[cisco-voip] Cisco Expressway for Jabber MRA query

Ahmed Abd EL-Rahman Ahmed.Rahman at bmbgroup.com
Fri May 22 12:30:44 EDT 2015


Hi Gents,

I'm implementing Expressway C and E version 8.5.2 for MRA and I have the following client setup:

- Split horizon DNS.

- 2 domains as follows, Internal: domainX.local and external: domainX.com

- All UC servers are joined to the internal domain: CUCM.domainX.local, IM&P.domainX.local, CUC.domainX.local, etc.

- The client has both a local certificate authority (CA) to locally sign his servers' certificates and is also registered with a public CA to sign his public servers' certificates.

- I have EXP-C and EXP-E to enable the Mobile Remote Access for Jabber clients from outside.

I'm able to put the EXP-C on either the internal domainX.local or the external domainX.com, and for sure the EXP-E on the DMZ will be on domainX.com, as it will be public and will be accessed from the internet.



My question is: should I place the EXP-C in domainX.local (internal) or domainX.com (external) for the setup to work?

I have the following concerns in this regard:

- If I place the EXP-C in the external domainX.com, will its communication with the internal UC servers, which are all in the internal domain, be okay? And will the certificate trust relationship with all UC servers and the relationship with the EXP-E be fine?

- If I place the EXP-C in the internal domain, will the certificate trust relationship with all UC servers and the relationship with the EXP-E be fine?

- Is it possible to have the EXP-C certificates signed by the local CA while the EXP-E certificates are signed by a public CA? Will it be okay?

- Is the "Unified CM phone security profile names" field, as part of the data to be entered when generating the CSR in the EXP-C, mandatory? I mean, do I have to use TLS for phones through this security profile, or can I just enable the non-secure phone profile without TLS? And if I can use the non-secure phone profile, do I have to enter this field when generating the EXP-C CSR, or can I leave it blank?

If anyone has a working setup, kindly brief me about it, especially the domains and certificates parts.





Best Regards

Ahmed Abd EL-Rahman
Senior Network Engineer
