Back to Unified Communications FAQ
Is vTP FIPS compliant??
No, it's currently not compliant, see this bug: CSCut14575 TelePresence Server is not FIPS compliant
How to create the CSR for vTS using openSSL??
You can use this handy site for such purpose, it will generate the string you need to input into openssl for your CSR and key
What is the role of Conductor??
TP Conductor is, as the name implies, the equivalent of an orchestra conductor. It will pool your MCUs and TP Servers into resource pools, so you can separate resources depending on what kind of conference they need (ad-hoc, rendezvous or scheduled). It will make sure that your resources are optimized, so that calls get accounted correctly, depending on the resolution they're using. It will be a single point of conference for CUCM for ad-hoc and rendezvous, instead of needing to create two separate configurations per conference resource.
You can go through the data sheet for some more info: Cisco TelePresence Conductor Data Sheet
Is Conductor FIPS compliant??
No, it's currently not compliant, see this enhancement bug: CSCut14699 Conductor is not FIPS compliant
Why do I have a different screen layout for the same conference that is handled by Conductor??
If you're using more than one vTS or MCU, even if it's the same conference, the layout is kept independent per bridge.
What options do I have to deploy a Conductor??
The 3 options are:
- Cisco TelePresence Conductor Essentials
- Cisco TelePresence Conductor Select
- Cisco TelePresence Conductor
Full info is here: Cisco TelePresence Conductor Data Sheet
Please notice that even though you can deploy and configure Conductor without a license, this model is NOT TAC supported. Support for this particular Conductor model is via Cisco Support Communities only
I'm having problems integrating Conductor as an ad-hoc CFB over HTTPS, what's wrong??
This can manifest in two ways:
- Conductor will show as Unregistered under CFB
- Ad-hoc conferences will fail
For Conductor showing as Unregistered, you have the SIP trunk configured using IP address, and Override SIP Trunk Destination as HTTP address is unchecked, but you have Use HTTPS checked
Under such circumstances, you're hitting bug: cscut10254 HTTPS fails between CUCM and Conductor
All you need to do, is uncheck Use HTTPS and it will register.
The second scenario would be that it registers but ad-hoc still fails, as you checked the Override SIP Trunk Destination as HTTP address options and type in the FQDN of Conductor, and it's present in the SAN from Conductor certificate.
Then you're hitting bug: cscut22572 Unable to create HTTPS connection between Conductor and CUCM using FQDN
The problem here is that Conductor is not doing the reverse DNS lookup, and it fails to create the conference.
So, in the end, you will need to rely on IP address to register them both, and also avoid using HTTPS.
Can I configure DX series endpoints in TMS??
No, there is an enhancement request for that: CSCup84943 TMS Support for DX series
How can I install signed certificates to TMS??
The procedure has been nicely outlined here:
Can I use SQL 2012 for TMSAE??
Please review the information from this bug: CSCus73220 Add support for SQL 2012 for TMSAE
What is the RTT requirements if I'm going to deploy the DB server in a separate location for TMSXE to work??
It follows the same guideline as TMS:
Network The latency between the Cisco TMS server and the SQL server must not exceed 20 ms.
Cisco TMS Installation and Upgrade Guide
VCS & Expressways
Where can I download the Expressway images for install??
There are no Expressway images, the same installation file for VCS, is used to create both VCSs and both Expressways, what product, and capabilities it ends up with, depends completely in the licenses that you will upload to them
What is the difference between VCS and Expressways??
The expressways are a subset of the features offered by the VCSs, the main difference is that EXP-C does not allow for registration of devices, it only works as a proxy for CUCM registration, and that Expressways always need to be deployed in pairs to work, whereas you can use VCS-C without a VCS-E.
How to configure a secure SIP trunk to CUCM??
This is really a very basic procedure, specially if you have already signed all your CSRs with a public CA, or an internal CA, all steps are outlined here:
Secure SIP Trunk between CUCM and VCS Configuration Example
Where can I find the MRA configuration guides??
They're all under the VCS documentation, under Configuration Guides
How can I configure B2B??
I will part from the point in which you already have MRA configured and working, then we will add B2B on top of that configuration.
I will use the terms VCS and Expressways as the same thing over this explanation.
As this is not a basic feature from CUCM or VCS, I assume a good level of familiarity and experience is in place before doing this, if not, then I strongly suggest you to review the MRA configuration guides and VCS guides here: VCS
The first step, will be to create a SIP trunk from CUCM to your VCS-C, since you have MRA configured, ports 5060 and 5061 are already taken by that configuration, so make sure to use another set of ports for the SIP trunk from CUCM to VCS-C, we'll use 6060 and 6061.
In CUCM create a new SIP trunk security profile for non-secure with settings:
- Device security mode = Non Secure
- Incoming Transport Type = TCP+UDP
- Outgoing Transport Type = TCP
- Incoming port = 6060
- Accept unsolicited notification = checked
- Accept replaces header = checked
And create a secure profile with settings:
- Device security mode = Encrypted
- Incoming Transport Type = TLS
- Outgoing Transport Type = TLS
- X.509 Subject Name = FQDN of EXP-C
- Incoming port = 6061
You can use either one, then you need to configure a SIP trunk to VCS-C using one of the above SIP profiles, this will only secure the communication between VCS-C and CUCM, nothing else, either can be used. It's up to personal preference, and / or business requirements.
On your VCS-C configure a neighbor zone to CUCM, make sure to change the port according to the transport type you choose, 6060 or 6061, if you fail to do so, and leave 5060 or 5061 this will fail. If you will be using TLS, if you set TLS verify mode to ON, the Peer address will need to be the FQDN, if you set it to Off, then you can use IP address. For non-secure zones, you can use either one, usually IP is the preferred option.
Now, a separate traversal zone will be required between EXP-C and EXP-E, additional to the one that was created for MRA, once again, you need to set another port for this, or you will break the MRA configuration. The default port is 7001, we will be using 7003
Create your new traversal zone between the VCS servers, and make sure to set the port as 7003.
One EXP-E a DNS zone will be required for the outbound routing, create a new DNS zone, choose whether you want H.323 and SIP, or only SIP. If SIP, which most likely will be the one you want, choose the TLS verify mode as you require, remember that if you want to set it to on, you will need to have Public CA signed certificates. Same for media encryption, that will depend on business needs, and the configuration from the other end, as they will ultimately dictate whether the call fails or is established.
Now, to the required routing for this to work
On CUCM, you will configure a SIP route pattern, that matches anything (*.*), and sends it towards the SIP trunk you created. Make sure you have properly configure the Cluster Fully Qualified Domain Name under the Service Parameters.
On VCS-C, configure whatever transform rules you want to be applied, and the search rule pointing to the traversal zone
On VCS-E, configure a catch all search rule that points to the DNS zone
Very important, this calls will consume Rich Media Session licenses (or traversal calls licenses), you will consume 1 license per call, on each server, so make sure you have the same amount of licenses on both.
The SRV records that will be used for B2B are: _sips._tcp.domain.com port 5081 _sip._tcp.domain.com port 5080 _sip._udp.domain.com port 5080 _h323ls._udp.domain.com port 1719 _h323cs._tcp.domain.com port 1720
If you're a partner, you can review:
- PVT Collaboration - Edge track - Collaboration Edge design for B2B solutions
- Cisco Expressway - PIW - TAC Troubleshooting: Expressway Features
- Collaboration - Collaboration Edge Design - Partner Pre-Release 11 Day 4 This one is particularly good and covers MRA, XMPP Federation and B2B in very good detail, along with sample configuration for VCSs
- You can find more resources on PEC by searching for VCS or B2B, there's a great one that also contains samples of a routing plan for this, I'll try to remember which one was and post it
Is SSO over MRA supported??
Yes, but you require VCS 8.5.2, CUCM / IM&P / CUC 10.5(2) and Jabber 10.6 for this to work.
Page 29 Single Sign-On (SSO) over the Collaboration Edge
Is it possible to use both Jabber MRA and Jabber guest in an existing VCS cluster?
A: No, the Jabber Guest and MRA are two separate entities. As long as you are using two separate VCS pairs for each, then you should be good. There is no design guide that includes both. Below are links for each.
What can I do if I need a VCS-E / EXP-E for my DMZ, but want a dedicated appliance??
Unfortunately since x8.5 there are no longer appliances you can physically place in the DMZ. From a configuration point of view, you can simply use different NICs from the same server to have servers in your internal network, and others with access to the DMZ, however, many customers have a dedicated physical space which is separated from the internal network for the DMZ and won't allow that, on those scenarios, a dedicated virtualization server (or an existing one) would be required to deploy them.
What is the recommended MRA deployment, single NIC or dual NIC??
The recommendation is to use dual NIC to avoid NAT reflection and using more resources per call, compared to a dual NIC deployment where the call flow is simplified as it only traverses from the external NIC to the internal NIC. Any deployment should look in first place to do a dual NIC deployment.
Are there any tools to troubleshoot MRA calls??
Yes, it was recently made available an Expressway SIP Call Analyzer, it can be found here:
Can I configure mutual TLS authentication??
This is not currently possible, not sure when this might happen, but there is an enhancement request for that:
- CSCuu05976 Expressway doesn't verify the Mobile Remote Access client certificate.
Can I limit user access via MRA to just certain users / groups??
This is something that has come up quite often lately, how to limit the users who can use MRA, or how to limit them to just a subset of the features they have internally. For example Full UC on-prem but just IM&P over MRA, or phone-only over MRA.
This is currently not possible, there is already an enhancement request asking for this:
- CSCux35528 Block some users from having Access to MRA
- CSCus94318 Support the ability to restrict Collaboration Edge login for given users
The few methods you can use, and this are just workarounds are:
- Multiple domains
As the name implies, you'd need to configure, at least, two domains in your organization, they will both work internally, but you will only configure one for MRA. This is obviously a very big change, and would mean anyone who is in the domain not configured for MRA on EXP-C, would not be able to login. If you're already running multi-domain and want to prevent users from a certain domain to use MRA, but allow the other ones, this option would be perfect for you.
I know about this method, but I'm not an SSO expert, but if you're using SSO for MRA, you can use security groups to prevent the authentication. (if someone knows how this would work and is willing to explain, reach me). I'm assuming it might be able to do something like split horizon DNS and prevent login from outside the organization, not sure.
- RemoteAccess parameter
I'll start by saying that this would be a NOT SUPPORTED METHOD and it seems only works halfway.
The RemoteAccess parameter was only meant to be used with Jabber 9.6, but not with any higher release, and since then has stopped being supported:
- CSCuy21990 Remove RemoteAccess from Jabber Configuration Parameters guide
I have not tested this, but it seems it would only prevent you from registering to CUCM, but you would still get IM&P services, I have not tried this method, I'll try to test this. My assumption was that the Jabber code had removed the ability to parse that parameter, but it seems some releases still use it. I'll confirm that in the logs once I test it.
If you still want to try it:
<Policies> <RemoteAccess>OFF</RemoteAccess> </Policies>
And once again, the previous method is NOT OFFICIALLY SUPPORTED as the bug states that the parameter is no longer supported.
Cannot connect a 78XX via RMA??
This is probably a bug, but I haven't seen it, if you're running a FW release on the 11 train, it will not work. You just need to download to a 10.x FW release for the device, and MRA should work without any problems.
Back to Unified Communications FAQ
Any comments, questions, suggestions, contributions, etc. please send them to email@example.com. Please make sure the subject is formatted "UC FAQ <anything else>" as I'll have rules in my mail to match them, otherwise, they'll end up in my spam folder.