Cisco Expressway

In modern enterprise networks, enabling secure remote access for collaboration tools such as Cisco Jabber is critical. Users expect seamless connectivity for voice, video, presence, and instant messaging—whether they are inside the corporate network or working remotely.

While Jabber works well on an internal network protected by your corporate firewall, allowing remote access introduces a layer of complexity. Exposing internal Unified Communications resources directly to the Internet is risky, and a stateful firewall will in any case block unsolicited inbound connections to CUCM unless you punch holes for them. This is where Cisco Expressway becomes essential.

In this guide, we’ll provide a comprehensive overview of Cisco Expressway, how it works, its architecture, key configuration considerations, and practical deployment tips from real-world experience.


What is Cisco Expressway?

Cisco Expressway is a secure gateway that enables remote and mobile users to connect to internal Unified Communications services without requiring a VPN. It works alongside Cisco Unified Communications Manager (CUCM) and other collaboration solutions to facilitate:

  • Jabber client registration and communication
  • Video endpoints and conferencing traversal
  • Secure inter-organization federation (SIP trunks)
  • Firewall traversal for voice and video traffic

At its core, Expressway provides firewall traversal. Stateful firewalls allow the return traffic of sessions initiated from inside, but block unsolicited inbound connections unless a rule explicitly permits them. Expressway lets external Jabber clients establish secure sessions to the edge server while the internal firewall keeps blocking inbound connections: the only link across it is one that Expressway-C opens outbound to Expressway-E.

Real-World Insight: Many organizations attempt to expose CUCM services directly to the Internet, which either fails at the firewall or puts the call-control platform's registration and management interfaces within reach of anyone on the Internet. Expressway mitigates this by acting as a controlled intermediary.


Cisco Expressway Architecture

Deploying Cisco Expressway requires two servers to manage both internal and external communications:

1. Expressway-C (Core Server)

  • Deployed inside the internal network
  • Handles communication with CUCM and internal endpoints
  • Acts as a trusted internal controller for traversal and policy enforcement

2. Expressway-E (Edge Server)

  • Deployed in a DMZ (demilitarized zone)
  • Receives connections from external devices
  • Relays external traffic to Expressway-C over a traversal zone; the traversal connection is initiated by Expressway-C (the traversal client) towards Expressway-E (the traversal server), not the other way round
  • Ensures that the internal network remains isolated from direct external access, because no inbound connection from the DMZ into the internal network is ever required

This architecture enables Jabber clients and other remote endpoints to connect from anywhere without a VPN, while maintaining security and compliance.


Firewall Traversal Explained

Firewalls typically block inbound connections to prevent unauthorized access. Expressway allows controlled traversal using:

  • TLS for signaling
  • SRTP for media (voice and video encryption)
  • Secure tunneling between Expressway-E and Expressway-C

The Expressway-E server acts as the publicly accessible gateway. It terminates external TLS sessions and relays the signaling to Expressway-C across the traversal zone that Expressway-C has already established outbound through the internal firewall. Expressway-C then communicates with CUCM (and IM and Presence, if deployed) on behalf of the remote client.

Expert Tip: Direction matters when writing the firewall rules. The internal firewall only needs to permit connections initiated by Expressway-C towards Expressway-E: TCP 7001 for the SIP traversal zone, TCP 2222 for the SSH tunnel that carries the HTTPS traffic, and the UDP media range. The external firewall exposes Expressway-E to the Internet on TCP 8443 (HTTPS for Jabber), TCP 5061 (SIP over TLS), TCP 5222 (XMPP) and the UDP media range (36002 to 59999 by default). No rule should permit the Internet or the DMZ to open connections to CUCM. Confirm the exact list against the Cisco Expressway IP port usage guide for your software version before committing the rules, and open the H.323 and SIP ports for video endpoints only if you actually deploy them.
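To make the direction rule concrete, here is an added example (not Cisco's code, and not from the original article) that audits a candidate firewall ruleset against the flows an MRA deployment needs. The zone names, the rule format and both rulesets are constructed for the example; the port numbers are Cisco's documented defaults, which you should re-check for your version. It reports required flows that no rule covers, and flags any rule that lets the Internet or the DMZ open connections into the internal network, which MRA never needs.

```python
from dataclasses import dataclass

# Zones used by this model (constructed for the example):
#   internet  - remote Jabber clients and endpoints
#   dmz       - Expressway-E
#   internal  - Expressway-C, CUCM, IM and Presence


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    ports: tuple        # (low, high), inclusive
    purpose: str


# Connections an MRA deployment needs. The directions are the point: the
# traversal zone is opened by Expressway-C (internal) towards Expressway-E
# (dmz); nothing is initiated from the DMZ inwards. Port numbers are the
# defaults from Cisco's Expressway port usage guide (assumed current).
REQUIRED_FLOWS = [
    Flow("internet", "dmz", "tcp", (8443, 8443), "HTTPS from Jabber clients"),
    Flow("internet", "dmz", "tcp", (5061, 5061), "SIP over TLS from remote endpoints"),
    Flow("internet", "dmz", "tcp", (5222, 5222), "XMPP (IM and Presence) from Jabber"),
    Flow("internet", "dmz", "udp", (36002, 59999), "SRTP media from remote endpoints"),
    Flow("internal", "dmz", "tcp", (7001, 7001), "traversal zone, SIP over TLS, C -> E"),
    Flow("internal", "dmz", "tcp", (2222, 2222), "traversal zone, SSH tunnel for HTTPS, C -> E"),
    Flow("internal", "dmz", "udp", (36000, 59999), "traversal media, C -> E"),
]


def rule(src, dst, proto, low, high, action="allow"):
    """Build a firewall rule for new connections from the src zone to the dst zone."""
    return {"src": src, "dst": dst, "proto": proto, "ports": (low, high), "action": action}


def covers(r, flow):
    """True if rule r permits every port of flow in the same direction."""
    return (r["action"] == "allow"
            and r["src"] == flow.src and r["dst"] == flow.dst
            and r["proto"] == flow.proto
            and r["ports"][0] <= flow.ports[0] and r["ports"][1] >= flow.ports[1])


def audit(rules):
    """Return (missing_flows, risky_rules).

    missing_flows: required flows no allow rule covers (remote clients fail).
    risky_rules:   allow rules that let the Internet or the DMZ open
                   connections into the internal zone; MRA needs none of
                   these, and each one exposes CUCM or Expressway-C directly.
    """
    missing = [f for f in REQUIRED_FLOWS if not any(covers(r, f) for r in rules)]
    risky = [r for r in rules
             if r["action"] == "allow" and r["dst"] == "internal"
             and r["src"] in ("internet", "dmz")]
    return missing, risky


# Constructed ruleset in the style that causes trouble in the field: the
# traversal ports were opened from the DMZ inwards, and CUCM's HTTPS
# interface was published straight to the Internet.
WRONG_DIRECTION_RULES = [
    rule("internet", "dmz", "tcp", 8443, 8443),
    rule("internet", "dmz", "tcp", 5061, 5061),
    rule("dmz", "internal", "tcp", 7001, 7001),       # backwards
    rule("dmz", "internal", "tcp", 2222, 2222),       # backwards
    rule("internet", "internal", "tcp", 8443, 8443),  # CUCM exposed directly
]

# Corrected ruleset: exactly the required flows, nothing inbound to internal.
CORRECTED_RULES = [rule(f.src, f.dst, f.proto, *f.ports) for f in REQUIRED_FLOWS]


if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_DIRECTION_RULES), ("corrected", CORRECTED_RULES)):
        missing, risky = audit(rules)
        print(f"{name}: {len(missing)} required flow(s) missing, {len(risky)} risky rule(s)")
        for f in missing:
            print(f"  missing: {f.src} -> {f.dst} {f.proto} {f.ports[0]}-{f.ports[1]} ({f.purpose})")
        for r in risky:
            print(f"  risky:   {r['src']} -> {r['dst']} {r['proto']} {r['ports']}")
```

Run against the wrong-direction ruleset it reports five missing flows (the three Expressway-C to Expressway-E connections plus XMPP and media from the Internet) and three risky rules; the corrected ruleset reports nothing. Feeding it your real rule export is a cheap pre-flight check before the first remote client test.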


DNS and SRV Records: The Critical Step

From experience, misconfigured DNS or SRV records are the most common source of connection failures for Jabber clients.

  • DNS Records: Use split-horizon DNS so that internal and external clients get different answers for the same domain. For example:
    • Internal clients should resolve CUCM, IM and Presence, and Expressway-C by FQDN.
    • External clients should resolve only Expressway-E by FQDN; internal server names must not be published in external DNS.
  • SRV Records (Service Locator Records): Allow Jabber clients to locate services automatically without hardcoding server IPs. Jabber queries them in a fixed order and prefers _cisco-uds, so the two records must live in different views:
    • _cisco-uds._tcp.domain.com in internal DNS only, pointing at CUCM on port 8443, so that on-premises clients register directly
    • _collab-edge._tls.domain.com in external DNS only, pointing at Expressway-E on port 8443, so that remote clients use Mobile and Remote Access

Practical Tip: Use consistent FQDN naming conventions for CUCM, Expressway-C, and Expressway-E. Mismatched or missing SRV records are a frequent cause of “cannot connect to server” errors, and a _cisco-uds record that is resolvable from the Internet is just as bad: the remote client prefers it over _collab-edge, tries to reach CUCM directly, and fails.
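The lookup order and the split-DNS pitfall are easier to see in code. The following is an added example, not Cisco's code or part of the original article: it reproduces Jabber's SRV query order against two constructed DNS views and runs a pre-deployment check on them. The domain example.com, the host names and the record values are assumptions.

```python
# Constructed split-horizon DNS for example.com. Each SRV record is stored
# as (priority, weight, port, target), the fields of the SRV RDATA.
INTERNAL_VIEW = {
    "_cisco-uds._tcp.example.com": [
        (10, 50, 8443, "cucm1.example.com"),
        (10, 50, 8443, "cucm2.example.com"),
    ],
}

EXTERNAL_VIEW = {
    "_collab-edge._tls.example.com": [
        (10, 100, 8443, "expe1.example.com"),
        (20, 100, 8443, "expe2.example.com"),   # backup, used only if expe1 fails
    ],
}

# The mistake this example is about: the internal record copied into the
# public zone (or one flat zone serving both sides).
LEAKY_EXTERNAL_VIEW = dict(EXTERNAL_VIEW)
LEAKY_EXTERNAL_VIEW["_cisco-uds._tcp.example.com"] = INTERNAL_VIEW["_cisco-uds._tcp.example.com"]


def ordered_targets(records):
    """Order SRV targets: lowest priority first, higher weight first within a
    priority. A real client picks randomly by weight inside one priority
    level; a fixed order keeps this example deterministic."""
    ordered = sorted(records, key=lambda r: (r[0], -r[1], r[3]))
    return [(target, port) for _, _, port, target in ordered]


def discover(domain, view):
    """Reproduce Jabber's lookup order for a domain against one DNS view.

    Returns (mode, targets). Jabber prefers _cisco-uds (direct CUCM
    registration) and only falls back to _collab-edge (MRA via Expressway-E)
    when the first record is absent.
    """
    uds = view.get(f"_cisco-uds._tcp.{domain}")
    if uds:
        return "cucm-direct", ordered_targets(uds)
    edge = view.get(f"_collab-edge._tls.{domain}")
    if edge:
        return "mra", ordered_targets(edge)
    return "none", []


def check_split_dns(domain, internal_view, external_view):
    """Return the problems a pre-deployment DNS check should catch."""
    problems = []
    if f"_cisco-uds._tcp.{domain}" not in internal_view:
        problems.append("internal DNS lacks _cisco-uds: on-prem clients cannot find CUCM")
    if f"_collab-edge._tls.{domain}" not in external_view:
        problems.append("external DNS lacks _collab-edge: remote clients cannot find Expressway-E")
    if f"_cisco-uds._tcp.{domain}" in external_view:
        problems.append("_cisco-uds is visible externally: remote clients will try CUCM directly and fail")
    for _, _, port, target in external_view.get(f"_collab-edge._tls.{domain}", []):
        if port != 8443:
            problems.append(f"_collab-edge target {target} uses port {port}, expected 8443")
    return problems


if __name__ == "__main__":
    domain = "example.com"
    print("internal client :", discover(domain, INTERNAL_VIEW))
    print("external client :", discover(domain, EXTERNAL_VIEW))
    print("external, leaky :", discover(domain, LEAKY_EXTERNAL_VIEW))
    for problem in check_split_dns(domain, INTERNAL_VIEW, LEAKY_EXTERNAL_VIEW):
        print("problem:", problem)
```

With the correct views the internal client lands on CUCM and the external client on Expressway-E; with the leaky external view the external client is steered to cucm1/cucm2, which it cannot reach, which is exactly the "cannot connect to server" symptom. In production, replace the dictionaries with real lookups (dig SRV from a host on each side of the firewall) and keep the check function as it is.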


Step-by-Step Deployment Overview

Here’s a high-level workflow for deploying Cisco Expressway:

  1. Prepare the Environment
    • Ensure CUCM and other collaboration services are properly configured.
    • Verify internal DNS and Active Directory integration.
    • Allocate DMZ IP addresses for Expressway-E.
  2. Install Expressway-C
    • Deploy inside the corporate network.
    • Connect to CUCM and configure traversal zones.
    • Test internal device registration and communication.
  3. Install Expressway-E
    • Deploy in DMZ.
    • Establish traversal zone connection to Expressway-C.
    • Configure firewall rules so that Expressway-C can initiate the traversal zone connection to Expressway-E (no inbound rule from the DMZ to the internal network is needed).
  4. Configure DNS and SRV Records
    • Ensure external clients resolve Expressway-E.
    • Add SRV records to allow Jabber automatic service discovery.
  5. Verify Jabber Connectivity
    • Test internal Jabber clients (they should register directly to CUCM via _cisco-uds, not through Expressway).
    • Test external Jabber clients (through Expressway-E and the traversal zone to Expressway-C).
    • Monitor logs for TLS or registration errors.

Real-World Best Practices

Based on field experience, the following practices improve Expressway deployments:

  • Redundancy: Deploy a secondary Expressway-C and Expressway-E server for high availability.
  • Certificate Management: Use a public CA-signed certificate on Expressway-E with the required SAN entries (for MRA, the Unified CM registration domain in the form collab-edge.domain.com) so that Jabber clients trust it. Expressway-C's certificate may come from an internal CA, but Expressway-C and Expressway-E must each trust the CA that issued the other's certificate.
  • Firewall Hardening: Only open the necessary traversal ports; do not expose CUCM directly.
  • Monitoring: Use Expressway logs to monitor registrations, media connections, and errors proactively.
  • Regular Updates: Keep the Expressway software current on both Expressway-C and E, within the versions supported by your CUCM and Jabber releases.

Expert Insight: On multiple deployments, incorrect traversal zone configuration was responsible for 90% of initial connectivity failures. Before testing remote clients, confirm that the traversal zone shows as active on both servers: the zone name and the authentication credentials configured on Expressway-C must match the account created on Expressway-E, and each server must trust the CA that issued the other's certificate.


Troubleshooting Tips

Common issues and remedies include:

  1. Jabber cannot register externally
    • Verify the _collab-edge SRV record in external DNS, and make sure _cisco-uds is not resolvable from outside.
    • Confirm that the firewall rules are open in the right direction: Internet to Expressway-E, and Expressway-C outbound to Expressway-E.
  2. Certificate trust errors
    • Ensure CA-signed certificates with the correct SAN entries are installed on both Expressway-C and E.
    • Check expiration dates, the full chain, and that each server trusts the other's issuing CA.
  3. Media fails (voice/video issues)
    • Inspect the SRTP and media encryption settings.
    • Ensure the UDP media ranges are allowed from the Internet to Expressway-E and from Expressway-C to Expressway-E; signaling that works while audio is one-way or absent almost always points here.
  4. Intermittent connectivity
    • Check network latency and firewall session timeouts; an idle timeout shorter than the keep-alive interval will drop registrations.
    • Consider clustering Expressway-E if it handles many external clients.

Cisco Expressway is a powerful and secure solution for enabling remote access to Cisco Jabber and Unified Communications services. By deploying Expressway-C internally and Expressway-E in the DMZ, you can maintain a seamless, VPN-free experience for users, while keeping your internal network secure.

From my real-world experience, DNS/SRV misconfigurations and firewall traversal settings are the most frequent causes of initial connectivity problems. Careful planning, proper deployment, and adherence to best practices ensure that Jabber clients—both internal and external—can reliably access CUCM services for voice, video, and instant messaging.

Whether you are supporting a small office or a multi-branch enterprise, Cisco Expressway allows your organization to expand collaboration beyond the corporate firewall safely and efficiently.

Key Takeaway: Success with Cisco Expressway comes down to careful network planning, accurate DNS/SRV configuration, and disciplined firewall traversal setup. Follow these guidelines, and remote collaboration becomes frictionless and secure.

SuperTechman – Installation and Configuration of Cisco Expressway C & E
