Cisco Cisco Expressway
Expressway X8.6 and later:
Mobile and Remote Access is now officially supported with the Cisco IP Phone 78/8800 Series, when the phones are
running firmware version 11.0(1) or later. We recommend Expressway X8.7 or later for use with these phones.
running firmware version 11.0(1) or later. We recommend Expressway X8.7 or later for use with these phones.
■
■
MRA is officially supported with the Cisco DX Series endpoints running firmware version 10.2.4(99) or later. This
support was announced with Expressway version X8.6.
support was announced with Expressway version X8.6.
■
■
■
When deploying DX Series or IP Phone 78/8800 Series endpoints to register with Cisco Unified Communications
Manager via Mobile and Remote Access, you need to be aware of the following:
Manager via Mobile and Remote Access, you need to be aware of the following:
■
Phone security profile:
If the phone security profile for any of these endpoints has TFTP Encrypted Config
checked, you will not be able to use the endpoint via Mobile and Remote Access. This is because the
MRA solution does not support devices interacting with CAPF (Certificate Authority Proxy Function).
MRA solution does not support devices interacting with CAPF (Certificate Authority Proxy Function).
■
Trust list:
You cannot modify the root CA trust list on these endpoints. Make sure that the Expressway-E's
server certificate is signed by one of the CAs that the endpoints trust, and that the CA is trusted by the
Expressway-C and the Expressway-E.
Expressway-C and the Expressway-E.
■
Bandwidth restrictions:
The Maximum Session Bit Rate for Video Calls on the default region on Cisco
Unified Communications Manager is 384 kbps by default. The Default call bandwidth on Expressway-C is also
384 kbps by default. These settings may be too low to deliver the expected video quality for the DX Series.
384 kbps by default. These settings may be too low to deliver the expected video quality for the DX Series.
Configuration Summary
EX/MX/SX Series Endpoints (Running TC Software)
Ensure that the provisioning mode is set to Cisco UCM via Expressway.
On Unified CM, you need to ensure that the IP Addressing Mode for these endpoints is set to IPV4_ONLY.
These endpoints must verify the identity of the Expressway-E they are connecting to by validating its server
certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server
certificate in their list of trusted CAs.
certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server
certificate in their list of trusted CAs.
These endpoints ship with a list of default CAs which cover the most common providers (Verisign, Thawte, etc). If the
relevant CA is not included, it must be added. See 'Managing the list of trusted certificate authorities' in the
endpoint's administrator guide.
relevant CA is not included, it must be added. See 'Managing the list of trusted certificate authorities' in the
endpoint's administrator guide.
Mutual authentication is optional; these endpoints are not required to provide client certificates. If you do want to
configure mutual TLS, you cannot use CAPF enrolment to provision the client certificates; you must manually apply
the certificates to the endpoints. The client certificates must be signed by an authority that is trusted by the
Expressway-E.
configure mutual TLS, you cannot use CAPF enrolment to provision the client certificates; you must manually apply
the certificates to the endpoints. The client certificates must be signed by an authority that is trusted by the
Expressway-E.
Jabber Clients
Jabber clients must verify the identity of the Expressway-E they are connecting to by validating its server certificate.
To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their
list of trusted CAs.
To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their
list of trusted CAs.
Jabber uses the underlying operating system's certificate mechanism:
■
Windows: Certificate Manager
■
MAC OS X: Key chain access
8
Mobile and Remote Access Through Cisco Expressway Deployment Guide
Configuration Overview