Collab Edge MRA for 7800/8800/DX Series Endpoints

Cisco recently posted Expressway (and VCS) X8.5.2 and 10.3.1 firmware for the 8800 and 7800 series phones.  The combination of these products allows these phones to register remotely to CUCM utilizing Collaboration Edge MRA.  (The DX-series (650/70/80) is expected to support MRA in the next release of code due out shortly.)

This functionality isn’t TAC supported yet, and has been released in a “feature preview” form.  I’ve set it up and tested it and it works well for the most part.  However, there is not full feature parity for a phone registered via MRA vs directly registered to CUCM, but for testing and basic calls, it works well.

In order to set it up, make sure your Expressway MRA deployment for Jabber is working properly.  MRA for the 7800/800 series phones uses the same service discovery process that Jabber uses, so if you have Jabber working, you’ll have 95% of the work done.

One important piece of information to know is that the phone firmware trusts 100+ public root CA certificates.  If your Expressway-E server does not have a certificate signed by one of these CA’s it’s not going to work for the phones.

Here’s the basic procedure I followed to make it work:

  1. Installed the 8800 10.3.1 COP file via OSadmin and restarted the TFTP service.
  2. Logged in to Jabber via MRA to ensure the correct functionality of my MRA system and my login credentials.
  3. Defined the phone in CUCM and then connected the phone directly to CUCM so that it would pull the version of firmware that supports MRA.  (My 8851 phone shipped with an older version of code that did not have MRA support.)
  4. Took the phone off of the corporate network to an internet-access only network.
  5. I had initial problems with the phone not attempting MRA lookup after being connected to the internet-only network, so I followed the troubleshooting process of resetting the Network settings on the phone.  It then started to try the MRA process.

Steps the phone follows in MRA registration:

1) Phone attempts normal TFTP registration/_cisco-uds._tcp.domain.com lookup process:

IMG_1456

This fails because the phone has no direct access to CUCM.

2) Firmware now prompts for MRA credentials (These would be the same credentials you use for Jabber MRA login — in my case it is set to use LDAP/AD for authentication):

IMG_1458

Phone now attemps  _collab-edge._tls.domain.com service record lookup (like Jabber does) to discover the Expressway-E/VCS-E host.

3) Phone completes MRA login process

IMG_1459

The phone is now registered and usable.

I’ve read conflicting information about the number of calls supported, and number of lines supported via MRA.  In my experience I have two lines on the phone registered and am able to make two calls per line.  (I’ve not tested more than two calls per line.)  The list of features that may work or not is extensive, so be careful as things like Barge or Intercom may not work yet.

The phone also upgraded code via MRA successfully which is good to know.

IMG_1454

I’ve noticed some oddities with on-hook vs. off-hook dialing.  I know there are some limitations around KPML currently.  In my experience it seems to off-hook dial fine on the primary line, but on a secondary line or when attempting a second call on the primary line you MUST on-hook dial.

Phone registration isn’t supported via TAC yet so feel free to post here and we can collectively attempt to assist.  Remember the most basic step to troubleshoot is to see if your Jabber can successfully login.

88 thoughts on “Collab Edge MRA for 7800/8800/DX Series Endpoints

  1. Great to see someone try this and share findings in detail! especially the user experience of how it works (i half expected it to ask for email and figure out the service discovery domain but i can see it has to be input manually). Wondering if MWI and CTI work via MRA?

    • MWI and missed call logs do work (just tested it). CTI doesn’t work yet. On-hook vs. Off-hook dialing is also hit and miss. I think the official word is that you are supposed to on-hook dial everything because of KPML support issues.

  2. Great stuff..just had my guys start this and they are doing some testing tonight. Will also provide feedback.

    Ps I have a dx80 waiting very patiently to test as well so cant wait for that code release

  3. Thanks a lot Michael, Question…what happends if a root CA is not on the list, can I install a root certificate on the phone? And another question is I see that you need to login with the end user like jabber but the associated end user with that phone need to be enabled for IM & P if we only want to register the phone? Thanks a lot.

    • Hi Manuel. You cannot install different certificates on the phone. It only works with the pre-installed ones.

      Excellent second question. It is my understanding that the user has to be provisioned for IM&P as well. I will check into the possibility of only allowing phone MRA and not giving the user Jabber.

  4. Did anyone else get through with this? Trying and no luck, firmware upgraded but not prompting for a user and password when off the internal network.

    Jabber mra is working fine

    • It’s not planned based on everything I’ve heard. You’ll use the existing ASA-based VPN Phone solution for the 9900/8900 series (or some sort of HW-based VPN).

  5. Hey Mike,
    First of all, thanks for sharing this, as you mentioned, Cisco TAC is not supporting this yet and Cisco 8841 doc for Expressway, looks limited.
    We are facing the same issue as Arvind – when we connect the 8841 phone outside, it doesn’t prompt for login (as shows on the second picture), phone stays all the time like the first pic.
    I’ve seen the info regarding the Network reset when changing from inside to outside environment, tried that many times, but no luck.
    The firmware we have on the phone is 10.3.1.20, which came already with, and it’s the only 8841 10.3 firmware available for download, so I think we are ok on this part.
    Any tip/help would be greatly appreciated.
    Regards,

    • Does your DHCP scope provide a DNS server and no option 150 TFTP? I had to double-check that on mine. We need DNS for the service discovery process, and we don’t want TFTP. 10.3.1(20) is the code I’m using successfully. Let me know what you find there.

  6. Hi Mike,
    Thanks so much for your reply – even though the alternate tftp was set to off, the fact that the tftp server field had an IP address, it was blocking the phone to start on Expressway mode. I could bypass this by setting the dhcp to off and erase the tftp field manually – after phone reboot, it finally showed login screen.
    The problem now is, the phone is trying to register but it doesn’t go through – phone has CUCM certificates as I made it register internally first.
    Just to confirm: does it need to have VCS-E CA certificate by any chance?
    Best Regards,

    • I’m going to bet that the VCS-E cert has to be signed by a CA that is on the trusted list of the phone firmware. I didn’t have any problem with this when I deployed mine. (GoDaddy is the CA I used.) You should be able to generate a problem report on the phone (I forget where it is on the phone menu system, but there is an option) and send that to yourself and see the exact reason the phone is failing.

    • If I may

      I only sorted this tonight and our cert was an issue
      I created an internal cert when I was initially testing mra and I installed the cert on all my remote sx devices. I bought (grudingly) a public cert a few days go whilst testing.
      As mentioned, no prompt was coming up.

      Things I did were
      1. Removed all my internal certs and reset to default ca on both vcs-c and e.
      2. I lost the traversal zone as the cert wasnt known now.
      3. I also had the traversal zone set to 7002 and changed to 7001
      4. Put in the public cert and also readded my private certs to each box
      5. Restarted boxes
      6. Went into the cert test tool to check the zone and did a test which initially failed until I changed the port from 7002 to 7001 as mentioned before
      7. I had my phone set using static ips so I manually removed the tftp. Of course I was now off the internal network
      8. Phone advised that it will erase the trust list as well
      9. Once that did it I was able to get the prompt and login.

  7. I’ve got this working on Expressway 8.5.2 and UCM 9.1.2 code. We’ve had MRA for Jabber working for ages so there wasn’t any configuration required to get this working.

    Seems to work well enough, although there is a problem where the phone will randomly log out/unregister when connection via MRA. Looking into the problem report now, but it might be a function of the 9.1.2 code.

    • I’ve noticed the same thing. My 8851 gets logged out every 24 hours or so. I’m not sure if this is a firewall TCP session timeout thing between the phone and Exp-E, or soemthing Expressway/VCS related. I’d be curious to know what other people are seeing too.

      • Yeah I’m planning to spend some more time and check out the PR next week, and hope that it has something useful in there. There’s also an annoying bug where when it does unregister, you have to delete your password and enter it again, even though it appears on the screen to be cached.

      • Hi:

        I went thought the setup and found out the solution for the login timeout…

        Check out this guide, there is a persistent setting under CM..

        http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cuipph/8811_8841_8851_8861/10_5/english/adminguide/P881_BK_C0632068_00_cisco-ip-phone-8811-8841/P881_BK_C0632068_00_cisco-ip-phone-8811-8841_chapter_01011.html#P881_RF_CA0E0271_00

        quote :

        Configure User Credentials Persistent for Expressway Sign-In
        When signing in to the network with Mobile and Remote Access Through Expressway, a user is prompted for a service domain, username, and password. If you enable the User Credentials Persistent for Expressway Sign-In parameter, you can store users’ login credentials so that they do not need to reenter this information. This parameter is disabled by default.
        • Enable User Credentials Persistent for Expressway Sign-In for a Phone
        • Enable User Credentials Persistent for Expressway Sign-In for Phone Group
        • Enable User Credentials Persistent for Expressway Sign-In Across Network
        Enable User Credentials Persistent for Expressway Sign-In for a Phone

  8. @DVST, I don’t have any problems with the saved password when logging back in after being disconnected. Odd that you are hitting it. Is that with an 8800 series?

    • Mike, it is an 8841. I’m running it against a 9.1.2 UCM cluster though, so your mileage may vary.

      @Wing Mo – what version of UCM are you running? I’ve didn’t expect that in 9.1.2, but I’ve got a 10.5.2 cluster and it doesn’t show any of those settings in the product specific section.

      • Mike or Wing Mo,

        I am having the same issues with Cisco 7821 series phones running in CUCM 9.1.2 and Expressway X8.5.2. The phone seems to logout after some time, maybe it’s 24 hours. Am wondering if anyone found the fix or where the settings are to change this.

      • Mike or Wing Mo,

        I am having the same issue. I have a cisco 7821 registered over MRA and it logs out after about 24 hours. i could not find these setting anywhere. has anyone figured this out and where to make the changes if that is possible. I am running CUCM 9.1.2 and Expressway X8.5.2

  9. Hi Mike,
    I’m still troubleshooting as I couldn’t make my 8841 phone to register on Expressway mode.
    Quick question: did you do an option 42 configuration on your DHCP scope, to make sure the phone had a NTP reference when outside?
    Thanks very much again,

    • Hi Rick,

      Do you have Jabber working over MRA? So long as you’ve got that working with the correct Public CA signed certificates, it should work fine with no extra configuration required.

      You can also get the 88XXs to generate a problem report, which might be helpful for you.

    • Hi Rick, are you adding option 150 in your DHCP pool? If so, that needs to be removed as it tries to connect to CUCM directly if it hits that option.

  10. Hi Mike,

    Very good demo !
    Could I know the Expressway-E whether require RMS License ?
    And the “Trusted public CA chain” is mean we must purchase from outside cert company ? free self-cert also ok ?

    thanks much.

    Regards,
    Victor

    • RMS is not required for MRA for phones. RMS is just for business-to-business calls.

      A self-signed certificate will not work for Phone MRA. The Phone only has about 130 trusted public CA certificates, and your Expressway-E cert must be signed by one of these 130 or the phone won’t trust your Expressway and won’t register.

  11. Do you need VCS/EXPW 8.5.2+ to use new MRA enabled firmware? Will this work on 8.5.1? (8.5.2 isn’t on CCO, only 8.5.3)

    Cheers!

    • Phone security profile is needed on SAN of the C, see page 17 of the MRA deployment guide 8.5.. E’s SAN is for chat node alias. C’s SAN is only for phone security profile that’s fqdn and requires TLS. But that’s only between C and CUCM, unless you want to do TLS between C and CUCM ( why? cluster security mode to 1 in restrict cucm version), then there is really NO reason for you to use the TLS on the phone security profile, the standard none secure profile for any device will work. Hope this helps.

  12. I have this strange certificate issue..

    MRA login works fine with Jabber 10.6 and with MX300G2 endpoint – No ssl issues. Expressway-C & E release is X8.5.3

    MRA login with 8841 phone (10.3.1 firmware) fails with TLS handshake errror. Same credentials used as with Jabber client.

    8841 Phone error report complains that “Certificate doesn’t match”:

    edge_gateway-Verify Cert[3]: Issuer = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    edge_gateway-Verify Cert[3]: Subject = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    edge_gateway-Verify Cert[3]: Certificate doesn’t match
    edge_gateway-TLS – Handshake failed: [SSL_ERROR_SSL]
    edge_gateway-EDGE_TLSSEC:Failed to connect. result 1
    edge_gateway-getEdgeConfig: Error in createTlsSecConn rc:106

    Our Expressway-E has Symantec/Verisign issued server cert installed.

    The Server cert is issued by the Intermediate Cert “Symantec Class 3 Secure Server CA – G4”
    The intermediate Cert “Symantec Class 3 Secure Server CA – G4” is issued by another intermediate cert “VeriSign Class 3 Public Primary Certification Authority – G5”
    The intermediate cert “VeriSign Class 3 Public Primary Certification Authority – G5” is issued by the Symantec root cert “Class 3 Public Primary Certification Authority”

    The following Intermediate certs are installed on the Expressways:
    – Symantec Class 3 Secure Server CA – G4
    – VeriSign Class 3 Public Primary Certification Authority – G5
    and the root cert:
    – Class 3 Public Primary Certification Authority

    The root cert “Class 3 Public Primary Certification Authority” keysize is 1024 bit sha1RSA and is listed in the Certificate Authority Trust List in the 8841 phone -> http://tinyurl.com/on7k4mt

    Any ideas why the TLS handshake fails..?

    • Make sure the CA cert for the 8841, it’s the signer’s cert, from the way you have discribed, should be the intermediate CA, no the root CA, so the “Symantec Class 3 Secure Server CA – G4” needs to be in the embedded firmware of the 8841, which i don’t see.

  13. Any one have one way audio with the 8851 over MRA? I have a fully functional Jabber MRA system with public certs and using various clients. I can get the 8851 to register over the expressway but I get one way audio, I can sign in with jabber for mac on the same network and I get 2 way audio. I have jabber on my iphone and that works fine as well on LTE. I would have thought one way audio would be seen on all my devices not just the 8851. Im running 10.3.1.20 on the phone. I just started trouble shooting but wanted to see if anyone else has seen this.

    Also, Has anyone successfully got the DX80 to register over MRA?

  14. Im having an issue where MRA for jabber is working 100% without issue… but the phone is failing to register. I get the MRA login and it says its connected to the expressway server… but than expressway throws an error about not being able to register the device due to unknown domain. Any idea’s?

    • I got passed this and got the phone working. However, it’s not using TLS for voice traffic (not a huge deal since the sip trunk to the PSTN is non secure anyway). Ideally I would like to get TLS working but if i change the phone security certificate to TLS on port 5061, i get the above results. the domain that is the name of the security profile is part of the SAN on the both expressway-e and expressway-c certs.

  15. 8851 phone successfully connects to the Expressway server, but then cannot subsequently register with CUCM. MRA is working fine for soft clients. Any ideas?

      • Hello Mike,

        I have the same issue. The device has previously been registered in cucm.

        Cucm version 10.5.2
        Exp 8.5.3
        Firmware 10.3
        Phone model 8861

        Any assistance? Told by tac exp needs to be 8.6 or greater however i see you have had it working in earlier versions.

        Cheers,
        Tez

      • The system is live atm, it may come to upgrading, not sure if this will require an additional Public certificate to be generated. I would like to find a way to have it to work currently.

  16. Is Jabber (Mac or J4W) over MRA supported while a 88xx is connected over MRA (both have same username and DN)? I recently got my 8851 working over MRA but noticed instability logging into my Jabber over MRA since then.

    • We’re seeing the same thing here. As soon as you connect an 88XX via MRA, any soft clients (mobile or desktop) immediately stop working.

    • Just in case you didn’t figure this out already, this was a phone firmware bug. You can go to https:///edgestatushttpproxyrequests and sort by expire time to see one every 5 seconds. This was causing Collaboration Edge HTTP Intrusion Protection to kick in and block requests. It should be fixed in the 11.0 firmware release and above. Wasn’t able to find the bug link though.

  17. Hey guys great blog….. Im trying to work with Expressway-E connecting 78xx and 88xx and I actually get connected just fine. However, after connecting a call it loses audio at the 15:00 mark consistently. Im running 10.5.2 on CUCM and the latest relase on the Exp E 8.6.

    • Hi Clarence, 15:00 sounds like a firewall issue to me. Look into SIP ALG/FIXUP and make sure the settings are correct. (Usually I see documentation saying to turn these features off.) The other issue I’ve seen in a SIP session timer setting in VCS/Expressway you can adjust. But 99% of the time I’ve seen this it’s the firewall dropping the session.

      • Thanks Mike. I thought that all along but I don’t know enough about firewalls to get the guys to look. I’ll throw your suggestion out there and see what they find. I’ll circle back with the results

  18. Hello all…wondering if someone can help me out. I am trying to do MRA Certificate based authentication on my 88xx. I am trying to avoid our users having to enter their password and close a security hole by having it remember the password. MRA works just fine for credential based authentication.

  19. Hello everyone, I’m new to VoIP, SIP and all this fun stuff. I was wonder if the Cisco 8800 series phones can be used without expressway? Can it be configured to work on say, Vonage Business? Thanks in advance🙂

    • Cisco sells a different versions of the 8800 series phones for use with non-Cisco SIP call control. I’m not sure if vonage would be supported, but anyone running standards based SIP would likely work. These phones are identical to normal 8800 series but with a different boot loader and firmware. A 8800 phone for Cisco call control can’t be converted for use with third party. You’ve got to buy the specific third party version.

  20. Hey Mike, fantastic website. You are the reason I have Expressway MRA up and running for Jabber and Endpoints and it’s amazing!!!

    I did have a question about the voice services domain. Do you know of a way we can pre-populate this on endpoints?

  21. Hi All

    I want to register DX650 through MRA.

    1)Will it work ? We have MRA working fine for a year now.

    2)We also have CP-8865 working in few regions over MRA.

    PS. We are using CM 10.5.1 and Latest firmware on DX650.

  22. Is it possible to use an existing SAN certificate that I have with Godaddy and just add my expressway-e domain name as a subject alternate name to it?

  23. Hello everyone,
    When I plug my phone 8851 it register and ask for service domain, username and password. When I tried to input my password it select something different for instance I want to type 9 when I press the key before I select 9 something is already being selected. it looks like the selection is going too fast.

      • Hi Mike,
        i hit the key multiple time to get to 9 same thing i am getting connecting on the phone screen stay there for a while and hung i unplug and restart again same thing. My jabber for mac and android are working fine using MRA but my 8851 still not connecting after i put my credentials. i can’t tell if it is my password selection i mentioned above is the issue. any help ?

  24. I’m implementing MRA with 7821, thats works fine, but I don’t know.

    What is the procedure to make a Xfer without KPML..?

    • I fix the KPML issue with SIP Dial Rules, but I made upgrade to Expressway X8.7.3 and c7821 to 11.0(1) and KPML works fine.

  25. We are just deploying this solution and have everything working fine, other than the fact that the phones seemingly randomly de-register. We have had network teams check Firewall’s etc, but nothing has been found. Was wandering whether anyone has suffered this?

    When the de-registration occurs, it sometimes reboots the phones and sometimes prompts to logon with MRA creds (which are sometimes pre-populated and sometimes aren’t). Note, no local network (i.e. home broadband) failure is occurring at the same time as the de-registration event.

    If anyone has suffered something similar, please let me know!

  26. Anyone have the new 8821 wireless ip phone working with MRA. I have a phone that registers to cucm fine. I have EW working fine as other phones register via MRA. But when I clear the CTL and the ITL files I associate to a internet wifi with no opttions 150 I am never prompted with any MRA credentials. I am running sip8821.11-0-2hee-10

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s