&P, Cisco Meeting Server, Expressway-C, Expressway-E, TURN/WebRTC server. Internet side: a business partner with standard endpoints, a business partner with Lync/SfB clients (XMPP/SIP domain company.com), and business partner/MRA users.

B2B Architecture for MS Interop: SRV records and combined features

SRV records in use (among others):
• _h323xs._tcp.company.com - B2B Standard Federations
• _sip._tcp.company.com - B2B Standard Federations
• _sips._tcp.company.com - B2B Standard Federations
• _xmpp-server._tcp.company.com - XMPP Federations
• _collab-edge._tls.company.com – MRA
• _xmpp-client._tcp.example.com – CMA registration
• _sipfederationtls._tcp.company.com - MSFT Interop

(Diagram.) XMPP/SIP domain company.com: endpoints, CUCM cluster with CUCM and CUCM IM&P, Cisco Meeting Server, Expressway-C, Expressway-E, WebRTC/TURN server; over the Internet, business partners with standard endpoints and with Lync/SfB clients, and business partner/MRA users.

A single pair of Expressway-C/E can provide all federation, calling and registration services

Licensing for B2B Federations – quick overview

• Every B2B call consumes 1 RMS on the Expressway-E node
• Audio only calls and Audio/Video calls consume 1 RMS each
• VCS Control & VCS Expressway still consume Traversal call licenses
• CMS needs SMP/PMP licenses for video transcoding

GENERAL RULE: All B2B calls are handled the same way. We don’t care if it is Audio/Video/Standard/Microsoft: It’s 1 RMS for each call.

In B2B scenarios all the hard work is done by CMS. So, no need for Microsoft Interop Option Key on Expressway/VCS. Expressway/VCS just do call routing and possibly, interworking (i.e. H323/SIP; encryption on-behalf of)

IM&P traffic doesn’t consume call licenses. It doesn’t require any specific license at all.

Dial Plan

Standard Dial Plan (for your reference)

Expressway-C
Priority | Regex | Target
60 | .*@example.com.* | UCM Zone
65 | (?!.*@example.com.*$).* | B2B Traversal Client Zone

Expressway-E
Priority | Regex | Target
60 | .*@example.com.* | B2B Traversal Server Zone
65 | (?!.*@example.com.*$).* | B2B DNS Zone

• –E to –C and –C to UCM for all calls matching the internal domain
• UCM routes outbound any URI different from a Directory URI and not included in the ILS table
• Expressway-C and –E route outbound any URI not matching the internal domain

Standard Dial Plan with Microsoft Interop: Inbound (for your reference)

Expressway-C
Priority | Regex | Source Zone | SIP Variant | Target | Continue
60 | .*@example.com.* | Traversal Client | Standards-based | UCM Zone | No
60 | .*@example.com.* | Traversal Client | Microsoft AV | CMS Zone | No
65 | (?!.*@example.com.*$).* | UCM Zone | Standards-based | Traversal Client | Yes
70 | (?!.*@example.com.*$).* | UCM Zone | Standards-based | CMS Zone | No
75 | (?!.*@example.com.*$).* | CMS Zone | Microsoft AV | Traversal Client | No

Expressway-E
Priority | Regex | Source Zone | SIP Variant | Target | Continue
60 | .*@example.com.* | Default Zone | All SIP Variants | Traversal Server | No
65 | (?!.*@example.com.*$).* | Traversal Server | All SIP Variants | DNS Zone | Yes

(The diagram highlights the inbound path through these rules, with a decision on whether the call is a Microsoft variant.)

Standard Dial Plan with Microsoft Interop: Outbound (for your reference)

Expressway-C
Priority | Regex | Source Zone | SIP Variant | Target | Continue
60 | .*@example.com.* | Traversal Client | Standards-based | UCM Zone | No
60 | .*@example.com.* | Traversal Client | Microsoft AV | CMS Zone | No
65 | (?!.*@example.com.*$).* | UCM Zone | Standards-based | Traversal Client | Yes
70 | (?!.*@example.com.*$).* | UCM Zone | Standards-based | CMS Zone | No
75 | (?!.*@example.com.*$).* | CMS Zone | Microsoft AV | Traversal Client | No

Expressway-E
Priority | Regex | Source Zone | SIP Variant | Target | Continue
60 | .*@example.com.* | Default Zone | All SIP Variants | Traversal Server | No
65 | (?!.*@example.com.*$).* | Traversal Server | All SIP Variants | DNS Zone | Yes

(The diagram highlights the outbound path: the first try through the Standards-based rules, then the Microsoft path through CMS.)
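To make the five search rule parameters and the "Continue" column concrete, here is an added Python model (not Cisco code) that replays the Expressway-C rules above for the outbound video flow of steps 1-14: the Standards-based attempt toward the traversal client fails, the rule with Continue = Yes lets the search fall through to CMS, and the Microsoft AV leg originated by CMS is routed out. The DNS answers (acme.com publishing standard SRV records, federateddomain.com only the Microsoft one), the zone reachability and the callee aliases are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SearchRule:
    """One search rule: the five parameters from the slides plus the Continue flag."""
    priority: int
    pattern: str            # regex matched against the whole destination alias
    source_zone: str
    sip_variant: str
    target_zone: str
    continue_on_fail: bool  # "Continue" column: keep searching if the target does not find it
    protocol: str = "Any"   # the slide tables leave protocol and authentication at "Any"
    authenticated: str = "Any"


@dataclass(frozen=True)
class Call:
    alias: str
    source_zone: str
    sip_variant: str
    protocol: str = "SIP"
    authenticated: bool = True


# Transcribed from the Expressway-C table above.
EXPC_RULES: List[SearchRule] = [
    SearchRule(60, r".*@example.com.*", "Traversal Client", "Standards-based", "UCM Zone", False),
    SearchRule(60, r".*@example.com.*", "Traversal Client", "Microsoft AV", "CMS Zone", False),
    SearchRule(65, r"(?!.*@example.com.*$).*", "UCM Zone", "Standards-based", "Traversal Client", True),
    SearchRule(70, r"(?!.*@example.com.*$).*", "UCM Zone", "Standards-based", "CMS Zone", False),
    SearchRule(75, r"(?!.*@example.com.*$).*", "CMS Zone", "Microsoft AV", "Traversal Client", False),
]

# Constructed stand-ins for the DNS answers Expressway-E would receive: acme.com publishes
# standard _sips._tcp records, federateddomain.com only _sipfederationtls._tcp.
STANDARD_SRV_DOMAINS = {"acme.com"}
MS_SRV_DOMAINS = {"federateddomain.com"}


def domain_of(alias: str) -> str:
    return alias.rsplit("@", 1)[-1].lower()


def traversal_client_finds(call: Call) -> bool:
    """Expressway-E looks up the SRV record type that matches the call's SIP variant."""
    if call.sip_variant == "Standards-based":
        return domain_of(call.alias) in STANDARD_SRV_DOMAINS
    return domain_of(call.alias) in MS_SRV_DOMAINS


# What each target zone can reach (hypothetical, simplified for the example).
ZONES: Dict[str, Callable[[Call], bool]] = {
    "UCM Zone": lambda c: domain_of(c.alias) == "example.com",
    "CMS Zone": lambda c: True,  # CMS accepts the leg and transcodes it
    "Traversal Client": traversal_client_finds,
}


def rule_matches(rule: SearchRule, call: Call) -> bool:
    return (rule.source_zone == call.source_zone
            and rule.sip_variant == call.sip_variant
            and rule.protocol in ("Any", call.protocol)
            and rule.authenticated in ("Any", "Yes" if call.authenticated else "No")
            and re.fullmatch(rule.pattern, call.alias) is not None)


def search(call: Call, rules: List[SearchRule]) -> Tuple[Optional[str], List[Tuple[int, str, bool]]]:
    """Walk the rules in priority order; return the zone that found the alias and every attempt."""
    attempts: List[Tuple[int, str, bool]] = []
    for rule in sorted(rules, key=lambda r: r.priority):  # stable: equal priorities keep table order
        if not rule_matches(rule, call):
            continue
        found = ZONES[rule.target_zone](call)
        attempts.append((rule.priority, rule.target_zone, found))
        if found:
            return rule.target_zone, attempts
        if not rule.continue_on_fail:
            break  # Continue = No: stop searching after this rule
    return None, attempts


def outbound_to_partner(alias: str):
    """The two-leg flow of steps 1-14: standard try, 404, fallback to CMS, Microsoft AV leg."""
    leg1 = Call(alias, "UCM Zone", "Standards-based")
    target, attempts = search(leg1, EXPC_RULES)
    if target != "CMS Zone":
        return target, attempts
    # CMS terminates the first leg and originates a new one classified as Microsoft AV&Share
    leg2 = Call(alias, "CMS Zone", "Microsoft AV")
    target, attempts2 = search(leg2, EXPC_RULES)
    return target, attempts + attempts2
```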

Expressway Policy Protection

Example of unauthorized access attempts on Expressway-E

(Screenshot.) Access codes to PSTN (0,9) and to internal numbering plan (80…)

Expressway – Mitigating Toll Fraud

Zone authentication policy

(Diagram.) Traversal Zone between Expressway-C and Expressway-E; the zone's authentication policy marks its traffic as authenticated or unauthenticated.

Call policy rules applied to the source zone or to unauthenticated traffic

Call Policy Rules with X8.9.1+

Source Type: From Address
  Rule applies to: authenticated vs unauthenticated traffic
  Source Pattern: configurable with Regex
  Destination Pattern: configurable with Regex
  Action: Allow/Reject

Source Type: Zone
  Originating Zone: drop-down menu
  Destination Pattern: configurable with Regex
  Action: Allow/Reject

• If source type «zone» is selected, the CPL applies to all calls coming from a specific zone that match the configured called ID pattern (no calling ID)

• With «from address», it is possible to specify both the calling and the called ID pattern. However, such a rule applies to authenticated or unauthenticated calls, not to a specific zone

Checking the calling alias

• The calling alias of a call hitting the Default Zone (B2B) shouldn't contain:
  • Corporate domain (example.com)
  • Expressway IPs
  • Enterprise Cisco Spark domains

From Address rule applies to | Source Pattern | Destination Pattern | Action | Example
Unauthenticated | (.*)@example\.com.* | .* | Reject | Call from [email protected] rejected
Unauthenticated | (.*)@10\.10\.10\.1[12] | .* | Reject | Call from [email protected] or [email protected] rejected

Checking the called alias

• Block PSTN access

• Block any numeric range that is not supposed to receive B2B calls (if one exists)

• Allow any other destination that contains the domain

• Final deny-all

Zone rules
Originating Zone   Destination Pattern        Action   Example
Default Zone       [09]\d+@example\.com.*     Reject   [email protected]
Default Zone       8001\d{4}@example\.com.*   Reject   [email protected]
Default Zone       (.*)@example\.com.*        Allow    @example.com
Default Zone       .*                         Reject   Anything else

What's the final result?

Routing stops immediately, because the CPL checks (source IP address and port number) are the first thing evaluated … If you want Expressway to be invisible, you have to deploy an IPS. Details in the Appendix

Global Deployment Overview

Multiple Expressways

• Outbound calls can be directed by UCM to the Expressway that is nearest the calling endpoint by using CSS and Partitions

• Inbound calls can be delivered by using two mechanisms:
  • Geo DNS
  • Directory Expressway

Global Deployment Topology & Geo DNS

Diagram: Expressway traversal edges in the US, Europe and Asia (SIP trunk and SIP line edge access), a global SME above regional aggregation SMEs (US, EU, Asia), and Unified CM regional clusters in RTP, DFW, SJC, PAR, LON, AMS, TKY, HKG and BGL.

Geo DNS Setup Example with two Expressway Clusters

SRV records: _sips._tcp.example.com and _sip._tcp.example.com

Location: US (us-expe is the default for calling devices in the US, emea-expe is the backup)
Priority  Weight  Expressway-E
10        10      us-expe1.example.com
10        10      us-expe2.example.com
20        10      emea-expe1.example.com
20        10      emea-expe2.example.com

Location: EMEA (emea-expe is the default for calling devices in EMEA, us-expe is the backup)
Priority  Weight  Expressway-E
10        10      emea-expe1.example.com
10        10      emea-expe2.example.com
20        10      us-expe1.example.com
20        10      us-expe2.example.com

Directory Expressway Architecture: 2 Sites

Diagram: a call to [email protected] (step 1) enters through the Expressway-E of one site (Expressway-E1 or Expressway-E2) and is handed across to the Expressway-E/Expressway-C pair of the site whose UCM (UCM1 or UCM2) owns the called user (step 4). Note on the UCM trunks: the inbound CSS of the trunks doesn't include the partition for the Route Pattern to the remote cluster. Works with Directory URI with ILS.

Directory Expressway Architecture: 3+ Sites

Diagram: with three or more sites a dedicated Directory Expressway-E sits in front of the site Expressway-Es (Expressway-E1, Expressway-E2): the call to [email protected] (step 1) reaches the Directory Expressway-E (step 2), which sends it on to the Expressway-E, Expressway-C and UCM of the site owning the called user (step 4). Same note on the UCM trunks: the inbound CSS of the trunks doesn't include the partition for the Route Pattern to the remote cluster. Works with Directory URI with ILS.

Minimizing UDP Ports open to Expressway-E

Filtering ACLs for B2B calls: External Firewall Port Requirements (based on medium/small OVA with non-specific configured multiplexed ports)

Protocol                Source IP   Source Port   Transport   Dest. IP    Dest. port
H.323 calls using Assent (NATted endpoints)
Q.931/H.225 and H.245   Any         >=1024        TCP         ExpE LAN2   2776
RTP Assent              Any         >=1024        UDP         ExpE LAN2   36000*
RTCP Assent             Any         >=1024        UDP         ExpE LAN2   36001*
H.323 endpoints with public IP addresses or remote Edge systems
Q.931/H.225             Any         >=1024        TCP         ExpE LAN2   1720
H.245                   Any         >=1024        TCP         ExpE LAN2   15000 to 19999
RTP & RTCP              Any         >=1024        UDP         ExpE LAN2   36002 to 59999*
SIP endpoints or remote Edge systems
SIP TCP                 Any         >=1024        TCP         ExpE LAN2   5060
SIP UDP                 Any         >=1024        UDP         ExpE LAN2   5060
SIP TLS                 Any         >=1024        TCP         ExpE LAN2   5061
RTP & RTCP              Any         >=1024        UDP         ExpE LAN2   36002 to 59999*

* On large systems, the default allocation for multiplexed media is 36000 to 36011. On small/medium systems, two configurable ports are allocated for multimedia traffic; the defaults are 2776 and 2777 and may be changed, but if the admin chooses not to configure those ports, Expressway will listen on 36000 and 36001

Business-to-business Access Media Traversal

• Traversal Media Port Range is set in the Configuration > Traversal Subzone menu on both Expressway-C and Expressway-E; defaults to 36000 – 59999

• The B2BUA can be engaged on Expressway-C and/or Expressway-E to interwork encrypted and unencrypted call legs

• The proxy component is always used on both Expressway-C and Expressway-E

• This media port range is divided and shared:
  • 1st half goes to Proxy
  • 2nd half goes to B2BUA

• Example with the default port range 36000 to 59999:
  • 36000 to 47999 goes to Proxy
  • 48000 to 59999 goes to B2BUA

B2BUA Impact on Firewall Ports

• When only the Proxy is engaged on Expressway-E (all zones set to "auto"), the number of ports is half of what is needed when both B2BUA and Proxy are engaged

• Enabling encryption on Expressway-C instead of Expressway-E reduces the number of ports opened on the external firewall

• With B2BUA: 24 ports engaged per call

• Without B2BUA: 12 ports engaged per call

Example

• 50 concurrent B2B calls

• Total 600 (50x12) ports on external FW without B2BUA

• Ports to be opened on external FW without B2BUA engaged:
  • Range configured on Expressway: 1200 ports, from 50000 to 51199
  • First half goes to Proxy: 50000 to 50599. These ports will be opened on external FW

• Important Note: If you are restricting media ports on Expressway-E, make sure that B2BUA is not engaged on Expressway-E, but on Expressway-C

Summary

• B2B architectures for single edge Expressway-C and Expressway-E with dual network interfaces

• SIP Variants

• How to protect the dialplan

• How to minimize ports opened on external firewall

• Quick overview on multiple Expressway deployment options


Thank you

Appendix

Use an IPS to Block Spam and Scan Calls from the Internet

To make Expressway invisible, use an IPS to block unwanted traffic

Diagram: Internet – NGIPS – Expressway-E – Expressway-C

NGIPS:
- Traffic analysis based on (customized) signatures
- Inspects packets
- Drops unwanted traffic before it reaches Expressway-E
- Drops traffic that doesn't match the internal dial plan
- As an example: userID of 8 characters, might end with a digit, needs to have the domain
- Blocks SIP OPTIONS and SIP INVITE that don't match the internal dial plan
- Added as an example only. Currently not supported!

Customized Rules

1. SIP TCP RULE FOR INVITE:
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (sid:1100001; msg:"SIP SPAM - invalid INVITE Request URI with metadata:service sip"; rev:8; resp:reset_both; content:"INVITE|20|sip:"; nocase; content:"INVITE|20|"; distance:-11; pcre:!"/sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com/iR"; metadata:service sip; classtype:unknown; )

2. SIP UDP RULE FOR INVITE:
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (sid:1100006; msg:"SIP SPAM - invalid INVITE UDP Request URI with metadata:service sip"; rev:1; resp:reset_both; content:"INVITE|20|sip:"; nocase; content:"INVITE|20|"; distance:-11; pcre:!"/sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com/iR"; metadata:service sip; classtype:unknown; )

3. SIP TCP RULE FOR SIP OPTIONS:
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (sid:1100007; msg:"SIP SPAM - invalid OPTIONS TCP Request URI with metadata:service sip"; rev:1; resp:reset_both; content:"OPTIONS|20|sip:"; nocase; content:"OPTIONS|20|"; distance:-12; pcre:!"/sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com/iR"; metadata:service sip; classtype:unknown; )

4. SIP UDP RULE FOR SIP OPTIONS:
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (sid:1100008; msg:"SIP SPAM - invalid OPTIONS UDP Request URI with metadata:service sip"; rev:1; resp:reset_both; content:"OPTIONS|20|sip:"; nocase; content:"OPTIONS|20|"; distance:-12; pcre:!"/sip:[a-z]{2,7}[a-z0-9](\.cmr)?@example\.com/iR"; metadata:service sip; classtype:unknown; )

The second content match ("INVITE|20|" / "OPTIONS|20|" with a negative distance of the method-plus-"sip:" length) rewinds the cursor to just after the method, so the relative (R) pcre is evaluated against the Request-URI; the negated pcre (!) fires when the URI does not match the internal dial plan.

CURRENTLY NOT SUPPORTED! SHOWN AS REFERENCE ONLY

FW Traversal: SIP Signaling

Diagram: Expressway-C (source port 25026) opens a TCP connection (SYN, SYN/ACK, ACK) plus MTLS toward Expressway-E (destination port 7999); over that connection it sends SIP TLS OPTIONS pings (answered with 200 OK) and then the SIP INVITE. Return traffic uses destination port 25026 and source port 7999.

FW Traversal Using Assent: Media

Diagram: after the SIP INVITE, Expressway-C opens the UDP connection by sending probes from its media ports to Expressway-E ports 2776 (RTP) and 2777 (RTCP); return traffic comes back from 2776/2777 to the same Expressway-C ports, so media flows bidirectionally.

Expressway-C source port   Stream
48210                      RTP audio
48211                      RTCP audio
48212                      RTP video
48213                      RTCP video
48214                      RTP duo video
48215                      RTCP duo video
48216                      BFCP
48217                      (not used)
48218                      iX
48219                      RTCP iX

Match the internal dial plan

To be used to allow calls only if they are using a legal internal SIP address

• UserID rule: from 2 to 8 characters, starting with a letter, ending with a letter or a number. Might include .cmr for personal CMR

• [a-z]{2,7}[a-z0-9](\.cmr)?@example\.com

• UserID rule: name.surname. Might include an ending digit to distinguish between users with the same userID

• [a-z]+\.[a-z]+[0-9]?(\.cmr)?@example\.com
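As an added example (not part of the deck and not Cisco code), the two userID rules applied to the Request-URI of incoming SIP INVITE/OPTIONS requests, the check that the reference IPS rules in the appendix express as a negated pcre; unlike those patterns, this version parses only the request line and anchors the host part, so a Request-URI whose host merely begins with example.com is also refused. The sample messages are constructed.

```python
import re
from typing import Optional, Tuple

# The two userID rules from the slide; example.com is the deck's placeholder domain.
USER_SHORT = r"[a-z]{2,7}[a-z0-9](?:\.cmr)?"     # 2-8 chars, starts with a letter, optional .cmr
USER_NAME = r"[a-z]+\.[a-z]+[0-9]?(?:\.cmr)?"    # name.surname, optional digit, optional .cmr
DOMAIN = r"example\.com"

# Fully anchored Request-URI: user@domain, optionally ":port" and ";param" tails, nothing else.
# The reference pcre stops at "@example\.com", so a host such as example.com.other.test
# would still satisfy it; the "$" here closes that gap.
REQUEST_URI = re.compile(
    rf"^sip:(?:{USER_SHORT}|{USER_NAME})@{DOMAIN}(?::\d{{1,5}})?(?:;[^\s;]+)*$",
    re.IGNORECASE,
)


def request_line(message: bytes) -> Optional[Tuple[str, str]]:
    """Return (method, request_uri) from the first line of a SIP request; None for responses or garbage."""
    first = message.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first.split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    return parts[0].upper(), parts[1]


def blocked_by_dial_plan(message: bytes) -> bool:
    """True when the message is an INVITE or OPTIONS whose Request-URI is not a legal
    internal address (the condition the reference rules alert on). Responses and other
    methods are not covered by the slide's rules and return False."""
    parsed = request_line(message)
    if parsed is None:
        return False
    method, uri = parsed
    return method in ("INVITE", "OPTIONS") and REQUEST_URI.match(uri) is None


# Constructed sample requests (no real endpoints; only the request line matters here).
SAMPLES = {
    "good_invite":  b"INVITE sip:jdoe7@example.com SIP/2.0\r\nVia: SIP/2.0/TLS 203.0.113.9:5061\r\n\r\n",
    "good_cmr":     b"INVITE sip:john.doe.cmr@example.com;transport=tls SIP/2.0\r\n\r\n",
    "scan_options": b"OPTIONS sip:100@example.com SIP/2.0\r\n\r\n",       # numeric user: not in the plan
    "wrong_domain": b"INVITE sip:jdoe@example.com.other.test SIP/2.0\r\n\r\n",
    "too_long":     b"INVITE sip:abcdefghij@example.com SIP/2.0\r\n\r\n",  # 10 chars: not in the plan
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:13} -> {'drop' if blocked_by_dial_plan(msg) else 'pass'}")
```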

DNS SRV Records for B2B

SRV record format for SIP and H.323 (RFC 2782):

_sips._tcp.example.com 86400 IN SRV 10 60 5061 expe.example.com

• _sips: name of the service
• _tcp.example.com: protocol (TCP, UDP...) and domain name
• 86400: DNS Time-To-Live, how long a server caches the record before it flushes it from the cache
• IN: DNS class, always "IN"
• 10: priority; the lowest priority value means "preferred"
• 60: weight, load-balances records with the same priority
• 5061: port, the TCP or UDP port for the service
• expe.example.com: target, hostname or IP address of the host providing the service

Service Discovery

_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5061 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5061 backupbox.example.com.

Diagram: a SIP server dialing [email protected] queries _sips._tcp.example.com and is load-balanced 60% to Bigbox and 40% to Smallbox; Backupbox (priority 20) is tried only when the priority-10 targets are unavailable.

Real Scenario

_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe1.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe2.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe3.example.com.

Diagram: with equal priority and weight, calls to [email protected] are spread 33% each across expe1, expe2 and expe3.example.com.
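The SRV mechanics the slides above illustrate (priority first, weight as load balancing among equal priorities), as an added Python example that is not Cisco code: it parses the slides' zone lines and orders the targets with the RFC 2782 selection algorithm, so the 60/40 and 33/33/33 shares can be checked by simulation. The record lines are copied from the slides; the simulation counts and seed are arbitrary.

```python
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SRV:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SRV:
    """Parse one zone-file SRV line in the layout shown on the slide:
    _service._proto.name TTL IN SRV priority weight port target"""
    name, ttl, cls, rtype, prio, weight, port, target = line.split()
    if cls.upper() != "IN" or rtype.upper() != "SRV":
        raise ValueError(f"not an IN SRV record: {line!r}")
    return SRV(name, int(ttl), int(prio), int(weight), int(port), target)


# Zone lines copied from the Service Discovery and Real Scenario slides.
SERVICE_DISCOVERY = [parse_srv(l) for l in """
_sips._tcp.example.com. 86400 IN SRV 10 60 5061 bigbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 40 5061 smallbox.example.com.
_sips._tcp.example.com. 86400 IN SRV 20 0 5061 backupbox.example.com.
""".strip().splitlines()]
REAL_SCENARIO = [parse_srv(l) for l in """
_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe1.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe2.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 10 5061 expe3.example.com.
""".strip().splitlines()]


def ordered_targets(records: List[SRV], rng=random) -> List[SRV]:
    """Order targets as a client should: lowest priority value first; within one priority,
    weighted random selection without replacement (RFC 2782, zero-weight records listed first
    so they are picked only when the random number is 0)."""
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            n = rng.randint(0, total)          # uniform in [0, total]
            running = 0
            for chosen in pool:
                running += chosen.weight
                if running >= n:
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def first_choice_share(records: List[SRV], trials: int = 20000, seed: int = 1) -> Dict[str, float]:
    """Fraction of trials in which each target is the first one tried."""
    rng = random.Random(seed)
    counts = Counter(ordered_targets(records, rng)[0].target for _ in range(trials))
    return {target: count / trials for target, count in counts.items()}
```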

Expressway Dual Network Deployment Model

• Recommended solution

• Expressway-E LAN1 interface (internal) is used for clustering

• Expressway-E LAN1 interface can be translated by static NAT

• Expressway-E LAN2 interface (external) can be translated by static NAT

• Expressway-C interface can be translated by NAT

Business-to-business Architecture

• Expressway Protocol Selection
• Expressway Transport Protocol Selection
• Encryption for Signaling
• Encryption for Media
• Encryption and lock icon

SIP Transport Protocol Selection

Signaling interworking (SIP transport protocol)

• Neighbor zones and Traversal zones: Expressway interworks if the outgoing transport type is different from the incoming one
  Diagram: UCM zone set to TCP – Expressway-C (SIP TLS to TCP interworking) – traversal zone set to TLS – Expressway-E Default Zone accepts UDP/TCP/TLS

• DNS zones: based on priority (TLS/TCP/UDP). A DNS zone always tries TLS first
  Diagram: UCM – Expressway-C – traversal zone set to TLS – Expressway-E tries 1. SIP/TLS, 2. SIP/TCP, 3. SIP/UDP

• In case of TLS/TCP protocol translation, the B2BUA is not engaged

Media encryption – Best Effort example

Optimization of previous example

Inbound zone:
Default Zone (Expressway-E, not configurable) -> Traversal Server Zone (Expressway-E, TLS, Best Effort) -> Traversal Client Zone (Expressway-C, TLS, Best Effort) -> CM Neighbor Zone (Expressway-C, TLS, Auto)

Outbound zone:
DNS Zone (Expressway-E, not configurable, Best Effort)

Media: RTP and TLS/RTP inside, TCP/RTP or TLS/SRTP toward the remote edge on the Internet

• Best Effort-Auto example: 3 call legs due to "3-in-a-row" rule optimization. Minimizes the number of ports open on the external firewall

SIP Trunk Between CUCM and Expressway-C

Neighboring Expressway-C to Unified CM with SIP TLS

Neighbor Zone to Unified CM:
• Turn off H.323
• Set a port other than 5061 if the Expressway is shared between MRA and B2B. TLS verify mode triggers Mutual TLS.
• Best Effort: Expressway will try SRTP first and fall back to RTP if the remote endpoint is non-encrypted. Mixed mode required on Unified CM

Neighboring Expressway to Cisco Unified CM: Zone Configuration

• DNS names are mandatory if TLS verification is set to "on" (MTLS); they will be checked against the certificate SAN. IP addresses require TLS verify mode set to "off"

• OPTIONS PING to monitor status

• Documentation says to create a custom zone with Call signaling routed mode set to "always": http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-8/Cisco-Expressway-SIP-Trunk-to-Unified-CM-Deployment-Guide-CUCM-8-9-10-11-and-X8-8.pdf

CUCM SIP Trunk to Expressway-C

• This check box enables Secure Real-time Transport Protocol (SRTP) SIP trunk connections and also allows the SIP trunk to fall back to Real-time Transport Protocol (RTP) if the endpoints do not support SRTP.

• In order for this check box to be effective, Cisco Unified CM must be in mixed mode

• SIP TLS trunk doesn’t require mixed mode if RTP only is used

SIP Trunk Destination and SIP Trunk Security Profile

SIP Trunk settings:
• Mutual TLS: has to match the SANs of the remote system certificate
• Unified CM listening port: has to match the port on the Unified CM neighbor zone configured on Expressway

CPL design

• Note: CPL rules are analyzed top-down

• 1. Reject malformed calling aliases

• 2. Reject forbidden destinations in called aliases
  • PSTN access
  • Specific numeric ranges not allowed from B2B

• 3. Allow for called destinations matching the internal domain

• 4. Deny all

• Point 3 could be much more granular than this, e.g.
  • Allow [a-z]*\.[a-z]*(\d)?@ent-pa\.com
  • Allow 8002[12]\d{3}@example\.com
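The four-step CPL design above, together with the calling-alias and called-alias rules from the Expressway Policy Protection slides, carried through as an added Python model that is not Expressway's own implementation: rules are evaluated top-down and the first match decides. It assumes a pattern must match the whole alias (full match) and that a call matching no rule falls through as allowed, which is why the design ends with a deny-all; the sample calls are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class FromAddressRule:        # source type "From address"
    applies_to: str           # "authenticated" or "unauthenticated"
    source_pattern: str       # regex on the calling alias
    destination_pattern: str  # regex on the called alias
    action: str               # "allow" or "reject"


@dataclass(frozen=True)
class ZoneRule:               # source type "Zone": the calling alias is not checked
    originating_zone: str
    destination_pattern: str
    action: str


@dataclass(frozen=True)
class Call:
    calling: str
    called: str
    zone: str
    authenticated: bool


Rule = Union[FromAddressRule, ZoneRule]

# Rules in the order of the CPL design slide; the patterns are the ones on the slides.
RULES: List[Rule] = [
    # 1. reject malformed calling aliases (corporate domain, Expressway IPs)
    FromAddressRule("unauthenticated", r"(.*)@example\.com.*", r".*", "reject"),
    FromAddressRule("unauthenticated", r"(.*)@10\.10\.10\.1[12]", r".*", "reject"),
    # 2. reject forbidden destinations: PSTN access codes, a numeric range not for B2B
    ZoneRule("Default Zone", r"[09]\d+@example\.com.*", "reject"),
    ZoneRule("Default Zone", r"8001\d{4}@example\.com.*", "reject"),
    # 3. allow anything else in the internal domain
    ZoneRule("Default Zone", r"(.*)@example\.com.*", "allow"),
    # 4. deny all
    ZoneRule("Default Zone", r".*", "reject"),
]


def _matches(pattern: str, alias: str) -> bool:
    # Assumption of this model: a pattern has to match the whole alias.
    return re.fullmatch(pattern, alias, re.IGNORECASE) is not None


def evaluate(rules: List[Rule], call: Call) -> Tuple[str, Optional[int]]:
    """Walk the rules top-down; the first match decides. Returns (action, index of the rule),
    or ("allow", None) when nothing matched (assumed fall-through; the deny-all rule prevents it)."""
    for i, rule in enumerate(rules):
        if isinstance(rule, FromAddressRule):
            if call.authenticated != (rule.applies_to == "authenticated"):
                continue
            if _matches(rule.source_pattern, call.calling) and _matches(rule.destination_pattern, call.called):
                return rule.action, i
        elif call.zone == rule.originating_zone and _matches(rule.destination_pattern, call.called):
            return rule.action, i
    return "allow", None


# Constructed calls: B2B calls arrive unauthenticated on the Default Zone, an internal
# call arrives authenticated over the traversal zone.
SPOOFED_DOMAIN = Call("spoof@example.com", "bob@example.com", "Default Zone", False)
PSTN_ATTEMPT = Call("user@203.0.113.9", "9001234567@example.com", "Default Zone", False)
RANGE_ATTEMPT = Call("user@203.0.113.9", "80012345@example.com", "Default Zone", False)
LEGIT_B2B = Call("user@203.0.113.9", "jdoe@example.com", "Default Zone", False)
OTHER_DOMAIN = Call("user@203.0.113.9", "jdoe@other.example", "Default Zone", False)
INTERNAL_AUTH = Call("alice@example.com", "bob@example.com", "Traversal Zone", True)
```

Moving the allow rule ahead of the PSTN rejects makes `evaluate` admit the PSTN attempt, which is the point of the top-down note.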

Directory Expressway Architecture

Diagram (same as "Directory Expressway Architecture: 3+ Sites" above): a call to [email protected] (step 1) reaches the Directory Expressway-E (step 2), which sends it on to the Expressway-E, Expressway-C and UCM of the site owning the called user (step 4). The inbound CSS of the trunks doesn't include the partition for the Route Pattern to the remote cluster. Works with Directory URI with ILS.

Directory Expressway Architecture License Optimization

Diagram: Expe1, Expe2, Expe3 and Expe4 neighbor the Dir Expe over TLS/TCP neighbor zones; the Dir Expe Default Zone is TLS (not configurable) and media is set to "auto" on all zones

• When an Expressway performs TCP to TLS interworking, it can't remove itself from the signaling path

• Media will flow around if the default and neighbor zones are set to "auto", but signaling will flow through

• No licensing optimization happens in this case: the DirExpe license is engaged for the rest of the call

• Optimization happens only for calls that are TCP or TLS end to end (no interworking)
