02-20-2013 09:03 AM - edited 03-17-2019 03:02 PM
How can I allow IM and Presence from over the internet without the VPN? I'd like to be able for users to run Jabber IM mobile app without a tunnel due to it hogging battery resources.
I have set up a NAT to my CUPS and opened the correct ports (SIP and XMPP) on my ASA but still not allowed to login. Has anyone configured this?
02-20-2013 10:26 AM
Hi Aaron
The only 'supported' deployment is tunnel based at the moment.
I would suspect that if you aren't getting logged in it may be the old hostname resolution thing - your initial connection will result in CUPS returning a server hostname (yep, hostname, not FQDN) which the client will then resolve as 
So... theoretically you could configure the CUPS server hostnames in Topology as FQDNs rather than just hostnames, and they would return those to the remote clients. You would need to ensure those FQDNs are resolvable externally.
That means that your CUPS FQDN can't be an org.local or org.internal type domain.
Also there is a bug where changing that reference from hostname to FQDN kills replication in the cluster, in a way that cannot be recovered... so take a DRF.
If the DNS setup is a problem, you might get it working with CUPS on a public IP, but that's not what you have currently I expect.
And this is all theory... I wouldn't try deploying it in a way Cisco won't support for my customers :-)
Aaron
02-27-2013 07:31 AM
Thanks Aaron.
In this case I am the customer and I wanted to be able to pull up Jabber IMs quickly when away from the office without the VPN because AnyConnect really drains the battery on an iPhone if left continuously running.
I was able to get it to work logging in with the public IP NATed to internal IP of CUP. Also, for anyone out there looking to do this I had to open TCP port 8443 for SOAP/TLS in addition to the SIP and XMPP ports on the outside interface of my ASA.
09-25-2013 01:41 PM
Barry,
Can you give me the exact ports you opened in your ASA to allow this? I have attempted but get a TCP Connection Deny. We too are attempting to use Jabber for IM/P without VPN.
Thanks,
Brad
09-26-2013 05:44 AM
NAT your internal CUPS server IP on the ASA to a public IP. Create ACL allowing any host to connect to outside IP on ports tcp/udp 5060, tcp 5222, tcp 8443.
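As an added illustration (not the poster's configuration), here is the static NAT and the port-restricted ACL described in the reply above in ASA 8.3+ syntax, plus the packet-tracer check a practitioner would run when a client reports a connection deny. The inside address 10.1.1.20, the public address 203.0.113.20, the object/ACL names and the interface names inside/outside are all constructed for the example.

```cisco
! Added example, constructed addresses and names. ASA 8.3+ syntax,
! where the ACL references the real (inside) address, not the public one.
!
! Real IM and Presence server address on the inside interface
object network CUPS_INSIDE
 host 10.1.1.20
 description CUPS / IM and Presence server (constructed address)
 ! One-to-one static NAT to the public address clients will use
 nat (inside,outside) static 203.0.113.20
!
! Only the ports the thread names: SIP tcp/udp 5060, XMPP tcp 5222,
! SOAP/TLS tcp 8443. Nothing else from the internet reaches the server.
access-list OUTSIDE_IN remark Jabber IM/P without VPN - CUPS only
access-list OUTSIDE_IN extended permit tcp any object CUPS_INSIDE eq 5060
access-list OUTSIDE_IN extended permit udp any object CUPS_INSIDE eq 5060
access-list OUTSIDE_IN extended permit tcp any object CUPS_INSIDE eq 5222
access-list OUTSIDE_IN extended permit tcp any object CUPS_INSIDE eq 8443
!
! Apply inbound on the outside interface (replaces any existing binding)
access-group OUTSIDE_IN in interface outside
!
! Verification from the ASA CLI. A "Drop" result with the ACL or NAT
! phase failing is what shows up on the client as a TCP connection deny.
! (198.51.100.7 is a constructed example client address.)
show nat
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.20 8443
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.20 5222
```

If packet-tracer allows the flow but the client still fails, the problem is past the firewall; the earlier reply's point about the server returning an internally resolvable name (for example a .local hostname) is the next thing to check.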
12-24-2013 02:47 PM
I have the above ports open but I am unable to connect without VPN. Could this be a DNS name issue? We use .local on the inside and .com on the outside.