Thursday, July 15, 2021

Integrating WebEx Calling and Communications Manager Express 1/2

Cisco now supports WebEx Calling locations that use Cloud Connected PSTN to also integrate with a local gateway (CUBE) for on-net dialing to a PBX. The new trunk, route group, and dial plan configuration options in the WebEx Control Hub facilitate this. Cisco has guides published that reference the configuration to support Communications Manager as that PBX specifically. These two posts will take it in a slightly different direction and explore integrating with Communications Manager Express. While not explicitly called out as supported by Cisco, I've had success with the integration with a little assistance from Cisco TAC. This integration may help folks migrating off of existing CME deployments and onto WebEx Calling.

This first post will call out some caveats I ran into at a high level. The second post of two will go into more detail about how I addressed the caveats.


The Communications Manager Express (WebEx local gateway / CUBE) requires a security license. While this makes sense now, it wasn't explicitly called out in the documentation and I missed this requirement initially. The documentation does say, "The trunk between the local gateway and the Webex cloud is always secured using SIP TLS transport and SRTP for media between the local gateway and the Webex Calling Access SBC". Read: get a security license on that CUBE (along with the CUBE licensing that is stated as required in the documentation).

The CME phone directory numbers will by default register to the WebEx Control Hub. This can cause confusion/issues with the trunk authentication between the CUBE and the WebEx Control Hub. The first time I integrated a CME it didn't present as an issue, but the second time I integrated one the trunk wouldn't authenticate. Cisco TAC requested that I remove the registration from the CME phone directory numbers to the WebEx Control Hub.

The WebEx Calling location in the WebEx Control Hub needs to have a main phone number associated with it. "You will not be able to make or receive calls until this number is added." Even though this location will not host phones in the WebEx Control Hub, the WebEx Calling location must have a main number defined or the location will not process calls.

The CME dial-peers directed at the WebEx cloud didn't present the SIP signaling in a way that the WebEx cloud expected to see it. Cisco TAC suggested hair-pinning the dial peers to obfuscate CME from WebEx Calling. We also needed to do a little bit of dial-plan manipulation, prefixing digits so that the CUBE didn't drop the calls as a "loop". Technically, TAC said CME isn't specifically called out as being supported; however, this workaround allowed the SIP signaling to present to the WebEx cloud in the way they typically expect to see it.

Monday, February 8, 2021

Bulk Update WLC WebAuth Certificate

It's that time again. I’m updating the webauth cert for a good number of WLCs. The newer WLC code has an option to generate a certificate signing request directly from the WLC. While that option is great for a single WLC, it is cumbersome repeating the process to update a large number of WLCs. Instead, I'll trade off by spending more time upfront preparing one certificate file I can use on all of the WLCs. I’m going with the good ol' OpenSSL method to generate a CSR for a wildcard cert. I’ll have it signed by a public CA, then combine the device cert, intermediate CA cert, and root CA cert. Then I’ll massage it with OpenSSL to include the private key (created by OpenSSL during the CSR process). That version of the certificate file will then be uploaded to all of the different WLCs in the organization.

The Tech Note write-up from Cisco with the specific CLI commands for OpenSSL is at the following URL.

Document Name: Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC

Document ID: 109597
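
The workflow described in this post, as a script. This is an added example, not code from the original post or from the Cisco Tech Note; the function names, file names and the `WLC_CERT_PASS` environment variable are assumptions. It refuses to build the file if the private key does not match the signed certificate or the chain does not verify.

```bash
#!/usr/bin/env bash
# Added example. File names, function names and WLC_CERT_PASS are assumptions.

# Step 1: private key + CSR for a wildcard name (key is left unencrypted here).
make_wildcard_csr() {  # usage: make_wildcard_csr DOMAIN KEY_OUT CSR_OUT
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.$1" \
          -keyout "$2" -out "$3" 2>/dev/null )
}

# Guard: the signed certificate must carry the public key of our private key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Steps 2-3: check the pieces, chain them, then fold in the private key.
build_wlc_bundle() {  # usage: build_wlc_bundle KEY DEVICE INTERMEDIATE ROOT OUT
    local key="$1" dev="$2" int="$3" root="$4" out="$5" tmp rc
    [ -n "${WLC_CERT_PASS:-}" ] ||
        { echo "export WLC_CERT_PASS first" >&2; return 3; }
    key_matches_cert "$key" "$dev" ||
        { echo "private key does not match device cert" >&2; return 1; }
    openssl verify -CAfile "$root" -untrusted "$int" "$dev" >/dev/null 2>&1 ||
        { echo "device cert does not chain to the root" >&2; return 2; }
    tmp=$(mktemp -d) || return 4
    # Same order as in the post: device cert, intermediate CA, root CA.
    cat "$dev" "$int" "$root" > "$tmp/all-certs.pem"
    # PEM -> PKCS#12 (adds the key) -> PEM again, key now password-protected.
    openssl pkcs12 -export -in "$tmp/all-certs.pem" -inkey "$key" \
        -out "$tmp/all-certs.p12" -passout env:WLC_CERT_PASS &&
    ( umask 077
      openssl pkcs12 -in "$tmp/all-certs.p12" -out "$out" \
          -passin env:WLC_CERT_PASS -passout env:WLC_CERT_PASS 2>/dev/null )
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Because the same wildcard key ends up on every WLC, treat both the unencrypted key from step 1 and the final file as secrets and store them accordingly.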

Tuesday, January 12, 2021

Wildcard Cert ASA

Happy New Year! Here's to hoping 2021 is a great year!


This is a quick reminder to myself on how to import wildcard SSL certs into an ASA. I refer to "Tony's Geek stuff" and the great write-up there. Please see the following URL.


Also, the ASDM allowed me to generate a CSR and I was able to generate a wildcard certificate against that CSR. If I'm still supporting ASAs next year this should prove to come in handy.

