Cisco Expressway Maintenance Manual
■ The Expressway-C now defaults to SHA-256 for signing SSO requests it gives to clients, and you can change
it to use SHA-1 if required. In version X8.5, when the SSO feature was previewed, the Expressway-C
defaulted to SHA-1 and there was no way to select a different algorithm.
Note: If you were using the SSO feature with X8.5, this change may cause it to stop working after upgrade to
X8.5.1. You have two options to resolve this. Either leave the new default on the Expressway-C and, if
needed, reconfigure the IdP to expect requests to be signed with SHA-256 (recommended for better security),
or revert the Expressway-C's signing algorithm to SHA-1 for your IdP (go to Configuration
> Unified Communications > Identity Providers (IdP), locate your IdP row, then in the Actions column click
Configure Digest).
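An added example (not from the Cisco guide) for checking the situation the note describes: it reads which hash a signed SSO request uses and compares it with what the IdP is set to accept. It assumes the SSO request is a SAML AuthnRequest carrying an embedded XML Signature; the sample request and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
HASH_OF = {RSA_SHA1: "SHA-1", SHA1: "SHA-1", RSA_SHA256: "SHA-256", SHA256: "SHA-256"}


def sample_request(sig_alg, digest_alg):
    """Constructed AuthnRequest skeleton; the signature values are dummies."""
    return f"""<samlp:AuthnRequest ID="_constructed"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{sig_alg}"/>
    <ds:Reference URI="#_constructed">
      <ds:DigestMethod Algorithm="{digest_alg}"/>
      <ds:DigestValue>AA==</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>AA==</ds:SignatureValue></ds:Signature>
</samlp:AuthnRequest>"""


def signing_hashes(request_xml):
    """Return (signature hash, [reference digest hashes]), or None if unsigned."""
    signed_info = ET.fromstring(request_xml).find(f".//{DS}SignedInfo")
    if signed_info is None:
        return None
    sig = signed_info.find(f"{DS}SignatureMethod")
    digests = signed_info.iterfind(f"{DS}Reference/{DS}DigestMethod")
    name = lambda el: HASH_OF.get(el.get("Algorithm"), "unknown")
    return (name(sig) if sig is not None else "unknown"), [name(d) for d in digests]


def check_against_idp(request_xml, idp_expects):
    """Compare the request's hashes with what the IdP is configured to accept."""
    found = signing_hashes(request_xml)
    if found is None:
        return "unsigned request"
    used = {found[0], *found[1]}
    if used == {idp_expects}:
        return "ok"
    return f"mismatch: request uses {sorted(used)}, IdP expects {idp_expects}"


if __name__ == "__main__":
    after_upgrade = sample_request(RSA_SHA256, SHA256)  # new default described above
    print(check_against_idp(after_upgrade, "SHA-1"))    # IdP still set up for X8.5
```

A mismatch result corresponds to the post-upgrade failure in the note; either of the two options above brings both sides back to the same hash.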
X8.2
Unified Communications: Jabber Guest
Cisco Jabber Guest is a consumer to business (C2B) solution that extends the reach of Cisco's enterprise telephony
to people outside of a corporate firewall who do not have phones registered with Cisco Unified Communications
Manager.
External XMPP federation
External XMPP federation enables users registered to Unified CM IM & Presence to communicate via the
Expressway-E with users from a different XMPP deployment.
TURN media over TCP
The Expressway-E TURN server supports TURN media over TCP.
This allows clients to use TURN services in environments where UDP connections are not supported or blocked.
Configuration of the supported protocols is available only through the CLI command
xConfiguration Traversal Server TURN ProtocolMode.
New 'Unified Communications traversal' zone type
To simplify the configuration of secure traversal client and traversal server zones for Unified Communications, you
must now use the new zone type of Unified Communications traversal when configuring zones via the web interface.
This automatically configures an appropriate traversal zone (a traversal client zone when selected on an
Expressway-C, or a traversal server zone when selected on an Expressway-E) that uses SIP TLS with TLS verify
mode set to On, and Media encryption mode set to Force encrypted.
This replaces the previous Unified Communications services setting that was available when configuring traversal
client and traversal server zones. Existing zones configured in previous software versions for Unified
Communications services are automatically converted to use the new Unified Communications traversal zone type.
Note that this zone type applies to the web interface only; the underlying CLI configuration settings have not
changed.
Support for X-cisco-srtp-fallback
Support has been added for the X-cisco-srtp-fallback package, allowing the Expressway's B2BUA to use Cisco
Unified Communications Manager-style best effort media encryption for the automatically generated TLS neighbor
zones.
RTP and RTCP media demultiplexing ports
In Small/Medium systems, 1 pair of RTP and RTCP media demultiplexing ports is used. These can now either be
explicitly specified (Configuration > Traversal > Ports) or they can be allocated from the start of the general range of
traversal media ports. In previous X8 releases they were always allocated from the start of the traversal media ports
range.
In Large systems, 6 pairs of RTP and RTCP media demultiplexing ports are used. These are still always allocated from
the start of the traversal media ports range.
After upgrading to X8.2, all existing traversal media port configurations / firewall requirements are maintained.
Cisco Expressway Administrator Guide
Reference Material