12-01-2017 01:16 AM - edited 03-17-2019 11:42 AM
Hello guys
I'm trying to build MRA with two different domains, and it's giving me hell :( I just can't log in from outside...
So, here is infrastructure:
inside domain: inside.example.com (subdomain of example.com)
outside domain: example.com
Expressway-E: two NIC, one inside, second in DMZ
Exp-E can be accessed internally using the private IP, externally using the public IP (I'm not controlling the FW, so I don't know how it is set up, but I can ping the public IP and I can access it via web).
Expressway-C has internal IP
CUCM has internal IP
IM server is not configured!!! (maybe this is the problem? I don't know... We don't need Jabber for messaging, only for video calls).
However, I tried using Jabber internally, and it works.
I have set up Exp-C with two domains (example.com and inside.example.com, both with Unified CM registration and XMPP federation on) and created a zone where it is the traversal client. Exp-E is the traversal server. And they are connected and active. Exp-C sees Exp-E as exp-e.example.com via the public IP, so I'm really not sure what the private IP on Exp-E is doing :s Maybe connecting to Exp-C, because it sees Exp-C as exp-c.inside.example.com and its private IP.
Exp-C also has Unified CM configured, and it's registered and active (registered without TLS and with the CUCM IP).
Both Exp-C and Exp-E have SIP enabled.
Exp-C under dns/domain has inside.example.com
Exp-E under dns/domain has example.com
Certificates were created with Windows Server, using the Exp-C CSR for exp-c, and using the Exp-E CSR with unified domains registration example.com (maybe this should be inside.example.com?) and format DNS for exp-e.
And this is all that's been done on the Expressway servers.
On DNS I have:
Internal zone:
exp-c A privateIP of exp-c
exp-e A privateIP of exp-e
cucm A privateIP of CUCM
external zone:
exp-e publicIP of exp-e
srv records
_cisco-uds._tcp.example.com -> resolves as cucm.internal (private IP)
_collab-edge._tls.example.com -> resolve as exp-e (public IP)
I've been using this Cisco page for setup:
I have installed Jabber using steps 1 and 2 in this guide. However, for step 3 it says I need to register internally first. This has to be avoided, because we need to have users from outside of the company using it, so they can't register internally first.
Never used that file that's created in step 3... So maybe that's the problem.
When I open Jabber after doing steps 1 and 2, I get "Cannot communicate with server"...
And this is where I stopped, cause I've tried numerous things, but I guess I just don't know how to resolve all of this :(
My guess, possible problems are:
-no IM&P server (again, not sure why this would be a problem, as Jabber registers on CUCM)
-something with the FW, although I said I can ping the public IP of exp-e and I can access it via https... But maybe 5060 is closed, or whatever port Jabber is using (I can contact the FW owners, but I'd rather be sure everything else is OK)
-certificates should be different
-DNS needs to be different
-I need additional config on exp-e and exp-c...
So, yeah, there is a wide array of possible problems. So I'd appreciate any help you can give me :)
12-01-2017 08:35 AM
OK, so after all our private messages, I found out that the SRV record '_cisco-uds.tcp.domain.com' is also published across the public DNS, and that's why you're not even communicating from the outside towards the Expressway-E. Because as long as the Cisco Jabber "sees" the above SRV record, it'll try to communicate with the FQDN that is stated in the SRV, and it will not fall back to the external SRV "_collab-edge._tls.domain.com".
So, you need to remove this SRV record ONLY from the external public DNS, and I have faith that it'll start working unless there are more issues like firewall or configurations.
12-01-2017 03:15 AM
Hi,
I never made a deployment with a sub-domain of the same domain, because I remember that I've read something about it in some configuration guide or something, but now I cannot find it, so don't take me for 100%.
Anyway, there are a few things I would like you to check / do:
<Policies>
<VoiceServicesDomain>example.com</VoiceServicesDomain>
</Policies>
And yes, the above domain should be the external one.
Best regards
Slavik.
12-01-2017 03:50 AM
Hello Slavik.
First of all, many thanks on all the information :)
1. DNS is same for external and internal. Internal zone has internal exp-e, external zone has external :)
in other words, exp-e.example.com points to public IP, exp-e.inside.example.com points to private IP. checked with nslookup.
2. I don't have a jabber-config.xml file (this is what actually confuses me). I have jabber-config-user.xml, and it is configured as you pointed out (made it while following the link I posted in the first post):
<?xml version="1.0" encoding="utf-8"?>
<config version ="1.0">
<Policies>
<VoiceServicesDomain>example.com</VoiceServicesDomain>
</Policies>
</config>
3-4. Will check the firewall... actually, will send the info to have it checked, because, as I said, I don't control it.
5. Under System > Logs > Event Log there are some red lines, but those are for unsuccessful logins for root (someone is trying to hack in). But nothing regarding Jabber registration.
6. No issues.
Issues (0)
Missing information (21)
Not Applicable (55)
OK (17)
I just don't know whether those below are issue categories or relevant info. Because one of the info lines is "Missing domain on Exp-C, causing Jabber MRA login failure"... Yeah, I'm sure the domain is there :)
12-01-2017 04:17 AM
Hi!
1) You're talking here about A records, I'm talking about PTR (reverse lookup) records in the DNS. As mentioned, you need the internal IP address of the Expressway-E to be pointed to exp-e.example.com (FQDN), which should also be routable inside the network, for Expressway-C purposes.
2) Not 100% sure, but I don't think that Expressway-C is looking for jabber-config-user.xml; you will have to use jabber-config.xml. The jabber-config-user.xml file is for you to be able to deploy this configuration file on a local computer and test your configuration before you apply it to your jabber-config.xml, which will impact all users of your system. So, take this file and put it into your CUCM TFTP as "jabber-config.xml".
5) Just a small tip. Block all incoming traffic from the internet to your Expressway-E, and leave only the relevant ports needed. Otherwise there's a full management from the internet and it is easier to hack in.
All my Expressways are not accessible from the Internet, only from the internal management LAN.
6) Well, I don't know the output as you didn't share it, but maybe the domain it is talking about is the Voice Service Domain from the jabber-config, because it couldn't fetch it (maybe).
If you have an issue to share those logging files publicly, can you please at least send it to me privately in a private message so I can take a look?
06-25-2018 04:39 PM
Which SRV record are you referring to that should be removed?
_collab-edge._tls.domain.com or _cisco-uds.tcp.domain.com ?
I have a similar problem, but my E Server hostname is internal only.
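The accepted answer above hinges on Jabber's lookup order: _cisco-uds._tcp.<domain> is tried first, and _collab-edge._tls.<domain> is only used when that record is absent, so a _cisco-uds record leaked into the public zone keeps external clients pointed at an internal CUCM name. The script below is an added example, not code from this thread or from Cisco. It reads the VoiceServicesDomain from the jabber-config.xml posted in the thread, then audits constructed public DNS views (a plain dict stands in for the resolver so it runs offline; 10.0.0.0/8 plays the LAN and 203.0.113.0/24 plays the Internet, and all hostnames and addresses are constructed). The three views cover the original poster's fault (_cisco-uds published externally), the fixed zone, and the follow-up poster's case where the Expressway-E name has no public A record. The discovery order is simplified to the two records the thread discusses.

```python
"""Split-DNS audit for Cisco Jabber MRA service discovery (added example).

Models the order the accepted answer describes: _cisco-uds._tcp first, then
_collab-edge._tls only if the first is absent. DNS is an injected dict so the
example runs offline; every hostname and address below is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# jabber-config.xml exactly as posted in the thread.
JABBER_CONFIG_XML = """<?xml version="1.0" encoding="utf-8"?>
<config version ="1.0">
<Policies>
<VoiceServicesDomain>example.com</VoiceServicesDomain>
</Policies>
</config>"""

# Constructed DNS views: name -> (target, port) for SRV, name -> IPv4 for A.
INTERNAL_DNS = {
    "_cisco-uds._tcp.example.com": ("cucm.inside.example.com", 8443),
    "_collab-edge._tls.example.com": ("exp-e.example.com", 8443),
    "cucm.inside.example.com": "10.0.0.10",
    "exp-e.example.com": "10.0.0.20",
}
# The thread's fault: _cisco-uds also published in the public zone.
EXTERNAL_DNS_BROKEN = {
    "_cisco-uds._tcp.example.com": ("cucm.inside.example.com", 8443),
    "_collab-edge._tls.example.com": ("exp-e.example.com", 8443),
    "cucm.inside.example.com": "10.0.0.10",
    "exp-e.example.com": "203.0.113.20",
}
# After the fix: only _collab-edge outside, pointing at the public address.
EXTERNAL_DNS_FIXED = {
    "_collab-edge._tls.example.com": ("exp-e.example.com", 8443),
    "exp-e.example.com": "203.0.113.20",
}
# Follow-up poster's case: Expressway-E hostname exists only in internal DNS.
EXTERNAL_DNS_NO_PUBLIC_A = {
    "_collab-edge._tls.example.com": ("exp-e.example.com", 8443),
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def voice_services_domain(xml_text):
    """Read Policies/VoiceServicesDomain from a jabber-config.xml body."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find("./Policies/VoiceServicesDomain")
    if node is None or not (node.text or "").strip():
        raise ValueError("VoiceServicesDomain missing from jabber-config.xml")
    return node.text.strip()


def discover(dns, domain):
    """Jabber's order: return (service, target, port) of the first SRV hit."""
    for service in ("_cisco-uds._tcp", "_collab-edge._tls"):
        rec = dns.get(f"{service}.{domain}")
        if rec:
            return (service, rec[0], rec[1])
    return None


def is_rfc1918(ip):
    """True for private LAN space only (TEST-NET ranges count as public here)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_external_view(dns, domain):
    """Findings an external Jabber client would trip over in this DNS view."""
    findings = []
    if f"_cisco-uds._tcp.{domain}" in dns:
        findings.append("_cisco-uds._tcp is published in public DNS: Jabber will "
                        "use it and never fall back to _collab-edge._tls")
    chosen = discover(dns, domain)
    if chosen is None:
        findings.append("no _cisco-uds or _collab-edge SRV record: discovery fails")
        return findings
    _, target, _ = chosen
    ip = dns.get(target)
    if ip is None:
        findings.append(f"{target} has no A record in public DNS")
    elif is_rfc1918(ip):
        findings.append(f"{target} resolves to private address {ip}, "
                        "unreachable from the Internet")
    return findings


def main():
    domain = voice_services_domain(JABBER_CONFIG_XML)
    views = (("broken", EXTERNAL_DNS_BROKEN), ("fixed", EXTERNAL_DNS_FIXED),
             ("no public A", EXTERNAL_DNS_NO_PUBLIC_A))
    for label, view in views:
        print(f"[{label}] discovery -> {discover(view, domain)}")
        for finding in audit_external_view(view, domain):
            print(f"  FINDING: {finding}")
    print(f"[internal] discovery -> {discover(INTERNAL_DNS, domain)}")


if __name__ == "__main__":
    main()
```

To run the same audit against a live zone, replace the dict with a resolver that returns the public view of the domain from outside the corporate network; the logic itself does not change. The private-range check deliberately uses RFC 1918 prefixes rather than `ipaddress.is_private`, because the latter also treats the documentation prefixes used here as private.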