
When doing SIP Federations for IM & Presence, does ASA have to be in the routing path?

thomas.luebke
Level 1

We want to migrate from Microsoft OCS/MOC to Cisco IMP/Jabber and have several Interdomain federations based on SIP.

Looking at the documentation on CCO, ASA has to be configured as TLS Proxy. However, in all configuration examples ASA is within the routing path of Expressway-E and NAT/PAT has to be configured as well.

Does anybody know if this is a requirement or can ASA act as Proxy in the "traditional" way, not being in the path? For example, I configure the ASA internal IP address as target for my federation domain and the ASA contacts the external company using DNS.

Thanks,

Thomas.

3 Replies

Shashank Mahajan
Cisco Employee

As per the Cisco Preferred Architecture for Enterprise Collaboration 11.x, "Prior Cisco architectures involved using the Cisco Adaptive Security Appliance (ASA) firewall as a TLS proxy and allowing inbound ports to be opened through the external firewall to directly access the internal IM and Presence servers. This is still the recommended solution for SIP federation."

http://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/enterprise/11x/collbcvd/edge.html#pgfId-1068065

Hi Shashank,

thanks for your reply. I am not sure I understand this correctly though.

For inbound connections this would mean the firewall (not necessarily the ASA providing TLS proxy) would need to do NAT to forward requests to port 5060 to the internal IM&Presence server? I would rather avoid this as it does not seem secure to me.

For outbound connections I have to configure a routing target on the IM & Presence server, per documentation this should be the actual SIP server of the Federation partner, not the ASA. How would ASA then be able to proxy the traffic?

The open question is, does ASA have to be in the routing path to interrupt the traffic or not? If not (which I would prefer as I do not need to redesign my DMZ), how would I configure this?

ASA must be configured as TLS proxy and it needs to be in the network path between IM Presence and Microsoft OCS/MOC. That's the only documented way to federate with Microsoft OCS/MOC.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/interdomain_federation/10_5_1/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105_chapter_0110.html