Cisco Expressway
TLS verify mode set to On if the Unified CM discovery had TLS verify mode enabled. This means that the Expressway-C will verify the CallManager certificate for subsequent SIP communications. Note that secure profiles are downgraded to use TCP if Unified CM is not in mixed mode.
The Expressway neighbor zones to Unified CM use the names of the Unified CM nodes that were returned by Unified CM when the Unified CM publishers were added (or refreshed) to the Expressway. The Expressway uses those returned names to connect to the Unified CM node. If that name is just the host name then:
■ it needs to be routable using that name
■ this is the name that the Expressway expects to see in the Unified CM's server certificate
If you are using secure profiles, ensure that the root CA of the authority that signed the Expressway-C certificate is installed as a CallManager-trust certificate (Security > Certificate Management in the Cisco Unified OS Administration application).
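The two conditions above (the returned node name must resolve, and it must appear in the CallManager certificate) are the checks a practitioner would want to run before trusting a neighbor zone. The script below is an added example, not Expressway or Unified CM code: it models those checks against a certificate in the dict layout that Python's ssl.getpeercert() returns, so a certificate pulled from a real TLS session could be passed in unchanged. The host names, the certificate and the stand-in resolver are all constructed for the example.

```python
import socket

# Added illustration (not Expressway code): the two conditions for a Unified CM
# node name, checked against a certificate in the dict layout that
# ssl.SSLSocket.getpeercert() returns. Names and certificates are constructed.

def _name_matches(pattern, name):
    """Compare one certificate name against a host name, case-insensitively.
    A wildcard is honoured only as the entire leftmost label (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        p_labels, n_labels = pattern.split("."), name.split(".")
        return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]
    return False

def cert_names(cert):
    """DNS names the certificate asserts: subjectAltName DNS entries, falling
    back to the subject commonName only when there is no SAN at all."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for kind, value in rdn if kind == "commonName")
    return names

def cert_matches_name(cert, name):
    """True if the host name Expressway will connect to is in the certificate."""
    return any(_name_matches(candidate, name) for candidate in cert_names(cert))

def resolvable(name, resolver=socket.getaddrinfo):
    """True if the name resolves; the resolver is injectable so the demo runs offline."""
    try:
        resolver(name, None)
        return True
    except OSError:  # socket.gaierror is an OSError subclass
        return False

def check_node_name(name, cert, resolver=socket.getaddrinfo):
    """Return a list of problems; an empty list means the node name is usable."""
    problems = []
    if not resolvable(name, resolver):
        problems.append(f"{name!r} does not resolve, so Expressway cannot reach the node by that name")
    if not cert_matches_name(cert, name):
        problems.append(f"{name!r} is not among the certificate names {cert_names(cert)}, so TLS verify would fail")
    return problems

# Constructed sample: Unified CM returned the bare host name, but the
# CallManager certificate carries only the FQDN in its SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "cucm-sub1.example.com"),),),
    "subjectAltName": (("DNS", "cucm-sub1.example.com"),),
}

def sample_resolver(name, port):
    """Stand-in for socket.getaddrinfo: only the FQDN is known to this fake DNS."""
    if name.lower() == "cucm-sub1.example.com":
        return [("AF_INET", None, None, "", ("192.0.2.10", 5061))]
    raise socket.gaierror(f"constructed resolver: unknown name {name}")

if __name__ == "__main__":
    for node_name in ("cucm-sub1", "cucm-sub1.example.com"):
        print(node_name, check_node_name(node_name, SAMPLE_CERT, sample_resolver) or "OK")
```

With the sample data the bare host name fails both checks and the FQDN passes both, which is exactly the situation the text warns about: what matters is the name Unified CM returned, not the name an administrator typed in.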
Expressway automated intrusion protection
You may need to enable the Automated protection service (System > System administration) if it is not yet running.
To protect against malicious attempts to access the HTTP proxy, you can configure automated intrusion protection on the Expressway-E (System > Protection > Automated detection > Configuration).
We recommend that you enable the following categories on the Expressway-E:
■ HTTP proxy authorization failure and HTTP proxy protocol violation. Note: Do not enable the HTTP proxy resource access failure category.
■ XMPP protocol violation
Note: The Automated protection service uses Fail2ban software. It protects against brute force attacks that originate from a single source IP address.
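To make the "single source IP address" limitation concrete, here is an added example (not Expressway's or Fail2ban's own code) of the detection model the note describes: failures are counted per source address in a sliding window and a source is banned once it crosses a threshold. The log format, the category names and the addresses are constructed for the example. Running it shows what the model catches and what it does not: a burst of failures from one address is banned, the same number of failures spread slowly over several minutes is not, and events in a category that is not enabled (here the "resource access failure" category the guide says not to enable) are never counted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added illustration of per-source-IP detection, not Expressway's implementation.
# Log layout and category names below are constructed for this example.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<category>\S+) src=(?P<ip>[0-9.]+)$")

# Categories the guide recommends enabling on the Expressway-E (names constructed).
ENABLED = {"http_proxy_authorization_failure", "http_proxy_protocol_violation",
           "xmpp_protocol_violation"}

def detect_bans(lines, threshold=5, window_seconds=60, categories=ENABLED):
    """Sliding-window count of failures per source IP; returns {ip: time of ban}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["category"] not in categories:
            continue              # unparseable line or category not enabled
        ip = m["ip"]
        if ip in banned:
            continue              # already banned; later events are dropped
        ts = datetime.fromisoformat(m["ts"])
        q = recent[ip]
        q.append(ts)
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:
            q.popleft()           # expire failures older than the window
        if len(q) >= threshold:
            banned[ip] = ts
    return banned

# Constructed sample log: one fast brute-force source, one benign source with a
# couple of typos, one slow source (one failure per minute), and five events in
# the category the guide says not to enable.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 http_proxy_authorization_failure src=203.0.113.7",
    "2024-01-01T10:00:05 http_proxy_authorization_failure src=203.0.113.7",
    "2024-01-01T10:00:10 http_proxy_protocol_violation src=203.0.113.7",
    "2024-01-01T10:00:15 http_proxy_authorization_failure src=203.0.113.7",
    "2024-01-01T10:00:20 http_proxy_authorization_failure src=203.0.113.7",
    "2024-01-01T10:00:25 http_proxy_authorization_failure src=203.0.113.7",
    "2024-01-01T10:00:30 http_proxy_authorization_failure src=198.51.100.9",
    "2024-01-01T10:00:40 http_proxy_authorization_failure src=198.51.100.9",
    "this line is deliberately malformed and is skipped",
    "2024-01-01T10:01:00 http_proxy_authorization_failure src=203.0.113.8",
    "2024-01-01T10:02:00 http_proxy_authorization_failure src=203.0.113.8",
    "2024-01-01T10:03:00 http_proxy_authorization_failure src=203.0.113.8",
    "2024-01-01T10:04:00 http_proxy_authorization_failure src=203.0.113.8",
    "2024-01-01T10:05:00 http_proxy_authorization_failure src=203.0.113.8",
    "2024-01-01T10:06:00 http_proxy_authorization_failure src=203.0.113.8",
    "2024-01-01T10:06:01 http_proxy_resource_access_failure src=192.0.2.55",
    "2024-01-01T10:06:02 http_proxy_resource_access_failure src=192.0.2.55",
    "2024-01-01T10:06:03 http_proxy_resource_access_failure src=192.0.2.55",
    "2024-01-01T10:06:04 http_proxy_resource_access_failure src=192.0.2.55",
    "2024-01-01T10:06:05 http_proxy_resource_access_failure src=192.0.2.55",
]

if __name__ == "__main__":
    for ip, when in detect_bans(SAMPLE_LOG).items():
        print(f"banned {ip} at {when.isoformat()}")
```

Widening the window (for example detect_bans(SAMPLE_LOG, window_seconds=600)) does catch the slow source, at the cost of more false positives from legitimately clumsy users; that trade-off, and the fact that failures spread across many source addresses are never aggregated, is why this service complements rather than replaces rate limiting and monitoring on Unified CM itself.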
Unified CM denial of service threshold
High volumes of mobile and remote access calls may trigger denial of service thresholds on Unified CM. This is because all the calls arriving at Unified CM are from the same Expressway-C (cluster).
If necessary, we recommend that you increase the level of the SIP Station TCP Port Throttle Threshold (System > Service Parameters, and select the Cisco CallManager service) to 750 KB/second.
Limitations
■ Only the IPv4 protocol is supported for mobile and remote access users
■ SIP Early Media is not supported
■ In Expressway-E systems that use dual network interfaces, XCP connections (for IM&P XMPP traffic) always use the non-external (i.e. internal) interface. This means that XCP connections may fail in deployments where the Expressway-E internal interface is on a separate network segment and is used for system management purposes only, and where the traversal zone on the Expressway-C connects to the Expressway-E's external interface.
Unified Communications Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.5.1)
Page 40 of 50
Additional information