I am deploying a single CMS server with Expressway Edge for my client. The deployment should support external parties joining CMS meetings via WebRTC, and B2B video calls with external standard SIP endpoints as well as Microsoft S4B O365 endpoints.
My customer's company domain (abc.com) has already been used for the S4B O365 service.
I mean _sipfederationtls._tcp.abc.com has already been registered with the Microsoft service. So an internally registered standard SIP endpoint should be able to call S4B O365 endpoints through the call path CUCM->exp-C->CMS->exp-C->exp-E. My question is how S4B O365 endpoints call the customer's internally registered video endpoints.
Do I need another sipfederationtls SRV record pointing to the Expressway-E on the public DNS server?
If yes, can I use a subdomain, e.g. conf.abc.com, for this purpose?
So the SRV record may be something like _sipfederationtls._tcp.conf.abc.com.
By the way, since this is a B2B call using the Expressway pair, are any other firewall ports required apart from the standard Expressway port requirements?
O365 will look for the _sipfederationtls SRV record for your on-premises video endpoints, so a different domain or subdomain is needed. The configuration and requirements for video calls between Cisco and Microsoft environments are covered in the Cisco Expressway Options with Cisco Meeting Server and/or Microsoft Infrastructure (Expressway X8.9.2).
Thanks for your comment. I did all the steps in the guide, but when I call CUCM endpoints from the Skype client, the call does not reach the Expressway-E. I added the _sipfederationtls._tcp SRV record on the external DNS server, targeting the Expressway-E external FQDN. The SRV can be resolved via Windows cmd nslookup and even the Cisco TAC SRV record checking tool.
What else can I do to make this work?
Yes. I finally made it work. The Expressway-E must use a public CA certificate. The _sipfederationtls._tcp.domain must match the Expressway-E FQDN domain,
meaning _sipfederationtls._tcp.abc.com must point to expressway-E.abc.com,
not expressway-E.conf.abc.com.
But the Cisco guide document says that the SRV _sipfederationtls._tcp.msdomain must point to S4B, and the other SRV _sipfederationtls._tcp.ciscodomain must point to the Expressway-E public FQDN. In your example the Cisco domain is conf.abc.com.
Are you saying that _sipfederationtls._tcp.msdomain must point to the Expressway-E FQDN in msdomain?
Is the cisco guide wrong on how those SRV must be configured?
I'm also wondering something else related to this - Microsoft recommends using a load-balanced A record of sip.domain.com for S4B federation redundancy.
Could we have an SRV record for _sipfederationtls._tcp.conf.example.com pointing to sip.conf.example.com, which in turn load balances between exp-e1.example.com and exp-e2.example.com, without having to change the certificates etc. on the Expressways to use a subdomain? Or would we still need to change to exp-e1.conf.example.com etc.?
I didn't use my current deployment as the example, so it might have confused you.
My deployment is as below:
For the MS platform, there should be an SRV record pointing to the MS side:
_sipfederationtls._tcp.abc.com should point to the MS platform, because the customer had already registered abc.com as the MS SIP domain.
_sipfederationtls._tcp.abc.com SRV service location:
priority = 100
weight = 1
port = 5061
svr hostname = sipfed.online.lync.com
As for the Cisco platform, I used conf.abc.com as the Exp-E domain:
_sipfederationtls._tcp.conf.abc.com SRV service location:
priority = 100
weight = 1
port = 5061
svr hostname = EXPRESSE01.conf.abc.com
The very, very important thing here is that
_sipfederationtls._tcp.conf.abc.com must point to EXPRESSE01.conf.abc.com.
You CAN'T point this SRV record to EXPRESSE01.abc.com,
meaning that on the customer's external DNS server, a subdomain conf.abc.com was created.
The Expressway-E A record pointing to the Expressway-E public IP must be placed under the conf.abc.com subdomain.
The next step is that you should add/change the top-level domain and cluster domain to conf.abc.com in the CUCM enterprise parameters.
The Expressway-E must use a public CA-signed certificate with multiple SANs, because you need to include both conf.abc.com and abc.com in the public CA-signed certificate.
The SANs should include:
DNS Name=expresse01.abc.com (this dns record was added on customer's public dns)
DNS Name=www.expresse01.abc.com (added by default when generating the certificate request)
DNS Name=join.abc.com (for CMS WebRTC via the Expressway-E proxy)
DNS Name=abc.com (AD domain)
DNS Name=cms.abc.com (CMS FQDN)
DNS Name=expresse01.conf.abc.com (Must be included, this is the most important record)
because during the certificate exchange, MS will ignore the common name in the public certificate;
instead, MS will look for the domain (conf.abc.com) among the SANs.
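As an added check, not code from the original thread or from any Cisco or Microsoft tool, the following Python encodes the two rules the post above settles on for the Cisco side: the target of _sipfederationtls._tcp.<domain> must be a host inside that same <domain>, and the Expressway-E public certificate must carry that target FQDN as a DNS SAN (the CN being ignored). The SRV records and SAN list are constructed from the abc.com / conf.abc.com layout described above; nothing is resolved against live DNS or a live certificate. The Microsoft-side record (_sipfederationtls._tcp.abc.com pointing at sipfed.online.lync.com) is Microsoft's hosted service and is deliberately not fed through this check.

```python
"""Check a federation SRV record against the Expressway-E certificate SANs.

Added example, not from the original post.  It encodes the two rules the
post above arrives at for the on-premises side:
  1. the _sipfederationtls._tcp.<domain> target must be a host under <domain>
  2. the Expressway-E certificate must list that target FQDN as a DNS SAN
All names below are constructed to mirror the abc.com / conf.abc.com layout
in the thread; nothing is looked up live.
"""
from dataclasses import dataclass
from typing import Iterable, List

SRV_PREFIX = "_sipfederationtls._tcp."
FEDERATION_PORT = 5061  # SIP over TLS, as in the SRV records quoted above


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot before comparing."""
    return name.rstrip(".").lower()


@dataclass
class SrvRecord:
    owner: str    # e.g. _sipfederationtls._tcp.conf.abc.com
    target: str   # e.g. EXPRESSE01.conf.abc.com
    port: int = FEDERATION_PORT
    priority: int = 100
    weight: int = 1


def sip_domain(owner: str) -> str:
    """Return the SIP domain a _sipfederationtls._tcp. owner name federates."""
    owner = normalize(owner)
    if not owner.startswith(SRV_PREFIX):
        raise ValueError(f"{owner!r} is not a _sipfederationtls._tcp. owner name")
    return owner[len(SRV_PREFIX):]


def host_in_domain(host: str, domain: str) -> bool:
    """True when host sits under domain, e.g. EXPRESSE01.conf.abc.com in conf.abc.com."""
    host, domain = normalize(host), normalize(domain)
    return host.endswith("." + domain)


def check_federation(srv: SrvRecord, san_names: Iterable[str]) -> List[str]:
    """Return a list of problems; an empty list means the layout matches the post."""
    problems: List[str] = []
    domain = sip_domain(srv.owner)
    sans = {normalize(n) for n in san_names}

    if srv.port != FEDERATION_PORT:
        problems.append(f"SRV port is {srv.port}, expected {FEDERATION_PORT} (TLS)")
    if not host_in_domain(srv.target, domain):
        problems.append(
            f"SRV target {srv.target} is not under {domain}; "
            f"the Expressway-E A record must live in the {domain} zone")
    if normalize(srv.target) not in sans:
        problems.append(
            f"certificate SAN list lacks {srv.target}; the CN is ignored, "
            f"so the target FQDN must be present as a DNS SAN")
    return problems


# Constructed records mirroring the thread (hypothetical names, not real hosts).
WORKING_SRV = SrvRecord("_sipfederationtls._tcp.conf.abc.com", "EXPRESSE01.conf.abc.com")
BROKEN_SRV = SrvRecord("_sipfederationtls._tcp.conf.abc.com", "EXPRESSE01.abc.com")

FULL_SANS = [
    "expresse01.abc.com",
    "join.abc.com",
    "abc.com",
    "cms.abc.com",
    "expresse01.conf.abc.com",  # the entry the post calls most important
]
SANS_MISSING_CONF = [n for n in FULL_SANS if n != "expresse01.conf.abc.com"]

if __name__ == "__main__":
    cases = [
        ("working layout", WORKING_SRV, FULL_SANS),
        ("target outside subdomain", BROKEN_SRV, FULL_SANS),
        ("SAN missing target", WORKING_SRV, SANS_MISSING_CONF),
    ]
    for label, srv, sans in cases:
        issues = check_federation(srv, sans)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

The second and third cases reproduce the two mistakes the post warns about: an SRV under conf.abc.com whose target is a host in abc.com, and a certificate whose SAN list omits expresse01.conf.abc.com. Both surface as a single reported problem; only the first case passes cleanly.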