Jabber MRA deployment initial requirements and design information required

mohsin majeed
Level 2

Hi Experts,

I have a BE6000 deployment with CUCM 11.5 and IM&P in a single cluster with no DNS reliance. Now I have a client requirement to configure VPN-less Jabber via Expressway. I have a basic understanding of internal/external DNS records and of certificates enabled on VCS-C and VCS-E. I have some questions as below.

- What are the designs to make this happen?

- Can VCS-C and CUCM be on the same subnet?

- Can VCS-C and VCS-E be on the same subnet, and are two firewalls required? I mean a DMZ.

- What is dual and single NIC deployment?

- What are the minimum requirements I can get from the client, like IP addressing, internal/external domain, public IP etc.?

I am looking for details from other sources also. Meanwhile I hope I can get help from this forum.

Forgive me if I have asked something nonsensical.

Regards,

13 Replies

Dennis Mink
VIP Alumni

Mohsin,

Dual NIC is one NIC facing towards the internet and one NIC facing towards your internal network.

There is no requirement to have the VCS-E in a DMZ; it is just best practice.

The client needs to be either an Android or an iPhone when running on a smartphone; BlackBerrys are not supported.

There is plenty of design documentation on the cisco.com website.

Hi Dennis,

I have a little confusion about the routing. I have attached the topology; please suggest whether the IP assignments are correct.

- We have only one firewall on premises, where public traffic is statically NATed to the ExpE LAN2 IP

- ExpE has LAN1 and LAN2 in different DMZ subnets, where LAN1: 172.16.1.10/24 and LAN2: 172.16.2.10/24

- ExpC has LAN1: 10.10.110.25/24, on the internal network where CM and IMP belong to the same subnet (10.10.110.0/24)

- A static route for the ExpC subnet will be configured on ExpE

- What about GW IP addresses, and anything else if I am missing something?

Regards,

Mohsin, 

The IP assignment looks fine. The default gateway IP on Exp-E will point to the second NIC's network, which will be NAT'ed to the external public IP.

To communicate with Exp-C and any other internal segment (e.g. for management purposes, accessing the web UI or SSH) you need to add static routes for that as well.

Regards,

Alok

Hi Alok,

My final topology is now: Core is installed on the UCS server where CUCM & IMP are, and Edge is installed in the DMZ on the other server.


Core -- 10.10.110.124 (internal subnet, same as CUCM)

Edge (NIC 2) -- points to internal segment -- 10.10.110.125 (internal subnet, same as CUCM)

Edge (NIC 1) -- points to public world -- 172.20.0.104 (DMZ) -- NAT'ed to public IP

- I have some confusion about the internal domain. Does it always mean the internal domain is the Active Directory domain, which in my case is GGI.local as attached? The external domain is ggi-sa.com.

In the above case, will the A records and SRV records in the internal DNS server be configured with ggi.local or ggi-sa.com?

- Second, do we need a jabber-config file to upload in the MRA case, and what is the purpose of this file? Please share if there is a standard content for this file.

- About the certificates in the CSR, what is the purpose of the Subject Alternative Name? Is it a must to configure in an MRA deployment?

- Is a static route on ExpE required in the above topology?

- The A record on external DNS for ExpE should resolve to the public IP?

- The SRV record on external DNS should point to the A record of the ExpE server?

- Does a SIP trunk from CUCM to ExpC need to be configured for MRA?

- Is IM&P configuration required on ExpC for MRA to work?

Regards,


Alok Jaiswal
Level 4

Hi Mohsin,

You can have everything as part of the same subnet; however, VCS-E is normally deployed in a DMZ as a part of best practice, since it's the edge gateway.

From the firewall perspective you don't need two separate firewalls; a 3-legged firewall will also work.

VCS-E can be deployed with a single NIC or dual NIC, but it's advisable to use dual NIC, because with a single NIC deployment, if you invoke the B2BUA, then media passes through VCS-E twice and creates additional delay.

Also, with a single NIC deployment the VCS-C traversal needs to point to the public NAT address, hence all the traffic goes to the firewall first and then hairpins back in to go to VCS-E, which a lot of customers don't want to do.

In case you deploy VCS-E with dual NIC, make sure that both interfaces are on different subnets.

Keep these points in mind when you go to talk to the customer regarding the VCS firewall traversal design.

Regards,

Alok

Hi Alok,

Thanks for your time and for helping me understand some points. Hopefully I will deploy this scenario in a couple of days and will return.

Hi Alok,

Let me explain the structure to you. The client has two sites very near each other, connected with fiber:

- Site A uses the 10.10.110.0/24 subnet, Site B uses 10.10.111.0/24.

- One UCS server is on Site A and the other on Site B.

- Site A collab apps (CM, CUC, IMP) work as publisher and Site B apps as subscriber.

- Both sites have separate firewalls.

- Will I install C & E on a single UCS server, or C on UCS1 and E on UCS2?

- How will my IP scheme be for the Mobile and Remote Access design, as I want to make it as simple as possible? I mean, what IPs will I assign to the interfaces of C & E?

Regards,

Mohsin

Hi Mohsin,

There is no point in having Exp-C & E installed on two separate UCS boxes, because these boxes work in a pair.

Consider, for example, Core on the UCS at Site A and Edge on the UCS at Site B: if either of these sites goes down, your collaboration edge is broken and no outside-to-inside tunneling will happen.

If you want to achieve redundancy, install one instance of Core and Edge on both UCS boxes, and then cluster them for redundancy. Clustering means you need additional licenses; with the CUWL bundle it's not something we need to worry about, but it's worth checking. If you have spare licenses then I would suggest going with clustering, or else just run one pair on whichever UCS box has fewer VMs installed.

From the IP assignment perspective, you can have the Core IP in the same subnet as your Call Manager, but for Edge I would suggest going with a dual NIC design with two DMZ segments.

So, for example, something like below:

Core -- 10.10.98.11

Edge (NIC 1) -- points to public world -- 172.18.210.11 -- NAT'ed to 203.x.x.x

Edge (NIC 2) -- points to internal segment -- 172.18.211.11

Note: For communication between Core and Edge in the above example you also have to add a static route on Edge.

Regards,

Alok
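The routing point in the reply above (default gateway out of the public NIC, a static route on Edge for the Core subnet, and the two NICs on different subnets) is easy to get wrong, so here is an added example, not code from the thread or from Cisco, that models the Expressway-E routing table with the standard library and shows what happens with and without the static route. The interface names LAN1/LAN2 and the gateway addresses (.1 of each DMZ segment) are assumptions; the thread does not state them.

```python
"""Model of an Expressway-E dual-NIC routing table (added example, not from the thread).
Gateway addresses are assumed; the Core and Edge addresses come from the reply above."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass
class Interface:
    name: str
    address: ipaddress.IPv4Interface  # address with prefix, e.g. 172.18.210.11/24

    @property
    def network(self) -> IPNet:
        return self.address.network


@dataclass
class Route:
    prefix: IPNet
    via: Optional[IPAddr]  # next hop; None means directly connected
    interface: str


@dataclass
class ExpresswayE:
    interfaces: list[Interface]
    routes: list[Route] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Connected routes are implied by the interface addresses.
        for nic in self.interfaces:
            self.routes.append(Route(nic.network, None, nic.name))

    def _nic_for(self, gateway: str) -> str:
        gw = IPAddr(gateway)
        for nic in self.interfaces:
            if gw in nic.network:
                return nic.name
        raise ValueError(f"gateway {gateway} is not on any connected subnet")

    def add_default(self, gateway: str) -> None:
        self.routes.append(Route(IPNet("0.0.0.0/0"), IPAddr(gateway), self._nic_for(gateway)))

    def add_static(self, prefix: str, gateway: str) -> None:
        self.routes.append(Route(IPNet(prefix), IPAddr(gateway), self._nic_for(gateway)))

    def lookup(self, dst: str) -> Route:
        # Longest-prefix match, as a real forwarding table does.
        d = IPAddr(dst)
        matches = [r for r in self.routes if d in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen)

    def egress(self, dst: str) -> str:
        return self.lookup(dst).interface

    def nics_on_distinct_subnets(self) -> bool:
        nets = [nic.network for nic in self.interfaces]
        return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def build_edge(with_static_route: bool) -> ExpresswayE:
    """Alok's scheme: LAN1 public-facing, LAN2 towards the internal segment."""
    edge = ExpresswayE([
        Interface("LAN1", ipaddress.IPv4Interface("172.18.210.11/24")),
        Interface("LAN2", ipaddress.IPv4Interface("172.18.211.11/24")),
    ])
    edge.add_default("172.18.210.1")            # assumed firewall leg on the public DMZ
    if with_static_route:
        edge.add_static("10.10.98.0/24", "172.18.211.1")  # assumed firewall leg on the internal DMZ
    return edge


if __name__ == "__main__":
    for flag in (False, True):
        e = build_edge(flag)
        print(f"static route={flag}: Core 10.10.98.11 leaves via {e.egress('10.10.98.11')}, "
              f"internet 203.0.113.50 via {e.egress('203.0.113.50')}")
```

Without the static route the lookup for the Core address falls through to the default route and the traversal traffic would leave on the public NIC; with it, Core is reached via the internal-facing NIC while everything else still goes out to the firewall's public leg. The `nics_on_distinct_subnets` check encodes the "both interfaces on different subnets" requirement from the earlier reply.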

Hi Alok,

Thanks for helping me understand the design. Can we do this? I am asking just to enhance my understanding.

Core -- 10.10.98.11

Edge (NIC 1) -- points to internal segment -- 10.10.98.12

Edge (NIC 2) -- points to public world -- 172.18.210.11 -- NAT'ed to 203.x.x.x

Regards,

Yes, it's pretty much supported and works well, but it's not the best design from a security point of view.

Regards,

Alok

Hi Alok,

I am about to engage with the network team to tell them about my requirements for the MRA deployment. Before going into it, I would like to clear up some points.

Just for information:

- If I go by the design you proposed before, it must not require two physical firewalls, right? We have only 1 firewall; does it mean it must use a 3-legged setup, as you mentioned previously, to fulfill this scenario?

Core -- 10.10.98.11

Edge (NIC 1) -- points to public world -- 172.18.210.11 -- NAT'ed to 203.x.x.x

Edge (NIC 2) -- points to internal segment -- 172.18.211.11

Your suggestion is required on the below:

- I don't need B2B, only MRA, and have only 1 firewall, which is on the edge. The Active Directory internal domain is abc.local but the external one is abc.com. Also, where is the NAT configured, on the firewall or on ExpE? Security should be provided for in this suggestion.

I want to make it as simple as possible so that I can explain to the network team how to make this setup ready for deployment.

If you can, give a brief mentioning the IP address of each entity.

Thanks in advance

Hi Mohsin,

Yes, you will have to use a three-legged firewall in this scenario to achieve this. If you want your solution to just stay with MRA that's fine, though it doesn't take much effort to achieve B2B as well.

NAT will be configured on the firewall, but you also need to define that on Exp-E by enabling NAT on the public-facing interface of Exp-E. You will get a drop-down on the networking page if you have the Advanced Networking option key installed.

If your internal domain is abc.local then I would suggest using abc.com as the login domain for Jabber. That would be the best.

So all your servers (CUCM, Unity, IM&P and Exp-C) will be in the domain abc.local with enterprise-signed certificates. Exp-E will be in the domain abc.com and have a public-signed certificate.

Keep in mind that with the above approach Jabber users may get a certificate pop-up window to accept, if the enterprise CA root certificate is not installed on the devices, e.g. PCs and handheld devices. It's just one time during the first login, but some users find it annoying.

You can get rid of it by installing all the servers with public CA-signed certificates, because all devices by default have the public trusted root CAs installed.

Regards,

Alok

Hi Alok,

Thanks again, I hope this conversation will go on till I successfully deploy :)

Can you give a little more idea about the 3-legged setup, i.e. what needs to be configured on which device?

Also, you mentioned:

"If your internal domain is abc.local then I would suggest using abc.com as the login domain for Jabber. That would be the best."

Does this simply mean using the .com domain to log in to Jabber, or does it require some settings, I mean in the XML file, to achieve this?