Jabber MRA without Firewall

Hi experts,

For lab purposes, can we run Jabber MRA without a firewall? I have 1 BE6K that I plan to use for the lab (UCM, IMP, Exp-C and Exp-E).

If possible, can you share some steps and notes here?

thanks,

K

Jaime Valencia
Cisco Employee

Yes, I have it running all in the same subnet, with just one NIC while I get a second subnet for my lab.

Basic steps are all the same, you just don't need to worry about poking holes for network traffic as you would in a real network.

My MRA devices are in a secondary DNS domain which only resolves the _collab-edge SRV and that way are re-directed to my EXP-E IP for registration.

If you do have two networks, what you won't need to do is configure NAT in the "external" network but point directly to that IP, and I'd place the DNS and test machines in that network as well (that's what I'm planning to do in my lab). Or just point devices to that special DNS which would only resolve _collab-edge, or use split-horizon DNS.

HTH

java

if this helps, please rate

Thanks Jaime,

I am trying to understand here. So if I choose all in one subnet for Exp-C and Exp-E and UCM.

Do you mind writing down detailed steps here?

Sorry, I am a bit confused by this statement: "My MRA devices are in a secondary DNS domain which only resolves the _collab-edge SRV and that way are re-directed to my EXP-E IP for registration"

Thanks,

K

Hi Karen,

Yes, that's correct, you can choose everything in same subnet.

But if you plan to use Exp-E with a dual NIC, then make sure that the two NICs get IPs from different subnets, e.g.

NIC 1 - 172.17.17.210

NIC 2 - 172.17.18.210

Please note that to enable dual NIC you need the advanced network key. So if you don't have that, for the lab purpose you can just go ahead with the single NIC on Expressway-E.

You need to build two DNS servers for simulating internal and external login scenarios.

When you log in internally, on the Jabber for PC configure the DNS as (internal server) and log in; it should be able to resolve the _cisco-uds SRV record query pointing to the CUCM.

When you log in externally, configure the DNS as (external server) and log in; it should fail to resolve _cisco-uds and then fall back to the _collab-edge SRV record.

Regards,

Alok

Hi Alok,

Assuming I just use all internal for Exp-E, I have internal DNS.

For external DNS I have a few questions:

- Do I need to install a new AD with a different domain for external DNS?

- What is different in the settings and install for this external DNS?

- Is this external DNS just in the same subnet as the internal DNS?

tks,

K

Hi Karen,

For external DNS you can have it on the same subnet, no issues. The only thing you need to do is, when you simulate the MRA environment (login via Expressway), manually change the DNS on the PC to point to the external DNS, or you can have two separate PC instances running, one pointing to internal DNS and the other to external DNS.

For external DNS there is no need to enable AD; just enable the DNS services and create your forward lookup zone and SRV records for your external domain simulation.

You can use certificates on Exp-C & E generated via an internal CA.

Regards,

Alok

Thanks Alok,

One more question: is it possible to combine internal AD and external AD on the same server?

Best,

K

No, I don't think it's possible in this scenario.

Jabber always runs the _cisco-uds query first to find the servers; if it doesn't find it, only then does it go to _collab-edge.

If you use the same DNS server, then Jabber will always be able to find the _cisco-uds record and will never fall back to _collab-edge. It can be done if you have, for example, an ASA in your environment. In that case you can use the capability of the ASA to do SRV filtering, and the ASA will then drop the _cisco-uds record query, which will allow Jabber to fall back to _collab-edge.

Look at the document below.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_CollabEdge.html

Not sure if anyone else has any other ideas for this.

Regards,

Alok
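The lookup order described above can be modelled offline to check a lab DNS plan before building it. This is an added example, not part of any post in this thread; the domain `lab.example`, the host names, the `_tcp`/`_tls` protocol labels and port 8443 are assumptions that the thread does not state.

```python
# Added example: model of the SRV lookup order described in this thread.
# Zone contents, names and ports below are constructed lab values (assumptions).

INTERNAL_ZONE = """
_cisco-uds._tcp.lab.example.    IN SRV 10 10 8443 cucm1.lab.example.
"""
EXTERNAL_ZONE = """
_collab-edge._tls.lab.example.  IN SRV 10 10 8443 expe.lab.example.
"""
COMBINED_ZONE = INTERNAL_ZONE + EXTERNAL_ZONE  # one DNS server holding both


def parse_srv(zone_text):
    """Return {owner name: [(priority, weight, port, target), ...]}."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop zone-file comments
        if len(fields) != 7 or [f.upper() for f in fields[1:3]] != ["IN", "SRV"]:
            continue
        name, prio, weight, port, target = fields[0], *fields[3:]
        records.setdefault(name.lower().rstrip("."), []).append(
            (int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def discover(zone_text, domain):
    """Try _cisco-uds first; only if it is absent, try _collab-edge."""
    srv = parse_srv(zone_text)
    for label, mode in (("_cisco-uds._tcp", "internal"),
                        ("_collab-edge._tls", "mra")):
        hits = sorted(srv.get(f"{label}.{domain}", []))
        if hits:
            return mode, hits[0][3]  # lowest priority value is preferred
    return "none", None


def audit(servers, domain):
    """Flag DNS servers on which the MRA path can never be exercised."""
    findings = {}
    for server, zone in servers.items():
        srv = parse_srv(zone)
        both = all(f"{label}.{domain}" in srv
                   for label in ("_cisco-uds._tcp", "_collab-edge._tls"))
        findings[server] = ("collab-edge shadowed" if both
                            else discover(zone, domain)[0])
    return findings
```

A server reported as `collab-edge shadowed` is the single-DNS case: a client pointed at it always takes the internal path, so the Expressway login is never tested.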

Thanks Alok and also great doc.

K
