I'm implementing Expressway C and E version 8.5.2 for MRA and I have the following client setup:
- Split horizon DNS.
- 2 domains as follows, internal: domainX.local and external: domainX.com
- All UC servers are joined to the internal domain: CUCM.domainX.local, IM&P.domainX.local, CUC.domainX.local, etc.
- The client has both a local certificate authority (CA) to locally sign his servers' certificates and is also registered with a public CA to sign his public servers' certificates.
- I have EXP-C and EXP-E to enable Mobile Remote Access for Jabber clients from outside.
I'm able to place the EXP-C either in the internal domainX.local or the external domainX.com, and for sure the EXP-E in the DMZ will be in domainX.com as it will be public and will be accessed from the internet.
My question is, should I place the EXP-C in domainX.local (internal) or domainX.com (external) for the setup to work?
I have the following concerns in this regard:
- If I place the EXP-C in the external domainX.com, will its communication with the internal UC servers, which are all in the internal domain, be okay? And will the certificate trust relation with all UC servers and the relation with the EXP-E be fine?
- If I place the EXP-C in the internal domain, will the certificate trust relation with all UC servers and the relation with the EXP-E be fine?
- Is it possible to have the EXP-C certificates signed by the local CA while the EXP-E certificates are signed by the public CA? Will it be okay?
- Is the "Unified CM phone security profile names" field, as part of the data to be entered when generating the CSR on the EXP-C, mandatory? I mean, do I have to use TLS for phones through this security profile, or can I just enable the non-secure phone profile without TLS? And if I can use the non-secure phone profile, do I have to enter this field when generating the EXP-C CSR, or can I leave it blank?
If anyone has a working setup, kindly brief me about it, especially the domains and certificates parts.
PLEASE, DO NOT post duplicate posts; this is the 4th post with the exact same question I've seen!
Still, no excuse for spamming the forum. And IMHO, a free forum, with not even a guarantee you will get an answer, should not be the place to look for urgent assistance.
1. You can place the EXP-C either in the internal or the external domain; both deployments are supported, as stated in the administration guide.
2. Personally, I don't see any reason to put the EXP-C in the external domain if it's actually in the internal one. By doing so, you'd violate your domain design.
3. If the EXP-C is placed in the internal domain, communication between the EXP-C and the UC servers will be fine regardless of certificate trust relations (unless you use TLS). Only the EXP-C and EXP-E must be able to trust each other's certs.
4. Yes, you can have the EXP-C cert signed by the local CA and the EXP-E one by the public CA. You just need to upload the local CA's cert to the EXP-E trusted CA list so it can trust the EXP-C cert.
5. "Unified CM phone security profile names" aren't necessary during CSR generation unless you use TLS in the phone security profiles on CUCM. Remember that every MRA call is encrypted by default.
From my personal experience, I strongly recommend (before implementing MRA on Expressways) preparing thorough documentation for the DNS and firewall teams stating which SRV records they should add and which ports to allow on the firewall.
Below is a DNS design guide I prepared for myself when I deployed a split-domain MRA; maybe you'll find it useful. It's checked and works like a charm at the client's site.
Last but not least, remember to add both domains on the EXP-C in Configuration -> Domains (it's probably not in the admin guide).
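An added example, not code from this thread or from the DNS guide mentioned above: an offline lint for a split-horizon MRA DNS plan of the kind described here, checking that the internal view publishes `_cisco-uds._tcp` for on-net Jabber discovery and the external view publishes only `_collab-edge._tls` toward the Expressway-E. It assumes Jabber users log in with the external domain (domainX.com), so both views publish SRV records under that name with different answers; the hostnames, IPs and the `lint_*` helpers are constructed for the example.

```python
# Added example (not from the thread or Cisco): offline lint for a split-horizon MRA DNS plan.
# Zone content, hostnames and IP addresses below are constructed placeholders.
# Assumption: the Jabber login domain is domainX.com, so SRV names use that domain in both views.

SRV_PORT = 8443  # both _collab-edge._tls and _cisco-uds._tcp are published on 8443

def srv(name, target, port=SRV_PORT):
    return {"type": "SRV", "name": name, "target": target, "port": port}

def a(name, ip):
    return {"type": "A", "name": name, "ip": ip}

def lint_view(view, must_have, must_not_have):
    """Check one DNS view; return a list of findings (empty means the view looks right)."""
    findings = []
    srvs = {r["name"]: r for r in view if r["type"] == "SRV"}
    hosts = {r["name"] for r in view if r["type"] == "A"}
    for name in must_have:
        if name not in srvs:
            findings.append(f"missing SRV {name}")
    for name in must_not_have:
        if name in srvs:
            findings.append(f"SRV {name} must not be published in this view")
    for name, rec in srvs.items():
        if rec["port"] != SRV_PORT:
            findings.append(f"SRV {name} uses port {rec['port']}, expected {SRV_PORT}")
        if rec["target"] not in hosts:  # the SRV target must resolve in the same view
            findings.append(f"SRV {name} target {rec['target']} has no A record in this view")
    return findings

def lint_split_horizon(internal, external, domain="domainX.com"):
    """Internal view steers Jabber to CUCM; external view only to the Expressway-E."""
    uds, edge = f"_cisco-uds._tcp.{domain}", f"_collab-edge._tls.{domain}"
    return {
        "internal": lint_view(internal, must_have=[uds], must_not_have=[]),
        "external": lint_view(external, must_have=[edge], must_not_have=[uds]),
    }

# Constructed sample plan for the scenario in the thread
INTERNAL_VIEW = [
    srv("_cisco-uds._tcp.domainX.com", "cucm.domainX.local"),
    a("cucm.domainX.local", "10.0.0.10"),
]
EXTERNAL_VIEW = [
    srv("_collab-edge._tls.domainX.com", "expe.domainX.com"),
    a("expe.domainX.com", "203.0.113.10"),
]
# A common mistake: leaking the internal _cisco-uds record into the public view
BAD_EXTERNAL_VIEW = EXTERNAL_VIEW + [srv("_cisco-uds._tcp.domainX.com", "cucm.domainX.local")]

if __name__ == "__main__":
    for label, result in lint_split_horizon(INTERNAL_VIEW, BAD_EXTERNAL_VIEW).items():
        print(label, result or "ok")
```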