Deploying B2B URI Dialing with Cisco UC Manager and VCS Expressway Solution BRKUCC-2340
Kevin Roarty, Technical Marketing Engineer
John Burnett, Technical Marketing Engineer
© 2013 Cisco and/or its affiliates. All rights reserved. BRKUCC-2340 Cisco Public
Abstract
With the 9.0 release of Cisco Unified Communications Manager, SIP URI dialing is now a mainstream feature that is easy to deploy within the enterprise.
URI dialing also enables elegant business reachability for voice + video or voice alone over the internet.
But how does a typical Cisco UC Manager voice deployment enable internet facing URI dialing?
And how can you enable this reachability without compromising your voice environment?
This session will cover the steps required to enable URI dialing on Cisco UC Manager including the integration with the VCS Expressway solution, emphasizing secure deployment considerations every step along the way.
Associated Sessions
BRKEVT-2319 Business to Business Video
BRKUCC-2008 Enterprise Dial Plan Fundamentals
BRKUCC-3000 Advanced Dial Plan Design for Unified Communications Networks
BRKUCC-2501 Cisco UC Manager Security
BRKEVT-2801 Cisco TelePresence: best practices for call control integration
Agenda
Reference Architecture and Targeted Call Flows (4 slides)
Enabling SIP URI dialing in UCM, plus SIP trunk (12 slides)
VCS Control Setup, including UCM neighbor zone (7 slides)
Expressway Setup (5 slides)
Define the Security Threats, discuss expanded attack surface (4 slides)
Protecting your environment w/ security in layers (8 slides)
Q & A
Targeting 40 content slides
Laying the groundwork…
Standards Based Voice and Video Federation: Unified Call Control Reference Architecture
[Diagram: inside the firewall (intranet) sit the on-premise endpoints, UCM, Collaboration Services and VCS Control; VCS Expressway sits in the DMZ; outside the firewall on the public internet are an EX90 @ Home, SIP Phones @ Partner and an EX90 @ Partner]
Call Flows in Focus (1 of 2)
[Diagram: the same reference architecture, highlighting a B2B SIP URI call between an on-premise endpoint and the partner’s video endpoint]
Call Flows in Focus (2 of 2)
[Diagram: the same reference architecture, highlighting a B2B SIP URI call between a remote endpoint registered to VCS Expressway and the partner’s video endpoint]
UCM and VCS Versions
UCM 9.1.1
VCS X7.2
SIP URI dialing in UCM
UCM Trivia Question (True or False)
UCM 8.6 supports SIP URI dialing and routing? – True
UCM 8.6 allows endpoints to register with an alphanumeric SIP URI? – False
UCM 8.6 allows local endpoints to be reached by alphanumeric SIP URI? – False
UCM 9.0 supports SIP URI dialing and routing? – True
UCM 9.0 allows endpoints to register with an alphanumeric SIP URI? – False
UCM 9.0 allows local endpoints to be reached by alphanumeric SIP URI? – True
SIP URI in UCM
UCM treats URIs as aliases for directory numbers (DNs)
Endpoints have no notion of their associated URI(s); they still register with a DN
A call to a URI behaves as if the call was made directly to the DN
Calls from an endpoint will include a URI in the caller ID if one is assigned to the DN
A call from an endpoint always includes the DN in the caller ID so it can be presented to a device that doesn’t support URIs, and those devices can return the call
UCM SIP URI Overlay Dial Plan
The URI dial plan overlays the existing (and required) numeric dial plan
Each DN can have up to 5 SIP URI aliases
Each DN with a SIP URI will have a primary SIP URI for caller ID purposes
Benefits of the URI overlay
– All UCM endpoints are reachable at a SIP URI: SIP, SCCP, Analog
– Not all IP phones can dial SIP URIs, but Speed Dials are an option
– Use a SIP alpha URI for an SNR Remote Destination
Import and Assign SIP URI
How do I add SIP URIs to my existing dial plan? The easiest approach is LDAP Directory Integration
– Recommendation is to map the mail attribute to Directory URI
– Issue w/ msRTCSIP attribute, CSCub73272
Set the end user’s primary line, if not already set, to associate the Directory URI with that DN
Other URI import options include
– Bulk Admin Tool
– AXL API
– Manual update to the DN page
UCM Directory URI Partition
End User Directory URIs will be added to the Directory URI partition
The Directory URI partition needs to be included in the dial plan by either
– Adding the partition to existing Calling Search Spaces
– Aliasing the Directory URI partition to an existing partition
UCM SIP Profile for SIP Endpoints
The SIP Profile for endpoints should have Use Fully Qualified Domain Name in SIP Requests enabled
If this parameter is not enabled, the endpoint might end up with a strange-looking connected party ID instead of seeing the dialed URI
Avoid this: [email protected]
UCM SIP Profile for SIP Trunk
Start by copying the Standard SIP Profile For Cisco VCS
The SIP Profile should have Use Fully Qualified Domain Name in SIP Requests enabled
The SIP Profile can be configured for different dial string interpretation settings
SIP OPTIONS ping enabled
UCM SIP Trunk (Integration point with VCS Control)
Recommendation is to set the Calling and Connected Party Info Format to “Deliver URI only in connected party, if available”
Associate the SIP Profile created for the VCS trunk
Configure the trunk with one or more VCS Control IP addresses
Set an appropriate CSS allowing inbound access to local URIs
UCM SIP Route Patterns
Use the SIP Route Pattern’s Domain Routing option
The * character is a wildcard, matching all numbers, alpha chars, “.” and “-”
Simplest approach is using the * pattern to match any domain, good for a default route to VCS
Option to route/block using more specific patterns (*.com, cisco.com, *.org, *.xxx)
Starting w/ UCM 9, SIP Route Patterns can now utilize a SIP Trunk or a Route List
Enterprise Parameters of Interest
URI Lookup Policy controls whether URI matching is case sensitive
– Default is case sensitive, per RFC 3261
– Suggest Case Insensitive
Specify an Organization Top Level Domain (OTLD) to allow end users to dial only the user portion of a URI (left hand side)
Also include Cluster Fully Qualified Domain Name(s) to allow routing to numeric URIs
VCS enabling video federation and remote access
VCS Trivia Question (True or False)
Did version X2.0 of VCS support URI dialing? – True
The VCS only supports URI dialing for SIP registered endpoints. – False
The VCS only supports URI dialing for IPv4 based endpoints. – False
URI dialing via DNS is the best way to reach all endpoints globally. – True
The VCS cannot provide B2B video for immersive TIP based calls. – False
The VCS can enforce security for all SIP URI based calls. – True
VCS Zone Configuration
[Screenshot of the VCS zone configuration page, with callouts for: transport protocol, signaling port, neighbor information, neighbor availability status, and the profile for different integrations]
SIP Trunk with Option Ping
[Diagram: Unified CM sends an OPTIONS ping to each Cisco VCS node; a node answering 200 OK is marked reachable, a node answering 408/503 or not answering at all is marked unreachable]
OPTIONS ping for reachability
Trunks are In-Service if a response is received
Trunks are Out-of-Service on 408 Request Timeout, 503 Service Unavailable or no response
Calls from CUCM are not sent to out-of-service servers
Avoids SIP message retry and timeouts
Can be used for all nodes in the trunk
Also covers DNS SRV queries and all hosts in the SRV responses
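As an added example (not from the session, and not UCM's own code), a small Python model of the OPTIONS ping exchange above: it builds the OPTIONS request UCM sends to each trunk destination, parses the status line of the reply, and applies the in-service/out-of-service rule to decide which VCS nodes still receive calls. Hostnames and replies are constructed placeholders.

```python
import random

def build_options(local_host, remote_host, cseq):
    """Build the SIP OPTIONS ping UCM sends to a trunk destination (RFC 3261 mandatory headers)."""
    tag = "%08x" % random.getrandbits(32)   # reused for branch, From tag and Call-ID for brevity
    return "\r\n".join([
        "OPTIONS sip:%s SIP/2.0" % remote_host,
        "Via: SIP/2.0/TCP %s;branch=z9hG4bK%s" % (local_host, tag),
        "Max-Forwards: 70",
        "From: <sip:%s>;tag=%s" % (local_host, tag),
        "To: <sip:%s>" % remote_host,
        "Call-ID: %s@%s" % (tag, local_host),
        "CSeq: %d OPTIONS" % cseq,
        "Content-Length: 0",
        "",
        "",
    ])

def parse_status(response):
    """Return the numeric status code of a SIP response, or None for no or malformed reply."""
    if not response:
        return None
    parts = response.split("\r\n", 1)[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    return int(parts[1])

def node_in_service(response):
    """Slide rule: any reply keeps the node in service, except 408, 503 or no reply at all."""
    code = parse_status(response)
    return code is not None and code not in (408, 503)

def eligible_nodes(ping_results):
    """Given {node: last OPTIONS reply or None}, return the nodes UCM would still send calls to."""
    return [node for node, reply in ping_results.items() if node_in_service(reply)]

# Constructed replies for three VCS Control nodes (placeholder hostnames).
PING_RESULTS = {
    "vcsc1.example.com": "SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n",
    "vcsc2.example.com": "SIP/2.0 503 Service Unavailable\r\n\r\n",
    "vcsc3.example.com": None,  # no response before the transaction timer expired
}

if __name__ == "__main__":
    print(build_options("ucm1.example.com", "vcsc1.example.com", 1))
    print("calls go to:", eligible_nodes(PING_RESULTS))  # ['vcsc1.example.com']
```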
VCS Advanced Zone Profile: Optimized zone profile settings for “Cisco Unified Communication Manager”
[Screenshot of the advanced zone profile settings for this profile: SIP-based presentation channel, SIP signaling and SIP INVITE handling options with their preset values]
VCS Advanced Zone Profile (Current Option): Optimized zone profile settings for CUCM “Custom”
[Screenshot of the custom zone profile settings: SIP-based presentation channel, SIP signaling and SIP INVITE handling options with their values]
VCS Search Rule Configuration (VCS Control Dial Plan Setup)
[Screenshot of the search rule page, with callouts for: pattern mode, priority, continue or stop, destination zone, and pattern behavior]
VCS Transform Configuration (VCS Control Dial Plan Setup)
[Screenshot of the transform page, with callouts for: pattern string, priority, replacement string, and pattern behavior]
VCS Expressway Traversal Client Zone
[Screenshot of the traversal client zone page, with callouts for: traversal username, traversal password, traversal type, traversal port (unique), and media encryption mode]
VCS Expressway Traversal Server Zone
[Screenshot of the traversal server zone page, with callouts for: traversal username, traversal type, traversal port (unique), and media encryption mode]
VCS Expressway DNS Zone
[Screenshot of the DNS zone page, with callouts for: H.323 mode, zone type, address of record, and media encryption mode]
How VCS Expressway Firewall Traversal Works…
[Diagram: inside network with VCS Control (B), DMZ with VCS Expressway (A), outside network / internet]
1. No inbound ports need to be opened on the internal firewall to VCS Control, minimizing the potential attack surface
2. VCS Control initiates an outbound connection through the firewall to VCS Expressway using secure login credentials
3. VCS Control sends keep-alive packets to the VCS Expressway to maintain the connection through the firewall
4. When VCS Expressway receives an incoming call, it issues an incoming call request to VCS Control
5. VCS Control then initiates the connection to the endpoint
6. The call is established and media traverses the firewall securely
Once again from the inside out, this time focusing on security
Security Threats
Eavesdropping
– Listening to or recording data without approval
Denial of Service (DoS) or Distributed Denial of Service (DDoS)
– Flooding the bandwidth or resources of a targeted system
Impersonation
– Attempting to be something or someone that you are not
Modification
– RTP stream mixing/insertion
Toll fraud
– Making calls that users are not authorized to make, usually long distance calls
SPIT (SPam over Internet Telephony)
– Nuisance calls that annoy users and lower productivity
What else?
Unified CM Dial Plan Segmentation: Partitions for SIP URIs
What if you don’t want all end users to be reachable from the internet by their SIP URI?
SIP URI import via LDAP sync places all URIs in the default Directory URI partition
Directory URIs are associated with a user, and also with a DN when the user has a primary line configured
SIP URIs can also be directly assigned to DNs
When directly assigned to a DN, the SIP URIs can reside in any partition
There are multiple options for how to import URIs, including what partition they reside in
Don’t forget about the Directory URI Alias Partition Enterprise Parameter
Unified CM Dial Plan Segmentation: Calling Search Spaces & Service Parameters
The SIP Trunk CSS allows you to shield gateways, conferencing resources, messaging applications, etc.
Verify that the existing partitions in the dial plan offer enough segmentation
Consider creating a new CSS specifically for the VCS SIP Trunk inbound traffic
If necessary, create a second SIP Trunk to VCS on a different port, with a CSS specifically for B2B traffic and a new SIP Trunk Security Profile
Consider Time of Day routing to deactivate segments of the dial plan after hours
“Drop Ad hoc Conferences” + “Block OffNet to OffNet transfer” (Service Parameters)
Don’t forget to monitor Call Detail Records
Unified CM Dial Plan Segmentation: SIP Route Patterns
Can I limit what domains my end users can and cannot call directly on UCM?
A * wildcard SIP Route Pattern routing to the VCS SIP trunk in a route partition accessible to end users provides access to any domain
SIP Route Patterns can also be set to block outbound calls to specific or wildcard domains
How can I support HA B2B reachability?
SIP Route Patterns now support a Route List if there is a need to route to multiple VCS clusters with 2 or more trunks
Alternatively, point the SIP Route Pattern directly at a SIP Trunk defined with multiple VCS nodes
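The three dial plan segmentation slides above, together with the earlier UCM SIP Route Patterns and Enterprise Parameters slides, describe one resolution path for a dialed URI. As an added example (not from the session, and not UCM's own logic), a Python model of that path: OTLD completion, case-insensitive lookup, numeric URIs to a cluster FQDN treated as DNs, Directory URI lookup limited to the partitions in the caller's CSS, and domain routing where the more specific pattern wins. All names, partitions, DNs and the most-specific-wins tie-break are assumptions.

```python
import re

# Constructed sample configuration (placeholder names, not from the session).
OTLD = "example.com"                          # Organization Top Level Domain
CLUSTER_FQDNS = {"example.com", "ucm1.example.com"}
URI_LOOKUP_CASE_INSENSITIVE = True            # the session suggests Case Insensitive

# Directory URI alias -> (DN, partition). "ops" is deliberately kept out of the
# default Directory URI partition to show segmentation.
DIRECTORY_URIS = {
    "alice@example.com": ("1001", "Directory URI"),
    "ops@example.com": ("2001", "Internal-Only URIs"),
}

# SIP Route Patterns: (domain pattern, partition, action, destination trunk).
SIP_ROUTE_PATTERNS = [
    ("*", "B2B-Out", "route", "VCS-Trunk"),   # default route to VCS Control
    ("*.xxx", "B2B-Out", "block", None),       # more specific pattern blocks
]

# Calling Search Spaces as ordered partition lists. The VCS trunk's inbound CSS
# sees only the default Directory URI partition, so internal-only URIs and the
# outbound B2B patterns are not reachable from the internet side.
CSS = {
    "Employees": ["Directory URI", "Internal-Only URIs", "B2B-Out"],
    "VCS-Inbound": ["Directory URI"],
}

def _pattern_to_regex(pattern):
    """'*' matches a run of digits, letters, '.' and '-' (per the slide); the rest is literal."""
    return "^" + re.escape(pattern).replace(r"\*", "[0-9A-Za-z.-]+") + "$"

def _normalize(dialed):
    """Append the OTLD when only the user portion was dialed; fold case if configured."""
    if "@" not in dialed:
        dialed = dialed + "@" + OTLD
    user, domain = dialed.split("@", 1)
    if URI_LOOKUP_CASE_INSENSITIVE:
        user, domain = user.lower(), domain.lower()
    return user, domain

def resolve(dialed, css_name):
    """Return ('dn', dn), ('route', trunk), ('blocked', pattern) or ('unroutable', uri)."""
    user, domain = _normalize(dialed)
    partitions = CSS[css_name]
    uri = user + "@" + domain
    # 1. A numeric URI addressed to a cluster FQDN is routed as a plain DN.
    if domain in CLUSTER_FQDNS and user.isdigit():
        return ("dn", user)
    # 2. Directory URI lookup, limited to partitions in the caller's CSS.
    for alias, (dn, partition) in DIRECTORY_URIS.items():
        key = alias.lower() if URI_LOOKUP_CASE_INSENSITIVE else alias
        if key == uri and partition in partitions:
            return ("dn", dn)
    # 3. Domain routing via SIP Route Patterns in the CSS; the pattern with the
    #    most literal characters wins (assumed tie-break, not a documented rule).
    best = None
    for pattern, partition, action, trunk in SIP_ROUTE_PATTERNS:
        if partition in partitions and re.match(_pattern_to_regex(pattern), domain):
            specificity = len(pattern.replace("*", ""))
            if best is None or specificity > best[0]:
                best = (specificity, pattern, action, trunk)
    if best is None:
        return ("unroutable", uri)
    _, pattern, action, trunk = best
    return ("route", trunk) if action == "route" else ("blocked", pattern)
```

Calls arriving on the VCS trunk resolve with the VCS-Inbound CSS, so they can reach Directory URI aliases but neither the internal-only partition nor the outbound B2B patterns.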
Unified CM SIP Trunk Security
Interested in end to end encryption on B2B calls?
UCM needs to be in mixed mode to support secure endpoints
Upload the VCS certificates to CallManager-Trust
Create a SIP Trunk Security Profile specifically for the VCS trunk, using Encrypted mode and including the VCS X.509 certificate subject name(s)
Generally not advisable to allow SRTP if not using TLS, since the SRTP keys travel in the signaling
Unified CM TelePresence Encryption Support (C/SX/EX/MX Series Endpoints)
TE6.0 & TC6.0 firmware updates allow for the following security features when registered to CUCM
Support for CTL, CAPF, LSC
Encrypted SIP signaling
sRTP for audio and video streams
Compatible with CUCM 8.6.2+
Security in Video (Layered)
[Diagram: end-to-end call path from endpoint A to endpoint B through CUCM, VCS Control (traversal client), two firewalls and VCS Expressway (traversal server) on the internet, with an MCU and TMS. Layers shown: endpoint hardening at both ends; secure conferencing (MCU, TMS ‘strong security’ or JITC); CUCM trunks and endpoints configured for security; VCS encryption On (Control) and Auto (Expressway); signaling protected with SIP-TLS, ASSENT/SIP-TLS, H.323 and H.460.18/19; media protected with SRTP/SDES and H.235/AES-128; management over HTTPS]
VCS Secure Device Authentication
The VCS supports local database authentication, H.350 extended LDAP directory, and Active Directory authentication for Jabber Video (Movi)
Endpoints can be authenticated for registration and provisioning
Endpoints are authenticated with name and password when using the local database
Endpoints are authenticated with username, authentication credentials (generated from the password), and alias when using the H.350 directory
Use TLS to encrypt the connection to any external LDAP server
VCS Call Authentication
Allow all calls through but differentiate between authenticated and unauthenticated calls
Set Do Not Check Credentials on the VCS Expressway default zone
– This ensures all calls from outside your organization come through as unauthenticated
– Any P-Asserted-Identity headers are stripped
Set specific search rules for any valued resources such as an ISDN gateway (toll fraud)
– Use CPL rules to block unauthenticated access to valued resources
– Set authentication in the specific search rule to Check Credentials
VCS Call Authentication
Use authentication for all registered devices in the configured subzone
Set specific membership rules in the subzone where possible
Turn off registration to the default subzone
Use Registration Allow rules to specify who can register
Active FW/NAT Traversal: VCS Firewall traversal (recommended, most secure)
[Diagram: VCS Control (A) behind the internal FW / NAT, VCS Expressway (B) with a private IP address behind the public-facing FW / NAT, then the internet]
No inbound ports need to be opened on the internal firewall
Expressway in the DMZ is allowed to have a non-public/private IP address
Static NAT on VCS Expressway requires the Dual Network Interface option
Minimize inbound ports to the documented ranges that need to be opened through the public facing firewall
Endpoints can register directly to VCS Expressway
Non-registered endpoints can send calls to VCS Expressway
Secure Signaling and Media: Expressway Media Encryption, RTP to SRTP
Auto: No media encryption policy applied by the VCS
Best Effort: Use encryption if available, otherwise fall back to unencrypted
Force Encrypted: All media must be encrypted
[Diagram: Unified CM – VCS Control (media encryption mode: On) – VCS Expressway (media encryption mode: Force Encrypted) – endpoint A on the internet; TCP signaling with RTP on the Unified CM leg, TLS signaling with SRTP on the VCS legs; a Best Effort mode label is also shown]
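As an added example (not from the session, and not VCS code), a Python check of the three media encryption modes above against the SDP of a SIP offer: it inspects each m= line for RTP/SAVP with SDES key material and decides whether the call proceeds as SRTP, falls back to RTP, or is refused. The SDP bodies, addresses and key material are constructed placeholders, and treating Auto as a pass-through of whatever was offered is an assumption.

```python
# Constructed SDP offers (placeholder addresses and key material, not real keys).
SRTP_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 198.51.100.10", "s=-", "c=IN IP4 198.51.100.10", "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_MATERIAL_AUDIO",
    "m=video 51372 RTP/SAVP 96",
    "a=rtpmap:96 H264/90000",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_MATERIAL_VIDEO",
])
# Same offer with plain RTP: AVP transport and no key material at all.
RTP_OFFER = "\r\n".join(
    line for line in SRTP_OFFER.replace("RTP/SAVP", "RTP/AVP").split("\r\n")
    if not line.startswith("a=crypto:")
)

def media_sections(sdp):
    """Return [(media type, transport, has SDES key)] for each m= section of an SDP body."""
    sections = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()          # e.g. ['audio', '49170', 'RTP/SAVP', '0']
            sections.append([fields[0], fields[2], False])
        elif line.startswith("a=crypto:") and sections:
            sections[-1][2] = True             # key material belongs to the current m= line
    return [tuple(s) for s in sections]

def offers_srtp(sdp):
    """True only if every media line uses RTP/SAVP and carries SDES key material."""
    sections = media_sections(sdp)
    return bool(sections) and all(t == "RTP/SAVP" and k for _, t, k in sections)

def apply_policy(mode, sdp):
    """Apply a VCS media encryption mode to an inbound offer.
    Returns (outcome, reason) with outcome 'srtp', 'rtp' or 'reject'."""
    srtp = offers_srtp(sdp)
    if mode == "Force Encrypted":
        # All media must be encrypted: a plain or partially encrypted offer is refused.
        return ("srtp", "all media lines encrypted") if srtp else ("reject", "unencrypted media not permitted")
    if mode == "Best Effort":
        # Use encryption if offered, otherwise fall back to unencrypted RTP.
        return ("srtp", "offer carried SRTP") if srtp else ("rtp", "fallback to unencrypted")
    if mode == "Auto":
        # No policy applied by the VCS (assumed: the offer passes through as it was made).
        return ("srtp" if srtp else "rtp", "no policy applied")
    raise ValueError("unknown media encryption mode: %r" % mode)

if __name__ == "__main__":
    for mode in ("Auto", "Best Effort", "Force Encrypted"):
        print(mode, "->", apply_policy(mode, SRTP_OFFER), apply_policy(mode, RTP_OFFER))
```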
Configuring Security on VCS Side
[Screenshot: SIP port for TLS, active on port 5061]
Configuring Security on VCS Side
[Screenshot callouts: Generate CSR; Register Secure Endpoint]
VCS Secure Administrative Best Practices
HTTP, HTTPS, Telnet, SSH and SNMP are all protocols used to manage and monitor the VCS
Set up remote account authentication for AD authentication of admin user access to the VCS
– Use TLS & Secure LDAP (port 636) for an encrypted connection to the AD server
If web access is desirable to administer the VCS, disable HTTP and use HTTPS
Load PKI certificates for HTTPS
Enable CRLs and HTTPS client certificate validation
Use firewall rules in the VCS to restrict access to the VCS to specific IP addresses or IP address ranges
VCS Secure Administrative Best Practices: Recommendations
Disable SNMP or use SNMPv3 with firewall rules
Set your session timeout period to a nonzero value
Disable remote logging
Use TLS encryption for login account access to the LDAP server
Set CRL checking to all
Do not enable incident reporting
Use HTTPS for external management, e.g. for TMS, and enable certificate checking
Apply best practices for perimeter security to the VCS, e.g. block external access to well-known ports below 1024
Wrapping things up…
Key Takeaways
SIP URI dialing enables simple voice and video reachability
UCM 9 allows for an elegant SIP URI overlay on your existing dial plan
VCS Expressway provides open, standards based voice and video federation
You are now armed with the knowledge to deploy secure B2B SIP URI dialing for your employees or customers
Reference Deployment Guides
VCS and UCM Deployment Guide
http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Cisco_Unified_Communications_Manager_Deployment_Guide_CUCM_8_9_and_X7-2.pdf
Unified CM System Guide SIP URI Chapter
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/9_1_1/ccmsys/CUCM_BK_C5565591_00_cucm-system-guide-91_chapter_010011.html
VCS Basic Configuration VCS Control with Expressway Deployment Guide
http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_X7-2.pdf
VCS IP port usage for firewall traversal
http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X7-2.pdf
Reference Deployment Guides
VCS Authenticating Accounts Deployment Guide
http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Authenticating_Accounts_Using_LDAP_Deployment_Guide_X7-2.pdf
VCS Authenticating Devices Deployment Guide
http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Authenticating_Devices_Deployment_Guide_X7-2.pdf
VCS Administration Guide
http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/admin_guide/Cisco_VCS_Administrator_Guide_X7-2.pdf
Reference Blog Posts
UCM SIP Trunk TLS Configuration and Troubleshooting
https://supportforums.cisco.com/docs/DOC-18689
IP Phone Security and CTL
https://supportforums.cisco.com/docs/DOC-18834
Communications Manager Security By Default and ITL Operation and Troubleshooting - Cisco Support Community
https://supportforums.cisco.com/docs/DOC-17679
Thanks to the Cisco Support Community
Reference Cisco Press Text
Akhil Behl, CCIE No. 19564
Solutions Architect, Cisco Advanced Services
http://www.ciscopress.com/title/1587142953
Published August 31, 2012