Brkcol 2614

Technical Overview
of the Preferred
Architecture for
Enterprise
Collaboration 11.6
Matt Jordy, Technical Marketing Engineer
BRKCOL-2614
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be cs.co/ciscolivebot#BRKCOL-2614

available until July 3, 2017.
BRKCOL-2614 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
BRKCOL-2614
Complete Your Online
Session Evaluation
Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner will
receive a $750 gift card.
Complete your session surveys
through the Cisco Live mobile
app or on www.CiscoLive.com/us.
Dont forget: Cisco Live sessions will be

available for viewing on demand after the
event at www.CiscoLive.com/Online.
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
BRKCOL-2614: Cisco Enterprise Mobile Collaboration
Session Logistics
Attendees should have some familiarity with Cisco collaboration solutions.
More slides in Appendix + For
= homework
Your
Reference
Please consult the latest applicable

Session time: 120 minutes product documentation for specific
Please ask questions as we go feature, software version, and
hardware version support requirements
Questions I'll answer
Questions I'll defer to later in the session
Questions I don't know the answer to, outside the scope of our session, or those that
consume too much time
Come see me after the session, send me an email, or Spark message

(mjordy@cisco.com) with your question and I will get back to you.
BRKCOL-2614 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Agenda
What is the Preferred Architecture?
Call Control
Conferencing
Collaboration Edge
Unified Messaging
Collaboration Management Services
Simplified Sizing
Bandwidth Management
Security
Future Evolution of the PA
What is the Preferred Architecture?
Collaboration Preferred Architecture (CPA)
What products to use to enable users for Collaboration and
Unified Communications for simple deployments.
Prescriptive Concise Tested best
recommendations Documents practices
Preferred Architecture provides prescriptive design guidance that simplifies

and drives design consistency for Cisco Collaboration deployments
Preferred Architecture can be used as a design base for any customer using a
modular and scalable approach
Preferred Architecture assumes greenfield deployment, but is still relevant to
existing deployments for migration towards the target architecture
Preferred Architecture team provides feedback on solution level gaps to product
teams
Preferred Architecture Process
Figure it out:
Define Collaboration
Preferred Architecture
Feedback: Build and

Feed gaps found validate:
during the build and
validate phase back Build it in the lab and
into product teams validate concepts
Write it down: Extend:

Move it into system
Document Preferred
test beds, Cisco on
Architectures for the
Cisco, Alpha and
field and partners
EFT process
Define:
Define additional
Preferred Architectures
(Voice, Video, Hybrid)
Collaboration Preferred Architectures & CVDs
Available at www.cisco.com/go/cvd/collaboration !
PA CVD PA Applications CVD

PA Overview (Cisco Validated Design) (Cisco Validated Design)
Pre-Sales Post-Sales Post-Sales

Process process Process
Design Overview Document Detailed Design and Deployment Detailed Design and Deployment
Guidance Guidance
Targeted to Pre-Sales
Post Sales Design and Post Sales Design and
Summarizes Solution and
Deployment Deployment
Components
Process Driven Guide Process Driven Guide
BRKCOL-2614
Plugs into the PA CVD
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Collaboration Preferred Architecture for the Enterprise
Current PA version
is 11.6 aligned with
the CSR 11.6
Includes:
Unified CM / IM&P 11.5(1) SU2
Unity Connection 11.5(1) SU2
Expressway X8.9(1)
Cisco Meeting Server 2.1
ENDPOINTS & FW VERSIONS
For more information about Cisco Jabber 11.8
7811/88xx 11.7(1)
components and versions, 8831 10.3(1)
refer to the product list at: DX70/80 CE 8.3(1)
http://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/ MX / SX series CE 8.3(1)
enterprise/11x/116/collbcvd/appendix.html IX Series IX 8.2
New Chapters & Updates for 11.6 Collaboration PA
Conferencing chapter update
Removed TelePresence Server & Conductor,
replaced with Cisco Meeting Server
New chapters:
Collaboration Management
Services
Prime Collaboration Deployment
Prime License Manager, and
Prime Collaboration Provisioning
Security
Security in Layers (including
Toll Fraud), Encryption and
Authentication, and Certificate
Management
Preferred Architecture for Collaboration For
Enterprise Cisco Validated Design (CVD) Your
Reference
CALL CONTROL Functions: Dial Plan (Dialing Habits, Endpoints/

Unified CM, IM&P, ISR / CUBE (PSTN) ILS/GDPR), Trunking, SRST, CTI, Provisioning
CONERENCING Functions: Instant, Permanent, Scheduled

Unified CM, TP Management Suite, Cisco Meeting Server
Architecture:
EDGE Functions: Mobile Remote Access (MRA), B2B,
IM&P Federation, PSTN Access, ISDN Video
Component S
Unified CM, Expressway, CUBE / ISR Role, HA, i
PRIME SERVICES MANAGEMENT Functions: Deployment, Licensing, Monitoring Scalability
z
Prime Collab Deployment, License Manager, & Provisioning and Troubleshooting i
UNIFIED MESSAGING Functions: Unified Messaging Deployment: n
Unity Connection Process and g
Configuration
BANDWIDTH MANAGEMENT Functions: QoS and Admission Control High Level
Unified CM, Endpoint Firmware, IOS / IOS-XE / AireOS
SECURITY Functions: Infrastructure/Network Security, DoS,
All Components Toll-Fraud, Encryption, Certificate Management
SIZING Functions: Sizing numbers for products built on
Endpoints, Users, Calls, and Virtual Machines a set of calculated assumptions
Usage of the Collaboration Preferred Architecture
Collaboration Preferred Architecture assumes greenfield enterprise collaboration
deployments
However, this isnt the only usage of the architecture
Guideline for updating brownfield collaboration deployments - architecture target
Training for new collaboration engineers
Answers the question:
Whats the best way to design your collaboration deployment?
Call Control
Headquarters
Expressway-E
Mobile/Teleworker
DMZ
Endpoints Expressway-C
IM and
Unified
Communications
Internet
Presence Manager
Integrated/Aggregated Third-Party Solution
Services Router
Integrated
Services Router
MPLS WAN
Collaboration Edge
Call Control
Unity Cisco Meeting Server
Connection Remote Site
PSTN
TelePresence
Voice Messaging Conferencing Management Suite
Cisco Prime Collaboration

Deployment License Provisioning
Manager

Call Control Functions Endpoints
User / endpoint identities and status IM and

Presence
DMZ
Single cluster for call routing and IM&P Expressway-C Expressway-E
with 1:1 redundancy

Central Dial Plan authority E.164 Unified
Communications Collaboration Edge
MRA
Endpoints
dial plan Manager
SIP
Centralized SIP endpoint registration Cisco Meeting Server
and management Call Control
SIP application integration APIs TelePresence

Conferencing Management Suite
Expressway for firewall traversal and
mobile and remote access (MRA) Prime
Prime Prime Unity
License Connection
Provisioning
Management and third-party Deployment Manager
interoperability with APIs

LDAP provisioning and authentication Collaboration Management Services Voice Messaging
Unified Communications Manager is the Heart of the Architecture.

The Glue that binds it all together.
IM and Unified
Presence Communications
Manager
Call Control
Call Control
Core Components / Roles Key Benefits
Unified CM provides call control, Call control is centralized at a single

location that serves multiple remote
endpoint registration and sites.
configuration, call admission
control, codec negotiation, trunk Management and administration are
protocol translation, and CTI centralized.
Common telephony features are
Unified CM IM and Presence available across voice and video
Service provides on-premises endpoints.
instant messaging and presence
Single call control and a unified dial
Cisco Integrated Services plan are provided for voice and video
Router (ISR) provides PSTN endpoints.
connectivity and remote site Critical business applications are highly
survivability (SRST) available and redundant.
Unified CM with IM & Presence Cluster
Unified CM Cluster IM & Presence Cluster
DB Sync Two databases
Each DB has:
DB Publisher SOAP / XML
Publisher Subscriber One publisher
Call Processing Multiple subscribers
SIP
TFTP 1 CTI/QBE CM subscriber:
Primary Secondary
Call processing pairs
TFTP 2 Subscriber Subscriber TFTP pairs
Call Processing
... IM&P publisher part
of pair
Primary Secondary
Up to 6 nodes
...
Up to 21 nodes
Preferred Architecture Clustering Guidelines
Call Processing Subscribers always added in pairs
1:1 redundancy only
Single TFTP Subscriber pair
Call Processing Subscriber and IM&P pairs added to match scale requirements
Music on Hold function co-located with Call Processing Subscribers
DNS A Fundamental Solution Requirement
Domain Name Service (DNS) is Critical for Collaboration Solutions
Forward and Reverse Lookup
SRV for Redundancy and Load Balancing
DNS for User Data Service (UDS) and Certificate Validity
Recommendation:
Enable DNS forward (A record) and reverse (PTR record) lookup for all UC
servers and applications
Dedicated zone for cluster simplifies configuration of cluster fully qualified
domain name (CFQDN Enterprise Parameter): *.us-uc.ent-pa.com
SRV record for each Unified CM node
Best load balancing of initial UDS requests during registration
For
Deployment Considerations: Numeric Dial Plan Your

Reference
Use +E.164 as DN addressing

Benefit: Ensure uniform phone number formatting across all enterprise contacts
Use XXXX abbreviated intra-site dialing
Benefit: Allow abbreviated dialing for intra-site calls
Use site-code based abbreviated inter-site dialing
e.g.: 8+<site code>+<extension>
Benefit: Use a normalized approach for inter-site calls
Non-DID addresses in line with site-code based abbreviated inter-site dialing

Unique addresses
Additional site-codes per site or non-overlapping extensions
SIP Trunking Recommendations
Use Best Effort Early Offer on ALL Trunks
Minimize number of SIP profiles
Consider default profiles first
Avoid per-trunk SIP profiles
Provision SIP profile per group of equivalent trunks
Recommended SIP profile settings:
Use Fully Qualified Domain Name in SIP Requests set on all trunks and
for video enabled endpoints; prevents IP address of Unified CM to show up
in host portion of URIs in calling identity headers
Enable SIP OPTION ping for real-time status monitoring
SIP trunk redundancy achieved by provisioning
multiple peer user agents per trunk
(Cisco Meeting Server, Unity Connection, Expressway-C, etc.)
Avoids multiple trunk configurations
Multi-cluster Support SIP
XMPP
CLUSTER 1 CLUSTER 2 CLUSTER 3
IM&P UCM IM&P UCM IM&P UCM
Branch1 Branch2 Branch1 Branch2 Branch1 Branch2
Recommendation: Centralized Call Processing Model (Single Call Processing Cluster)

Full-Mesh Distributed Call Processing Deployment Model when required. This
model is based on multiple iterations of the Centralized Call Processing
Deployment Model. Session Management Edition is out of scope for the PA.
Business-to-Business
Communications
BRKUCC-2008 Enterprise Dial Plan Fundamentals
- Tuesday, Jun 27, 8:00 am
Conferencing
Headquarters
Expressway-E
Mobile/Teleworker
DMZ
IM and
Unified
Communications
Internet
Presence Manager
Services Router
Integrated
Services Router
MPLS WAN
Call Control Collaboration Edge

NEW PSTN
TelePresence
Voice Messaging Management Suite
Conferencing
Manager

Cisco Meeting Server
Conferencing TelePresence
Management Suite
Conferencing
Core Components Key Benefits
Simplified, optimal user experience
Cisco Meeting Server for audio
and video conference resources Flexible, extendable architecture that supports
and resource management deployment of one or more permanent,
scheduled, and/or instant conference resources
Cisco TelePresence
Dynamic optimization of conference resources
Management Suite (TMS) for
conference provisioning, High availability of conference resources
monitoring, and scheduling Media resilience and rate adaptation in the video
TMSXE for interfacing with Microsoft network
Exchange room and resource
calendars A single tool for hosts to schedule participants
and conference rooms for a meeting
Multiparty licensing that enables full access to all
conference resources on the bridge
Conferencing Architecture
Conferencing with Cisco Meeting Server
Unified Communications
Manager
Expressway-C Expressway-E
DMZ
Internet
TMS
How to deploy the components (Call
Bridge, Web Bridge, XMPP, Database)
Support for multiple Conference types
(Instant, Permanent, Scheduled)
Instant, Permanent
and Scheduled
Cisco Meeting Server Spaces
Spaces are virtual meeting Go to URL: https://join.ent-pa.com
rooms that have audio, video
And enter Conference ID or User Credentials
and content sharing capability CMS
and are accessible using
Space URI, directory number Immersive WebRTC
or URL. Endpoints
Dial URI user.space@cms.ent-pa.com or
DN 8801000 WebRTC
Spaces
CMA
Non-Immersive
Endpoints
Permanent and Scheduled Meetings
Dial: +1(408)555-5555
phone Enter IVR plus Space Call ID
Conferences Instant vs Schedule/Permanent
High-Level Configuration Steps
Instant Conference (Ad hoc: +(Add) or Conference Sofktey)
Conferencing Media Resource Media Resource

SIP Trunk to CMS
Bridge Group Group List
POINTS TO
Permanent and Scheduled Conferences (URI or DN)
Route Pattern Route Group Route List SIP Trunk to CMS
CONTAINS
TMS Scheduled Meeting Components / Roles
Active Nodes
CMS TMS TMSXE
HTTPS/REST
Single virtual
IP address
Active
tms.ent-pa.com Network Load
SQL Directory
Balancer
SSH keep-alive between

1. FQDN of TMS is configured in Active/Passive nodes
Managed TMS Network Settings
Devices
2. The FQDN should resolve to the
NLB virtual IP for TMS
TMS TMSXE
3. TMS will send managed devices
FQDN that resolves to NLB for Passive Nodes
communications with TMS
TMS Scheduling Request Components / Roles
5
Managed
Devices
CMS
Outlook Scheduling
TMS TMSXE Request
HTTPS/REST
1. Outlook scheduling request 1

3
2. Exchange uses Exchange Web Services
(EWS) to sync request with TMSXE via the 4 2
Network Load Balancer (NLB)
3. TMSXE sync directly with Exchange MS Exchange

4
4. TMSXE routes request to Active TMS via 2
NLB
Network Load
Balancer
5. TMS sends confirmation email to user
Single virtual
IP address
Cisco Meeting Server Architecture
Scalable and Resilient Deployment
Resiliency
Web Bridge Call Bridge
Scale Web Bridge Call Bridge
XMPP Server Database
San Francisco
RTP
Cluster of 3
Servers
Call Bridge
Richardson
Collaboration
Edge
Headquarters
Expressway-E
Mobile/Teleworker
DMZ
IM and
Unified
Communications
Internet
Presence Manager
Services Router
Integrated
Services Router
MPLS WAN
Call Control
Collab Edge
PSTN
TelePresence

Manager

Integrated/Aggregated Expressway-C
Expressway-E
Services Router
Collaboration Edge Collab Edge DMZ

Cisco Expressway-C and Connect to customers and partners,
Expressway-E, for Internet independent of the technology they
connectivity and firewall traversal are implementing and the public
network they are using.
for voice and video
Provide for a resilient, flexible and
Cisco Unified Border Element, extendable architecture.
for audio PSTN connectivity via IP
trunks Provide any hardware and software
client with the ability to access any
PSTN Voice Gateway (IOS), for public network (Internet and PSTN).
direct audio PSTN connectivity Provide secure VPN-less access to
collaboration services for Cisco
mobile and remote clients and
endpoints.
Mobile and Remote Access (MRA)
Expressway for Internet Connectivity (MRA / B2B)
Enterprise Network DMZ Outside Network
Unified Internet
CM
Expressway-C Firewall Expressway-E Firewall
Signaling
Media
1. Expressway-E is the traversal server installed in DMZ. Expressway-C is the traversal client installed inside the
enterprise network.
2. Expressway-C initiates traversal connections outbound through the firewall to specific ports on Expressway-E with
secure login credentials.
3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E to maintain the
connection
4. When Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C.
5. Expressway-C then routes the call to Unified CM to reach the called user or endpoint
6. The call is established and media traverses the firewall securely over an existing traversal connection
Expressway Mobile and Remote Access Capabilities
Three key capabilities when enabling Expressway Mobile and Remote Access:
XCP Router for XMPP traffic (IM&P)
HTTPS Reverse proxy (provisioning and other services)
Proxy SIP registration to Unified CM Unity Connection
Unified CM XMPP (IM&P)
HTTPs (provisioning, visual voicemail,

directory)
SIP (audio, video)
IM and Presence
Expressway C Firewall Expressway E

Mobile & Remote Access Protocol Workload Summary
Inside firewall DMZ Outside firewall
(Intranet) (Public Internet) Protocol Security Service
Session Establishment
Collaboration SIP TLS
Internet Register, Invite, etc.
Services
Audio, Video, Content
Media SRTP
Unified CM Expressway Expressway Share
C E
Logon, Provisioning /
Unified CM IM&P HTTPS TLS Configuration, Contact
Search, Visual Voicemail
XMPP TLS Instant Messaging,

Unity Connection
Presence
Conferencing Resources
Split DNS SRV Record Requirements
_collab-edge record needs to be available only in public DNS
Multiple SRV records (and Expressway-E hosts) should be deployed for HA
_collab-edge._tls.example.com. SRV 10 10 8443 expwy1.ent-pa.com.
_collab-edge._tls.example.com. SRV 10 10 8443 expwy2.ent-pa.com.
A GEO DNS service can be used to provide unique DNS responses by
geographic region
_cisco-uds record needs to be available only in internal DNS

_cisco-uds._tcp.example.com. SRV 10 10 8443 ucm1.ent-pa.com.
_cisco-uds._tcp.example.com. SRV 10 10 8443 ucm2.ent-pa.com.
Expressway MRA and Jabber Service Discovery
DNS SRV lookup _cisco-uds._tcp.example.com

Inside firewall DMZ Outside firewall

(Intranet) (Public Internet)
Not Found
Collaboration
Services DNS SRV lookup _collab-edge._tls.example.com
Public DNS

Unified
CM Expressway Expressway expwyNYC.example.com
C E
TLS Handshake, trusted certificate verification
HTTPS:
get_edge_config?service_name=_cisco-
uds&service_name=_cuplogin
Device Mobility for Expressway MRA
Expressway-E Expressway-C Device Mobility
RTP 1. Register me with
Location
10.10.20.50
SRST Reference
Local Route Group
2. Device in RTP Media Resources
.
Expressway-E Expressway-C
3. Register me with
RCD 10.10.30.50
Device Mobility
IP Subnet Device Pool Location
Info
4. Device in RCD 10.10.20.50 RTP_EXP1_DMI RTP_EXP_DP RTP
10.10.30.50 RCD_EXP1_DMI RCD_EXP_DP RCD
10.10.40.50 SJC_EXP1_DMI SJC_EXP_DP SJC
Device Mobility for Expressway MRA Redundancy
Device
Device Pool Location
Mobility Info
RTP_EXP1_DMI
Redundant 10.10.20.50/32
Expressway-C RTP_EXP_DP RTP
Pairs @ RTP RTP_EXP2_DMI
10.10.20.51/32
RCD_EXP1_DMI
Redundant 10.10.30.50/32
Expressway-C RDC_EXP_DP RCD
Pairs @ RCD RCD_EXP2_DMI
10.10.30.51/32
SJC_EXP1_DMI
Redundant 10.10.40.50/32
Expressway-C SJC_EXP_DP SJC
Pairs @ SJC SJC_EXP2_DMI
10.10.40.51/32
Communications
BRKCOL-2018 Best Practices for Business to Business
Video Collaboration - Wednesday, June 28, 8:00 am
Unified
Messaging
Headquarters
Expressway-E
Mobile/Teleworker
DMZ
IM and
Unified
Communications
Internet
Presence Manager
Services Router
Integrated
Services Router
MPLS WAN

PSTN
TelePresence
Unified Conferencing Management Suite
Messaging
Manager

Unity
Connection
Unified Messaging
Unified
Core Components Key Benefits Messaging
Cisco Unity Connection, for Users can access the voicemail

voice and unified messaging system and retrieve their messages
service to Unified CM registered using their IP phones, mobile devices,
endpoints or email client applications with either
a dialed number or a SIP URI.
Microsoft Exchange and Active
Directory, for email and directory Users are able to customize personal
integrations settings from a web browser.
Offers a natural and robust speech-
activated user interface that allows
users to browse and manage voice
messages using simple and natural
speech command.
Unified Messaging
Cisco Unity Connection: Architecture
Directory Redundant Unity Connection nodes
Voicemail Unity Connection SIP Trunk integration to Unified CM
Publisher Directory Microsoft
Unified CM
synchronization Active
Directory
Integrations to directory and mail:
Microsoft Active Directory
PIN Sync Messaging Microsoft Exchange
Subscriber (On-Premise or
Cloud-Based)
Call forwarding to Unity Connection
Mailbox
SIP synchronization
Microsoft
Direct call to voicemail or visual
Voicemail access
Exchange mailbox navigation (Visual Voicemail)
via VoIP to TUI or
via REST/HTTPS
Email access to voicemail (Single Inbox)
(Visual Voicemail)
SIP
11.6 Update PIN
Email access to
VoIP or synchronization between Unified
voicemail
(Single Inbox)
REST/HTTPS CM and Unity Connection
Email
(SMTP/HTTPS)
NEW
Headquarters
Expressway-E
Mobile/Teleworker
DMZ
IM and
Unified
Communications
Internet
Presence Manager
Services Router
Integrated
Services Router
MPLS WAN

PSTN
TelePresence

Manager
NEW
Collaboration Management Services BRKCOL-2614 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Manager
Core Applications
Cisco Prime License Manager Single tool to enable license
(PLM) management of user-based workflows and manage licensing for
licensing, including license fulfillment. collaboration infrastructure
components.
Deployment (PCD) deploys new Eases deployment of new
clusters of Unified CM and IM and infrastructure components, enabling
Presence servers and Unity faster initial setup
Connection
Rapid and automated user/endpoint
Cisco Prime Collaboration enablement along with moves, adds,
Provisioning (PCP) provisions and changes and deletions (MACD)
configures users and endpoints
Cisco Prime Collaboration Deployment
Cisco Prime Collaboration Deployment: Architecture
UCM_Pub VM IM&P_Pub VM UCxn_Pub VM
Cisco collaboration application .iso install

UCM_Sub VM IM&P_Sub VM UCxn_Sub VM
VMWare files located on Prime Collaboration

ESXi Deployment (PCD).
Host UCM_Sub VM IM&P_Sub VM
PCD network file system (NFS) mount on

ESXi host(s) to facilitate .iso file access.
Collaboration application node virtual
machines (VMs) manually created on the
.iso ESXi host.
.iso
.iso
SFTP PCD installs collaboration application
Prime Collaboration Deployment clusters on the target VMs.
Cisco Prime License Manager
Cisco Prime License Manager: Architecture
Unified CM Unity Connection
Cisco Prime License Manager (PLM) enables
license fulfillment:
Publisher
Electronic [requires Internet connectivity]
Publisher
OR
Manual license file request
Licenses received (over the network or via

email)
Licenses applied to system and propagated
Cisco.com to synchronized application instances.
Prime License
Manager
Cisco Prime Collaboration Provisioning
Application Program
Interface (API)
Unified CM
Unified IM&P AXL SOAP

over HTTP(S)
Prime
Provisioning
Unity
Connection
Directory
REST/SQL LDAP over

HTTP(S) Microsoft
over HTTP(S) Active
Directory
Cisco Prime Collaboration Provisioning (MACD)
On-boarding / Off-boarding of Users
US Cluster EMEA Cluster
3 Importing users from Active IM&P CUC IM&P CUC

Directory into Prime Collaboration
Provisioning triggers Automatic 1
UCM UCM
Service Provisioning Users imported from
Active Directory to
Unified CM
3 1
2
2 Users imported from Active
Cisco Prime Directory to Prime Microsoft Active
Directory
Collaboration Collaboration Provisioning
Provisioning
4 Help desk administrators log into Cisco Prime Collaboration
Provisioning for configuration updates (MACDs)
Simplified Sizing
PA Simplified Sizing vs. Collaboration Sizing Tool
Deployment within the Preferred
Architecture Sizing Assumptions?
Use PA Use Collaboration

Simplified Sizing Sizing Tool
Sizing Cisco Unified CM for the Preferred Architecture
< 5,000 devices and users Between 5,000 and 10,000
Publisher
devices and users
TFTP 1 TFTP 2 Publisher
TFTP 1 TFTP 2
Call Processing subscriber pair

Call Processing subscriber pair
7,500 OVA (2 vCPUs) is used for both Call Processing subscriber pair
deployments
7,500 OVA supported on BE7000M or larger
Sizing Unified CM PA Assumptions
1:1 Server Redundancy
Simplified User Sizing
Sizing Assumptions for Unified CM:
Average up to 4 BHCA per user
Average up to 2 DNs per device
Extension Mobility for ALL Users
Up to 500 Shared Lines per Call Processing Pair
Up to 500 CTI ports and 100 CTI Route Points per Call Processing pair
Up to 3,000 Partitions, 6,000 Calling Search Spaces, 12,000 Translation Patterns
Up to 40,000 users synched with AD (5,000 or 10,000 active)
Refer to the Preferred Architecture CVD for the complete list of assumptions
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/enterprise/11x/116/collbcvd.html
For
Sizing IM & Presence for the Preferred Architecture Your

Reference
In the PA, IM & Presence is deployed with 2 servers

The number of users (full UC) dictate which OVA is used
Less than Between Between

2,000 users 2,000 and 5,000 users 5,000 and 15,000 users
2,000-user OVA 5,000-user OVA 15,000-user OVA

(1 vCPU) (2 vCPUs) (4 vCPUs)
These 3 OVAs are supported on BE7000M or larger
For
Sizing TMS for the Preferred Architecture Your

Reference
TelePresence Management Suite (TMS) < 5,000 controlled systems

< 200 controlled systems < 1,800 concurrent participants
< 100 concurrent participants < 250 concurrent ongoing scheduled
< 50 concurrent ongoing scheduled conference
conference < 48,000 Collaboration Meeting Rooms
<1000 Collaboration Meeting Rooms
TMS/TMSPE TMS/TMSPE
TMS/ TMS/
TMSPE/TMSXE TMSPE/TMSXE
TMSXE TMSXE
Regular Deployment (1 vCPU OVA)
All OVAs are supported on BE6000M or larger

Large Deployment (4 vCPUs OVAs)
For
Sizing Unity Connection for the Preferred Architecture Your

Reference
Cisco Unity Connection is deployed with 2 servers in an active/active mode

The number of users dictate which OVA is used
Between Between
1,000 and 5,000 users 5,000 and 10,000 users
5,000-user OVA 10,000-user OVA

(2 vCPUs) (4 vCPUs)
Both OVAs are supported on BE7000M or larger
Deployment Example with 5,000 Users / Devices
BE7KM
BE7KM
CMS 1000 /
BE7KM CMS 2000
349651
BE7KM
Cisco Meeting Server Platforms and Capacities For
Your
Reference
Cisco Meeting Cluster HD 1080p30 HD 720p30 SD 480p

Server Platform 1 Support Port Capacity 2 Port Capacity 2 Port Capacity 2
Yes, up to 8 nodes
Cisco Meeting
for a standard 48 96 192
Server 1000
cluster
Yes, up to 8 nodes
Cisco Meeting
for a standard 250 500 1000
Server 2000
cluster
1.CiscoMeeting Servers support a maximum of 3,000 audio connections for any standalone
deployment or cluster with any audio codec.
2.Assumes content sharing at 720p resolution and 5 frames per second (fps).
Bandwidth
Management
Managed vs. Unmanaged Networks
Where do your media packets go?
On-premise Call Control

UC Services How do you preserve user
Central
experience when media
Site traverses the Internet?
Cloud Services
B2B
QoS-
capable
B2C
Managed
WAN Internet
MPLS DMVPN
VPN
Remote Sites Home/Mobile Users

Our Strategy
Smart Media Techniques QoS Tools Design & Deployment
LTRF1 LTRF1
P1 P3
P2 P4
P5
P1
P5 EF Audio
P2 P4
... ... ... ... Queue
Encoder
?
Decoder
EF
AF42
WAN Link
OOS (P4) ACK LTRF1
AF42 Video
Encoder Decoder
Queue
AF41
R1 FEC
AF41
LTRF 0111010001
1000011001
Repair-P R1 0001100
1001000100
0011001011
1011110
FEC
1110010101
... ... R2 1011010010

1010010
R2
Leverage media resilience and

Consolidate mechanisms to
rate adaptation to enable
Use media resilience to
identify Collaboration media pervasive video deployments
reduce impact of packet loss through:
Apply rate adaptation to Evolve classification and Simplified provisioning
reduce network congestion scheduling recommendations
Optimized bandwidth
utilization
DSCP Class DSCP ToS Prec.
Classification: DSCP Classes none
CS1
0
8
0
1
AF11 10 1
EF: Expedited Forwarding (PQ) AF12 12 1
Used for voice media AF13 14 1
CS2 16 2
AF: Assured Forwarding (CWBFQ) AF21 18 2
AF22 20 2
Used for video media AF23 22 2
SIP
Signaling CS3 24 3
CS: Class Selector AF31 26 3
Used for signaling AF32 28 3
AF33 30 3
Priority video media CS4 32 4
(TelePresence, desktop) AF41 34 4
AF42 36 4
Opportunistic video AF43 38 4
media (Jabber) CS5 40 5
EF 46 5
Voice
CS6 48 6
media CS7 56 7
WAN Queuing Considerations
Single Video Queue, Dual QoS Markings
Opportunistic Video and Prioritized Audio Map audio streams of voice and
AF41 WRED thresholds
video calls (EF) to a priority queue
(i.e., drop AF41 last)
Map video streams of video calls
EF
Audio of (AF41 and AF42) to a single class-
IP Phone
EF PQ based queue with WRED:
Audio of Video EF
AF41: higher drop thresholds
BW Assigned to LLQ Classes

Audio of Jabber EF (e.g., 50-100% of queue depth)
AF42: lower drop thresholds
Video of Video AF41 (e.g., 15-35% of queue depth)
Video
CBWFQ
During congestion, AF42 traffic
other queues
Video of Jabber AF42 (opportunistic video) is dropped first:

Packet loss triggers rate adaptation
Opportunistic video
Media resilience limits the impact
AF42 WRED thresholds
(i.e., drop AF42 first)
WAN Queuing Considerations Coming
Soon
Single Video Queue, Single QoS Marking
Single QoS Marking for Video Map audio streams of voice and
with Prioritized Audio video calls (EF) to a priority queue
In deployments where dual QoS
EF
Audio of marking is not practical, map
IP Phone
EF PQ video streams of all video calls
Audio of Video EF (desktop/TelePresence and
BW Assigned to LLQ Classes

Audio of Jabber EF Jabber) to a single class-based
queue
Video of Video
AF41 Video
AF41: Marking for all video
CBWFQ
During congestion, if traffic is
other queues
All video
Video of Jabber
AF41 dropped:
Packet loss triggers rate adaptation
Media resilience limits the impact
Summary
Combine QoS tools, media resilience and dynamic adaptation to build a self-
regulating system that makes optimal use of available network resources
Leverage rate adaptation and media resilience mechanisms in managed
network to deploy pervasive video. Prioritized video for room system and
hard endpoints, opportunistic video for Jabber endpoints.
Use CAC when and where needed
When managing bandwidth with Media Resilience and Rate Adaptation techniques is
not an option (i.e. extreme contention on WAN bandwidth)
Security
NEW
Examples of IP Communications Threats
Denial of Service (DoS) Eavesdropping
Affecting call quality or ability to place calls Listening to anothers call or Theft of
intellectual property
SPAM
SPIM, SPIT, and more SPAM
Media tampering
Toll fraud Data Modification

Unauthorized or unbillable resource Impersonating others
utilization
Identity Theft
Learning private information
Session replay
Password/accounts, Caller ID, DTMF,
calling patterns, presence information Replay a session, such as a bank transaction
Man-in-the-middle attacks Virus and malware

Insertion of rogue user/device to intercept
traffic and communications
Prevent Unauthorized Access - Platforms
Hardened Platform: Unified CM, IM & P, Unity Connection, Expressway
Host-based intrusion protection (SELinux),
not enabled by default on Expressway
Host-based firewall (iptables), firewall
rules (Expressway)
3rd party software installation not allowed
Software digitally signed, OS and applications software
digitally signed and installed with a single package
Root account disabled
Secure management interfaces (HTTPS, SSH, SFTP)
Audit logging
Additional by Configuration
If applicable, change default passwords (e.g. Expressway)
Complex password/credentials policy
Disable unnecessary protocols
Prevent Unauthorized Access - Endpoints
Security features by default
Authenticates the firmware/configuration and protects against
tampering
Signed firmware (.sbn extension)
Signed configuration files (<devicename>.cnf.xml.sgn)*
Additional by Configuration
Physically secure the phones
Disable gratuitous ARP
Configure 802.1X
Disable web access / SSH access. Or configure ACL
Disable PC port if not needed
Optionally enable TFTP configuration file encryption*
* With Jabber, Unified CM needs to be in Mixed-Mode for secure and encrypted config (CTL required)
For
Your
Toll Fraud Mitigation Reference
Unified CM
Calling Search Space (CSS) / Partitions for dial-plan segmentation, transfer back to
PSTN
Unity Connection
CSS and Rerouting CSS on Unity SIP Trunk to include only the required partitions
Restriction Tables (phone numbers): Transfer, message notification, etc.
Unified Border Element / IOS Gateway

For Toll Fraud and Performance use the telephony denial-of-service (TDoS) attack
mitigation feature: Prevents responding to SIP requests arriving from untrusted IP
addresses
Expressway
Call Policy Rules (CPL) to allow or reject calls from the Default Zone. For example a
CPL to reject any B2B calls with 9 as a prefix to avoid unauthorized calls to the PSTN.
1010 1000101010101000111
Encryption 011 01011011101001 00010
NEW
Enable Encryption
Protect against eavesdropping, data modification, session replay,
impersonation
Provides privacy, integrity, and authentication
Authentication provided through certificates
Can be one-way authentication or mutual authentication (MTLS)
SIP trunk encryption is recommended
Encrypted Links - UCM Unified CM mixed-mode not required
SIP Trunk
SIP trunks
SRTP Allowed checked
Endpoint Encryption SIP destination port(s) 5061
SIP Trunk Security Profile
Security mode Encrypted with transport type TLS
X.509 Subject Name set to CN of remote cert and
incoming port set to 5061 (MTLS)
Enable
encryption
using TLS
Unity Connection
CN of remote
party
Expressway
Use a different port (e.g. 5561) for CUBE / Voice Gateway

Expressway when both B2B and MRA are
enabled. (No SIP trunk for MRA-only).
Encrypted Links - Endpoints Mixed-Mode
SIP trunks
SRTP
Endpoint Encryption
Encryption for the phone media and
signaling requires Unified CM to be in
Mixed-Mode
Requires Export Restricted version of
Unified CM
IM messages are encrypted by default
and do not required mixed-mode
Secure call has a lock icon shown on the
endpoint display
Unified CM: Non-Secure vs. Mixed-Mode
Feature Non Secure Cluster Mixed Mode Cluster
Auto-registration * |
Signed & Encrypted Phone Configs New in
Unified
Signed Phone Firmware CM 11.5
Secure Phone Services (HTTPS)

CAPF + LSC
IP VPN Phone
SIP Trunk encryption
Secure Endpoints (TLS & SRTP)
* Unified CM versions prior to 11.5
Unified CM Mixed-Mode
Enable Mixed-Mode
PA
Hardware Security Token

Tokenless CTL
(USB Security Tokens)
Migration
See Unified CM Security Guide and TAC note
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html
Encrypted Endpoint Basic Configuration
With Unified CM in mixed-mode, not all endpoints need to be configured with encryption, but all the
endpoints download the CTL (Certificate Trust List) file
Notes:
Phone security profile independent from the phone type: Universal Device Template. Useful when
deploying MRA
Encryption using the Locally Significant Certificate (LSC) instead of Manufacturing Installed
Certificate (MIC) (requires CAPF enrollment)
Certificate Management
NEW
Why Do We Need Certificates?
What is a Digital Certificate?
Includes public key and name of the certificate holder, signature
Goal
Authentication and encryption
Two types of authentication
One-way authentication
With Web browsers or with Jabber login (UDS, XMPP, Unity Connection visual
voice mail)
Two-way authentication
Endpoints in encrypted mode, MTLS trunks (e.g. Unified CM SIP trunk to
Expressway)
Endpoint Certificates - MIC vs. LSC
MIC: Out of box certificate. Proves the phone is a genuine Cisco phone
But
MIC is not specific to your Unified CM cluster. It does not prove the phone is part of
your Unified CM cluster
MIC cannot be customized/updated/deleted
Recommendation:
PA Use MIC certificates to authenticate with CAPF for LSC certificate installation
Use LSC for everything else (SIP TLS, VPN, 802.1X*)
* The LSC is not used for wireless 802.1x. Wirelessly connected endpoints requires a
user installed certificate for 802.1X (via web interface).
Server Certificates CA-signed
If using self-signed certificates: Must import remote
certificate in the local trust store. Otherwise, warning
message is displayed or connection is NOT established
Importing self-signed certificates creates excessive
management overhead particularly with large deployments containing many service nodes
If using certificates signed by an external Certification Authority (CA), only the CA root
certificate/certificate chain needs to be imported into the trust store,simplifying management.
Recommendation:
Use CA-signed certificates for:
PA Tomcat (Unified CM, IM & P, Unity Connection)
CallManager, CUP-XMPP, CUP-XMPP-S2S, Expressway-C/E Server, Cisco Meeting
Server Shared server and Database Client
Note: All certificates do NOT need to be CA-signed (e.g. Unified CM TVS, CAPF, and ITLRecovery, IM&P CUP)
Multi-Server Certificate Support
Unified CM Cluster
One CA-signed Multi-Server certificate for

the entire Unified CM cluster
Unified CM nodes IM&P nodes
To simplify certificate management in clustered environments

One single CA signed certificate and private key across all nodes in a cluster
Each Unified CM / IM & P and Unity Connection cluster nodes FQDN included
as Subject Alternative Name (SAN) in a single certificate, custom SANs can also
be included
Recommendation:
Use Multi-Server certificates wherever available:
PA
Tomcat (Unified CM, IM & P, Unity Connection)
CallManager, CUP-XMPP, CUP-XMPP-S2S
Public CA v. Private CA
Certificates for Cisco collaboration infrastructure or application service nodes may be
signed by public CAs (GeoTrust, Verisign/Symantec, GoDaddy, etc.) or by an
organizations private CA (Microsoft CA, openssl, etc.).
The tradeoff between the two options typically comes down to cost
Public CAs have a higher cost per certificate, but are broadly trusted in browsers,
MRA-capable endpoint firmware, most mobile devices and desktop operating systems.
Your organizations private CA typically has a minimal cost per cert (if not $0) but are
not broadly trusted, cost involves maintaining the CA and distributing CA certificate to
end users and devices via MDM, MS Group Policy, etc.
Recommendation:
PA Public CA for Expressway-E certificates (required for hardware endpoints)
Public or Private CA for other certificates (Tomcat, CallManager, CUP-XMPP/
XMPP-S2S, Expressway-C, Cisco Meeting Server)
BRKUCC-2501 Cisco UC Manager Security & Certificate
Communications
Deep Dive Monday, Jun 26, 8:00 am
LTRCOL-2130 Collaboration Security for the Enterprise
Preferred Architecture Thursday, June 29, 8:00 am
Future Evolution of PA
Cisco Spark Hybrid Services for the
Collaboration Preferred Architecture
NEW
Cisco Spark Hybrid Services for the Collaboration PA
Collaboration Preferred Architecture maroon document NEW
Cisco Spark Hybrid Services Design Guide

https://www.cisco.com/c/en/us/td/docs/solutions/PA/maroon/spark/hybdsrvs.html
AVAILABLE
Builds upon the Enterprise Collaboration Preferred Architecture TODAY
Includes coverage for:

Cisco Directory Connector with Active Directory for enterprise
directory integration
Cisco Calendar Connector with Microsoft Exchange for enterprise calendar integration
Cisco Call Connector with Unified CM for enterprise call control integration,
leveraging Expressway-C/E for enterprise firewall traversal.
Cisco Spark Hybrid Services PA Architecture
Expressway-C
with Connectors
Microsoft
Exchange Management Connector
Calendar Connector
Call Connector
Active Directory Directory Connector
Management Connector
Calendar Connector
Call Connector
Directory Connector
Expressway-C Expressway-E
SIP signaling and media
Internal FW DMZ FW
Unified Internet
CM
Communications
BRKCOL-2202 Cisco Spark Hybrid Services
Architectural Design - Thursday, June 29, 8:30 am
Collaboration Preferred Architecture
Roadmap
Subject
to
Change
Preferred Architecture: Cisco Spark Hybrid Services
Cisco Preferred COMING
Headquarters
Architecture for SOON Expressway-E
Cisco Spark Hybrid

Services Endpoints
DMZ
Expressway-C
Unified Hybrid Media
Both PA Overview Communications
Manager
Node
and PA CVD Mobile/Teleworker
Expressway-C
Connector Host
Expected content: Call Control Hybrid Media
Internet
Cisco Directory Microsoft

Directory, Calendar, Call Connector Active Directory Third-Party Solution
Integrated/Aggregated
Connector integrations* Services Router

MPLS WAN
Integrated
Services
Hybrid media services with Directory
Router
Collaboration Edge
Hybrid Media Node
Microsoft PSTN Enterprise Branch
Exchange
Spark Call for Enterprise Branch
Subject
to
Calendar
Change
* Already available in the Cisco Spark
Hybrid Services Design Guide (to be deprecated) BRKCOL-2614 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 100
Preferred Architecture: Enterprise Collaboration 12.0
Cisco Preferred Headquarters
UPDATE
Architecture for COMING Cisco Prime Cisco Prime
Expressway-E
SOON Collaboration Collaboration
Enterprise Deployment Provisioning
Collaboration 12.0 DMZ

Mobile/Teleworker
Collaboration Management Services Expressway-C

Both PA Overview and PA CVD
IM and
Unified
Communications
Internet
Presence Manager
Expected updates: Integrated/Aggregated
Services Router
Third-Party Solution
Cisco Smart Licensing to replace MPLS WAN

Integrated
Services
Router
Cisco Prime License Manager Call Control Collaboration Edge

Transport Layer Security (TLS) 1.2 Connection Remote Site
PSTN
Jabber iOS APNS
TelePresence


Subject
to
Change Endpoints
Learn More
Preferred Architectures Links
Contact us via email: pa-feedback@cisco.com
Mid-Market and Enterprise PA Documents:
https://www.cisco.com/c/en/us/solutions/enterprise/design-zone-collaboration/index.html
Cisco Preferred Architecture for Enterprise Collaboration 11.6, Design Overview February 2017
https://www.cisco.com/c/dam/en/us/td/docs/solutions/PA/enterprise/11x/clbpa116.pdf
Cisco Preferred Architecture for Enterprise Collaboration 11.6, CVD February 2017
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/enterprise/11x/116/collbcvd.html
dCloud: Cisco Preferred Architecture for Enterprise Collaboration 11.0 Lab v1
https://dcloud.cisco.com/ Collaboration Cisco Preferred Architecture for Enterprise
Collaboration 11.0 Lab v1
Cisco Spark Hybrid Services Design Guide
https://www.cisco.com/c/en/us/td/docs/solutions/PA/maroon/spark/hybdsrvs.html
Complete Your Online
Session Evaluation
Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner will
receive a $750 gift card.
Complete your session surveys
through the Cisco Live mobile
app or on www.CiscoLive.com/us.
Dont forget: Cisco Live sessions will be

available for viewing on demand after the
event at www.CiscoLive.com/Online.
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions
Thank you
Collaboration Cisco Education Offerings
Course Description Cisco Certification
CCIE Collaboration Advanced Workshop (CIEC) Gain expert-level skills to integrate, configure, and troubleshoot complex CCIE Collaboration
collaboration networks
Implementing Cisco Collaboration Applications Understand how to implement the full suite of Cisco collaboration CCNP Collaboration
(CAPPS) applications including Jabber, Cisco Unified IM and Presence, and Cisco
Unity Connection.
Implementing Cisco IP Telephony and Video Learn how to implement Cisco Unified Communications Manager, CUBE, CCNP Collaboration
Part 1 (CIPTV1) and audio and videoconferences in a single-site voice and video network.
Implementing Cisco IP Telephony and Video Obtain the skills to implement Cisco Unified Communications Manager in a
Part 2 (CIPTV2) modern, multisite collaboration environment.
Troubleshooting Cisco IP Telephony and Video Troubleshoot complex integrated voice and video infrastructures
(CTCOLLAB)
Implementing Cisco Collaboration Devices Acquire a basic understanding of collaboration technologies like Cisco Call CCNA Collaboration
(CICD) Manager and Cisco Unified Communications Manager.
Implementing Cisco Video Network Devices Learn how to evaluate requirements for video deployments, and implement
(CIVND) Cisco Collaboration endpoints in converged Cisco infrastructures.
For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth
APPENDIX
Example Dialing Habits/Numbering
Non-DID Addressing Based on Dialing Habits
Site +E.164 Abbr. Intra-Site* Call Conferencing***

Park**
SFO +14085559XXX 9XXX 4XXX 8 099 [12]XXX
NYC +12125551XXX 1XXX 4XXX 8099[12]XXX
RTP +19195551XXX 1XXX 4XXX 8099[12]XXX
* site specific translation patterns in site specific partition mapping to +E.164

** single call park range in global partition or site specific call park ranges in site
specific partitions
***single dialing habit (single route pattern) in global partition
Reference +E.164 Dial Plan
For
Your
Reference
CSSs Partitions Route Lists Route Groups
DN
Line CSS SJCInternational All IP Phone DNs (+E.164), urgent
All dialing normalisation is NOT

CoS specific!
SJCtoE164 All normalisation patterns can be
DN
1XXX, Prefix +1408555
re-used
9.[2-9]XXXXXX, Pre-Dot, Prefix +1408
UStoE164 LRG based egress GW selection

9011.!, Urgent, Pre-Dot, Prefix +
9011.!#, Urgent, Pre-Dot, Prefix +
9.1[2-9]XX[2-9]XXXXXX, XYZ RG
Pre-Dot, Prefix +
Routing is CoS specific.

Site specificity only on site PSTNInternational
specific CoS (like local) USPSTNNational Local
Route
SJCPSTNLocal LOC RL Group
\+1408[2-9]XXXXXX, Urgent
Cisco Meeting App (CMA)
CMA can be a native desktop app, mobile app or a WebRTC supported browser
application.
With CMA, users can login and join the conference with audio and video along
with content sharing.
With the WebRTC browser client, users without an account in CMS can join the
conference as a guest. In addition, users can use CMA to run their meetings
such as view participants, mute and remove participants, start and stop
recording as well as create and edit their own Spaces.
Note: Cisco Meeting App can be deployed inside or outside of the enterprise
network to join a conference but only the former is covered in the PA.
Instant Conference Call Flow
Unified CM Unified CM routes
Unified CM selects the call to the CMS
Endpoint selects initiates the CMS creates a
MRGL/MRG of the bridge hosting the
conference or conference to CMS temporary space
device to locate the relevant
join/merge button via HTTP (XML- for the conference
conference bridge. conference space
RPC)
via the SIP Trunk
Other
Participants
Unified CM
Host (UCM) CMS
CMS creates
Instant Conference Instant Conference conference space on
Request Initiated by UCM bridge
UCM Routes call(s) to

CMS Space
Scheduled Conference Call Flow
Endpoint dials a CMS matches the
scheduled Unified CM matches called number to
At scheduled time Unified CM routes
conference alias the dialed string to a the user portion of
TMS activates the call to CMS via
(URI or DN) (SIP) route pattern the space URI and
space on CMS the SIP trunk
provided by TMS or route string creates the
through the Invite conference
Unified CM
Host TMS CMS
(UCM)
At scheduled time TMS

activates space on CMS
Dial conference alias
(URI or DN) Alias matched
Participants
Unified CM routes call(s) to CMS Space
Dial conference alias Unified CM routes call(s) to CMS Space
Dial conference alias Unified CM routes call(s) to CMS Space

For
Cisco Meeting Server Port Capacity (Based on Video Quality) Your

Reference

1080p Ports 2 720p Ports 2 480p Ports 2
Capacity Unit 1
4 2 4 8
8 4 8 16
12 6 12 24
24 12 24 48
48 24 48 96
1.The number of capacity units that can be deployed on a Cisco Meeting Server depends on
the platform.
2.Assumes a separate content channel sharing at a maximum of 720p resolution and 5 fps.
Toll Fraud Mitigation: Unified CM (1)
Deny unauthorized calls
Partitions and Calling search spaces provide dial plan segmentation and
access control
Example: Avoid Unified CM sending back to the PSTN a call coming from the
PSTN
Dont include in Trunk CSS the partition for
route patterns to PSTN Voice or
Video GW
4
3
2 PSTN
Unified CM
Inbound CSS
signaling
1
PSTN access partition
X DN partition
Multiparty meeting
media
partition
Block offnet to offnet transfer (CallManager service parameter)
Unified CM Voice or
Video GW
4
3 PSTN
2 1
signaling
media
Auto-registration: Create dedicated Calling Search Space to limit access to
dial plan
Employ Time of day routing to deactivate segments of the dial plan after hours
Require Forced Authentication Codes on route patterns to restrict access on
long distance or international calls.
Drop Ad hoc Conferences (CallManager Service Parameter)
Monitor Call Detail Records
Employ Multilevel Administration
Toll Fraud Mitigation: Unity Connection
Unity Connection could be used to transfer a call
Recommendations
Use restriction tables to allow or block call
patterns (Unity Connection)
Change partition/PSTN route pattern access
from the Rerouting CSS on SIP trunk to
Unity Connection (Unified CM)
Reference
Cisco Unity Connection Security Guide:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/security/b_11xcucsecx.html
Troubleshoot Toll Fraud via Unity Connection TAC tech note:

https://www.cisco.com/c/en/us/support/docs/unified-communications/unity-connection/119337-technote-cuc-00.html
System Administration guide:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/administration/guide/b_cucsag/b_cucsag_chapter_0101.html
Toll Fraud Mitigation: Edge
CUBE
Call Source Authentication (IOS 15.1(2)T feature) enabled by default.
Do not disable via no ip address trusted authenticate Example:
Only calls from trusted source IP addresses will be voice service voip
ip address trusted list
accepted ipv4 10.10.1.10
ipv4 10.10.2.10
Expressway
Call Policy Rules (CPL)
Encrypted Links
Administrative and user interfaces
SIP trunks
Endpoint Encryption
Encrypted Links
Administrative and user interfaces
SIP trunks
Endpoint Encryption
Most interfaces are encrypted by default (e.g. Unified

CM admin web interface and end-user portal)
Ensure passwords are not sent in clear
Set LDAP port If integrated with LDAP, configure LDAP over SSL
to 636 and
check the (import LDAP certificate into Tomcat-trust store)
Use TLS box
Expressway
Encrypted Links - Expressway

Expressway Unified CM
server configuration for MRA
Server Certificate SAN:
X509v3 Subject Alternative Name: TLS verify mode
DNS:ent-pa.com, DNS:us-cm-pub.ent-pa.com triggers MTLS
Use a port other than 5061 (e.g. 5561)

for Unified CM Neighbor Zone for
Expressway B2B
Expressway Neighbor Zone
Enable TLS
to Unified CM for B2B MTLS
Peer 1 certificate SAN:
X509v3 Subject Alternative Name:
DNS:ent-pa.com, DNS:us-cm-pub.ent-pa.com
Certificate CN or SAN is matched
against the peer address
Unity
Connection
Encrypted Links Unity Connection

Enable SIP signaling encryption between Unified CM and Unity Connection
Enable media and signaling encryption between endpoints and Unity
Connection voicemail ports
Configure Unity Connection SIP Security
Profile for TLS on port 5061
Enable TLS
Enable Next Generation Encryption with with SIP port
Secure RTP on the Port Group 5061
(Unified CM mixed-mode required)

Add Unified CM TFTP servers under
Unity Connection Port Group to TLS Security
Enable NGE and
automatically download the CallManager Secure RTP Profile
certs to the local CallManager-trust
store on Port Group reset
For
Your
USB Security Tokens vs. Tokenless PA

Reference
Hardware Security Token

Tokenless
(USB Security Tokens)
Pros:
Pros:
Private keys never change: less situations where
endpoints loose trust relationship with Unified CM Easier to manage: No need to purchase USB security
and easier to recover from this scenario tokens, no need to install CTL client, easier to update
CTL file
Can be used across multiple Unified CM clusters
and facilitates migration between clusters SAST Key length can be 2048 bits or even higher
Once Unified CM is in mixed mode, the tokens are Cons:
off-line Private keys are regenerated when the admin renews
Cons: the certs: more situations where endpoints loose trust
relationship with Unified CM and more complex to
Have to purchase 2+ USB Security tokens
recover from this scenario
Requires CTL Client installation on a Windows box
Requires more steps when migrating clusters
Loose USB keys => Loose trust
Not full feature parity: ASA or other certificates (phone
SAST Key length only 1024 bits, SHA1 CTL trust).
Expressway MRA Voice/Video Encryption
Voice/video streams always SRTP encrypted between Expressway-C MRA client
SIP TLS always enforced between MRA clients and Expressway-E,
Expressway-C and Expressway-E
* Unified CM mixed-mode (and security profile with encryption enabled) required to achieve
SRTP on internal network and SIP TLS between Expressway-C and Unified CM
Media and Signaling always encrypted
SIP TLS *
SIP TLS SIP TLS
SIP TCP
SRTP
Expressway-C DMZ Expressway-E External
Firewall Firewall
Endpoint Certificates
Certificate Type
MIC LSC
Manufacturer Installed Certificate Locally Significant Certificate
Required for Media/Signaling encryption and TFTP config file encryption

Also can be used for phone VPN and 802.1x
When both LSC and MIC are installed on a device, LSC takes preference
Monitor Certificate Expiration
Monitor the server certificate expiration (OS Administration page)
Monitor LSC certificate

expiration
Receive Certificate Expiration Notifications
Receive email notifications when certificates are about to expire

For server certificates and for LSC certificates

Brkcol 2614

Uploaded by

Copyright:

Available Formats

Brkcol 2614

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Brkcol 2614

Uploaded by

Copyright:

Available Formats

Technical Overview

Cisco Spark spaces will be cs.co/ciscolivebot#BRKCOL-2614

Dont forget: Cisco Live sessions will be

Please consult the latest applicable

Come see me after the session, send me an email, or Spark message

Preferred Architecture provides prescriptive design guidance that simplifies

Feedback: Build and

Write it down: Extend:

PA CVD PA Applications CVD

Pre-Sales Post-Sales Post-Sales

CALL CONTROL Functions: Dial Plan (Dialing Habits, Endpoints/

CONERENCING Functions: Instant, Permanent, Scheduled

Answers the question:

Whats the best way to design your collaboration deployment?

Cisco Prime Collaboration

Collaboration Management Services

User / endpoint identities and status IM and

Single cluster for call routing and IM&P Expressway-C Expressway-E

with 1:1 redundancy

and management Call Control

SIP application integration APIs TelePresence

interoperability with APIs

Unified Communications Manager is the Heart of the Architecture.

Unified CM provides call control, Call control is centralized at a single

Deployment Considerations: Numeric Dial Plan Your

Use +E.164 as DN addressing

Non-DID addresses in line with site-code based abbreviated inter-site dialing

IM&P UCM IM&P UCM IM&P UCM

Branch1 Branch2 Branch1 Branch2 Branch1 Branch2

Recommendation: Centralized Call Processing Model (Single Call Processing Cluster)

Unity Cisco Meeting Server

Collaboration Management Services

Permanent and Scheduled Meetings

Conferencing Media Resource Media Resource

Permanent and Scheduled Conferences (URI or DN)

Route Pattern Route Group Route List SIP Trunk to CMS

SSH keep-alive between

1. Outlook scheduling request 1

3. TMSXE sync directly with Exchange MS Exchange

XMPP Server Database

Cisco Prime Collaboration

Collaboration Management Services

Collaboration Edge Collab Edge DMZ

Core Components Key Benefits

Unified CM XMPP (IM&P)

HTTPs (provisioning, visual voicemail,

SIP (audio, video)

Expressway C Firewall Expressway E

XMPP TLS Instant Messaging,

_cisco-uds record needs to be available only in internal DNS

DNS SRV lookup _cisco-uds._tcp.example.com

TLS Handshake, trusted certificate verification

4. Device in RCD 10.10.20.50 RTP_EXP1_DMI RTP_EXP_DP RTP

10.10.30.50 RCD_EXP1_DMI RCD_EXP_DP RCD

10.10.40.50 SJC_EXP1_DMI SJC_EXP_DP SJC

Unity Cisco Meeting Server

Collaboration Management Services

Cisco Unity Connection, for Users can access the voicemail

Unity Cisco Meeting Server