Cisco Expressway

In this article we will break down the tasks required for the installation and configuration of both the Cisco Expressway C and E servers to allow for mobile remote access to Cisco telephone services and Cisco Jabber.

Cisco Expressway OVA deployment in VMWARE

The following section describes how to deploy the Cisco Expressway ova file to the host using vCenter. If you are using vSphere, skip this section and go to Deploying OVA to Standalone ESXi Host.

Step 1

If the .ova file is already preloaded onto the ESXi Host datastore (for example, in Cisco Business Edition 6000 deployments):

  • Using a web browser, go to https:///folder supplying any required credentials (typically the same username and password as used to log into vCenter ). Navigate through the index of datacenters to find the .ova file you want to deploy from the datastore.
  • Right click on the .ova file and select Copy Link Location. (If the .ova file is not preloaded on the datastore, you can select and upload it in the following steps.)

Step 2

Log in to vCenter to access the ESXi Host.

Step 3

Select File > Deploy OVF Template.

Step 4

If the .ova file is already preloaded onto the ESXi Host datastore, paste the URL you copied from step 1 above. You may have to re-enter username and password credentials so that vCenter can access the web server.

If the .ova file is not preloaded on the datastore, Browse to the location of the .ova file.

Step 5

On the OVF Template Details page, check that the Publisher certificate is valid and click Next.

Step 6

On the End User License Agreement page:

  1. Read the EULA.
  2. If you accept the EULA, click Accept then Next.

Step 7

On the Name and Location page enter a Name for this Expressway VM guest, for example “Virtual_ Expressway” and click Next.

Important – When deploying a VM to ESXi version 6.0 or later, you must not use a backslash or forward slash in the VM name as the characters are unsupported and it can cause errors during the deployment. You must remove the slash from the default name of Cisco Expressway/VCS Base.

Step 8

On the Deployment Configuration page, select the appropriately sized deployment: Select Small, Medium or Large depending on the capabilities of the VMware host. The default is Medium. See System Requirements for details about resource requirements. If the VMware host has insufficient resources, the virtual Expressway will fail to power on / boot.

Click Next.

Step 9

On the Host / Cluster page, select where you want to run the virtual Expressway and click Next.Figure 5. Select Host or Cluster

Step 10

On the Resource Pool page, select where you want to run the virtual Expressway and click Next.

Step 11

On the Storage page, select the location onto which the virtual Expressway will be deployed and click Next.

Step 12

On the Disk Format page, ensure that the default disk format of Thick Provision Lazy Zeroed is selected and then click Next.

Step 13

On the Network Mapping page, select the network mapping that applies to your infrastructure (the default is VM Network) and then click Next.

Important In Cisco Expressway versions 12.5.3 and earlier, the network name must contain only ASCII characters. From 12.5.4 release, network name can also contain non-ASCII characters.

Step 14

On the Properties page, configure the network properties of the virtual Expressway and click Next. The properties you can set include the Cisco Expressway IPv4 and IPv6 settings, the timezone, hostname and domain, up to five NTP servers, and up to five DNS servers. For automated deployments you can also enter an RSA SSH public key to securely set the root and admin passwords via SSH. If you do not enter a public key, you must set the passwords during the Install Wizard process.

Important The hostname and domain name must contain only ASCII characters.

Step 15

On the Ready to Complete page:Confirm the deployment settings.Select the Power on after deployment check box.Click Finish.The installation process will begin and a progress bar will be displayed.

Cisco Expressway C Configuration

License Installation

  • To install the license first login into Expressway C.
  • Post login, click on Maintenance > Option Keys
  • Under Software Option > Add Option Key > Enter the Key you have received.
  • Click on Add Option
  • Follow the same steps to add additional licenses you want to install.
  • You need to reboot the Expressway, click on Maintenance > Restart Options > Click Restart
  • Once the Server is up and running, you would see Cisco Expressway-C banner post login.

Configuring the System Name

  • Navigate to System > Administration
  • System Name > Enter a Name which defines the name of the Expressway, like “EU-ExpresswayC
  • Click on Save

Configuring the DNS Settings

  • Navigate to System > DNS
  • System Host Name > Enter the Hostname of Expressway like “ExpresswayC“.
  • Domain Name > Enter the Domain Name like “uccollabing.com”.
  • Default DNS Servers > Address 1 > Enter the IP Address of the Internal DNS Server to be used when resolving domain names.
  • Click on Save

Configuring Time on Expressway C

  • Navigate to System > Time
  • NTP Server 1 > Enter NTP Server IP Address or NTP Server FQDN.
  • Time Zone > Select appropriate Time zone.
  • Click on Save

Configuration of Domains

  • Navigate to Configuration > Domains
  • Click on New
  • Domain Name > Enter the domain name like “uccollabing.com”
  • Click on Save


Unified Communications Configuration

  • Navigate to Configuration > Unified Communications > Configuration
  • Unified Communication Mode > Select Mobile and remote Access from drop down menu
  • Click on Save

Modify Domains Configuration

  • Navigate to Configuration > Domains > 
  • Click on the domain that you have configured in the previous step. In our example it was “uccollabing.com”
  • SIP registrations and provisioning on Expressway > Select “ON” from drop down menu
  • Click on Save

Configure Unified CM Server

  • Navigate to Configuration > Unified Communications > Unified CM Servers
  • Click on New
  • Unified CM publisher address > Enter the IP Address or FQDN of CUCM Publisher. I have used cucmpub.uccollabing.com as my FQDN
  • Username > Enter the CUCM Username
  • Password > Enter the CUCM Password
  • TLS Verify Mode > Select OFF from drop down menu
  • Click on Save


Configure IM and Presence Service nodes

  • Navigate to Configuration > Unified Communications > IM and Presence Service nodes
  • Click on New
  • IM and Presence Service database publisher node > Enter IP Address or FQDN of IM&P. I have used cups.uccollabing.com as my FQDN.
  • Username > Enter the Username of CUPS
  • Password > Enter the Password of CUSP
  • TLS Verify Mode > Select OFF from drop down menu
  • Click on Save 


Installation & Configuration of Cisco Expressway E

I followed the same procedure to install Expressway E like Expressway C

License Installation

  • To install the license first login into Expressway E.
  • Post login, click on Maintenance > Option Keys
  • Under Software Option > Add Option Key > Enter the Key you have received.
  • Click on Add Option
  • Follow the same steps to add additional licenses you want to install.
  • You need to reboot the Expressway, click on Maintenance > Restart Options > Click Restart 

Configuring the DNS Settings

  • Navigate to System > DNS
  • System Host Name > Enter the Hostname of Expressway like “ExpresswayE“.
  • Domain Name > Enter the Domain Name like “uccollabing.com”.
  • Default DNS Servers > Address 1 > Enter the IP Address of the External DNS Server to be used when resolving domain names.
  • Click on Save
  • Once the Server is up and running, you would see Cisco Expressway-E banner post login. 

Configuring the System Name

  • Navigate to System > Administration
  • System Name > Enter a Name which defines the name of the Expressway, like “EU-ExpresswayE
  • Click on Save

 Configuring the IP Address on LAN1 and LAN2 – Dual Network Interface

  • IP Protocol > IPv4 Only
  • Use dual network interface > Select Yes from drop down menu
  • External LAN interface > Select appropriate LAN interface from drop down menu
  • IPv4 Gateway > Enter the Gateway IP Address
  • Lan 1 – Internal > Fill the information with appropriate details and IPv4 static NAT mode to be OFF
  • LAN 2 > External > Fill the information with appropriate details and IPv4 static NAT mode to be ON

 Configuring Time on Expressway E

  • Navigate to System > Time
  • NTP Server 1 > Enter NTP Server IP Address or NTP Server FQDN.
  • Time Zone > Select appropriate Time zone.
  • Click on Save

Enabling Mobile and Remote Access on Expressway E

  • Navigate to Configuration > Unified Communications > Configuration
  • Unified Communications Mode > Select Mobile and remote access from drop down menu
  • Click on Save

Generate Certificates for Expressway C and E

To generate Certificates, i installed Microsof Active Directory Certificate Services (Certificate Authority) on Windows Server 2012. I used the same server to generate certificates. The steps to generate certificate is very important and should be followed carefully, else the Traversal Zone may fail or you could hit other issues.

Download CA Certificate from CA Server: 

If you are using Microsoft Certificate Authority, you can use the CA Server URL to generate the certificate. The URL would be http://IP_Address/certsrv/   (replace IP_Address with your Microsoft CA Server IP Address)

  • Enter CA Server Username
  • Enter CA Server Password
  • Under Select a task > Click on Download a CA Certificate, certificate chain or CRL
  • Encoding Method > Radio Check Base 64
  • Click on Download CA Certificate and rename it to CARootCertificate or any name which you remember easily.

Upload CA Certificate On Expressway C

  • Navigate to Maintenance > Security Certificate > Trusted CA Certificate
  • Click on Browse
  • Select the CARootCertificate file which you downloaded in the above step
  • Click on Append CA Certificate
  • Once the certificate is uploaded, ensure that the certificate is valid.

Generate CSR on Expressway C

  • Navigate to Maintenance > Server Certificate
  • Click on Generate CSR
  • Common Name > I will leave it as default.
  • Subject Alternative Name > It has to include internal and external domain.
  • IM & Presence Chat Node Aliases > Fill this information with your CUPS Group Chat Alias Mapping
    (Login to CUPS > Navigate to Messaging > Group Chat Server Alias Mapping)
  • Unified CM Phone security profile name > I left it as blank
  • Key Length (in bits) > 4096
  • County > Fill this information
  • State or Province > Fill this information
  • Locality (town name) > Fill this information
  • Organization (Company Name) > Fill this information
  • Organization Unit > Fill this information
  • Click on Generate CSR
  • Download Certificate Signing Request (CSR)
  • Open the file using Notepad or Notepad++ or any text editor
  • Copy all the text from the notepad – Ensure that whatever is downloaded is what you have copied. No characters or spaces are extra.

Request a Certificate for Expressway C

  • Go back to the Microsoft CA Certificate URL
  • Click on Request a Certificate
  • Click on Advanced Certificate Request
  • Click on Submit a certificate by using a base-64-encoded CMC or PKCS #10 file. or submit a renewal request by using a base-64-encoded PKCS #7 file.
  • Base-64-encoded certificate request > Paste the text that you have copied from the previous step
  • Client Certificate Template > Select Web Client and Server Template from drop down
  • Click on Submit
  • Radio check > Base 64 encoded
  • Click on Download Certificate
  • Save the file in your PC and name the file as Cert_ExpC_Cert

Upload the Certificate in Expressway C

  • Go back to Expressway C
  • Navigate to Maintenance > Security Certificate > Server Certificate
  • Upload New Certificate > Click on Browse and upload the certificate that you have downloaded in the previous step
  • Click on Upload Server Certificate Data
  • Restart Expressway C

Repeat the same process for Expressway E

  • Upload CA Certificate On Expressway E
  • Generate CSR on Expressway E
  • Request a Certificate for Expressway E
  • Upload the Certificate in Expressway E

Configuring Traversal Zone on Expressway C and Expressway E

  • Login to Expressway E
  • Navigate to Configuration > Zones > Zones
  • Click on New
  • Name > TraversalZoneExpE
  • Type > Select Unified Communications traversal
  • Click Create Zone
  • Click on Add/Edit local authentication database and a pop-up window will open
  • Click on New
  • Name > Enter a username like “TraversalAdmin”
  • Password > Enter a password
  • Click on Create Credential
  • SIP Port > 7001
  • TLS Verify Subject Name > Enter FQDN of Expressway C
  • Authentication Policy > Select Treat as Authenticated from drop down menu
  • Click on Save
  • Login to Expressway C
  • Navigate to Configuration > Zones > Zones
  • Click on New
  • Name > TraversalZoneExpC
  • Type > Select Unified Communications traversal
  • Click Create Zone
  • Name > Enter the username which you created in the above step. In our case it is “TraversalAdmin”
  • Password > Enter a password
  • SIP Port > 7001
  • Authentication Policy > Select Treat as Authenticated from drop down menu
  • Peer 1 address > Enter the IP Address or FQDN of Expressway E. In our case it is ExpresswayE.uccollabing.com
  • Click on Save
  • Ensure that the status is Active once you save the settings

Allow Jabber to access voicemail

  • Login to Expressway C
  • Navigate to Configuration > Unified Communications > Configuration
  • Under Advanced > HTTP server allow list > Click on Configure HTTP server allow list
  • Click on New
  • Server Hostname > Enter IP Address of Unity Connection
  • Description > Enter a short description
  • Click on Save

DNS SRV Lookup – Internal Network and over Internet

Internal Network – Verification :  

  • Login to the Windows Machine where you Jabber is installed within the network
  • Go to Start > Run > Type CMD and hit enter
  • Type  nslookup and hit Enter
  • Type set type=srv  and hit enter
  • Type _cisco-uds._tcp.yourdomain.com  and hit enter
  • This should give you the IP Address pointing to your CUCM
  • Type set type=srv  and hit enter
  • Type _cuplogin._tcp.yourdomain.com  and hit enter
  • This should give you the IP Address pointing to your CUPS

External Network – Verification

  • Login to Windows Machine where your Jabber is installed outside the network
  • Go to Start > Run > Type CMD and hit enter
  • Type  nslookup and hit Enter
  • Type set type=srv  and hit enter
  • Type _collab-edge._tls.yourdomain.com  and hit enter
  • This should give you the IP Address pointing to your Expressway E.
  • Make sure that the CUCM, CUPS and Expressway C is not reachable from outside network.

Jabber Testing

  • Login from Internal Network windows machine where jabber is installed
  • Login with username@domain.com and password for jabber
  • You should be able to login successfully.
  • Login from External Network windows machine where jabber is installed
  • Login with username@domain.com and password for jabber
  • You should be able to login successfully
  • Also check your jabber diagnostic by pressing Ctrl + Shift + D on your jabber Window. This will display you the information on how the jabber is registered and other important details.
  • Now make calls from Internal network jabber client to external network jabber client and the call should work

Note: I have tested this in my lab and it worked as expected.

Leave a Reply