Preferred Architecture for Cisco Webex Hybrid Services, Design Overview (October 22, 2021)
Available Languages
Table of Contents
Preferred Architecture for Cisco Webex Hybrid Services
Documentation for Preferred Architectures
The Benefits of Webex Hybrid Services
Webex Hybrid Calling Architecture
Preface
Cisco Preferred Architectures provide tested and recommended deployment models for specific market segments based on common use cases. They incorporate a subset of products from the Cisco Collaboration portfolio that is best suited for the targeted market segment and defined use cases. These deployment models are prescriptive, out-of-the-box, and built to scale with an organization as its business needs change. This prescriptive approach simplifies the integration of multiple system-level components and enables an organization to select the deployment model that best addresses its business needs.
Documentation for Preferred Architectures
The following types of Cisco documents describe and explain the Preferred Architectures:
- Preferred Architecture (PA) Design Overview Guides help customers and sales teams select the appropriate architecture based on an organization's business requirements; understand the products that are used within the architecture; and obtain general design best practices. These guides support pre-sales processes.
- Preferred Architecture Cisco Validated Design (CVD) Guides are post-sales documents that describe the Preferred Architectures in detail, provide design and deployment recommendations and best practices, and outline the PA deployment procedures and steps at a high level.
- Alternative Design Guides are post-sales documents that describe optional designs that can be deployed as alternatives to the Preferred Architectures described in the PA overview guides and CVDs. The alternative design always starts with the main PA as a foundation and builds upon it; therefore, each alternative design guide should be used in conjunction with its corresponding PA overview guide and CVD.
Figure 1 illustrates how to use the PA guides.
Figure 1 Preferred Architecture Documentation
About This Guide
The Preferred Architecture for Webex Hybrid Services is for:
- Sales teams that design and sell collaboration solutions
- Customers and sales teams who want to understand the overall hybrid architecture, its components, and general design best practices
Readers of this guide should have a general knowledge of Cisco Collaboration products and services along with a basic understanding of how to deploy those products.
This guide simplifies the design and sales process by:
- Recommending products and services in the Cisco Collaboration portfolio that are built for the enterprise and that provide appropriate feature sets for this market
- Detailing a collaboration architecture and identifying general best practices for deploying in enterprise organizations
For detailed information about configuring, deploying, and implementing this architecture, consult the related CVD documents for the Cisco Collaboration Preferred Architectures.
Introduction
More and more, organizations are choosing collaboration services from the cloud because cloud services:
- Are easier and faster to deploy
- Don't require the upfront capital investment of on-premises systems
- Provide predictable recurring expenditures through subscription-based user licensing
- Can free up IT staff to focus on other priorities
Many organizations, however, are unable or unwilling to move all their services to the cloud. Often, they are not ready to replace everything they have on-premises, or they simply want to augment their current collaboration tools with those from the cloud. But having tools from both the cloud and the premises can create inconsistent, disjointed user experiences.
Cisco solves this problem with Webex Hybrid Services. These services connect what you have on-premises with Webex in the cloud to provide a single integrated experience. If you like the capabilities of Webex, you can integrate those capabilities with what you currently have deployed for an even better end-user and administrator experience.
The Preferred Architecture (PA) for Webex Hybrid Services is a Cisco Validated Design (CVD) in the Preferred Architectures umbrella that was created as a supplement to the PA for Cisco Collaboration Enterprise on-premises deployments. It requires many of the same products and infrastructure as well as the architecture and planning incorporated in the PA for on-premises deployments. Therefore we expect you to follow and implement the latest version of the Preferred Architecture for Cisco Collaboration Enterprise On-Premises Deployments, available at https://www.cisco.com/go/pa, prior to deploying the PA for Webex Hybrid Services.
As part of implementing the PA for Webex Hybrid Services, there are a number of products and integrations covered in the latest version of the Preferred Architecture for Cisco Collaboration Enterprise On-Premises Deployments that overlap with, and thus are not part of, the PA for Webex Hybrid Services. The areas of overlap include Cisco Meeting Server, Cisco Unified Communications Manager IM and Presence Service, and Cisco Jabber. This does not mean that these products and services cannot be deployed in an environment with Webex Hybrid Services, but that this PA for Webex Hybrid Services will not discuss or treat any design considerations around these on-premises products and services when they overlap with those included in the Webex Hybrid Services solution.
Technology Use Cases
Organizations want to streamline their business processes, optimize employee productivity, and enhance relationships with partners and customers. The Preferred Architecture (PA) for Webex Hybrid Services delivers capabilities that enable organizations to realize immediate gains in productivity and enhanced relationships. Additionally, the following technology use cases offer organizations opportunities to develop new, advanced business processes that deliver even more value in these areas:
- Meetings — Bring people together to create, communicate, and collaborate in one continuous work stream before, during, and after the meeting so that teams can be more effective while using any mobile or video device. Invite others to join meetings from their desk, a branch office, their homes, or the road with Webex App or on their Cisco on-premises endpoint or room device.
- Messaging — Exchange messages and share files with another person or a group of people. Message anyone; choose someone from your company directory or simply enter an email address and start messaging customers, partners, or anyone you need to work with.
- Calling — Webex App includes cloud-based calling. With the Webex App, you can make calls to any other Webex App user in any company, as well as calls to any endpoint or room device deployed in your Cisco Enterprise on-premises solution. You can make and receive calls from a phone connected to the Webex service in the office or from the Webex App on your mobile phone or desktop. When integrated with Webex Hybrid Services, Webex App also supports enterprise dialing habits such as numerical dialing to on-premises endpoints and the PSTN. (PSTN connectivity is provided through Cisco Unified Communications Manager deployed on the enterprise premises.)
- Enhanced user experience — The Webex App is central to Webex. The application gives the user the ability to access, use, and control the meetings, messaging, whiteboarding, and calling capabilities of Webex, depending on the user's license entitlement. Users can also share content when in a meeting, when messaging, or while on a call. The Webex App is how users access the service on their smartphones, via a browser, or via a dedicated application on their Mac or Windows PC.
- Incorporate video, desktop sharing, and persistent messaging into meetings — Improve communications, relationships, and productivity by making it easier to meet face-to-face over distance.
- Extend telephony with video — Facilitate face-to-face video communications directly from end-user phones or softphone applications.
- Support teleworkers and branch offices — Let employees work from multiple locations, whether satellite offices, home offices, or over the Internet when mobile.
- Collaborate with external organizations — Easily share information, interact in real time, and communicate using technologies beyond email and phones.
- Create flexible work areas and office spaces — Scale office space and create work areas that foster employee inclusiveness, collaboration, innovation, and teamwork.
The Benefits of Webex Hybrid Services
Webex Hybrid Services provide:
- Consistent, unified user experience — End users and IT administrators get the best of cloud and on-premises technology. Webex Hybrid Services combine the cloud and on-premises services for an integrated experience. Examples include the ability to share your desktop instantly, automatic directory synchronization, and simplified scheduling of meetings.
- Easier transition to the cloud — Webex Hybrid Services help your organization take advantage of Cisco Collaboration cloud-based services without discarding your existing on-premises investments. Instead, you can integrate them together for a better user experience and move to cloud services as and when you like.
- High level of security — Security is integral to Webex and its hybrid services. Cisco has used its extensive experience gained from securing the world's largest networks. Combining this knowledge with the hardware and the software elements of our market-leading communications and cloud services, we've built Webex and its hybrid capabilities to be secure from the ground up.
Architectural Overview
The Preferred Architecture (PA) for Webex Hybrid Services provides end-to-end collaboration targeted for deployments where a Cisco Collaboration solution based on Cisco Unified Communications Manager has been deployed. This architecture incorporates high availability for critical applications. The consistent user experience provided by the overall architecture facilitates quick user adoption. Additionally, the architecture supports an advanced set of collaboration services that extend to mobile workers, partners, and customers through the following key services:
- Voice and video communications
- Messaging
- Meetings that incorporate high-definition video, web conferencing, whiteboarding and content sharing capabilities
- Services for mobile and remote workers
The PA for Webex Hybrid Services, illustrated in Figure 2, provides highly available and centralized on-premises and cloud services. These services extend easily to remote offices and mobile workers, providing availability of critical services even if communication to headquarters is lost. Centralized on-premises and cloud-based services also simplify management and administration of an organization's collaboration deployment.
Figure 2 Preferred Architecture for Webex Hybrid Services
Table 1 lists the products in this architecture. For simplicity, products are grouped into modules to help categorize and define their roles. The content in this guide is organized in the same modules.
High Availability
The PA for Webex Hybrid Services provides high availability for all deployed on-premises applications by means of the underlying clustering mechanism present in all Cisco Unified Communications applications. Clustering replicates the administration and configuration of deployed applications to backup instances of those applications. Likewise, cloud services are natively redundant by virtue of elastic computing and highly available service distribution within the cloud platform.
If an instance of an application or service fails, Cisco on-premises and cloud-based services (such as endpoint registration, call processing, messaging, and many others) continue to operate on the remaining instance(s) of the application or service. This failover process is transparent to the users. In addition to clustering, the PA for Webex Hybrid Services provides high availability using of redundant power, network connectivity, and elastic storage.
In the PA for Webex Hybrid Services, the following cloud services are deployed redundantly:
Sizing Considerations
Sizing a deployment can become complex for large enterprises with sophisticated requirements. The Preferred Architecture for Webex Hybrid Services, Cisco Validated Design (CVD) Guide, presents some examples that simplify the sizing process.
Licensing
Details about the individual licenses for the endpoints and infrastructure components in the Preferred Architecture for Webex Hybrid Services are beyond the scope of this document. For information about licensing, see the Cisco Collaboration Flex Plan.
Endpoints
Cisco Collaboration endpoints provide a wide range of features, functionality, and user experiences. Because Cisco endpoints range from low-cost, single-line phones and soft clients to presentation, whiteboard, and multi-screen Cisco video endpoints, an organization can deploy the right variety of endpoints to meet users' needs (Figure 3). Additionally, these devices enable users to access multiple communication services such as:
Figure 3 Architecture for Endpoints
Recommended Deployment
In the PA for Webex Hybrid Services, both Cisco Unified Communications Manager (Unified CM) on-premises call control and Webex provide endpoint registration and collaboration services.
We recommend the endpoints listed in the following tables because they provide optimal features for this design. Cisco has a range of Collaboration Endpoints with various features and functionality that an organization can also use to address its business needs.
Webex Core Services
The PA for Webex Hybrid Services includes the following foundational functionality and services that underlie the entire Webex Hybrid Services solution:
The web hosted online Webex Control Hub, available at https://admin.webex.com/, is used to administer and manage the organization's Webex Hybrid Services.
This basic feature of the Webex App and the Webex platform provides one-to-one and group messaging with file sharing. This feature delivers persistent instant messaging with Webex spaces, where users can message and share files.
Webex Meetings provides audio and video conferencing with content sharing by leveraging the Webex conferencing service. Webex Meetings builds upon the messaging and file sharing capabilities of Webex Messaging. Webex Meetings also enables advanced features such as meeting recording and permanent Personal Meeting Rooms (PMR) to provide users with personalized permanent voice and video meeting spaces. Users can join conferences using Webex devices as well as Webex App and Webex Meetings.
The Cisco Expressway-C Connector Host is a standard Cisco Expressway-C server deployed within the customer's organization to provide an integration point between the on-premises and cloud collaboration services. The integration between the Cisco Expressway-C server and Webex is facilitated via micro-services installed and managed on the Expressway-C Connector Host by Webex. These micro-services enable hybrid services integration.
The Management Connector is included in the Expressway-C base software and is used by the administrator to register Expressway to Webex and to link the Expressway interface with the Webex management interfaces.
All of these services and components are relevant for the deployment of the PA for Webex Hybrid Services and will be referenced as appropriate in the remainder of this document.
Hybrid Directory Service
Webex Hybrid Directory Service is the common identity component for any hybrid deployment. It provides a common directory shared between the enterprise and Webex through synchronization of the on-premises Microsoft Active Directory and Webex. This enables synchronization not only of users but also of resources such as enterprise room systems.
Cisco Directory Connectors are deployed on-premises. They communicate and synchronize over the enterprise network with Microsoft Active Directory, and they communicate over the Internet to Webex (Figure 4).
Figure 4 Architecture for Webex Hybrid Directory Service
Table 6 lists the roles of the Cisco Hybrid Directory Service components in this architecture and the services they provide.
Provides user and resource synchronization between Microsoft Active Directory and Webex |
||
Provides the full list of corporate resources and users and their attributes |
Webex Hybrid Directory Service enables an administrator to populate the identity store of their company's Webex organization with users and resources from their corporate Microsoft Active Directory. Once the cloud identity store for the company's organization has been populated, administrators can easily manage Webex corporate user accounts. Administrators may configure user accounts, enable specific features, and provision users for collaboration services within the Webex organization.
As shown in Figure 5, Cisco Directory Connectors synchronize with Microsoft Active Directory using Microsoft application programming interfaces (APIs) over the on-premises network. At the same time, Cisco Directory Connectors push directory data and communicate over the Internet through the secure enterprise boundary and corporate firewall with the cloud identity service within Webex. HTTPS is used for communications between Cisco Directory Connectors and Webex.
Figure 5 Hybrid Enterprise Directory Integration
The Directory Connector servers run on Microsoft Windows Servers and must be actively joined to the Active Directory domain. (See the Deployment Guide for Cisco Directory Connector for the latest version support information.) A read-only administrator account is used to authenticate the Directory Connector to the Windows domain.
The customer organization administrator must log in to Control Hub and download the Directory Connector software to the Windows servers. Once Directory Connectors are installed and configured, synchronization takes place and users, and resources are pushed to the Webex identity store for the customer's organization through HTTPS connections. Because these are outbound connections from the Cisco Directory Connectors to the Internet, they do not require any inbound ports to be opened on the internal or external firewall.
Directory Connectors are configured to pull information from the Microsoft Active Directory. (See the Deployment Guide for Cisco Directory Connector for the latest version support information.) Directory information can be pulled from the entire domain or from specific containers and organizational units. It is also possible to create LDAP filters if more granularity is needed.
Users log in to Webex App via their email address, which corresponds to the mail LDAP attribute.
Recommended Deployment
To deploy Webex Hybrid Directory Service in the PA for Webex Hybrid Services, we recommend the following:
- Webex users correlate to Unified CM end users by means of email addresses. For this reason, make sure that the end-user account mail ID field in the Unified CM End User database contains the user's email address. With LDAP directory integration, the mail ID field for Unified CM end users is typically mapped from the mail field of the LDAP directory during synchronization.
- When registering room systems as Webex devices, it is recommended to map an LDAP attribute (e.g. ipPhone) to the Webex attribute name sipAddresses;type-enterprise. Then, populate the mapped LDAP attribute with a unique full SIP URI (e.g. sip:conf_room01@ent-pa.com) for each device to ensure the Webex directory contains a dialable enterprise SIP URI for each room system.
- Install Directory Connectors and Active Directory Domain Service or Active Directory Lightweight Directory Services on separate Windows servers.
- After the Directory Connector installations finish, run a first synchronization. Then configure full synchronization and incremental synchronization schedules to keep the Directory Connectors (and in turn Webex) updated when user information changes (user update, deletion, or addition) within Microsoft Active Directory.
Webex Hybrid Calendar Service
Webex Hybrid Calendar Service enables enterprise calendar integration with Webex collaboration services. It provides calendar synchronization between on-premises Microsoft Exchange or cloud-based Microsoft 365 and Webex.
Cisco Calendar Connector is deployed on the Cisco Expressway-C Connector Host on-premises for on-premises Microsoft Exchange deployment. The Expressway-C Connector Host communicates and synchronizes over the enterprise network with Microsoft Exchange, and it communicates over the Internet to Webex (Figure 6).
Figure 6 Architecture for Cisco Webex Hybrid Calendar Service
In the case of cloud-based Microsoft 365 calendaring, a Webex cloud-based Calendar Connector communicates and synchronizes securely with the organizations Microsoft 365 environment.
Note
Although Webex Hybrid Calendar Service also supports integration to G Suite by Google Cloud, these integrations are not discussed or covered in this PA for Webex Hybrid Services. For information about these integrations, refer to the latest version of the Deployment Guide for Cisco Webex Hybrid Calendar Service, available at https://www.cisco.com/c/en/us/support/unified-communications/spark/products-installation-guides-list.html.
Table 7 lists the roles of the Webex Hybrid Calendar Service components in this architecture and the services they provide.
Webex Hybrid Calendar Service enables a tight integration between the user's enterprise Microsoft calendar, Microsoft Outlook invitations, and Webex Messaging. The Calendar Connector service provides two key features:
When @meet is added to the location field of an Outlook calendar invitation, Calendar Connector (on-premises or cloud) and the cloud calendar service create a Webex meeting and a new Webex collaboration space with a name that matches the invitation subject. All users in the calendar invitation are added to the Webex space and are invited to the meeting. This facilitates collaboration and allows the meeting organizer and attendees to communicate and share material prior to, during, and even after the meeting. If a calendar invitation includes a distribution list, users on the distribution list will not be added to the Webex space automatically; however, they will receive the meeting invitation.
When @webex is added to the location field of an Outlook calendar invitation, Calendar Connector (on-premises or cloud) automatically populates the invitation with the user's Webex Personal Room information.
Hybrid calendar integration also enables:
- Synchronization of users' Microsoft enterprise calendar with their Webex App calendar and meeting list
- Sharing of users' out-of-office status from Microsoft Outlook with Webex
As shown in Figure 7, the Calendar Connector service running on the Expressway-C Connector Host synchronizes with Microsoft Exchange using Exchange Web Services (EWS) over the on-premises network. Alternatively, the Cloud Calendar Connector service in the Webex cloud synchronizes with the customer’s Microsoft/Office 365 organization using the Microsoft Graph API. At the same time, Calendar Connector (on-premises or cloud) pushes calendar data and communicates over the Internet through either the secure enterprise boundary and corporate firewall or the Microsoft/Office 365 data center to the calendar service within Webex. Calendar Connector also integrates with Webex Personal Rooms for @webex functionality. HTTPS is used for communications between Calendar Connector on the Expressway-C Connector Host and Webex. Because this is an outbound connection from the Cisco Calendar Connector to the Internet, it does not require any inbound ports to be opened on the internal or external firewall.
Figure 7 Hybrid Enterprise Calendar Integration
Note As shown in Figure 7, the on-premises Expressway-C Connector Host does not pair with the Expressway-E server and, in the case of hybrid calendar integration, does not rely on Expressway-C and Expressway-E firewall traversal capabilities to communicate with Webex.
Calendar Connector is configured to pull calendar and meeting information from Microsoft Exchange using an impersonation account. (For the latest version support information, see the Deployment Guide for Webex Hybrid Calendar Service.) This meeting information is used to create the appropriate Webex Teams meeting and space with all invitees (@meet) and a Webex personal meeting room (@webex).
For more information about Webex Hybrid Calendar Service, consult the Deployment Guide for Webex Hybrid Calendar Service.
Recommended Deployment
To deploy Webex Hybrid Calendar Service in the PA for Webex Hybrid Services, we recommend the following:
- For on-premises calendar deployments, deploy a pair of dedicated Cisco Expressway-C hosts using the Expressway-C OVA. They will serve as your Cisco Expressway-C Connector Hosts. These Expressway-C servers do not pair with Expressway-E servers and, in the case of hybrid calendar integration, do not rely on Expressway-C and Expressway-E firewall traversal.
- The application impersonation role must be configured in Microsoft Exchange and Office 365 (in the case of hybrid Exchange/Office 365 environment) and is used in the Exchange Calendar Connector configuration on the Expressway-C interface. The application impersonation management role in Microsoft Exchange enables applications to impersonate users in an organization to perform tasks on behalf of the users. The impersonation account does not have to be an administrator, but it must have a mailbox. In the case of cloud Calendar Connector, a global administrator must initially sign in the tenant to grant application permissions, once that happens, the Microsoft Graphs API is used to subscribe to and receive notifications for changes made to users’ calendars.
Webex Hybrid Call Service
Webex Hybrid Call Service provides the integration of Cisco Unified Communications call services with Webex call services. The PA for Webex Hybrid Call Service includes Cisco Unified Communications Manager (Unified CM), Cisco Expressway-C and Expressway-E, and the Webex Device Connector (Figure 8).
The hybrid calling architecture consists of two main calling features:
- Hybrid Calling for Webex devices and phones: enabling video room systems to make and receive calls using the same enterprise dialing used by endpoints directly registered with Unified CM. Webex devices are also registered to Webex to get the best of both worlds. This architecture is referred to as “Webex Edge for Devices” and is facilitated through the use of Cisco Webex Device Connector as provisioning tool. We will refer to these endpoints as “Webex-linked devices”.
- Hybrid Calling for Webex App (Unified CM): enabling Webex users to make and receive calls using the Webex App directly registered to Unified CM. Cisco Webex Device Connector is not required for Webex App.
Figure 8 Architecture for Webex Hybrid Call Service
Table 8 lists the roles of the components in this architecture and the services they provide.
A key component of Webex Hybrid Call Service is the Webex Device Connector, hosted on a PC (Windows or Mac). Webex Device Connector provides Webex Edge for Devices calling configuration and provisioning for Webex Devices.
By deploying and provisioning Webex devices with the appropriate call routing configuration on Control Hub, Unified CM, and Expressway, these Unified CM registered room systems integrate with the same user experience of a cloud-registered device.
This architecture also introduces hybrid calling for Webex with the application registering directly to Unified CM for enterprise calling capabilities. With hybrid calling for Webex Teams (Unified CM), the Webex App fully integrates with enterprise call control enabling enterprise calling to reach other enterprise users and devices as well as the PSTN. Further, Webex App users who are outside the enterprise are able to securely access these enterprise calling capabilities with Expressway mobile and remote access.
Recommended Deployment
Figure 9 illustrates the architecture for Webex Hybrid Call Service.
Figure 9 Architecture for Webex Hybrid Call Service
The following guidelines apply to the architecture shown in Figure 9:
- Webex App connects to Unified CM using SIP and to Webex using the native protocol. Calls to numeric destinations are routed through Unified CM, calls to Webex services are routed by Webex
- Webex devices and Webex App connect over the Internet to Webex services for meetings using their native protocol. Calls to meetings are routed by Webex and do not require Unified CM or Expressway
- Webex devices connect to Unified CM using SIP. Point-to-point calls are routed via Unified CM and Expressway
- A Webex device dialing into a Webex meeting sends sRTP traffic to Webex directly
- A Webex device dialing any point-to-point destination will send the sRTP directly to the other party if the party is on the same network, or through Expressway if it is on another network
- Webex App sends media (RTP or sRTP) directly to the far-end endpoint (or bridge or gateway). This might involve Expressway if the far-end is on another network sRTP for calls to Webex services are always sent via Webex
- Webex Device Connector connects to Unified CM using AXL and to Webex over the Internet using HTTPS for provisioning.
- Cisco Unified CM connects to Expressway-C and Expressway-E for firewall traversal using SIP.
- Redundant configurations of Cisco Unified CM, Expressway-C, and Expressway-E are recommended.
Webex Hybrid Calling Architecture
Webex Hybrid Calling enables integration of both Webex devices and Webex App with enterprise calling.
In the case of Webex devices, room systems register to Cisco Unified CM. Calls are routed through Unified CM except in the case where the destination is a Webex meeting. In this case the call will be routed through Webex, bypassing Unified CM and Expressway. Cisco Unified CM, Expressway, and Webex perform the following operations as shown in Figure 10:
- Calls placed from a Webex-linked device are routed through Unified CM. If the call is for a Webex meeting, this call will be routed via Webex.
Figure 10 Hybrid Calling Integration: Webex Devices
In the case of Webex App, the application will register to Unified CM for call services. Note that Webex App continues to leverage Webex services from the cloud including messaging and meeting. Cisco Unified CM and Expressway perform the following operations as shown in Figure 11:
- Enterprise or PSTN originated calls to the Webex App user's enterprise number will be extended via SIP (or SIP TLS). Once answered, the media will traverse directly between the Webex App and the calling user/device. The calling device may be a desk phone registered to Unified CM (see #1) or another enterprise registered Webex App and that application might be connected over Expressway mobile and remote access (see #2).
- Calls placed from an enterprise registered Webex App destined for a specific enterprise or PSTN number are extended by Unified CM to the called device or user (just like any other registered endpoint). Once answered, the media will travel directly between the application and the called device or user (see #1).
Figure 11 Hybrid Calling Integration: Webex App (Unified CM)
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)