Intercompany Media Engine System Test Configuration
This page provides a reference configuration for Cisco Intercompany Media Engine within the Cisco Unified Communications deployment. The configuration information is based primarily on testing performed on test beds having Cisco Intercompany Media Engine configured during Cisco Unified Communications system releases.
The intended audiences for this article are system administrators and implementors who have already implemented Cisco Unified Communications Manager clusters and ASA in Unified Communications environment.
TIP: Use Unified IME (Project Features Tested label) as a keyword to search for related test cases in System Test Results for IP telephony.
This topic does not contain detailed step-by-step procedures; for detailed information about configuring Cisco Intercompany Media Engine, refer to the Unified Communications Manager documentation.
Cisco Intercompany Media Engine (IME) is another variation of a multisite deployment with distributed call processing; however, with IME the sites are separate enterprise organizations. This technology allows for the business-to-business extension of Unified Communications capabilities such as high-fidelity codecs, enhanced caller ID, and video telephony outside the corporate networks. The solution learns routes in a dynamic, secure manner and provides for secure communications between organizations across the internet. Organizations that work closely together and have high levels of intercompany communications will benefit most from the enhanced communications offered by IME.
Figure 1: Business-to-Business Communication Between Enterprises Using Intercompany Media Engine.
In the above scenario, Intercompany Media Engine creates dynamic SIP trunks between Enterprise A and B, so that these enterprises that work together looking like one giant business with inter-cluster trunks between them. IME allows enterprises to interconnect on-demand, over the Internet.
The IME solution requires that IME servers and the IME-enabled ASA having publicly reachable IP addressing; therefore, they are most commonly placed in an organization’s DMZ. The solution also requires Cisco Unified CM 8.x or Unified CM Session Management Edition 8.x to participate in IME. Unified CM communicates with IME servers to upload the IME designated directory numbers to the distributed cache ring and sends call records to IME for PSTN calls made by these directory numbers. Unified CM also receives IME learned routes that are validated by IME servers and initiates dynamic SIP trunk calls to the remote directory numbers in these IME learned routes.
For information on design considerations and guidelines for configuring Intercompany Media Engine, see Cisco Unified Communications Manager 8.x Solution Reference Network Design (SRND).
For information on Intercompany Media Engine specific deployments and sites where system testing was performed, see Tested Deployments and Site Models for IP telephony.
This section contains Cisco Intercompany Media Engine deployment scenario and call flows in system test environment.
During Cisco Unified Communications 8.0(2) Release system testing, Intercompany Media Engine was implemented and tested in following three deployment models.
Figure 2: Intercompany Media Engine Implementation in System Testing Environment.
1. Site A is a Unified Communications Manager cluster having centralized call control with distributed branches, single Intercompany Media Engine server and two off-path ASA are deployed in a redundant mode.
2. Site B is a Unified Communications Manager CoW site which consists of two data center sites: Site B-1 and Site B-2.
- Both Site B-1 and Site B-2 will host two Intercompany Media Engine servers each. The Intercompany Media Engine servers are setup in a failover mode wherein if the active server in Site B-1 fails then the standby server in Site B-2 will provide Intercompany Media Engine services. Similarly, if the active Intercompany Media Engine server in Site-B-2 fails then the standby server in Site B-1 will provide Intercompany Media Engine services.
- Intercompany Media Engine-enabled ASA are deployed in Site B-1 and Site B-2. These ASA also act as the external ASA to the enterprise. These ASA will perform all Intercompany Media Engine related functionality and perform the role of external firewall and NAT device.
3. Site C is a single Unified Communications Manager server running in a co resident mode (CUCMBE). This site will host a single Intercompany Media Engine server and an Intercompany Media Engine-enabled ASA providing perimeter security functions.
The system testing mainly focused on Intercompany Media Engine inter-operability with other voice applications and components.
The following functionalities were also tested:
- Intercompany Media Engine call processing with NANP dial pattern
- Inline ASA and Offpath ASA
- Support for TLS with ASA including SIP to SIP/TLS
- Quality of Service for Intercompany Media Engine calls and Mid-call PSTN Fallback
- Intercompany Media Engine trunk management using CUSM and CUOM
- Failover mode
For more information on Cisco IME tested functionality, see IP Telephony Test Results. Use Unified IME (Project Features Tested label) as a keyword to search for related test cases.
Call Flow Diagram
This section provides the high-level tasks and related information for configuring Intercompany Media Engine. Default and recommended values specified in the product documentation were used during system testing to configure Intercompany Media Engine, except as noted.
The following table provide this information:
- Configuration Tasks: List of high-level configuration tasks
- System Test Specifics: System test variations from procedures and settings documented in the product documentation.
- More Information: Links to product documentation for detailed configuration information related to the high-level tasks.
Table 1: Intercompany Media Engine Configuration on Unified Communications Manager and ASA.
|Configuration Task||System Test Specific Configuration||More information|
|Make sure that you have installed the Cisco Intercompany Media Engine software on the server and performed the post-installation tasks, including uploading the license file and enrolling the certificates.||See the Installation and Cisco IME Server Configuration section in Cisco Intercompany Media Engine Installation and Configuration Guide.|
|Configure the Cisco Intercompany Media Engine (Cisco IME) feature in Cisco Unified Communications Manager Administration.||See the Cisco IME Configuration Checklist section in Cisco Intercompany Media Engine Installation and Configuration Guide.|
|Configure Cisco ASA Firewall for Cisco Intercompany Media Engine.||See Cisco ASA Configuration in Cisco Intercompany Media Engine Installation and Configuration Guide.|
Inline Deployment with Unsecured SIP Trunk within the Enterprise
The following is a typical Intercompany Media Engine-ASA configuration for inline deployment with unsecured SIP trunks within the enterprise:
object network IME-SERVER host <IME server local address> object network CUCM host <CUCM local address> object network IME-SERVER nat (dmz,outside) static <IME server global address> object network CUCM nat (inside,outside) static <CUCM global address>
More than one Unified CM nodes may participate in Intercompany Media Engine. Each would be NAT'ed, and placed in the IME-ENABLED-CUCM group for easier management:
object-group network IME-ENABLED-CUCM network-object object CUCM ! access-list IME-INBOUND-SIP-ACL extended permit tcp any object-group IME-ENABLED-CUCM eq <IME SIP trunk port> access-list IME-OUTBOUND-SIP-ACL extended permit tcp object-group IME-ENABLED-CUCM any eq <IME SIP trunk port>
The configuration of the IME-TP trust-point referenced below is omitted. It holds the ASA's own certificate that is used to identify this device to the remote IME-ASA.
tls-proxy LOCAL-TO-REMOTE-IME client trust-point IME-TP client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1 ! tls-proxy REMOTE-TO-LOCAL-IME server trust-point IME-TP client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1 ! media-termination IME-MEDIA-TERMINATION address <global media termination address> interface outside address <local media termination address> interface inside ! uc-ime IME-PROXY media-termination IME-MEDIA-TERMINATION ucm address <CUCM local address> trunk-security-mode non-secure ticket epoch 1 password ***** class-map IME-OUTBOUND-SIP match access-list IME-OUTBOUND-SIP-ACL class-map IME-INBOUND-SIP match access-list IME-INBOUND-SIP-ACL ! policy-map global_policy class IME-INBOUND-SIP inspect sip uc-ime IME-PROXY tls-proxy REMOTE-TO-LOCAL-IME class IME-OUTBOUND-SIP inspect sip uc-ime IME-PROXY tls-proxy LOCAL-TO-REMOTE-IME ! service-policy global_policy global
Inline Deployment with Encrypted SIP Trunk within the Enterprise
If the SIP trunk needs to be encrypted within enterprise as well, some parts of the configuration change.
We need both a client and a server trust-point for both TLS proxy entities:
tls-proxy LOCAL-TO-REMOTE-IME client trust-point IME-TP server trust-point LOCAL-TP client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1 ! tls-proxy REMOTE-TO-LOCAL-IME server trust-point IME-TP client trust-point LOCAL-TP client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
The LOCAL-TP trust point holds the ASA's own certificate that is used to identify this device to the local Unified CM.
The trunk security mode has to be set to "secure":
uc-ime IME-PROXY ucm address <CUCM local address> trunk-security-mode secure
Off Path Deployment
If the IME-ASA is deployed in off-path mode, some additional configuration is necessary.
Outside IP addresses need to be NAT'd to make sure that responses from the inside IP addresses are routed back to the off-path IME ASA:
object network EVERYONE-OUTSIDE subnet 0.0.0.0 0.0.0.0 object network EVERYONE-OUTSIDE nat (outside,inside) dynamic interface
Mapping service needs to be configured to make sure that calls originating from the inside are routed through the off-path IME ASA:
uc-ime IME-PROXY mapping-service listening-interface inside listening-port 8060 uc-ime-interface outside
For related information about Intercompany Media Engine, see Unified Communications Manager Documentation at:
For information on troubleshooting IME, see Troubleshooting Cisco Intercompany Media Engine
For information on the IME installation and configuration, see Cisco Intercompany Media Engine Installation and Configuration Guide
For information on IME port usage, see Cisco Intercompany Media Engine Release 8.0(2) TCP and UDP Port Usage
For information on IME CLI commands, see Cisco Intercompany Media Engine Command Line Interface Reference Guide
For information on the results obtained from the system testing, see IP Telephony Test Results
For information on configuring the security components, see Security System Configurations.