cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Walkthrough Wednesdays
2172
Views
10
Helpful
7
Replies
License
Beginner

Cisco Expressway MRA Deployment-Single Firewall

Hello Experts,

Warm Greetings.

Now we are planning to deploy Cisco Expressway for MRA. We have two BE6K servers in two different geographiclly distributed datacenters (in the same country). Currently we delployed CUCM with Clustering Over WAN. Becasue of the Resources availability (and the company doesn't want pay more!!) I am forced to install Expressway-C and Expressway-E on the remote site UCS (in the branch DC) on which CUCM subscriber and the only IM and presence server is installed. My **bleep** Pubisher is in the HQ DC. Active Directory and the Internal DNS servers also at the HQ Datacenter.  Both sites are linked with MPLS VPN service. No firewall between two sites. We have only one firewall in each site.

 

I have attched my plan to install and delpy the Expressway Servers. Please suggest me the concerns and required changes.

 

Thanks a Lot

Abdul

2 ACCEPTED SOLUTIONS

Accepted Solutions
Alok Jaiswal
Enthusiast

Hi, 

 

I guess from the design point of view it looks ok to me. Just to confirm as per your attached network diagram both the sides actually has internet link, correct ?

 

The only problem here i see is that all your AD, DNS servers are actually separated across via MPLS. Do you have a failover for MPLS ? Because consider if MPLS link goes down, that means no more access to DNS and then potentialy no new users can login to MRA. You can build a new DNS for site B, that would be perfect. 

 

Recently i ran into same situation however in my case Site B doesn't have any internet Access hence i was forced to install on SITE A UCS, but i had DNS locally at Site A for this.

 

What i would suggest you is that create two separate Jabber profiles and assign the users to local profile in this case.

 

Regards,

Alok

View solution in original post

Yes, that's correct. Infact for MRA its important to use FQDN's everywhere. However please make sure that you publish the same FQDN outside as well. 

 

Regards,

Alok

View solution in original post

7 REPLIES 7
Alok Jaiswal
Enthusiast

Hi, 

 

I guess from the design point of view it looks ok to me. Just to confirm as per your attached network diagram both the sides actually has internet link, correct ?

 

The only problem here i see is that all your AD, DNS servers are actually separated across via MPLS. Do you have a failover for MPLS ? Because consider if MPLS link goes down, that means no more access to DNS and then potentialy no new users can login to MRA. You can build a new DNS for site B, that would be perfect. 

 

Recently i ran into same situation however in my case Site B doesn't have any internet Access hence i was forced to install on SITE A UCS, but i had DNS locally at Site A for this.

 

What i would suggest you is that create two separate Jabber profiles and assign the users to local profile in this case.

 

Regards,

Alok

View solution in original post

Hello Mr. Alok,

Thanks a lot for your quick response.

Yes. We have Internet link at each site.

We have a GRE tunnel filover for MPLS circuit.

Yes. We can implement a DNS server at BRANCH site. And even a aditional domain controller for fail over.

One more question.

Whent configuring EW-C, I planned to provide the FQDN of the EW-E (say exe.domain.com) which will be resolved to the IP address of internal interface (in my caes B.114) of the Expressway-E. Is that alright?

Best Regards

Abdul

Yes, that's correct. Infact for MRA its important to use FQDN's everywhere. However please make sure that you publish the same FQDN outside as well. 

 

Regards,

Alok

View solution in original post

Dear Mr.Alok,

Thanks a lot for answers.

I am planning to do a static NAT on the firewall (Fortigate) to the external interface IP of the Expressway-E (as per the diagram C.114 to public IP). But I read some documents says that itshould be done on the Expressway-E itself. As it is my first MRA deploeyment I am bit confused. Will it work fine if I dod the static NAT at the firewall and only use private IPs on the expressway-E server?

 

Thanka nd Best Regards

Abdul

Hi,

 

You don't actually do NAT'ing on the Expressway-E, what you basically do is you let Exp-E know about the NAT'ed IP-address. 

 

The concept of providing NAT'ing IP details on Exp-E is there for a long time before even MRA came into existence. The NIC pointing to public IP you will see an option for configuring NAT IP. 

 

Let me tell you even if you won't configure that NAT ip, your MRA will work, but it will create issues with media. Hence its important you provide NAT information on Exp-E.

 

Regards,

Alok

Dear Mr. Tareq,

Thanks a lot for your quick response.

I will keep you updated the progess of the deployment.

Thanks and Best Regards

Abdul

Hello Mr. Alok,

Could you please tell me about CSR in both Expressway-c and Expressway-e? What are SAN should be included in each CSR?

 

Thanks and Best Regards

Abdul

Content for Community-Ad

Spotlight Awards 2021