cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1319
Views
35
Helpful
4
Replies

SX20 MRA Regisration Through Expressway

scr.sybex1
Level 1
Level 1

Dear

I have 60 SX20 on Branches, and CUCM 11.5 and CUP 11.5, Expressway 12.7 that Oauth Authentication is in disable state.

the cucm cluster security mode is mixed mode.

the problem is that when i want to register sx20 through mra to cucm the following error that is in attachment is shown and when i change the procotol from tls to tcp the error is "Cannot Get Config from edge server"

another thing that i found in cisco log analyzer tool is that, the expressway-e cannot verify sx20 certificate. (why the expressway is validating sx20 certificate, is there anyway that i can't disable client certificate validation on expressway.)

attach the expressway-e/c log on the meesage.

appreciate if someone could help me to find the cause of this issue.

4 Replies 4

b.winter
VIP
VIP

Hi,

 

is it possible to register with Jabber over MRA (in unsecure mode)?

CSA says, that your EXP-E hasn't a public IP configured. Have you already checked that?

 

--- Please rate this post as "Helpful" or accept as a solution, if your question has been answered ---

yes the jabber registration through MRA work perfectly.

I use the expressway on intranet service, because of that i didn't configure Public IP address on it. but everything work perfectly through MRA except the SX20 registration.

So you mean you are not using this for Internet, but your own private network. Why do you need an Expressway for this scenario ?

 

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/211304-Collaboration-Edge-TC-based-Endpoints-Co.html

 

EX, MX, and SX Series Endpoints (Running TC Software)

Ensure that the provisioning mode is set to Cisco UCM via Expressway.

These devices must verify the identity of the Expressway-E they are connecting to by validating its server certificate. To do this, they must have the certificate authority that was used to sign the Expressway-E's server certificate in their list of trusted CAs.

The devices ship with a list of default CAs which cover the most common providers (including Verisign and Thawte). If the relevant CA is not included, it must be added (for instructions, see the endpoint administrator guide).

Mutual authentication is optional, and these devices are not required to provide client certificates. If you do want to configure mutual TLS, you cannot use CAPF enrolment to provision the client certificates. Instead, manually apply the certificates to the devices. The client certificates must be signed by an authority that is trusted by the Expressway-E.

 



Response Signature


scr.sybex1
Level 1
Level 1

The problem solve by upgrading sx firmware.