Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about planning, designing, and implementing mobile remote access (Cisco Collaboration Edge Architecture) with Cisco subject matter experts Aashish Jolly and Abhijit Anand.
Cisco Collaboration Edge Architecture is an architecture that provides VPN-less access of Cisco Unified Communications resources to Cisco Jabber® users. This discussion is dedicated to addressing questions about design best practices while implementing mobile remote access.
For more information, refer to the Unified Communications Mobile and Remote Access via Cisco VCS deployment guide.
Aashish Jolly is a network consulting engineer who is currently serving as the Cisco Unified Communications consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center (TAC), where he helped Cisco partners with installation, configuring, and troubleshooting Cisco Unified Communications products such as Cisco Unified Communications Manager and Manager Express, Cisco Unity® solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco Unified Communications for more than seven years. He holds a bachelor of technology degree as well as Cisco CCIE® Voice (#18500), CCNP® Voice, and CCNA® certifications and VMware VCP5 and Red Hat RHCE certifications.
Abhijit Singh Anand is a network consulting engineer with the Cisco Advanced Services field delivery team in New Delhi. His current role involves designing, implementing, and optimizing large-scale collaboration solutions for enterprise and defense customers. He has also been an engineer at the Cisco TAC. Having worked on multiple technologies including wireless and LAN switching, he has been associated with Cisco Unified Communications technologies since 2006. He holds a master’s degree in computer applications and multiple certifications, including CCIE Voice (#19590), RHCE, and CWSP and CWNP.
Remember to use the rating system to let Aashish and Abhijit know if you have received an adequate response.
Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation on the Cisco Support Community Collaboration, Voice and Video page, in the Jabber Clients subcommunity, shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
I have a Cisco SF102-24 switch I just installed in my office. I have network access but no internet. ISP provider is Time Warner Cable. I can access the internet via a direct cable to PC connection but there is no internet when going through the switch. There was only a small pamplet in the box and no other connection setup documentation. Is there a place I can get a diagram of how to connect between the router and switch that may be causing the problem?
Please post your question in the "Discussion" tab through link below and your question will surely be answered.
I'm using Global Catalogue for user search within the enterprise and I use a custom jabber-config.xml. When the user logs into Jabber over the internet, they can't search some contacts? why?
Mobile & Remote Access feature only supports Cisco UDS for contact search, any custom config in jabber-config.xml is ignored when Jabber registers over the internet using MRA. So if you're using the GC, I would suggest using GC to sync users within CUCM, this way all users would be populated within CUCM and then Jabber when connected via internet, should be able to search all users.
I have a question on DNS with internal and external domains on a collaboration edge deployment I am working on. The customer has IM & P setup on Call Manager 10 internally with a domain such as example.local which obviously has no public DNS records. The services for IM & P are added to the local DNS for the example.local domain. They have an external domain such as example.com so is it possible for them to use firstname.lastname@example.org when they login locally and email@example.com when they are outside the system to login or what would be best to do in this circumstance when adding collaboration edge?
This is a corner case, where the users' login changes. Typically the user experience should remain the same, irrespective of where they login i.e. inside or outside. In your specific scenario, users will have to login using firstname.lastname@example.org even when they are outside. I don't think there's a tweak that can enable users to use a separate domain when trying to login from the outside. I'm checking internall if anyone has come across such a setup.
1. If users login as email@example.com inside the enterprise, are they only using Jabber for internal IM & Presence i.e. no federation ?
Internally they have only used it inside with no federation. I am checking with customer on their DNS setup and whether they have an internal DNS server for example.com so we could change the CUPS to use the public domain.
Most likely you may have to populate voiceservicesdomain as example.com in jabber-config.xml. Once it gets the config from the Exp-E, the users will have to login as firstname.lastname@example.org. By default, Jabber will strip the domain and ask for password. I've not personally tested this scenario, however I would suggest testing this in the lab, prior to roll out. And it will make more sense to use example.com as the presence domain as this will place the customer in a better position to use Inter Domain Federation in the future.
Yes, there are some requirements for certificates in Expressway.
Expressway Core (Exp-C)
- Can be signed by either External or Internal CA
- Better to use a cluster name even if you start with 1 peer in Exp-C cluster. In the future, if more peers are added, changes would be minimal.
- Better to use FQDN of cluster as CN of certificate, this way the traversal zone configuration on Expressway-E won't require any change even if new peers are added to Exp-C cluster.
- If CUCM is mixed mode, include security profile names (in FQDN format) as Subject Alternate Names
- The Chat Node Aliases that are configured on the IM and Presence servers. They will be required only for Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note that Unified Communications XMPP federation will be supported in a future Expressway release). The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
- For TLS b/w CUCM, IM-P & Exp-C
+ If using self-signed certificates on CUCM, IM/P. Load Cisco Tomcat, cup, cup-xmpp certificates from IM-P on Exp-C. Load callmanager, Cisco Tomcat certificates from CUCM on Exp-C.
+ If using Internal CA signed certificates on CUCM, IM/P. Load Root CA certificates on Exp-C.
+ Load CA certificate under tomcat-trust, cup-trust, cup-xmpp-trust on IM-P.
+ Load CA certificate under tomcat-trust, callmanager-trust on CUCM.
Expressway Edge (Exp-E)
- Signed by External CA
- Configured Unified Communications domain as Subject Alternate Name
- If using a cluster, select FQDN of this peer as CN and FQDN of Cluster + this peer as Subject Alternate Name.
- If XMPP federation is being deployed, enter the same Chat Node Aliases as entered in Exp-C.
For more details, please refer to the Certificate Creation Guide for Cisco Expressway x8.1.1
We have collaboration edge setup such that we can login to IM/P server using the latest iOS and Android Jabber clients outside of our corporate network without VPN.
We are however also using another XMPP client (on iOS), which doesn't work when we are outside the corporate network because the IM/P server host address isn't public. Is there anyway we can get this client to work (we have access to the source and could modify it).
I won't be able to help in this regard. This discussion is specific to Cisco endpoints with Collaboration Edge. I've not seen a document that mentions support of 3rd party endpoints with Collaboration Edge.