Cisco Expressway-E and Expressway-C – System Configuration


Cisco Expressway offers users outside your firewall simple, highly secure access to all collaboration workloads, including video, voice, content, IM, and presence. Collaborate with people who are on third-party systems and endpoints or in other companies. Help teleworkers and Cisco Jabber mobile users work more effectively on their device of choice.

 

Setting the System Name

The System name defines the name of the Expressway. It appears in various places in the web interface and is also used by Cisco TMS. We recommend using a name that lets you easily and uniquely identify the Expressway.

To configure the System name:

    • Go to System > Administration.

    • Configure the System name as follows:

Field       | Expressway-C | Expressway-E
System name | Enter EXPc   | Enter EXPe

    • Click Save.

 


 

Configuring DNS

System Host Name

The System host name defines the DNS hostname that this system is known by. Note that this is not the fully-qualified domain name, just the host label portion.

Note that <System host name>.<Domain name> = FQDN of this Expressway.

To configure the System host name:

  • Go to System > DNS.

  • Configure the System host name as follows:

Field            | Expressway-C | Expressway-E
System host name | Enter expc   | Enter expe

  • Click Save.

 

Domain Name

The Domain name is the name to append to an unqualified host name before querying the DNS server.

To configure the Domain name:

  • Go to System > DNS.

  • Configure the Domain name as follows:

Field       | Expressway-C              | Expressway-E
Domain name | Enter internal-domain.net | Enter example.com

  • Click Save.

The fully qualified domain name for the Expressway-C is now expc.internal-domain.net

The fully qualified domain name for the Expressway-E is now expe.example.com

 

DNS Servers

The DNS server addresses specify the IP addresses of up to five domain name servers to be used for resolving domain names. In either of the following cases you must specify at least one default DNS server for address resolution:

  • To use fully qualified domain names instead of IP addresses when specifying external addresses. For example, for LDAP and NTP servers, neighbor zones and peers.

  • To use features such as URI dialing or ENUM dialing.

The Expressway queries one server at a time. If that server is unavailable the Expressway tries another server from the list.

In the example deployment two DNS servers are configured for each Expressway, which provides a level of DNS server redundancy. The Expressway-C is configured with DNS servers which are located on the internal network. The Expressway-E is configured with DNS servers which are publicly routable.

To configure the Default DNS server addresses:

  • Go to System > DNS.

  • Configure the DNS server Address fields as follows:

Field     | Expressway-C    | Expressway-E
Address 1 | Enter 10.0.0.11 | Enter 194.72.6.57
Address 2 | Enter 10.0.0.12 | Enter 194.73.82.242

  • Click Save.

Expressway-C has a fully qualified domain name of expc.internal-domain.net

Expressway-E has a fully qualified domain name of expe.example.com

Replacing the Default Server Certificate

For extra security, you may want to have the Expressway communicate with other systems (such as LDAP servers, neighbor Expressways, or clients such as SIP endpoints and web browsers) using TLS encryption.

For this to work successfully in a connection between a client and server:

  • The server must have a certificate installed that verifies its identity. The certificate must be signed by a Certificate Authority (CA).

  • The client must trust the CA that signed the certificate used by the server.

The Expressway lets you install a certificate that can represent the Expressway as either a client or a server in connections using TLS. The Expressway can also authenticate client connections (typically from a web browser) over HTTPS. You can also upload certificate revocation lists (CRLs) for the CAs used to verify LDAP server and HTTPS client certificates.

The Expressway can generate server certificate signing requests (CSRs). This removes the need to use an external mechanism to generate certificate requests.

For secure communications (HTTPS and SIP/TLS), we recommend that you replace the Expressway default certificate with a certificate generated by a trusted certificate authority.

 

Table 3 Expressway Role in Different Connection Types

In connections...               | The Expressway acts as...
To an endpoint.                 | TLS server.
To an LDAP server.              | Client.
Between two Expressway systems. | Either Expressway may be the client. The other Expressway is the TLS server.
Over HTTPS.                     | Web browser is the client. Expressway is the server.

TLS can be difficult to configure. For example, when using it with an LDAP server we recommend verifying that the system works correctly over TCP, before you attempt to secure the connection with TLS. We also recommend using a third-party LDAP browser to verify that your LDAP server is correctly configured for TLS.

Note: Be careful not to allow your CA certificates or CRLs to expire. This may cause certificates signed by those CAs to be rejected.

To load the trusted CA list, go to Maintenance > Security > Trusted CA certificate.

To generate a CSR and/or upload the Expressway's server certificate, go to Maintenance > Security > Server certificate.

Additional server certificate requirements apply when configuring your Expressway system for Unified Communications.
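As an added example (not part of the Cisco guide or any Cisco tooling), the following Python script checks the two conditions listed above from the client side, plus the expiry note: `fetch_cert` performs a verifying TLS handshake, and `audit_cert` checks the presented name and remaining validity. The function names, the 30-day threshold and the sample certificate dictionary are assumptions made for illustration.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumed renewal threshold, not a value from the guide


def fetch_cert(host, port=443, cafile=None, timeout=5):
    """Handshake as a verifying TLS client and return the peer certificate.

    Raises ssl.SSLCertVerificationError when the chain does not end at a CA
    this client trusts (the second condition in the list above).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def san_matches(cert, fqdn):
    """True if a DNS subjectAltName equals fqdn or is a one-label wildcard for it."""
    fqdn = fqdn.lower().rstrip(".")
    parent = fqdn.split(".", 1)[1] if "." in fqdn else None
    for kind, value in cert.get("subjectAltName", ()):
        name = value.lower()
        if kind == "DNS" and (name == fqdn or (name.startswith("*.") and name[2:] == parent)):
            return True
    return False


def audit_cert(cert, fqdn, now=None):
    """Return findings for a getpeercert()-style dict; an empty list means OK."""
    now = time.time() if now is None else now
    findings = []
    if not san_matches(cert, fqdn):
        findings.append("name-mismatch")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        findings.append("expired")
    elif days_left < WARN_DAYS:
        findings.append("expires-soon")
    return findings


# Constructed sample in the shape ssl.getpeercert() returns (not a real certificate).
SAMPLE = {
    "subjectAltName": (("DNS", "expe.example.com"),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}
```

In use, call `audit_cert(fetch_cert("expe.example.com"), "expe.example.com")`; pass `cafile` when the certificate was issued by a private CA.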

 

Configuring NTP Servers

The NTP server address fields set the IP addresses or Fully Qualified Domain Names (FQDNs) of the NTP servers to be used to synchronize system time. The Time zone sets the local time zone of the Expressway.

Note: You can synchronize the Expressway-C and Expressway-E with different NTP servers, if the result is that the Expressway traversal pair are synchronized.

To configure the NTP server address and time zone:

    • Go to System > Time.

    • Configure the fields as follows, on both Expressway-C and Expressway-E:

Field        | Expressway-C        | Expressway-E
NTP server 1 | Enter pool.ntp.org  | Enter pool.ntp.org
Time zone    | GMT in this example | GMT in this example

    • Click Save.

 

Configuring SIP Domains

The Expressway acts as a SIP Registrar for configured SIP domains, accepting registration requests for any SIP endpoints attempting to register with an alias that includes these domains.

  • Registration restriction (Allow or Deny) rules can be configured to limit acceptable registrations.

  • If authentication is enabled, only devices that can properly authenticate themselves will be allowed to register.

To configure a SIP domain:

  • Go to Configuration > Domains.

  • Click New.

  • Enter the domain name into the Name field (on both Expressway-C and Expressway-E):

Field | Expressway-C      | Expressway-E
Name  | Enter example.com | Enter example.com

  • Click Create domain.

  • The Domains page displays all configured SIP domain names.
