Update
Collab Edge is now supported. The official Mobile-Remote-Access-via-Expressway-Deployment-Guide is located here.
I’m updating this document to reflect changes made in Expressway-C/E 8.1 that make importing the certificates MUCH easier.
Introduction
This document explains how to deploy Collaboration Edge with on-prem presence (IM&P/CUP) on a non-redundant set of Expressway-E and C VMs. Deploying with WebEx Messenger is not covered here, but the bulk of the configuration is the same as far as the Expressway piece.
The biggest challenge in the initial deployment was finding all of the necessary documentation! Things you need to know like certificate chaining, or OpenSSL are in various docs. I’ve linked all of the documents that I used and tried to summarize things to make it quicker to deploy.
What you’ll need to deploy Collaboration Edge today:
- CUCM 9.1(2)+
- IM&P (CUP) 9.1+
- VCS or “Expressway” X8.1.1+
- A Collaboration Edge enabled Jabber client: Cisco Jabber for Windows 9.7+, Cisco Jabber for iOS 9.6, Jabber for Android 9.6+ or Cisco Jabber for Mac 9.6+
- Updated jabber-config.xml on CUCM with RemoteAccess turned on (This is no longer required for Jabber 9.6+)
- Two certificates (one for VCS-E, another for VCS-C) – either signed by your own CA (OpenSSL or similar) or publicly signed certs from GoDaddy, Verisign, etc.
A few notes about nomenclature:
Collaboration Edge is the architecture umbrella term for the VCS/Expressway edge proxy for CUCM-registered clients (Jabber and TC7.0 TP units). It’s commonly used to refer to the Jabber piece of it, but will support endpoints too. (The DX650 will support Collaboration Edge in a future release of firmware. Traditional IP phones will not be supported, they will use VPN Phone or CUBE lineside proxy.)
Mobile and Remote Access (MRA) is the term used in VCS/Expressway documentation for the VPN-less Jabber (and CUCM-registered TC7.0 endpoint) proxy feature.
Cisco Expressway-Edge is the same software as VCS-Expressway, just packaged for CUCM-registered endpoints. Expressway-Edge is a VCS-Expressway that is deployed as a Mobile and Remote Access proxy or for traversal calls for CUCM-registered endpoints. There is a license file that actually changes the title to say “Expressway-E” when it is loaded. In the rest of the document, I will refer to VCS-Expressway, VCS-E, Expressway-Edge and Expressway-E as Expressway-E since we are primarily talking about MRA.
Expressway-Core is the same story. It is VCS-Control software deployed as an MRA proxy only with the Expressway-C license loaded. We call it VCS-Control when it is licensed for device registration, non-traversal calls, FindMe, and other features like Lync interop. For purposes of this document I’ll call it the Expressway-C below.
Customers with a valid UCSS contract for UCL-Enhanced, CUWL-STD, or CUWL-PRO are entitled to Expressway-Edge and Expressway-Core for free (for MRA) and their license will reflect the Expressway names. Licenses are charged for the other VCS features mentioned above. Licenses are required and have a cost for B2B/B2C (Jabber Guest) calls through Expressway-C/E; each box requires one media session license to get a session through.
VCS-C and VCS-E can have the MRA features turned on and run on a pair and do both functions. We are still awaiting clarification as to when you must break these apart and run a separate set of VCS (for B2B, interop) and Expressway (for MRA) servers. (Update: VCS is supported for limited sized deployments.)
Expressway licenses should be orderable via PUT, or you can use your existing VCS servers by upgrading to X8.1. (Update: I posted a later post that discusses what to order.)
Prepare CUCM for MRA
1) Create an AXL user if you don’t already have one on CUCM and IM&P. There’s a good guide here –http://www.uplinx.com/cleanuptool/userguide/index.htm#page=Enable_AXL_on_CUCM.htm
2) Decide whether to deploy CA-signed certificates on CUCM, IM&P and CUC. You will likely want to do this independent of Collaboration Edge, since current Jabber clients no longer trust self-signed certificates and will throw an Invalid Certificate warning at login; with a trusted certificate there is nothing for the user to accept. Granted, the warning is only shown once, on the very first login, if the user accepts it, but it has to be accepted on every client, and users who are trained to click through certificate warnings are exactly what a man-in-the-middle needs. If you do put certificates on those components, get the longest term your CA will issue so you aren’t dealing with renewals in a year (publicly trusted CAs now cap validity at roughly 13 months, so a multi-year term is only possible from an internal CA).
Directory Lookup Considerations
MRA only supports UDS for directory lookup. Inside the network Jabber can use LDAP (EDI/BDI); over MRA it must use UDS on CUCM, because Expressway-C proxies only the HTTPS services on its allow list and does not proxy LDAP.
Jabber-config.xml Update for 9.6 clients
Update: This section is no longer required, as current versions of the clients (Win 9.7, iOS 9.6.1, Android 9.6, OS X 9.6) do MRA by default, which removes the need to pull the jabber-config.xml file first (except in the case of split internal/external domains).
CUCM UC Service Profiles
Make sure that you’ve configured CUCM UC Service Profiles (this should have been done as part of your initial IM&P/CUP deployment and won’t be covered here) and assigned them to the end users.
Deploy Expressway OVAs
For new installations, you’ll need to download and deploy OVAs – http://www.cisco.com/en/US/docs/voice_ip_comm/expressway/install_guide/Cisco-Expressway-Virtual-Machine-Install-Guide-X8-1.pdf – See my previous post about upgrading to X8.1 if you’ve already got VCS installed – here
Recall there is a single OVA that does both Expressway-E/C and VCS-E/C that you need to deploy — it’s just a matter of how you configure and license (request via PUT as mentioned above) it as to what it is called. Download the OVA from Cisco here
You’ll deploy the Expressway-C on your internal network (presumably on the same VLAN as CUCM and other UC components) e.g. 10.10.1.30
You’ll deploy Expressway-E one of two ways. Either on a stick in your DMZ (perhaps 10.99.99.30), or two-legged with the external interface in the DMZ network (e.g. 10.99.99.30 – or on your public address space), and the internal interface on the internal network (presumably on the same VLAN as Expressway-C and other UC components – e.g. 10.10.1.31).
You’ll need to trunk your DMZ to your ESXi host if you haven’t, or figure out how to deal with getting the Expressway-E external (LAN2) interface in the DMZ network.
Once the VMs are deployed, edit the Expressway-E VM settings to put LAN2 in the DMZ network (alternately you can put LAN2 on the inside and LAN1 in the DMZ). If you don’t see options for the second NIC, or options for NAT, you are missing the Advanced Networking license. You need it in order to go two-legged or to do NAT.
Firewall Configuration
I don’t know how long I wasted on my first install because I forgot to modify the ACL to include the additional ports that MRA requires. I just assumed that because VCS was working for B2B it would work for MRA. Not the case!
You’ll need to configure NAT on your firewall from a public IP address outside your network to the DMZ address of Expressway-E, or do 1:1 public to your DMZ if you’ve deployed it with a public address.
Look at p.258 of the Expressway Admin Guide for a concise list of ports.
A couple notes about DNS records
You will need two DNS views (split-horizon DNS) for MRA to function properly: an internal server that answers clients on the LAN, and an external, public-facing zone. Jabber decides whether it is inside or outside the network by which SRV records it can resolve, and depending on which records resolve it will either connect directly to CUCM/IM&P or use MRA. That means the internal records must not be resolvable from the Internet (an outside client that can resolve them will try a direct connection and never fall back to MRA), and the public zone should carry nothing beyond what Expressway-E needs.
Internal DNS Server
Create two A records:
- sjc-expressway-edge-01.domain.com A – (make this name whatever you want) Pointing to the INSIDE interface of Expressway-E for two-legged deployments, or to the DMZ address if it’s on a stick. Expressway-C uses this name to reach Expressway-E and validates the Expressway-E certificate against it, so the name must appear on that certificate. Use this hostname anywhere you are asked for the Expressway-E server’s name when configuring the C server.
- sjc-expressway-core-01.domain.com A – (any name you want) Pointing to Expressway-C.
Create two SRV records:
- _cisco-uds._tcp.domain.com SRV 0 0 port 8443 – Pointing to CUCM. (NOT IM&P!)
- _cuplogin._tcp.domain.com SRV 0 0 port 8443 – Pointing to IM&P (TBD if this is really required for Jabber 9.6 with IM&P 9.1 – I don’t believe it actually is)
When you launch Jabber, if it can resolve these DNS records, it knows it’s inside and pulls the service profile directly from CUCM and logs in to IM&P and CUCM.
External DNS Server
Create one A record:
- sjc-expressway-edge-01.domain.com A – (any name you want) Pointing to the public address assigned (or NATted) to your Expressway-E.
Create one SRV record:
- _collab-edge._tls.domain.com SRV 0 0 8443 – Pointing to Expressway-E (in our case sjc-expressway-edge-01.domain.com)
Configure Expressway-Edge and Expressway-Core
Follow this chapter of the Expressway Admin Guide – Mobile and Remote Access (feature preview) beginning at p.52 but stop half-way down p.56 (before the beginning of the Certificates section).
A couple of notes: I did not enable TLS verify mode on my CUCM and IM&P server definitions because I just wanted to get it up and running. I’m suggesting putting real certs on CUCM, IM&P, and CUC, and turning TLS verify on, but this can be done later.
The admin guide is located here (p.52-56):
Certificates
Valid CA-signed certificates are required to setup the traversal zone for MRA. You can either get public ones, or sign your own with your own CA. I’ve done it both ways. The major reason for a valid trusted CA-signed certificate is to stop Jabber from throwing a certificate warning on the initial MRA login to Expressway-E itself. I highly recommend deploying a publicly trusted CA signed certificate.
Update: This is fixed in Expressway 8.1.1. Ignore the section below:
Deprecated instructions for VCS 7.x: The best document out there is this WebEx enabled Telepresence VCS Config document that describes how to chain up the intermediate cert properly here – http://www.cisco.com/en/US/docs/telepresence/infrastructure/tms/config_guide/webex_enabled_telepresence/cts_webex_vcse_cert.html
When importing the CA trusted certs, the key is to make sure the intermediate cert appears in the CA trust list ABOVE the root cert.
Expressway 8.1 Certificates
You will need a specific type of certificate: a multi-SAN (subject alternative names) certificate, also called a UCC certificate.
The Expressway-C CSR will be generated with SANs for the IM&P and CUCM servers.
Expressway-E needs only its own name and the UC domain as SANs.
See the Expressway Certificate Guide for detailed information.
For Expressway-E follow this basic flow:
- Generate CSR
- Add UC Domain (domain.com) and XMPP server information
- Download the CSR
- Upload the CSR file to the CA to get the certificate signed
- Get the signed server PEM and the root/intermediate chain PEM back from the CA.
- Upload the signed server cert to Expressway-E under Maintenance | Security Certificates | Server Certificate
- Break apart the CA-intermediate-root certificates into individual PEMs for import – See the WebEX instruction for VCS 8.1 to learn how to do this.
- Import them into the Trusted CA certificate list, found under Maintenance | Security Certificates | Trusted CA Certificates: the top-level cert (“CA”), then the root cert, then the intermediate cert
- Reboot to make them active.
Follow the Webex instructions to break apart the CA-intermediate and root PEM into individual certs using Windows so that you can import them into the CA trusted cert list properly.
Repeat this procedure for Expressway-C.
For the customers I’ve worked with using GoDaddy certificates, I’ve dealt with four certificates: Go Daddy Class 2 CA; Go Daddy Root Certificate Authority – G2; Go Daddy Secure Certificate Authority – G2; and the server certificate itself.
I used Chrome on Windows to export the three Go Daddy certificates individually to Base 64 .PEM and then loaded them into the Expressway-E/C trusted CA list. This worked perfectly for me after loading and rebooting the servers. The UC traversal zones came right up.
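The step above (pulling the root and intermediate certificates apart so each can be uploaded to the trusted CA list on its own) can be done from the bundle file the CA hands back instead of through a Windows certificate viewer. The following is an added example, not code from the original post or from Cisco: it splits a PEM bundle into one file per certificate and refuses any block that is not valid base64 or does not decode to a DER SEQUENCE, so a truncated or mangled download is caught before you reboot the box. The sample bundle at the bottom is constructed and contains no real certificates.

```python
"""Split a CA bundle (root + intermediates in one PEM file) into one PEM per cert."""
import base64
import binascii
import re
from pathlib import Path

# One certificate block; text between blocks ("subject=..." lines, "Bag Attributes"
# from a PKCS#12 export, stray whitespace) is ignored by the finditer() below.
_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def split_pem_bundle(bundle: str) -> list:
    """Return each certificate as its own normalised PEM string, in bundle order.

    A block whose body is not valid base64, or does not decode to a DER
    SEQUENCE (tag 0x30, which every X.509 certificate starts with), raises
    ValueError instead of silently being written out.
    """
    certs = []
    for n, match in enumerate(_CERT_BLOCK.finditer(bundle), start=1):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate {n}: body is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"certificate {n}: decoded data is not a DER SEQUENCE")
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]   # canonical 64-char wrap
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    if not certs:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return certs


def write_split(bundle: str, outdir, prefix: str = "ca") -> list:
    """Write ca-1.pem, ca-2.pem, ... and return the paths.

    Bundle order is preserved, not reordered: CA downloads are not always
    leaf-to-root, so check subject/issuer before deciding upload order.
    """
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, pem in enumerate(split_pem_bundle(bundle), start=1):
        path = outdir / f"{prefix}-{n}.pem"
        path.write_text(pem)
        paths.append(path)
    return paths


def _fake_cert(payload: bytes) -> str:
    """Constructed stand-in: a minimal DER SEQUENCE wrapping payload.
    It is NOT a certificate, only enough structure to exercise the checks."""
    der = b"\x30" + bytes([len(payload)]) + payload
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode("ascii")
            + "\n-----END CERTIFICATE-----\n")


# Constructed bundle in the shape a CA download usually has (comment lines between blocks).
SAMPLE_BUNDLE = (
    "subject=/CN=Go Daddy Root Certificate Authority - G2\n" + _fake_cert(b"root")
    + "subject=/CN=Go Daddy Secure Certificate Authority - G2\n" + _fake_cert(b"intermediate")
)

if __name__ == "__main__":
    for pem in split_pem_bundle(SAMPLE_BUNDLE):
        print(pem)
```

Run it against the real bundle with `write_split(Path("gd_bundle.crt").read_text(), "out")` and upload the resulting files one at a time; the validation is there because the Expressway UI gives little feedback when a pasted block is corrupt, and the failure only shows up later as a traversal zone that never goes active.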
Sign your own using OpenSSL if you’d like
If you want to use OpenSSL to create your own CA cert and sign your CSR, it is actually easier than you’d think.
Start at the bottom of p.13 of the Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf.
You’ll follow the procedure twice. Once for Expressway-E and once for Expressway-C. Take the CA root cert that you generated and import it into the trusted list on both boxes, and then import your signed server cert on the appropriate box.
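Here is that procedure carried through end to end, as an added example that is not code from the original post or from Cisco: it drives the openssl CLI to create a lab CA, generate a key and CSR for each Expressway, sign the CSRs while adding the subjectAltName entries described above (the Expressway-E name plus the UC domain; the Expressway-C name plus its CUCM and IM&P nodes), and then verify that each leaf chains to the CA. Hostnames are the post’s examples; the CUCM and IM&P names in the Expressway-C SAN list are assumptions. It needs the openssl binary (1.1.1 or 3.x), writes keys unencrypted into a temporary directory, and is for a lab, not for a production CA.

```python
"""Lab CA with the openssl CLI: sign Expressway-E and Expressway-C server certs."""
from __future__ import annotations

import shutil
import subprocess
import tempfile
from pathlib import Path

# Self-contained req config so the run does not depend on the system openssl.cnf.
REQ_CONFIG = """\
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
"""


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def _openssl(workdir: Path, *args: str) -> str:
    """Run one openssl command inside workdir; raise CalledProcessError on failure."""
    result = subprocess.run(["openssl", *args], cwd=workdir, check=True,
                            capture_output=True, text=True)
    return result.stdout


def make_lab_ca(workdir: Path, cn: str = "Lab Root CA") -> Path:
    """Self-signed CA (ca.key / ca.pem). ca.pem is what goes in the trusted CA list."""
    (workdir / "req.cnf").write_text(REQ_CONFIG)
    _openssl(workdir, "req", "-config", "req.cnf", "-x509", "-newkey", "rsa:2048",
             "-nodes", "-sha256", "-days", "3650", "-subj", f"/CN={cn}",
             "-keyout", "ca.key", "-out", "ca.pem")
    return workdir / "ca.pem"


def sign_server_cert(workdir: Path, name: str, fqdn: str, sans: list[str],
                     days: int = 825) -> Path:
    """Key + CSR for fqdn, then a CA-signed certificate carrying the given SANs."""
    _openssl(workdir, "req", "-config", "req.cnf", "-new", "-newkey", "rsa:2048",
             "-nodes", "-sha256", "-subj", f"/CN={fqdn}",
             "-keyout", f"{name}.key", "-out", f"{name}.csr")
    # Extensions are applied at signing time: the SAN list, plus both EKUs because
    # Expressway-C and Expressway-E authenticate each other on the traversal zone.
    (workdir / f"{name}.ext").write_text(
        "subjectAltName=" + ",".join(f"DNS:{s}" for s in sans) + "\n"
        "extendedKeyUsage=serverAuth,clientAuth\n"
        "keyUsage=digitalSignature,keyEncipherment\n"
        "basicConstraints=CA:FALSE\n")
    _openssl(workdir, "x509", "-req", "-sha256", "-days", str(days),
             "-in", f"{name}.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
             "-CAcreateserial", "-extfile", f"{name}.ext", "-out", f"{name}.pem")
    return workdir / f"{name}.pem"


def cert_sans(cert: Path) -> list[str]:
    """DNS names from the certificate's subjectAltName, in certificate order."""
    text = _openssl(cert.parent, "x509", "-in", cert.name, "-noout", "-text")
    names: list[str] = []
    for line in text.splitlines():
        if "DNS:" in line:
            names += [p.strip()[4:] for p in line.split(",") if p.strip().startswith("DNS:")]
    return names


def verify_chain(ca: Path, cert: Path) -> bool:
    """True when the leaf chains to ca.pem, which is what the traversal zone needs."""
    proc = subprocess.run(["openssl", "verify", "-CAfile", ca.name, cert.name],
                          cwd=ca.parent, capture_output=True, text=True)
    return proc.returncode == 0 and proc.stdout.strip().endswith(": OK")


def build_lab_pki(domain: str = "domain.com") -> dict:
    """Issue both Expressway certificates from a fresh lab CA and report on them."""
    with tempfile.TemporaryDirectory() as tmp:
        wd = Path(tmp)
        ca = make_lab_ca(wd)
        edge_fqdn = f"sjc-expressway-edge-01.{domain}"
        core_fqdn = f"sjc-expressway-core-01.{domain}"
        # Expressway-E: its own name and the UC domain only.
        edge = sign_server_cert(wd, "expressway-e", edge_fqdn, [edge_fqdn, domain])
        # Expressway-C: its own name plus the CUCM and IM&P nodes (assumed hostnames).
        core = sign_server_cert(wd, "expressway-c", core_fqdn,
                                [core_fqdn, f"cucm-pub.{domain}", f"imp-01.{domain}"])
        return {
            "edge_sans": cert_sans(edge),
            "core_sans": cert_sans(core),
            "edge_verified": verify_chain(ca, edge),
            "core_verified": verify_chain(ca, core),
            "ca_pem": ca.read_text(),   # import on BOTH boxes; server certs go to their own box
        }


if __name__ == "__main__":
    for key, value in build_lab_pki().items():
        print(key, "(PEM omitted)" if key == "ca_pem" else value)
```

The `verify_chain` call is the check to run before touching the Expressway UI: if it fails here, the traversal zone will fail the same way, only with less useful error text. For real use, keep the generated keys out of the temporary directory and protect ca.key, since anyone holding it can mint a certificate that both Expressways will trust.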
Traversal Zone Configuration
Resume the configuration tasks in the Admin guide on p.58 making sure to put the proper settings for both Expressway-E and Expressway-C.
If your certificates are good, you will see the traversal zone go active on both servers under Status | Unified Communications. If not, double-check your configuration settings, and double-check your certificates.
Troubleshooting Zone Configuration
If the zone won’t go active and you think it looks good, check the logs to see what is happening. My initial attempt where the certificates were not chained properly showed a continuous loop of TLS failures. When I had my Expressway-C pointing to the external public address instead of the inside interface of Expressway-E, TLS looked good and even the SSH tunnel showed “up” but traffic wasn’t actually flowing.
The best place I found to troubleshoot this stuff was by putting the Expressway-C and E in “Devel mode” to enable the Experimental menu. (Instructions for this are found on p.207 of the admin guide.) The reason for this is because the CollabEdge/MRA feature is still considered experimental. You need to look at the Developer Logs. You can enable them for debug level as well as collect a tcpdump.
HTTP Whitelisting
Make sure to add Unity Connection and any other servers that Jabber needs to reach over HTTPS; Unity Connection requires it for Visual Voicemail to work. Expressway-C only proxies HTTP requests to hosts on this allow list (the CUCM and IM&P nodes are added automatically from the Unified Communications configuration), so the list is also the boundary of which internal web services are reachable from the Internet through Expressway-E: add the servers Jabber actually uses and nothing else.
Launch Jabber 9.6 internally
Update: No longer required unless you are doing separate internal and external domains. (I’ll detail this in a later post.)
Launch Jabber on a client device on the inside network (so that it has direct access to CUCM/IM&P). When you enter your email address, Jabber should automatically discover your servers using the internal DNS SRV records set up earlier. If Jabber does not auto-discover, troubleshoot your SRV records; the easiest method is dig or nslookup.
The quick nslookup method is to:
- Launch the program,
- Make sure it shows your internal DNS servers (that your device should be pulling via DHCP scope options)
- Enter set type=SRV, then type _cisco-uds._tcp.domain.com. This should resolve to the hostname of CUCM, or the IP address of it.
- If using the hostname, exit nslookup and try to ping the hostname.
Once you enter your credentials you will likely be presented with several invalid certs to accept, and your client should connect and have IM, Presence, CUCM, CUC, and be able to IM and do voice/video calls.
Sign out and close Jabber
Launch Jabber 9.6 externally
Disconnect from your internal network and make sure your device is outside your network where a) it cannot resolve the internal SRV records, and b) it can resolve the external _collab-edge SRV record and access your Expressway-E from the outside.
Launch Jabber on your device. Jabber will attempt to resolve _cisco-uds._tcp.domain.com and will fail to do so. It will also attempt to resolve _cuplogin._tcp.domain.com and will fail. It will then attempt to resolve _collab-edge._tls.domain.com and get pointed to the public IP address of Expressway-E.
It will then connect to Expressway-E and, if everything is configured properly, it will log in and show as connected to IM, CUCM and CUC!
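The inside/outside decision described here and in the DNS section above is simple enough to model, and doing so makes the common DNS mistakes visible before a client is involved. What follows is an added example, not code from the original post or from Cisco: it walks the same lookup order (_cisco-uds._tcp, then _cuplogin._tcp, then _collab-edge._tls), orders SRV answers by priority and weight the way RFC 2782 specifies, and flags the two misconfigurations that send clients down the wrong path. DNS is replaced by in-memory dictionaries so it runs offline; the zone contents are constructed from the post’s example names, and the CUCM and IM&P hostnames are assumptions.

```python
"""Model of the inside/outside decision Jabber makes from SRV records."""
from __future__ import annotations

import random
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


@dataclass
class Decision:
    path: str                       # "direct" (inside), "mra" (outside) or "none"
    record: Optional[str]           # the SRV name that produced an answer
    targets: list = field(default_factory=list)


# Constructed split-horizon DNS. What an inside client sees ...
INTERNAL_VIEW = {
    "_cisco-uds._tcp.domain.com": [
        Srv(0, 0, 8443, "cucm-pub.domain.com"),   # assumed CUCM publisher name
        Srv(1, 0, 8443, "cucm-sub.domain.com"),   # assumed subscriber, lower preference
    ],
    "_cuplogin._tcp.domain.com": [Srv(0, 0, 8443, "imp-01.domain.com")],  # assumed IM&P name
}
# ... and what an outside client sees: only the Expressway-E record.
EXTERNAL_VIEW = {
    "_collab-edge._tls.domain.com": [Srv(0, 0, 8443, "sjc-expressway-edge-01.domain.com")],
}

# Lookup order the post describes; the first name with an answer wins.
DISCOVERY_ORDER = (
    ("_cisco-uds._tcp.{d}", "direct"),
    ("_cuplogin._tcp.{d}", "direct"),
    ("_collab-edge._tls.{d}", "mra"),
)


def order_targets(records: list, rng: Optional[random.Random] = None) -> list:
    """RFC 2782 ordering: lowest priority first; within one priority, pick targets
    at random in proportion to weight, with weight-0 entries falling to the end."""
    rng = rng or random.Random(0)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = pool[0]                      # only weight-0 entries left
            if total:
                n, acc = rng.randrange(total), 0
                for r in pool:
                    acc += r.weight
                    if n < acc:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def discover(view: dict, domain: str) -> Decision:
    """Walk DISCOVERY_ORDER against one DNS view (name -> list of Srv; missing = NXDOMAIN)."""
    for pattern, path in DISCOVERY_ORDER:
        name = pattern.format(d=domain)
        answers = view.get(name) or []
        if answers:
            return Decision(path, name, order_targets(answers))
    return Decision("none", None)


def check_views(internal: dict, external: dict, domain: str) -> list:
    """Warnings for the DNS mistakes that make clients pick the wrong path."""
    warnings = []
    for pattern, path in DISCOVERY_ORDER:
        name = pattern.format(d=domain)
        if path == "direct" and external.get(name):
            warnings.append(f"{name} resolves externally: outside clients will try "
                            "CUCM/IM&P directly and never fall back to MRA")
        if path == "mra" and not external.get(name):
            warnings.append(f"{name} missing from external DNS: MRA login cannot start")
    if not any(internal.get(p.format(d=domain)) for p, path in DISCOVERY_ORDER if path == "direct"):
        warnings.append("no _cisco-uds/_cuplogin record in internal DNS: inside clients "
                        "will hairpin through Expressway-E or fail")
    return warnings


if __name__ == "__main__":
    print("inside :", discover(INTERNAL_VIEW, "domain.com"))
    print("outside:", discover(EXTERNAL_VIEW, "domain.com"))
    print("checks :", check_views(INTERNAL_VIEW, EXTERNAL_VIEW, "domain.com"))
```

To use it against live DNS, replace the dictionaries with the SRV answers from `dig SRV _cisco-uds._tcp.domain.com` run from an inside host and from an outside host; the `check_views` warnings correspond to the two failure modes worth testing for, a leaked internal record (client outside hangs trying to reach CUCM) and a missing `_collab-edge` record (client outside never finds Expressway-E).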
Notes about iOS
On iOS the timeout for attempts to login is MINUTES long. Be very patient for it to either succeed or fail. It can take a significant amount of time to login successfully on the 9.6 build. 9.6.1 is supposed to be much faster.
If your login fails, click the Send Error Report and email it to yourself. Open the ZIP file and look through (going from bottom to top) to see where the errors are. The logs will include more than just the current login attempt, so note the time when you are attempting to login and look at the timestamps in the log. This is critical so that you aren’t troubleshooting an old login that isn’t relevant to your current problem.
From my experience:
- When I had firewall issues, I was seeing CONNECTION_TIMEOUT errors when trying to login via MRA, but not when I was inside.
- When I had neglected to enable RemoteAccess in jabber-config.xml I was seeing RemoteAccess Policy errors.
Summary
I’m impressed with the ability to finally be able to do voice/video calls from anywhere! It’s about time. Collab Edge is still considered a Feature Preview by Cisco and isn’t TAC supported yet. Please send me questions that you have as you attempt to deploy it.
-Mike
Hi Mike,
I think this thread is a focused know-how pool of the inner workings of the Collaboration Edge infrastructure, so I am posting my question here. 🙂
With the recent OpenSSL bug (https://www.openssl.org/news/secadv_20140407.txt) and the tunneling done on the VCS, which systems could be involved in any SSL termination? All of them (VCSe, VCSc, CUCM, CUC, CUPS)? Or, better said, which internal devices have their OpenSSL-based daemons exposed to the internet?
-Danny
Hi Danny,
Great find. Here’s the initial PSIRT response:
http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
It does show VCS identified as affected. I’m sure we’ll see quite a few more products identified and patches released as soon as possible (and/or suggested migrations to non-affected versions)
Hi Mike,
“When I had neglected to enable RemoteAccess in jabber-config.xml I was seeing RemoteAccess Policy errors ”
Here in jabber-config.xml–how we can enable Remote access.
Any of the current clients, J4W 9.7, J4M 9.6, J4iOS 9.6, J4Android 9.6, do not require the flag to enable MRA. You’ve got something else going on.
Hi Mike,
I have CUCM 9.1.2 and IM&P 9.1 installed on my UCS server. Is it possible to deploy Expressway-E and Expressway-C without a license, as a trial?
Not that I know of. Expressway doesn’t ship with demo licenses included without the order being placed.
Hi Danny,
CUCM/CUC/CUPS/UCCX till version 9.1.X are running an older version of the OpenSSL package than the ones affected. Thus they should be safe.
admin:show packages active openssl
Active Side Package(s): for openssl package(s)
openssl-0.9.8e-26.el5_9.1
Regards,
Jagpreet
Talked to a TME and found out that CUCM (and likely all of VOS) 10.0(1) is vulnerable.
Hi Guys,
An update: VCS X8.1.1 has been released and is now available on CCO.
http://software.cisco.com/download/release.html?mdfid=283733603&flowid=46003&softwareid=280886992&release=X8.1.1&relind=AVAILABLE&rellifecycle=&reltype=latest
NOTE: Among other items, this release includes a fix for the CVE-2014-0160 (Heartbleed) OpenSSL vulnerability.
Hi Mike,
When I try to login from internet, Jabber Client automatically choose Webex Messenger because my company’s domain is registered to Webex. How do I resolve this issue since I want Jabber to connect to IM&P instead of Webex? I’ve already setup SRV records, and I can login from internal without problem
Are you still using the WebEx Messenger service? If not, I would contact your WebEx account representative and ask them to submit a ticket to disable it for your domain. I helped one of my customers do this and it took about a month and some screaming to get them to actually disable it.
But in the meantime, Jabber has now added the ability to not try Webex, CUCM or CUPS. You’ll need to add the following section to your jabber-config.xml file under the (Policies) section.
<ServiceDiscoveryExcludedServices>
WEBEX
</ServiceDiscoveryExcludedServices>
More info here – http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/iOS/9-6-1/ICG/JABI_BK_C9AC3244_00_cisco-jabber-for-iphone-and-iPad-961/JABI_BK_C9AC3244_00_cisco-jabber-for-iphone-and-iPad-961_chapter_0101.html#CJAB_RF_CD345A8D_00
-Mike
Thanks I’ll try that. Well, actually I only know my company has subscription for webex online meeting. I don’t know whether webex messenger service is included or not. By the way, is it possible to use manual sign in setup for MRA from the jabber client?
Lots of times they’ll automatically include WebEx Messenger. You’ll need to have your client log in internally first (with manual login) so that it can connect and pull the jabber-config.xml, which tells it not to try WebEx when it connects in the future.
The only way to connect quickly outside that I know of is with service discovery.
Can you suggest what I should look at to troubleshoot the call? My Exp-Edge uses one leg with static NAT enabled. I have opened my firewall just to test connectivity first.
1. From outside, I can only ring the device which is registered to CUCM, but after I pick up the call, I can’t hear any voice from both parties. (type traversal, SIPSIP)
2. From inside, when I call the device which is registered through Expressway, I see in the Expressway call log that it tries to connect using TLS (I only set up TLS between Control and Edge; by contrast, the call from outside to inside is made using TCP, judging by the log), then it fails with a Service Unavailable status. (type Non Traversal, SIPSIP)
I’m using Jabber Android for outside, and Jabber windows 9.7 for inside.
Hi Xave,
Did you manage to solve this issue? We have the exact same issue on our system.
Thanks
Hi Guys,
Any luck with this? I’m having the same issue with outbound calls to the devices. Everything else is working fine.
Mike,
Can you give some insight on how the internal client would know how to use the internal AD servers and the external client would know how to use the UDS especially when they have the same jabber-config.xml file? Looking forward to your reply! Thanks!
Hi Mike,
I upgraded my Cisco CallManager to 9.1.2SU1 (previous version 9.1.1a) and added the UDS COP file, and now I have a problem logging in internally (via service discovery; manual login is OK).
Any advice
Thanks for your help
——————————LOG——————————————-
[csf.edge.capability.EdgeCapabilityPolicy][enforce] Enforcing policy 0
— 2014-04-15 00:27:54.584 INFO [b0f5000] – [csf.edge.capability.EdgeTransitionDetectionControllerWrapper][enableEdge] Edge is going to be enabled for this object
— 2014-04-15 00:27:54.584 INFO [b0f5000] – [csf.edge.capability.EdgeTransitionDetectionControllerWrapper][enableEdge] Edge has been enabled
— 2014-04-15 00:27:54.585 DEBUG [b0f5000] – [csf.edge.capability.EdgeCapabilityPolicy][enforce] Policy enforced
— 2014-04-15 00:27:54.585 INFO [b0f5000] – [csf.edge][enqueue] EdgeTransitionDetectionController enqueuing event NetworkActivity
— 2014-04-15 00:27:54.585 DEBUG [b0f5000] – [csf.httpclient][isVcs407Response] result: 0
— 2014-04-15 00:27:54.585 DEBUG [b0f5000] – [csf.httpclient][isVcse502Response] result: 0
— 2014-04-15 00:27:54.588 DEBUG [b0f5000] – [csf.httpclient][executeImpl] The total size of the data received is: 365, the size of the response body is: 365
— 2014-04-15 00:27:54.588 DEBUG [b0f5000] – [csf.httpclient][executeImpl] Exiting executeImpl()
— 2014-04-15 00:27:54.589 DEBUG [b0f5000] – [csf.httpclient][~HttpRequestData] Destroying instance of Request data, with request: 5
— 2014-04-15 00:27:54.590 DEBUG [b0f5000] – [csf.config][doGet] Finished GET request.
— 2014-04-15 00:27:54.590 INFO [b0f5000] – [csf.config][mapToHttpUtilsResult] csf::http::HttpClientResult=[SUCCESS] HttpUtilsResult=[SUCCESS]
— 2014-04-15 00:27:54.590 DEBUG [b0f5000] – [csf.config][run] Response body: Cisco User Data Service9.1.2Cisco Unified Communications ManagerCisco Enterprise License Manager
— 2014-04-15 00:27:54.594 DEBUG [b0f5000] – [csf.config][parseChildElementsAsNameValuePairs] result : SUCCESS for xpath : /versionInformation
— 2014-04-15 00:27:54.594 DEBUG [b0f5000] – [csf.config][parse] Number of elements found: 4
— 2014-04-15 00:27:54.594 DEBUG [b0f5000] – [csf.config][parse] Checking name, Cisco User Data Service
— 2014-04-15 00:27:54.595 DEBUG [b0f5000] – [csf.config][parse] Element is not a valid UDS server.
— 2014-04-15 00:27:54.595 DEBUG [b0f5000] – [csf.config][parse] Checking version, 9.1.2
— 2014-04-15 00:27:54.596 DEBUG [b0f5000] – [csf.config][parse] Found UDS Server Version: 9.1.2.
— 2014-04-15 00:27:54.596 DEBUG [b0f5000] – [csf.config][parse] Checking installedProducts/product, Cisco Unified Communications Manager
— 2014-04-15 00:27:54.596 DEBUG [b0f5000] – [csf.config][parse] Element is not a valid UDS server.
— 2014-04-15 00:27:54.597 DEBUG [b0f5000] – [csf.config][parse] Checking installedProducts/product, Cisco Enterprise License Manager
— 2014-04-15 00:27:54.598 DEBUG [b0f5000] – [csf.config][parse] Element is not a valid UDS server.
— 2014-04-15 00:27:54.598 DEBUG [b0f5000] – [csf.config][BlacklistAddress] Created BlacklistAddress with request: https://10.251.1.10:8443/cucm-uds/version (FQDN: 10.251.1.10, Hostname: 10.251.1.10) and matching type URL.
— 2014-04-15 00:27:54.599 DEBUG [b0f5000] – [csf.config][run] The version of UDS server ( 10.251.1.10:8443) is 9.1.2
— 2014-04-15 00:27:54.599 WARNING [b0f5000] – [csf.config][isEmailUpnLookupSupported] Invalid Uds Version: 9.1.2
— 2014-04-15 00:27:54.600 DEBUG [b0f5000] – [csf.config][run] Identifier:Username will be used for LocatorUdsQuery.
— 2014-04-15 00:27:54.600 DEBUG [b0f5000] – [csf.config][doGet] About to send GET Request.
— 2014-04-15 00:27:54.601 DEBUG [b0f5000] – [csf.httpclient][RequestWrapper] Constructing RequestWrapper with originalUrl: https://10.251.1.10:8443/cucm-uds/clusterUser?username=soporte@domain.com.pe
— 2014-04-15 00:27:54.601 DEBUG [b0f5000] – [csf.httpclient][updateCertDisplayId] no change in cert display identifier
— 2014-04-15 00:27:54.602 DEBUG [b0f5000] – [csf.httpclient][HttpRequestData] Created new instance of transfer data, with request: 6
— 2014-04-15 00:27:54.605 DEBUG [b0f5000] – [csf.common.PolicySet][getPolicy] Searching a policy with nature EDGE_USAGE
— 2014-04-15 00:27:54.606 DEBUG [b0f5000] – [csf.common.PolicySet][getPolicy] Policy found
— 2014-04-15 00:27:54.606 INFO [b0f5000] – [csf.httpclient][execute] About to enforce Edge policy with Url: https://10.251.1.10:8443/cucm-uds/clusterUser?username=soporte@domain.com.pe
— 2014-04-15 00:27:54.606 DEBUG [b0f5000] – [csf.netutils][getGlobalEdgeState] Getting GlobalEdgeState
— 2014-04-15 00:27:54.607 DEBUG [b0f5000] – [csf.edge][checkConnectivity] Acquired scoped lock (connectivityMutex_)
— 2014-04-15 00:27:54.607 INFO [b0f5000] – [csf.edge][isInternalConnectivityAvailable] Internal Connectivity: 1
— 2014-04-15 00:27:54.607 DEBUG [b0f5000] – [csf.netutils][getGlobalEdgeState] Getting GlobalEdgeState
— 2014-04-15 00:27:54.607 DEBUG [b0f5000] – [csf.edge][checkConnectivity] Acquired scoped lock (connectivityMutex_)
— 2014-04-15 00:27:54.608 INFO [b0f5000] – [csf.edge][isInternalConnectivityAvailable] Internal Connectivity: 1
— 2014-04-15 00:27:54.608 INFO [b0f5000] – [csf.httpclient][execute] Edge policy enforced successfully with transformed Url: https://10.251.1.10:8443/cucm-uds/clusterUser?username=soporte@domain.com.pe
— 2014-04-15 00:27:54.608 DEBUG [b0f5000] – [csf.httpclient][updateCertDisplayId] no change in cert display identifier
— 2014-04-15 00:27:54.609 DEBUG [b0f5000] – [csf.httpclient][executeImpl] Entering executeImpl()
— 2014-04-15 00:27:54.609 INFO [b0f5000] – [csf.httpclient][configureEasyRequest] Configuring a CURL Easy request for: https://10.251.1.10:8443/cucm-uds/clusterUser?username=soporte@domain.com.pe
— 2014-04-15 00:27:54.609 INFO [b0f5000] – [csf.httpclient][CurlHeaders] Number of Request Headers : 0
— 2014-04-15 00:27:54.610 DEBUG [b0f5000] – [csf.httpclient][configureEasyRequest] Checking for proxy information…
— 2014-04-15 00:27:54.611 DEBUG [b0f5000] – [csf.httpclient][configureEasyRequest] System Proxy will not be used
— 2014-04-15 00:27:54.611 DEBUG [b0f5000] – [csf.httpclient][configureEasyRequest] No proxy information available [6].
— 2014-04-15 00:27:54.611 DEBUG [b0f5000] – [csf.httpclient][configureEasyRequest] Setting connect timeout value in milliseconds to : 60000
— 2014-04-15 00:27:54.612 DEBUG [b0f5000] – [csf.httpclient][configureEasyRequest] Setting transfer timeout value in milliseconds to : 120000
— 2014-04-15 00:27:54.612 DEBUG [b0f5000] – [csf.httpclient][configureEasyRequest] HTTP Request Configured
— 2014-04-15 00:27:54.612 DEBUG [b0f5000] – [csf.httpclient][performCurlRequest] About to perform curl connection request…
— 2014-04-15 00:27:54.730 INFO [b2b8000] – [csf.netutils][beginBackgroundTask] Call to beginBackgroundTaskWithExpirationHandler returned 1
— 2014-04-15 00:27:54.730 INFO [b2b8000] – [csf.edge][doNetworkSensing] DetectDirectConnectUnavailable.Monitoring: Will probe internal network visibility, old timestamp: 0, now: 1397521674.443277
— 2014-04-15 00:27:54.731 INFO [b2b8000] – [csf.dns][makeDnsQuery] About to make a dns request against _cisco-uds._tcp.domain.com.pe.
— 2014-04-15 00:27:54.731 INFO [b2b8000] – [csf.dns][makeQuery] Making an SRV record request. _cisco-uds._tcp.domain.com.pe.
— 2014-04-15 00:27:54.733 INFO [b2b8000] – [csf.dns][makeDnsQuery] The answer count is 1
— 2014-04-15 00:27:54.733 DEBUG [b2b8000] – [csf.dns][parseSingleAnswerRecord] Parsed SRV Record Request result.
— 2014-04-15 00:27:54.734 DEBUG [b2b8000] – [csf.dns][parseResults] Parse Succeeded.
— 2014-04-15 00:27:54.734 INFO [b2b8000] – [csf.edge][logSensorEvaluation] EnterpriseNetworkSensor strategy FindCiscoUdsRecord evaluated to true
— 2014-04-15 00:27:54.734 INFO [b2b8000] – [csf.edge][doNetworkSensing] DetectDirectConnectUnavailable.Monitoring: Did see internal network
— 2014-04-15 00:27:54.736 INFO [b2b8000] – [csf.netutils][markProgress] Progressing through background task MonitoringState.doNetworkSensing, id 1, iOS applicationState: Active, backgroundTimeRemaining: (large)
— 2014-04-15 00:27:54.737 INFO [b2b8000] – [csf.edge][processEvent] EdgeTransitionDetectionController processing Event: NetworkActivity
— 2014-04-15 00:27:54.737 INFO [b2b8000] – [csf.edge][logIgnoringEvent] DetectDirectConnectAvailable.Idle: Ignoring event NetworkAccessOpportunity
— 2014-04-15 00:27:54.738 INFO [b2b8000] – [csf.edge][runEventLoop] Reactor event loop entering wait()
— 2014-04-15 00:27:54.741 DEBUG [b0f5000] – [csf.httpclient][curlHeaderCallback] Header callback (17). – HTTP/1.1 200 OK
— 2014-04-15 00:27:54.742 DEBUG [b0f5000] – [csf.httpclient][curlHeaderCallback] New response, removing 0 previous headers
— 2014-04-15 00:27:54.742 DEBUG [b0f5000] – [csf.httpclient][curlHeaderCallback] Finished appending the header.
— 2014-04-15 00:27:54.743 DEBUG [b0f5000] – [csf.httpclient][curlHeaderCallback] Header callback (29). – X-Frame-Options: SAMEORIGIN
— 2014-04-15 00:27:54.743 DEBUG [b0f5000] – [csf.httpclient][curlHeaderCallback] Finished appending the header.
— 2014-04-15 00:27:54.744 DEBUG [b0f5000] – [csf.httpclient][curlHeaderCallback] Header callback (31). – Content-Type: application/xml
— 2014-04-15 00:27:54.750 INFO [b0f5000] – [csf.edge.capability.EdgeDetectionControllerWrapper][getNetworkTransitionDetectionController] Getting a wrapping of the stored EdgeTransitionDetectionController
— 2014-04-15 00:27:54.750 DEBUG [b0f5000] – [csf.edge.capability.EdgeAccessDirector][getInstance] Registering this as a DefaultPoliciesStore observer
— 2014-04-15 00:27:54.750 DEBUG [b0f5000] – [csf.common.DefaultPoliciesStore][registerForDefaultPoliciesChanges] Registering an observer for policies changes
— 2014-04-15 00:27:54.751 DEBUG [b0f5000] – [csf.edge.capability.EdgeAccessDirector][wrapIt] Wrapping an EdgeTransitionDetectionController
— 2014-04-15 00:27:54.751 DEBUG [b0f5000] – [csf.edge.capability.EdgeAccessDirector][wrapIt] Received a wrapping request for a wrapped object. Returning the object untouched
— 2014-04-15 00:27:54.751 DEBUG [b0f5000] – [csf.edge.capability.EdgeAccessDirector][instructWrapper] Instructing a wrapper on the EDGE_CAPABILITY policy
— 2014-04-15 00:27:54.751 DEBUG [b0f5000] – [csf.common.PolicySet][getPolicy] Searching a policy with nature EDGE_CAPABILITY
— 2014-04-15 00:27:54.752 DEBUG [b0f5000] – [csf.common.PolicySet][getPolicy] Policy found
— 2014-04-15 00:27:54.752 DEBUG [b0f5000] – [csf.edge.capability.EdgeCapabilityPolicy][enforce] Enforcing policy 0
— 2014-04-15 00:27:54.752 INFO [b0f5000] – [csf.edge.capability.EdgeTransitionDetectionControllerWrapper][enableEdge] Edge is going to be enabled for this object
— 2014-04-15 00:27:54.753 INFO [b0f5000] – [csf.edge.capability.EdgeTransitionDetectionControllerWrapper][enableEdge] Edge has been enabled
— 2014-04-15 00:27:54.753 DEBUG [b0f5000] – [csf.edge.capability.EdgeCapabilityPolicy][enforce] Policy enforced
— 2014-04-15 00:27:54.753 INFO [b0f5000] – [csf.edge][enqueue] EdgeTransitionDetectionController enqueuing event NetworkActivity
— 2014-04-15 00:27:54.754 DEBUG [b0f5000] – [csf.httpclient][isVcs407Response] result: 0
— 2014-04-15 00:27:54.755 INFO [b2b8000] – [csf.edge][processEvent] EdgeTransitionDetectionController processing Event: NetworkActivity
— 2014-04-15 00:27:54.755 INFO [b2b8000] – [csf.edge][logIgnoringEvent] DetectDirectConnectAvailable.Idle: Ignoring event NetworkAccessOpportunity
— 2014-04-15 00:27:54.755 DEBUG [b0f5000] – [csf.httpclient][isVcse502Response] result: 0
— 2014-04-15 00:27:54.755 DEBUG [b0f5000] – [csf.httpclient][executeImpl] The total size of the data received is: 236, the size of the response body is: 236
— 2014-04-15 00:27:54.756 DEBUG [b0f5000] – [csf.httpclient][executeImpl] Exiting executeImpl()
— 2014-04-15 00:27:54.756 INFO [b2b8000] – [csf.edge][runEventLoop] Reactor event loop entering wait()
— 2014-04-15 00:27:54.756 DEBUG [b0f5000] – [csf.httpclient][~HttpRequestData] Destroying instance of Request data, with request: 6
— 2014-04-15 00:27:54.757 DEBUG [b0f5000] – [csf.config][doGet] Finished GET request.
— 2014-04-15 00:27:54.757 INFO [b0f5000] – [csf.config][mapToHttpUtilsResult] csf::http::HttpClientResult=[SUCCESS] HttpUtilsResult=[SUCCESS]
— 2014-04-15 00:27:54.757 DEBUG [b0f5000] – [csf.config][run] LocatorUdsQuery is successful.
— 2014-04-15 00:27:54.758 DEBUG [b0f5000] – [csf.config][run] Locator Uds request finished.
— 2014-04-15 00:27:54.759 DEBUG [b0f5000] – [csf.config][parseAttributesAsNameValuePairs] attr name : found
— 2014-04-15 00:27:54.759 DEBUG [b0f5000] – [csf.config][parseAttributesAsNameValuePairs] attr value : false
— 2014-04-15 00:27:54.759 DEBUG [b0f5000] – [csf.config][parseAttributesAsNameValuePairs] result : SUCCESS for xpath : /clusterUser/result
— 2014-04-15 00:27:54.760 INFO [b0f5000] – [csf.config][parseResult] No Home UDS Location found
— 2014-04-15 00:27:54.760 ERROR [b0f5000] – [csf.config][parse] Failed to parse LocatorUdsResponse: NO_HOME_UDS_FOUND
— 2014-04-15 00:27:54.760 WARNING [b0f5000] – [csf.config][getLocatorUdsInformation] LocatorUdsQuery has failed with result: NO_HOME_UDS_FOUND
— 2014-04-15 00:27:54.760 ERROR [b0f5000] – [csf.config][convertLocatorUdsResult] locatorUdsResult=[NO_HOME_UDS_FOUND] ucmConfigResult=[FAILED_TO_FIND_HOME_UDS]
— 2014-04-15 00:27:54.761 WARNING [b0f5000] – [csf.config][getUdsInformation] Ucm Locator query has failed with FAILED_TO_FIND_HOME_UDS
— 2014-04-15 00:27:54.761 WARNING [b0f5000] – [csf.config][fetchXmlFileSet] No information available after doing a fetch.
— 2014-04-15 00:27:54.761 DEBUG [b0f5000] – [csf.config][fetchXmlFileSet] Returning: FAILED_TO_FIND_HOME_UDS
— 2014-04-15 00:27:54.761 INFO [b0f5000] – [csf.config][fetchXmlFileSet] Time taken to complete the ucm-config library fetchXmlFileSet(): 0 seconds.
— 2014-04-15 00:27:54.762 INFO [b0f5000] – [service-discovery][authenticate] Ucm90 Library Returned with Code FAILED_TO_FIND_HOME_UDS
— 2014-04-15 00:27:54.762 DEBUG [b0f5000] – [csf.httpclient][~BasicHttpClientImpl] Destroying a BasicHttpClientImpl object.
— 2014-04-15 00:27:54.762 DEBUG [b0f5000] – [csf.httpclient][~HttpClientData] Destroying instance of Client data
— 2014-04-15 00:27:54.763 DEBUG [b0f5000] – [csf.cert.ios][~iOSCertVerifier] iOS CertVerifier destructor
— 2014-04-15 00:27:54.764 DEBUG [b0f5000] – [csf.config][~DnsProvider] De-initializing DNS Provider
— 2014-04-15 00:27:54.766 INFO [b0f5000] – [csf.config][deInitialize] CSF Provided DNS Library De-initialized!
— 2014-04-15 00:27:54.767 INFO [b0f5000] – [service-discovery][retrieveConfigImpl] resultCode FAILED_AUTHENTICATION
— 2014-04-15 00:27:54.767 DEBUG [b0f5000] – [service-discovery][retrieveConfigImpl] Ucm90 Authentication has failed, setting ucm90 credentials as unverified for username : soporte@domain.com.pe
— 2014-04-15 00:27:54.767 INFO [b0f5000] – [service-discovery][saveUcm90Credentials] Saving Ucm90 Credentials, verified 0
— 2014-04-15 00:27:54.767 DEBUG [b0f5000] – [service-discovery][saveUcm90Credentials] Enqueuing saving of ucm90 credentials task onto dispatcher thread.
— 2014-04-15 00:27:54.768 DEBUG [b0f5000] – [services-dispatcher][enqueue] ServicesDispatcher.enqueue: DiscoveryConfigRetriever::saveUcm90CredentialsInDispatcherThread
— 2014-04-15 00:27:54.768 WARNING [b0f5000] – [service-discovery][mapUcm90ResultCodeToServiceDiscoveryResult] CUCM Result : Failed – Authentication error.
— 2014-04-15 00:27:54.768 DEBUG [3ced118c] – [services-dispatcher][pumpNext] pumpNext.executing (DiscoveryConfigRetriever::saveUcm90CredentialsInDispatcherThread)
— 2014-04-15 00:27:54.768 INFO [b0f5000] – [service-discovery][LogServiceInformationVect]
No Service Discovery DNS records have been found.
— 2014-04-15 00:27:54.769 INFO [3ced118c] – [service-discovery][saveCredentialsInDispatcherThread] Updating Ucm90 Credentials from Dispatcher Thread
— 2014-04-15 00:27:54.769 DEBUG [3ced118c] – [csf-unified.services.system.CredentialsManager][GetCredentialsImplForService] ScopedLock to protect access to credentialsMap
— 2014-04-15 00:27:54.769 INFO [3ced118c] – [csf-unified.services.system.CredentialsManager][GetCredentialsImplForService] Found credential object associated with the Authenticator ID: UCM90
— 2014-04-15 00:27:54.770 DEBUG [3ced118c] – [csf-unified.services.system.CredentialsManager][UpdateCredentials] ScopedLock to protect access to credentialsMap
— 2014-04-15 00:27:54.770 DEBUG [3ced118c] – [csf-unified.services.system.CredentialsManager][GetCredentialsImplForService] ScopedLock to protect access to credentialsMap
— 2014-04-15 00:27:54.770 INFO [3ced118c] – [csf-unified.services.system.CredentialsManager][GetCredentialsImplForService] Found credential object associated with the Authenticator ID: UCM90
— 2014-04-15 00:27:54.771 INFO [3ced118c] – [csf-unified.services.system.CredentialsManager][UpdateCredentials] Setting credentials for Authenticator [UCM90]
— 2014-04-15 00:27:54.771 DEBUG [3ced118c] – [CredentialsImpl][setCredentials] Credentials set [authenticatorId=1000;synced=true;username=soporte@domain.com.pe;password=not empty;oAuthToken=empty;rememberMe=false;ssoMode=0;verified=false;userVerified=false]
— 2014-04-15 00:27:54.771 INFO [b0f5000] – [service-discovery][evaluateServiceDiscoveryResult] ServiceDiscoveryHandlerResult return code FAILED_UCM90_AUTHENTICATION
— 2014-04-15 00:27:54.771 DEBUG [3ced118c] – [csf-unified.services.system.CredentialsManager][saveCredentials] ScopedLock to protect access to credentialsMap
— 2014-04-15 00:27:54.772 INFO [3ced118c] – [csf-unified.services.system.CredentialsManager][saveCredentials] Saving Credentials Profile: soporte@domain.com.pe
— 2014-04-15 00:27:54.773 DEBUG [b0f5000] – [services-dispatcher][enqueue] ServicesDispatcher.enqueue: DiscoveryHandlerImpl::callOnAuthenticationFailedDiscoveryResultOnDispatcherThread
— 2014-04-15 00:27:54.776 DEBUG [3ced118c] – [service-discovery][saveCredentialsInDispatcherThread] Ucm90 Credentials are saved.
— 2014-04-15 00:27:54.776 DEBUG [3ced118c] – [services-dispatcher][pumpNext] pumpNext.executed (DiscoveryConfigRetriever::saveUcm90CredentialsInDispatcherThread)
— 2014-04-15 00:27:54.777 DEBUG [3ced118c] – [services-dispatcher][pumpNext] pumpNext.executing (DiscoveryHandlerImpl::callOnAuthenticationFailedDiscoveryResultOnDispatcherThread)
— 2014-04-15 00:27:54.777 DEBUG [3ced118c] – [service-discovery][callOnAuthenticationFailedDiscoveryResultOnDispatcherThread] Discovery has failed due to Authentication Failure for id 1000Calling Callback!
— 2014-04-15 00:27:54.780 INFO [3ced118c] – [CSFServiceLocatorManager][onAuthenticationFailed:authenticatorId:] enter
— 2014-04-15 00:27:54.780 WARNING [3ced118c] – [Login Time Check] discovery Authentication Failed.
— 2014-04-15 00:27:54.781 DEBUG [3ced118c] – YLCSigninUIMgr showSigninError The username or password is not correct, or the user account is inactive.,withAction cxsignaction://senderrorproblem
— 2014-04-15 00:27:54.799 DEBUG [3ced118c] – height:49.031998, createLabel.numberOfLines:1
— 2014-04-15 00:27:54.803 DEBUG [3ced118c] – YLCSigninUIMgr enableUserInteraction YES
— 2014-04-15 00:27:54.804 INFO [3ced118c] – [CSFServiceLocatorManager][onAuthenticationFailed:authenticatorId:] out
— 2014-04-15 00:27:54.807 INFO [3ced118c] – [scoped-timer][pop]
** BEGIN TIMER TRACE **
ASYNC FLOWS CAPTURED:
DiscoveryHandler::Discover
— Thread Id – 185552896 —
00:00:00.000.009 + DiscoveryHandler::DiscoverImpl
00:00:00.257.674 + ServiceDiscoveryHandler::Discover
00:00:00.294.151 + ServiceDiscoveryHandler::determineIsWebexCustomerFromCache
00:00:00.294.773 – ServiceDiscoveryHandler::determineIsWebexCustomerFromCache (00:00:00.000.622)
00:00:00.294.794 + ServiceDiscoveryHandler::determineIsWebexCustomerFromCasLookup
00:00:00.795.952 – ServiceDiscoveryHandler::determineIsWebexCustomerFromCasLookup (00:00:00.501.158)
00:00:00.796.232 + ServiceDiscoveryHandler::makeUcm90BasedDiscovery
00:00:00.796.523 + DnsEdgeServiceDiscoveryRequest::makeDiscoveryRequest
00:00:00.797.561 + DnsEdgeServiceDiscoveryRequest::getDnsServiceInformationFromNetutils
00:00:00.800.428 – DnsEdgeServiceDiscoveryRequest::getDnsServiceInformationFromNetutils (00:00:00.002.867)
00:00:00.800.966 – DnsEdgeServiceDiscoveryRequest::makeDiscoveryRequest (00:00:00.004.443)
00:00:00.800.991 + ServiceDiscoveryHandler::saveServiceDiscoveryResult
00:00:00.801.008 + ServiceDiscoveryHandler::writeToCache
00:00:00.803.529 – ServiceDiscoveryHandler::writeToCache (00:00:00.002.521)
00:00:00.811.220 – ServiceDiscoveryHandler::saveServiceDiscoveryResult (00:00:00.010.229)
00:00:07.008.991 – ServiceDiscoveryHandler::makeUcm90BasedDiscovery (00:00:06.212.759)
00:00:07.011.803 – ServiceDiscoveryHandler::Discover (00:00:06.754.129)
00:00:07.011.826 + DiscoveryHandler::evaluateServiceDiscoveryResult
00:00:07.014.439 – DiscoveryHandler::evaluateServiceDiscoveryResult (00:00:00.002.613)
00:00:07.014.450 – DiscoveryHandler::DiscoverImpl (00:00:07.014.441)
— Thread Id – 1022169484 —
00:00:00.0-1.-762 + DiscoveryHandler::Discover
00:00:00.000.-41 – DiscoveryHandler::Discover (00:00:00.001.721)
00:00:07.017.804 + DiscoveryHandler::callOnAuthenticationFailedDiscoveryResultOnDispatcherThread
00:00:07.046.424 – DiscoveryHandler::callOnAuthenticationFailedDiscoveryResultOnDispatcherThread (00:00:00.028.620)
** END TIMER TRACE **
— 2014-04-15 00:27:54.807 DEBUG [3ced118c] – [services-dispatcher][pumpNext] pumpNext.executed (DiscoveryHandlerImpl::callOnAuthenticationFailedDiscoveryResultOnDispatcherThread)
— 2014-04-15 00:27:56.371 DEBUG [3ced118c] – -[MXSendProblemReport trySendProblemReportWithDelegate:crashReport:], canSendEmail= 1
Thanks for the detailed information. This blog is quite informative and active. Please keep the information flowing.
Hi,
I can log in to Jabber via MRA but I don’t have phone services (in the corporate network it works fine).
Any advice?
Thanks
I have the same issue… Has anyone found the answer? CUCM version = 10
Were you able to fix this issue? I am facing the same.
Hi Mike,
I am having a problem with my Jabber config on my vcs-c and vcs-e servers.
Currently Jabber can register internally in full (IM and CUCM) using username@domain.name, no problems there. Externally, using the same username and domain I can only register to the IM. I can see from the vcs-e event log files that the Jabber client tried to SIP REGISTER to 12345@1.2.3.4. Yes, it tries to register to an IP address and not the “domain.name”. The vcs-e server only has a search rule for domain.name pointing to the traversal zone. That is why it complains that 1.2.3.4 is an unknown domain.
So, what is going wrong here? Is the Jabber client correct, and should there be a 1.2.3.4 (which I cannot configure) search rule? Or should the Jabber client register to domain.name? Then where did it get the idea to register to an IP address?
A third option could be: the TLS tunnel is not working between the Jabber client and the vcs-c, because the vcs-e can see and react to the clear text SIP registration messages, and the IP address in the REGISTER is just the assigned subscriber.
Any help would be great; I do not have access to, or experience with, a working setup where I can compare behavior.
Thanks,
Danny
Here is the official Cisco Collaboration Deployment Guide just released this week. Enjoy.
Click to access Mobile-Remote-Access-via-VCS-Deployment-Guide-X8-1-1.pdf
Thanks Frantz! I’ve updated the post to reflect this. Appreciate it!
You’re welcome. I’m preparing to deploy VCS-E for our remote users with Jabber. I’m working with Cisco on the design, so once I complete my deployment and it’s placed into production, I’ll post my findings. This is a great blog, Mike.
-Frantz
Hi Mike,
Do you have any experience with collaboration edge together with Jabber Guest / Jabberc?
kind regards
Edwin
MRA + JabberG is not supported in X8 code.
Hello Mike, thanks for the blog.
In the case of a CUCM cluster with 4 servers, where only the first two have the TFTP service and the other two are configured as UCM servers to receive registrations, do we need to add _cisco-uds SRV entries for all 4 servers? Is it necessary to add config lines to the jabber-config.xml file to instruct which one to use?
Thanks in advance.
Hi Mike, how are you?
First of all, very nice posting about Collab Edge.
I’m preparing to deploy VCS-E and C and your post is giving me some real nice idea about this deployment.
I would like to ask you about the jabber-config.xml that you had to take out of the post. Would you mind sharing the lines to configure the XML?
Thank you very much.
Martin
Hi Mike,
We have Jabber MRA set up and it works well from the outside, but having the voiceservicesdomain in the jabber-config file breaks it internally.
Our external and internal domains are different. I can see from the Jabber logs that the servicesdomain is our internal domain, and voiceservicesdomain our external domain. I can see in the logs that it has set the internal and external domain as the voiceservicesdomain entry. Jabber looks for _cisco-uds / _cuplogin files and fails internally as it is looking for _cisco-uds.tcp.EXTERNALDOMAIN.
We only have our A record for Expressway-E and the SRV _collab-edge record in our external domain. I thought the service domain is what it used internally, but this is not the case.
When I remove the voiceservicesdomain entry it starts working again, as it looks for _cisco-uds.tcp.INTERNALDOMAIN, which is set correctly.
Any Ideas?
Rebecca,
I’m not sure if you made it past this issue, but from what I ran into while doing a similar internal/external domain deployment it seems that you should set the voiceservicesdomain to the external .com domain. Then create those external .com cups/uds SRV records on an internal DNS server so that they can be resolved while inside the network.
See the Jabber DNS doc: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/9_7/CJAB_BK_C606D8A9_00_cisco-jabber-dns-configuration-guide/CJAB_BK_C606D8A9_00_cisco-jabber-dns-configuration-guide_chapter_010.html#CJAB_TK_D380F2C5_00
Hello Mike,
Thanks for your awesome guide! We’re deploying the Expressway solution for Remote Mobile Access and I feel we’re almost good to go. The traversal zones (using IP addresses) are active in both the ExpC and ExpE. The problem is that I can’t login from the Outside, it says that it could not find network services. While on the inside, everything works well.
This is the deal:
– internal domain: acme.corp (private)
– external domain: acme.com.br (public)
When I sign in internally, I use user@acme.corp in Jabber’s login screen and everything works fine! Without any other configuration I am able to log in and call other directory numbers.
When I try to sign in externally, user@acme.corp gives me a timeout, so I change it to user@acme.com.br, and then after a few moments I get the “could not find services” error message.
Do I have to try both logins when on the inside/outside of the corporate network?
I haven’t made any changes in the jabber-config.xml file. Is it necessary on version X8.1.1?
I’m thinking about certificate problems, reading your guide I got a little confused on items 2 and 7 of this part:
1) Generate CSR -> OK
2) Add UC Domain (domain.com) and XMPP server information -> ??? Meaning the “Additional alternative names (comma separated)”, “Unified Communications domains” and “IM and Presence chat node aliases”, right?
In our deployment we don’t use FQDNs for the CUCM, CUC and CUP services; we’re starting to use FQDNs with the deployment of the Expressway solution. Anyway, the CUCM PUB is 192.168.40.100, CUCM SUB 192.168.40.101, CUC 192.168.40.102 and CUP 192.168.40.104. EXPC is 192.168.40.106 and EXPE (single NIC, on a stick, without NAT) is 200.200.200.200 (example).
On the outside: _collab-edge._tls.acme.com.br is SRV-resolved to exp.acme.com.br 8443 -> OK!
exp.acme.com.br is A resolved to 200.200.200.200 -> OK!
On the inside: _cisco-uds._tcp.acme.corp is SRV-resolved to 192.168.40.100
_cuplogin._tcp.acme.corp is SRV resolved to 192.168.40.104
exp.acme.corp is A resolved to 192.168.40.106 -> OK!
Generating the CSR on ExpC I get ‘conference-2-StandAloneClusterb7095.acme.corp’ auto-filled in the ‘IM and Presence Chat Node Aliases’.
Generating the CSR on ExpE I get ‘exp.acme.corp’ auto-filled in the ‘Unified Communications domain’.
How do I properly fill in these fields when generating the CSR? We’re using OpenSSL to act as CA and sign the CSRs.
3) Download the CSR -> OK!
4) Use the PEM file to get the certificate signed by the CA -> OK!
5) Get the signed server PEM and the root/intermediate chain PEM back from the CA -> OK!
6) Upload the signed server cert to Expressway-E -> OK!
7) Follow the Webex instructions to break apart the CA intermediate and root PEM into individual certs using Windows, so that you can import them into the CA trusted cert list properly -> ??? Could you write a little more on this, please?
8) Repeat this procedure for Expressway-C -> OK!
Thank you in advance!
Best regards, Daniel
Hi Daniel, did you resolve your issue? We are facing the same issue and couldn’t find the real cause of it. Cisco TAC suggested that we should create a PTR record for the public IP.
Hi Mike, or anyone else who may be able to answer. I’m just installing Expressway-C & E and may have an issue. Where it says to go under Configuration/Domains, I’m not sure what domain to enter, as our external domain (e.g. acme.com) is different from our internal one (e.g. acme.int). It seems as though this could be a problem: today, internally, we authenticate to LDAP @ acme.int with Jabber and our voice services, but when you go outside you will be accessing the Expressways as acme.com. Any thoughts or ideas?
Hi Craig,
As we have recently discovered, the internal/external FQDNs, as well as SSL certificate’s CN – all have to match for the Expressway-Edge to work properly. In my environment, the external FQDN was, say, collab-edge.domain.com, internal FQDN was expressway-e.domain.com and the SAN certificate had both FQDNs in it; however, the CN of the certificate was matching the internal FQDN and that prevented Expressway from working properly. Since we are using split-DNS, it was easier for me to change the A Record for the Expressway Edge in the Public DNS and update the SRV record to point to it. After doing just that, Jabber started to work externally without a hitch.
Is it possible that a customized XMPP client running outside the corporate network is able to access IM/Presence server without VPN?
Does collaboration edge make this possible or is it only possible when we use the latest Jabber clients from Cisco?
Normally you’d just NAT out your CUP/IM&P Server and open your firewall on 5222 (or preferably 5223 if the client supports SSL) if you’re using a generic XMPP client. Collab Edge MRA is going to require Jabber as the client. You can of course deploy Jabber for IM&P mode only and not have audio/video functionality.
I blog quite often and I genuinely thank you for your information. Your article has really piqued my interest. I’m going to bookmark your site and keep checking for new information about once per week. I subscribed to your Feed too.
What a great Write up.
I have hit a major issue with deploying Jabber for Windows/Mac Mobile and Remote Access Services (MRA) using VCS. The issue has been raised with TAC as it is a show stopper for deploying VPNless Jabber Communications in a Non-Split Domain DNS environment and I believe this is a design flaw with the Jabber Client.
See below for details.
The customer has the following:
• 5x CUCM, 1 Pub, 2x CTI Sub and 2x TFTP
• 2x IM and P (CUP)
• 2x VCS-C Clustered
• 2x VCS-E Clustered
• Single DNS Zone for Domain for both internal and external (Public) DNS lookups (Non-Split Domain DNS)
Both internal and external DNS resolution for @cisco.com.au (SIP URI and SMTP) is provided by the customer’s DNS servers, which are hosted at their data centres. They have a single DNS view whereby both internal and external lookups hit the same DNS servers. The single view means that if I look up webserver.cisco.com.au from either an internal computer or a public computer it will resolve to the same IP address (public or private, depending). The CUCM and CUP servers are internal 10.x.x.x servers, which have _cuplogin and _cisco-uds SRVs pointing to the CTI Subs’ and CUPs’ FQDNs, which in turn resolve to internal private IPs. If I look up either of these records from an external client I will get the internal 10.x.x.x IP addresses. This is known as non-split-horizon or non-split-view DNS, whereby both internal and external DNS lookups for a domain share the same DNS table.
Our issue is that we are looking up _cuplogin and _cisco-uds from an external client and getting a return result of an internal IP Address which the client fails to connect to from external. If we remove the records, it forces the jabber client to resolve the _collab SRV but the VCS-C requires the _CUP and _Cisco-uds SRV’s internally. One cannot work without the other.
This is very common for large orgs, and as a result vendors must have a workaround to compensate for this. Jabber Video (Movi) has a manual configuration entry for both internal and external hostnames so people could customise. Microsoft uses SRV records but uses a top-down method of internal SRV records first, then external SRV records, i.e. _sipinternal.cisco.com.au and _sip.cisco.com.au. The client would try to establish a connection to the _sipinternal IP address and, if not successful, it would try the external _sip IP address. However, this is not the case for the Jabber client, which it really should be.
Any thoughts on alternative methods around companies with Non-Split Domain DNS?
Very interesting. Is there any way to block the DNS requests for _cuplogin and _cisco-uds from coming in your network or prevent the response to go outside your network? Something maybe on the firewall you could do. I would be very interested to know how you get this working.
The only way to achieve this is to block the requests for cuplogin and uds to the internal servers when you are outside. This way Jabber will fall back to collab-edge.
We have a very similar environment to yours, Matt, and did precisely what Anson and Alok suggested. Dropped the dns requests for cisco-uds and cuplogin at the border and it works from off-site with the jabber client falling back to the edge expwy. I agree it’s a major design flaw with the Jabber client, but the firewall policy got us up and running *without* needing to implement split DNS (a contentious issue!).
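The discovery order and the non-split-DNS failure mode discussed in this thread, as an added Python model (not code from the post or from Cisco). It walks the _cisco-uds, _cuplogin, _collab-edge SRV sequence over a constructed single-view zone, shows why an outside client stalls on a private address instead of falling back, and shows how filtering the two on-prem SRV queries at the border lets it reach the Expressway-E; the zone contents, addresses and filter set are assumptions.

```python
"""
Model of Cisco Jabber's service-discovery order as described in the thread above.
Added illustration, not Cisco code: the zone, the addresses and the border filter
are constructed assumptions.

Jabber resolves, in order:
  1. _cisco-uds._tcp.<domain>    -> CUCM UDS (on-prem)
  2. _cuplogin._tcp.<domain>     -> IM&P (on-prem)
  3. _collab-edge._tls.<domain>  -> Expressway-E (MRA)
and only moves on to 3 when 1 and 2 return no records.
"""
import ipaddress
from dataclasses import dataclass

# Private ranges an outside client cannot reach (the commenter's servers are 10.x.x.x).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Srv:
    target: str
    port: int


# Constructed single-view zone (non-split DNS): internal and external clients get the
# same answers, so the on-prem SRV records hand private addresses to the outside.
SINGLE_VIEW_ZONE = {
    "_cisco-uds._tcp.example.com.au": [Srv("cucm-sub1.example.com.au", 8443)],
    "_cuplogin._tcp.example.com.au": [Srv("cup1.example.com.au", 8443)],
    "_collab-edge._tls.example.com.au": [Srv("expe.example.com.au", 8443)],
    "cucm-sub1.example.com.au": "10.1.1.10",
    "cup1.example.com.au": "10.1.1.20",
    "expe.example.com.au": "203.0.113.10",  # constructed public address of Expressway-E
}

# Workaround from the thread: drop the two on-prem SRV queries at the border so that
# only _collab-edge is answered for outside clients.
BORDER_FILTER = frozenset({
    "_cisco-uds._tcp.example.com.au",
    "_cuplogin._tcp.example.com.au",
})


def resolve(zone, name, filtered=frozenset()):
    """Look up name; None when the record does not exist or the query is filtered."""
    if name in filtered:
        return None
    return zone.get(name)


def reachable(addr, client_on_lan):
    """Internal clients reach everything; external ones cannot reach RFC 1918 space."""
    if client_on_lan:
        return True
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)


def discover(domain, zone, client_on_lan, filtered=frozenset()):
    """Walk the SRV order above and report which service the client would connect to."""
    on_prem = (("_cisco-uds._tcp", "cucm-uds"), ("_cuplogin._tcp", "imp"))
    for prefix, label in on_prem:
        records = resolve(zone, f"{prefix}.{domain}", filtered)
        if not records:
            continue  # no on-prem record of this kind: try the next one
        target = records[0].target
        addr = resolve(zone, target)
        if addr and reachable(addr, client_on_lan):
            return {"service": label, "target": target, "addr": addr, "port": records[0].port}
        # The record exists, so the client commits to the on-prem path and does not
        # fall back to the edge: the non-split-DNS failure described in the thread.
        return {"service": None, "error": f"{prefix}.{domain} -> {target} ({addr}) unreachable"}
    records = resolve(zone, f"_collab-edge._tls.{domain}", filtered)
    if records:
        target = records[0].target
        addr = resolve(zone, target)
        if addr and reachable(addr, client_on_lan):
            return {"service": "mra", "target": target, "addr": addr, "port": records[0].port}
    return {"service": None, "error": f"no discovery records for {domain}"}


if __name__ == "__main__":
    d = "example.com.au"
    print("inside               :", discover(d, SINGLE_VIEW_ZONE, client_on_lan=True))
    print("outside              :", discover(d, SINGLE_VIEW_ZONE, client_on_lan=False))
    print("outside, border filter:",
          discover(d, SINGLE_VIEW_ZONE, client_on_lan=False, filtered=BORDER_FILTER))
```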
Having an issue getting my Jabber CSF phone registered to CUCM (XMPP chat and all other features work great). The error I’m getting is “registration rejected: unknown domain”. I know the documentation called for a secure phone profile to be created and applied to the phone, and for the name of the phone profile to be in the subject alternative name of the Expressway-C server. I did that. Question – do I need to have my CUCM cluster in mixed mode for it to be able to use the secure phone profile? Do my Call Manager servers need to be added by DNS name instead of IP address under “Servers” in CUCM? Anything else I could be forgetting?
I didn’t deploy with security on the CUCM side. Generate an error report in Jabber and look at the error logs to make sure CUCM has a valid SIP domain and is handing off the correct server name to connect to. I’ve seen problems where the CUCM or CUP server doesn’t have a valid domain name and just hands its hostname (without domain) back to Jabber. Jabber doesn’t have a way to connect back to the servers.
Do I need to have everything in CUCM as FQDN vs. IP address? (System > Server and UC Services.) I’ve come a long way in debugging SIP, but I’m still not great at it...
Hi Mike and everyone,
I have installed and configured Expressway C and E, and at the moment I am unable to get my Jabber signed in from outside.
I would appreciate it if you could be of any assistance with this. I have also posted my scenario here for reference:
https://supportforums.cisco.com/discussion/12200046/mobile-remote-access-expressway-inactive-jabber#comment-9837341
I have CUCM 10 and CM IM&P 10 with Expressway X8.1.1.
– Done with DNS SRV and A records for internal and external DNS, and verified by nslookup.
– We have deployed the Expressway E as router-on-a-stick in the DMZ, NATed with a public IP.
– Configured Expressway C and E with TLS on, certificates uploaded, and with an Active status in the Unified Communications and Traversal zones.
I am using Cisco Jabber 9.7 for Windows, but when I try to sign in from outside I get an error: “cannot communicate with the server”.
Here I am kind of lost as to where and which part needs to be checked, or where to dig further.
Let me know if you guys need any more detail.
Check the Expressway-E logs in Maintenance -> Diagnostic Logs.
If you don’t find any significant information in the logs from the VCSe, then it is probable that your communication is not really reaching the VCSe. Check your firewall and DNS records.
Did you check the logs generated by the Jabber feedback (generate a report)?
I have a similar problem and have an SR open with TAC to investigate. My problem is that after Jabber downloads the config file and identifies all services, it tries to reach the CUCM directly and not through the Expressway, and of course it cannot because Jabber is outside.
The Jabber logs can help you to identify at which point it fails.
Hi Sam and Martin,
Thank you for putting your time in.
@Sam: Did you get any feedback on your case?
In the Jabber logs I can see it tries to resolve the cisco-uds and cuplogin SRV records but fails, and then skips to the _collab-edge._tls record, which is fair enough as this should be the case when Jabber attempts to sign in from outside the corporate network. But I keep getting “cannot communicate with the server”.
@Martin: Even though I have enabled level 2 and level 4 logging on the Expressway E side, nothing comes in, as it seems no traffic is able to reach it yet.
A few things we would like to mention:
For internal and external DNS, A and SRV records have been created:
Internal DNS
A record for Exp C and E
SRV record for _cisco-uds and _cuplogin
External DNS
A record for Exp E
SRV record for _collab-edge._tls
Before attempting to sign in from outside, we checked through nslookup that the SRV records are resolvable.
Just to emphasise here that we are running CUCM v10 (cluster of 5 nodes) and IM&P v10 (cluster of 4 nodes).
So, could you just confirm for me: which CUCM server should _cisco-uds point to (Publisher or Subscriber?),
and which server should _cuplogin point to?
FYI: this may not be your specific problem, but it is worth investigating. Your statement “router on a stick in the DMZ” leads me to believe you are configuring E with only one interface. I had my E configured with only one interface at first but could not get it working. I needed to configure the ASA with some sort of route reflector, which seemed fairly complex. I then added the second interface on my E and configured it accordingly, and it was a much easier configuration to get working.
I have a couple customers working on E with a single interface and NAT across the ASA. You just need to point C to the external (public) NAT IP of the E server to make it work.
How Can I point C to the external (public) NAT IP of the E server?
The Zone used for collab edge should point to the public IP of the expressway.
Hi Muhamhus
Well, everything is pointing to a connection problem. Maybe your NAT is not properly configured. Are you sure you can reach the VCSe from outside your network? Are you redirecting all the ports needed to the VCSe?
Just pointing to the publisher servers should be enough for now.
Hi Martin,
Thanks for your response.
Actually, we can see in the Jabber logs that it is trying with _cisco-uds and _cuplogin to resolve the DNS entries but failing, and then it is looking for _collab-edge._tls, which it should do as it is from outside.
Also, I have checked through ‘nslookup’ on that remote PC, and it can resolve the IP address of Expressway E perfectly.
The irony here is that we cannot see any kind of traffic coming towards the VCSe, even on the firewall. It seems strange; we are unable to form any kind of connection through.
Any ideas what & where to look for?
Another thing that I noticed while running Wireshark on my laptop on my internet-enabled interface: there were no DNS queries being made for the SRV and host records of the Expressway.
Any clues ?
Any difference for VCS 8.2?
Hi Greg, I’m really curious about this, too. Basically we are at 8.1.1 right now, but it would be great to know whether to follow this page and the guidelines (sticking with 8.1.1 on the VCSs) or whether we should go ahead and upgrade to 8.2 first, then go through the process. I don’t want to get this set up with 8.1.1 and then upgrade to 8.2 and have to make firewall, DNS and cert changes (as examples). If anyone has feedback it would be much appreciated!
It’s different.
Zones are different.
I’m still trying to make it work and struggling.
I used this link:
Click to access Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-1-1.pdf
Hi All,
We have 2 expressway-E and 2 Expressway-C in our cluster and we are doing a fail-over testing.
During failover testing we have observed that whenever any one of the Expressway-E servers is down, Jabber from the internet is not able to log in. When both servers are up we are able to log in from the internet.
When we took the Master down, we observed the below in the event log of the slave Exp-E:
2014-08-05T20:47:06+05:30 traffic_server[7649]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="115.245.81.253" Dst-port="36767" UTCTime="2014-08-05 15:17:06,493"
2014-08-05T20:35:26+05:30 traffic_server[7649]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="115.245.81.253" Dst-port="39446" UTCTime="2014-08-05 15:05:26,106"
2014-08-05T20:35:09+05:30 traffic_server[7649]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="164.100.222.42" Dst-port="55961" UTCTime="2014-08-05 15:05:09,609"
2014-08-05T20:35:09+05:30 traffic_server[7649]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="164.100.222.42" Dst-port="55960" UTCTime="2014-08-05 15:05:09,502"
When we take the Slave down we get the below errors on the master Exp-E server when I am trying to log in:
2014-08-06T19:51:56+05:30 traffic_server[16142]: Event=”Sending HTTP error response” Status=”503″ Reason=”VCS expressway informationnot available” Dst-ip=”115.245.68.152″ Dst-port=”34593″ UTCTime=”2014-08-06 14:21:56,146″
2014-08-06T19:51:54+05:30 traffic_server[16142]: Event=”Sending HTTP error response” Status=”503″ Reason=”VCS expressway informationnot available” Dst-ip=”115.245.68.152″ Dst-port=”2676″ UTCTime=”2014-08-06 14:21:54,507″
2014-08-06T19:46:51+05:30 traffic_server[16142]: Event=”Sending HTTP error response” Status=”502″ Reason=”Next Hop Connection Failed” Dst-ip=”101.58.19.58″ Dst-port=”17559″ UTCTime=”2014-08-06 14:16:51,359″
2014-08-06T19:46:50+05:30 traffic_server[16142]: Event=”Sending HTTP error response” Status=”502″ Reason=”Next Hop Connection Failed” Dst-ip=”101.58.19.58″ Dst-port=”37356″ UTCTime=”2014-08-06 14:16:50,205″
2014-08-06T19:44:44+05:30 traffic_server[16142]: Event=”Sending HTTP error response” Status=”502″ Reason=”Next Hop Connection Failed” Dst-ip=”101.58.19.58″ Dst-port=”30566″ UTCTime=”2014-08-06 14:14:44,948″
2014-08-06T19:44:43+05:30 traffic_server[16142]: Event=”Sending HTTP error response” Status=”502″ Reason=”Next Hop Connection Failed” Dst-ip=”101.58.19.58″ Dst-port=”25095″ UTCTime=”2014-08-06 14:14:43,269″
2014-08-06T18:50:34+05:30 traffic_server[7642]: Event=”Sending HTTP error response” Status=”503″ Reason=”VCS expressway informationnot available” Dst-ip=”115.244.204.238″ Dst-port=”27898″ UTCTime=”2014-08-06 13:20:34,602″
2014-08-06T18:50:33+05:30 traffic_server[7642]: Event=”Sending HTTP error response” Status=”503″ Reason=”VCS expressway informationnot available” Dst-ip=”115.244.204.238″ Dst-port=”31975″ UTCTime=”2014-08-06 13:20:33,190″
2014-08-06T18:46:46+05:30 traffic_server[7642]: Event=”Sending HTTP error response” Status=”503″ Reason=”VCS expressway informationnot available” Dst-ip=”115.244.204.238″ Dst-port=”39551″ UTCTime=”2014-08-06 13:16:46,910″
Expressway version : 8.1.1
CUCM v: 10.5
Jabber windows:9.7
Hmm is anyone else experiencing problems with the pictures on this blog loading?
I’m trying to determine if it’s a problem on my end or if it’s the blog.
Any responses would be greatly appreciated.
Yes, they are gone / not displayed for me, too.
Hi Mike,
Thanks for your detailed blog about Collaboration Edge (CE). For the last couple of days I have been busy configuring CE. Internally, I can log in, but externally I get the error “no communication with server”. When I deliberately enter a wrong password, I get an error message about a wrong username and password. Service Discovery is also working, because I’m getting the correct IM server information.
I don’t know what the issue can be. I was thinking it might be a certificate issue. I have certificates signed by an external CA (CUCM and IM = Tomcat) and uploaded on both VCS nodes. I’ve uploaded the Root CA certificate on the CUCM and IM nodes. Is that correct, or do I have to upload additional certificates on the CUCM and IM nodes?
I really appreciate your help.
Thanks.
Regards,
Tweeling
Hi Mike and Tweeling:
Thanks for your detailed blog.
I also have this question:
I can log in, but externally I get the error “no communication with server”. When I deliberately enter a wrong password, I get an error message about a wrong username and password. Service Discovery is also working, because I’m getting the correct IM server information.
Task 1: Expressway Core has one connection that is not active:
XCP Server connection: 192.168.99.13(edge) :Inactive Jabber is not running on remote host, if jabber is running then check password for r2r connection on connect
Task 2: on the CUP server, two services are not running OK:
Cisco XCP Message Archiver and Cisco XCP Directory Service: status Not Running, activation status Activated
Task 3: about IP or FQDN
On my CUCM System > Server, I use IP, not FQDN.
On my CUPS Application > Legacy Client Settings, I use IP, not FQDN.
Is this the problem? Must I change the server list from IP to FQDN?
What do I need to pay attention to?
Task 4: in my network
I directly connect Core and Expressway using LAN1.
The inside Jabber PC and the outside Jabber PC use different DNS.
Inside and outside DNS/SRV are OK.
In my test, the inside Jabber PC can log in OK,
but the outside Jabber PC cannot log in.
If the test is OK, we will put the outside DNS server on the internet and NAT the Expressway-Edge (which port?)
or use LAN2 to connect to the internet (do we need to add some routes for LAN1 and LAN2?).
Is this OK?
Thank you for your help.
Hi Mike!
I have a question: can I use Jabber for phone-only capabilities with Expressway, I mean with no CUP installed?
Best regards!
Yes. With the latest Jabber clients that support Phone Only mode, and CUCM 9.1+ you’ll be able to proxy Jabber without needing CUP.
Hi Mike,
I have an issue with MRA regarding audio. If you don’t mind, can I have your email address?
You should call TAC. I wish I had time to help 1:1, but I’m underwater with my day job.
Hi Friends,
I have deployed VPN-less Jabber. I can log in successfully, but my calling feature is not working.
Very good info. Lucky me, I discovered your site by accident (StumbleUpon).
I’ve bookmarked it for later!
I am presently trying to install a VCS-C + E v8.2.1 in a network that has CUCM 10.5 & Unity Connection 10.5 without the installation of a CUP or IM&P server, but the documentation is enormous and all over the place. I have six different large PDF documents with hundreds of pages each. Is there no easy step-by-step for this?
Hey, anything further on when the DX650 might be supported?
Should be out in 10.2(4) in the Spring.
MRA deployed successfully. I can log in from both inside and outside, but phone service is not working; IM is working perfectly.
Make sure your Expressway-C can resolve your cisco-uds SRV internally. I ran into this one too.
From inside, are your phone services working?
I had this problem, but in my case it was the firewall from the Internet to the DMZ. You have to make sure that all ports are correctly configured.
Hi Martin,
Do you have a SIP Trunk between the VCS-C and the CUCM? If so, please change the Port on the SIP Profile for that Trunk from 5060 to something else. Maybe 5065.
Internally I can resolve the SRV record, and inside phone service is working. All ports are opened from the internet to the DMZ. For your info, TLS verification is off for CUCM and IM&Presence. When adding CUCM by name, the record is not created in VCS, but if I do it by IP the record is created.
And we have different domains internally and externally, so I configured both domains in VCS under the Domains tab.
Maybe you could open a discussion in Cisco Forum, we can help you better from there.
If you have a SIP Trunk between the VCS-C/Expressway-C and the CUCM, please change the port for that Trunk in the SIP Profile from 5060 to something else, maybe 5065. Save and try again.
For MRA a SIP trunk is not required, so it’s not configured.
Search rules are not configured in VCS. Does that affect the registration of the softphone?
You do not need a SIP Trunk or search rules with MRA. I mentioned just in case you had one for call routing between endpoints registered to the VCS and endpoints registered to CUCM.
I have some doubt regarding certificate creation in VCS Control and CUCM. I created certificates using Microsoft CA,
created certificates for Tomcat and CallManager, and also uploaded the VCS Control and Root certificates to Trust.
VCS Control
Subject: C=BH, ST=MANAMA, L=MANAMA, O=ALMAHROOS, OU=IT, CN=exp.srngroups.com
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:exp.srngroups.com, DNS:conference-2-StandAloneCluster873ff.mahroos.com, DNS:conference-3-StandAloneCluster873ff
and in VCS Trust I added the certificates of CallManager and Tomcat, but while adding CUCM it shows TLS validation failed. When I add CUCM without TLS verification, it shows lookup successful but no entry is shown. Adding by IP works.
We have this same issue. We have had a TAC case open for over two weeks with no resolution so far.
Please update if your issue gets solved.
My issue got resolved; now the issue is INBOUND TLS NEGOTIATION FAILURE FOR SIP PHONE (hope it will be resolved by adding a secure device profile).
We had the same issue where the phone services wouldn’t connect but everything else was fine. TAC pointed us to our firewall rules for TLS. It turned out that in our Checkpoint firewalls there was a policy manipulating SIP TLS traffic, and it just had to be set to not change the traffic/port.
Some mistake in the above comment:
I have some doubt regarding certificate creation in VCS Control and CUCM. I created certificates using Microsoft CA,
created certificates for Tomcat and CallManager, and also uploaded the VCS Control and Root certificates to Trust.
Call Manager and VCS domain : mahroos.com
VCS Control
Subject: C=BH, ST=MANAMA, L=MANAMA, O=ALMAHROOS, OU=IT, CN=exp.mahroos.com
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:exp.mahroos.com, DNS:conference-2-StandAloneCluster873ff.mahroos.com, DNS:conference-3-StandAloneCluster873ff
and in VCS Trust I added the certificates of CallManager and Tomcat, but while adding CUCM it shows TLS validation failed. When I add CUCM without TLS verification, it shows lookup successful but no entry is shown. Adding by IP works.
Diljith,
Make sure you replace the CUCM self-signed cert with the signed cert from the CA. I was getting the exact same error until I replaced it.
1. Make sure you upload the CA root cert first.
2. Upload your Tomcat and CUCM trust certs.
3. Replace the self-signed certs with the same certs you used for the trust cert upload.
Nick,
Now the error is Inbound TLS Negotiation failed in VCS-E.
I’m not an expert in the error messages, but I can pass on what I did to make mine work. Make sure you are using FQDNs as zone peer addresses instead of IP addresses, and that the peer name is a CN or SAN in your cert.
On the VCS, do you have client and server EKU certs installed from the same root CA that provided certs to CUCM? Also use the same certificate template in your certificate authority to produce all certs.
I actually followed the VCS Certificate Creation and Use Deployment Guide and used the Microsoft CA as the cert provider.
Once all the certs were issued and installed (both Root CA and signed certs [yes, Tomcat and CUCM trust had different certs]), I replaced the self-signed certs for CUCM. I followed the Cisco TelePresence Cisco Unified Communications Manager with Cisco VCS (SIP Trunk) guide. In the CUCM SIP security profile, the X.509 field has to have all the same CN and SAN information as the cert.
Once I did this it all worked. If you are still having issues I can provide some screenshots, but the biggest thing is to make sure you have your certs issued properly with the correct CN, SAN and EKU.
Diljith,
I have a question for you. You said you were able to create an SSL cert for the Expressway with both internal and external domains in the cert. Which certificate provider did you use to do this? I’m using GoDaddy and get errors when trying to create a cert with a CN of the external domain and a SAN of an internal domain (for CallManager registrations).
In my case I used Microsoft CA. When I contacted Cisco TAC, they told me it’s a feature preview and TAC support will come after 3 months, so I thought it better to go with Microsoft CA.
Nick L
Thanks for explaining the concept. I suspect the issue is with the SIP Security profile. I am running CUCM 9.1(2); can you brief me on how I can change CallManager to mixed security mode?
Forgive me for being naive with Cisco stuff here, but could an ASA do the job of the Expressway? Say, set up an A record with an external DNS provider that matches your internal DNS record and then just set up the ASA to NAT the external IP to the internal CUCM server. Obviously the big concern here would be security, but could this be addressed by only passing certain port connections through? Maybe add SIP Digest Authentication also?
So it would work like this: someone inside the network would connect to sonso.sonso.com internally, and when they are external it would look that DNS record up, point to the ASA and be routed to the CUCM server.
I will try to work left to right on my configuration
Left:
CUCM Pub and 2 Subs 9.1
domain name configured
internal FQDN certificate
*problem: no DNS client, with IP-defined CUCM cluster members
CUPS 9.1 with DNS client and internal FQDN certificate
VCS C is connected to CUCM and CUPS with TLS
middle:
VCS C LAN1 on subnet A internal certificate
VCS C is connected to VCS E via LAN1 interfaces with TLS
VCS E LAN1 on subnet A with certificate subject alternative name
right:
VCS E LAN2 set to external with default gateway on subnet B
LAN2 static NAT configured
firewall inside on subnet B
firewall outside with static NAT no NAT reflection
The internal and external DNS zones share the same domain name but are isolated from each other. The internal and external SRV records are in place.
Inbound calls work from iPhone and PC client.
Chat and Visual Voicemail work.
Outbound calls do not work with incomplete signaling as symptom.
It is obvious that inbound calls present less of an addressing problem than outbound calls do.
I see reference to NAT reflection in the configuration guides.
I know that no DNS client on the phone system is an old practice that I cannot correct with this version.
Is there an obvious flaw with this setup that prevents outbound calls?
If so, is there a correct left to right SIP address sequence that I should see in debugs?
Is NAT reflection required?
What part in the addressing does the NAT reflection portion play in ensuring correct addresses to complete calls?
I reverted my Expressway-E to a single interface and established a static NAT between subnet A and subnet B for the Expressway global internet address. The result is that the Controller establishes the traversal zone with the Expressway global internet address. I can dial inbound and outbound to my shared line now with the Expressway. The Cisco documents need to dictate valid network topologies vs. presenting 3 or four scenarios when all scenarios do not work. The SIP signaling is secure and cannot be altered by the devices in the path.
My expressway FQDN resolves to the global internet address in both internal and external DNS.
Your deployment must be built so that the VCS Controller establishes the Traversal Zone with the VCS Expressway global internet address.
George Paxson
Hi Mike,
I’m building an Expressway-C/E cluster. My concern is related to the DNS hostname and SRV record on the external ISP DNS. So, for example, I have expe01.company.com (10.1.1.1), expe02.company.com (10.1.1.2) and cluster-expe.company.com (10.1.1.1 & 10.1.1.2) added to the external DNS; the NAT of the public IP address (82.5.5.5) should be mapped to which FQDN of the three?
Also the DNS SRV Record on External DNS should be added to the three FQDNs above or the cluster FQDN only?
My understanding is that both Expressway-E’s need public IP’s assigned to them, and the FQDN mapped to those public IPs.
Some info here – https://supportforums.cisco.com/discussion/12070126/vcs-expressway-cluster-use-1-public-ip-loadbalancer
hi Mike,
Thanks for your post, it was very useful for me, especially the part about certificates.
Hi Mike,
Thanks, I can make the call from Jabber externally but there is no audio.
Hi,
I have a doubt about the certificate part.
If we are going for a public certificate, i.e. from GoDaddy, do we need to purchase a UCC certificate, and do we need to buy one for both VCS-E and VCS-C?
That’s how I deployed it. VCSe and VCSc both have public certs with SANs on them. This page has some details – http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
Hi Mike,
Thanks for this information. I’ve been doing some reading, several documents, and some searching and can’t seem to find an answer to my question.
I’d like to consider a Jabber for Everyone deployment, which means a potentially large number of users, north of 20 K. This made me ponder whether or not I should be using private or public IP addressing for my imp servers. I understand that MRA resolves this issue for Jabber in a UC deployment, but what about IM only? Will MRA resolve this as well? My concerns include:
– Does Expressway support third-party XMPP clients?
– Does Expressway support Jabber for Everyone? (IM only)
– Does Expressway scale to the possibly 25,000 IM-only users I might have?
– Expressway does not support all the on-premise features, like file transfer.
– There are no real details on how to deploy the presence server on a public IP but still use Expressway for UC.
What are your thoughts?
Hi Mike
Thanks for this information.
I do not understand what you mean by the intermediate CA.
I create certificates with OpenSSL based on the following document:
Click to access Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5.pdf
openssl genrsa -aes256 -out ccakey.pem 2048
openssl req -new -x509 -days 3650 -key ccakey.pem -config openssl_local.cfg -sha1 -extensions v3_ca -out ccacert.pem
openssl ca -config openssl_local.cfg -cert ccacert.pem -keyfile ccakey.pem -in expreswayC.csr -out certificate.example.com -md sha1
To deploy MRA (Mobile and Remote Access), how many certificates are needed altogether?
Expressway-C:
1. Generate CSR
2. Download CSR
3. Send CSR to CA (openssl)
4. Upload signed certificate (.pem) (Maintenance – Security Certificates – Server certificate)
5. Upload CA certificate (Maintenance – Security Certificates – Trusted CA Certificates)
6. Restart
Expressway-E:
1. Generate CSR
2. Download CSR
3. Send CSR to CA (openssl)
4. Upload signed certificate (.pem) (Maintenance – Security Certificates – Server certificate)
5. Upload CA certificate (Maintenance – Security Certificates – Trusted CA Certificates)
6. Restart
I downloaded the Tomcat certificates from CUCM and CUPS and then uploaded them to the Expressways (C and E).
It sends me this error when creating the zone between the Expressway C and E:
SIP: Failed to connect to X.X.X.X:7001 : TLS negotiation failure (X.X.X.X = IP address)
Check the certificates for the traversal connection:
Secure traversal test
FQDN of Expressway-E: expreswayE.example.com
TLS verify name of this Expressway-C (as it appears on the Expressway-E): expreswayc.example.com
Results:
Description The Expressway-E cannot verify the CA ‘expresswayC.example.com’, which signed the Expressway-C’s certificate
Action Check that this CA is in the Expressway-E’s trusted CA list.
Am I missing more certificates??
Regards.
Love it!
hi Mike,
How much does it cost to buy CA certificates for VCS-E and VCS-C for Jabber MRA from GoDaddy?
And which option to choose there? Do you have the link?
Thanks,
J
hi Mike,
How much is the GoDaddy certificate for Jabber MRA (VCS-E, VCS-C)? Do I need one for UCM and Unity?
Do you have the link? What option do I choose or buy when ordering a certificate from GoDaddy?
Thanks,
J
You need two UCC certs. I don’t know the price from GoDaddy. I’m not a fan of their certs. I use DigiCert UCC. Way more flexible.
You don’t have to have CUCM CUP or CUC.
thanks Mike,
If I order a UCC cert from DigiCert, what should I tell them I want to buy? Do you have the link or the option I need to tell them for the certs, and how much?
Thanks,
J
Hey Mike, do you have an example of what a good Jabber diagnostic output looks like when connected via the public network? I have a free lab available to the public and am very close to having MRA working; I just get a “cannot communicate with the server” after entering valid user credentials. The debug output doesn’t show any error, nor anything in the Jabber diagnostics other than “Internal Visibility = Not Visible”; not sure if that is normal or not when using the edge. http://webmasterx.com/jabber-5-26-2017.html . If you have any suggestions, please let me know. The public lab is available here as well if you want to take a look yourself. Otherwise let me know what you need. If not, that’s OK too. Thanks for your time!
Hello,
Take a look at this document from Cisco:
Click to access jabber-mra-call_flow-detailed.pdf
It is the detailed call flow and will answer many of your questions.
😉
Bogdan
That superb document comes from the hands of Deji – seen here:
https://supportforums.cisco.com/t5/collaboration-voice-and-video/thoughts-from-ayodeji-deji-okanlawon-cisco-designated-vip/ta-p/3151296
Besides being a technical expert, he is, more importantly, one of the nicest guys you will ever meet.
You can put 100% faith and confidence in the accuracy of that document.
I helped him on VCS / VCSE some years ago when he was starting to investigate video technologies. I then went on to other technologies and have come back around to a new role where I have to implement an Expressway C/E solution.
I’ll be using this superb document from Mike as my blueprint!
Thanks,
Amir
Where is the TCP and UDP connection from the External SIP phone terminated (DMZ Expressway-E or CCM)?