topic Re: MRA with multi external domain in Collaboration Applications

MRA with multi external domain

h.hajamor — Mon, 18 Mar 2019 02:30:09 GMT

hi,

I am deploying a cisco MRA solution using EXPC and EXPE.

In my case, I have one internal domain (domain0.local) and multiple external domain that have different SRV records pointing to the same public address of my EXPE.

_collab-edge._tls.domain1.com --> expe.domain1.com (EPXE pulbic@)

_collab-edge._tls.domain2.com --> expe.domain2.com (EPXE pulbic@)

_collab-edge._tls.domain3.com --> expe.domain3.com (EPXE pulbic@)

during the configuration, I tried one domain, it work fine.

when i add the second, both of them have different issues:

-HTTP allow list

-cant determine home UCM

-....

BTY, I have upgrade both EXP to 8.10.4.

Is there a solution or a specific guide that coud help to resolve my problem

Re: MRA with multi external domain

Slavik Bialik — Fri, 27 Apr 2018 11:39:02 GMT

Hi, I'm having a feeling that it has something to do with the:

<VoiceServicesDomain>domain1</VoiceServicesDomain>

That is located in your jabber-config.xml file.

Just out of curiosity, try to change the value of the first external domain that you put in the above XML tag, to the second domain that you're currently not being able to login with. And then try to make a login with this second domain. If it works, so I'm not sure how to solve it, because you can enter only one external domain in the VoiceServicesDomain tag. I think a possible solution for that is applying a Transformation rule on the Expressway server that'll replace all the domains to the first domain (the main one, that currently is working).

If it's still not working, review the configurations, maybe you didn't add those SIP domains in the Expressway-C server, you have under configurations a settings page named "Domains" you must enter them all there.

Plus, you need to enter all the relevant domains in the IM&P server under Domains also.

Re: MRA with multi external domain

h.hajamor — Fri, 27 Apr 2018 16:45:51 GMT

dear Slavik,
about <VoiceServicesDomain>, I am sure that tha jabber-config.xml dosn't support multidomain,
I am trying to go through with the transformation method
but i think that the transformation is needed only for SIP routing and not jabber AUTH for MRA.
best regards

Re: MRA with multi external domain

Slavik Bialik — Fri, 27 Apr 2018 18:00:02 GMT

Yeah, I think you are right about the transformation. It won't affect the authentication.

Anyway, how are the users from domain2 are trying to make their login? They're using "username@domain2" or "username@domain1" ?

If each one of them is using a different domain, I think that the solution is using the Directory URI field for all of users. Is this field currently contains some information or is it blank for all of the users?

If it's blank, you can change the LDAP Directory configuration for this field to sync from the "mail" attribute from Active Directory, and then it'll contain "username@domain2" or "mailuser@domain2", depending on if the username is different from the email address of the person.

Because then, the IM&P server will try to locate users that has this Directory URI based on user's input when he's trying to login, and currently there's no match probably therefore authentication fails. (But of course, do not forget to add the domains as I said in my previous comment in the Expressway-C and IM&P servers)

Re: MRA with multi external domain

Ayodeji Okanlawon — Tue, 01 May 2018 09:21:41 GMT

For this to work, you have to make some serious changes and here are the reasons why

1. Your IM and P server if using the default presence domain structure must match the domain in your JID. Eg If your users sign in using adam@domain1.com, then your IM and P server presence domain has to be domain1.com.

Now if you have multiple users on different external domain, then you will have issues. If you have another user on adam@domain2.com, your login will fail, because domain2.com is not configured on your IM and P server, hence it is not responsible to process requests for that domain.

There is only one possible solution for this and that is to use flexible JID on your IM and Presence server. Now this comes with a caveat, your users "mail or msRTCSIP-primaryuseraddress" address must be mapped to the directory uri and this directory uri is what they must use to login to jabber.

For example, when you change IM and P to use directory uri, then your users "mail or msRTCSIP-primaryuseraddress" attributes in AD must match as follows

1. users on domain1: adam@domain1.com

2. users on domain2: adam@domain2.com

3. users on domain 3: adam@domain3.com

Now once this is taken care, IM and P will allow users to login using any of the matched directory URI..But you still need to sort out expressway.

To allow expressway-e to accept the login request, you will need to then tell jabber to use the domain on the expressway-e for its service discovery. Lets assume your expressway-e is on domain1 and your cucm and IP and P servers are on internal domain. You will need to do the following:

jabber: SERVICES_DOMAIN=domain1.com ( note you dont need voice_services_domain: this is only required if you are using hybrid services). Y our discovery domain is actually your services_domain

So when Jabber runs its query for collab-edge, it will look for _collab-edge._tls.domain1.com> resolve to expwe eg expwe01.domain1.com

Now internally, expressway-C will query UDS records for domain1.com, so you need to then create a forward lookup rulezone on DNS to point all the request for domain1.com to your internal domain where your CUCM and IM and P lives

Re: MRA with multi external domain

Risat — Sun, 16 Aug 2020 09:03:39 GMT

Hi Ayodeji,

Thanks for the detailed description (+5),do you think by this method, the same user can use different domains to login, for eg: a user name john, can he login with john@domain1.com, john@domain2.com and john@domain3.com, there is only one directory-URI for one user-id right ?

Re: MRA with multi external domain

Ayodeji Okanlawon — Sun, 16 Aug 2020 09:22:52 GMT

No you can't have multiple user IDs for one user. So this won't be possible.

Re: MRA with multi external domain

Sebastien Denoncin — Sat, 15 May 2021 08:25:33 GMT

Hello,

I am in the same situation as Hajmor.

On IM and P, I use the directory URI for my users. In the team, we manage several branches from different countries in our company.

The goal is to put a Jabber over MRA on the mobiles.

I think I did as Ayodeji says.

I created an internal DNS zone called MRA.domain1.com (with the srv UDS and cup)
On the public DNS, I did the same thing and configured the Collabedge SRV on my domain MRA.domain1.com
My eu expressways are configured with my domain.local --> expe1.domain.local. Is this a problem?

The Jabbers on mobile will be configured and pushed via airwatch. The domain service will therefore be mra.domain1.com.

So I think I match what Ayodeji mentioned.

But my question is, how will the users authenticate on my jabber. Because internally we use a global domain for all branches. And the local jabber you just need to put your userid to log in because the service domains are pushed through the jabber bootstrap.

Thanks for your help.