Deploying Cisco Collaboration Edge – Updated

Update

Collab Edge is now supported.  The official Mobile-Remote-Access-via-Expressway-Deployment-Guide is located here.

I’m updating this document to reflect changes made in Expressway-C/E 8.1 that make importing the certificates MUCH easier.

Introduction

This document explains how to deploy Collaboration Edge with on-prem presence (IM&P/CUP) on a non-redundant set of Expressway-E and C VMs.  Deploying with WebEx Messenger is not covered here, but the bulk of the configuration is the same as far as the Expressway piece.

The biggest challenge in the initial deployment was finding all of the necessary documentation!  Things you need to know like certificate chaining, or OpenSSL are in various docs.  I’ve linked all of the documents that I used and tried to summarize things to make it quicker to deploy.

What you’ll need to deploy Collaboration Edge today:

  • CUCM 9.1(2)+
  • IM&P (CUP) 9.1+
  • VCS or “Expressway” X8.1.1+
  • A Collaboration Edge enabled Jabber client:  Cisco Jabber for Windows 9.7+, Cisco Jabber for iOS 9.6, Jabber for Android 9.6+ or Cisco Jabber for MAC 9.6+
  • Updated jabber-config.xml on CUCM with RemoteAccess turned on  (This is no longer required for Jabber 9.6+)
  • Two certificates (one for VCSe another for VCSc) – either signed by your own CA (OpenSSL or similar) or  publically signed certs like GoDaddy, Verisign, etc.

A few notes about nomenclature:

Collaboration Edge is the architecture umbrella term for the VCS/Expressway edge proxy for CUCM-registered clients (Jabber  and TC7.0 TP units).  It’s commonly used to refer to the Jabber piece of it, but will support endpoints too.  (The DX650 will support Collaboration Edge in a future release of firmware.  Traditional IP phones will not be supported, they will use VPN Phone or CUBE lineside proxy.)

Mobile and Remote Access (MRA) is the term used in VCS/Expressway documentation for the VPN-less Jabber (and CUCM-registered TC7.0 endpoint) proxy feature.

Cisco Expressway-Edge is the same software as VCS-Expressway, just packaged for CUCM registered endpoints.  Expressway-Edge is a VCS-Expressway that is deployed as a Mobile and Remote Access proxy or for traversal calls for CUCM registered endpoints.  There is a license file actually changes the title to say “Expressway-E” when it is loaded.  In the rest of the document, I will refer to VCS-Expressway, VCS-E, Expressway-Edge, Expressway-E as Expressway-E since we are primarily talking about MRA.

Expressway-Core is the same story.  It is VCS-Control software deployed as an MRA proxy only with the Expressway-C license loaded.  We call it VCS-Control when it is licensed for device registration, non-traversal calls, FindMe, and other features like Lync interop.  For purposes of this document I’ll call it the Expressway-C below.

Customers with a valid UCSS contract for UCL-Enhanced, CUWL-STD, or CUWL-PRO are entitled to Expressway-Edge and Expressway-Core for free (for MRA) and their license will reflect the Expressway names.  Licenses are charged for the other VCS features mentioned above.  Licenses are required and have a cost for B2B/B2C (Jabber Guest) calls through Expressway-C/E  Each box requires one media session license to get a session through.

VCS-C and VCS-E can have the MRA features turned on and run on a pair and do both functions.  We are still awaiting clarification as to when you must break these apart and run a separate set of VCS (for B2B, interop) and Expressway (for MRA) servers.  (Update:  VCS is supported for limited sized deployments.)

Expressway licenses should be orderable via PUT, or you can use your existing VCS severs by upgrading to X8.1.  (Update: I posted a later post that discusses what to order.)

Prepare CUCM for MRA

1) Create an AXL user if you don’t already have one on CUCM and IM&P.  There’s a good guide here –http://www.uplinx.com/cleanuptool/userguide/index.htm#page=Enable_AXL_on_CUCM.htm

2) Decide if you want to deploy valid security certificates on CUCM, IM&P and CUC.  You will likely want to do this independent of Collaboration Edge as all of the Jabber clients are no longer trusting self-signed certificates.  By providing a publicly trusted cert, Jabber won’t throw Invalid Certificate errors as you log in.  Granted they are only shown once during the very first login if the user accepts them on each client.  If you do put certificates on those components I’d suggest getting them for a 5-year term so you aren’t dealing with it in a year when the certificates expire.

Directory Lookup Considerations

 

MRA only supports UDS as the directory lookup service.  If you are inside you can use LDAP (EDI/BDI), outside UDS.

Jabber-config.xml Update for 9.6 clients

Update:  This section is no longer required as current versions of the clients (Win 9.7, iOS 9.6.1, Android 9.6, OS X 9.6) to do MRA by default, negating the requirement to pull the jabber-config.xml file first (expect in the case of split internal/external domains).


CUCM UC Service Profiles

Make sure that you’ve configure CUCM UC Service Profiles (this should have been done as part of your initial IM&P/CUP deployment and won’t be covered here) and assigned them to the end users.

Deploy Expressway OVAs

For new installations, you’ll need to download and deploy OVAs – http://www.cisco.com/en/US/docs/voice_ip_comm/expressway/install_guide/Cisco-Expressway-Virtual-Machine-Install-Guide-X8-1.pdf – See my previous post about upgrading to X8.1 if you’ve already got VCS installed – here

Recall there is a single OVA that does both Expressway-E/C and VCS-E/C that you need to deploy — it’s just a matter of how you configure and license (request via PUT as mentioned above) it as to what it is called.  Download the OVA from Cisco here

You’ll deploy the Expressway-C on your internal network (presumably on the same VLAN as CUCM and other UC components)  e.g. 10.10.1.30

You’ll deploy Expressway-E one of two ways.  Either on a stick in your DMZ (perhaps 10.99.99.30), or two-legged with the external interface in the DMZ network (e.g. 10.99.99.30 – or on your public address space), and the internal interface on the internal network (presumably on the same VLAN as Expressway-C and other UC components – e.g. 10.10.1.31).

You’ll need to trunk your DMZ to your ESXi host if you haven’t, or figure out how to deal with getting the Expressway-E external  (LAN2) interface in the DMZ network.

Once the VM’s are deployed edit the Expressway-E VM settings to put LAN2 in the DMZ network (alternately you can put LAN2 on the inside and LAN1 in the DMZ).  If you don’t see options for the second NIC, or options for NAT, you are missing the Advanced Networking license.  You need this in order to have it two legged, or do NAT.

Firewall Configuration

I don’t know how long I wasted on my first install because I forgot to modify the ACL to include the additonal ports that MRA requires.  I just assumed that beause VCS was working for B2B that it would work for MRA.  Not the case!

You’ll need to configure NAT on your firewall from a public IP address outside your network to the DMZ address of Expressway-E, or do 1:1 public to your DMZ if you’ve deployed it with a public address.

Look at p.258 of the Expressway Admin Guide for a concise list of ports.

 

A couple notes about DNS records

You will need two DNS servers for MRA to function properly.  Jabber decides if it is inside the network or outside the network depending on what SRV records it can resolve.  Depending on what records it resolves it will either try to use MRA or it will directly connect to CUCM/IM&P.

Internal DNS Server

Create two A records:

  • sjc-expressway-edge-01.domain.com A – (make this name whatever you want) Pointing to the INSIDE interface of Expressway-E for two-legged deployments, or pointing to the DMZ address if it’s on a stick.  The record is used by Expressway-C to lookup and validate the certificate against.  You will use this hostname anywhere you are asked for the expressway server’s name whe configuring the C server.
  • sjc-expressway-core-01.domain.com A – (any name you want) Pointing to Expressway-C.

Create two SRV records:

  • _cisco-uds._tcp.domain.com SRV 0 0 port 8443 – Pointing to CUCM.  (NOT IM&P!)
  • _cuplogin._tcp.domain.com SRV 0 0 port 8443 – Pointing to IM&P  (TBD if this is really required for Jabber 9.6 with IM&P 9.1 – I don’t believe it actually is)

When you launch Jabber, if it can resolve these DNS records, it knows it’s inside and pulls the service profile directly from CUCM and logs in to IM&P and CUCM.

External DNS Server

Create one A record:

  • sjc-expressway-edge-01.domain.com A – (any name you want) Pointing to the public address assigned (or NATted) to your Expressway-E.

Create one SRV record:

  • _collab-edge._tls.domain.com SRV 0 0 8443 – Pointing to Expressway-E (in our case sjc-expressway-edge-01.domain.com)

Configure Expressway-Edge and Expressway-Core

Follow this chapter of the Expressway Admin Guide  – Mobile and Remote Access (feature preview) beginning at p.52 but stop half-way down p.56 (before the beginning of the Certificates section).

A couple notes:  I did not enable TLS verify mode on my CUCM and IM&P server definitions because just wanted to get it up and running.  I’m suggesting putting real certs on CUCM, IM&P, and CUC, and turning TLS verify on, but this can be done later.

The admin guide is located here (p.52-56):

http://www.cisco.com/en/US/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-1.pdf

Certificates

Valid CA-signed certificates are required to setup the traversal zone for MRA.  You can either get public ones, or sign your own with your own CA.  I’ve done it both ways.  The major reason for a valid trusted CA-signed certificate is to stop Jabber from throwing a certificate warning on the initial MRA login to Expressway-E itself.  I highly recommend deploying a publicly trusted CA signed certificate.

Update:  This is fixed in Expressway 8.1.1  Ignore this section below:

Deprecated instructions for VCS 7.x:   The best document out there is this WebEx enabled Telepresence VCS Config document that describes how to chain up the intermediate cert properly here – http://www.cisco.com/en/US/docs/telepresence/infrastructure/tms/config_guide/webex_enabled_telepresence/cts_webex_vcse_cert.html

When importing the CA trusted certs, the key is to make sure the intermediate cert appears in the CA trust list ABOVE the root cert.

 

Expressway 8.1 Certificates

You will need to get a specific type of certificate, the multi-SAN (subject alternative names) also called a UCC certificate). 

Expressway-C CSR will be generated with the IM&P, and CUCM SANs.

Expressway-E needs the server itself and domain only as a SAN.

See the Expressway Certificate Guide for detailed information.

For Expressway-E follow this basic flow:

  1. Generate CSR
  2. Add UC Domain (domain.com) and XMPP server information
  3. Download the CSR
  4. Upoad the CSR file to the CA to get the certificate signed
  5. Get the signed server PEM and the root/intermediate chain PEM back from the CA.
  6. Upload the signed server cert to Expressway-E under Maintenance | Security Certificates | Server Certificate
  7. Break apart the CA-intermediate-root certificates into individual PEMs for import – See the WebEX instruction for VCS 8.1 to learn how to do this.
  8. Import into the Trusted CA certificate list: the top-level cert (“CA”), then the root cert, then the intermediate cert found under Maintenance | Security Certificates | Trusted CA Certificates
  9. Reboot to make them active.

Follow the Webex instructions to break apart the CA-intermediate and root PEM into individual certs using Windows so that you can import them into the CA trusted cert list properly.

Repeat this procedure for Expressway-C.

For the customers that I’ve worked with using GoDaddy certificates.  I’ve worked with four certificates – Go Daddy Class 2 CA; Go Daddy Root Certificate Authority – G2; Go Daddy Secure Certificate Authority – G2; the server certificate itself.

I used Chrome on Windows to export the three Go Daddy certificates individually to Base 64 .PEM and then loaded them into the Expressway-E/C trusted CA list.  This worked perfectly for me after loading and rebooting the servers.  The UC traversal zones came right up.

 

Sign your own using OpenSSL if you’d like

If you want to use OpenSSL to create your own CA cert and sign your CSR, it is actually easier than you’d think.

Start at the bottom of p.13 of this document –

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf

You’ll follow the procedure twice.  Once for Expressway-E and once for Expressway-C.  Take the CA root cert that you generated and import it into the trusted list on both boxes, and then import your signed server cert on the appropriate box.

Traversal Zone Configuration

Resume the configuration tasks in the Admin guide on p.58 making sure to put the proper settings for both Expressway-E and Expressway-C.

If your certificates are good, you will see the traversal zone go active on both servers under Status | Unified Communications.  If not, double-check your configuration settings, and double-check your certificates.

Troubleshooting Zone Configuration

If the zone won’t go active and you think it looks good, check the logs to see what is happening.  My initial attempt where the certificates were not chained properly showed a continuous loop of TLS failures.  When I had my Expressway-C pointing to the external public address instead of the inside interface of Expressway-E, TLS looked good and even the SSH tunnel showed “up” but traffic wasn’t actually flowing.

The best place I found to troubleshoot this stuff was by putting the Expressway-C and E in “Devel mode” to enable the Experimental menu.  (Instructions for this are found on p.207 of the admin guide.)  The reason for this is because the CollabEdge/MRA feature is still considered experimental.  You need to look at the Developer Logs.  You can enable them for debug level as well as collect a tcpdump.

HTTP Whitelisting

 

Make sure to add your Unity Connection, and any other servers that Jabber needs access to.   Unity Connection requires it for Visual Voicemail to work.

Launch Jabber 9.6 internally

Update:  No longer required unless you are doing separate internal and external domains. (I’ll detail this in a later post.)

Launch Jabber on your client device on the inside network (so that it has direct access to CUCM/IM&P).  When you enter your email address Jabber should automatically discover your servers (using the before setup internal DNS SRV records).  If Jabber does not auto-discover, troubleshoot your SRV records.  The easiest method is to use dig or nslookup.

The quick nslookup method is to:

  1. Launch the program,
  2. Make sure it shows your internal DNS servers (that your device should be pulling via DHCP scope options)
  3. Enter set type=SRV, then type _cisco-uds._tcp.domain.com.  This should resolve to the hostname of CUCM, or the IP address of it.
  4. If using the hostname, exit nslookup and try to ping the hostname.

Once you enter your credentials you will likely be presented with several invalid certs to accept, and your client should connect and have IM, Presence, CUCM, CUC, and be able to IM and do voice/video calls.

Sign out and close Jabber

Launch Jabber 9.6 externally

 

Disconnect from your internal network and make sure your device is outside your network where a) it cannot resolve the internal SRV records, and b) it can resolve the external _collab-edge SRV record and access your Expressway-E from the outside.

Launch Jabber on your device.  Jabber will attempt to resolve _cisco-uds._tcp.domain.com and will fail to do so.  It will also attempt to resolve _cuplogin._tcp.domain.com and will fail.  It will then attempt to resolve _collab-edge._tls.domain.com and get pointed to the public IP address of Expressway-E.

It will then connect to Expressway-E, and a if everything is configured properly it will login and you’ll show connected to IM, CUCM and CUC!

Notes about iOS

 

On iOS the timeout for attempts to login is MINUTES long.   Be very patient for it to either succeed or fail.  It can take a significant amount of time to login successfully on the 9.6 build.  9.6.1 is supposed to be much faster.

If your login fails, click the Send Error Report and email it to yourself.  Open the ZIP file and look through (going from bottom to top) to see where the errors are.  The logs will include more than just the current login attempt, so note the time when you are attempting to login and look at the timestamps in the log.  This is critical so that you aren’t troubleshooting an old login that isn’t relevant to your current problem.

From my experience:

  • When I had firewall issues, I was seeing CONNECTION_TIMEOUT errors when trying to login via MRA, but not when I was inside.
  • When I had neglected to enable RemoteAccess in jabber-config.xml I was seeing RemoteAccess Policy errors.

Summary

I’m impressed with the ability to finally be able to do voice/video calls from anywhere!  It’s about time.  Collab Edge is still considered a Feature Preview by Cisco and isn’t TAC supported yet.  Please send me questions that you have as you attempt to deploy it.

-Mike

274 thoughts on “Deploying Cisco Collaboration Edge – Updated

  1. Hi Mike,

    I fear this topic here is focused know-how pool of the inner workings of the collaboration edge infrastructure so I am posting my question here. 🙂

    With the recent Openssl bug (https://www.openssl.org/news/secadv_20140407.txt) and the tunneling done on the VCS, which systems could be involved in the any SSL termination? All (VCSe, VCSc, CUCM, CUC, CUPS) of them? Or better said, which internal devices have their Openssl based daemons exposed to the internet?

    -Danny

  2. Hi Mike,

    When I try to login from internet, Jabber Client automatically choose Webex Messenger because my company’s domain is registered to Webex. How do I resolve this issue since I want Jabber to connect to IM&P instead of Webex? I’ve already setup SRV records, and I can login from internal without problem

  3. Can you give me a suggestion what should I look to troubleshoot the call? My Exp-Edge use one leg with static NAT enabled. I have open my firewall just to test connectivity first.
    1. From outside, I can only ring the device which is registered to CUCM, but after I pick up the call, I can’t hear any voice from both parties. (type traversal, SIPSIP)
    2. From inside, when I call the device which is registered through expressway. I see on Expressway call log, it try to connect using TLS (I only setup TLS connection between Control and Edge. Contrary to this, call from outside to inside is made using TCP by examine the log) ,then it fails with service unavailable status. (type Non Traversal, SIPSIP)

    I’m using Jabber Android for outside, and Jabber windows 9.7 for inside.

  4. Mike,

    Can you give some insight on how the internal client would know how to use the internal AD servers and the external client would know how to use the UDS especially when they have the same jabber-config.xml file? Looking forward to your reply! Thanks!

  5. Hi Mike,

    upgraded my cisco callmanager to 9.1.2SU1 (Previous version 9.1.1a) and add UDS COP file and now i have problem to login internal (via finding service , Manual is OK)

    Any advice

    Thanks for your help

    ——————————LOG——————————————-

    [csf.edge.capability.EdgeCapabilityPolicy][enforce] Enforcing policy 0
    — 2014-04-15 00:27:54.584 INFO [b0f5000] – [csf.edge.capability.EdgeTransitionDetectionControllerWrapper][enableEdge] Edge is going to be enabled for this object
    — 2014-04-15 00:27:54.584 INFO [b0f5000] – [csf.edge.capability.EdgeTransitionDetectionControllerWrapper][enableEdge] Edge has been enabled
    — 2014-04-15 00:27:54.585 DEBUG [b0f5000] – [csf.edge.capability.EdgeCapabilityPolicy][enforce] Policy enforced
    — 2014-04-15 00:27:54.585 INFO [b0f5000] – [csf.edge][enqueue] EdgeTransitionDetectionController enqueuing event NetworkActivity
    — 2014-04-15 00:27:54.585 DEBUG [b0f5000] – [csf.httpclient][isVcs407Response] result: 0
    — 2014-04-15 00:27:54.585 DEBUG [b0f5000] – [csf.httpclient][isVcse502Response] result: 0
    — 2014-04-15 00:27:54.588 DEBUG [b0f5000] – [csf.httpclient][executeImpl] The total size of the data received is: 365, the size of the response body is: 365
    — 2014-04-15 00:27:54.588 DEBUG [b0f5000] – [csf.httpclient][executeImpl] Exiting executeImpl()
    — 2014-04-15 00:27:54.589 DEBUG [b0f5000] – [csf.httpclient][~HttpRequestData] Destroying instance of Request data, with request: 5
    — 2014-04-15 00:27:54.590 DEBUG [b0f5000] – [csf.config][doGet] Finished GET request.
    — 2014-04-15 00:27:54.590 INFO [b0f5000] – [csf.config][mapToHttpUtilsResult] csf::http::HttpClientResult=[SUCCESS] HttpUtilsResult=[SUCCESS]
    — 2014-04-15 00:27:54.590 DEBUG [b0f5000] – [csf.config][run] Response body: Cisco User Data Service9.1.2Cisco Unified Communications ManagerCisco Enterprise License Manager

    — 2014-04-15 00:27:54.594 DEBUG [b0f5000] – [csf.config][parseChildElementsAsNameValuePairs] result : SUCCESS for xpath : /versionInformation
    — 2014-04-15 00:27:54.594 DEBUG [b0f5000] – [csf.config][parse] Number of elements found: 4
    — 2014-04-15 00:27:54.594 DEBUG [b0f5000] – [csf.config][parse] Checking name, Cisco User Data Service
    — 2014-04-15 00:27:54.595 DEBUG [b0f5000] – [csf.config][parse] Element is not a valid UDS server.
    — 2014-04-15 00:27:54.595 DEBUG [b0f5000] – [csf.config][parse] Checking version, 9.1.2
    — 2014-04-15 00:27:54.596 DEBUG [b0f5000] – [csf.config][parse] Found UDS Server Version: 9.1.2.
    — 2014-04-15 00:27:54.596 DEBUG [b0f5000] – [csf.config][parse] Checking installedProducts/product, Cisco Unified Communications Manager
    — 2014-04-15 00:27:54.596 DEBUG [b0f5000] – [csf.config][parse] Element is not a valid UDS server.
    — 2014-04-15 00:27:54.597 DEBUG [b0f5000] – [csf.config][parse] Checking installedProducts/product, Cisco Enterprise License Manager
    — 2014-04-15 00:27:54.598 DEBUG [b0f5000] – [csf.config][parse] Element is not a valid UDS server.
    — 2014-04-15 00:27:54.598 DEBUG [b0f5000] – [csf.config][BlacklistAddress] Created BlacklistAddress with request: https://10.251.1.10:8443/cucm-uds/version (FQDN: 10.251.1.10, Hostname: 10.251.1.10) and matching type URL.
    — 2014-04-15 00:27:54.599 DEBUG [b0f5000] – [csf.config][run] The version of UDS server ( 10.251.1.10:8443) is 9.1.2
    — 2014-04-15 00:27:54.599 WARNING [b0f5000] – [csf.config][isEmailUpnLookupSupported] Invalid Uds Version: 9.1.2
    — 2014-04-15 00:27:54.600 DEBUG [b0f5000] – [csf.config][run] Identifier:Username will be used for LocatorUdsQuery.
    — 2014-04-15 00:27:54.600 DEBUG [b0f5000] – [csf.config][doGet] About to send GET Request.
    — 2014-04-15 00:27:54.601 DEBUG [b0f5000] – [csf.httpclient][RequestWrapper] Constructing RequestWrapper with originalUrl: https://10.251.1.10:8443/cucm-uds/clusterUser?username=soporte@domain.com.pe
    — 2014-04-15 00:27:54.601 DEBUG [b0f5000] – [csf.httpclient][updateCertDisplayId] no change in cert display identifier
    — 2014-04-15 00:27:54.602 DEBUG [b0f5000] – [csf.httpclient][HttpRequestData] Created new instance of transfer data, with request: 6
    — 2014-04-15 00:27:54.605 DEBUG [b0f5000] – [csf.common.PolicySet][getPolicy] Searching a policy with nature EDGE_USAGE
    — 2014-04-15 00:27:54.606 DEBUG [b0f5000] – [csf.common.PolicySet][getPolicy] Policy found
    — 2014-04-15 00:27:54.606 INFO [b0f5000] – [csf.httpclient][execute] About to enforce Edge policy with Url: https://10.251.1.10:8443/cucm-uds/clusterUser?username=soporte@domain.com.pe
    — 2014-04-15 00:27:54.606 DEBUG [b0f5000] – [csf.netutils][getGlobalEdgeState] Getting GlobalEdgeState
    — 2014-04-15 00:27:54.607 DEBUG [b0f5000] – [csf.edge][checkConnectivity] Acquired scoped lock (connectivityMutex_)
    — 2014-04-15 00:27:54.607 INFO [b0f5000] – [csf.edge][isInternalConnectivityAvailable] Internal Connectivity: 1
    — 2014-04-15 00:27:54.607 DEBUG [b0f5000] – [csf.netutils][getGlobalEdgeState] Getting GlobalEdgeState
    — 2014-04-15 00:27:54.607 DEBUG [b0f5000] – [csf.edge][checkConnectivity] Acquired scoped lock (connectivityMutex_)
    — 2014-04-15 00:27:54.608 INFO [b0f5000] – [csf.edge][isInternalConnectivityAvailable] Internal Connectivity: 1
    — 2014-04-15 00:27:54.608 INFO [b0f5000] – [csf.httpclient][execute] Edge policy enforced successfully with transformed Url: https://10.251.1.10:8443/cucm-uds/clusterUser?username=soporte@domain.com.pe
    — 2014-04-15 00:27:54.608 DEBUG [b0f5000] – [csf.httpclient][updateCertDisplayId] no change in cert display identifier
    — 2014-04-15 00:27:54.609 DEBUG [b0f5000] – [csf.httpclient][executeImpl] Entering executeImpl()
    — 2014-04-15 00:27:54.609 INFO [b0f5000] – [csf.httpclient][configureEasyRequest] Configuring a CURL Easy request for: https://10.251.1.10:8443/cucm-uds/clusterUser?username=soporte@domain.com.pe
    — 2014-04-15 00:27:54.609 INFO [b0f5000] – [csf.httpclient][CurlHeaders] Number of Request Headers : 0
    — 2014-04-15 00:27:54.610 DEBUG [b0f5000] – [csf.httpclient][configureEasyRequest] Checking for proxy information…
    — 2014-04-15 00:27:54.611 DEBUG [b0f5000] – [csf.httpclient][configureEasyRequest] System Proxy will not be used
    — 2014-04-15 00:27:54.611 DEBUG [b0f5000] – [csf.httpclient][configureEasyRequest] No proxy information available [6].
    — 2014-04-15 00:27:54.611 DEBUG [b0f5000] – [csf.httpclient][configureEasyRequest] Setting connect timeout value in milliseconds to : 60000
    — 2014-04-15 00:27:54.612 DEBUG [b0f5000] – [csf.httpclient][configureEasyRequest] Setting transfer timeout value in milliseconds to : 120000
    — 2014-04-15 00:27:54.612 DEBUG [b0f5000] – [csf.httpclient][configureEasyRequest] HTTP Request Configured
    — 2014-04-15 00:27:54.612 DEBUG [b0f5000] – [csf.httpclient][performCurlRequest] About to perform curl connection request…
    — 2014-04-15 00:27:54.730 INFO [b2b8000] – [csf.netutils][beginBackgroundTask] Call to beginBackgroundTaskWithExpirationHandler returned 1
    — 2014-04-15 00:27:54.730 INFO [b2b8000] – [csf.edge][doNetworkSensing] DetectDirectConnectUnavailable.Monitoring: Will probe internal network visibility, old timestamp: 0, now: 1397521674.443277
    — 2014-04-15 00:27:54.731 INFO [b2b8000] – [csf.dns][makeDnsQuery] About to make a dns request against _cisco-uds._tcp.domain.com.pe.
    — 2014-04-15 00:27:54.731 INFO [b2b8000] – [csf.dns][makeQuery] Making an SRV record request. _cisco-uds._tcp.domain.com.pe.
    — 2014-04-15 00:27:54.733 INFO [b2b8000] – [csf.dns][makeDnsQuery] The answer count is 1
    — 2014-04-15 00:27:54.733 DEBUG [b2b8000] – [csf.dns][parseSingleAnswerRecord] Parsed SRV Record Request result.
    — 2014-04-15 00:27:54.734 DEBUG [b2b8000] – [csf.dns][parseResults] Parse Succeeded.
    — 2014-04-15 00:27:54.734 INFO [b2b8000] – [csf.edge][logSensorEvaluation] EnterpriseNetworkSensor strategy FindCiscoUdsRecord evaluated to true
    — 2014-04-15 00:27:54.734 INFO [b2b8000] – [csf.edge][doNetworkSensing] DetectDirectConnectUnavailable.Monitoring: Did see internal network
    — 2014-04-15 00:27:54.736 INFO [b2b8000] – [csf.netutils][markProgress] Progressing through background task MonitoringState.doNetworkSensing, id 1, iOS applicationState: Active, backgroundTimeRemaining: (large)
    — 2014-04-15 00:27:54.737 INFO [b2b8000] – [csf.edge][processEvent] EdgeTransitionDetectionController processing Event: NetworkActivity
    — 2014-04-15 00:27:54.737 INFO [b2b8000] – [csf.edge][logIgnoringEvent] DetectDirectConnectAvailable.Idle: Ignoring event NetworkAccessOpportunity
    — 2014-04-15 00:27:54.738 INFO [b2b8000] – [csf.edge][runEventLoop] Reactor event loop entering wait()
    — 2014-04-15 00:27:54.741 DEBUG [b0f5000] – [csf.httpclient][curlHeaderCallback] Header callback (17). – HTTP/1.1 200 OK

    — 2014-04-15 00:27:54.742 DEBUG [b0f5000] – [csf.httpclient][curlHeaderCallback] New response, removing 0 previous headers
    — 2014-04-15 00:27:54.742 DEBUG [b0f5000] – [csf.httpclient][curlHeaderCallback] Finished appending the header.
    — 2014-04-15 00:27:54.743 DEBUG [b0f5000] – [csf.httpclient][curlHeaderCallback] Header callback (29). – X-Frame-Options: SAMEORIGIN

    — 2014-04-15 00:27:54.743 DEBUG [b0f5000] – [csf.httpclient][curlHeaderCallback] Finished appending the header.
    — 2014-04-15 00:27:54.744 DEBUG [b0f5000] – [csf.httpclient][curlHeaderCallback] Header callback (31). – Content-Type: application/xml

    — 2014-04-15 00:27:54.750 INFO [b0f5000] – [csf.edge.capability.EdgeDetectionControllerWrapper][getNetworkTransitionDetectionController] Getting a wrapping of the stored EdgeTransitionDetectionController
    — 2014-04-15 00:27:54.750 DEBUG [b0f5000] – [csf.edge.capability.EdgeAccessDirector][getInstance] Registering this as a DefaultPoliciesStore observer
    — 2014-04-15 00:27:54.750 DEBUG [b0f5000] – [csf.common.DefaultPoliciesStore][registerForDefaultPoliciesChanges] Registering an observer for policies changes
    — 2014-04-15 00:27:54.751 DEBUG [b0f5000] – [csf.edge.capability.EdgeAccessDirector][wrapIt] Wrapping an EdgeTransitionDetectionController
    — 2014-04-15 00:27:54.751 DEBUG [b0f5000] – [csf.edge.capability.EdgeAccessDirector][wrapIt] Received a wrapping request for a wrapped object. Returning the object untouched
    — 2014-04-15 00:27:54.751 DEBUG [b0f5000] – [csf.edge.capability.EdgeAccessDirector][instructWrapper] Instructing a wrapper on the EDGE_CAPABILITY policy
    — 2014-04-15 00:27:54.751 DEBUG [b0f5000] – [csf.common.PolicySet][getPolicy] Searching a policy with nature EDGE_CAPABILITY
    — 2014-04-15 00:27:54.752 DEBUG [b0f5000] – [csf.common.PolicySet][getPolicy] Policy found
    — 2014-04-15 00:27:54.752 DEBUG [b0f5000] – [csf.edge.capability.EdgeCapabilityPolicy][enforce] Enforcing policy 0
    — 2014-04-15 00:27:54.752 INFO [b0f5000] – [csf.edge.capability.EdgeTransitionDetectionControllerWrapper][enableEdge] Edge is going to be enabled for this object
    — 2014-04-15 00:27:54.753 INFO [b0f5000] – [csf.edge.capability.EdgeTransitionDetectionControllerWrapper][enableEdge] Edge has been enabled
    — 2014-04-15 00:27:54.753 DEBUG [b0f5000] – [csf.edge.capability.EdgeCapabilityPolicy][enforce] Policy enforced
    — 2014-04-15 00:27:54.753 INFO [b0f5000] – [csf.edge][enqueue] EdgeTransitionDetectionController enqueuing event NetworkActivity
    — 2014-04-15 00:27:54.754 DEBUG [b0f5000] – [csf.httpclient][isVcs407Response] result: 0
    — 2014-04-15 00:27:54.755 INFO [b2b8000] – [csf.edge][processEvent] EdgeTransitionDetectionController processing Event: NetworkActivity
    — 2014-04-15 00:27:54.755 INFO [b2b8000] – [csf.edge][logIgnoringEvent] DetectDirectConnectAvailable.Idle: Ignoring event NetworkAccessOpportunity
    — 2014-04-15 00:27:54.755 DEBUG [b0f5000] – [csf.httpclient][isVcse502Response] result: 0
    — 2014-04-15 00:27:54.755 DEBUG [b0f5000] – [csf.httpclient][executeImpl] The total size of the data received is: 236, the size of the response body is: 236
    — 2014-04-15 00:27:54.756 DEBUG [b0f5000] – [csf.httpclient][executeImpl] Exiting executeImpl()
    — 2014-04-15 00:27:54.756 INFO [b2b8000] – [csf.edge][runEventLoop] Reactor event loop entering wait()
    — 2014-04-15 00:27:54.756 DEBUG [b0f5000] – [csf.httpclient][~HttpRequestData] Destroying instance of Request data, with request: 6
    — 2014-04-15 00:27:54.757 DEBUG [b0f5000] – [csf.config][doGet] Finished GET request.
    — 2014-04-15 00:27:54.757 INFO [b0f5000] – [csf.config][mapToHttpUtilsResult] csf::http::HttpClientResult=[SUCCESS] HttpUtilsResult=[SUCCESS]
    — 2014-04-15 00:27:54.757 DEBUG [b0f5000] – [csf.config][run] LocatorUdsQuery is successful.
    — 2014-04-15 00:27:54.758 DEBUG [b0f5000] – [csf.config][run] Locator Uds request finished.
    — 2014-04-15 00:27:54.759 DEBUG [b0f5000] – [csf.config][parseAttributesAsNameValuePairs] attr name : found
    — 2014-04-15 00:27:54.759 DEBUG [b0f5000] – [csf.config][parseAttributesAsNameValuePairs] attr value : false
    — 2014-04-15 00:27:54.759 DEBUG [b0f5000] – [csf.config][parseAttributesAsNameValuePairs] result : SUCCESS for xpath : /clusterUser/result
    — 2014-04-15 00:27:54.760 INFO [b0f5000] – [csf.config][parseResult] No Home UDS Location found
    — 2014-04-15 00:27:54.760 ERROR [b0f5000] – [csf.config][parse] Failed to parse LocatorUdsResponse: NO_HOME_UDS_FOUND
    — 2014-04-15 00:27:54.760 WARNING [b0f5000] – [csf.config][getLocatorUdsInformation] LocatorUdsQuery has failed with result: NO_HOME_UDS_FOUND
    — 2014-04-15 00:27:54.760 ERROR [b0f5000] – [csf.config][convertLocatorUdsResult] locatorUdsResult=[NO_HOME_UDS_FOUND] ucmConfigResult=[FAILED_TO_FIND_HOME_UDS]
    — 2014-04-15 00:27:54.761 WARNING [b0f5000] – [csf.config][getUdsInformation] Ucm Locator query has failed with FAILED_TO_FIND_HOME_UDS
    — 2014-04-15 00:27:54.761 WARNING [b0f5000] – [csf.config][fetchXmlFileSet] No information available after doing a fetch.
    — 2014-04-15 00:27:54.761 DEBUG [b0f5000] – [csf.config][fetchXmlFileSet] Returning: FAILED_TO_FIND_HOME_UDS
    — 2014-04-15 00:27:54.761 INFO [b0f5000] – [csf.config][fetchXmlFileSet] Time taken to complete the ucm-config library fetchXmlFileSet(): 0 seconds.
    — 2014-04-15 00:27:54.762 INFO [b0f5000] – [service-discovery][authenticate] Ucm90 Library Returned with Code FAILED_TO_FIND_HOME_UDS
    — 2014-04-15 00:27:54.762 DEBUG [b0f5000] – [csf.httpclient][~BasicHttpClientImpl] Destroying a BasicHttpClientImpl object.
    — 2014-04-15 00:27:54.762 DEBUG [b0f5000] – [csf.httpclient][~HttpClientData] Destroying instance of Client data
    — 2014-04-15 00:27:54.763 DEBUG [b0f5000] – [csf.cert.ios][~iOSCertVerifier] iOS CertVerifier destructor
    — 2014-04-15 00:27:54.764 DEBUG [b0f5000] – [csf.config][~DnsProvider] De-initializing DNS Provider
    — 2014-04-15 00:27:54.766 INFO [b0f5000] – [csf.config][deInitialize] CSF Provided DNS Library De-initialized!
    — 2014-04-15 00:27:54.767 INFO [b0f5000] – [service-discovery][retrieveConfigImpl] resultCode FAILED_AUTHENTICATION
    — 2014-04-15 00:27:54.767 DEBUG [b0f5000] – [service-discovery][retrieveConfigImpl] Ucm90 Authentication has failed, setting ucm90 credentials as unverified for username : soporte@domain.com.pe
    — 2014-04-15 00:27:54.767 INFO [b0f5000] – [service-discovery][saveUcm90Credentials] Saving Ucm90 Credentials, verified 0
    — 2014-04-15 00:27:54.767 DEBUG [b0f5000] – [service-discovery][saveUcm90Credentials] Enqueuing saving of ucm90 credentials task onto dispatcher thread.
    — 2014-04-15 00:27:54.768 DEBUG [b0f5000] – [services-dispatcher][enqueue] ServicesDispatcher.enqueue: DiscoveryConfigRetriever::saveUcm90CredentialsInDispatcherThread
    — 2014-04-15 00:27:54.768 WARNING [b0f5000] – [service-discovery][mapUcm90ResultCodeToServiceDiscoveryResult] CUCM Result : Failed – Authentication error.
    — 2014-04-15 00:27:54.768 DEBUG [3ced118c] – [services-dispatcher][pumpNext] pumpNext.executing (DiscoveryConfigRetriever::saveUcm90CredentialsInDispatcherThread)
    — 2014-04-15 00:27:54.768 INFO [b0f5000] – [service-discovery][LogServiceInformationVect]
    No Service Discovery DNS records have been found.
    — 2014-04-15 00:27:54.769 INFO [3ced118c] – [service-discovery][saveCredentialsInDispatcherThread] Updating Ucm90 Credentials from Dispatcher Thread
    — 2014-04-15 00:27:54.769 DEBUG [3ced118c] – [csf-unified.services.system.CredentialsManager][GetCredentialsImplForService] ScopedLock to protect access to credentialsMap
    — 2014-04-15 00:27:54.769 INFO [3ced118c] – [csf-unified.services.system.CredentialsManager][GetCredentialsImplForService] Found credential object associated with the Authenticator ID: UCM90
    — 2014-04-15 00:27:54.770 DEBUG [3ced118c] – [csf-unified.services.system.CredentialsManager][UpdateCredentials] ScopedLock to protect access to credentialsMap
    — 2014-04-15 00:27:54.770 DEBUG [3ced118c] – [csf-unified.services.system.CredentialsManager][GetCredentialsImplForService] ScopedLock to protect access to credentialsMap
    — 2014-04-15 00:27:54.770 INFO [3ced118c] – [csf-unified.services.system.CredentialsManager][GetCredentialsImplForService] Found credential object associated with the Authenticator ID: UCM90
    — 2014-04-15 00:27:54.771 INFO [3ced118c] – [csf-unified.services.system.CredentialsManager][UpdateCredentials] Setting credentials for Authenticator [UCM90]
    — 2014-04-15 00:27:54.771 DEBUG [3ced118c] – [CredentialsImpl][setCredentials] Credentials set [authenticatorId=1000;synced=true;username=soporte@domain.com.pe;password=not empty;oAuthToken=empty;rememberMe=false;ssoMode=0;verified=false;userVerified=false]
    — 2014-04-15 00:27:54.771 INFO [b0f5000] – [service-discovery][evaluateServiceDiscoveryResult] ServiceDiscoveryHandlerResult return code FAILED_UCM90_AUTHENTICATION
    — 2014-04-15 00:27:54.771 DEBUG [3ced118c] – [csf-unified.services.system.CredentialsManager][saveCredentials] ScopedLock to protect access to credentialsMap
    — 2014-04-15 00:27:54.772 INFO [3ced118c] – [csf-unified.services.system.CredentialsManager][saveCredentials] Saving Credentials Profile: soporte@domain.com.pe
    — 2014-04-15 00:27:54.773 DEBUG [b0f5000] – [services-dispatcher][enqueue] ServicesDispatcher.enqueue: DiscoveryHandlerImpl::callOnAuthenticationFailedDiscoveryResultOnDispatcherThread
    — 2014-04-15 00:27:54.776 DEBUG [3ced118c] – [service-discovery][saveCredentialsInDispatcherThread] Ucm90 Credentials are saved.
    — 2014-04-15 00:27:54.776 DEBUG [3ced118c] – [services-dispatcher][pumpNext] pumpNext.executed (DiscoveryConfigRetriever::saveUcm90CredentialsInDispatcherThread)
    — 2014-04-15 00:27:54.777 DEBUG [3ced118c] – [services-dispatcher][pumpNext] pumpNext.executing (DiscoveryHandlerImpl::callOnAuthenticationFailedDiscoveryResultOnDispatcherThread)
    — 2014-04-15 00:27:54.777 DEBUG [3ced118c] – [service-discovery][callOnAuthenticationFailedDiscoveryResultOnDispatcherThread] Discovery has failed due to Authentication Failure for id 1000Calling Callback!
    — 2014-04-15 00:27:54.780 INFO [3ced118c] – [CSFServiceLocatorManager][onAuthenticationFailed:authenticatorId:] enter
    — 2014-04-15 00:27:54.780 WARNING [3ced118c] – [Login Time Check] discovery Authentication Failed.
    — 2014-04-15 00:27:54.781 DEBUG [3ced118c] – YLCSigninUIMgr showSigninError The username or password is not correct, or the user account is inactive.,withAction cxsignaction://senderrorproblem
    — 2014-04-15 00:27:54.799 DEBUG [3ced118c] – height:49.031998, createLabel.numberOfLines:1
    — 2014-04-15 00:27:54.803 DEBUG [3ced118c] – YLCSigninUIMgr enableUserInteraction YES
    — 2014-04-15 00:27:54.804 INFO [3ced118c] – [CSFServiceLocatorManager][onAuthenticationFailed:authenticatorId:] out
    — 2014-04-15 00:27:54.807 INFO [3ced118c] – [scoped-timer][pop]
    ** BEGIN TIMER TRACE **

    ASYNC FLOWS CAPTURED:
    DiscoveryHandler::Discover

    — Thread Id – 185552896 —
    00:00:00.000.009 + DiscoveryHandler::DiscoverImpl
    00:00:00.257.674 + ServiceDiscoveryHandler::Discover
    00:00:00.294.151 + ServiceDiscoveryHandler::determineIsWebexCustomerFromCache
    00:00:00.294.773 – ServiceDiscoveryHandler::determineIsWebexCustomerFromCache (00:00:00.000.622)
    00:00:00.294.794 + ServiceDiscoveryHandler::determineIsWebexCustomerFromCasLookup
    00:00:00.795.952 – ServiceDiscoveryHandler::determineIsWebexCustomerFromCasLookup (00:00:00.501.158)
    00:00:00.796.232 + ServiceDiscoveryHandler::makeUcm90BasedDiscovery
    00:00:00.796.523 + DnsEdgeServiceDiscoveryRequest::makeDiscoveryRequest
    00:00:00.797.561 + DnsEdgeServiceDiscoveryRequest::getDnsServiceInformationFromNetutils
    00:00:00.800.428 – DnsEdgeServiceDiscoveryRequest::getDnsServiceInformationFromNetutils (00:00:00.002.867)
    00:00:00.800.966 – DnsEdgeServiceDiscoveryRequest::makeDiscoveryRequest (00:00:00.004.443)
    00:00:00.800.991 + ServiceDiscoveryHandler::saveServiceDiscoveryResult
    00:00:00.801.008 + ServiceDiscoveryHandler::writeToCache
    00:00:00.803.529 – ServiceDiscoveryHandler::writeToCache (00:00:00.002.521)
    00:00:00.811.220 – ServiceDiscoveryHandler::saveServiceDiscoveryResult (00:00:00.010.229)
    00:00:07.008.991 – ServiceDiscoveryHandler::makeUcm90BasedDiscovery (00:00:06.212.759)
    00:00:07.011.803 – ServiceDiscoveryHandler::Discover (00:00:06.754.129)
    00:00:07.011.826 + DiscoveryHandler::evaluateServiceDiscoveryResult
    00:00:07.014.439 – DiscoveryHandler::evaluateServiceDiscoveryResult (00:00:00.002.613)
    00:00:07.014.450 – DiscoveryHandler::DiscoverImpl (00:00:07.014.441)

    — Thread Id – 1022169484 —
    00:00:00.0-1.-762 + DiscoveryHandler::Discover
    00:00:00.000.-41 – DiscoveryHandler::Discover (00:00:00.001.721)
    00:00:07.017.804 + DiscoveryHandler::callOnAuthenticationFailedDiscoveryResultOnDispatcherThread
    00:00:07.046.424 – DiscoveryHandler::callOnAuthenticationFailedDiscoveryResultOnDispatcherThread (00:00:00.028.620)

    ** END TIMER TRACE **
    — 2014-04-15 00:27:54.807 DEBUG [3ced118c] – [services-dispatcher][pumpNext] pumpNext.executed (DiscoveryHandlerImpl::callOnAuthenticationFailedDiscoveryResultOnDispatcherThread)
    — 2014-04-15 00:27:56.371 DEBUG [3ced118c] – -[MXSendProblemReport trySendProblemReportWithDelegate:crashReport:], canSendEmail= 1

  6. Thanks for the detailed information. This blog is quite informative and active. Please keep the information flowing.

  7. Hi,

    I can login in jabber via MRA but i dont have phone services(In the corporate networks it is works fine)

    any advice

    thanks

  8. Hi Mike,

    I am having a problem with my Jabber config on my vcs-c and vcs-e servers.

    Currently Jabber can register internally in full (IM and CUCM) using username@domain.name, no problems there. Externally, using the same username and domain I can only register to the IM. See from the vcs-e event log files the Jabber client tried to SIP REGISTER to 12345@1.2.3.4. Yes, it tries to register to an IP address and no the “domain.name”. The vcs-e server only has a search rule for domain.name pointing to the traversal zone. That is why it complains that 1.2.3.4 is an unknown domain.

    So, what is going wrong here? Is the Jabber client correct and should there be a 1.2.3.4 (which I cannot configure) search rule? Or should the Jabber client register to domain.name? Then where did it get the idea to register to an IP addresss?

    A third option could be: The TLS tunnel is not working between the Jabber client and the vcs-c because the vcs-e can see and react to the clear text SIP registration messages and the IP address in the REGISTER is just the assigned subscriber.

    Any help would be great, I do not have access or have experience with a working setup where I can compare behavior.

    Thanks,
    Danny

      • Your welcome. I preparing to deploy VCS-E for our remote users with Jabber. Working with Cisco on the design so once I complete my deployment and it’s placed into production, I’ll post my findings. This is a great blog Mike.

        -Frantz

  9. Hi Mike,

    Do you have any experience with collaboration edge together with Jabber Guest / Jabberc?

    kind regards

    Edwin

  10. Hello Mike, thanks for the blog.
    In case of a CUCM cluster with 4 servers, but only the first two have TFTP service and the other two are configured as UCM server to receive registrations. Do we need to add _cisco-uds SRV entries for all 4 servers? It is needed to add config lines at jabber-config.xml file to instruct which one to use?
    Thanks in advance.

  11. Hi Mike, how are you?

    First of all, very nice posting about Collab Edge.
    I’m preparing to deploy VCS-E and C and your post is giving me some real nice idea about this deployment.

    I would like to ask you about the Jabber-config.xml that you had to take of from the post. Do you mind in sharing the lines to config the xml?

    Thank you very much.

    Martin

  12. Hi Mike,

    We have Jabber MRA set up and it works well from the outside, but having the voiceservicedoamin in the jabber-config file breaks it internally.

    Our external and internal domains are different. I can see form the jabber logs the servicesdomain is our internal domain, and voiceservicedoamin our external domain. I can see in the logs that it has set the internal and external domain as the voiceservicedomain entry. Jabber is looks for _cisco-uds / _cuplogin files and fails internally as it is looking for _cisco-uds.tcp.EXTERNALDOAMIN.

    We only have our A record for expresswayE and SRV _collag-edge record in our external domain. I thought the service domain is what it used internally but this is not the case.

    When I remove voiceservicesdomain entry it start working again as it looks for _cisco-uds.tcp.INTERNALDOMAIN, which is set correctly.

    Any Ideas?

  13. Hello Mike,

    Thanks for your awesome guide! We’re deploying the Expressway solution for Remote Mobile Access and I feel we’re almost good to go. The traversal zones (using IP addresses) are active in both the ExpC and ExpE. The problem is that I can’t login from the Outside, it says that it could not find network services. While on the inside, everything works well.

    This is the deal:
    – internal domain: acme.corp (private)
    -external domain: acme.com.br (public)

    When I signin internally, I use user@acme.corp in the Jabber’s login screen and everything work fine! Without any other configuration I am able to login and call other directory numbers.

    When I try to signin externally, the user@acme.corp gives me a timeout, so I exchange it to user@acme.com.br and then after a few moments, I get the could not find services error message.

    Do I have to try both logins when on the inside/outside of the corporate network?

    I haven’t made any changes in the jabber-config.xml file. Is it necessary on version X8.1.1?

    I’m thinking about certificate problems, reading your guide I got a little confused on items 2 and 7 of this part:

    1)Generate CSR-> OK

    2)Add UC Domain (domain.com) and XMPP server information -> ??? Meaning the “Additional alternative names (comma separated)” and “Unified Communications domains” and “IM and Presence chat node aliases” right?

    In our deploy we don’t use FQDN for the CUCM, CUC and CUP services, we’re starting to use FQDN from the deploy of the Expressway solution. Anyways, the CUCM PUB is 192.168.40.100, CUCM SUB 192.168.40.101, CUC 192.168.40.102 and CUP 192.168.40.104. EXPC is 192.168.40.106 and EXPE (Single NIC, on a stick, without NAT) is 200.200.200.200(example).

    In the Outside: _collab-edge._tls.acme.com.br is SRV resolved to exp.acme.com.br 8443 -> OK!
    exp.acme.com.br is A resolved to 200.200.200.200 -> OK!
    In the Inside: _cisco-uds._tcp.acme.corp is SRV resolved to 192.168.40.100
    _cuplogin._tcp.acme.corp is SRV resolved to 192.168.40.104
    exp.acme.corp is A resolved to 192.168.40.106 -> OK!

    Generating the CSR on ExpC I get ‘conference-2-StandAloneClusterb7095.acme.corp’ auto-filled in the ‘IM and Presence Chat Node Aliases’.

    Generating the CSR on ExpE I get ‘exp.acme.corp’ auto-filled in the ‘Unified Communications domain’.

    How to proper fill these fields generating CSR? We’re using OpenSSL to act as CA and sign the CSRs.

    3)Download the CSR -> OK!
    4)Use the PEM file to get the certificate signed by the CA -> OK!
    5)Get the signed server PEM and the root/intermediate chain PEM back from the CA. -> OK!
    6)Upload the signed server cert to Expressway-E. -> OK!

    7)Follow the Webex instructions to break apart the CA-intermediate and root PEM into individual certs using Windows so that you can import them into the CA trusted cert list properly. -> ??? Could you write a little more on this please?

    8) Repeat this procedure for Expressway-C. -OK!

    Thank you in advance!

    Best regards, Daniel

    • Hi Daniel, did you resolve your issue? we are facing the same issue and we couldn’t find the real cause of the issue. Cisco TAC suggested that we should create a PTR record for the public IP.

  14. Hi Mike or anyone else that may could answer. I`m just installing Expressway-C & E and may have an issue. Where it says to go under Configuration/Domains not sure what domain to enter here as our external domain ex. acme.com is different than our internal ex. acme.int. Seems as though this could be a problem if today internally we authenticate to Ldap @ acme.int with Jabber and our voice services, but when you go outside you will be accessing expressways as acme.com. Any thoughts or ideas?

    • Hi Craig,

      As we have recently discovered, the internal/external FQDNs, as well as SSL certificate’s CN – all have to match for the Expressway-Edge to work properly. In my environment, the external FQDN was, say, collab-edge.domain.com, internal FQDN was expressway-e.domain.com and the SAN certificate had both FQDNs in it; however, the CN of the certificate was matching the internal FQDN and that prevented Expressway from working properly. Since we are using split-DNS, it was easier for me to change the A Record for the Expressway Edge in the Public DNS and update the SRV record to point to it. After doing just that, Jabber started to work externally without a hitch.

  15. Is it possible that a customized XMPP client running outside the corporate network is able to access IM/Presence server without VPN?

    Does collaboration edge make this possible or is it only possible when we use the latest Jabber clients from Cisco?

    • Normally you’d just NAT out your CUP/IM&P Server and open your firewall on 5222 (or preferably 5223 if the client supports SSL) if you’re using a generic XMPP client. Collab Edge MRA is going to require Jabber as the client. You can of course deploy Jabber for IM&P mode only and not have audio/video functionality.

  16. I blog quite often and I genuinely thank you for your information.
    Your article has really peaked my interest. I’m going to bookmark
    your site and keep checking for new information about once per week.
    I subscribed to your Feed too.

  17. What a great Write up.

    I have hit a major issue with deploying Jabber for Windows/Mac Mobile and Remote Access Services (MRA) using VCS. The issue has been raised with TAC as it is a show stopper for deploying VPNless Jabber Communications in a Non-Split Domain DNS environment and I believe this is a design flaw with the Jabber Client.

    See below for details.

    The customer has the following:
    • 5x CUCM, 1 Pub, 2x CTI Sub and 2x TFTP
    • 2x IM and P (CUP)
    • 2x VCS-C Clustered
    • 2x VCS-E Clustered
    • Single DNS Zone for Domain for both internal and external (Public) DNS lookups (Non-Split Domain DNS)

    Both internal and external DNS resolutions for @cisco.com.au (sip URI and SMTP) are provide by the Customer’s DNS Servers which are hosted at their Data Centres. They have a single DNS view where by both internal and external lookups hit the DNS Servers. The Single View means that if I lookup webserver.cisco.com.au from either an internal computer or an public computer it will resolve the same IP Address (public or private depending). The CUCM and CUP servers are internal IP Address 10.x.x.x servers which have SRV’s _cuplogin and _cisco-uds pointing to CTI Subs and CUP’s FQDNS which in turn lookup Internal Private IP’s. If I lookup from an external client to either of these records I will get the internal FQDN ip Addresses 10.x.x.x. This is known as NON-split horizon or NON-Split View DNZ where by both internal and external DNS looks for a domain share the same DNS table.

    Our issue is that we are looking up _cuplogin and _cisco-uds from an external client and getting a return result of an internal IP Address which the client fails to connect to from external. If we remove the records, it forces the jabber client to resolve the _collab SRV but the VCS-C requires the _CUP and _Cisco-uds SRV’s internally. One cannot work without the other.

    This is very common for large orgs and as a result Vendors must have a work around to compensate for this. Jabber Video (Movi) has a manual configuration entry for both internal and external hostnames so people could customise. Microsoft use SRV records but use a top down method of Internal SRV records first then external SRV records. IE _sipinternal .cisco.com.au and _sip.cisco.com.au. The client would try to establish a connection to _sipinternal IP address and if not successful it would try the external _sip. IP address however, this is not the case for the Jabber client which it really should be.

    Any thoughts on alternative methods around companies with Non-Split Domain DNS?

    • Very interesting. Is there any way to block the DNS requests for _cuplogin and _cisco-uds from coming in your network or prevent the response to go outside your network? Something maybe on the firewall you could do. I would be very interested to know how you get this working.

    • Only way to achieve is block the request for cuplogin and uds to go to internal servers when you are outside. this way jabber will fall to collab-edge.

    • We have a very similar environment to yours, Matt, and did precisely what Anson and Alok suggested. Dropped the dns requests for cisco-uds and cuplogin at the border and it works from off-site with the jabber client falling back to the edge expwy. I agree it’s a major design flaw with the Jabber client, but the firewall policy got us up and running *without* needing to implement split DNS (a contentious issue!).

  18. Having an issue getting my jabber csf phone registered to cucm (xmpp chat and all other features work great). The error i’m getting is registration rejected: unknown domain. I know the documentation called for a secure phone profile to be created and applied to the phone and for the name of the phone profile to be in the subject alternate name of the expressway-c server. I did that. Question – do I need to have my cucm cluster in mixed mode for it to be able to use the secure phone profile? do my call manager servers need to be added by dns name instead of ip address under “servers” in cucm? anything else I could be forgetting?

    • I didn’t deploy with security on the CUCM side. Generate an error report in Jabber and look at the error logs to make sure CUCM has a valid SIP domain and is handing off the correct server name to connect to. I’ve seen problems where the CUCM or CUP server don’t have a valid domain name and are just handing back to Jabber their hostname (w/o domain). Jabber doesn’t have a way to connect back to the servers.

  19. Hi Mike and Every one,

    I have installed and configured ExpressWay C and E and at the moment i am unable to get my jabber signed in from outside.

    i would appreciate if you could be of any assistance in this. i have also posted my scenario under here for the reference;
    https://supportforums.cisco.com/discussion/12200046/mobile-remote-access-expressway-inactive-jabber#comment-9837341

    I do have CUCM 10 and CM IM&P 10 with Expressway X8.1.1

    – Done with DNS SRV and A records for internal and External DNS and verified by nslookup.

    – We have deployed the ExpressWay E as in Router on stick in DMZ natted with Public IP

    – Configured ExpressWay C And E with TLS ON and certificates being uploaded and do have a Active status in Unified communication and Traversal zone.

    I am using Cisco Jabber 9.7 for Windows but when i am trying to sign in from outside I am getting an error, “cannot communicate with the server”

    Here I am kind of lost to where and which part needs to be checked or where to further dig into?

    Let me know if you guys need any more detail.

    • Check the expressway-E logs in Maintenence -> Diagnostic Logs.
      If you don’t find any significant information in logs from VCSe then is probably that you communication is not really getting in VCSe. Check your firewall and DNS Records.

    • Did you checked the logs generated on the jabber feedback (generate a report)?
      I have a similar problem and a have a SR opened on TAC to investigate. My problem is that after the jabber downloads the config file and identify all services, it try to reach the CUCM directly and not trough the Expressway and off course it cannot because the jabber is outside.

      The Jabber logs cann help you to identify at which point it fails.

      • Hi Sam and Martin

        Thank you for putting your time in;

        @Sam: Did you get any feedback on your case.?

        In Jabber logs I can see it tries to resolve cisco-uds and cuplogin SRV records but fails and then skip to _collab-edge._tls record which is fair enough as this should be the case while Jabber attempt outside the corporate network. But i am keep getting “cannot communicate with the server”

        @ Martin: Even though I have enabled level 2 and level 4 logging at ExpressWay E side but nothings comes in as it seems no traffic is able to reach yet.

        Few things, we would like to mention;

        For internal and External DNS A and SRV records have been created;

        Internal DNS
        A record for Exp C and E
        SRV record for _cisco-uds and _cuplogin

        External DNS
        A record for Exp E
        SRV record for _collab-edge._tls

        Before attempting to sign in from outside, we checked through nslookup and SRV record are resolvable.

        Just would like to emphasis here that we are running, CUCM v 10 ( cluster of 5 nodes ) and IM&P v 10 ( cluster of 4 nodes )

        So, here just confirm me as for _cisco-uds it should be pointing to which cucm server ( Publisher or subscriber ? )
        and for which server it should be for _cuplogin ?

    • FYI: May not be your specific problem but it is worth investigation. Your statement router on a stick in the DMZ leads me to believe you are configuring E with only one interface. I had mine E configured with only one interface at first but could not getting it working. I needed to configure the ASA with some sort of route reflector which seemed fairly complex. I then add the second interface on my E and configured accordingly and it was a much easier configuration to get working.

  20. Hi Muhamhus

    Well, everythig is appointing to a connection problem. Maybe your NAT is not properly configured. Are you sure you can reach the VCSe from outside your network? Are you redirecting all the ports needed to the VCSe?

    Just pointing to the publisher servers should be enough for now.

    • Hi Martin,

      Thanks for your response.

      Actually we can see in the Jabber logs that it is is trying with _cisco-uds and _cuplogin for resolving the DNS entry but failing and then it is looking for _collab-edge._tls which it should do as it is from outside.

      Also, I have checked through ‘nslookup’ on that remote pc, it can resolve to IP address of expressway E perfectly.

      The irony here is we can not see any kind of traffic coming towards the VCSe even on the firewall. It seems strange, we unable to form any kind of connection through.

      Any ideas what & where to look for ?

      • Another thing that I noticed while running wireshark on my laptop on my internet enabled interface, that there were no DNS query being made to SRV and the host record of expressway.

        Any clues ?

  21. Hi All,

    We have 2 expressway-E and 2 Expressway-C in our cluster and we are doing a fail-over testing.

    During failover testing we have observed that whenever any one of expressway-E server is down then jabber from internet will not be able to login into it. when both servers are up we will be able to login from internet.

    When we made Master down , we have observed below in event log of slave exp-E:

    2014-08-05T20:47:06+05:30 traffic_server[7649]: Event=”Sending HTTP error response” Status=”403″ Reason=”Forbidden” Dst-ip=”115.245.81.253″ Dst-port=”36767″ UTCTime=”2014-08-05 15:17:06,493″
    2014-08-05T20:35:26+05:30 traffic_server[7649]: Event=”Sending HTTP error response” Status=”403″ Reason=”Forbidden” Dst-ip=”115.245.81.253″ Dst-port=”39446″ UTCTime=”2014-08-05 15:05:26,106″
    2014-08-05T20:35:09+05:30 traffic_server[7649]: Event=”Sending HTTP error response” Status=”403″ Reason=”Forbidden” Dst-ip=”164.100.222.42″ Dst-port=”55961″ UTCTime=”2014-08-05 15:05:09,609″
    2014-08-05T20:35:09+05:30 traffic_server[7649]: Event=”Sending HTTP error response” Status=”403″ Reason=”Forbidden” Dst-ip=”164.100.222.42″ Dst-port=”55960″ UTCTime=”2014-08-05 15:05:09,502″

    When we make Slave down we get below errors in master Exp-E server when i am trying to login:

    2014-08-06T19:51:56+05:30 traffic_server[16142]: Event=”Sending HTTP error response” Status=”503″ Reason=”VCS expressway informationnot available” Dst-ip=”115.245.68.152″ Dst-port=”34593″ UTCTime=”2014-08-06 14:21:56,146″
    2014-08-06T19:51:54+05:30 traffic_server[16142]: Event=”Sending HTTP error response” Status=”503″ Reason=”VCS expressway informationnot available” Dst-ip=”115.245.68.152″ Dst-port=”2676″ UTCTime=”2014-08-06 14:21:54,507″
    2014-08-06T19:46:51+05:30 traffic_server[16142]: Event=”Sending HTTP error response” Status=”502″ Reason=”Next Hop Connection Failed” Dst-ip=”101.58.19.58″ Dst-port=”17559″ UTCTime=”2014-08-06 14:16:51,359″
    2014-08-06T19:46:50+05:30 traffic_server[16142]: Event=”Sending HTTP error response” Status=”502″ Reason=”Next Hop Connection Failed” Dst-ip=”101.58.19.58″ Dst-port=”37356″ UTCTime=”2014-08-06 14:16:50,205″
    2014-08-06T19:44:44+05:30 traffic_server[16142]: Event=”Sending HTTP error response” Status=”502″ Reason=”Next Hop Connection Failed” Dst-ip=”101.58.19.58″ Dst-port=”30566″ UTCTime=”2014-08-06 14:14:44,948″
    2014-08-06T19:44:43+05:30 traffic_server[16142]: Event=”Sending HTTP error response” Status=”502″ Reason=”Next Hop Connection Failed” Dst-ip=”101.58.19.58″ Dst-port=”25095″ UTCTime=”2014-08-06 14:14:43,269″
    2014-08-06T18:50:34+05:30 traffic_server[7642]: Event=”Sending HTTP error response” Status=”503″ Reason=”VCS expressway informationnot available” Dst-ip=”115.244.204.238″ Dst-port=”27898″ UTCTime=”2014-08-06 13:20:34,602″
    2014-08-06T18:50:33+05:30 traffic_server[7642]: Event=”Sending HTTP error response” Status=”503″ Reason=”VCS expressway informationnot available” Dst-ip=”115.244.204.238″ Dst-port=”31975″ UTCTime=”2014-08-06 13:20:33,190″
    2014-08-06T18:46:46+05:30 traffic_server[7642]: Event=”Sending HTTP error response” Status=”503″ Reason=”VCS expressway informationnot available” Dst-ip=”115.244.204.238″ Dst-port=”39551″ UTCTime=”2014-08-06 13:16:46,910″
    Expressway version : 8.1.1

    CUCM v: 10.5

    Jabber windows:9.7

  22. Hi Mike,

    Thanks for your detailed blog about Collaboration Edge (CE). For the last couple of days I’m busy with to configure CE. Internally, I can login but externally, I get an error that “no communication with server”. When I deliberately put a wrong password, I get an error message that with wrong username and password. The Services Discovery is also working because I’m getting the correct IM server information.

    I don’t know what can be the issue. I was thinking about Certificate issue. I have Certificates signed by external CA (CUCM and IM = Tomcat) and uploaded on both VCS nodes. I’ve uploaded the Root CA Certificate on CUCM and IM nodes. Is that correct or do I have to upload additional certificates on CUCM and IM nodes?

    I really appreciate your help.

    Thanks.

    Regards,

    Tweeling

    • hi,mike and tweeling:
      Thanks for your detailed blog.
      i also have this question:
      I can login but externally, I get an error that “no communication with server”. When I deliberately put a wrong password, I get an error message that with wrong username and password. The Services Discovery is also working because I’m getting the correct IM server information.

      task1: expressway core have one not active
      XCP Server connection: 192.168.99.13(edge) :Inactive Jabber is not running on remote host, if jabber is running then check password for r2r connection on connect

      task2:on cupm server have two servervice not running ok
      Cisco XCP Message Archiver and Cisco XCP Directory Service status Not Running ,activation status Activated

      taks 3:about ip or FQDN
      on my cucm system>server ,i use IP not for FQDN
      on my cups application>Legacy Client Settings,i use IP not for FQDN

      is this question? if i must change server list from ip to FQDN ?

      What is the need to pay attention to ?

      taks4:in my network
      i direct connect core and expressway use LAN1.
      inside-jabber pc and outside-jabber pc use diffrent DNS
      inside and outside dns or srv is ok.
      in my test,inside-jabber pc can login ok,
      outside-jabber pc can not login

      if test ok,we will put out-side dns server in internet ,and nat expressway-edge (which port?)
      or use lan2 connection internet (if we will add some route for lan1 and lan2 ?)
      i s can ok?

      thank you for your help.

  23. Hi Mike!

    I have a question, can I use jabber for only phone capabilities with expressway? I mean with no CUP installed?

    Bst regards!

  24. I am presently trying to install a VCS-C + E v8.2.1 in a network that has CUCM 10.5 & Unity Connection 10.5 without the installation of a CUP or IM&P server, but the documentation is enormous, and all over the place. Have six different large PDF documents for info with hundreds of pages each ? Is there no easy step by step for this ?

  25. MRA deployed successfully , i can login from both inside and out side but phone service is not working , IM is working perfect .

    • From inside your phone services are working good?
      I this problem, but in my case was the firewall, from Internet do DMZ. You have to make sure that all ports are correctly configured.

      • Hi Martin,

        Do you have a SIP Trunk between the VCS-C and the CUCM? If so, please change the Port on the SIP Profile for that Trunk from 5060 to something else. Maybe 5065.

      • Internal i can resolve Srv record, and inside phone service is working good . All port is opened from internet to DMZ, for your info , TLS verification is off for CUCM and IM&PRESENCE. When adding CUCM by name , record is not creating in VCS but if i do it by IP record is creating .

      • AND WE HAVE different domain in internal and external , so configured both domain in VCS , under domain tab

    • If you have a SIP Trunk between the VCS-C/Expressway-C and the CUCM, please change the port for that Trunk in the SIP Profile from 5060 to something else, maybe 5065. Save and try again.

      • For MRA SIP TRUNK IS NOT REQUIRED , SO ITS NOT CONFIGURED .

        SEARCH RULE IS NOT CONFIGURED IN VCS IS IT EFFECT THE REGISTRATION OF SOFTPHONE

    • You do not need a SIP Trunk or search rules with MRA. I mentioned just in case you had one for call routing between endpoints registered to the VCS and endpoints registered to CUCM.

      • I have some doubt regarding certificate creation in VCS Control and CUCM , I had created certificate using Microsft CA ,
        Created certificate for Tom Cat and Call manager and also uploaded VCS Control and Root Certificate to Trust .

        VCS Control
        Subject: C=BH, ST=MANAMA, L=MANAMA, O=ALMAHROOS, OU=IT, CN=exp.srngroups.com

        X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Subject Alternative Name:
        DNS:exp.srngroups.com, DNS:conference-2-StandAloneCluster873ff.mahroos.com, DNS:conference-3-StandAloneCluster873ff

        and in VCS Trust i had added certificate of callmanager and tomcat. but while adding CUCM its showing TLS validation failed , when am adding CUCM with out TLS verification ,its show lookup successful but no entry is show . while adding IP its working

      • My issue got resolved , now the issue is INBOUND TLS NEGOTIATION FAILURE FOR SIP PHONE ( Hope it will be resolved by adding secure device profile)

      • We had the same issue where the phone services wouldn’t connect but everything else was fine. TAC pointed us to our firewall rules for TLS. Turned out in our Checkpoint firewalls there was a policy that was manipulating SIP TLS traffic and it just had to be set to not change the traffic/port.

  26. SOME MISTAKE IN ABOVE COMMENT

    I have some doubt regarding certificate creation in VCS Control and CUCM , I had created certificate using Microsft CA ,
    Created certificate for Tom Cat and Call manager and also uploaded VCS Control and Root Certificate to Trust .
    Call Manager and VCS domain : mahroos.com

    VCS Control
    Subject: C=BH, ST=MANAMA, L=MANAMA, O=ALMAHROOS, OU=IT, CN=exp.mahroos.com
    X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Subject Alternative Name:
    DNS:exp.mahroos.com, DNS:conference-2-StandAloneCluster873ff.mahroos.com, DNS:conference-3-StandAloneCluster873ff

    and in VCS Trust i had added certificate of callmanager and tomcat. but while adding CUCM its showing TLS validation failed , when am adding CUCM with out TLS verification ,its show lookup successful but no entry is show . while adding IP its working

    • Diljith,

      Make sure you replace the CUCM self signed cert with the signed cert from the CA. I was getting the exact same error until I replaced it.

      1. Make sure you upload the CA root cert first
      2 upload your tomcat and cucm trust certs
      3 replace the self signed certs with the same certs you used for the trust cert upload.

      • Im not an expert in the error messages but I can pass on what I did to make mine work. make sure you are using FQDN as zone peer addresses instead of IP addresses and that peer name is a CN or SAN in your cert.

        on the VCS do you have client and server EKU certs installed from the same root CA that you provided certs to CUCM? Also use the same certificate template in your certificate auth to produce all certs

        I actually followed the vcs certificate creation and use deployment guide and used the microsoft CA as a cert provider.
        once all the certs were issued and installed ( both Root CA and signed certs [yes tomcat and cucm trust had different certs]) and then replaced the self signed certs for cucm. I followed theCisco TelePresence Cisco UnifiedCommunications Manager with Cisco VCS (SIP Trunk) guide. in CUCM SIP security profile the x.509 filed has to have all the same CN and SAN information as the cert.

        Once I did this it all worked, if you are still having issues I can provide some screen shots but the biggest thing is to make sure you have your certs issued properly with the correct CN, SAN and EKU.

  27. Diljith,

    I have a question for you. you said you were able to create an SSL cert for the expressway with both internal and external domains in the cert. What certification provider did you use to do this. Im using godaddy and get errors when trying to create a cert with a CN of the external and a SAN of a internal domain ( for call manager registrations).

    • IN MY CASE I HAD USED MICROSOFT CA , As a i contacted Cisco for TAC , they told its feature preview and TAC support will be after 3 months . So i thought its better to go with Microsoft CA

      • Nick L

        Thanks for briefing the concept. I doubt the issue with SIP Security profile . I am running CUCM 9.1(2) and can you brief me how i can change call manager to Mixed security mode.

  28. Pingback: Fix Cisco Webex Error 104 Windows XP, Vista, 7, 8 [Solved]
  29. Forgive me for being Naive with cisco stuff here but could a ASA do the job of the expressway. Say set up a A record with an external DNS provider that matches your internal DNS record and then just set up the ASA to NAT the external IP to the internal CUCM server. Obviously the big concern here would be security, but could this be address by only passing certain port connection through? Maybe add SIP Digest Authentication in also?
    So it would work like this someone inside the network would connect to sonso.sonso.com internally and when they are externally it would look that dns record up point to the asa and be routed to the cucm server.

  30. I will try to work left to right on my configuration
    Left:
    CUCM Pub and 2 Subs 9.1
    domain name configured
    internal FQDN certificate
    *problem no DNS client with IP defined CUCM cluster members

    CUPS 9.1 with DNS client and internal FQDN certificate

    VCS C is connected to CUCM and CUPS with TLS

    middle:
    VCS C LAN1 on subnet A internal certificate
    VCS C is connected to VCS E via LAN1 interfaces with TLS
    VCS E LAN1 on subnet A with certificate subject alternative name

    right:
    VCS E LAN2 set to external with default gateway on subnet B
    LAN2 static NAT configured
    firewall inside on subnet B
    firewall outside with static NAT no NAT reflection

    The internal and external DNS zones share the same domain name but are isolated from each other. The internal and external SRV records are in place.
    Inbound calls work from iPhone and PC client.
    Chat and Visual Voicemail work.

    Outbound calls do not work with incomplete signaling as symptom.

    It is obvious that inbound calls present less of an addressing problem than outbound calls do.

    I see reference to NAT reflection in the configuration guides.
    I know that no DNS client on phone system is an old practice that I can not correct with this version.

    Is there an obvious flaw with this setup that prevents outbound calls?
    If so, is there a correct left to right SIP address sequence that I should see in debugs?

    Is NAT reflection required?

    What part in the addressing does the NAT reflection portion play in ensuring correct addressess to complete calls?

    • I reverted my Expressway E to single interface and established a static NAT between subnet A and subnet B for the Expressway global internet address. The result is that the Controller establishes the traversal zone with the Expressway global internet address. I can dial inbound and outbound to my shared line now with the Expressway. The Cisco documents need to dictate valid network topologies vs. presenting 3 or four scenarios when all scenarios do not work. The SIP signaling is secure and can not be altered by the devices in the path.

      My expressway FQDN resolves to the global internet address in both internal and external DNS.

      Your deployment must be built so that the VCS Controller establishes the Traversal Zone with the VCS Expressway global internet address.

      George Paxson

  31. Hi Mike,

    I’m making Expressway-C/E Cluster, My concern is related to DNS Hostname and SRV Record on the External ISP DNS .So for example I have expe01.company.com (10.1.1.1) ,expe02.company.com (10.1.1.2) and cluster-expe.company.com (10.1.1.1 & 10.1.1.2) which are added to the External DNS, the Natting of the Public IP Address (82.5.5.5) should be mapped to which FQDN of the three?.

    Also the DNS SRV Record on External DNS should be added to the three FQDNs above or the cluster FQDN only?

  32. Hi ,

    I have doubt in Certificate part ,

    if we are going for Public Certificate ie from godaddy , we want to purchase UCC certificate , and also did we need to buy for both VCS E and VCS C

  33. Hi Mike,

    Thanks for this information. I’ve been doing some reading, several documents, and some searching and can’t seem to find an answer to my question.

    I’d like to consider a Jabber for Everyone deployment, which means a potentially large number of users, north of 20 K. This made me ponder whether or not I should be using private or public IP addressing for my imp servers. I understand that MRA resolves this issue for Jabber in a UC deployment, but what about IM only? Will MRA resolve this as well? My concerns include:

    – does expressway support third party xmpp clients?
    – does expressway support jabber for everyone? (im only)
    – does expressway scale to the possibly 25,000 IM only users I might have?
    – expressway does not support all the on premise features, like file transfer
    – no real details on how to deploy presence server on public IP but still use expressway for UC

    What are your thoughts?

  34. Hi Mike
    Thanks for this information.

    I do not understand what you mean by the intermediate CA.

    I create certificates with openssl based on the following documents

    https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5.pdf

    openssl genrsa -aes256 -out ccakey.pem 2048
    openssl req -new -x509 -days 3650 -key ccakey.pem -config openssl_local.cfg -sha1 -extensions v3_ca -out ccacert.pem
    openssl ca -config openssl_local.cfg -cert ccacert.pem -keyfile ccakey.pem -in expreswayC.csr -out certificate.example.com -md sha1

    To develop MRA (mobile Remote Access) How many certificates are up altogether?

    Expressway C:
    1.- generate CSR
    2.- download CSR
    3.- Sent CSR to CA (openssl)
    4.- upload signed certificates (.pem) (Maintanance – Security Certificates – Server certificate)
    5.- Upload CA Certificate (Maintanance – Security Certificates – Trusted CA Certificates)
    6.- restart

    Expressway E:
    1.- generate CSR
    2.- download CSR
    3.- Sent CSR to CA (openssl)
    4.- upload signed certificates (.pem) (Maintanance – Security Certificates – Server certificate)
    5.-Upload CA Certificate (Maintanance – Security Certificates – Trusted CA Certificates)
    6.- restart

    Download the tomcat certificates CUCM and CUPS and then went up to the expressway’s (C and E)

    Sends me this error when creating the area between the expressway cye

    SIP: Failed to connect to X.X.X.X:7001 : TLS negotiation failure (X.X.X.X = ip address)
    Check the certificates for the traversal connection

    Secure traversal test
    FQDN of Expressway-E: expreswayE.example.com
    TLS verify name of this Expressway-C (as it appears on the Expressway-E): expreswayc.example.com

    Results:
    Description The Expressway-E cannot verify the CA ‘expresswayC.example.com’, which signed the Expressway-C’s certificate
    Action Check that this CA is in the Expressway-E’s trusted CA list.

    missing more certificates ??

    Regards.

  35. Pingback: ExpressWay DMZ and NAT Design Considerations | afterthenumber
  36. hi Mike,

    how much to buy CA certificates for VCS-E and VCS-C for Jabber MRA from GoDaddy ?

    and which option to choose there, do you have the link?

    tks,
    J

  37. hi Mike,

    how much is the certificate of GoDaddy for Jabber MRA (VCS-E ,VCS-C) ? do I need for UCM and UNity?

    do you have the link ,what option to choose or buy when order certificate from Godaddy?

    tks,
    J

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s