Monday, 18 September 2017

Cisco Meeting Server – Integrating Core and Edge CMA and WebRTC


Call flow diagram (how the call flow works between Core and Edge):

In this lab, the following services run on the Core server:
  • XMPP
  • Call Bridge
  • Webadmin
The following services run on the Edge, where no license is required:
  • Loadbalancer
  • TURN
  • Web Bridge
  • SIP Edge


Certificates

CMS-Edge


CMS-Core

Enable Loadbalancer on CMS-Edge

edge1.voicelab.ca> loadbalancer create Edge1toLB
edge1.voicelab.ca> loadbalancer auth Edge1toLB voicelab.key voicelab.cer voicelab.cer
edge1.voicelab.ca> loadbalancer trunk Edge1toLB a:4999
edge1.voicelab.ca> loadbalancer public Edge1toLB a:5222 lo:5222
edge1.voicelab.ca> loadbalancer enable Edge1toLB
edge1.voicelab.ca> loadbalancer list
*** Edge1toLB
Trunk interface         : a:4999
Public interface        : a:5222
Public interface        : lo:5222
Enabled                 : true
TLS private key         : voicelab.key
TLS public cert         : voicelab.cer
TLS trusted certs       : voicelab.cer


Enable TURN on CMS-Edge

edge1.voicelab.ca> turn credentials turnuser PASSWORD voicelab.ca
edge1.voicelab.ca> turn listen a
edge1.voicelab.ca> turn public-ip PUBLIC_IP
edge1.voicelab.ca> turn enable
edge1.voicelab.ca> turn
Enabled       : true
Username      : turnuser
Password      : YOUR_TURN_PASSWORD
Realm         : voicelab.ca
Public IP     : PUBLIC_IP
Relay address : 10.38.0.41
Listen interface a


If the TURN credentials are incorrect, the following debug message appears on the Core server:
call 1353: ICE failure 4 (unauthorized - check credentials)
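To triage this message in practice, here is an added Python example (not part of the original post) that parses Call Bridge log lines in the format quoted above and flags when the unauthorized failure spans several calls, which points at the shared TURN credentials rather than a single client. The timestamp prefix and all lines other than the quoted one are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of Call Bridge log lines. The "ICE failure 4" text is the
# message quoted in the post; timestamps and the other lines are made up here.
SAMPLE_LOG = """\
2017-09-18 14:02:11.120 Info call 1353: ICE failure 4 (unauthorized - check credentials)
2017-09-18 14:02:11.455 Info call 1353: ICE failure 4 (unauthorized - check credentials)
2017-09-18 14:03:02.001 Info call 1354: ICE failure 7 (no candidates)
2017-09-18 14:03:09.388 Info call 1355: media stream established
2017-09-18 14:04:40.902 Info call 1356: ICE failure 4 (unauthorized - check credentials)
"""

# Matches the format shown in the post: "call <id>: ICE failure <code> (<reason>)"
ICE_FAILURE_RE = re.compile(
    r"call (?P<call>\d+): ICE failure (?P<code>\d+) \((?P<reason>[^)]*)\)"
)

def parse_ice_failures(log_text):
    """Return (call_id, code, reason) for every ICE failure line in the log."""
    failures = []
    for line in log_text.splitlines():
        m = ICE_FAILURE_RE.search(line)
        if m:
            failures.append((int(m.group("call")), int(m.group("code")), m.group("reason")))
    return failures

def summarize_ice_failures(log_text):
    """Group failures by code: line count, sorted distinct call ids, reason text."""
    by_code = defaultdict(lambda: {"lines": 0, "calls": set(), "reason": ""})
    for call_id, code, reason in parse_ice_failures(log_text):
        entry = by_code[code]
        entry["lines"] += 1
        entry["calls"].add(call_id)
        entry["reason"] = reason
    return {code: {"lines": e["lines"], "calls": sorted(e["calls"]), "reason": e["reason"]}
            for code, e in by_code.items()}

def turn_credentials_suspect(log_text, min_calls=2):
    """True when code 4 (unauthorized) hits at least `min_calls` distinct calls.
    One failing call may be a single bad client; the same failure across several
    calls points at the TURN credentials configured on the Edge not matching
    those the Core uses for that TURN server."""
    summary = summarize_ice_failures(log_text)
    return len(summary.get(4, {"calls": []})["calls"]) >= min_calls

if __name__ == "__main__":
    for code, info in sorted(summarize_ice_failures(SAMPLE_LOG).items()):
        print(f"ICE failure {code} ({info['reason']}): {info['lines']} lines, calls {info['calls']}")
    print("TURN credential mismatch suspected:", turn_credentials_suspect(SAMPLE_LOG))
```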

Enable Webbridge on CMS-Edge

edge1.voicelab.ca> webbridge certs voicelab.key voicelab.cer voicelab_root.cer
edge1.voicelab.ca> webbridge trust voicelab.cer
edge1.voicelab.ca> webbridge listen a
edge1.voicelab.ca> webbridge http-redirect enable
edge1.voicelab.ca> webbridge
Enabled                 : true
Interface whitelist     : a:443
Key file                : voicelab.key
Certificate file        : voicelab.cer
CA Bundle file          : voicelab_root.cer
Trust bundle            : voicelab.cer
HTTP redirect           : Enabled
Clickonce URL           : none
MSI download URL        : none
DMG download URL        : none
iOS download URL        : none


Enable SIPEdge on CMS-Edge

edge1.voicelab.ca> sipedge public a:5061
edge1.voicelab.ca> sipedge public-ip EDGE_PUBLIC_IP
edge1.voicelab.ca> sipedge private a:3061
edge1.voicelab.ca> sipedge certs voicelab.key voicelab.cer
edge1.voicelab.ca> sipedge
Enabled                 : true
Public interface        : a:5061 (NAT address XXX.XXX.XXX)
Private interfaces      : a:3061
Certificate             : voicelab.cer
Key                     : voicelab.key
Trusted certificates    : voicelab_root.cer

Enable Trunk on CMS-Core

callbridge1.voicelab.ca> trunk create trunktoEdge1 xmpp
callbridge1.voicelab.ca> trunk auth trunktoEdge1 voicelab.key voicelab.cer voicelab.cer
callbridge1.voicelab.ca> trunk edge trunktoEdge1 edge1.voicelab.ca 4999
callbridge1.voicelab.ca> trunk enable trunktoEdge1
callbridge1.voicelab.ca> trunk list
*** trunktoEdge1
Enabled                 : true
Edge name               : edge1.voicelab.ca
Edge port               : 4999
Local port              : 5222
TLS private key         : voicelab.key
TLS public cert         : voicelab.cer
TLS trusted certs       : voicelab.cer
callbridge1.voicelab.ca> trunk debug trunktoEdge1
Trying to connect to trunk local service, port 5222
Success
Resolved name edge1.voicelab.ca to the following:
10.38.0.41:4999
Trying to connect to 10.38.0.41:4999
Connection created [10.38.0.41:4999 -> 10.41.40.116:60116]
Diagnostics request written to edge
Reading diagnostics
{
   "0": {
       "core": {
           "connection": "[::ffff:10.41.40.116:60112 -> ::ffff:10.38.0.41:4999]"
       }
   },
   "process": {
       "memory": {
           "size": "11875",
           "resident": "1817",
           "share": "1581",
           "text": "196",
           "lib": "0",
           "data": "345",
           "dt": "0"
       }
   }
}

Enable XMPP on CMS-Core

callbridge1.voicelab.ca> xmpp
Enabled                 : true
Clustered               : false
Domain                  : voicelab.ca
Listening interfaces    : a
Key file                : voicelab.key
Certificate file        : voicelab.cer
CA Bundle file          : voicelab_root.cer
Max sessions per user   : unlimited
STATUS                  : XMPP server running


Public DNS

Records shown in the original post:
  • Loadbalancer A record
  • XMPP record pointing to the loadbalancer
  • Webbridge record


7 comments:

  1. Hello.

    Have you tried to configure Expressway-E as the Edge server?

  2. Yes, please see the post here:

    https://colinzhong.blogspot.ca/2017/09/cisco-meeting-server-227-single.html

  3. Hello Colin,

    Can 1 CMS-Core work with 2 CMS-Edges? If two CMS-Edges are configured with Loadbalancer, TURN and Web Bridge, how does CMA select which Loadbalancer and TURN to connect to?

    Replies
    1. Good question. I guess there is no other way for internal only than to use an F5. Creating multiple A records will give round-robin lookups. You could also consider using Exp as TURN, but you will give up CMA.

    2. Hi Colin,
      If using 2 Exp that are configured as a cluster, and creating multiple SRV records with the same weight and priority, can the calls be load balanced to the Expressways? Some Cisco documents say that if CMS-Edges are used, CMA chooses the TURN server based on round-trip time. What happens if CMA chooses the TURN server on CMS-Edge2 but Callbridge chooses CMS-Edge2?

    3. I just copied the answer from the Cisco Community:
      https://community.cisco.com/t5/telepresence-and-video/cms-clustering-question/td-p/3185136

      Do I need to configure A records on internal and external DNS for CMS join WebRTC?

      R: Yes, but it depends on your topology.

      In my case, with 2 edge servers, do I need 2 A records pointing to both servers?

      R: Yes. You will have DNS round-robin characteristics.

      In case one of the edge servers is down, will the DNS automatically resolve to the second edge?

      R: When you have two DNS A records, both are returned and the DNS server may change the order randomly. The initiator will contact the first one and, in case it is not reachable, it will try the second one (but here it is the behavior of the session initiator). You may also decrease the TTL to speed up the order changes.

  4. So which certificates can be created as self-signed and which ones need to be created as PKI CSRs? Which ones should be signed by an internal CA and which ones by an external CA?
