Preferred Architecture for Cisco Webex Hybrid Services
Cisco Preferred Architectures provide tested and recommended deployment models for specific market segments based on common use cases. They incorporate a subset of products from the Cisco Collaboration portfolio that is best suited for the targeted market segment and defined use cases. These deployment models are prescriptive, out-of-the-box, and built to scale with an organization as its business needs change. This prescriptive approach simplifies the integration of multiple system-level components and enables an organization to select the deployment model that best addresses its business needs.
The following types of Cisco documents describe and explain the Preferred Architectures:
Figure 1 illustrates how to use the PA guides.
Figure 1 Preferred Architecture Documentation
The Preferred Architecture for Webex Hybrid Services is for:
Readers of this guide should have a general knowledge of Cisco Collaboration products and services along with a basic understanding of how to deploy those products.
This guide simplifies the design and sales process by:
For detailed information about configuring, deploying, and implementing this architecture, consult the related CVD documents for the Cisco Collaboration Preferred Architectures.
More and more, organizations are choosing collaboration services from the cloud because cloud services:
Many organizations, however, are unable or unwilling to move all their services to the cloud. Often, they are not ready to replace everything they have on-premises, or they simply want to augment their current collaboration tools with those from the cloud. But having tools from both the cloud and the premises can create inconsistent, disjointed user experiences.
Cisco solves this problem with Webex Hybrid Services. These services connect what you have on-premises with Webex in the cloud to provide a single integrated experience. If you like the capabilities of Webex, you can integrate those capabilities with what you currently have deployed for an even better end-user and administrator experience.
The Preferred Architecture (PA) for Webex Hybrid Services is a Cisco Validated Design (CVD) in the Preferred Architectures umbrella that was created as a supplement to the PA for Cisco Collaboration Enterprise on-premises deployments. It requires many of the same products and infrastructure as well as the architecture and planning incorporated in the PA for on-premises deployments. Therefore, we expect you to follow and implement the latest version of the Preferred Architecture for Cisco Collaboration Enterprise On-Premises Deployments, available at https://www.cisco.com/go/pa, prior to deploying the PA for Webex Hybrid Services.
As part of implementing the PA for Webex Hybrid Services, there are a number of products and integrations covered in the latest version of the Preferred Architecture for Cisco Collaboration Enterprise On-Premises Deployments that overlap with, and thus are not part of, the PA for Webex Hybrid Services. The areas of overlap include Cisco Meeting Server, Cisco Unified Communications Manager IM and Presence Service, and Cisco Jabber. This does not mean that these products and services cannot be deployed in an environment with Webex Hybrid Services, but that this PA for Webex Hybrid Services will not discuss or treat any design considerations around these on-premises products and services when they overlap with those included in the Webex Hybrid Services solution.
Organizations want to streamline their business processes, optimize employee productivity, and enhance relationships with partners and customers. The Preferred Architecture (PA) for Webex Hybrid Services delivers capabilities that enable organizations to realize immediate gains in productivity and enhanced relationships. Additionally, the following technology use cases offer organizations opportunities to develop new, advanced business processes that deliver even more value in these areas:
Webex Hybrid Services provide:
The Preferred Architecture (PA) for Webex Hybrid Services provides end-to-end collaboration targeted for deployments where a Cisco Collaboration solution based on Cisco Unified Communications Manager has been deployed. This architecture incorporates high availability for critical applications. The consistent user experience provided by the overall architecture facilitates quick user adoption. Additionally, the architecture supports an advanced set of collaboration services that extend to mobile workers, partners, and customers through the following key services:
The PA for Webex Hybrid Services, illustrated in Figure 2, provides highly available and centralized on-premises and cloud services. These services extend easily to remote offices and mobile workers, providing availability of critical services even if communication to headquarters is lost. Centralized on-premises and cloud-based services also simplify management and administration of an organization's collaboration deployment.
Figure 2 Preferred Architecture for Webex Hybrid Services
Table 1 lists the products in this architecture. For simplicity, products are grouped into modules to help categorize and define their roles. The content in this guide is organized in the same modules.
The PA for Webex Hybrid Services provides high availability for all deployed on-premises applications by means of the underlying clustering mechanism present in all Cisco Unified Communications applications. Clustering replicates the administration and configuration of deployed applications to backup instances of those applications. Likewise, cloud services are natively redundant by virtue of elastic computing and highly available service distribution within the cloud platform.
If an instance of an application or service fails, Cisco on-premises and cloud-based services (such as endpoint registration, call processing, messaging, and many others) continue to operate on the remaining instance(s) of the application or service. This failover process is transparent to the users. In addition to clustering, the PA for Webex Hybrid Services provides high availability through the use of redundant power, network connectivity, and elastic storage.
In the PA for Webex Hybrid Services, the following cloud services are deployed redundantly:
Sizing a deployment can become complex for large enterprises with sophisticated requirements. The Preferred Architecture for Webex Hybrid Services, Cisco Validated Design (CVD) Guide, presents some examples that simplify the sizing process.
Details about the individual licenses for the endpoints and infrastructure components in the Preferred Architecture for Webex Hybrid Services are beyond the scope of this document. For information about licensing, see the Cisco Collaboration Flex Plan.
Cisco Collaboration endpoints provide a wide range of features, functionality, and user experiences. Because Cisco endpoints range from low-cost, single-line phones and soft clients to presentation, whiteboard, and multi-screen Cisco video endpoints, an organization can deploy the right variety of endpoints to meet users' needs (Figure 3). Additionally, these devices enable users to access multiple communication services such as:
Figure 3 Architecture for Endpoints
In the PA for Webex Hybrid Services, both Cisco Unified Communications Manager (Unified CM) on-premises call control and Webex provide endpoint registration and collaboration services.
We recommend the endpoints listed in the following tables because they provide optimal features for this design. Cisco has a range of Collaboration Endpoints with various features and functionality that an organization can also use to address its business needs.
The PA for Webex Hybrid Services includes the following foundational functionality and services that underlie the entire Webex Hybrid Services solution:
The web-hosted Webex Control Hub, available at https://admin.webex.com/, is used to administer and manage the organization's Webex Hybrid Services.
This basic feature of the Webex App and the Webex platform provides one-to-one and group messaging with file sharing. This feature delivers persistent instant messaging with Webex spaces, where users can message and share files.
Webex Meetings provides audio and video conferencing with content sharing by leveraging the Webex conferencing service. Webex Meetings builds upon the messaging and file sharing capabilities of Webex Messaging. Webex Meetings also enables advanced features such as meeting recording and permanent Personal Meeting Rooms (PMR) to provide users with personalized permanent voice and video meeting spaces. Users can join conferences using Webex devices as well as Webex App and Webex Meetings.
The Cisco Expressway-C Connector Host is a standard Cisco Expressway-C server deployed within the customer's organization to provide an integration point between the on-premises and cloud collaboration services. The integration between the Cisco Expressway-C server and Webex is facilitated via micro-services installed and managed on the Expressway-C Connector Host by Webex. These micro-services enable hybrid services integration.
The Management Connector is included in the Expressway-C base software and is used by the administrator to register Expressway to Webex and to link the Expressway interface with the Webex management interfaces.
All of these services and components are relevant for the deployment of the PA for Webex Hybrid Services and will be referenced as appropriate in the remainder of this document.
Webex Hybrid Directory Service is the common identity component for any hybrid deployment. It provides a common directory shared between the enterprise and Webex through synchronization of the on-premises Microsoft Active Directory and Webex. This enables synchronization not only of users but also of resources such as enterprise room systems.
Cisco Directory Connectors are deployed on-premises. They communicate and synchronize over the enterprise network with Microsoft Active Directory, and they communicate over the Internet to Webex (Figure 4).
Figure 4 Architecture for Webex Hybrid Directory Service
Table 6 lists the roles of the Cisco Hybrid Directory Service components in this architecture and the services they provide.
Provides user and resource synchronization between Microsoft Active Directory and Webex
Provides the full list of corporate resources and users and their attributes
Webex Hybrid Directory Service enables an administrator to populate the identity store of their company's Webex organization with users and resources from their corporate Microsoft Active Directory. Once the cloud identity store for the company's organization has been populated, administrators can easily manage Webex corporate user accounts. Administrators may configure user accounts, enable specific features, and provision users for collaboration services within the Webex organization.
As shown in Figure 5, Cisco Directory Connectors synchronize with Microsoft Active Directory using Microsoft application programming interfaces (APIs) over the on-premises network. At the same time, Cisco Directory Connectors push directory data and communicate over the Internet through the secure enterprise boundary and corporate firewall with the cloud identity service within Webex. HTTPS is used for communications between Cisco Directory Connectors and Webex.
Figure 5 Hybrid Enterprise Directory Integration
The Directory Connector servers run on Microsoft Windows Servers and must be actively joined to the Active Directory domain. (See the Deployment Guide for Cisco Directory Connector for the latest version support information.) A read-only administrator account is used to authenticate the Directory Connector to the Windows domain.
The customer organization administrator must log in to Control Hub and download the Directory Connector software to the Windows servers. Once Directory Connectors are installed and configured, synchronization takes place, and users and resources are pushed to the Webex identity store for the customer's organization through HTTPS connections. Because these are outbound connections from the Cisco Directory Connectors to the Internet, they do not require any inbound ports to be opened on the internal or external firewall.
Directory Connectors are configured to pull information from the Microsoft Active Directory. (See the Deployment Guide for Cisco Directory Connector for the latest version support information.) Directory information can be pulled from the entire domain or from specific containers and organizational units. It is also possible to create LDAP filters if more granularity is needed.
Users log in to Webex App via their email address, which corresponds to the mail LDAP attribute.
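The scoping described above (specific organizational units plus an LDAP filter) determines which identities leave the enterprise, so it is worth previewing before the first synchronization. The following is an added example, not Cisco's code or the Directory Connector's own filter: a small evaluator for LDAP filter syntax run over constructed entries, where the filter, the `example.com` names and all helper names are assumptions.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # Active Directory bitwise-AND matching rule
# Hypothetical filter: users with a mail value, not disabled (bit 2 = ACCOUNTDISABLE).
SYNC_FILTER = f"(&(objectClass=user)(mail=*)(!(userAccountControl:{BIT_AND}:=2)))"
BASE = "DC=example,DC=com"  # placeholder domain
# Constructed sample objects: (relative DN, mail or None, userAccountControl).
_SAMPLE = [
    ("CN=Alice,OU=Staff", "alice@example.com", 512),
    ("CN=Bob,OU=Staff", "bob@example.com", 514),              # 512 | 2: disabled
    ("CN=svc-backup,OU=Service", None, 512),                  # no mail attribute
    ("CN=Boardroom,OU=Rooms", "boardroom@example.com", 512),  # room system
    ("CN=Carol,OU=Contractors", "carol@example.com", 512),
]
ENTRIES = [{"dn": f"{rdn},{BASE}", "objectClass": ["user"],
            "userAccountControl": [str(uac)], **({"mail": [mail]} if mail else {})}
           for rdn, mail, uac in _SAMPLE]

def parse(f, i=0):
    """Parse one parenthesised filter starting at f[i]; return (node, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids:
            raise ValueError(f"malformed '{op}' group at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", f[i:end])
    if not m:
        raise ValueError(f"unsupported filter item: {f[i:end]!r}")
    return ("item", *m.groups()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter node against one entry's attributes."""
    if node[0] in "&|":
        results = [matches(k, entry) for k in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, want = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if rule == BIT_AND:
        return any((int(v) & int(want)) == int(want) for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    return bool(values) if want == "*" else any(v.lower() == want.lower() for v in values)

def sync_set(entries, bases, ldap_filter=SYNC_FILTER):
    """DNs under any base (subtree scope) that also satisfy the filter."""
    node, _ = parse(ldap_filter)
    suffixes = tuple("," + b.lower() for b in bases)
    return [e["dn"] for e in entries
            if e["dn"].lower().endswith(suffixes) and matches(node, e)]
```

Scoping to the Staff and Rooms OUs keeps the contractor, the disabled account and the mail-less service account out of the result, while widening the base to the whole domain pulls the contractor in.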
To deploy Webex Hybrid Directory Service in the PA for Webex Hybrid Services, we recommend the following:
Webex Hybrid Calendar Service enables enterprise calendar integration with Webex collaboration services. It provides calendar synchronization between on-premises Microsoft Exchange or cloud-based Microsoft 365 and Webex.
Cisco Calendar Connector is deployed on the on-premises Cisco Expressway-C Connector Host for on-premises Microsoft Exchange deployments. The Expressway-C Connector Host communicates and synchronizes over the enterprise network with Microsoft Exchange, and it communicates over the Internet to Webex (Figure 6).
Figure 6 Architecture for Cisco Webex Hybrid Calendar Service
In the case of cloud-based Microsoft 365 calendaring, a Webex cloud-based Calendar Connector communicates and synchronizes securely with the organization's Microsoft 365 environment.
Note: Although Webex Hybrid Calendar Service also supports integration to G Suite by Google Cloud, these integrations are not discussed or covered in this PA for Webex Hybrid Services. For information about these integrations, refer to the latest version of the Deployment Guide for Cisco Webex Hybrid Calendar Service, available at https://www.cisco.com/c/en/us/support/unified-communications/spark/products-installation-guides-list.html.
Table 7 lists the roles of the Webex Hybrid Calendar Service components in this architecture and the services they provide.
Webex Hybrid Calendar Service enables a tight integration between the user's enterprise Microsoft calendar, Microsoft Outlook invitations, and Webex Messaging. The Calendar Connector service provides two key features:
When @meet is added to the location field of an Outlook calendar invitation, Calendar Connector (on-premises or cloud) and the cloud calendar service create a Webex meeting and a new Webex collaboration space with a name that matches the invitation subject. All users in the calendar invitation are added to the Webex space and are invited to the meeting. This facilitates collaboration and allows the meeting organizer and attendees to communicate and share material prior to, during, and even after the meeting. If a calendar invitation includes a distribution list, users on the distribution list will not be added to the Webex space automatically; however, they will receive the meeting invitation.
When @webex is added to the location field of an Outlook calendar invitation, Calendar Connector (on-premises or cloud) automatically populates the invitation with the user's Webex Personal Room information.
Hybrid calendar integration also enables:
As shown in Figure 7, the Calendar Connector service running on the Expressway-C Connector Host synchronizes with Microsoft Exchange using Exchange Web Services (EWS) over the on-premises network. Alternatively, the Cloud Calendar Connector service in the Webex cloud synchronizes with the customer’s Microsoft/Office 365 organization using the Microsoft Graph API. At the same time, Calendar Connector (on-premises or cloud) pushes calendar data and communicates over the Internet through either the secure enterprise boundary and corporate firewall or the Microsoft/Office 365 data center to the calendar service within Webex. Calendar Connector also integrates with Webex Personal Rooms for @webex functionality. HTTPS is used for communications between Calendar Connector on the Expressway-C Connector Host and Webex. Because this is an outbound connection from the Cisco Calendar Connector to the Internet, it does not require any inbound ports to be opened on the internal or external firewall.
Figure 7 Hybrid Enterprise Calendar Integration
Note: As shown in Figure 7, the on-premises Expressway-C Connector Host does not pair with the Expressway-E server and, in the case of hybrid calendar integration, does not rely on Expressway-C and Expressway-E firewall traversal capabilities to communicate with Webex.
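Both the Directory Connector and the Calendar Connector are described as making only outbound HTTPS connections, so any firewall rule that lets an external source reach a connector host is unnecessary exposure. The following added example (not part of the Cisco guide) audits a constructed first-match rule set for that condition; the addresses, rule format and function names are assumptions.

```python
import ipaddress as ip

# Assumed, constructed addresses for the on-premises connector hosts.
CONNECTORS = {"directory-connector": "10.10.5.21", "expressway-c-connector": "10.10.5.30"}
INTERNAL = ip.ip_network("10.0.0.0/8")  # assumed enterprise address space
CLOUD_PROBE = "203.0.113.10"            # documentation address standing in for a cloud endpoint

# Constructed first-match rule set; port None means any port.
RULES = [
    {"id": 1, "src": "10.10.5.0/24", "dst": "0.0.0.0/0", "port": 443, "action": "allow"},
    {"id": 2, "src": "0.0.0.0/0", "dst": "10.10.5.30/32", "port": 443, "action": "allow"},
    {"id": 3, "src": "10.0.0.0/8", "dst": "10.10.5.0/24", "port": 22, "action": "allow"},
    {"id": 4, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None, "action": "deny"},
]

def covers(cidr, addr):
    """True when addr falls inside the rule's CIDR block."""
    return ip.ip_address(addr) in ip.ip_network(cidr)

def decide(rules, src, dst, port):
    """First matching rule wins; unmatched traffic is denied."""
    for r in rules:
        if covers(r["src"], src) and covers(r["dst"], dst) and r["port"] in (None, port):
            return r["action"], r["id"]
    return "deny", None

def inbound_exposure(rules, connectors=CONNECTORS, internal=INTERNAL):
    """Allow rules whose source is not purely internal and whose destination
    covers a connector host, reported as (rule id, connector name)."""
    findings = []
    for r in rules:
        if r["action"] != "allow" or ip.ip_network(r["src"]).subnet_of(internal):
            continue
        findings += [(r["id"], name) for name, addr in connectors.items()
                     if covers(r["dst"], addr)]
    return findings

def outbound_https(rules, connectors=CONNECTORS):
    """Whether each connector can open TCP/443 to an external address."""
    return {name: decide(rules, addr, CLOUD_PROBE, 443)[0] == "allow"
            for name, addr in connectors.items()}
```

On the sample rules, rule 2 is flagged as inbound exposure of the Expressway-C Connector Host, and removing it leaves outbound HTTPS from both connectors intact.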
Calendar Connector is configured to pull calendar and meeting information from Microsoft Exchange using an impersonation account. (For the latest version support information, see the Deployment Guide for Webex Hybrid Calendar Service.) This meeting information is used to create the appropriate Webex Teams meeting and space with all invitees (@meet) and a Webex personal meeting room (@webex).
For more information about Webex Hybrid Calendar Service, consult the Deployment Guide for Webex Hybrid Calendar Service.
To deploy Webex Hybrid Calendar Service in the PA for Webex Hybrid Services, we recommend the following:
Webex Hybrid Call Service provides the integration of Cisco Unified Communications call services with Webex call services. The PA for Webex Hybrid Call Service includes Cisco Unified Communications Manager (Unified CM), Cisco Expressway-C and Expressway-E, and the Webex Device Connector (Figure 8).
The hybrid calling architecture consists of two main calling features:
Figure 8 Architecture for Webex Hybrid Call Service
Table 8 lists the roles of the components in this architecture and the services they provide.
A key component of Webex Hybrid Call Service is the Webex Device Connector, hosted on a PC (Windows or Mac). Webex Device Connector provides Webex Edge for Devices calling configuration and provisioning for Webex Devices.
By deploying and provisioning Webex devices with the appropriate call routing configuration on Control Hub, Unified CM, and Expressway, these Unified CM-registered room systems integrate with the same user experience as a cloud-registered device.
This architecture also introduces hybrid calling for Webex with the application registering directly to Unified CM for enterprise calling capabilities. With hybrid calling for Webex Teams (Unified CM), the Webex App fully integrates with enterprise call control, enabling enterprise calling to reach other enterprise users and devices as well as the PSTN. Further, Webex App users who are outside the enterprise are able to securely access these enterprise calling capabilities with Expressway mobile and remote access.
Figure 9 illustrates the architecture for Webex Hybrid Call Service.
Figure 9 Architecture for Webex Hybrid Call Service
The following guidelines apply to the architecture shown in Figure 9:
Webex Hybrid Calling enables integration of both Webex devices and Webex App with enterprise calling.
In the case of Webex devices, room systems register to Cisco Unified CM. Calls are routed through Unified CM except in the case where the destination is a Webex meeting. In this case the call will be routed through Webex, bypassing Unified CM and Expressway. Cisco Unified CM, Expressway, and Webex perform the following operations as shown in Figure 10:
Figure 10 Hybrid Calling Integration: Webex Devices
In the case of Webex App, the application will register to Unified CM for call services. Note that Webex App continues to leverage Webex services from the cloud including messaging and meeting. Cisco Unified CM and Expressway perform the following operations as shown in Figure 11:
Figure 11 Hybrid Calling Integration: Webex App (Unified CM)