Recently I worked on an MRA deployment using SX-10, MX-300 and DX-series (650/70/80) endpoints.
I had Expressway-C and E working successfully for 8800 series MRA, but needed to get the TC-based and DX-based endpoints to register. This turned out to to involve some issues that I wasn’t expecting.
TC-based endpoint registration
There isn’t a lot of documentation for TC endpoint registration through MRA (since traditionally it’s been registered to VCS through VCS-E). The best documentation that I could find was here: http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/118696-config-cucm-00.html
I began the deployment by registering the MX-300 I use directly to CUCM to make sure I had it successfully working before attempting registration through MRA. I’d previously had it registered to a VCS-C.
MRA requires TC 7.3 code, so I decided to deploy 7.3.4 since it is the latest bugfix version. I downloaded and deployed the COP file to CUCM since CUCM will be in control of what version of software the TC endpoint will use once it’s registered to CUCM (like typical phones get firmware).
Note that TC 7.3.3 or greater firmware have different functionality for remote screen monitoring of systems! TC 7.3.3 introduces the requirement to have an option key for remote system/screen monitoring of the TC endpoint. You’ll need to work with TAC/Cisco to get option keys cut if you are doing remote screen monitoring before going to 7.3.3+.
Registration to CUCM was straightforward. I defined the device on CUCM as you would normally define a phone, picking the appropriate SIP profiles. I didn’t do secure registration as this is optional. (The documentation above does mention that secure registration is optional, but the example works through a secure registration.)
I made sure to set the device association my end user in CUCM. This is important for MRA later.
Once the MX-300 was registered and making calls successfully through CUCM, I moved it out to a general internet connection to work on MRA.
On the touchpanel I launched the Provisioning wizard and selected Cisco UCM via Expressway. After putting in my credentials I was greeted with this error:
After doing quite a bit of research and looking at the detailed error logs from the MX-300, it turns out that your Expressway-E certificate must also include a SAN for the domain name itself (e.g. yourdomain.com). The error actually indicates that it wants a collab-edge.yourdomain.com SAN:
Edge TLS verification failed: Edge domain ‘yourdomain.com’ and corresponding SRVName ‘collab-edge._tls.yourdomain.com’ not found in certificate SAN list.
The challenge I had is that the certificate I’d bought from GoDaddy for Expressway-E (that was working with 8800 MRA) wasn’t a UCC or multi-SAN certificate and you need to have at least the Expressway-E as the CN and the domain as a SAN.
At this point I decided that it was time to move from GoDaddy to DigiCert since they have unlimited resigning of certificates without having to revoke any of them. This essentially allows you to create as many certificates as you want without having to keep buying more like GoDaddy. I bought the Wildcard Plus certificate and used it to create a multi-SAN certificate for my Expressway-E. The CN is always *.yourdomain.com, but you can add a bunch of SANs (like 20 or so.)
I generated the certificate with the following SANs – edge.yourdomain.com, yourdomain.com, collab-edge._tls.yourdomain.com and _collab-edge._tls.yourdomain.com. One of the partner engineers that I talked to said that he got it working without having to add either collab-edge SAN. (I’ve not looked into why/when we’ll need the collab-edge SAN and if it is actually be collab-edge as the error indicates, or if it needs the preceding underscore on collab-edge like the SRV records have.)
After applying the certificate to Expressway-E and rebooting it I tried the provisioning wizard on the touchpanel again and was greeted with the SAME ERROR.
It turns out that I hadn’t included the DigiCert root and the DigiCert Intermediate cert in the list of Trusted CAs on the endpoint itself. The documentation indicates how to install it here – http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/118696-config-cucm-00.html#anc10 Make sure you have both root and intermediate (if the CA you used signs with an intermediate) on the TC endpoint.
After this the MX-300 registered like a champ and is able to do calls. I followed this same process to get an SX-10 registered as well.
The partner engineer I talked to said he had to work through a couple issues on his test: 1) Endpoint rejecting the user credentials when running through the provisioning wizard. Make sure the endpoint is associated with the End User and that the end user has CTI Enabled and CCM End user. 2) Getting an http download error after getting through the initial expressway authentication and that it was caused by the endpoint needing to do a _cisco-uds.yourdomain.com lookup internally to find out where CUCM is to download it’s configuration. He was in a split domain situation and didn’t have a _cisco-uds record for the external domain on the inside.
I’ll detail the adventure for the DX-series on another post.