Expressway E internal and external dns

plp_pnlr
Level 1

Does the internal and external DNS for Expressway-E have to use the same domain name? I have configured dual NIC on the E, and the traversal zone is working, but Jabber can't connect to the internal server.

13 Replies 13

b.winter
VIP

Hello,

What do you mean by DNS?

The configured DNS servers in EXP-E? Or the DNS names of EXP-E?

As far as I remember, the only DNS entries EXP-E needs to resolve for MRA to work are its own A record and the corresponding PTR at your public DNS provider.

What you most need to make sure of is that EXP-E can resolve the A record and PTR of EXP-C too.

So for MRA, it would then need an internal DNS server that can resolve the EXP-C related DNS entries.

It's not mandatory to have the same domain. I have a customer using the MRA feature whose internal and external domains are different.

Take logs from both E and C and run them through the CSA tool. It gives you more information.

You can access the CSA tool from https://cway.cisco.com/csa/

Detailed steps to collect the logs are given in the document below.

https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/213360-collect-expressway-vcs-diagnostic-log-fo.html





Mahmoud Belhaj
Level 1

Hello @plp_pnlr 

 

Does the internal and external DNS for Expressway-E have to use the same domain name?

The domain name in the DNS server with MRA can work with the same domain or with different domains, e.g. expe.local - expe.com, or expe.com (internal) - expe.com (external), with the SRV cisco-uds for internal and collab-edge for external.

But ensure the domain is configured correctly in Exp-E (expe.com as external).

Best Regards

Hi Mahmoud,

Is there a way in Exp-E to identify if it's for external? Because under Domains you can add domain names?

Assume that your internal domain is abc.local and your external domain is abc.com.

Configure Expressway-C System >> DNS:

:- ExpresswayC
:- abc.local

Configure Expressway-E System >> DNS:
:- ExpresswayE
:- abc.com

Have you taken logs from Expressway-E and C and run them through the CSA tool? It gives you more insight into your problem.
 




On CSA, it says no issues were found, but Jabber receives a 'can't communicate with the server' error. Under Configuration > Domains, do I need to add both internal and external domains? And in Exp-C Zones > Peer address, do I also need to put the Exp-E external address? Because I think it should be only the internal address.

Assuming you have split DNS internally, under "Configuration --> Domains" you need to set all external domains for which the users log in from outside via MRA.

Taking Nithin's example: "abc.com".

Exp-C then needs to resolve the SRV "_cisco-uds._tcp.abc.com" via its internal DNS server.

Under "Exp-C Zones --> Peer address" it depends on what you need to set.

If Exp-C can resolve the external FQDN of EXP-E, then you can set this as the peer address.

If it can only resolve the internal FQDN of EXP-E, then you can set this as the peer address.

If it can resolve both, then you can choose.

But: whatever FQDN you choose, it has to be in the certificate of the EXP-E!!!

If it isn't, you get a TLS connection error.

Note:

Some public CAs don't accept internal domains in CSRs.

Therefore, the only option is to use an external FQDN in the cert of EXP-E --> therefore, the peer address in EXP-C also needs to point to the external FQDN.

Let's assume:

  • Expressway-C IP address 192.168.10.10 and hostname express-C.
  • Expressway-E internal IP address 192.168.10.11 and hostname express-E.
  • Your static IP is 72.72.72.11.
  • Domains abc.local and abc.com.

On internal DNS:

Domain abc.local

A-record: express-C.abc.local 192.168.10.10

Domain abc.com (sub zone)

A-record: express-E.abc.com 192.168.10.11

Public DNS:

A-record: express-E.abc.com 72.72.72.11

_collab-edge._tls.abc.com   SRV service location:
          priority       = 3
          weight         = 7
          port           = 8443
          svr hostname   = express-E.abc.com

Configure Expressway-C System >> DNS:

:- ExpresswayC
:- abc.local

Configure Expressway-E System >> DNS:
:- ExpresswayE
:- abc.com

Add both domains on Expressway-C:
Expressway-C >> Configuration >> Domains
 
Certificate:
Expressway-C: it can be an internal CA-signed certificate.
Expressway-E: it should be a public CA-signed certificate. When generating the CSR for Expressway-E, "make sure you add abc.com as a DNS field".
 




Regarding the certificate, does the Expressway-E have to add the FQDN of Expressway-C? If yes, the public CA does not accept the internal domain name.

The Expressway-E certificate must contain the external domain as the DNS field.

When generating the CSR, add these as DNS fields.

There is no need to add the Expressway-C details on the E certificate.





plp_pnlr
Level 1

The problem is now solved. Not only must the FQDN of Exp-E be on its certificate, but also the domain name of the public DNS. Also, TCP was not enabled in the MRA settings. Thank you all for your help.
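Pulling together the rules stated in this thread (public _collab-edge SRV and A record, _cisco-uds SRV resolvable by Exp-C, the traversal-zone peer address and the MRA domain itself both present in the Exp-E certificate SAN, TCP enabled), here is an added offline check; it is not from the thread, from Cisco or from Expressway, and the DNS records, SAN lists and the cucm.abc.local target are constructed to mirror Nithin's abc.com example.

```python
# Added example: offline check of the MRA DNS/certificate rules from this thread.
# The DNS records and SAN lists below are CONSTRUCTED to mirror the abc.com
# example; they are not real DNS data or a real Expressway-E certificate.

# Split-DNS view: "public" is what Jabber resolves from the Internet,
# "internal" is what Expressway-C resolves via the internal DNS server.
DNS = {
    "public": {
        "_collab-edge._tls.abc.com": ("SRV", 8443, "express-e.abc.com"),
        "express-e.abc.com": ("A", "72.72.72.11"),
    },
    "internal": {
        "_cisco-uds._tcp.abc.com": ("SRV", 8443, "cucm.abc.local"),
        "express-c.abc.local": ("A", "192.168.10.10"),
        "express-e.abc.com": ("A", "192.168.10.11"),
    },
}


def rtype(zone, name):
    """Record type of `name` in `zone`, or None if it does not resolve."""
    return zone.get(name, (None,))[0]


def check_mra(dns, exp_e_san, peer_address, mra_domains, tcp_enabled):
    """Return findings; an empty list means every rule from the thread holds."""
    findings = []
    for domain in mra_domains:
        srv = dns["public"].get(f"_collab-edge._tls.{domain}")
        if not srv or srv[0] != "SRV":
            findings.append(f"no public _collab-edge._tls SRV for {domain}")
            continue
        target = srv[2]
        if rtype(dns["public"], target) != "A":
            findings.append(f"SRV target {target} has no public A record")
        # Exp-E cert must carry the SRV target FQDN and the MRA domain itself.
        for name in (target, domain):
            if name not in exp_e_san:
                findings.append(f"{name} missing from Expressway-E SAN")
        if rtype(dns["internal"], f"_cisco-uds._tcp.{domain}") != "SRV":
            findings.append(f"Exp-C cannot resolve _cisco-uds._tcp.{domain}")
    # Traversal zone: peer address must resolve for Exp-C and be in the E cert.
    if rtype(dns["internal"], peer_address) != "A":
        findings.append(f"Exp-C cannot resolve peer address {peer_address}")
    if peer_address not in exp_e_san:
        findings.append(f"peer address {peer_address} not in Expressway-E SAN")
    if not tcp_enabled:
        findings.append("TCP not enabled in the MRA settings")
    return findings
```

To check a real deployment, replace the constructed DNS dict with the answers from nslookup against the public and internal resolvers, and exp_e_san with the SAN list read from the Exp-E certificate.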

Yes, the issue always happens with this:

whatever FQDN you choose, it has to be in the certificate.

If it isn't, you get a TLS connection error.

Best regards, and sorry for the late reply.

Is it missing the FQDN for Expressway-C when generating the CSR on Expressway-E?