To host Webex Meetings without a PIN on on-premises devices, your Cisco Expressway-E must present a certificate signed by a trusted Root Certificate Authority (RCA) for Mutual TLS (mTLS) connections. You can find the list of root CAs that Cisco trusts in this article. Only connections that present a valid signed certificate are accepted.

If you use your Expressway-E for Webex for Government, you must enable mTLS.
1. Go to Maintenance > Security > Server Certificate.

2. Check whether the current Expressway certificate exists and is accurate.

3. If the certificate is installed, check its expiry date. If it has expired, replace it with a valid certificate.

4. Check which root CA signed this certificate and ensure that the name is listed in the Enterprise Deployment Guide.

5. Check that the certificate has the proper SAN (Subject Alternative Name) configured, matching the organization settings.

6. Using a video device, call into your personal room. If you are able to connect, then the connection is successful.

7. After you complete the configurations, move to the next section.

If any of the following are true, then generate a CSR.

  • If you don’t have an Expressway server certificate

  • If the certificate has expired

  • If the SAN needs to be updated, that is, the SAN name doesn't match the SIP user name

1. Start the CSR (Certificate Signing Request) generation process.

2. Make sure that the SAN that you need in the certificate is listed in the Additional alternate name field.

3. Submit your CSR to the root CA of your choice. Choose a CA from the supported list. Refer to the Generate Certificate Signing Request section in the Cisco Webex Meetings Enterprise Deployment Guide for Video Device-Enabled Meetings.

4. Get the certificate signed by the root CA.

5. If you used an external system to generate the CSR, you must also upload the server private key PEM file that belongs to the server certificate. (If the Expressway was used to produce the CSR for this server certificate, the private key file was generated and stored automatically at that time.)

  • The server private key PEM file must not be password protected.

  • You can’t upload a server private key while a certificate signing request is in progress.

6. Click Upload server certificate data.

7. After you complete the configurations, move to the next section.

1. Make sure that the issuing certificate authority for Webex’s certificate is listed under the Trusted CA certificate list. Go to Maintenance > Security > Trusted CA Certificate.

  For uninterrupted service, install both the primary and the secondary root CA. The QuoVadis Root CA is current and the DSTx3 Root CA is reserved for future use. Both certificates need to be present.

2. Confirm that the trusted CA certificate list contains the QuoVadis certificate. To check whether it is the most current certificate, refer to the Cisco Webex Meetings Enterprise Deployment Guide for Video Device-Enabled Meetings.

3. Click the trusted CA certificate, find the QuoVadis certificate, and click the View decoded button on the far right.

4. Check the attributes (SHA256) of the certificate.

    X509v3 Authority Key Identifier:
        keyid:1A:84:62:BC:48:4C:33:25:04:D4:EE:D0:F6:03:C4:19:46:D1:94:6B
        DirName:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
        serial:05:09

    QuoVadis Root CA 2: C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
        Fingerprint (SHA1) ca3afbcf1240364b44b216208880483919937cf7

    DSTx3 root CA: O=Digital Signature Trust Co./CN=DST Root CA X3
        Fingerprint (SHA1) dac9024f54d8f6df94935fb1732638ca6ad77c13

5. Click trusted CA.

  The Authority Key Identifier is subject to change when the keys are rotated.

6. If the CA certificate is not present, refer to Configure the Trusted CA list in the Cisco Webex Meetings Enterprise Deployment Guide for Video Device-Enabled Meetings.
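The following added example is not part of the Cisco article. It scripts the server-certificate checks from the first procedure (certificate present, not expired, expected issuer, required SAN) and the trusted-root fingerprint comparison from step 4 above; it assumes openssl 1.1.1 or later is on the PATH, and every file, organization and host name it uses is constructed for the demo.

```shell
# Added example (not from the Cisco article). Assumes openssl 1.1.1+ on PATH;
# all file names, organization and host names below are constructed.

# check_server_cert CERT.pem REQUIRED_SAN [ISSUER_SUBSTRING]
# Returns 0 only if the certificate exists, has not expired, its issuer
# matches ISSUER_SUBSTRING (when given) and its SAN lists REQUIRED_SAN.
check_server_cert() {
  cert="$1"; want_san="$2"; want_issuer="${3:-}"; rc=0
  [ -r "$cert" ] || { echo "FAIL: no certificate at $cert"; return 1; }
  # Expiry: -checkend 0 fails if the certificate has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "FAIL: certificate has expired"; rc=1; }
  # Issuer: compare against the root CA you expect from the supported list.
  issuer=$(openssl x509 -in "$cert" -noout -issuer)
  echo "$issuer"
  if [ -n "$want_issuer" ] && ! printf '%s\n' "$issuer" | grep -q "$want_issuer"; then
    echo "FAIL: issuer does not match '$want_issuer'"; rc=1
  fi
  # SAN: the name used in the organization settings / SIP user name must be present.
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName | tail -n +2)
  echo "SAN:$sans"
  printf '%s\n' "$sans" | grep -Eq "DNS:$want_san(,|\$)" \
    || { echo "FAIL: SAN does not list DNS:$want_san"; rc=1; }
  return $rc
}

# check_root_fingerprint ROOT.pem EXPECTED_SHA1
# Returns 0 if the SHA1 fingerprint matches (colons and case ignored), e.g.
# against the QuoVadis or DST value quoted in the guide.
check_root_fingerprint() {
  got=$(openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f')
  want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
  [ "$got" = "$want" ]
}

# Constructed demo: a self-signed certificate standing in for the Expressway
# server certificate (so its issuer equals its subject).
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" \
  -subj "/C=US/O=Example Org/CN=expressway.example.com" \
  -addext "subjectAltName=DNS:expressway.example.com,DNS:sip.example.com" \
  2>/dev/null
check_server_cert "$demo_dir/cert.pem" sip.example.com "Example Org" \
  && echo "server certificate checks passed"
# Fingerprint comparison, here against the demo certificate's own value.
demo_fp=$(openssl x509 -in "$demo_dir/cert.pem" -noout -fingerprint -sha1 | cut -d= -f2)
check_root_fingerprint "$demo_dir/cert.pem" "$demo_fp" && echo "fingerprint matches"
```

Point check_server_cert at the PEM exported from Maintenance > Security > Server Certificate and check_root_fingerprint at the decoded QuoVadis or DST root to reproduce the checks before placing the test call.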

  • Check if you have a Domain Name System (DNS) zone configured on your Expressway.

  • Two types of calls that use DNS are B2B (existing) and Webex calls. If B2B calls are already set up, we recommend a separate DNS zone for Webex calls that forces them to use mTLS.

On Expressway versions X8.10 and above, use the following steps to create or modify a DNS zone.

Before you go ahead with the Expressway configuration, take a backup of your existing settings so that you can always revert and return to an operational state.

1. Go to Configuration > Zones > Zones.

2. If you have an existing DNS zone, select the zone and edit it.

3. If a DNS zone doesn't exist, perform the steps below:

  1. Go to Configuration > Zones > Zones > Default Zone access rules.

  2. Configure a new DNS zone for subject name: sip.webex.com.

  3. Add a new search rule to route the call over the new DNS zone.

    If you already have a search rule for routing traffic to Webex, edit it instead of creating a new rule.

4. Make sure that the calls are validated and that B2B calls are not affected.

  To avoid DNS resolution issues, click here.

5. After you complete the configurations, move to the next section.

Configure the firewall for your network components so that you get the highest quality Webex experience on your computers, mobile devices, and video devices.

  1. Check the media port ranges used by video devices.

    These ports are provided as a reference. Refer to the deployment guide and manufacturer recommendations for full details.

    Table 1. Default Ports used by Video Collaboration Devices

    Protocol    Port Number(s)                 Direction              Access Type
    TCP         5060-5070                      Outbound               SIP signaling
                Comments: The Webex media edge listens on 5060-5070. For more information, see the configuration guide for the specific service used: Cisco Webex Meetings Enterprise Deployment Guide for Video Device-Enabled Meetings.
    TCP         5060, 5061, and 5062           Inbound                SIP signaling
                Comments: Inbound SIP signaling traffic from the Cisco Webex cloud.
    TCP / UDP   Ephemeral ports 36000-59999    Inbound and Outbound   Media ports
                Comments: If you're using a Cisco Expressway, the media ranges need to be set to 36000-59999. If you’re using a third-party video device or call control, they need to be configured to use this range.

For more information on firewall settings, see How Do I Allow Webex Meetings Traffic on My Network.