Cisco Support Community

Jabber VCS Expressway - internal DNS resolution from Expressway itself

Dear support community,

I am currently configuring the VCS Expressway solution (both Expressway E and Expressway C servers). Because of some firewall limitations I need to resolve the Expressway C FQDN directly from the Expressway E server, meaning that I need the Expressway E to resolve the Expressway C FQDN without using DNS server resolution. I was wondering if there is a way to edit the VCS Expressway hosts file (if such a thing exists in the VCS) like anyone can do in operating systems like Linux. I ask this question because I took a .pcap capture from the VCS and in there I saw the DNS query process, but the number one option was 127.0.0.1, which is the Expressway itself. Maybe this connection attempt is just the Expressway looking in its DNS cache, but I am not sure.

Best Regards,

Roberto López.

6 REPLIES

There is a hosts file on the Expressway but unfortunately that gets overwritten every time you reboot the device.

The way you would do this will be to open port 53 (UDP) to your internal DNS server and specify the DNS server on the expressway. 

May I ask why you need to resolve the Expressway C IP on the Expressway E? As far as I know, the Expressway E doesn't connect back to the Expressway C. It's always a connection from C to E.

Please rate useful posts.

Hi George,

Thanks for your answer. Currently the DNS ports are closed in the firewall. Since I do not manage the firewall, and because having DNS working from E to C would require a lot of paperwork and bureaucratic requests that may easily last a week, I was hoping to avoid this waste of time. I need this resolution just for security certificate validation from E to C.

Best Regards,

Roberto.

Accepted solution:

Ah, that's the reason I asked. You don't need DNS for it.

The way it will work is that when the traversal client (in your case Expressway-C) tries to connect to the traversal server (in your case Expressway-E), the traversal server will look at the common name on the cert that was presented by the traversal client. It checks whether the Expressway E can match it up with what is specified when you configure the traversal zone on the Expressway E.

Basically DNS is not needed. You just need to make sure that the FQDN of the Expressway C is what is specified in the "TLS verify subject name". Also make sure that if the certs are signed by a CA, the root/intermediate certs are uploaded to both Expressway C and E. Also make sure that in the traversal zone on the Expressway C you put in the FQDN of the Expressway E and not the IP address.

 

HTH

Please rate useful posts.
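The two checks George describes above (the traversal server validating the client's certificate chain against the uploaded root/intermediate, then comparing the name on that certificate with the configured "TLS verify subject name") can be reproduced with the OpenSSL CLI. The script below is an added example, not from the thread and not Cisco's code: it builds a private root CA and an intermediate CA, issues one certificate per Expressway with the FQDN in the SAN, and then runs each scenario mentioned in the thread (intermediate uploaded vs. missing, subject name matching vs. mismatched). The FQDNs, CA names and file paths are assumptions; note that no DNS lookup happens anywhere in the check.

```shell
#!/bin/sh
# Added example (not from the thread, not Cisco's implementation): mimics with OpenSSL
# the chain check and the "TLS verify subject name" check a traversal server performs.
# Requires an openssl CLI that supports "x509 -checkhost" (OpenSSL 1.0.2 or later).
set -eu

WORK="${TMPDIR:-/tmp}/expressway-pki-demo.$$"   # assumed scratch directory
EXP_C_FQDN="expressway-c.example.internal"       # assumed internal name of Expressway-C
EXP_E_FQDN="expressway-e.example.com"            # assumed public name of Expressway-E

# Issue a leaf certificate from the intermediate CA, with the FQDN in the SAN (and CN).
issue_leaf() {   # $1 = file prefix, $2 = FQDN
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' \
        "$2" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Build the private PKI: root CA -> intermediate CA -> one cert per Expressway.
build_pki() {
    mkdir -p "$WORK"
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/req.cnf" -extensions v3_ca \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" -subj "/CN=Demo Private Root CA" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 365 -extfile "$WORK/req.cnf" -extensions v3_ca -out "$WORK/int.crt" >/dev/null 2>&1
    issue_leaf expc "$EXP_C_FQDN"
    issue_leaf expe "$EXP_E_FQDN"
    # Two candidate trust stores: root only, and root plus intermediate (what gets uploaded).
    cat "$WORK/root.crt" > "$WORK/trust-root-only.pem"
    cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/trust-root-and-int.pem"
}

# Check 1: does the peer certificate chain to a CA in the trust store?
chain_is_trusted() {   # $1 = peer cert, $2 = trust store PEM
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 2: does the name on the peer cert match the configured "TLS verify subject name"?
# The comparison is cert-vs-configured-string; no DNS resolution is involved.
subject_name_matches() {   # $1 = peer cert, $2 = configured TLS verify subject name
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# The decision the traversal server reaches for a connecting traversal client.
traversal_server_accepts() {   # $1 = client cert, $2 = TLS verify subject name, $3 = trust store
    chain_is_trusted "$1" "$3" && subject_name_matches "$1" "$2"
}

show() {   # $1 = label, rest = command; reports instead of aborting under set -e
    label=$1; shift
    if "$@"; then echo "accepted: $label"; else echo "rejected: $label"; fi
}

demo() {
    build_pki
    T="$WORK/trust-root-and-int.pem"
    show "Expressway-C cert, root+intermediate uploaded, subject name = $EXP_C_FQDN" \
        traversal_server_accepts "$WORK/expc.crt" "$EXP_C_FQDN" "$T"
    show "same cert, but only the root uploaded (intermediate missing)" \
        traversal_server_accepts "$WORK/expc.crt" "$EXP_C_FQDN" "$WORK/trust-root-only.pem"
    show "same cert, TLS verify subject name mistakenly set to $EXP_E_FQDN" \
        traversal_server_accepts "$WORK/expc.crt" "$EXP_E_FQDN" "$T"
    show "Expressway-E cert checked against its own FQDN" \
        traversal_server_accepts "$WORK/expe.crt" "$EXP_E_FQDN" "$T"
}

demo
```

Running it prints one accepted line and two rejected lines for the Expressway-C scenarios, then an accepted line for Expressway-E. The files are left under the scratch directory so you can inspect them (`openssl x509 -in "$WORK/expc.crt" -noout -text`); remove the directory when done.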

Hi George,

I am going to give it a try right away and let you know the outcome.

Thanks a lot my friend!

Best Regards,

Roberto.

Great to hear! You could sign it with a private CA and the users will be able to connect. They will be prompted to accept the certificate; that is the only downside, but it will work fine.

Keep in mind, it's not just the Expressway certs that need to be present in the trust store of the device that is signing in; it's the CA that signed CUCM/CUCN/Presence as well if you need to do without the certificate prompts.

Also, Cisco is looking into a potential issue where if you have an intermediate cert, there is a problem with the certificate validation process. This is due to be fixed in a future release. Good luck!

Please rate useful posts.

Hi George,

It worked without DNS resolution... you were right.

I signed both certificates with a private CA. Now I guess I will need a trusted signed certificate (like Verisign) for my jabber users when connecting from Internet, am I right?

 

Thanks again and best regards,

Roberto.

785 Views · 9 Helpful · 6 Replies