Cisco Expressway
an IP address; we recommend using FQDNs when TLS verify mode is On.
Note that these credentials are stored permanently in the Expressway database. The Unified CM user
must have the Standard AXL API Access role.
c. We recommend leaving TLS verify mode set to On to ensure Expressway verifies the certificates
presented by the Unified CM server (its tomcat certificate for AXL and UDS queries, and its
CallManager certificate for subsequent SIP traffic).
o If the Unified CM server is using self-signed certificates, the Expressway-C's trusted CA list must
include a copy of the tomcat certificate and the CallManager certificate from every Unified CM
server.
o If the Unified CM server is using CA-signed certificates, the Expressway-C's trusted CA list must
include the root CA of the issuer of the tomcat certificate and the CallManager certificate.
d. Click Add address.
The system then attempts to contact the publisher and retrieve details of its associated nodes.
3. Repeat for every Unified CM cluster.
After configuring multiple publisher addresses, you can click Refresh servers to refresh the details of the
nodes associated with selected addresses.
Automatically generated zones and search rules
Expressway-C automatically generates non-configurable neighbor zones between itself and each discovered
Unified CM node. A TCP zone is always created, and a TLS zone is created also if the Unified CM node is
configured with a Cluster Security Mode (System > Enterprise Parameters > Security Parameters) of 1
(Mixed) (so that it can support devices provisioned with secure profiles). The TLS zone is configured with its
TLS verify mode set to On if the Unified CM discovery had TLS verify mode enabled. This means that the
Expressway-C will verify the CallManager certificate for subsequent SIP communications. Each zone is
created with a name in the format 'CEtcp-<node name>' or 'CEtls-<node name>'.
A non-configurable search rule, following the same naming convention, is also created automatically for each
zone. The rules are created with a priority of 45. If the Unified CM node that is targeted by the search rule has
a long name, the search rule will use a regex for its address pattern match.
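
The zone and search rule generation described above can be turned into a configuration audit. The following is an added example, not Cisco's code or part of the original guide: the Node record, the zones/rules dictionaries and all node names are constructed for illustration and do not represent an Expressway export format.

```python
from dataclasses import dataclass

MIXED_MODE = 1      # Cluster Security Mode "1 (Mixed)" from the text
RULE_PRIORITY = 45  # priority of the auto-generated search rules

@dataclass(frozen=True)
class Node:                       # hypothetical inventory record
    name: str
    cluster_security_mode: int
    discovery_tls_verify: bool    # TLS verify mode used when the publisher was added

def expected_zones(nodes):
    """Map zone name -> expected TLS verify setting (None for TCP zones)."""
    zones = {}
    for n in nodes:
        zones[f"CEtcp-{n.name}"] = None              # TCP zone is always created
        if n.cluster_security_mode == MIXED_MODE:    # TLS zone only in mixed mode
            zones[f"CEtls-{n.name}"] = n.discovery_tls_verify
    return zones

def audit(nodes, zones, rules):
    """Return sorted findings; zones and rules are constructed dicts (assumed format)."""
    want, findings = expected_zones(nodes), []
    for name, verify in want.items():
        if name not in zones:
            findings.append(f"{name}: zone missing")
        elif verify is not None and zones[name]["tls_verify"] != verify:
            findings.append(f"{name}: TLS verify differs from discovery setting")
        if name.startswith("CEtls-") and verify is False:
            findings.append(f"{name}: CallManager certificate is not verified")
        if rules.get(name) != RULE_PRIORITY:
            findings.append(f"{name}: search rule missing or priority != {RULE_PRIORITY}")
    for name in zones:
        if name.startswith(("CEtcp-", "CEtls-")) and name not in want:
            findings.append(f"{name}: zone has no matching discovered node")
    return sorted(findings)

# Constructed sample data: two mixed-mode nodes and one non-secure lab node
NODES = [Node("cucm-pub", 1, True), Node("cucm-sub1", 1, True), Node("lab-cucm", 0, False)]
ZONES = {
    "CEtcp-cucm-pub": {"tls_verify": None}, "CEtls-cucm-pub": {"tls_verify": True},
    "CEtcp-cucm-sub1": {"tls_verify": None},   # CEtls-cucm-sub1 is absent
    "CEtcp-lab-cucm": {"tls_verify": None},
    "CEtls-old-node": {"tls_verify": False},   # stale zone, node no longer discovered
}
RULES = {"CEtcp-cucm-pub": 45, "CEtls-cucm-pub": 45, "CEtcp-cucm-sub1": 45, "CEtcp-lab-cucm": 45}

if __name__ == "__main__":
    for finding in audit(NODES, ZONES, RULES):
        print(finding)
```
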
Note that load balancing is managed by Unified CM when it passes routing information back to the registering
endpoints.
Setting up the Expressway-E
This section describes the configuration steps required on the Expressway-E.
Unified Communications: Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.1.1)
Configuring mobile and remote access on Expressway