Cisco Expressway offers users outside your firewall simple, highly secure access to all collaboration workloads, including video, voice, content, IM, and presence. Collaborate with people who are on third-party systems and endpoints or in other companies. Help teleworkers and Cisco Jabber mobile users work more effectively on their device of choice.
Setting the System Name
The System name defines the name of the Expressway. It appears in various places in the web interface and is also used by Cisco TMS. We recommend using a name that lets you easily and uniquely identify the Expressway.
To configure the System name:
Go to System > Administration.
Configure the System name as follows:
System Host Name
The System host name defines the DNS hostname that this system is known by. Note that this is not the fully-qualified domain name, just the host label portion.
Note that <System host name>.<Domain name> = FQDN of this Expressway.
To configure the System host name:
Go to System > DNS.
Configure the System host name as follows:
System host name
The Domain name is the name to append to an unqualified host name before querying the DNS server.
To configure the Domain name:
Go to System > DNS.
Configure the Domain name as follows:
The fully qualified domain name for the Expressway-C is now expc.internal-domain.net
The fully qualified domain name for the Expressway-E is now expe.example.com
The DNS server addresses specify the IP addresses of up to five domain name servers to be used for resolving domain names. In either of the following cases you must specify at least one default DNS server for address resolution:
To use fully qualified domain names instead of IP addresses when specifying external addresses. For example, for LDAP and NTP servers, neighbor zones and peers.
To use features such as URI dialing or ENUM dialing.
The Expressway queries one server at a time. If that server is unavailable the Expressway tries another server from the list.
In the example deployment two DNS servers are configured for each Expressway, which provides a level of DNS server redundancy. The Expressway-C is configured with DNS servers which are located on the internal network. The Expressway-E is configured with DNS servers which are publicly routable.
To configure the Default DNS server addresses:
Go to System > DNS.
Configure the DNS server Address fields as follows:
Expressway-C has a fully qualified domain name of expc.internal-domain.net
Expressway-E has a fully qualified domain name of expe.example.com
Replacing the Default Server Certificate
For extra security, you may want to have the Expressway communicate with other systems (such as LDAP servers, neighbor Expressways, or clients such as SIP endpoints and web browsers) using TLS encryption.
For this to work successfully in a connection between a client and server:
The server must have a certificate installed that verifies its identity. The certificate must be signed by a Certificate Authority (CA).
The client must trust the CA that signed the certificate used by the server.
The Expressway lets you install a certificate that can represent the Expressway as either a client or a server in connections using TLS. The Expressway can also authenticate client connections (typically from a web browser) over HTTPS. You can also upload certificate revocation lists (CRLs) for the CAs used to verify LDAP server and HTTPS client certificates.
The Expressway can generate server certificate signing requests (CSRs). This removes the need to use an external mechanism to generate certificate requests.
For secure communications (HTTPS and SIP/TLS), we recommend that you replace the Expressway default certificate with a certificate generated by a trusted certificate authority.
Table 3 Expressway Role in Different Connection Types
The Expressway acts as...
To an endpoint.
To an LDAP server.
Between two Expressway systems.
Either Expressway may be the client. The other Expressway is the TLS server.
Web browser is the client. Expressway is the server.
TLS can be difficult to configure. For example, when using it with an LDAP server we recommend verifying that the system works correctly over TCP, before you attempt to secure the connection with TLS. We also recommend using a third-party LDAP browser to verify that your LDAP server is correctly configured for TLS.
Note: Be careful not to allow your CA certificates or CRLs to expire. This may cause certificates signed by those CAs to be rejected.
To load the trusted CA list, go to Maintenance > Security > Trusted CA certificate.
To generate a CSR and/or upload the Expressway's server certificate, go to Maintenance > Security > Server certificate.
Additional server certificate requirements apply when configuring your Expressway system for Unified Communications.
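The requirements and the expiry note above (a server certificate signed by a CA the client trusts, nothing in the trusted CA list close to expiry, a certificate valid for the Expressway's FQDN) can be checked with the openssl command line on the files before they are uploaded. This is an added example, not part of the Cisco procedure; the function names, the file arguments and the 30-day WARN_DAYS threshold are assumptions.

```sh
#!/bin/sh
# Added example: pre-upload checks for Expressway certificate files.
# File arguments and the 30-day WARN_DAYS threshold are assumptions.
WARN_DAYS=${WARN_DAYS:-30}

# Succeeds if the first certificate in FILE expires within WARN_DAYS
# (an unreadable file is also reported, so that it gets investigated).
cert_expires_soon() {
    ! openssl x509 -in "$1" -noout -checkend "$((WARN_DAYS * 86400))" >/dev/null 2>&1
}

# Succeeds if CERT ($2) verifies against the trusted CA list ($1).
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if CERT ($1) is valid for the FQDN ($2), e.g. expe.example.com.
names_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Splits a PEM bundle and prints every CA that expires within WARN_DAYS.
# Returns 0 if none do, 1 if any do, 2 if the bundle holds no certificate.
bundle_expiring() {
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {close(f); n++; f = d "/ca" n ".pem"}
                     f {print > f}' "$1"
    rc=0
    for f in "$tmp"/ca*.pem; do
        [ -e "$f" ] || { rc=2; break; }
        if cert_expires_soon "$f"; then
            openssl x509 -in "$f" -noout -subject -enddate
            rc=1
        fi
    done
    rm -rf "$tmp"
    return "$rc"
}

# preflight CA_BUNDLE SERVER_CERT FQDN: run every check, report each failure.
preflight() {
    bad=0
    bundle_expiring "$1" || { echo "FAIL: CA list has expiring/unreadable entries"; bad=1; }
    chains_to_ca "$1" "$2" || { echo "FAIL: server cert does not chain to CA list"; bad=1; }
    cert_expires_soon "$2" && { echo "FAIL: server cert expires within $WARN_DAYS days"; bad=1; }
    names_host "$2" "$3" || { echo "FAIL: server cert is not valid for $3"; bad=1; }
    return "$bad"
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it as sh preflight.sh trusted-ca.pem server.pem expe.example.com, where the script and file names are placeholders; a non-zero exit status means at least one check failed.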
Configuring NTP Servers
The NTP server address fields set the IP addresses or Fully Qualified Domain Names (FQDNs) of the NTP servers to be used to synchronize system time. The Time zone sets the local time zone of the Expressway.
Note: You can synchronize the Expressway-C and Expressway-E with different NTP servers, provided that the result is that the Expressway traversal pair is synchronized.
To configure the NTP server address and time zone:
Go to System > Time.
Configure the fields as follows, on both Expressway-C and Expressway-E:
NTP server 1
GMT in this example
GMT in this example
Configuring SIP Domains
The Expressway acts as a SIP Registrar for configured SIP domains, accepting registration requests for any SIP endpoints attempting to register with an alias that includes these domains.
Registration restriction (Allow or Deny) rules can be configured to limit acceptable registrations.
If authentication is enabled, only devices that can properly authenticate themselves will be allowed to register.
To configure a SIP domain:
Go to Configuration > Domains.
Enter the domain name into the Name field (on both Expressway-C and Expressway-E):
Click Create domain.
The Domains page displays all configured SIP domain names.