<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Follow up two....</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">We ran into the following issues (and resolutions). Hopefully this helps someone who's going through the design phase.</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">C-E Tunnel Issues: we had errors with the secondary C server trying to establish the tunnel. Turns out you actually _do_ need the cluster name and/or the partner C server in the SAN of the secondary C server certificate. Reissuing the C certs fixed that. </div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">Cannot Communicate to Server issues: turns out there's a bug that requires the host/domain of the E server to match that which is found in the SRV record results. We had tried to follow our established conventions of naming hosts based on their inside interface and with a data centre subzone. We had to resolve this by modifying the E host name and domain to match the SRV records. N1: it might actually only be domain that matters here, especially if the cert has the correct host name. N2: we ended up scraping the internal and external host names and went with one host name that had different address resolutions based on the split view DNS results. </div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">Cannot login: we just had to reissue the cert with the domain of the IM&P server added as a SAN. </div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">In the end, we couldn't get away with single name certs for the C, and ended up getting multi domain ssls for each server. </div><div id="AppleMailSignature"><br>Sent from my iPhone</div><div><br>On Jun 9, 2016, at 5:04 PM, Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca">lelio@uoguelph.ca</a>> wrote:<br><br></div><blockquote type="cite"><div><div style="font-family: Verdana; font-size: 10pt; color: #000000"><div><br></div><div>Just to follow up, we did add our top domain to the SAN, since we own it. Why not. </div><div><br></div><div>From reading the notes below, we _don't_ need the "collab-edge.domain.xxx" included.</div><div><br></div><div>We'll see how that goes.</div><div><br></div><div>Worse part is, right now, we don't have any signed certificates for our collab servers, unity or im&p, so we'll still get warnings.</div><div><br></div><div>We'll see how it goes.</div><div><br></div><div>Lelio</div><div><br></div><div><br></div><div><span name="x"></span>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst, Network Infrastructure<br>Computing and Communications Services (CCS)<br>University of Guelph<br><div><br></div>519‐824‐4120 Ext 56354<br><a href="mailto:lelio@uoguelph.ca">lelio@uoguelph.ca</a><br><a href="http://www.uoguelph.ca/ccs">www.uoguelph.ca/ccs</a><br>Room 037, Animal Science and Nutrition Building<br>Guelph, Ontario, N1G 2W1<span name="x"></span><br></div><div><br></div><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;" data-mce-style="color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><b>From: </b>"Anthony Holloway" <<a href="mailto:avholloway+cisco-voip@gmail.com">avholloway+cisco-voip@gmail.com</a>><br><b>To: </b>"Lelio Fulgenzi" <<a href="mailto:lelio@uoguelph.ca">lelio@uoguelph.ca</a>><br><b>Cc: </b>"cisco voip" <<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a>><br><b>Sent: </b>Thursday, June 9, 2016 3:27:43 PM<br><b>Subject: </b>Re: [cisco-voip] certificates and SANs - what's really needed in there?<br><div><br></div><div dir="ltr">This information might be a bit dated, but do note that Jabber will behave differently in depending on the version you have.  Therefore, what looks like it's working today, could break at the next Jabber update.<div><br></div><div>I'm sanitizing the below for privacy</div><div><br></div><div>---Begin Original Email---</div><div><br></div><div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;">Today I noticed that when I started with a fresh install of <span class="">Jabber</span> 11.1(2), but did have the Root CA cert installed on my machine, <span class="">Jabber</span> still warned about the <span class="">Expressway</span>-E server cert (<a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a>).  Have any of you seen that also?</div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;">I didn't think anything changed with our cert, so I figured it had to be <span class="">Jabber</span> that changed.  So, I uninstalled 11.1(2) and worked my way backwards through the versions until the warning went away.  Luckily, I only had to go back to 11.1(0), just two versions back.</div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;">I compared the logs from 11.1(0) with 11.1(2) and here's the difference.  I removed some of the log data for brevity.  Notice the blue lines are different, and the entire red section is new in 11.1(2).<br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><b>GOOD - <span class="">Jabber</span> 11.1(0)</b></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::http::CurlHttpUtils::curlTraceCallback] - Request #34 post connect phase: 'Connected to <a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a> (A.B.C.D) port 8443 (#0)'<br></span></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><span style="background-color:rgb(207,226,243)" data-mce-style="background-color: #cfe2f3;">[csf::cert::BaseCertVerifier::verifyCertificate] - verifyCertificate using ctx. Identity: </span><span style="background-color:rgb(234,153,153)" data-mce-style="background-color: #ea9999;">Reference identifiers: ['<a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a>'];</span><span style="background-color:rgb(207,226,243)" data-mce-style="background-color: #cfe2f3;"> Identifier to display: '<a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a>'</span><br></span></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><span style="background-color:rgb(217,234,211)" data-mce-style="background-color: #d9ead3;">[csf::cert::BaseCertVerifier::checkIdentity] - About to verify the Subject Alt Name.</span><br></span></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><div><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::cert::CertVerifier::checkIdentifier] - Verifying identity '<a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a>'</span></div><div><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::cert::AltNameParserImpl::verify] - Match for '<a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a>' found in dnsNames index: 0</span></div><div><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::cert::BaseCertVerifier::checkIdentifiers] - Verification of identity succeeded. Matched identifier : '<a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a>'</span></div></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::cert::PlatformVerificationHandler::handlePlatformVerificationResultSynchronously] - <span style="background-color:rgb(255,242,204)" data-mce-style="background-color: #fff2cc;">Verification result : SUCCESS</span> reason : [VALID]</span><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><b>BAD - <span class="">Jabber</span> 11.1(2)</b></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::http::CurlHttpUtils::curlTraceCallback] - Request #3 post connect phase: 'Connected to <a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a> (A.B.C.D) port 8443 (#0)'<br></span></div><div><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><span style="background-color:rgb(207,226,243);font-size:12.8px" data-mce-style="background-color: #cfe2f3; font-size: 12.8px;">[csf::cert::BaseCertVerifier::</span><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span style="background-color:rgb(207,226,243)" data-mce-style="background-color: #cfe2f3;">verifyCertificate] - verifyCertificate using ctx. Identity: Mandatory reference identifier: '<a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a>'; </span><span style="background-color:rgb(234,153,153)" data-mce-style="background-color: #ea9999;">Reference identifiers: ['<a href="http://company.com" target="_blank" data-mce-href="http://company.com">company.com</a>, '<a href="http://collab-edge.company.com" target="_blank" data-mce-href="http://collab-edge.company.com">collab-edge.company.com</a>'];</span><span style="background-color:rgb(207,226,243)" data-mce-style="background-color: #cfe2f3;"> Identifier to display: '<a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a>'</span></span><br></span></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><span style="background-color:rgb(217,234,211)" data-mce-style="background-color: #d9ead3;">[csf::cert::BaseCertVerifier::checkIdentity] - About to check for an Identity Match.</span><br></span></div><div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::cert::CertVerifier::checkIdentifier] - Verifying identity '<a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a>'</span></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::cert::AltNameParserImpl::verify] - Match for '<a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a>' found in dnsNames index: 0</span></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::cert::BaseCertVerifier::checkIdentifiers] - Verification of identity succeeded. Matched identifier : '<a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a>'</span></div><div><span style="background-color:rgb(244,204,204)" data-mce-style="background-color: #f4cccc;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">[csf::cert::CertVerifier::</span><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">checkIdentifier] - Verifying identity '<a href="http://company.com" target="_blank" data-mce-href="http://company.com">company.com</a>'</span></span></span></div><div><span style="background-color:rgb(244,204,204)" data-mce-style="background-color: #f4cccc;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">[csf::cert::AltNameParserImpl:</span><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">:verify] - No Match Found for '<a href="http://company.com" target="_blank" data-mce-href="http://company.com">company.com</a>'</span></span></span></div><div><span style="background-color:rgb(244,204,204)" data-mce-style="background-color: #f4cccc;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">[csf::cert::CertVerifier::</span><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">checkIdentifier] - Verifying identity '<a href="http://collab-edge.company.com" target="_blank" data-mce-href="http://collab-edge.company.com">collab-edge.company.com</a>'</span></span></span></div><div><span style="background-color:rgb(244,204,204)" data-mce-style="background-color: #f4cccc;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">[csf::cert::AltNameParserImpl:</span><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">:verify] - No Match Found for '<a href="http://collab-edge.company.com" target="_blank" data-mce-href="http://collab-edge.company.com">collab-edge.company.com</a>'</span></span></span></div><div><span style="background-color:rgb(244,204,204)" data-mce-style="background-color: #f4cccc;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">[csf.cert.] [csf::cert::BaseCertVerifier::</span><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">checkIdentifiers] - Verification of identity: '<a href="http://company.com" target="_blank" data-mce-href="http://company.com">company.com</a>' '</span><a href="http://collab-edge.company.com" target="_blank" data-mce-href="http://collab-edge.company.com">collab-edge.company.com</a><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">'  failed.</span></span></span></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span style="background-color:rgb(244,204,204)" data-mce-style="background-color: #f4cccc;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::common::PolicySet::getPolicy] - Successfully found Policy with nature IGNORE_INVALID_CERT_CONDITION [IGNORE_REVOCATION_INFO_UNAVAILABLE_ERRORS]</span></span></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span style="background-color:rgb(244,204,204)" data-mce-style="background-color: #f4cccc;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::cert::BaseCertVerifier::applyIgnoreInvalidCertConditionPolicy] - About to enforce ignore invalid cert condition policy.</span></span></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span style="background-color:rgb(244,204,204)" data-mce-style="background-color: #f4cccc;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::cert::IgnoreInvalidCertConditionPolicy::removeIgnoredStatuses] - No statuses have been removed from the verification status.</span></span></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span style="background-color:rgb(244,204,204)" data-mce-style="background-color: #f4cccc;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::cert::IgnoreInvalidCertConditionPolicy::enforce] - Policy enforced</span></span></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span style="background-color:rgb(244,204,204)" data-mce-style="background-color: #f4cccc;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::cert::CertificateDataImpl::parseSubjectCNField] - size of Subject CN field : 17</span></span></div><div><span style="background-color:rgb(244,204,204)" data-mce-style="background-color: #f4cccc;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">[csf::cert::</span><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">CertificateDataImpl::</span><span style="font-size:12.8px" data-mce-style="font-size: 12.8px;">parseSubjectCNField] - Subject CN field : <a href="http://video.company.com" target="_blank" data-mce-href="http://video.company.com">video.company.com</a></span></span></span></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">[csf::cert::PlatformVerificationHandler::handlePlatformVerificationResultSynchronously] - <span style="background-color:rgb(255,242,204)" data-mce-style="background-color: #fff2cc;">Verification result : FAILURE</span> reason : [CN_NO_MATCH]</span></div></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;">So, the problem seems obvious now.  <span class="">Jabber</span> 11.1(2) is checking for <i><b><a href="http://company.com" target="_blank" data-mce-href="http://company.com">company.com</a> and <a href="http://collab-edge.company.com" target="_blank" data-mce-href="http://collab-edge.company.com">collab-edge.company.com</a></b></i> in the cert, whereas Jabber 11.1(0) was not checking for either.</div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;">So, I wanted to know more.  I went to the MRA guides, and <span class="">Expressway</span> Admin guide, and I found this passage in the Admin guide:</div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><i>Select the DNS format and manually specify the required FQDNs. Separate the FQDNs by commas if you need multiple domains. You may select CollabEdgeDNS format instead, which simply adds the prefix collab-edge. to the domain that you enter. This format is recommended if you do not want to include your top level domain as a SAN (see example in following screenshot). </i><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;">Link: <a href="http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-5-2.pdf" target="_blank" data-mce-href="http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-5-2.pdf">http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/<span class="">expressway</span>/admin_guide/Cisco-<span class="">Expressway</span>-Administrator-Guide-X8-5-2.pdf</a> (Page 63 of 403)</div></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;">I found the following section of the <span class="">Expressway</span>-E configuration for <span class="">certificates</span>, and I modified/added the two red circled values, then generated a new CSR, followed by signing it again with our private CA.</div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><image.png><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;">It fixed the warning in <span class="">Jabber</span> 11.1(2).</div></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;"><br></div><div style="font-size:12.8px" data-mce-style="font-size: 12.8px;">---End Original Email---</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 9, 2016 at 11:15 AM, Lelio Fulgenzi <span dir="ltr"><<a href="mailto:lelio@uoguelph.ca" target="_blank" data-mce-href="mailto:lelio@uoguelph.ca">lelio@uoguelph.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" data-mce-style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;"><div><div style="font-family:Verdana;font-size:10pt;color:#000000" data-mce-style="font-family: Verdana; font-size: 10pt; color: #000000;"><div><br></div><div>Our lab expressway cluster is on it's way to be completed... only thing missing is the certificates.</div><div><br></div><div>I read up a little on the archives, but still not so clear.</div><div><br></div><div>We're going to be getting individual certs for each Exp-C and Exp-E member (a cluster of 2xC, 2xE).</div><div><br></div><div>I don't believe I need any SANs for the Exp-C. But I'm not sure if I need the cluster name in the certificate.</div><div><br></div><div><ul><li>CERT 1: CN=<a href="http://exp-c-a.acme.com" target="_blank" data-mce-href="http://exp-c-a.acme.com">exp-c-a.acme.com</a>, SAN=<a href="http://exp-c-cluster.acme.com" target="_blank" data-mce-href="http://exp-c-cluster.acme.com">exp-c-cluster.acme.com</a></li><li><span style="font-size:13.3333px" data-mce-style="font-size: 13.3333px;">CERT 2: CN=</span><a href="http://exp-c-b.acme.com" target="_blank" data-mce-href="http://exp-c-b.acme.com">exp-c-b.acme.com</a>, <span style="font-size:13.3333px" data-mce-style="font-size: 13.3333px;">SAN=<a href="http://exp-c-cluster.acme.com" target="_blank" data-mce-href="http://exp-c-cluster.acme.com">exp-c-cluster.acme.com</a></span></li></ul></div><div><br></div><div>For the Exp-E, I'd like to add the hostname for the outside interface, as well as the CNAME for the services domain, and the CNAME/ALIAS I'm using for the collab-edge resolution.</div><div><div style="font-size:13.3333px" data-mce-style="font-size: 13.3333px;"><ul><li>CERT 1: CN=<a href="http://exp-e-a.acme.com" target="_blank" data-mce-href="http://exp-e-a.acme.com">exp-e-a.acme.com</a>, SAN=<a href="http://exp-e-cluster.acme.com" target="_blank" data-mce-href="http://exp-e-cluster.acme.com">exp-e-cluster.acme.com</a>, <a href="http://exp-e-a-out.acme.com" target="_blank" data-mce-href="http://exp-e-a-out.acme.com">exp-e-a-out.acme.com</a>, <a href="http://myjabber.acme.com" target="_blank" data-mce-href="http://myjabber.acme.com">myjabber.acme.com</a>, <a href="http://proxy-a.acme.com" target="_blank" data-mce-href="http://proxy-a.acme.com">proxy-a.acme.com</a></li><li><span style="font-size:13.3333px" data-mce-style="font-size: 13.3333px;">CERT 2: CN=</span><a href="http://exp-e-b.acme.com" target="_blank" data-mce-href="http://exp-e-b.acme.com">exp-e-b.acme.com</a>, <span style="font-size:13.3333px" data-mce-style="font-size: 13.3333px;">SAN=<a href="http://exp-e-cluster.acme.com" target="_blank" data-mce-href="http://exp-e-cluster.acme.com">exp-e-cluster.acme.com</a>, <span style="font-size:13.3333px" data-mce-style="font-size: 13.3333px;"><a href="http://exp-e-b-out.acme.com" target="_blank" data-mce-href="http://exp-e-b-out.acme.com">exp-e-b-out.acme.com</a>, <span style="font-size:13.3333px" data-mce-style="font-size: 13.3333px;"><a href="http://myjabber.acme.com" target="_blank" data-mce-href="http://myjabber.acme.com">myjabber.acme.com</a>, <span style="font-size:13.3333px" data-mce-style="font-size: 13.3333px;"><a href="http://proxy-b.acme.com" target="_blank" data-mce-href="http://proxy-b.acme.com">proxy-b.acme.com</a></span></span></span></span></li></ul></div></div><div><br></div><div>In our use case, _collab-edge SRV records resolve to proxy-a and proxy-b, and those resolve to the exp-e-a-out and exp-e-b-out interfaces respectively.</div><div><br></div><div>Anything special to get off-prem hardware devices like the 88/98xx , DX and SX to work properly via MRA?</div><div><br></div><div><span></span>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst, Network Infrastructure<br>Computing and Communications Services (CCS)<br>University of Guelph<br><div><br></div><a href="tel:519%E2%80%90824%E2%80%904120%20Ext%2056354" target="_blank" data-mce-href="tel:519%E2%80%90824%E2%80%904120%20Ext%2056354">519‐824‐4120 Ext 56354</a><br><a href="mailto:lelio@uoguelph.ca" target="_blank" data-mce-href="mailto:lelio@uoguelph.ca">lelio@uoguelph.ca</a><br><a href="http://www.uoguelph.ca/ccs" target="_blank" data-mce-href="http://www.uoguelph.ca/ccs">www.uoguelph.ca/ccs</a><br>Room 037, Animal Science and Nutrition Building<br>Guelph, Ontario, N1G 2W1<span></span><br></div><div><br></div></div></div><br>_______________________________________________<br> cisco-voip mailing list<br> <a href="mailto:cisco-voip@puck.nether.net" target="_blank" data-mce-href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br> <a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank" data-mce-href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br> <br></blockquote></div><br></div></div><div><br></div></div></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>cisco-voip mailing list</span><br><span><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a></span><br><span><a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a></span><br></div></blockquote></body></html>