Expressway VPN-less Jabber solution - Certificate & CRL issue & Local encryption problem

Chi Fai Leung
Level 1

Hi all UC experts,

I just deployed the Expressway VPN-less Jabber solution in my Cisco UC environment. I am thinking about managing Certificate Revocation Lists (CRLs). Actually, I do not have much experience with CRL deployment.
The Cisco guide only introduces the CRL: http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
Right now I am using an OpenSSL CA, which is a self-signed CA for internal use only.

1. Can I prevent the certificate error when users access the Expressway-Edge while using the internal OpenSSL CA? Will it stop prompting the certificate error if CN="Expressway-Edge Public FQDN"?

2. How can I best do the CRL? Actually, all users would use their Exchange addresses as the login. Should I use the Windows Certificate Server to make the CRL? Is the CRL controlled per device? That is, if one user uses one or more mobile devices, can the admin revoke the login per device?

3. I discovered that the Jabber client locks the local cache on the mobile device / Windows PC. Can I make the local cache encrypted?

4 Replies

George Thomas
Level 10

Hi Edwin,

1. You can optionally sign the cert using an internal Microsoft CA or a 3rd-party CA. Page 5 of the guide tells you that. Keep in mind, it's not just the Expressways that need to be signed. You have to sign the CUCM Tomcat, Unity Tomcat, IM&P Tomcat and XMPP certs so that you don't get any certificate errors.

2. If you have to do CRLs, it would be best to do it with an MS PKI infrastructure. CRLs are best done per device, and you will need a mechanism to push certs down to the individual devices. For mobiles, this can be done with mobile device management software; for Windows PCs you could use group policies.

3. Not possible.

HTH

Please rate useful posts.
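To make the "one cert per device, revoke per device" point concrete, here is an added example that is not from this thread and not a Cisco procedure. It builds a throwaway OpenSSL CA of the kind the original poster describes, issues a separate certificate to each device, revokes one of them, republishes the CRL, and verifies certificates with CRL checking switched on. Every name, path and device label (laptop-alice, phone-alice, the CA directory layout) is made up for the example; it shows only the CA side, not how Expressway fetches or applies the CRL.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: a minimal OpenSSL CA that
# issues one cert per device, revokes a single device's cert, re-publishes the
# CRL, and verifies a cert against that CRL. Every name and path is made up.
set -u

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"

# Create the CA database files and a self-signed root. Unlike a Windows CA,
# OpenSSL keeps its "database" in plain text files (index.txt, serial, crlnumber).
ca_init() {
  mkdir -p "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/serial"
  echo 1000 > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ ca ]
default_ca = internal_ca
[ internal_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_cn
x509_extensions  = v3_leaf
[ policy_cn ]
commonName = supplied
[ v3_leaf ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  openssl req -x509 -config "$CA_DIR/openssl.cnf" -newkey rsa:2048 -nodes \
    -sha256 -days 3650 -subj "/CN=Internal OpenSSL CA (example)" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
}

# One certificate per device (not per user): that is what makes it possible to
# revoke a single phone or laptop without touching the user's other devices.
issue_cert() {  # $1 = device name, used as the CN and file name
  openssl req -new -config "$CA_DIR/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" >/dev/null 2>&1 &&
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
    -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# (Re)publish the CRL. Whatever checks revocation (Expressway, a browser, a
# server) has to be able to fetch this file, or the revocation has no effect.
publish_crl() {
  openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/ca.crl" >/dev/null 2>&1
}

# Revoke one device's cert and immediately publish a new CRL.
revoke_cert() {  # $1 = device name
  openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/$1.crt" \
    -crl_reason keyCompromise >/dev/null 2>&1 &&
  publish_crl
}

# Exit status 0 only if the cert chains to the CA and is absent from the CRL.
# Without -crl_check a revoked cert still verifies, which is the usual mistake.
verify_with_crl() {  # $1 = device name
  openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/ca.crl" \
    "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Stand-alone walkthrough: sh crl_demo.sh demo
demo() {
  ca_init
  issue_cert laptop-alice && issue_cert phone-alice
  publish_crl
  verify_with_crl phone-alice && echo "phone-alice: valid"
  revoke_cert phone-alice
  verify_with_crl phone-alice || echo "phone-alice: revoked (listed on CRL)"
  verify_with_crl laptop-alice && echo "laptop-alice: still valid"
}

case "${1:-}" in demo) demo ;; esac
```

Two things to take from it: revocation is per certificate, so per-device revocation only works if each device really gets its own certificate; and a CRL does nothing by itself, because the side that terminates the TLS connection has to fetch the current CRL (note `default_crl_days`, after which an unrefreshed copy is simply expired) and be configured to check it.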

Chi Fai Leung
Level 1

For Windows PCs using Group Policies, the Jabber client would not restrict the connection sources; that means anyone who has the Jabber client can already access the UC environment.

Can I do the CRL on the Expressway, like on ISE? It is because no document talks about how to configure the CRL on Expressway.

Publish Certificate Revocation Lists for ISE on a Microsoft CA Server Configuration Example

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115758-cert-rev-lists-00.html

