Expressway VPN-less Jabber solution - Certificate & CRL issue & Local encryption problem

Apr 16th, 2014

Hi All UC Experts,

I just deployed the Expressway VPN-less Jabber solution in my Cisco UC environment. I am thinking about managing Certificate Revocation Lists (CRLs). Actually, I do not have much experience with CRL deployment.
The Cisco guide just introduces the CRL:
Now, I am using an OpenSSL CA, which is a self-signed CA for internal use only.

1. Can I prevent the certificate error when users access the Expressway-Edge using the internal OpenSSL CA? Will the certificate error not be prompted if CN="Expressway-Edge Public FQDN"?

2. How can I best do CRLs? Actually, all users would use their Exchange addresses as the login. Should I use the Windows Certificate Server to make the CRL? Is the CRL controlled per device? That means one user will use one or more mobile devices; can the admin then revoke the login per device?

3. I discovered the Jabber client would lock the local cache on the mobile device / Windows PC. Can I make the local cache encrypted?

George Thomas Thu, 04/17/2014 - 09:12

Hi Edwin,

1. You can optionally sign the cert using an internal Microsoft CA or a 3rd-party CA. Page 5 of the guide tells you that. Keep in mind, it's not just the Expressways that need to be signed. You have to sign the CUCM Tomcat, Unity Tomcat, IM/P Tomcat and XMPP certs so that you don't get any certificate errors.

2. If you have to do CRLs, it would be best to do it with an MS PKI infrastructure. CRLs are best done on devices, and you will need a mechanism to push certs down to the individual devices. For mobiles, this can be done with mobile device management software; for Windows PCs you could use Group Policies.

3. Not possible.

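The OpenSSL side of questions 1 and 2 in the thread above, as an added example that is not part of the original post, the reply, or any Cisco documentation: a throwaway CA issues a server certificate for an Expressway-E name, revokes it, publishes a CRL, and a CRL-checking verifier then rejects the certificate. Everything here is an illustrative assumption: the FQDN expe.example.com, the CRL distribution URL pki.example.com, the key sizes, validity periods and the scratch directory. The certificate carries the FQDN in subjectAltName rather than only in the CN, because clients that find a SAN match the hostname against it and ignore the CN. The example shows how a CRL is produced and consumed with the openssl command line only; whether a particular client fetches and honours the CRL is a property of that client and is not something this thread establishes.

```shell
#!/bin/sh
# Added example, not from the original thread: a throwaway OpenSSL CA that issues a
# server certificate for a hypothetical Expressway-E FQDN, revokes it, publishes a
# CRL, and shows a CRL-checking verifier rejecting the revoked certificate.
# All names, URLs, key sizes and validity periods below are illustrative assumptions.
set -eu

EDGE_FQDN="expe.example.com"                  # assumed Expressway-E public FQDN
CRL_URL="http://pki.example.com/internal.crl" # assumed CRL distribution point
WORK="${WORK:-$(mktemp -d)}"                  # scratch directory for keys and certs
CA_DIR="$WORK/ca"

# Create a fresh CA directory layout plus the openssl.cnf that 'openssl ca' requires.
setup_ca() {
  rm -rf "$CA_DIR"
  mkdir -p "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"        # certificate database, one line per issued cert
  echo 1000 > "$CA_DIR/serial"
  echo 1000 > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = internal_ca

[ internal_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any
unique_subject   = no

[ policy_any ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
# placeholder only; every request below passes -subj explicitly
commonName = placeholder

[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign

[ server_ext ]
basicConstraints      = CA:false
keyUsage              = critical, digitalSignature, keyEncipherment
extendedKeyUsage      = serverAuth
subjectAltName        = DNS:$EDGE_FQDN
crlDistributionPoints = URI:$CRL_URL
EOF
  # Self-signed root for the lab CA.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
    -subj "/CN=Internal Lab CA" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
}

# Issue the Expressway-E server certificate. The FQDN goes into subjectAltName,
# which is what clients match against when a SAN is present; the CN alone is not enough.
issue_edge_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CA_DIR/openssl.cnf" \
    -subj "/CN=$EDGE_FQDN" -keyout "$WORK/edge.key" -out "$WORK/edge.csr" >/dev/null 2>&1
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -extensions server_ext -notext \
    -in "$WORK/edge.csr" -out "$WORK/edge.crt" >/dev/null 2>&1
}

# Publish the CRL; this is the file the CRL distribution point would serve.
publish_crl() {
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/internal.crl" >/dev/null 2>&1
}

# Mark the edge certificate revoked in the CA database and publish an updated CRL.
revoke_edge_cert() {
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -revoke "$WORK/edge.crt" \
    -crl_reason keyCompromise >/dev/null 2>&1
  publish_crl
}

# Verify the edge certificate the way a CRL-checking relying party would: chain to
# the CA, hostname against the SAN, serial against the current CRL.
# Prints "valid", "revoked", or "error: <openssl output>".
verify_edge_cert() {
  cat "$CA_DIR/ca.crt" "$CA_DIR/internal.crl" > "$CA_DIR/verify-bundle.pem"
  if out=$(openssl verify -crl_check -verify_hostname "$EDGE_FQDN" \
             -CAfile "$CA_DIR/verify-bundle.pem" "$WORK/edge.crt" 2>&1); then
    echo valid
  elif printf '%s\n' "$out" | grep -q 'certificate revoked'; then
    echo revoked
  else
    echo "error: $out"
  fi
}

# Full run: the certificate verifies before revocation and is rejected afterwards.
run_demo() {
  setup_ca
  issue_edge_cert
  publish_crl
  before=$(verify_edge_cert)
  revoke_edge_cert
  after=$(verify_edge_cert)
  echo "before revocation: $before; after revocation: $after"
}

run_demo
```

Two things worth noticing in the output. First, a CRL only revokes what the CA issued, so the per-device revocation the question asks about requires a certificate per device (the push mechanism the reply describes, MDM for mobiles and Group Policy for Windows PCs) and then revoking that device's serial. Second, `default_crl_days` is the CRL's validity window; a relying party holding a CRL published before the revocation will keep accepting the certificate until it fetches a fresh one, so the distribution point has to be reachable from wherever the check is made, which for Expressway-E means from the outside.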

Chi Fai Leung Thu, 04/17/2014 - 22:55

For Windows PCs, Group Policies could be used, but the Jabber client would not set any restriction on the connection sources; that means anyone who has the Jabber client can already access the UC environment.

