Cisco Cisco Expressway
Task 1: Prepare Expressway-C for Microsoft Interoperability
1.
Install the Expressway-C and configure it for networking.
When adding IP addresses, make sure to also give it local DNS and NTP servers that are used by the other
infrastructure elements in this deployment.
infrastructure elements in this deployment.
—
Cisco Expressway Virtual Machine Installation Guide on the
.
—
Cisco Expressway CE1100 Appliance Installation Guide on the
2.
Sign in to the web interface and follow the service setup wizard to get Expressway-C licensed for the
Microsoft Interoperability service.
Microsoft Interoperability service.
3.
Give the Expressway-C a system name and a cluster name, even if it is not going to be part of a cluster.
4.
Install a server certificate that has the peer FQDN as common name and has the cluster FQDN and peer FQDN
as SANs. The certificate’s signing authority must be trusted by the other infrastructure elements.
as SANs. The certificate’s signing authority must be trusted by the other infrastructure elements.
5.
[Optional] Repeat the previous sequence on up to 5 more Expressway-Cs and then cluster them.
6.
Enable SIP TLS mode.
Figure 3 Prepare the Expressway-C for Microsoft Interoperability
Task 2: Create a SIP TLS Trunk Between Cisco Unified Communications Manager
and Expressway-C
and Expressway-C
1.
Put the CUCM in Mixed Mode and check its basic configuration.
We recommend using TLS to secure all connections in this deployment. However, you can choose to leave
Unified CM in Non Secure mode, and create a TCP trunk towards Expressway-C.
Unified CM in Non Secure mode, and create a TCP trunk towards Expressway-C.
In this case, you must configure the Expressway-C to encrypt/decrypt on behalf of Unified CM, because the
rest of the deployment mandates TLS.
rest of the deployment mandates TLS.
2.
Install a server certificate that is signed by a CA trusted by the other infrastructure elements.
3.
Configure a SIP trunk security profile with these parameters:
Incoming and outgoing transports = TLS, inbound port = 5061, device security mode = encrypted, accept
unsolicited notification checked, accept replaces header checked, X.509 subject = Expressway-C cluster
FQDN.
unsolicited notification checked, accept replaces header checked, X.509 subject = Expressway-C cluster
FQDN.
4.
Create a new SIP trunk that uses the security profile you just created and trunks to destination port 5061.
5.
Make sure that Jabber is using a secure phone profile (the profile must have Device Security Mode =
Encrypted).
Encrypted).
Cisco Systems, Inc.
7