topic Re: Cisco Expressway – DNS/CERT Design Verification in Collaboration Applications

Cisco Expressway – DNS/CERT Design Verification

Austin Sabio — Thu, 08 Oct 2020 00:32:52 GMT

Hello,

I am looking to confirm below is a supported DNS design along with other recommendations by the cisco UC engineers/experts here.

Objectives

To utilize Expressway in standard MRA deployment (SIP) in large OVA size with no additional services.
Expressway-C resides on the INSIDE and Expressway-E resides on the DMZ with dual NIC deployment using single Firewall
CUCM Versions CUCM 11.5
Expressway version 12.5.9
Selecting the calling in Webex Teams (Unified CM)

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cloudCollaboration/wbxt/ucmcalling/unified-cm-wbx-teams-deployment-guide/unified-cm-wbx-teams-deployment-guide_chapter_01.html

CUCM Nodes

cucmpub.organization.local	10.7.1.2
cucmsub1.organization.local	10.7.1.3
cucmsub2.organization.local	10.7.1.4
impub1.organization.local	10.7.1.5
imsub1.organization.local	10.7.1.6

Unity nodes

unitypub1.organization.local	10.7.1.7
unitysub1.organization.local	10.7.1.8

DNS Design

By utilizing same single DNS domain ‘example.com’ internally and externally.

Internal

example.com | selected
example.local
organization.local | where CUCM and UC system(s) live

External

example.com | selected

INTERNAL DNS A-Records

Expressway -C

expc.example.com	cluster in round robin	10.10.10.1 10.10.10.2 10.10.10.3
expc1.example.com	node#1	10.10.10.1
expc2.example.com	node#2	10.10.10.2
expc3.example.com	node#3	10.10.10.3

Expressway –E

expe.example.com	cluster in round robin	10.10.1.11 10.10.1.12 10.10.1.13
expe1.example.com	node#1	NIC#1 10.10.1.11 NIC#2 10.10.2.11	NIC#2 is Nated on the Firewall
expe2.example.com	node#2	NIC#1 10.10.1.12 NIC#2 10.10.2.12	NIC#2 is Nated on the Firewall
expe3.example.com	node#3	NIC#1 10.10.1.13 NIC#2 10.10.2.13	NIC#2 is Nated on the Firewall

Internal DNS SRV Records

Domain	Service	Protocol	Priority	Weight	Port	Target host
example.com	cisco-uds	tcp	10	10	8443	cucmsub1.organization.local
example.com	cisco-uds	tcp	10	10	8443	cucmsub2.organization.local
example.com	cuplogin	tcp	10	10	8443	impub1.organization.local
example.com	cuplogin	tcp	10	10	8443	imsub1.organization.local

EXTERNAL DNS- A Records | round robin using Public DNS provider

Domain	IP Address	Target host
example.com	11.0.0.1	expe1.example.com
example.com	11.0.0.2	expe2.example.com
example.com	11.0.0.3	expe3.example.com

External DNS SRV Records

Domain	Service	Protocol	Priority	Weight	Port	Target host
example.com	collab-edge	tls	10	10	8443	expe1.example.com
example.com	collab-edge	tls	10	10	8443	expe2.example.com
example.com	collab-edge	tls	10	10	8443	expe3.example.com
example.com	sips	tcp	10	10	5061	expe1.example.com
example.com	sips	tcp	10	10	5061	expe2.example.com
example.com	sips	tcp	10	10	5061	expe3.example.com

According to Expressway 12.5.x documentation,

1- Please verify above design looks good

2- The recommendation is to utilize single domain ‘Example.com’ with split DNS structure. Correct?

Single Domain with Split DNS - Recommended

A single domain means that you have a common domain (example.com) with separate internal and external DNS servers. This allows DNS names to be resolved differently by clients on different networks depending on DNS configuration, and aligns with basic Jabber service discovery requirements.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_mra-expressway-deployment-guide/exwy_b_mra-expressway-deployment-guide_chapter_0100.html#reference_4A7B85A13AF724850DB878F71F4D27D0

3- No concerns as Expressway systems (C and E) do NOT share the same domain with CUCM nodes per same documentation link. Correct?

Unified CM and Expressway in Different Domains Deployment

Unified CM nodes and Expressway peers can be located in different domains. For example, your Unified CM nodes may be in the enterprise.com domain and your Expressway system may be in the edge.com domain.

In this case, Unified CM nodes must use IP addresses or FQDNs for the Server host name / IP address to ensure that Expressway can route traffic to the relevant Unified CM nodes.

Unified CM servers and IM and Presence Service servers must share the same domain.

DNS Host Name / FQDN

The first character of the DNS host name defined for the Unified CM must be a letter (do not start with a digit or special character).

4- Review Expressway certificates requirements - an example would be helpful

Certificates

Expressway –C = CSR SANs should contain?
- Unified CM phone security profile names | no need as our cluster is unsecured and not in mixed mode- so I would assume this is not required- correct?
- IM and Presence chat node aliases (federated group chat) | our IM is maintained through single domain no federation with other -sub- organization so I would assume this is not required- correct?
Expressway –E = CSR SANs should contain?
- Unified CM registrations domains | I would assume it should include *organization.local
- XMPP federation domains | | our IM is maintained through single domain no federation with other -sub- organization so I would assume this is not required- correct?
- IM and Presence chat node aliases (federated group chat) | same as above.

I appreciate your assistance in advance.

Thanks.

Re: Cisco Expressway – DNS/CERT Design Verification

Roger Kallberg — Thu, 08 Oct 2020 05:57:36 GMT

Looks good to me. One note, you don’t need to have the cuplogin SRV records. It is only used by very old versions of Jabber and is described in the service discovery process that it’s no longer necessary.

Re: Cisco Expressway – DNS/CERT Design Verification

Nithin Eluvathingal — Thu, 08 Oct 2020 10:23:51 GMT

single domain is when all your applications both internal and external are in example.com.

but you case, internal and external is different.

i use below DNS entries if internal and external domains is different.

expressway c can be on .organization.local as your UC applications. these are internal servers.

you need to have two zones in internal DNS, one for organization.local and second example.com where u create a DNS A record for expresswaye.example.com pointing to internal ip of Expressway E.

And Internal DNS SRV Records as mentioned below.

Domain	Service	Protocol	Priority	Weight	Port	Target host
organization.local	cisco-uds	tcp	10	10	8443	cucmsub1.organization.local
organization.local	cisco-uds	tcp	10	10	8443	cucmsub2.organization.local

When generating CSR for expressway E make sure that u add public domain in DNS field.

Re: Cisco Expressway – DNS/CERT Design Verification

Austin Sabio — Thu, 08 Oct 2020 13:45:53 GMT

Noted. Indeed the documentation doesn't state the 'cuplogin' is required.

Thanks for the feedback.

Re: Cisco Expressway – DNS/CERT Design Verification

Austin Sabio — Thu, 08 Oct 2020 15:14:09 GMT

Nithin- Good catch. I thought the single domain split DNS is from the enterprise level so it can support Exp-C and Exp-E using the same domain. Hence, I was proposing to use 'Example.com' additionally as noted in point#3 'Unified CM and Expressway in Different Domains Deployment' so they can be in different domains.

Here's my case:

1- Example.com is the domain associated with the users email/exchange so its a preferred path.

2- Currently, IM users are using 'Example.com' domain from the inside based on SRV records

Internal DNS SRV Records

Domain	Service	Protocol	Priority	Weight	Port	Target host
example.com	cisco-uds	tcp	10	10	8443	cucmsub1.organization.local
example.com	cisco-uds	tcp	10	10	8443	cucmsub2.organization.local
example.com	cuplogin	tcp	10	10	8443	impub1.organization.local
example.com	cuplogin	tcp	10	10	8443	imsub1.organization.local

3- Potentially, by next summer we are planning to upgrade CUCM and move them into 'Example.com' domain /same IPs.

considering this - would you see any issues with the original design and do we need to add the two domains 'Example.com' and 'organization.local' into Expressway 'configurations- domains menu' for both Exp-C and E?

Thank you!

Re: Cisco Expressway – DNS/CERT Design Verification

Austin Sabio — Thu, 08 Oct 2020 15:58:26 GMT

Roger,

could you please take a second look into the external DNS A-records? Do we need a specific one for the cluster E itself? see below table.

EXTERNAL DNS- A Records | round robin using Public DNS provider

Domain	IP Address	Target host
example.com	11.0.0.1 11.0.0.2 11.0.0.3	expe.example.com
example.com	11.0.0.1	expe1.example.com
example.com	11.0.0.2	expe2.example.com
example.com	11.0.0.3	expe3.example.com

Thanks.

Re: Cisco Expressway – DNS/CERT Design Verification

Nithin Eluvathingal — Thu, 08 Oct 2020 17:02:25 GMT

single domain:-

client email address is xyz.com.
UC applications domain is xyz.com.
expressway and E& C in xyz.com.

multi domain:-

client email xyz.com.
UC application domain is xyz.local
expressway C domain is xyz.local
expressway E domain is xyz.com

single domain is pretty easy as all your applications will be in xyz.com.

keep all servers in xyz.com
internal A record UC.xyz.com
internal SRV for UDS xyz.com
public A record Edge xyz.com
public SRV Edge xyz.com

Multi domain you need to play with DNS.

UC applications and Expressway C in xyz.local
expressway E in xyz.com
internal SRV for UDS xyz.local
internal DNS will have xyz.com subzone
xyz.com subzone contain A record expresswayE Ponting to expressway E's internal Nic IP.
public A record Edge xyz.com
public SRV Edge xyz.com

Both case user will login with email address.

Re: Cisco Expressway – DNS/CERT Design Verification

Austin Sabio — Fri, 09 Oct 2020 17:30:18 GMT

Thank you for clarifying this. I truly appreciate it. After running this with TAC - it looks like below is a supported DNS design as well.

Mixed domain
client email address is @xyz.com.
UC application domain is xyz.local
expressway C domain is xyz.com //local dns enterprise
expressway E domain is xyz.com //global dns provider

Review DNS

Single Domain with Split DNS - Recommended
Dual Domain without Split DNS
Single Domain without Split DNS

Re: Cisco Expressway – DNS/CERT Design Verification

Austin Sabio — Fri, 09 Oct 2020 17:33:00 GMT

Roger - it appears there's no requirement for MRA - cluster DNS A- record for the Exp-C cluster or Exp-E cluster. This is only needed for other Expressway deployments. Thanks anyway!