
CMS with Expressway Edge interop with Skype O365

danny.yf_li
Level 1

Hi All

 

I am deploying a single CMS server with Expressway Edge for my client. The deployment should support external parties joining CMS meetings via WebRTC, and B2B video calls with external standard SIP endpoints as well as Microsoft S4B O365 endpoints.

 

My customer's company domain (abc.com) has already been used for the S4B O365 service.

I mean _sipfederationtls._tcp.abc.com has already been registered with the Microsoft service. So, an internal registered standard SIP endpoint should be able to call S4B O365 endpoints through the call path CUCM->exp-C->CMS->exp-C->exp-E. My question is how S4B O365 endpoints call the customer's internal registered video endpoints.

Do I need another sipfederationtls SRV record pointing to Expressway-E on public DNS server?

If yes, then can I use a subdomain, e.g. conf.abc.com, for this purpose?

So the SRV record may be something like _sipfederationtls._tcp.conf.abc.com.

 

By the way, since this is a B2B call using an Expressway pair, are any other firewall ports required apart from the standard Expressway port requirements?

 

Thanks!!!

 

7 Replies

Patrick Sparkman
VIP Alumni

O365 will look for _sipfederationtls SRV record for your on-premise video endpoints, so a different domain or subdomain is needed.  The configuration and requirements for video calls between Cisco and Microsoft environments are covered in the Cisco Expressway Options with Cisco Meeting Server and/or Microsoft Infrastructure (Expressway X8.9.2).

Hi Patrick

 

Thanks for your comment. I did all the steps in the guide, but when I call CUCM endpoints from the Skype client, the call does not reach Expressway-E. I added the _sifederationtls._tcp SRV record on the external DNS server, which targets the Expressway-E external FQDN. The SRV can be resolved via Windows cmd nslookup and even the Cisco TAC Tool SRV record checking tool.

 

What else can I do to make this work?

Thanks


Hello Danny. Did you find a solution for this scenario? I am stuck in the same step as you.

Hi rrmillan1313

Yes. I finally made it work. The Expressway-E must use a public CA certificate. The _sipfederationtls._tcp.domain must match the Expressway-E FQDN domain,

meaning _sipfederationtls._tcp.abc.com must point to expressway-E.abc.com

but not expressway-E.conf.abc.com

 

 

Hi Danny

But the Cisco guide document says that SRV _sipfederationtls._tcp.msdomain must point to S4B, and the other SRV _sipfederationtls._tcp.ciscodomain must point to the Expressway-E public FQDN. In your example the Cisco domain is conf.abc.com

Are you saying that _sipfederation._tcp.msdomain must point to FQDN Expressway-E@msdomain?

Is the Cisco guide wrong on how those SRV records must be configured?

 

Regards!

I'm also wondering something else related to this - Microsoft recommends using a load-balanced A-record of sip.domain.com for S4B federation redundancy.

 

Could we have an SRV record for _sipfederationtls._tcp.conf.example.com that pointed to sip.conf.example.com, that in turn load balanced between exp-e1.example.com and exp-e2.example.com, without having to change the certificates etc. on the Expressways to use a subdomain? Or would we still need to change to exp-e1.conf.example.com etc.?

Hi rrmillan1313,

I didn't use my current deployment as the example, so it might confuse you.

My deployment is as below:

For the MS platform, there should be an SRV record pointing to the MS side:

_sipfederationtls._tcp.abc.com should point to the MS platform, because the customer had already registered abc.com as the MS SIP domain.

> _sipfederationtls._tcp.abc.com
Server: [8.8.8.8]
Address: 8.8.8.8

Non-authoritative answer:
_sipfederationtls._tcp.abc.com SRV service location:
priority = 100
weight = 1
port = 5061
svr hostname = sipfed.online.lync.com
> \

As for the Cisco platform, I used conf.abc.com as the Exp-E domain

> _sipfederationtls._tcp.conf.abc.com
Server: [8.8.8.8]
Address: 8.8.8.8

Non-authoritative answer:
_sipfederationtls._tcp.conf.abc.com SRV service location:
priority = 100
weight = 1
port = 5061
svr hostname = EXPRESSE01.conf.abc.com

The very, very important thing here is

_sipfederationtls._tcp.conf.abc.com must point to EXPRESSE01.conf.abc.com

You CAN'T point this SRV record to EXPRESSE01.abc.com

meaning on the customer's external DNS server, a subdomain was created as conf.abc.com

The Expressway-E A record pointing to the Expressway-E public IP must be placed under the conf.abc.com subdomain

The next step is that you should add/change the top level domain and cluster domain to conf.abc.com in the CUCM enterprise parameters.

Expressway-E must use a public CA signed certificate with multiple SANs enabled, because you need to include both conf.abc.com and abc.com in the public CA signed certificate

For example:

SAN should include

 

DNS Name=expresse01.abc.com   (this DNS record was added on the customer's public DNS)
DNS Name=www.expresse01.abc.com     (added by default when generating the certificate request)
DNS Name=join.abc.com (for CMS WebRTC via Expressway-E proxy)
DNS Name=abc.com (AD domain)
DNS Name=cms.abc.com  (CMS FQDN)
DNS Name=expresse01.conf.abc.com  (Must be included, this is the most important record)

 

because during the certificate exchange process, MS will ignore the common name in the public certificate;

instead, MS will look for the domain (conf.abc.com) in the SAN pool.
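
The checks described in the post above can be run before a test call. The following is an added example, not part of the original thread and not Cisco or Microsoft tooling: it parses nslookup SRV output and a "DNS Name=" SAN listing in the formats shown above and reports mismatches. The function names are hypothetical, the sample input is constructed from the thread's abc.com placeholders, and the rules (target host directly under the SRV domain, port 5061, target present in the SAN list) are the ones stated or shown in the thread.

```python
import re

# Constructed sample input in the two formats shown in the thread.
SRV_OUTPUT = """\
_sipfederationtls._tcp.conf.abc.com SRV service location:
priority = 100
weight = 1
port = 5061
svr hostname = EXPRESSE01.conf.abc.com
"""
SAN_TEXT = """\
DNS Name=expresse01.abc.com
DNS Name=join.abc.com
DNS Name=abc.com
DNS Name=cms.abc.com
DNS Name=expresse01.conf.abc.com
"""

def parse_srv(text):
    """Extract SIP domain, port and target from nslookup SRV output."""
    name = re.search(r"^_sipfederationtls\._tcp\.(\S+)\s+SRV service location", text, re.M)
    port = re.search(r"^\s*port\s*=\s*(\d+)", text, re.M)
    host = re.search(r"^\s*svr hostname\s*=\s*(\S+)", text, re.M)
    if not (name and port and host):
        raise ValueError("no _sipfederationtls SRV answer found")
    return {"domain": name.group(1).rstrip(".").lower(),
            "port": int(port.group(1)),
            "target": host.group(1).rstrip(".").lower()}

def parse_san(text):
    """Collect 'DNS Name=' entries from a certificate SAN listing."""
    return {n.rstrip(".").lower() for n in re.findall(r"DNS Name=(\S+)", text)}

def check_federation(srv, sans):
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    # Rule from the thread: the target host must sit directly under the SRV domain.
    _, _, parent = srv["target"].partition(".")
    if parent != srv["domain"]:
        problems.append(f"target {srv['target']} is not a host directly under {srv['domain']}")
    if srv["port"] != 5061:  # port shown in both nslookup answers in the thread
        problems.append(f"port {srv['port']} is not 5061")
    if srv["target"] not in sans:  # the common name is ignored, only SAN entries count
        problems.append(f"certificate SAN lacks {srv['target']}")
    return problems

if __name__ == "__main__":
    print(check_federation(parse_srv(SRV_OUTPUT), parse_san(SAN_TEXT)) or "consistent")
```
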