Cisco Expressway Maintenance Manual
Expressway-C server certificate requirements
The Expressway-C server certificate needs to include the following elements in its list of subject alternative
names:
• The Chat Node Aliases that are configured on the IM and Presence servers. These are required only for
Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note
that Unified Communications XMPP federation will be supported in a future Expressway release.)
The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a
set of IM&P servers.
• The names, in FQDN format, of all of the Phone Security Profiles in Unified CM that are configured for
encrypted TLS and are used for devices requiring remote access. This ensures that Unified CM can
communicate with Expressway-C via a TLS connection when it is forwarding messages from devices that
are configured with those security profiles.
A new certificate may need to be produced if chat node aliases are added or renamed, such as when an IM
and Presence node is added or renamed, or if new TLS phone security profiles are added. You must restart
the Expressway-C for any newly uploaded server certificate to take effect.
Expressway-E server certificate requirements
The Expressway-E server certificate needs to include the following elements in its list of subject alternative
names:
• All of the domains which have been configured for Unified Communications. They are required for secure
communications between endpoint devices and Expressway-E.
This should include the email address domain entered by users of the client application (e.g. Jabber) and
any presence domains (as configured on the Expressway-C) if they are different. There is no need to
include the domains in DNS-SEC deployments.
• The same set of Chat Node Aliases as entered on the Expressway-C's certificate, if you are deploying
federated XMPP. Note that the list of required aliases can be viewed (and copy-pasted) from the equivalent
Generate CSR page on the Expressway-C.
A new certificate must be produced if new presence domains or chat node aliases are added to the system.
You must restart the Expressway-E for any newly uploaded server certificate to take effect.
create and upload the Expressway's server certificate and how to upload a list of trusted certificate
authorities.
Setting up secure Expressway traversal zones
You must configure a secure traversal zone connection between the Expressway-C and the Expressway-E.
• The traversal client zone and the traversal server zone must be configured to use SIP TLS with TLS verify
mode set to On, and Media encryption mode must be Force encrypted.
• Both Expressways must trust each other's server certificate. As each Expressway acts both as a client
and as a server, you must ensure that each Expressway's certificate is valid both as a client and as a
server.
• If an H.323 or a non-encrypted connection is required, a separate pair of traversal zones must be configured.
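The two certificate-requirement sections above and the traversal-zone rule that each certificate must be valid as both client and server are easy to get wrong at CSR time and easy to check after issuance. The following is an added example, not code from the Cisco guide or from Expressway itself: it builds the required SAN list for either role, renders it as an OpenSSL request config, and checks the text output of `openssl x509 -noout -text` for the SANs and for both the TLS Web Server and TLS Web Client EKUs. The host names, chat node aliases, phone security profile names and the abridged certificate text are constructed samples; the use of the Expressway's own FQDN as the CN is an assumption, not something this page states.

```python
"""Added example (not Cisco's code): required SANs for an Expressway server
certificate, an OpenSSL CSR config carrying them, and a post-issuance check
of SANs plus serverAuth/clientAuth EKUs on `openssl x509 -noout -text` output."""
import re

SERVER_EKU = "TLS Web Server Authentication"
CLIENT_EKU = "TLS Web Client Authentication"


def required_sans(role, uc_domains=(), presence_domains=(),
                  chat_node_aliases=(), phone_security_profiles=()):
    """Return the de-duplicated, lower-cased SAN list the guide requires.

    Expressway-C: chat node aliases (XMPP federation) plus the FQDN-format
    names of the TLS Phone Security Profiles.
    Expressway-E: Unified Communications domains, presence domains (if they
    differ) and the same chat node aliases as the Expressway-C.
    """
    if role == "Expressway-C":
        names = list(chat_node_aliases) + list(phone_security_profiles)
    elif role == "Expressway-E":
        names = list(uc_domains) + list(presence_domains) + list(chat_node_aliases)
    else:
        raise ValueError(f"unknown role: {role}")
    seen, out = set(), []
    for name in names:
        name = name.strip().lower()
        if name and name not in seen:  # a presence domain equal to the UC domain is listed once
            seen.add(name)
            out.append(name)
    return out


def openssl_csr_config(common_name, sans):
    """Render a minimal `openssl req -config` file with the SANs in [alt_names].

    Assumption: the Expressway's own FQDN is the CN and is also listed as a SAN.
    The CA, not the CSR, decides which EKUs the issued certificate gets, so the
    issued certificate is checked separately with check_certificate().
    """
    common_name = common_name.strip().lower()
    names = [common_name] + [s for s in sans if s != common_name]
    lines = ["[req]", "distinguished_name = dn", "req_extensions = v3_req", "prompt = no",
             "[dn]", f"CN = {common_name}",
             "[v3_req]",
             "extendedKeyUsage = serverAuth, clientAuth",  # valid as client and as server
             "subjectAltName = @alt_names",
             "[alt_names]"]
    lines += [f"DNS.{i} = {n}" for i, n in enumerate(names, 1)]
    return "\n".join(lines) + "\n"


def parse_cert_text(text):
    """Extract SAN DNS names and EKU purposes from `openssl x509 -noout -text` output."""
    sans, ekus = [], []
    m = re.search(r"Subject Alternative Name:[^\n]*\n[ \t]*([^\n]+)", text)
    if m:
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                sans.append(entry[4:].strip().lower())
    m = re.search(r"Extended Key Usage:[^\n]*\n[ \t]*([^\n]+)", text)
    if m:
        ekus = [e.strip() for e in m.group(1).split(",")]
    return sans, ekus


def check_certificate(text, required, need_client_and_server=True):
    """Return a list of problems (empty when the certificate satisfies the requirements)."""
    sans, ekus = parse_cert_text(text)
    problems = [f"missing SAN: {n}" for n in (r.lower() for r in required) if n not in sans]
    if need_client_and_server:  # secure traversal zone: cert must be valid as client and server
        problems += [f"missing EKU: {p}" for p in (SERVER_EKU, CLIENT_EKU) if p not in ekus]
    return problems


# Constructed, abridged sample of `openssl x509 -noout -text` output; not a real certificate.
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:expe.example.com, DNS:example.com, DNS:conference-2-standaloneclusterabcd.example.com
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
"""
# Same certificate issued with a server-only EKU: unusable on a secure traversal zone.
SERVER_ONLY_CERT_TEXT = SAMPLE_CERT_TEXT.replace(f"{SERVER_EKU}, {CLIENT_EKU}", SERVER_EKU)


def demo():
    """Check both sample certificates against an Expressway-E SAN list."""
    sans = required_sans("Expressway-E", uc_domains=["example.com"], presence_domains=["Example.com"],
                         chat_node_aliases=["conference-2-StandAloneClusterabcd.example.com"])
    return check_certificate(SAMPLE_CERT_TEXT, sans), check_certificate(SERVER_ONLY_CERT_TEXT, sans)


if __name__ == "__main__":
    print(openssl_csr_config("expe.example.com", demo.__defaults__ or required_sans(
        "Expressway-E", uc_domains=["example.com"],
        chat_node_aliases=["conference-2-standaloneclusterabcd.example.com"])))
    good, bad = demo()
    print("full EKU cert:", good or "OK")
    print("server-only cert:", bad)
```

To use it against a real certificate, pipe `openssl x509 -in expressway.pem -noout -text` into `check_certificate()` together with the list from `required_sans()`; a non-empty result means either a SAN is missing (re-issue, then restart the Expressway) or the CA issued a server-only certificate, which the traversal zone's mutual TLS verification will reject.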
To set up a secure traversal zone, configure your Expressway-C and Expressway-E as follows:
Cisco Expressway Administrator Guide (X8.1), Unified Communications: Configuring mobile and remote access on Expressway