Cisco Expressway

Upload by : Mika Lloyd

Cisco Expressway Configuration Report
Sample Report Expressway
As-Built Documentation for project
Chapter: 1 Report Information
October 21, 2019

Document Information - Universal

Version Status
Release Number: 1.0
Date: October 21, 2019
Reason for Version: Release

Client Information
Prepared for: Large Company Inc.
Name: H. Boss
Title: CEO
Address: Corporate Way
Telephone: 1 (555) 56987424
Email: hboss@largecompany.com

Presenter Information
Prepared by: Config Reports Ltd.
Name: Jennifer SMITH
Title: Ms.
Address: 22 Main Street
Telephone: 123456787
Email: JSmith@email.com

Table of Contents

1 Report Information
1.1 Report Summary
2 Information
3 System
3.1 Administration
3.2 Network Interfaces
3.2.1 Ethernet
3.2.2 IP
3.2.3 Static Routes
3.3 DNS
3.4 Time
3.5 SNMP
3.6 Clustering
3.7 Protection
3.7.1 Automated Detection
3.8 Quality of Service
3.9 External Manager
4 Configuration
4.1 Protocols
4.1.1 H.323
4.1.2 SIP
4.1.3 Interworking
4.2 Registration
4.2.1 Registration Configuration
4.2.2 Registration Allow List
4.2.3 Registration Deny List
4.3 Authentication
4.3.1 Outbound Connection Credentials
4.3.2 Devices
4.4 Call Routing
4.5 Local Zone
4.5.1 Default Subzone
4.5.2 Traversal Subzones
4.5.3 Subzones
4.5.4 Subzone Membership Rules
4.6 Zones
4.6.1 Zones
4.7 Domains
4.8 Unified Communications
4.8.1 Configuration
4.8.2 Deployments
4.8.3 Unified CM Servers
4.8.4 IM and Presence Service Nodes
4.8.5 Unity Connection Servers

4.8.6 Jabber Guest Servers
4.9 Dial Plan
4.9.1 Configuration
4.9.2 Transforms
4.9.3 Search Rules
4.9.4 Policy Services
4.10 Bandwidth
4.10.1 Configuration
4.10.2 Links
4.10.3 Pipes
4.11 Call Policy
4.11.1 Configuration
4.12 Traversal
4.12.1 Ports
4.12.2 TURN
4.12.3 Locally registered endpoints
5 Applications
5.1 Conference Factory
5.2 Presence
5.3 FindMe
6 Users
6.1 Password Security
6.2 Administrator Accounts
6.3 Administrator Groups
6.4 LDAP Configuration
7 Maintenance
7.1 Logging Configuration
7.2 Maintenance Mode
7.3 Language
7.4 Diagnostics
7.4.1 Incident Reporting
7.4.2 Advanced

1 Report Information

The Cisco TelePresence Video Communication Server (VCS) software simplifies session management and control of telepresence conferences. It provides flexible and extensible conferencing applications, enabling organizations to benefit from increased employee productivity and enhanced communication with partners and customers.

The VCS delivers exceptional scalability and resiliency, secure communications, and simplified large-scale provisioning and network administration in conjunction with Cisco TelePresence Management Suite (Cisco TMS).

The VCS interworks transparently with Cisco Unified Communications Manager (Unified CM), bringing rich telepresence services to organizations with Unified CM. It also offers interoperability with third-party unified communications, IP telephony networks, and voice-over-IP (VoIP) systems.

The VCS supports on-premises and cloud applications and is available as a dedicated appliance or as a virtualized application on VMware, with additional support for Cisco Unified Computing System (Cisco UCS) platforms.

You can deploy the VCS as the VCS Control for use within an enterprise and as the VCS Expressway for business-to-business and remote and mobile worker external communication. An alternative solution, suited to small to medium-sized businesses (SMBs), is the VCS Starter Pack Express.

Optional packages that you can deploy include FindMe, Device Provisioning, and Advanced Networking (VCS Expressway only).

1.1 Report Summary

This report was generated with the following settings.

Report Info
Report Date: 21/10/2019 4:06:29 PM
Report generated for: Sample Report Expressway
Description: As-Built Documentation for project

Server Info
Expressway version: X12.5.5
Expressway IP: 10.5.1.130

Report Settings
Report Type: Direct Report
Visual Style: Blu Dark.css
Report Content: All objects
Template HTML: Expressway ReportTemplate.htm
Template Word: Triangle Blue-universal.doc

Report Tool Info
Report Tool Version: 12.0.19 / 19 Oct 2019
Report Tool License: Licensed [Prof all]

2 Information

The following section provides details of the software, hardware, and time settings of the Expressway.

System Information

General
System name: ExpWay1255
Product: TANDBERG VCS

Software
Software version: X12.5.5
Software build: oak v12.5.5 rc 1
Software release date: 2019-08-14
Software name: s42700
Software Release Key:

Hardware
Hardware version: VMware
Serial number: 0C95079E

Time Information
System time (UTC): 2019-10-21 14:06:26
Time zone: Etc/GMT 1
Local time: 2019-10-21 14:06:26
Uptime: 6 days 23 hours 53 minutes 55 seconds

Options
Non-Traversal Calls: 1
Traversal Calls: 1
Registrations: 3
TPRoom: 0
TURN se
FindMe: True
Dual Network Interfaces: False
Advanced Account Security: False
Starter Pack: False
Enhanced OCS Collaboration: False
ExpresswaySeries: False

3 System

This section shows network services and settings related options that appear under the System menu of the web interface. These options help to configure the VCS in relation to the network in which it is located, for example its IP settings, firewall rules, intrusion protection and the external services used by the VCS (for example DNS, NTP and SNMP).

3.1 Administration

The System Administration shows the name of the Cisco TelePresence Video Communication Server system and methods by which the system may be accessed by administrators. Although you can administer the Cisco TelePresence Video Communication Server through a PC connected directly to the unit with a serial cable, you may want to access the system remotely over IP. You can do this using the web interface via HTTPS, or through a command line interface via SSH. Configurable options are for:

- System Name
- Ephemeral Port Range
- Services
- Session Limits
- System Protection
- Web Server Configuration

Administration

System Name
System name: ExpWay1255

Ephemeral Port Range
Start: 31111
End: 35999

Services
Serial port / console: On
SSH service: On
Web interface (over HTTPS): On

Session Limits

Session time out (minutes): 90
Per-account session limit: 150
System session limit: 55

System Protection
Automatic discovery protection: On

Web Server Configuration
Redirect HTTP requests to HTTPS: On
HTTP strict transport security (HSTS): On
Client certificate-based security: NotRequired

3.2 Network Interfaces

This section shows settings for:

- Ethernet
- IP
- Static Routes

3.2.1 Ethernet

This section shows configuration of speed for the connections between the Expressway and the Ethernet networks to which it is connected. The speed and duplex mode must be the same at both ends of the connection. If you installed the Advanced Networking option, you can configure the speed and duplex mode for each Ethernet port. The default Speed is Auto, which means that the Expressway and the connected switch will automatically negotiate the speed and duplex mode.

Ethernet

LAN 1
MAC address: 00:0C:29:79:43:3A
Speed: 10000full
IP Address: 10.5.1.130
IP Mask: 255.255.255.0

3.2.2 IP

The IP section shows configuration of the IP protocols and network interface settings of the Expressway. Expressway can be configured to use IPv4, IPv6 or Both protocols. The default is Both.

- IPv4: it only takes calls between two endpoints communicating via IPv4. It communicates with other systems via IPv4 only.
- IPv6: it only takes calls between two endpoints communicating via IPv6. It communicates with other systems via IPv6 only.
- Both: it takes calls using either protocol. If a call is between an IPv4-only and an IPv6-only endpoint, the Expressway acts as an IPv4 to IPv6 gateway. It communicates with other systems via either protocol.

All IPv6 addresses configured on the Expressway are treated as having a /64 network prefix length.

Ethernet

Configuration
IP protocol: IPv4
Use dual network interfaces: No
External LAN interface: LAN 1 - Internal
IPv4 gateway: 10.5.1.1
IPv4 Address: 10.5.1.130
IPv4 subnet Mask: 255.255.255.0
IPv4 static NAT mode:
IPv4 static NAT address:

3.2.3 Static Routes

This section shows Static Routes from the Expressway to an IPv4 or IPv6 address range.

Static routes are sometimes required when using the Advanced Networking option and deploying the Expressway in a DMZ. They may also be required in other complex network deployments.

Static Routes

10.5.1.0
IP address: 10.5.1.0
Prefix length: 24
Gateway: 10.5.1.131
Interface: Auto

77.77.0.0
IP address: 77.77.0.0
Prefix length: 16
Gateway: 10.5.1.1
Interface: Auto

99.99.99.99
IP address: 99.99.99.99
Prefix length: 32
Gateway: 10.5.1.1
Interface: Auto

3.3 DNS

The Domain name is used when attempting to resolve unqualified server addresses (for example ldapserver). It is appended to the unqualified server address before the query is sent to the DNS server. If the server address is fully qualified (for example ldapserver.mydomain.com) or is in the form of an IP address, the domain name is not appended to the server address before querying the DNS server.

DNS

DNS Settings
System host name: EW1255
Domain name: lab.test
DNS requests port range: Use the ephemeral port range

Default DNS servers
Address 1: 10.5.1.166
Address 2: 8.8.8.8
Address 3: 8.8.4.4
Address 4:
Address 5:

Per-domain DNS servers
Server 1: Address 10.5.1.166, Domain names lab.test

3.4 Time

The Time section shows configuration of the Expressway's NTP servers and the local time zone. An NTP server is a remote server with which the Expressway synchronizes in order to ensure its time is accurate. The NTP server provides the Expressway with UTC time. Accurate time is necessary for correct system operation.

Time

NTP servers
NTP Server 1: 0.ntp.tandberg.com
NTP Server 2: 1.ntp.tandberg.com

NTP Server 3: 2.ntp.tandberg.com
NTP Server 4: 10.5.1.100

Time Zone
Time zone: Etc/GMT 1

3.5 SNMP

This section shows the Expressway's SNMP settings. Tools such as Cisco TelePresence Management Suite (Cisco TMS) or HP OpenView may act as SNMP Network Management Systems (NMS). They allow monitoring of network devices, including the Expressway, for conditions that might require administrative attention. The Expressway supports the most basic MIB-II tree (.1.3.6.1.2.1) as defined in RFC 1213. The information made available by the Expressway includes the following:

- system uptime
- system name
- location
- contact
- interfaces
- disk space, memory, and other machine-specific statistics

By default, SNMP is Disabled, therefore to allow the Expressway to be monitored by an SNMP NMS (including Cisco TMS), alternative SNMP mode must be selected.

SNMP

Configuration
SNMP mode: v3 plus TMS support
Description
SNMPv2
Community name: public
System eadmin

v3 Authentication
Authentication mode: off

3.6 Clustering

An Expressway can be part of a cluster of up to six Expressways. Each Expressway in the cluster is a peer of every other Expressway in the cluster. When creating a cluster, the cluster name should be defined and one peer must be nominated as the master from which all relevant configurations are replicated to the other peers in the cluster. Clusters are used to:

- Increase the capacity of your Expressway deployment compared with a single Expressway.
- Provide redundancy in the rare case that an Expressway becomes inaccessible (for example, due to a network or power outage) or while it is in maintenance mode (for example, during a software upgrade).

Clustering

Configuration
Cluster name (FQDN for provisioning): excluster.lab.test
Configuration master: 1
Peer 1 IP address: 1.2.3.4
Peer 2 IP address:
Peer 3 IP address:
Peer 4 IP address:
Peer 5 IP address:
Peer 6 IP address:

Cluster Address Mapping

Cluster address mapping enabled: False

3.7 Protection

The Protection section shows settings for intruder protection, used to detect and block malicious traffic and to help protect the VCS from dictionary-based attempts to breach login security.

The Automatic Detection works by parsing the system log files to detect repeated failures to access specific service categories, such as SIP, SSH and web/HTTPS access. When the number of failures within a specified time window reaches the configured threshold, the source host address (the intruder) and destination port are blocked for a specified period of time. The host address is automatically unblocked after that time period so as not to lock out any genuine hosts that may have been temporarily misconfigured.

The report shows the Automated Detection Configuration, Exemptions and Blocked Addresses.

3.7.1 Automated Detection

The automated protection service can be used to detect and block malicious traffic and to help protect the VCS from dictionary-based attempts to breach login security.

It works by parsing the system log files to detect repeated failures to access specific service categories, such as SIP, SSH and web/HTTPS access. When the number of failures within a specified time window reaches the configured threshold, the source host address (the intruder) and destination port are blocked for a specified period of time. The host address is automatically unblocked after that time period so as not to lock out any genuine hosts that may have been temporarily misconfigured.

3.7.1.1 Configuration

The Configuration is used to enable and configure the VCS's protection categories, and to view current activity.

Automated protection should be used in combination with the Firewall Rules feature - use automated protection to dynamically detect and temporarily block specific threats, and use firewall rules to permanently block a range of known host addresses.

Automated detection overview
NameDescription Enabled Detection Trigger BlockTotalCurrently TotalCurrently Excludedwindowlevelduration blocked blockedfailures tp-ceresource accessFalse6005600

3.7.1.2 Exemptions

The Exemptions section shows IP addresses that are to be exempted always from one or more protection categories.

No records found
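The detection logic described in section 3.7.1 (failures counted per service category inside a time window, a temporary block of source address and destination port, automatic unblock, and exemptions) can be sketched as follows. This is an added example, not code from the report or from Cisco; the log format, the thresholds, the sample log lines and the exempted address are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy values for illustration (not read from the report).
WINDOW = timedelta(seconds=600)      # detection window
TRIGGER = 3                          # failures inside the window that trigger a block
BLOCK_FOR = timedelta(seconds=600)   # block duration
EXEMPT = {("ssh", "10.5.1.50")}      # (category, source) pairs that are never blocked

# Constructed log format: "<ISO time> category=<c> src=<ip> dport=<n> result=<ok|fail>"
LINE = re.compile(r"^(\S+) category=(\w+) src=(\S+) dport=(\d+) result=(ok|fail)$")

SAMPLE_LOG = """\
2019-10-21T14:00:00 category=ssh src=192.0.2.7 dport=22 result=fail
2019-10-21T14:00:00 category=http src=198.51.100.9 dport=443 result=fail
2019-10-21T14:01:00 category=ssh src=192.0.2.7 dport=22 result=fail
2019-10-21T14:01:10 category=ssh src=10.5.1.50 dport=22 result=fail
2019-10-21T14:01:20 category=ssh src=10.5.1.50 dport=22 result=fail
2019-10-21T14:01:30 category=ssh src=10.5.1.50 dport=22 result=fail
2019-10-21T14:02:00 category=ssh src=192.0.2.7 dport=22 result=fail
2019-10-21T14:03:00 category=ssh src=192.0.2.7 dport=22 result=fail
2019-10-21T14:05:00 category=http src=198.51.100.9 dport=443 result=fail
2019-10-21T14:11:00 category=http src=198.51.100.9 dport=443 result=fail
2019-10-21T14:13:00 category=http src=198.51.100.9 dport=443 result=ok
"""

def detect(lines):
    """Return (event, time, source, port) tuples in the order they occur."""
    failures = defaultdict(deque)   # (category, src, dport) -> failure timestamps
    blocked = {}                    # (src, dport) -> time the block expires
    events = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                # ignore lines that do not parse
        ts = datetime.fromisoformat(m.group(1))
        cat, src, dport, result = m.group(2), m.group(3), int(m.group(4)), m.group(5)
        # Lift every block whose duration has elapsed before handling this line.
        for key, until in list(blocked.items()):
            if ts >= until:
                del blocked[key]
                events.append(("unblock", until, *key))
        if result != "fail" or (cat, src) in EXEMPT or (src, dport) in blocked:
            continue
        q = failures[(cat, src, dport)]
        q.append(ts)
        while ts - q[0] > WINDOW:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= TRIGGER:
            blocked[(src, dport)] = ts + BLOCK_FOR
            events.append(("block", ts, src, dport))
            q.clear()
    return events

if __name__ == "__main__":
    for event in detect(SAMPLE_LOG.splitlines()):
        print(event)
```

In the sample, 198.51.100.9 fails three times but never three times inside one window, and 10.5.1.50 is exempt, so only 192.0.2.7 is blocked and later released.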

3.8 Quality of Service

The Quality of Service (QoS) section shows the configuration of QoS options for outbound traffic from the Expressway. This allows the network administrator to tag all signalling and media packets flowing through the Expressway with one specific QoS tag and hence provide the ability to prioritize video traffic over normal data traffic. Management traffic, for example SNMP messages, is not tagged.

Quality of Service

Configuration
DSCP Signaling value: 21
DSCP Audio value: 22
DSCP Video value: 23
DSCP XMPP value: 24

3.9 External Manager

The External Manager section shows the configuration of the Expressway's connection to an external management system. An external manager is a remote system, such as the Cisco TelePresence Management Suite (Cisco TMS), used to monitor events occurring on the Expressway, for example call attempts, connections and disconnections, and as a place where the Expressway can send alarm information. The use of an external manager is optional.

External otocolHTTP
Certificate verification mode: Off

4 Configuration

This section shows settings for:

- Protocols
- Registration
- Authentication
- Call Routing
- Local Zone
- Zones
- Dial Plan
- Bandwidth
- Traversal
- Call Policy
- Unified Communications

4.1 Protocols

This section provides information about how to configure the Expressway to support the SIP and H.323 protocols.

- Configuring H.323
- Configuring SIP
- Configuring domains
- Configuring SIP and H.323 interworking

4.1.1 H.323

The H.323 section shows the configuration for H.323 settings on the Expressway, including whether H.323 is enabled or not, Gatekeeper and Gateway settings.

H.323

Configuration
H.323 mode: On

Gatekeeper
Registration UDP port: 1719
Registration conflict mode: Overwrite
Call signaling TCP port: 1720
Call signaling port range start: 15000
Call signaling port range end: 19999
Time to live: 1800
Call time to live: 120
Auto discover: On

Gateway
Caller ID: IncludePrefix

4.1.2 SIP

The SIP section shows the configuration for SIP settings on the Expressway, including:

- SIP functionality and SIP-specific transport modes and ports
- Certificate revocation checking modes for TLS connections
- Registration Controls
- Authentication
- Advanced settings with SIP Maximum Size and the TCP Connect Timeout.

SIP

Configuration
SIP mode: Off
UDP mode: Off
UDP port: 5060
TCP mode: Off
TCP port: 5060
TLS mode: On
TLS port: 5061
Mutual TLS mode: Off
Mutual TLS port: 5062
TCP outbound port start: 25000
TCP outbound port end: 29999
Session refresh interval (seconds): 1800
Minimum session refresh interval (seconds): 500
TLS handshake timeout (seconds): 5

Certificate Revocation Checking
Certificate revocation checking mode: Off

Registration Controls
Standard registration refresh strategy: Maximum
Standard registration refresh minimum (seconds): 45
Standard registration refresh maximum (seconds): 60
Outbound registration refresh strategy: Variable
Outbound registration refresh minimum (seconds): 300
Outbound registration refresh maximum (seconds): 3600
SIP registration proxy mode: Off

Advanced
SIP max size: 32768
SIP TCP connect timeout: 10
SIP Tls DH key size: 1024
SIP Tls versions: TLSv1.2

4.1.3 Interworking

The Interworking section contains configurations indicating whether or not the Expressway acts as a gateway between SIP and H.323 calls. The translation of calls from one protocol to the other is known as "interworking".

Interworking

Configuration
H.323 - SIP interworking mode: Registered Only

4.2 Registration

For an endpoint to use the VCS as its H.323 gatekeeper or SIP registrar, the endpoint must first register with the VCS. The VCS can be configured to control which devices are allowed to register with it by using the following mechanisms:

- A device authentication process based on the username and password supplied by the endpoint
- A registration restriction policy that uses either Allow Lists or Deny Lists or an external policy service to specify which aliases can and cannot register with the VCS
- Restrictions based on IP addresses and subnet ranges through the specification of subzone membership rules and subzone registration policies

These mechanisms can be used together. For example, authentication can be used to verify an endpoint's identity from a corporate directory, and registration restriction to control which of those authenticated endpoints may register with a particular VCS.

4.2.1 Registration Configuration

The Registration configuration page is used to control how the VCS manages its registrations, with the Registration Policy setting to be used while determining which endpoints may register with the system.

- None: no restriction.
- Allow List: only endpoints attempting to register with an alias listed on the Allow List may register.
- Deny List: all endpoints, except those attempting to register with an alias listed on the Deny List, may register.
- Policy service: only endpoints that register with details allowed by the remote policy service may register. This option comes with its own settings.

Default: None

Registration Configuration

Configuration
Restriction Policy: PolicyService
Protocol: HTTPS
Certificate verification mode: On
HTTPS ce

