Cisco Confidential 1 © 2011 Cisco and/or its affiliates. All rights reserved. Alejandro Rodriguez Collaboration Systems Engineer Nov 20, 2013.


1 Alejandro Rodriguez, Collaboration Systems Engineer, Nov 20, 2013

2 Product Naming & Positioning
Solution Overview
Deployment Considerations
Expressway Setup
Security Considerations
UCM Requirements
Platform Choices & Scale
Licensing & Migration
Competitive Landscape


4 Collaboration Edge: umbrella term describing Cisco’s entire collaboration architecture for edge... features and services that help bridge islands to enable any to any collaboration… …collaborate with anyone anywhere, on any device….
Collaboration Edge Architecture core products include: Cisco Expressway; CUBE; TDM & Analog Gateways; SRST.
Is Jabber VPN-less access Collab Edge?
The Collaboration Edge architecture includes VPN-less access for Jabber.
This capability is enabled by the Cisco Expressway product.
It is specifically labeled “remote and mobile access” at the feature level.
It is delivered in the X8.1 software release.

5 Empower the workforce with in-office collaboration anywhere, to anyone, on any device: Voice, Video, Messaging, Content.
Use Cisco’s simplified, secure deployments: easy for the end-user, easy for IT.
Design your network to leave no one behind: open, standards-based; accommodate legacy systems and endpoints.
[Graphic labels: Video, IM&P, Voice, Content]

6 Expressway (New Offering, X8.1): “Expressway C” or Core; “Expressway E” or Edge.
Solution designed for and sold exclusively with UCM 9.1 and above
Remote and mobile access for Jabber and fixed endpoints
B2B Video and Audio for UC customers
Jabber Guest
Gateway 3rd party UC solutions (Lync, Polycom)
VCS: “VCS Control” (No Change); “VCS Expressway” (No Change).
Specialized video applications for video-only customer base (GK, SIP Proxy, interworking, traversal)
For customers that require endpoints to register to VCS
Gateway 3rd party UC solutions (Lync, Polycom)

7 [Diagram labels: UCM with IM&P (Core Call Control & Endpoint Registration); Expressway (Any-to-Any Interoperability, Remote and Mobile Access, Video Applications); Internet; B2B; Remote & Mobile Registration to UCM; IM&P; Video and Audio Federation; Jabber; Interoperability; HCS; One Multiparty Deployment Model* (* roadmap)]

8 Seamless User Experiences; Simple, Secure Access; No One Left Behind
Consumer to Business: integrated customer relationships re-imagined. Jabber Guest.
Remote and Mobile Worker Access: consistent user experience outside the corporate network. Jabber Mobile, Desktop & TelePresence Endpoints.
Cloud Services: enterprise flexibility and scalability. WebEx and TelePresence Together, Service Provider Offerings.
Business to Business: secure communications with partners, customers & suppliers over the internet. Open, DNS-based URI dialing.
[Diagram label: Cisco Unified Communications Manager]

9 AnyConnect VPN: Layer 3 VPN solution. Secures the entire device and its contents. AnyConnect allows users access to any permitted applications & data.
Expressway Firewall Traversal (New Offering): session-based firewall traversal. Allows access to collaboration applications ONLY. Personal data is not routed through the enterprise network.
[Diagram label: Unified CM & applications]

10 Service Category | Type of Service | Service Delivery | Primary Competitor | Product Position
Remote and Mobile | Line: Audio, Video, Directory Search, Visual Voicemail, Content Share | Internet or Private | MSFT | Expressway (X8.1)
Remote Fixed | Line: Audio, Video, Directory Search, Content Share | Internet or Private | Polycom | Expressway (X8.1)
Remote Fixed | Line: Audio | HCS; IPSec or TLS Proxy | ACME | CUBE; VPN Phone, CVO, CUBE
PSTN | Trunk: Audio | Private SIP Trunk | ACME | CUBE
Video | Trunk: Video, Conferencing | Private SIP Trunk | | Expressway or CUBE
Remote Fixed | Line: Audio, Video, Directory Search, CTI/QBE | Internet or Private | Polycom | AnyConnect (today); Expressway (CY14 roadmap)
Device column labels: Jabber DX XX, 7XXX, 89XX, 99XX TelePresence SIP Trunk


12 [Diagram labels: Internet, Outside Network, Firewall, DMZ, Expressway E, Firewall, Enterprise Network, Expressway C, UCM, Media, Signaling]
1. Expressway E is the traversal server installed in DMZ. Expressway C is the traversal client installed inside the enterprise network.
2. Expressway C initiates traversal connections outbound through the firewall to specific ports on Expressway E with secure login credentials.
3. Once the connection has been established, Expressway C sends keep-alive packets to Expressway E to maintain the connection.
4. When Expressway E receives an incoming call, it issues an incoming call request to Expressway C.
5. Expressway C then routes the call to UCM to reach the called user or endpoint.
6. The call is established and media traverses the firewall securely over an existing traversal connection.

13 The X8.1 release delivers 3 key capabilities enabling the Expressway Remote and Mobile Access feature:
XCP Router for XMPP traffic
HTTPS reverse proxy
Proxy SIP registrations to UCM
(Details on new firewall port requirements are covered later.)

14 Make voice and video calls
Instant Message and Presence
Access visual voicemail
Search corporate directory
Launch a web conference
Share content
[Diagram labels: Inside firewall (Intranet), Outside firewall (Public Internet), Collaboration Services, Internet, DMZ, Expressway E, Expressway C, Unified CM]

15 UCM provides call control for both mobile and on-premise endpoints.
Media Traversal: “C” calls “A” on-premise. Expressway solution provides firewall traversal for media. Expressway C de-multiplexes media and forwards toward “A”.
Media Relay: “C” calls “B” off-premise. Media is relayed via Expressway C.
Optimized Media (roadmap ICE support): “B” calls “D” off-premise. Both “B” and “D” are ICE-enabled. STUN binding success. Media flows are optimized between endpoints.
[Diagram labels: endpoints A, B, C, D; Inside firewall (Intranet); Outside firewall; DMZ; Internet; Expressway E; Expressway C; Collaboration Services; UCM; SIGNALING; MEDIA]

16 Cisco Expressway X8.1 (Dec 2013)
Cisco Unified CM 9.1+
Cisco Jabber 9.6
Cisco TelePresence TC 7.0
Note: No support for Cisco Unified CM 8.6.
ICE (STUN/TURN) support not included in Cisco Unified CM 10.0, on roadmap for 10.5.

17 DNS SRV lookup _cisco-uds._tcp.example.com: Not Found ✗
DNS SRV lookup _collab-edge._tls.example.com: expwyNYC.example.com ✓
TLS Handshake, trusted certificate verification
HTTPS: get_edge_config?service_name=_cisco-uds&service_name=_cuplogin
[Diagram labels: Public DNS, Outside firewall (Public Internet), DMZ, Inside firewall (Intranet), Expressway E, Expressway C, Collaboration Services, UCM]


19 Protocol | Security | Service
SIP | TLS | Session Establishment – Register, Invite, etc. via UCM
Media | SRTP | Audio, Video, Content Share, Advanced Control (RTP/SRTP, BFCP, iX/XCCP)
HTTPS | TLS | Logon, Provisioning/Configuration, Contact Search, Visual Voicemail
XMPP | TLS | Instant Messaging, Presence
[Diagram labels: Inside firewall (Intranet), Outside firewall (Public Internet), Internet, DMZ, Expressway E, Expressway C, Collaboration Services, Unified CM, Unified CM IM&P, Conference Resources, Other UC Infrastructure & Resources]

20 Protocol | Security | Service
SIP | TLS | Session Establishment – Register, Invite, etc. via UCM
Media | SRTP | Audio, Video, Content Share, Advanced Control (RTP/SRTP, BFCP, iX/XCCP)
HTTPS | TLS | Logon, Provisioning/Configuration, Contact Search, Visual Voicemail
XMPP | TLS | Instant Messaging, Presence
[Diagram labels: Inside firewall (Intranet), Outside firewall (Public Internet), Internet, DMZ, WebEx Messenger, Expressway E, Expressway C, Collaboration Services, Unified CM, Conference Resources, Other UC Infrastructure & Resources]

21 Jabber allows for multiple contact source integrations.
LDAP Directory sync provides corporate directory to UCM.
Corporate directory is also exported to WebEx Messenger cloud.
All Jabber clients will use WebEx Messenger cloud as a contact source for contact search.
[Diagram labels: Inside firewall (Intranet), Outside firewall (Public Internet), Internet, DMZ, LDAP, sync, WebEx Messenger, Collaboration Services, Expressway E, Expressway C, Unified CM]

22 Jabber allows for multiple contact source integrations.
LDAP Directory sync provides corporate directory to UCM.
User Data Services (UDS) is a UCM RESTful API allowing for contact search, among other things.
All Jabber clients connecting via Expressway will use UDS for contact search.
Jabber clients deployed on-premise will use LDAP for directory search.
Jabber clients will automatically use UDS for directory search when connecting via Expressway.
The entire corporate directory needs to be sync’d on every UCM cluster for best contact search experience.
[Diagram labels: Inside firewall (Intranet), Outside firewall (Public Internet), Internet, DMZ, LDAP, sync, UDS, EDI/BDI, Collaboration Services, Expressway E, Expressway C, Unified CM]

23 Cluster Expressways for scale and redundancy.
Expressway clusters support up to 6 peers.
Expressway E and C node types cannot be mixed in the same cluster.
Deploy equal number of peers in Expressway C and E clusters.
Deploy same OVA sizes throughout cluster.
Expressway remote access is limited to one customer domain per cluster.
However, customers can deploy multiple clusters for the same customer domain.

24 This model is still supported for traditional VCS Expressway deployments.
But this is not supported for the new remote and mobile access functionality introduced in X8.1.
Expressway X8.1 remote access requires an Expressway C cluster for each Expressway E cluster.
Only one “Remote & Mobile Access” enabled Traversal zone per cluster.
[Diagram labels: Inside firewall (Intranet), Outside firewall (Public Internet), Internet, DMZ, Expressway E Cluster A, Expressway E Cluster B, Expressway C, Collaboration Services, Unified CM]

25 This deployment model is often used in environments with heightened security policies.
This model is still supported for traditional VCS deployments, or Expressway deployments that do not require the remote and mobile access feature.
But this is not supported for the new remote and mobile access functionality introduced in X8.1.
Only one “Remote & Mobile Access” enabled Traversal zone per cluster.
[Diagram labels: Outside firewall (Public Internet), Internet, DMZ A: Expressway E Traversal Server, DMZ B: Expressway C/E Traversal Server & Traversal Client, Inside firewall (Intranet): Expressway C Traversal Client, Collaboration Services, Unified CM]

26 _collab-edge record needs to be available in Public DNS.
Multiple records can be used to allow for HA.
A GEO DNS service can be used to provide unique DNS responses by geographic region.
_cisco-uds record needs to be available only on internal DNS (available to Expressway C).
_collab-edge._tls.example.com. SRV expwy1.example.com.
_collab-edge._tls.example.com. SRV expwy2.example.com.
_cisco-uds._tcp.example.com. SRV ucm1.example.com.
_cisco-uds._tcp.example.com. SRV ucm2.example.com.
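The split-DNS layout on this slide and the lookup order shown on slide 17 can be checked offline against zone data. This is an added example, not part of the original deck and not Cisco code; the zone text, TTLs, priority/weight values and the port 8443 are constructed, and all function names are hypothetical.

```python
from typing import Dict, List, NamedTuple, Tuple

UDS = "_cisco-uds._tcp"       # slide 26: internal DNS only
EDGE = "_collab-edge._tls"    # slide 26: must exist in public DNS


class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


Zone = Dict[str, List[Srv]]

# Constructed sample zones (names follow the slide, numeric fields are assumed).
PUBLIC = """
_collab-edge._tls.example.com. 300 IN SRV 10 10 8443 expwy1.example.com.
_collab-edge._tls.example.com. 300 IN SRV 10 10 8443 expwy2.example.com.
"""
INTERNAL = """
_cisco-uds._tcp.example.com. 300 IN SRV 10 10 8443 ucm1.example.com.
_cisco-uds._tcp.example.com. 300 IN SRV 10 10 8443 ucm2.example.com.
"""
# Misconfiguration: the internal-only record also published externally.
LEAKY_PUBLIC = PUBLIC + (
    "_cisco-uds._tcp.example.com. 300 IN SRV 10 10 8443 ucm1.example.com.\n")


def parse_zone(text: str) -> Zone:
    """Parse 'name [ttl] [IN] SRV priority weight port target' lines."""
    zone: Zone = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop zone-file comments
        upper = [f.upper() for f in fields]
        if "SRV" not in upper:
            continue
        rdata = fields[upper.index("SRV") + 1:]
        if len(rdata) != 4:
            raise ValueError(f"bad SRV rdata: {raw!r}")
        prio, weight, port = (int(x) for x in rdata[:3])
        name = fields[0].rstrip(".").lower()
        zone.setdefault(name, []).append(
            Srv(prio, weight, port, rdata[3].rstrip(".").lower()))
    return zone


def lookup(zone: Zone, service: str, domain: str) -> List[Srv]:
    # Lowest priority first, then higher weight: a simplification of the
    # weighted random selection that RFC 2782 specifies.
    recs = zone.get(f"{service}.{domain}".lower(), [])
    return sorted(recs, key=lambda r: (r.priority, -r.weight, r.target))


def discover(zone: Zone, domain: str) -> Tuple[str, List[str]]:
    """Follow slide 17's order: _cisco-uds first, _collab-edge if not found."""
    for mode, service in (("on-premise", UDS), ("edge", EDGE)):
        recs = lookup(zone, service, domain)
        if recs:
            return mode, [f"{r.target}:{r.port}" for r in recs]
    return "none", []


def audit(domain: str, public: Zone, internal: Zone) -> List[str]:
    """Return findings where the two DNS views break slide 26's rules."""
    findings = []
    edge = lookup(public, EDGE, domain)
    if not edge:
        findings.append("public DNS has no _collab-edge._tls record")
    elif len(edge) < 2:
        findings.append("single _collab-edge._tls record: no HA")
    if lookup(public, UDS, domain):
        findings.append("_cisco-uds._tcp is published in public DNS")
    if not lookup(internal, UDS, domain):
        findings.append("internal DNS has no _cisco-uds._tcp record")
    return findings


if __name__ == "__main__":
    pub, leaky, inside = (parse_zone(z) for z in (PUBLIC, LEAKY_PUBLIC, INTERNAL))
    print(discover(pub, "example.com"), audit("example.com", pub, inside))
    print(discover(leaky, "example.com"), audit("example.com", leaky, inside))
```

With the leaky public zone, a client outside the firewall finds _cisco-uds first and never reaches the _collab-edge lookup, which is the failure the internal-only rule prevents.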

27 [Diagram: Expressway edge access with Geo DNS. DNS SRV lookup _collab-edge._tls.example.com resolves to expwy.us.example.com, expwy.uk.example.com or expwy.jp.example.com. UCM regional clusters: US (SJC, DFW, RTP), Europe (PAR, AMS, LON), Asia (TKY, HKG, BGL). SME global aggregation: US SME, EU SME, Asia SME. Legend: SIP Trunk, SIP Line, Expressway Traversal]


29 Enable Remote & Mobile Access feature toggle, Configuration > Unified Communications
Provide a single IM&P Publisher address and supply admin credentials to discover all IM&P nodes deployed across the Enterprise
Provide UCM Publisher address and supply admin credentials for each UCM cluster
Expressway C connects to each Publisher and discovers all cluster nodes
Neighbor Zone auto-generated for each UCM node
Search Rules auto-generated for each UCM node
Add the customer domain as type Unified CM
Generate certificate signing requests and procure CA signed certs
Configure Traversal Zone with Remote & Mobile Access feature enabled


31 Expressway E server will be listening on TCP 8443 for HTTPS traffic.
Basic remote & mobile access configuration allows inbound authenticated HTTPS requests to the following destinations on the enterprise network:
All discovered UCM nodes: TCP 6970 (TFTP file requests) & TCP 8443 (UDS API)
All discovered IM&P nodes: TCP 7400 (XCP Router) & TCP 8443 (SOAP API)
HTTPS traffic to any additional hosts needs to be administratively added to the allow list.
This provides a mechanism to support Visual Voice Mail access, contact photo retrieval, Jabber custom tabs, etc.

32 Not a general purpose reverse proxy, intended for Cisco clients only!
Initial get_edge_config and internal SRV record request (decrypted):
GET /dWNkZW1vbGFiLmNvbQ/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1
Authorization: Basic bWR1ZGU6dGhpc3Bhc3N3ZHdpbGxiZXJlc2V0
Host: collabedge1e.ucdemolab.com:8443
Accept: */*
User-Agent: Jabber-Win-472
Callouts: the Authorization value is the Base64 encoded credentials; the first path segment Base64 decodes to ucdemolab.com.
Subsequent home cluster discovery request (decrypted):
GET /dWNkZW1vbGFiLmNvbS9odHRwcy9jdWNtLXB1Yi51Y2RlbW9sYWIuY29tLzg0NDM/cucm-uds/clusterUser?username=mdude HTTP/1.1
Host: collabedge1e.ucdemolab.com:8443
Accept: */*
Cookie: X-Auth=7f e61f-483a-8620-ed0b5d3792db
User-Agent: Jabber-Win-472
Callouts: the first path segment Base64 decodes to ucdemolab.com/https/cucm-pub.ucdemolab.com/8443; the Cookie header carries the X-Auth token.
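For reviewing decrypted proxy traces like the two above, the routing prefix can be decoded and compared with the destinations slide 31 permits, and the Basic header reduced to a username before it reaches a log. This is an added example, not part of the original deck and not Cisco code; the prefix layout (domain, or domain/scheme/host/port) is inferred from the two decodes on this slide, and the allow-list contents and function names are assumptions.

```python
import base64
from typing import NamedTuple, Optional, Set, Tuple

# Constructed allow list mirroring slide 31's defaults for one UCM node:
# TCP 6970 (TFTP file requests) and TCP 8443 (UDS API).
ALLOWED_TARGETS: Set[Tuple[str, int]] = {
    ("cucm-pub.ucdemolab.com", 6970),
    ("cucm-pub.ucdemolab.com", 8443),
}

# The two request lines shown on this slide.
INITIAL = ("GET /dWNkZW1vbGFiLmNvbQ/get_edge_config"
           "?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1")
DISCOVERY = ("GET /dWNkZW1vbGFiLmNvbS9odHRwcy9jdWNtLXB1Yi51Y2RlbW9sYWIuY29tLzg0NDM"
             "/cucm-uds/clusterUser?username=mdude HTTP/1.1")


class EdgeRoute(NamedTuple):
    domain: str               # customer domain named by the client
    scheme: Optional[str]     # inner protocol, None when only a domain is sent
    host: Optional[str]       # internal host the proxy is asked to reach
    port: Optional[int]
    inner_target: str         # path and query after the encoded segment


def _b64_text(token: str) -> str:
    """Decode unpadded Base64 (standard or URL-safe alphabet) to ASCII text."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
        return raw.decode("ascii")
    except ValueError as exc:   # covers binascii.Error and UnicodeDecodeError
        raise ValueError(f"not valid Base64 text: {token!r}") from exc


def parse_edge_request(request_line: str) -> EdgeRoute:
    """Split 'GET /<b64 prefix>/<inner target> HTTP/1.1' and decode the prefix."""
    pieces = request_line.split()
    if len(pieces) != 3:
        raise ValueError("malformed request line")
    segment, _, inner = pieces[1].lstrip("/").partition("/")
    parts = _b64_text(segment).split("/")
    if len(parts) == 1 and parts[0]:
        return EdgeRoute(parts[0].lower(), None, None, None, "/" + inner)
    if len(parts) == 4 and all(parts) and parts[3].isdigit():
        port = int(parts[3])
        if 0 < port < 65536:
            return EdgeRoute(parts[0].lower(), parts[1].lower(),
                             parts[2].lower(), port, "/" + inner)
    raise ValueError(f"unexpected routing prefix: {parts!r}")


def is_allowed(route: EdgeRoute, expected_domain: str,
               allow: Set[Tuple[str, int]] = ALLOWED_TARGETS) -> bool:
    """True when the decoded prefix names our domain and a permitted target."""
    if route.domain != expected_domain.lower():
        return False
    if route.host is None:
        # Assumption: a domain-only prefix asks for no internal host.
        return True
    return route.scheme == "https" and (route.host, route.port) in allow


def basic_auth_user(header_value: str) -> str:
    """Return only the username from an 'Authorization: Basic' value.

    Base64 is an encoding, not protection: the password is recoverable by
    anyone who sees the header, so log the username and drop the rest.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, _password = _b64_text(token.strip()).partition(":")
    if not sep or not user:
        raise ValueError("Basic credential is not user:password")
    return user


if __name__ == "__main__":
    for line in (INITIAL, DISCOVERY):
        route = parse_edge_request(line)
        print(route, is_allowed(route, "ucdemolab.com"))
    print(basic_auth_user("Basic bWR1ZGU6dGhpc3Bhc3N3ZHdpbGxiZXJlc2V0"))
```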


34 No inbound ports required to be opened on the internal firewall.
Internal firewall needs to allow the following outbound connections from Expressway C to Expressway E:
SIP: TCP 7001
Traversal Media: UDP to
XMPP: TCP 7400
HTTPS (tunneled over SSH between C and E): TCP 2222
External firewall needs to allow the following inbound connections to Expressway:
SIP: TCP 5061
HTTPS: TCP 8443
XMPP: TCP 5222
TURN server control and media: UDP 3478 / Media: UDP to 59999

35 X8 scalability improvements require a media port range expansion.
X8 default media Port Range is now UDP –
VCS systems upgraded from X7 to X8 will need to manually update port range, Configuration > Local Zone > Traversal Subzone

36 Important change for existing VCS customers to understand.
X7 release included the ability to configure the Expressway Media demultiplexing RTP port and RTCP port (Configuration Removed in X8).
Upon upgrading to X8 the traversal media ports are automatically migrated to UDP &
Customers will need to coordinate X8 upgrade with firewall port change.
New X8 installs on the Large OVA (or new appliance) will use UDP – 36011, the expanded port range is required to support scalability improvements.

37 HTTPS
Clients supply base64 encoded username and password to authenticate over HTTPS:
Authorization: Basic bWR1ZGU6dGhpc3Bhc3N3ZHdpbGxiZXJlc2V0
Credentials are forwarded to Expressway C and then used to authenticate against UCM, upon determination of the user’s home cluster.
Upon successful authentication, an X-Auth token is provided for future HTTPS requests (8 hour lifetime):
Cookie: X-Auth=7f e61f-483a-8620-ed0b5d3792db
SIP
SIP Digest authentication is used to authenticate the users registering on TCP 5061.
Mutual TLS can be enforced on Expressway E by enabling default zone access rules.

38 No matter which client authentication model is deployed, server authentication is always performed by the remote device, i.e. remote Jabber clients and remote endpoints will always validate the Expressway E Server Certificate presented in the TLS handshake.
Jabber clients will rely on the underlying platform trusted CA list.
TelePresence endpoints will rely on a trusted CA list included in firmware.
No CTL requirement for Edge Server authentication.

39 Expressway E server certificates will need to be signed by a 3rd party Public CA.
Public CA signed certificates allow Jabber clients and endpoints to validate the server certificate without a CTL.
Note: Jabber clients with a CTL will not use the CTL to validate the Expressway certificate.
Expressway C server certificates can be signed by a 3rd party Public CA or Enterprise CA.
Expressway C server certificates need to include an extension allowing for client authentication.
No support for wildcard certificates.
No requirement to include Expressway certs in UCM’s CTL.

40 Set a cluster name (System > Clustering) even when starting with a single node.
Generate server certificate CSR with Common Name set to “FQDN of VCS Cluster”.
Build Traversal Server zone with the “TLS verify subject name” set to “Cluster FQDN”.

41 Maintenance > Security Certificates > Server Certificate Click to load this page ----->

42 Customer’s primary domain is required to be included as a DNS SAN in all Expressway E server certificates.
Primary domain as in example.com or cisco.com or DNS X509v3 Subject Alternative Name: DNS:ucdemolab.com
This domain is used for SRV lookups and extracted from here.
This is a security measure that allows clients to verify connections to edge servers authoritative for their domain (RFC 6125).
This requirement is consistent with existing UCM IM&P XMPP certificate requirements.
Most CAs will allow for this SAN usage, however there may be some resistance from enterprise InfoSec teams.

43 Trusted CA certificates can now be viewed in either a human-readable, decoded format, or in their raw, PEM format!
X8 release will not include the default trusted CA certificate list.
VCS customers upgrading from X7 or prior should consider purging this list.

44 Certificate Type | Expressway C, Expressway E | Comments
Public CA cert chain used to sign Expressway E certificate | ✓ ✓ | Required to establish Traversal Zone connection
Public or Enterprise CA cert chain used to sign Expressway C certificate | ✓ ✓ | Required to establish Traversal Zone connection
UCM Tomcat certificates or CA chain | ✓ | Only required when Expressway C configured to use TLS Verify mode on Unified CM discovery
UCM CallManager certificates or CA chain | ✓ | Only required when UCM is in mixed mode for end to end TLS
UCM IM&P Tomcat certificates or CA chain | ✓ | Only required when Expressway C configured to use TLS Verify mode on IM&P discovery
UCM CAPF certificate(s) | ✓ | Only required when remote endpoints authenticate with LSC certificate


46 Remote access provided by Expressway is, for the most part, transparent to UCM.
Think SIP line integration, versus SIP trunk.
No requirement to build a SIP trunk on UCM to VCS Control or Expressway.
Remote Jabber clients or TelePresence endpoints registering to UCM through Expressway will appear to UCM as the Expressway-C IP address.
No remote access policy mechanism to limit edge access to certain Jabber users or devices.
There will be a COP file made available for UCM 9.1 customers deploying Expressway remote and mobile access in production environments; it shouldn’t be required for labs or POCs.

47 SIP Trunk can interfere with remote registrations
SIP trunk is not required between VCS and UCM for Expressway Remote Access deployment.
However, if UCM has an existing SIP trunk configured for VCS-C, UCM will reject any SIP registration attempts from remote Jabber or TP endpoints, as the register method is not accepted on the UCM SIP trunk interface.
Update the UCM SIP trunk security profile to listen on ports other than TCP 5060 or 5061 (you could use 5560, 5561, etc.).
Port change allows for SIP trunk integration + Expressway remote access.
[Diagram labels: Inside firewall (Intranet), Outside firewall (Public Internet), Internet, DMZ, VCS Expressway, VCS Control, Collaboration Services, Unified CM, H.323 Video Endpoints, SIP Video Endpoints]

48 All Jabber clients connecting via Expressway will use UDS for directory search (assuming UCM IM&P deployment).
TelePresence endpoints always use UDS for directory search.
For the best contact search experience, all Enterprise Users should be imported into every UCM cluster’s end user table.
Home cluster check box needs to be selected on only one cluster for each user.
UCM clusters support 80K end users, and can scale as high as 160K with BU megacluster approval.

49 Tool used to simplify UCM Cluster certificate exchange.
All clusters export TFTP (CallManager), Tomcat, and CAPF certificates to a central SFTP server.
Certificates are consolidated into PKCS12 files.
Consolidated set of certificates is then imported to each publisher.
Cisco Certificate Change Notification Service replicates trusted certificates throughout the cluster.
[Diagram label: SFTP Server]


51 Appliance Support: Existing VCS Appliance; New Offerings (CE 500, CE 1000)
New appliances based on UCS C220 M3
Bare metal – no hypervisor
Fixed configurations for high and low end deployment
Solution for customers with security policies that do not allow VMware in the DMZ
CE500: Single components, 1Gbps interfaces
CE1000: Redundant components, 1 or 10Gbps interfaces
Target FCS Q1 CY2014
Specs Based Virtual Machine Support:
OVA Size | vCPU | Reserved RAM | Disk Space | vNIC(s)
Small | 2 x 1.8 GHz | 4GB | 132GB | 1Gb
Medium | 2 x 2.4 GHz | 6GB | 132GB | 1Gb
Large | 8 x 3.3 GHz | 8GB | 132GB | 10Gb

52 Platform | Server: Proxied Registrations | Server: Video Calls | Server: Audio Only Calls | Cluster: Proxied Registrations | Cluster: Video Calls | Cluster: Audio Only Calls
Large OVA / CE1000 5, ,00020,0002,0004,000
Medium OVA 2, ,
Small OVA (BE6K) 2, N/A
Current VCS Appliance 2, ,


54 No Additional Cost for Virtual Edition
[Diagram labels: UCM 9.1, Expressway C, Expressway E, Internet]

55 Existing VCS X8.1 customers with UCM 9.1+ interested in deploying Remote and Mobile Access
Option #1 – Deploy Expressway (Recommended)
Deploy new Expressway C and E servers on VMware at no cost
Leverage Investment Protection Programs:
Traversal calls purchased on VCS E are converted to Expressway Rich Media Sessions
Non-traversal calls purchased on VCS C are converted to UCL
Remaining H.323 endpoints continue to register to VCS (converted calls remain)
Option #2 – Use existing VCS X8.1 deployment (Transitional)
Enable “Remote and Mobile Access” on VCS
License consumption based off of existing VCS licensing structure (e.g. traversal and non traversal calls)
Scale capacities are based on documented VCS capabilities for appliance and virtual VCS
Only applies to existing VCS customers
Over long term, it is recommended that customers migrate to Expressway

56 VCS-E / VCS-C: B2B Video SIP & H.323 (inbound & outbound); Cisco Jabber Video for TelePresence Registration; Cisco TelePresence Endpoints (TC) Registration; WebEx Enabled TelePresence (outbound)
Expressway E / Expressway C with UCM (Collaboration Services): Cisco Jabber Registration; Cisco TelePresence Endpoints (TC) Registration; Jabber Guest (inbound); B2B Video SIP & H.323 (inbound & outbound); WebEx Enabled TelePresence (outbound)
Add _collab-edge SRV to Public DNS
Deploy Jabber Guest
Update _sip, _sips, _h323 SRV records to resolve to Expressway E
Trunk MCU to UCM or Expressway C


58 Issue | MSFT claim | Cisco Position
Cost | It’s free | Attack: There are significant acquisition costs for MSFT Edge architecture (as much as $20-40K). These costs include servers, load-balancers, server software, etc. Cisco has included Collaboration Edge functionality in UCL enhanced, CUWL Standard and CUWL Pro for UCM 9.1 and above
Adoption of H.264 SVC | Everything else is legacy | Attack: SVC is a small piece of the puzzle. MSFT can’t talk to existing technology without Cisco. Any IT strategy which introduces new technology should always include a plan for interop.
VPN-less architecture | No need for clunky old VPN. Cisco doesn’t get it – they just want to sell you network. | Attack: Don’t concede this point. First, VPN has applicability, and should be used in certain cases. Second, Cisco has had a TLS based architecture for this application since about
Mobile Support | supports Windows Phone, iOS, and Android devices – IM, “Lync call” and “one touch” Lync meeting | Neutralize: Jabber leverages common call control, video codec, and cross-platform libraries to create consistent collaboration features on all its platforms.
Alpha-numeric URI | …rather than an [old] phone number | Neutralize: UCM and Expressway are fully alpha-numeric compatible
SSO w/AD | | Neutralize: SAML-based SSO mandated across all CTG infrastructure. See roadmap
Federation w/Skype | Lync presence, IM, and peer-to-peer voice w/Skype users | Neutralize: No video support. Also, interop requires potentially costly 3rd party provider.

59 Mobile Collaboration and Jabber C Design Session, November 2013

60 UC/video sessions into businesses … from desktop browsers, mobile clients
Initiate from public web sites, mobile applications & URLs, e.g.
Calls to individual employees, remote experts / customer care
SDKs for Web & mobile app integration
Release planned for Q4CY13/Q1CY14
* Images for illustration purpose only. Final UI subject to change.

61 Via Jabber SDK today: PROOF of CONCEPT … Web version of Jabber for enterprise users
NEW PRODUCT – Jabber Guest … Jabber for public to enterprise calls from desktop browsers & mobile devices
[Diagram label: Enterprise Users]

62 Jabber Guest connects consumers and other non-Cisco telephony users with Cisco enterprise registered users via simple browser & mobile voice and video.
** TRIAL AVAILABLE TODAY ** Currently in Beta, available from Collaboration User Group (CUG) … details in slide notes
[Diagram labels: Guest/Public User, Enterprise User]

63 Point to Point Video
Point to Video Conference
Pre-Call video preview
Mid-Call control: Keypad, Mute Audio/Video, Full-Screen, Camera/Audio device selection, Self-View
SDKs to embed app in business applications (desktop Web & mobile native applications)
WebRTC-compatible call control
For media, browser plugin (desktop Web) & native apps (mobile)
Future – WebRTC for media
URI or DN
[Screenshot from Beta App]


65 Required Components
End-User: Desktop Browser or Mobile Application
Enterprise DMZ: Cisco Expressway X8.1
Enterprise Network: Jabber Guest Virtual Machine; Cisco Expressway X8.1; Cisco UC Manager, Registered Endpoints; Optional: MCU
[Diagram labels: Guest/Consumer Experience, Real-Time Expert Help]

66 Jabber Guest …
Serves up JavaScript call control based on URL
For mobile, Cisco app from app store or integrated into 3rd-party app
For laptop browsers, initiates H.264 plugin install as needed for Cisco or 3rd-party Web app
Converts HTTP call request to SIP INVITE
Diagram labels: Home, Internet, DMZ, Enterprise; Expressway Edge, Expressway Core, Jabber Guest, CUCM; HTTP-based call control (ROAP), SIP, RTP/SRTP, STUN/TURN
* Expressway X8.1 or later required
Reverse Proxy integrated for X8.1

67 Subject to Change
Client: Mobile – iPhone, iPad (in App Store); Web – Windows (IE, Chrome, Firefox), plugin; Web – Mac (Safari, Chrome, Firefox), plugin; Call initiation via Web links; Video call to CUCM endpoints (or VCS endpoints via CUCM-VCS SIP trunk); Firewall/NAT traversal via Collaboration Edge X8.1, TURN & reverse proxy; In-call: Mute, DTMF, Video Start/Stop, Full Screen, End; Far-end transfers, forwards; Audio-only mode; Pre-call confirmation page with video preview; Audio/video device selection; Video bridge support; Bandwidth & CPU adaptation; Web app “white list” security; Problem reporting; SRTP, HTTPS call control; H.264 AVC, G.722.1, G.711, G.729; Localizations; Accessibility (basic)
SDK: iOS – with sample app code; Web – with widget; REST API on server for link management
Server: Virtual machine (OVA) with Web server; HTTP-to-SIP gateway; Administration interface, including link management; Clustering, redundancy; Collaboration Edge X8.1 integration; CTX interoperability, including meeting DN support
Solution: Remote Expert 1.9; SPT 1.3
NOTE: Android app and SDK targeted for release in MR1 … available sooner in beta

68 Subject to Change
Desktop Browser Support: Currently in EAP … purpose-built client & SDK; Chrome 18+, Firefox 10+, IE 8+ (32-bit only, IE 11 TBD) – Windows Vista+; Chrome 18+, Firefox 10+, Safari 5+ – Mac OS X 10.7 and later
Mobile Native Support: September 2013 – iOS & Android clients added to EAP; Purpose-built Jabber Guest mobile clients; November 2013 – iOS & Android SDKs to EAP; 10.0 FCS: iOS ... iPhone 4S or later, iPad 2 or later … iOS 6.1 or later; Android FCS 10.x: Q1 CY14 ... Samsung S4/S3/S2, Note II … Android 4.0+
Jabber Guest Virtual Machine (OVA) *: RAM: 3GB; CPU: 2 logical CPUs with 1 core per CPU; Storage: 100GB; OS: Centos bit. CPU and memory resource allocation are not defined, and are set to default values at the time of deployment.
* Subject to change pending final performance testing.
Cisco Expressway X8.1
Cisco Unified Communications Manager: Targeting 8.6 or later … worst case 9.x or later

69 User Experience
Desktop Browser SDK: Sample HTML & JavaScript provided to create video widget and set up event handler
Mobile Native Application SDK: iOS, Android
Easily embed Jabber Guest functionality into any web-based or mobile application for a rich video experience

70 Administrator configured URL
URL string, call destination, caller name, callee name, active time, etc.
Some examples: URI Dialling: 8-Digit DN: Custom:
Server-side RESTful API for programmatic URL management
Administrator may configure URL structure for desktop browser as well as mobile
“Ad-hoc” calling may be used for a more open approach

71 Remote Expert & Jabber Guest …
Video on Hold via MediaSense
Wide variety of remote users catered for using Jabber Guest
Rich Video experience, including HD
UC System 10.0
Diagram labels: Home, Internet, DMZ, Enterprise; Expressway Edge, Expressway Core, Jabber Guest
Reverse Proxy integrated for X8.1

73 Cisco Expressway is the evolution of VCS, specifically targeting UCM (9.1+) customers
Cisco Expressway bridges the gap between the internet and UCM, delivering: VPN-less access for Jabber; B2B Video; Jabber Guest; WebEx Enabled TelePresence
The two biggest deployment challenges will likely be DNS and certificates … understand the solution requirements and begin working through these sooner rather than later with your customers
Jabber Guest provides easy B2B and B2C deployments

74 Thank you.

