Cisco Call Manager Express remote working / branch office example

Hi, thanks for getting back to me. I was beginning to think the Cisco product offering was too complicated for my needs.

But, I have seen Cisco promoting their IP Phone / IP Communicator Softphone - so users can connect to the office with their Softphones from home.
How does this work then, as obviously they do not have a CME router at home or in thier hotel room - they must 'somehow' VPN to the office and be able to use a real IP address to say surf the net while somehow being able to TFTP the CIPC phone image from the office, or am I missing something here?

I am sure it's possible...well I think it is...

Cisco has a Cisco SIP server solution but ofcourse quite expensive compared with the open source SIP solutions.

Cisco CME alone cannot communicate with a remote IP phone without a SIP server somewhere along the line.  see

http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_configuration_example09186a00808f9666.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml#diag2

Thanks Guys,

Looks like I now have to delve into the abyss of VPNs to try this out. I did think it was possible - if you know of any nice config examples It would be much appreciated.

So, I just setup a nice simple VPN from my 'Hotel' to my 'Office' - somehow, then point my IP Communicator to a VPN interface which will appear and away I go? Sounds good. I am not too bothered about QoS - this is more of an evaluation.

Will give it a whirl.

I'm afraid I don't have a specific configuration handy myself. I did find this site:
http://supportwiki.cisco.com/ViewWiki/index.php/Cisco_Router_as_a_Remote_VPN_Server_using_SDM_Configuration_Example

It explains how to configure through SDM, but there is a config pasted at the end, with descriptions for the different components.

Note that this part is just setting up a VPN connection on your router. Once you have your VPN connection up and running you can register and use your IP Communicator like you would at the office.

JG

I disagree with Jay_Gridley  vpn theory and i look forward to the solution working. The IP phone communicator will need a SIP server to connect with a CME.

Meanwhile please have a look at this Cisco document on cisco CME features particularly page 3-47, 3-48 and 3-55 where the restrictions are clearly stated out.

http://www.hh.se/download/18.59906e3a11ee92e66ac80009688/3_4_CME_Features_Functionality.pdf

I would like to add that I may have interpreted things incorrectly and I could be wrong.
It would be a shame, though,  if you were required to actually buy CUCM or run an expensive SIP solution for this to work...

I'm very looking forward to the findings of TS.

JG

Hi Jay, what i find baffling is cisco CME recognises the IP phones via their mac-addresses; so will the mac-address be able go through the vpn tunnel ?

I tried using CME to setup a commercial voip (similar to vonage) at a time and couldn't get it working but i never tried vpn but i don't think i would have tried it really because of the extra configuration and resources on the network when i am able to implement same thing  almost free with a SIP solution like asterisk and that was what i did at the end of the day.

But like i said earlier i am interested in the vpn solution with cisco CME if it works.

Hi 602650528 and Jay,

Well this is certainly getting interesting, as pointed out in a couple of the links from 602650528 "Cisco CME does not support remotely registered phones" which is pretty clear. But the document is from 2005 so maybe this is now supported.

I say this as I found this: http://www.sadikhov.com/forum/index.php?/topic/150309-configure-a-remote-ephone-with-cme/page__mode__threaded__pid__781630

Which sounds promising, but there is no confirmed config posted.

I setup a VPN (for the first time) in my lab yesterday and discovered a few things - the Cisco Doc posted by Jay helped enormously - http://supportwiki.cisco.com/ViewWiki/index.php/Cisco_Router_as_a_Remote_VPN_Server_using_SDM_Configuration_Example

I noticed you cannot establish a VPN without a DHCP range or address being applied to the client at the remote office. As soon as I disabled DHCP no connection would establish. So this caused me an issue.

I currently have my Cisco 7906 phones plugged into my CMERouter and an old Cisco switch, these obtain a DHCP address in the 10.0.0.0 subnet, option 150 is enabled to TFTP the files to the phones and this works. However to get my remote VPN to work, I was forced by SDM to use a different subnet for the remote DHCP addresses - so they were getting 172.16.0.0 addresses and so simply would not register with the CME router (obviously). What I am not sure is whether I can issue the DCHP Option 150 to TFTP the CIPC image to the remote IP Communicator in the 172.16.0.0 subnet as well as those in the 10.0.0.0

I only remembered the Option 150 command while driving home lastnight - and am kicking myself for not trying it before I left the office! :-(

I am now away from the office until Wednesday but will be straight back at it to get this sorted with your help. I have posted below my config from my router if you are interested, I am hoping I can just add Option 150 to the second VPN DHCP address range and it will work. I am hoping the sadikhov link will be a good indicator of this being able to work.

Current configuration : 5016 bytes
!
! Last configuration change at 16:48:27 GMT Thu Aug 6 2009 by admin
! NVRAM config last updated at 16:38:29 GMT Thu Aug 6 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CMERouter
!
boot-start-marker
boot system flash c2800nm-adventerprisek9_ivs-mz.124-15.T5.bin
boot-end-marker
!
enable secret 5 $1$FPj/$OhYZbP7RYNsPbQO4./
!
aaa new-model
!
!aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
clock timezone GMT 0
dot11 syslog
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.2
!
ip dhcp pool voippool
   network 10.0.0.0 255.255.0.0
   option 150 ip 10.0.0.1
   default-router 10.0.0.1
   lease 7
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
username admin password 0 cisco
username bob privilege 15 secret 5 $1$sBsEFWD.qPcMUZ5PKGYvX/
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpn2
 key vpnpassword
 pool SDM_POOL_1
 acl 100
crypto isakmp profile sdm-ike-profile-2
   match identity group vpn2
   client authentication list sdm_vpn_xauth_ml_2
   isakmp authorization list sdm_vpn_group_ml_2
   client configuration address respond
   virtual-template 2
!
!crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile2
 set transform-set ESP-3DES-SHA1
 set isakmp-profile sdm-ike-profile-2
!
!crypto ctcp port 10000
!
!interface FastEthernet0/0
 ip address 10.0.0.1 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address dhcp
 duplex auto
 speed auto
!
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile2
!
ip local pool SDM_POOL_1 172.16.0.1 172.16.0.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
ip http server
no ip http secure-server
ip http path flash:/gui
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
!
!
!
!
!
tftp-server flash:/phone/7906-7911/apps11.8-3-2-27.sbn alias apps11.8-3-2-27.sbn
tftp-server flash:/phone/7906-7911/cnu11.8-3-2-27.sbn alias cnu11.8-3-2-27.sbn
tftp-server flash:/phone/7906-7911/cvm11sccp.8-3-2-27.sbn alias cvm11sccp.8-3-2-27.sbn
tftp-server flash:/phone/7906-7911/dsp11.8-3-2-27.sbn alias dsp11.8-3-2-27.sbn
tftp-server flash:/phone/7906-7911/jar11sccp.8-3-2-27.sbn alias jar11sccp.8-3-2-27.sbn
tftp-server flash:/phone/7906-7911/SCCP11.8-3-3S.loads alias SCCP11.8-3-3S.loads
tftp-server flash:/phone/7906-7911/term06.default.loads alias term06.default.loads
tftp-server flash:/phone/7906-7911/term11.default.loads alias term11.default.loads
!
control-plane
!
!
gatekeeper
 shutdown
!
!
telephony-service
 no auto-reg-ephone
 load 7906 SCCP11.8-3-3S.loads
 max-ephones 5
 max-dn 5
 ip source-address 10.0.0.1 port 2000
 time-zone 21
 time-format 24
 date-format dd-mm-yy
 max-conferences 8 gain -6
 time-webedit
 transfer-system full-consult
 create cnf-files version-stamp 7960 Aug 03 2009 08:53:18
!
!
ephone-dn  1
 number 1001
 name Mike
!
!
ephone-dn  2
 number 1002
 name Village
!
!
ephone-dn  3  dual-line
 number 1003
 name Laptop
!
!
ephone  1
 device-security-mode none
 mac-address 0021.A0D9.802F
 speed-dial 1 1002
 speed-dial 2 1003
 type 7906
 button  1:1
!
ephone  2
 device-security-mode none
 mac-address 0021.A02B.DC58
 speed-dial 1 1001
 speed-dial 2 1003
 type 7906
 button  1:2
!
ephone  3
 device-security-mode none
 description Laptop Softphone
 mac-address 0017.4279.1AE9
 speed-dial 1 1001
 speed-dial 2 1002
 type CIPC
 button  1:3
!
!
alias exec b show ip interface brief
alias exec att show ephone attempted-registrations
alias exec nt show ip nat translations
!
line con 0
 logging synchronous
line aux 0
line vty 5 15
!
scheduler allocate 20000 1000
ntp clock-period 17180142
ntp master
ntp update-calendar
ntp server 10.0.0.2
!
end

Thanks for  your help and insight guys, hope to get this working Wednesday/Thursday - much appreciated, enjoy your weekends.

Hi Jay,

My thinking is that CME is designed for small office environment while Callmanager 6.1 is designed for larger enterprise environment . That is the scenario i have seen CME deployed so far
http://www.cisco-tips.com/call-manager-express-cme-deployment-scenarios/

 t think Cisco call manager 6.1 supports SIP in-built which is necessary to locate the the remote IP phones since they could be very mobile. What protocol runs between the remote IP phones and Cisco Call Manager 6.1 in the working one for you ?

HI 602650528,

I've always assumed the protocol to be SCCP. We don't usually configure SIP phones, as there's no need in the Cisco - Cisco environment.
I also recall that when you configured a phone as SIP it should also tell you this in the icon by the phone number. It does not contain the SIP icon.

On the other hand, I'm not 100% sure it's not SIP. I think I'll have a look when I'm back in the office. :-)

Thanks for clearing this up cordeos!

Hi guys, going to climb right back into this on Wednesday when I am back in the office, no doubt asking Cordeos for some more valuable insight into the mechanics of his working scenario.

Thanks to all 3 of you at least I now know I am attempting to at least do the possible which is a start!! :-)

Hi Guys,

Well it's true, Cordeos was in fact correct, it can be done as I now have it working. The CME Router and the Cisco 7906G phones are in the office and I can VPN in using my laptop and connect my Cisco IP Communicator Softphone up, ping my CME Router and make calls.

The config of the CME Router is exactly as was posted a few days ago, noting had to change. Where I did have a problem was with making the VPN connection. The only VPN endpoint we have here is a Juniper SSG320 (no Cisco VPNs here) - I know I could use the Cisco CME as a VPN Endpoint, but I wanted to leave that in the Enterprise behind the existing Juniper we use in Production - so had to use the Juniper. I was unable to use the Cisco VPN Clinet to play nicely with the Juniper as there didn't seem to be anywhere in the Cisco client to configure all the IKE Phase 1 and IKE Phase 2 settings. I gave up with trying the Cisco --> Juniper solution for the VPN, but stumbled upon the rather excellent (and free) Shrewsoft VPN client. (http://www.shrew.net/software) this sat happily on my Laptop, connected to the Juniper, established the VPN connection and I was able to ping and hence connect to my CME Router and make calls from here in the UK to my UK office. Will be testing it in various locations around the world in the next few weeks to see how latency, jitter etx affect it.

So, it can be done and thank you for the help and support alog the way. If anyone knows how to get the Cisco VPN client to work with a Juniper that would be great, but failing that I'll use the shrewsoft VPN client for my testing.

Cheers Guys,

Mike

Excellent !!! Thanks all for this enriching experience

No worries, think we all learned a few things on this one!