Cisco Expressway – The First Step Towards a VPN-less Enterprise – Part 2


In this second part focused on VCS Expressway configuration, I will be detailing our current lab environment and providing specific configurations to make it all work. When I was initially tasked with deploying Expressway some 3+ months ago, I desperately searched for an article showing me why it was done a certain way and how to do it, I came up completely empty. As we all know, the esteemed collaboration documentation in Cisco land is so convoluted that finding a definitive answer to a problem is a major undertaking. The only rational response to this was to go out, deploy it own my own, and learn the do’s and dont’s. This article is for those folks.

NOTE: This is geared towards MRA (Mobile and Remote Access) and not Jabber Guest. If you are wanting to deploy both products, another set of Expressways is required.

Lets get a few pre-requisited out of the way first. If you are reading this, chances are, you already have these.

  • CUCM 10.X
  • Jabber Client (Windows or Mac)
  • Access to DNS for your organization (Internal and External)
  • Access to Public CA (Certificate Authority) to issue certificates
  • VCS OVA file

Before we can start configuring anything, we need to get the OVA files deployed and licensed. Log into vSphere and select File >Deploy OVF Template. From the properties window, assign an IP address. Boom! OVAs are deployed. Now onto to initial configuration. After you log into the GUI for the first time you are presented with multiple alarms in the top right hand corner. The most important one being to change the root password. SSH to your expressway servers you just deployed and login with Username:admin and Password: TANDBERG. Type passwd and type your new favorite password. Once we’re all set with the pre-requisites, we’re now ready to start setup.

Next up is to get these licensed. As mentioned in my previous post, I went over licenses you would need but not to much detail.



  • LIC-EXP-RMS is your release key to get that annoying alarm from popping up
  • LIC-EXP-TURN will enable TURN Relay Option
  • LIC-EXP-E enables the Expressway-E feature
  • LIC-EXP-AN enables the Advanced Network feature, giving you the ability to do dual NICs

After applying licenses you will see something interesting happen. VCS will change to either Expressway-C or Expressway-E. More or less, this is all the verification you need to ensure you applied the correct ones.

Screen Shot 2015-08-23 at 8.54.24 PM Screen Shot 2015-08-23 at 8.55.02 PM

Now that everything is deployed and licensed, we can start making stuff work. As a good rule of thumb, I like to make sure all the small stuff is complete before I tackle big projects. Same principle is applied here. In my previous post, I detailed the DNS SRV records you will need, below are the actual records you should see on both external and internal DNS servers. As this may vary greatly depending on who hosts your DNS externall or how you manage it internally these may not mean much. However, all records are needed.

Internal-SRV Records

Screen Shot 2015-08-23 at 8.40.15 PM

Screen Shot 2015-08-23 at 8.40.25 PM

Internal-A Record

Screen Shot 2015-08-23 at 8.44.23 PM

Screen Shot 2015-09-03 at 1.08.09 PM

External-SRV Record

Screen Shot 2015-08-23 at 8.42.18 PM

Screenshot 2016-03-15 15.12.05.png

External-A Record

Screen Shot 2015-08-23 at 8.42.04 PM


Got it? Cool. Thats the DNS piece of this. Since so much of the “just making it work” magic depends on DNS, this step is crucial. One of the quick and dirty ways I used during my journey was this command:

tail -f /Users/<username>/Library/Logs/Jabber/jabber.log

Entered into a Terminal window on OSX will show you everything thats going on with your Jabber client when troubleshooting. Really helpful when you have no clue whats wrong.

Typically, this is the part where I insert a hyperlink to an administration guide and tell you Good Luck! Fortunately, I have lots of time and really want to make someones life easier. Lets start with Expressway-E. The Expressway-E is configured with a traversal server zone to receive communications from the Expressway-C in order to allow inbound and outbound calls to traverse your NATd device. The Expressway-E is exposed to the outside world and is essentially your gateway of communication with Jabber clients outside the VPN network. Below are configurations for creating Zones. Go into Configuration >Zones>Zones>New. When the window comes up, select Traversal Server. For what we are doing, the default settings are fine. It goes without saying that since we are creating the Traversal Server on the E, then we need to repeat this similar process on the C, except using Traversal Client. This communication can be secure or not. For a lab, it doesnt really matter, however, I recommend securing it with certificates over TLS. Just a simple check box and some certificates. Like most things, setting up a 2-way communication between devices will require some credentials. The username/password will be the credentials of the neighboring machine.

Next is Domains. On the Expressway-C under Configuration >Domains is where we will start. It may seem simple, but the domains you will be listing here are those that will be used to sign into the Jabber client. Typically, this is only one, but if your organization has multiple or you use an ad-hoc made up internal domain this is where you will put it. 

Certificates also play a large role in this. Certificates are used by end devices, such as laptops or mobile phones to ensure you are who you say you are.

  • Expressway-C
  • Generate a CSR (Certificate Signing Request) with the FQDN of the host and domain to be used for login
  • Expressway-E
  • Generate a CSR (Certificate Signing Request) with theFQDN of the host and domain to be used for login

The respective CSRs will need to go to your CA of choice. After your CA has sent you back the certificates, they will need to be uploaded to the locations below

Maintenance>Security Certificates>Server Certificate

  • Place the server certificate here

Maintenance>Security Certificates>Trusted CA certificate

  • Place both the Intermediate and Trusted Root certificates here

NOTE: Make sure to Whitelist your Unity Connection server, and any other servers that Jabber will need access to. Unity Connection requires this for Visual Voicemail.

After the Traversal Zone is up and certificates are installed, we are now ready to test connectivity. I recommend testing from an outside network that uses a DNS server other than your internal. If all is well you should see a successful login!

I hope this has been a helpful article in getting your VPN-less obsession rolling. As more and more Enterprises look to simplify adminsitration and tighten security, solutions like Expressway are going to be cropping all up over the place. As always, if you have any question/concerns/opinions feel free to drop a comment below.