Cisco Cisco Expressway
■
To use fully qualified domain names instead of IP addresses when specifying external addresses. For example,
for LDAP and NTP servers, neighbor zones and peers.
for LDAP and NTP servers, neighbor zones and peers.
■
To use features such as URI dialing or ENUM dialing.
The Expressway queries one server at a time. If that server is unavailable the Expressway tries another server from the
list.
list.
In the example deployment two DNS servers are configured for each Expressway, which provides a level of DNS
server redundancy. The Cisco Expressway-C is configured with DNS servers which are located on the internal
network.
server redundancy. The Cisco Expressway-C is configured with DNS servers which are located on the internal
network.
To configure the Default DNS server addresses:
1.
Go to System > DNS.
2.
Configure the DNS server Address fields as follows:
Address 1
Enter 10.0.0.11
Address 2
Enter 10.0.0.12
3.
Click Save.
Task 5: Replacing the Default Server Certificate
For extra security, you may want to have the Expressway communicate with other systems (such as LDAP servers,
neighbor Expressways, or clients such as SIP endpoints and web browsers) using TLS encryption.
neighbor Expressways, or clients such as SIP endpoints and web browsers) using TLS encryption.
For this to work successfully in a connection between a client and server:
■
The server must have a certificate installed that verifies its identity. This certificate must be signed by a
Certificate Authority (CA).
Certificate Authority (CA).
■
The client must trust the CA that signed the certificate used by the server.
The Expressway allows you to install a certificate that can represent the Expressway as either a client or a server in
connections using TLS. The Expressway can also authenticate client connections (typically from a web browser) over
HTTPS. You can also upload certificate revocation lists (CRLs) for the CAs used to verify LDAP server and HTTPS
client certificates.
connections using TLS. The Expressway can also authenticate client connections (typically from a web browser) over
HTTPS. You can also upload certificate revocation lists (CRLs) for the CAs used to verify LDAP server and HTTPS
client certificates.
The Expressway can generate server certificate signing requests (CSRs). This removes the need to use an external
mechanism to generate certificate requests.
mechanism to generate certificate requests.
For secure communications (HTTPS and SIP/TLS) we recommend that you replace the Expressway default certificate
with a certificate generated by a trusted certificate authority.
with a certificate generated by a trusted certificate authority.
Note that in connections:
■
to an endpoint, the Expressway acts as the TLS server
■
to an LDAP server, the Expressway is a client
■
between two Expressway systems, either Expressway may be the client with the other Expressway being the
TLS server
TLS server
■
via HTTPS, the web browser is the client and the Expressway is the server
TLS can be difficult to configure. For example, when using it with an LDAP server we recommend that you confirm
the system is working correctly over TCP before attempting to secure the connection with TLS. We also recommend
using a third party LDAP browser to verify that your LDAP server is correctly configured for TLS.
the system is working correctly over TCP before attempting to secure the connection with TLS. We also recommend
using a third party LDAP browser to verify that your LDAP server is correctly configured for TLS.
Note:
Be careful not to allow your CA certificates or CRLs to expire. This may cause certificates signed by those CAs
to be rejected.
To load the trusted CA list, go to Maintenance > Security certificates > Trusted CA certificate.
15
Cisco Expressway Registrar Deployment Guide
Expressway System Configuration