Jabber MRA without Firewall

Answered Question
May 13th, 2017

Hi experts,


For lab purposes, can we run Jabber MRA without a firewall? I have one BE6K that I plan to use for the lab (UCM, IMP, Exp-C and Exp-E).


If possible, can you share some steps and notes here?


thanks,

K

Jaime Valencia Sat, 05/13/2017 - 11:47
User Badges: Cisco Employee, Hall of Fame 2011

Yes, I have it running all in the same subnet, with just one NIC while I get a second subnet for my lab.

The basic steps are all the same; you just don't need to worry about poking holes for network traffic as you would in a real network.

My MRA devices are in a secondary DNS domain which only resolves the _collab-edge SRV record, and that way they are redirected to my EXP-E IP for registration.

If you do have two networks, what you won't need to do is configure NAT in the "external" network; point directly to that IP instead, and I'd place the DNS and test machines in that network as well (that's what I'm planning to do in my lab). Or just point devices to that special DNS which would only resolve _collab-edge, or use split-horizon DNS.

karen.johnson5801 Tue, 05/16/2017 - 15:04

Thanks Jaime,


I am trying to understand here. So if I choose to put Exp-C, Exp-E and UCM all in one subnet:

Do you mind writing down the detailed steps here?


Sorry, I am a bit confused by this statement: "My MRA devices are in a secondary DNS domain which only resolves the _collab-edge SRV and that way are re-directed to my EXP-E IP for registration".

Thanks,

K

Correct Answer
Alok Jaiswal Wed, 05/17/2017 - 02:00
User Badges: Bronze, 100 points or more

Hi Karen,


Yes, that's correct, you can choose to put everything in the same subnet.


But if you plan to use Exp-E with dual NICs, then make sure that both NICs get IPs from different subnets, e.g.:

NIC 1: 172.17.17.210

NIC 2: 172.17.18.210


Please note that to enable dual NIC you need the advanced networking key. So if you don't have that, for lab purposes you can just go ahead with a single NIC on Expressway-E.


You need to build two DNS servers to simulate the internal and external login scenarios.

When you log in internally, on Jabber for PC configure the DNS as the internal server and log in; it should be able to resolve the _cisco-uds SRV record query pointing to the CUCM.


When you log in externally, configure the DNS as the external server and log in; it should fail to resolve _cisco-uds and then fall back to the _collab-edge SRV record.


Regards,

Alok



karen.johnson5801 Thu, 05/18/2017 - 13:51

Hi Alok,


Assuming I just use all internal for Exp-E, I have the internal DNS.


For the external DNS I have a few questions:


- Do I need to install a new AD with a different domain for the external DNS?

- What is different in the setup and installation for this external DNS?

- Is this external DNS just in the same subnet as the internal DNS?


Thanks,

K

Correct Answer
Alok Jaiswal Thu, 05/18/2017 - 16:41
User Badges: Bronze, 100 points or more

Hi Karen,


For the external DNS, you can have it on the same subnet, no issues. The only thing you need to do when you simulate the MRA environment (login via Expressway) is manually change the DNS on the PC to point to the external DNS, or you can have two separate PC instances running, one pointing to the internal DNS and the other to the external DNS.


For the external DNS there is no need to enable AD; just enable the DNS services and create your forward lookup zone and SRV records for your external domain simulation.


You can use certificates on Exp-C & E generated via the internal CA.


Regards,

Alok

karen.johnson5801 Thu, 05/18/2017 - 16:44

Thanks Alok,


One more question: is it possible to combine the internal AD and external AD on the same server?


Best,

K

Alok Jaiswal Thu, 05/18/2017 - 17:05
User Badges: Bronze, 100 points or more

No, I don't think it's possible in this scenario.

Jabber always runs the _cisco-uds query first to find the servers; only if it doesn't find it does it go to _collab-edge.

If you use the same DNS server, then Jabber will always be able to find the _cisco-uds record and will never fall back to _collab-edge. It can be done if you have, e.g., an ASA in your environment. In that case you can use the capability of the ASA to do SRV filtering, and then the ASA will drop the _cisco-uds record query, which will allow Jabber to fall back to _collab-edge.

Look at the document below.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Net...


Not sure if anyone else has any other ideas for this.


Regards,

Alok
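The discovery behaviour described in Alok's answers (two DNS servers: the internal one resolving _cisco-uds to the CUCM, the external one resolving only _collab-edge to the Expressway-E; a single server holding both records never triggering MRA; an ASA filtering the _cisco-uds query as the workaround) can be checked on paper before any lab DNS is built. The following is an added example written for this page, not code from the thread or from Cisco. It models each DNS server as an in-memory view of SRV records, walks Jabber's lookup order the way the thread describes it, and renders each view as the SRV lines you would enter in the forward lookup zone. The record names _cisco-uds._tcp and _collab-edge._tls are Cisco's documented MRA service-discovery names; the lab domain lab.example.com, the hosts cucm1, cucm2 and expe, and the priorities and weights are assumptions for the illustration.

```python
"""Jabber service-discovery walk-through for the two-DNS-server MRA lab.

Added example, not code from the thread or from Cisco. Assumed values
(not in the thread): domain lab.example.com, hosts cucm1/cucm2/expe,
priorities and weights. The DNS "servers" are in-memory views standing
in for the internal and external forward lookup zones.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


DOMAIN = "lab.example.com"  # assumed lab domain
UDS_NAME = f"_cisco-uds._tcp.{DOMAIN}"     # on-premises discovery (CUCM UDS)
EDGE_NAME = f"_collab-edge._tls.{DOMAIN}"  # MRA discovery (Expressway-E)

DnsView = Dict[str, List[SrvRecord]]

# Constructed zone contents. Internal DNS holds only _cisco-uds (two CUCM
# nodes, different priorities); external DNS holds only _collab-edge.
INTERNAL_VIEW: DnsView = {
    UDS_NAME: [
        SrvRecord(10, 10, 8443, f"cucm1.{DOMAIN}"),
        SrvRecord(20, 10, 8443, f"cucm2.{DOMAIN}"),
    ],
}
EXTERNAL_VIEW: DnsView = {
    EDGE_NAME: [SrvRecord(10, 10, 8443, f"expe.{DOMAIN}")],
}
# The failure mode from the last answer: one DNS server with both records.
COMBINED_VIEW: DnsView = {**INTERNAL_VIEW, **EXTERNAL_VIEW}


def resolve_srv(view: DnsView, name: str) -> List[SrvRecord]:
    """Answer an SRV query from a view; an empty list means no such record."""
    return list(view.get(name, []))


def pick_target(records: List[SrvRecord]) -> Tuple[str, int]:
    """RFC 2782 ordering: lowest priority first, then highest weight."""
    best = min(records, key=lambda r: (r.priority, -r.weight))
    return best.target, best.port


def discover(view: DnsView, domain: str) -> Tuple[str, str, int]:
    """Return (mode, host, port): _cisco-uds first, _collab-edge only as fallback."""
    uds = resolve_srv(view, f"_cisco-uds._tcp.{domain}")
    if uds:
        host, port = pick_target(uds)
        return ("on-premises", host, port)
    edge = resolve_srv(view, f"_collab-edge._tls.{domain}")
    if edge:
        host, port = pick_target(edge)
        return ("mra", host, port)
    return ("none", "", 0)


def drop_srv(view: DnsView, name: str) -> DnsView:
    """Model the ASA SRV-filtering idea: the query for `name` gets no answer."""
    return {k: v for k, v in view.items() if k != name}


def zone_lines(view: DnsView) -> List[str]:
    """Render a view as zone-file SRV lines: owner, priority, weight, port, target.
    These five fields are exactly what a forward lookup zone SRV record needs."""
    return [
        f"{name}. IN SRV {r.priority} {r.weight} {r.port} {r.target}."
        for name, recs in sorted(view.items())
        for r in recs
    ]


if __name__ == "__main__":
    cases = (
        ("internal DNS", INTERNAL_VIEW),
        ("external DNS", EXTERNAL_VIEW),
        ("single DNS with both records", COMBINED_VIEW),
        ("single DNS, _cisco-uds filtered", drop_srv(COMBINED_VIEW, UDS_NAME)),
    )
    for label, view in cases:
        print(f"{label}: {discover(view, DOMAIN)}")
    print("\n".join(zone_lines(INTERNAL_VIEW) + zone_lines(EXTERNAL_VIEW)))
```

Running it shows the internal view landing on cucm1 (priority 10 beats 20), the external view landing on the Expressway-E, the combined view never reaching MRA, and the filtered combined view falling back to _collab-edge as the ASA workaround would. Once the real zones exist, the same four checks can be repeated against each lab DNS server with an SRV query for the two names.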
