Cisco Expressway Maintenance Manual
Note:
This feature is distinct from the multiple deployments feature released in X8.5. That feature is limited to one
domain per deployment, where all IM and Presence Service clusters within a deployment serve a single domain. This
feature is different because it concerns MRA support for all IM and Presence Service clusters within a deployment
serving a common set of one or more Presence domains.
Each new domain impacts the Expressway’s performance. We currently recommend that you do not exceed 50
domains.
X8.5
Feature previews
The following features are implemented in this version for the purpose of previewing with dependent systems. They
are not currently supported and should not be relied upon in your production environment. Full support for these
features is planned for a future release of the Expressway software.
(Preview) Single sign-on over MRA
Enables single sign-on (common identity) for SSO-capable clients that are accessing on-premises Unified
Communications services from outside the network.
(Preview) MRA support for new endpoints
Mobile and Remote Access is extended in this release to include support for the Cisco DX Series endpoints, and the
8800 Series and 7800 Series IP phones, registering to Cisco Unified Communications Manager. Some features on the
IP phones, particularly where they rely on DTMF/KPML pass-through, were not available in X8.5. This limitation was
resolved in X8.5.2.
Single sign-on over MRA
Use this feature to enable single sign-on for endpoints accessing Unified Communications services from outside the
network. Single sign-on over the edge relies on the secure traversal capabilities of the Expressway pair at the edge,
and trust relationships between the internal service providers and the externally resolvable identity provider (IdP).
The endpoints do not need to connect via VPN; they use one identity and one authentication mechanism to access
multiple Unified Communications services. Authentication is owned by the IdP, and there is no authentication at the
Expressway, nor at the internal Unified CM services.
Supported endpoints
■ Cisco Jabber 10.6 or later
Supported Unified Communications services
■ Cisco Unified Communications Manager 10.5(2) or later
■ Cisco Unity Connection 10.5(2) or later
■ Cisco Unified Communications Manager IM and Presence Service 10.5(2) or later
■ Other internal web servers, for example intranet
How it works
Cisco Jabber determines whether it is inside the organization's network before it requests a Unified Communications
service. If it is outside the network, then it requests the service from the Expressway-E on the edge of the network. If
single sign-on is enabled at the edge, the Expressway-E redirects Jabber to the IdP with a signed request to
authenticate the user.
The IdP challenges the client to identify itself. When this identity is authenticated, the IdP redirects Jabber's service
request back to the Expressway-E with a signed assertion that the identity is authentic.
The Expressway-E trusts the IdP, so it passes the request to the appropriate service inside the network. The Unified
Communications service trusts the IdP and the Expressway-E, so it provides the service to the Jabber client.
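The exchange described above, modelled as an added example (not Cisco code and not taken from this guide): the edge signs its request, the IdP signs its assertion, and the edge checks the assertion before passing anything inward. HMAC with constructed keys stands in for the signatures a real deployment uses; the function names, token fields and the replay, audience and expiry checks are assumptions for illustration.

```python
import base64, hashlib, hmac, json

# Constructed demo keys (assumption). HMAC is a stand-in for the signature
# scheme of a real deployment; every name below is hypothetical.
EDGE_KEY = b"constructed-edge-signing-key"
IDP_KEY = b"constructed-idp-signing-key"

def sign(key, payload):
    """Serialize the payload and append a signature tag."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    return body.decode() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(key, token):
    """Return the payload only if the tag matches; otherwise raise."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))

def edge_redirect(request_id, service, now):
    """Expressway-E role: the signed request carried in the redirect to the IdP."""
    return sign(EDGE_KEY, {"id": request_id, "service": service, "issued": now})

def idp_authenticate(signed_request, user, now, lifetime=300):
    """IdP role: accept only requests signed by the edge, then, once the
    user has passed the IdP's own challenge, sign an assertion for them."""
    req = verify(EDGE_KEY, signed_request)
    return sign(IDP_KEY, {"subject": user, "in_response_to": req["id"],
                          "audience": req["service"], "expires": now + lifetime})

def edge_accept(assertion, pending, service, now):
    """Expressway-E role: checks made before the request is passed inward."""
    a = verify(IDP_KEY, assertion)
    if a["in_response_to"] not in pending:
        raise ValueError("unsolicited or replayed assertion")
    if a["audience"] != service:
        raise ValueError("assertion issued for another service")
    if now >= a["expires"]:
        raise ValueError("assertion expired")
    pending.discard(a["in_response_to"])  # one assertion per request
    return a["subject"]
```

Because the edge performs no authentication of its own, these checks on the IdP's assertion are the only thing standing between an external client and the internal service.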
Cisco Expressway Administrator Guide