David Rees
Beginner

Jabber Guest - Must translate the destination port of 443 to 9443

Jabber Guest - Firewall Port Translations


I have a VCS-E with a public address on a DMZ behind a Cisco ASA 5515-X firewall.

Has anybody successfully managed to "translate the destination port of 443 to 9443 for all HTTPS (and 80 to 9980 for HTTP) traffic that targets the Expressway-E address from Jabber Guest clients" with an ASA?

All the ASA PAT examples change the IP address as well as the port; as the VCS-E has a public address, the address does not change.

Cheers!

10 Replies
martyn.rees
Enthusiast

Have you had any luck with this? I am facing the same problem as well.

Not a word :-(


ctcahoe
Beginner

Yeah, here is the config we use. I'm stumped on how to treat the port mappings differently based on who is trying to contact the Expressway. I have an idea: let's change the admin ports on the Expressway to 9443 and 9980! This is way too much hassle.

x.x.x.x = public IP of expressway

object network expressway-guest
 host x.x.x.x
object network expressway-guest2
 host x.x.x.x

object network expressway-guest
 nat (inside,outside) static x.x.x.x service tcp 9980 80 

object network expressway-guest2
 nat (inside,outside) static x.x.x.x service tcp 9443 443 


Thanks for the ASA items; this appears to resolve the translation issues.

Now I can get to the website; the plugin installs, sits at "Checking Connection", then fails with a TURN error.


Some progress at least... back to the doco.


Hey David, I am also running into the same issue with Jabber Guest saying "checking connection", but the TURN port 3478 is allowed on the firewall... any thoughts would be much appreciated!!

Thanks

I recently had a case with similar conditions.

We found that the VCS-C certificates had been signed as X.509 v1 certificates. This would not allow Jabber Guest to POST the TURN credentials back to the VCS-C, failing with an SSL error.

The condition in this case was a continual hang of the Jabber Guest client at connecting.

The resolution was to use an X.509 v3 certificate on the VCS-C, which is stated in the VCS Certificate Creation and Use guide.

If you continue to run into the problem, attach the webcommon log from the Jabber Guest server and I can look into the cause. Or you could open a TAC case for review.
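An added check for the certificate condition described in the reply above (example code, not from the post and not a Cisco tool): it reads the X.509 version field straight out of the DER encoding, so a v1 certificate on a VCS-C can be spotted before Jabber Guest hangs at "checking connection". The two sample blobs are constructed DER skeletons built inside the script for the parser to chew on, not real certificates; on a real deployment you would feed the VCS-C server certificate to check_pem().

```python
"""Tell an X.509 v1 certificate from a v3 one by reading the DER version field.

Certificate and tbsCertificate are both SEQUENCEs; tbsCertificate begins with an
OPTIONAL [0] EXPLICIT version INTEGER (0 = v1, 2 = v3).  When that field is absent
the certificate is v1 by default.  Only the leading fields are decoded, so this
also works on a real DER or PEM certificate.
"""
import base64


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def x509_version(der: bytes) -> int:
    """Return 1, 2 or 3 for a DER-encoded Certificate."""
    tag, start, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, tbs_start, _ = _read_tlv(der, start)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, v_start, v_end = _read_tlv(der, tbs_start)
    if tag != 0xA0:                                 # no [0] version field -> v1
        return 1
    itag, i_start, i_end = _read_tlv(der, v_start)
    if itag != 0x02 or i_end != v_end:
        raise ValueError("malformed version field")
    return int.from_bytes(der[i_start:i_end], "big") + 1


def pem_to_der(pem: str) -> bytes:
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def check_pem(pem: str) -> bool:
    """True when the PEM certificate is v3, the version the VCS-C needs."""
    return x509_version(pem_to_der(pem)) == 3


# --- constructed samples -------------------------------------------------------
# DER skeletons built here only to exercise the parser: a tbsCertificate holding
# just the version and serial, a sha256WithRSAEncryption AlgorithmIdentifier and
# an empty BIT STRING.  They are not real, signed certificates.
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


_SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
_SIG = _der(0x03, b"\x00")
_SERIAL = _der(0x02, b"\x01")

SAMPLE_V3 = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _SERIAL) + _SIG_ALG + _SIG)
SAMPLE_V1 = _der(0x30, _der(0x30, _SERIAL) + _SIG_ALG + _SIG)   # version field omitted

if __name__ == "__main__":
    for name, der in (("v3 sample", SAMPLE_V3), ("v1 sample", SAMPLE_V1)):
        verdict = "OK" if check_pem(der_to_pem(der)) else "REJECT (v1)"
        print(f"{name}: X.509 v{x509_version(der)} -> {verdict}")
```

The same field is what `openssl x509 -noout -text` prints as `Version: 1 (0x0)` or `Version: 3 (0x2)`; the script is useful where you want to sweep a directory of exported certificates without parsing openssl output.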

ctcahoe
Beginner

Here is the config to translate 443 to 9443 and 80 to 9980 for outside hosts only. It took way too long to figure it out, but hopefully it helps you guys.


object network expressway-guest
 host x.x.x.x
object network bsu-outside
 subnet 0.0.0.0 0.0.0.0
object service https2
 service tcp source eq 9443
object service https3
 service tcp source eq https
object service http2
 service tcp source eq 9980
object service http3
 service tcp source eq www
object-group network internal_bsu
 network-object y.y.y.y 255.255.255.0
 network-object z.z.z.z 255.255.255.0


nat (inside,outside) source static expressway-guest expressway-guest destination static internal_bsu internal_bsu service https3 https3
nat (inside,outside) source static expressway-guest expressway-guest destination static bsu-outside bsu-outside service https2 https3
nat (inside,outside) source static expressway-guest expressway-guest destination static bsu-outside bsu-outside service http2 http3

This config almost nailed it, but it invalidated the certificates between Expressway cluster nodes because we have separate firewalls between peers.
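A model of how the three manual NAT rules in the config above are matched, added here as an example; it is not from the post and not Cisco code. The addresses 198.51.100.10, 10.10.0.0/24, 10.20.0.0/24 and 203.0.113.7 are constructed stand-ins for x.x.x.x, y.y.y.y, z.z.z.z and an Internet client. It reproduces first-match ordering only, which is why the identity rule for internal_bsu has to sit above the two bsu-outside rules, and it ignores the interface ACLs that still decide whether a flow is permitted.

```python
"""Model of the three ASA manual (twice) NAT rules from the config above.

The ASA walks manual NAT rules top-down and the first match wins.  The rule whose
destination is internal_bsu is an identity rule (https3 -> https3), so internal
hosts and cluster peers keep reaching the real port 443; the two bsu-outside rules
then map 443 -> 9443 and 80 -> 9980 for everyone else.  Addresses are constructed
stand-ins for x.x.x.x, y.y.y.y and z.z.z.z.  NAT only; interface ACLs are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EXPRESSWAY = ip_address("198.51.100.10")                                  # x.x.x.x
INTERNAL_BSU = (ip_network("10.10.0.0/24"), ip_network("10.20.0.0/24"))   # y.y.y.y, z.z.z.z
BSU_OUTSIDE = (ip_network("0.0.0.0/0"),)                                  # object bsu-outside


@dataclass(frozen=True)
class NatRule:
    """One 'nat (inside,outside) source static expressway-guest expressway-guest
    destination static <clients> <clients> service <real_svc> <mapped_svc>' line."""
    clients: tuple      # the rule's destination object: who is talking to the Expressway
    real_port: int      # source port in the real service object (https2/http2, or https3)
    mapped_port: int    # source port in the mapped service object (https3/http3)


RULES = (
    NatRule(INTERNAL_BSU, 443, 443),   # https3 https3: identity for the internal subnets
    NatRule(BSU_OUTSIDE, 9443, 443),   # https2 https3: outside 443 -> real 9443
    NatRule(BSU_OUTSIDE, 9980, 80),    # http2  http3:  outside 80  -> real 9980
)


def translate_inbound(rules, client_ip: str, dst_ip: str, dst_port: int) -> int:
    """Destination port after un-NAT for a client -> Expressway TCP connection.

    Inbound traffic is matched on the mapped side (the port the client dialled) and
    rewritten to the real port; the first rule whose client network contains the
    source wins.  Traffic to other hosts, or to ports no rule maps, is left alone.
    """
    src = ip_address(client_ip)
    if ip_address(dst_ip) != EXPRESSWAY:
        return dst_port
    for rule in rules:
        if dst_port == rule.mapped_port and any(src in net for net in rule.clients):
            return rule.real_port
    return dst_port


def misordered(rules):
    """The same rules with the identity rule moved to the bottom, as a wrongly
    ordered configuration would evaluate them."""
    identity = [r for r in rules if r.real_port == r.mapped_port]
    others = [r for r in rules if r.real_port != r.mapped_port]
    return tuple(others + identity)


if __name__ == "__main__":
    x = str(EXPRESSWAY)
    for client, port in (("203.0.113.7", 443), ("203.0.113.7", 80),
                         ("10.10.0.5", 443), ("10.20.0.9", 80)):
        good = translate_inbound(RULES, client, x, port)
        bad = translate_inbound(misordered(RULES), client, x, port)
        print(f"{client} -> {x}:{port}  real port {good}  (identity rule last: {bad})")
```

Two things the model makes visible: with the identity rule last, an internal host dialling 443 is sent to 9443 like an outside client, which is the cluster-peer breakage ctcahoe describes; and because the posted config has an identity rule only for https3, internal hosts dialling port 80 are still redirected to 9980.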

shawnangelo
Beginner

It does work using PAT as ctcahoe described below.

Also, in the latest Jabber Guest OS update, it is no longer required to use PAT, as you can add the correct port number in the "Set Domain Used for Links" configuration.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Guest/10_6/icg/JABC_BK_JF2738FB_00_jabber-guest-server-106-installation.pdf

If I am reading the guide correctly, if you get the "Set Domain Used for Links" configuration properly set to include port numbers, you do not need port redirection in front of the Expressway-E. Would that be accurate? I am hoping so, because it will simplify deployment if we don't have to do port redirection.
