Cisco Cisco Expressway 维护手册
The /get_edge_sso request from the client asks whether the client may try to authenticate the user by
SSO. In this request, the client provides an identity of the user that the Expressway-C can use to find the
user's home cluster:
SSO. In this request, the client provides an identity of the user that the Expressway-C can use to find the
user's home cluster:
n
The default option is Yes to Check for internal SSO availability:
The Expressway-E passes the request to the Expressway-C. The Expressway-C uses a round-robin
algorithm to select a Unified CM node, and makes a UDS query for the supplied identity against that node.
The Unified CM determines which node is the user's home node, and whether it is capable of doing
SSO for the user, and then tells the Expressway-C the outcome. The Expressway-C then tells the
Expressway-E which responds true or false to the client.
The Expressway-E passes the request to the Expressway-C. The Expressway-C uses a round-robin
algorithm to select a Unified CM node, and makes a UDS query for the supplied identity against that node.
The Unified CM determines which node is the user's home node, and whether it is capable of doing
SSO for the user, and then tells the Expressway-C the outcome. The Expressway-C then tells the
Expressway-E which responds true or false to the client.
n
If you select No to Check for internal SSO availability:
The Expressway-E always responds true to /get_edge_sso requests. It does not make the inwards
request to the user's home Unified CM, and thus cannot know whether SSO is really available there.
The Expressway-E always responds true to /get_edge_sso requests. It does not make the inwards
request to the user's home Unified CM, and thus cannot know whether SSO is really available there.
When the client receives a true response from Expressway-E, it will try to /get_edge_config via SSO.
If it gets false, it will try /get_edge_config using whatever credentials it has - credentials which are
independent from the identity managed by UDS inside the enterprise. If it gets true and SSO is not actually
enabled on the user's home node, then /get_edge_config will fail and the client will not try the other
authentication option.
If it gets false, it will try /get_edge_config using whatever credentials it has - credentials which are
independent from the identity managed by UDS inside the enterprise. If it gets true and SSO is not actually
enabled on the user's home node, then /get_edge_config will fail and the client will not try the other
authentication option.
The option you should choose depends entirely on your implementation. If you have a homogenous
environment, in which all Unified CM nodes are capable of SSO, you can reduce response time and overall
network traffic by selecting No. By contrast, if you want clients to use either mode of getting the edge
configuration - during rollout or because you cannot guarantee that SSO is available on all nodes - you should
select Yes.
environment, in which all Unified CM nodes are capable of SSO, you can reduce response time and overall
network traffic by selecting No. By contrast, if you want clients to use either mode of getting the edge
configuration - during rollout or because you cannot guarantee that SSO is available on all nodes - you should
select Yes.
Checking the status of Unified Communications services
You can check the status of the Unified Communications services on both Expressway-C and Expressway-
E.
E.
1. Go to
Status > Unified Communications
.
2. Review the list and status of domains, zones and (Expressway-C only) Unified CM and IM&P servers.
Any configuration errors will be listed along with links to the relevant configuration page from where you
can address the issue.
can address the issue.
Mobile and remote access port reference
This section summarizes the ports that need to be opened on the firewalls between your internal network
(where the Expressway-C is located) and the DMZ (where the Expressway-E is located) and between the
DMZ and the public internet.
(where the Expressway-C is located) and the DMZ (where the Expressway-E is located) and between the
DMZ and the public internet.
Outbound from Expressway-C (private) to Expressway-E (DMZ)
Purpose
Protocol
Expressway-C (source)
Expressway-E (listening)
XMPP (IM and Presence)
TCP
Ephemeral port
7400
SSH (HTTP/S tunnels)
TCP
Ephemeral port
2222
Traversal zone SIP signaling
TLS
25000 to 29999
7001
Cisco Expressway Administrator Guide (X8.5.1)
Page 77 of 399
Unified Communications
Mobile and remote access