In general, with regards to a traversal zone between a VCS Control and Expressway, you don't want the firewall in between these to perform any H323 or SIP ALG functionality for the traversal zone traffic as this might interfere with the built-in firewall/NAT traversal capabilitiy of the VCS itself.
I am not sure whether there exists any such specific document. The firewall configuration is similar to any other except that the ports that need to opened up should be specific to the VCS expressway requirements and just few consideration like whether you place in the DMZ only, DMZ with static NATs.
So I would recommend to look into Firewall and NAT config section in this link :
http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.pdf along with the ASA guide for configuring the firewall.
I'm having the same problem with X8.2 and an ASA 5520.
The ASA is built as a 3 port firewall (inside, outside, DMZ). The interface for the DMZ is cut into 8 subinterfaces. (Fa2.1, Fa2.2,Fa2.3, etc...)
I configured the Expressway C VM and placed it on the inside interface, and I can access it via HTTP, no problem.
I built a static 1:1 NAT statement and configured the Expressway E VM, and placed it on one of the DMZ interfaces, and cannot access it via the outside or DMZ IP address. I can see the traffic being allowed on the firewall., but it is never responded to.
Appendix 4 of Cisco Expressway Basic Configuration Deployment Guide for X8.2 shows an example of this on page 53, and states that NAT redirection is not supported by all types of firewalls.
I've opened a TAC case, and have not received any updates.
Are you getting this error “Installer User Interface Mode Not Supported. The installer cannot run in this UI mode. To specify the interface mode, use the -i command-line option, followed by the UI mode identifier. The value UI mode identifiers...
The below trick might come handy when you have to add a new node to a cluster but you don't have or is unsure of the security password for the publisher. This procedure has been around for ages.
1) Login into the CLI of the Publisher.