Enhanced Survivability prerequisites
This page describes the network requirements (firewall, proxy, and DNS settings) for the Enhanced Survivability solution and lists the addresses, ports, and protocols used to connect your endpoints to the services.
It also covers the tasks the customer must complete on-premises before activating the Enhanced Survivability Node (ESN) from Control Hub:
- Prerequisites to complete before the activation of the Enhanced Survivability Node.
- ESN installation parameters to use during the installation of the node at the remote site(s).
Consider the following key specifications for an Enhanced Survivability Node before deploying:
- In a single Unified CM cluster, you can deploy a maximum of 8 Enhanced Survivability Nodes.
- The round-trip time (RTT) between the Unified CM cluster in Dedicated Instance and the Enhanced Survivability Node must be 200 ms or less.
- A maximum of 7500 devices can register to the Enhanced Survivability Node during a survivability event.
- The feature is supported only with the Edge Connect or Partner Connect cloud connectivity options.
- Deploy a PSTN Local Gateway in the site for the routing of emergency and PSTN calls.
- On-net calling is possible only between devices registered to the same ESN; all other calls must be routed through the PSTN Local Gateway.
- The Enhanced Survivability Node is added only as the tertiary node in the Unified CM group. Make sure that your integrations, devices and clients support a tertiary TFTP server or a configurable ESN IP address in the application.
Changes to be done on customer’s firewall
Allow the following ports on the customer’s firewall before you start activating the Enhanced Survivability Node in Control Hub.
Ports to be allowed in firewall
List of ports to be allowed in the customer firewall. Source ports are ephemeral (greater than 1023) unless stated otherwise.
Protocol | TCP/UDP | Source | Destination | Source Port | Destination Port | Direction | Purpose |
SFTP, SSH | TCP | ESN | Cisco Monitoring Tool and Unified CM | Greater than 1023 | 22 | Bidirectional | SFTP and SSH sessions |
NTP | UDP | ESN | Unified CM | Greater than 1023 | 123 | Bidirectional | Clock sync to the publisher in the Dedicated Instance cloud |
SNMP | UDP | Cisco Monitoring Tool | ESN | Greater than 1023 | 161 | Bidirectional | SNMP service response (requests from management applications) |
SNMP | UDP | ESN | Cisco Monitoring servers | Greater than 1023 | 162 | Bidirectional | SNMP traps |
HTTPS | TCP | Cisco monitoring and management servers | ESN | Greater than 1023 | 443 | Bidirectional | Communication between subscriber and publisher; Cisco User Data Services (UDS) requests; admin UI to Unified CM; Unified CM to CSSM |
Syslog | UDP | ESN | Cisco Monitoring servers | Greater than 1023 | 514 | Bidirectional | Monitoring |
Cisco AMC Service | TCP | ESN | Unified CM | Greater than 1023 | 1090 | Bidirectional | Monitoring |
Cisco AMC Service | TCP | ESN | Unified CM | Greater than 1023 | 1099 | Bidirectional | Monitoring |
Database Connection | TCP | ESN | Unified CM | Greater than 1023 | 1500 | Bidirectional | Database replication between the Dedicated Instance Unified CM cluster and the ESN |
Database Connection | TCP | ESN | Unified CM | Greater than 1023 | 1501 | Bidirectional | Database replication, secondary connection |
Database Connection | TCP | ESN | Unified CM | Greater than 1023 | 1510 | Bidirectional | Database replication, CAR Cisco Identity Service DB. The CAR Cisco Identity Service engine listens on this port for connection requests from clients |
Database Connection | TCP | ESN | Unified CM | Greater than 1023 | 1511 | Bidirectional | Database replication, CAR Cisco Identity Service DB. Alternate port used to bring up a second instance of CAR Cisco Identity Service during upgrade |
Database Connection | TCP | ESN | Unified CM | Greater than 1023 | 1515 | Bidirectional | Database replication between nodes during installation |
Cisco Extended Functions DB Replication | TCP | ESN | Unified CM | Greater than 1023 | 2551 | Bidirectional | Database replication within the cluster for communication between Cisco Extended Services for Active/Backup |
Cisco Extended Functions DB Replication | TCP | ESN | Unified CM | Greater than 1023 | 2552 | Bidirectional | Database replication. Allows subscribers to receive Unified CM database change notifications |
RIS server | TCP | ESN | Unified CM | Greater than 1023 | 2555 | Bidirectional | Monitoring, Real-time Information Services (RIS) database server |
RIS client | TCP | ESN | Unified CM | Greater than 1023 | 2556 | Bidirectional | Monitoring, Real-time Information Services (RIS) database client for Cisco RIS |
CTI | TCP | ESN | Unified CM | Greater than 1023 | 2748 | Bidirectional | Call control, CTI application server |
Trunk-based SIP service | TCP | ESN | Unified CM | Greater than 1023 | 5060 | Bidirectional | SIP service |
Trunk-based SIP service | TCP | ESN | Unified CM | Greater than 1023 | 5061 | Bidirectional | SIP service (TLS) |
Database change notification | TCP | ESN | Unified CM | Greater than 1023 | 8001 | Bidirectional | Database replication |
SDL | TCP | ESN | Unified CM | Greater than 1023 | 8002 | Bidirectional | Call control |
SDL (CTI) | TCP | ESN | Unified CM | Greater than 1023 | 8003 | Bidirectional | Call control |
Diagnosis | TCP | ESN | Unified CM | Greater than 1023 | 8080 | Bidirectional | Monitoring, communication between servers used for diagnostic tests |
Cisco Control Center between Nodes | TCP | ESN | Unified CM | Greater than 1023 | 8443 | Bidirectional | Cisco Control Center between nodes |
Monitoring | TCP | Cisco Monitoring Tool | ESN | Greater than 1023 | 8443 | Bidirectional | Monitoring |
Intra-Cluster Replication | TCP | ESN | Unified CM | Greater than 1023 | 8500 | Bidirectional | Database replication, intracluster replication of system data by IPSec Cluster Manager |
Location Bandwidth Manager | TCP | ESN | Unified CM | Greater than 1023 | 9004 | Bidirectional | Call control, intracluster communication between LBMs |
Secure WebSocket | TCP | ESN | Unified CM | 9560 | n/a | Bidirectional | LPNS notification from the DI cloud |
Connectivity Validation | ICMP | ESN | Unified CM | n/a | n/a | - | Ping |
Dedicated Instance subnets to be allowed in the customer’s firewall
Allow the following subnets in the customer’s firewall so that the Enhanced Survivability Nodes can communicate with the Dedicated Instance Unified CM cluster in your region.
Dedicated Instance Region | Subnet |
U.S. | 69.168.17.0/24 |
EMEA | 178.215.138.0/24 |
EU | 178.215.131.0/24 |
APJC | 103.232.71.0/24 |
AUS | 178.215.128.0/24 |
UK | 178.215.135.0/24 |
DNS requirements
Configure conditional forwarders on the customer’s internal DNS servers towards the Dedicated Instance DNS so that the names of cloud devices resolve. For the Dedicated Instance DNS server IP addresses, refer to DNS requirements. To support failover to the ESN, the customer must also configure pinpoint DNS entries (a zone that contains a single name). These entries are site specific and let devices find the address of the local ESN based on the source IP address of the query.
For each ESN, include both forward and reverse lookups in the customer’s local DNS.
Reverse lookup example: the ESN’s local IP address maps to esn-hostname.cust1.amer.wxc-di.webex.com.
During a survivability event, hard phones and soft clients that are already logged in fail over to the tertiary entry in the CallManager Group, that is, the ESN. The local DNS responds with the correct address based on the pinpoint entry, an A record for the ESN.
Forward lookup example: esn-hostname.cust1.amer.wxc-di.webex.com is an A record mapped to the ESN’s local IP address.
Soft clients that still need to complete service discovery resolve the _cisco-uds._tcp SRV record. To return the correct answer for the local ESN, this record must be site specific: resolved based on the source IP address of the query, and listing the DI cloud nodes together with the local ESN. The cloud nodes get the lower priority value (10) and the ESN a higher one (20), so clients try the cloud first and fall back to the ESN only when the cloud is unreachable. For example,
_cisco-uds._tcp.cust1.amer.wxc-di.webex.com – SRV record mapped as follows
cXXXX011ccm4.cust1.amer.wxc-di.webex.com priority 10 weight 10
cXXXX021ccm5.cust1.amer.wxc-di.webex.com priority 10 weight 10
esn-hostname.cust1.amer.wxc-di.webex.com priority 20 weight 10
To create pinpoint entries in Microsoft DNS that resolve based on the device source IP address, use DNS Resolution Policies and Zone Scopes. In BIND, use views.
For more information about adding pinpoint entries, refer to How to Create PinPoint DNS Entry.
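The following listing is an added BIND example of the arrangement described above (a conditional forwarder for the DI domain, forward and reverse pinpoint zones for the ESN, and a site-specific _cisco-uds._tcp SRV answer selected by client source address through views). It is not configuration from the Cisco document. The site subnet 10.10.0.0/16, the ESN name esn-site1 at 10.10.1.20, the DI forwarder 192.0.2.53, the name-server names under cust1.example.com and the UDS port 8443 are assumptions for this example; the cXXXX... cloud node names are the placeholders used on this page. The three zone files are shown after the named.conf fragment in the same listing.

```bind
// ---- named.conf fragment (added example; all addresses and names are assumptions) ----
acl "site1-lan" { 10.10.0.0/16; };

view "site1" {
    match-clients { "site1-lan"; };
    recursion yes;

    // Conditional forwarder: the DI domain is resolved by the DI DNS servers.
    // The SRV targets in the cloud (cXXXX...) still resolve through this zone.
    zone "cust1.amer.wxc-di.webex.com" {
        type forward;
        forward only;
        forwarders { 192.0.2.53; };
    };

    // Forward pinpoint zone: a zone holding exactly one name. BIND serves the
    // most specific enclosing zone, so only the ESN hostname is answered
    // locally; everything else in the parent domain is still forwarded.
    zone "esn-site1.cust1.amer.wxc-di.webex.com" {
        type master;
        file "db.esn-site1.pinpoint";
    };

    // Pinpoint zone for the service-discovery SRV name, so clients at this
    // site get the DI cloud nodes plus the local ESN.
    zone "_cisco-uds._tcp.cust1.amer.wxc-di.webex.com" {
        type master;
        file "db.cisco-uds-site1.pinpoint";
    };

    // Reverse zone for the site LAN, holding the ESN's PTR record.
    zone "10.10.in-addr.arpa" {
        type master;
        file "db.10.10.rev";
    };
};

// Clients at every other site only get the conditional forwarder, so they
// never learn about site 1's ESN.
view "default" {
    match-clients { any; };
    recursion yes;
    zone "cust1.amer.wxc-di.webex.com" {
        type forward;
        forward only;
        forwarders { 192.0.2.53; };
    };
};

// ---- db.esn-site1.pinpoint : forward pinpoint (A record for the ESN) ----
$TTL 300
@   IN SOA  ns1.cust1.example.com. hostmaster.cust1.example.com. (
            2024010101 3600 900 604800 300 )
    IN NS   ns1.cust1.example.com.
    IN A    10.10.1.20

// ---- db.cisco-uds-site1.pinpoint : site-specific SRV answer ----
// Lower priority value is preferred (RFC 2782): clients try the DI cloud
// nodes (10) first and fall back to the local ESN (20).
$TTL 300
@   IN SOA  ns1.cust1.example.com. hostmaster.cust1.example.com. (
            2024010101 3600 900 604800 300 )
    IN NS   ns1.cust1.example.com.
    IN SRV  10 10 8443 cXXXX011ccm4.cust1.amer.wxc-di.webex.com.
    IN SRV  10 10 8443 cXXXX021ccm5.cust1.amer.wxc-di.webex.com.
    IN SRV  20 10 8443 esn-site1.cust1.amer.wxc-di.webex.com.

// ---- db.10.10.rev : reverse lookup (10.10.1.20 -> 20.1.10.10.in-addr.arpa) ----
$TTL 300
@     IN SOA ns1.cust1.example.com. hostmaster.cust1.example.com. (
              2024010101 3600 900 604800 300 )
      IN NS  ns1.cust1.example.com.
20.1  IN PTR esn-site1.cust1.amer.wxc-di.webex.com.
```

Check the result with `named-checkconf` and `named-checkzone` before reloading, then query `dig @<local-dns> SRV _cisco-uds._tcp.cust1.amer.wxc-di.webex.com` once from a host in the site subnet and once from a host elsewhere: the first answer must contain the ESN target, the second must not. Also confirm that `dig -x 10.10.1.20` returns the ESN name, since the page requires both forward and reverse entries for every ESN. Microsoft DNS achieves the same split answer with the Resolution Policies and Zone Scopes named above instead of views.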
Proxy settings
The Enhanced Survivability Node has a module that registers to Control Hub for telemetry and monitoring, so the node must reach the cloud over the internet, either directly or through a proxy server. There are three options for configuring how the Enhanced Survivability Node reaches Control Hub:
- If you don’t have a proxy to reach the internet, the Enhanced Survivability Node reaches Control Hub directly, without any proxy server.
- You can configure the proxy server settings in the Unified CM publisher installed on-premises using the CLI admin console:
- utils ucmgmt proxy add
- You provide the proxy server details in the Control Hub activation form, and automation configures them on the node during activation.
If a proxy server is present at the customer’s site, allow the following URLs on both the proxy server and the firewall.
URLs | Purpose |
*.ucmgmt.cisco.com | Control Hub |
*.webex.com | Control Hub Telemetry |
Virtualization specification
The ESN’s supported ESXi versions, VM specifications and hardware requirements match those of a single Unified CM medium OVA, as described in Virtualization specs.
Local push notification service (LPNS) settings
Enable LPNS in the Dedicated Instance Unified CM cluster so that Webex App and Jabber clients on Apple iOS devices receive notifications during a survivability event. For more information, refer to Push Notifications (On-Premises Deployments).
Local PSTN gateway
Deploy a local PSTN gateway in every survivability site: during a survivability event, the Enhanced Survivability Node uses the local PSTN gateway for intercluster, intersite, emergency, and PSTN calls. If there is a central PSTN gateway and a local PSTN gateway is used only for survivability, configure a separate SIP trunk from the ESN to the local PSTN gateway, along with the dial plan changes required to route calls to the local gateway during the survivability event.
Supported devices
All Cisco phone models supported by Unified CM can fail over and register to the Enhanced Survivability Node. However, only 78XX/88XX phones display “Service Interruption. Few Features may not be available” while registered to the Enhanced Survivability Node.