Cisco Jabber integration with AirWatch

networkexpert
Level 1

Dear Team,

We are using the Jabber client through Expressway Edge. Everything is working fine for Jabber users accessing internally and externally.

The security team refused to expose Expressway Edge to the Internet, and instead we have to use AirWatch to connect users from external.

My question is: is it applicable to integrate Cisco Jabber with AirWatch so users can use Jabber outside the corporate network using AirWatch?

Are Expressway Edge and Core still in use in that case?

Does anyone have experience with the same?

5 Replies

Mike_Brezicky
Cisco Employee
If not using the Expressway, I believe AirWatch utilizes its own VPN tunnel, so as long as all ports from the AirWatch edge to CUCM are functional, it should work. You would want to make sure all DNS records for the internal CUCM, UDS, etc. are reachable.

I will be implementing this as well in the next weeks so I will post how it goes.

Thanks Mike.
So I can see that using Expressway is effective:
instead of allowing all services and ports through AirWatch, I am allowing only one public IP, which is the Expressway Edge, and it works as a proxy to forward all requests internally.
What is the business case or requirement to not utilize the Expressway as designed by Cisco?

If you are using per-app VPN through your MDM there is no need to deploy MRA. The app will perceive it is on the internal network (e.g. service discovery will resolve _cisco-uds).

In my opinion, this is a bad design for at least a couple of reasons:
1. It forces the MDM head-end infrastructure to proxy your voice and video traffic. At even modest scale the packets per second and aggregate bandwidth required by your MDM server for call traffic is going to be wildly above email or nearly any other app I can think of. Since the Internet lacks QoS you'll have to scale for the highest possible bandwidth, likely overbuilding your MDM solution substantially. That assumes it even supports/has tested delay-sensitive VoIP apps.
2. How are you going to troubleshoot issues, both internally and with Cisco TAC? By adding the VPN, especially a non-Cisco vendor, you are giving TAC a get-out-of-jail-free card: they can point at the MDM as a potential cause and tell you to reproduce any issue without it before they will assist.

The approach I recommend to gung-ho MDM clients is to solve the security concerns with certificate-based SAML SSO. Use the MDM to distribute client certificates and configure the IdP to only accept said certificate for user authentication (i.e. no username and password). That way only MDM-managed devices can successfully authenticate and the Jabber client can leverage the normal Expressway-MRA feature when remote. This also helps prevent users from running Jabber on guest Wi-Fi while at the office since the client certificate can be used for EAP-TLS.
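As an added illustration of the service-discovery point in the reply above (this is example code written for this page, not code from the thread, Cisco or AirWatch): Jabber decides whether it is on-premises or remote by which SRV records it can resolve, so a per-app VPN that routes DNS internally makes `_cisco-uds._tcp` resolvable and the client never looks for `_collab-edge._tls`. The zone contents, the `example.com` domain and the hostnames are constructed sample data; the resolver is an in-memory lookup table rather than a real DNS query so the script runs offline.

```python
"""Emulate Jabber-style SRV service discovery (added example, not Cisco code).

Jabber queries, in order, _cisco-uds._tcp (CUCM UDS) and _cuplogin._tcp (IM&P)
for on-premises operation, and _collab-edge._tls (Expressway-E) for Mobile and
Remote Access. The first record that resolves determines the mode.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# SRV records tried, in order. A hit on either on-prem name means the client
# registers directly to CUCM; _collab-edge._tls means it goes through MRA.
ON_PREM_SRV = ("_cisco-uds._tcp", "_cuplogin._tcp")
MRA_SRV = "_collab-edge._tls"

# An SRV answer is (priority, weight, port, target).
SrvAnswer = Tuple[int, int, int, str]
Resolver = Callable[[str], List[SrvAnswer]]


@dataclass
class DiscoveryResult:
    mode: str              # "on-prem", "mra" or "none"
    record: Optional[str]  # the SRV name that resolved, if any
    targets: List[str]     # "host:port" in SRV preference order


def _order(answers: List[SrvAnswer]) -> List[str]:
    """Lowest priority first, then highest weight, as an SRV client would."""
    return [f"{t}:{p}" for _, _, p, t in sorted(answers, key=lambda a: (a[0], -a[1]))]


def discover(domain: str, resolve: Resolver) -> DiscoveryResult:
    """Return the mode Jabber would settle on for `domain` with this resolver."""
    for prefix in ON_PREM_SRV:
        name = f"{prefix}.{domain}"
        answers = resolve(name)
        if answers:
            return DiscoveryResult("on-prem", name, _order(answers))
    name = f"{MRA_SRV}.{domain}"
    answers = resolve(name)
    if answers:
        return DiscoveryResult("mra", name, _order(answers))
    return DiscoveryResult("none", None, [])


def make_resolver(zone: Dict[str, List[SrvAnswer]]) -> Resolver:
    """Resolver over a constructed zone; returns copies so callers cannot mutate it."""
    return lambda name: list(zone.get(name, []))


# Constructed sample zones (hostnames and domain are assumptions).
# Internal DNS, which a per-app VPN client sees: only the UDS record exists.
INTERNAL_ZONE: Dict[str, List[SrvAnswer]] = {
    "_cisco-uds._tcp.example.com": [
        (10, 5, 8443, "cucm1.example.com"),
        (10, 10, 8443, "cucm2.example.com"),
    ],
}
# Public DNS, which an MRA client sees: only the Expressway-E record exists.
PUBLIC_ZONE: Dict[str, List[SrvAnswer]] = {
    "_collab-edge._tls.example.com": [(10, 10, 8443, "expe.example.com")],
}


def where_am_i(domain: str, on_vpn: bool) -> DiscoveryResult:
    """Per-app VPN routes DNS internally, so the client sees the internal zone."""
    zone = INTERNAL_ZONE if on_vpn else PUBLIC_ZONE
    return discover(domain, make_resolver(zone))


if __name__ == "__main__":
    for vpn in (True, False):
        r = where_am_i("example.com", vpn)
        print(f"per-app VPN={vpn}: mode={r.mode} via {r.record} -> {r.targets}")
```

With the VPN up the client lands on `_cisco-uds._tcp` and registers straight to CUCM, which is why the reply says MRA is unnecessary in that design; without it only `_collab-edge._tls` resolves and the client needs Expressway-E. Swap `make_resolver` for a real SRV lookup to check what your own split-horizon DNS actually hands out.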

Thanks Jonathan.
"This also helps prevent users from running Jabber on guest Wi-Fi while at the office since the client certificate can be used for EAP-TLS."
I didn't understand this; can you please explain?

Hi Mike,

I know this is an old post. As luck would have it, I am in a similar situation, attempting to integrate AirWatch with Jabber. I am having a difficult time getting this to work. Curious if you perhaps may have configured this already and can share some knowledge.
