MRA with multi external domain

h.hajamor
Level 1

Hi,

I am deploying a Cisco MRA solution using EXPC and EXPE.

In my case, I have one internal domain (domain0.local) and multiple external domains that have different SRV records pointing to the same public address of my EXPE.

_collab-edge._tls.domain1.com   --> expe.domain1.com (EXPE public address)

_collab-edge._tls.domain2.com  --> expe.domain2.com   (EXPE public address)

_collab-edge._tls.domain3.com  --> expe.domain3.com  (EXPE public address)

During the configuration, I tried one domain and it worked fine.

When I add the second, both of them have different issues:

- HTTP allow list

  or

- can't determine home UCM

- ....

BTW, I have upgraded both EXPs to 8.10.4.

Is there a solution or a specific guide that could help to resolve my problem?

Accepted Solution

Ayodeji Okanlawon
VIP Alumni

For this to work, you have to make some serious changes, and here are the reasons why:

1. Your IM and P server, if using the default presence domain structure, must match the domain in your JID. E.g. if your users sign in using adam@domain1.com, then your IM and P server presence domain has to be domain1.com.

Now if you have multiple users on different external domains, then you will have issues. If you have another user on adam@domain2.com, your login will fail, because domain2.com is not configured on your IM and P server, hence it is not responsible for processing requests for that domain.

There is only one possible solution for this, and that is to use flexible JID on your IM and Presence server. Now this comes with a caveat: your users' "mail or msRTCSIP-primaryuseraddress" address must be mapped to the directory URI, and this directory URI is what they must use to log in to Jabber.

For example, when you change IM and P to use directory URI, then your users' "mail or msRTCSIP-primaryuseraddress" attributes in AD must match as follows:

1. users on domain1: adam@domain1.com

2. users on domain2: adam@domain2.com

3. users on domain3: adam@domain3.com

Now once this is taken care of, IM and P will allow users to log in using any of the matched directory URIs. But you still need to sort out Expressway.

To allow Expressway-E to accept the login request, you will then need to tell Jabber to use the domain on the Expressway-E for its service discovery. Let's assume your Expressway-E is on domain1 and your CUCM and IM and P servers are on the internal domain. You will need to do the following:

Jabber: SERVICES_DOMAIN=domain1.com (note you don't need voice_services_domain: this is only required if you are using hybrid services). Your discovery domain is actually your services_domain.

So when Jabber runs its query for collab-edge, it will look for _collab-edge._tls.domain1.com, which resolves to the Expressway-E, e.g. expwe01.domain1.com.

Now internally, Expressway-C will query UDS records for domain1.com, so you then need to create a forward lookup zone on DNS to point all the requests for domain1.com to your internal domain where your CUCM and IM and P live.

Please rate all useful posts

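The three prerequisites the accepted answer walks through (collab-edge SRV on the services domain, an internal UDS answer for that same domain, and IM&P owning the login domain), as an added example that is not part of the original thread or any Cisco software. It is a small offline Python model: the DNS views and the IM&P domain list are constructed tables standing in for real dig/nslookup results, and the `_collab-edge._tls` / `_cisco-uds._tcp` SRV names are the ones Jabber and Expressway-C query. Given a JID, it reports which prerequisite is missing, in discovery order.

```python
from dataclasses import dataclass

@dataclass
class MraSetup:
    services_domain: str   # Jabber SERVICES_DOMAIN (the discovery domain)
    external_srv: dict     # public DNS view: SRV name -> target host (constructed)
    internal_srv: dict     # internal DNS view: SRV name -> target host (constructed)
    imp_domains: set       # domains the IM&P node accepts for login (constructed)

def collab_edge_srv(domain: str) -> str:
    return f"_collab-edge._tls.{domain}"

def uds_srv(domain: str) -> str:
    return f"_cisco-uds._tcp.{domain}"

def login_problems(setup: MraSetup, jid: str) -> list:
    """Problems an MRA login with this JID would hit; empty list means
    every check modelled here passes."""
    problems = []
    _, _, jid_domain = jid.partition("@")
    # 1. Jabber looks up collab-edge on the services domain, not the JID domain
    edge_name = collab_edge_srv(setup.services_domain)
    if edge_name not in setup.external_srv:
        problems.append(f"public DNS: {edge_name} missing")
    # 2. Expressway-C then resolves UDS for that same domain internally;
    #    the forward lookup zone is what makes this answer exist
    uds_name = uds_srv(setup.services_domain)
    if uds_name not in setup.internal_srv:
        problems.append(f"internal DNS: {uds_name} missing (no forward lookup zone)")
    # 3. IM&P must own the JID domain (presence domain or directory URI)
    if jid_domain not in setup.imp_domains:
        problems.append(f"IM&P: domain {jid_domain} not configured")
    return problems

# Constructed "before" state: a single presence domain and no internal UDS zone
BEFORE = MraSetup(
    services_domain="domain1.com",
    external_srv={collab_edge_srv("domain1.com"): "expe.domain1.com"},
    internal_srv={uds_srv("domain0.local"): "cucm1.domain0.local"},
    imp_domains={"domain1.com"},
)
# Constructed "after" state following the accepted answer: directory URI login
# covers all three domains and a forward lookup zone answers UDS for domain1.com
AFTER = MraSetup(
    services_domain="domain1.com",
    external_srv={collab_edge_srv("domain1.com"): "expe.domain1.com"},
    internal_srv={uds_srv("domain0.local"): "cucm1.domain0.local",
                  uds_srv("domain1.com"): "cucm1.domain0.local"},
    imp_domains={"domain1.com", "domain2.com", "domain3.com"},
)
```

Swapping the constructed tables for live SRV lookups from inside and outside the network turns this into a quick pre-check before changing Jabber's services domain.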


Slavik Bialik
Level 7

Hi, I have a feeling that it has something to do with the:

<VoiceServicesDomain>domain1</VoiceServicesDomain>

that is located in your jabber-config.xml file.

Just out of curiosity, try to change the value of the first external domain that you put in the above XML tag to the second domain that you're currently not able to log in with, and then try to log in with this second domain. If it works, then I'm not sure how to solve it, because you can enter only one external domain in the VoiceServicesDomain tag. I think a possible solution for that is applying a transformation rule on the Expressway server that'll replace all the domains with the first domain (the main one, that currently is working).

If it's still not working, review the configurations; maybe you didn't add those SIP domains in the Expressway-C server. Under configuration you have a settings page named "Domains"; you must enter them all there.

Plus, you need to enter all the relevant domains in the IM&P server under Domains also.

Dear Slavik,
about <VoiceServicesDomain>, I am sure that the jabber-config.xml doesn't support multidomain.
I am trying to go through with the transformation method,
but I think that the transformation is needed only for SIP routing and not Jabber auth for MRA.
Best regards

Yeah, I think you are right about the transformation. It won't affect the authentication.

Anyway, how are the users from domain2 trying to make their login? Are they using "username@domain2" or "username@domain1"?

If each one of them is using a different domain, I think that the solution is using the Directory URI field for all of the users. Does this field currently contain some information, or is it blank for all of the users?

If it's blank, you can change the LDAP Directory configuration for this field to sync from the "mail" attribute from Active Directory, and then it'll contain "username@domain2" or "mailuser@domain2", depending on whether the username is different from the email address of the person.

Because then the IM&P server will try to locate users that have this Directory URI based on the user's input when he's trying to log in, and currently there's probably no match, therefore authentication fails. (But of course, do not forget to add the domains, as I said in my previous comment, in the Expressway-C and IM&P servers.)

 


Hi Ayodeji,

Thanks for the detailed description (+5). Do you think that by this method the same user can use different domains to log in? E.g. a user named john: can he log in with john@domain1.com, john@domain2.com and john@domain3.com? There is only one directory URI for one user ID, right?

No, you can't have multiple user IDs for one user. So this won't be possible.

Please rate all useful posts

Hello,

I am in the same situation as Hajmor.

On IM and P, I use the directory URI for my users. In the team, we manage several branches from different countries in our company.

The goal is to put Jabber over MRA on the mobiles.

I think I did as Ayodeji says.

I created an internal DNS zone called MRA.domain1.com (with the UDS and CUP SRV records).
On the public DNS, I did the same thing and configured the collab-edge SRV on my domain MRA.domain1.com.
My EU Expressways are configured with my domain.local --> expe1.domain.local. Is this a problem?

The Jabbers on mobile will be configured and pushed via AirWatch. The services domain will therefore be mra.domain1.com.

So I think I match what Ayodeji mentioned.

But my question is, how will the users authenticate on my Jabber? Because internally we use a global domain for all branches, and with the local Jabber you just need to enter your user ID to log in because the service domains are pushed through the Jabber bootstrap.

Thanks for your help.