When speaking about the Unified Communications products and services offered by Cisco, one solution comes to mind more often than not: Cisco Expressway.
Cisco Expressway offers highly secure remote access for users to all collaboration tools and services inside your organization, including voice, content, IM & Presence and video. Furthermore, Expressway can unite your organization with other organizations that have similar services in place.
The advanced Cisco Expressway collaboration gateways are a significant enhancement to your Unified Communications environment and should be considered by anyone who has not yet implemented them.
Stack8 has solid experience, built over the past seven-plus years, implementing and troubleshooting the various features of Cisco Expressway collaboration gateways.
In this article, we will explain the different pitfalls and challenges that organizations meet when it is time to implement Expressway within the organization’s network. We will not list all the firewall ports or DNS records that need to be configured in a typical deployment, because that part is already well documented by Cisco.
The purpose of this article is to guide you through the details and steps that are particular or need special attention, as well as methods of troubleshooting during or after your deployment.
Internal and External DNS A and SRV records:
You have to configure multiple DNS SRV records, both internal and external, for your organization.
It is important to remember that your internal A record for the Edge should point to the internal interface IP address (in a dual NIC deployment).
Configure an internal DNS server as the resolver for your Core servers and an external (public) DNS server as the resolver for your Edge servers.
Cisco provides a handy tool that can help with your Expressway deployment. The Collaboration Solutions Analyzer (SRV checker section) will verify whether all external DNS records are configured. You can filter the records per feature; see the example below for the Stack8.com domain (all features selected):
Also, make sure to deploy the following SRV records only in your internal network; _cisco-uds and _cuplogin should not resolve on the internet:
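The split-horizon rule above (internal-only SRV records, plus an Edge A record that resolves to the internal NIC inside and to the public address outside) is easy to get wrong when two teams maintain two zones. The following script, added for this article and not a Cisco or Stack8 tool, compares exports of an internal and an external zone and reports the mismatches. The domain, hostnames, addresses and zone contents are constructed for the demo; the `_collab-edge._tls` record used for the public side is the one a standard MRA deployment publishes, and is an assumption on the part of this example rather than something the article lists.

```python
"""Split-horizon DNS sanity check for an Expressway deployment.

Added example written for this article; it is not a Cisco or Stack8 tool.
The domain, hostnames, zone contents and IP addresses are constructed for
illustration (RFC 1918 / RFC 5737 ranges). Replace them with exports of
your own internal and external zones.
"""

# SRV records that must resolve ONLY on the internal network: they send
# clients straight to CUCM / IM&P and must not leak to the internet.
INTERNAL_ONLY_SRV = ("_cisco-uds._tcp", "_cuplogin._tcp")

# SRV record an MRA deployment publishes on public DNS so that clients
# discover the Expressway-E (assumption based on standard MRA deployments).
EXTERNAL_SRV = ("_collab-edge._tls",)


def check_split_horizon(domain, internal_zone, external_zone,
                        edge_host, edge_internal_ip, edge_public_ip):
    """Return a list of findings; an empty list means the zones look right.

    Each zone is a dict: fully qualified record name -> list of record data
    strings ("prio weight port target" for SRV, the address for A).
    """
    findings = []

    for name in INTERNAL_ONLY_SRV:
        fqdn = f"{name}.{domain}"
        if fqdn not in internal_zone:
            findings.append(f"missing internal SRV record {fqdn}")
        if fqdn in external_zone:
            findings.append(f"{fqdn} resolves on the internet; remove it from the external zone")

    for name in EXTERNAL_SRV:
        fqdn = f"{name}.{domain}"
        if fqdn not in external_zone:
            findings.append(f"missing external SRV record {fqdn}")

    # Dual NIC: internal A record -> internal interface,
    # external A record -> public (static NAT) address.
    edge_fqdn = f"{edge_host}.{domain}"
    internal_a = internal_zone.get(edge_fqdn, [])
    if edge_internal_ip not in internal_a:
        findings.append(f"internal A record for {edge_fqdn} should be {edge_internal_ip}, got {internal_a}")
    external_a = external_zone.get(edge_fqdn, [])
    if edge_public_ip not in external_a:
        findings.append(f"external A record for {edge_fqdn} should be {edge_public_ip}, got {external_a}")
    if edge_internal_ip in external_a:
        findings.append(f"external zone publishes the internal address {edge_internal_ip} for {edge_fqdn}")

    return findings


# Constructed zones for the demo.
DOMAIN = "example.com"
INTERNAL_ZONE = {
    "_cisco-uds._tcp.example.com": ["10 10 8443 cucm1.example.com"],
    "_cuplogin._tcp.example.com": ["10 10 8443 imp1.example.com"],
    "expe.example.com": ["10.10.10.10"],          # Expressway-E internal NIC
}
EXTERNAL_ZONE_OK = {
    "_collab-edge._tls.example.com": ["10 10 8443 expe.example.com"],
    "expe.example.com": ["192.0.2.10"],           # public static NAT address
}
EXTERNAL_ZONE_BAD = {
    "_collab-edge._tls.example.com": ["10 10 8443 expe.example.com"],
    "_cisco-uds._tcp.example.com": ["10 10 8443 cucm1.example.com"],  # leaked
    "expe.example.com": ["10.10.10.10"],          # internal address published
}

if __name__ == "__main__":
    for label, ext in (("ok", EXTERNAL_ZONE_OK), ("bad", EXTERNAL_ZONE_BAD)):
        result = check_split_horizon(DOMAIN, INTERNAL_ZONE, ext, "expe", "10.10.10.10", "192.0.2.10")
        print(label, result or "no findings")
```

Feeding the script real data only requires dumping each zone into the same name-to-records dict; the three checks it performs are exactly the ones the SRV checker cannot do for you, because that tool only sees the public side.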
Firewall Design Considerations
Should you use a single or dual NIC on the Cisco Expressway Edge for your deployment? Stack8 recommends the use of dual NIC. Single NIC has several drawbacks. First, the NAT reflection required with a single NIC results in an asymmetric routing design, which is a security concern. Second, not all firewalls support hair-pinned media. There is also a concern with excessive bandwidth consumption. Lastly, you may have to deal with public IP exposure in SIP signaling to the B2BUA.
Next, disable ALG and/or SIP inspection on the firewall. ALG is also referred to as inspection or application awareness: the firewall identifies SIP and H.323 traffic and modifies the payload by replacing the public IP with the private IP. In some instances, with SIP TLS, the firewall will not be able to apply the inspection rules. Therefore the best course of action is to disable inspection. The external interface of the Edge server is then configured in static NAT mode (Advanced Networking option key required).
If your organization is using an IDS or IPS, make sure it accurately identifies SIP TLS traffic (SIP TLS uses port 5061). We have seen cases where SIP TLS was classified as generic SSL traffic, and the TCP session timeout created a race condition with the SIP session refresh timer, resulting in SIP sessions being dropped. The workaround is to increase the TCP session timeout. The SIP session refresh interval in Expressway is the maximum time allowed between session refresh requests for SIP calls. The default value is 1800; the range is 90 to 86400.
You can use the automated protection service to detect and block malicious traffic and to help protect the Cisco Expressway from dictionary-based attempts to breach login security.
It works by parsing the system log files to detect repeated failures to access specific service categories, such as SIP, SSH and web/HTTPS access. When the number of failures within a specified time window reaches the configured threshold, the source host address (the intruder) and destination port are blocked for a specified period of time.
Stack8 has seen cases where regular users are blocked because the “HTTP proxy resource access requests” or “HTTP proxy authorization requests” failed more than the configured threshold within the configured detection window. That can happen when a user has numerous devices requesting registration or device information from CUCM, all behind the same IP address outside your corporate network. Stack8 recommends that you either configure a reasonable “Trigger level” or turn off “HTTP proxy resource access failures” and “HTTP proxy authorization requests” on the System Protection, Automated detection configuration page.
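To make the false-positive case concrete, here is a small sliding-window detector of the kind the automated protection service runs over its logs, added for this article and not Expressway code. It is run over constructed log lines: one home-office NAT address with six devices that each fail an HTTP proxy authorization once within a short period, one address producing a steady stream of SSH failures, and one isolated SSH mistake. The log line format is invented for the demo, and the trigger level (5) and detection window (60 s) are assumptions, not Cisco defaults; read the real values from your own Automated detection configuration page. The `monitored_categories` argument plays the role of enabling or disabling a category on that page, and the trigger level argument shows the effect of raising it.

```python
"""Sliding-window failure counting of the kind Expressway's automated
protection performs, run over constructed log lines.

Added example for this article; it is not Expressway code, the log line
format is invented for the demo, and the trigger level and window used
below are assumptions rather than Cisco defaults.
"""
import re
from collections import defaultdict, deque

# Constructed log format: "<epoch seconds> <category> failure from <ip> to port <port>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<category>.+?) failure from (?P<src>[\d.]+) to port (?P<port>\d+)$"
)

# Constructed sample log (see the module docstring).
HOME_NAT = "203.0.113.20"        # one public address, six Jabber devices behind it
SSH_HAMMER = "198.51.100.7"      # steady SSH failures every second
SAMPLE_LOG = (
    [f"{1000 + 5 * i} HTTP proxy authorization failure from {HOME_NAT} to port 8443"
     for i in range(6)]
    + [f"{2000 + i} SSH failure from {SSH_HAMMER} to port 22" for i in range(12)]
    + ["3000 SSH failure from 203.0.113.21 to port 22"]   # a single typo, never blocked
)


def detect_intruders(log_lines, trigger_level, window_seconds, monitored_categories):
    """Return {(src_ip, port): timestamp_blocked} for every source/port pair whose
    failures in a monitored category reached trigger_level within window_seconds.

    Categories outside monitored_categories are ignored, which is what turning
    the category off on the Automated detection configuration page achieves.
    """
    recent = defaultdict(deque)   # (category, src, port) -> timestamps inside the window
    blocked = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None or m["category"] not in monitored_categories:
            continue
        ts = int(m["ts"])
        key = (m["category"], m["src"], m["port"])
        window = recent[key]
        window.append(ts)
        # Drop failures that have aged out of the detection window.
        while window and ts - window[0] > window_seconds:
            window.popleft()
        target = (m["src"], m["port"])
        if len(window) >= trigger_level and target not in blocked:
            blocked[target] = ts
    return blocked


if __name__ == "__main__":
    all_cats = {"HTTP proxy authorization", "SSH"}
    print("trigger 5, all categories:", detect_intruders(SAMPLE_LOG, 5, 60, all_cats))
    print("trigger 5, SSH only:      ", detect_intruders(SAMPLE_LOG, 5, 60, {"SSH"}))
    print("trigger 10, all categories:", detect_intruders(SAMPLE_LOG, 10, 60, all_cats))
```

With the assumed settings the home-office address is blocked on port 8443 at the fifth failure, exactly the situation described above. Either of the two fixes the article recommends clears it: dropping the HTTP proxy category from the monitored set leaves only the SSH source blocked, and raising the trigger level to 10 spares the six-device user while still blocking the SSH source at its tenth failure.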
Below are the default settings for HTTP proxy resource access failure:
If your organization has already purchased CUWL Std or CUWL Pro licenses, Expressway MRA comes at no additional cost. All you need is to request the Expressway activation keys and option keys for the MRA deployment from your Cisco Account Manager. On the other hand, if you wish to implement the Business-to-Business (B2B) feature, you will have to purchase additional RMS licenses for the traversal calls. There is also an additional cost for TelePresence or Room Kit unit registration: you will have to buy licenses to be able to use the Expressway for call control.
Expressway Troubleshooting Tools
The first thing you will be asked when opening a TAC case for a Cisco Expressway related problem is to upload diagnostic logs from both servers, Edge and Core. From the Expressway web administration page, go to Maintenance, Diagnostics, Diagnostic logging, make sure to select the “Take tcpdump while logging” option and start logging. Once the problem has been reproduced, stop the logging and download the logs.
As mentioned earlier in this blog, Cisco has developed multiple useful tools for validating Expressway configuration during deployment as well as for troubleshooting problems with the different Expressway features.
The Collaboration Solutions Analyzer has four sections:
- The first tool is the “SRV checker”, which verifies all the DNS records necessary for each feature you want to deploy.
- The second tool is the “CollabEdge validator”, which can verify your MRA deployment; you need to provide the domain, username and password of your test user.
- The third tool is the “B2B call tester”, which generates a testing space for you that is used to make and receive test calls with both the SIP and H.323 protocols.
- The final tool is the Log analyzer, which you use with the diagnostic logs previously downloaded from your Expressway servers. The tool performs a deep analysis of your system based on the uploaded logs and provides a report on the features deployed and the bugs and problems discovered.
The Stack8 professional services team are experts in implementing and troubleshooting Cisco Expressway and will help you with any challenges.