Cisco Cisco Expressway
—
The Expressway includes a built-in mechanism to generate a certificate signing request (CSR) and is the
recommended method for generating a CSR:
recommended method for generating a CSR:
•
Ensure that the CA that signs the request does not strip out the client authentication extension.
•
The generated CSR includes the client authentication request and any relevant subject alternate names
for the Unified Communications features that have been enabled (see
for the Unified Communications features that have been enabled (see
).
—
To generate a CSR and /or to upload a server certificate to the Expressway, go to Maintenance > Security
certificates > Server certificate. You must restart the Expressway for the new server certificate to take
effect.
certificates > Server certificate. You must restart the Expressway for the new server certificate to take
effect.
2.
Install on both Expressways the trusted Certificate Authority (CA) certificates of the authority that signed the
Expressway's server certificates.
Expressway's server certificates.
There are additional trust requirements, depending on the Unified Communications features being deployed.
For mobile and remote access deployments:
—
The Expressway-C must trust the Unified CM and IM&P tomcat certificate.
—
If appropriate, both the Expressway-C and the Expressway-E must trust the authority that signed the
endpoints' certificates.
endpoints' certificates.
For Jabber Guest deployments:
—
When the Jabber Guest server is installed, it uses a self-signed certificate by default. However, you can
install a certificate that is signed by a trusted certificate authority. You must install on the Expressway-C
either the self-signed certificate of the Jabber Guest server, or the trusted CA certificates of the authority
that signed the Jabber Guest server's certificate.
install a certificate that is signed by a trusted certificate authority. You must install on the Expressway-C
either the self-signed certificate of the Jabber Guest server, or the trusted CA certificates of the authority
that signed the Jabber Guest server's certificate.
To upload trusted Certificate Authority (CA) certificates to the Expressway, go to Maintenance > Security
certificates > Trusted CA certificate. You must restart the Expressway for the new trusted CA certificate to
take effect.
certificates > Trusted CA certificate. You must restart the Expressway for the new trusted CA certificate to
take effect.
for full information about how to create and
upload the Expressway’s server certificate and how to upload a list of trusted certificate authorities.
Configuring Encrypted Expressway Traversal Zones
To support Unified Communications features via a secure traversal zone connection between the Expressway-C and
the Expressway-E:
the Expressway-E:
■
The Expressway-C and Expressway-E must be configured with a zone of type Unified Communications
traversal. This automatically configures an appropriate traversal zone (a traversal client zone when selected
on a Expressway-C, or a traversal server zone when selected on an Expressway-E) that uses SIP TLS with
TLS verify mode set to On, and Media encryption mode set to Force encrypted.
traversal. This automatically configures an appropriate traversal zone (a traversal client zone when selected
on a Expressway-C, or a traversal server zone when selected on an Expressway-E) that uses SIP TLS with
TLS verify mode set to On, and Media encryption mode set to Force encrypted.
■
Both Expressways must trust each other's server certificate. As each Expressway acts both as a client and as
a server you must ensure that each Expressway’s certificate is valid both as a client and as a server.
a server you must ensure that each Expressway’s certificate is valid both as a client and as a server.
■
If an H.323 or a non-encrypted connection is also required, a separate pair of traversal zones must be
configured.
configured.
To set up a secure traversal zone, configure your Expressway-C and Expressway-E as follows:
1.
Go to Configuration > Zones > Zones.
2.
Click New.
13
Mobile and Remote Access Through Cisco Expressway Deployment Guide
Unified Communications Prerequisites