09-02-2014 06:20 AM - edited 03-18-2019 03:21 AM
Cannot get Expressway-C & E X8.2.1 to form a TLS connection for MRA traversal. We have generated a SSL certificate using a client and server certificate template on a Windows Server CA, and have uploaded this certificate to the Expressway-C and the CA chain to the Expressway-E, but the TraversalClient zone fails to form the TLS connection. The Event Log shows 'unable to get local issuer certificate'. Yet the Client certificate testing tool shows the certificate is good when checked. Certificate revocation checking under SIP is set to Off. Can anyone advise why the TLS connection won't form? Thanks.
09-03-2014 09:09 AM
I'm pretty sure that one of the deployment guides (perhaps with regard to Certificates, perhaps with regard to VCS Deployment) says that wild-card certificates are NOT supported. This seems to be common on other UC type platforms (e.g. Lync).
09-02-2014 12:14 PM
What have you set as peer address for the traversal zone on the Exp-C?
09-03-2014 02:02 AM
And doesn't the peer address need to appear in the certificate SAN or Common Name (certainly this is true when you use TLS validation on a traversal zone, but isn't this a requirement on the Expressway-C/E?).
Also, is this supposed to be a two-way thing - i.e. you need to upload certificates on both the Expressway-C/E plus the CA on both, as both act as server and client?
I'm not too familiar with the CUCM environment, but I assume that the traversal zone acts in a similar way to that on the standard VCS-C/E?
09-03-2014 08:21 AM
Thanks both for the replies. It turned out it wasn't the private CA-signed Expressway-C cert that was the problem - it was the public CA wildcard certificate on the Expressway-E that was causing the authentication issue (presumably as the CN wasn't an exact match for the connecting Expressway-C). Bit disappointing that a wildcard certificate wouldn't be accepted (surely the logic to match the CN in the case of a wildcard wouldn't be a problem?).
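The two conditions this thread separates, a chain that cannot be built ('unable to get local issuer certificate') and a peer name checked against a wildcard-only certificate, can be reproduced with the openssl CLI against a throwaway lab CA. This is an added example, not from the thread or from Cisco: it assumes openssl is installed, and the CA name, `*.example.test` and the peer names are constructed placeholders; note that OpenSSL's own hostname check accepts a one-label host under a wildcard, so this isolates the chain error from the name check rather than modelling the Expressway zone behaviour reported above.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the two failure modes with a
# throwaway lab CA so the openssl messages can be compared with the event log.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Private CA standing in for the Windows Server CA, plus a leaf cert whose
# only name is a wildcard, like the public-CA cert on the Expressway-E.
# All names here are constructed placeholders.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.example.test\n' > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/san.cnf" -out "$WORK/leaf.pem" 2>/dev/null
}

# Chain check with no trusted CA loaded: this is the 'unable to get local
# issuer certificate' condition (openssl exits non-zero; its text is returned).
verify_without_ca() {
  openssl verify "$WORK/leaf.pem" 2>&1 || true
}

# Same leaf with the issuing CA trusted: the chain builds and verify says OK.
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" 2>&1
}

# Name check for a given peer name against the wildcard SAN. Exit status 0 only
# when OpenSSL's RFC 6125 matching accepts it (exactly one label under the
# wildcard); the bare apex and a two-label host are rejected.
check_hostname() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

make_certs
echo "--- no CA loaded ---"; verify_without_ca
echo "--- CA loaded ---";    verify_with_ca
for peer in expc.example.test example.test a.b.example.test; do
  if check_hostname "$peer"; then echo "$peer: matches wildcard"
  else echo "$peer: hostname mismatch"; fi
done
```

Run it once with the real CA chain in place of `ca.pem` and the Expressway-E cert in place of `leaf.pem` to see which of the two checks the appliance's error corresponds to.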
09-03-2014 09:20 AM
Your recollection is correct; it is mentioned in one of the documents. Chances are you will have already invested in a wildcard certificate, though, if it is appropriate for the rest of your infrastructure.
Interestingly, when the Expressway was incorrectly configured with the wrong type of TraversalZone (not UC) the wildcard cert wasn't an issue and the Core was happy to form a tunnel. When the TraversalZone error came to light and the zones were replaced with the correct type, it suddenly decided the wildcard certificate was a problem.
09-03-2014 09:30 AM
Interesting. As mentioned, we don't use CUCM, but even reading one of the deployment guides recently to set up authentication delegation for Jabber for TelePresence with TMS, it stated that we should use a UC traversal zone. I promptly ignored this and set up a normal traversal zone with certificates, and in our deployment all is working well. I don't know what this might break in the CUCM environment (if anything) but it certainly is OK in a normal VCS-C/E with TMS deployment.
09-03-2014 09:53 AM
That's correct, it works fine with normal Jabber for TP (Movi) and traversal zones. For Jabber for Windows and CUCM, we need to use a UC traversal zone due to the search rules that get automatically created.