03-21-2014 08:59 AM - edited 03-18-2019 02:45 AM
Dear support community,
I am currently configuring the VCS Expressway solution (both Expressway E and Expressway C servers). Because of some firewall limitations I need to resolve the Expressway C FQDN directly from the Expressway E server, meaning that I need the Expressway E to resolve the Expressway C FQDN without using DNS server resolution. I was wondering if there is a way to edit the VCS Expressway hosts file (if such a thing exists in the VCS), as anyone can do in operating systems like Linux. I ask this question because I took a .pcap capture from the VCS and in it I saw the DNS query process, but the number one option was 127.0.0.1, which is the Expressway itself. Maybe this connection attempt is just the Expressway looking in its DNS cache, but I am not sure.
Best Regards,
Roberto López.
03-21-2014 12:56 PM
Ah, that's the reason I asked. You don't need DNS for it.
The way it will work is: when the traversal client (in your case Expressway-C) tries to connect to the traversal server (in your case Expressway-E), the traversal server will look at the common name on the cert that was produced by the traversal client. It sees if the Expressway E can match it up with what is specified when you configure the traversal zone on the Expressway E.
Basically DNS is not needed. You just need to make sure that the FQDN of the Expressway C is what is specified in the "TLS verify subject name". Also make sure that if the certs are signed by a CA, the root/intermediate certs are uploaded to both Expressway C/E. Also make sure, in the traversal zone on the Expressway C, you put in the FQDN of the Expressway E and not the IP address.
HTH
03-21-2014 09:48 AM
There is a hosts file on the Expressway, but unfortunately it gets overwritten every time you reboot the device.
The way you would do this would be to open port 53 (UDP) to your internal DNS server and specify the DNS server on the Expressway.
May I ask why you need to resolve the Expressway C IP on the Expressway E? As far as I know, the Expressway E doesn't connect back to the Expressway C. It's always a connection from C to E.
03-21-2014 11:55 AM
Hi George,
Thanks for your answer. Currently the DNS ports are closed in the firewall; since I do not manage the firewall, and because getting DNS working from E to C would require a lot of paperwork and bureaucratic requests that could easily take a week, I was hoping to avoid this waste of time. I need this resolution just for security certificate validation from E to C.
Best Regards,
Roberto.
03-21-2014 01:34 PM
Hi George,
I am going to right away give it a try and let you know the outcome.
Thanks a lot my friend!
Best Regards,
Roberto.
03-21-2014 06:03 PM
Great to hear! You could sign it with a private CA and the users will be able to connect. They will be prompted to accept the certificate; that is the only downside, but it will work fine.
Keep in mind, it's not just the Expressway certs that need to be present in the trust store of the device that is signing in; it's the CA that signed CUCM/CUCN/Presence as well, if you want to do without the certificate prompts.
Also, Cisco is looking into a potential issue where, if you have an intermediate cert, there is a problem with the certificate validation process. This is due to be fixed in a future release. Good luck!
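The two checks George describes in the accepted answer (the presented cert must chain to the CA uploaded to the trust store, and the configured "TLS verify subject name" must match a name in the cert, with no DNS lookup at any point) and the trust-store point in the reply above, as an added example that is neither from this thread nor Cisco's own Expressway code: a POSIX shell script using openssl on an admin workstation. The CA names, the Expressway-C FQDN expc01.corp.example, its SAN alias expc.corp.example and the address 10.0.0.5 are all constructed for the example, and the matching logic is a simplified stand-in for the Expressway's real implementation, not a copy of it.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco Expressway.
# Reproduces, with openssl on an admin workstation, the two checks the
# traversal server applies to the traversal client's certificate:
#   1. the chain must end at a CA present in the trust store, and
#   2. the configured "TLS verify subject name" must match a name in the cert.
# Neither step touches DNS. CA names, FQDNs and the IP address are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

EXPC_FQDN="expc01.corp.example"   # assumed Expressway-C FQDN
EXPC_ALIAS="expc.corp.example"    # assumed extra SAN name on the same cert

# Two private CAs: the one uploaded to the trust store, and an unrelated one
# (stands in for any CA the verifying side has NOT been given).
make_ca() {  # $1 = output basename, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_ca ca      "Example Private CA"
make_ca otherca "Unrelated CA"

# Expressway-C certificate: FQDN in the CN, FQDN and alias in the SAN,
# signed by the trusted private CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$EXPC_FQDN" \
  -keyout "$WORK/expc.key" -out "$WORK/expc.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s,DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
  "$EXPC_FQDN" "$EXPC_ALIAS" > "$WORK/expc.ext"
openssl x509 -req -sha256 -days 365 -in "$WORK/expc.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/expc.ext" -out "$WORK/expc.pem" 2>/dev/null

# Check 1: does the presented cert chain to a CA in the trust store?
chain_ok() {  # $1 = trust store (CA PEM), $2 = presented cert; prints ok|fail
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Check 2: does the configured "TLS verify subject name" match the cert?
# Compares the configured name, case-insensitively, against the subject CN
# and every SAN DNS entry. Only the certificate contents are consulted.
subject_matches() {  # $1 = presented cert, $2 = configured name; prints ok|fail
  want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
  cn="$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')"
  sans="$(openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p')"
  for name in $cn $sans; do
    if [ "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" = "$want" ]; then
      echo ok
      return 0
    fi
  done
  echo fail
}

echo "chain to uploaded CA:           $(chain_ok "$WORK/ca.pem"      "$WORK/expc.pem")"
echo "chain to unrelated CA:          $(chain_ok "$WORK/otherca.pem" "$WORK/expc.pem")"
echo "TLS verify subject name (CN):   $(subject_matches "$WORK/expc.pem" "$EXPC_FQDN")"
echo "TLS verify subject name (SAN):  $(subject_matches "$WORK/expc.pem" "$EXPC_ALIAS")"
echo "TLS verify subject name (IP):   $(subject_matches "$WORK/expc.pem" "10.0.0.5")"
```

Run it with `sh` on a workstation that has openssl; the cert signed by the unrelated CA fails check 1 exactly as a client that has not been given the private CA would fail on the Expressway or CUCM certificates, and the IP-address case fails check 2 because the cert carries only DNS names, which is why an FQDN rather than an IP address belongs wherever a certificate name is going to be compared.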
03-21-2014 05:54 PM
Hi George,
It worked without DNS resolution... you were right.
I signed both certificates with a private CA. Now I guess I will need a trusted signed certificate (like Verisign) for my jabber users when connecting from Internet, am I right?
Thanks again and best regards,
Roberto.