Mobile And Remote Access Through Expressway; Deployment Scenarios - Cisco 7800 Series Administration Manual

Cisco IP Phone Administration

Mobile and Remote Access Through Expressway

Mobile and Remote Access Through Expressway lets remote workers easily and securely connect into the
corporate network without using a virtual private network (VPN) client tunnel. Expressway uses Transport
Layer Security (TLS) to secure network traffic. For a phone to authenticate an Expressway certificate and
establish a TLS session, a public Certificate Authority that the phone firmware trusts must sign the Expressway
certificate. It is not possible to install or trust other CA certificates on phones for authenticating an Expressway
certificate.
The list of CA certificates embedded in the phone firmware is available at
http://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-phone-7800-series/products-technical-reference-list.html.
Mobile and Remote Access Through Expressway works with Cisco Expressway. You must be familiar with
the Cisco Expressway documentation, including the Cisco Expressway Administrator Guide and the Cisco
Expressway Basic Configuration Deployment Guide. Cisco Expressway documentation is available at
http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/tsd-products-support-series-home.html.
Only the IPv4 protocol is supported for Mobile and Remote Access Through Expressway users.
For additional information about working with Mobile and Remote Access Through Expressway, see:
• Cisco Preferred Architecture for Enterprise Collaboration, Design Overview
• Cisco Preferred Architecture for Enterprise Collaboration, CVD
• Unified Communications Mobile and Remote Access via Cisco VCS Deployment Guide
• Cisco TelePresence Video Communication Server (VCS), Configuration Guides
During the phone registration process, the phone synchronizes the displayed date and time with the Network
Time Protocol (NTP) server. With Mobile and Remote Access Through Expressway, the DHCP option 42
tag is used to locate the IP addresses of the NTP servers designated for time and date synchronization. If the
DHCP option 42 tag is not found in the configuration information, the phone looks for the
0.tandberg.pool.ntp.org tag to identify the NTP servers.
After registration, the phone uses information from the SIP message to synchronize the displayed date and
time unless an NTP server is configured in the Cisco Unified Communications Manager phone configuration.
Note
If the phone security profile for any of your phones has TFTP Encrypted Config checked, you cannot use the
phone with Mobile and Remote Access. The MRA solution does not support device interaction with Certificate
Authority Proxy Function (CAPF).

Deployment Scenarios

The following table shows various deployment scenarios for Mobile and Remote Access Through Expressway.
Scenario
On-premises user logs in to the enterprise network,
after deploying Mobile and Remote Access Through
Expressway.
Cisco IP Phone 7800 Series Administration Guide for Cisco Unified Communications Manager
Mobile and Remote Access Through Expressway
Actions
The enterprise network is detected, and the phone
registers with Cisco Unified Communications
Manager as it would normally.
135