Fabrizio Nurra
Beginner

Jabber and Jabber Guest DNS and certificate doubts

Hi,
I'm going to develop an MRA architecture with Jabber Guest, and I have some doubts.
The architecture consists of two Expressway-E/Expressway-C chains, one for MRA and one for Jabber Guest. A CUCM and a Jabber Guest server are in the internal network. The clients (both MRA and Jabber Guest) access the platform only from the outside: there are no clients registered on the inside.
 
First question: I've considered using a public SRV record for Expressway-E MRA for _collab-edge (_collab-edge.company.com) and a private SRV record for CUCM for the _cisco-uds service (_cisco-uds.company.local). In other words, I've planned to use split domains.
Is this configuration enough? Or do I have to add other SRV records/services, or specific configuration?


Second question: I honestly did not understand how to configure DNS for Jabber Guest. I read that "You also need to ensure that appropriate DNS records exist so that the Cisco Jabber Guest client can reach the Cisco Expressway-E. The FQDN of the Cisco Expressway-E in DNS must include the Cisco Jabber Guest domain. The Cisco Jabber Guest domain is the domain that is configured on the Cisco Expressway-C" (http://ipv6.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Guest/10_0/icg/JABC_BK_J0FC634A_00_jabberc-installation-and-configuration-guide/JABC_BK_J0FC634A_00_jabberc-installation-and-configuration-guide_chapter_010.pdf), page 15, but I'm not sure what it means.
Do I have to configure a public A record? An SRV record? In which domain? company.com, I suppose, so expej.company.com

 

In both implementations (MRA and Jabber Guest), can I use subdomains in my internal DNS? How does it affect certificates?

Third question: certificates. In a split DNS domain environment, are there particular points of attention? Will a Jabber client accept a certificate from the internal domain?

This leads to the final point: I've read here https://ciscocollab.wordpress.com/tag/jabber/ that the public CAs are no longer signing certificates with subject alternative names (SAN) for internal server names. I think the best solution to this is to develop a single (public) domain environment, but I would like to have some suggestions specific to my architecture.


Thank you in advance, any help/suggestion will be appreciated.

Accepted solution:

  1. The Mobile and Remote Access via Cisco Expressway Deployment Guide explains this on page 11.
  2. Look at the traffic flows on the page that precedes it. The plugin sends media and HTTP-based signaling to/from the Expressway-E public IP/hostname. Expressway-E forwards the traffic inside, which routes it through Jabber Guest to be converted to SIP. So, the clients must be able to reach Expressway-E and the Ascent connection between -E and -C must be working. The comment about "Cisco Jabber Guest domain is the domain that is configured on the Cisco Expressway-C" is a reference to the configuration on -C; you tell it which DNS domains it should consider its own vs. a foreign system.
  3. Use your public domain root (e.g. _collab-edge._tls.cisco.com) for DNS records.
  4. A client will accept any certificate it is told to. In most cases this is controlled by the Trusted Root Certificates trust store on the OS. For most deployments this rules out internal CAs, since you want external devices not owned/managed by you to connect to Jabber Guest and/or do B2B calls. BYOD environments also pose challenges with internal CAs, but MDM solutions do have mechanisms for pushing this to endorsed devices.
  5. My advice to customers is a single public domain. The entire public/private domain distinction is dumb IMO. A single-domain, split-zone design makes far more sense. In this design internet-facing DNS servers only contain A/PTR records for internet-facing servers, typically with the public, often NATed, IPv4 addresses, and a separate zone accessible only inside the network contains internal server records.


Thank you Jonathan,

Based on your suggestions, I will develop a single-domain (with two zones) architecture.
But a new doubt arose: if I have a CUCM cluster and a CUP cluster, and I want to deploy high availability with SRV records, I read I have to configure two subdomains (for instance cucm.company.com and cup.company.com). The Jabber domain I would like to use is jabber.company.com, so the public SRV DNS record for Expressway-E is _collab-edge._tls.jabber.company.com
Having my devices (CUCM, Expressway and CUP) in three different subdomains, will I have problems with certificates? I suppose I have to use SANs in the certificates, and to create the Expressway-E certificate with cucm.company.com and cup.company.com in the SAN field. Is that correct?

 Thanks

A DNS SRV record does not have to be in the same domain as the device it is referencing. In the example you provided it is typical to create the subdomains only to delineate between SRV records.

Example:

  • Zone: cisco.com
    • A: cucm1.cisco.com -> x.x.x.x
    • PTR: x.x.x.x -> cucm1.cisco.com
    • A: cups1.cisco.com -> y.y.y.y
    • PTR: y.y.y.y -> cups1.cisco.com
    • Zone: uc.cisco.com
      • Zone: manager.uc.cisco.com
        • SRV _sip._tcp.manager.uc.cisco.com -> cucm1.cisco.com
      • Zone: presence.uc.cisco.com
        • SRV _sip._tcp.presence.uc.cisco.com -> cups1.cisco.com

The only purpose the sub-zones serve in this case is to provide a unique namespace for the SRV records.
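As an added illustration (not code from the thread or from Cisco), the following Python models the zone layout above offline: the SRV record lives in a sub-zone (manager.uc.cisco.com) while its target host lives in the parent zone (cucm1.cisco.com), and a TLS client checks the server certificate against the SRV target hostname it actually connects to, not against the name it looked the SRV record up under. The zone data, SAN lists and 192.0.2.x addresses are constructed placeholders.

```python
# Added example: offline model of a split-zone SRV lookup plus a certificate
# hostname check in the style of RFC 6125. Zone data below is constructed to
# mirror the example in the thread; addresses are documentation placeholders.

# Constructed zone data: A records in the parent zone, SRV records in sub-zones.
ZONE = {
    "A": {"cucm1.cisco.com": "192.0.2.10", "cups1.cisco.com": "192.0.2.11"},
    "SRV": {
        # (priority, weight, port, target)
        "_sip._tcp.manager.uc.cisco.com": [(10, 10, 5060, "cucm1.cisco.com")],
        "_sip._tcp.presence.uc.cisco.com": [(10, 10, 5060, "cups1.cisco.com")],
    },
}


def resolve_srv(name, zone=ZONE):
    """Return (target_host, port, address) for the lowest-priority SRV record."""
    records = zone["SRV"].get(name)
    if not records:
        raise LookupError(f"no SRV record for {name}")
    _prio, _weight, port, target = min(records, key=lambda r: r[0])
    address = zone["A"].get(target)
    if address is None:
        raise LookupError(f"SRV target {target} has no A record")
    return target, port, address


def san_matches(san_names, host):
    """True if host matches one SAN dNSName: exact match, or a wildcard
    covering exactly one leftmost label (*.cisco.com matches cucm1.cisco.com,
    not a.b.cisco.com)."""
    host = host.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "*" not in san[2:] and "." in host:
            if host.split(".", 1)[1] == san[2:]:
                return True
    return False


def cert_ok_for_srv(srv_name, san_names, zone=ZONE):
    """Would a client that followed srv_name accept a certificate whose SAN
    list is san_names? The check is made against the SRV target hostname."""
    target, _port, _addr = resolve_srv(srv_name, zone)
    return san_matches(san_names, target)
```

The second assertion a practitioner would try is the instructive one: a certificate that names only the SRV zone (manager.uc.cisco.com) is rejected, while one naming the target host (or a one-label wildcard over its zone) is accepted.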

 

Thank you again Jonathan.

I didn't find documentation about PTR records: what are they used for exactly?
