topic Yes, I have it running all in in Unified Communications Infrastructure

Jabber MRA without Firewall

karen.johnson5801 — Tue, 19 Mar 2019 19:25:40 GMT

Hi experts,

for lab purpose, can we run Jabber MRA without firewall ? I have 1 BE6K that I plan to use for lab (UCM , IMP, Exp-C and Exp-E).

if possible, can share some steps and notes here?

thanks,

Yes, I have it running all in

Jaime Valencia — Sat, 13 May 2017 18:47:37 GMT

Yes, I have it running all in the same subnet, with just one NIC while I get a second subnet for my lab.

Basic steps are all the same, you just don't need to worry to poke holes for network traffic as you would in a real network.

My MRA devices are in a secondary DNS domain which only resolves the _collab-edge SRV and that way are re-directed to my EXP-E IP for registration.

If you do have two networks, what you won't need to do, is to configure NAT in the "external" network but point directly to that IP, and I'd place the DNS and test machines in that network as well (that's what I'm planning to do in my lab). Or just point devices to that special DNS which would only resolve _collab-edge, or use split-horizon DNS.

Thanks Jamie,

karen.johnson5801 — Tue, 16 May 2017 22:04:26 GMT

Thanks Jamie,

I am trying to understand here. So if I choose all in one subnet for Exp-C and Exp-E and UCM.

Do you mind writing down detailed steps here ?

Sorry I am bit confuse on this statement "My MRA devices are in a secondary DNS domain which only resolves the _collab-edge SRV and that way are re-directed to my EXP-E IP for registration "

Thanks,

Hi Karen,

Alok Jaiswal — Wed, 17 May 2017 09:00:40 GMT

Hi Karen,

Yes, that's correct, you can choose everything in same subnet.

But if you plan to use Exp-E with a dual NIC then make sure that both the NIC's get IP from a different subnet. So for e.g.

Nic 1- 172.17.17.210

Nic 2- 172.17.18 210

Please note that to enable dual nic you need advanced network key. So if you don't have that, for the lab purpose you can just go ahead with the single NIC on Expressway-E.

You need to build two DNS servers for simulating internal & external login scenarios.

When you login internally, on the Jabber for PC configure the DNS as (internal server) and login, it should be able to resolve the _cisco-uds srv record query pointing to the CUCM.

When you login externally configure the DNS as (external server) and login, it should fail to resolve _cisco-uds and then falls back to _collab-edge srv record.

Regards,

Alok

hi Alok,

karen.johnson5801 — Thu, 18 May 2017 20:51:24 GMT

hi Alok,

Assuming if I just use all internal for Exp-E , I have internal DNS.

For external DNS I have few questions :

- Do I need to install new AD with different domain for external DNS ?

- what is different in setting and install for this external DNS?

- This external DNS just in same subnet with internal DNS ?

tks,

Hi Karen,

Alok Jaiswal — Thu, 18 May 2017 23:41:22 GMT

Hi Karen,

For external DNS you can have it on same subnet no issues, the only thing you need to do is when you simulate the MRA Environment (login via expressway), you manually change the DNS on the PC to point to external DNS or you can have two separate PC instances running one pointing to internal DNS and the other to external DNS.

For external DNS no need to enable AD, just enable the DNS services and create your forward lookup zone and SRV records for your external domain simulation.

You can use the certificates on Exp-C & E generated via internal CA.

Regards,

Alok

Thanks Alok,

karen.johnson5801 — Thu, 18 May 2017 23:44:33 GMT

Thanks Alok,

One more question : Possible to combine internal AD and external AD on same server?

Best,

No, i don't think so, its

Alok Jaiswal — Fri, 19 May 2017 00:05:11 GMT

No, i don't think so, its possible in this scenario.

Jabber always runs the _cisco-uds query first to find the servers, if it doesn't finds it then only it goes to _collab-edge.

If you use same DNS server, then jabber always be able to find the _cisco-uds record and will never fall to _collab-edge. It can be done if you have for e.g. an ASA in your environment. In that case you can use the capability of ASA to do SRV filtering and then ASA will drop _cisco-uds record query which will allow Jabber to fall back to _collab-edge.

Look at the document below.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_CollabEdge.html

Not sure if anyone else has any other ideas for this.

Regards,

Alok

Thanks Alok and also great

karen.johnson5801 — Fri, 19 May 2017 16:40:00 GMT

Thanks Alok and also great doc.