For lab purposes, can we run Jabber MRA without a firewall? I have 1 BE6K that I plan to use for the lab (UCM, IMP, Exp-C and Exp-E).
If possible, can you share some steps and notes here?
For external DNS, you can have it on the same subnet, no issues. The only thing you need to do when you simulate the MRA environment (login via Expressway) is manually change the DNS on the PC to point to the external DNS, or you can have two separate PC instances running, one pointing to the internal DNS and the other to the external DNS.
For external DNS, there is no need to enable AD; just enable the DNS services and create your forward lookup zone and SRV records for your external domain simulation.
You can use the certificates on Exp-C & E generated via internal CA.
Yes, that's correct, you can choose everything in the same subnet.
But if you plan to use Exp-E with a dual NIC, then make sure that both NICs get an IP from a different subnet. For example:
NIC 1 - 172.17.17.210
NIC 2 - 172.17.18.210
Please note that to enable dual NIC you need the advanced network key. So if you don't have that, for lab purposes you can just go ahead with a single NIC on Expressway-E.
You need to build two DNS servers for simulating internal & external login scenarios.
When you log in internally, on the Jabber for PC configure the DNS as (internal server) and log in; it should be able to resolve the _cisco-uds SRV record query pointing to the CUCM.
When you log in externally, configure the DNS as (external server) and log in; it should fail to resolve _cisco-uds and then fall back to the _collab-edge SRV record.
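
The two login scenarios described in the replies above can be verified before starting Jabber. This is an added example, not part of the original thread: it queries each lab DNS server with dig and reports which discovery path a client using that server would take. The function names, the SRV_LOOKUP override, the domain and the server IPs in the usage line are assumptions; the full record names use the standard _cisco-uds._tcp and _collab-edge._tls labels.

```shell
#!/bin/sh
# Added example: check which Jabber discovery path each lab DNS server produces.
# Assumptions: dig is installed; the domain and server IPs in the usage line
# are constructed placeholders.

# SRV lookup against one server. Keeps only well-formed SRV answers
# ("priority weight port target"), so dig timeout text is not mistaken for a record.
srv_lookup() {  # $1 = DNS server IP, $2 = SRV record name
    dig +short +time=2 +tries=1 "@$1" "$2" SRV 2>/dev/null |
        grep -E '^[0-9]+ [0-9]+ [0-9]+ [^ ]+$' || true
}

# Mirror the order described in the thread: _cisco-uds first, then _collab-edge.
# SRV_LOOKUP may name a replacement lookup function (used for offline testing).
discovery_mode() {  # $1 = DNS server IP, $2 = domain
    if [ -n "$("${SRV_LOOKUP:-srv_lookup}" "$1" "_cisco-uds._tcp.$2")" ]; then
        echo internal   # client talks to CUCM directly
    elif [ -n "$("${SRV_LOOKUP:-srv_lookup}" "$1" "_collab-edge._tls.$2")" ]; then
        echo mra        # client goes through Expressway-E
    else
        echo none       # neither record resolves: discovery fails
    fi
}

# Pass only if the internal server yields "internal" and the external one "mra".
# An external server that answers _cisco-uds would keep the client off the MRA path.
check_split_dns() {  # $1 = internal DNS, $2 = external DNS, $3 = domain
    rc=0
    in_mode=$(discovery_mode "$1" "$3")
    ex_mode=$(discovery_mode "$2" "$3")
    [ "$in_mode" = internal ] || { echo "FAIL: internal DNS $1 -> $in_mode"; rc=1; }
    [ "$ex_mode" = mra ] || { echo "FAIL: external DNS $2 -> $ex_mode"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 -> internal, $2 -> mra"
    return "$rc"
}

# Usage (constructed values): check_split_dns 172.17.17.10 172.17.17.11 lab.example
```

A FAIL on the external server with mode "internal" means the external zone also carries the _cisco-uds record, so the simulated outside client would never exercise the Expressway login.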