11-20-2018 05:29 AM - edited 03-19-2019 01:36 PM
Hello,
I got really badly stuck with deploying MRA for Jabber via Expressway-C/E.
I read through lots of documents, deployment guides and discussions here, but the mess in my head just got bigger.
Let me quickly summarize what I think I am missing:
1. I have the internal SRV records pointing to CUCM (_cisco-uds) and IM&P (_cuplogin);
2. I have the external SRV record _collab-edge pointing directly to the Public IP of Expressway-E (which is NATted to the external LAN2).
This is fine so far!
The certificates are what gets me in trouble. Here are my questions:
1. I need to sign the certs of both Expressway E and C by the same CA. Then upload the root CA and the CA CRL to both systems. Is this right?
2. Is it mandatory to sign something via public CA? If so - what and what is the process?
Any help will be greatly appreciated! I've done 100 different things and I am up to the point where I am not sure even in the most basic tasks.
11-20-2018 11:54 AM
I made a video in which I explain certificates, and explain MRA certs.
There are also a lot of Cisco Live sessions dedicated to MRA design and troubleshooting that cover the whole solution. Have you watched any of them?
You can also find several resources at SalesConnect.
All of the above is complementary to the MRA configuration guide.
11-21-2018 04:14 AM
Hi Jaime,
I actually use your videos pretty often (even in this case, when I was deploying CMS in phase 1 of the project), but it looks like I have missed the one on certificates. It's just this little thing that I am missing because certificates are not something I do day-to-day. Your video makes the things in my head more clear now. And I also watched lots of other sessions.
I still have two questions here though. If MRA for Jabber clients is the only thing that I will use Expressway for, can I sign the Expressway-E cert with a private CA and make the devices that will run Jabber trust it? Will that work? Or should the "whole internet" trust Expressway-E, not just Jabber, and that's why a public CA is a must?
The other question is - how can I set up a secure TLS connection between Expressway C and E using their own self-signed certificates? I tried downloading both certs and uploading the E cert in the C Trusted CA and vice versa, but it doesn't work. Is this even possible?
11-21-2018 07:28 AM
If you want to take the overhead of distributing the root certificate to all your MRA clients, it will work.
11-22-2018 12:22 AM
Yes, I know all of the disadvantages of self-signed certs. I just wanted to set it up for a test purpose, because every step with this customer is taking ages and I will probably have signed certs next year.
Thanks anyway!
11-22-2018 06:12 AM
OK just for clarification, I'm talking about using a private CA, there's no way to get MRA working with self signed certificates.
11-22-2018 06:29 AM
Yeah, for the whole MRA setup self-signed won't work.
One last thing. Since you manually accept the server certificates with Jabber, can this server certificate of Expressway-E be signed with private CA or Expressway-E must always be publicly signed? Jabber with MRA and external calls to CMS will be the two things I am deploying Expressway for.
I believe that is everything I wanted to ask in the whole discussion but didn't manage to construct my question.
10-09-2019 01:37 AM
Hi Jaime,
Unable to open the Video.
Regards,
AbdulSakkeer
05-13-2020 01:55 PM
Hello, Jaime. Could not obtain the video :(