
MRA-Troubleshooting


Troubleshooting ExpressWay & Mobile Remote Access
Michael Huang
Customer Support Engineer - China TAC Collaboration
Agenda

 Overview, ExpressWay and Mobile Remote Access


 ExpressWay Configuration
- Firewall Settings
- Certificate Requirements
- Traversal Zone setup
- UC server discovery
- Domain and DNS
 ExpressWay serviceability
 Jabber registration and call walk through
What is ‘Mobile and Remote Access’ feature?

 Mobile and Remote Access


The mobile and remote access solution supports a hybrid on-premise
and cloud-based service model, providing a consistent experience inside and
outside the enterprise.
It provides a secure connection for Jabber application traffic without having to
connect to the corporate network over a VPN.

[Diagram labels: AnyConnect VPN; Unified CM & applications; Expressway Firewall Traversal]
What can a Jabber client do with Expressway?

[Diagram: Inside firewall (Intranet): Collaboration Services, Unified CM, Expressway C; DMZ: Expressway E; Outside firewall (Public Internet): Internet]

 Access visual voicemail
 Instant Message and Presence
 Make voice and video calls
 Launch a web conference
 Share content
 Search corporate directory
Software Requirements

 CUCM 9.1(2)SU1 or above


 CUP 9.1(1) or above
 ExpressWay/VCS X8.1.1
 Jabber 9.7 (windows)
ExpressWay Configuration

ExpressWay Configuration
Main configuration steps

1. System configuration
2. Firewall configuration
3. Certificate configuration and deployment
4. Traversal zone configuration
5. UC server discovery
6. DNS and domain configuration/deployment
Configuration System configuration

 System name and domain must be set for each server


 Each server must have proper DNS configuration

> System > DNS


Configuration System configuration

 Each system must be synched with NTP server


> System > Time
Configuration System Configuration

 If NTP is not configured and synchronized on ExpressWay-C and ExpressWay-E, Jabber telephony registration to CUCM will not succeed.
 The security mechanism is based on SIP SERVICE messages:
1. Expressway-E time-stamps a SERVICE message
2. Expressway-E sends the SERVICE message to Expressway-C
3. Expressway-C verifies that the SERVICE message is received within a 60-second error margin
Configuration System Configuration

 Enable Mobile and Remote Access


Configuration > Unified Communications > Configuration

 Check the Administrator guide for more help on system configuration topics
Firewall Configuration
Firewall Configuration
 What traffic does the firewall need to pass?
 HTTPS proxy for secure provisioning of endpoints
 SIP/TLS, RTP/SRTP for audio/video media
 XCP/XMPP for IM&P for Jabber
 Visual Voicemail (REST/HTTPS)
 Traversal Connection between ExpressWay C and E

ExpressWay C ExpressWay E
Firewall Configuration
To which ports does this translate?
 Port usage: ExpressWay C to Expressway E

[Diagram: IM&P and CUCM-UDS, ExpressWay C, DMZ with ExpressWay E, Internet]

                          ExpressWay C                    ExpressWay E
                          (Source Port)                   (Listening Port)
Management Control        Inbound and outbound calls
Open Firewall             Private to DMZ
IP Address                IP address of ExpressWay C      IP address of ExpressWay E
IP Ports:
XMPP (IM and Presence)    TCP Ue, 30000 to 35999 *        TCP 7400
SSH (HTTP/S tunnels)      TCP Ue, 30000 to 35999 *        TCP 2222
SIP signaling             TCP & TLS A, 25000 to 29999     TCP & TLS B, 7001
SIP media                 UDP YC, 36000 to 59999 **       UDP YE, 36000 to 59999 **

A = Configurable TCP outbound ports range
B = Configurable traversal port for the traversal link between Control and Expressway (i.e. 7001, 7002, etc.)
Ue = Configurable TCP ephemeral port range
YC = Configurable traversal media ports range (on Control/C)
YE = Configurable traversal media ports range (on Expressway/E)
* Default ephemeral ports range (X8.1) is 30000 – 35999, which is configurable
** Default media ports range (X8.1) is 36000 – 59999, which is configurable
Firewall Configuration
Where to configure these ports?

 ExpressWay C > System > Administration


Firewall Configuration
Where to configure these ports?

 ExpressWay C > Protocols > SIP


Firewall Configuration
Where to configure these ports?

 ExpressWay C > Configuration > Traversal Subzone


Firewall Configuration
Where to configure these ports?

 ExpressWay E > Configuration > Zone > Traversal Zone
Firewall Configuration
To which ports does this translate?
 Port usage: Expressway E to/from Public Internet

[Diagram: IM&P and CUCM-UDS, ExpressWay C, DMZ with Expressway E, Internet]

                                     Expressway E                           Internet SIP UA
                                     (Source Port)                          (Listening Port)
Management Control                   Outbound to SIP UA in the Internet
Open Firewall                        DMZ to Internet
IP Address                           Public IP address of ExpressWay E      IP address of Any (or specific IP)
IP Ports:
XMPP (IM and Presence)               N/A                                    N/A
UDS (Provisioning and Phonebook)     N/A                                    N/A
TURN Server Control                  N/A                                    N/A
SIP signaling                        TLS, 25000 to 29999                    TLS S, >= 1024
Media                                UDP YE, 36000 to 59999 **              UDP N, >= 1024

N = ExpressWay waits until it receives media, then it sends its media to the IP port from which media was received (egress port of the media from the far end non SIP-aware firewall)
S = Source port, typically >=1024
YE = Configurable traversal media ports range (on Expressway/E)
** Default media ports range (X8.1) is 36000 – 59999, which is configurable
Firewall Configuration
To which ports does this translate?
 Port usage: Expressway E to/from Public Internet

[Diagram: IM&P and CUCM-UDS, ExpressWay C, DMZ with ExpressWay E, Internet]

                          Expressway C                          Internet SIP UA
                          (Listening Port)                      (Source Port)
Management Control        Inbound from SIP UA in the Internet
Open Firewall             Internet to DMZ
IP Address                IP address of VCS Expressway          IP address of Any (or specific IP)
IP Ports:
XMPP (IM and Presence)    TCP 5222                              TCP S, >= 1024
UDS (Provisioning)        TCP 8443                              TCP S, >= 1024
TURN Server Control       UDP 3478                              UDP S, >= 1024
SIP signaling             TLS 5061                              TLS S, >= 1024
Media                     UDP YE, 36000 to 59999 **             UDP N, >= 1024

N = ExpressWay waits until it receives media, then it sends its media to the IP port from which media was received (egress port of the media from the far end non SIP-aware firewall)
S = Source port, typically >=1024
YE = Configurable traversal media ports range (on Expressway/E)
** Default media ports range (X8.1) is 36000 – 59999, which is configurable
Firewall Configuration
To which ports does this translate?
 Port usage: ExpressWay C to Unified CM and IM&P

[Diagram: IM&P and CUCM-UDS, ExpressWay C, DMZ with ExpressWay E, Internet]

                                     CUCM & CUP System                 ExpressWay C
                                     (Listening Port)                  (Source Port)
Management Control                   Private Network
Open Firewall                        N/A
IP Address                           IP address of Unified CM and      IP address of ExpressWay C
                                     IM & Presence Server
IP Ports:
XMPP (IM and Presence)               TCP 7400 (IM&P Server)            TCP Ue, 30000 to 35999 *
UDS (Provisioning and Phonebook)     TCP 8443 (CUCM Server)            TCP Ue, 30000 to 35999 *
TFTP                                 TCP 6970 (TFTP Server)            TCP Ue, 30000 to 35999 *
CUC (Voicemail)                      TCP 443 (CUC server)              TCP Ue, 30000 to 35999 *

Ue = Configurable TCP ephemeral port range
* Default ephemeral ports range (X8.1) is 30000 – 35999, which is configurable
Firewall Setup
Dual NIC consideration

[Diagram labels: firewalls FWB and FWA; networks 10.30.0.0, 10.20.0.0 and 10.10.0.0, each with a .1 address; IM&P, CUCM-UDS, ExpressWay C, ExpressWay E]

 ExpressWay-E has default gateway 10.10.0.1
 When FWB does NAT for 10.30.0.0 there is no problem
 When FWB does no NAT for 10.30.0.0 a static route needs to be added:
xCommand RouteAdd Address: 10.30.0.0 PrefixLength: 24 Gateway: 10.20.0.1 Interface: LAN1
Firewall Setup
Dual NIC consideration with static NAT & NAT Reflection

[Diagram labels: firewalls FWB and FWA; networks 10.30.0.0, 10.20.0.0 and 10.10.0.0, each with a .1 address; IM&P, CUCM-UDS, ExpressWay C, ExpressWay E]

 ExpressWay-C traversal client points to public IP on ExpressWay-E
 FWA must support NAT Reflection
Firewall Setup
Port Status and Configuration

 Maintenance > Tools > Port Usage


HTTP Server Allow list
ExpressWay C
 Some services rely on the HTTP Reverse Proxy functionality in Expressway
Examples:
- “Unity Connection Voicemail Player”
- “Customized Jabber HTTP Contact Photos”
- “Customized Jabber plugins”
HTTP Server Allow list
ExpressWay C
 > Configuration > Unified Communications > Configuration

 The hostname or IP address of an HTTP server that a Jabber client located outside of
the enterprise is allowed to access.

Access is granted if the server portion of the client-supplied URI matches the name
entered here, or if it resolves via DNS lookup to an IP address specified here.
Certificates
Certificates
 Maintenance > Security Certificate > Server Certificate
Certificates

 Maintenance > Security Certificate > Trusted CA Certificate


ExpressWay C – Certificate Requirements

 CA Signed

- Must be CA signed
- Used with ExpressWay E for traversal zone connection
- Used with CUCM when endpoint security mode is Authenticated or Encrypted (TLS transport used)
- CA Root must be appended to “Trusted CA certificate” on both ExpressWays
- CA Root must be uploaded to CallManager-trust store on every node in the cluster
ExpressWay C – Certificate Requirements
CA Root not uploaded on ExpressWay E
 Traversal Zone State Failed

 Expressway-C Diagnostics logs (traversal client)

xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25016" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="xwaye.coluc.com" Level="1" UTCTime="2014-03-24 17:33:30,872"
 Expressway Event logs
ExpressWay C – Certificate Requirements
CA Root not uploaded on CUCM

 Softphone registration fails (others will work) when endpoint security settings are Authenticated or Encrypted
ExpressWay C – Certificate Requirements

 SAN must include ‘Chat node alias’ from IM&P server (CUP)

- Required for XMPP federation
- Gets auto-added in CSR after IM&P discovery
- For manual configuration go to CUPADMIN > Messaging > Group Chat Server Alias Mapping, click Find.
ExpressWay C – Certificate Requirements
CUPADMIN > Messaging > Group Chat Server Alias Mapping
ExpressWay C – Certificate Requirements

 SAN must include ‘Device Security Profile Name’

- Required for CUCM to accept the TLS connection
- The X.509 certificate presented is that of ExpressWay C
- CUCM needs to validate using a SAN matching the security profile name
- Some (public) CAs do not allow a hostname in the SAN. If so, the profile name must have FQDN format
ExpressWay C – Certificate Requirements

System > Security > Phone Security Profile


ExpressWay C – Certificate Requirements
Security Profile not added as SAN
ExpressWay E – Certificate Requirements

 CA Signed

- Must be CA signed
- Used with ExpressWay C for traversal zone connection
- CA Root must be appended to “Trusted CA certificate” on both ExpressWays
ExpressWay E – Certificate Requirements
CA root not uploaded to ExpressWay C
 Traversal Zone State

 ExpressWay E diagnostic logs

xwaye tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25006" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1" UTCTime="2014-03-25 09:52:36,680"
 ExpressWay E event logs
Common
 If Expressway does not have a valid signed certificate that contains either the FQDN or domain of Expressway, then this fails and the Jabber client fails to log in.

 If this issue occurs, the customer should use the Certificate Signing Request (CSR) tool on Expressway, which automatically includes the FQDN of Expressway
as a Subject Alternative Name (SAN).

 Expressway-C Server Certificate Requirements:

 The Chat Node Aliases configured on the IM&P servers. This is required if you perform Extensible Messaging and Presence Protocol (XMPP) federation.
Expressway-C should automatically include these in the CSR provided that an IM&P server has already been discovered on Expressway-C.

 The names in FQDN format of all Phone Security Profiles in CUCM configured for TLS and used on devices configured for MRA. This allows for secure
communication between the CUCM and Expressway-C for the devices that use those Phone Security Profiles.

 Expressway-E Server Certificate Requirements:

 All domains configured for Unified Communications. This includes the domain of Expressway-E and C, email address domain configured for Jabber, and any
Presence domains.

 The Chat Node Aliases configured on the IM&P servers. This is required if you perform XMPP federation.
Traversal Zone Setup
Traversal Zone Setup
Firewall Traversal
 Expressway-E is traversal server in DMZ
 Expressway-C is traversal client inside the network
 Establish traversal link between both using traversal zone configuration

[Diagram: Enterprise Network: CUCM, Endpoint A, Expressway-C (Traversal Client); DMZ: Expressway-E (Traversal Server); Outside Network: Internet, Endpoint B. The Traversal Link carries Management, Signal and Media Payload]
Traversal Zone Setup
ExpressWay E – Traversal Server

Select Type: Unified Communications traversal

Configure username to be used by Traversal Client to authenticate with server
Traversal Zone Setup
ExpressWay E – Traversal Server
Port is default 7001, listening port for traversal client connection

Must match CN from Certificate presented by Traversal Client (ExpressWay C)

Must be set to ‘Do not check ..’ (Expressway does not register any endpoint)
Traversal Zone Setup
ExpressWay C – Traversal Client

Type: Unified Communication traversal

Configure same username and password as added on the Traversal Server (Expressway E)
Traversal Zone Setup
ExpressWay C – Traversal Client

Destination port Traversal Server is listening on

Must be set to ‘Do not check ..’ (Expressway does not register any endpoint)
Traversal Zone Setup
ExpressWay C – Traversal Client

- Must be FQDN
- Must be DNS resolvable
Traversal Zone Setup
Peer Address not matching CN

 Peer Address configured as IP address

 ExpressWay diagnostic logs

2014-03-25T14:08:16+00:00 xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25697" Dst-ip="10.48.55.99" Dst-port="7001" Detail="Peer's TLS certificate identity was unacceptable" Protocol="TLS" Common-name="10.48.55.99" Level="1" UTCTime="2014-03-25 14:08:16,699"

 ExpressWay Event logs


Traversal Zone Setup
Peer Address not matching CN

 Peer Address/FQDN not matching CN

 ExpressWay diagnostic logs

2014-03-25T14:16:36+00:00 xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25714" Dst-ip="10.48.55.99" Dst-port="7001" Detail="Peer's TLS certificate identity was unacceptable" Protocol="TLS" Common-name="xwy.coluc.com" Level="1" UTCTime="2014-03-25 14:16:36,699"

 ExpressWay Event logs
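
The traversal-zone TLS failures shown on the certificate and peer-address slides can be told apart from the log line alone. The following is an added example, not part of the original deck or any Cisco tool: the function names are hypothetical, the sample lines are the ones quoted on the slides (typographic quotes normalised), and the cause text follows the slide titles.

```python
import ipaddress
import re

# key="value" pairs as they appear in Expressway diagnostic log lines
PAIR = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')

# Log lines quoted on the slides, one per line, typographic quotes normalised.
SAMPLE_LINES = """\
xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25016" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="xwaye.coluc.com" Level="1" UTCTime="2014-03-24 17:33:30,872"
xwaye tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25006" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1" UTCTime="2014-03-25 09:52:36,680"
2014-03-25T14:08:16+00:00 xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25697" Dst-ip="10.48.55.99" Dst-port="7001" Detail="Peer's TLS certificate identity was unacceptable" Protocol="TLS" Common-name="10.48.55.99" Level="1" UTCTime="2014-03-25 14:08:16,699"
2014-03-25T14:16:36+00:00 xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25714" Dst-ip="10.48.55.99" Dst-port="7001" Detail="Peer's TLS certificate identity was unacceptable" Protocol="TLS" Common-name="xwy.coluc.com" Level="1" UTCTime="2014-03-25 14:16:36,699"
""".splitlines()


def parse_event(line):
    """Return the key="value" fields of one log line plus the logging host."""
    fields = dict(PAIR.findall(line))
    host = re.search(r"(\S+) tvcs:", line)
    fields["Host"] = host.group(1) if host else ""
    return fields


def _is_ip(value):
    """True when the value is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def triage(line):
    """Map a TLS negotiation error to the cause named on the slides.

    Returns None for lines that are not TLS negotiation errors.
    """
    ev = parse_event(line)
    event, detail = ev.get("Event", ""), ev.get("Detail", "")
    if not event.endswith("TLS Negotiation Error"):
        return None
    link = f'{ev.get("Src-ip")} -> {ev.get("Dst-ip")}:{ev.get("Dst-port")}'
    if detail == "tlsv1 alert unknown ca":
        # Outbound (logged on the traversal client): slide "CA Root not
        # uploaded on ExpressWay E". Inbound (logged on the traversal
        # server): slide "CA root not uploaded to ExpressWay C".
        side = "Expressway-E" if event.startswith("Outbound") else "Expressway-C"
        cause = f"CA root missing from Trusted CA certificate on {side}"
    elif detail == "Peer's TLS certificate identity was unacceptable":
        name = ev.get("Common-name", "")
        if _is_ip(name):
            cause = "Peer address configured as IP address; it must be the FQDN in the peer certificate CN"
        else:
            cause = f"Peer address {name} does not match the CN of the peer certificate"
    else:
        cause = "unclassified: " + detail
    return {"host": ev["Host"], "link": link, "cause": cause}


def triage_all(lines):
    """Triage every line and keep only the TLS negotiation errors."""
    return [result for result in map(triage, lines) if result]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_LINES):
        print(f'{result["host"]:6} {result["link"]:32} {result["cause"]}')
```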


Traversal Zone Setup
Password incorrect

 Traversal Client will show for this zone

 ExpressWay C diagnostic logs


Module="network.dns" Level="DEBUG": Detail="Sending DNS query" Name="xwaye.coluc.com" Type="A and AAAA"
Module="network.dns" Level="DEBUG": Detail="Resolved hostname to: ['IPv4''TCP''10.48.55.99'] (A/AAAA) Number of relevant records retrieved: 1"
Module="network.tcp" Level="DEBUG": Src-ip="10.48.55.98" Src-port="25723" Dst-ip="10.48.55.99" Dst-port="7001" Detail="TCP Connecting"
Module="network.tcp" Level="DEBUG": Src-ip="10.48.55.98" Src-port="25723" Dst-ip="10.48.55.99" Dst-port="7001" Detail="TCP Connection Established"
….
Password incorrect

 ExpressWay C event log

 ExpressWay E event log


UC Server Discovery
UC Server Discovery
Configuration > Unified Communications
ExpressWay – Mobile and Remote Access
UC Server discovery

 Scenario 1
- CUCM set to non-secure

[Diagram: Expressway C (expwayC.domain1.com), Internal DNS, CUCM (cucm.domain1.com), IM&P Server (cup.domain1.com) with IM and Presence Domain = domain1.com]
ExpressWay Mobile and Remote Access – Scenario 1
CUCM Server Discovery

What do I enter here?

- When TLS verify mode is On > Must match CN from Tomcat Certificate
- When TLS verify mode is Off > IP Address Publisher or Hostname Publisher or FQDN Publisher
ExpressWay Mobile and Remote Access – Scenario 1
CUCM Server Discovery

Set to Off for non-secure

When set to ‘On’, what other configuration is required?

- Self Signed Tomcat Certificate must be appended to “Trusted CA Cert”
Or
- CA certificate must be appended
(And address must match CN from Tomcat certificate)
ExpressWay Mobile and Remote Access – Scenario 1
CUCM Server Discovery

How does Server configuration on CUCM impact the discovery?


ExpressWay Mobile and Remote Access – Scenario 1
CUCM Server Discovery
- When hostname is returned, shows Active when xway can DNS resolve <hostname>@<domain Xway> or <hostname>, where <hostname> is what is configured in CCMADMIN

- This creates a problem when Expressway/VCS and CUCM servers are in different domains
ExpressWay Mobile and Remote Access – Scenario 1
CUCM Server Discovery – Different Server Domain

[Diagram: Expressway C (expwayC.edge1.com), Internal DNS, CUCM (colcm9pub.coluc.com)]

DNS query fails for colcm9pub.edge.com and colcm9pub
ExpressWay Mobile and Remote Access – Scenario 1
CUCM Server Discovery

 How to solve?
1) Use FQDN for server configuration on CCMADMIN

2) Use IP address for server configuration on CCMADMIN


ExpressWay Mobile and Remote Access – Scenario 1
CUCM Server Discovery
When FQDN is returned, shows ‘Active’ when xway can DNS resolve <hostname>@<domain> as configured in CCMADMIN

Here colcm9pub.coluc.com and colcm9sub1.coluc.com
ExpressWay Mobile and Remote Access – Scenario 1
CUCM Server Discovery
No DNS query is required as IP address is used. Will always show Active
ExpressWay – Mobile and Remote Access
UC Server discovery

 Scenario 2
- CUCM set to secure (mixed-mode)

[Diagram: Expressway C (expwayC.domain1.com), Internal DNS, CUCM (cucm.domain1.com), IM&P Server (cup.domain1.com) with IM and Presence Domain = domain1.com]
ExpressWay – Mobile and Remote Access
UC Server discovery

 What changes when the CUCM cluster is set to mixed mode?

- Same steps need to be followed
- Status will show ‘TLS/TCP’
ExpressWay – Mobile and Remote Access
UC Server discovery
 TLS and TCP zone is auto-added per discovered node
These are non-configurable neighbor zones “CEtcp-<UCMName>” and/or “CEtls-<UCMName>”
ExpressWay – Mobile and Remote Access
UC Server discovery
ExpressWay – Mobile and Remote Access
UC Server discovery

 Search Rule on ExpressWay C is automatically added


ExpressWay – Mobile and Remote Access
UC Server discovery

 Search Rules are non-configurable


DNS and Domain configuration
Domain Configuration
ExpressWay C – Domain Configuration

> Configurations > Domains


Domain Configuration
ExpressWay C & E – DNS Configuration

 System > DNS


Collaboration Edge Service Record (SRV)

 For a Jabber client to be able to log in successfully with MRA, a specific collaboration edge SRV record must be created
and accessible externally. When a Jabber client is initially started, it makes DNS SRV queries:

 _cisco-uds: This SRV record is used in order to determine if a CUCM server is available.

 _cuplogin: This SRV record is used in order to determine if an IM&P server is available.

 _collab-edge: This SRV record is used in order to determine if MRA is available.


Client Service Discovery
 Service discovery enables clients and endpoints to automatically detect and locate services.
 The client/endpoint queries DNS servers to retrieve service (SRV) records that provide the location of servers.
 Clients/endpoints outside the internal network must be able to resolve the ‘_collab-edge._tls.<domain>’ SRV record, which must point to the ExpressWay E server.
 Clients/endpoints, and also ExpressWay C, must be able to resolve the ‘_cisco-uds._tcp.<domain>’ SRV record, which must point to the CUCM cluster.
 The external DNS must not resolve ‘_cisco-uds._tcp’ SRV records
 The internal DNS must not resolve ‘_collab-edge._tls’ SRV records
Client Service Discovery

 If the Jabber client is started and does not receive an SRV answer for _cisco-uds and
_cuplogin and does receive an answer for _collab-edge, then it uses this answer to try to
contact the Expressway-E listed in the SRV answer.

 The _collab-edge SRV record should point to the Fully Qualified Domain Name (FQDN) of
Expressway-E with port 8443. If the _collab-edge SRV is not created, or is not externally
available, or if it is available, but port 8443 is not reachable, then the Jabber client fails to log in.
ExpressWay Mobile and Remote Access
Domain & DNS configuration

 Scenario
- Flat domain structure
- ExpressWay Servers : domain1.com
- UC servers : domain1.com
- IM&P domain : domain1.com

[Diagram: Jabber Client, External DNS, Expressway E (expwayE.domain1.com), Expressway C (expwayC.domain1.com), Internal DNS, CUCM Home UDS (cucm.domain1.com), IM&P Server (cup.domain1.com) with IM and Presence Domain = domain1.com]
ExpressWay Mobile and Remote Access
Domain & DNS configuration


Question : How do I login?


Answer : With <userid>@domain1.com
ExpressWay Mobile and Remote Access
Domain & DNS configuration


Question: How is my external DNS configured?


Answer:
Entry                                          Resolves to
SRV record ‘_collab-edge._tls.domain1.com’     xwayE.domain1.com port 8443
A record ‘xwayE.domain1.com’                   External IP address ExpressWay E
ExpressWay Mobile and Remote Access
Domain & DNS configuration


Question: How is my ExpressWay E configured?


Answer:
> System > DNS >
- System host name ‘xwayE’
- Domain name ‘domain1.com’
ExpressWay Mobile and Remote Access
Domain & DNS configuration

Question: How is my ExpressWay C configured?
Answer:
> System > DNS >
- System host name ‘xwayC’
- Domain name ‘domain1.com’
> Configuration > Domains >
- Domain ‘domain1.com’ enabled for ‘UCM registrations’
and ‘IM and Presence’
ExpressWay Mobile and Remote Access
Domain & DNS configuration


Question: How is my Internal DNS configured?


Answer:
Entry                                          Resolves to
SRV record ‘_cisco-uds._tcp.domain1.com’       cucm.domain1.com port 8443
A record ‘cucm.domain1.com’                    IP address of CUCM
SRV record ‘_cuplogin._tcp.domain1.com’        cup.domain1.com port 8443
A record ‘cup.domain1.com’                     IP address of CUP
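
The external and internal record sets for this flat-domain scenario can be checked against the service discovery rules stated earlier. The following is an added example, not part of the original deck: the function names and the dictionary layout are hypothetical, the IP addresses are constructed sample values, and the "direct" outcome is an assumption drawn from the stated purpose of the `_cisco-uds` and `_cuplogin` records (the slides spell out only the edge branch).

```python
EDGE_PORT = 8443  # port the slides give for the _collab-edge SRV target


def check_split_dns(domain, external, internal):
    """Compare both DNS views with the rules on the slides.

    Each view is {"srv": {name: (target, port)}, "a": {name: ip}}.
    Returns a list of findings; an empty list means both views comply.
    """
    edge = f"_collab-edge._tls.{domain}"
    uds = f"_cisco-uds._tcp.{domain}"
    cup = f"_cuplogin._tcp.{domain}"
    findings = []

    # External view: only the edge record, pointing at Expressway-E:8443.
    srv = external["srv"].get(edge)
    if srv is None:
        findings.append(f"external: {edge} missing")
    else:
        target, port = srv
        if port != EDGE_PORT:
            findings.append(f"external: {edge} uses port {port}, expected {EDGE_PORT}")
        if target not in external["a"]:
            findings.append(f"external: no A record for {target}")
    if uds in external["srv"]:
        findings.append(f"external: {uds} must not resolve")

    # Internal view: UC service records present, edge record absent.
    for name in (uds, cup):
        srv = internal["srv"].get(name)
        if srv is None:
            findings.append(f"internal: {name} missing")
        elif srv[0] not in internal["a"]:
            findings.append(f"internal: no A record for {srv[0]}")
    if edge in internal["srv"]:
        findings.append(f"internal: {edge} must not resolve")
    return findings


def jabber_path(domain, view):
    """Path a client takes when it resolves names through this view.

    Edge is used only when neither _cisco-uds nor _cuplogin is answered
    and _collab-edge is. "direct" is this example's label for the case
    where the client finds the internal services (an assumption).
    """
    srv = view["srv"]
    if f"_cisco-uds._tcp.{domain}" in srv or f"_cuplogin._tcp.{domain}" in srv:
        return "direct"
    edge = srv.get(f"_collab-edge._tls.{domain}")
    return f"edge via {edge[0]}:{edge[1]}" if edge else "login fails"


# Constructed sample views using the slide's domain1.com names.
GOOD_EXTERNAL = {
    "srv": {"_collab-edge._tls.domain1.com": ("xwayE.domain1.com", 8443)},
    "a": {"xwayE.domain1.com": "203.0.113.10"},
}
GOOD_INTERNAL = {
    "srv": {
        "_cisco-uds._tcp.domain1.com": ("cucm.domain1.com", 8443),
        "_cuplogin._tcp.domain1.com": ("cup.domain1.com", 8443),
    },
    "a": {"cucm.domain1.com": "10.30.0.10", "cup.domain1.com": "10.30.0.11"},
}
# Misconfigured external view: wrong port, no A record, internal SRV leaked.
LEAKY_EXTERNAL = {
    "srv": {
        "_collab-edge._tls.domain1.com": ("xwayE.domain1.com", 443),
        "_cisco-uds._tcp.domain1.com": ("cucm.domain1.com", 8443),
    },
    "a": {},
}

if __name__ == "__main__":
    print(check_split_dns("domain1.com", GOOD_EXTERNAL, GOOD_INTERNAL))
    for finding in check_split_dns("domain1.com", LEAKY_EXTERNAL, GOOD_INTERNAL):
        print(finding)
    print(jabber_path("domain1.com", LEAKY_EXTERNAL))
```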
ExpressWay Mobile and Remote Access
Domain & DNS configuration


Question: How is my CUCM configured?


Answer:
> CCMADMIN > System > Server
- Server with hostname ‘cucm’
> CLI ‘set network domain domain1.com’
ExpressWay Mobile and Remote Access
Domain & DNS configuration


Question: How is my CUP configured?


Answer:
> CUPAdmin > Clustertopology
- Node configuration with ‘cup.domain1.com’
- IM and Presence Domain with ‘domain1.com’ (*)
(*) Only 1 is supported
ExpressWay Mobile and Remote Access
ExpressWay or UC Server Domain not configured

 ExpressWay or UC server domain not added or not enabled for Unified Communications
 Jabber login will fail – Cannot communicate with the server
 Diagnostic logs will show

HTTPMSG:|GET https:///Y29sdWMuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Accept: */*
User-Agent: Jabber-Win-345

HTTPMSG:|HTTP/1.1 403 Forbidden
Date: Mon, 17 Mar 2014 16:07:20 GMT
Connection: close
Server: CE_E
Content-Length: 0|

(Y29sdWMuY29t decodes to ‘coluc.com’)
ExpressWay Mobile and Remote Access
IM&P Domain not configured (UC Domain)
 IM&P domain not added or not enabled for IM&P
 Jabber login will fail – Cannot communicate with the server
 Diagnostic logs will show
xwaye XCP_JABBERD[12144]: UTCTime="2014-03-14 14:30:25,310" ThreadID="140582990952192" Module="Jabber" Level="INFO " CodeLocation="deliver.c:1492" Detail="bouncing a packet to 'domain3.com' from 'cm-1_jsmcp-1.xwaye-domain1.com'"

xwaye XCP_CM[12513]: UTCTime="2014-03-14 14:30:25,310" ThreadID="140004551300864" Module="cm-1.xwaye-domain1.com" Level="INFO " CodeLocation="SASLManager.cpp:198" Detail="Failed to query auth component for SASL mechanisms"
Serviceability ExpressWay

ExpressWay C “Unified Communications” status
 Status > Unified Communications
ExpressWay C “Unified Communications” status

 Unified Communications > View provisioned sessions


ExpressWay E – “Unified Communications” status
 Status > Unified Communications
ExpressWay C – “Call Status”
 Status > Calls > Calls (active) or History
 ExpressWay C – Traversal Call
 ExpressWay C
B2BUA Call
 ExpressWay C – CUCM Call
ExpressWay E – “Call Status”
 ExpressWay E
Inbound Call
 Inbound Call Media Statistics
ExpressWay Tools

 Maintenance > Tools > Network Utilities


Ping
DNS lookup (also flush dns cache from DNS configuration)
TraceRoute
TracePath
DNS Lookup

 > Maintenance > Tools > Network Utilities > DNS Lookup (for internal DNS)

 Online Tools (for external), e.g. http://dnsrlookup.onlinetoolkit.org/


ExpressWay Diagnostic Logs
 Maintenance > Diagnostics > Diagnostic Logging

(With dual NIC, the diagnostic log takes the tcpdump on the internal interface. When a capture from the external interface is required, SSH into ExpressWay (root), run e.g. “tcpdump -s 0 -i eth1 -w /tmp/trace-1.pcap” and use WinSCP to transfer the file.)
Jabber Registration
Walk Through

Jabber pre-requirements

 Jabber 9.6 (Win/iOS) requires a configuration key in jabber-config.xml to enable Mobile Remote Access:

<Policies>
<RemoteAccess>ON</RemoteAccess>
</Policies>
 For local testing purposes, users can set the RemoteAccess configuration key on their device by editing jabberLocalConfig.xml (J4Win)

<Jabber>
<userConfig name="remoteaccess" value="ON"/>
</Jabber>

 In the officially supported version of Jabber (9.7), Mobile and Remote Access will be enabled by default
Jabber URL transform

- Jabber transforms original Url: http://colcm9pub:6970/CSFxwayj.cnf.xml
- Base Url with appended Edge domain: coluc.com/
- Base Url with appended protocol: coluc.com/http/
- Base Url with appended host: coluc.com/http/colcm9pub
- Base Url before encoding: coluc.com/http/colcm9pub/6970
- Encoded Base64 Url: Y29sdWMuY29tL2h0dHAvY29sY205cHViLzY5NzA=
- Transformed Url: https://xwaye.coluc.com:8443/Y29sdWMuY29tL2h0dHAvY29sY205cHViLzY5NzA=/CSFxwayj.cnf.xml
Jabber URL Transform

 A good way to verify that the basic MRA components are in place is to run the first HTTP request Jabber would do.
 To do this verification, open a browser and enter the following URL to verify that the HTTP Reverse proxy is working, and that the ExpressWay-C can discover the DNS.

https://xwaye.coluc.com:8443/Y29sdWMuY29tL2h0dHAvY29sY205cHViLzY5NzA=/get_edge_config
 Use CUCM user credentials when prompted by the browser
 Use http://www.base64decode.org/ to encode/decode
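
The transform steps listed above, and the reverse direction for reading which internal host a request in the Expressway logs was aimed at, can be scripted instead of using an online decoder. This is an added example, not code from the deck or from Cisco: the function names are hypothetical, the encoding follows the sample values on the slides, and an explicit port in the internal URL is assumed.

```python
import base64
from urllib.parse import urlsplit


def edge_base(edge_domain, internal_url):
    """Build the pre-encoding string: <edge domain>/<protocol>/<host>/<port>."""
    parts = urlsplit(internal_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {internal_url!r}")
    if parts.port is None:
        # The slides only show URLs with an explicit port, so require one.
        raise ValueError("internal URL must carry an explicit port")
    return f"{edge_domain}/{parts.scheme}/{parts.hostname}/{parts.port}"


def transform_url(expressway_e, edge_domain, internal_url, edge_port=8443):
    """Return the URL a remote client requests from Expressway-E."""
    token = base64.b64encode(
        edge_base(edge_domain, internal_url).encode("ascii")
    ).decode("ascii")
    return f"https://{expressway_e}:{edge_port}/{token}{urlsplit(internal_url).path}"


def decode_edge_url(url):
    """Decode the Base64 path segment of a request seen on Expressway-E.

    Returns the edge domain and requested resource, plus protocol, host
    and port of the internal server when the segment carries them.
    """
    path = urlsplit(url).path.lstrip("/")
    token, _, resource = path.partition("/")
    padded = token + "=" * (-len(token) % 4)  # logs may drop the padding
    try:
        decoded = base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise ValueError(f"path segment is not Base64 text: {token!r}") from exc
    fields = decoded.split("/")
    result = {"edge_domain": fields[0], "resource": "/" + resource}
    if len(fields) == 4:
        result.update(scheme=fields[1], host=fields[2], port=int(fields[3]))
    return result


if __name__ == "__main__":
    # Values from the slides.
    url = transform_url(
        "xwaye.coluc.com", "coluc.com", "http://colcm9pub:6970/CSFxwayj.cnf.xml"
    )
    print(url)
    print(decode_edge_url(url))
    print(decode_edge_url("https://xwaye.coluc.com:8443/Y29sdWMuY29t/get_edge_config"))
```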
Jabber URL Transform
 Expressway E certificate not trusted (Jabber client will prompt same)
Jabber URL Transform

 Provide CCM user credentials


Jabber URL Transform

 Service Config
Jabber URL Transform

 Edge Configuration
Common Issue 1
Softphone is Not Able to Register, SIP/2.0 405 Method Not Allowed

A diagnostic log from Expressway-C shows a SIP/2.0 405 Method Not Allowed message in response to the Registration request sent by the Jabber client. This is likely due to an existing Session Initiation Protocol (SIP) trunk
between Expressway-C and CUCM using port 5060/5061.

SIP/2.0 405 Method Not Allowed


Via: SIP/2.0/TCP 10.10.40.108:5060;egress-zone=CollabZone;branch=z9hG4bK81e7f5f1c1
ab5450c0b406c91fcbdf181249.81ba6621f0f43eb4f9c0dc0db83fb291;proxy-call-id=da9e25aa-
80de-4523-b9bc-be31ee1328ce;rport,SIP/2.0/TLS 10.10.200.68:7001;egress-zone=Traversal
Zone;branch=z9hG4bK55fc42260aa6a2e3741919177aa84141920.a504aa862a5e99ae796914e85d35
27fe;proxy-call-id=6e43b657-d409-489c-9064-3787fc4919b8;received=10.10.200.68;rport=
7001;ingress-zone=TraversalZone,SIP/2.0/TLS
192.168.1.162:50784;branch=z9hG4bK3a04bdf3;received=172.18.105.10;rport=50784;
ingress-zone=CollaborationEdgeZone
From: <sip:5151@collabzone>;tag=cb5c78b12b4401ec236e1642-1077593a
To: <sip:5151@collabzone>;tag=981335114
Date: Mon, 19 Jan 2015 21:47:08 GMT
Call-ID: [email protected]
Server: Cisco-CUCM10.5
CSeq: 1105 REGISTER
Warning: 399 collabzone "SIP trunk disallows REGISTER"
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0

In order to correct this issue, change the SIP port on the SIP Trunk Security Profile that is applied to the existing SIP trunk configured in CUCM and the Expressway-C neighbor zone for CUCM to a different port such as 5065.
This is explained further in the MRA Deployment Guide on Page 39.

Configuration Summary

CUCM:

1. Create a new SIP Trunk security profile with a listening port other than 5060 (5065).
2. Create a SIP Trunk associated to the SIP Trunk Security Profile and destination set to the Expressway-C IP address, port 5060.

Expressway-C:

1. Create a neighbor zone to CUCM(s) with a target port other than 5060 (5065) to match the CUCM configuration.
2. In Expressway-C Settings > Protocols > SIP, make sure Expressway-C still listens on 5060 for SIP.
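A check for this signature in a diagnostic log, as an added example (not from the original deck and not Cisco tooling): it unfolds the SIP response headers, lists the Via hops with their zones, and flags a 405 to REGISTER that carries the "SIP trunk disallows REGISTER" warning. The sample message is constructed from the trace above with a placeholder Call-ID and shortened branch values; the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the 405 trace above (Call-ID is a placeholder,
# branch values shortened). Lines starting with a space are folded Via continuations.
SAMPLE = """SIP/2.0 405 Method Not Allowed
Via: SIP/2.0/TCP 10.10.40.108:5060;egress-zone=CollabZone;branch=z9hG4bK81e7;rport,
 SIP/2.0/TLS 10.10.200.68:7001;egress-zone=TraversalZone;branch=z9hG4bK55fc;received=10.10.200.68;rport=7001;ingress-zone=TraversalZone,
 SIP/2.0/TLS 192.168.1.162:50784;branch=z9hG4bK3a04bdf3;received=172.18.105.10;rport=50784;ingress-zone=CollaborationEdgeZone
From: <sip:5151@collabzone>;tag=cb5c78b1
Call-ID: placeholder-call-id@example.invalid
Server: Cisco-CUCM10.5
CSeq: 1105 REGISTER
Warning: 399 collabzone "SIP trunk disallows REGISTER"
"""

def parse_sip_response(text):
    """Return (status_code, headers) with folded header lines unfolded."""
    lines = text.strip().splitlines()
    m = re.match(r"SIP/2\.0 (\d{3}) ", lines[0])
    if not m:
        raise ValueError("not a SIP response: %r" % lines[0])
    unfolded = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += line.strip()      # continuation of the previous header
        elif line.strip():
            unfolded.append(line.strip())
    headers = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers

def via_hops(headers):
    """List each Via hop (top-most first) with transport, sent-by and zones."""
    hops = []
    for value in headers.get("via", []):
        for hop in filter(None, map(str.strip, value.split(","))):
            proto, rest = hop.split(None, 1)
            sent_by, *params = rest.split(";")
            kv = dict(p.split("=", 1) for p in params if "=" in p)
            hops.append({"transport": proto.rsplit("/", 1)[1], "sent_by": sent_by,
                         "egress": kv.get("egress-zone"), "ingress": kv.get("ingress-zone")})
    return hops

def diagnose(text):
    """Flag a REGISTER that CUCM rejected because it arrived on a SIP trunk port."""
    status, headers = parse_sip_response(text)
    method = headers.get("cseq", [""])[0].split()[-1:]
    warning = " ".join(headers.get("warning", []))
    hit = status == 405 and method == ["REGISTER"] and "SIP trunk disallows REGISTER" in warning
    return {"trunk_port_conflict": hit, "hops": via_hops(headers),
            "server": headers.get("server", [None])[0]}

if __name__ == "__main__":
    result = diagnose(SAMPLE)
    print("trunk/MRA port conflict:", result["trunk_port_conflict"])
    print("\n".join(str(hop) for hop in result["hops"]))
```

The top-most Via hop names the egress zone and port Expressway-C used toward CUCM, which is the neighbor zone to compare against the SIP Trunk Security Profile port.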
Common Issue 2
Unable to Log In Because of an Existing WebEx Connect Subscription

Jabber for Windows logs show this:

2014-11-22 19:55:39,122 INFO [0x00002808] [very\WebexCasLookupDirectorImpl.cpp(134)] [service-discovery] [WebexCasLookupDirectorImpl::makeCasLookupWhenNetworkIsAvailable] - makeCasLookupForDomain result is 'Code: IS_WEBEX_CUSTOMER; Server: http://loginp.webexconnect.com; Url: http://loginp.webexconnect.com/cas/FederatedSSO?org=example.com';;;.
2014-11-22 19:55:39,122 INFO [0x00002808] [overy\WebexCasLookupDirectorImpl.cpp(67)] [service-discovery] [WebexCasLookupDirectorImpl::determineIsWebexCustomer] - Discovered Webex Result from server. Returning server result.
2014-11-22 19:55:39,122 DEBUG [0x00002808] [ery\WebexCasLookupUrlConfigImpl.cpp(102)] [service-discovery] [WebexCasLookupUrlConfigImpl::setLastCasUrl] - setting last_cas_lookup_url : http://loginp.webexconnect.com/cas/FederatedSSO?org=example.com
2014-11-22 19:55:39,123 DEBUG [0x00002808] [pters\config\ConfigStoreManager.cpp(286)] [ConfigStoreManager] [ConfigStoreManager::storeValue] - key : [last_cas_lookup_url] value : [http://loginp.webexconnect.com/cas/FederatedSSO?org=example.com]
2014-11-22 19:55:39,123 DEBUG [0x00002808] [common\processing\TaskDispatcher.cpp(29)] [TaskDispatcher] [Processing::TaskDispatcher::enqueue] - Enqueue ConfigStore::persistValues - Queue Size: 0
2014-11-22 19:55:39,123 DEBUG [0x00002808] [pters\config\ConfigStoreManager.cpp(140)] [ConfigStoreManager] [ConfigStoreManager::getValue] - key : [last_cas_lookup_url] skipLocal : [0] value: [http://loginp.webexconnect.com/cas/FederatedSSO?org=example.com] success: [true] configStoreName: [LocalFileConfigStore]

The login attempts are directed to WebEx Connect.

For a permanent resolution, you must contact WebEx in order to have the site decommissioned.

Workaround:

In the short-term, you can utilize one of these two options to exclude it from the lookup.

• Add this parameter to the jabber-config.xml. Then upload the jabber-config.xml file to the TFTP server on CUCM. It requires that the client logs in internally first.

<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Policies>
    <ServiceDiscoveryExcludedServices>WEBEX</ServiceDiscoveryExcludedServices>
  </Policies>
</config>

• From an application perspective, run this: msiexec.exe /i CiscoJabberSetup.msi /quiet CLEAR=1 AUTHENTICATOR=CUP EXCLUDED_SERVICES=WEBEX
Jabber Registration – Walk Through

• Register Jabber client on UCM via MRA

Expected signaling flow for Jabber client logon and registration on a simple IM&P-based deployment.

[Sequence diagram; participants, left to right: Jabber Client, External DNS, Expressway E, Expressway C, Internal DNS, CUCM Home UDS, TFTP Server, IM&P Server]

Jabber login with [email protected]

DNS Query

SRV _cisco-uds._tcp.coluc.com

Query Response

Not Found

DNS Query

SRV _cuplogin._tcp.coluc.com

Query Response

Not Found

DNS Query

SRV _collab-edge._tls.coluc.com

Query Response

(Contains “Answers” including SRV and A/AAAA records)


Service: collab-edge
Protocol: tls
Name: coluc.com
Type: SRV
Port: 8443
Target: xwaye.coluc.com
SRV coluc.com

DNS Query

A xwaye.coluc.com

Query Response

(Contains “Answers” including A/AAAA record)


Name: xwaye.coluc.com
Type: A
Addr: 122.208.118.4

SSL: Client Hello

SSL: Server Hello

SSL: Certificate, Server Hello Done

Establish secure communication channel between VCS-E

HTTPS

HTTPS: GET /get_edge_config

Client requests Edge Configuration data

HTTPMSG:
GET https:///Y2lzY290cC5jb20/get_edge_config HTTP/1.1
Authorization: xxxxx <= Basic username and password
Host: xwaye.coluc.com:8443
User-Agent: Jabber-Win-746

HTTPS

HTTPS: GET /get_edge_config


HTTPMSG:
GET http://vcs_control.coluc.com:8443/Y2lzY290cC5jb20/get_edge_config HTTP/1.1
Authorization: xxxxx <= Basic username and password
Host: vcs_control.coluc.com:8443
User-Agent: Jabber-Win-746
X-Forwarded-For: 64.104.46.217 <= Address of Jabber client that VCS-E received from
Via: https/1.1 vcs[7AD07604] (ATS)
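To read these requests without pasting credentials into an online decoder, the base64 path segment and the Basic Authorization value can be decoded locally. This is an added example, not part of the original deck; the password in the sample is constructed and the function names are hypothetical.

```python
import base64
import binascii
from urllib.parse import urlsplit

def b64_decode_text(token):
    """Decode standard or URL-safe base64, tolerating stripped '=' padding."""
    token = token.strip().replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not base64 text: %s" % exc)

def encode_domain_segment(domain):
    """Encode a domain as a path segment; padding stripped to match the slide's form."""
    return base64.b64encode(domain.encode("utf-8")).decode("ascii").rstrip("=")

def parse_edge_request(request_line, headers):
    """Pull domain, resource and Basic user name out of an MRA HTTPS request."""
    method, target, _version = request_line.split()
    parts = urlsplit(target)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        raise ValueError("expected /<base64 domain>/<resource>")
    info = {"method": method, "host": parts.netloc or headers.get("Host"),
            "domain": b64_decode_text(segments[0]),
            "resource": "/".join(segments[1:]),
            "user": None, "password_present": False}
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic" and value:
        user, sep, password = b64_decode_text(value).partition(":")
        info["user"] = user
        info["password_present"] = bool(sep and password)  # never echo the secret
    return info

# Constructed sample: request shape taken from the slide, password made up.
# The path segment on the slide decodes to "ciscotp.com".
SAMPLE_LINE = "GET https:///Y2lzY290cC5jb20/get_edge_config HTTP/1.1"
SAMPLE_HEADERS = {
    "Host": "xwaye.coluc.com:8443",
    "User-Agent": "Jabber-Win-746",
    "Authorization": "Basic "
    + base64.b64encode(b"xwayj:constructed-secret").decode("ascii"),
}

if __name__ == "__main__":
    for key, value in parse_edge_request(SAMPLE_LINE, SAMPLE_HEADERS).items():
        print("%-17s %s" % (key, value))
```

Because Basic authentication is only base64, any trace or log that captures the Authorization header holds the user's password in recoverable form and should be handled accordingly.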

When the DNS records are not cached, Expressway C sends the following DNS queries:
DNS Query
SRV _cisco-uds._tcp.coluc.com
Query Response

(Target: colcm9pub.coluc.com)

SRV _cisco-phone-tftp._tcp.coluc.com
Query Response

(Target: colcm9pub.coluc.com)
DNS Query

A colcm9pub.coluc.com

Query Response

(Addr: 172.16.1.36)

DNS Query

SRV _cuplogin._tcp.coluc.com

Query Response

(Target: colcup.coluc.com)

DNS Query

A colcup.coluc.com

Query Response

(Addr: 172.16.1.33)

HTTP(S)

HTTPS: GET //<cucm-fqdn>/cucm-uds/clusterUser?<user-name>


Requesting CUCM home node information

HTTPMSG:
GET //colcm9pub:8443/cucm-uds/clusterUser?username=xwayj HTTP/1.1

HTTP(S) 200 OK

HTTPMSG:
HTTP/1.1 200 OK
Content-Type: application/xml
Server:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><clusterUser uri="https://colcm9pub:8443/cucm-uds/clusterUser?username=xwayj" version="9.1.2"><result version="9.1.2" uri="https://172.16.1.36:8443/cucm-uds/user/xwayj" found="true"/><homeCluster>172.16.1.36</homeCluster></clusterUser>

At this point the diagnostic log should show the “Found user cluster” and “Found UDS server” internal status entries:
===========================================================
Module="developer.edgeconfigprovisioning.server" Level="DEBUG"
CodeLocation="edgeconfigprovisioningserver(655)" Detail="Found user cluster" Username="xwayj"
Cluster="172.16.1.36"

Module="developer.edgeconfigprovisioning.server" Level="DEBUG"
CodeLocation="edgeconfigprovisioningserver(682)" Detail="Found UDS server" Cluster="172.16.1.36"
UdsServer="colcm9pub"
===========================================================

HTTP(S)

HTTPS: GET //<cucm-fqdn>/cucm-uds/user/<user-name>/devices


Get Devices

HTTPMSG:
GET //colcm9pub:8443/cucm-uds/user/xwayj/devices HTTP/1.1
Authorization: <CONCEALED>

HTTP(S) 200 OK

HTTPMSG:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONIDSSO=xxxxx, Path=/; Secure; HttpOnly
Set-Cookie: JSESSIONID=xxxxx; Path=/cucm-uds/; Secure; HttpOnly
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><devices version="9.1.2" uri="https://colcm9pub:8443/cucm-uds/user/xwayj/devices"><device hasPrimaryNumber="false" uri="https://colcm9pub:8443/cucm-uds/user/xwayj/device/663e40ed-b3bd-3060-5483-b6721d04c32e"><id>663e40ed-b3bd-3060-5483-b6721d04c32e</id><name>CSFxwayj</name><model>Cisco Unified Client Services Framework</model> ….. </device></devices>

HTTPS 200 OK

Returned configuration:
1) IMP, CUCM, TFTP SRV
2) SIP edge
3) Randomized list of UDS
4) XMPP edge
5) HTTP edge
etc.

HTTPMSG:
HTTP/1.1 200 OK
Server: CE_C ECS
Set-Cookie: X-Auth=<edge token>; Expires=xxxxx; Domain=.coluc.com; Path=/; Secure
<?xml version='1.0' encoding='UTF-8'?> <getEdgeConfigResponse version="1.0"><serviceConfig><service><name>_cisco-phone-tftp</name><server><priority>0</priority><weight>0</weight><port>69</port><address>colcm9pub.coluc.com</address></server></service><service><name>_cuplogin</name><server><priority>0</priority><weight>0</weight><port>8443</port><address>imp33.coluc.com</address></server> ….. </edgeConfig></getEdgeConfigResponse>

HTTPS 200 OK

HTTPMSG:
HTTP/1.1 200 OK
Server: CE_C ECS
Set-Cookie: X-Auth=<edge token>; Expires=xxxxx; Domain=.coluc.com; Path=/; Secure
<?xml version='1.0' encoding='UTF-8'?> <getEdgeConfigResponse version="1.0"><serviceConfig><service><name>_cisco-phone-tftp</name><server><priority>0</priority><weight>0</weight><port>69</port><address>colcm9pub.coluc.com</address></server></service><service><name>_cuplogin</name><server><priority>0</priority><weight>0</weight><port>8443</port><address>imp33.coluc.com</address></server> ….. </edgeConfig></getEdgeConfigResponse>

HTTPS

HTTPS: GET /jabber-config.xml


HTTPMSG:
GET https:///...../jabber-config.xml HTTP/1.1
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746

HTTPS: POST /EPASSoap/service/ login


HTTPMSG:
POST https:///...../EPASSoap/service/v80 HTTP/1.1
Host: xwaye.coluc.com:8443
User-Agent: gSOAP/2.8
User-Agent: Jabber-Win-746
Cookie: $Version=1;X-Auth=<edge token>;$Path="/";$Domain=".coluc.com"
SOAPAction: "urn:cisco:epas:soap/EpasSoapServiceInterface/login"

….

HTTPS

HTTPS: GET /EPASSoap/service / CTLSEP<CSFUSERNAME>.tlv


HTTPMSG:
GET https:///...../CTLSEPCSFxwayj.tlv HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746

HTTPS: GET /EPASSoap/service / CTLSEP<CSFUSERNAME>.cnf.xml


HTTPMSG:
GET https:///....../CSFxwayj.cnf.xml HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746

SIP - REFER

REFER sip:colcm9pub SIP/2.0

Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: [email protected]
CSeq: 1000 REFER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.30:5061;transport=tls;zone-id=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>

Client includes the route set received at startup negotiation

SIP 407 Proxy Authentication Required

SIP - REFER

REFER sip:colcm9pub SIP/2.0


Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: [email protected]
CSeq: 1001 REFER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.31:5061;transport=tls;zone-id=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>
Proxy-Authorization: Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub", response="4900cdfe65c4a4551f1129903c9ed98d", nonce="xxxxx", opaque="xxxxx", cnonce="000030a0", qop=auth, nc=00000001, algorithm=MD5

SIP - REFER

REFER sip:colcm9pub SIP/2.0


Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: [email protected]
CSeq: 1001 REFER
Refer-To: <cid:[email protected]>
Referred-By: <sip:[email protected]>
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:colcm9pub>
Route: <sip:colcm9pub;transport=tcp;lr>
P-Asserted-Identity: <sip:[email protected]>

SIP - REFER

REFER sip:colcm9pub SIP/2.0


Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: [email protected]
CSeq: 1001 REFER
Refer-To: <cid:[email protected]>
Referred-By: <sip:[email protected]>
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:colcm9pub>
Route: <sip:colcm9pub;transport=tcp;lr>
P-Asserted-Identity: <sip:[email protected]>

SIP

SIP 202 Accepted

SIP 202 Accepted

202 Accepted

SIP - REGISTER

REGISTER sip:colcm9pub SIP/2.0

Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: [email protected]
CSeq: 101 REGISTER
Contact: <sip:..... @10.71.50.153:50036;transport=tls>;+sip.instance="<urn:uuid:00000000-0000-0000-0000-081196545e65>";+sip.instance="<urn:uuid:00000000-0000-0000-0000-081196545e65>";+u.sip!devicename.ccm.cisco.com="CSFxwayj";+u.sip!model.ccm.cisco.com="503";video
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.30:5061;transport=tls;zone-id=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>

Registration request including Contact and all Route information

SIP 407 Proxy Authentication Required

SIP - REGISTER

REGISTER sip:colcm9pub SIP/2.0


Via: SIP/2.0/TLS 10.71.50.153:50036;branch=…..
CSeq: 102 REGISTER
Contact: <sip:[email protected]:50036;transport=tls>…..
+u.sip!devicename.ccm.cisco.com="CSFxwayj";+u.sip!model.ccm.cisco.com="503"
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Proxy-Authorization: Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub", response="4900cdfe65c4a4551f1129903c9ed98d", nonce="xxxxx", opaque="xxxxx", cnonce="000030a0", qop=auth, nc=00000001, algorithm=MD5

SIP - REGISTER

REGISTER sip:colcm9pub SIP/2.0

Via: SIP/2.0/TCP 0.0.0.0;egress-zone=TokyoVCS;…..;proxy-call-id=…..
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=…..;received=64.104.46.217;rport=9706;ingress-zone=CollaborationEdgeZone
CSeq: 102 REGISTER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>

Via information includes:
1) Edge zone name
2) Client local and NAT address with port number

SIP - REGISTER

REGISTER sip:colcm9pub SIP/2.0

Via: SIP/2.0/TCP 172.16.1.30:5060;egress-zone=CEtcpcolcm9pub;…..;proxy-call-id=…..
Via: SIP/2.0/TCP 0.0.0.0;egress-zone=TokyoVCS;…..;proxy-call-id=…..
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=…..;received=64.104.46.217;rport=9706;ingress-zone=CollaborationEdgeZone
CSeq: 101 REGISTER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:colcm9pub;transport=tcp;lr>

Proxy registration to CUCM
The CSeq number for REGISTER is managed separately

SIP
100 Trying
References

 X8.1.1 Mobile and Remote Access deployment guide
<to be released soon>
 Jabber for Windows 9.7 install/config guide
(check the chapter on deployment options for more on service discovery)
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/9_7/JABW_BK_C4C679C9_00_cisco-jabber-for-windows-97.html
 Jabber for Windows 9.7 release notes
(double-check what is and is not supported in edge mode)
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/9_7/JABW_BK_CF8F083D_00_cisco-jabber-for-windows-97.html
 Base64 encode/decode
http://www.base64decode.org/
New Endpoint Support

[Diagram: Collaboration Services, Unified CM, Expressway C, Expressway E and the Internet, across the Inside firewall (Intranet), DMZ and Outside firewall (Public Internet) zones]

DX650, DX70, DX80
8811, 8841, 8851, 8861
7821, 7841, 7861

Thank you.
