Cisco Expressway – DNS/CERT Design Verification

Austin Sabio
Level 4

Hello,

I am looking to confirm that the design below is a supported DNS design, along with other recommendations from the Cisco UC engineers/experts here.

Objectives

  • To utilize Expressway in a standard MRA deployment (SIP), large OVA size, with no additional services.
  • Expressway-C resides on the INSIDE and Expressway-E resides in the DMZ, dual-NIC deployment using a single firewall.
  • CUCM version 11.5
  • Expressway version 12.5.9
  • Selecting Calling in Webex Teams (Unified CM)

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cloudCollaboration/wbxt/ucmcalling/unified-cm-wbx-teams-deployment-guide/unified-cm-wbx-teams-deployment-guide_chapter_01.html

CUCM Nodes

  • cucmpub.organization.local   | 10.7.1.2
  • cucmsub1.organization.local  | 10.7.1.3
  • cucmsub2.organization.local  | 10.7.1.4
  • impub1.organization.local    | 10.7.1.5
  • imsub1.organization.local    | 10.7.1.6

Unity nodes

  • unitypub1.organization.local | 10.7.1.7
  • unitysub1.organization.local | 10.7.1.8

DNS Design

By utilizing the same single DNS domain 'example.com' internally and externally.

Internal

  • example.com        | selected
  • example.local
  • organization.local | where CUCM and UC system(s) live

External

  • example.com                    | selected

INTERNAL DNS A-Records

Expressway-C

  • expc.example.com  | cluster in round robin | 10.10.10.1 10.10.10.2 10.10.10.3
  • expc1.example.com | node#1                 | 10.10.10.1
  • expc2.example.com | node#2                 | 10.10.10.2
  • expc3.example.com | node#3                 | 10.10.10.3

Expressway-E

  • expe.example.com  | cluster in round robin | 10.10.1.11 10.10.1.12 10.10.1.13
  • expe1.example.com | node#1 | NIC#1 10.10.1.11 | NIC#2 10.10.2.11 (NIC#2 is NATed on the firewall)
  • expe2.example.com | node#2 | NIC#1 10.10.1.12 | NIC#2 10.10.2.12 (NIC#2 is NATed on the firewall)
  • expe3.example.com | node#3 | NIC#1 10.10.1.13 | NIC#2 10.10.2.13 (NIC#2 is NATed on the firewall)

Internal DNS SRV Records

Domain      | Service   | Protocol | Priority | Weight | Port | Target host
example.com | cisco-uds | tcp      | 10       | 10     | 8443 | cucmsub1.organization.local
example.com | cisco-uds | tcp      | 10       | 10     | 8443 | cucmsub2.organization.local
example.com | cuplogin  | tcp      | 10       | 10     | 8443 | impub1.organization.local
example.com | cuplogin  | tcp      | 10       | 10     | 8443 | imsub1.organization.local

EXTERNAL DNS A-Records | round robin using public DNS provider

Domain      | IP Address | Target host
example.com | 11.0.0.1   | expe1.example.com
example.com | 11.0.0.2   | expe2.example.com
example.com | 11.0.0.3   | expe3.example.com

External DNS SRV Records

Domain      | Service     | Protocol | Priority | Weight | Port | Target host
example.com | collab-edge | tls      | 10       | 10     | 8443 | expe1.example.com
example.com | collab-edge | tls      | 10       | 10     | 8443 | expe2.example.com
example.com | collab-edge | tls      | 10       | 10     | 8443 | expe3.example.com
example.com | sips        | tcp      | 10       | 10     | 5061 | expe1.example.com
example.com | sips        | tcp      | 10       | 10     | 5061 | expe2.example.com
example.com | sips        | tcp      | 10       | 10     | 5061 | expe3.example.com

According to the Expressway 12.5.x documentation:

1- Please verify that the above design looks good.

2- The recommendation is to utilize a single domain 'Example.com' with a split DNS structure. Correct?

Single Domain with Split DNS - Recommended

A single domain means that you have a common domain (example.com) with separate internal and external DNS servers. This allows DNS names to be resolved differently by clients on different networks depending on DNS configuration, and aligns with basic Jabber service discovery requirements.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_mra-expressway-deployment-guide/exwy_b_mra-expressway-deployment-guide_chapter_0100.html#reference_4A7B85A13AF724850DB878F71F4D27D0

3- No concerns, as the Expressway systems (C and E) do NOT share the same domain with the CUCM nodes, per the same documentation link. Correct?

Unified CM and Expressway in Different Domains Deployment

Unified CM nodes and Expressway peers can be located in different domains. For example, your Unified CM nodes may be in the enterprise.com domain and your Expressway system may be in the edge.com domain.

In this case, Unified CM nodes must use IP addresses or FQDNs for the Server host name / IP address to ensure that Expressway can route traffic to the relevant Unified CM nodes.

Unified CM servers and IM and Presence Service servers must share the same domain.

DNS Host Name / FQDN

The first character of the DNS host name defined for the Unified CM must be a letter (do not start with a digit or special character).

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_mra-expressway-deployment-guide/exwy_b_mra-expressway-deployment-guide_chapter_0101.html#concept_3531D38AC83226D6C969C01E3CB8237

4- Review Expressway certificate requirements; an example would be helpful.

Certificates

  • Expressway-C = CSR SANs should contain?
    • Unified CM phone security profile names | no need, as our cluster is unsecured and not in mixed mode, so I would assume this is not required. Correct?
    • IM and Presence chat node aliases (federated group chat) | our IM is maintained through a single domain with no federation with other sub-organizations, so I would assume this is not required. Correct?
  • Expressway-E = CSR SANs should contain?
    • Unified CM registration domains | I would assume it should include *organization.local
    • XMPP federation domains | our IM is maintained through a single domain with no federation with other sub-organizations, so I would assume this is not required. Correct?
    • IM and Presence chat node aliases (federated group chat) | same as above.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_mra-expressway-deployment-guide/exwy_b_mra-expressway-deployment-guide_chapter_0101.html#reference_FE1E533834C1742CE8C77EAB51262634

I appreciate your assistance in advance.

Thanks.
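One way to sanity-check a plan like this before touching any zone, as an added example that is not part of the original post and not Cisco's tooling: the script below models the two DNS views from the tables above as plain Python data and checks that every SRV target has an A record in the same view, that each service advertises the expected transport and port, that the public view carries neither RFC 1918 addresses nor the internal-only _cisco-uds/_cuplogin discovery records (a Jabber client that can resolve those treats itself as inside and never tries _collab-edge), and that names present in both views resolve differently. All hostnames and addresses are the thread's placeholders; the expected port/transport table is an assumption derived from the records in the plan.

```python
"""Added example, not code from the thread or from Cisco: offline sanity check
of the split-DNS plan posted above. Record sets are constructed from the plan;
example.com, organization.local and the 10.x / 11.x addresses are the thread's
placeholders, not real infrastructure."""
import ipaddress

# Internal view (what clients on the LAN resolve). Expressway-E names resolve
# to the NIC#1 addresses here; NIC#2 is NATed and only seen from outside.
INTERNAL_A = {
    "expc.example.com": ["10.10.10.1", "10.10.10.2", "10.10.10.3"],
    "expc1.example.com": ["10.10.10.1"],
    "expc2.example.com": ["10.10.10.2"],
    "expc3.example.com": ["10.10.10.3"],
    "expe.example.com": ["10.10.1.11", "10.10.1.12", "10.10.1.13"],
    "expe1.example.com": ["10.10.1.11"],
    "expe2.example.com": ["10.10.1.12"],
    "expe3.example.com": ["10.10.1.13"],
    "cucmsub1.organization.local": ["10.7.1.3"],
    "cucmsub2.organization.local": ["10.7.1.4"],
    "impub1.organization.local": ["10.7.1.5"],
    "imsub1.organization.local": ["10.7.1.6"],
}
# SRV records keyed by (service, protocol, domain); values are
# (priority, weight, port, target) tuples as in the plan's tables.
INTERNAL_SRV = {
    ("_cisco-uds", "_tcp", "example.com"): [
        (10, 10, 8443, "cucmsub1.organization.local"),
        (10, 10, 8443, "cucmsub2.organization.local")],
    ("_cuplogin", "_tcp", "example.com"): [
        (10, 10, 8443, "impub1.organization.local"),
        (10, 10, 8443, "imsub1.organization.local")],
}
# External view (public DNS provider): only the NATed Expressway-E addresses.
EXTERNAL_A = {
    "expe1.example.com": ["11.0.0.1"],
    "expe2.example.com": ["11.0.0.2"],
    "expe3.example.com": ["11.0.0.3"],
}
EXTERNAL_SRV = {
    ("_collab-edge", "_tls", "example.com"): [
        (10, 10, 8443, f"expe{n}.example.com") for n in (1, 2, 3)],
    ("_sips", "_tcp", "example.com"): [
        (10, 10, 5061, f"expe{n}.example.com") for n in (1, 2, 3)],
}

# Transport and port each service record is expected to advertise (assumption
# for this example, taken from the plan's own tables).
EXPECTED = {"_cisco-uds": ("_tcp", 8443), "_cuplogin": ("_tcp", 8443),
            "_collab-edge": ("_tls", 8443), "_sips": ("_tcp", 5061)}
# A client that can resolve these decides it is on the inside and skips
# collab-edge, so they must never be published in the external view.
INTERNAL_ONLY = {"_cisco-uds", "_cuplogin"}


def check_view(a_records, srv_records, public):
    """Return findings for one DNS view; public=True applies the external rules."""
    findings = []
    for (service, proto, domain), rrs in srv_records.items():
        name = f"{service}.{proto}.{domain}"
        if public and service in INTERNAL_ONLY:
            findings.append(f"{name}: internal discovery record exposed in public DNS")
        exp_proto, exp_port = EXPECTED.get(service, (proto, None))
        if proto != exp_proto:
            findings.append(f"{name}: transport should be {exp_proto}")
        for _prio, _weight, port, target in rrs:
            if exp_port is not None and port != exp_port:
                findings.append(f"{name}: port {port} for {target}, expected {exp_port}")
            if target not in a_records:
                findings.append(f"{name}: target {target} has no A record in this view")
    for host, addrs in a_records.items():
        for addr in addrs:
            if public and ipaddress.ip_address(addr).is_private:
                findings.append(f"{host}: private address {addr} exposed in public DNS")
    return findings


def check_split_horizon(internal_a, external_a):
    """Names published in both views must not share addresses: outside sees the
    NATed public address, inside sees the real NIC."""
    return [f"{host}: same address inside and outside"
            for host in sorted(set(internal_a) & set(external_a))
            if set(internal_a[host]) & set(external_a[host])]


def check_plan(internal_a=INTERNAL_A, internal_srv=INTERNAL_SRV,
               external_a=EXTERNAL_A, external_srv=EXTERNAL_SRV):
    """Run every check over both views and return the combined findings."""
    return (check_view(internal_a, internal_srv, public=False)
            + check_view(external_a, external_srv, public=True)
            + check_split_horizon(internal_a, external_a))


if __name__ == "__main__":
    for line in check_plan() or ["plan passes all checks"]:
        print(line)
```

Run as-is it reports nothing for the plan above; feeding it a zone export where an Expressway-E name carries its 10.x address in the public view, or where _cisco-uds has leaked into the public zone, produces one finding per offending record, which is exactly the kind of mistake a split-horizon cut-over tends to introduce.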


8 Replies

Looks good to me. One note: you don't need to have the cuplogin SRV records. They are only used by very old versions of Jabber, and the service discovery process description says they are no longer necessary.





Noted. Indeed, the documentation doesn't state that 'cuplogin' is required.

Thanks for the feedback.

Roger,

Could you please take a second look at the external DNS A records? Do we need a specific one for the Expressway-E cluster itself? See the table below.

EXTERNAL DNS A-Records | round robin using public DNS provider

Domain      | IP Address                 | Target host
example.com | 11.0.0.1 11.0.0.2 11.0.0.3 | expe.example.com
example.com | 11.0.0.1                   | expe1.example.com
example.com | 11.0.0.2                   | expe2.example.com
example.com | 11.0.0.3                   | expe3.example.com

Thanks.

Roger, it appears there is no MRA requirement for a cluster DNS A record for the Exp-C cluster or the Exp-E cluster. This is only needed for other Expressway deployments. Thanks anyway!

Single domain is when all your applications, both internal and external, are in example.com.

But in your case, internal and external are different.

I use the DNS entries below if the internal and external domains are different.

Expressway C can be in .organization.local like your UC applications; these are internal servers.

You need to have two zones in internal DNS, one for organization.local and a second for example.com, where you create a DNS A record for expresswaye.example.com pointing to the internal IP of Expressway E.

And internal DNS SRV records as below.

Domain             | Service   | Protocol | Priority | Weight | Port | Target host
organization.local | cisco-uds | tcp      | 10       | 10     | 8443 | cucmsub1.organization.local
organization.local | cisco-uds | tcp      | 10       | 10     | 8443 | cucmsub2.organization.local

When generating the CSR for Expressway E, make sure that you add the public domain in the DNS field.
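The CSR point in the reply above is easy to verify before the request goes to the CA. As an added example that is neither the thread's nor Cisco's code, the script below builds a throwaway CSR shaped like an Expressway-E request with the openssl CLI (assumed to be on PATH; Expressway itself generates its CSR from its own web interface) and then parses the Subject Alternative Name list back out of the request to report which expected names are missing. The SAN set used here (node FQDN, cluster FQDN, public domain) is an assumption for the example, not a statement of Cisco's full requirement list, and the hostnames are the thread's example.com placeholders.

```python
"""Added example, not the thread's or Cisco's code: generate a CSR shaped like
the Expressway-E one discussed in the thread and confirm the public domain is
present in its Subject Alternative Name list. Shells out to the openssl CLI
(assumed on PATH); hostnames are the thread's example.com placeholders."""
import re
import subprocess
import tempfile
from pathlib import Path

# SAN set assumed for the example: node FQDN, cluster FQDN, public domain.
EXPE_SANS = ["expe1.example.com", "expe.example.com", "example.com"]

# Minimal openssl request config; {cn} and {alt} are filled in per request.
OPENSSL_CNF = """[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = {cn}
O  = Example Org
[ v3_req ]
subjectAltName = @alt
[ alt ]
{alt}
"""


def generate_csr(workdir, cn, sans):
    """Write a throwaway RSA key and a CSR with the given CN and DNS SANs;
    return the CSR path."""
    workdir = Path(workdir)
    alt = "\n".join(f"DNS.{i} = {name}" for i, name in enumerate(sans, 1))
    cnf = workdir / "expe.cnf"
    cnf.write_text(OPENSSL_CNF.format(cn=cn, alt=alt))
    csr = workdir / "expe.csr"
    subprocess.run(["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
                    "-keyout", str(workdir / "expe.key"), "-out", str(csr),
                    "-config", str(cnf)],
                   check=True, capture_output=True)
    return csr


def csr_dns_sans(csr_path):
    """Parse the DNS entries of the SAN extension out of `openssl req -text`."""
    text = subprocess.run(["openssl", "req", "-in", str(csr_path), "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout
    return set(re.findall(r"DNS:([A-Za-z0-9*.-]+)", text))


def missing_sans(csr_path, required):
    """Names from `required` that the CSR does not carry, sorted for stable output."""
    return sorted(set(required) - csr_dns_sans(csr_path))


def verify_expe_csr(sans, required=EXPE_SANS):
    """Generate a CSR carrying `sans` and report which of `required` are absent."""
    with tempfile.TemporaryDirectory() as tmp:
        return missing_sans(generate_csr(tmp, sans[0], sans), required)


if __name__ == "__main__":
    gaps = verify_expe_csr(EXPE_SANS)
    print("SAN gaps:", gaps or "none")
```

`csr_dns_sans` is the piece worth keeping: point it at the CSR the Expressway produced and compare against the SAN list you expect for that node, rather than trusting that the web form captured every entry.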





Nithin, good catch. I thought the single-domain split DNS was at the enterprise level, so it could support Exp-C and Exp-E using the same domain. Hence I was proposing to use 'Example.com' additionally, as noted in point #3 'Unified CM and Expressway in Different Domains Deployment', so they can be in different domains.

Here's my case:

1- Example.com is the domain associated with the users' email/Exchange, so it's the preferred path.

2- Currently, IM users are using the 'Example.com' domain from the inside, based on SRV records:

Internal DNS SRV Records

Domain      | Service   | Protocol | Priority | Weight | Port | Target host
example.com | cisco-uds | tcp      | 10       | 10     | 8443 | cucmsub1.organization.local
example.com | cisco-uds | tcp      | 10       | 10     | 8443 | cucmsub2.organization.local
example.com | cuplogin  | tcp      | 10       | 10     | 8443 | impub1.organization.local
example.com | cuplogin  | tcp      | 10       | 10     | 8443 | imsub1.organization.local

3- Potentially, by next summer we are planning to upgrade CUCM and move the nodes into the 'Example.com' domain (same IPs).

Considering this, would you see any issues with the original design, and do we need to add the two domains 'Example.com' and 'organization.local' in the Expressway 'Configuration - Domains' menu for both Exp-C and Exp-E?

Thank you!

Accepted Solution

Single domain:

  • client email address is xyz.com
  • UC applications domain is xyz.com
  • Expressway E & C in xyz.com

Multi domain:

  • client email is xyz.com
  • UC application domain is xyz.local
  • Expressway C domain is xyz.local
  • Expressway E domain is xyz.com

Single domain is pretty easy, as all your applications will be in xyz.com:

  • keep all servers in xyz.com
  • internal A record UC.xyz.com
  • internal SRV for UDS xyz.com
  • public A record Edge xyz.com
  • public SRV Edge xyz.com

Multi domain: you need to play with DNS.

  • UC applications and Expressway C in xyz.local
  • Expressway E in xyz.com
  • internal SRV for UDS xyz.local
  • internal DNS will have an xyz.com subzone
  • the xyz.com subzone contains an A record for Expressway E pointing to Expressway E's internal NIC IP
  • public A record Edge xyz.com
  • public SRV Edge xyz.com

In both cases the user will log in with their email address.


Thank you for clarifying this. I truly appreciate it. After running this with TAC, it looks like the below is a supported DNS design as well.

Mixed domain

  • client email address is @xyz.com
  • UC application domain is xyz.local
  • Expressway C domain is xyz.com // local enterprise DNS
  • Expressway E domain is xyz.com // global DNS provider

Review DNS

  • Single Domain with Split DNS - Recommended
  • Dual Domain without Split DNS
  • Single Domain without Split DNS

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_mra-expressway-deployment-guide/exwy_b_mra-expressway-deployment-guide_chapter_0100.html#reference_4A7B85A13AF724850DB878F71F4D27D0