Jabber VCS Expressway - internal DNS resolution from Expressway itself

Dear support community,

I am currently configuring the VCS Expressway solution (both Expressway E and Expressway C servers). Because of some firewall limitations I need to resolve the Expressway C FQDN directly from the Expressway E server, meaning that I need the Expressway E to resolve the Expressway C FQDN without using DNS server resolution. I was wondering if there is a way to edit the VCS Expressway hosts file (if such a thing exists in the VCS) like anyone can do in operating systems like Linux. I ask this question because I took a .pcap capture from the VCS and in there I saw the DNS query process, but the number one option was 127.0.0.1, which is the Expressway itself. Maybe this connection attempt is just the Expressway looking in its DNS cache, but I am not sure.

Best Regards,

Roberto López.

6 Replies

George Thomas
Level 10

There is a hosts file on the Expressway but unfortunately that gets overwritten every time you reboot the device.

The way you would do this will be to open port 53 (UDP) to your internal DNS server and specify the DNS server on the Expressway.

May I ask why you need to resolve the Expressway C IP on the Expressway E? As far as I know, the Expressway E doesn't connect back to the Expressway C. It's always a connection from C to E.

Please rate useful posts.

Hi George,

Thanks for your answer. Currently the DNS ports are closed in the firewall. Since I do not manage the firewall, and because having DNS working from E to C would require a lot of paperwork and bureaucratic requests that could easily last a week, I was hoping to avoid this waste of time. I need this resolution just for security certificate validation from E to C.

Best Regards,

Roberto.

Ah, that's the reason I asked. You don't need DNS for it.

The way it will work is when the traversal client (in your case Expressway-C) tries to connect to the traversal server (in your case Expressway-E), the traversal server will look at the common name on the cert that was produced by the traversal client. It checks whether the Expressway E can match it up with what is specified when you configure the traversal zone on the Expressway E.

Basically DNS is not needed. You just need to make sure that the FQDN of the Expressway C is what is specified in the "TLS verify subject name". Also make sure that if the certs are signed by a CA, the root/intermediate certs are uploaded to both Expressway C/E. Also make sure that, in the traversal zone on the Expressway C, you put in the FQDN of the Expressway E and not the IP address.


HTH

Please rate useful posts.
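As an added illustration of the name-based check George describes (example code written for this thread, not Cisco's Expressway implementation or anything posted here), the following models both directions of the traversal zone check: Expressway-E compares the name in the client certificate against its configured "TLS verify subject name", and Expressway-C compares the name it was configured to dial against the server certificate. The certificates are constructed samples in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, the hostnames are placeholders, and exact (non-wildcard) matching is an assumption of the example.

```python
"""Name-based peer verification: the peer is identified by the name its
certificate carries, compared with a configured name, so no DNS lookup of
the peer is involved. Certificate dicts below are constructed samples in
the shape returned by ssl.SSLSocket.getpeercert()."""
from __future__ import annotations

from typing import Any


def cert_names(cert: dict[str, Any]) -> set[str]:
    """Collect the DNS names a certificate asserts: subject CN plus SAN dNSName entries."""
    names: set[str] = set()
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(cert: dict[str, Any], expected: str) -> bool:
    """Exact, case-insensitive match of the configured name against the cert's names.
    Assumption: no wildcard handling, so a certificate issued to a bare FQDN is
    matched only by that FQDN and never by an IP address typed into the zone."""
    return expected.strip().lower() in cert_names(cert)


# Constructed sample: the certificate Expressway-C presents to Expressway-E.
EXPC_CERT = {
    "subject": ((("commonName", "expc.example.internal"),),),
    "subjectAltName": (("DNS", "expc.example.internal"),),
}

# Constructed sample: the certificate Expressway-E presents to Expressway-C.
EXPE_CERT = {
    "subject": ((("commonName", "expe.example.com"),),),
    "subjectAltName": (("DNS", "expe.example.com"),),
}


def traversal_server_accepts(client_cert: dict[str, Any], tls_verify_subject_name: str) -> bool:
    """Expressway-E side: accept the traversal client only if its cert carries the configured name."""
    return name_matches(client_cert, tls_verify_subject_name)


def traversal_client_accepts(server_cert: dict[str, Any], configured_peer_address: str) -> bool:
    """Expressway-C side: the peer address configured in the zone must appear in E's cert."""
    return name_matches(server_cert, configured_peer_address)
```

The last function is where "put in the FQDN of the Expressway E and not the IP address" bites: an IP address in the zone's peer address field will never match a certificate that only names the FQDN.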

Hi George,

I am going to give it a try right away and let you know the outcome.

Thanks a lot my friend!

Best Regards,

Roberto.

Great to hear! You could sign it with a private CA and the users will be able to connect. They will be prompted to accept the certificate, that is the only downside, but it will work fine.

Keep in mind, it's not just the Expressway certs that need to be present in the trust store of the device that is signing in, it's the CA that signed CUCM/CUCN/Presence as well if you need to do without the certificate prompts.

Also, Cisco is looking into a potential issue where if you have an intermediate cert, there is a problem with the certificate validation process. This is due to be fixed in a future release. Good luck!

Please rate useful posts.

Hi George,

It worked without DNS resolution... you were right.

I signed both certificates with a private CA. Now I guess I will need a trusted signed certificate (like Verisign) for my jabber users when connecting from Internet, am I right?

 

Thanks again and best regards,

Roberto.