Cisco Cisco Expressway
Unified Communications prerequisites
Configuring a Secure Traversal Zone Connection for Unified
Communications
Communications
To support Unified Communications features (such as mobile and remote access or Jabber Guest), there
must be a Unified Communications traversal zone connection between the Expressway-C and the
Expressway-E. This involves:
must be a Unified Communications traversal zone connection between the Expressway-C and the
Expressway-E. This involves:
n
Installing suitable security certificates on the Expressway-C and the Expressway-E.
n
Configuring a Unified Communications traversal zone between the Expressway-C and the Expressway-E
Note: You should configure only one Unified Communications traversal zone per Expressway.
Installing Expressway Security Certificates
You must set up trust between the Expressway-C and the Expressway-E:
1. Install a suitable server certificate on both the Expressway-C and the Expressway-E.
l
The certificate must include the Client Authentication extension. The system will not allow you to
upload a server certificate without this extension when Unified Communications features have been
enabled.
upload a server certificate without this extension when Unified Communications features have been
enabled.
l
The Expressway includes a built-in mechanism to generate a certificate signing request (CSR) and is
the recommended method for generating a CSR:
the recommended method for generating a CSR:
o
Ensure that the CA that signs the request does not strip out the client authentication extension.
o
The generated CSR includes the client authentication request and any relevant subject alternate
names for the Unified Communications features that have been enabled (see
names for the Unified Communications features that have been enabled (see
l
To generate a CSR and /or to upload a server certificate to the Expressway, go to
Maintenance >
Security certificates > Server certificate
. You must restart the Expressway for the new server
certificate to take effect.
2. Install on both Expressways the trusted Certificate Authority (CA) certificates of the authority that signed
the Expressway's server certificates.
There are additional trust requirements, depending on the Unified Communications features being
deployed.
For mobile and remote access deployments:
There are additional trust requirements, depending on the Unified Communications features being
deployed.
For mobile and remote access deployments:
l
The Expressway-C must trust the Unified CM and IM&P tomcat certificate.
l
If appropriate, both the Expressway-C and the Expressway-E must trust the authority that signed the
endpoints' certificates.
endpoints' certificates.
For Jabber Guest deployments:
l
When the Jabber Guest server is installed, it uses a self-signed certificate by default. However, you
can install a certificate that is signed by a trusted certificate authority. You must install on the
Expressway-C either the self-signed certificate of the Jabber Guest server, or the trusted CA
certificates of the authority that signed the Jabber Guest server's certificate.
can install a certificate that is signed by a trusted certificate authority. You must install on the
Expressway-C either the self-signed certificate of the Jabber Guest server, or the trusted CA
certificates of the authority that signed the Jabber Guest server's certificate.
To upload trusted Certificate Authority (CA) certificates to the Expressway, go to
Maintenance >
Security certificates > Trusted CA certificate
. You must restart the Expressway for the new trusted
CA certificate to take effect.
Unified Communications Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.6)
Page 17 of 55
Unified Communications prerequisites