Home Blog Local Gateway Deployment: Connect Webex Calling to On Prem PBX

Blog

May 8
Local Gateway Deployment: Connect Webex Calling to On Prem PBX
Posted by Freddy Tabet

The migration to cloud-based communication solutions offers significant advantages. However, organizations can maintain a measured pace and seamlessly integrate existing on-premises PBX or PSTN infrastructure with Webex Calling through Local Gateway Deployment. This approach allows you to capitalize on your previous investments while enjoying the benefits of cloud calling. 

In this blog, we will delve into the deployment process for Local Gateway, focusing on the registration-based trunk configuration method. 

Local Gateway Deployment: A Hybrid Solution 

Local Gateway bridges the gap between your on-premises environment and Webex Calling. It acts as a translator, seamlessly routing calls between your existing PBX or PSTN and the Webex cloud. This hybrid approach ensures a smooth transition to the cloud while preserving the functionality of your on-premises infrastructure. 

Registration-Based Trunk Configuration 

This blog will explore the registration-based trunk configuration for Local Gateway. We will provide a detailed explanation of this method, outlining the steps involved and best practices to ensure a successful implementation. 

Important Considerations: SIP Trunk Configuration 

It is important to note that this blog focuses on Local Gateway deployment and does not cover SIP trunk configuration on Call Manager. Separate configuration is required to define the SIP trunk with the appropriate port usage to avoid conflicts between the trunks connecting to your PSTN and Webex Calling. 

By following this guide and ensuring proper SIP trunk configuration, you can successfully deploy Local Gateway and establish a seamless connection between your on-premises environment and Webex Calling. 

Prerequisites, Requirements & Assumptions: 

  1. CUCM on premises
  2. Webex Calling deployment 
  3. On Premises CUBE 
  4. CUBE needs to a minimum release of Cisco IOS XE 16.12 or IOS-XE17.3 
  5. Only Cisco CUBEs Support Registration-Based Local Gateway. 
  6. Ensure you have a Layer 3 interface with routable IP addresses. 
  7. CUBE needs a DNS IP server configured on it for Domain Name Lookup 

 

Now we will go over configuring the requirements to complete the deployment: 

Step 1: Enable TLS and configure a Trust Point for SIP-UA 

configure terminal 

crypto pki trustpoint TLS-TP 

revocation-check crl 

exit 

 

sip-ua 

crypto signaling default trustpoint TLS-TP cn-san-validate server 

transport tcp tls v1.2 

tcp-retry 1000 

end 

 

Step 2: Update the Local Gateway trust Pool 

  1. We need to do this to include DigiCert ROOT CA or IdenTrust Commercial certificates that are needed to validate the server-side certificate during TLS connection with Webex Calling. 
  2. Download the latest “Cisco Trusted Core Root Bundle” http://www.cisco.com/security/pki/ 
  3. Or from the CUBE CLI: 
    crypto pki trustpool import clean url flash:ios_core.p7b
  4. Verify that those certificates are now included on the CUBE: 

 show crypto pki trustpool | include DigiCert 

cn=DigiCert Global Root CA 

o=DigiCert Inc 

cn=DigiCert Global Root CA 

o=DigiCert Inc 

 

show crypto pki trustpool | include IdenTrust Commercial 

cn=IdenTrust Commercial Root CA 1 

cn=IdenTrust Commercial Root CA 1 

 

Step 3: Revise the Port Reference Information for Webex Calling and Configure Voice Service VoIP 

 

  1. https://help.webex.com/en-us/article/b2exve/Port-Reference-Information-for-Webex-Calling
  2. Add the below IP subnets to the ip address trusted list under voice service voip: 

    voice service voip 

     ip address trusted list 

      ipv4 23.89.0.0 255.255.0.0 

      ipv4 85.119.56.0 255.255.254.0 

      ipv4 128.177.14.0 255.255.255.0 

      ipv4 128.177.36.0 255.255.255.0 

      ipv4 135.84.168.0 255.255.248.0 

      ipv4 139.177.64.0 255.255.248.0 

      ipv4 139.177.72.0 255.255.254.0 

      ipv4 144.196.33.0 255.255.255.128 

      ipv4 150.253.156.128 255.255.255.128 

      ipv4 150.253.209.128 255.255.255.128 

      ipv4 170.72.0.0 255.255.0.0 

      ipv4 170.133.128.0 255.255.192.0 

      ipv4 185.115.196.0 255.255.252.0 

      ipv4 199.19.196.0 255.255.254.0 

      ipv4 199.19.199.0 255.255.255.0 

      ipv4 199.59.64.0 255.255.248.0 

  3. Continue with the Voice Service VoIP Configuration 

    Voice service voip 

    media statistics 

     media bulk-stats 

     allow-connections sip to sip 

     no supplementary-service sip refer 

     no supplementary-service sip handle-replaces 

     fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none 

     stun 

      stun flowdata agent-id 1 boot-count 5 

      stun flowdata shared-secret 0 Password 123$ 

     sip 

      bind control source-interface GigabitEthernet0/0/0 

      bind media source-interface GigabitEthernet0/0/0 

      asymmetric payload full 

      early-offer forced 

      midcall-signaling passthru 

      privacy-policy passthru 

      g729 annexb-all 

Revise the following document for more details regarding the above configuration: 

https://help.webex.com/en-us/article/jr1i3r/Configure-Local-Gateway-on-Cisco-IOS-XE-for-Webex-Calling#id_100573 

 

Step 4: Configure SIP Profile 200 

 

  1. The role of this profile is modify SIP headers so that they  interoperate well with Webex Calling: 

     voice class sip-profiles 200 

    rule 9 request ANY sip-header SIP-Req-URI modify "sips:(.*)" "sip:\1" 

    rule 10 request ANY sip-header To modify "<sips:(.*)" "<sip:\1" 

    rule 11 request ANY sip-header From modify "<sips:(.*)" "<sip:\1" 

    rule 12 request ANY sip-header Contact modify "<sips:(.*)>" "<sip:\1;transport=tls>"  

    rule 13 response ANY sip-header To modify "<sips:(.*)" "<sip:\1" 

    rule 14 response ANY sip-header From modify "<sips:(.*)" "<sip:\1" 

    rule 15 response ANY sip-header Contact modify "<sips:(.*)" "<sip:\1" 

    rule 20 request ANY sip-header From modify ">" ";otg=hussain2572_lgu>" 

    rule 30 request ANY sip-header P-Asserted-Identity modify "sips:(.*)" "sip:\1" 

  2. We will later update the value for that otg in the sip profile 

 

Step 5: Configure Codec, STUN Definition and SRTP Crypto Suite 

voice class codec 99 

  codec preference 1 g711ulaw 

  codec preference 2 g711alaw 

  codec preference 3 opus 

 

voice class srtp-crypto 200 

 crypto 1 AES_CM_128_HMAC_SHA1_80 

voice class stun-usage 200 

 stun usage firewall-traversal flowdata 

 stun usage ice lite 

 

Step 6: Configure a Trunk on Webex Control Hub. 

  1. Login to admin.webex.com
  2. Go to Calling > Call Routing > Trunk > Add Trunk
  3. Select a location, enter a name, For type select Registration based.
  4. Click Save
  5. Make a snapshot or copy the information presented on the pop up window. 

Local Gateway Deployment: Connect Webex Calling to On Prem PBX

 

Step 7: Configure Voice Class Tenant 200 and adjust OTG in Voice Class sip-profiles 200 

  1. Based on the information you got after you created a trunk, configure the tenant and adjust sip-profiles 200.  Use below snapshot as a guide.
  2. For binding, use whatever interface is supposed to face Webex Calling. It could be a single interface that services both on prem CUCM and Cloud Webex Calling. 

Local Gateway Deployment: Connect Webex Calling to On Prem PBX

voice class tenant 200 

registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls  

credentials number Hussain6346_LGU username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks 

authentication username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks 

authentication username Hussain2572_LGU password 0 meX7]~)VmF realm 40462196.cisco-bcld.com 

no remote-party-id 

sip-server dns:40462196.cisco-bcld.com 

connection-reuse 

srtp-crypto 200 

session transport tcp tls  

url sips  

error-passthru 

asserted-id pai  

bind control source-interface GigabitEthernet0/0/1 

bind media source-interface GigabitEthernet0/0/1 

no pass-thru content custom-sdp  

sip-profiles 200  

outbound-proxy dns:la01.sipconnect-us10.cisco-bcld.com   

privacy-policy passthru 

 

Update the SIP profile 200 rule 20 to include the correct otg 

rule 20 request ANY sip-header From modify ">" ";otg=hussain2572_lgu>" 

This should take care about the integration between Webex Calling and Local Gateway. Not you should configure the dial-peers.  

 

Step 8: Create Voice Class tenant for Call Manager Dial-Peers 

voice class tenant 100  

session transport udp 

url sip 

error-passthru 

bind control source-interface GigabitEthernet0/0/0 

bind media source-interface GigabitEthernet0/0/0 

no pass-thru content custom-sdp 

 

Step 9: Configure Dial-Peers to enable Call Routing between Webex Calling and Call Manager

  1. Inbound/Outbound Dial-Peer for Webex Calling 

    dial-peer voice 201 voip 

    description Inbound/Outbound Webex Calling 

    destination-pattern BAD.BAD 

    session protocol sipv2 

    session target sip-server 

    voice-class codec 99 

    dtmf-relay rtp-nte 

    voice-class stun-usage 200 

    no voice-class sip localhost 

    voice-class sip tenant 200 

    srtp 

    no vad 

  2. Outbound dial-peer toward Call Manager 

    dial-peer voice 301 voip 

    description Outgoing dial-peer towards CUCM 

    destination-pattern BAD.BAD 

    session protocol sipv2 

    session server-group 301 

    voice-class codec 99 

    voice-class sip bind control source-interface GigabitEthernet 0/0/0 

    voice-class sip bind media source-interface GigabitEthernet 0/0/0 

    dtmf-relay rtp-nte 

    voice-class sip tenant 100 

    no vad 

    • Session server-group 301 would contain Call Manager IP addresses. 


  3. Incoming Dial-Peer for Call Manager Calls with Webex Calling as a destination: 

    dial-peer voice 300 voip 

    description Incoming dial-peer from CUCM for Webex Calling 

    session protocol sipv2 

    destination dpg 200 

    incoming uri via 300 

    voice-class codec 99 

    dtmf-relay rtp-nte 

    voice-class sip tenant 300 

    no vad 

 

Step 10: Create Dial-Peer Groups that tie Dial-Peers Together 

  1.  DPG 300 Ties Webex Incoming Dial-Peer to CUCM Outgoing Dial-Peer 

    voice class dpg 300 

    dial-peer 301 preference 1 

  2. DPG 200 Ties CUCM Incoming Dial-Peer to Webex Calling Outgoing Dial-Peer 

    voice class dpg 200 

    dial-peer 201 preference 1 

 

Step 11: Create URI 

  1. URI 300 to match incoming calls from CUCM going to Webex Calling 

    voice class uri 300 sip 

    pattern :5065 

  2. URI 200 to match calls coming from Webex Calling 

    voice class uri 200 sip 

    pattern dtg=hussain2572.lgu 

 

Step 12: Update Dial Peers with DPG and URIs 

dial-peer voice 201 voip 

description Inbound/Outbound Webex Calling 

max-conn 250 

destination dpg 300 

incoming uri request 200 

 

dial-peer voice 300 voip 

description Incoming dial-peer from CUCM for Webex Calling 

destination dpg 200 

incoming uri via 300 

 

This concludes the configuration you would need to set up communication between Webex Calling and Call Manager leveraging a Cisco CUBE. A reminder, a SIP trunk still needs to be configured from Call Manager pointing to this CUBE with a sip trunk security profile using port 5065.  

 For more information always revise the following links: 

 https://help.webex.com/en-us/article/jr1i3r/Configure-Local-Gateway-on-Cisco-IOS-XE-for-Webex-Calling#managing-cisco-ios-xe-gateways-through-control-hub 

 https://help.webex.com/en-us/article/b2exve 

 https://help.webex.com/en-us/article/n0xb944/Configure-trunks,-route-groups,-and-dial-plans-for-Webex-Calling 

 


As always if you have any questions and would like to schedule a free consultation with us, please reach out to us at sales@lookingpoint.com and we’ll be happy to help!
Contact Us

 

Written By:

Freddy Tabet, Network Engineer

subscribe to our blog

Get New Unique Posts