Cisco Cisco Expressway
Ensure that the cisco-uds and _cuplogin SRV records are NOT resolvable outside of the internal
network, otherwise the Jabber client will not start mobile and remote access negotiation via the Expressway-
E.
network, otherwise the Jabber client will not start mobile and remote access negotiation via the Expressway-
E.
Firewall
n
Ensure that the relevant ports have been configured on your firewalls between your internal network (where
the Expressway-C is located) and the DMZ (where the Expressway-E is located) and between the DMZ
and the public internet. See
the Expressway-C is located) and the DMZ (where the Expressway-E is located) and between the DMZ
and the public internet. See
for more information.
n
If your Expressway-E has one NIC enabled and is using static NAT mode, note that:
You must enter the FQDN of the Expressway-E, as it is seen from outside the network, as the peer
address on the Expressway-C's secure traversal zone. The reason for this is that in static NAT mode, the
Expressway-E requests that incoming signaling and media traffic should be sent to its external FQDN,
rather than its private name.
This also means that the external firewall must allow traffic from the Expressway-C to the
Expressway-E's external FQDN. This is known as NAT reflection, and may not be supported by
all types of firewalls.
See the Advanced network deployments appendix, in the
You must enter the FQDN of the Expressway-E, as it is seen from outside the network, as the peer
address on the Expressway-C's secure traversal zone. The reason for this is that in static NAT mode, the
Expressway-E requests that incoming signaling and media traffic should be sent to its external FQDN,
rather than its private name.
This also means that the external firewall must allow traffic from the Expressway-C to the
Expressway-E's external FQDN. This is known as NAT reflection, and may not be supported by
all types of firewalls.
See the Advanced network deployments appendix, in the
Unified CM
1. If you have multiple Unified CM clusters, you must confgure ILS (Intercluster Lookup Service) on all of
the clusters.
This is because the Expressway needs to communicate with each user's home Unified CM cluster, and
to discover the home cluster it sends a UDS (User Data Service) query to any one of the Unified CM
nodes.
Search for "Intercluster Lookup Service" in the
This is because the Expressway needs to communicate with each user's home Unified CM cluster, and
to discover the home cluster it sends a UDS (User Data Service) query to any one of the Unified CM
nodes.
Search for "Intercluster Lookup Service" in the
2. Ensure that the Maximum Session Bit Rate for Video Calls between and within regions (
System
> Region Information > Region
) is set to a suitable upper limit for your system, for example 6000 kbps.
for more information.
3. The Phone Security Profiles in Unified CM (
System > Security > Phone Security Profile
) that are
configured for TLS and are used for devices requiring remote access must have a Name in the form of an
FQDN that includes the enterprise domain, for example jabber.secure.example.com. (This is because
those names must be present in the list of Subject Alternate Names in the Expressway-C's server
certificate.)
FQDN that includes the enterprise domain, for example jabber.secure.example.com. (This is because
those names must be present in the list of Subject Alternate Names in the Expressway-C's server
certificate.)
Unified Communications Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.5)
Page 12 of 50
Configuration overview