Cisco Cisco Expressway
Expressway-C
Expressway-E
Peer 1 address
Enter the FQDN of the
Expressway-E.
Expressway-E.
Note that if you use an IP
address (not recommended),
that address must be present
in the Expressway-E server
certificate.
address (not recommended),
that address must be present
in the Expressway-E server
certificate.
Not applicable
Peer 2...6 address
Enter the FQDNs of additional
peers if it is a cluster of
Expressway-Es.
peers if it is a cluster of
Expressway-Es.
Not applicable
4. Click Create zone.
Server certificate requirements for Unified Communications
Cisco Unified Communications Manager certificates
The two Cisco Unified Communications Manager certificates that are significant for Mobile and Remote
Access are the CallManager certificate and the tomcat certificate. These are automatically installed on the
Cisco Unified Communications Manager and by default they are self-signed and have the same common
name (CN).
Access are the CallManager certificate and the tomcat certificate. These are automatically installed on the
Cisco Unified Communications Manager and by default they are self-signed and have the same common
name (CN).
We recommend using externally-signed certificates for best end-to-end security between external endpoints
and internal endpoints. However, if you do use self-signed certificates, the two certificates must have
different common names. This is because the Expressway does not allow two self-signed certificates with
the same CN. If the CallManager and tomcat self-signed certs have the same CN in the Expressway's
trusted CA list, then it can only trust one of them. This means that either secure HTTP or secure
SIP, between Expressway-C and Cisco Unified Communications Manager, will fail.
and internal endpoints. However, if you do use self-signed certificates, the two certificates must have
different common names. This is because the Expressway does not allow two self-signed certificates with
the same CN. If the CallManager and tomcat self-signed certs have the same CN in the Expressway's
trusted CA list, then it can only trust one of them. This means that either secure HTTP or secure
SIP, between Expressway-C and Cisco Unified Communications Manager, will fail.
Also, when generating tomcat certificate signing requests for any products within the Cisco Collaboration
Systems Release 10.5.2, you need to be aware of
Systems Release 10.5.2, you need to be aware of
. You need to work around this issue to
ensure that the FQDNs of the nodes are in the certificates as Subject Alternative Names. The Expressway
X8.5.2 Release Notes have the details of the workarounds.
X8.5.2 Release Notes have the details of the workarounds.
Expressway certificates
The Expressway certificate signing request (CSR) tool prompts for and incorporates the relevant subject
alternate name (SAN) entries as appropriate for the Unified Communications features that are supported on
that Expressway.
alternate name (SAN) entries as appropriate for the Unified Communications features that are supported on
that Expressway.
The following table shows which CSR alternative name elements apply to which Unified Communications
features:
features:
CSR SAN element
Mobile and remote access
Jabber Guest
XMPP federation
Unified CM registrations domains
ü
(Expressway-E only)
X
X
XMPP federation domains
X
X
ü
(Expressway-E only)
Unified Communications Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.5.3)
Page 18 of 54
Unified Communications prerequisites