Cannot access to phone services, additionally causing restart Call Manager service

Hi,

We have issues with using secure security profiles on Jabber clients. We have UC infrastructure with CUCMs (10.5.2.10000-5), CUCM IM&P (10.5.2.10000-9) and Expressway-C/E (X8.5), ... . In our corporate network (LAN or WiFi), all services work normally as expected when we use secure security profiles on Jabber clients. But for Jabber clients (Windows, Android, ...), accessing phone services via the internet (using Expressway) is possible only if the Jabber clients have a non-secure profile. To make it worse, when Jabber clients with a secure security profile try to connect to phone services, the Cisco CallManager service on the primary CUCM restarts.

The CUCM cluster is in mixed mode, all servers use FQDNs instead of IP addresses, all necessary certificates (tomcat and CallManager on CUCMs, tomcat and cup-xmpp on IM&P, Expressway-C, Expressway-E) are issued by internal CAs, etc. The secure security profiles on the particular Jabber clients have names that we use when generating the certificate request on Expressway-C, in the field "Unified CM phone security profile names".

Obviously, a temporary workaround is to use non-secure security profiles, but ideally we want to use secure security profiles.

Please help with comments, suggestions, solutions or similar. :)

Regards,

Zlatko

9 Replies

Hi Zlatko,

Have you managed this issue?

Ruslan,

Yes, these issues were solved. The key problem was with the certificates on the UC servers, which were issued with server authentication only. Certificates should be issued by the CA with an appropriate template including server authentication, client authentication and IP security end system.

Thank you for the answer.

Yeah, it's a common problem with all those certificates for MRA.

In my case I couldn't get it to work earlier because my cluster was in non-mixed mode. However, I still can't get phone services working on Jabber for iPhone, but JfW and Jabber for Android are OK.

I am having trouble with my secure SIP profiles. Without TLS, phone services register OK; using a secure TLS phone profile, the phone service doesn't register.

I am using an internal CA server for the certificates. Are you using a separate template for each authentication type (server/client/IPSec), or have you made a template that includes all three (server/client/IPSec)?

Hi,

I created a certificate template in Windows Server CA as mentioned in this document: http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf, in "Appendix 5: Configuring Windows Server Manager with a "client and server" certificate template", and after that signed my CSR from Expressway.

And as I remember correctly, IPsec authentication is included by default, but I may be wrong. Try to sign your certificate and check it afterwards.
Don't forget to include subject alternative names for the security profiles:

This screenshot is from the certificate requirements for Expressway-C; it's from the guide mentioned above. You can find there the certificate requirements for both Expressway-C and Expressway-E.
Is your UCM cluster in Mixed Security Mode?

Those are the steps I am following; my UCM is in mixed security mode. What format are your phone security profile names using? The guide mentions that they need an FQDN format. I have created mine as:

iPhone = "CDMIphone.lab-cucm01.lab.local"

Android = "cdmAndroid.lab-cucm01.lab.local"

should these have an external address instead?

I have configured them with the following:

Device Security Mode: Encrypted

Authentication Mode: By Authentication String

Key Size: 1024

SIP Phone Port: 5061

I have a SIP trunk to the Expressway-C for outbound calls using SIP port 5065. Should these security profiles be using the same SIP port?

Do your phone security profiles' FQDNs refer to your UC deployment FQDNs?
I assume you will find the next two links useful:
https://supportforums.cisco.com/discussion/12221716/creating-csr-using-expressway
http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/118696-config-cucm-00.html

No, those security profiles can use the usual secure SIP port, 5061.
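As an added example (not from this thread and not Cisco tooling), a small Python checker for the two points the replies settle on: it reads the output of `openssl x509 -noout -text` for the Expressway-C certificate and reports which of the three required EKUs and which phone security profile names (as DNS SANs) are missing. The two dumps below are constructed, and the EKU strings are assumed to be the long names OpenSSL prints.

```python
import re

# Extended Key Usage names as `openssl x509 -noout -text` prints them
# (assumption: OpenSSL long names; OIDs are given for cross-checking).
REQUIRED_EKU = {
    "TLS Web Server Authentication",  # serverAuth     1.3.6.1.5.5.7.3.1
    "TLS Web Client Authentication",  # clientAuth     1.3.6.1.5.5.7.3.2
    "IPSec End System",               # ipsecEndSystem 1.3.6.1.5.5.7.3.5
}


def extension_values(cert_text, header):
    """Return the comma-separated values printed under one X509v3 extension header."""
    m = re.search(r"X509v3 " + re.escape(header) + r":[^\n]*\n[ \t]*([^\n]+)", cert_text)
    return [v.strip() for v in m.group(1).split(",")] if m else []


def check_mra_cert(cert_text, profile_names):
    """Report which required EKUs and which phone security profile SANs are missing."""
    ekus = set(extension_values(cert_text, "Extended Key Usage"))
    sans = {v[4:].lower() for v in extension_values(cert_text, "Subject Alternative Name")
            if v.startswith("DNS:")}  # DNS names compare case-insensitively
    return {
        "missing_eku": sorted(REQUIRED_EKU - ekus),
        "missing_san": sorted(n for n in profile_names if n.lower() not in sans),
    }


# Constructed sample dumps, trimmed to the two extensions that matter.
SERVER_AUTH_ONLY = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:expc.lab.local
"""

FULL_TEMPLATE = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
            X509v3 Subject Alternative Name:
                DNS:expc.lab.local, DNS:CDMIphone.lab-cucm01.lab.local, DNS:cdmAndroid.lab-cucm01.lab.local
"""

# The phone security profile names used earlier in the thread.
PROFILES = ["CDMIphone.lab-cucm01.lab.local", "cdmAndroid.lab-cucm01.lab.local"]

if __name__ == "__main__":
    for label, dump in (("server-auth only", SERVER_AUTH_ONLY), ("full template", FULL_TEMPLATE)):
        print(label, check_mra_cert(dump, PROFILES))
```

Run it against a real dump with `openssl x509 -in expc.pem -noout -text` piped into `check_mra_cert`; an empty result for both keys means the template and SANs match what the guide asks for.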