MRA configuration with different domain name

Marko Rodic
Level 1

Hello guys

I'm trying to build MRA with two different domains, and it's giving me hell :( I just can't log in from outside...

So, here is the infrastructure:

inside domain: inside.example.com (subdomain of example.com)

outside domain: example.com

Expressway-E: two NICs, one inside, the second in the DMZ.

Exp-E can be accessed internally using the private IP and externally using the public IP (I'm not controlling the FW, so I don't know how it is set up, but I can ping the public IP and I can access it via the web).

Expressway-C has an internal IP.

CUCM has an internal IP.

IM server is not configured!!! (Maybe this is the problem? I don't know... We don't need Jabber for messaging, only for video calls.)

However, I tried using Jabber internally, and it works.

I have set up Exp-C with two domains (example.com and inside.example.com, both with Unified CM registration and XMPP federation on) and created a zone where it is the traversal client. Exp-E is the traversal server, and they are connected and active. Exp-C sees Exp-E as exp-e.example.com via the public IP, so I'm really not sure what the private IP on Exp-E is doing :s Maybe connecting to Exp-C, because it sees Exp-C as exp-c.inside.example.com with its private IP.

Exp-C also has Unified CM configured, and it is registered and active (registered without TLS and with the CUCM IP).

Both Exp-C and Exp-E have SIP enabled.

Exp-C under DNS/domain has inside.example.com

Exp-E under DNS/domain has example.com

Certificates were created with Windows Server, using the Exp-C CSR for exp-c, and using the Exp-E CSR with Unified CM registrations domain example.com (maybe this should be inside.example.com?) and format DNS for exp-e.

And this is all that's been done on the Expressway servers.

 

On DNS I have:

Internal zone:

exp-c  A  private IP of exp-c
exp-e  A  private IP of exp-e
cucm   A  private IP of CUCM

External zone:

exp-e     public IP of exp-e

SRV records:

_cisco-uds._tcp.example.com   -> resolves to cucm.internal (private IP)
_collab-edge._tls.example.com -> resolves to exp-e (public IP)

 

I've been using this Cisco page for the setup:

https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway-series/117811-configure-vcs-00.html

I have installed Jabber using steps 1 and 2 in this guide. However, step 3 says I need to register internally first. This has to be avoided, because we need to have users from outside the company using it, so they can't register internally first.

I never used that file that's created in step 3... So maybe that's the problem.

When I open Jabber after doing steps 1 and 2, I get "Cannot communicate with server"...

And this is where I stopped, because I've tried numerous things, but I guess I just don't know how to resolve all of this :(

My guess is that the possible problems are:
- no IM&P server (again, not sure why this would be a problem, as Jabber registers on CUCM)
- something with the FW, although I said I can ping the public IP of exp-e and I can access it via HTTPS... But maybe 5060 is closed, or whatever port Jabber is using (I can contact the FW owners, but I'd rather be sure everything else is OK)
- certificates should be different
- DNS needs to be different
- I need additional config on exp-e and exp-c...

So, yeah, there is a wide array of possible problems. So I'd appreciate any help you can give me :)

1 Accepted Solution

Slavik Bialik
Level 7

OK, so after all our private messages, I found out that the SRV record '_cisco-uds._tcp.domain.com' is also published in the public DNS, and that's why you're not even communicating from the outside towards the Expressway-E. As long as Cisco Jabber "sees" the above SRV record, it'll try to communicate with the FQDN that is stated in the SRV, and it will not fall back to the external SRV "_collab-edge._tls.domain.com".

So, you need to remove this SRV record ONLY from the external public DNS, and I have faith that it'll start working unless there are more issues like firewall or configuration.

5 Replies

Slavik Bialik
Level 7

Hi,

I never made a deployment with a sub-domain of the same domain, because I remember that I've read something about it in some configuration guide or something, but now I cannot find it, so don't take me as 100%.

Anyway, there are a few things I would like you to check / do:

  1. Check in your internal DNS that you have a PTR for the internal NIC IP address of Expressway-E. If you don't have it, that is the main reason why it doesn't work. BTW, this PTR should point to the external FQDN, otherwise it won't be able to verify the certificates, as the Expressway-E is signed with "example.com" and not "inside.example.com" (I hope).
  2. In your jabber-config.xml file you must have the "VoiceServicesDomain" setting. Like this:
    <Policies>
      <VoiceServicesDomain>example.com</VoiceServicesDomain>
    </Policies>
    And yes, the above domain should be the external one.

  3. While you're trying to log in, check the firewall. See whether there is traffic that is getting blocked.
  4. Verify on the firewall that no SIP TLS (TCP/5061) inspection is on. If you have inspection on your TCP/5061 object in the firewall, it can definitely cause an issue with logging in (from experience), so if you have a Checkpoint firewall or something like that, I would definitely check it out.
  5. After you try to log in, go into your Expressway-C and Expressway-E and go to: Status -> Logs -> Event Log, and see if you have any errors. When there are errors, they're colored red, so they're hard to miss. If you see errors, please share them with us.
  6. Also, you can enable diagnostic logging on your Expressways and then use a Cisco tool to validate the output; it's a very handy tool for these cases. Just go to both Expressways, to: Maintenance -> Diagnostics -> Diagnostic logging, press Start new log on both of them, and try to log in. After you get the error in your Cisco Jabber, go back to the above page and press Stop logging, and gather the zipped files. Then go to this tool:
    https://cway.cisco.com/tools/CollaborationSolutionsAnalyzer/
    Go to Log Analysis and upload both files from both Expressways at once. It will analyze the logs and output all the relevant information, and if it sees some errors, it'll print them under the relevant section. Please also share the information with us so we can take a look.

Best regards

  Slavik.
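Two of the points in this thread are pure DNS-view problems and can be reasoned about offline: checklist item 1 above (the PTR for Expressway-E's internal NIC must give the FQDN on its certificate, i.e. the external one), and the accepted solution (a "_cisco-uds._tcp" SRV record visible from the public DNS makes Jabber commit to the on-premises path and never fall back to "_collab-edge._tls"). The Python below is an added example and is not code from the thread or from Cisco. It models the internal and external DNS views with constructed records (all names and addresses are placeholders; the 10.0.0.0/8 and 203.0.113.0/24 ranges are assumed), and it implements a simplified version of Jabber's service discovery order as the accepted solution describes it (assumption: a resolvable "_cisco-uds" record wins and there is no fallback to "_collab-edge"). The "fixed=False" views reproduce the thread's starting point; "fixed=True" applies both recommendations.

```python
"""Offline model of the two DNS checks from this thread.

Added example, not code from the thread or from Cisco.  All names and
addresses are constructed placeholders, and the discovery logic is a
simplified assumption about Cisco Jabber's behaviour: a resolvable
_cisco-uds._tcp SRV record is used first and there is no fallback to
_collab-edge._tls, as the accepted solution describes.
"""
from dataclasses import dataclass, field
import ipaddress

PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


@dataclass
class DnsView:
    """One split-horizon view (internal or external), as flat record maps."""
    name: str
    a: dict = field(default_factory=dict)    # fqdn -> IPv4 address
    ptr: dict = field(default_factory=dict)  # IPv4 address -> fqdn
    srv: dict = field(default_factory=dict)  # "_svc._proto.domain" -> target fqdn

    def reachable(self, fqdn):
        """Constructed reachability rule: the external view cannot reach
        addresses inside PRIVATE_NET; the internal view reaches anything
        it can resolve."""
        ip = self.a.get(fqdn)
        if ip is None:
            return False
        if self.name == "external" and ipaddress.ip_address(ip) in PRIVATE_NET:
            return False
        return True


def jabber_discover(view, domain):
    """Simplified Jabber service discovery from a given DNS view.

    Returns ("uds", target) for an on-premises login, ("mra", target) for
    a login through Expressway-E, or ("fail", reason)."""
    uds = view.srv.get(f"_cisco-uds._tcp.{domain}")
    if uds is not None:
        # The client commits to the UDS path here; it does not try
        # _collab-edge when the UDS target turns out to be unreachable.
        if view.reachable(uds):
            return ("uds", uds)
        return ("fail", f"_cisco-uds points at {uds}, unreachable from {view.name}; "
                        "no fallback to _collab-edge")
    edge = view.srv.get(f"_collab-edge._tls.{domain}")
    if edge is not None and view.reachable(edge):
        return ("mra", edge)
    return ("fail", f"no usable _cisco-uds or _collab-edge SRV in {view.name}")


def check_expressway_e_ptr(view, private_ip, external_fqdn):
    """Checklist item 1: the PTR for Expressway-E's internal NIC must give
    the FQDN on its certificate (the external one), and that FQDN must
    resolve back to the same address in this view."""
    name = view.ptr.get(private_ip)
    if name is None:
        return (False, f"no PTR record for {private_ip}")
    if name != external_fqdn:
        return (False, f"PTR {private_ip} -> {name}, expected {external_fqdn}")
    if view.a.get(name) != private_ip:
        return (False, f"{name} does not resolve to {private_ip} in {view.name}")
    return (True, f"{private_ip} <-> {name}")


def build_views(fixed):
    """Construct both DNS views.  fixed=False reproduces the thread's
    starting point (PTR to the internal name, _cisco-uds leaked into
    public DNS); fixed=True applies the two recommendations."""
    internal = DnsView("internal")
    internal.a["exp-c.inside.example.com"] = "10.0.0.2"
    internal.a["cucm.inside.example.com"] = "10.0.0.10"
    internal.srv["_cisco-uds._tcp.example.com"] = "cucm.inside.example.com"

    external = DnsView("external")
    external.a["exp-e.example.com"] = "203.0.113.5"
    external.srv["_collab-edge._tls.example.com"] = "exp-e.example.com"

    if fixed:
        # Internal NIC of Expressway-E answers to its certificate name.
        internal.a["exp-e.example.com"] = "10.0.0.3"
        internal.ptr["10.0.0.3"] = "exp-e.example.com"
    else:
        internal.a["exp-e.example.com"] = "203.0.113.5"
        internal.a["exp-e.inside.example.com"] = "10.0.0.3"
        internal.ptr["10.0.0.3"] = "exp-e.inside.example.com"
        # The misconfiguration: an internal-only service published publicly.
        external.a["cucm.inside.example.com"] = "10.0.0.10"
        external.srv["_cisco-uds._tcp.example.com"] = "cucm.inside.example.com"
    return internal, external


if __name__ == "__main__":
    for fixed in (False, True):
        internal, external = build_views(fixed)
        print(f"fixed={fixed}")
        print("  PTR:    ", check_expressway_e_ptr(internal, "10.0.0.3", "exp-e.example.com"))
        print("  inside: ", jabber_discover(internal, "example.com"))
        print("  outside:", jabber_discover(external, "example.com"))
```

Against live DNS the same two checks are a reverse lookup of Expressway-E's internal address from inside, and SRV lookups for "_cisco-uds._tcp.<domain>" and "_collab-edge._tls.<domain>" from a resolver outside the network; the external view must answer only the second.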

Hello Slavik.

First of all, many thanks for all the information :)

1. DNS is the same for external and internal. The internal zone has the internal exp-e, the external zone has the external :)

In other words, exp-e.example.com points to the public IP, exp-e.inside.example.com points to the private IP. Checked with nslookup.

2. I don't have a jabber-config.xml file (this is what actually confuses me). I have jabber-config-user.xml, and it is configured as you pointed out (made it while following the link I posted in the first post).

<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Policies>
    <VoiceServicesDomain>example.com</VoiceServicesDomain>
  </Policies>
</config>

3-4. Will check the firewall... actually, will send the info to have it checked, because, as I said, I don't control it.

5. Under System -> Logs -> Event Log, there are some red lines, but those are for unsuccessful logins as root (someone is trying to hack in), nothing regarding Jabber registration.

6. No issues.

Issues (0)

Missing information (21)

Not Applicable (55)

OK (17)

I just don't know whether the items below those are issue categories or relevant info. Because one of the info items is "Missing domain on Exp-C, causing Jabber MRA login failure"... Yeah, I'm sure the domain is there :)

Hi!

1) You're talking here about A records; I'm talking about PTR (reverse lookup) records in the DNS. As mentioned, you need the internal IP address of the Expressway-E to be pointed to exp-e.example.com (FQDN), which should also be routable inside the network, for Expressway-C purposes.

2) Not 100% sure, but I don't think that Expressway-C is looking for jabber-config-user.xml; you will have to use jabber-config.xml. The jabber-config-user.xml file is for you to be able to deploy this configuration file on a local computer and test your configuration before you apply it to your jabber-config.xml, which will impact all users of your system. So, take this file and put it into your CUCM TFTP as "jabber-config.xml".

5) Just a small tip. Block all incoming traffic from the Internet to your Expressway-E, and leave only the relevant ports needed. Otherwise there's full management access from the Internet and it is easier to hack in.

All my Expressways are not accessible from the Internet, only from the internal management LAN.

6) Well, I don't know the output as you didn't share it, but maybe the domain it is talking about is the Voice Services Domain from the jabber-config, because it couldn't fetch it (maybe).

If you have an issue with sharing those logging files publicly, can you please at least send them to me privately in a private message so I can take a look?


Which SRV record to remove are you referring to?

_collab-edge._tls.domain.com or _cisco-uds._tcp.domain.com?

I have a similar problem, but my E server hostname is internal only.