Wednesday, June 4, 2014

Collaboration Edge - Expressway Step-by-Step guide

There are 4 reference guides that are useful for the setup.  Cross-reference each of them when needed.  This is how I use them:

Cisco-Expressway-Basic-Configuration-Deployment-Guide-X8-1
Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1
Cisco-Expressway-SIP-Trunk-to-Unified-CM-Deployment-Guide-CUCM-8-9-and-X8-1
Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-1-1

The purpose of this post is to help you set up Expressway-C and E with MRA features, with everything in one place.  Hope you find it useful.

My environment:  UCM 10.5, CUP 10.5, Expressway 8.1

Basic Expressway Configuration

1.  First download the Expressway .ova from CCO.  Expressway C and E, as well as VCS-C and E, share the same base image and use the license file to determine their capability.

2.  Set the IP addresses for Expressway C and E.  On Expressway E I am using a dual-NIC deployment; the advanced networking license comes for free, so that is fine.  Remember to use the "xconfiguration ip route" or "xconfiguration routeadd" command to add a host route back to your internal network, as your default route points to your Internet service provider gateway.

3.  System > Administration to set the System Name

4.  System > DNS to set the System host name and domain name.  hostname.domain_name = FQDN of Expressway

5.  System > DNS to set the Default DNS servers.  Expressway-C is configured with the internal DNS server and Expressway-E is configured with a public DNS server.  This is important, because later on you will need your Expressway-C to resolve some internal SRV records to complete the Jabber and endpoint registration.

6.  System > Time to setup the NTP server

Certificate and CA 
In my lab I have created my own CA and signed the certificates for Exp-C, Exp-E, UCM tomcat and CUP tomcat.

1.  Go to Maintenance > Security certificates > Server certificate to generate CSR

2.  The Common name is your Expressway FQDN; you don't need to fill it in.  The Subject Alternative Name (SAN) should include your domain names, both internal and external (e.g. pandaeatsbamboo.com, uc.pandaeatsbamboo.com).  For Expressway C you should include the chat node aliases in the SAN.  You can find them on the CUP admin page > Messaging > Group Chat Server Alias Mapping.  For Expressway E, you should include your collaboration edge SRV record.  So the SAN in your cert should look like this:
Expressway-C Subject Alternative Name:   DNS:expc.uc.pandaeatsbamboo.com, DNS:conference-2-StandAloneClusterda021.uc.pandaeatsbamboo.com, DNS:conference-3-StandAloneClusterda021.uc.pandaeatsbamboo.com
Expressway-E Subject Alternative Name:   DNS:expe.pandaeatsbamboo.com, DNS:_collab-edge._tls.pandaeatsbamboo.com, DNS:expe.uc.pandaeatsbamboo.com, DNS:pandaeatsbamboo.com, DNS:uc.pandaeatsbamboo.com, DNS:conference-2-StandAloneClusterda021.uc.pandaeatsbamboo.com, DNS:conference-3-StandAloneClusterda021.uc.pandaeatsbamboo.com
3.  Download your CSR

4.  If you have your CA in place, please skip the following steps.  In my lab I am using my MacBook with OpenSSL as the CA.  I have created several folders under /System/Library/OpenSSL

mkdir demoCA
cd demoCA
mkdir certs
mkdir newcerts
mkdir private
touch index.txt
echo 10 > serial

5. Copy /System/Library/OpenSSL/openssl.cnf to the demoCA directory, rename it to openssl_local.cfg

6. Modify openssl_local.cfg, under [CA_default] section, ensure the line "copy_extensions = copy" does not have a # at the beginning of the line.  Change "policy = policy_match" to "policy = policy_anything".  Change "dir = ./demoCA" to "dir = ."  Change "default_days = 365" to 3650 (10 years)

7. Generate private key for CA with the command:
openssl genrsa -aes256 -out private/cakey.pem 4096

Enter a passphrase and make sure you remember it, as you need it when you sign your certs.

8. Generate CA cert:
openssl req -new -x509 -days 3650 -key private/cakey.pem -config openssl_local.cfg -sha1 -extensions v3_ca -out cacert.pem

9. Enter the passphrase for the key, and enter the data requested.  Keep the CA cert cacert.pem; you will need it for Expressway and the endpoints later on.

10. Copy the previously generated CSR from Expressway-C and E to the demoCA folder, and sign it with the command:
openssl ca -config openssl_local.cfg -cert cacert.pem -keyfile private/cakey.pem -in expc.csr -out certs/expc.pem -md sha1

11.  Upload the signed certificate - Expressway > Maintenance > Server certificate > Upload Server Certificate. 

12.  Upload your CA certificate if you are using your self-created OpenSSL CA - Expressway > Trusted CA certificate, choose the cacert.pem and upload. 

13.  Restart Expressway after certificate installation

Note: If you generate different certs with the same common name, you will get the error "openssl failed to update database.  TXT_DB error number 2".  If that is the case, modify your index.txt.attr file, change the unique_subject to no.
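A check for the signed certificates before uploading them, added here as an example and not part of the original post: it parses the text printed by `openssl x509 -noout -text -in certs/expc.pem` and reports SAN entries that are missing, a traversal peer address that is in neither the SAN nor the common name, and a SHA-1 or MD5 signature (the commands above sign with SHA-1, which is deprecated). The sample certificate text and the function names are constructed for illustration.

```python
"""Audit `openssl x509 -noout -text` output for an Expressway certificate."""
import re

# Constructed sample (not from a real certificate): trimmed text output for an
# Expressway-E cert. Three names from the post's SAN list are left out.
SAMPLE_EXPE = """\
Certificate:
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Lab CA
        Subject: CN=expe.pandaeatsbamboo.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:expe.pandaeatsbamboo.com, DNS:_collab-edge._tls.pandaeatsbamboo.com, DNS:pandaeatsbamboo.com, DNS:uc.pandaeatsbamboo.com
"""

# Names the post lists for the Expressway-E SAN.
REQUIRED_EXPE = [
    "expe.pandaeatsbamboo.com",
    "_collab-edge._tls.pandaeatsbamboo.com",
    "expe.uc.pandaeatsbamboo.com",
    "pandaeatsbamboo.com",
    "uc.pandaeatsbamboo.com",
    "conference-2-StandAloneClusterda021.uc.pandaeatsbamboo.com",
    "conference-3-StandAloneClusterda021.uc.pandaeatsbamboo.com",
]


def parse_cert_text(text):
    """Return subject CN, SAN DNS names (lower-cased) and signature algorithm."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    subj = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", text, re.M)
    sans = set()
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "X509v3 Subject Alternative Name" in line:
            # The names are on the line that follows the extension header.
            names = re.findall(r"DNS:([^,\s]+)", lines[i + 1])
            sans.update(n.lower() for n in names)
    return {
        "cn": subj.group(1).strip().lower() if subj else None,
        "sans": sans,
        "sig_alg": sig.group(1) if sig else None,
    }


def audit(text, required, peer_fqdn=None):
    """List problems that would break TLS verify or MRA service discovery."""
    cert = parse_cert_text(text)
    findings = []
    for name in required:
        if name.lower() not in cert["sans"]:
            findings.append("missing SAN: " + name.lower())
    # Traversal zone with TLS verify mode On: peer FQDN must be in SAN or CN.
    if peer_fqdn and peer_fqdn.lower() not in cert["sans"] | {cert["cn"]}:
        findings.append("peer address not in SAN or CN: " + peer_fqdn.lower())
    alg = (cert["sig_alg"] or "").lower()
    if "sha1" in alg or "md5" in alg:
        findings.append("weak signature algorithm: " + cert["sig_alg"])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPE, REQUIRED_EXPE, "expe.pandaeatsbamboo.com"):
        print(finding)
```
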

Configuring the traversal zone
1. Configure Expressway-C as traversal client zone, Expressway-E as traversal server zone.  Configuration > Zones > Zones

2. Click New, and fill in the fields.  Make sure the username and password are created on Exp-E under Configuration > authentication > local database.  Disable H.323 mode, and change the SIP TLS verify mode to "On".  Make sure Media encryption mode is "Force encrypted".  On Expressway-C, enter the FQDN instead of the IP address in the Peer address field.  Make sure this FQDN is in the Expressway-E SAN or Common name.

Expressway-C Traversal Zone configuration


Expressway-E Traversal Zone configuration

Configuring traversal zone search rules
Configuration > Dial Plan > Search Rules


Configuring DNS Zone
Configuration > Zones > Zones

Configuring DNS zone search rules
Configuration > Dial Plan > Search rules

Configuring external (unknown) IP address routing
Configuration > Dial Plan > Configuration

Configuration > Dial Plan > Search Rules

Configuring Unified CM for an Expressway trunk
1. UCM > System > Region information > Region.  Set "Maximum Session Bit Rate for Video Calls" to a suitable upper limit for the system, say 6000 kbps.

2. For the SIP profile that applies to phones, select the check box "Use Fully Qualified Domain in SIP Requests" and "Allow Presentation Sharing using BFCP".  

3. UCM > System > Security > SIP Trunk Security Profile, select Non Secure SIP Trunk Profile, and check the options "Accept Unsolicited Notification" and "Accept Replaces Header".  Change the port to something other than 5060 and 5061; in my case I used 5062.


4.  Create the SIP trunk.  UCM > Device > Trunk > Add New.  Choose SIP Trunk as the Trunk Type, SIP as Device Protocol, None for Trunk Service Type.

5. Save your configuration and reset the trunk.

6. Configure the cluster FQDN on UCM.  UCM > System > Enterprise parameters, set the cluster fully qualified domain name to the same domain as the video network.

7. Call Routing > SIP Route Pattern > Add New.  In my lab I use the * wildcard to route everything in SIP URI format to Expressway via the Expressway trunk.


Configuring a neighbor zone on Expressway for Unified CM
Expressway-C > Configuration > Zones > Zones
Then you can create search rules back to Unified CM based on your dial plan.

Create your jabber-config.xml

This is my sample jabber-config.xml

<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
<Client>
  <CachePasswordMobile>true</CachePasswordMobile>
</Client>
<Directory>
  <DirectoryServerType>BDI</DirectoryServerType>
  <BDIPhotoUriSubstitutionEnabled>True</BDIPhotoUriSubstitutionEnabled>
  <BDIPhotoUriSubstitutionToken>sAMAccountName</BDIPhotoUriSubstitutionToken>
  <BDIPhotoUriWithToken>http://10.1.90.51/jabber/sAMAccountName.jpg</BDIPhotoUriWithToken>
  <BDIPrimaryServerName>10.1.90.10</BDIPrimaryServerName>
  <BDIPresenceDomain>uc.pandaeatsbamboo.com</BDIPresenceDomain>
  <BDIServerPort1>389</BDIServerPort1>
  <BDISearchBase1>OU=Cisco,DC=uc,DC=xcloud-hk,DC=com</BDISearchBase1>
</Directory>
<Policies>
    <EnableSIPURIDialling>true</EnableSIPURIDialling>
</Policies>
</config>

This allows SIP URI Dialing, and BDI for non-Windows domain users such as Jabber on iPhone, iPad, Android, Mac users, etc.

Configuring Expressway-C for Mobile and Remote Access (MRA)
1. Configuration > Unified Communications > Configuration

2. Configuration > Domains 

3.  Discover UCM and CUP on Expressway-C.  First of all, make sure you have replaced the tomcat cert on UCM and CUP.  Generate a CSR on UCM and CUP under Unified Operating System Administration > Security > Certificate Management > Generate CSR.  In the Certificate Purpose drop-down box, choose tomcat.  Click Generate and download the CSR.  Sign the certificate with your CA; in my case I used the OpenSSL CA that I created in the prior steps.  Click "Upload Certificate / Certificate chain", choose "tomcat-trust", select your CA cert (e.g. cacert.pem) and click Upload.  Then upload your signed tomcat cert using similar steps, but this time choose "tomcat" instead of tomcat-trust.  Restart tomcat after you upload the cert.  Do the same thing for your subscribers as well.  Repeat the same steps for CUP.

4. Discover your UCM and CUP, and make sure TLS verify mode is on.  Since TLS verify is on, you need to use the FQDN instead of the IP address, and this FQDN must be included in your tomcat cert common name or SAN.  (You probably need to sign your CallManager cert and upload your CA as CallManager-trust in order to get the TLS verify mode to work.)


5.  New zones and search rules are automatically generated after discovery


Configuring Expressway-E for Mobile and Remote Access (MRA)
1. Configuration > Unified Communications > Configuration to enable mobile and remote access, similar to what you have done on Exp-C
2. Check Status > Unified Communications, make sure all Unified Communications Services are Active.

Configuring Service Discovery on Public DNS
Service: _collab-edge
Protocol: _tls
Priority: 10
Weight: 10
Port number: 8443
Host: expe.pandaeatsbamboo.com

Service: _sips
Protocol: _tcp
Priority: 10
Weight: 10
Port number: 5061
Host: expe.pandaeatsbamboo.com

Service: _sips
Protocol: _tls
Priority: 10
Weight: 10
Port number: 5061
Host: expe.pandaeatsbamboo.com 

Service: _sip
Protocol: _tcp
Priority: 10
Weight: 10
Port number: 5060
Host: expe.pandaeatsbamboo.com  

Service: _sip
Protocol: _udp
Priority: 10
Weight: 10
Port number: 5060
Host: expe.pandaeatsbamboo.com   

Service: _sip
Protocol: _tls
Priority: 10
Weight: 10
Port number: 5061
Host: expe.pandaeatsbamboo.com   

Service: _h323ls
Protocol: _udp
Priority: 10
Weight: 10
Port number: 1719
Host: expe.pandaeatsbamboo.com    

Service: _h323cs
Protocol: _tcp
Priority: 10
Weight: 10
Port number: 1720
Host: expe.pandaeatsbamboo.com    

Service: _h323rs
Protocol: _tcp
Priority: 10
Weight: 10
Port number: 1719
Host: expe.pandaeatsbamboo.com  

Configuring Service Discovery on Internal DNS server
Domain:  pandaeatsbamboo.com (not uc.pandaeatsbamboo.com)
Service: _cisco-uds
Protocol: _tcp
Priority: 10
Weight: 10
Port number: 8443
Host: ucm1.uc.pandaeatsbamboo.com   

Domain:  pandaeatsbamboo.com (not uc.pandaeatsbamboo.com)
Service: _cuplogin
Protocol: _tcp
Priority: 10
Weight: 10
Port number: 8443
Host: cup1.uc.pandaeatsbamboo.com   

If your internal domain name (e.g. uc.pandaeatsbamboo.com) is different from your external domain name (e.g. pandaeatsbamboo.com), you still need to make sure the above SRV records are under the root domain but only resolvable internally.  You should not be able to query the cuplogin and cisco-uds SRV records from the public Internet, otherwise the _collab-edge SRV record will not work and your Jabber MRA will not work.
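The split described above can be checked from `dig +short SRV` answers collected on an internal and an external resolver. This is an added example, not part of the original post; the function names and the sample answers are constructed, and the rule that _collab-edge stays external-only comes from the author's checklist in the comments.

```python
"""Check that the MRA service-discovery SRV records are split correctly."""

# Per the post, these two must resolve only inside the network.
INTERNAL_ONLY = ("_cisco-uds._tcp", "_cuplogin._tcp")
# Per the author's checklist in the comments, this one is external only.
EXTERNAL_ONLY = ("_collab-edge._tls",)


def parse_dig_short(output):
    """Parse `dig +short SRV <name>` lines: 'priority weight port target.'"""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
            prio, weight, port = (int(p) for p in parts[:3])
            records.append((prio, weight, port, parts[3].rstrip(".").lower()))
    return sorted(records)


def check_view(view_name, answers, domain, must_resolve, must_not_resolve):
    """Compare one resolver's answers with what that view should return."""
    findings = []
    for prefix in must_resolve:
        if not parse_dig_short(answers.get(prefix, "")):
            findings.append(f"{view_name}: {prefix}.{domain} does not resolve")
    for prefix in must_not_resolve:
        for _, _, port, target in parse_dig_short(answers.get(prefix, "")):
            findings.append(
                f"{view_name}: {prefix}.{domain} must not resolve here "
                f"(got {target}:{port})"
            )
    return findings


def check_split_horizon(domain, internal, external):
    """internal/external map an SRV prefix to the raw dig output for it."""
    return (
        check_view("internal", internal, domain, INTERNAL_ONLY, EXTERNAL_ONLY)
        + check_view("external", external, domain, EXTERNAL_ONLY, INTERNAL_ONLY)
    )


# Constructed answers, using the record values listed in the post.
INTERNAL_ANSWERS = {
    "_cisco-uds._tcp": "10 10 8443 ucm1.uc.pandaeatsbamboo.com.\n",
    "_cuplogin._tcp": "10 10 8443 cup1.uc.pandaeatsbamboo.com.\n",
    "_collab-edge._tls": "",
}
EXTERNAL_OK = {"_collab-edge._tls": "10 10 8443 expe.pandaeatsbamboo.com.\n"}
# Misconfiguration: the internal UDS record is also published publicly.
EXTERNAL_LEAK = {
    **EXTERNAL_OK,
    "_cisco-uds._tcp": "10 10 8443 ucm1.uc.pandaeatsbamboo.com.\n",
}

if __name__ == "__main__":
    for finding in check_split_horizon(
        "pandaeatsbamboo.com", INTERNAL_ANSWERS, EXTERNAL_LEAK
    ):
        print(finding)
```
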

Configure Voicemail and Jabber Photo web server access
To allow Jabber to access voicemail, and the web server which contains the Jabber profile pictures, you can configure the "HTTP server allow list" on Expressway-C.

MRA using Jabber
Download Jabber on iPhone / iPad via App Store and Jabber on Android via Google Play and give it a try!


To register EX via Expressway to UCM from Internet
Make sure you are using TC 7.1 onwards, and upload your OpenSSL CA cert to the unit.  From the EX web interface, Configuration > Security > CAs > Add Certificate Authority, upload your cacert.pem file and reload the unit.



After the reload, use the touch panel to run the Provisioning wizard and choose the option Cisco UCM via Expressway.  Enter your credentials and it will work.  Make sure you have already created your device on UCM and associated your users with their phone devices.  On UCM you can see that your EX is registered, and that the IP address shown is your Expressway-C IP address rather than the device's Internet IP address.

That's all!  This is a long post but I hope it helps!

43 comments:

AbO RaBeA said...

Thanks Dear, but you don't need to create a trunk in CUCM unless you register any devices to Expressway.

I have a question: what if you have a publisher and 3 subscribers, should we define all as records in internal DNS?

Anonymous said...

Hi
Do you have to create a sip trunk for collab edge?

Danny Wong said...

The SIP trunk is for B2B video calls. For the MRA features you do not need to define SIP trunk at the UCM end.

I have all the pub and subs record in DNS, but for Expressway C it just needs to recognize the pub, but no harm to put all in your DNS

KK said...

Hi, grat for great article.

I am a system engineer, and I am planning a system using servers above.
Is it possible to register to the CUCM with a standard SIP softclient connected by 3G?
If so, is richmedialicense required?

Thank you,
Karoly
Hungary

Danny Wong said...

If you are using a standard SIP client then you will need to use VPN. The MRA feature is client and client version dependent so it has to be Jabber if you want to make phone calls in a VPN-less fashion.

Jeff Levensailor said...

I am using godaddy as my CA. I used the cisco configuration guide to setup my subject alternative names but I don't see them in the certificate, only the common name expe.domain.com and expc.domain.com. Did I need to purchase a multi-domain certificate for use of SANs? My traversal zone says active but it doesn't seem to be working.

Danny Wong said...

Sorry I have no experience with godaddy, however yes I think you need a multidomain cert for SANs.

http://support.godaddy.com/help/article/4649/adding-or-dropping-subject-alternative-names-from-ucc-certificates

Jeff Levensailor said...

I was able to get IM working, but the CSF phone still won't register. I'm including the error

tvcs: Event="Registration Rejected" Reason="Unknown domain" Service="SIP" Src-ip="70.109.225.129" Src-port="9314" Protocol="TCP" AOR="sip:10.1.4.111" Contact=";+sip.instance\="";+u.sip!devicename.ccm.cisco.com\="CSFJLEVENSAILOR";+u.sip!model.ccm.cisco.com\="503";video" Duration="3600" Level="1" UTCTime="2014-07-16 23:30:47,132"


tvcs: Event="Registration Requested" Service="SIP" Src-ip="70.109.225.129" Src-port="9314" Protocol="TCP" AOR="sip:10.1.4.111" Contact=";+sip.instance\="";+u.sip!devicename.ccm.cisco.com\="CSFJLEVENSAILOR";+u.sip!model.ccm.cisco.com\="503";video" Duration="3600" Level="1" UTCTime="2014-07-16 23:30:47,132"

Danny Wong said...

Did you make sure your SIP domain is configured correctly? Did you get your CSF client register within internal network instead of via Expressway?

Radim Mutina said...

Dear Danny.

Great article ! I found it when I went myself already through four CCO pdf's as you suggested. But - I'm stuck in Event="Registration Rejected" Reason="Unknown domain" error too.
CFS is registering fine when in inside network. I'm using CA signed certs on CUCM, ExpE, ExpC. I filled every form of CUCM name as SAN for sure. No luck yet. But I'm not giving up.


expe tvcs - - - Event="Registration Rejected" Reason="Unknown domain" Service="SIP" Src-ip="85.237.234.152" Src-port="26015" Protocol="TCP" AOR="sip:cucm1.mydomain.net" Contact=";+sip.instance\="";+u.sip!devicename.ccm.cisco.com\="CSFBWILLIS";+u.sip!model.ccm.cisco.com\="503";video" Duration="0" Level="1" UTCTime="2014-09-08 13:53:58,454"

Radim Mutina said...

Fixed :-)

As usual, workaround is very simple. I used secured SIP device profile for Jabber CSF device (based on my very quick reading of Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-2.pdf) I missed, that TLS between EXP-C and CUCM is possible only in Mixed security mode.

So some maybe useful troubleshooting info for others with same error.

Check the EXP-C network log in DEBUG level [Status-> Logs-> Network Log]. You can see there REGISTER message. Right above that message is response to SIP/2.0 404 Not found with that warning in the header:

Warning: 399 172.16.60.17:5061 "Policy Response"

When you look at the DEBUG messages between REGISTER and its 404 response, you can see:

tvcs: UTCTime="2014-09-10 15:37:05,339" Module="network.search" Level="DEBUG": Detail="Search rule 'CEtcp-CUCM1.mydomain.net' did not match destination alias 'CUCM1.mydomain.net;transport=tls;lr'"

So autogenerated Search Rule was responsible for pattern match. When your CSF is trying to use TLS, there is no match with that pattern, so registration was denied, because rule is looking for CUCM1.mydomain.net;transport=TCP and REGISTER message was not forwarded to CUCM.

Workaround in my case is simple - change Device sec profile to unsecure. Now I have CSF registered from internet.

Danny Wong said...

Congrats mate!

Valentine Sondoyi said...

Hi Danny

Thanks for the wonderful blog. Was an eye opener on a number of issues.

Our Environment has Exp-E X8.2.1, CUCM 10.0, TP C40, with jabber clients for all supported platforms.

Our design is to deploy Exp-E in DMZ and use it for MRA to CUCM and the C40 for video conferences between jabber based users and those within the organisation.

I need to know if for the Jabber users, we just point to the external DNS name of Exp-E? I added the sub and pub as neighbours in the zones and some search rules were auto generated. I have still configured a traversal to the pub but not sure if it's required. We have licenses for advanced networking and rich media plus a number of traversal.

I added some zones for ext and int DNS but on the search rules under dialing, there is no pattern or prefix matching available. Not sure if you have come across this?

Kindly help us.

SKVL

Danny Wong said...

For Jabber it will auto service discover depending on whether you are inside the organization or external. If the Jabber client is connected within your corporate network, your internal DNS will return cup-login and cisco-uds SRV to your Jabber client. If you are outside the office, your external DNS should return the collab-edge SRV record, which directs your registration traffic to Exp-E and then into your enterprise.

For the search rule what did you see from the search history?

yu zhao said...

Thanks for a great write up.

I saw you created a new SIP security profile 5062 but didn't see where you used it. I understand that 5060/5061 are to be used for proxy registration. So I am wondering whether the SIP trunk should be using 5062 instead of 5060? So should the security profile be the one you created?

Tian wang said...

Hey Expert, I just deployed the Collab-edge at home lab, they are UC&IMP 10.5, VCS-C&E X8.5.1, two DNS servers are located in different subnets, single NIC on VCS-C&E.
Jabber client works only internal network if moved to External network, it shows "your username or password is not correct". I also check the logs on VCS-E "traffic_server[10969]: Event="Request Failed" Detail="Access denied" Reason="Host is not in allow list" Host="vcs_control.ccielab.com" URL="Y2NpZWxhYi5jb20/get_edge_config" UTCTime="2015-03-03 19:06:19,272""
Not sure if you have any idea, but thanks in advance.

Danny Wong said...

Did you create the _cuplogin and _cisco-uds DNS SRV records in your internal DNS server?

Danny Wong said...

How about _cuplogin in internal DNS?

Danny Wong said...

I don't see it in my lab, however I think there are several areas that you can look into and see if it helps:

1. Make sure both Exp-C and Exp-E have time synced with the same NTP source
2. Make sure the IM&P domain is added on Expressway.
3. Make sure cuplogin and cisco-uds SRV are ONLY resolvable internally but not externally.
4. Make sure collab_edge SRV is only resolvable externally but not internally

Are you using the same domain name for internal and external?

Matteo said...

Hi Danny, great job with your guide, but I have the same issue as Tian Wang.

I just deployed the Collab-edge at customer site, they are UC&IMP 10.5.2, VCS-C&E X8.5.1, two DNS servers are located in different subnets, single NIC on VCS-C&E.

Jabber client works only internal network if moved to External network, it shows "your username or password is not correct". I also check the logs on VCS-E "traffic_server[10969]: Event="Request Failed" Detail="Access denied" Reason="Host is not in allow list" Host="vcs_control.coop.com" URL="Y2NpZWxhYi5jb20/get_edge_config" UTCTime="2015-03-03 19:06:19,272""

User domain is different from Expressway domain:
Example expressway domain: novacoop.com
User that logs in to the Jabber client: firstname.lastname@coop.com

Public Record SRV map domain @coop.com to the Public DNS of the Expressway-E server that is: exwe.novacoop.com

No documentation found about that issue on Cisco Guide

Can you help me please?

Thank you very much.

Regards

Juan Carlos Ramos said...

Hi Danny,

I'm working with the config of RMA but I have had many problems with openssl.
I have tried to follow step by step your guide with openssl.
I'm working with windows version.

e.g. touch command is not accepted

in step 8 I don't understand the
v3_ca after -extensions.

regards

Danny Wong said...

Matteo, in your Exp-C > Configuration > Unified Communications > HTTP server allow list, did you see your UCM in the auto config allow list?

Danny Wong said...

Juan, I haven't tried OpenSSL on Windows, however I think the command is the same. Touch is a linux command to create an empty file, you can do it easily on Windows with UI.

Juan Carlos Ramos said...

Hi Danny:

I have another question in section to create a jabber.xml 10.1.90.51 and 10.1.90.10 IP addresses to whom they belong?

Juan Carlos Ramos said...

Hi Danny,

Regarding Certificate and CA, in step 2 when you define the Expressway E SAN, the line about the edge SRV record is:

_collab-edge._tls.pandaeatsbambo.com.

Why is just the internal domain included for this SRV record?

Also I see that Expc is defined for one domain (external) but ExpE is defined for two domains.

In Expc I do not see the external domain but in ExpE I see internal and external.

Why those differences?

regards

Astral said...

Hello Danny,
I have the same problem as Tian and Matteo
Scenario is similar to Matteo

Thanks for your time to reply.

jhuizi said...

Hi,

Did anyone solve the: Detail="Access denied" Reason="Host is not in allow list" error?
I have the same, although everything seems OK.

Thanks

Danny Wong said...

@Juan 10.1.90.51 is my server hosting the directory photo, 10.1.90.11 is my UCM

Danny Wong said...

@jhuizi

Please try the following and see if it solves your issue

1. Make sure both Exp-C and Exp-E have time synced with the same NTP source
2. Make sure the IM&P domain is added on Expressway.
3. Make sure cuplogin and cisco-uds SRV are ONLY resolvable internally but not externally.
4. Make sure collab_edge SRV is only resolvable externally but not internally
5. Exp-C > Configuration > Unified Communications > HTTP server allow list, make sure your UCM in the auto config allow list

Hope it helps.

Lestat said...

Hello,

Thanks for this information, is wonderful.

My question is about if it is possible to set up this scenario without IM & Presence, just jabber for call?

BR

Danny Wong said...

IM/P is not a must, you can use Jabber phone mode in MRA.

Filo said...

Hi Danny,

We have already loaded certificates in CUCM, presence, ExpC and EXpE servers, we have unified communications traversal zone UP.

Now we are configuring service discovery on internal and external DNS, but something caught my attention regarding the end user's DNS server.

The end user has internal and external domains on the same server; in our scenario the internal domain and external domain are different.

We need to follow your recommendation regarding the SRV records _cisco-uds and _cuplogin that must be resolvable internally.

I'm confused about how to define these SRV records on the internal domain if the external domain is on the same server.

Any recommendation or reference?

regards

Danny Wong said...

I have two separate name servers, one for internal and one for external. The external one is a BIND named server which works as the authoritative name server for the domain. For the internal server I am using a Windows server; I created a zone with the external domain and just created the 2 SRV records (cuplogin, cisco-uds). All internal clients are pointing to the internal name server. External clients via MRA will resolve the SRV record from the authoritative external named server.

lestat said...


When I try to upload cacert.pem this is the result:

File uploaded: CA certificate file uploaded. File contents - Certificates: 1, CRLS: 0.

Monika Gupta said...

This post is likeable, and your blog is very interesting, congratulations :-)

SpeedPerformance said...

Hi there,

Just a question, under the Configuring a neighbor zone on Expressway for Unified CM, at the end you mentioned that you can then configure a search rule back to your call manager, what do you mean and in why do you need to configure a search zone back to your call manager? If all I need is just to be able to do outbound SIP URI calling and not inbound SIP URI calling, do i still need to configure that search rule?

Thanks
Khai

Eparukpa said...

Hi,
this is cool, it will really be helpful in the B2B I intend to deploy.

Thanks
Essien

patolinx said...

Hi,
Thanks for your time writing this tutorial.

kind regards.