
© 2017 Cisco and/or its affiliates. All rights reserved.

Cisco Public
Technical Overview of the Preferred Architecture for Enterprise Collaboration

Glen Lavers, Technical Marketing Engineer


BRKCOL-1614

Cisco Spark
Ask Questions, Get Answers, Continue the Experience

Use Cisco Spark to communicate with the Speaker and fellow participants after the session

Download the Cisco Spark app from iTunes or Google Play


1. Go to the Cisco Live Berlin 2017 Mobile app
2. Find this session
3. Click the Spark button under Speakers in the session description
4. Enter the room, room name = BRKCOL-1614
5. Join the conversation!

The Spark Room will be open for 2 weeks after Cisco Live

Agenda
• What is the “Preferred Architecture”?
• Call Control
• Conferencing
• Collaboration Edge
• Unified Messaging
• Prime Management Services
• Simplified Sizing
• Bandwidth Management
• Security
• Hybrid Services in the PA

What is a “Preferred Architecture”?

Collaboration Preferred Architecture (CPA)
What products to use to enable users for Collaboration and Unified Communications for simple deployments.
Prescriptive recommendations, concise documents, tested best practices.
• Preferred Architecture provides prescriptive design guidance that simplifies and drives design consistency for Cisco Collaboration deployments
• Preferred Architecture can be used as a design base for any customer using a modular and scalable approach
• Preferred Architecture team provides feedback on solution level gaps to product teams
• Preferred Architecture will help you scale!

Preferred Architecture
[Figure: Preferred Architecture overview diagram. Headquarters: Unified Communications Manager, IM and Presence, Unity Connection, Cisco Meeting Server, TelePresence Management Suite, Cisco Prime Collaboration (Deployment, License Manager, Provisioning) and an Integrated/Aggregated Services Router. DMZ: Expressway-C and Expressway-E. Internet: Mobile/Teleworker endpoints and Third-Party Solutions. MPLS WAN to a Remote Site with an Integrated Services Router and PSTN access. Functional groupings: Call Control, Collaboration Edge, Voice Messaging, Conferencing, Collaboration Management Services.]
Collaboration Preferred Architectures & CVDs
www.cisco.com/go/cvd/collaboration

PA Overview (Pre-Sales Process)
• Design Overview Document
• Targeted to Pre-Sales
• Summarizes Solution and Components
• Plugs into the PA CVD

PA CVD (Cisco Validated Design, Post-Sales Process)
• Detailed Design and Deployment Guidance
• Post Sales Design and Deployment
• Process Driven Guide

PA Applications CVD (Cisco Validated Design, Post-Sales Process)
• Detailed Design and Deployment Guidance
• Post Sales Design and Deployment
• Process Driven Guide
Preferred Architecture for Collaboration
Enterprise Cisco Validated Design (CVD)

Call Control (UCM, IM&P, ISR, CUBE)
• Functions: Dial Plan (Dialing Habits, Endpoints/ILS/GDPR), Trunking, SRST, CTI, DNS, Provisioning, EM
Conferencing (UCM, TMS, CMS)
• Functions: Instant, Permanent, Scheduled
Edge (UCM, Expressway, CUBE, ISR)
• Functions: Mobile Remote Access (MRA), B2B, IM&P Federation, PSTN Access, ISDN Video
Prime Services Management (PCD, PLM, PCP)
• Functions: Deployment, Licensing, Monitoring and Troubleshooting
Unified Messaging (Unity Connection)
• Functions: Unified Messaging
Bandwidth Management
• Functions: QoS and Admission Control
Security (All Components)
• Functions: Infra/Network Security, DoS, Toll-Fraud, Encryption, Cert Mgmt, …
Sizing
• Functions: Sizing numbers for products built on a set of calculated assumptions

Each area is covered under Architecture (Component Role, HA, Scalability), Deployment (Process and Configuration – High Level) and Sizing.
Preferred Architecture Process
Figure it out: Define Collaboration Preferred Architecture
Build and validate: Build it in the lab and validate concepts
Write it down: Document Preferred Architectures for the field and partners
Extend: Move it into GB test beds, Cisco on Cisco, Alpha and EFT process
Feedback: Feed gaps found during the “build and validate” phase back into product teams
Define: Define additional Preferred Architectures (Voice, Video)
New to the PA for 11.6 Release
• Security
• Infrastructure and Network Security
• Prevent Unauthorized Access and Toll Fraud
• Encryption and Authentication (all components)
• Certificate Management
• Cisco Meeting Server Solution
• Integration with TelePresence Management Suite (TMS)
• Prime Services Management
• Prime License Manager (pre-existing)
• Prime Collab Deployment (pre-existing)
• Prime Collab Provisioning for MACD (New 11.6)

Anecdotal usage of the Collaboration Preferred Architecture
• Greenfield Enterprise Collaboration Deployments
• A Guideline for Updating Brownfield Collaboration Deployments
• Training For New Collaboration Engineers

What’s the best way to design your collaboration deployment?!?!
Call Control

[Figure: Preferred Architecture overview diagram repeated, with the Call Control components highlighted: Unified Communications Manager, IM and Presence, and the Integrated Services Routers at Headquarters and the Remote Site.]
Call Control Functions
• User / Endpoint Identities & Status
• Endpoint Registration & Management
• Session Management
• Central “Dial Plan” Authority
• Application Integration
• Third-Party Interoperability

[Figure: Unified Communications Manager at the centre, with SIP to endpoints and to the Collaboration Edge (Expressway-C and Expressway-E in the DMZ, MRA endpoints), trunks to Cisco Meeting Server and TelePresence Management Suite (Conferencing), APIs to Prime Deployment, Prime License Manager and Prime Provisioning (Collaboration Management Services), and Unity Connection (Voice Messaging).]

Unified Communications Manager is the Heart of the Architecture. The “Glue” that binds it all together.
Call Control

Core Components / Roles
• Unified CM provides call control, endpoint registration and configuration, call admission control, codec negotiation, trunk protocol translation, and CTI
• Unified CM IM and Presence Service provides on-premises instant messaging and presence
• Cisco Integrated Services Router (ISR) provides remote site survivability (SRST)

Key Benefits
• Call control is centralized at a single location that serves multiple remote sites.
• Management and administration are centralized.
• Common telephony features are available across voice and video endpoints.
• Single call control and a unified dial plan are provided for voice and video endpoints.
• Critical business applications are highly available and redundant.
Unified CM with IM & Presence Cluster
[Figure: Unified CM Cluster (Publisher with DB, TFTP 1 and TFTP 2, Call Processing subscriber pairs Primary/Secondary, … up to 21 nodes) and IM & Presence Cluster (Publisher and Subscriber pairs, … up to 6 nodes), linked by DB Sync, SOAP / XML, SIP and CTI/QBE.]
• Two databases
• Each DB has:
  • One publisher
  • Multiple subscribers
• CM subscriber:
  • Call processing pairs
  • TFTP pairs
• IM&P publisher part of pair
PA Clustering Guidelines
• Call Processing Subscribers always added in pairs
• 1:1 redundancy only
• Single TFTP Subscriber pair
• Call Processing Subscriber and IM&P pairs added to match scale requirements
• MoH function co-located with Call Processing Subscribers

DNS “A Fundamental Solution Requirement”
• DNS is Critical in a Collaboration Solution!
• Forward and Reverse Lookup!
• SRV for Redundancy and Load Balancing!
• DNS for User Data Service (UDS) & Certificate Validity

• Recommendation:
• Enable DNS forward (A record) and reverse (PTR record) lookup for all UC
servers
• Dedicated zone for cluster simplifies configuration of cluster fully qualified
domain name (CFQDN – Enterprise Parameter): *.emea-uc.example.org
• SRV record for each Unified CM node
• Best load balancing of initial UDS requests during registration

Deployment Considerations: Numeric Dial Plan
• Use +E.164 as DN addressing
• Benefit: ensure uniform phone number formatting across all enterprise contacts
• Use XXXX abbreviated intra-site dialing
• Benefit: allow abbreviated dialing for intra-site calls
• Use site-code based abbreviated inter-site dialing
• e.g.: 8+<site code>+<extension>
• Benefit: use a normalized approach for inter-site calls
• Non-DID addresses in line with site-code based abbreviated inter-site dialing
• Unique addresses
• Additional site-codes per site or non-overlapping extensions

Example Dialing Habits/Numbering
Non-DID Addressing Based on Dialing Habits
Site | +E.164 | Abbr. Intra-Site* | Call Park** | Conferencing***
SFO | +14085559XXX | 9XXX | 4XXX | 8099[12]XXX
NYC | +12125551XXX | 1XXX | 4XXX | 8099[12]XXX
RTP | +19195551XXX | 1XXX | 4XXX | 8099[12]XXX

* site specific translation patterns in site specific partition mapping to +E.164
** single call park range in global partition or site specific call park ranges in site specific partitions
*** single dialing habit (single route pattern) in global partition
Reference +E.164 Dial Plan
Line CSS: SJCInternational

Partitions and their patterns:
• DN – All IP Phone DNs (+E.164), urgent
• SJCtoE164 – site specific normalisation patterns:
  1XXX, Prefix +1408555
  9.[2-9]XXXXXX, Pre-Dot, Prefix +1408
• UStoE164 – country specific normalisation patterns:
  9011.!, Urgent, Pre-Dot, Prefix +
  9011.!#, Urgent, Pre-Dot, Prefix +
  9.1[2-9]XX[2-9]XXXXXX, Pre-Dot, Prefix +
• PSTNInternational and USPSTNNational – route patterns pointing at route lists with LRG based egress GW selection (route group XYZ RG)
• SJCPSTNLocal – \+1408[2-9]XXXXXX, Urgent, pointing at route list LOC RL and the Local Route Group

All dialing normalisation is NOT CoS specific! All normalisation patterns can be re-used.
Routing is CoS specific. Site specificity only on site specific CoS (like “local”).
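As an added example (not part of the slide deck), the Python below models the split the reference dial plan describes: translation patterns (the SJCtoE164 and UStoE164 entries above) turn any dialing habit into +E.164 and are shared by every class of service, and only afterwards is the calling search space, a CSS listing the partitions a line may see, consulted to decide whether and where the +E.164 number routes. The DNs, the restricted SJCLocalOnly CSS, the route-list labels and the wildcard-counting approximation of Unified CM's closest-match rule are all constructed for this illustration.

```python
import re

# Constructed dial plan modelled on the reference +E.164 dial plan above.
# Unified CM pattern syntax: X = one digit, ! = one or more digits, [2-9] = digit
# range, '.' marks the end of the pre-dot part, '\+' is a literal plus.

def _conv(fragment):
    """Turn a Unified CM pattern fragment into a regular-expression fragment."""
    return fragment.replace("!", "[0-9]+").replace("X", "[0-9]")

def compile_pattern(pattern):
    """Regex with group 1 = pre-dot part (may be empty) and group 2 = the rest."""
    predot, rest = pattern.split(".", 1) if "." in pattern else ("", pattern)
    return re.compile("^(" + _conv(predot) + ")(" + _conv(rest) + ")$")

# Translation patterns (partitions SJCtoE164 and UStoE164 on the slide).
# These are NOT class-of-service specific: every CSS sees all of them.
TRANSLATIONS = [
    {"pattern": "1XXX",                  "prefix": "+1408555", "discard_predot": False},
    {"pattern": "9.[2-9]XXXXXX",         "prefix": "+1408",    "discard_predot": True},
    {"pattern": "9011.!",                "prefix": "+",        "discard_predot": True},
    {"pattern": "9011.!#",               "prefix": "+",        "discard_predot": True},
    {"pattern": "9.1[2-9]XX[2-9]XXXXXX", "prefix": "+",        "discard_predot": True},
]

def normalise(dialed):
    """Map a dialing habit to +E.164; strings that are already +E.164 pass through."""
    for t in TRANSLATIONS:
        m = compile_pattern(t["pattern"]).match(dialed)
        if m:
            digits = m.group(2) if t["discard_predot"] else m.group(1) + m.group(2)
            return t["prefix"] + digits.rstrip("#")  # '#' only terminates variable-length dialing
    return dialed

# Route patterns per partition. Routing IS class-of-service specific: a CSS only
# sees the partitions listed for it. DNs and route-list labels are constructed.
ROUTE_PATTERNS = {
    "DN":                [(r"\+14085551001", "on-net DN"), (r"\+14085551002", "on-net DN")],
    "SJCPSTNLocal":      [(r"\+1408[2-9]XXXXXX", "LOC RL -> Local Route Group")],
    "USPSTNNational":    [(r"\+1[2-9]XX[2-9]XXXXXX", "US national route list")],
    "PSTNInternational": [(r"\+!", "international route list")],
}
CSS = {
    "SJCInternational": ["DN", "SJCPSTNLocal", "USPSTNNational", "PSTNInternational"],
    "SJCLocalOnly":     ["DN", "SJCPSTNLocal"],  # constructed restricted class of service
}

def specificity(pattern):
    """Closest-match approximation: the fewer numbers a pattern can match, the better."""
    return pattern.count("X") + pattern.count("[") + 100 * pattern.count("!")

def route(dialed, css_name):
    """Normalise, then pick the closest route pattern visible through the CSS.
    Returns (e164, partition, target); partition is None when the CoS blocks the call."""
    e164 = normalise(dialed)
    best = None
    for partition in CSS[css_name]:
        for pattern, target in ROUTE_PATTERNS[partition]:
            if compile_pattern(pattern).match(e164):
                score = specificity(pattern)
                if best is None or score < best[0]:
                    best = (score, partition, target)
    return (e164, best[1], best[2]) if best else (e164, None, None)

if __name__ == "__main__":
    for dialed, css in [("1002", "SJCInternational"), ("95551212", "SJCInternational"),
                        ("912125551000", "SJCInternational"),
                        ("9011442079460000#", "SJCInternational"),
                        ("9011442079460000", "SJCLocalOnly")]:
        print(dialed, css, "->", route(dialed, css))
```

The last call shows the toll-fraud control the slide's "Routing is CoS specific" line implies: an international number normalises correctly for everyone, but a line whose CSS lacks the PSTNInternational partition gets no route for it.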
SIP Trunking Recommendations
• Use Best Effort Early Offer on ALL Trunks
• Minimize number of SIP profiles
  • Consider default profiles first
  • avoid per-trunk SIP profiles
  • provision SIP profile per group of equivalent trunks
• Recommended SIP profile settings:
  • “Use Fully Qualified Domain Name in SIP Requests” set on all trunks and for video enabled endpoints; prevents the IP address of Unified CM from showing up in the host portion of URIs in calling identity headers
  • Enable SIP OPTIONS ping for real-time status monitoring
• SIP trunk redundancy achieved by provisioning multiple peer user agents per trunk (CMS, Expressway-C, …)
  • Avoids multiple trunk configuration
Multi-cluster Support
[Figure: three deployment variants, each with IM&P and UCM clusters serving Branch1 and Branch2, interconnected over SIP and XMPP.]
• Recommendation: Centralized Call Processing Model (Single Call Processing Cluster)
• Full-Mesh Distributed Call Processing Deployment Model when required. This model is based on multiple iterations of the Centralized Call Processing Deployment Model. Session Management Edition is out of scope for the PA.
Conferencing

[Figure: Preferred Architecture overview diagram repeated, with the Conferencing components highlighted: Cisco Meeting Server and TelePresence Management Suite, plus Cisco WebEx reached over the Internet; PSTN / ISDN at the Remote Site.]
Cisco Meeting Server
Conferencing: Cisco Meeting Server and TelePresence Management Suite

Core Components
• Cisco Meeting Server for audio and video conference resources and resource management
• Cisco TelePresence Management Suite (TMS) for conference provisioning, monitoring, and scheduling
• TMSXE for interfacing with Microsoft Exchange room and resource calendars

Key Benefits
• Simplified, optimal user experience
• Flexible, extendable architecture that supports deployment of one or more permanent, scheduled, and/or instant conference resources
• Dynamic optimization of conference resources
• High availability of conference resources
• Media resilience and rate adaptation in the video network
• A single tool for hosts to schedule participants and conference rooms for a meeting
• Multiparty licensing that enables full access to all conference resources on the bridge
Conferencing Architecture
Conferencing with Cisco Meeting Server
[Figure: Unified Communications Manager and TMS inside the enterprise, Cisco Meeting Server providing Instant, Permanent and Scheduled conferences, Expressway-C and Expressway-E in the DMZ towards the Internet.]
• How to deploy the components (Call Bridge, Web Bridge, XMPP, Database)
• Support for multiple Conference types (Instant, Permanent, Scheduled)
TMS Scheduled Meeting Components / Roles
[Figure: Active TMS and TMSXE nodes (tms.ent-pa.com) behind a Network Load Balancer with a single virtual IP address, Passive TMS and TMSXE nodes, an SQL directory, and CMS and managed devices reached over HTTPS/REST. SSH keep-alive between the TMS Active/Passive nodes.]
1. FQDN of TMS is configured in TMS Network Settings
2. The FQDN should resolve to the NLB virtual IP for TMS
3. TMS will send managed devices the TMS FQDN that resolves to the NLB for communications with TMS
TMS Scheduling Request – Components / Roles
[Figure: Outlook scheduling request flowing via MS Exchange and the Network Load Balancer (single virtual IP address) to TMSXE and TMS, which provisions CMS and managed devices over HTTPS/REST.]
1. Outlook scheduling request
2. Exchange uses Exchange Web Services (EWS) to sync the request with TMSXE via the Network Load Balancer (NLB)
3. TMSXE syncs directly with Exchange
4. TMSXE routes the request to the Active TMS via the NLB
5. TMS sends a confirmation email to the user
Cisco Meeting Server Architecture
Scalable and Resilient Deployment
[Figure: cluster of 3 servers (New York, San Francisco, Dallas), each running a Call Bridge, XMPP Server and Database, with Web Bridges in New York and San Francisco; the cluster provides both resiliency and scale.]
Cisco Meeting Server – Spaces
Spaces are virtual meeting rooms that have audio, video and content sharing capability and are accessible using a Space URI, directory number or URL.
• Immersive and non-immersive endpoints: dial the Space URI ([email protected], user portion obscured in the source; the domain is ent-pa.com) or DN 8801000
• WebRTC / Cisco Meeting App (CMA): go to https://join.ent-pa.com and enter the Conference ID or User Credentials
• Phone: dial +1(408)555-5555, then enter the IVR plus the Space Call ID
Cisco Meeting App (CMA)
• CMA can be a native desktop app, mobile app or a WebRTC supported browser
application.
• With CMA, users can login and join the conference with audio and video along
with content sharing.
• With the WebRTC browser client, users without an account in CMS can join the
conference as a guest. In addition, users can use CMA to run their meetings
such as view participants, mute and remove participants, start and stop
recording as well as create and edit their own Spaces.

Note: Cisco Meeting App can be deployed inside or outside of the enterprise
network to join a conference but only the former is covered in the PA.

Conferences Instant vs Scheduled/Permanent Configuration
Instant Conference: Media Resource Group List → Media Resource Group → Conferencing Bridge w/ HTTP Interface → SIP Trunk to CMS
Permanent and Scheduled Conferences: Route Pattern → Route List → Route Group → SIP Trunk to CMS
Instant Conference Call Flow
1. Endpoint selects the “conference” or “join/merge” button.
2. Unified CM selects the MRGL/MRG of the device to locate the conference bridge.
3. Unified CM initiates the conference to CMS via HTTP (XML-RPC).
4. CMS creates a temporary space for the conference.
5. Unified CM routes the call to the CMS bridge hosting the relevant conference space via the SIP trunk.
[Figure: ladder diagram between Host, Unified CM (UCM), CMS and Other Participants: Instant Conference Request; Instant Conference Initiated by UCM; CMS creates conference space on bridge; UCM routes call(s) to CMS Space.]
Scheduled Conference Call Flow
1. At the scheduled time TMS activates the space on CMS.
2. Endpoint dials a scheduled conference alias (URI or DN) provided by TMS.
3. Unified CM matches the dialed string to a (SIP) route pattern or route string.
4. Unified CM routes the call to CMS via the SIP trunk.
5. CMS matches the called number to the user portion of the space URI and creates the conference through the Invite.
[Figure: ladder diagram between Host, TMS, Unified CM (UCM), CMS and Participants: at the scheduled time TMS activates the space on CMS; each participant dials the conference alias (URI or DN), the alias is matched, and Unified CM routes the call(s) to the CMS Space.]
Collaboration Edge

[Figure: Preferred Architecture overview diagram repeated, with the Collab Edge components highlighted: Expressway-C and Expressway-E in the DMZ, the Integrated/Aggregated Services Router, and PSTN / ISDN access at the Remote Site.]
Collaboration Edge
Core Components
• Cisco Expressway-C and Expressway-E, for Internet connectivity and firewall traversal for voice and video
• Cisco Unified Border Element, for audio PSTN connectivity via IP trunks
• PSTN Voice Gateway (IOS), for direct audio PSTN connectivity

Key Benefits
• Connect to customers and partners, independent of the technology they are implementing and the public network they are using.
• Provide for a resilient, flexible and extendable architecture.
• Provide any hardware and software client with the ability to access any public network (Internet and PSTN).
• Provide secure VPN-less access to collaboration services for Cisco mobile and remote clients and endpoints.
Mobile and Remote Access

Expressway for Internet Connectivity (MRA / B2B)
[Figure: Enterprise Network (Unified CM, Expressway-C) | Firewall | DMZ (Expressway-E) | Firewall | Outside Network (Internet), with the signaling and media paths shown.]
1. Expressway-E is the traversal server installed in the DMZ. Expressway-C is the traversal client installed inside the enterprise network.
2. Expressway-C initiates traversal connections outbound through the firewall to specific ports on Expressway-E with secure login credentials.
3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E to maintain the connection.
4. When Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C.
5. Expressway-C then routes the call to Unified CM to reach the called user or endpoint.
6. The call is established and media traverses the firewall securely over an existing traversal connection.
Mobile and Remote Access
Delivers 3 key capabilities enabling the Expressway Mobile and Remote Access feature
• XCP Router for XMPP traffic (IM&P)
• HTTPS Reverse proxy (Provisioning)
• Proxy SIP registration to Unified CM
[Figure: Expressway-C and Expressway-E either side of the firewall, carrying HTTPS (provisioning, visual voicemail, directory) to Unity Connection and Cisco Unified CM, SIP (audio, video) to Unified CM, and XMPP (IM&P) to IM and Presence.]
Protocol Workload Summary
[Figure: Collaboration Services (Unified CM, Unified CM IM&P, Unity Connection, Conferencing Resources) inside the firewall (Intranet), Expressway-C and Expressway-E in the DMZ, the Internet outside the firewall (Public Internet).]
Protocol | Security | Service
SIP | TLS | Session Establishment – Register, Invite, etc.
Media | SRTP | Audio, Video, Content Share
HTTPS | TLS | Logon, Provisioning/Configuration, Contact Search, Visual Voicemail
XMPP | TLS | Instant Messaging, Presence
Split DNS SRV Record Requirements
• _collab-edge record needs to be available in public DNS
• Multiple SRV records (and Expressway-E hosts) should be deployed for HA
• A GEO DNS service can be used to provide unique DNS responses by geographic region
_collab-edge._tls.example.com. SRV 10 10 8443 expwy1.example.com.
_collab-edge._tls.example.com. SRV 10 10 8443 expwy2.example.com.

• _cisco-uds record needs to be available only in internal DNS
_cisco-uds._tcp.example.com. SRV 10 10 8443 ucm1.example.com.
_cisco-uds._tcp.example.com. SRV 10 10 8443 ucm2.example.com.
Expressway & Jabber Service Discovery
[Figure: Jabber client outside the firewall (Public Internet), Public DNS, Expressway-E in the DMZ, Expressway-C and Collaboration Services (Unified CM) inside the firewall (Intranet).]
1. DNS SRV lookup _cisco-uds._tcp.example.com ✗ Not Found
2. DNS SRV lookup _collab-edge._tls.example.com against Public DNS ✓ expwyNYC.example.com
3. TLS Handshake, trusted certificate verification
4. HTTPS: get_edge_config?service_name=_cisco-uds&service_name=_cuplogin
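The discovery sequence above and the split-DNS rules on the previous slide, as an added Python example that is not part of the slide deck: the client asks for _cisco-uds first (answerable only by internal DNS), falls back to _collab-edge (published in public DNS) and picks a target by SRV priority and weight as RFC 2782 describes, which is what spreads initial requests across the UCM or Expressway-E pair. An audit function checks the zones against the slide's requirements. The two zone tables are constructed from the SRV records shown; the function names and the finding texts are assumptions.

```python
import random

# Constructed split-DNS zones modelled on the SRV records in the slides.
# Each record is (priority, weight, port, target).
INTERNAL_DNS = {
    "_cisco-uds._tcp.example.com": [
        (10, 10, 8443, "ucm1.example.com"),
        (10, 10, 8443, "ucm2.example.com"),
    ],
}
PUBLIC_DNS = {
    "_collab-edge._tls.example.com": [
        (10, 10, 8443, "expwy1.example.com"),
        (10, 10, 8443, "expwy2.example.com"),
    ],
}

def select_srv(records, rng=None):
    """RFC 2782 target selection: lowest priority wins; among equal priorities the
    target is chosen at random in proportion to its weight (load balancing)."""
    if rng is None:
        rng = random.Random()
    lowest = min(priority for priority, _, _, _ in records)
    candidates = [r for r in records if r[0] == lowest]
    total = sum(weight for _, weight, _, _ in candidates)
    if total == 0:
        return candidates[0]
    pick = rng.uniform(0, total)
    running = 0
    for rec in candidates:
        running += rec[1]
        if pick <= running:
            return rec
    return candidates[-1]

def discover(domain, resolver, rng=None):
    """Jabber-style service discovery: _cisco-uds (inside the network) first,
    then _collab-edge, which lands the client on an Expressway-E for MRA."""
    uds = resolver.get(f"_cisco-uds._tcp.{domain}")
    if uds:
        _, _, port, host = select_srv(uds, rng)
        return {"mode": "internal", "host": host, "port": port}
    edge = resolver.get(f"_collab-edge._tls.{domain}")
    if edge:
        _, _, port, host = select_srv(edge, rng)
        # Next on the slide: TLS handshake with certificate verification, then
        # HTTPS get_edge_config?service_name=_cisco-uds&service_name=_cuplogin
        return {"mode": "mra", "host": host, "port": port}
    return {"mode": "none", "host": None, "port": None}

def balanced_targets(domain, resolver, draws=50, seed=0):
    """Run discovery repeatedly with a seeded RNG; report every target that was chosen."""
    rng = random.Random(seed)
    return {discover(domain, resolver, rng)["host"] for _ in range(draws)}

def audit_split_dns(internal, public, domain):
    """Defender check of the zones against the split-DNS requirements on the slide.
    Returns a list of findings (empty when the zones comply)."""
    findings = []
    if f"_cisco-uds._tcp.{domain}" in public:
        findings.append("_cisco-uds is published in public DNS; it belongs in internal DNS only")
    edge = public.get(f"_collab-edge._tls.{domain}", [])
    if not edge:
        findings.append("_collab-edge missing from public DNS; MRA discovery will fail")
    elif len({target for _, _, _, target in edge}) < 2:
        findings.append("only one Expressway-E target in _collab-edge; no HA")
    if not internal.get(f"_cisco-uds._tcp.{domain}"):
        findings.append("_cisco-uds missing from internal DNS; internal discovery will fail")
    return findings

if __name__ == "__main__":
    print("inside :", discover("example.com", INTERNAL_DNS))
    print("outside:", discover("example.com", PUBLIC_DNS))
    print("audit  :", audit_split_dns(INTERNAL_DNS, PUBLIC_DNS, "example.com"))
```

Equal priority and weight on both records is why the slide can claim load balancing of the initial UDS requests; a leaked _cisco-uds record in the public zone does not break discovery for outside clients, it just hands them an unreachable internal host name, which is why the audit flags it rather than relying on clients to notice.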
Device Mobility
Device Mobility for MRA
[Figure: an MRA device registering through the Expressway-C in RTP (10.10.20.50) and later through the Expressway-C in BLD (10.10.30.50); the device pool selected by Device Mobility sets Location, SRST Reference, Local Route Group, Media Resources, ….]
1. Register me with RTP (10.10.20.50)
2. Device in RTP
3. Register me with BLD (10.10.30.50)
4. Device in BLD

IP Subnet | Device Mobility Info | Device Pool | Location
10.10.20.50 | RTP_EXP1_DMI | RTP_EXP_DP | RTP
10.10.30.50 | BLD_EXP1_DMI | BLD_EXP_DP | BLD
10.10.40.50 | SJC_EXP1_DMI | SJC_EXP_DP | SJC
Device Mobility for MRA
Expressway-C pair | Device Mobility Info | Device Pool | Location
Redundant Expressway-C Pair RTP | RTP_EXP1_DMI 10.10.20.50/32, RTP_EXP2_DMI 10.10.20.51/32 | RTP_EXP_DP | RTP
Redundant Expressway-C Pair BLD | BLD_EXP1_DMI 10.10.30.50/32, BLD_EXP2_DMI 10.10.30.51/32 | BLD_EXP_DP | BLD
Redundant Expressway-C Pair SJC | SJC_EXP1_DMI 10.10.40.50/32, SJC_EXP2_DMI 10.10.40.51/32 | SJC_EXP_DP | SJC
Business-to-Business Communications
BRKCOL-2018 Best Practices for Business to Business Video Collaboration - Tuesday, Feb 21, 2:15 p.m.
Unified Messaging

[Figure: Preferred Architecture overview diagram repeated, with the Unified Messaging component highlighted: Unity Connection at Headquarters.]
Unified Messaging
Cisco Unity Connection: Architecture
[Figure: Unity Connection Publisher and Subscriber integrated with Unified CM over SIP, directory synchronization with Microsoft Active Directory, and mailbox synchronization with Microsoft Exchange (On-Premise or Cloud-Based). Voicemail access via VoIP to the TUI or via REST/HTTPS (Visual Voicemail); email access to voicemail (Single Inbox) via SMTP/HTTPS.]
• Redundant Unity Connection nodes
• SIP Trunk integration to Unified CM
• Integrations to directory and mail:
  » Microsoft Active Directory
  » Microsoft Exchange
• Call forwarding to Unity Connection
• Direct call to voicemail or visual mailbox navigation (Visual Voicemail)
• Email access to voicemail (Single Inbox)
Cisco Prime Management Services

[Figure: Preferred Architecture overview diagram repeated, with the Collaboration Management Services highlighted: Cisco Prime Collaboration Deployment, License Manager and Provisioning.]
Core Applications
Core Components
• Cisco Prime License Manager (PLM) eases management of user-based licensing, including license fulfillment.
• Cisco Prime Collaboration Deployment (PCD) deploys new clusters of Unified CM, IM and Presence servers and Unity Connection
• Cisco Prime Collaboration Provisioning (PCP)

Key Benefits
• Cisco Prime Collaboration Deployment (PCD) eases deployment of new infrastructure components, enabling faster initial setup
• Cisco Prime License Manager (PLM): single tool to enable license workflows and manage licensing for collaboration infrastructure components.
• Cisco Prime Collaboration Provisioning (PCP) used for user/endpoint enablement and Moves, Adds, Changes and Deletions (MACD)
Cisco Prime Collaboration Deployment
Cisco Prime Collaboration Deployment: Architecture
[Figure: a VMware ESXi host running CM_Pub, CM_Sub, IM&P_Pub, IM&P_Sub, UCXN_Pub and UCXN_Sub VMs, with the .iso files served from Prime Collaboration Deployment.]
• Cisco collaboration application .iso install files located on Prime Collaboration Deployment (PCD).
• PCD network file system (NFS) mount on ESXi host(s) to facilitate .iso file access.
• Collaboration application node virtual machines (VMs) manually created on the ESXi host.
• PCD installs collaboration application clusters on the target VMs.
Cisco Prime License Manager
Cisco Prime License Manager: Architecture
[Figure: Prime License Manager synchronized with the Unified CM Publisher and the Unity Connection Publisher, and communicating with Cisco.com.]
• Cisco Prime License Manager (PLM) enables license fulfillment:
  » Electronic [requires Internet connectivity]
  OR
  » Manual license file request
• Licenses received (over the network or via email)
• Licenses applied to system and propagated to synchronized application instances.
Cisco Prime Collaboration Provisioning
Application Program Interface (API)
[Figure: Prime Provisioning at the centre of the API connections.]
• Unified CM and Unified IM&P: AXL SOAP over HTTP(S)
• Unity Connection: REST/SQL over HTTP(S)
• Directory (Microsoft Active Directory): LDAP
Cisco Prime Collaboration Provisioning (MACD)
On-boarding / Off-boarding of Users
[Figure: Microsoft Active Directory, Cisco Prime Collaboration Provisioning, and a US Cluster and an EMEA Cluster, each with UCM, IM&P and CUC.]
1. Users imported from Active Directory to Unified CM
2. Users imported from Active Directory to Provisioning
3. Importing users from Active Directory into Provisioning triggers Automatic Service Provisioning (on the UCM, IM&P and CUC of each cluster)
4. Help desk administrators log into Cisco Prime Provisioning for configuration updates (MACDs)
Cisco Prime Collaboration Provisioning for Initial
Installation – Using Batch File Process
• Should this be added to the PA?

Simplified Sizing

PA Simplified Sizing vs. Collaboration Sizing Tool
Deployment within the PA Sizing Assumptions? If yes, use PA Simplified Sizing; otherwise use the Collaboration Sizing Tool.
Sizing Cisco Unified CM
< 5k devices and users: Publisher, TFTP 1, TFTP 2, one Call Processing subscriber pair
Between 5k and 10k devices and users: Publisher, TFTP 1, TFTP 2, two Call Processing subscriber pairs

7.5k OVA (2 vCPUs) is deployed for both deployments
7.5k OVA supported on BE7000M or larger
Sizing Unified CM – PA Assumptions
• 1:1 Server Redundancy
• Simplified User Sizing
• Sizing Assumptions for Unified CM:
• Avg up to 4 BHCA per user
• Avg up to 2 DNs per device
• Extension Mobility for ALL Users
• Up to 500 Shared Lines per Call Processing Pair
• Up to 500 CTI ports and 100 CTI Route Points per Call Processing pair
• Up to 3,000 partitions, 6,000 CSS, 12,000 Translation Patterns
• Up to 40k users synched with AD (5k or 10k active)
• etc…
• Refer to the Preferred Architecture CVD for the complete list of assumptions
http://www.cisco.com/go/cvd/collaboration
Deployment example with 5k users / 5k devices
Diagram: four BE7KM servers plus a CMS 1000 / CMS 2000
Bandwidth Management
New in Revision 11.0

Managed vs. Unmanaged Networks
Where do your media packets go?
Diagram: the Central Site hosts on-premise Call Control and UC Services. Remote Sites reach it over a QoS-capable Managed WAN (MPLS, DMVPN, VPN); Home/Mobile Users, Cloud Services, B2B and B2C traffic reach it over the Internet.
How do you preserve user experience when media traverses the Internet?
Our Strategy
Diagram, three columns: "Smart" Media Techniques (encoder/decoder exchanging LTRF, OOS/ACK and repair packets, FEC), QoS Tools (EF audio queue and AF41/AF42 video queue on the WAN link), Design & Deployment.
"Smart" Media Techniques
• Use media resilience to reduce impact of packet loss
• Apply rate adaptation to reduce network congestion
QoS Tools
• Consolidate mechanisms to identify Collaboration media
• Evolve classification and scheduling recommendations
Design & Deployment
• Leverage media resilience and rate adaptation to enable pervasive video deployments through:
  • simplified provisioning
  • optimized bandwidth utilization
WAN Queuing Considerations
Summary
Diagram: LLQ with bandwidth assigned to its classes. Audio of IP Phone, Audio of Video and Audio of Jabber (all EF) go to the PQ; Video of Video (AF41) and Video of Jabber (AF42) go to the Video CBWFQ, followed by the other queues. AF41 WRED thresholds (i.e., drop AF41 last); AF42 WRED thresholds (i.e., drop AF42 first).
• Map audio streams of voice and video calls (EF) to a priority queue
• Map video streams of video calls (AF41 and AF42) to a class-based queue with WRED:
  • AF41: higher drop thresholds (e.g., 50-100% of queue depth)
  • AF42: lower drop thresholds (e.g., 15-35% of queue depth)
• During congestion, AF42 traffic is dropped first:
  • Packet loss triggers rate adaptation
  • Media resilience limits the impact
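The drop-first / drop-last behaviour above, as an added simulation that is not part of the deck: one video CBWFQ class with per-DSCP WRED thresholds at the slide's percentages. The queue depth, the packet mix and the use of the instantaneous (not averaged) queue length are my assumptions.

```python
# Added example, not from the Cisco Live deck: WRED in a single video queue
# where AF41 is dropped last and AF42 first, as the slide recommends.
import random
from collections import deque

AF41, AF42 = 34, 36
QUEUE_DEPTH = 64                         # packets (assumed)

# WRED profile per DSCP: (min threshold, max threshold) as fractions of depth,
# taken from the slide: AF41 50-100%, AF42 15-35%.
WRED = {AF41: (0.50, 1.00),              # drop AF41 last
        AF42: (0.15, 0.35)}              # drop AF42 first

def drop_probability(dscp: int, queue_len: int) -> float:
    """Linear ramp from 0 at the min threshold to 1 at the max threshold
    (mark probability 1; real IOS uses an averaged queue length)."""
    lo, hi = (f * QUEUE_DEPTH for f in WRED[dscp])
    if queue_len < lo:
        return 0.0
    if queue_len >= hi:
        return 1.0
    return (queue_len - lo) / (hi - lo)

def simulate(arrivals_per_tick, ticks: int = 400, seed: int = 1) -> dict:
    """Offer the DSCPs in `arrivals_per_tick` every tick to a queue that
    serialises one packet per tick. Returns arrivals and drops per class."""
    rng = random.Random(seed)            # fixed seed: reproducible run
    queue = deque()
    stats = {d: {"arrived": 0, "dropped": 0} for d in WRED}
    for _ in range(ticks):
        for dscp in arrivals_per_tick:
            stats[dscp]["arrived"] += 1
            full = len(queue) >= QUEUE_DEPTH            # tail drop
            if full or rng.random() < drop_probability(dscp, len(queue)):
                stats[dscp]["dropped"] += 1             # loss -> rate adaptation
            else:
                queue.append(dscp)
        if queue:
            queue.popleft()              # one packet leaves on the WAN link
    return stats

def drop_ratio(stats: dict, dscp: int) -> float:
    arrived = stats[dscp]["arrived"]
    return stats[dscp]["dropped"] / arrived if arrived else 0.0

if __name__ == "__main__":
    # 3 packets in per tick, 1 out: the Jabber (AF42) video loses first while
    # room-system (AF41) video keeps most of its packets.
    congested = simulate([AF41, AF41, AF42])
    for dscp, name in ((AF41, "AF41"), (AF42, "AF42")):
        print(f"{name}: drop ratio {drop_ratio(congested, dscp):.2f}")
```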
Dual video queue
Diagram: LLQ with bandwidth assigned to its classes
• PQ (EF): Audio of IP Phone
• CBWFQ (CS4): Audio of TelePresence, Video of TelePresence
• CBWFQ (AF41): Audio of Desktop Video, Video of Desktop Video
• other queues
Single video queue
Diagram: LLQ with bandwidth assigned to its classes
• PQ (EF): Audio of IP Phone
• Video CBWFQ (AF41/AF42): Audio of TelePresence (AF41), Video of TelePresence (AF41), Audio of Desktop Video (AF42), Video of Desktop Video (AF42)
• other queues
Trust and Enforcement
Devices and Places in the Network: Multiple Access Policies (NOT IDEAL)
Diagram: devices attached across Access, Distribution, Core and WAN Edge, each place applying its own access policy with remarking.
• Conditionally-Trusted Endpoints (CDP support required): IP Phones, DX, TC, TX, CTS; Immersive Endpoints
• Trusted Endpoints / Devices: IOS SIP Gateway, SRST Gateway, WiFi AP, Unified BE, Unified CM, Instant Messaging and Presence Servers, Unity Connection, Expressway, IOS Router, TelePresence
• Untrusted Endpoints / Devices: Mac/PC, PC/GPO, Mac, Handheld
• Legend: Trusted Devices, Untrusted, Conditionally Trusted, Remarking
Trust and Enforcement
Devices and Places in the Network: Single Access Policy (IDEAL)
Diagram: one access policy applied at the Access layer (Access, Distribution, Core, WAN Edge) to SX, MX and IX Series endpoints, Immersive and Room System endpoints, IP Phones, Jabber and DX Series endpoints, Smart Desktop and Mac/PC; also shown: IOS SIP Gateway, SRST Gateway, Unified BE, Unified CM, Instant Messaging and Presence Servers, Unity Connection, Expressway, IOS Router, TelePresence
• Legend: Trusted Devices, Untrusted, Conditionally Trusted, Remarking
Identification and Classification: SINGLE ACL remark policy on the access switch
Jabber (untrusted; match UDP ports, remark DSCP):
• Audio streams w/ UDP Port Range 3xxx (voice-only and video calls) marked EF
• Video streams w/ UDP Port Range 5xxx marked AF42
• SIP signaling on 5060 / 5061 marked CS3
IP Phone, Smart Desktop, TelePresence Endpoints (match UDP ports and DSCP):
• Audio streams w/ UDP Port Range 17xxx and marked EF (voice-only and video calls) mark EF
• Video streams w/ UDP Port Range 17xxx marked AF41 remark AF41
• SIP signaling on 5060 / 5061 marked CS3
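The single access policy above, modelled as an added Python classifier (not code from the deck): the port ranges and DSCP values are the slide's; the Packet record, the best-effort (DF) fall-through for flows that match nothing, and the sample flows are my assumptions.

```python
# Added example, not from the Cisco Live deck: the access-switch remark policy
# from the "Identification and Classification" slide over constructed flows.
from dataclasses import dataclass

# Standard DSCP code points (EF 46, AF41 34, AF42 36, CS3 24, default 0).
EF, AF41, AF42, CS3, CS4, DF = 46, 34, 36, 24, 32, 0
SIP_PORTS = {5060, 5061}                 # SIP signaling -> CS3

@dataclass(frozen=True)
class Packet:            # hypothetical record of one flow as seen by the switch
    trusted: bool        # conditionally-trusted phone / TelePresence (CDP) vs PC
    proto: str           # "udp" or "tcp"
    port: int            # endpoint-side port of the flow
    dscp: int            # DSCP the endpoint itself wrote

def classify_untrusted(pkt: Packet) -> int:
    """Jabber on an untrusted PC: ignore its own marking, classify by port."""
    if pkt.port in SIP_PORTS:
        return CS3
    if pkt.proto == "udp" and 3000 <= pkt.port <= 3999:
        return EF                        # audio of voice-only and video calls
    if pkt.proto == "udp" and 5000 <= pkt.port <= 5999:
        return AF42                      # opportunistic video, dropped first
    return DF                            # anything else: best effort (assumption)

def classify_trusted(pkt: Packet) -> int:
    """IP Phone / Smart Desktop / TelePresence: media in 17xxx; audio marked
    EF stays EF, any other media marking (AF41, CS4) is remarked AF41."""
    if pkt.port in SIP_PORTS:
        return CS3
    if pkt.proto == "udp" and 17000 <= pkt.port <= 17999:
        return EF if pkt.dscp == EF else AF41
    return DF

def classify(pkt: Packet) -> int:
    return classify_trusted(pkt) if pkt.trusted else classify_untrusted(pkt)

# Constructed sample flows and the marking the switch should apply.
SAMPLE_FLOWS = [
    Packet(False, "udp", 3100, EF),      # Jabber audio -> EF
    Packet(False, "udp", 5100, AF41),    # Jabber video self-marked AF41 -> AF42
    Packet(False, "tcp", 5061, CS3),     # Jabber SIP/TLS -> CS3
    Packet(False, "udp", 9999, EF),      # untrusted app claiming EF -> DF
    Packet(True, "udp", 17200, EF),      # phone audio -> EF
    Packet(True, "udp", 17400, CS4),     # TelePresence video marked CS4 -> AF41
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", classify(flow))
```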
Region Matrices for Max Video Bit Rate
Example: Matrix with 3 groups
• Re-use regions configured for audio-only IP phones
• Per-site regions may not be needed if a single audio codec is used for both intra-region and inter-region calls
• Consider the default region settings to simplify a more complex matrix

Max video bit rate (kbps) between endpoint groupings:
Endpoint Groupings          | Jabber | Room System + Smart Desktop | Immersive + MCU
Jabber                      | 1500   | 1500                        | 1500
Room System + Smart Desktop | 1500   | 2500                        | 2500
Immersive + MCU             | 1500   | 2500                        | 20000
Control Plane / Data Plane
Diagram: Control Plane - E-LCAC? If YES, Call Admission Control is applied; if NO, it is not. Data Plane - QoS Scheduling + Queuing on the IP WAN.
Audio and Video Admission Control
Considerations
No Admission Control
• Over-provision queues
• Rely on Video Rate Adaptation and Media Resiliency Capabilities
• Audio is much easier to over-provision in pervasive video deployments
• QoS is critical and rate adaptation is highly beneficial for both managed and unmanaged networks
• Benefits: Simplicity
Admission Control
• Strict provisioning (Mapping CAC to Queuing)
• Mobility? Device Mobility feature (Adds OPEX)
• Benefits:
• Manage lower bandwidth links, use Automated Alternate Routing (AAR) for PSTN redirect
• Ensure quality audio during the busy hour by avoiding oversubscription and packet loss
• Safe when over-provisioning is not an option

Summary
• Combine QoS tools, media resilience and dynamic adaptation to build a self-regulating system that makes optimal use of available network resources
• Leverage rate adaptation and media resilience mechanisms in the managed network to deploy pervasive video: prioritized video for room systems and hard endpoints, opportunistic video for Jabber endpoints
• Use CAC when and where needed
  • When managing bandwidth with Media Resilience and Rate Adaptation techniques is not an option (i.e., extreme contention on WAN bandwidth)

See also BRKCOL-2616: QoS Strategies and Smart Media Techniques for Collaboration Deployments - Tuesday, Feb 21, 2:15 p.m.
Security
New in Revision 11.6
Security Session #

Examples of IP Communications Threats
• Denial of Service (DoS): affecting call quality or ability to place calls
• SPAM: SPIM, SPIT, and more SPAM
• Toll fraud: unauthorized or unbillable resource utilization
• Learning private information: Caller ID, DTMF, passwords/accounts, calling patterns, Presence information
• Eavesdropping: listening to another’s call or theft of intellectual property
• Media tampering
• Data modification
• Impersonating others: identity theft
• Session replay: replay a session, such as a bank transaction
Unauthorized Access
• Prevent Unauthorized Access – Platforms, Edge, Endpoints
• Default AND non-default configurations and what they do
• Example: Endpoints
• Configure 802.1X
• Disable web access / SSH access
• Disable PC port if not needed
• TFTP configuration file encryption (Optional)

Mitigate Toll Fraud
• Unified CM
• Calling Search Space (CSS) / Partitions for dial-plan segmentation, transfer back to
PSTN
• Unity Connection
• CSS and Rerouting CSS on Unity SIP Trunk to include only the required partitions
• Restriction Tables (phone numbers): Transfer, message notification, etc…
• Expressway
• Call Policy Rules (CPL) to allow or reject calls from the Default Zone. For example a
CPL to reject any B2B calls with 9 as a prefix to avoid unauthorized calls to the PSTN.
• Unified Border Element / IOS Gateway
• For Toll Fraud and Performance use the telephony denial-of-service (TDoS) attack
mitigation feature: Prevents responding to SIP requests arriving from untrusted IP
addresses
Unified CM Security – Eliminate Toll Fraud Examples
• Device Pool “Calling Search Space for Auto-registration” to limit access to dial plan
• Employ Time of day routing to deactivate segments of the dial plan after hours
• Require Forced Authentication Codes on route patterns to restrict access on long
distance or international calls.
• “Drop Ad hoc Conferences” (CallManager Service Parameter)
• Monitor Call Detail Records
• Employ Multilevel Administration

Unified CM Security – Eliminate Toll Fraud
(Transfers 1)
• Deny unauthorized calls
• Partitions and Calling search spaces provide dial plan segmentation and access control
• Example: Avoid Unified CM sending back to the PSTN a call coming from the PSTN
• Don’t include in Trunk CSS the partition for route patterns to PSTN
Diagram (steps 1-4): a call from the PSTN enters Unified CM through the Voice or Video GW; Unified CM looks up the dialed number with the trunk's Inbound CSS, which contains the DN partition and the Multiparty meeting partition but not the PSTN access partition; signaling and media then flow only to the matched internal destination.
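The inbound-CSS control described above, as an added model (not the deck's own code) of how Unified CM resolves a dialed string through partitions and a calling search space; the partitions, patterns and numbers are constructed and the closest-match rule is simplified.

```python
# Added example, not from the Cisco Live deck: partition / CSS lookup showing
# why a trunk CSS that omits the PSTN partition stops PSTN-to-PSTN transfers.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Pattern:
    digits: str      # Unified CM syntax: X = any digit, [2-9] = digit range,
                     # ! = one or more digits, '.' = display separator only
    partition: str   # partition the pattern lives in
    target: str      # DN, route list or bridge it resolves to

def to_regex(digits: str) -> str:
    """Translate a Unified CM dial pattern into an anchored regular expression."""
    out = [{"X": "[0-9]", "!": "[0-9]+"}.get(ch, ch)
           for ch in digits.replace(".", "")]
    return "^" + "".join(out) + "$"

def specificity(digits: str) -> int:
    """Fewer wildcard positions = closer match (approximates closest-match routing)."""
    return sum(digits.count(w) for w in ("X", "!", "["))

def route(dialed: str, css: list, patterns: list) -> Optional[Pattern]:
    """Pattern Unified CM would pick for `dialed` under `css`, or None when no
    partition in the CSS holds a match (the call is rejected)."""
    hits = []
    for p in patterns:
        if p.partition in css and re.match(to_regex(p.digits), dialed):
            # tie-break on CSS partition order, as Unified CM does
            hits.append((specificity(p.digits), css.index(p.partition), p))
    if not hits:
        return None
    return min(hits, key=lambda h: (h[0], h[1]))[2]

# Constructed dial plan.
DIAL_PLAN = [
    Pattern("1001", "DN-PT", "phone 1001"),
    Pattern("8XXX", "Meeting-PT", "multiparty meeting bridge"),
    Pattern("9.1[2-9]XX[2-9]XXXXXX", "PSTN-PT", "PSTN route list (national)"),
    Pattern("9.011!", "PSTN-PT", "PSTN route list (international)"),
]
PHONE_CSS = ["DN-PT", "Meeting-PT", "PSTN-PT"]   # internal phones may dial out
INBOUND_TRUNK_CSS = ["DN-PT", "Meeting-PT"]      # PSTN-PT deliberately omitted

def pstn_can_reach(dialed: str) -> Optional[str]:
    """Where an inbound PSTN call (or a transfer from it) to `dialed` lands,
    or None when the trunk CSS blocks it."""
    hit = route(dialed, INBOUND_TRUNK_CSS, DIAL_PLAN)
    return hit.target if hit else None

if __name__ == "__main__":
    for number in ("1001", "8100", "912125551234", "901144207946000"):
        phone = route(number, PHONE_CSS, DIAL_PLAN)
        print(f"{number:>16}: phone -> {phone.target if phone else None}")
        print(f"{'':>16}  trunk -> {pstn_can_reach(number)}")
```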
Encryption
Links to Encrypt
• Administrative and user interfaces
• SIP trunks
• Endpoint Encryption
• Within Data Center
• Multiple clusters

Links to Encrypt: SIP trunks
• Administrative and user interfaces / SIP trunks / Phone Encryption (requires Unified CM in mixed-mode) / Within Data Center / Multiple clusters: ILS and LBM
SIP trunks
• Typically:
  • Authentication: Certificates
  • Authorization: X.509 Subject Name in SIP Trunk Security Profile
• Does not require Unified CM in mixed-mode
• SIP trunk encryption is recommended
Diagram: Unified CM SIP trunks to Cisco Meeting Server, Unity Connection, Expressway, CUBE / VG
Links to Encrypt: Endpoint Encryption (Mixed-Mode, SRTP)
• Encryption for the phone media and signaling requires Unified CM to be in “Mixed-Mode”
• Requires Export Restricted version of Unified CM
• IM messages are encrypted by default and do not require mixed-mode
• Secure call has a lock icon shown on the endpoint display
Unified CM: Non-Secure vs. Mixed-Mode
Features compared for a Non Secure Cluster and a Mixed Mode Cluster:
• Auto-registration (mixed-mode support new in 11.5)
• Signed & Encrypted Phone Configs
• Signed Phone Firmware
• Secure Phone Services (HTTPS)
• CAPF + LSC
• IP VPN Phone
• SIP Trunk encryption (does not require mixed-mode)
• Secure Endpoints (TLS & SRTP) (requires mixed-mode)
Encrypted Endpoint – Basic Configuration
• With Unified CM in mixed-mode, not all endpoints need to be configured with encryption, but all the endpoints get a CTL (Certificate Trust List) file
• Notes:
  • There is also a Phone security profile which is independent from the phone type: Universal Device Template. Useful when deploying MRA
  • Encryption using the Locally Significant Certificate (LSC) instead of the Manufacturing Installed Certificate (MIC) requires an additional step
MRA – Voice/Video Encryption
• Voice/Video streams always SRTP encrypted between Exp-C and MRA client
• SIP TLS always enforced between MRA clients & Exp-E, Exp-C & Exp-E
• * Unified CM mixed mode required to achieve SRTP on internal network and SIP TLS between Exp-C and Unified CM
Diagram: Unified CM -- SIP TLS* (SIP TCP otherwise) -- Expressway-C -- Firewall -- Expressway-E (DMZ) -- Firewall -- External MRA client, with SIP TLS and SRTP on every hop from Expressway-C outward: media and signaling always encrypted
Certificate Management

Why Do We Need Certificates?
• What is a Digital Certificate?
• Includes public key and name of the certificate holder, signature
• Goal
• Authentication and encryption
• Two types of authentication
• One-way authentication
Web browsers or with Jabber login (UDS, XMPP, Unity Connection visual
voice mail)
• Two-way authentication
Endpoints in encrypted mode, MTLS trunks (e.g. Unified CM SIP trunk to
Expressway)

Endpoint Certificates
Certificate Type: MIC (Manufacturer Installed Certificate) and LSC (Locally Significant Certificate)
• Required for Media/Signaling encryption and TFTP config file encryption
• Also can be used for phone VPN and 802.1x
• When both LSC and MIC are installed on a device, LSC takes preference
Endpoint Certificates - MIC
Manufacturer Installed Certificate (MIC), signed by the Cisco CA
» Cisco IP Phones ship from the factory with a unique MIC pre-installed
» MIC is valid for 10 years
» No certificate revocation support
Notes:
• New Manufacturing SHA2 CA: signs Cisco’s newest IP Phones (88xx)
  Unified CM 10.5(1)+ includes and trusts the new SHA2 certificates
  For older Unified CM releases, download the SHA2 CA certificates at http://www.cisco.com/security/pki/certs/cmca2.cer
• No MIC on Jabber
Endpoint Certificates - LSC
Locally Significant Certificate (LSC), issued through the CAPF Service
» LSC signed by Certificate Authority Proxy Function (CAPF) Service running on Unified CM Publisher (or signed by external CA)
» Preferred certificate for endpoint identity
» Endpoint support includes IP Phones, TelePresence, Jabber clients
» LSC can be installed, re-issued, deleted in bulk with Unified CM Bulk Admin Tool
Enhancements in Unified CM 11.5 (New in 11.5)
» LSC signed by CAPF valid for up to 5 years (validity configurable in 11.5, previously fixed at 5 years)
» Can track certificate expiration (new in 11.5, previously required a paper process)
» SHA2 support
» RSA key length up to 4096 (previously up to 2048). Use Cisco Unified Reporting to verify phone support
Only LSCs are available with Jabber. LSCs are required for configuration file signature and signaling/media encryption (except for Jabber over MRA)
Endpoint Certificates - MIC vs. LSC
• MIC: Out of box certificate. Goal is to prove the phone is a genuine Cisco phone
• But…
• MIC is not specific to your own Unified CM cluster
It doesn’t prove the phone is part of your Unified CM cluster
• MIC cannot be customized/updated/deleted

Recommendation:
Use MIC certificates to authenticate with CAPF for LSC certificate installation
Use LSC for everything else (SIP TLS, VPN, 802.1x)

Monitor Certificate Expiration
• Monitor the server certificate expiration (OS Administration page)
• Monitor LSC certificate expiration (new in 11.5)
Receive Certificate Expiration Notifications (New in 11.5)
• Receive email notifications when certificates are about to expire
• For server certificates and for LSC certificates (since 11.5)
Conclusion
• Security in Layers
• Physical security, network security, host access security, encryption
• Protection against toll-fraud
• Monitor CDR, logs, search history
• Encryption
• Encrypt admin interfaces, SIP trunks, LDAP
• Enable Unified CM mixed-mode and encrypt media and signaling for the endpoints
• For multi-cluster deployment, encrypt ILS and LBM-LBM communications
• Certificates
• Endpoints: Use LSCs for SIP TLS, 802.1x, VPN. Only use MIC to get a LSC
• Get some certificates signed by a CA: Tomcat, CallManager, XMPP, Expressway,
TelePresence
• Expressway-E certificates to be signed by a public CA
• Use multi-server certificates wherever possible

Hybrid Services in the PA

Architecture
Diagram: Expressway-C with Connectors (Management Connector, Calendar Connector, Call Connector, Directory Connector) inside the enterprise network; the Directory Connector reads Active Directory; Cisco Unified CM connects to Expressway-C; Expressway-C and Expressway-E carry SIP signaling and media across the Internal FW, the DMZ and the DMZ FW to the Internet.
Spark Hybrid Services
Spark Hybrid Services Deployment Document:
http://www.cisco.com/c/dam/en/us/td/docs/solutions/PA/maroon/hybridswp.pdf

Related Breakout Sessions – VoD available in a few weeks
• BRKCOL-2607 Understanding Cloud and Hybrid Cloud Collaboration Deployment - Tuesday, Feb 21, 11:15 a.m. - 12:45 p.m. | Hall 7.3 Breakout Room 731
• BRKCOL-1120 Cisco Spark Hybrid Media Node - Tuesday, Feb 21, 11:15 a.m. - 12:45 p.m. | CityCube Level 1, Breakout Room 104
Learn More

Preferred Architectures Links
• Contact us via email: [email protected]
• Mid-Market and Enterprise PA Documents:
http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-collaboration/index.html
• Cisco Preferred Architecture for Enterprise Collaboration 11.6, Design Overview - June 2015
http://www.cisco.com/c/dam/en/us/td/docs/solutions/PA/enterprise/11x/clbpa116.pdf
• Cisco Preferred Architecture for Enterprise Collaboration 11.6, CVD - November 2015
http://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/enterprise/11x/116/collbcvd.html
• DCloud: Cisco Preferred Architecture for Enterprise Collaboration 11.0 Lab v1
http://dcloud.cisco.com/ > Collaboration > Cisco Preferred Architecture for Enterprise Collaboration 11.0 Lab v1
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Collaboration Cisco Education Offerings
Course | Description | Cisco Certification
• CCIE Collaboration Advanced Workshop (CIEC) | Gain expert-level skills to integrate, configure, and troubleshoot complex collaboration networks | CCIE® Collaboration
• Implementing Cisco Collaboration Applications (CAPPS) | Understand how to implement the full suite of Cisco collaboration applications including Jabber, Cisco Unified IM and Presence, and Cisco Unity Connection. | CCNP® Collaboration
• Implementing Cisco IP Telephony and Video Part 1 (CIPTV1) | Learn how to implement Cisco Unified Communications Manager, CUBE, and audio and videoconferences in a single-site voice and video network. | CCNP® Collaboration
• Implementing Cisco IP Telephony and Video Part 2 (CIPTV2) | Obtain the skills to implement Cisco Unified Communications Manager in a modern, multisite collaboration environment. | CCNP® Collaboration
• Troubleshooting Cisco IP Telephony and Video (CTCOLLAB) | Troubleshoot complex integrated voice and video infrastructures | CCNP® Collaboration
• Implementing Cisco Collaboration Devices (CICD) | Acquire a basic understanding of collaboration technologies like Cisco Call Manager and Cisco Unified Communications Manager. | CCNA® Collaboration
• Implementing Cisco Video Network Devices (CIVND) | Learn how to evaluate requirements for video deployments, and implement Cisco Collaboration endpoints in converged Cisco infrastructures. | CCNA® Collaboration

For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth or contact [email protected]
Thank You
