Cisco Cisco Expressway
Configuring encrypted Expressway traversal zones
To support Unified Communications features via a secure traversal zone connection between the
Expressway-C and the Expressway-E:
Expressway-C and the Expressway-E:
n
The Expressway-C and Expressway-E must be configured with a zone of type Unified Communications
traversal. This automatically configures an appropriate traversal zone (a traversal client zone when
selected on a Expressway-C, or a traversal server zone when selected on an Expressway-E) that uses
SIP TLS with TLS verify mode set to On, and Media encryption mode set to Force encrypted.
traversal. This automatically configures an appropriate traversal zone (a traversal client zone when
selected on a Expressway-C, or a traversal server zone when selected on an Expressway-E) that uses
SIP TLS with TLS verify mode set to On, and Media encryption mode set to Force encrypted.
n
Both Expressways must trust each other's server certificate. As each Expressway acts both as a client
and as a server you must ensure that each Expressway’s certificate is valid both as a client and as a
server.
and as a server you must ensure that each Expressway’s certificate is valid both as a client and as a
server.
n
If an H.323 or a non-encrypted connection is also required, a separate pair of traversal zones must be
configured.
configured.
To set up a secure traversal zone, configure your Expressway-C and Expressway-E as follows:
1. Go to
Configuration > Zones > Zones
.
2. Click New.
3. Configure the fields as follows (leave all other fields with default values):
Expressway-C
Expressway-E
Name
"Traversal zone" for example
"Traversal zone" for example
Type
Unified Communications
traversal
traversal
Unified Communications traversal
Connection credentials
section
Username
"exampleauth" for example
"exampleauth" for example
Password
"ex4mpl3.c0m" for example
Click Add/Edit local authentication database,
then in the popup dialog click New and enter the
Name ("exampleauth") and Password
("ex4mpl3.c0m") and click Create credential.
then in the popup dialog click New and enter the
Name ("exampleauth") and Password
("ex4mpl3.c0m") and click Create credential.
SIP
section
Port
7001
7001
TLS verify subject name
Not applicable
Enter the name to look for in the traversal client's
certificate (must be in either the Subject
Common Name or the Subject Alternative Name
attributes). If there is a cluster of traversal clients,
specify the cluster name here and ensure that it
is included in each client's certificate.
certificate (must be in either the Subject
Common Name or the Subject Alternative Name
attributes). If there is a cluster of traversal clients,
specify the cluster name here and ensure that it
is included in each client's certificate.
Location
section
Unified Communications Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.2)
Page 22 of 40
Configuring a secure traversal zone connection for Unified Communications