asmlicense
Beginner

Expressway DNS requirements

Hello, I would like to clear up my confusion about the Expressway DNS requirements. Currently, there are separate internal and external domains. I want to install the Expressway with a single interface.

What are the appropriate DNS configurations for it? I am aware of the SRV record stuff. What I also wonder: do I need split DNS?

In the case of separate internal and external domains, how will Jabber resolve username@externaldomain.com on the local network? I saw some blogs that say to change the external domain in the jabber-config file, but I don't want to play with every Jabber client.

Is there any better solution for a single user login identity on both the internal and external networks? I think that if I add another externaldomain.com zone on the internal network (with the Expressway at a local IP address, to resolve username@externaldomain.com), it can do the job.

So internally, I will have internaldomain.local and externaldomain.com zones with A records mapping to local IPs.


Jaime Valencia
Hall of Fame Cisco Employee

You will also need NAT reflection; using a single NIC is not the recommended deployment.

If you're going to use a different domain internally and externally, you have no choice but to use the voice services domain parameter in the .xml for that to work. If you want only a few devices to use that, use the Cisco Support Field to have them use a special jabber-config file.

If you don't want to do any translation, you would need to use the same domain internally and externally.

HTH

java

if this helps, please rate

Can I manage to use the single external domain? I think I could create externaldomain.com in the internal DNS, but mapped to the local IP address of the Expressway? So the Expressway will be resolvable in both the external and internal domains with the same SRV and A records, but in the local domain I will point at internal IP addresses, and externally I will point at the public IP. The user will just try username@externaldomain.com.

Because I don't know how many users will connect, I would have to change every user's jabber-config file, which is not an option for me.

If you add the external domain on your internal network, you CANNOT make the Expressway resolvable from within. This is actually a split DNS topology.

The DNS configuration should be:

  • externaldomain.com on the external side: resolving only the Expressway-E.
  • externaldomain.com on the internal side: resolving only the CUCM & IM&P servers.

For me, this is the preferred topology. But keep in mind that from now on, if you go and do split DNS, you'll have to maintain all the DNS records that are currently on the internet on your private network as well; otherwise, people connected to the private network won't be able to access services located under 'externaldomain.com', because it won't be resolved.

But in that preferred topology, I have to change the jabber-config file for each user. Do you think that is the correct solution for 100 users?

You said "you'll have to maintain all the DNS records that currently on the internet, also on your private network". Can you clarify this a little bit more? In the public domain, I will have the collab-edge record and the A record of the Expressway-E mapping to the public IP. So how will I maintain them in the local domain? Example?

You won't have to change the jabber-config for each user; you'll only have to change the main one, once, and add this:

<Policies>
<VoiceServicesDomain>externaldomain.com</VoiceServicesDomain>
</Policies>

Unless I'm missing something?

About maintaining the DNS records.

Say, for example, you have a website that can be accessed under 'externaldomain.com' from the internet, and currently also from within the organization.

How is it that they can access it from within today? It's because you have some DNS forwarding rules to public DNS servers that resolve this domain.

BUT... when you add a new zone called 'externaldomain.com' in your organization, when a person tries to access the website that is on this domain, he won't be able to access it anymore. It's because now, when a computer in the organization sends a DNS query for this domain, your DNS server will find this domain on your network and won't try to resolve it on the public internet. So it means that all the A, MX, SRV, etc. records that are configured on the internet, you'll have to configure one by one on the inside too; otherwise your organization will cease to communicate with services under this domain.

So if you have a huge DNS on the public internet, it can be very messy to maintain it on the internal network. If it's a small one, with a few A records, you can do it easily, but you just need to remember all the time that each change you make on the public internet, you'll have to make on the internal side too.

And for your question about the _collab-edge SRV record: you mustn't configure this SRV on your internal network, because you don't want people to communicate with the Expressway when they're on the internal network. When a person is logged in to the internal network, all he needs is to communicate with the internal services: CUCM, Unity, IM&P.

And one last thing... because your users are connected to the domain 'internaldomain.com', and not to the external one, it means that you'll have to configure the _cisco-uds and _cuplogin SRV records on your internal network for both domains:

  • internaldomain.com
  • externaldomain.com

It should work. I did a few setups like that.

To be clear, my purpose in creating externaldomain.com in the local DNS is just for the Expressway. So I won't need any other records or updates. I will add the same records needed for internal login, but this time for externaldomain.com.

So in the local DNS there will be 2 zones, with the same records for each:

internaldomain.com:

  • cucm01.internaldomain.com - 192.168.10.10
  • _cisco-uds - cucm01.internaldomain.com

externaldomain.com:

  • cucm01.externaldomain.com - 192.168.10.10
  • _cisco-uds - cucm01.externaldomain.com

On the internet:

The user logs in as username@externaldomain.com. Jabber cannot find the _cisco-uds record, starts to look for _collab-edge, finds the EXPe and connects.

On the local network:

The user logs in as username@externaldomain.com. Jabber finds the _cisco-uds record (because I created the externaldomain.com zone in the local DNS) and will connect.

Will it work?

It will work.

BUT, as I mentioned already, creating 'externaldomain.com' in your local DNS will affect your internal users, so you cannot just add the '_cisco-uds' there; you'll have to add all the records (A, MX, SRV, etc.) that are configured on the internet to your 'externaldomain.com', of course without the _collab-edge. That'll be the only difference between them.

So if you do it, do it very carefully, and not during your company's working hours; how long it takes depends on the size of your DNS records and configuration (on the public internet).
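The split-DNS behaviour described in the explanation above (every public record mirrored inside except _collab-edge, and _cisco-uds for both domains internally) and confirmed in this accepted answer can be checked before a change window rather than discovered by internal users. The following is an added example, not code from the thread or from Cisco: two hand-built dicts stand in for the public and the internal copy of externaldomain.com, the `discover` function walks the SRV lookup order named in the thread (_cisco-uds, _cuplogin, _collab-edge), and `split_dns_gaps` lists what the internal copy is missing. Host names, addresses and ports are constructed placeholders; no real DNS query is made.

```python
"""Simulated Cisco Jabber service discovery over the split-DNS layout above.

Added example, not Cisco code. Two hand-built dicts stand in for the public
and the internal copy of 'externaldomain.com'; no real DNS query is made.
Host names and addresses are placeholders (RFC 5737 documentation ranges).
"""

# Zone = {owner name: {record type: [values]}}. SRV values are simplified to
# "target:port" (priority and weight are left out for brevity).
PUBLIC_ZONE = {
    "_collab-edge._tls.externaldomain.com.": {"SRV": ["expe.externaldomain.com.:8443"]},
    "expe.externaldomain.com.": {"A": ["203.0.113.10"]},
    "www.externaldomain.com.": {"A": ["203.0.113.20"]},
    "externaldomain.com.": {"MX": ["mail.externaldomain.com."]},
    "mail.externaldomain.com.": {"A": ["203.0.113.30"]},
}

INTERNAL_ZONE = {
    # Internal login for both domains, as the thread recommends.
    "_cisco-uds._tcp.internaldomain.com.": {"SRV": ["cucm01.internaldomain.com.:8443"]},
    "cucm01.internaldomain.com.": {"A": ["192.168.10.10"]},
    "_cisco-uds._tcp.externaldomain.com.": {"SRV": ["cucm01.externaldomain.com.:8443"]},
    "cucm01.externaldomain.com.": {"A": ["192.168.10.10"]},
    # Public records mirrored inside: www was copied, the mail records were not.
    "www.externaldomain.com.": {"A": ["203.0.113.20"]},
}

# Lookup order Jabber follows (as named in the thread): internal services
# first, the Expressway-E edge record last.
DISCOVERY_ORDER = [
    ("_cisco-uds._tcp", "internal"),
    ("_cuplogin._tcp", "internal"),
    ("_collab-edge._tls", "edge"),
]


def lookup(zone, name, rtype):
    """All values of record type `rtype` at `name`, or an empty list."""
    return zone.get(name, {}).get(rtype, [])


def discover(zone, login_domain):
    """Return (mode, target host, target IP) for the first SRV that resolves,
    or None when the domain has none of the discovery records."""
    for prefix, mode in DISCOVERY_ORDER:
        srv = lookup(zone, f"{prefix}.{login_domain}.", "SRV")
        if not srv:
            continue
        host, _port = srv[0].rsplit(":", 1)
        addrs = lookup(zone, host, "A")
        return (mode, host, addrs[0] if addrs else None)
    return None


def edge_names(public_zone):
    """_collab-edge records and their targets: the only names that should
    stay public-only in a split-DNS setup (the thread says internal clients
    must not reach the Expressway)."""
    names = set()
    for name, rrsets in public_zone.items():
        if name.startswith("_collab-edge."):
            names.add(name)
            for value in rrsets.get("SRV", []):
                names.add(value.rsplit(":", 1)[0])
    return names


def split_dns_gaps(public_zone, internal_zone):
    """Public (name, type) pairs missing from the internal copy of the zone.
    Run this after every public DNS change; anything listed here is what
    internal users will stop being able to reach."""
    skip = edge_names(public_zone)
    gaps = []
    for name in sorted(public_zone):
        if name in skip:
            continue
        for rtype in sorted(public_zone[name]):
            if not lookup(internal_zone, name, rtype):
                gaps.append((name, rtype))
    return gaps


def internal_zone_leaks_edge(internal_zone):
    """True when _collab-edge was copied inside by mistake, which would send
    internal clients to the Expressway-E instead of CUCM."""
    return any(name.startswith("_collab-edge.") for name in internal_zone)


if __name__ == "__main__":
    print("from the internet:", discover(PUBLIC_ZONE, "externaldomain.com"))
    print("from the office  :", discover(INTERNAL_ZONE, "externaldomain.com"))
    print("missing inside   :", split_dns_gaps(PUBLIC_ZONE, INTERNAL_ZONE))
    print("edge leaked in   :", internal_zone_leaks_edge(INTERNAL_ZONE))
```

With the constructed zones, a login from the internet lands on the Expressway-E, the same login from the office lands on CUCM, and the gap check reports the MX and mail A records that were never mirrored inside, which is exactly the class of breakage the answer warns about.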


Thank you, really appreciated. There isn't any public DNS or any published services yet. I will create it from scratch.

The last thing I would like to know: you said "You won't have to change the jabber-config per each user, you'll have to change it only once, the main one and add this".

I see the Cisco guide says to go to the directory below to change the jabber-config file:

Navigate to %APPDATA% > Cisco > Unified Communications > Jabber > CSF > Config, and create this jabber-config-user.xml

This is a directory on the PC. Doesn't it mean that I have to do it on every PC?

What about Android and iPhone Jabbers then?

What do you mean by changing it only once and adding? Where can I do it and apply it?

Ah no no ;)

The method you're talking about is for when you want a personal jabber-config file for each user, but this is not the case. In your TFTP you currently have a 'jabber-config.xml', right? If so, just edit it and place the XML content from my previous post in it.

There may be a chance that a user who has already logged into Jabber on his PC will have to disconnect and do 'Reset Cisco Jabber configurations'. But only once.
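The edit described here (add the Policies/VoiceServicesDomain block to the one jabber-config.xml on the CUCM TFTP) is easy to get wrong by hand when the file already has a Policies section or the element already exists. The following is an added example, not code from the thread or from Cisco: it takes the file content as a string, inserts or updates the element without duplicating it, and returns the text to upload. The sample file is constructed; the `<config version="1.0">` root with `<Policies>` children follows Cisco's documented jabber-config.xml layout, and the PRT URL inside it is a placeholder.

```python
"""Add the VoiceServicesDomain policy to an existing jabber-config.xml.

Added example, not Cisco code. The sample file below is constructed; the
layout (a <config version="1.0"> root with <Policies> children) follows
Cisco's documented jabber-config.xml structure. The function edits the
content in memory so the result can be uploaded once to the CUCM TFTP root,
instead of creating jabber-config-user.xml on every PC.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a jabber-config.xml that might already be on the TFTP.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Client>
    <PrtLogServerUrl>https://prt.internaldomain.local/prt</PrtLogServerUrl>
  </Client>
</config>
"""


def set_voice_services_domain(xml_text, domain):
    """Return xml_text with Policies/VoiceServicesDomain set to `domain`.

    Creates <Policies> if it is missing, reuses it if present, and overwrites
    an existing VoiceServicesDomain so the element never appears twice.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "config":
        raise ValueError(f"unexpected root element <{root.tag}>, want <config>")
    policies = root.find("Policies")
    if policies is None:
        policies = ET.SubElement(root, "Policies")
    vsd = policies.find("VoiceServicesDomain")
    if vsd is None:
        vsd = ET.SubElement(policies, "VoiceServicesDomain")
    vsd.text = domain
    ET.indent(root)  # pretty-print; needs Python 3.9+
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def voice_services_domain(xml_text):
    """Read back the configured domain (None when the policy is absent)."""
    node = ET.fromstring(xml_text).find("Policies/VoiceServicesDomain")
    return node.text if node is not None else None


if __name__ == "__main__":
    updated = set_voice_services_domain(SAMPLE_CONFIG, "externaldomain.com")
    print(updated)
    print("configured domain:", voice_services_domain(updated))
```

Running the function twice on the same file (for example when the domain changes later) keeps a single Policies section and a single VoiceServicesDomain element, so the file uploaded to the TFTP root stays valid.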

I am sorry for my dumb questions :) There is nothing in production but CUCM. There won't be IM&Presence. I am about to install and configure the Expressway. I just want to know which way I will go: by editing the jabber-config file, or by adding a new external domain zone in the local DNS. The 2nd option is obvious now.

The 1st one, editing the jabber-config file: you said it is possible to edit it one time and apply it to all users. That was what I understood.

What do you mean by TFTP server? You mean I have to edit the jabber-config file and deploy it to all users via TFTP?

The TFTP is a service that runs on your CUCM and contains all the firmware, MOH, background files, etc. When you place the 'jabber-config.xml' file on your CUCM (TFTP service), it is available to all users requesting it. That way you don't need to go user by user and put a personal jabber-config file on each.

In order to upload a file to the TFTP on your CUCM, you need to go to Cisco Unified OS Administration, and then in the menu go to Software Upgrade -> TFTP File Management. There, you can add new files to the TFTP of the CUCM.

Keep it in mind:

  1. When uploading the 'jabber-config.xml' file, you need to upload it to the root folder, by putting a slash ('/') in the directory field (or just leaving it empty).
  2. You MUST restart the Cisco TFTP service after uploading any new files; otherwise, they won't be available to users. Go to Cisco Unified Serviceability, and then in the menu go to Tools -> Control Center - Feature Services, select the CUCM node, locate the Cisco TFTP service and restart it.
  3. If you have more than one CUCM, like another subscriber, you must do the above procedure on the other nodes as well. When uploading a new file to the CUCM, it'll be uploaded ONLY to the CUCM you're connected to.

Hope it helps ;)

Thank you. Is the Jabber client required to log in at least once, or can I do it before the Jabber client logs in?

Doesn't matter.

But I would advise you to log in with your Cisco Jabber for the first time only after you put the jabber-config file on your CUCM TFTP.

If you do it afterwards, it is better to clean the Jabber configuration by logging out and pressing File -> Reset Cisco Jabber, especially when you're doing tests and trying to do the setup.
