Cisco Expressway
On the Expressway-E:
1. Go to Configuration > Unified Communications > Configuration.
2. Locate Single Sign-on support and select On or Exclusive.
   Select the same value on the Expressway-C and Expressway-E.
   - On: The clients will attempt authentication at the IdP; if they fail, they can fall back on authenticating at the home node through the Expressway.
   - Exclusive: Clients may only authenticate at the IdP. This selection disables authentication at the home node through the Expressway.
3. Click Save.
Check for Internal SSO Availability
[Optional, when Single Sign-on Support is On]
Choose how the Expressway-E reacts to /get_edge_sso requests by selecting whether or not the Expressway-C should check the home nodes.
The /get_edge_sso request from the client asks whether the client may try to authenticate the user by SSO. In this request, the client provides an identity of the user that the Expressway-C can use to find the user's home cluster:
■ The default option is Yes to Check for internal SSO availability:
  The Expressway-E passes the request to the Expressway-C. The Expressway-C uses a round-robin algorithm to select a Unified CM node, and makes a UDS query for the supplied identity against that node. The Unified CM determines which node is the user's home node, and whether it is capable of doing SSO for the user, and then tells the Expressway-C the outcome. The Expressway-C then tells the Expressway-E which responds true or false to the client.
■ If you select No to Check for internal SSO availability:
  The Expressway-E always responds true to /get_edge_sso requests. It does not make the inwards request to the user's home Unified CM, and thus cannot know whether SSO is really available there.
When the client receives a true response from Expressway-E, it will try to /get_edge_config via SSO. If it gets false, it will try /get_edge_config using whatever credentials it has - credentials which are independent from the identity managed by UDS inside the enterprise. If it gets true and SSO is not actually enabled on the user's home node, then /get_edge_config will fail and the client will not try the other authentication option.
The option you should choose depends entirely on your implementation. If you have a homogenous environment, in which all Unified CM nodes are capable of SSO, you can reduce response time and overall network traffic by selecting No. By contrast, if you want clients to use either mode of getting the edge configuration - during rollout or because you cannot guarantee that SSO is available on all nodes - you should select Yes.
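The decision flow above, modeled as an added example (not Cisco code; it makes no requests to an Expressway). The node names, users and function names are constructed assumptions; the model shows which users a No setting would strand when some home nodes cannot do SSO.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """A Unified CM home node in a constructed inventory."""
    name: str
    sso_capable: bool


def edge_sso_response(check_internal: bool, home: Node) -> bool:
    """Answer the Expressway-E gives to /get_edge_sso for a user homed on `home`."""
    if not check_internal:
        return True  # "No": always true, the home node is never asked
    return home.sso_capable  # "Yes": UDS outcome relayed by the Expressway-C


def client_outcome(check_internal: bool, home: Node) -> str:
    """Follow the client's next step, /get_edge_config, to its result."""
    if edge_sso_response(check_internal, home):
        # The client commits to SSO; on failure it does not try the other option.
        return "sso" if home.sso_capable else "failed"
    return "credentials"


def audit(users: dict) -> dict:
    """Report users stranded by the No setting and which setting fits."""
    stranded = sorted(
        user for user, home in users.items()
        if client_outcome(False, home) == "failed"
    )
    return {"stranded_if_no": stranded, "recommend": "Yes" if stranded else "No"}


# Constructed inventory: one SSO-capable node, one node not yet migrated.
CUCM_A = Node("cucm-a.example.com", True)
CUCM_B = Node("cucm-b.example.com", False)
USERS = {"alice": CUCM_A, "bob": CUCM_B}

if __name__ == "__main__":
    for check in (True, False):
        label = "Yes" if check else "No"
        for user, home in USERS.items():
            print(f"check={label:3} {user:5} -> {client_outcome(check, home)}")
    print(audit(USERS))
```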
Dial via Office-Reverse through MRA
Your mobile workers need the same high quality, security and reliability that they experience when placing calls in the office. You can assure them of just that when you enable the Dial via Office-Reverse (DVO-R) feature and they are using Cisco Jabber on a dual-mode mobile device. DVO-R routes Cisco Jabber calls through the enterprise automatically.
DVO-R handles call signaling and voice media separately. All call signaling, including the signaling for Mobile and Remote Access on Expressway, traverses the IP connection between the client and Cisco Unified Communications Manager. Voice media traverses the cellular interface and hairpins at the enterprise Public Switched Telephone Network (PSTN) gateway.
Moving audio to the cellular interface ensures high-quality calls and securely maintained audio even when the IP connection is lost.
You can configure DVO-R so that, when a user makes a call, the return call from Cisco Unified Communications Manager goes to either:
Mobile and Remote Access Through Cisco Expressway Deployment Guide