There are 4 reference guides that is useful for the setup. You should cross reference each of those when it is needed. The way I use it is as follow:
Cisco-Expressway-Basic-Configuration-Deployment-Guide-X8-1
Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1
Cisco-Expressway-SIP-Trunk-to-Unified-CM-Deployment-Guide-CUCM-8-9-and-X8-1
Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-1-1
The purpose of this post is to help you to setup Expressway-C and E with MRA features at one single place. Hope you find it useful.
My environment: UCM 10.5, CUP 10.5, Expressway 8.1
Basic Expressway Configuration
1. First download the Expressway .ova from CCO. Expressway C and E, as well as VCS-C and E are sharing the same base image, and use license file to determine the capability.
2. Setting IP address for Expressway C and E. In Expressway E I am using a dual-NIC deployment, and the advanced networking license comes for free so it is fine. Remember to use the "xconfiguration ip route" or "xconfiguration routeadd" command to add host route back to your internal network, as your default route is pointing to your Internet service provider gateway.
3. System > Administration to set the System Name
4. System > DNS to set the System host name and domain name. hostname.domain_name = FQDN of Expressway
5. System > DNS to set Default DNS servers. For Expressway-C it is configured with the internal DNS server and Expressway-E is configured with public DNS server. This is important, because later on you will need your Expressway-C to resolve so internal SRV record to complete the Jabber and endpoint registration.
6. System > Time to setup the NTP server
Certificate and CA
In my lab I have created my own CA and sign the certificate for Exp-C, Exp-E, UCM tomcat and CUP tomcat.
1. Go to Maintenance > Security certificates > Server certificate to generate CSR
2. The Common name is your Expressway FQDN, you don't need to fill up. The Subject Alternative Name (SAN) should includes your domain name, both internal and external domain (e.g. pandaeatsbamboo.com, uc.pandaeatsbamboo.com). For Expressway C you should include the chat node aliases in SAN. You can find that under CUP admin page > Messaging > Group Chat Server Alias Mapping. For Expressway E, you should include your collaboration edge SRV record. So the SAN in your cert should look like this:
Expressway-C Subject Alternative Name: DNS:expc.uc.pandaeatsbamboo.com, DNS:conference-2-StandAloneClusterda021.uc.pandaeatsbamboo.com, DNS:conference-3-StandAloneClusterda021.uc.pandaeatsbamboo.com
Expressway-E Subject Alternative Name: DNS:expe.pandaeatsbamboo.com, DNS:_collab-edge._tls.pandaeatsbamboo.com, DNS:expe.uc.pandaeatsbamboo.com, DNS:pandaeatsbamboo.com, DNS:uc.pandaeatsbamboo.com, DNS:conference-2-StandAloneClusterda021.uc.pandaeatsbamboo.com, DNS:conference-3-StandAloneClusterda021.uc.pandaeatsbamboo.com
3. Download your CSR
4. If you have your CA in place, please skip the following steps. In my lab I am using my MacBook with OpenSSL as the CA. I have created several folders under /System/Library/OpenSSL
mkdir demoCA
cd demoCA
mkdir certs
mkdir newcerts
mkdir private
touch index.txt
echo 10 > serial
5. Copy /System/Library/OpenSSL/openssl.cnf to the demoCA directory, rename it to openssl_local.cfg
6. Modify openssl_local.cfg, under [CA_default] section, ensure the line "copy_extensions = copy" does not have a # at the beginning of the line. Change "policy = policy_match" to "policy = policy_anything". Change "dir = ./demoCA" to "dir = ." Change "default_days = 365" to 3650 (10 years)
7. Generate private key for CA with the command:
openssl genrsa -aes256 -out private/cakey.pem 4096
Enter your password to make sure you remember this, as you need this when you sign your cert.
8. Generate CA cert:
openssl req -new -x509 -days 3650 -key private/cakey.pem -config openssl_local.cfg -sha1 -extensions v3_ca -out cacert.pem
9. Enter the passphrase for the key, and enter the data requested. Keep the CA cert cacert.pem and you will need this for Expressway and endpoints later on.
10. Copy the previously generated CSR from Expressway-C and E to the demoCA folder, and sign it with the command:
openssl ca -config openssl_local.cfg -cert cacert.pem -keyfile private/cakey.pem -in expc.csr -out certs/expc.pem -md sha1
11. Upload the signed certificate - Expressway > Maintenance > Server certificate > Upload Server Certificate.
12. Upload your CA certificate if you are using your self-created OpenSSL CA - Expressway > Trusted CA certificate, choose the cacert.pem and upload.
13. Restart Expressway after certificate installation
Note: If you generate different certs with the same common name, you will get the error "openssl failed to update database. TXT_DB error number 2". If that is the case, modify your index.txt.attr file, change the unique_subject to no.
Note: If you generate different certs with the same common name, you will get the error "openssl failed to update database. TXT_DB error number 2". If that is the case, modify your index.txt.attr file, change the unique_subject to no.
Configuring the traversal zone
1. Configure Expressway-C as traversal client zone, Expressway-E as traversal server zone. Configuration > Zones > Zones
2. Click New, and fill in the fields. Make sure the username and password is created in Exp-E under Configuration > authentication > local database. Disable H.323 mode, and change the SIP TLS verify mode to "On". Make sure Media encryption mode is "Force encrypted". In Expressway-C, input FQDN instead of IP address in the Peer address field. Make sure this FQDN is in Expressway-E SAN or Common name.
Expressway-C Traversal Zone configuration
Expressway-E Traversal Zone configuration
Configuring traversal zone search rules
Configuration > Dial Plan > Search Rules
Configuring DNS Zone
Configuration > Zones > Zones
Configuring DNS zone search rules
Configuration > Dial Plan > Search rules
Configuring external (unknown) IP address routing
Configuration > Dial Plan > Configuration
Configuration > Dial Plan > Search Rules
Configuring Unified CM for an Expressway trunk
1. UCM > System > Region information > Region. Set "Maximum Session Bit Rate for Video Calls" to a suitable upper limit for the system say for 6000 kbps.
2. For the SIP profile that applies to phones, select the check box "Use Fully Qualified Domain in SIP Requests" and "Allow Presentation Sharing using BFCP".
3. UCM > System > Security > SIP Trunk Security Profile, select Non Secure SIP Trunk Profile, checked the option "Accept Unsolicited Notification" and "Accept Replaces Header". Change the port to something else other than 5060 and 5061, in my case I used 5062.
4. Create the SIP trunk. UCM > Device > Trunk > Add New. Choose SIP Trunk as the Trunk Type, SIP as Device Protocol, None for Trunk Service Type.
5. Save your configuration and reset the trunk.
6. Configure the cluster FQDN on UCM. UCM > System > Enterprise parameters, set the cluster fully qualified domain name to the same domain as the video network.
7. Call Routing > SIP Route Pattern > Add New. In my lab I use the * wildcard to route everything in SIP URI format to Expressway via the Expressway trunk.
Configuring a neighbor zone on Expressway for Unified CM
Expressway-C > Configuration > Zones > Zones
Then you can create search rules back to Unified CM based on your dial plan.
Create your jabber-config.xml
This is my sample jabber-config.xml
<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
<Client>
<CachePasswordMobile>true</CachePasswordMobile>
</Client>
<Directory>
<DirectoryServerType>BDI</DirectoryServerType>
<BDIPhotoUriSubstitutionEnabled>True</BDIPhotoUriSubstitutionEnabled>
<BDIPhotoUriSubstitutionToken>sAMAccountName</BDIPhotoUriSubstitutionToken>
<BDIPhotoUriWithToken>http://10.1.90.51/jabber/sAMAccountName.jpg
</BDIPhotoUriWithToken>
<BDIPrimaryServerName>10.1.90.10</BDIPrimaryServerName>
<BDIPresenceDomain>uc.pandaeatsbamboo.com</BDIPresenceDomain>
<BDIServerPort1>389</BDIServerPort1>
<BDISearchBase1>OU=Cisco,DC=uc,DC=xcloud-hk,DC=com</BDISearchBase1>
</Directory>
<Policies>
<EnableSIPURIDialling>true</EnableSIPURIDialling>
</Policies>
</config>
This allows SIP URI Dialing, and BDI for non-Windows domain users such as Jabber on iPhone, iPad, Android, Mac users, etc.
Configuring Expressway-C for Mobile and Remote Access (MRA)
1. Configuration > Unified Communications > Configuration
2. Configuration > Domains
3. Discover UCM and CUP on Expressway-C. First of all, make sure you have replaced the tomcat cert on UCM and CUP. Generate CSR on UCM and CUP on Unified Operating System Administration > Security > Certificate Management > Generate CSR. Under Certificate Purpose drop down box, choose tomcat. Click generate and download the CSR. Sign the certificate with your CA, in my case I used my OpenSSL CA that created in prior steps. Click "Upload Certificate / Certificate chain", choose "tomcat-trust" and upload your CA cert (e.g. cacert.pem) and click upload. Then Upload your signed tomcat cert using similar steps, but this time choose "tomcat" instead of tomcat-trust. Restart tomcat after you upload the cert. Do the same thing for your subscribers as well. Repeat the same steps for CUP.
4. Discover your UCM and CUP, make sure TLS verify mode is on. Since TLS verify is on, you need to use FQDN instead of IP address, and this FQDN should includes in your tomcat cert common name or SAN. (Probably you need to sign your CallManager cert and upload your CA as CallManager-trust in order to get the TLS verify mode to work)
5. New zones and search rules are automatically generated after discovery
Configuring Expressway-E for Mobile and Remote Access (MRA)
1. Configuration > Unified Communications > Configuration to enable mobile and remote access, similar to what you have done on Exp-C
2. Check Status > Unified Communications, make sure all Unified Communications Services are Active.
Configuring Service Discovery on Public DNS
Service: _collab-edge
Protocol: _tls
Priority: 10
Weight: 10
Port number: 8443
Host: expe.pandaeatsbamboo.com
Service: _sips
Protocol: _tcp
Priority: 10
Weight: 10
Port number: 5061
Host: expe.pandaeatsbamboo.com
Service: _sips
Protocol: _tls
Priority: 10
Weight: 10
Port number: 5061
Host: expe.pandaeatsbamboo.com
Service: _sip
Protocol: _tcp
Priority: 10
Weight: 10
Port number: 5060
Host: expe.pandaeatsbamboo.com
Service: _sip
Protocol: _udp
Priority: 10
Weight: 10
Port number: 5060
Host: expe.pandaeatsbamboo.com
Service: _sip
Protocol: _tls
Priority: 10
Weight: 10
Port number: 5061
Host: expe.pandaeatsbamboo.com
Service: _h323ls
Protocol: _udp
Priority: 10
Weight: 10
Port number: 1719
Host: expe.pandaeatsbamboo.com
Service: _h323cs
Protocol: _tcp
Priority: 10
Weight: 10
Port number: 1720
Host: expe.pandaeatsbamboo.com
Service: _h323rs
Protocol: _tcp
Priority: 10
Weight: 10
Port number: 1719
Host: expe.pandaeatsbamboo.com
Configuring Service Discovery on Internal DNS server
Domain: pandaeatsbamboo.com (not uc.pandaeatsbamboo.com)
Service: _cisco-uds
Protocol: _tcp
Priority: 10
Weight: 10
Port number: 8443
Host: ucm1.uc.pandaeatsbamboo.com
Domain: pandaeatsbamboo.com (not uc.pandaeatsbamboo.com)
Service: _cuplogin
Protocol: _tcp
Priority: 10
Weight: 10
Port number: 8443
Host: cup1.uc.pandaeatsbamboo.com
If your internal domain name (e.g. uc.pandaeatsbamboo.com) is different from external domain name (e.g. pandaeatsbamboo.com), you still need to make sure the above SRV record are under the root domain but only resolvable internally. You should not able to query the cuplogin and cisco-uds SRV record in public internet, otherwise the _collab-edge SRV record will not work and your Jabber MRA will not work.
Configure Voicemail and Jabber Photo web server access
To allow your Jabber to access voicemail, and the web server which contains the Jabber profile picture, you can configure the "HTTP server allow list" on Expressway-C:
MRA using Jabber
Download Jabber on iPhone / iPad via App Store and Jabber on Android via Google Play and give it a try!
To register EX via Expressway to UCM from Internet
Make sure you are using TC 7.1 onwards, and upload your OpenSSL CA cert to the unit. From the EX web interface, Configuration > Security > CAs > Add Certificate Authority, upload your cacert.pem file and reload the unit.
After reload, use the touch panel to run the Provisioning wizard, and choose the option Cisco UCM via Expressway. Enter your credential and it will work. Make sure on UCM you have created your device already and you have associated your users to your phone devices. On UCM you can see your EX is registered, and the IP address instead of your device internet IP address, it is your Expressway-C IP address.
That's all! This is a long post but I hope it helps!