Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cisco Expressway Design Session Cisco’s Collaboration Edge Architecture Alejandro Rodriguez Collaboration Systems Engineer Nov 20, 2013.

Similar presentations


Presentation on theme: "Cisco Expressway Design Session Cisco’s Collaboration Edge Architecture Alejandro Rodriguez Collaboration Systems Engineer Nov 20, 2013."— Presentation transcript:

1 Cisco Expressway Design Session Cisco’s Collaboration Edge Architecture
Alejandro Rodriguez Collaboration Systems Engineer Nov 20, 2013

2 Agenda Product Naming & Positioning Solution Overview
Deployment Considerations Expressway Setup Security Considerations UCM Requirements Platform Choices & Scale Licensing & Migration Competitive Landscape

3 Product Naming & Positioning

4 Terminology Decode Collaboration Edge: umbrella term describing Cisco’s entire collaboration architecture for edge ... features and services that help bridge islands to enable any to any collaboration… …collaborate with anyone anywhere, on any device…. Collaboration Edge Architecture Core Products include Cisco Expressway CUBE TDM & Analog Gateways SRST Is Jabber VPN-less access Collab Edge? the Collaboration Edge architecture includes VPN-less access for Jabber this capability is enabled by the Cisco Expressway product specifically labeled “remote and mobile access” at the feature level delivered in the X8.1 software release

5 Cisco Collaboration Edge Architecture Summary
Empower the workforce with in-office collaboration anywhere to anyone on any device Voice, Video, Messaging, Content Use Cisco’s simplified, secure deployments Easy for the end-user Easy for IT Design your network to leave no one behind Open, standards-based Accommodate legacy systems and endpoints Video IM&P Experienced & Proven 7K+ customers deployed Cisco SIP trunking in 160 countries 15K+ customers deployed Cisco B2B & remote worker video solutions Market Share Leader: SBCl, TDM gateway & video edge solutions Architectural Flexibility Most comprehensive suite of solutions for any to any collaboration Scale from smallest to largest solutions/sites Supports all SIP trunk architectures with elegant path to SIP trunking Open standards-based interoperability Secure Execution Technology Leadership in standards forums Go-to-market and partner capabilities Voice Content © Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5

6 X8 Product Line Options X8.1 VCS Expressway
Specialized video applications for video-only customer base (GK, SIP Proxy, interworking, traversal) For customers that require endpoints to register to VCS Gateway 3rd party UC solutions (Lync, Polycom) Solution designed for and sold exclusively with UCM 9.1 and above Remote and mobile access for Jabber and fixed endpoints B2B Video and Audio for UC customers Jabber Guest Gateway 3rd party UC solutions (Lync, Polycom) VCS New Offering Expressway “VCS Control” No Change “VCS Expressway” No Change “Expressway C” Or Core “Expressway E” Or Edge

7 Deployment Simplification
UCM with IM&P Expressway Internet B2B HCS JabberG Remote & Mobile Registration to UCM IM&P Video and Audio Federation H.323 3rd party Interoperability Any-to-Any Interoperability, Remote and Mobile Access, Video Applications Core Call Control & Endpoint Registration One Multiparty Deployment Model* * roadmap

8 Cisco Expressway Use Cases
Business to Business Secure communications with partners, customers & suppliers over the internet Open, DNS-based URI dialing Consumer to Business Integrated customer relationships re-imagined Jabber Guest Cloud Services Enterprise flexibility and scalability WebEx and TelePresence Together, Service Provider Offerings Remote and Mobile Worker Access Consistent user experience outside the corporate network Jabber Mobile, Desktop & TelePresence Endpoints Legacy & 3rd Party Interoperability Investment Protection and return on investment IP4 to IP6, H.323-SIP, Standards-based 3rd Party Video People want to collaboration from anywhere, with anyone using the workload they need and the device they want in a simple and secure way. These actions should be as simple as a phone call or as secure as sending an . Yet today, rich media collaboration is not universal, and found only within islands. For example, typically, rich media collaboration is confined to an enterprise location or to users on the same network or using the same kind of application and/or device. Rich media collaboration often breaks down when employees leave their office or reach out to suppliers, customers or partners who are not using the same systems, networks or devices. Complicating things further is the number of devices (company and employee-owned). Key barriers are: Usability – the technology must be intuitive and simple for end-users Incompatible or proprietary systems, applications and/or endpoints Security and deploy-ability – must be secure and cost-effective to deploy These barriers force people to collaborate at a lower or the lowest common denominator like, using a phone or , despite video or another collaboration mode being more productive and efficient. The opportunity to gain competitive advantages in todays’ challenging economy from stronger, deeper relationships and faster decision making can be lost. What is Cisco Collaboration Edge Architecture? Cisco Collaboration Edge Architecture is a set of features and services that helps enable any to any collaboration. It lays the foundation for our customers, no matter what their size, to collaborate with anyone anywhere, on any device using any workload. Its success relies on simplicity, security and open standards/interoperability to break down barriers between these islands. The Collaboration Edge Architecture supports a broad set of use cases: Remote and Mobile Worker Collaboration – extends and simplifies collaboration outside the corporate network for remote and mobile workers. Allows them to securely collaborate like they are in the office on any device anywhere, without requiring a separate VPN client and connection from your device to the network B2B and B2C Collaboration – borderless rich media collaboration with outside organizations & consumers IP PSTN & PSTN Connectivity - communicate with anyone via service provider TDM or SIP trunking Intra-Enterprise Connectivity –extend collaboration services within the enterprise to users on PBXs, IP PBXs and 3rd party devices – even analog devices Cloud Connectivity – seamlessly connect to the cloud and enjoy all of the “any to any” benefits of Cisco premise-based solutions These use cases are enabled by products throughout our portfolio to provide the best user experiences and the broadest reach. Products include Cisco Gateways, Cisco Expressway, capabilities within Cisco Unified Communications Manager and Cisco Business Edition , Cisco Unified Border Element (CUBE) to name a few. Cisco Unified Communications Manager Seamless User Experiences Simple, Secure Access No One Left Behind

9 Cisco Jabber Remote Access Options
Layer 3 VPN Solution Secures the entire device and it’s contents AnyConnect allows users access to any permitted applications & data Unified CM & applications AnyConnect VPN New Offering Session-based firewall traversal Allows access to collaboration applications ONLY Personal data not routed through enterprise network Expressway Firewall Traversal

10 Product Positioning – Major Edge Solutions
Device Service Category Type of Service Service Delivery Primary Competitor Product Position Remote and Mobile Line: Audio, Video, Directory Search, Visual Voic , Content Share Internet or Private MSFT Expressway (X8.1) Remote Fixed Line: Audio, Video, Directory Search, Content Share Polycom Line: Audio HCS ACME CUBE IPSec or TLS Proxy VPN Phone, CVO, CUBE PSTN Trunk: Audio Private SIP Trunk Video Trunk: Video, Conferencing Expressway or CUBE Line: Audio, Video, Directory Search, CTI/QBE AnyConnect (today) Expressway (CY14 roadmap) Jabber TelePresence 69XX, 7XXX, 89XX, 99XX SIP Trunk DX 650

11 Solution Overview

12 How Expressway Traversal Works…
Enterprise Network DMZ Outside Network Internet UCM Expressway C Firewall Expressway E Firewall Signaling Media Expressway E is the traversal server installed in DMZ. Expressway C is the traversal client installed inside the enterprise network. Expressway C initiates traversal connections outbound through the firewall to specific ports on Expressway E with secure login credentials. Once the connection has been established, Expressway C sends keep-alive packets to Expressway E to maintain the connection When Expressway E receives an incoming call, it issues an incoming call request to Expressway C. Expressway C then routes the call to UCM to reach the called user or endpoint The call is established and media traverses the firewall securely over an existing traversal connection

13 X8.1 Firewall Traversal Capabilities Expanded
The X8.1 release delivers 3 key capabilities enabling the Expressway Remote and Mobile Access Feature XCP Router for XMPP traffic HTTPS Reverse proxy Proxy SIP registrations to UCM (details on new firewall port requirements covered later)

14 What can a Jabber client do with Expressway
What can a Jabber client do with Expressway? A fully featured client outside the network Access visual voic Inside firewall (Intranet) DMZ Outside firewall (Public Internet) Collaboration Services Internet Instant Message and Presence Unified CM Expressway C Expressway E Make voice and video calls Launch a web conference Share content Search corporate directory

15 UCM provides call control for both mobile and on-premise endpoints
Media Path Summary Media Traversal “C” calls “A” on-premise Expressway solution provides firewall traversal for media Expressway C de-multiplexes media and forwards toward “A” UCM provides call control for both mobile and on-premise endpoints B Inside firewall (Intranet) DMZ Outside firewall Media Relay “C” calls “B” off-premise Media is relayed via Expressway C Collaboration Services Internet C UCM Expressway C Expressway E Optimized Media (roadmap ICE support) “B” calls “D” off-premise Both “B” and “D” are ICE-enabled STUN binding success Media flows are optimized between endpoints ICE support (roadmap) allows for optimized media and also the usage of the TURN server on Expressway E, which is the last resort for ICE candidate negotiations SIGNALING D MEDIA A

16 Solution Components: software version requirements
Cisco Expressway X8.1 (Dec 2013) Cisco Unified CM 9.1+ Cisco Jabber 9.6 Cisco TelePresence TC 7.0 Note: No support for Cisco Unified CM 8.6 ICE (STUN/TURN) support not included in Cisco Unified CM 10.0, on roadmap for 10.5

17 Expressway & Service Discovery
Cisco Jabber Client DNS SRV lookup _cisco-uds._tcp.example.com Inside firewall (Intranet) DMZ Outside firewall (Public Internet) Not Found Collaboration Services DNS SRV lookup _collab-edge._tls.example.com Public DNS UCM expwyNYC.example.com Expressway C Expressway E TLS Handshake, trusted certificate verification HTTPS: get_edge_config?service_name=_cisco-uds&service_name=_cuplogin

18 Deployment Considerations

19 Protocol Workload Summary
Inside firewall (Intranet) DMZ Outside firewall (Public Internet) Protocol Security Service SIP TLS Session Establishment – Register, Invite, etc. via UCM Media SRTP Audio, Video, Content Share, Advanced Control (RTP/SRTP, BFCP, iX/XCCP) HTTPS Logon, Provisioning/Configuration, Contact Search, Visual Voic XMPP Instant Messaging, Presence Collaboration Services Internet Unified CM IM&P Conference Resources Other UC Infrastructure & Resources Unified CM Expressway C Expressway E No traversal support for CTI/QBE, CAPF certificate enrollment

20 Hybrid Deployment - Cloud based IM&P
Inside firewall (Intranet) DMZ Outside firewall (Public Internet) Protocol Security Service SIP TLS Session Establishment – Register, Invite, etc. via UCM Media SRTP Audio, Video, Content Share, Advanced Control (RTP/SRTP, BFCP, iX/XCCP) HTTPS Logon, Provisioning/Configuration, Contact Search, Visual Voic XMPP Instant Messaging, Presence Collaboration Services Internet Conference Resources Other UC Infrastructure & Resources Unified CM Expressway C Expressway E webex Messenger

21 Contact Search Considerations (Cloud based IM&P)
Jabber allows for multiple contact source integrations LDAP Directory sync provides corporate directory to UCM Corporate directory is also exported to WebEx Messenger cloud All Jabber clients will use WebEx Messenger cloud as a contact source for contact search Inside firewall (Intranet) DMZ Outside firewall (Public Internet) Collaboration Services Internet Unified CM Expressway C Expressway E sync webex Messenger LDAP

22 Contact Search Considerations (on-premise IM&P)
Jabber allows for multiple contact source integrations LDAP Directory sync provides corporate directory to UCM User Data Services (UDS) is a UCM RESTful API allowing for contact search, among other things All Jabber clients connecting via Expressway will use UDS for contact search Jabber clients deployed on- premise will use LDAP for directory search Jabber clients will automatically use UDS for directory search when connecting via Expressway The entire corporate directory needs to be sync’d on every UCM cluster for best contact search experience Inside firewall (Intranet) DMZ Outside firewall (Public Internet) UDS Collaboration Services Internet Unified CM Expressway C Expressway E sync UDS Scale limitations Limit of 80K end users in standard UCM database (no hard enforcement within the application) 160K w/ BU megacluster team approval EDI/BDI LDAP

23 Expressway Clustering, 4+2
Cluster Expressways for scale and redundancy Expressway Clusters support up to 6 peers Expressway E and C node types cannot be mixed in the same cluster Deploy equal number of peers in Expressway C and E clusters Deploy same OVA sizes throughout cluster Expressway remote access is limited to one customer domain per cluster However customers can deploy multiple clusters for the same customer domain

24 Unsupported: Unbalanced Expressway Deployments
This model is still supported for traditional VCS Expressway deployments But this is not supported for the new remote and mobile access functionality introduced in X8.1 Expressway X8.1remote access requires a Expressway C cluster for each Expressway E cluster Only one “Remote & Mobile Access” enabled Traversal zone per cluster Inside firewall (Intranet) DMZ Outside firewall (Public Internet) Collaboration Services Unified CM Expressway C Expressway E Cluster A Internet Expressway E Cluster B

25 Unsupported: Expressway Chained Traversal
This deployment model is often used in environments with heightened security policies This model is still supported for traditional VCS deployments, or Expressway deployments do not require the remote and mobile access feature But this is not supported for the new remote and mobile access functionality introduced in X8.1 Only one “Remote & Mobile Access” enabled Traversal zone per cluster Inside firewall (Intranet) DMZ B DMZ A Outside firewall (Public Internet) Collaboration Services Internet Unified CM Expressway C Traversal Client Expressway C/E Traversal Server & Traversal Client Expressway E Traversal Server

26 DNS SRV Records _collab-edge record needs to be available in Public DNS Multiple records can be used to allow for HA A GEO DNS service can be used to provide unique DNS responses by geographic region _cisco-uds record needs be available only on internal DNS (available to Expressway C) _collab-edge._tls.example.com. SRV expwy1.example.com. _collab-edge._tls.example.com. SRV expwy2.example.com. _cisco-uds._tcp.example.com. SRV ucm1.example.com. _cisco-uds._tcp.example.com. SRV ucm2.example.com.

27 Global Deployment Topology & Geo DNS
DNS SRV lookup _collab-edge._tls.example.com Geo DNS expwy.jp.example.com expwy.us.example.com US Europe Asia SIP Trunk SIP Line Expressway Traversal expwy.uk.example.com Expressway edge access Asia SME SME global aggregation EU SME US SME Geo DNS provides DNS responses based upon src ip address No option for remote access session aggregation at SME layer UCM regional clusters RTP SJC PAR LON TKY BGL DFW AMS HKG

28 Expressway Setup

29 Expressway Configuration Summary
Enable Remote & Mobile Access feature toggle, Configuration > Unified Communications Provide a single IM&P Publisher address and supply admin credentials to discover all IM&P nodes deployed across the Enterprise Provide UCM Publisher address and supply admin credentials for each UCM cluster Expressway C connects to each Publisher and discovers all cluster nodes Neighbor Zone auto-generated for each UCM node Search Rules auto-generated for each UCM node Add the customer domain as type Unified CM Generate certificate signing requests and procure CA signed certs Configure Traversal Zone with Remote & Mobile Access feature enabled

30 Unified Communications Configuration

31 Allowed Reverse Proxy Traffic
Expressway E server will be listening on TCP 8443 for HTTPS traffic Basic remote & mobile access configuration allows inbound authenticated HTTPS requests to the following destinations on the enterprise network All discovered UCM nodes TCP 6970 (TFTP file requests) & TCP 8443 (UDS API) All discovered IM&P nodes TCP 7400 (XCP Router) & TCP (SOAP API) HTTPS traffic to any additional hosts need to be administratively added to the allow list Provides a mechanism to support Visual Voice Mail access, contact photo retrieval, Jabber custom tabs, etc.

32 Reverse proxy usage Initial get_edge_config and internal SRV record request (decrypted) GET /dWNkZW1vbGFiLmNvbQ/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1 Authorization: Basic bWR1ZGU6dGhpc3Bhc3N3ZHdpbGxiZXJlc2V0 Host: collabedge1e.ucdemolab.com:8443 Accept: */* User-Agent: Jabber-Win-472 Base64 encoded credentials Base64 decode = ucdemolab.com Subsequent home cluster discovery request (decrypted) GET /dWNkZW1vbGFiLmNvbS9odHRwcy9jdWNtLXB1Yi51Y2RlbW9sYWIuY29tLzg0NDM/cucm-uds/clusterUser?username=mdude HTTP/1.1 Host: collabedge1e.ucdemolab.com:8443 Accept: */* Cookie: X-Auth=7f e61f-483a-8620-ed0b5d3792db User-Agent: Jabber-Win-472 X-Auth token Base64 decode = ucdemolab.com/https/cucm-pub.ucdemolab.com/8443 Not a general purpose reverse proxy, intended for Cisco clients only!

33 Security Considerations

34 Firewall Port Details No inbound ports required to be opened on the internal firewall Internal firewall needs to allow the following outbound connections from Expressway C to Expressway E SIP: TCP 7001 Traversal Media: UDP to 36011 XMPP: TCP 7400 HTTPS (tunneled over SSH between C and E): TCP 2222 External firewall needs to allow the following inbound connections to Expressway SIP: TCP 5061 HTTPS:  TCP 8443 XMPP: TCP 5222 TURN server control and media: UDP 3478 / Media: UDP to 59999

35 Media Port Range Expansion
X8 scalability improvements require a media port range expansion X8 default media Port Range is now UDP – 59999 VCS systems upgraded from X7 to X8 will need to manually update port range, Configuration > Local Zone > Traversal Subzone

36 Traversal Media Port Changes
Important change for existing VCS customers to understand X7 release included the ability to configure the Expressway Media demultiplexing RTP port and RTCP port Upon upgrading to X8 the traversal media ports are automatically migrated to UDP & 36001 Customers will need to coordinate X8 upgrade with firewall port change New X8 installs on the Large OVA (or new appliance) will use UDP – 36011, the expanded port range is required to support scalability improvements Configuration Removed in X8

37 Client Authentication at the Edge
HTTPS Clients supplies base64 encoded username and password to authenticate over HTTPS Authorization: Basic bWR1ZGU6dGhpc3Bhc3N3ZHdpbGxiZXJlc2V0 Credentials are forwarded to Expressway C and then used to authenticate against UCM, upon determination of the user’s home cluster Upon successful authentication, X-Auth token provided for future HTTPS requests (8 hour lifetime) Cookie: X-Auth=7f e61f-483a-8620-ed0b5d3792db SIP SIP Digest authentication used to authenticate the users registering on tcp 5061 Mutual TLS can be enforced on Expressway E by enabling default zone access rules Only client certificate option is LSC from CAPF service on UCM Publisher LSC enrollment with CAPF is not supported over Expressway traversal

38 Edge Server Authentication
No matter which client authentication model is deployed, server authentication is always performed by the remote device i.e. remote Jabber clients and remote endpoints will always validate the Expressway E Server Certificate presented in the TLS handshake Jabber Clients will rely on the underlying platform trusted CA list TelePresence Endpoints will rely on a trusted CA list included in firmware No CTL requirement for Edge Server authentication

39 Expressway E Server Certificates
Expressway C Server Certificates Expressway E Server Certificates will need to be signed by 3rd party Public CA Public CA signed certificates allow Jabber clients and endpoints to validate the server certificate without a CTL Note: Jabber clients with a CTL will not use the CTL to validate Expressway certificate Expressway C server certificates can be signed by 3rd party Public CA or Enterprise CA Expressway C server certificates need to include an extension allowing for client authentication No support for wildcard certificates No requirement to include Expressway certs in UCM’s CTL X.509v3

40 Expressway Certs and Clustering
Set a cluster name (System > Clustering) even when starting with a single node Generate server certificate CSR with Common Name set to “FQDN of VCS Cluster” Build Traversal Server zone with the “TLS verify subject name” set to “Cluster FQDN”

41 Expressway Certificate Signing Request (CSR)
Maintenance > Security Certificates > Server Certificate Click to load this page ----->

42 Subject Alternative Name (SAN) requirements
Customer’s primary domain required to be included as a DNS SAN in all Expressway E server certificates Primary domain as in example.com or cisco.com or DNS X509v3 Subject Alternative Name: DNS:ucdemolab.com This domain is used for SRV lookups and extracted from here This is a security measure that allows clients to verify connections to edge servers authoritative for their domain (RFC 6125) This requirement is consistent with existing UCM IM&P XMPP certificate requirements Most CAs will allow for this SAN usage, however there may be some resistance from enterprise InfoSec teams

43 Expressway Trusted CA Certificates
Trusted CA certificates can now be viewed in either a human-readable, decoded format, or in their raw, PEM format! X8 release will not include the default trusted CA certificate list VCS customers upgrading from X7 or prior should consider purging this list

44 Expressway Trusted CA Certificates
Certificate Type Expressway C Expressway E Comments Public CA cert chain used to sign Expressway E certificate Required to establish Traversal Zone connection Public or Enterprise CA cert chain used to sign Expressway C certificate UCM Tomcat certificates or CA chain Only required when Expressway C configured to use TLS Verify mode on Unified CM discovery UCM CallManager certificates or CA chain Only required when UCM is in mixed mode for end to end TLS UCM IM&P Tomcat certificates or CA chain Only required when Expressway C configured to use TLS Verify mode on IM&P discovery UCM CAPF certificate(s) Only required when remote endpoints authenticate with LSC certificate

45 UCM Requirements

46 Expressway Remote Access from UCM Perspective
Remote access provided by Expressway is, for the most part, transparent to UCM Think SIP line integration, versus SIP trunk No requirement to build a SIP trunk on UCM to VCS Control or Expressway Remote Jabber clients or TelePresence Endpoints registering to UCM through Expressway will appear to UCM as Expressway-C IP address No remote access policy mechanism to limit edge access to certain Jabber users or devices There will be a COP file made available for UCM 9.1 customers deploying Expressway remote and mobile access in production environments, shouldn’t be required for labs or POCs

47 Interaction with existing VCS-C --- SIP trunk --- UCM
SIP Trunk can interfere with remote registrations SIP trunk is not required between VCS and UCM for Expressway Remote Access deployment However, if UCM has an existing SIP trunk configured for VCS-C, UCM will reject any SIP registration attempts from remote Jabber or TP endpoints, as the register method is not accepted on UCM SIP trunk interface Update UCM SIP trunk security profile to listen on ports other than TCP 5060 or (you could use 5560, 5561, etc.) Port change allows for SIP trunk integration + Expressway remote access Inside firewall (Intranet) DMZ Outside firewall (Public Internet) Collaboration Services Internet Unified CM VCS Control VCS Expressway SIP Video Endpoints H.323 Video Endpoints

48 UDS Directory Search All Jabber clients connecting via Expressway will use UDS for directory search (assuming UCM IM&P deployment) TelePresence endpoints always use UDS for directory search For the best contact search experience, all Enterprise Users should be imported into every UCM cluster’s end user table Home cluster check box needs to be selected on only one cluster for each user UCM clusters support 80K end users, and can scale as high as 160K with BU megacluster approval

49 UCM Bulk Certificate Management
Tool used to simplify UCM Cluster certificate exchange All Clusters export TFTP (CallManager), Tomcat, and CAPF certificates to central SFTP server Certificates are consolidated into PKCS12 files Consolidated set of certificates are then imported to each publisher Cisco Certificate Change Notification Service replicates trusted certificates throughout the cluster Export: This step creates a PKCS12 file that contains certificates for all nodes in the cluster. Every participating cluster must export certificates to the same SFTP server and SFTP directory. A cluster must export its certificates whenever the Tomcat, TFTP, CAPF certificate(s) are regenerated on any of its nodes. Consolidate: This step consolidates all PKCS12 files in the SFTP server to form a single file. Only one of the participating clusters needs to perform consolidation. If new certificates are exported after they are consolidated, consolidation needs to be performed again to pick up the newly exported certificates. Import: This step imports the consolidated PKCS12 files from the SFTP server into the local cluster. All clusters should re-import when any participating cluster makes an export. Perform import after a central administrator consolidates the certificates. SFTP Server

50 Expressway Platform Options + Scale

51 New Compute Platforms for X8
Specs Based Virtual Machine Support Appliance Support Existing VCS Appliance CE 500 CE 1000 OVA Size vCPU Reserved RAM Disk Space vNIC(s) Small 2 x 1.8 GHz 4GB 132GB 1Gb Medium 2 x 2.4 GHz 6GB Large 8 x 3.3 GHz 8GB 10Gb New Offerings New appliances based on UCS C220 M3 Bare metal – no hypervisor Fixed configurations for high and low end deployment Solution for customers with security policies that do not allow VMware in the DMZ CE500 Single components, 1Gbps interfaces CE1000 Redundant components, 1 or 10Gbps interfaces Target FCS Q1 CY2014

52 Expressway X8 Scalability Targets
Server Cluster Platform Proxied Registrations Video Calls Audio Only Calls Large OVA / CE1000 5,000 500 1,000 20,000 2,000 4,000 Medium OVA 2,500 100 200 10,000 400 800 Small OVA (BE6K) N/A Current VCS Appliance

53 Licensing + Migration

54 How will all of this be licensed?
Fixed and Mobile Users at no additional cost Mobile and Fixed Endpoint registration IM & Presence Video and Audio Media Sessions No Cost with UCM 9.x No Additional Cost for Virtual Edition Expressway C Expressway E Internet UCM 9.1 Business to Business – Concurrent Sessions Business to Business Video and Audio Media Sessions Expressway Rich Media Session $1500 a la carte

55 Existing VCS Customers and Expressway
Existing VCS X8.1 customers with UCM 9.1+ Interested in deploying Remote and Mobile Access Option #1 – Deploy Expressway (Recommended) Deploy new Expressway C and E servers on VMware at no cost Leverage Investment Protection Programs: Traversal calls purchased on VCS E are converted to Expressway Rich Medial Sessions Non-traversal calls purchased on VCS C are converted to UCL Remaining H.323 endpoints continue to register to VCS (converted calls remain) Option #2 Use existing VCS X8.1 deployment (Transitional) Enable “Remote and Mobile Access” on VCS License consumption based off of existing VCS licensing structure (e.g. traversal and non traversal calls) Scale capacities are based on documented VCS capabilities for appliance and virtual VCS Only applies to existing VCS customers Over long term, it is recommended that customers migrate to Expressway Remote & Mobile access for Jabber and TP endpoints (registering to UCM) available on VCS product line on a trial basis No option key required to enable this feature Provides existing customers ability to trial new feature on existing infrastructure Customers encouraged to deploy Expressway for production deployments Future VCS software release will remove this trial feature capability

56 Migrating Services from VCS to Expressway
Add _collab-edge SRV to Public DNS Update _sip, _sips, _h323 SRV records to resolve to Expressway E Deploy Jabber Guest Trunk MCU to UCM or Expressway C B2B Video SIP & H.323 (inbound & outbound) Cisco Jabber Video for TelePresence Registration Cisco TelePresence Endpoints (TC) Registration WebEx Enabled TelePresence (outbound) Collaboration Services UCM VCS-C VCS-E Cisco Jabber Registration Cisco TelePresence Endpoints (TC) Registration Jabber Guest (inbound) B2B Video SIP & H.323 (inbound & outbound) WebEx Enabled TelePresence (outbound) Expressway C Expressway E

57 Competitive Landscape

58 Competitive Positioning: MSFT Lync 2013
Issue MSFT claim Cisco Position Cost It’s free Attack: There are significant acquisition costs for MSFT Edge architecture (as much as $20-40K). These costs include servers, load-balancers, server software, etc. Cisco has included Collaboration Edge functionality in UCL enhanced, CUWL Standard and CUWL Pro for UCM 9.1 and above Adoption of H.264 SVC Everything else is legacy Attack: SVC is a small piece of the puzzle. MSFT can’t talk to existing technology without Cisco. Any IT strategy which introduces new technology should always include a plan for interop. VPN-less architecture No need for clunky old VPN. Cisco doesn’t get it – they just want to sell you network. Attack: Don’t concede this point. First VPN has applicability, and should be used in certain cases. Second, Cisco has had a TLS based architecture for this application since about 2007. Mobile Support supports Windows Phone, iOS, and Android devices – IM, “Lync call” and “one touch” Lync meeting Neutralize: Jabber leverages common call control, video codec, and cross-platform libraries to create consistent collaboration features on all it’s platforms. Alpha-numeric URI …rather than an [old] phone number Neutralize: UCM and Expressway are fully alpha-numeric compatible SSO w/AD Neutralize: SAML-based SSO mandated across all CTG infrastructure. See roadmap Federation w/Skype Lync presence, IM, and peer-to-peer voice w/Skype users Neutralize: No video support. Also, interop requires potentially costly 3rd party provider.

59 Cisco Jabber Guest (Project Name: JabberC)
November 2013

60 Jabber Guest – Public-to-Enterprise Communications
UC/video sessions into businesses … from desktop browsers, mobile clients Initiate from public web sites, mobile applications & URLs, e.g. Calls to individual employees, remote experts / customer care SDKs for Web & mobile app integration Release planned for Q4CY13/Q1CY14 * Images for illustration purpose only. Final UI subject to change.

61 Cisco Jabber: Leading User Experience Across Broadest Range of Platforms, Devices … Enterprise & Guest Users Desktop Tablet Smartphone Web NEW PRODUCT – Jabber Guest … Jabber for public to enterprise calls from desktop browsers & mobile devices PROOF of CONCEPT … Web version of Jabber for enterprise users Enterprise Users No support for VCS registered end-points Another unique differentiator of Jabber is that it works on such a broad range of platforms, browsers, and devices. You get broad capabilities and a consistent experience across leading platforms and devices, including PCs, Macs, tablets (e.g. iPad, Cius) and smart phones (iPhone, Android, Blackberry). You get a rich collaboration experience from anywhere and can choose when, how, and on what device to interact. People want flexibility in how they work with a user experience that is intuitive, uncomplicated and consistent across devices. Cisco believes this is accomplished only with a unified architectural approach in which our Collaboration suite in a common user interface hosted on a network that is media-ready. The result is the right communication experience for the task at hand.  Providing capabilities that span Presence, IM, voice, video, conferencing across different devices lets users choose the right communications experience for the task at hand. Consistent user-interface and experience across devices and features, spend more time collaborating and less time learning “how to”. This leads to increased adoption across the collaboration portfolio and better/faster ROI. By running on a wide range of devices and platforms, Cisco Jabber (and WebEx) lets organizations address new BYOD device ownership models, where employees want to use enterprise apps on their personal devices. Leading organizations support multiple platforms, browsers, and devices because that’s what their brightest and best want. With the Cisco Jabber Software Development Kit (SDK), you can integrate Cisco Unified Communications capabilities into any web application-easily and quickly. Application developers, customers, and partners alike can take advantage of this powerful SDK to incorporate voice, video, instant messaging (IM), presence, voice messaging, and conferencing capabilities. Use the power of the web browser to connect, communicate, and collaborate within your line of business application or web portal. You'll save time, streamline workflows, and increase workforce collaboration and productivity. Via Jabber SDK Today

62 What is Jabber Guest? Guest/Public User Enterprise User
** TRIAL AVAILABLE TODAY ** Currently in Beta, available from Collaboration User Group (CUG) … details in slide notes Jabber Guest connects consumers and other non- Cisco telephony users with Cisco enterprise registered users via simple browser & mobile voice and video Guest/Public User Enterprise User The JabberC Beta trial is being hosted in the private Collaboration User Group community space. You must join the Collaboration User Group first if you haven’t already, and then you will have access to the private Collaboration User Group where you can register for the Project JabberC Beta. Getting Started 1.       Please go to the Cisco Collaboration User Group public landing page <https://communities.cisco.com/community/technology/collaboration/usergroups?view=overview> and sign in with your CCO/cisco.com account 2.       If you are not currently a Collaboration User Group member, click on the link titled  “Click here for step by step instructions. It’s easy and free!”.  Follow the instructions to join the user group.   3.       After joining, click on the link “Go to the private community to participate” 4.       Once you are in the Private - Collaboration User Group space, scroll down to the Beta Trials section and choose the “Project JabberC Beta” 5.       Read the Requirements and Register for the Beta After completing the Beta registration, you will have immediate access to the private JabberC Beta community. *Non Cisco Employees Please allow business days for the team to configure your access to the software download server. You will be notified via when you have access to the software.

63 Jabber Guest Experience
Screenshot from Beta App Point to Point Video Point to Video Conference Pre-Call video preview Mid-Call control Keypad Mute Audio/Video Full-Screen Camera/ Audio device Selection Self-View SDK’s to embed app in business applications (desktop Web & mobile native applications) WebRTC-compatible call control For media, browser plugin (desktop Web) & native apps (mobile) Future – WebRTC for media URI or DN

64 Solution Components

65 Required Components – Foundation
Real-Time Expert Help Guest/Consumer Experience Video Chat Required Components End-User Desktop Browser or Mobile Application Enterprise DMZ Cisco Expressway X8.1 Enterprise Network Jabber Guest Virtual Machine Cisco Expressway X8.1 Cisco UC Manager, Registered Endpoints Optional: MCU

66 Example Call Flow – Planned for FCS
Home Internet DMZ Enterprise Expressway Edge Expressway Core Reverse Proxy integrated for X8.1 Jabber Guest CUCM Jabber Guest … Serves up Javascript call control based on URL For mobile, Cisco app from app store or integrated into 3rd-party app For laptop browsers, initiates H.264 plugin install as needed for Cisco or 3rd-party Web app Converts HTTP call request to SIP INVITE HTTP-based call control (ROAP) SIP RTP/SRTP STUN/TURN * Expressway X8.1 or later required

67 Targeted Capabilities in First Release
Subject to Change Client Mobile – iPhone, iPad (in App Store) Web – Windows (IE, Chrome, Firefox), plugin Web – Mac (Safari, Chrome, Firefox), plugin Call initiation via Web links Video call to CUCM endpoints (or VCS endpoints via CUCM-VCS SIP trunk) Firewall/NAT traversal via Collaboration Edge X8.1, TURN & reverse proxy In-call: Mute, DTMF, Video Start/Stop, Full Screen, End Far-end transfers, forwards Audio-only mode Pre-call confirmation page with video preview Audio/video device selection Video bridge support Bandwidth & CPU adaptation Web app “white list” security Problem reporting SRTP, HTTPS call control H.264 AVC, G.722.1, G.711, G.729 Localizations Accessibility (basic) SDK iOS – with sample app code Web – with widget REST API on server for link management Server Virtual machine (OVA) with Web server HTTP-to-SIP gateway Administration interface, including link management Clustering, redundancy Collaboration Edge X8.1 integration CTX interoperability, including meeting DN support Solution Remote Expert 1.9 SPT 1.3 NOTE: Android app and SDK targeted for release in MR1 … available sooner in beta

68 Targeted Requirements
Subject to Change Jabber Guest Virtual Machine (OVA) * RAM: 3GB CPU: 2 logical CPU’s with 1 core per CPU Storage: 100GB OS: Centos bit CPU and memory resource allocation are not defined, and are set to default values at the time of deployment. Mobile Native Support September 2013 – iOS & Android clients added to EAP Purpose-built Jabber Guest mobile clients November 2013 – iOS & Android SDKs to EAP 10.0 FCS: iOS ... iPhone 4S or later, iPad 2 or later … iOS 6.1 or later Android FCS 10.x: Q1 CY Samsung S4/S3/S2, Note II … Android 4.0+ Cisco Expressway X8.1 Desktop Browser Support Currently in EAP … purpose-built client & SDK Chrome 18+, Firefox 10+, IE 8+ (32-bit only, IE 11 TBD) – Windows Vista+ Chrome 18+, Firefox 10+, Safari 5+ – Mac OS X 10.7 and later Cisco Unified Communications Manager Targeting 8.6 or later … worst case 9.x or later * Subject to change pending final performance testing.

69 Embed Jabber Guest Widget
User Experience Desktop Browser SDK Sample HTML & Javascript provided to create video widget and set up event handler Mobile Native Application SDK iOS Android Easily embed Jabber Guest functionality into any web based or mobile application for a rich video experience

70 Call URL Configuration
Administrator configured URL URL string, call destination, caller name, callee name, active time, etc Some examples: URI Dialling: 8-Digit DN: Custom: Server-side RESTful API for programmatic URL management Administrator may configure URL structure for desktop browser as well as mobile “Ad-hoc” calling maybe used for a more open approach

71 Remote Expert & Jabber Guest
Home Internet DMZ Enterprise Expressway Edge Expressway Core Reverse Proxy integrated for X8.1 Jabber Guest Remote Expert & Jabber Guest … Video on Hold via MediaSense Wide variety of remote users catered for using Jabber Guest Rich Video experience, including HD UC System 10.0

72 Closing Thoughts

73 Key Take Aways Cisco Expressway is the evolution of VCS, specifically targeting UCM (9.1+) customers Cisco Expressway bridges the gap between the internet and UCM, delivering VPN-less access for Jabber B2B Video Jabber Guest WebEx Enabled TelePresence The two biggest deployment challenges will likely be DNS and certificates…understand the solution requirements and begin working through these sooner than later with your customers Jabber Guest provides easy B2B and B2C deployments

74


Download ppt "Cisco Expressway Design Session Cisco’s Collaboration Edge Architecture Alejandro Rodriguez Collaboration Systems Engineer Nov 20, 2013."

Similar presentations


Ads by Google