Configure Business to Business Audio and Video Calls Through Expressway Integrated with CUCM

Today I am going to talk through a configuration example for business-to-business (B2B) audio and video calls through Expressway integrated with CUCM. Expressway with the Mobile Remote Access (MRA) feature provides seamless registration of Jabber and TC endpoints located outside the enterprise network, as shown in the network diagram below.

Fig 1.1- Basic Network Topology
Step 1. SIP trunk between CUCM and Expressway-C
After Expressway-C completes CUCM discovery, neighbor zones are automatically configured for each node and transport protocol discovered.

When the CUCM cluster is configured in mixed mode, there is 1 zone for Transmission Control Protocol (TCP) for non-secure traffic with destination port 5060 and 1 zone for Transport Layer Security (TLS) for secure traffic with destination port 5061. These ports cannot be changed.

The 2 zones are used for all edge calls to and from the edge endpoints. Inbound calls from the edge endpoints take the route of these auto-added zones and hence target TCP 5060 or TLS 5061 on CUCM. Through the established sockets, edge endpoints register and place/receive calls.

Fig 1.2
For B2B calls, configure a SIP trunk in CUCM that points to Expressway-C. Typically, CUCM listens on port 5060 or 5061 for inbound traffic from this gateway.

Since edge traffic comes from the same source IP with port 5060/5061, you need to use a different listening port for this trunk in CUCM. Otherwise, edge traffic is routed to the SIP trunk device in CUCM and not to the endpoint device (CSF or EX).

On the Expressway-C side, use ports 5060 and 5061 for Session Initiation Protocol (SIP) TCP/TLS.
An example where CUCM listens on port 6060/6061 for inbound traffic on this trunk is shown in the image.

Fig 1.3
These are the configuration steps documented for this deployment, for both secure and non-secure deployments.

Add a new SIP Trunk Security Profile
From the CUCM Administration page, navigate to Device > Trunk.
Configure an incoming port other than 5060/5061; here, use 6060 for TCP and 6061 for TLS.

Fig 1.4
Secure SIP Trunk profile

For TLS, you also need to configure the X.509 Subject Name so that it matches the CN of the certificate presented by Expressway-C. In addition, upload the Expressway-C certificate, or the certificate of the CA that issued it, to the CUCM certificate trust store.

Fig 1.5
Configure the SIP trunk on CUCM
All B2B calls flow to and from CUCM through this trunk. The SIP trunk configuration parameters are standard for CUCM with VCS deployments. Make sure to associate the security profile created in step 1.

Configure a neighbor zone on Expressway-C

A neighbor zone needs to be configured on Expressway-C to target CUCM. This zone is used to route inbound B2B traffic to CUCM.

The configuration is standard, except that the destination port must correspond to the listening port configured on the SIP Trunk Security Profile assigned to the SIP trunk on CUCM.

In this example, the destination port used is 6060 for SIP/TCP and 6061 for SIP/TLS (refer to step 1), as shown in the image. From the Expressway Administration page, navigate to Configuration > Dial Plan > Transforms and Configuration

Fig 1.6 
Neighbor zone for SIP TLS - with TLS verify mode on
When TLS verify mode is set to on, you must ensure the peer address matches the CN or SAN from the certificate presented by CUCM. Typically, with TLS verify mode on, you configure the FQDN of the CUCM node as the peer address.

From the Expressway Administration page, navigate to Configuration > Dial Plan > Transforms and Configuration

Fig 1.7
Neighbor zone for SIP TLS - with TLS verify mode off
When TLS verify mode is set to off, the peer address can be the IP address, hostname or Fully Qualified Domain Name (FQDN) of the CUCM node.

From the Expressway Administration page, navigate to Configuration > Dial Plan > Transforms and Configuration

Fig 1.8
Check Certificates
For TLS, ensure that:
The Expressway-C server certificate or CA root (used to sign the certificate) is uploaded to the CUCM trust store on all servers in the CUCM cluster.
The Call Manager certificate or CA root (used to sign the certificate) is uploaded to the Trusted CA Certificate list on the Expressway-C server.
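
The name comparison that TLS verify mode depends on can be checked before the zone is saved. The following is an added example, not part of the original article or of any Cisco tooling: it applies general X.509 name matching (exact, case-insensitive, no wildcard handling) to a certificate dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`. The host names, the `zone` dict and the function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the host names are placeholders, not values from the article.
SAMPLE_CUCM_CERT = {
    "subject": ((("commonName", "cucm-pub.example.com"),),),
    "subjectAltName": (("DNS", "cucm-pub.example.com"),
                       ("DNS", "cucm-sub1.example.com")),
}


def cert_names(cert):
    """Return (DNS names including the CN, IP SAN entries) from the certificate."""
    dns, ips = set(), set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                dns.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    return dns, ips


def peer_matches_cert(peer_address, cert):
    """True when the configured peer address equals a CN or SAN entry."""
    dns, ips = cert_names(cert)
    try:
        # An IP peer address can only match an IP SAN, never a DNS name.
        return ipaddress.ip_address(peer_address) in ips
    except ValueError:
        return peer_address.lower().rstrip(".") in dns


def check_zone(zone, cert):
    """zone is a hypothetical dict: {'peer_address': str, 'tls_verify': bool}."""
    if not zone["tls_verify"]:
        return "not checked (TLS verify mode off)"
    if peer_matches_cert(zone["peer_address"], cert):
        return "ok"
    return "mismatch: %s is not a CN or SAN of the presented certificate" % zone["peer_address"]


if __name__ == "__main__":
    for peer in ("cucm-pub.example.com", "10.10.10.5", "cucm-pub"):
        print(peer, "->", check_zone({"peer_address": peer, "tls_verify": True}, SAMPLE_CUCM_CERT))
```

With the sample certificate, only the FQDN passes; the IP address and the short hostname are reported as mismatches, which is why the FQDN is the usual peer address when TLS verify mode is on.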

Step 2. Configure traversal zone between Expressway-C and Expressway-E

A separate traversal zone has to be configured to route the B2B traffic between Expressway-C and Expressway-E. This is a standard traversal zone configuration but, as with the SIP trunk on CUCM, it must use a different port than the one used by the UC Traversal zone for edge traffic.

The standard port for the UC Traversal zone is 7001. For the B2B Traversal zone you can, for example, configure 7003. The UC Traversal Zone for edge traffic is shown in the image.

Fig 1.9A
Fig 1.9B 
Traversal zone configuration for B2B traffic on Expressway-C

Expressway-C is the traversal zone client; in this example the destination port is 7003. With TLS verify mode set to on, ensure the Peer Address configured matches the CN or SAN of the certificate presented by Expressway-E.

From the Expressway Administration page, navigate to Configuration > Dial Plan > Transforms and Configuration.

Fig 1.10 
Traversal zone configuration for B2B traffic on Expressway-E

Expressway-E is the traversal zone server; in this example the listening port is 7003. With TLS verify mode set to on, ensure the TLS verify subject name configured matches the CN or SAN of the certificate presented by Expressway-C.

From the Expressway Administration page, navigate to Configuration > Dial Plan > Transforms and Configuration.

Fig 1.11
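
The port rules from Steps 1 and 2 can be checked together before any change is applied. This is an added example, not code from the original article or from Cisco: the dictionary layout and key names are hypothetical, and only the port numbers (5060/5061, 6060/6061, 7001, 7003) come from the text above.

```python
EDGE_SIP_PORTS = {5060, 5061}   # targeted by the auto-created CUCM zones for edge traffic
UC_TRAVERSAL_PORT = 7001        # standard UC traversal zone port


def lint_b2b_ports(cfg):
    """Return a list of findings for a deployment described by a hypothetical dict."""
    findings = []
    profile = cfg["cucm_trunk_security_profile"]
    neighbor = cfg["expc_neighbor_zone"]
    client = cfg["expc_traversal_client"]
    server = cfg["expe_traversal_server"]

    if profile["incoming_port"] in EDGE_SIP_PORTS:
        findings.append("trunk profile listens on %d, which edge traffic already targets"
                        % profile["incoming_port"])
    if neighbor["transport"] != profile["transport"]:
        findings.append("neighbor zone transport %s differs from trunk profile transport %s"
                        % (neighbor["transport"], profile["transport"]))
    if neighbor["destination_port"] != profile["incoming_port"]:
        findings.append("neighbor zone sends to %d but the trunk profile listens on %d"
                        % (neighbor["destination_port"], profile["incoming_port"]))
    if server["listening_port"] == UC_TRAVERSAL_PORT:
        findings.append("B2B traversal zone reuses UC traversal port %d" % UC_TRAVERSAL_PORT)
    if client["destination_port"] != server["listening_port"]:
        findings.append("traversal client targets %d but the server listens on %d"
                        % (client["destination_port"], server["listening_port"]))
    return findings


# Constructed configurations: the first follows the article's TLS example,
# the second repeats the mistakes the article warns about.
GOOD_CONFIG = {
    "cucm_trunk_security_profile": {"transport": "tls", "incoming_port": 6061},
    "expc_neighbor_zone": {"transport": "tls", "destination_port": 6061},
    "expc_traversal_client": {"destination_port": 7003},
    "expe_traversal_server": {"listening_port": 7003},
}
BAD_CONFIG = {
    "cucm_trunk_security_profile": {"transport": "tls", "incoming_port": 5061},
    "expc_neighbor_zone": {"transport": "tls", "destination_port": 6061},
    "expc_traversal_client": {"destination_port": 7003},
    "expe_traversal_server": {"listening_port": 7001},
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_b2b_ports(cfg) or "no findings")
```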
Step 3. Configure DNS zone on Expressway-E

To route the B2B traffic, configure a DNS zone on Expressway-E. For traffic destined to this zone, Expressway-E performs a DNS SRV lookup for either _sip or _sips, for the domain derived from the domain part of the SIP URI.

The SRV target returned by the DNS server is used to route the SIP call. The configuration is a standard DNS zone configuration.

From the Expressway Administration page, navigate to Configuration > Zones

Fig 1.12

Step 4. Configure dial plan

a. Transforms and/or Search Rules on Expressway-C and E

From the Expressway Administration page, navigate to Configuration > Dial Plan > Transforms and Configuration > Dial Plan > Transform or Search Rules

b. SIP Route pattern(s) in CUCM
c. For SIP call routing, SRV records must be created on the public DNS servers.
d. Configure the Cluster Fully Qualified Domain Name in CUCM.
e. Create a transform on Expressway-C which removes the port from the URI received in the Invite from CUCM.
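
How a dialed URI turns into SRV lookups, covering the port-stripping transform in item e and the DNS zone behaviour from Step 3. This is an added example, not taken from the original article or from Expressway itself: the regular expression is an illustration rather than the transform pattern to paste into Expressway, the `_tcp` labels follow the usual SIP SRV naming, the records are constructed, and target selection is simplified to lowest priority then highest weight.

```python
import re

# user@host:port -> user@host (IPv6 literals are not handled in this sketch)
PORT_SUFFIX = re.compile(r"^(?P<user>[^@]+)@(?P<host>[^:@]+):\d+$")


def strip_port(uri):
    """Remove a trailing :port from user@host:port, leaving other URIs untouched."""
    m = PORT_SUFFIX.match(uri)
    return "%s@%s" % (m["user"], m["host"]) if m else uri


def srv_queries(sip_uri):
    """Return the SRV names to look up for the domain part of a SIP URI."""
    scheme, sep, rest = sip_uri.partition(":")
    if not (sep and scheme.lower() in ("sip", "sips")):
        rest = sip_uri                      # no sip:/sips: prefix present
    domain = strip_port(rest).rpartition("@")[2].lower()
    return ["_sips._tcp." + domain, "_sip._tcp." + domain]


def pick_target(records):
    """Choose (target, port) from (priority, weight, port, target) tuples."""
    priority, weight, port, target = min(records, key=lambda r: (r[0], -r[1]))
    return target, port


# Constructed SRV answer for a placeholder partner domain.
SAMPLE_SRV = [
    (20, 10, 5061, "expe2.partner.example"),
    (10, 5, 5061, "expe1.partner.example"),
    (10, 20, 5061, "expe3.partner.example"),
]

if __name__ == "__main__":
    uri = "sip:alice@Partner.Example:5060"   # constructed URI as CUCM might send it
    print(srv_queries(uri))
    print(pick_target(SAMPLE_SRV))
```

If the port is left on the URI, the string after the `@` is no longer a bare domain, so the SRV name built from it does not exist in DNS.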

Step 5. Upload rich media licenses to Expressway

Rich media licenses (aka Traversal Zone licenses) must be uploaded to each Expressway Server.

If these are missing, or the configuration is improper, calls are released with this error message: "Call license limit reached: You have reached your license limit of concurrent traversal call licenses"