cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1828
Views
10
Helpful
8
Replies

Jabber MRA and Expressway certificates.

givanov
Level 1
Level 1

Hello,

 

I got really badly stuck with deploying MRA for Jabber via Expressway-C/E.

I read through lots of documents, deployment guides and discussions here, but the mess in my head just got bigger.

 

Let me  quickly summarize what I think I am missing:

1. I have the internal SRV records pointing to CUCM (_cisco-uds) and IM&P (_cuplogin);

2. I have the external SRV record _collab-edge pointing directly to the Public IP of Expressway-E (which is NATted to the external LAN2).

This is fine so far!

The certificates are what gets me in trouble. Here are my questions:

1. I need to sign the certs of both Expressway E and C by the same CA. Then upload the root CA and the CA CRL to both systems. Is this right?

2. Is it mandatory to sign something via public CA? If so - what and what is the process?

 

Any help will be greatly appreciated! I've done 100 different things and I am up to the point where I am not sure even in the most basic tasks.

1 Accepted Solution

Accepted Solutions

Jaime Valencia
Cisco Employee
Cisco Employee

I made a video in which I explain certificates, and explain MRA certs

https://youtu.be/_5x8pvhrJOI

 

There are also a lot of Cisco Live sessions dedicated to MRA design and troubleshooting that cover the whole solution, have you watched any of them?

You can also find several resources at SalesConnect.

All of the above is complementary to the MRA configuration guide.

HTH

java

if this helps, please rate

View solution in original post

8 Replies 8

Jaime Valencia
Cisco Employee
Cisco Employee

I made a video in which I explain certificates, and explain MRA certs

https://youtu.be/_5x8pvhrJOI

 

There are also a lot of Cisco Live sessions dedicated to MRA design and troubleshooting that cover the whole solution, have you watched any of them?

You can also find several resources at SalesConnect.

All of the above is complementary to the MRA configuration guide.

HTH

java

if this helps, please rate

Hi Jaime,

 

I actually use your videos pretty often (even in this case, when I was deploying CMS in phase 1 of the project), but it looks like I have missed the one on certificates.  It's just this little thing that I a missing because certificates is not something I do day-to day. Your video makes the things in my head more clear now. And I also watched lots of other sessions.

 

I still have two questions here though. If MRA for Jabber clients is the only thing that I will use Expressway for, can I sign the Expressway-E cert with a private CA and make the devices who will run Jabber trust it will that work? Or the "whole internet" should trust Expressway-E not just Jabber and that's why public CA is a must.

 

The other question is - how can I setup secure TLS connection between Expressway C and E using their own self-signed certificates? I tried with downloading both certs and uploading E cert in C Trusted CA and vice versa, but it doesn't work. Is this even possible.

If you want to take the overhead of distributing the root certificate to all your MRA clients, it will work.

HTH

java

if this helps, please rate

Yes, I know all of the disadvantages of self-signed certs. I just wanted to set it up for a test purpose, because every step with this customer is taking ages and I will probably have signed certs next year.

Thanks anyway!

OK  just for clarification, I'm talking about using a private CA, there's no way to get MRA working with self signed certificates.

HTH

java

if this helps, please rate

Yeah, for the whole MRA setup self-signed won't work.

One last thing. Since you manually accept the server certificates with Jabber, can this server certificate of Expressway-E be signed with private CA or Expressway-E must always be publicly signed? Jabber with MRA and external calls to CMS will be the two things I am deploying Expressway for.

I believe that is everything I wanted to ask in the whole discussion but didn't manage to construct my question.

Hi Jaime,

 

Unable to open the Video.

 

Regards,

AbdulSakkeer

AbdulSakkeer
Collaboration Engineer

Hello, Jaime. Could not obtain the video :(

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: