Webex Calling Registration Based Local Gateway Utility

By: Anthony Holloway

📝 Notes Below 👇

Webex Details

Trunk Group OTG/DTG

Outbound Proxy

Registrar Domain

Line/Port

Username

Password

CUCM Details

CUCM Primary IP

CUCM Secondary IP

Configuration Template

key config-key password-encrypt $encryptkey$ ; Optional: Customize this password
password encryption aes
crypto pki trustpoint wxctrustpoint
 revocation-check none
!
sip-ua
 timers connection establish tls 5
 crypto signaling default trustpoint wxctrustpoint cn-san-validate server
 transport tcp tls v1.2
 tcp-retry 1000
!
crypto pki trustpool import clean url http://www.cisco.com/security/pki/trs/ios_core.p7b 
voice service voip
 ip address trusted list
  ipv4 0.0.0.0 0.0.0.0 ; Optional: Specify all WxC and on-prem signaling addresses
 !
 mode border-element ; Note: Will require a reboot
 allow-connections sip to sip
 media statistics
 media bulk-stats
 no supplementary-service sip refer
 stun
  stun flowdata agent-id 1 boot-count 4
  stun flowdata shared-secret 0 $stunsecret$ ; Optional: Customize this password
 !
 sip
  asymmetric payload full
  early-offer forced
 !
!
voice class sip-profiles 1000
 rule 11 request ANY sip-header SIP-Req-URI modify "sips:" "sip:"
 rule 12 request ANY sip-header To modify "<sips:" "<sip:"
 rule 13 request ANY sip-header From modify "<sips:" "<sip:"
 rule 14 request ANY sip-header Contact modify "<sips:(.*)>" "<sip:\1;transport=tls>" 
 rule 15 request ANY sip-header P-Asserted-Identity modify "sips:" "sip:"
 rule 16 request ANY sip-header From modify ">" ";otg={{WxCTrunkOTGDTG}}>"
 rule 21 response ANY sip-header To modify "<sips:" "<sip:"
 rule 22 response ANY sip-header From modify "<sips:" "<sip:"
 rule 23 response ANY sip-header Contact modify "<sips:" "<sip:"
!
voice class codec 1
 codec preference 1 g711ulaw
!
voice class srtp-crypto 1
 crypto 1 AES_CM_128_HMAC_SHA1_80
!
voice class stun-usage 1
 stun usage firewall-traversal flowdata
 stun usage ice lite
!
voice class tenant 1000
 registrar dns:{{WxCTrunkRegistrarDomain}} scheme sips expires 240 refresh-ratio 50 tcp tls
 credentials number {{WxCTrunkLineAndPort}} username {{WxCTrunkUsername}} password 0 {{WxCTrunkPassword}} realm BroadWorks
 authentication username {{WxCTrunkUsername}} password 0 {{WxCTrunkPassword}} realm BroadWorks
 authentication username {{WxCTrunkUsername}} password 0 {{WxCTrunkPassword}} realm {{WxCTrunkRegistrarDomain}}
 no remote-party-id
 sip-server dns:{{WxCTrunkRegistrarDomain}}
 connection-reuse
 srtp-crypto 1
 session transport tcp tls
 no session refresh
 url sips
 error-passthru
 rel1xx disable
 asserted-id pai
 no pass-thru content custom-sdp
 sip-profiles 1000
 outbound-proxy dns:{{WxCTrunkOutboundProxy}}
 privacy-policy passthru
!
voice class tenant 2000 
 session transport udp
 url sip
 error-passthru
 no pass-thru content custom-sdp
!
voice class uri 1100 sip
 pattern dtg={{WxCTrunkOTGDTG}}
!
voice class uri 2100 sip
 host ipv4:{{CUCM1}}
 host ipv4:{{CUCM2}}
!
voice class server-group 2200
 ipv4 {{CUCM1}}
 ipv4 {{CUCM2}}
!
voice class dpg 1200
voice class dpg 2200
dial-peer voice 1100 voip
 description Webex Calling Incoming Call Leg
 session protocol sipv2
 incoming uri request 1100
 destination dpg 2200
 voice-class stun-usage 1
 no voice-class sip localhost
 voice-class sip tenant 1000
 voice-class codec 1
 dtmf-relay rtp-nte
 srtp
 no vad
!
dial-peer voice 1200 voip
 description Webex Calling Outgoing Call Leg
 session protocol sipv2
 destination-pattern ABC123
 session target sip-server
 voice-class stun-usage 1
 no voice-class sip localhost
 voice-class sip tenant 1000
 voice-class codec 1
 dtmf-relay rtp-nte
 srtp
 no vad
!
dial-peer voice 2100 voip
 description CUCM Incoming Call Leg
 session protocol sipv2
 incoming uri via 2100
 destination dpg 1200
 voice-class sip tenant 2000
 voice-class codec 1
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 2200 voip
 description CUCM Outgoing Call Leg
 session protocol sipv2
 destination-pattern ABC123
 session server-group 2200
 voice-class sip tenant 2000
 voice-class codec 1
 dtmf-relay rtp-nte
 no vad
!
voice class dpg 1200
 dial-peer 1200 preference 1
!
voice class dpg 2200
 dial-peer 2200 preference 1
!

Notes

Official Guide
2024 Cisco Live LGW Troubleshooting Session
UCK9 and SecurityK9 licenses required
Template assumes a single interface; hence no bind commands. If you want multiple interfaces, you may need to consider your binds.
I prefer to decouple the WxC subnets in the trust list. If you prefer to define them, please do so.
Numbering convention for dial-peers and the like
- Four digit numbers XYZZ
  - First digit "X" is the leg; 1 = Webex, 2 = CUCM
  - Second digit "Y" is the direction; 0 = Agnostic, 1 = Incoming, 2 = Outgoing
  - Next two digits "ZZ" are not used in this template
    - Could be used if you switched away from DPGs and use destination patterns instead
Destination pattern is ABC123 because we need the command, but the value is ignored
This template is designed for two CUCM servers, but feel free to adapt it for more servers or for another PBX (e.g., Avaya)
This template is designed for a vanilla CUCM SIP trunk, but do consider the following
- Device Pool and therefore CMG, Location and Region
- Inbound CSS
- Non-secure SIP Trunk Security Profile
- SIP Profile with Early Offer Best Effort and OPTIONS