Installing Cisco Expressway is not terribly difficult, but the whole process is extremely finicky, and although the servers won’t complain if we skip a few steps, those steps will definitely come back to bite us. I’ll try to break down all the steps, but details may vary depending on the version, since new features and functionalities are constantly being added.
The key to success is preparation! Let’s review a few important details that most guides omit.
- Create an Android- and iPhone-specific SIP Profile.
- External and internal SRV records must be created.
- Wildcard certificates are NOT supported.
- Open the correct ports in your network.
- Request your licenses in advance.
Step 1 – Download and install the Expressway .ova file from cisco.com. Expressway C and E share the same image; it is the license file that determines its capabilities. If you need additional guidance, please check this video from Paul Stryer.
Interestingly enough, I hit a kernel panic bug right after installation (Bug ID CSCvq39993). The fix is super simple and faster than redeploying the whole VM again.
Expressway X12.5.2, X12.5.3 or X12.5.4 has been freshly deployed from OVA on VMware, and has not been upgraded since initial VM installation.
kernel: #PF error: [normal kernel read fault]
kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
kernel: rcu: INFO: rcu_sched self-detected stall on CPU
Upgrade the VM Expressway deployment using the tar.gz file in the web admin UI, to any version, including the same version that was originally deployed. For example, you can upgrade X12.5.4 to X12.5.4 to resolve the issue. Cisco recommends upgrading to the latest available version.
Step 1.5 – Change default password for the admin (GUI) and root (CLI).
Step 2 – Configure NTP servers and time zone under System > Time.
Step 3 – Configure DNS servers, System host name and Domain name under System > DNS.
Step 4 – Configure system name under System > Administration.
Step 5 – Install the correct option keys under Maintenance > Option Keys.
- LIC-EXP-E (only on EXP-E)
- LIC-EXP-AN (Optional for EXP-E if using Dual-NIC)
- LIC-EXP-RMS (Optional for B2B calls)
Step 6 – Set the Unified Communications mode to “Mobile and Remote access” under Configuration > Unified Communications > Configuration.
OAuth is the recommended authentication method, but what nobody tells you is that OAuth also needs to be enabled on CUCM and Unity for it to work.
On EXP-C it looks like this:
On CUCM and Unity under Enterprise Parameters the OAuth with Refresh Login Flow parameter must be set to Enabled.
Additionally, on Unity go to Authz Server to create a new authorization server pointing to the CUCM Publisher.
Step 7 – Define SIP domains under Configuration > Domains.
EXP-C requires both the external and internal domains to be defined (example.com and internal.local).
Step 8 – Link EXP-C with CUCM under Configuration > Unified Communications > Unified CM servers.
A dedicated user with Standard AXL API Access role is recommended.
Repeat the above process for IM&P and Unity.
Step 9 – Generate a Certificate signing request (CSR) under Maintenance > Security > Server certificate.
The certificate must contain at minimum the Common Name (expe.example.com) and the domain name as one of the Subject Alternative Names (example.com).
Once the CSR is signed by a trusted CA, the following files need to be uploaded, in this order:
Root certificate – Maintenance > Security > Trusted CA certificate.
Server certificate – Maintenance > Security > Server certificate.
Revocation list – Maintenance > Security > CRL management.
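As an added example (not part of the original post), the check below validates the names in a planned CSR against the rules above before the request goes to the CA: CN equals the server FQDN, every SIP domain is present as a SAN, and no wildcard names anywhere. The host and domain names are constructed sample values, and the SAN-for-FQDN warning is my own assumption beyond the post.

```python
# Added example: validate Expressway certificate names before requesting the cert.
# expe.example.com / expc.internal.local / example.com / internal.local are sample values.

def _norm(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Example.com.' == 'example.com'."""
    return name.strip().lower().rstrip(".")


def check_expressway_cert_names(common_name, sans, server_fqdn, sip_domains):
    """Return (errors, warnings) for a proposed Expressway server certificate.

    errors   - violations of the rules in the post: CN must be the server FQDN,
               every SIP domain must be a SAN, wildcard names are rejected.
    warnings - assumption beyond the post: most CAs and clients match on SANs
               only, so the FQDN itself should also be listed as a SAN.
    """
    errors, warnings = [], []
    cn = _norm(common_name)
    san_set = {_norm(s) for s in sans}

    # Wildcard certificates are not supported on Expressway, in CN or SAN.
    for name in sorted({cn, *san_set}):
        if "*" in name:
            errors.append(f"wildcard name not supported: {name}")

    if cn != _norm(server_fqdn):
        errors.append(f"CN is {common_name!r}, expected server FQDN {server_fqdn!r}")

    for domain in sip_domains:
        if _norm(domain) not in san_set:
            errors.append(f"SIP domain {domain!r} missing from SAN list")

    if cn not in san_set:
        warnings.append(f"FQDN {server_fqdn!r} not present as a SAN")

    return errors, warnings


if __name__ == "__main__":
    # Expressway-E: CN is the public FQDN, external SIP domain as a SAN.
    print(check_expressway_cert_names(
        "expe.example.com", ["expe.example.com", "example.com"],
        "expe.example.com", ["example.com"]))
    # Expressway-C needs both the external and internal domains (see Step 7).
    print(check_expressway_cert_names(
        "expc.internal.local", ["expc.internal.local", "example.com"],
        "expc.internal.local", ["example.com", "internal.local"]))
```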
Step 10 – Configure the traversal zones under Configuration > Zones > Zones.
Set the zone type as Unified Communications traversal.
Define the traversal Username and Password.
From the drop-down menu, set the Authentication Policy to Treat as Authenticated.
EXP-E should be configured with the EXP-C cluster FQDN.
EXP-C must have the EXP-E cluster FQDN along with all the EXP-E server names.
Confirm connectivity by checking the newly created zone.
Step 11 – Enable SIP.
Under Configuration > Protocol > SIP, make sure SIP and TCP modes are enabled on EXP-C, and SIP and TLS modes on EXP-E.
Step 12 – Set the HTTP allow list [Pending official documentation].
I had a lot of problems integrating MRA with Cisco Unity for voicemail: EXP-C rejected almost all the HTTP requests towards Unity, so I had to add a few entries to the HTTP allow list.
The different variations of the URLs I saw in the logs being rejected with traffic_server: Event="Request Failed" Detail="Access denied" Reason="No match in HTTP allow list" were the following:
I created the following rules:
NOTE: Although I’m just showing the entries for my Publisher server, I had to create the same rules for all my Subscribers.
Step 13 – Once everything is ready, we can review the deployment with this online tool: https://cway.cisco.com/csa/ and by testing with our Jabber clients.