Hi Gents,

I'm implementing Expressway C and E version 8.5.2 for MRA and I have the following client setup:

- Split horizon DNS.
- 2 domains as follows, internal: domainX.local and external: domainX.com
- All UC servers are joined to the internal domain: CUCM.domainX.local, IM&P.domainX.local, CUC.domainX.local, etc.
- The client has both a local certificate authority (CA) to locally sign his servers' certificates and is also registered with a public CA to sign his public servers' certificates.
- I have EXP-C and EXP-E to enable Mobile Remote Access for Jabber clients from outside.

I'm able to put the EXP-C on either the internal domainX.local or the external domainX.com, and for sure the EXP-E in the DMZ will be on domainX.com, as it will be public and will be accessed from the internet.

My question is: should I place the EXP-C in domainX.local (internal) or domainX.com (external) for the setup to work?

I have the following concerns in this regard:

- If I place the EXP-C in the external domainX.com, will its communication with the internal UC servers, which are all in the internal domain, be okay? And will the certificate trust relation with all UC servers and the relation with the EXP-E be fine?
- If I place the EXP-C in the internal domain, will the certificate trust relation with all UC servers and the relation with the EXP-E be fine?
- Is it possible to have the EXP-C certificates signed by the local CA while the EXP-E certificates are signed by the public CA? Will that be okay?
- Is the "Unified CM phone security profile names" field, as part of the data to be entered when generating the CSR on the EXP-C, mandatory? I mean, do I have to use TLS for phones through this security profile, or can I just enable the non-secure phone profile without TLS? And if I can use the non-secure phone profile, do I have to enter this field when generating the EXP-C CSR, or can I leave it blank?

If anyone has a working setup, kindly brief me about it, especially the domains and certificates parts.

Best Regards
Ahmed Abd EL-Rahman
Senior Network Engineer
_______________________________________________
cisco-voip mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-voip
