
Expressway Mobile Remote Access (MRA) setup query

Hi Gents,

I'm implementing Expressway C and E version 8.5.2 for MRA and I have the following client setup:

- Split horizon DNS.

- 2 domains as follows, Internal: domainX.local and external: domainX.com

- All UC servers are joined to the internal domain: CUCM.domainX.local, IM&P.domainX.local, CUC.domainX.local, etc.

- The client has both a local certificate authority (CA) to locally sign his servers' certificates and is also registered with a public CA to sign his public servers' certificates.

- I have EXP-C and EXP-E to enable the Mobile Remote Access for Jabber clients from outside.

I'm able to put the EXP-C on either the internal domainX.local or the external domainX.com, and for sure the EXP-E in the DMZ will be on domainX.com, as it will be public and will be accessed from the internet.

 

My question is: should I place the EXP-C in domainX.local (internal) or domainX.com (external) for the setup to work?

I have the following concerns in this regard:

- If I placed the EXP-C in the external domainX.com, will its communication with the internal UC servers, which are all in the internal domain, be okay? And will the certificate trust relationship with all UC servers and the relationship with the EXP-E be fine?

- If I placed the EXP-C in the internal domain, will the certificate trust relationship with all UC servers and the relationship with the EXP-E be fine?

- Is it possible to have the EXP-C certificates signed by the local CA while the EXP-E certificates are signed by a public CA? Will it be okay?

- Is the "Unified CM phone security profile names" field, which is part of the data to be entered when generating the CSR in the EXP-C, mandatory? I mean, do I have to use TLS for phones through this security profile, or can I just enable the non-secure phone profile without TLS? And if I can use the non-secure phone profile, do I have to enter this field when generating the EXP-C CSR, or can I leave it blank?

If anyone has a working setup, kindly brief me about it, especially the domains and certificates parts.

2 Replies

Leo Laohoo
Hall of Fame

Duplicate posts.  


Go HERE.

Chris Deren
Hall of Fame

Exp-C should be on the internal network, and Exp-E should ideally be deployed with dual NICs, one on the internal "transit" DMZ and the other on the "services" DMZ. Deploying the transit DMZ in the internal network would work, but that is a big potential security hole, as you want a firewall between C and E for obvious reasons. The actual domain that the servers are using (not the Jabber domain) is not that important as long as they are resolvable and the collab-edge SRV is reachable from outside.