05-23-2015 02:24 AM - edited 03-17-2019 03:06 AM
Hi Gents,
I'm implementing Expressway C and E version 8.5.2 for MRA and I have the following client setup:
- Split horizon DNS.
- 2 domains as follows, Internal: domainX.local and external: domainX.com
- All UC servers are joined to the internal domain: CUCM.domainX.local, IM&P.domainX.local, CUC.domainX.local, ...etc.
- Client has both a local certificate authority (CA) to locally sign his servers' certificates and is also registered with a public CA to sign his public servers' certificates.
- I have EXP-C and EXP-E to enable the Mobile Remote Access for Jabber clients from outside.
I'm able to put the EXP-C either on the internal domainX.local or the external domainX.com, and for sure the EXP-E in the DMZ will be on domainX.com as it will be public and accessed from the internet.
My question is, should I place the EXP-C in domainX.local (internal) or domainX.com (external) for the setup to work?
I have the following concerns in this regard:
- If I placed the EXP-C in the external domainX.com, will its communication with the internal UC servers, which are all in the internal domain, be okay? And will the certificate trust relation with all UC servers and the relation with the EXP-E be fine?
- If I placed the EXP-C in the internal domain, will the certificate trust relation with all UC servers and the relation with the EXP-E be fine?
- Is it possible to have the EXP-C certificates signed by the local CA while the EXP-E certificates are signed by the public CA? Will it be okay?
- Is the "Unified CM phone security profile names" field, as part of the data to be entered when generating the CSR on the EXP-C, mandatory? I mean, do I have to use TLS for phones through this security profile, or can I just enable the non-secure phone profile without TLS? And if I can use the non-secure phone profile, do I have to enter this field when generating the EXP-C CSR, or can I leave it blank?
If anyone has a working setup, kindly brief me about it, especially the domains and certificates parts.
05-23-2015 02:33 AM
Duplicate posts.
Go HERE.
05-23-2015 06:15 AM
Exp-C should be on the internal network, and Exp-E should ideally be deployed with dual NICs, one on the internal "transit" DMZ and the other on the "services" DMZ. Deploying the transit DMZ in the internal network would work, but that is a big potential security hole, as you want a firewall between C and E for obvious reasons. The actual domain that the servers are using (not the Jabber domain) is not that important as long as they are resolvable and the collab-edge SRV is reachable from outside.
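A quick sanity check of the split-horizon layout the reply describes, added here as an example (not code from this thread or from Cisco): it verifies that the internal resolver publishes `_cisco-uds` for direct CUCM discovery, that the external resolver publishes only `_collab-edge` pointing at an Expressway-E with a non-RFC1918 address, and flags the common mistake of copying the internal zone outside. Only the two SRV record names are real Jabber service-discovery names; the zone contents, host names and addresses are constructed for the example.

```python
import ipaddress

# Real Jabber service-discovery record prefixes; everything else below is constructed.
CISCO_UDS = "_cisco-uds._tcp."
COLLAB_EDGE = "_collab-edge._tls."
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_split_horizon(jabber_domain, internal_zone, external_zone):
    """Return a list of findings for an MRA split-horizon DNS layout.

    Each zone is a dict of record name -> list of (type, value) tuples, i.e. what
    the respective resolver answers. SRV values are (prio, weight, port, target).
    An empty list means the layout matches what Expressway MRA needs.
    """
    findings = []
    # Inside the network Jabber must find CUCM directly via _cisco-uds.
    if not any(t == "SRV" for t, _ in internal_zone.get(CISCO_UDS + jabber_domain, [])):
        findings.append("internal: missing " + CISCO_UDS + jabber_domain)
    # Outside, only _collab-edge may be published: a leaked _cisco-uds makes remote
    # clients try to reach CUCM directly instead of going through Expressway-E.
    if external_zone.get(CISCO_UDS + jabber_domain):
        findings.append("external: " + CISCO_UDS + jabber_domain + " must not be published")
    srv = [v for t, v in external_zone.get(COLLAB_EDGE + jabber_domain, []) if t == "SRV"]
    if not srv:
        findings.append("external: missing " + COLLAB_EDGE + jabber_domain)
    for _prio, _weight, port, target in srv:
        if port != 8443:
            findings.append(f"external: {target} SRV port {port}, expected 8443")
        addrs = [v for t, v in external_zone.get(target, []) if t == "A"]
        if not addrs:
            findings.append(f"external: SRV target {target} has no A record")
        for a in addrs:
            if any(ipaddress.ip_address(a) in net for net in RFC1918):
                findings.append(f"external: {target} resolves to private address {a}")
    return findings


# Constructed sample zones; "domainX.com" is the Jabber domain named in the thread.
INTERNAL_OK = {
    "_cisco-uds._tcp.domainX.com": [("SRV", (10, 10, 8443, "cucm.domainX.local"))],
    "cucm.domainX.local": [("A", "10.0.0.5")],
}
EXTERNAL_OK = {
    "_collab-edge._tls.domainX.com": [("SRV", (10, 10, 8443, "expe.domainX.com"))],
    "expe.domainX.com": [("A", "203.0.113.10")],
}
# Broken variant: internal records copied outside, so _cisco-uds leaks and the edge
# name resolves to a DMZ-private address that remote clients cannot reach.
EXTERNAL_BAD = dict(EXTERNAL_OK, **{
    "_cisco-uds._tcp.domainX.com": INTERNAL_OK["_cisco-uds._tcp.domainX.com"],
    "expe.domainX.com": [("A", "192.168.1.10")],
})
```

Run `check_split_horizon("domainX.com", INTERNAL_OK, EXTERNAL_BAD)` to see the two findings for the broken layout; feed the function what `dig` returns from an inside and an outside vantage point to check a real deployment.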