
Jabber IM and Presence use without VPN

mulkeyinc (Level 1)

How can I allow IM and Presence over the internet without the VPN? I'd like users to be able to run the Jabber IM mobile app without a tunnel, because the tunnel hogs battery resources.

I have set up a NAT to my CUPS and opened the correct ports (SIP and XMPP) on my ASA, but I still cannot log in. Has anyone configured this?

Accepted Solution

Aaron Harrison (VIP Alumni)

Hi Aaron

The only 'supported' deployment is tunnel based at the moment.

I would suspect that if you aren't getting logged in, it may be the old hostname resolution thing: your initial connection will result in CUPS returning a server hostname (yep, hostname, not FQDN), which the client will then resolve as .. You won't have control of the remote device's DNS/DHCP setup.

So... theoretically you could configure the CUPS server hostnames in Topology as FQDNs rather than just hostnames, and those would be returned to the remote clients. You would need to ensure those FQDNs are resolvable externally.

That means that your CUPS FQDN can't be an org.local or org.internal type domain.

Also, there is a bug where changing that reference from hostname to FQDN kills replication in the cluster in a way that cannot be recovered... so take a DRF.

If the DNS setup is a problem, you might get it working with CUPS on a public IP, but that's not what you have currently I expect.

And this is all theory... I wouldn't try deploying it in a way Cisco won't support for my customers :-)

Aaron

Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!


5 Replies


Thanks Aaron.

In this case I am the customer and I wanted to be able to pull up Jabber IMs quickly when away from the office without the VPN because AnyConnect really drains the battery on an iPhone if left continuously running.

I was able to get it to work by logging in with the public IP NATed to the internal IP of CUP. Also, for anyone out there looking to do this, I had to open TCP port 8443 for SOAP/TLS in addition to the SIP and XMPP ports on the outside interface of my ASA.

Barry,

Can you give me the exact ports you opened in your ASA to allow this? I have attempted this but get a TCP Connection Deny. We too are attempting to use Jabber for IM/P without VPN.

Thanks,

Brad

NAT your internal CUPS server IP on the ASA to a public IP. Create an ACL allowing any host to connect to the outside IP on ports tcp/udp 5060, tcp 5222 and tcp 8443.

I have the above ports open but I am unable to connect without VPN. Could this be a DNS name issue? We use .local on the inside and .com on the outside.
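As an added example for this thread (not code from any of the posters or from Cisco): a small pre-flight script that checks the two failure points identified above when CUPS is reached through the ASA NAT without a VPN. The first is Aaron's point that the name CUPS hands back to the client must be a publicly resolvable FQDN, so a bare hostname or an org.local / org.internal style suffix (the situation in the last reply) fails. The second is Barry's port list (tcp/udp 5060, tcp 5222, tcp 8443), which must accept connections on the outside address. The hostnames and addresses in it are constructed placeholders, the list of non-public suffixes beyond .local and .internal is an assumption, and it probes TCP only, so udp/5060 is not covered.

```python
"""Pre-flight check for a CUPS / IM&P server reached through a NAT without VPN.

Added example for this thread, not code from the original posts or from Cisco.
Checks: (1) the advertised server name is a publicly resolvable FQDN, and
(2) the required TCP ports answer on the public (NATed) address.
All names and addresses used here are constructed placeholders.
"""
import socket
import sys

# Suffixes a remote client cannot resolve from the public internet.
# .local and .internal come from the thread; the rest are an added assumption.
NON_PUBLIC_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".home")

# Ports listed in the thread (tcp/udp 5060, tcp 5222, tcp 8443); UDP is not probed.
REQUIRED_TCP_PORTS = (5060, 5222, 8443)


def check_name(name):
    """Flag a name that a client outside your DNS cannot resolve."""
    host = name.strip().rstrip(".").lower()
    if "." not in host:
        return ["%r is a bare hostname; set the Topology entry to an FQDN" % name]
    if host.endswith(NON_PUBLIC_SUFFIXES):
        return ["%r has a non-public suffix; it will not resolve from the internet" % name]
    return []


def check_resolution(name, expected_ip, resolve=socket.gethostbyname):
    """Check that the name resolves (from where this runs) to the public IP."""
    try:
        got = resolve(name)
    except OSError as exc:
        return ["%r does not resolve: %s" % (name, exc)]
    if got != expected_ip:
        return ["%r resolves to %s, expected public IP %s" % (name, got, expected_ip)]
    return []


def _tcp_connect(ip, port, timeout=3.0):
    """Complete a TCP handshake and close; raises OSError on failure."""
    with socket.create_connection((ip, port), timeout=timeout):
        pass


def check_ports(ip, ports=REQUIRED_TCP_PORTS, connect=_tcp_connect):
    """Try each required port through the firewall; report the ones that fail."""
    problems = []
    for port in ports:
        try:
            connect(ip, port)
        except OSError as exc:
            # A refusal or timeout here is the client-side view of the
            # "TCP Connection Deny" mentioned in the thread: NAT or ACL is not
            # passing the flow to the server.
            problems.append("tcp/%d on %s: %s: %s" % (port, ip, type(exc).__name__, exc))
    return problems


def preflight(name, public_ip, resolve=socket.gethostbyname, connect=_tcp_connect):
    """Run all checks; an empty list means the basics are in place."""
    problems = check_name(name)
    if not problems:  # resolution is only meaningful for a usable FQDN
        problems += check_resolution(name, public_ip, resolve)
    problems += check_ports(public_ip, REQUIRED_TCP_PORTS, connect)
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: cups_preflight.py <cups-fqdn> <public-ip>")
    issues = preflight(sys.argv[1], sys.argv[2])
    for issue in issues:
        print("PROBLEM:", issue)
    print("OK" if not issues else "%d problem(s)" % len(issues))
```

Run it from a host outside the corporate network (a phone hotspot is enough), since resolution from inside says nothing about what the remote client will see. The `resolve` and `connect` parameters exist so the logic can be exercised offline with stand-ins; a clean run does not make the deployment supported, it only rules out the two causes discussed in this thread.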