[cisco-voip] Cisco Expressway for Jabber MRA query

Matthew Loraditch MLoraditch at heliontechnologies.com
Fri May 22 12:40:39 EDT 2015


Inline

Matthew G. Loraditch - CCNP-Voice, CCNA-R&S, CCDA
Network Engineer
Direct Voice: 443.541.1518


From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ahmed Abd EL-Rahman
Sent: Friday, May 22, 2015 12:31 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Cisco Expressway for Jabber MRA query


Hi Gents,

I'm implementing Expressway C and E version 8.5.2 for MRA and I have the following client setup:

- Split horizon DNS.

- 2 domains as follows, Internal: domainX.local and external: domainX.com

- All UC servers are joining the internal domain, CUCM.domainX.local, IM&P.domainX.local, CUC.domainX.local, etc.

- The client has both a local certificate authority (CA) to locally sign his servers' certificates and is also registered with a public CA to sign his public servers' certificates.

- I have EXP-C and EXP-E to enable the Mobile Remote Access for Jabber clients from outside.

I'm able to put the EXP-C on either the internal domainX.local or the external domainX.com, and for sure the EXP-E in the DMZ will be on domainX.com, as it will be public and will be accessed from the internet.



My question is, should I place the EXP-C in domainX.local (internal) or domainX.com (external) for the setup to work?

I have the following concerns in this regard:

- If I placed the EXP-C in the external domainX.com, will its communication with the internal UC servers, which are all in the internal domain, be okay? And will the certificate trust relation with all UC servers and the relation with the EXP-E be fine?

I would put the EXP-C on the internal domain.

- If I placed the EXP-C in the internal domain, will the certificate trust relation with all UC servers and the relation with the EXP-E be fine?

As long as you have the CAs that issue the certificates in both trusted lists, you will be fine.

- Is it possible to have the EXP-C certificates signed by the local CA while the EXP-E certificates are signed by the public CA? Will it be okay?

Same as above.

- Is the "Unified CM phone security profile names" entry, as part of the data to be entered when generating the CSR in the EXP-C, mandatory? I mean, do I have to use TLS for phones through this security profile, or can I just enable the non-secure phone profile without TLS? And if I can use the non-secure phone profile, do I have to enter this field when generating the EXP-C CSR, or can I leave it blank?

Not sure, I don't do secure phone traffic.

If anyone has a working setup, kindly brief me about it, especially the domains and certificates parts.



I have all of this working minus the secure phones. My Expressway Cs are on my .local domain and have their certs from my AD CA, my Es are set up dual NIC and their certs are "real" public SSL certs and are on my .com. No issues.





Best Regards

Ahmed Abd EL-Rahman
Senior Network Engineer
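
Added example, not part of the original thread: the trust requirement from the reply above (both issuing CAs present in both trusted lists), reproduced with the openssl CLI. The two CAs are throwaway stand-ins for the internal AD CA and the public CA, the host names expc.domainX.local and expe.domainX.com are hypothetical, and each trusted list is modelled as a PEM bundle.

```shell
#!/usr/bin/env bash
# Constructed lab: two throwaway CAs stand in for the internal AD CA and the
# public CA; host names under domainX.local / domainX.com are hypothetical.
set -eu

make_ca() {   # make_ca <file-stem> <subject CN>: self-signed CA cert + key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}

issue() {     # issue <ca-stem> <host-fqdn>: key + CSR + cert signed by that CA
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

trusts() {    # trusts <trusted-CA bundle> <peer cert>: prints yes or no
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

cd "$(mktemp -d)"
make_ca internal-ca "Constructed Internal AD CA"
make_ca public-ca   "Constructed Public CA"
issue internal-ca expc.domainX.local   # EXP-C cert from the local CA
issue public-ca   expe.domainX.com     # EXP-E cert from the public CA

# Incomplete setup: each side trusts only the CA that signed its own cert.
echo "C-only-internal trusts E: $(trusts internal-ca.pem expe.domainX.com.pem)"
echo "E-only-public trusts C:   $(trusts public-ca.pem expc.domainX.local.pem)"

# Setup from the reply: both issuing CAs in both trusted lists.
cat internal-ca.pem public-ca.pem > both-cas.pem
echo "C with both CAs trusts E: $(trusts both-cas.pem expe.domainX.com.pem)"
echo "E with both CAs trusts C: $(trusts both-cas.pem expc.domainX.local.pem)"
```

The same `openssl verify -CAfile` check can be pointed at the real certificates and CA bundles before they are uploaded, to catch a missing issuer in either list.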
