Rising star

Cisco Expressway C & E Solution Questions

Dear Support,

I am working with customer to deploy Cisco Collaboration Edge Solution. I have attached a solution diagram with the case. The solution includes:

 

1. Cluster of CUCM Servers
2. Cluster of IM & Presence Servers
3. Cluster of Expressway C Servers
4. Cluster of Expressway E Servers

 

As you see in the diagram the servers are configured with internal domain  "net.lab.com". The public domain is "lab.com" which is routable on the internet.

 

Following are the questions about the solution:


1. Do we need to create separate clusters for Expressway C & E?
2. Do we need to create separate cluster names for Expressway for C & E?
3. What DNS SRV records are required for Expressway C on internal and external DNS server?
4. What DNS SRV records are required for Expressway E on internal and external DNS server?
5. What DNS SRV records are required for Jabber Users on internal and external DNS server?
6. Can we use "lab.com" as our SIP domain? Is it required for in this solution?
7. Is it required to configure Expressway E with public domain name "lab.com"?

 

Please feel free to provide additional information.

 

Thanks,
Vaijanath

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.
Advocate

1. You do not need separate clusters for Expressway C&E for the "domain" setup you have. You only need it for HA.

2. The cluster name will be the same on both Expressway Cs and Expressway Es. The DNS host names will be obviously different.

3. Expressway C requires only A records on the internal DNS server.

4. Expressway E requires A records on the internal and external DNS server and _collab-edge._tls.domain.com SRV record on the external DNS server.

5. See 4.

6. Yes, it's possible. On the IM/P, you can choose what domain you want.

7. Yes, Expressway E needs to be configured with the lab.com domain since it will be external.

Please read the admin and install/configure guides on www.cisco.com to understand more. There is a lot more to the deployment process, which is difficult to outline on the forum.

Please rate useful posts.
Rising star

Hi George,

Thank you very much for your prompt response. Following is my understanding from your response:

1. We can have a single cluster which includes C's and E's in same cluster. In my case it is a cluster of:

expwyc1.net.lab.com
expwyc2.net.lab.com
expwye1.lab.com
expwye2.lab.com

2. For example, the cluster name is "expwy.lab.com". This cluster name can be configured on the C's and E's. The DNS hostnames will be:

expwyc1.net.lab.com
expwyc2.net.lab.com
expwye1.lab.com
expwye2.lab.com

3. DNS A records for the C's, which map hostname to IP address, on the internal DNS server.

expwyc1.net.lab.com   <---> 10.1.1.21
expwyc2.net.lab.com   <---> 10.1.1.22

4. DNS A records for the E's, which map hostname to IP address, on the internal and external DNS servers.

expwye1.lab.com   <---> 78.10.1.21
expwye2.lab.com   <---> 78.10.1.22

DNS SRV records for E's on External DNS server.
_collab-edge._tls.lab.com. SRV 10 10 8443 expwye1.lab.com.
_collab-edge._tls.lab.com. SRV 10 10 8443 expwye2.lab.com.

5. DNS SRV records for Jabber on Internal DNS server:

_cisco-uds._tcp.lab.com. SRV 10 10 8443 cucmpub.net.lab.com
_cisco-uds._tcp.lab.com. SRV 10 10 8443 cucmsub1.net.lab.com
_cuplogin._tcp.lab.com. SRV 10 10 8443 imps1.net.lab.com
_cuplogin._tcp.lab.com. SRV 10 10 8443 imps2.net.lab.com

 

6. NA
7. Is it possible to configure Expressway E in the "net.lab.com" domain with IP NATting?

 

Thanks.

Vaijanath

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.
Rising star

Hi George,

 

Do you have any updates on my above response?

 

Thanks,

VJ

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.
Advocate

You potentially could but then your public DNS server should have the zone net.lab.com configured so that you can create appropriate A records and SRV records to point to the net.lab.com A records.

Please rate useful posts.
Beginner

Re: Hi George, Do you have any

In my case it's a little bit different.
There is no internet here, but we want to use Expressway E and C clustered.

 

So can we use the same internal DNS server as both the external and internal DNS server?
Or do I need to create another DNS server in the DMZ zone dedicated for Expressway?

VIP Mentor

Re: Hi George, Do you have any

You can't use the same DNS server. This is because Jabber will only use MRA, i.e. go over Expressway E and C, if it can't resolve the internal UDS SRV record. If you have the same DNS and have both the collab-edge and UDS SRV records, Jabber will always use the UDS record.

By the way if there is no internet why are you trying to use expressway solution?

Please rate all useful posts
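As an added example that is not part of this thread and not Cisco's own code, the following Python model ties together the record sets from George's reply and Vaijanath's follow-up with the split-horizon point in the reply above. It parses SRV lines in the zone-file syntax used in the thread, loads them into an internal and an external view (constructed from the thread's host names; the dictionaries stand in for real resolvers), and applies the discovery order the reply describes: UDS first, collab-edge only when UDS does not resolve. Merging both views into one resolver shows why "the same DNS server" never reaches Expressway-E. The _cuplogin._tcp step between UDS and collab-edge, and the preference for higher weight within one priority, are assumptions based on the Jabber planning guide, not statements from this thread. The parser also shows the zone-file pitfall of a target written without a trailing dot, which a BIND-style server treats as relative to the zone origin.

```python
"""Model of Jabber service discovery over split-horizon DNS.

Added example, not from this thread or from Cisco. The record sets are
constructed from the names used in the thread (lab.com / net.lab.com);
the two dictionaries stand in for an internal and an external resolver.
"""
from dataclasses import dataclass

# Discovery order: on-premises records first, collab-edge (MRA) last.
# The _cuplogin step between UDS and collab-edge is an assumption from the
# Jabber planning guide; the thread itself only discusses UDS vs collab-edge.
DISCOVERY_ORDER = (
    ("on-premises", "_cisco-uds._tcp."),
    ("on-premises", "_cuplogin._tcp."),
    ("mra", "_collab-edge._tls."),
)


@dataclass(frozen=True)
class SRV:
    name: str       # owner name, absolute, e.g. "_cisco-uds._tcp.lab.com."
    priority: int
    weight: int
    port: int
    target: str     # target host, absolute (trailing dot)


def parse_srv(line: str, origin: str = "lab.com.") -> SRV:
    """Parse '<owner> SRV <prio> <weight> <port> <target>' (zone-file style).

    As in BIND, a name without a trailing dot is relative to the zone
    origin, so a target written 'host.net.lab.com' in zone lab.com.
    becomes 'host.net.lab.com.lab.com.' and the lookup silently fails.
    """
    fields = line.split()
    if len(fields) != 6 or fields[1].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    owner, _, prio, weight, port, target = fields

    def absolute(n: str) -> str:
        return n.lower() if n.endswith(".") else f"{n}.{origin}".lower()

    return SRV(absolute(owner), int(prio), int(weight), int(port), absolute(target))


def load_view(zone_text: str, origin: str = "lab.com.") -> dict:
    """Build a resolver view: owner name -> list of SRV records."""
    view: dict = {}
    for line in zone_text.splitlines():
        if line.strip():
            rr = parse_srv(line, origin)
            view.setdefault(rr.name, []).append(rr)
    return view


def merged(*views: dict) -> dict:
    """One resolver answering for both zones (what 'same DNS server' means)."""
    out: dict = {}
    for v in views:
        for name, rrs in v.items():
            out.setdefault(name, []).extend(rrs)
    return out


def discover(view: dict, domain: str):
    """Return (mode, record) for the first discovery name that resolves.

    Lowest priority wins; among equal priorities the higher weight is
    preferred (real clients pick weighted-randomly; this is deterministic).
    """
    for mode, prefix in DISCOVERY_ORDER:
        rrs = view.get(f"{prefix}{domain}.")
        if rrs:
            best = sorted(rrs, key=lambda r: (r.priority, -r.weight))[0]
            return mode, best
    return "none", None


# Constructed zone fragments using the thread's host names.
INTERNAL_ZONE = """
_cisco-uds._tcp.lab.com. SRV 10 10 8443 cucmpub.net.lab.com.
_cisco-uds._tcp.lab.com. SRV 20 10 8443 cucmsub1.net.lab.com.
_cuplogin._tcp.lab.com.  SRV 10 10 8443 imps1.net.lab.com.
"""
EXTERNAL_ZONE = """
_collab-edge._tls.lab.com. SRV 10 10 8443 expwye1.lab.com.
_collab-edge._tls.lab.com. SRV 10 10 8443 expwye2.lab.com.
"""

if __name__ == "__main__":
    internal, external = load_view(INTERNAL_ZONE), load_view(EXTERNAL_ZONE)
    print("inside :", discover(internal, "lab.com"))    # on-premises via cucmpub
    print("outside:", discover(external, "lab.com"))    # mra via expwye1
    # A single resolver serving both zones: UDS resolves, so the client
    # never falls through to collab-edge and Expressway-E sits unused.
    print("merged :", discover(merged(internal, external), "lab.com"))
    # Relative-name pitfall: the target gains the origin suffix.
    print(parse_srv("_collab-edge._tls SRV 10 10 8443 expwye1.lab.com"))
```

Running it prints the on-premises answer for the internal view, the MRA answer for the external view, and the on-premises answer again for the merged view, which is the behaviour the reply above describes. The last line shows that the relative target resolves to expwye1.lab.com.lab.com., so a check for trailing dots is worth adding to any script that generates these records.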
Beginner

Re: Hi George, Do you have any

Thank you for your reply. Actually, all the users are connected to this data center from the internet using VPN. From this data center all internet activities will be blocked. There are a perimeter firewall and an internal firewall. There is a DMZ in the perimeter firewall. The users will access the resources through this DMZ. There is IMP deployed. Only Jabber calls are allowed here. No hard phones allowed. So our security engineer suggested placing Expressway Edge in the DMZ, so Jabber users can use this Expressway E to reach IMP using VPN. We can't publish anything on the internet. That's the client requirement. I don't know if it's a recommended solution, but it seems doable. It should work as if accessing from the internet.
Cisco Employee

Re: Hi George, Do you have any

If you already have VPN then why the need for MRA? MRA is aimed at a VPN-less solution for remote workers/Jabber clients. There is no requirement for having a VPN to connect to Expressway-E.
When you say nothing gets published to the internet, what do you mean by that? For the remote Jabber users to connect via E&C, Jabber would need to resolve the Edge public address via public DNS.

Nipun Singh Raghav
"We cannot solve our problems with the same thinking we used when we created them"
Beginner

Re: Hi George, Do you have any

I agree with what you said. "When you say nothing gets published to the internet": no DNS record will be published on the internet. That's what I mean.

I know MRA is for a VPN-less solution. No users will be internal. All users will be connected from the internet through VPN. After they get connected, all of these will reach the data center or get resources through the DMZ. Since there is already a DMZ, our security engineer suggested using Expressway Edge at the DMZ. I informed him of my concern that it's used for VPN-less technology. He was asking why we can't consider it like the same situation as if connected from the internet. It's almost the same; it's like recreating an internet kind of situation inside the VPN network.
I don't know whether it will work like that or not. If we place a DNS server in the DMZ zone, we can recreate the same situation, right?

This environment is a secured data center. That's why the setup is like this.
Cisco Employee

Re: Hi George, Do you have any

Ok, so you are confusing two things here. Like I posted already, if your users are going to use VPN for access, why is your security team pushing for Expressway-E? And most important of all, you are not going to publish your edge SRV record on the public DNS, so how do you plan for the remote Jabber clients to discover the Expressway-E in the first place, let alone connect through it?

 

You can have the DNS in DMZ but I am not sure if that is a valid/supported deployment.

 

 

Nipun Singh Raghav
"We cannot solve our problems with the same thinking we used when we created them"
Beginner

Re: Hi George, Do you have any

Actually we only need NAT traversal, that's all, and we don't want traffic to reach the DC directly, for security reasons.
Cisco Employee

Re: Hi George, Do you have any

NAT traversal can be done by Edge, but is that all you are deploying it for? I mean, like you said, the users will connect through VPN and you won't publish DNS entries on the internet? I would suggest you contact a UC-specialised Cisco Partner in your area, sit down with them and understand what the product is for and whether it would be right for you or not, depending upon the restrictions that you have in place, and alternatives for the same.

Nipun Singh Raghav
"We cannot solve our problems with the same thinking we used when we created them"
Beginner

Re: Hi George, Do you have any

Hmm, I'm also a little bit confused, as Expressway is not meant to be used inside a VPN setup.

May I know how we can pass the Jabber client through the DMZ without Expressway then? Just NATing and allowing ports? We have a two-firewall situation.
VIP Mentor

Re: Hi George, Do you have any

Take a look at the Jabber firewall ports and have them opened within your firewall. Then just configure the Jabber SRV record for _cisco-uds._tcp.<yourdomain.com> to point to the CUCM UDS servers.

 

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/11_0/CJAB_BK_C04C09E7_00_cisco-jabber-110-planning-guide/CJAB_BK_C04C09E7_00_cisco-jabber-110-planning-guide_chapter_010.html#CJAB_RF_P3A082A9_00

 

Please rate all useful posts