Expressway-C & E MRA Certificates TLS connection

dbooth
Level 1

Cannot get Expressway-C & E X8.2.1 to form a TLS connection for MRA traversal. We have generated an SSL certificate using a client and server certificate template on a Windows Server CA, and have uploaded this certificate to the Expressway-C and the CA chain to the Expressway-E, but the TraversalClient zone fails to form the TLS connection. The Event Log shows 'unable to get local issuer certificate'. Yet the Client certificate testing tool shows the certificate is good when checked. Certificate revocation checking under SIP is set to Off. Can anyone advise why the TLS connection won't form? Thanks.


George Thomas
Level 10

What have you set as peer address for the traversal zone on the Exp-C?

Please rate useful posts.

And doesn't the peer address need to appear in the certificate SAN or Common Name (certainly this is true when you use TLS validation on a traversal zone, but isn't this a requirement on the Expressway-C/E?).

Also, is this supposed to be a two-way thing, i.e. you need to upload certificates on both Expressway-C/E plus the CA on both, as both act as server and client?

I'm not too familiar with the CUCM environment, but I assume that the traversal zone acts in a similar way to that on the standard VCS-C/E?

dbooth
Level 1

Thanks both for the replies.  It turned out it wasn't the private CA-signed Expressway-C cert that was the problem - it was the public CA wildcard certificate on the Expressway-E that was causing the authentication issue (presumably as the CN wasn't an exact match for the connecting Expressway-C).  Bit disappointing that a wildcard certificate wouldn't be accepted (surely the logic to match the CN in the case of a wildcard wouldn't be a problem?).
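The two checks this thread turns on, the chain check behind 'unable to get local issuer certificate' in the original post and the peer-name check against the certificate that tripped on the wildcard, shown as an added example; this is not code from the original thread and not Cisco or Expressway code. A constructed private CA (the name, the hostnames expc.example.internal / *.example.com / expe.example.com, and the three test certificates are all assumptions for the demonstration) issues leaves with Go's standard crypto/x509, and verifyPeer reports which of the two checks fails for a given trust store and configured peer address. The verdicts follow Go's own matching rules (a single-label wildcard matches, the Common Name is ignored when there is no SAN), which illustrate the mechanism, not Expressway's policy; per the deployment guide cited later in this thread, Expressway does not support wildcard certificates at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and signs tmpl with parentKey (nil = self-signed); constructed test PKI only.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, nil)
}

// issueLeaf cuts a "client and server" leaf; dnsNames == nil yields a CN-only certificate with no SAN.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string, dnsNames []string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leaf, _ := issue(tmpl, ca, caKey)
	return leaf
}

// verifyPeer chains the leaf to a trusted CA, then matches the configured peer address against its
// DNS SANs; "unknown-authority" is the case OpenSSL reports as "unable to get local issuer certificate".
func verifyPeer(leaf *x509.Certificate, roots *x509.CertPool, peerAddress string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: peerAddress})
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &x509.UnknownAuthorityError{}):
		return "unknown-authority"
	case errors.As(err, &x509.HostnameError{}):
		return "hostname-mismatch"
	default:
		return "error: " + err.Error()
	}
}

// scenarios runs the cases the thread turns on and returns a verdict per case.
func scenarios() map[string]string {
	ca, caKey := newCA("Constructed Example Root CA") // stands in for the thread's Windows Server CA; name assumed
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	noCA := x509.NewCertPool() // a trust store that never received the CA chain
	exact := issueLeaf(ca, caKey, 2, "expc.example.internal", []string{"expc.example.internal"})
	wildcard := issueLeaf(ca, caKey, 3, "*.example.com", []string{"*.example.com"})
	cnOnly := issueLeaf(ca, caKey, 4, "expe.example.com", nil)
	return map[string]string{
		"exact SAN, CA trusted":      verifyPeer(exact, trusted, "expc.example.internal"),
		"exact SAN, CA not uploaded": verifyPeer(exact, noCA, "expc.example.internal"),
		"wildcard vs one label":      verifyPeer(wildcard, trusted, "expe.example.com"),
		"wildcard vs bare domain":    verifyPeer(wildcard, trusted, "example.com"),
		"CN only, no SAN":            verifyPeer(cnOnly, trusted, "expe.example.com"),
	}
}

func main() {
	for name, verdict := range scenarios() {
		fmt.Printf("%-28s %s\n", name, verdict)
	}
}
```

The "exact SAN, CA not uploaded" case reproduces the original poster's symptom: the leaf is perfectly valid (a certificate testing tool would pass it), but the peer doing the verification has no copy of the issuing CA, so chain building fails before anything about names is considered. The wildcard and CN-only cases show why a hostname-matching validator still needs the configured peer address to appear in the SAN, and why a validator that refuses wildcards (as Expressway does per the guide cited in this thread) would reject the *.example.com certificate even where Go accepts it.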

I'm pretty sure that one of the deployment guides (perhaps with regard to Certificates, perhaps with regard to VCS Deployment) says that wild-card certificates are NOT supported. This seems to be common on other UC-type platforms (e.g. Lync).

Your recollection is correct; it is mentioned in one of the documents. Chances are you will already have invested in a wildcard certificate, though, if it is appropriate for the rest of your infrastructure.

Interestingly, when the Expressway was incorrectly configured with the wrong type of TraversalZone (not UC), the wildcard cert wasn't an issue and the Core was happy to form a tunnel. When the TraversalZone error came to light and the zones were replaced with the correct type, it suddenly decided the wildcard certificate was a problem.

Interesting. As mentioned, we don't use CUCM, but even reading one of the deployment guides recently to set up authentication delegation for Jabber for TelePresence with TMS, it stated that we should use a UC traversal zone. I promptly ignored this and set up a normal traversal zone with certificates, and in our deployment all is working well. I don't know what this might break in the CUCM environment (if anything), but it certainly is OK in a normal VCS-C/E with TMS deployment.

That's correct, it works fine with normal Jabber for TP (Movi) and traversal zones. For Jabber for Windows and CUCM, we need to use a UC traversal zone due to the search rules that get automatically created.

Please rate useful posts.