Cisco Expressway – The First Step Towards a VPN-less Enterprise – Part 2
In this second part focused on VCS Expressway configuration, I will be detailing our current lab environment and providing specific configurations to make it all work. When I was initially tasked with deploying Expressway some 3+ months ago, I desperately searched for an article showing me why it was done a certain way and how to do it, I came up completely empty. As we all know, the esteemed collaboration documentation in Cisco land is so convoluted that finding a definitive answer to a problem is a major undertaking. The only rational response to this was to go out, deploy it own my own, and learn the do’s and dont’s. This article is for those folks.
NOTE: This is geared towards MRA (Mobile and Remote Access) and not Jabber Guest. If you are wanting to deploy both products, another set of Expressways is required.
Lets get a few pre-requisited out of the way first. If you are reading this, chances are, you already have these.
- CUCM 10.X
- Jabber Client (Windows or Mac)
- Access to DNS for your organization (Internal and External)
- Access to Public CA (Certificate Authority) to issue certificates
- VCS OVA file
Before we can start configuring anything, we need to get the OVA files deployed and licensed. Log into vSphere and select. From the properties window, assign an IP address. Boom! OVAs are deployed. Now onto to initial configuration. After you log into the GUI for the first time you are presented with multiple alarms in the top right hand corner. The most important one being to change the root password. SSH to your expressway servers you just deployed and login with Username:admin and Password: TANDBERG. Type passwd and type your new favorite password. Once we’re all set with the pre-requisites, we’re now ready to start setup.
Next up is to get these licensed. As mentioned in my previous post, I went over licenses you would need but not to much detail.
- LIC-EXP-RMS is your release key to get that annoying alarm from popping up
- LIC-EXP-TURN will enable TURN Relay Option
- LIC-EXP-E enables the Expressway-E feature
- LIC-EXP-AN enables the Advanced Network feature, giving you the ability to do dual NICs
After applying licenses you will see something interesting happen. VCS will change to either Expressway-C or Expressway-E. More or less, this is all the verification you need to ensure you applied the correct ones.
Now that everything is deployed and licensed, we can start making stuff work. As a good rule of thumb, I like to make sure all the small stuff is complete before I tackle big projects. Same principle is applied here. In my previous post, I detailed the DNS SRV records you will need, below are the actual records you should see on both external and internal DNS servers. As this may vary greatly depending on who hosts your DNS externall or how you manage it internally these may not mean much. However, all records are needed.
Got it? Cool. Thats the DNS piece of this. Since so much of the “just making it work” magic depends on DNS, this step is crucial. One of the quick and dirty ways I used during my journey was this command:
tail -f /Users/<username>/Library/Logs/Jabber/jabber.log
Entered into a Terminal window on OSX will show you everything thats going on with your Jabber client when troubleshooting. Really helpful when you have no clue whats wrong.
Typically, this is the part where I insert a hyperlink to an administration guide and tell you Good Luck! Fortunately, I have lots of time and really want to make someones life easier. Lets start with Expressway-E. The Expressway-E is configured with a traversal server zone to receive communications from the Expressway-C in order to allow inbound and outbound calls to traverse your NATd device. The Expressway-E is exposed to the outside world and is essentially your gateway of communication with Jabber clients outside the VPN network. Below are configurations for creating Zones. Go into
Next is Domains. On the Expressway-C under
Certificates also play a large role in this. Certificates are used by end devices, such as laptops or mobile phones to ensure you are who you say you are.
- Generate a CSR (Certificate Signing Request) with the FQDN of the host and domain to be used for login
- Generate a CSR (Certificate Signing Request) with theFQDN of the host and domain to be used for login
The respective CSRs will need to go to your CA of choice. After your CA has sent you back the certificates, they will need to be uploaded to the locations below
Maintenance>Security Certificates>Server Certificate
- Place the server certificate here
Maintenance>Security Certificates>Trusted CA certificate
- Place both the Intermediate and Trusted Root certificates here
NOTE: Make sure to Whitelist your Unity Connection server, and any other servers that Jabber will need access to. Unity Connection requires this for Visual Voicemail.
After the Traversal Zone is up and certificates are installed, we are now ready to test connectivity. I recommend testing from an outside network that uses a DNS server other than your internal. If all is well you should see a successful login!
I hope this has been a helpful article in getting your VPN-less obsession rolling. As more and more Enterprises look to simplify adminsitration and tighten security, solutions like Expressway are going to be cropping all up over the place. As always, if you have any question/concerns/opinions feel free to drop a comment below.
2 responses to “Cisco Expressway – The First Step Towards a VPN-less Enterprise – Part 2”
Thank you so much for your detailed explanation.
One of the best blog i have come across.
Can you please guide / overview the up gradation process in CUCM
like what are the pre-requisites, and important things need to do before upgrading.
Thanks! Are you referring to the pre-requs of CUCM to enable this functionality? If so, no configuration directly on CUCM is necessary. It is all done through the Expressways. They intelligently find the CM server and set up a neighbor zone to it over SIP. Let me know and I’ll be happy to help.