From the course: Cisco CCNP Collaboration 350-801 (CLCOR) Cert Prep: 1 Cisco Collaboration Technologies

Cisco expressway

- In many enterprise networks, we have a firewall that protects the enterprise network from the untrusted internet. The way a firewall typically functions is that it allows connections that originate on the enterprise network to go out to the internet, but not vice versa. That protects the enterprise network from malicious traffic that might be coming in from the internet. But sometimes an enterprise will want a subset of its devices to be reachable from the internet. For example, maybe we have a corporate web server that internet users should be able to reach, or a corporate email server that internet users should be able to send email to. What we can do is have another security zone in our network called a DMZ, or demilitarized zone. It's in the DMZ where we put the servers that should be reachable from the internet on specific ports. There is still some security there, but we are allowing very select traffic from the internet to come in.

That's what we have in this example. Firewall One protects the enterprise network not just from the internet, but also from the DMZ. Firewall Two protects the enterprise network and the DMZ together from the internet. With this security in place, let's take a look at the challenge it poses to a Cisco Unified Communications endpoint.

First, let's consider a Cisco Jabber client inside the enterprise network. When it comes up and attempts to register with a Cisco Unified Communications Manager (CUCM) server, it sends out a DNS request asking for the IP address of the CUCM server. That request hits an internal DNS server, which answers with the IP address of the CUCM server, and the Jabber client sets up a direct registration with the CUCM server.

However, what about a Jabber client out on the internet? How can it come in through the firewall, when its session originates on the internet and the firewalls protect us against exactly that? One option, and one that has been used for years, is to set up a VPN, a virtual private network, where we either have VPN software on the laptop running Cisco Jabber, or a router or some other device at our office that has set up a secure VPN connection with the enterprise network. That is a little more difficult to set up on the part of the end user; it adds a layer of complexity. So Cisco gives end users a much more elegant solution, and it uses Cisco Expressway to do that.

Here's what's happening. We have two Cisco Expressway servers. Notice that we have an Expressway-C server, which lives inside the enterprise network; the C stands for core, so it lives in the core of our network. We also have an Expressway-E server, and the E stands for edge. It sits at the edge of our network; here, it's in the DMZ. Since we can set up a session from the enterprise network to the DMZ, the Expressway-C server sets up a secure session, usually a TLS session, between itself and the Expressway-E server. This is an open pathway: if the Expressway-E server has something to send into the enterprise network, it can send it over that session, which was established by the Expressway-C server. So visualize that we now have an open path that permits bidirectional communication between those two Expressway servers.

Now let's consider Cisco Jabber out on the internet. It wants to get into the enterprise network and register with our CUCM server. It is not going to be able to resolve the IP address of that CUCM server, but from an external DNS server it can get the IP address of our Expressway-E server. It sends a registration message over to the Expressway-E server that lives in the DMZ. The Expressway-E server, remember, has an open communication channel with the Expressway-C server, which the Expressway-C server set up. It takes that registration message, sends it in to the Expressway-C server, and says, "Hey, we've got somebody out on the internet that wants to register with a Cisco Unified Communications Manager," and the Expressway-C server forwards it on to Cisco Unified Communications Manager. Now the Jabber client on the internet has successfully registered with the CUCM server in the enterprise network without the need for a VPN.

Since we were able to go through a firewall, and in this case a couple of firewalls, the term we give to that is firewall traversal. We're able to traverse a firewall, and firewalls oftentimes also do network address translation, where we translate between a publicly routable IP address on the internet and a private IP address in the enterprise network. So not only have we done firewall traversal, we may have also done NAT traversal. The specific feature that Cisco Expressway gives us, which you'll read about in the literature, is MRA, which stands for Mobile and Remote Access. In this example, I said that we have a Cisco Jabber client on the internet, and that is one device that can leverage Cisco Expressway. But another type of device is a Cisco TelePresence endpoint, or even some Cisco IP phones. They can also use Cisco Expressway.
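The following is an added simulation, not part of the course material and not Cisco's code, that models the registration paths just described: a stateful, zone-based firewall (standing in for both Firewall One and Firewall Two) that only admits flows initiated from a more-trusted zone or on an explicitly published DMZ port, plus reply traffic on sessions it has already seen. Split DNS, host names, and the port numbers are constructed for illustration; the point it shows is why the Expressway-C-initiated session is what lets the Expressway-E server push a remote registration inward, and what happens to a remote client that tries to reach CUCM directly.

```python
"""Constructed model of Expressway MRA firewall traversal (not Cisco code)."""
from dataclasses import dataclass, field

# Zones ordered by trust. A flow may be initiated toward an equally or
# less trusted zone (enterprise -> DMZ -> internet), never the other way,
# unless the destination port has been explicitly published.
TRUST = {"enterprise": 2, "dmz": 1, "internet": 0}

# Hypothetical hosts and the zone each one lives in.
HOSTS = {
    "cucm": "enterprise",
    "expressway-c": "enterprise",
    "expressway-e": "dmz",
    "jabber-internal": "enterprise",
    "jabber-remote": "internet",
}

# Split DNS: the internal resolver knows CUCM, the external one only the edge.
INTERNAL_DNS = {"cucm.example.com": "cucm", "exp-e.example.com": "expressway-e"}
EXTERNAL_DNS = {"exp-e.example.com": "expressway-e"}

# Illustrative ports only (constructed for this example).
PORT_MRA_EDGE = 8443      # remote clients -> Expressway-E
PORT_TRAVERSAL = 7001     # Expressway-C -> Expressway-E session
PORT_REGISTER = 5061      # registration toward CUCM


def resolve(name, zone):
    """Return the host a name resolves to from the given zone, or None."""
    table = INTERNAL_DNS if zone == "enterprise" else EXTERNAL_DNS
    return table.get(name)


@dataclass
class StatefulFirewall:
    # (dst_host, port) pairs deliberately exposed to less-trusted zones.
    published: set
    # Sessions already admitted; traffic in either direction may reuse them.
    established: set = field(default_factory=set)

    def permit(self, src, dst, port):
        """Admit a packet, recording new sessions; return True if it passes."""
        if (src, dst) in self.established or (dst, src) in self.established:
            return True  # reply or reuse on an existing session
        if TRUST[HOSTS[src]] >= TRUST[HOSTS[dst]] or (dst, port) in self.published:
            self.established.add((src, dst))
            return True
        return False  # initiated from a less-trusted zone: dropped


def register(client, fw, hops):
    """Walk a registration along (src, dst, port) hops; return the path or None."""
    path = [client]
    for src, dst, port in hops:
        if not fw.permit(src, dst, port):
            return None
        path.append(dst)
    return path


def scenario():
    """Run the four cases from the lecture and return their outcomes."""
    fw = StatefulFirewall(published={("expressway-e", PORT_MRA_EDGE)})
    out = {}

    # Internal Jabber: internal DNS answers, registration goes straight to CUCM.
    target = resolve("cucm.example.com", "enterprise")
    out["internal_direct"] = register(
        "jabber-internal", fw, [("jabber-internal", target, PORT_REGISTER)])

    # Remote Jabber cannot even resolve CUCM from the external resolver.
    out["remote_resolves_cucm"] = resolve("cucm.example.com", "internet")

    # Remote Jabber trying to reach CUCM directly is dropped at the firewall.
    out["remote_direct"] = register(
        "jabber-remote", fw, [("jabber-remote", "cucm", PORT_REGISTER)])

    # MRA: Expressway-C first opens the traversal session outward to E ...
    fw.permit("expressway-c", "expressway-e", PORT_TRAVERSAL)
    # ... then E relays the remote registration back over that session to C,
    # and C forwards it to CUCM.
    edge = resolve("exp-e.example.com", "internet")
    out["remote_mra"] = register("jabber-remote", fw, [
        ("jabber-remote", edge, PORT_MRA_EDGE),
        (edge, "expressway-c", PORT_TRAVERSAL),
        ("expressway-c", "cucm", PORT_REGISTER),
    ])

    # Same relay attempt on a firewall where C never opened the session: E,
    # sitting in the DMZ, cannot initiate a flow into the enterprise.
    fw_no_tunnel = StatefulFirewall(published={("expressway-e", PORT_MRA_EDGE)})
    out["remote_mra_no_tunnel"] = register("jabber-remote", fw_no_tunnel, [
        ("jabber-remote", edge, PORT_MRA_EDGE),
        (edge, "expressway-c", PORT_TRAVERSAL),
        ("expressway-c", "cucm", PORT_REGISTER),
    ])
    return out


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:24s} -> {result}")
```

Running it prints the two paths that succeed (internal direct, and remote via E and C) and `None` for the direct remote attempt, the unresolvable CUCM name, and the relay with no C-initiated session. The last case is the one worth remembering from a defender's view: the only thing that lets DMZ-to-enterprise traffic in is a session the inside host opened first, so Expressway-C, not the edge, decides when that path exists.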