Thanks for the reply Jaime,

I was reading up more on the process that Jabber takes to connect.  Seems like it would be a DNS thing to update.  Right?  So when Jabber opens up it looks for the domain.  If internal it see's the Server's from the internal DNS Servers.  If outside of network then it see's DNS from the public DNS servers and connects through Expressway.  Now jabber continues to monitor so once vpn is connected it see's internal DNS servers and reconnects automatically.  Obviously we want to use internal DNS servers when on VPN so we can access network resources for everything else.

Now I can't mess with the internal DNS servers....  If I block the subnets for the voice servers on the vpn, then it would just fail.

hmmmm, trying to think through this and decide how I would pull this off...

Thank you for your reply.  I do like this option.  If I am reading this correctly.  When users are on our internal network, all will work as normal.  If I was able to determine how to setup the view feature, I wouldn't block the IP network of the VPN but just the CUCM entries forcing them to look at a public DNS server?  If we have two internal DNS servers, as far as vpn dns servers assignments these would be the top two and I would have to add a public DNS server as a 3rd option then so it would look there and then connect through expressway?

I understand that ideally it would be great to have users connect through the vpn, however we are currently experiencing some major microbursts on our WAN router where VPN users traverse through.  I don't believe voice is causing the issue, but sure is being affected by it.  All my reports from users point to using vpn outside of the office for jabber.  So this is my step to try to resolve the voice quality issues while we work on the micro burst's. 

Hi Ammar, 

Thank you for your reply as well.  With your suggestion correct me if I am understanding this wrong.  However your suggestion would make them connect through expressway even when internally on the network?  I wouldn't want them to essentially leave the network to come back in to make internal calls or even external calls over our SIP.

Or was I misinterpreting your recommendation.  Which very well could be so I apologize if I am. 

this ASA doc is great. it does block the internal SRVs being resolved by vpn clients.  however the vpn jabber clients still send queries to internal DNS to reslove _collab-edge._tls which doesn't exist internally so the client fails to find MRA via expressway.  

our idea is to have jabber client connected via expressway regardless vpn is connected or not.

any suggestion is appreciated.

thanks. Vijay

update:: after fully reading the doc , i realized that corporate DNS must also have the A records for exp E along with SRV records for _collab-edge._tls.  i believe this is normally not required unless there is a requirement to enable jabber client to stay connected via expressway regardless of VPN.  thanks.

AFAIK you would need have another record in combination with the SRV as this record need to point to something.

Hi Guys, We are using Zscaler for the VPN connectivity and have bypassed SRV records "_cisco-uds._tcp.<domain>" & "_collab-edge._tls.domain." we can see that jabber connects via expressway.

However we see every time the laptop comes out of sleep/Hibernation the Jabber client tries to reconnect to the CUCM already discovered previously. These are creating log of logs in the Zscaler. 

Any thoughts on a scenario where the jabber is connected via expressway however looses network connectivity would the Jabber retry the discovered UC Apps via VPN & does that mean we should also bypass the UCApps and not just the SRV.

I would say that since Jabber caches the result of the service discovery it would likely be advisable to bypass/exclude all the FQDNs for any UC system that the client connects with after the service discovery has completed.

Hello Sandesh

i am trying to do the same thing with Zscaler ZPA and I keep having issues connecting to the sever. I have created an application segment to bypass the two records you mentioned as well as the _cuplogin.domain.com. However we are getting can<t connect toi server reply. When we look at the wireshark traces we are not seeing a query for the _cuplogin.domain.com however the two FQDN server names that are associated with the service record are queried (we have also added them to the bypass segment) the response comes back as no such name but yet we can<t connect ti the server.

Can you share some more info on how you have set this up.

Thanks

Not directly an answer to your question, but  _cuplogin service discovery only applies to old versions of Jabber. If you’re not using pre 9.6 version of Jabber you do not need to have this SRV record.