Cisco Expressway
SIP Trunks Between Unified CM and Expressway-C
Expressway deployments for mobile and remote access do not require SIP trunk connections between Unified CM
and Expressway-C. Note that the automatically generated neighbor zones between Expressway-C and each
discovered Unified CM node are not SIP trunks.
However, you may still configure a SIP trunk if required (for example, to enable B2B calls to endpoints registered to
Unified CM).
If a SIP trunk is configured, you must ensure that it uses a different listening port on Unified CM from that used for SIP
line registrations to Unified CM. An alarm is raised on Expressway-C if a conflict is detected.
Configuring line registration listening ports on Unified CM
The listening ports used for line registrations to Unified CM are configured via System > Cisco Unified CM.
The SIP Phone Port and SIP Phone Secure Port fields define the ports used for TCP and TLS connections
respectively and are typically set to 5060/5061.
Configuring SIP trunk listening ports
The ports used for SIP trunks are configured on both Unified CM and Expressway.
On Unified CM:
1. Go to System > Security > SIP Trunk Security Profile and select the profile used for the SIP trunk.
   If this profile is used for connections from other devices, you may want to create a separate security profile for
   the SIP trunk connection to Expressway.
2. Configure the Incoming Port to be different from that used for line registrations.
3. Click Save and then click Apply Config.
On Expressway:
1. Go to Configuration > Zones > Zones and select the Unified CM neighbor zone used for the SIP trunk.
   (Note that the automatically generated neighbor zones between Expressway-C and each discovered Unified
   CM node for line side communications are non-configurable.)
2. Configure the SIP Port to the same value as the Incoming Port configured on Unified CM.
3. Click Save.
See Cisco TelePresence Cisco Unified Communications Manager with Expressway (SIP Trunk) Deployment Guide for
more information about configuring a SIP trunk.
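The two port rules in this section (the trunk Incoming Port must differ from the line registration ports, and the zone SIP Port must equal that Incoming Port) can be checked offline against a recorded inventory before changes are applied. This is an added example, not Cisco code: the class names, host names and port values are assumptions constructed for illustration, and it does not query Unified CM or Expressway.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class UcmNode:                      # hypothetical model of one Unified CM node
    name: str
    sip_phone_port: int = 5060          # "SIP Phone Port" (TCP line registrations)
    sip_phone_secure_port: int = 5061   # "SIP Phone Secure Port" (TLS line registrations)
    trunk_incoming_port: Optional[int] = None  # trunk security profile "Incoming Port"

@dataclass
class TrunkZone:                    # hypothetical model of an Expressway neighbor zone
    name: str
    peer: str                           # Unified CM node the zone points at
    sip_port: int                       # zone "SIP Port"

def audit(nodes, zones):
    """Return (code, message) findings for the trunk port rules in this section."""
    findings = []
    by_name = {n.name: n for n in nodes}
    for n in nodes:
        # Rule 1: trunk Incoming Port must not reuse a line registration port.
        if n.trunk_incoming_port in (n.sip_phone_port, n.sip_phone_secure_port):
            findings.append(("conflict", f"{n.name}: trunk Incoming Port "
                             f"{n.trunk_incoming_port} is also a line registration port"))
    for z in zones:
        node = by_name.get(z.peer)
        if node is None or node.trunk_incoming_port is None:
            findings.append(("no-trunk-port",
                             f"{z.name}: no trunk Incoming Port known for {z.peer}"))
        # Rule 2: zone SIP Port must equal the Incoming Port on Unified CM.
        elif z.sip_port != node.trunk_incoming_port:
            findings.append(("mismatch", f"{z.name}: SIP Port {z.sip_port} != Incoming "
                             f"Port {node.trunk_incoming_port} on {z.peer}"))
    return findings

# Constructed sample inventory (host names and port values are made up).
NODES = [
    UcmNode("cucm-pub.example.com", trunk_incoming_port=5060),   # reuses the line port
    UcmNode("cucm-sub1.example.com", trunk_incoming_port=5560),
    UcmNode("cucm-sub2.example.com", trunk_incoming_port=5560),
]
ZONES = [
    TrunkZone("trunk-pub", "cucm-pub.example.com", 5060),
    TrunkZone("trunk-sub1", "cucm-sub1.example.com", 5561),      # zone port typo
    TrunkZone("trunk-sub2", "cucm-sub2.example.com", 5560),      # correct pairing
]

if __name__ == "__main__":
    for code, msg in audit(NODES, ZONES):
        print(f"[{code}] {msg}")
```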
Configuring Secure Communications
This deployment requires secure communications between the Expressway-C and the Expressway-E, and between
the Expressway-E and endpoints located outside the enterprise. This involves mandating encrypted TLS
communications for HTTP, SIP and XMPP, and, where applicable, the exchange and checking of certificates. Jabber
endpoints must supply a valid username and password combination, which will be validated against credentials held
in Unified CM. All media is secured over SRTP.
Expressway-C automatically generates non-configurable neighbor zones between itself and each discovered Unified
CM node. A TCP zone is always created, and a TLS zone is also created if the Unified CM node is configured with a
Cluster Security Mode (System > Enterprise Parameters > Security Parameters) of 1 (Mixed) (so that it can
support devices provisioned with secure profiles). The TLS zone is configured with its TLS verify mode set to On if
the Unified CM discovery had TLS verify mode enabled. This means that the Expressway-C will verify the
CallManager certificate for subsequent SIP communications.
Note: Secure profiles are downgraded to use TCP if Unified CM is not in mixed mode.
Mobile and Remote Access Through Cisco Expressway Deployment Guide
Additional Information