Preferred Architecture for Cisco Webex Hybrid Services, Design Overview

The document outlines the Preferred Architecture for Cisco Webex Hybrid Services, which provides deployment models for integrating on-premises and cloud collaboration solutions. It details the components, use cases, and benefits of the architecture, emphasizing a unified user experience and high availability. The guide serves as a resource for sales teams and customers to understand and implement Cisco's collaboration technologies effectively.

Uploaded by

gabe

Preferred Architecture for Cisco Webex Hybrid Services

Design Overview

First Published: June 14, 2016
Last Updated: September 14, 2018

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners.
The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2016-2018 Cisco Systems, Inc. All rights reserved.

Cisco Systems, Inc.


www.cisco.com

Preface
Cisco Preferred Architectures provide tested and recommended deployment models for specific market
segments based on common use cases. They incorporate a subset of products from the Cisco
Collaboration portfolio that is best suited for the targeted market segment and defined use cases. These
deployment models are prescriptive, out-of-the-box, and built to scale with an organization as its
business needs change. This prescriptive approach simplifies the integration of multiple system-level
components and enables an organization to select the deployment model that best addresses its business
needs.

Documentation for Preferred Architectures


The following types of Cisco documents describe and explain the Preferred Architectures:
• Preferred Architecture (PA) Design Overview guides help customers and sales teams select the
appropriate architecture based on an organization's business requirements; understand the products
that are used within the architecture; and obtain general design best practices. These guides support
pre-sales processes.
• Preferred Architecture Cisco Validated Design (CVD) guides provide details for deploying
components within the Cisco Preferred Architectures. These guides support planning, deployment,
and implementation.
• Solution Reference Network Design (SRND) guides provide detailed design options for Cisco
Collaboration. The SRND should be referenced when design requirements are outside the scope of
Cisco Preferred Architectures.
Figure 1 illustrates how to use the PA guides.

Figure 1 Preferred Architecture Documentation

[Figure: Preferred Architecture Overview Guides (pre-sales process, for on-premises and hybrid deployments) and Preferred Architecture Cisco Validated Design (CVD) Guides (post-sales process: Enterprise CVDs for on-premises and hybrid deployments; Midmarket CVDs for on-premises deployments).]


About This Guide


The Preferred Architecture for Cisco Webex Hybrid Services is for:
• Sales teams that design and sell collaboration solutions
• Customers and sales teams who want to understand the overall hybrid architecture, its components,
and general design best practices
Readers of this guide should have a general knowledge of Cisco Collaboration products and services
along with a basic understanding of how to deploy those products.
This guide simplifies the design and sales process by:
• Recommending products and services in the Cisco Collaboration portfolio that are built for the
enterprise and that provide appropriate feature sets for this market
• Detailing a collaboration architecture and identifying general best practices for deploying in
enterprise organizations
For detailed information about configuring, deploying, and implementing this architecture, consult the
related CVD documents for the Cisco Collaboration Preferred Architectures.

A New Collaboration Platform with a Familiar Name


Previously the Cisco Collaboration portfolio included two separate platforms: Cisco WebEx and Cisco
Spark. Cisco has now converged those two collaboration products into a single platform that is simpler
to use and provides a more uniform and enjoyable user experience than the two separate platforms, with
new and enhanced features as well. This new collaboration platform is called Cisco Webex.
The Cisco Spark application that has been incorporated into Webex is called Webex Teams. Some of the
features and functions described in this document still use the Cisco Spark name and terminology, but
that terminology will change with future releases of Cisco Webex.


Introduction
More and more, organizations are choosing collaboration services from the cloud because cloud
services:
• Are easier and faster to deploy
• Don't require the upfront capital investment of on-premises systems
• Provide predictable recurring expenditures through subscription-based user licensing
• Can free up IT staff to focus on other priorities
Many organizations, however, are unable or unwilling to move all their services to the cloud. Often, they
are not ready to replace everything they have on-premises, or they simply want to augment their current
collaboration tools with those from the cloud. But having tools from both the cloud and the premises can
create inconsistent, disjointed user experiences.
Cisco solves this problem with Webex Hybrid Services. These services connect what you have
on-premises with Webex Teams in the cloud to provide a single integrated experience. If you like the
capabilities of Webex Teams, you can integrate those capabilities with what you currently have deployed
for an even better end-user and administrator experience.
The Preferred Architecture (PA) for Webex Hybrid Services is a Cisco Validated Design (CVD) in the
Preferred Architectures umbrella that was created as a supplement to the PA for Cisco Collaboration
Enterprise on-premises deployments. It requires many of the same products and infrastructure as well as
the architecture and planning incorporated in the PA for on-premises deployments. Therefore we expect
you to follow and implement the latest version of the Preferred Architecture for Cisco Collaboration
Enterprise On-Premises Deployments, available at https://www.cisco.com/go/pa, prior to deploying the
PA for Webex Hybrid Services.
As part of implementing the PA for Webex Hybrid Services, there are a number of products and
integrations covered in the latest version of the Preferred Architecture for Cisco Collaboration Enterprise
On-Premises Deployments that overlap with, and thus are not part of, the PA for Webex Hybrid Services.
The areas of overlap include Cisco Meeting Server, Cisco Unified Communications Manager IM and
Presence Service, and Cisco Jabber. This does not mean that these products and services cannot be
deployed in an environment with Webex Hybrid Services, but that this PA for Webex Hybrid Services
will not discuss or treat any design considerations around these on-premises products and services when
they overlap with those included in the Webex Hybrid Services solution.

Technology Use Cases


Organizations want to streamline their business processes, optimize employee productivity, and enhance
relationships with partners and customers. The Preferred Architecture (PA) for Cisco Webex Hybrid
Services delivers capabilities that enable organizations to realize immediate gains in productivity and
enhanced relationships. Additionally, the following technology use cases offer organizations
opportunities to develop new, advanced business processes that deliver even more value in these areas:
• Meetings — Bring people together to create, communicate, and collaborate in one continuous work
stream before, during, and after the meeting so that teams can be more effective while using any
mobile or video device. Invite others to join meetings from their desk, a branch office, their homes,
or the road with Webex Teams or on their Cisco on-premises endpoint or room device.
• Messaging — Exchange messages and share files with another person or a group of people. Message
anyone; choose someone from your company directory or simply enter an email address and start
messaging customers, partners, or anyone you need to work with.

• Calling — Webex Teams includes cloud-based calling. With Webex Teams, you can make calls to
any other Webex Teams user in any company via SIP dialing, as well as calls to any endpoint or room
device deployed in your Cisco Enterprise on-premises solution. You can make and receive calls from
a phone connected to the Webex Teams service in the office or from the Webex Teams application
on your mobile phone or desktop. When integrated with Webex Hybrid Services, Webex Teams
applications also support enterprise dialing habits such as numerical dialing to on-premises
endpoints and the PSTN. (PSTN connectivity is provided through Cisco Unified Communications
Manager deployed on the enterprise premises.)
• Enhanced user experience — The Webex Teams application is central to Webex Teams. The
application gives the user the ability to access, use, and control the meetings, messaging, white
boarding, and calling capabilities of Webex Teams, depending on the user's license entitlement.
Users can also share content when in a meeting, when messaging, or while on a call. The Webex
Teams application is how users access the service on their smartphones, via a browser, or via a
dedicated application on their Mac or Windows PC.
• Incorporate video, desktop sharing, and persistent messaging into meetings — Improve
communications, relationships, and productivity by making it easier to meet face-to-face over
distance.
• Extend telephony with video — Facilitate face-to-face video communications directly from
end-user phones or softphone applications.
• Support teleworkers and branch offices — Let employees work from multiple locations, whether
satellite offices, home offices, or over the Internet when mobile.
• Collaborate with external organizations — Easily share information, interact in real time, and
communicate using technologies beyond email and phones.
• Create flexible work areas and office spaces — Scale office space and create work areas that foster
employee inclusiveness, collaboration, innovation, and teamwork.

The Benefits of Webex Hybrid Services


Cisco Webex Hybrid Services provide:
• Consistent, unified user experience — End users and IT administrators get the best of cloud and
on-premises technology. Webex Hybrid Services combine the cloud and on-premises services for an
integrated experience. Examples include the ability to share your desktop instantly, automatic
directory synchronization, and simplified scheduling of meetings.
• Easier transition to the cloud — Webex Hybrid Services help your organization take advantage of
Cisco Collaboration cloud-based services without discarding your existing on-premises
investments. Instead, you can integrate them together for a better user experience, and move to cloud
services as and when you like.
• High level of security — Security is integral to Webex Teams and its hybrid services. Cisco has
used its extensive experience gained from securing the world's largest networks. Combining this
knowledge with the hardware and the software elements of our market-leading communications and
cloud services, we've built Webex Teams and its hybrid capabilities to be secure from the ground up.


Architectural Overview
The Preferred Architecture (PA) for Cisco Webex Hybrid Services provides end-to-end collaboration
targeted for deployments where a Cisco Collaboration solution based on Cisco Unified Communications
Manager has been deployed. This architecture incorporates high availability for critical applications.
The consistent user experience provided by the overall architecture facilitates quick user adoption.
Additionally, the architecture supports an advanced set of collaboration services that extend to mobile
workers, partners, and customers through the following key services:
• Voice and video communications
• Messaging
• Meetings that incorporate high-definition video, web conferencing, and content sharing capabilities
• Services for mobile and remote workers
Because of the adaptable nature of Cisco endpoints and their support for IP networks, this architecture
enables an organization to use its current data network and the Internet to support both voice and video
calls. The Preferred Architecture (PA) provides a holistic approach to bandwidth management,
incorporating an end-to-end QoS architecture and video rate adaptation and resiliency mechanisms to
ensure the best possible user experience for deploying pervasive video over managed and unmanaged
networks.
The PA for Webex Hybrid Services, illustrated in Figure 2, provides highly available and centralized
on-premises and cloud services. These services extend easily to remote offices and mobile workers,
providing availability of critical services even if communication to headquarters is lost. Centralized
on-premises and cloud-based services also simplify management and administration of an organization's
collaboration deployment.


Figure 2 Preferred Architecture for Cisco Webex Hybrid Services

[Figure: architecture diagram. Labeled elements: Headquarters, Endpoints, Call Control (Unified Communications Manager), Directory (Cisco Directory Connector, Microsoft Active Directory), Calendar (Microsoft Exchange), Expressway-C Connector Host, Video Mesh (Video Mesh Nodes), Collaboration Edge (Expressway-C, Expressway-E, DMZ), Integrated/Aggregated Services Router, Integrated Services Router, MPLS WAN, PSTN, Enterprise Branch, Internet, Mobile/Teleworker, Third-Party Solution, Cisco Webex.]

Table 1 lists the products in this architecture. For simplicity, products are grouped into modules to help
categorize and define their roles. The content in this guide is organized in the same modules.


Table 1 Components of the Preferred Architecture for Cisco Webex Hybrid Services

| Module | Component | Description |
|---|---|---|
| Endpoints | Cisco IP Phones, Cisco Video Endpoints and Room Devices, and Cisco Webex Teams | Enable real-time message, meet, and voice/video communications for users |
| Cisco Webex Core Services | Cisco Webex Control Hub | Web portal that enables provisioning and management of Webex Teams users and services, registration of the Expressway-C Connector Host to Webex, Expressway connector upgrades, and registration of Webex calling devices |
| | Cisco Webex Teams Messaging | Provides persistent messaging and content sharing |
| | Cisco Webex Meetings | Provides audio/video meetings, with content sharing and web conferencing capabilities for meetings |
| | Cisco Expressway-C Connector Host Management Connector | Enables connectors hosted on Expressway-C to be managed by the Webex Control Hub |
| Cisco Webex Hybrid Directory Service | Cisco Directory Connector | Provides user synchronization between Microsoft Active Directory and Webex |
| | Microsoft Active Directory | Provides the full list of corporate users and their attributes |
| Cisco Webex Hybrid Calendar Service | Cisco Expressway-C Connector Host Calendar Connector | Provides integration between the enterprise calendaring application and Webex |
| | Microsoft Exchange | Provides corporate calendaring services |
| Cisco Webex Video Mesh | Cisco Webex Video Mesh Node | Provides on-premises media processing capabilities for Webex. This includes voice, video, and desktop sharing. |
| Cisco Webex Hybrid Call Service | Cisco Unified Communications Manager (Unified CM) | Provides endpoint registration, call processing, and media resource management |
| | Cisco Expressway-C Connector Host Call Connector | Provides integration between on-premises call processing services and Webex |
| | Cisco Expressway-C and Expressway-E | Enable interoperability and firewall traversal with Webex |


High Availability
The PA for Webex Hybrid Services provides high availability for all deployed on-premises applications
by means of the underlying clustering mechanism present in all Cisco Unified Communications
applications. Clustering replicates the administration and configuration of deployed applications to
backup instances of those applications. Likewise, cloud services are natively redundant by virtue of
elastic computing and highly available service distribution within the cloud platform.
If an instance of an application or service fails, Cisco on-premises and cloud-based services (such as
endpoint registration, call processing, messaging, and many others) continue to operate on the remaining
instance(s) of the application or service. This failover process is transparent to the users. In addition to
clustering, the PA for Webex Hybrid Services provides high availability through the use of redundant
power, network connectivity, and elastic storage.
In the PA for Webex Hybrid Services, the following cloud services are deployed redundantly:
• Cisco Webex Control Hub
• Cisco Webex Teams Messaging
• Cisco Webex Meetings

Sizing Considerations
Sizing a deployment can become complex for large enterprises with sophisticated requirements. The
Preferred Architecture for Cisco Webex Hybrid Services, Cisco Validated Design (CVD) Guide, presents
some examples that simplify the sizing process.

Licensing
Details about the individual licenses for the endpoints and infrastructure components in the Preferred
Architecture for Webex Hybrid Services are beyond the scope of this document. For information about
licensing, see the Cisco Collaboration Flex Plan.


Endpoints
Cisco Collaboration endpoints provide a wide range of features, functionality, and user experiences.
Because Cisco endpoints range from low-cost, single-line phones and soft clients to presentation, white
board, and multi-screen Cisco TelePresence endpoints, an organization can deploy the right variety of
endpoints to meet users' needs (Figure 3). Additionally, these devices enable users to access multiple
communication services such as:
• Voice and video calling
• Meetings
• Messaging
• Desktop and content sharing
• White boarding

Figure 3 Architecture for Endpoints

[Figure: architecture diagram with the same labeled elements as Figure 2.]


Recommended Deployment
In the PA for Webex Hybrid Services, both Cisco Unified Communications Manager (Unified CM)
on-premises call control and Cisco Webex provide endpoint registration and collaboration services.
We recommend the endpoints listed in the following tables because they provide optimal features for this
design. Cisco has a range of Collaboration Endpoints with various features and functionality that an
organization can also use to address its business needs.

Table 2 Cisco IP Phones – Unified CM Only

| Product | Registration | Description |
|---|---|---|
| Cisco IP Phone 8800 Series | Unified CM | General office use, multiple-line phone |
| Cisco IP Phone 8832 | Unified CM | On-premises IP conference phone |

Table 3 Cisco TelePresence and Video Endpoints – Unified CM or Cisco Webex Room Device

| Product | Registration | Description |
|---|---|---|
| Cisco Webex DX80 (1) | Unified CM | Personal TelePresence endpoint for the desktop |
| Cisco MX Series | Unified CM or Webex Room Device | TelePresence multipurpose room endpoint |
| Cisco SX Series | Unified CM or Webex Room Device | Integrator series TelePresence endpoint |
| Cisco Webex Room Series | Unified CM or Webex Room Device | Integrator and multipurpose TelePresence endpoints |

1. Cisco Webex DX80 endpoints run CE firmware.

Table 4 Cisco Webex Board

| Product | Description |
|---|---|
| Cisco Webex Board | All-in-one presentation, white board, and audio/video multipurpose room endpoint |

Table 5 Cisco Webex Teams Application

Product: Cisco Webex Teams application:
• Mobile
– Cisco Webex Teams for Android
– Cisco Webex Teams for iPhone and iPad
• Desktop
– Cisco Webex Teams for Mac
– Cisco Webex Teams for Windows
• Web
– Cisco Webex Teams web application

Description: Application with cloud-based integrated voice/video call, message, meeting, and content
sharing services for mobile devices, personal computers, and web browsers


Table 6 Comparison of Endpoint Features and Capabilities

| Product(s) | Audio | Video | Content Sharing | Cisco Unified CM Registration | Cisco Webex Registration | Whiteboarding |
|---|---|---|---|---|---|---|
| Cisco IP Phone 8800 Series | Y | Y (1) | N | Y | Y (2) | N |
| Cisco IP Phone 8832 | Y | N | N | Y | N | N |
| Cisco Webex DX80 | Y | Y | Y | Y | Y | N |
| Cisco MX Series | Y | Y | Y | Y | Y | N |
| Cisco SX Series | Y | Y | Y | Y | Y | N |
| Cisco Webex Room Series (3) | Y | Y | Y | Y | Y | N |
| Cisco Webex Board | Y | Y | Y | N | Y | Y |
| Cisco Webex Teams Mobile | Y | Y | Y | N | Y | Y |
| Cisco Webex Teams Desktop | Y | Y | Y | N | Y | Y (4) |
| Cisco Webex Teams Web | Y | Y | Y | N | Y | Y (4) |

1. Only the Cisco IP Phones 8845 and 8865 support video.
2. While cloud registration is supported with these endpoints, for the purposes of this PA these endpoints register to Cisco Unified CM.
3. Cisco Webex Room Series endpoints support 4K video resolution.
4. View capability only.


Cisco Webex Core Services


The PA for Cisco Webex Hybrid Services includes the following foundational functionality and services
that underlie the entire Webex Hybrid Services solution:
• Cisco Webex Control Hub
The web-hosted online Webex Control Hub, available at https://admin.webex.com/, is used to
administer and manage the organization's Webex Hybrid Services.
• Cisco Webex Teams Messaging
This basic feature of the Webex Teams application and the Webex platform provides one-to-one and
group messaging with file sharing. This feature delivers persistent instant messaging with Webex
Teams spaces, where users can message and share files.
• Cisco Webex Meetings
Webex Meetings provides audio and video conferencing with content sharing by leveraging the
Webex conferencing service. Webex Meetings builds upon the messaging and file sharing
capabilities of Webex Teams Messaging. Webex Meetings also enables advanced features such as
meeting recording and permanent Personal Meeting Rooms (PMR) to provide users with
personalized permanent voice and video meeting spaces. Users can join conferences using Webex
Teams devices as well as Webex Teams and Webex Meetings applications.
• Cisco Expressway-C Connector Host Management Connector
The Cisco Expressway-C Connector Host is a standard Cisco Expressway-C server deployed within
the customer's organization to provide an integration point between the on-premises and cloud
collaboration services. The integration between the Cisco Expressway-C server and Cisco Webex is
facilitated via micro-services installed and managed on the Expressway-C Connector Host by
Webex. These micro-services enable hybrid services integration.
The Management Connector is included in the Expressway-C base software and is used by the
administrator to register Expressway to Webex and to link the Expressway interface with the Webex
management interfaces.
All of these services and components are relevant for the deployment of the PA for Webex Hybrid
Services and will be referenced as appropriate in the remainder of this document.


Cisco Webex Hybrid Directory Service


Cisco Webex Hybrid Directory Service is the common identity component for any hybrid deployment.
It provides user synchronization between on-premises Microsoft Active Directory and Cisco Webex.
Cisco Directory Connectors are deployed on-premises. They communicate and synchronize over the
enterprise network with Microsoft Active Directory, and they communicate over the Internet to Webex
(Figure 4).

Figure 4 Architecture for Cisco Webex Hybrid Directory Service

[Figure: architecture diagram with the same labeled elements as Figure 2.]

Table 7 lists the roles of the Cisco Webex Hybrid Directory Service components in this architecture and
the services they provide.

Table 7 Components for Cisco Webex Hybrid Directory Service

| Module | Component | Description |
|---|---|---|
| Cisco Webex Hybrid Directory Service | Cisco Directory Connector | Provides user synchronization between Microsoft Active Directory and Cisco Webex |
| | Microsoft Active Directory | Provides the full list of corporate users and their attributes |


Webex Hybrid Directory Service enables an administrator to populate the common identity store of their
company's Webex Teams organization with users from their corporate Microsoft Active Directory. Once
the cloud identity store for the company's organization has been populated, administrators can easily
manage Webex Teams corporate user accounts. Administrators may configure user accounts, enable
specific features, and provision users for collaboration services within the Webex Teams organization.
As shown in Figure 5, Cisco Directory Connectors synchronize with Microsoft Active Directory using
Microsoft application programming interfaces (APIs) over the on-premises network. At the same time,
Cisco Directory Connectors push directory data and communicate over the Internet through the secure
enterprise boundary and corporate firewall with the cloud identity service within Webex. HTTPS is used
for communications between Cisco Directory Connectors and Cisco Webex.

Figure 5 Hybrid Enterprise Directory Integration

[Figure: hybrid directory integration diagram. Labeled elements: Microsoft Active Directory, Microsoft APIs, Cisco Directory Connector, HTTPS (REST), Internet, Cisco Webex, Expressway-C, Expressway-E, Unified Communications Manager, Endpoints, Microsoft Exchange, Expressway-C Connector Host.]

The Directory Connector servers run on Microsoft Windows Servers and must be actively joined to the
Active Directory domain. (See the Deployment Guide for Cisco Directory Connector for the latest
version support information.) A read-only administrator account is used to authenticate the Directory
Connector to the Windows domain.
The customer organization administrator must log in to the Webex Control Hub and download the
Directory Connector software to the Windows servers. Once Directory Connectors are installed and
configured, synchronization will take place and users will be pushed to the Webex identity store for the
customer's organization through HTTPS connections. Because these are outbound connections from the
Cisco Directory Connectors to the Internet, they do not require any inbound ports to be opened on the
internal or external firewall.
Directory Connectors are configured to pull user information from the Microsoft Active Directory. (See
the Deployment Guide for Cisco Directory Connector for the latest version support information.) User
information can be pulled from the entire domain or from specific containers and organizational units.
It is also possible to create LDAP filters if more granularity is needed.
Users log in to Webex Teams via their email address, which corresponds to the mail LDAP attribute.
Once provisioned for Webex Teams Messaging, each user receives an automatic email from Webex and
is prompted to confirm their email address and specify a password.


Recommended Deployment
To deploy Webex Hybrid Directory Service in the PA for Webex Hybrid Services, we recommend the
following:
• Webex Teams users correlate to Cisco Unified CM end users by means of email addresses. For this
reason, make sure that the end-user account mail ID field in the Unified CM End User database
contains the user's email address. With LDAP directory integration, the mail ID field for Unified CM
end users is typically mapped from the mail field of the LDAP directory during synchronization.
• Install Directory Connectors and Active Directory Domain Service or Active Directory Lightweight
Directory Services on separate Windows servers.
• After the Directory Connector installations finish, run a first synchronization. Then configure full
synchronization and incremental synchronization schedules to keep the Directory Connectors (and
in turn Webex) updated when user information changes (user update, deletion, or addition) within
Microsoft Active Directory.
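
A pre-synchronization check for the first recommendation above, as an added example that is not part of the Cisco guide: it compares a constructed Active Directory export with a constructed Unified CM end-user export and reports accounts whose mail values would prevent correlation by email address. The CSV column names, the sample users, and the case-insensitive comparison are assumptions of this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports. The column names (sAMAccountName/mail and
# userid/mailid) are assumptions for this example, not a Cisco export format.
AD_EXPORT = """sAMAccountName,mail
asmith,asmith@example.com
bjones,
cwu,c.wu@example.com
cwu2,C.Wu@example.com
dlee,dlee@example.com
"""

UCM_EXPORT = """userid,mailid
asmith,asmith@example.com
bjones,bjones@example.com
dlee,
cwu,c.wu@example.com
"""


def normalize(address):
    """Trim and lowercase an address (case-insensitive matching is assumed)."""
    return (address or "").strip().lower()


def load(text, id_col, mail_col):
    """Return {account id: normalized mail value} from CSV text."""
    rows = csv.DictReader(io.StringIO(text))
    return {row[id_col]: normalize(row[mail_col]) for row in rows}


def audit(ad_text=AD_EXPORT, ucm_text=UCM_EXPORT):
    """Report accounts that cannot be correlated by email address."""
    ad = load(ad_text, "sAMAccountName", "mail")
    ucm = load(ucm_text, "userid", "mailid")

    # Index AD accounts by mail so duplicates and lookups are cheap.
    by_mail = defaultdict(list)
    for account, mail in ad.items():
        if mail:
            by_mail[mail].append(account)

    ucm_mails = {m for m in ucm.values() if m}

    return {
        # No mail attribute: nothing for the user to log in with.
        "ad_missing_mail": sorted(a for a, m in ad.items() if not m),
        # Same address on several accounts: ambiguous identity.
        "ad_duplicate_mail": {
            m: sorted(accts) for m, accts in by_mail.items() if len(accts) > 1
        },
        # Unified CM end user with an empty mail ID field.
        "ucm_missing_mailid": sorted(u for u, m in ucm.items() if not m),
        # Unified CM mail ID that matches no directory user.
        "ucm_unmatched_mailid": sorted(
            u for u, m in ucm.items() if m and m not in by_mail
        ),
        # Directory address with no Unified CM end user carrying it.
        "ad_mail_not_in_ucm": sorted(m for m in by_mail if m not in ucm_mails),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

Any non-empty finding is worth resolving before the first synchronization, since the recommendation relies on the same email address appearing on both sides.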


Cisco Webex Hybrid Calendar Service


Cisco Webex Hybrid Calendar Service enables enterprise calendar integration with Webex collaboration
services. It provides calendar synchronization between on-premises Microsoft Exchange and Cisco
Webex.
Cisco Calendar Connector is deployed on the Cisco Expressway-C Connector Host on-premises. It
communicates and synchronizes over the enterprise network with Microsoft Exchange, and it
communicates over the Internet to Webex (Figure 6).

Figure 6 Architecture for Cisco Webex Hybrid Calendar Service

[Figure: architecture diagram with the same labeled elements as Figure 2.]

Note Although Webex Hybrid Calendar Service also supports integration to Microsoft Office 365 or G Suite
by Google Cloud, these integrations are not discussed or covered in this PA for Webex Hybrid Services.
For information about these integrations, refer to the latest version of the Deployment Guide for Cisco
Webex Hybrid Calendar Service, available at
https://www.cisco.com/c/en/us/support/unified-communications/spark/products-installation-guides-list.html.

Table 8 lists the roles of the Webex Hybrid Calendar Service components in this architecture and the
services they provide.

Table 8 Components for Cisco Webex Hybrid Calendar Service

Module | Component | Description
Cisco Webex Hybrid Calendar Service | Cisco Expressway-C Connector Host Calendar Connector | Provides integration between the enterprise calendaring application and Webex
Cisco Webex Hybrid Calendar Service | Microsoft Exchange | Provides corporate calendaring services

Webex Hybrid Calendar Service enables a tight integration between the user's enterprise Microsoft
Exchange calendar, Microsoft Outlook invitations, and Webex Teams Messaging. The Calendar
Connector service provides two key features:
• @meet
When @meet is added to the location field of an Outlook calendar invitation, Calendar Connector
and the cloud calendar service create a Webex Teams meeting and a new Webex Teams collaboration
space with a name that matches the invitation subject. All users in the calendar invitation are added
to the Webex Teams space and are invited to the meeting. This facilitates collaboration and allows
the meeting organizer and attendees to communicate and share material prior to, during, and even
after the meeting. If a calendar invitation includes a distribution list, users on the distribution list
will not be added to the Webex Teams space automatically; however, they will receive the meeting
invitation.
• @webex
When @webex is added to the location field of an Outlook calendar invitation, Calendar Connector
automatically populates the invitation with the user's Webex Personal Room information.
Hybrid calendar integration also enables:
• Synchronization of users' Microsoft Exchange enterprise calendar with their Webex Teams
application calendar and meeting list
• Sharing of users' out-of-office status from Microsoft Outlook with Webex Teams
As shown in Figure 7, the Cisco Calendar Connector service running on the Expressway-C Connector
Host synchronizes with Microsoft Exchange using Exchange Web Services (EWS) over the on-premises
network. At the same time, Cisco Calendar Connector pushes calendar data and communicates over the
Internet through the secure enterprise boundary and corporate firewall with the calendar service within
Webex. Cisco Calendar Connector also integrates with Webex Personal Rooms for @webex
functionality. HTTPS is used for communications between Cisco Calendar Connector on the
Expressway-C Connector Host and Webex. Because this is an outbound connection from the Cisco
Calendar Connector to the Internet, it does not require any inbound ports to be opened on the internal or
external firewall.

Figure 7 Hybrid Enterprise Calendar Integration

[Diagram labels: Microsoft Active Directory, Cisco Directory Connector, Unified Communications Manager, Endpoints, Microsoft Exchange, Expressway-C Connector Host: Calendar Connector, Expressway-C, Expressway-E, Internet, Cisco Webex. Connections: Exchange Web Services (EWS), HTTPS (REST). Hybrid calendar integration: @meet, @webex.]

Note As shown in Figure 7, the Expressway-C Connector Host does not pair with the Expressway-E server
and, in the case of hybrid calendar integration, does not rely on Expressway-C and Expressway-E
firewall traversal capabilities to communicate with Webex.

Calendar Connector is configured to pull calendar and meeting information from Microsoft Exchange
using an impersonation account. (For the latest version support information, see the Deployment Guide
for Cisco Webex Hybrid Calendar Service.) This meeting information is used to create the appropriate
Webex Teams meeting and space with all invitees (@meet) and a Webex personal meeting room
(@webex).
For more information about Webex Hybrid Calendar Service, consult the Deployment Guide for Cisco
Webex Hybrid Calendar Service.

Recommended Deployment
To deploy Webex Hybrid Calendar Service in the PA for Webex Hybrid Services, we recommend the
following:
• Deploy a pair of dedicated Cisco Expressway-C hosts using the Expressway-C OVA. They will serve
as your Cisco Expressway-C Connector Hosts. These Expressway-C servers do not pair with
Expressway-E servers and, in the case of hybrid calendar integration, do not rely on Expressway-C
and Expressway-E firewall traversal.
• The application impersonation role must be configured in Microsoft Exchange and is used in the
Exchange Calendar Connector configuration on the Expressway-C interface. The application
impersonation management role in Microsoft Exchange enables applications to impersonate users
in an organization to perform tasks on behalf of the users. The impersonation account does not have
to be an administrator, but it must have a mailbox.

Cisco Webex Video Mesh


Cisco Webex Video Mesh is a component of the PA for Cisco Webex Hybrid Services that enables
organizations to deploy an instance of media processing on-premises. This means that Webex Teams
room devices and clients, as well as Unified CM registered endpoints dialing into Webex meetings, can
terminate media on-premises instead of sending all media to the cloud.
The benefits of Webex Video Mesh include:
• Improved call quality because media stays local, which reduces latency and packet loss
• Reduced consumption of Internet bandwidth
• Simplified on-premises deployment via Webex Control Hub
• Reduced utilization of Expressway for Unified CM registered endpoints connecting to Webex
Meetings
The PA for Webex Hybrid Services addresses these needs with the Webex Video Mesh architecture
shown in Figure 8.
The central component of Webex Video Mesh is the Video Mesh Node. Webex Video Mesh can be
deployed as a virtual machine on a Cisco Unified Computing System (UCS) server or on
specifications-based hardware in the organization’s data center(s). (See the Cisco Webex Video Mesh
Data Sheet for more information.) The Video Mesh Node registers to Webex, and most management
tasks are performed from the Webex Control Hub. The Webex Control Hub also provides automatic
software updates and usage reports.

Figure 8 Architecture for Cisco Webex Video Mesh

[Diagram labels: Headquarters, Endpoints, Unified Communications Manager, Call Control, Expressway-C, Expressway-E, DMZ, Expressway-C Connector Host, Video Mesh Nodes, Cisco Directory Connector, Microsoft Active Directory, Directory, Microsoft Exchange, Calendar, Third-Party Solution, Collaboration Edge, Integrated/Aggregated Services Router, Integrated Services Router, MPLS WAN, PSTN, Internet, Mobile/Teleworker, Enterprise Branch, Cisco Webex, Video Mesh.]

Table 9 lists the components and roles of Cisco Webex Video Mesh.

Table 9 Components for Cisco Webex Video Mesh

Module | Component | Description
Cisco Webex Video Mesh | Cisco Webex Video Mesh Node | Provides on-premises media processing capabilities for Webex Meetings. This includes voice, video, and desktop sharing.
Cisco Webex Video Mesh | Cisco Webex Control Hub | Provides central administration for Webex Teams components.

Every Webex Teams call is considered to be a meeting. In a Webex Teams meeting, signaling and media
are sent to and from Webex. For example, Figure 9 shows a three-party Webex Teams meeting. Each
party in the meeting sends and receives media to and from Webex via the Internet. As the number of
concurrent calls increases, the organization’s bandwidth usage to the Internet increases. The three-party
Webex Teams call in Figure 9 uses up to 7 MB of the organization’s Internet bandwidth (client
bandwidth requirements shown in this example are average values).

Figure 9 Media Path of a Webex Teams Meeting

[Diagram labels: Corporate Network, “Small” Cisco Webex Room Device, “Large” Cisco Webex Room Device, Cisco Webex Teams App, Internet, Cisco Webex. Bandwidth values shown: 1.2 MB, 2.5 MB, 1.5 MB. Legend: Media.]

The Video Mesh Node bridges the media locally, resulting in network edge bandwidth savings as well
as decreased overall latency. Figure 10 shows the same three-party call with the media bridged locally
on the Video Mesh Node within the enterprise, resulting in no bandwidth utilization for media over the
Internet.

Figure 10 Media Path of a Webex Teams Meeting with Video Mesh Node

[Diagram labels: Corporate Network, “Small” Cisco Webex Room Device, “Large” Cisco Webex Room Device, Cisco Webex Teams App, Video Mesh Node, Cisco Webex. Bandwidth values shown: 1.2 MB, 2.5 MB, 1.5 MB. Legend: Media.]

Video Mesh Node Discovery Process


When a Webex Teams endpoint starts up, it registers to Cisco Webex. Webex provides the endpoint with
a list of cloud-based media services and available on-premises Video Mesh clusters associated with that
Webex Teams organization. (Clusters are groups of nodes that are used in the same region.) The Webex
Teams endpoint then performs two tests to decide which media node cluster it should use for calls:
• A Serial Tunneling (STUN) test to check if the media nodes are reachable
• A latency test to measure the round-trip delay between the endpoint and each media node
The Webex Teams endpoint performs these tests whenever there is a network change event on the local
device or when the cache expires.

The Webex Teams endpoint will choose to send media to the media node with the lowest round-trip delay
(RTD) duration. A Video Mesh Node that is reachable should have the lowest RTD for a Webex Teams
endpoint that is on the corporate network.
A single Video Mesh Node can accommodate up to 100 concurrent calls. Video can scale up to 1080p at
30 frames per second. If a Video Mesh cluster is full, the next Webex Teams endpoint in the organization
that joins the meeting will send its media to Webex, and the Video Mesh Node will cascade the call to
the cloud media services. The cascade link carries up to 6 HD streams, which allows picture-in-picture
and layout controls on specific endpoints.
A cascade link is created when a remote participant joins the call and their Webex Teams endpoint may
not be able to reach the Video Mesh Node. In this scenario, shown in Figure 11, the remote Webex Teams
endpoint sends media to the cloud media services, and a cascade link is created between that cloud media
services and the Video Mesh Node hosting the call.
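The selection, overflow, and cascade behavior described above can be traced with a small model. The following Python code is an added example, not Cisco code: the class and function names and the cluster labels are hypothetical, the cloud media services are assumed never to be full, and only the mesh-to-cloud cascade described in the text is modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

NODE_CAPACITY = 100    # concurrent calls per Video Mesh Node (figure from the text)
CLOUD = "webex-cloud"  # hypothetical label for the cloud media services


@dataclass
class Cluster:
    name: str
    nodes: int = 0         # Video Mesh Nodes in the cluster; unused for the cloud
    active_calls: int = 0

    @property
    def on_premises(self) -> bool:
        return self.name != CLOUD

    def has_capacity(self) -> bool:
        # Assumption: the cloud media services are modelled as never full.
        return not self.on_premises or self.active_calls < self.nodes * NODE_CAPACITY


@dataclass
class Probe:
    """Result of the two discovery tests an endpoint runs against one cluster."""
    cluster: Cluster
    stun_reachable: bool
    rtd_ms: Optional[float] = None  # round-trip delay; None if it was not measured


@dataclass
class Meeting:
    legs: Dict[str, str] = field(default_factory=dict)  # endpoint -> cluster name
    cascades: Set[str] = field(default_factory=set)     # mesh clusters linked to the cloud


def rank_clusters(probes: List[Probe]) -> List[Cluster]:
    """Drop clusters that failed the STUN test, then order the rest by lowest RTD."""
    usable = [p for p in probes if p.stun_reachable and p.rtd_ms is not None]
    return [p.cluster for p in sorted(usable, key=lambda p: p.rtd_ms)]


def join(meeting: Meeting, endpoint: str, probes: List[Probe]) -> str:
    """Place one endpoint's media and record any cascade link that results."""
    for cluster in rank_clusters(probes):
        if cluster.has_capacity():
            cluster.active_calls += 1
            meeting.legs[endpoint] = cluster.name
            break
    else:
        raise RuntimeError(f"{endpoint}: no reachable media cluster")
    used = set(meeting.legs.values())
    if CLOUD in used:
        # Each Video Mesh cluster hosting part of the meeting cascades to the cloud.
        meeting.cascades = used - {CLOUD}
    return meeting.legs[endpoint]


if __name__ == "__main__":
    # Constructed scenario: one single-node cluster at headquarters plus the cloud.
    mesh, cloud = Cluster("hq-mesh", nodes=1), Cluster(CLOUD)
    meeting = Meeting()
    print(join(meeting, "room-device", [Probe(mesh, True, 4.0), Probe(cloud, True, 35.0)]))
    print(join(meeting, "teleworker", [Probe(mesh, False), Probe(cloud, True, 40.0)]))
    print("cascade links from:", sorted(meeting.cascades))
```

An endpoint whose STUN test against the Video Mesh cluster fails never sends media to it, so reachability of the node from untrusted networks is not required for external participants to join.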

Figure 11 Cascading the Call to the Cloud for External Participants

[Diagram labels: Corporate Network, Video Mesh Node, Cisco Webex. Legend: Media, Cascade Link Media.]

The Video Mesh Node can host Webex meetings that include both Webex Teams endpoints and clients
as well as Unified CM registered endpoints. Webex Video Mesh bridges on-premises Unified CM
registered endpoints in meetings with Webex Teams endpoints and applications. Unified CM
communicates to the Video Mesh Node via SIP trunking, thus allowing on-premises registered endpoints
to join Webex Meetings with media termination at the Webex Video Mesh Node. (See Figure 12.)

Figure 12 Media Path of a Webex Teams Meeting with Video Mesh Node and Unified CM
Registered Endpoints

[Diagram labels: Corporate Network, Cisco Unified Communications Manager (Call Control), Video Mesh Node, Cisco Webex. Legend: Media, Cascade Link Media.]

Recommended Deployment
The Video Mesh Node can be deployed on the corporate network or in the DMZ. We recommend
deploying the Video Mesh Node on the corporate network. With this deployment model, internal Webex
Teams endpoints will connect to available Video Mesh Nodes and external Webex Teams endpoints will
connect to the cloud media services. Calls will be cascaded from Video Mesh Nodes to the cloud when
Webex Teams endpoints from outside the organization’s network connect to a call with internal
participants.
Recommended deployment models are discussed in brief here. For further details and use cases, refer to
the Cisco Validated Design (CVD) guide for the Preferred Architecture for Cisco Webex Hybrid
Services.

We recommend that you deploy Video Mesh Nodes only in large campus sites that have direct Internet
access (DIA), as shown in Figure 13. This will ensure that the Video Mesh Nodes are available for large
user populations. It will also ensure that media will cascade from the Video Mesh Nodes directly to the
cloud instead of traveling across a WAN to another site with direct Internet access.

Figure 13 Video Mesh Nodes Deployed in a Large Site with Direct Internet Access (DIA)

[Diagram labels: Large Campus with DIA, Video Mesh Cluster A, Cisco Webex, MPLS WAN, Branch Office (no DIA). Legend: Media, Cascade Link Media.]

We recommend deploying Video Mesh Nodes in clusters. This provides high availability for internal
users in case a single Video Mesh Node becomes unavailable. It also allows Webex Teams endpoints to
overflow to a Video Mesh Node on the corporate network instead of overflowing to the cloud, thus saving
bandwidth on the corporate network Internet edge (see Figure 14).

Figure 14 Multiple Video Mesh Clusters Cascading a Call to Webex

[Diagram labels: Large Campus Site A with DIA, Video Mesh Cluster A, Large Campus Site B with DIA, Video Mesh Cluster B, MPLS WAN, Cisco Webex. Legend: Media, Cascade Link Media.]

We recommend sizing the Video Mesh cluster based on the number of calls expected for the
organization’s site. There is no maximum size for a Video Mesh cluster, and each Video Mesh Node can
support up to 100 concurrent calls. Avoid clustering Video Mesh Nodes over the WAN. Clustering Video
Mesh Nodes over the WAN could lead to excessive consumption of WAN bandwidth as calls are cascaded
between nodes over the WAN.
The Video Mesh Node requires a number of open firewall ports to enable cloud management, signaling,
and media traffic flow. We recommend opening media ports for both TCP and UDP traffic flows. Ensure
that media is marked with appropriate QoS markings to improve call quality on the corporate network.
(See the Bandwidth Management section for details.)

Cisco Webex Hybrid Call Service


Cisco Webex Hybrid Call Service provides the integration of Cisco Unified Communications call
services with Webex call services. The PA for Webex Hybrid Services includes Cisco Unified
Communications Manager (Unified CM), Cisco Expressway-C and Expressway-E, and the
Expressway-C Connector Host for the Hybrid Call Service solution (Figure 15).

Figure 15 Architecture for Cisco Webex Hybrid Call Service

[Diagram labels: Headquarters, Endpoints, Unified Communications Manager, Call Control, Expressway-C, Expressway-E, DMZ, Expressway-C Connector Host, Video Mesh Nodes, Cisco Directory Connector, Microsoft Active Directory, Directory, Microsoft Exchange, Calendar, Third-Party Solution, Collaboration Edge, Integrated/Aggregated Services Router, Integrated Services Router, MPLS WAN, PSTN, Internet, Mobile/Teleworker, Enterprise Branch, Cisco Webex, Video Mesh.]

Table 10 lists the roles of the components in this architecture and the services they provide.

Table 10 Components for Cisco Webex Hybrid Call Service

Module | Component | Description
Cisco Webex Hybrid Call Service | Cisco Unified Communications Manager (Unified CM) | Provides endpoint registration, call processing, and media resource management
Cisco Webex Hybrid Call Service | Cisco Expressway-C Connector Host Call Connector | Provides integration between on-premises call processing services and Webex
Cisco Webex Hybrid Call Service | Cisco Expressway-C and Expressway-E | Enables interoperability and firewall traversal with Webex services

A key component of the Webex Hybrid Call Service is the Call Connector, hosted on the Cisco
Expressway-C Connector Host. Call Connector provides the following services:
• Call Service Aware
• Call Service Connect

Call Service Aware


The Call Connector on Cisco Expressway-C notifies Webex when two Webex Teams users are engaged
in the same call with their on-premises devices, so that their respective Webex Teams applications can
offer the option to start desktop sharing. Call Service Aware does not require any media traversal
capability or license. Expressway-C communicates with Webex using an outbound HTTPS connection;
Expressway-E is not involved.
The Call Connector on Expressway-C integrates with Cisco Unified Communications Manager through
specific APIs that allow for configuration reading and writing (AXL) and device monitoring (CTI-QBE).
When a user of Webex is enabled for Call Service Aware, the Call Connector uses AXL connectivity to
find devices associated to that user on Cisco Unified Communications Manager (Unified CM), and then
it sends this information to Webex.
For all line appearances monitored by the Call Connector, Cisco Unified CM sends notifications to the
Call Connector, which then relays this information to Webex. This way Webex always knows if a specific
user's device is engaged on a call or not. Based on this information, a one-to-one Webex Teams space is
created or pushed to the top of the list in Webex Teams applications of users in a one-to-one call on their
Unified CM registered endpoints. This one-to-one space presents the option to add desktop sharing
capabilities to both users involved in the call.
With Call Service Aware, desktop sharing is available to all physical devices (either audio or
video-based) registered to Cisco Unified CM.
Figure 16 illustrates the Call Service Aware architecture.

Figure 16 Webex Call Service Aware Used for Desktop Sharing

[Diagram labels: Microsoft Exchange, Microsoft Active Directory, Cisco Directory Connector, Cisco Webex Teams (users Darryl and Raja), Unified Communications Manager, Expressway-C, Expressway-E, Internal FW, DMZ FW, Internet, Cisco Webex, Expressway-C Connector Host: Call Connector. Connections: CTI-QBE & AXL, HTTPS (REST), RTP, Desktop share. Hybrid call integration.]

Call Service Connect


Call Service Connect allows integration between Webex Teams and Cisco Unified Communications
Manager (Unified CM). A prerequisite for Call Service Connect is that Call Service Aware must be
deployed and configured.
If a user has an endpoint registered to Cisco Unified CM and a Webex Teams application, both the
endpoint and the Webex Teams application will receive the call regardless of whether the call is initiated
by another Webex Teams application or any other endpoint. Call Service Connect not only enables
ringing on Webex Teams and Cisco Unified CM, but also allows Webex Teams users to place calls using
enterprise dialing habits.
In order to achieve this, Expressway-C and Expressway-E must be deployed for firewall traversal, so that
secure communications to and from the cloud will always be possible. In order to account for security
requirements, the call will always be encrypted for both signaling and media.

Recommended Deployment
Figure 17 illustrates the architecture for Call Service Connect and Call Service Aware.

Figure 17 Architecture for Webex Hybrid Call Service Connect and Call Service Aware

[Diagram labels: Microsoft Exchange, Microsoft Active Directory, Cisco Directory Connector, Endpoints, Unified Communications Manager, Expressway-C, Expressway-E, Internal FW, DMZ FW, Internet, Cisco Webex, Expressway-C Connector Host: Call Connector. Connections: SIP / SIP TLS, RTP / sRTP, CTI-QBE & AXL, HTTPS (REST). Hybrid call integration.]

The following guidelines apply to the architecture shown in Figure 17:


• Cisco Unified CM connects to Expressway-C for firewall traversal using SIP.
• The same Expressway-C can be used as the Connector Host and for the hybrid SIP signaling and
media traffic to and from Expressway-C in the following cases:
– Up to 500 users with Cisco Business Edition 6000 (BE6000)
– Up to 2,000 users with Cisco Business Edition 7000 (BE7000) in a redundant deployment
• In all other cases, a dedicated Cisco Expressway-C runs the Call Connector, as shown in Figure 17.
• Call Connector can be co-resident with Calendar Connector.
• Cisco Unified CM connects to Expressway-C Call Connector using CTI-QBE and AXL.
• We recommend deploying redundant configurations of Cisco Unified CM, Cisco Expressway-C
Connector Host, and firewall traversal with Expressway-C and Expressway-E.

Call Service Connect Architecture


Call Service Connect enables ringing on both Webex Teams and Cisco Unified CM devices associated
with the same user. In addition, it keeps the user experience consistent so that the user of Webex Teams
has the same dialing habits, calling ID, and unified call history as any other user on Cisco Unified CM.
To achieve this consistent user experience, Cisco Unified CM and Webex perform the following
operations:
• For every call received on Cisco Unified CM for a specific user, the call is extended to Webex
through Expressway-C and Expressway-E.
• For every call received on the Webex Teams application, the call is extended to Cisco Unified CM
through Expressway-E and Expressway-C.
• When the call reaches Cisco Unified CM, Unified CM changes the calling ID to match the enterprise
calling ID. Thus, when the call is delivered to the destination, the called user does not know if the
call is coming from Webex Teams or from an internal endpoint.
• When the call reaches Cisco Unified CM, Unified CM recognizes that it is a Webex Hybrid Call
Service call for a specific Unified CM registered user, and Unified CM assigns the call to the class
of services (CoS) associated with that user. In this way, if a Cisco Unified CM user is not entitled to
call specific destinations, this limitation is also extended to the Webex Teams application.
• Cisco Unified CM dialing habits (including PSTN access codes) are preserved for Webex Teams
users.
Figure 18 shows the global reachability on both the Webex Teams application and the Cisco Unified CM
device when a user is provisioned for Call Service Connect.

Figure 18 Reachability of Webex Teams and Unified CM Destinations with Call Service Connect

[Diagram labels: Alice, Bob, Cisco Unified CM, Expressway-C Connector Host, Expressway-C, Expressway-E, Internet, Cisco Webex. Legend: steps A, B, C show Alice calling Bob from a Unified CM device; steps 1, 2, 3 show Alice calling Bob from a Cisco Webex Teams application.]

Media Encryption
Media is encrypted with Secure Real-time Transport Protocol (SRTP) between Cisco Webex and Cisco
Expressway. Depending on the configuration, different scenarios can be achieved:
• End-to-end encryption
This requires Cisco Unified CM to be in mixed mode and the endpoints and the SIP trunk to
Expressway to be provisioned for encryption.
• Expressway-terminated encryption
If Cisco Unified CM is not in mixed mode and uses non-encrypted RTP media traffic to send the call
to Expressway-C, then Expressway-C can terminate the RTP connection from the Unified CM
endpoint and open another call leg using SRTP to Webex. Any time Cisco Expressway performs
RTP-to-SRTP conversion, it engages a back-to-back user agent (B2BUA). If Cisco Expressway
performs RTP-to-SRTP conversion, we recommend enabling it on Expressway-C instead of
Expressway-E so that the traffic in the DMZ will be encrypted.
Figure 19 illustrates these two encryption options.
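To see which media legs stay unencrypted under each option, the following added Python example (not Cisco code) maps a deployment's settings to the protection of each leg. The Deployment field names and the conversion_on values are hypothetical, and a mixed-mode cluster whose endpoints or SIP trunk are not provisioned for encryption is assumed to send RTP to Expressway-C.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Media legs of a Call Service Connect call, from the enterprise outward.
LEGS = (
    "Unified CM endpoint -> Expressway-C",
    "Expressway-C -> Expressway-E (DMZ)",
    "Expressway-E -> Webex",
)
CONVERSION_POINTS = (None, "expressway-c", "expressway-e")


@dataclass
class Deployment:
    """Hypothetical names for the settings discussed in the text."""
    ucm_mixed_mode: bool
    endpoints_encrypted: bool
    sip_trunk_encrypted: bool
    conversion_on: Optional[str] = None  # where RTP-to-SRTP conversion (B2BUA) runs


@dataclass
class Assessment:
    mode: str
    media: List[str]                     # "SRTP", "RTP" or "NONE" per entry of LEGS
    findings: List[str] = field(default_factory=list)

    def cleartext_legs(self) -> List[str]:
        return [leg for leg, m in zip(LEGS, self.media) if m == "RTP"]


def assess(d: Deployment) -> Assessment:
    if d.conversion_on not in CONVERSION_POINTS:
        raise ValueError(f"unknown conversion point: {d.conversion_on!r}")
    # End-to-end encryption needs all three prerequisites named in the text.
    if d.ucm_mixed_mode and d.endpoints_encrypted and d.sip_trunk_encrypted:
        return Assessment("end-to-end", ["SRTP", "SRTP", "SRTP"])
    findings = []
    if d.ucm_mixed_mode:
        findings.append("mixed mode is on, but endpoints or the SIP trunk "
                        "are not provisioned for encryption")
    if d.conversion_on == "expressway-c":
        # Recommended placement: media is already SRTP when it enters the DMZ.
        return Assessment("expressway-terminated", ["RTP", "SRTP", "SRTP"], findings)
    if d.conversion_on == "expressway-e":
        findings.append("RTP crosses the DMZ; move RTP-to-SRTP conversion "
                        "to Expressway-C")
        return Assessment("expressway-terminated", ["RTP", "RTP", "SRTP"], findings)
    findings.append("no RTP-to-SRTP conversion configured, so media cannot be "
                    "sent to Webex as SRTP")
    return Assessment("invalid", ["RTP", "RTP", "NONE"], findings)


if __name__ == "__main__":
    # Constructed deployments covering both options and the discouraged placement.
    samples = {
        "mixed mode, fully provisioned": Deployment(True, True, True),
        "non-secure, convert on Expressway-C": Deployment(False, False, False, "expressway-c"),
        "non-secure, convert on Expressway-E": Deployment(False, False, False, "expressway-e"),
    }
    for label, dep in samples.items():
        result = assess(dep)
        print(f"{label}: {result.mode}; cleartext legs: {result.cleartext_legs()}")
        for finding in result.findings:
            print(f"  finding: {finding}")
```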

Figure 19 Webex Hybrid Services: Expressway Media Encryption Options

[Diagram, two panels. Media: End-to-end encryption: Cisco Unified CM, Expressway-C, Expressway-E, Cisco Webex; connection labels MTLS, MTLS, MTLS; media SRTP. Media: Expressway-terminated encryption: Cisco Unified CM, Expressway-C (B2BUA), Expressway-E, Cisco Webex; connection labels TCP, MTLS, MTLS; media RTP, SRTP.]

Considerations for Deploying Multiple Unified CM Clusters


Webex Hybrid Call Service supports multiple Cisco Unified CM clusters. However, due to the call
routing method used by Webex Hybrid Services, the calls are always sent to the Cisco Unified CM
cluster where the calling user is registered, before being sent to the destination. This is called home
cluster routing and is necessary for the preservation of class of service (CoS) and calling ID.

Bandwidth Management
Bandwidth management is about providing the best possible user experience end-to-end for all media
capable endpoints, clients, and applications in the collaboration solution. The Preferred Architecture for
Cisco Webex Hybrid Services incorporates a holistic approach to bandwidth management that includes
an end-to-end Quality of Service (QoS) architecture with video rate adaptation and resiliency
mechanisms to provide the best possible user experience for deploying pervasive video over managed
and unmanaged networks.

Architecture for Webex Hybrid Services: QoS, Media Assure, and the
Self-Regulating Video Network
The PA for Webex Hybrid Services applies the bandwidth management strategy of the Preferred
Architecture for Cisco Collaboration 12.0 Enterprise On-Premises Deployments to the Webex Teams
endpoints, clients, and infrastructure components. This bandwidth management strategy starts with QoS.
QoS ensures reliable, high-quality voice and video by reducing delay, packet loss, and jitter for media
endpoints and applications. QoS provides a foundational network infrastructure technology that is
required to support the transparent convergence of voice, video, and data networks. The bandwidth
management strategy for Webex Hybrid Services includes identifying and marking Webex Room Device
and Webex Teams client signaling and media traffic as well as updating the QoS policies in the LAN,
WAN, and Internet edge equipment in the on-premises solution.

Overview of Preferred Architecture On-Premises Bandwidth Management Solution Concepts and Strategy
With the increasing number of interactive applications – particularly voice, video, and immersive
applications – real-time services are often required from the network. Because these resources are finite,
they must be managed efficiently and effectively. If the number of flows contending for such priority
resources were not limited, then as those resources become oversubscribed, the quality of all real-time
traffic flows would degrade, eventually to the point of becoming useless. The intelligent media
techniques used for media resiliency and rate adaptation in all Cisco endpoints, clients, and conferencing
architecture – referred to as Media Assure – coupled with QoS, ensure that real-time applications and
their related media do not oversubscribe the network or the bandwidth provisioned for those
applications, thus providing efficient use of bandwidth resources.
The self-regulating video network, prioritized audio, and opportunistic video are all bandwidth
management concepts as well as a combined QoS strategy. A self-regulating video network consists of
leveraging the intelligent media techniques and rate adaptation mentioned previously, along with proper
provisioning and QoS to allow the video endpoints to maximize their video resolution during times when
video bandwidth is not fully utilized in the network and to rate-adapt or throttle down their bit rate to
accommodate more video flows during the busy hour of the day. Prioritized audio for both audio-only
and audio of video calls ensures that all audio is prioritized in the network and is thus not impacted by
any loss that can occur in the video queues. Prioritizing voice from all types of collaboration media
ensures that, even during times of extreme congestion when video is experiencing packet loss and
adjusting to that loss, the audio streams are not experiencing packet loss and are allowing the users to
have an uninterrupted audio experience. In addition, opportunistic video allows for a group of video
endpoints to be strategically marked with a lower class of video, thus enabling them to use available
bandwidth opportunistically for optimal video resolution during times when the network is less busy and
more bandwidth is available, or conversely to down-speed their video more aggressively than the
prioritized class of video during times of congestion when the network is in its busy hour. This concept
of opportunistic video coupled with prioritized audio maintains an acceptable video experience while
simultaneously ensuring that voice media for these opportunistic video calls is not compromised. This,
of course, applies to the managed network, since an unmanaged network such as the Internet is not
QoS-enabled and thus provides no guarantees with regard to packet loss. Nevertheless, the media
resiliency and rate adaptation mechanisms also attempt to ensure that media over unmanaged networks
such as the Internet has the best possible quality in the face of packet loss, delay, and jitter.
Figure 20 illustrates the approach to QoS that is used in the PA for the Cisco Collaboration Enterprise
on-premises solution and is also followed in this Webex Hybrid Services solution:
• Classification and marking — Refers to concepts for identifying media and signaling for
endpoints. It also includes the process of mapping the identified traffic to the correct DSCP to
provide the media and signaling with the correct per-hop behavior end-to-end across the network.
• Queuing and scheduling — Consists of general WAN queuing and scheduling, the various types of
queues, and recommendations for ensuring that collaboration media and signaling are correctly
queued on egress to the WAN.
• Provisioning and admission control — Refers to provisioning the bandwidth in the network and
determining the maximum bit rate that groups of endpoints will utilize.
• Monitoring, troubleshooting, and optimization — Ensures the proper operation and management
of voice and video across the network.

Figure 20 Architecture for Bandwidth Management

[Diagram labels: Cisco Webex, Internet, Internet Edge, On-Premises, WAN. DSCP markings shown: EF, AF41, CS3. Stages: Classification, Marking, Queuing and Scheduling, Provisioning, and Monitoring, Troubleshooting, and Optimization.]

Recommended Deployment
To deploy bandwidth management in the PA for Webex Hybrid Services, we recommend the following:
• Identify Webex Teams traffic.
• Configure an on-premises LAN QoS policy for Webex Teams traffic classification and marking:
– Mark all audio with Expedited Forwarding class EF. (This includes all audio of both voice-only
and video calls.)
– Mark all video from clients, desktop and room devices, as well as Expressway Edge components
with an Assured Forwarding class of AF41 for prioritized video or AF42 for opportunistic
video. (This will depend on the strategy taken in the on-premises solution configuration.)
• Update the WAN Edge policies for identifying, classifying, marking, and queuing Cisco
Collaboration traffic with Webex Teams information:
– WAN edge ingress re-marking policy
– WAN edge egress queuing and scheduling policy
