Cisco Expressway Release Notes
Upgrading to X8.8.2
Prerequisites and Software Dependencies
Upgrade Caution, PLEASE READ:
X8.8 is more secure than earlier versions. Upgrading could cause your
deployments to stop working as expected, so you must check for the following environmental issues before you
upgrade to X8.8:
■ Minimum versions of Unified Communications infrastructure: Unified CM, IM and Presence Service, and Cisco
Unity Connection have all been patched with CiscoSSL updates. Check that you're running the minimum
versions described in the Mobile and Remote Access deployment guide, before you upgrade Expressway to
X8.8.
IM and Presence Service 11.5 is an exception. You must upgrade Expressway to X8.8 before you upgrade
IM and Presence Service to 11.5.
■ Certificates: Certificate validation has been tightened up in X8.8.
— Try the secure traversal test before and after upgrade (Maintenance > Security certificates > Secure
traversal test) to validate TLS connections.
— Are your Unified Communications nodes using valid certificates that were issued by a CA in the
Expressway-Cs' trust list?
— If you are using self-signed certificates, are they unique? Does the trusted CA list on Expressway have the
self-signed certificates of all the nodes in your deployment?
— Are all entries in the Expressway's trusted CA list unique? You must remove any duplicates.
— If you have TLS verify enabled on connections to other infrastructure (always on by default for Unified
Communications traversal zone, and optional for zones to Unified Communications nodes) you must ensure
that the hostname is present in the CN or SAN field of the host's certificate. We do not recommend
disabling TLS verify mode, even though it may be a quick way to resolve a failing deployment.
■ DNS entries: Do you have forward and reverse DNS lookups for all infrastructure systems that the Expressway
interacts with?
Important! From version X8.8, you must create forward and reverse DNS entries for all Expressway-E
systems, so that systems making TLS connections to them can resolve their FQDNs and validate their
certificates.
If the Expressway cannot resolve hostnames and IP addresses of systems, your complex deployments (e.g.
MRA) could stop working as expected after you upgrade.
■ Cluster peers: Do they have valid certificates? If they are using default certificates you should replace them
with (at least) internally generated certificates and update the peers' trust lists with the issuing CA.
Note: If you are upgrading to X8.8 or later from an earlier version, clustering communications changed in X8.8
to use TLS connections between peers instead of IPSec. TLS verification is not enforced (by default) after you
upgrade, and you'll see an alarm reminding you to enforce TLS verification.
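A pre-upgrade check for two items on the checklist above (duplicate entries in the trusted CA list, and forward and reverse DNS agreement), given here as an added example and not Cisco code. It assumes the trusted CA list is available as a PEM bundle and treats byte-identical certificates as duplicates; the function names, sample bundle and FQDN are hypothetical.

```python
import base64, hashlib, re, socket
from collections import defaultdict

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def duplicate_ca_entries(pem_bundle):
    """Map SHA-256 fingerprint -> 1-based positions, for entries that repeat."""
    seen = defaultdict(list)
    for pos, match in enumerate(PEM_RE.finditer(pem_bundle), start=1):
        der = base64.b64decode("".join(match.group(1).split()))
        seen[hashlib.sha256(der).hexdigest()].append(pos)
    return {fp: where for fp, where in seen.items() if len(where) > 1}

def _forward(fqdn):   # default forward lookup (A records) via the system resolver
    return set(socket.gethostbyname_ex(fqdn)[2])

def _reverse(ip):     # default reverse lookup (PTR) via the system resolver
    name, aliases, _ = socket.gethostbyaddr(ip)
    return {name, *aliases}

def dns_problems(fqdn, forward=_forward, reverse=_reverse):
    """Return problems found; an empty list means forward and reverse agree."""
    want = fqdn.rstrip(".").lower()
    try:
        addrs = forward(fqdn)
        if not addrs:
            raise OSError("empty answer")
    except OSError as exc:   # socket.gaierror and socket.herror are OSError
        return [f"{fqdn}: no forward record ({exc})"]
    problems = []
    for ip in sorted(addrs):
        try:
            names = {n.rstrip(".").lower() for n in reverse(ip)}
        except OSError as exc:
            problems.append(f"{ip}: no reverse record ({exc})")
            continue
        if want not in names:
            problems.append(f"{ip}: reverse lookup gives {sorted(names)}, not {want}")
    return problems

# Constructed sample: placeholder bytes stand in for DER certificates.
def _pem(raw):
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = _pem(b"ca-one") + _pem(b"ca-two") + _pem(b"ca-one")

if __name__ == "__main__":
    print(duplicate_ca_entries(SAMPLE_BUNDLE))     # positions 1 and 3 share a fingerprint
    print(dns_problems("expe.example.com"))        # hypothetical Expressway-E FQDN
```

The `forward` and `reverse` parameters accept any callables, so the same check can be run against a zone export instead of the live resolver.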
Hybrid Services
Your Management Connector must be up to date before you upgrade your Expressway. You must authorize and
accept any upgrades advertised by the Cisco Collaboration Cloud before attempting to upgrade.
Note: X8.7.1 is now the minimum version required for Hybrid Services. If you are using Hybrid Services with X8.7, you
must upgrade to X8.7.1 or later.
Existing TMS Agent (Legacy Mode) Provisioning Deployments
Expressway X8.1 and later no longer supports TMS Agent (legacy mode) provisioning. Before you upgrade to X8 or
later, if you are using TMS Agent (legacy mode) for provisioning you must first migrate to Cisco TelePresence