Expressway MRA: Jabber cannot communicate with server

jefferson_best
Level 1

Hello, I am writing to you about the activation of the MRA functionality on the Expressway. Jabber works well locally, but when I log in from outside the corporate network I get the error "cannot communicate with server". It's a new deployment with a single NIC on the EXPW-E. The certificate of my Expressway-E has been signed by the internal certification authority. The peer in the Expressway-C matches the A record of the EXPW-E that points to the IP address of the EXPW-E in the DMZ. On my DNS server I have two forward lookup zones, "test.local" and "test.com"; CUCM and CUP A records were created in the forward zone "test.local", and those for EXPW-C, EXPW-E, CUCM, and CUP were also created in "test.com".

The domain on Expressway-C is "test.com".

My zone is Active.

Can you help me please?


Slavik Bialik
Level 7

Hi,

When you're using a single NIC deployment, you must configure the internal A record of the Expressway-E to be the PUBLIC IP address. So when Expressway-C is communicating with the Expressway-E it should communicate towards its public IP address, but of course it shouldn't communicate via the Internet and back to the organization. That's not the end of it: you must ask your security fellows that are managing the Firewall that they will need to create a NAT reflect, meaning a NAT rule inside the network that will translate the destination IP address of the public IP address to the internal IP address in the DMZ.

I'm guessing that this rule is already there, because it must be set anyway for incoming traffic from the Internet towards the Expressway-E. So what you actually need to do is change the internal A record of the Expressway-E to contain the public IP address instead of the internal one.

Thank you very much. I just did it, my zone is Active. But when I check my configuration with the "Cisco CollabEdge Validator" tool everything is fine except the IM&P rubric.

See the screenshot attached.

I do not know if it's normal or if it's a problem.

Do you have this SRV record in your internal DNS?

_cuplogin._tcp.guineaalumina.com (or if you have an internal domain, so only under the internal domain)

If not, you also need to set it and point it to the internal FQDN of the IM&P server.

Another thing I'm still not sure about: what is configured in your Expressway-C under Unified Communications Configurations? Do you have the authentication method configured as "Use credentials" or...?

2 more things:

  • Go in both Expressways to Status -> Logs -> Event log. After an unsuccessful login, see what errors you get there. Please share them with us so we can advise.
  • Go in both Expressways to Maintenance -> Diagnostics -> Diagnostic logging, and start it on both servers. Then go and try to log in again (preferably after you reset Cisco Jabber), then go back to the servers, stop the logging and fetch the files. Now go back to this tool:
    https://cway.cisco.com/tools/CollaborationSolutionsAnalyzer/
    But instead of the validator, go to Log Analysis, upload both files and analyze. It'll give you a better output and diagnostics about what's missing; I really like this tool.
    Also, share both files here so I can also analyze them and see the output.

See attached files please.

The screenshot you took is from Expressway-E, and I need one from Expressway-C.

About the logging files, please attach the whole TAR file as you download it from the Expressway's diagnostic logging page.

Thanks!

I don't know why, but I am not able to import .tar files. I have the error "The contents of the attachment doesn't match its file type."

But see attached the results of the analysis.

OK, now I can say for sure that you'll have to ask the guys managing the Firewall to take a look; they probably didn't open all the relevant ports for this service, like port TCP/7400 stated in the first alert.

Another thing is that it is saying the CUCM FQDN isn't in the allow list, but it is strange, because when you add a CUCM (or a whole cluster) to the Expressway-C, it automatically adds all the IPs and FQDNs of the CUCMs in the cluster to the HTTP allow list in Expressway-C. So... is your CUCM configured under the DNS domain name "guineaalumina.com", or is it configured under some internal domain? Or is this domain (guineaalumina.com) both internal and external?

Anyway, you can go in Expressway-C to: Configuration -> Unified Communications -> HTTP Allow List -> Editable inbound rules. Add 4 new rules for the following FQDNs:

  • tinccucm01.guineaalumina.com
  • kamccucm02.guineaalumina.com
  • FQDN of IM&P Server #1
  • FQDN of IM&P Server #2

Select the GET method and under Match Type select Prefix match.

Anyway, you have 2 different problems here. The first is networking and firewall (mostly), and the second is that the CUCMs weren't in the HTTP allow list of Expressway-C.

If you don't know which exact ports you need to open for this MRA service, send me a private message and I'll send you an Excel file I've made, which I send to all my customers, listing the ports they should open on their own network.
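The three configuration points Slavik raised in this thread (the internal A record of a single-NIC Expressway-E must carry the public IP, `_cuplogin._tcp.<domain>` must exist in internal DNS and point at the IM&P server, and every CUCM and IM&P FQDN needs a GET/prefix-match rule in the Expressway-C HTTP allow list) can be encoded as an offline checklist. The script below is an added example, not Cisco's Collaboration Solutions Analyzer and not code from anyone in this thread. It runs against a constructed DNS snapshot and allow list rather than live resolvers; all hostnames, addresses and records (example.com, TEST-NET-3, port 8443 in the URLs and SRV target) are constructed assumptions about a typical deployment.

```python
"""Offline checks for the MRA prerequisites discussed in this thread.

Added example, not a Cisco tool. It encodes three points from the replies:
  1. single-NIC Expressway-E: the internal A record must hold the PUBLIC IP
     (the firewall's NAT reflection rule turns it back into the DMZ address);
  2. _cuplogin._tcp.<domain> must exist internally and target the IM&P server;
  3. each CUCM / IM&P FQDN needs a GET, prefix-match HTTP allow-list rule.
All hostnames, addresses and records below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# RFC 1918 space: an Expressway-E internal A record here is the single-NIC mistake.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_a(dns, fqdn):
    """Return the A record for fqdn from a snapshot dict, or None if absent."""
    return dns.get("A", {}).get(fqdn.lower().rstrip("."))


def check_single_nic_a_record(internal_dns, external_dns, expw_e_fqdn):
    """Internal and public A records of Expressway-E must both hold the public IP."""
    internal_ip = resolve_a(internal_dns, expw_e_fqdn)
    external_ip = resolve_a(external_dns, expw_e_fqdn)
    if internal_ip is None:
        return [f"{expw_e_fqdn}: no internal A record, Expressway-C cannot resolve its traversal peer"]
    findings = []
    if external_ip is None:
        findings.append(f"{expw_e_fqdn}: no public A record, Jabber outside cannot reach Expressway-E")
    if any(ipaddress.ip_address(internal_ip) in net for net in RFC1918):
        findings.append(f"{expw_e_fqdn}: internal A record {internal_ip} is a private DMZ address; "
                        "a single-NIC deployment needs the public IP here plus NAT reflection")
    elif external_ip and internal_ip != external_ip:
        findings.append(f"{expw_e_fqdn}: internal A {internal_ip} differs from public A {external_ip}")
    return findings


def check_cuplogin_srv(internal_dns, domain, imp_fqdns):
    """_cuplogin._tcp.<domain> must exist internally and point at an IM&P server."""
    name = f"_cuplogin._tcp.{domain}".lower()
    targets = internal_dns.get("SRV", {}).get(name)
    if not targets:
        return [f"{name}: SRV record missing from internal DNS"]
    imp = {h.lower() for h in imp_fqdns}
    findings = []
    for target, _port in targets:
        if target.lower() not in imp:
            findings.append(f"{name}: target {target} is not one of the IM&P servers")
        if resolve_a(internal_dns, target) is None:
            findings.append(f"{name}: target {target} has no internal A record")
    return findings


def check_http_allow_list(allow_list, uc_fqdns):
    """Each CUCM / IM&P FQDN needs an inbound rule allowing GET with prefix match."""
    findings = []
    for fqdn in uc_fqdns:
        matched = any((urlsplit(r["url"]).hostname or "").lower() == fqdn.lower()
                      and "GET" in r["methods"] and r["match"] == "prefix"
                      for r in allow_list)
        if not matched:
            findings.append(f"{fqdn}: no GET/prefix-match rule in the Expressway-C HTTP allow list")
    return findings


def check_mra_prereqs(internal_dns, external_dns, domain, expw_e_fqdn, cucm_fqdns, imp_fqdns, allow_list):
    """Run all checks; an empty list means the three prerequisites hold."""
    return (check_single_nic_a_record(internal_dns, external_dns, expw_e_fqdn)
            + check_cuplogin_srv(internal_dns, domain, imp_fqdns)
            + check_http_allow_list(allow_list, list(cucm_fqdns) + list(imp_fqdns)))


# --- constructed sample data (not from any real deployment) -----------------
DOMAIN = "example.com"
EXPW_E, CUCMS, IMPS = "expw-e.example.com", ["cucm01.example.com"], ["imp01.example.com"]
EXTERNAL_DNS = {"A": {EXPW_E: "203.0.113.10"}}  # what a public resolver answers
GOOD_INTERNAL_DNS = {
    "A": {EXPW_E: "203.0.113.10", "cucm01.example.com": "10.0.0.20", "imp01.example.com": "10.0.0.30"},
    "SRV": {"_cuplogin._tcp.example.com": [("imp01.example.com", 8443)]},
}
# The original poster's situation: Expressway-E resolves to its DMZ address, no SRV record.
BAD_INTERNAL_DNS = {"A": {EXPW_E: "172.16.5.10", "cucm01.example.com": "10.0.0.20",
                          "imp01.example.com": "10.0.0.30"}}
GOOD_ALLOW_LIST = [
    {"url": "https://cucm01.example.com:8443/", "methods": {"GET"}, "match": "prefix"},
    {"url": "https://imp01.example.com:8443/", "methods": {"GET"}, "match": "prefix"},
]
BAD_ALLOW_LIST = GOOD_ALLOW_LIST[:1]  # IM&P rule forgotten


def example_findings():
    """Run the checks on the good and on the broken constructed configuration."""
    return {
        "good": check_mra_prereqs(GOOD_INTERNAL_DNS, EXTERNAL_DNS, DOMAIN, EXPW_E, CUCMS, IMPS, GOOD_ALLOW_LIST),
        "bad": check_mra_prereqs(BAD_INTERNAL_DNS, EXTERNAL_DNS, DOMAIN, EXPW_E, CUCMS, IMPS, BAD_ALLOW_LIST),
    }


if __name__ == "__main__":
    for label, findings in example_findings().items():
        print(f"{label}: {findings or 'all prerequisites satisfied'}")
```

The RFC 1918 test is deliberately narrower than `ipaddress.is_private`, which also flags the documentation range used for the constructed public address; in a real environment the two snapshots would be filled from an internal and an external resolver, and the allow-list entries from the Expressway-C "Editable inbound rules" page.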

kiriewki
Level 1

Good afternoon,
Sorry to bother you. Can you send me the Excel file showing how the settings should be over the network, which you mentioned above? Thank you!