
Jabber 14 / IMP 11.5SU6 Change IM Address Scheme to Directory URI

rchaseling
Level 4

Hi,

I always deploy IMP with Address Scheme of Directory URI but have come across a site that still has default domain configured. I've never actually changed this on a production system to know what happens. Customer needs to test a new subdomain via MRA as they are deploying new side by side Expressways and using a sub-domain to test them. Logins are currently failing even though test users have user@subdomain.external.com as their email/directory URI.

 

  1. I assume there is no way to get a user logged in using the subdomain via MRA without changing the Address scheme to Directory URI?
  2. What impact will changing this have on existing users? Will their existing contacts become invalid and they will have to re-add them? Or am I right in saying it will be seamless because their existing JID will not change because their UserID@[DefaultDomain] is exactly the same as their directory URI (mail) already?

 

They use UDS for directory & I have the correct XML parameters to upload in new jabber-config.xml file to support the new address scheme. They don't use federation at all.

 

Thanks

12 Replies

Ammar Saood
Spotlight

As I understood, you have different internal and external domains, and your CUCM, IMP and Jabber SIP domain are in your internal domain, say external.com. However, you want to test sub.external.com for MRA logins via Expressway.

In that case, you need to do a few things in internal DNS, Expressway C, and the Jabber XML file.

Step 1.

  • add additional _cisco-uds records in your internal DNS server for sub.external.com and point them to cucm.external.com
  • add additional _cuplogin records in your internal DNS server for sub.external.com and point them to imp.external.com, assuming you already have A & SRV records for the domain external.com.

Step 2.

  • create a jabber xml file and add the parameter voiceservicedomain = sub.external.com. Consider voice service domain as an "alternate domain".
  • assign this xml file to the users who want to login as user@sub.external.com.

Step 3.

  • In ExpC, add 2 SIP domains: external.com and sub.external.com.
  • For external.com: CUCM = ON, IMP = OFF
  • For sub.external.com: CUCM = ON, IMP = ON

I am assuming you already have Expressway-E setup in sub.external.com with SSL certificate, public IP, proper collab-edge DNS records for sub.external.com, and FW ports open.

 

You can follow this guide to spin up new MRA EXP cluster, setup multiple domains and login Jabber internally or over MRA using any domain. Subdomain or different domain it doesn't matter only if you can create internal DNS records for that domain which ExpC uses for UDS discovery.

 


 

rchaseling
Level 4

Hi,

 

Thanks for the detailed response.

 

I have cisco-uds records setup in Public DNS for sub.external.com and have the two SIP domains configured on Expressway C. When I open Jabber MRA and put in user@sub.external.com it hits the new Expressways and CUC & I get the black Cisco OAuth login screen. I put in credentials but it just hangs before saying "cannot connect to server" - going through logs it looks like it's authenticating successfully but is then failing because the JID is user@external.com whereas the email address I'm putting in to use the new Expressways is user@sub.external.com, and I believe that's why it's failing, which means I'd need to change the IM Address scheme in CUPS to Directory URI.

I'm happy to do this but just want to make sure it has no effect on current users. If I change this I don't believe production users' JIDs will change because they will still be user@external.com, but I've never done it in production to know for sure.

 

The only way

Quoting your comment

"I have cisco-uds records setup in Public DNS for sub.external.com and have the two SIP domains configured on Expressway C."

 

Please re-read step1. Cisco-uds and cuplogin records should not be in the Public DNS.

Public DNS should only have one SRV record which is _collab-edge._tls

 

 

Apologies - typo! I meant collab-edge not cisco-uds.

 

I'm getting to the OAuth screen and authenticating but then it's failing - to me this is because I'm logging in with an email address that is different from the JID because the Address scheme is not set to Directory URI.

I have many customers with multiple domains and MRA is working fine. No matter if you are syncing users with ID@external.com. You don't need Flexible JID to make it work.

Can you disable OAuth on EXPC and only allow username & password credentials? Resync the IMP & CUCM servers.

Are both domains added to EXPC, and both have CUCM + IMP features turned ON?

Have you added voiceservicedomain = sub.external.com in your jabber UC config?

Also, test your account in the link below under collab edge section and post the output. This tool will show why exactly it is failing.

https://cway.cisco.com/csa/

Hi,

 

OK I thought flexible JID was a pre-req

 

Yes, both domains added to Expressway C and both have CUCM & IM features turned on.

I haven't added anything extra to Jabber-config.xml as it needs to be able to login first to be able to pull it down right....or maybe I'm wrong here?

I also don't have cisco-uds SRV records in the internal DNS for sub.external.com but I see it finding the CUCM cluster anyway in the logs as I believe Expressway will use the default domain as last resort anyway. I'll get them put in now anyway to rule it out.

 

Unfortunately I can't use that tool as they have firewall rules locked down to my public IP only during testing

 

 

Please find my answers in bold.

OK I thought flexible JID was a pre-req

**No, it's not.**

Yes, both domains added to Expressway C and both have CUCM & IM features turned on

**CUCM domain ext.com = ON, IMP domain ext.com = OFF**

**CUCM domain 2 sub.ext.com = ON, IMP domain 2 sub.ext.com = ON**

I haven't added anything extra to Jabber-config.xml as it needs to be able to login first to be able to pull it down right....or maybe I'm wrong here?

**No, it was the old method. You just add voiceservicedomain = sub.external.com**

I also don't have cisco-uds SRV records in the internal DNS for sub.external.com but I see it finding the CUCM cluster anyway in the logs as I believe Expressway will use the default domain as last resort anyway. I'll get them put in now anyway to rule it out.

**EXPC was finding cisco-uds because its DNS domain is domain1.com. You need ExpC to look up IDs using your external domain (sub.external.com). So you must add a forward lookup zone of (sub.external.com) in your internal DNS server and its SRV should point to cucm.ext.com & imp.ext.com.**

Unfortunately I can't use that tool as they have firewall rules locked down to my public IP only during testing

**You must be able to login internally using your external domain (sub.ext.com). Otherwise, it will also not work for MRA. For this to work, a DNS forward zone is required.**

 

Test and let me know.

If your internal DNS SRV records for sub.external.com are correct, are your users able to login internally with user@sub.external.com?

 

If yes, then you need only to look at EXPC config + Jabber UC profile settings.

rchaseling
Level 4

Hi,

 

Many thanks - I'm getting the forwarding DNS zone SRV records for sub.external.com setup internally and will revert

 

Can I just ask why I need to change this?  IMP domain ext.com=off

Because this Expressway is not serving external.com for IMP services. Its collab-edge record is in sub.ext.com.

If you want this ON, then you must add this domain in your SSL certificate.

 

Add the FWD zone and keep me posted.

 

UPDATE: 

 

Sooo the issue ended up being firewall related: TCP 8443 and 5061 were opened inbound from internet but 5222 was not!!! Schoolboy error not checking this myself - CSA tool would have picked this up straight away had they had this allowed....anyway, thanks for all the support.

At least I learnt you do not have to have IM Address Scheme set to Directory URI to allow multi domain logins!!

 

Ammar Saood
Spotlight

I am glad that your setup is working now without doing so many changes.

Cheers
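
Added example, not part of the thread or of any Cisco tooling: a Python pre-flight check for the two things this thread turned on, the SRV record placement described in Step 1 (only `_collab-edge._tls` in public DNS, `_cisco-uds` and `_cuplogin` in internal DNS) and the inbound TCP ports named in the update. The function names are hypothetical, and the SRV name sets are inputs you collect yourself from each DNS view.

```python
import socket

# Inbound TCP ports to Expressway-E named in the thread's update.
MRA_INBOUND_PORTS = {8443: "HTTPS", 5061: "SIP TLS", 5222: "XMPP"}

def check_srv_placement(domain, public_srv, internal_srv):
    """Compare SRV owner names seen in each DNS view with the thread's layout.

    public_srv / internal_srv: sets of SRV names that resolved in that view.
    Returns a list of findings; an empty list means the layout is consistent.
    """
    edge = f"_collab-edge._tls.{domain}"
    internal_only = [f"_cisco-uds._tcp.{domain}", f"_cuplogin._tcp.{domain}"]
    findings = []
    if edge not in public_srv:
        findings.append(f"missing in public DNS: {edge}")
    for name in internal_only:
        if name in public_srv:
            findings.append(f"must not be in public DNS: {name}")
        if name not in internal_srv:
            findings.append(f"missing in internal DNS: {name}")
    return findings

def probe_ports(host, ports=MRA_INBOUND_PORTS, timeout=3.0):
    """Attempt a TCP connect to each port; return {port: reachable}."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:  # refused, timed out, or host did not resolve
            results[port] = False
    return results

def blocked_ports(results):
    """Ports that did not accept a connection, sorted for stable output."""
    return sorted(port for port, ok in results.items() if not ok)

if __name__ == "__main__":
    # Constructed sample: sub.external.com before the internal forward zone exists.
    public = {"_collab-edge._tls.sub.external.com"}
    internal = set()
    for finding in check_srv_placement("sub.external.com", public, internal):
        print(finding)
    # Constructed probe result matching the update (5222 closed at the firewall).
    sample = {8443: True, 5061: True, 5222: False}
    for port in blocked_ports(sample):
        print(f"blocked inbound: TCP {port} ({MRA_INBOUND_PORTS[port]})")
```

Run `probe_ports` from a host outside the firewall against your own Expressway-E address to get real results in place of the constructed sample.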
