Expressway internal & External are different

SachinS1
Level 1

I am deploying an Expressway setup for MRA & B2B.

Internal & external domains are different.

Internal: example.in and External: abc.com

I have deployed Expressway in a cluster.

Expressway C: 2 nodes.

Expressway E: 2 nodes (dual NIC).

The domain configured on Expressway C is example.in, and the domain configured on Expressway E is abc.com.

I am about to generate the CSR on the Expressway C & E clusters.

I want to know what SAN I have to specify while generating the CSR on the C & E clusters, if I have internal: example.in & external: abc.com.

More specifically, I now have 2 different FQDNs for the Expressway E nodes.

exp-e1.abc.com (public)

exp-e1.example.in (internal), resolving to the internal NIC on the LAN 1 network.

And the same for the exp-e2 node.

exp-e2.abc.com (public)

exp-e2.example.in (internal), resolving to the internal NIC on the LAN 1 network.

I would appreciate it if someone can guide me through the steps to generate the CSR on the C & E clusters.


You don’t need an entry on your DNS for exp-e1.example.in, which resolves to the internal NIC of the Expressway. Instead, create a subzone on the DNS for abc.com and add exp-e1.abc.com, which resolves to the Expressway E Internal NIC IP that C uses to communicate.

On the Expressway, you can use the Cluster FQDN as the CN name, and the SAN must include the FQDN of the peer and the domain abc.com.

For C, you can use the CN as the Expressway C Cluster FQDN, and the SAN must include the Peer FQDN.


SachinS1
Level 1

I have configured the example.in domain on both Expressway E nodes.

exp-e1.example.in and exp-e2.example.in resolve to the internal interface, and these FQDNs were used for Expressway E clustering as well.

Is it OK if I configure both the internal and external domains on Exp E, along with the hosts (exp-e1.example.in, exp-e2.example.in, exp-e1.abc.com, exp-e2.abc.com), in the SAN while generating the CSR on the Expressway E nodes? I mean, can I configure exp-e1 & e2 along with both example.in and abc.com as SANs while generating the CSR?

Expressway E is an internet-facing device and must be signed by a public CA like Digicert or GoDaddy. The public CA won’t sign a CSR if you include an internal domain in the SAN field; it must only contain a publicly available domain. The Expressway must be on a public domain and never on an internal domain.

The Expressway E CSR must include the peer IPs as SANs if you are using the CN as the Cluster FQDN. Additionally, abc.com must also be included in the SAN field.

As I mentioned in my first reply, for C to communicate, add a subdomain for abc.com on your internal DNS and add entries for Exp-e1.abc.com and Exp-e2.abc.com to their internal NIC IP addresses.

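The two replies above come down to a name-planning exercise: CN = cluster FQDN, SAN = every peer FQDN plus the domain, and (for Expressway E) nothing a public CA will refuse. The script below is an added example, not code from the thread or from Cisco; Expressway normally builds its CSR from its own web UI, so this is only for planning and pre-checking the name list. It uses the thread's hostnames and domains; the cluster FQDN exp-e.abc.com is an assumed value, and the "public CA will reject this" rule is a plain suffix check against the domains you declare public, which is the warning in the reply above reduced to code.

```python
"""Added example (not from the thread or Cisco): plan and pre-check the
SAN list for an Expressway cluster CSR before sending it to a CA.

Hostnames and domains are the thread's (exp-e1/exp-e2, abc.com,
example.in); the cluster FQDN exp-e.abc.com is an assumption.
"""
from typing import Iterable, List


def build_csr_config(cn: str, dns_sans: Iterable[str], key_bits: int = 4096) -> str:
    """Return an OpenSSL config usable with `openssl req -new -config <file>`.

    CN is the cluster FQDN. Every DNS name the peers answer to also goes in
    the SAN list, because clients match on SAN, not CN; the CN is repeated
    as DNS.1 for that reason.
    """
    names = list(dict.fromkeys([cn, *dns_sans]))  # dedupe, keep order, CN first
    alt = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names, 1))
    return (
        "[req]\n"
        f"default_bits = {key_bits}\n"
        "prompt = no\n"
        "distinguished_name = dn\n"
        "req_extensions = ext\n"
        "[dn]\n"
        f"CN = {cn}\n"
        "[ext]\n"
        "subjectAltName = @alt_names\n"
        "[alt_names]\n"
        f"{alt}\n"
    )


def _under_domain(name: str, domain: str) -> bool:
    """True if `name` is the domain itself or a host beneath it."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def not_under_public_domains(dns_sans: Iterable[str], public_domains: Iterable[str]) -> List[str]:
    """SAN entries a public CA cannot validate: anything outside the public domains.

    For the Expressway E CSR this list should be empty before you submit it.
    """
    public = list(public_domains)
    return [n for n in dns_sans if not any(_under_domain(n, d) for d in public)]


def _san_matches(required: str, san: str) -> bool:
    """RFC 6125-style match: exact name, or a single-label wildcard in the leftmost position."""
    required, san = required.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        r_labels, s_labels = required.split("."), san.split(".")
        return len(r_labels) == len(s_labels) and r_labels[1:] == s_labels[1:]
    return required == san


def missing_names(required: Iterable[str], dns_sans: Iterable[str]) -> List[str]:
    """Required names (cluster FQDN, each peer FQDN, the domain) that the SAN list does not cover."""
    sans = list(dns_sans)
    return [r for r in required if not any(_san_matches(r, s) for s in sans)]


# Constructed plan for the Expressway E cluster in the thread.
EXP_E_CLUSTER = "exp-e.abc.com"          # assumed cluster FQDN
EXP_E_PEERS = ["exp-e1.abc.com", "exp-e2.abc.com"]
EXP_E_SANS = [*EXP_E_PEERS, "abc.com"]   # peers plus the domain

if __name__ == "__main__":
    print(build_csr_config(EXP_E_CLUSTER, EXP_E_SANS))
    required = [EXP_E_CLUSTER, *EXP_E_PEERS, "abc.com"]
    print("missing from SAN:", missing_names(required, [EXP_E_CLUSTER, *EXP_E_SANS]))
    # An internal-domain alias slipped into the E CSR is flagged here:
    print("rejected by public CA:",
          not_under_public_domains([*EXP_E_SANS, "exp-e1.example.in"], ["abc.com"]))
```

Write the returned config to a file and generate the key and CSR with `openssl req -new -newkey rsa:4096 -nodes -keyout exp-e.key -config csr.cnf -out exp-e.csr`, then confirm the names with `openssl req -in exp-e.csr -noout -text`. The same two checks apply to the Expressway C CSR with the internal domain treated as acceptable, since that certificate is signed by your internal CA rather than a public one.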


Vaijanath Sonvane
VIP Alumni

Hi @SachinS1,

The Expressway-E servers must be configured with a public domain name, which will correspond to their fully qualified domain name (FQDN). For secure deployments like MRA, each Expressway-E peer needs a certificate with a Subject Alternative Name (SAN) that includes its public FQDN. If the Expressway-E server is also recognized by additional FQDNs (e.g., exp-e1.example.in and exp-e2.example.in), all these aliases should be included in the server certificate's SAN.

Cluster Address Mapping is required as the DNS resolution of the FQDN will likely point to the public IP address.

Please refer to below two documents:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X14-3/cluster_creation_maint/exwy_b_cisco-expressway-cluster-creation-and-maintenance-deployment-guide-x143.pdf

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X14-3/cert_creation_use/exwy_b_cisco-expressway-certificate-creation-and-use-deployment-guide-x14-3.pdf


Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.