I'm going to develop an MRA architecture with Jabber Guest, and I have some doubts.
The architecture consists of two Exp-E/Exp-C chains, one for MRA, one for Jabber Guest. A CUCM and a Jabber Guest server are in the internal network. The clients (both MRA and Jabber Guest) access the platform only from the outside: there are no clients registered on the inside.
First question: I've considered using a public SRV record for Expressway-E MRA for _collab-edge (_collab-edge.company.com) and a private SRV record for CUCM for the _cisco-uds service (_cisco-uds.company.local). In other words, I've planned to use split domains.
Is this configuration enough? Or do I have to add other SRV/services, or specific configuration?
Second question: I honestly did not understand how to configure DNS for Jabber Guest. I read that "You also need to ensure that appropriate DNS records exist so that the Cisco Jabber Guest client can reach the Cisco Expressway-E. The FQDN of the Cisco Expressway-E in DNS must include the Cisco Jabber Guest domain. The Cisco Jabber Guest domain is the domain that is configured on the Cisco Expressway-C" (http://ipv6.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Guest/10_0/icg/JABC_BK_J0FC634A_00_jabberc-installation-and-configuration-guide/JABC_BK_J0FC634A_00_jabberc-installation-and-configuration-guide_chapter_010.pdf, page 15), but I'm not sure what it means.
Do I have to configure a public type A record? SRV? In which domain? company.com, I suppose, so expej.company.com
In both implementations (MRA and Jabber Guest), can I use subdomains in my internal DNS? How does it affect certificates?
Third question: certificates. In a split DNS domain environment, are there particular points of attention? Will a Jabber client accept a certificate from the internal domain?
This leads to the final point: I've read here https://ciscocollab.wordpress.com/tag/jabber/ that "The public CAs are no longer signing certificates with subject alternative names (SAN) for internal server names." I think the best solution to this is to develop a single (public) domain environment, but I would like to have some suggestions specific to my architecture.
Thank you in advance, any help/suggestion will be appreciated.
Thank you Jonathan,
Based on your suggestions, I will develop a single domain (with two zones) architecture.
But a new doubt arose: if I have a CUCM cluster and a CUP cluster, and I want to deploy high availability with SRV records, I read I have to configure two subdomains (for instance cucm.company.com and cup.company.com). The Jabber domain I would like to use is jabber.company.com, so the public SRV DNS record for Expressway-E is _collab-edge._tls.jabber.company.com
Having my devices (CUCM, Expressway and CUP) in three different subdomains, will I have problems with certificates? I suppose I have to use SANs in the certificates, and to create the Expressway-E certificate with cucm.company.com and cup.company.com in the SAN field. Is that correct?
A DNS SRV record does not have to be in the same domain as the device it is referencing. In the example you provided it is typical to create the subdomains only to delineate between SRV records.
The only purpose the sub-zones serve in this case is to provide a unique namespace for the SRV records.
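As an added illustration (not from the thread or from Cisco documentation), here is a BIND-style sketch of the split layout discussed above: the public zone publishes only the _collab-edge record pointing at the Expressway-E, while the internal zone carries the _cisco-uds and _cuplogin records whose targets live in the cucm.company.com and cup.company.com sub-zones. The SRV owner names all sit under jabber.company.com, but the targets do not, which is exactly the point of the reply. Host names, addresses and TTLs are assumptions; the service labels and port 8443 are the ones Jabber service discovery uses.

```dns
; ===== File 1: external view of company.com (answers Internet clients) =====
; Added example, not from the thread. Host names and addresses are assumed;
; 203.0.113.0/24 is a documentation range used here as a placeholder.
$ORIGIN company.com.
$TTL 3600
expe                        IN A    203.0.113.10        ; Expressway-E public address

; Only the edge record is visible from outside. Jabber looks this up for
; the jabber.company.com domain and then connects to the target name.
_collab-edge._tls.jabber    IN SRV  10 10 8443 expe.company.com.

; ===== File 2: internal view of company.com (answers LAN and Expressway-C) =====
$ORIGIN company.com.
$TTL 3600
cucm1.cucm                  IN A    10.0.1.11           ; CUCM nodes in the cucm sub-zone
cucm2.cucm                  IN A    10.0.1.12
cup1.cup                    IN A    10.0.1.21           ; IM&P nodes in the cup sub-zone
cup2.cup                    IN A    10.0.1.22

; The SRV records live in the jabber sub-zone (one namespace per service),
; but each target is a host in a different sub-zone. Equal priority and
; weight give round-robin load sharing across the two nodes; raising the
; priority value on one pair would turn it into a standby instead.
_cisco-uds._tcp.jabber      IN SRV  10 50 8443 cucm1.cucm.company.com.
_cisco-uds._tcp.jabber      IN SRV  10 50 8443 cucm2.cucm.company.com.
_cuplogin._tcp.jabber       IN SRV  10 50 8443 cup1.cup.company.com.
_cuplogin._tcp.jabber       IN SRV  10 50 8443 cup2.cup.company.com.
```

A quick way to confirm the split is working is to run `dig SRV _collab-edge._tls.jabber.company.com` from an outside host and `dig SRV _cisco-uds._tcp.jabber.company.com` from the inside: the first should return only the Expressway-E name, and the second should not be answerable from the Internet at all.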