Jabber cannot communicate with server after authentication.

Tareq Ali
Level 1

Jabber cannot communicate with the server after authentication.

 

No Errors on logs on the C

2021-03-11T16:32:31.508+00:00 edgeconfigprovisioning: Level="INFO" Detail="Authenticated user successfully" Username="xyz" ClientId="81.130.172.17" TrackingID="4849d441-cf54-4225-b4de-b889f0bf3487" UTCTime="2021-03-11 16:32:31,507"

 

Expressway-E Logs

2021-03-11T16:32:28.787+00:00 traffic_server[27485]: Event="get_edge_sso" Detail="Access denied" Reason="Only legacy auth supported" Domain="xyz.uk" Src-ip="81.130.172.17" Src-port="61970" UTCTime="2021-03-11 16:32:28,787"
2021-03-11T16:32:28.771+00:00 traffic_server[27485]: Event="get_edge_sso" Detail="Access denied" Reason="Only legacy auth supported" Domain="xyz.uk" Src-ip="81.130.172.17" Src-port="61970" UTCTime="2021-03-11 16:32:28,770"

No issues logging in with Jabber locally.


Can you provide more details regarding your setup? Is it a single domain or multi-domain? What entries did you make for both internal and external DNS?

Also go through the below bug ID.

CSCve56060


We started as a dual domain, but now we only have one domain. We have DNS entries & SRV records for _cisco-uds._ & _cisco-uds._tcp & external _collab-edge._tls.

I will take a look at the bug you mentioned, thanks.

 

Tareq Ali
Level 1

Thank you Nithin

The only thing we see in the event log is the following error below, although I did not think we need any services configured for _cuplogin?

edgeconfigprovisioning: Level="WARN" Detail="Service not found for edge config response" Service="_cuplogin" User="userid" UTCTime="TIME"


When we run a packet capture, the only error we see is attached.

tcp.png

If I run a capture on selecting every parameter of the Expressway-C (and upload it to the cway Tools), I see the following error on the CSA TAC Tool; however, we cannot see any blocks by the firewall between the C & E.

Traversal XMPP connection failed to cause Jabber MRA login failure MRA
Related documentation:
Description
The connection from VCS-C to VCS-E on port 7400 failed to establish, this connection is used to reverse proxy XMPP traffic.

Action
Verify that VCS-E is listening on port 7400 and that traffic is allowed by the firewall
2021-03-16T11:56:37.212+00:00 uc-mraxpc-01 XCP_JABBERD[7937]: UTCTime="2021-03-16 11:56:37,212" ThreadID="140099653502720" Module="Jabber" Level="ERROR" CodeLocation="mio.c:1242" Detail="Unable to connect to host 'uc-imp-01.xyz.uk', port 7400:(111) Connection refused"

 

Can you provide the below details?

Internal domain

External domain

Dual NIC or single NIC

A record details created on internal DNS.

What do you mean by _cisco-uds._ & _cisco-uds._tcp? AFAIK you need to create only cisco-uds._tcp, and that is not required for the latest versions of Expressway.

uc-imp-01.xyz.uk: is this CUCM or IMP?

Hi Nithin, 

 

Thank you for your response. Please find the answers to your questions below and also a pdf of screenshots.

 

Internal domain = ad.abc.xyz.uk

External domain = abc.xyz.uk

 

 

The only difference is the ad in the internal,  but we have now added both to the internal so a Jabber client can use the high-level without the 'ad' to discover the services.

 

Please see the attachment below which has screenshots and configuration 

 

We have a dual NIC Setup 

Dual NIC  ( with static routes applied to point back to the subnet of the Expressway-C and CUCM Nodes)

 

 

what you mean by _cisco-uds._ & _cisco-uds._tcp  ??   

 

The service records created in the above table, as Jabber looks for these pointing to uc-tftp servers & publisher.

 

uc-imp-01.xyz.uk is this CUCM or IMP  ?

This is the primary presence node. 

 

 

A record details created on internal DNS,

We have srv records created and DNS configured, reverse lookup

| Purpose | Type | Entry | Port | Priority | Weight | Resolves to |
|---|---|---|---|---|---|---|
| SIP and SIPS SRV records for SIP communications to the CUCM cluster | Service (SRV) | _sip._tcp.ad.xyz.uk. | xx060 | 10 | 10 | uc-cmsub-01.ad.xyz.uk |
| | Service (SRV) | _sip._tcp.ad.xyz.uk. | xx060 | 10 | 10 | uc-cmsub-02.ad.xyz.uk |
| | Service (SRV) | _sips._tcp.ad.xyz.uk. | xx061 | 10 | 10 | uc-cmsub-01.ad.xyz.uk |
| | Service (SRV) | _sips._tcp.ad.xyz.uk. | xx061 | 10 | 10 | uc-cmsub-02.ad.xyz.uk |
| To be used for Cisco Jabber clients to locate and connect to services when they are in the internal network | Service (SRV) | _cisco-uds._tcp.ad.xyz.uk. | 8443 | 10 | 10 | uc-cmpub-01.ad.xyz.uk |
| | Service (SRV) | _cisco-uds._tcp.ad.xyz.uk. | 8443 | 10 | 10 | uc-cmtftp-01.ad.xyz.uk |
| | Service (SRV) | _cisco-uds._tcp.ad.xyz.uk. | 8443 | 10 | 10 | uc-cmtftp-02.ad.xyz.uk |
| To be used when Cisco Jabber clients are outside of the corporate network; the Expressway-C performs a query for these SRV records using the public domain | Service (SRV) | _cisco-uds._tcp.xyz.uk. | 8443 | 10 | 10 | uc-cmpub-01.ad.xyz.uk |
| | Service (SRV) | _cisco-uds._tcp.xyz.uk. | 8443 | 10 | 10 | uc-cmtftp-01.ad.xyz.uk |
| | Service (SRV) | _cisco-uds._tcp.xyz.uk. | 8443 | 10 | 10 | uc-cmtftp-02.ad.xyz.uk |
| | Service (SRV) | _cuplogin._tcp. .xyz.uk. | 8443 | 10 | 10 | uc-imp-01.ad.xyz.uk |
| | Service (SRV) | _cuplogin._tcp. .xyz.uk. | 8443 | 10 | 10 | uc-imp-02.ad.xyz.uk |

 

 We have External Public DNS Created

Public DNS Servers

Table 2. Summary of external DNS Entries

| Purpose | Type | Entry | Port | Priority | Weight | Resolves to |
|---|---|---|---|---|---|---|
| To be able to resolve the Expressway-E Fully Qualified Domain Name (FQDN) to the public IP address | Host (A) | expressway1..xyz.uk | N/A | N/A | N/A | 19xx.188.xx.xx |
| | Host (A) | expressway2..xyz.uk | N/A | N/A | N/A | 19xx.188.xx.xx |
| For the Cisco Jabber clients to locate and connect to services when they are located outside the internal network; the target host should be the MRA Expressway-E servers external FQDN | Service (SRV) | _collab-edge._tls. .xyz.uk | 8443 | 10 | 10 | expressway1..xyz.uk |

DNS entries for MRA


Dual domain with Dual NIC.

Example Configuration.


Internal Domain:- abc.local
External Domain:- abc.com

 

CUCM IP addresses:- 192.168.10.10 HostName :- cucm.abc.local
IM Presence address:- 192.168.10.11 HostName :- im.abc.local
Expressway C address :- 192.168.10.12 HostName :- express-c.abc.local
Expressway Internal NIC :- 192.168.10.13 HostName :-
Expressway DMZ NIC address :- 192.168.20.13 HostName :- express-e.abc.com
Expressway public IP:- 168.10.20.54


Internal DNS Entries
======================================================

A-record(Forward and Reverse):-

Domain:- abc.local
cucm.abc.local 192.168.10.10
im.abc.local 192.168.10.11
express-c.abc.local 192.168.10.12

Domain :- Create a subzone abc.com

express-e.abc.com 192.168.10.13(Internal NIC IP)
======================================================
Srv-Record

New versions of Expressway don't need the below for C to discover CUCM. But it is required when a Jabber user logs in internally.

======================================================
_cisco-uds._tcp.abc.local SRV service location:
priority = 6
weight = 30
port = 8443
svr hostname = cucm.abc.local
======================================================

 

Public DNS:-

A-record :-
======================================================
Domain:- abc.com
express-e.abc.com 168.10.20.54
======================================================

Srv-Record

======================================================
_collab-edge._tls.abc.com SRV service location:
priority = 3
weight = 7
port = 8443
svr hostname = express-e.abc.com
======================================================

 

 

_sips and _sip are configured on public DNS.

Thanks, Nithin,

 

We are making progress. I can now log in using iPhone, Android, and Jabber on PC and get some services like corporate directory and enabling single number reach, for example.

However,

JAbber_Andriod.jpg

the phone services are not working.

 

Jabber1.jpg

domains.jpg

 

Please see pdf attached

DUEL Nics.jpg

  

Did you try logging in from the internal network?

The error which you face when turning on TLS is due to the certificate.


We can log in fine locally (internally). Thanks, we are keeping TLS off for now, trying to get it to work without TLS on.

As @Nithin Eluvathingal wrote, the error seen with TLS verification set to on is caused by issues with the verification of the certificate. There are a few things that are commonly the cause.

  • The content of the SAN in the certificate does not include the name of the cluster and/or the Expressway nodes in the cluster.
  • The FQDN name set on the traversal zone cannot be found in the certificate.
  • The FQDN name in traversal zone configuration cannot be resolved via name lookup in DNS.
  • IP address is used for the “name” in zone configuration instead of FQDN.
  • The names in the SAN cannot be resolved in DNS.
  • The CA certificates used to sign the server certificate are not uploaded into both C and E. If an internal CA is used for the C server certificate, the root CA and, if applicable, intermediate certificates of the internal CA also need to be uploaded on the E apart from on C. The reverse is also true for E to C; however, here the server certificate is for the most part signed by a public CA. In either case the CA certificates need to be present in the trust store on both C and E to form what in PKI is known as the chain of trust.
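
Added example, not part of the original replies: the SAN, IP-versus-FQDN and trust-store items from the checklist above can be checked offline with openssl against exported certificates. The script builds a constructed CA and server certificate to run against; the host names (`expc-cluster.example.test`, `expc1.example.test`), file names and function names are assumptions, and the DNS-resolution items are not covered.

```bash
#!/usr/bin/env bash
# Added example: every certificate, key and host name here is constructed.

# make_pki DIR: constructed internal CA plus a server certificate whose SAN
# lists a cluster name and one node name (placeholder names).
make_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Internal CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=expc-cluster.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:expc-cluster.example.test,DNS:expc1.example.test\n' \
    > "$d/san.ext"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/san.ext" -days 1 -out "$d/srv.pem" 2>/dev/null
}

# check_peer CERT TRUST_BUNDLE PEER: PEER is the name typed into the zone.
# Prints one line per check and returns the number of failed checks.
check_peer() {
  cert=$1; trust=$2; peer=$3; fails=0
  case $peer in
    *[!0-9.]*) echo "ok   peer is a name, not an IPv4 address" ;;
    *) echo "FAIL peer '$peer' is an IP address, use the FQDN"; fails=$((fails + 1)) ;;
  esac
  # -checkhost compares the name with the SAN entries of the certificate
  if openssl x509 -in "$cert" -checkhost "$peer" | grep -q 'does match'; then
    echo "ok   '$peer' matches the SAN"
  else
    echo "FAIL '$peer' is not in the SAN"; fails=$((fails + 1))
  fi
  # the issuing CA must be in the trust bundle of the side doing the verification
  if openssl verify -CAfile "$trust" "$cert" >/dev/null 2>&1; then
    echo "ok   chain verifies against the trust bundle"
  else
    echo "FAIL issuing CA is not in the trust bundle"; fails=$((fails + 1))
  fi
  return "$fails"
}

# Demo on constructed material: a good peer name, then an IP address.
tmp=$(mktemp -d) && make_pki "$tmp"
check_peer "$tmp/srv.pem" "$tmp/ca.pem" expc-cluster.example.test || true
check_peer "$tmp/srv.pem" "$tmp/ca.pem" 192.0.2.10 || true
```

Against real nodes, run `check_peer` once per direction: the C certificate against the CA bundle exported from the E, and the E certificate against the bundle from the C.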

 





Try the collabedge validator on the CSA tool and see if you get any errors.

Also collect logs from Jabber and use them on the CSA tool.



Tareq Ali
Level 1

If we turn on TLS we get this error?

Error with TLS on.jpg

 

With TLS on or off we get no errors: when we capture a failed login attempt and upload it to the CSA Tool, it shows as clean, no errors.

If your certificates are not proper, you will get this error when turning on TLS.