Cisco Expressway Maintenance Manual
2. Install on both Expressways the trusted Certificate Authority (CA) certificates of the authority that signed the Expressway's server certificates.
There are additional trust requirements, depending on the Unified Communications features being deployed.
For mobile and remote access deployments:
— The Expressway-C must trust the Unified CM and IM&P tomcat certificate.
— If appropriate, both the Expressway-C and the Expressway-E must trust the authority that signed the endpoints' certificates.
For Jabber Guest deployments:
— When the Jabber Guest server is installed, it uses a self-signed certificate by default. However, you can install a certificate that is signed by a trusted certificate authority. You must install on the Expressway-C either the self-signed certificate of the Jabber Guest server, or the trusted CA certificates of the authority that signed the Jabber Guest server's certificate.
To upload trusted Certificate Authority (CA) certificates to the Expressway, go to Maintenance > Security certificates > Trusted CA certificate. You must restart the Expressway for the new trusted CA certificate to take effect.
upload the Expressway’s server certificate and how to upload a list of trusted certificate authorities.
Configuring Encrypted Expressway Traversal Zones
To support Unified Communications features via a secure traversal zone connection between the Expressway-C and the Expressway-E:
■ The Expressway-C and Expressway-E must be configured with a zone of type Unified Communications traversal. This automatically configures an appropriate traversal zone (a traversal client zone when selected on an Expressway-C, or a traversal server zone when selected on an Expressway-E) that uses SIP TLS with TLS verify mode set to On, and Media encryption mode set to Force encrypted.
■ Both Expressways must trust each other's server certificate. As each Expressway acts both as a client and as a server, you must ensure that each Expressway’s certificate is valid both as a client and as a server.
■ If an H.323 or a non-encrypted connection is also required, a separate pair of traversal zones must be configured.
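A pre-upload check for the two certificate requirements above (trust in the signing CA, and validity as both client and server), as an added example that is not part of the Cisco guide. It assumes the openssl CLI on an admin workstation and PEM files; the test CA, host names and paths are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the Cisco guide). Runs on an admin workstation with
# the openssl CLI; every name, path and certificate here is constructed.

# usable_as CA_BUNDLE CERT PURPOSE   (PURPOSE is sslclient or sslserver)
# True if CERT chains to CA_BUNDLE and its extensions permit that purpose.
usable_as() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# True only if CERT is accepted for both roles, as a traversal zone peer needs.
valid_for_traversal() {
    usable_as "$1" "$2" sslclient && usable_as "$1" "$2" sslserver
}

# make_ca DIR: throwaway self-signed test CA (DIR/ca.pem, DIR/ca.key).
make_ca() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
        'prompt=no' '[dn]' 'CN=Constructed Test CA' '[v3]' \
        'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# make_leaf DIR NAME EKU: leaf DIR/NAME.pem signed by the test CA.
make_leaf() {
    printf 'extendedKeyUsage=%s\n' "$3" > "$1/$2.ext"
    openssl req -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$2.example.test" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# Demo: one leaf with both EKUs, one with serverAuth only.
demo=$(mktemp -d)
make_ca "$demo"
make_leaf "$demo" both "serverAuth,clientAuth"
make_leaf "$demo" srvonly "serverAuth"
for c in both srvonly; do
    if valid_for_traversal "$demo/ca.pem" "$demo/$c.pem"; then
        echo "$c: valid as client and server"
    else
        echo "$c: REJECTED for at least one role"
    fi
done
rm -rf "$demo"
```

To check real files, call `valid_for_traversal` with the CA bundle you intend to upload as trusted and the peer Expressway's server certificate.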
To set up a secure traversal zone, configure your Expressway-C and Expressway-E as follows:
1. Go to Configuration > Zones > Zones.
2. Click New.
Cisco Expressway Administrator Guide
Unified Communications