
Mobile Remote Access Expressway - Inactive Jabber

Andrew M12
Level 1

Have deployed an Expressway-C on the internal and Expressway-E on the DMZ, followed the config guide here, have checked it through 4-5 times now and satisfied everything is configured correctly

www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-1-1.pdf

CUCM version is 9.1(2)

IM + P version is 9.1(1)

Jabber for Windows is 9.7

Jabber for Iphone/Android is 9.6

All Jabbers connect fine inside the network, when on the outside they reach the Expressway-E ok but then get an error “Cannot locate server. Check your server address. If the problem persists, contact your system administrator. Send problem report”


When checking the problem report I see this output on all failed connections (Iphones and Androids)

05-08 16:22:08.863 32374 32374 I         : INFO [0x40028ffc] [ts/adapters/imp/components/Login.cpp(90)] [imp.service] [OnLoginError] - ****************************************************************
05-08 16:22:08.863 32374 32374 I         : INFO [0x40028ffc] [ts/adapters/imp/components/Login.cpp(91)] [imp.service] [OnLoginError] - OnLoginError: (data=0) LERR_JABBER_UNREACHABLE <14>:
05-08 16:22:08.863 32374 32374 I         : INFO [0x40028ffc] [ts/adapters/imp/components/Login.cpp(92)] [imp.service] [OnLoginError] - ****************************************************************


I looked up LERR_JABBER_UNREACHABLE and found this blog about it being a bug for Jabber over VPN which is the opposite of Mobile Remote Access, however I still tried the workaround for the bug but it didn't help

http://blog.prorouting.com/2013/12/cisco-jabber-on-iphone-through-asa-vpn.html

 

Checking on the Expressway-C under Status>Unified Communications I do see an error about Inactive Jabber on the Expressway-E so unsure if this is the cause. Could find no info on this error message in the setup guide or on google

(note – the 2 alarms bubble is just about how I haven’t changed the default passwords, no alarms relating to this Inactive Jabber)

 

 

Has anyone else seen this problem yet and knows how to resolve it?

55 Replies

Point your Expressway-E at your internal DNS server as that has the A records for your UC servers

Well, I have added it to Expressway E and can see it can resolve as per your suggestion.

But I am still getting an error, "cannot communicate with the server"

In the Jabber logs I can see it tries to resolve the cisco-uds and cuplogin SRV records but fails and then skips to the _collab-edge._tls record, which is fair enough as this should be the case when Jabber attempts from outside the corporate network. But I keep getting the same error.

Also, even though I have enabled level 2 and level 4 logging on the Expressway E side, nothing comes in, as it seems no traffic is able to reach it yet.

Before attempting to sign in from outside, we checked through nslookup and the SRV records are resolvable.

I would just like to emphasise here that we are running CUCM v 10 (cluster of 5 nodes) and IM&P v 10 (cluster of 4 nodes).

So, please confirm: for _cisco-uds, which CUCM server should it be pointing to (Publisher or Subscriber)?
And which server should it be for _cuplogin?

Your usual assistance would be appreciated.

Regards

 

Ok so your Exp-E has DNS resolution capability, that's fine

Yes if you are outside the business you will fail the _cisco-uds._tcp.domain.com and the _cuplogin._tcp.domain.com and go to the _collab-edge._tls


Are you certain you have followed everything in my original posts between me and Heathrw?...here is a summary

- Check your firewall has all the ports required to be open, MRA requires a few more ports than your standard VCS Telepresence does so if you had Telepresence already and assumed you have all the ports you need, think again.

- Check your firewall and ensure you see the communication going across it OK, or is it being blocked?

- Check your external DNS has the srv record correct for _collab-edge._tls but also has an A record for the E's public IP

- Check there are no errors on your IM+P server

- Check the SOAP/AXL permissions on the IM+P server

- Check you have turned off "Use dual network interfaces" setting and restarted the Expressways

- Check you have put your Expressway-E's public IP address in the 'IPv4 static NAT address' setting and restarted the Expressway

 


The above are the things not present in the setup guide at http://ciscocollab.wordpress.com/2014/01/29/deploying-collaboration-edge/, so if you follow that guide, then check off my items, you should be at the same point as I got to, which is everything is working.

If not then I'm unsure what else to suggest other than checking if there is anything extra you need with CUCM 10 and IM+P 10, I know the IM+P is now seen as a cluster node so doubt that will affect it but yes do check

 

 


_cisco-uds._tcp.domain.com = setup on your internal DNS server, point at your CUCM Pub IP address

_cuplogin._tcp.domain.com = setup on your internal DNS server, point at your primary IM+P IP address

_collab-edge._tls = setup on your external DNS server, point at your Expressway-E public IP address

 

 


Thanks for your response. yes double checked everything!

Actually, we can see in the Jabber logs that it is trying _cisco-uds and _cuplogin for resolving the DNS entry but failing, and then it is looking for _collab-edge._tls, which it should do as it is from outside.

Also, I have checked through 'nslookup' on that remote PC; it can resolve to the IP address of Expressway E perfectly.

The irony here is we cannot see any kind of traffic coming towards the VCSe, even on the firewall. It seems strange; we are unable to form any kind of connection through.

Any ideas what & where to look for ?

 

- Turn off Windows firewall if using that OS

- Check your browser for any internet proxy settings, turn them off

- Check your PC for 3rd party antivirus or firewalls, turn them off for duration of testing

- Install Jabber on an Android or an Iphone, test if they can connect

- If you have no joy with the above, then because you see no traffic towards your Expressway-E I suggest checking your firewall, run logs/captures on it during a login attempt, you should see traffic

 

 

 

Ok. Turned off firewall and proxy.

 

Another thing that I noticed while running Wireshark on my laptop on my internet-enabled interface is that there were no DNS queries being made for the SRV and the host record of the Expressway.

 

Any clues ?

Is it a dual nic laptop?

 

You said the Jabber logs show it looking for the srv record, and then you say the internet facing NIC capture shows no DNS queries

Try capturing the other NIC if you have one, maybe the DNS is going the wrong way for querying. 

Or try using Jabber for Android/Iphone as there are limited settings on there, and you can quickly determine if your Expressway configuration is correct and it is your laptop with the problem

Thanks for your support tirepojke;

Actually, I was pointing to same NIC.

Anyway, the issue seems to be the public IP address: after some troubleshooting at the firewall end, they found out that the IP was not publicly routable.

We were then given a new IP, changed what was needed in DNS and Expressway E, and it connected remotely the very first time. We even tried from an Iphone as well and that can log in perfectly.

The new thing is we can call internally and externally and the destination phones ring perfectly, but we cannot hear each other at all. There seems to be no voice traffic.

What do you suggest? Could it be RTP?

 

 

 

 

Either your firewall is blocking your RTP streams or see my previous post on this, snippet here

 

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

I could log in from outside but I had no-way voice. Going back into System>IP on the Expressway-E there is a box called 'IPv4 static NAT address' and you must populate that with your Public IP of the Expressway-E.  It will require a reboot under Maintenance>Restart Options to take effect.

After that I had voice in both directions

This is for an Expressway-E in a DMZ with one NIC that is setup like a router-on-a-stick with Static NAT.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

Perhaps you already followed that advice during your setup, but have now forgotten to change this setting for your new publicly routable IP address you have just got

 

Finally we got it fixed.

Although we used the new public IP for the NAT setting in Expressway, as per TAC we were supposed to make the following changes:

At Expressway C, we had to use the public IP of 'E' in the peer address under the traversal zone, and that did require some tweaks in DNS, as we had already put the hostname of Expressway E there, which was resolving to the private IP. As that name is used in the certificates as the CN, we didn't want to change it, and added an entry in internal DNS to resolve it to the required public IP of Expressway E.

Also, as the objective was that Expressway C should only communicate with the public IP of Expressway E, NAT reflection came into play and we had to configure this on the firewall side for that to happen.

And after that voice was working in both directions.

I would like to thank tigrepojke for your support throughout.

 

One question though: I can make video calls between two Iphone users using Jabber internally, but while going through Expressway the video icon seems greyed out.

 

I can make video calls between Windows Jabber and Iphone through Expressway as well, but not between Iphones themselves.

Regards

M Taha

It sounds like you did not follow the guide or advice correctly

For router-on-a-stick DMZ scenario it says that the traversal zone must be using the public address of the Expressway but you had it as the private address.  And then you had to tweak DNS afterwards, so as per the guide here is what you should have on your DNS and if you have something different or a "tweak" I recommend you untweak it and do it right so as to avoid problems troubleshooting in the future

 

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

INTERNAL DNS Server

Create two A records:

  • sjc-expressway-edge-01.domain.com A – (make this name whatever you want) Pointing to the INSIDE interface of Expressway-E for two-legged deployments, or pointing to the DMZ address if it’s on a stick.  The record is used by Expressway-C to lookup and validate the certificate against.  You will use this hostname anywhere you are asked for the expressway server’s name when configuring the C server.
  • sjc-expressway-core-01.domain.com A – (any name you want) Pointing to Expressway-C.

Create two SRV records:

  • _cisco-uds._tcp.domain.com SRV 0 0 port 8443 – Pointing to CUCM.  (NOT IM&P!)
  • _cuplogin._tcp.domain.com SRV 0 0 port 8443 – Pointing to IM&P  (TBD if this is really required for Jabber 9.6 with IM&P 9.1 – I don’t believe it actually is)

When you launch Jabber, if it can resolve these DNS records, it knows it’s inside and pulls the service profile directly from CUCM and logs in to IM&P and CUCM.

EXTERNAL DNS Server

Create one A record:

  • sjc-expressway-edge-01.domain.com A – (any name you want) Pointing to the public address assigned (or NATted) to your Expressway-E.

Create one SRV record:

  • _collab-edge._tls.domain.com SRV 0 0 8443 – Pointing to Expressway-E (in our case sjc-expressway-edge-01.domain.com)

 

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

As for the Iphone problem this could be so many things, if you still have your TAC case open ask them to check the logs for you.

If you don't have it open anymore then off the top of my head it could be a firewall issue with SIP media, something wrong on the CUCM config for the IPhone, could not actually be a video button that is greyed out but is the Share My Desktop button....and likely lots of other stuff.

- Make a test call from Iphone Jabber internally to a Windows Jabber, check the video is not greyed out

- Make a test call from Iphone Jabber internally to Iphone Jabber, check the video is not greyed out

- Make a test call from Iphone Jabber externally to Iphone Jabber, check the video is greyed out

Get the test Iphone Jabber to send you a problem report, it should give you logs and check the difference between the internal and external calls.   Also pull the CUCM logs and check them as well.
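The split-DNS layout quoted in this reply, and the non-routable "public" address that turned out to be the earlier login failure, can both be checked mechanically. The following is an added example, not code from any poster or from Cisco; the zone contents, the host names cucm-pub and imp-pub, the addresses, and the helper audit_mra_dns are constructed for illustration.

```python
import ipaddress

# Constructed sample zone data (not from the thread).
# SRV values are (priority, weight, port, target); A values are IP strings.
INTERNAL = {
    "srv": {"_cisco-uds._tcp.domain.com": [(0, 0, 8443, "cucm-pub.domain.com")],
            "_cuplogin._tcp.domain.com": [(0, 0, 8443, "imp-pub.domain.com")]},
    "a": {"cucm-pub.domain.com": ["10.10.1.10"],
          "imp-pub.domain.com": ["10.10.1.20"]},
}
EXTERNAL = {
    "srv": {"_collab-edge._tls.domain.com":
            [(0, 0, 8443, "sjc-expressway-edge-01.domain.com")]},
    # Deliberately wrong: an RFC 1918 address published as the "public" one.
    "a": {"sjc-expressway-edge-01.domain.com": ["172.16.5.5"]},
}

def audit_mra_dns(internal, external, domain):
    """Return findings for the internal/external record layout listed above."""
    findings = []
    edge = f"_collab-edge._tls.{domain}"
    for name in (f"_cisco-uds._tcp.{domain}", f"_cuplogin._tcp.{domain}"):
        if name not in internal["srv"]:
            findings.append(f"internal: missing SRV {name}")
        # If Jabber can resolve these, it assumes it is inside the network.
        if name in external["srv"]:
            findings.append(f"external: {name} must not be published")
    if edge not in external["srv"]:
        findings.append(f"external: missing SRV {edge}")
    for _prio, _weight, port, target in external["srv"].get(edge, []):
        if port != 8443:
            findings.append(f"external: {edge} port {port}, expected 8443")
        addrs = external["a"].get(target, [])
        if not addrs:
            findings.append(f"external: no A record for SRV target {target}")
        for addr in addrs:
            # Private, CGNAT, link-local etc. are unreachable from the internet.
            if not ipaddress.ip_address(addr).is_global:
                findings.append(
                    f"external: {target} -> {addr} is not publicly routable")
    return findings

if __name__ == "__main__":
    for line in audit_mra_dns(INTERNAL, EXTERNAL, "domain.com"):
        print(line)
```

In practice the two dictionaries would be filled from lookups against the internal and an external resolver; the check only covers DNS, not the firewall ports or the static NAT setting discussed earlier in the thread.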

 

Dear friend.

I met the same problem with Jabber for Windows, please help me to solve my issue.

I have a system with the devices below:

-  CUCM cluster (2 servers) put in local zone with hostname cucm-1.xxx.lan and cucm-2.xxx.lan (ver 10.5)

-  CUP cluster (2 servers) put in local zone with hostname cup-1.xxx.lan and cup-2.xxx.lan (ver 10.5)

-  Expressway - C put in local zone with hostname vcs-c.xxx.lan (Ver 8.1.1)

-  Expressway - E with two NICs, one in local zone (same subnet with CUCM, CUP and VCS-C) and one in DMZ zone. (Ver 8.1.1) 

I have created DNS and tested successfully:

- Host A record for all of them

- Service record for auto discovery (_uds-cisco._tcp (point to publish CUCM) on internal DNS and _collab-egde._tls (point to VCS-E) on public DNS)

In the traversal zone, I pointed to the DNS names of all devices.

I have the sub-domain yyy.vn and I can use it to log in on the local network (user@yyy.vn). When I log in from external, I get the error "Cannot to communicate with the Server"

Please help me to solve it as soon as possible

Based on the experiences of this thread I'd suggest you check your firewall configuration/logs, DNS configuration/logs and make sure you've followed the official guide and the blog link in this thread for how to configure two-legged deployments

Dear Rigrepojke.

 

I'm sure that there is no firewall between zones in my topology.

With DNS, I can resolve all of the service records.

But I don't know whether I can use different domains for the internal and external networks.

Thanks.

I don't see why you can't have different domains with the right DNS mappings unless it says in the guides it is unsupported.

Because the error says you cannot communicate with server I would be checking the DNS, routing, firewall etc however you said one of your NICs is in the DMZ and now say you have no firewalls, I don't have all the information I need to assist so I'm out.  Good luck