
Collaboration Edge

Troubleshooting
Philip Smeuninx
Technical Leader Services
psmeunin@cisco.com
BRKCOL-2602

Agenda

Introduction

Mobile and Remote Access

XMPP Federation

B2B

Takeaways

Before we start
For your reference

Tool bookmark

Questions

Mobile and Remote Access

Topology (lab used throughout this session)

Internet -- Expressway-E (DMZ) -- Expressway-C (inside) -- CUCM / CUP

Software versions:
- Expressway X8.5
- CUCM / CUP 10.5(2)
- Jabber for Windows 10.5(2)

Expressway Configuration and Troubleshooting

- System configuration
- Firewall configuration
- Certificate configuration and deployment
- Traversal zone configuration
- UC server discovery
- DNS and domain configuration/deployment

Mobile and Remote Access

System Configuration

Set Unified Communications mode to "Mobile and remote access" on both Expressway-E and Expressway-C:
Configuration > Unified Communications > Configuration

Check the Administrator Guide for more help on system configuration topics.

System Configuration - NTP

Each system must be synchronised with an NTP server: System > Time

If NTP is not configured and synchronised on both Expressway-C and Expressway-E, Jabber telephony registration to CUCM may fail. The reason is a freshness check built on SIP SERVICE messages:

- Expressway-E time-stamps a SERVICE message
- Expressway-E sends the SERVICE message to Expressway-C
- Expressway-C verifies that the SERVICE message was received within a 60 second error margin of its own clock

If the two clocks drift further apart than that margin the check fails, even though the traversal zone itself is up, so check System > Time on both boxes before looking anywhere else.

Mobile and Remote Access

Firewall Configuration

What traffic does the firewall need to pass?

- HTTPS proxy for secure provisioning of endpoints
- SIP/TLS signalling and RTP/SRTP media for audio/video
- XCP/XMPP for IM&P (Jabber)
- HTTPS services
- Traversal connection between Expressway-C and Expressway-E
- ClusterDB change notifications (SSH tunnel)

Firewall Configuration
To which ports does this translate?

Port usage: Expressway-C to Expressway-E
Open the firewall from the private network to the DMZ. Source: IP address of Expressway-C. Destination: IP address of Expressway-E.

  Traffic                   Expressway-C source port         Expressway-E listening port
  XMPP (IM and Presence)    TCP Ue 30000 to 35999 *          TCP 7400
  SSH (HTTP/S tunnels)      TCP Ue 30000 to 35999 *          TCP 2222
  SIP signalling            TCP & TLS A 25000 to 29999       TCP & TLS B 7001
  SIP media                 UDP Yc 36000 to 59999 **         UDP Ye 36000 to 36011 **

Ue = configurable TCP ephemeral port range
A  = configurable TCP outbound port range
B  = configurable traversal port for the traversal link between Expressway-C and Expressway-E (i.e. 7001, 7002, etc.)
Yc = configurable traversal media port range (on Expressway-C)
Ye = configurable multiplexed media port range (on Expressway-E)
*  default ephemeral port range (X8.1) is 30000 to 35999, configurable
** default media port range (X8.1) is 36000 to 59999, configurable

Firewall Configuration
Where to configure these ports?

- Expressway-C, ephemeral port range (Ue): System > Administration
- Expressway-C, SIP TCP/TLS outbound port range (A): Configuration > Protocols > SIP
- Expressway-C, traversal media port range (Yc): Configuration > Traversal Subzone
- Expressway-E, traversal zone listening port (B, default 7001): Configuration > Zones > Traversal Zone

Each of these pages changes one column of the port table above; after changing any of them, re-check that the firewall rules still match.

Expressway-E demultiplexing media ports

Small/medium deployment, one of:
- The configured media demultiplexing ports (default 2776 for RTP, 2777 for RTCP), or
- The first 2 ports of the traversal media port range (default 36000 for RTP, 36001 for RTCP)

Expressway-C traversal media range 36000-59999 -> Expressway-E 36000-36001 or 2776-2777

Large system, new install:
- The first 12 ports of the traversal media port range (default 36000 to 36011)

Expressway-C traversal media range 36000-59999 -> Expressway-E 36000-36011

Firewall configuration
Demultiplex port range after upgrades

- Upgrade from X7 to X8.1 -> 50000/50001: the system uses a port pair from the traversal media port range
- Upgrade from X8.1 (itself upgraded from X7) to X8.2 -> 50000/50001: the demultiplex port range is retained from the previous version and "Use configured demultiplexing ports" is set to Yes
- Upgrade from X7 to X8.2 -> 2776/2777: the demultiplex port range is retained from the previous version and "Use configured demultiplexing ports" is set to Yes

After any upgrade, check which demultiplexing ports are actually in use and open exactly those on the firewall rather than assuming the documented defaults.

Firewall Configuration
To which ports does this translate?

Port usage: Expressway-E to the public Internet (outbound to a SIP UA in the Internet)
Open the firewall from the DMZ to the Internet. Source: public IP address of Expressway-E. Destination: any address (or specific far-end addresses).

  Traffic                                   Expressway-E source port      Internet SIP UA listening port
  XMPP (IM and Presence) client / server    N/A                           N/A (client) / TCP 5269 (server-to-server federation)
  UDS (provisioning and phonebook)          N/A                           N/A
  TURN server control                       N/A                           N/A
  SIP signalling                            TLS 25000 to 29999            TLS S >= 1024
  Media                                     UDP Ye 36000 to 59999 **      UDP N >= 1024

N  = Expressway waits until it receives media, then sends its media to the IP address and port from which media was received (the egress port of the far-end media on a non SIP-aware firewall)
S  = source port, typically >= 1024
Ye = configurable traversal media port range (on Expressway-E)
** default media port range (X8.1) is 36000 to 59999, configurable

Firewall Configuration
To which ports does this translate?

Port usage: public Internet to Expressway-E (inbound from a SIP UA in the Internet)
Open the firewall from the Internet to the DMZ. Source: any address (or specific far-end addresses). Destination: public IP address of Expressway-E.

  Traffic                                   Expressway-E listening port   Internet SIP UA source port
  XMPP (IM and Presence) client / server    TCP 5222 / 5269               TCP S >= 1024
  UDS (provisioning)                        TCP 8443                      TCP S >= 1024
  TURN server control                       UDP 3478                      UDP S >= 1024
  SIP signalling                            TLS 5061                      TLS S >= 1024
  Media                                     UDP Ye 36000 to 59999 **      UDP N >= 1024

N  = Expressway waits until it receives media, then sends its media to the IP address and port from which media was received (the egress port of the far-end media on a non SIP-aware firewall)
S  = source port, typically >= 1024
Ye = configurable traversal media port range (on Expressway-E)
** default media port range (X8.1) is 36000 to 59999, configurable

Firewall Configuration
To which ports does this translate?

Port usage: Expressway-C to Unified CM and IM&P
Private network; open firewall: N/A. Source: IP address of Expressway-C. Destination: IP addresses of the Unified CM and IM and Presence servers.

  Traffic                     Expressway-C source port     CUCM / CUP listening port
  XMPP (IM and Presence)      TCP Ue 30000 to 35999 *      TCP 7400 (IM&P server)
  UDS (CUCM) / SOAP (IM&P)    TCP Ue 30000 to 35999 *      TCP 8443 (CUCM server, IM&P server)
  TFTP                        TCP Ue 30000 to 35999 *      TCP 6970 (TFTP server)
  CUC (voicemail)             TCP Ue 30000 to 35999 *      TCP 443 (CUC server)

Ue = configurable TCP ephemeral port range
*  default ephemeral port range (X8.1) is 30000 to 35999, configurable

Dual NIC consideration (Advanced Networking option)

If the Advanced Networking option key is added, a second LAN interface (LAN 2) appears with a default configuration and its own port assignment.

Dual NIC enabled on Expressway-E but LAN 2 not used/connected (the key was only added for static NAT): Expressway-C will not be able to connect to TCP 7400 on Expressway-E for XMPP.

Expressway-C diagnostic logs:

xwayc XCP_JABBERD[23843]: UTCTime="2015-03-25 17:19:45,843" ThreadID="139747212576512" Module="Jabber" Level="INFO " CodeLocation="mio.c:1109" Detail="Connecting on fd 28 to host '10.48.55.99', port 7400
xwayc XCP_JABBERD[23843]: UTCTime="2015-03-25 17:19:45,847" ThreadID="139747212576512" Module="Jabber" Level="ERROR" CodeLocation="mio.c:1121" Detail="Unable to connect to host '10.48.55.99', port 7400:(111) Connection refused
xwayc XCP_JABBERD[23843]: UTCTime="2015-03-25 17:19:45,847" ThreadID="139747406935808" Module="Jabber" Level="ERROR" CodeLocation="base_connection.cpp:104" Detail="Failed to connect to component jabberd-port1.xwayc-coluc-com

Solution: disable LAN 2 (internal) or connect it physically.

Firewall Setup
Port status and configuration: Maintenance > Tools > Port Usage

HTTP Server Allow List
Configuration > Unified Communications > Configuration

The allow list holds the hostname or IP address of an on-premises HTTP server that a Jabber client located outside the enterprise is allowed to reach through Expressway. Access is granted when the server portion of the client-supplied URI matches a name entered here, or resolves via DNS lookup to a configured IP address.
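The allow-list decision written out, as an added example that is not Expressway's own code. The allow-list entries and the DNS answers are constructed so it runs offline; the point it adds is that the "server portion" must be taken from a real URL parser, because a URI such as https://intranet.coluc.com@evil.example/ contains an allowed name but points elsewhere.

```python
"""HTTP server allow-list decision for a Jabber request proxied by Expressway.

Added example (not Expressway's own code). The allow-list entries and the DNS
answers below are constructed; the lookup is a table so the example runs
offline. The two acceptance conditions are the ones on the slide: the server
portion of the client-supplied URI matches an allow-list name, or resolves to
an allow-list IP address.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow list, as entered under
# Configuration > Unified Communications > Configuration > HTTP server allow list
ALLOW_LIST = {"intranet.coluc.com", "10.48.55.120"}

# Constructed stand-in for the DNS lookup Expressway-C performs
FAKE_DNS = {
    "intranet.coluc.com": "10.48.55.120",
    "wiki.coluc.com": "10.48.55.120",   # other name, resolves to an allowed IP
    "files.coluc.com": "10.48.55.130",  # resolves to an IP that is not allowed
}


def server_part(uri: str) -> Optional[str]:
    """Host of an http(s) URI, or None if the URI is unusable.

    urlsplit().hostname strips userinfo, port and IPv6 brackets, so
    'https://intranet.coluc.com@evil.example/' yields 'evil.example' and not
    the allowed name that a naive split on '/' or '@' could return.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def resolve(name: str) -> Optional[str]:
    """Constructed resolver: IP literals resolve to themselves, names via FAKE_DNS."""
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        return FAKE_DNS.get(name)


def is_allowed(uri: str, allow_list=ALLOW_LIST, lookup=resolve) -> bool:
    """Apply the two allow-list conditions to a client-supplied URI."""
    host = server_part(uri)
    if host is None:
        return False
    if host in allow_list:            # condition 1: name matches an entry
        return True
    ip = lookup(host)                 # condition 2: resolves to a configured IP
    return ip is not None and ip in allow_list
```

Note that condition 2 means any name that resolves to an allowed IP address passes, so an allow-list entry given as an IP address is broader than one given as a hostname.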

Mobile and Remote Access

Certificates

Server certificate: Maintenance > Security Certificate > Server Certificate
Trusted CA certificates: Maintenance > Security Certificate > Trusted CA Certificate

Expressway-C Server Certificate

- Used with Expressway-E for the traversal zone connection
- Used with CUCM when the endpoint security mode is Authenticated or Encrypted (TLS transport is used)
- Must be CA signed: enterprise CA or public CA
- The CA root that issued the certificate must be appended to the trusted CA certificate list on both Expressways
- The CA root must be uploaded to the CallManager-trust store on every node in the CUCM cluster

Troubleshooting
CA root not uploaded on Expressway-E

Symptom: traversal zone state Failed

Expressway-C diagnostic logs (traversal client):

xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25016" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="xwaye.coluc.com" Level="1" UTCTime="2014-03-24 17:33:30,872"

The same failure is visible in the Expressway event logs.

Troubleshooting
CA root not uploaded on CUCM

Symptom: softphone registration fails (other devices keep working) when the endpoint security profile is Authenticated or Encrypted

Expressway-C diagnostic logs:

2014-03-24T18:57:37+00:00 xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25264" Dst-ip="10.48.55.96" Dst-port="5061" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="COLCM9PUB.coluc.com" Level="1" UTCTime="2014-03-24 18:57:37,777"

The same failure is visible in the Expressway-C event logs.

In both cases the "unknown ca" alert in an outbound negotiation error was sent by the peer (Expressway-E on 7001, CUCM on 5061): the peer does not trust the chain Expressway-C presents, so the fix is in the peer's trust store, not on Expressway-C.

Expressway-C Certificate Requirements

Extended Key Usage:
- TLS Web Server Authentication
- TLS Web Client Authentication

SAN elements configured with:
- FQDN of Expressway-C
- IM and Presence chat node alias
- Unified CM security profile names

Troubleshooting
Security profile added as SAN (CUCM trace)

SIPTcp - Connection Indication - Listen Port = 5061, Peer Port = 25002
SIPTcp - wait_SdlReadRsp: Incoming SIP TCP message from 10.48.55.98 on port 25002 index 10 with 2994 bytes:[53,NET]
REGISTER sip:COLCM9PUB SIP/2.0

//SIP/SIPHandler/ccbId=0/scbId=0/wait_SIPCertificateInd: could not find a trunk device using address or x509SubjectName calling findSIPStationInit
//SIP/SIPHandler/ccbId=0/scbId=0/findDeviceByX509Subject: x509Subject:xwayc.coluc.com, port:5061
//SIP/SIPHandler/ccbId=25/scbId=0/findDevicePID: Routed to SIPStationInit

SIPStationInit: connId=10, CSFEWAYJ, 10.48.55.98:5061, Incoming register request received over TLS. Subject=[/C=BE/ST=BRABANT/L=DIEGEM/O=CISCO/OU=TAC/CN=xwayc.coluc.com]

SIPStationD(9) - validTLSConnection:TLS InvalidX509NameInCertificate, Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next
SIPStationD(9) - validTLSConnection: Found matching SAN, SAN Rcvd=xwayc.coluc.com;conference-2ecup9.coluc.com;csf-secure, Expected=csf-secure

CUCM first compares the certificate CN with the device name (CSFEWAYJ) and, on a mismatch, falls back to the SAN list, where the security profile name (csf-secure) must appear.

Troubleshooting
Security profile not added as SAN (CUCM trace)

SIPTcp - Connection Indication - Listen Port = 5061, Peer Port = 25004
SIPTcp - wait_SdlReadRsp: Incoming SIP TCP message from 10.48.55.98 on port 25004 index 10 with 2994 bytes:[53,NET]
REGISTER sip:COLCM9PUB SIP/2.0

//SIP/SIPHandler/ccbId=0/scbId=0/wait_SIPCertificateInd: could not find a trunk device using address or x509SubjectName calling findSIPStationInit
//SIP/SIPHandler/ccbId=0/scbId=0/findDeviceByX509Subject: x509Subject:xwayc.coluc.com, port:5061
//SIP/SIPHandler/ccbId=25/scbId=0/findDevicePID: Routed to SIPStationInit

SIPStationInit: connId=10, CSFEWAYJ, 10.48.55.98:5061, Incoming register request received over TLS. Subject=[/C=BE/ST=BRABANT/L=DIEGEM/O=CISCO/OU=TAC/CN=xwayc.coluc.com]

SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate, Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next
SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate Error , did not find matching SAN either, Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com, Expected=csf-secure

Without the security profile name in the SAN, the TLS registration is rejected: this is the "softphone registration fails" symptom described above.

Expressway-E Server Certificate

- Used with Expressway-C for the traversal zone connection
- Used with foreign domains for XMPP federation
- Must be CA signed, by a public CA
- The CA root that issued the certificate must be appended to the trusted CA certificate list on both Expressways

Expressway-E Certificate Requirements

Extended Key Usage:
- TLS Web Server Authentication
- TLS Web Client Authentication

SAN elements configured with:
- Unified CM registration domains (including voice services domains)
- IM and Presence chat node alias
- XMPP domain

Troubleshooting
CA root not uploaded to Expressway-C

Symptom: traversal zone state Failed

Expressway-E diagnostic logs:

xwaye tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25006" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1" UTCTime="2014-03-25 09:52:36,680"

The same failure is visible in the Expressway-E event logs. Here the alert arrives on the inbound side: the connecting traversal client (Expressway-C) does not trust the chain Expressway-E presents.

Tool bookmark (X8.5): Secure traversal test on Expressway-C

Mobile and Remote Access

Unified Communications Traversal Zone

- Expressway-E is the traversal server in the DMZ
- Expressway-C is the traversal client inside the enterprise network
- The traversal link between both is established with the traversal zone configuration

Topology: Endpoint A (enterprise network) - Expressway-C (traversal client) - Expressway-E (traversal server, DMZ) - Endpoint B (outside network / Internet). The traversal link carries management, signalling and media payload.

UC Traversal Zone
Expressway-E (traversal server)

- Select Type: Unified Communications traversal
- Configure the username the traversal client uses to authenticate with the server
- Port: default 7001, the listening port for the traversal client connection
- TLS verify subject name: must match the CN or a SAN of the certificate presented by the traversal client (Expressway-C)
- The traversal zone status shows the connection status with the traversal client

UC Traversal Zone
Expressway-C (traversal client)

- Select Unified Communications traversal as Type
- Configure the same username and password as added on the traversal server (Expressway-E)
- Destination port: the port the traversal server is listening on
- Peer address: must be an FQDN, must resolve to the public IP address of Expressway-E in a single NIC deployment, and must match the CN or a SAN of the certificate presented by Expressway-E

Troubleshooting
Peer address not matching CN

Case 1: peer address configured as an IP address

Expressway-C diagnostic logs:

2014-03-25T14:08:16+00:00 xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25697" Dst-ip="10.48.55.99" Dst-port="7001" Detail="Peer's TLS certificate identity was unacceptable" Protocol="TLS" Common-name="10.48.55.99" Level="1" UTCTime="2014-03-25 14:08:16,699"

Case 2: peer address is an FQDN that does not match the CN or any SAN

Expressway-C diagnostic logs:

2014-03-25T14:16:36+00:00 xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25714" Dst-ip="10.48.55.99" Dst-port="7001" Detail="Peer's TLS certificate identity was unacceptable" Protocol="TLS" Common-name="xwy.coluc.com" Level="1" UTCTime="2014-03-25 14:16:36,699"

Both cases are also visible in the Expressway-C event logs. Unlike the "unknown ca" errors above, the chain is trusted here; it is the identity check of the presented certificate against the configured peer address that fails, so the fix is the peer address (or the certificate's SAN list), not the trust store.
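A small triage script over the diagnostic log lines shown in this section (the "unknown ca" errors on 7001 and 5061, the inbound error on Expressway-E, the peer-identity error, the XCP port 7400 refusal from the Dual NIC slide), as an added example that is not an Expressway tool. The decision rules encode the reading of each Detail string given on the slides; the sample lines are the slides' own lines with timestamps dropped.

```python
"""Triage of Expressway diagnostic log lines for TLS and traversal failures.

Added example, not an Expressway tool. The sample lines are the ones shown on
the slides in this section (timestamps dropped); the decision rules encode the
slides' explanations of each Detail string: "tlsv1 alert unknown ca" is an
alert received from the peer, so an Outbound error means the peer does not
trust this system's CA and an Inbound error means the connecting client does
not trust this system's CA.
"""
import re
from typing import Dict, List, Tuple

# Key="value" pairs; the closing quote is optional because some lines are cut off
KV_RE = re.compile(r'([\w-]+)="([^"]*)"?')

SAMPLE_LOG = """\
xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25016" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="xwaye.coluc.com" Level="1"
xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25264" Dst-ip="10.48.55.96" Dst-port="5061" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common-name="COLCM9PUB.coluc.com" Level="1"
xwaye tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25006" Dst-ip="10.48.55.99" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1"
xwayc tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.48.55.98" Src-port="25697" Dst-ip="10.48.55.99" Dst-port="7001" Detail="Peer's TLS certificate identity was unacceptable" Protocol="TLS" Common-name="10.48.55.99" Level="1"
xwayc XCP_JABBERD[23843]: Module="Jabber" Level="ERROR" CodeLocation="mio.c:1121" Detail="Unable to connect to host '10.48.55.99', port 7400:(111) Connection refused"
xwaye tvcs: Event="Authentication Failed" Service="SIP" Src-ip="10.48.55.98" Src-port="25723" Detail="Incorrect authentication credential for user" Protocol="TLS" Method="OPTIONS" Level="1"
"""


def parse(line: str) -> Dict[str, str]:
    """Split one diagnostic line into its Key="value" fields plus the logging host."""
    fields = dict(KV_RE.findall(line))
    fields["host"] = line.split(maxsplit=1)[0]
    return fields


def classify(f: Dict[str, str]) -> Tuple[str, str]:
    """Return (code, advice) for one parsed line."""
    event, detail = f.get("Event", ""), f.get("Detail", "")
    port = f.get("Dst-port", "")
    if "unknown ca" in detail:
        if event.startswith("Outbound"):
            if port == "7001":
                return ("ca-not-trusted-on-traversal-server",
                        "Expressway-E rejected our chain: add the issuing root to its trusted CA list")
            if port == "5061":
                return ("ca-not-trusted-on-cucm",
                        "CUCM rejected our chain: upload the root to CallManager-trust on every node")
            return ("ca-not-trusted-on-peer", "peer at %s rejected our chain" % f.get("Dst-ip"))
        return ("ca-not-trusted-on-traversal-client",
                "the connecting client rejected our chain: add the root to Expressway-C's trusted CA list")
    if "identity was unacceptable" in detail:
        return ("peer-address-mismatch",
                "peer address '%s' is not the CN/SAN of the certificate presented: "
                "use the FQDN that is in the certificate" % f.get("Common-name"))
    if "Connection refused" in detail and "port 7400" in detail:
        return ("xmpp-7400-refused",
                "XCP could not reach TCP 7400: check Dual NIC / LAN 2 on the target (disable or connect it)")
    if event == "Authentication Failed":
        return ("traversal-auth-failed",
                "digest auth for %s from %s failed: check the traversal zone username/password"
                % (f.get("Method"), f.get("Src-ip")))
    return ("unclassified", detail or "no Detail field")


def triage(log_text: str) -> List[str]:
    """Classification codes for every non-empty line, in order."""
    return [classify(parse(line))[0] for line in log_text.splitlines() if line.strip()]
```

The direction of the TLS error (Outbound vs Inbound) and the destination port together say which trust store to fix; that is the whole point of the classifier, and it is also the first thing to read off a real diagnostic log bundle.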

Troubleshooting
Password incorrect

Symptom: the traversal zone status on Expressway-C shows the failure for this zone. The TCP connection and the TLS handshake succeed; the failure is at SIP digest authentication.

Expressway-C diagnostic logs:

Module="network.dns" Level="DEBUG": Detail="Sending DNS query" Name="xwaye.coluc.com" Type="A and AAAA"
Module="network.dns" Level="DEBUG": Detail="Resolved hostname to: ['IPv4''TCP''10.48.55.99'] (A/AAAA) Number of relevant records retrieved: 1
Module="network.tcp" Level="DEBUG": Src-ip="10.48.55.98" Src-port="25723" Dst-ip="10.48.55.99" Dst-port="7001" Detail="TCP Connecting
Module="network.tcp" Level="DEBUG": Src-ip="10.48.55.98" Src-port="25723" Dst-ip="10.48.55.99" Dst-port="7001" Detail="TCP Connection Established

Password incorrect (contd.)

Expressway-C diagnostic logs:

Module="network.sip" Level="DEBUG": Action="Sent" Local-ip="10.48.55.98" Local-port="25723" Dst-ip="10.48.55.99" Dst-port="7001" Msg SIPMSG:
|OPTIONS sip:10.48.55.99:7001;transport=tls SIP/2.0
.
Module="network.sip" Level="DEBUG": Action="Received" Local-ip="10.48.55.98" Local-port="25723" Src-ip="10.48.55.99" Src-port="7001" SIPMSG:
|SIP/2.0 401 Unauthorised

WWW-Authenticate: Digest realm="TraversalZone", nonce="527e7f2a24ff1c54e3e4cd5025f674967e81d2aa9b214fda98cef27f3f82", opaque="AQAAAPet.
.
Module="network.sip" Level="DEBUG": Action="Sent" Local-ip="10.48.55.98" Local-port="25723" Dst-ip="10.48.55.99" Dst-port="7001" Msg SIPMSG:
|OPTIONS sip:10.48.55.99:7001;transport=tls SIP/2.0
.
Authorization: Digest nonce="527e7f2a24ff1c54e3e4cd5025f674967e81d2aa9b214fda98cef27f3f82", realm="TraversalZone", opaque="AQAAAPet+0JJTq4cyuB34opHePwV7bkk", algorithm=MD5, uri="sip:10.48.55.99:7001;transport=tls", username="xway", response=
...
2014-03-25T14:19:56+00:00 xwayc tvcs: UTCTime="2014-03-25 14:19:56,705" Module="network.sip" Level="DEBUG": Action="Received"...
SIPMSG:
|SIP/2.0 401 Unauthorised
.
Event="External Server Communications Failure" Reason="gatekeeper timed out" Service="NeighbourGatekeeper" Dst-ip="10.48.55.99" Dst-port="7001" Detail="name:xwaye.coluc.com" Protocol="TCP" Level="1" UTCTime="2014-03-25 14:19:56,705"

The first OPTIONS is challenged with a 401 (expected); the second OPTIONS carries the digest response and is challenged again, which means the server rejected the credential.

Troubleshooting
Password incorrect

Expressway-E diagnostic logs:

Module="network.ldap" Level="INFO": Detail="Authentication credential found in directory for identity: xway

Module="developer.nomodule" Level="WARN" CodeLocation="ppcmains/sip/sipproxy/SipProxyAuthentication.cpp(686)" Method="SipProxyAuthentication::checkDigestSAResponse" Thread="0x7f2485cb0700": calculated response does not match supplied response, calculatedResponse=769c8f488f71eebdf28b61ab1dc9f5e9, response=319a0bb365decf98c1bb7b3ce350f6ec

Event="Authentication Failed" Service="SIP" Src-ip="10.48.55.98" Src-port="25723" Detail="Incorrect authentication credential for user" Protocol="TLS" Method="OPTIONS" Level="1"

Expressway-E found the username (credential present in its directory) but the digest response computed from the stored password differs from the one the client supplied: the username is right and the password is wrong. The same failure is visible in the Expressway-C and Expressway-E event logs.
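Both sides of the digest exchange above in code, as an added example that is not Expressway's implementation. Realm, nonce, opaque, username, method and request-URI are the values from the OPTIONS / 401 exchange shown; the passwords are assumptions. The Authorization header above carries algorithm=MD5 and no qop directive, so the RFC 2617 no-qop formula is used; the server side reproduces the "calculated response does not match supplied response" check and additionally refuses a nonce it did not issue.

```python
"""SIP Digest authentication on the UC traversal zone, both sides of the exchange.

Added example, not Expressway code. Realm, nonce, opaque, username, method and
request-URI are the values from the OPTIONS / 401 exchange above; the passwords
are assumptions. The Authorization header above carries algorithm=MD5 and no qop
directive, so the RFC 2617 no-qop formula is used:
    response = MD5( MD5(user:realm:password) : nonce : MD5(method:uri) )
"""
import hashlib
import hmac
import re
from typing import Dict, Tuple

REALM = "TraversalZone"
NONCE = "527e7f2a24ff1c54e3e4cd5025f674967e81d2aa9b214fda98cef27f3f82"
OPAQUE = "AQAAAPet+0JJTq4cyuB34opHePwV7bkk"
USERNAME = "xway"
METHOD = "OPTIONS"
URI = "sip:10.48.55.99:7001;transport=tls"

# name=value or name="value", comma separated
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """RFC 2617 response without qop (what both sides compute)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_authorization(password: str) -> str:
    """Traversal client side: answer the 401 challenge from the slides."""
    response = digest_response(USERNAME, REALM, password, METHOD, URI, NONCE)
    return (f'Digest nonce="{NONCE}", realm="{REALM}", opaque="{OPAQUE}", '
            f'algorithm=MD5, uri="{URI}", username="{USERNAME}", response="{response}"')


def parse_authorization(header: str) -> Dict[str, str]:
    """Digest parameters of an Authorization header value."""
    body = header.split(None, 1)[1] if header.startswith("Digest") else header
    return {k: q or b for k, q, b in PARAM_RE.findall(body)}


def server_check(header: str, credentials: Dict[str, str],
                 issued_nonce: str = NONCE) -> Tuple[bool, str]:
    """Traversal server side: look up the user's credential and recompute the
    response, as Expressway-E does ("calculated response does not match ...")."""
    p = parse_authorization(header)
    if p.get("nonce") != issued_nonce:
        return False, "nonce was not issued by this server (stale or replayed)"
    password = credentials.get(p.get("username", ""))
    if password is None:
        return False, "no authentication credential in directory for identity"
    calculated = digest_response(p["username"], p["realm"], password,
                                 METHOD, p["uri"], p["nonce"])
    if hmac.compare_digest(calculated, p.get("response", "")):
        return True, "ok"
    return False, (f"calculated response does not match supplied response, "
                   f"calculatedResponse={calculated}, response={p.get('response')}")
```

The comparison uses a constant-time compare; the MD5 digest itself is what the zone uses and is kept here for fidelity, which is one reason the traversal link is always inside TLS.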

Mobile and Remote Access

UC Server Discovery

CUCM server discovery (Expressway-C queries the CUCM publisher over HTTPS, Tomcat UDS on port 8443):
- Discovers the hostnames (processnodetable)
- Discovers the version
- Discovers the cluster security mode (transport protocols)

Q: What do I enter as the Unified CM publisher address?
A: It depends on the TLS verify mode.

CUCM server discovery, TLS verify mode = On
- Publisher address must be an FQDN that matches the CN of the publisher's Tomcat certificate, or (*) an FQDN that matches a SAN of the publisher's Tomcat certificate
  (*) Per RFC 6125 the SAN match is the only valid statement; the CN is only consulted when the certificate carries no SAN
- The CA certificate must be uploaded to the trusted CA certificate list of Expressway-C

CUCM server discovery, TLS verify mode = Off
- No requirements for the publisher's Tomcat certificate (the HTTPS connection is still encrypted, but the server identity is not verified)

CUCM server discovery, zone configuration
- An auto-zone is created per node and per transport protocol; syntax: CEtcp-<UCMName> and CEtls-<UCMName>
- With discovery TLS verify mode = On, the CEtls-<UCMName> zone is created with TLS verify mode = On and its peer address must match the CN or a SAN of the CallManager certificate
- With discovery TLS verify mode = Off, the CEtls-<UCMName> zone is created with TLS verify mode = Off

CUCM server discovery, search rule configuration
- One search rule per node per transport protocol
- Pattern matching on the SIP Route header (see the INVITE in "Search rule matching for edge/MRA calls" later in this section)

Troubleshooting - Different server domain

Expressway-C: expwayC.edge1.com. CUCM: colcm9pub.coluc.com. Both use the internal DNS.

How does the server configuration on CUCM impact the discovery?

A discovered node shows Active when Expressway-C can DNS-resolve the name CUCM returns: either <hostname>.<Expressway domain> or the bare <hostname>. When CUCM is configured with a bare hostname and the Expressway and CUCM servers are in different domains, the DNS query fails for both colcm9pub.edge1.com and colcm9pub.

How to solve?

1) Use the FQDN for the server configuration on CCMADMIN. The node shows Active when Expressway-C can resolve <hostname>.<domain> exactly as configured in CCMADMIN, here colcm9pub.coluc.com and colcm9sub1.coluc.com.

2) Use the IP address for the server configuration on CCMADMIN (*). No DNS query is required, so the node always shows Active.

(*) Requires TLS verify mode = Off for mixed-mode configurations: an IP address will not match the DNS-ID SAN of the CallManager certificate, so identity verification would fail.

Troubleshooting - Self-signed certificates

TLS verify mode = On with self-signed CallManager and Tomcat certificates:
- When the Tomcat certificate is uploaded first, discovery succeeds
- When the CallManager certificate is uploaded first, discovery fails

TLS verify mode = On with self-signed CallManager/Tomcat certificates and encryption (Authenticated or Encrypted device security profiles): either discovery fails or the SIP TLS connections with CUCM fail. With self-signed certificates use TLS verify mode = Off and upload only the CUCM (CallManager) certificate.

Troubleshooting - Single server certificate (CallManager and Tomcat)

- Expressway disregards the CN for identity verification when SAN attributes are present
- RFC 6125 moves from CN-ID to DNS-ID, SRV-ID or URI-ID
- With TLS verify mode on for HTTPS (discovery) and for SIP TLS (edge calls), the CallManager and Tomcat certificates MUST carry the FQDN as a SAN DNS-ID

Troubleshooting - Multi-server certificates for UC application servers

- Multi-server certificates for CUCM/CUP have -ms appended to the CN
- The certificate has the SAN populated with all server nodes
- Expressway X8.2 and later supports multi-server certificates
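The two identity checks in this section side by side, as an added example that is neither CUCM nor Expressway code: the CUCM station check from the validTLSConnection traces (CN against the device name, then SAN against the security profile name) and the Expressway peer check (SAN DNS-IDs only when SANs are present, CN only as a fallback, an IP-literal peer address only against an iPAddress SAN). The certificate text is constructed in the format of `openssl x509 -noout -subject -ext subjectAltName`, using the subject and SAN values from the CUCM traces.

```python
"""Certificate identity checks from this section: the CUCM station check
(CN against the device name, then SAN against the security profile name) and
the Expressway peer check (SAN DNS-IDs only when SANs are present, per RFC 6125).

Added example, not CUCM or Expressway code. The certificate text is constructed
in the format of `openssl x509 -noout -subject -ext subjectAltName`, using the
subject and SAN values shown in the CUCM traces above.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed: Expressway-C certificate with the security profile name in the SAN
CERT_WITH_PROFILE = """\
subject=C = BE, ST = BRABANT, L = DIEGEM, O = CISCO, OU = TAC, CN = xwayc.coluc.com
X509v3 Subject Alternative Name:
    DNS:xwayc.coluc.com, DNS:conference-2-ecup9.coluc.com, DNS:csf-secure
"""
# Constructed: the same certificate without the profile name
CERT_WITHOUT_PROFILE = CERT_WITH_PROFILE.replace(", DNS:csf-secure", "")


def parse_identities(openssl_text: str) -> Tuple[Optional[str], List[str], List[str]]:
    """Return (CN, DNS SANs, IP SANs) from openssl's subject/SAN output."""
    cn = re.search(r"CN\s*=\s*([^,\n]+)", openssl_text)
    dns = re.findall(r"DNS:([^,\s]+)", openssl_text)
    ips = re.findall(r"IP Address:([^,\s]+)", openssl_text)
    return (cn.group(1).strip() if cn else None, dns, ips)


def cucm_station_check(cn, sans, device_name, security_profile) -> Tuple[bool, List[str]]:
    """Mirror of the validTLSConnection trace: CN vs device name, then SAN vs profile."""
    trace = []
    if cn and cn.lower() == device_name.lower():
        trace.append(f"TLS: CN matches device {device_name}")
        return True, trace
    trace.append(f"TLS InvalidX509NameInCertificate, Rcvd={cn}, Expected={device_name}. Will check SAN the next")
    if any(s.lower() == security_profile.lower() for s in sans):
        trace.append(f"Found matching SAN, SAN Rcvd={';'.join(sans)}, Expected={security_profile}")
        return True, trace
    trace.append(f"InvalidX509NameInCertificate Error, did not find matching SAN either, "
                 f"Rcvd={';'.join(sans)}, Expected={security_profile}")
    return False, trace


def _dns_id_match(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard in the left-most label only (RFC 6125 6.4.3)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return False


def expressway_peer_check(cn, dns_sans, ip_sans, peer_address) -> bool:
    """Peer address vs certificate identity. With SANs present the CN is ignored;
    an IP-literal peer address only ever matches an iPAddress SAN."""
    try:
        ip = ipaddress.ip_address(peer_address)
        return any(ipaddress.ip_address(s) == ip for s in ip_sans)
    except ValueError:
        pass
    if dns_sans or ip_sans:
        return any(_dns_id_match(s, peer_address) for s in dns_sans)
    return cn is not None and _dns_id_match(cn, peer_address)   # CN-ID fallback only when no SAN
```

Run against the two constructed certificates, the first passes the CUCM check and the second fails it at the SAN step, which is exactly the difference between the two CUCM traces; the Expressway check rejects both an IP-literal peer address and a non-matching FQDN, which are the two "identity was unacceptable" cases.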

Troubleshooting - Search rule matching for edge/MRA calls

The Route header of the INVITE selects the CEtls-/CEtcp- zone. It is set by the client based on the device pool (which CUCM node) and the device security mode (TLS or TCP transport):

|INVITE sip:2000@cucm10p.coluc.com;user=phone SIP/2.0
Via: SIP/2.0/TLS 10.48.55.93:7001;egress-zone=TraversalUC;branch=
Via: SIP/2.0/TLS 10.48.55.106:52008;branch=z9hG4bK000073dc;received=10.48.55.106;ingress-zone=CollaborationEdgeZone
Call-ID: 0050568a-003a0004-0000592c-00003095@10.48.55.106
CSeq: 101 INVITE
Remote-Party-ID: "5445" <sip:5445@cucm10p.coluc.com>;party=calling;id-type=subscriber;privacy=off;screen=yes
Contact: <sip:1622b86e-bc3b-fa8c-66d3-2d7a96c892bf@10.48.55.106:52008;transport=tls>;video;bfcp
From: "5445" <sip:5445@cucm10p.coluc.com>;tag=0050568a003a000800006fdd-00006fe8
To: <sip:2000@cucm10p.coluc.com>
Max-Forwards: 10
Route: <sip:cucm10p.coluc.com;transport=tls;lr>
Record-Route: <sip:proxy-call-id=a8c00915-9391-463a-a99d-fd511ca1ed85@10.48.55.93:7001;transport=tls;lr;zone-id=1>
Record-Route: <sip:proxy-call-id=a8c00915-9391-463a-a99d-fd511ca1ed85@10.48.55.93:5061;transport=tls;lr>
Allow: ACK,BYE,CANCEL,INVITE,NOTIFY,OPTIONS,REFER,REGISTER,UPDATE,SUBSCRIBE,INFO
User-Agent: Cisco-CSF
.

Mobile and Remote Access

DNS and Domain

Domain configuration
- Expressway-C and Expressway-E DNS configuration: System > DNS
- Expressway-C domain configuration: Configuration > Domains

Client service discovery

Service discovery enables clients and endpoints to automatically detect and locate services: the client/endpoint queries DNS for service (SRV) records that provide the location of the servers.

- Clients/endpoints outside the internal network must be able to resolve _collab-edge._tls.<domain>, with the Expressway-E server as target
- Clients/endpoints and Expressway-C inside the internal network must be able to resolve the _cisco-uds._tcp.<domain> SRV record, with the CUCM server as target
- The external DNS must not resolve _cisco-uds._tcp SRV records: a client that gets an answer for it treats itself as inside the network and will not go through Expressway-E
- The internal DNS must not resolve _collab-edge._tls SRV records
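The SRV rules above as a check over a pair of constructed DNS views, as an added example that is not Cisco code. It also covers the mixed-domain scenarios that follow: the discovery domain is the voiceservicesdomain from jabber-config.xml when that is set, otherwise the login domain, which is why scenario 2 publishes _collab-edge._tls.domain2.com and _cisco-uds._tcp.domain2.com while users log in with @domain1.com. Zone contents are constructed for scenario 2.

```python
"""Which SRV records a Jabber client and Expressway-C must (and must not) be able
to resolve, checked against constructed DNS zones for the scenarios in this
section. Added example, not Cisco code. The discovery domain rule (the
voiceservicesdomain from jabber-config.xml when set, otherwise the login
domain) is the one the scenarios below use; zone contents are constructed.
"""
from typing import Dict, List, Optional, Tuple

SrvZone = Dict[str, List[Tuple[str, int]]]   # SRV name -> [(target, port)]


def discovery_domain(login_domain: str, voice_services_domain: Optional[str] = None) -> str:
    return voice_services_domain or login_domain


def srv_names(login_domain: str, voice_services_domain: Optional[str] = None) -> Dict[str, str]:
    d = discovery_domain(login_domain, voice_services_domain)
    return {"internal": f"_cisco-uds._tcp.{d}", "external": f"_collab-edge._tls.{d}"}


def client_path(view: SrvZone, login_domain: str, voice_services_domain: Optional[str] = None) -> str:
    """What a client concludes from one DNS view: _cisco-uds first (on-premises),
    then _collab-edge (MRA via Expressway-E), else no service."""
    names = srv_names(login_domain, voice_services_domain)
    if view.get(names["internal"]):
        return "on-premises"
    if view.get(names["external"]):
        return "mra"
    return "no-service"


def check_split_horizon(external: SrvZone, internal: SrvZone, login_domain: str,
                        voice_services_domain: Optional[str] = None) -> List[str]:
    """Problems with the external/internal zone pair for this deployment."""
    names = srv_names(login_domain, voice_services_domain)
    problems = []
    if not external.get(names["external"]):
        problems.append(f"external DNS lacks {names['external']} (remote clients cannot find Expressway-E)")
    if not internal.get(names["internal"]):
        problems.append(f"internal DNS lacks {names['internal']} (Expressway-C and inside clients cannot find CUCM)")
    if external.get(names["internal"]):
        problems.append(f"external DNS answers {names['internal']} (remote clients would try a direct CUCM connection)")
    if internal.get(names["external"]):
        problems.append(f"internal DNS answers {names['external']} (inside clients would go out through Expressway-E)")
    for view_name, view, key in (("external", external, "external"), ("internal", internal, "internal")):
        for target, port in view.get(names[key], []):
            if port != 8443:
                problems.append(f"{view_name} {names[key]} -> {target}:{port}, expected port 8443")
    return problems


# Constructed zones for scenario 2: Expressway in domain2.com, UC in domain1.com,
# login domain domain1.com, voiceservicesdomain domain2.com
SCENARIO2_EXTERNAL: SrvZone = {"_collab-edge._tls.domain2.com": [("xwayE.domain2.com", 8443)]}
SCENARIO2_INTERNAL: SrvZone = {"_cisco-uds._tcp.domain2.com": [("cucm.domain1.com", 8443)]}
```

The same check run with the voiceservicesdomain left unset shows the failure mode of scenario 2 done half-way: the client looks for _collab-edge._tls.domain1.com, finds nothing, and never reaches Expressway-E.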

Expressway Mobile and Remote Access
Domain and DNS configuration

Scenario 1 - flat domain structure
- Expressway servers: domain1.com (xwayE.domain1.com, xwayC.domain1.com)
- UC servers: domain1.com (cucm.domain1.com, cup.domain1.com)
- IM&P domain: domain1.com

Q: How do I log in?
A: With <userid>@domain1.com

Q: How is my external DNS configured?
A:
  Entry                                       Resolves to
  SRV record _collab-edge._tls.domain1.com    xwayE.domain1.com port 8443
  A record xwayE.domain1.com                  external IP address of Expressway-E

Q: How is my Expressway-E configured?
A: System > DNS: system host name xwayE, domain name domain1.com

Q: How is my Expressway-C configured?
A: System > DNS: system host name xwayC, domain name domain1.com
   Configuration > Domains: domain1.com enabled for Unified CM registrations and IM and Presence

Q: How is my internal DNS configured?
A:
  Entry                                       Resolves to
  SRV record _cisco-uds._tcp.domain1.com      cucm.domain1.com port 8443
  A record cucm.domain1.com                   IP address of CUCM

Q: How is my CUCM configured?
A: CCMADMIN > System > Server: server with hostname cucm
   CLI: set network domain domain1.com

Q: How is my CUP configured?
A: CUP Admin > Cluster Topology: node configuration with cup.domain1.com; IM and Presence domain domain1.com
ExpressWay Mobile and Remote Access


Domain and DNS configuration

Scenario 2
- Mixed domain structure
- Expressway servers : domain2.com
- UC and CUP servers : domain1.com
- IM&P domain : domain1.com

Jabber Client

External DNS

Expressway E

cup.domain1.com
IM&P Domain =
domain1.com

Expressway C

xwayE.domain2 com xwayC.domain2.com

Internal DNS

CUCM Home UDS

cucm.domain1.com

IMP Server

ExpressWay Scenario 2
Domain and DNS configuration

Jabber Client

External DNS

Expressway E

xwayE.domain2 com

Expressway C

xwayC.domain2.com

Internal DNS

CUCM Home UDS

cucm.domain1.com

IMP Server

cup.domain1.com
with
IM and Presence Domain =

domain1.com

Question : How do I login?


Answer :
- With <userid>@domain1.com (*)
- jabber-config.xml has voiceservicesdomain set to domain2.com

ExpressWay Scenario 2
Domain and DNS configuration

Jabber Client

External DNS

Expressway E

xwayE.domain2 com

ExpressWay C

Internal DNS

xwayC.domain2.com

CUCM Home UDS

cucm.domain1.com

Question: How is my external DNS configured?


Answer:
Entry

Resolves to

SRV record _collab-edge._tls.domain2.com

xwayE.domain2.com port 8443

A record xwayE.domain2.com

External IP address ExpressWay E

IMP Server

cup.domain1.com
with
IM and Presence Domain =
domain1.com

ExpressWay Scenario 2
Domain and DNS configuration

Jabber Client

External DNS

Expressway E

ExpressWay C

Internal DNS

xwayC.domain1.com

Question: How is my ExpressWay E configured?


Answer:
> System > DNS >
- System host name xwayE
- Domain name domain2.com

CUCM Home UDS

cucm.domain1.com

IMP Server

cup.domain1.com
with
IM and Presence Domain =
domain1.com

ExpressWay Scenario 2
Domain and DNS configuration

Jabber Client

External DNS

Expressway E

xwayE.domain2 com

ExpressWay C

Internal DNS

CUCM Home UDS

cucm.domain1.com

IMP Server

cup.domain1.com
with
IM and Presence Domain =
domain1.com

Question: How is my ExpressWay C configured?


Answer:
> System > DNS >
- System host name xwayC
- Domain name domain2.com
> Configuration > Domains >
- Domain domain1.com enabled for UCM registrations and IM and Presence
- Domain domain2.com enabled for UCM registrations and IM and Presence

ExpressWay Scenario 2
Domain and DNS configuration

Question: How is my Internal DNS configured?

Answer:
Entry                                   Resolves to
SRV record _cisco-uds._tcp.domain2.com  cucm.domain1.com port 8443
A record cucm.domain1.com               IP address CUCM

ExpressWay Scenario 2
Domain and DNS configuration

Question: How is my CUCM configured?

Answer:
> CCMADMIN > System > Server
- Server with hostname cucm
> CLI set network domain domain1.com

ExpressWay Scenario 2
Domain and DNS configuration

Question: How is my CUP configured?

Answer:
> CUPAdmin > Cluster topology
- Node configuration with cup.domain1.com
- IM and Presence Domain with domain1.com

ExpressWay Mobile and Remote Access

Domain and DNS configuration

Scenario 3
- Mixed domain structure
- Expressway servers : domain3.com
- UC and CUP servers : domain2.com
- IM&P domain : domain1.com

[Diagram: Jabber Client, External DNS, Expressway E (xwayE.domain3.com), Expressway C (xwayC.domain3.com), Internal DNS, CUCM Home UDS (cucm.domain2.com), IMP Server (cup.domain2.com) with IM&P Domain = domain1.com]

ExpressWay Scenario 3
Domain and DNS configuration

Question: How do I login?

Answer:
- With <userid>@domain1.com
- jabber-config.xml has voiceservicesdomain set to domain3.com

ExpressWay Scenario 3
Domain and DNS configuration

Question: How is my external DNS configured?

Answer:
Entry                                     Resolves to
SRV record _collab-edge._tls.domain3.com  xwayE.domain3.com port 8443
A record xwayE.domain3.com                External IP address ExpressWay E

ExpressWay Scenario 3
Domain and DNS configuration

Question: How is my ExpressWay E configured?

Answer:
> System > DNS >
- System host name xwayE
- Domain name domain3.com

ExpressWay Scenario 3
Domain and DNS configuration

Question: How is my ExpressWay C configured?

Answer:
> System > DNS >
- System host name xwayC
- Domain name domain3.com
> Configuration > Domains >
- Domain domain1.com enabled for UCM registrations and IM and Presence
- Domain domain2.com enabled for UCM registrations and IM and Presence
- Domain domain3.com enabled for UCM registrations and IM and Presence

ExpressWay Scenario 3
Domain and DNS configuration

Question: How is my Internal DNS configured?

Answer:
Entry                                   Resolves to
SRV record _cisco-uds._tcp.domain3.com  cucm.domain2.com port 8443
A record cucm.domain2.com               IP address CUCM

ExpressWay Scenario 3
Domain and DNS configuration

Question: How is my CUCM configured?

Answer:
> CCMADMIN > System > Server
- Server with hostname cucm
> CLI set network domain domain2.com

ExpressWay Scenario 3
Domain and DNS configuration

Question: How is my CUP configured?

Answer:
> CUPAdmin > Cluster topology
- Node configuration with cup.domain2.com
- IM and Presence Domain with domain3.com

Troubleshooting - CNAME Considerations

The target URL Jabber requests can be a subdomain of the cookie domain returned by the HTTP server (Expressway E):
-> Cookie domain : cisco.com
-> Target URL : expressway.internal.cisco.com

The cookie is returned by the server in the get_edge_config response.

The cookie is saved and re-used for subsequent HTTP requests.

With correct domain/DNS/alias configuration Jabber will show
-> Cookies size = 1
With incorrect domain/DNS/alias configuration Jabber will show
-> Cookies size = 0
Jabber does not save the cookie and discovery will fail.

Troubleshooting - CNAME Considerations

[csf.httpclient] [http::executeImpl] - *-----* HTTP response from:
https://expway.cisco.com:8443/dmFyZGUuZGs/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin[2] -> 200.
[csf.edge] [netutils::adapters::httpResponseToEdgeResponse] - Cookie : .cisco.com TRUE/TRUE 1421787961 X-Auth 47159c6b-e978-4583-a433-5d56ed2671be
[csf.edge] [netutils::adapters::httpResponseToEdgeResponse] - Cookies size = 1

[csf.netutils.adapters] [netutils::adapters::EdgeUtilsAdapter::transformRequest] - Transformed
Urls:https://expway.cisco.com:8443/dmFyZGUuZGsvaHR0cHMvMTAuMTg0LjEuNTIvODQ0Mw/cucm-uds/user/93085
[csf.edge] [edge::EdgeUtilsImpl::transformHttpCookies] - Transforming 0 Http Cookies for each transformedUrl -size: 2
[csf.edge] [edge::EdgeUtilsImpl::getHttpCookies] - checking if http cookies can be returned from cached edge config
[csf.httpclient] [http::CurlHttpUtils::setCookies] - setting cookie : X-Auth

For each HTTP request Jabber searches its cached cookies.
If one is found and the cookie domain matches the target, it is used in the subsequent request.

Troubleshooting - CNAME Considerations

[csf.httpclient] [http::executeImpl] - *-----* HTTP response from:
https://expway.cisco.com:8443/dmFyZGUuZGs/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin[2] -> 200.
[csf.edge] [netutils::adapters::httpResponseToEdgeResponse] - Cookie : .internal.com TRUE/TRUE 1421787961 X-Auth 47159c6b-e978-4583-a433-5d56ed2671be
[csf.edge] [netutils::adapters::httpResponseToEdgeResponse] - Cookies size = 0

** Discovery has failed. Calling Callback! **

The cookie domain (.internal.com) does not match the HTTP target domain (expway.cisco.com), so the cookie is discarded.
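The cookie domain check that decides between "Cookies size = 1" and "Cookies size = 0", as an added example that is not Jabber's code: it reads constructed log lines in the shape shown above and applies RFC 6265 domain matching between the returned cookie domain and the host the response came from.

```python
import re

# Constructed log excerpts shaped like the csf.edge lines above: the host the
# get_edge_config response came from, then the cookie domain Expressway E returned.
MATCHING_DOMAIN_LOG = [
    "[csf.httpclient] [http::executeImpl] - *-----* HTTP response from: "
    "https://expway.cisco.com:8443/dmFyZGUuZGs/get_edge_config?service_name=_cisco-uds -> 200.",
    "[csf.edge] [netutils::adapters::httpResponseToEdgeResponse] - Cookie : .cisco.com TRUE/TRUE "
    "1421787961 X-Auth 47159c6b-e978-4583-a433-5d56ed2671be",
]
MISMATCHED_DOMAIN_LOG = [
    "[csf.httpclient] [http::executeImpl] - *-----* HTTP response from: "
    "https://expway.cisco.com:8443/dmFyZGUuZGs/get_edge_config?service_name=_cisco-uds -> 200.",
    "[csf.edge] [netutils::adapters::httpResponseToEdgeResponse] - Cookie : .internal.com TRUE/TRUE "
    "1421787961 X-Auth 47159c6b-e978-4583-a433-5d56ed2671be",
]

RESPONSE_HOST = re.compile(r"HTTP response from:\s*https?://([^/:\s]+)")
COOKIE_DOMAIN = re.compile(r"Cookie : (\S+)")


def domain_matches(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: the request host must equal the cookie
    domain or be a subdomain of it (label boundary required, so 'notcisco.com' does
    not match 'cisco.com'); a host given as an IP address never domain-matches."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower().rstrip(".")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", request_host):
        return False
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_kept(log_lines) -> int:
    """Replay the edge-config response from log lines and return how many cookies a
    domain-matching client keeps, i.e. the 'Cookies size' value Jabber logs."""
    host = None
    kept = 0
    for line in log_lines:
        found = RESPONSE_HOST.search(line)
        if found:
            host = found.group(1)
            continue
        found = COOKIE_DOMAIN.search(line)
        if found and host and domain_matches(found.group(1), host):
            kept += 1
    return kept
```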

Troubleshooting
ExpressWay or UC Server Domain not configured

ExpressWay or UC server domain not added, or not enabled for Unified Communications

Jabber login will fail with "Cannot communicate with the server"

Diagnostic logs will show

HTTPMSG:|GET https:///Y29sdWMuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Accept: */*
User-Agent: Jabber-Win-345
HTTPMSG:|HTTP/1.1 403 Forbidden
Date: Mon, 17 Mar 2014 16:07:20 GMT
Connection: close
Server: CE_E
Content-Length: 0|

Y29sdWMuY29t decodes to coluc.com

Troubleshooting
IM&P Domain not configured (UC Domain)

IM&P domain not added or not enabled for IM&P

Jabber login will fail with "Cannot communicate with the server"

Diagnostic logs will show

xwaye XCP_JABBERD[12144]: UTCTime="2014-03-14 14:30:25,310" ThreadID="140582990952192" Module="Jabber" Level="INFO "
Detail="bouncing a packet to 'domain3.com' from 'cm-1_jsmcp-1.xwaye-domain1.com'"
xwaye XCP_CM[12513]: UTCTime="2014-03-14 14:30:25,310" ThreadID="140004551300864"
Module="cm-1.xwaye-domain1.com" Level="INFO " CodeLocation="SASLManager.cpp:198"
Detail="Failed to query auth component for SASL mechanisms"

Tool bookmark

Service record lookups

https://mxtoolbox.com/NetworkTools.aspx

Tool bookmark

Base64 decoding/encoding

https://www.base64decode.org

Tool Bookmark - Jabber URL transform

Jabber transforms original Url: http://colcm9pub:6970/CSFxwayj.cnf.xml

Base Url with appended Edge domain: coluc.com/

Base Url with appended protocol: coluc.com/http/

Base Url with appended host: coluc.com/http/colcm9pub

Base Url before encoding: coluc.com/http/colcm9pub/6970

Encoded Base64 Url: Y29sdWMuY29tL2h0dHAvY29sY205cHViLzY5NzA=

Transformed Url:
https://xwaye.coluc.com:8443/Y29sdWMuY29tL2h0dHAvY29sY205cHViLzY5NzA=/CSFxwayj.cnf.xml
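The transform above and its inverse, as an added Python example that is not Jabber's or Expressway's code. It assumes the scheme default port when the original URL carries none, and it restores the Base64 padding that logged URLs drop, so the transformed URL in the CNAME log earlier can be read back as varde.dk/https/10.184.1.52/8443.

```python
import base64
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def transform_url(original_url: str, edge_domain: str, expressway_e: str, edge_port: int = 8443) -> str:
    """Apply the transform shown above: '<edge domain>/<scheme>/<host>/<port>' is
    Base64-encoded and becomes the first path segment of the request to Expressway E,
    with the original resource path appended unchanged.
    Assumption: an original URL without a port uses the scheme default."""
    parts = urlsplit(original_url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    base = f"{edge_domain}/{parts.scheme}/{parts.hostname}/{port}"
    encoded = base64.b64encode(base.encode("ascii")).decode("ascii")
    return f"https://{expressway_e}:{edge_port}/{encoded}{parts.path}"


def decode_edge_path(transformed_url: str) -> dict:
    """Reverse the transform for a URL copied from a Jabber or Expressway log.
    Logged URLs often omit the '=' padding (e.g. '...NTIvODQ0Mw'), so padding is
    restored before decoding. Two segment forms occur on this page: a bare
    '<edge domain>' (get_edge_config) and '<edge domain>/<scheme>/<host>/<port>'."""
    path = urlsplit(transformed_url).path.lstrip("/")
    segment, _, resource = path.partition("/")
    padded = segment + "=" * (-len(segment) % 4)
    fields = base64.b64decode(padded).decode("ascii").split("/")
    info = {"edge_domain": fields[0], "resource": resource}
    if len(fields) == 4:
        scheme, host, port = fields[1], fields[2], int(fields[3])
        info.update(scheme=scheme, host=host, port=port,
                    original_url=f"{scheme}://{host}:{port}/{resource}")
    return info
```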

Tool bookmark Jabber get_edge_config

A good way to verify that the basic MRA components are in place is to run the first
HTTP request Jabber would do.

To do this verification, open a browser and enter the following URL to verify that the
HTTP reverse proxy is working and that the ExpressWay-C can discover the DNS records:
https://xwaye.coluc.com:8443/Y29sdWMuY29/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin

The Base64 path segment encodes COLUC.COM.
Use CUCM user credentials when prompted by the browser.

Tool bookmark Jabber get_edge_config

Service Config

Expressway Diagnostic Logs

Diagnostics logs

XMPP Federation

XMPP Federation Support

XMPP Federation on CUP

XMPP Federation Support

XMPP Federation on Expressway E

XMPP Federation Configuration Tasks

XMPP Federation Support


DNS vs Static
Dialback Secret
Security mode
Privacy mode
Serviceability

XMPP Federation Support

Disable XMPP Federation on CUP


Cisco Unified CM IM and Presence Administration > Presence > Inter Domain
Federation > XMPP Federation > Settings

XMPP Federation Support

Expressway C
Enable Domain for XMPP Federation

Expressway E
Enable XMPP Federation feature

XMPP Federation Support

Verify Notifications on CUP for restart XCP router

XMPP Federation Support

Expressway C shows

Event="System Configuration Changed" Node="clusterdb@10.48.55.94"


Detail="xconfiguration xcpS2SStatus uuid 9896d611-5603-408e-bec4-6cc2e9bad514
remote_address: 10.48.55.113:7001 remote_address: 10.48.55.113:7001"
Event="System Configuration Changed" Node="clusterdb@10.48.55.94"
Detail="xconfiguration xcpS2SStatus uuid 9896d611-5603-408e-bec4-6cc2e9bad514
remote_address: 10.48.55.113:7001 s2s_realm: cm-2_s2scp-1.eft-xwye-a-coluc-com"
Module="network.axl" Level="INFO" Action="Send"
URL="https://ecup10.coluc.com:8443/axl/" Function="executeSQLQuery"

CUP shows

admin:run sql select * from xmpps2snodes
pkid                                  cp_id
===============================================================
055c13d9-943d-459d-a3c6-af1d1176936d  cm-2_s2scp-1.eft-xwye-a-coluc-com

XMPP Federation

XMPP Federation Support


DNS vs Static
Dialback Secret
Security mode
Privacy mode
Serviceability

DNS vs Static Routes

[Diagram: domain COLUC.COM (user1@coluc.com on port 5222 to the UC IM&P server, XCP port 7400 between IM&P and Expressway-C, Expressway-E in the DMZ) federating over S2S port 5269 with domain VNGTP.LAB (employee1@vngtp.lab); Expressway-E locates the remote domain by DNS SRV lookup or by static route; the remote side can be UC IM&P, IBM Sametime, Cisco Webex, GoogleTalk or another XMPP server]

DNS vs Static Routes

Static routes = Off

Queries for SRV records


_XMPP-SERVER._TCP.<domain>
_XMPP-SERVER._TCP.<chat node alias>

DNS vs Static Routes

Static routes = On

Queries static routes configured with failover to DNS

DNS vs Static Routes

Scenario - XMPP Federation with DNS


XCP_CM2[1382]:..Level="INFO " Detail="Starting resolver lookup for 'vngtp.lab:puny=vngtp.lab:service=_xmpp-server._tcp:defport=0
XCP_CM2[1382]:..Level="DEBUG" Detail="_lookup: look for static route for info->host=vngtp.lab:info->service=_xmpp-server._tcp:info>socktype=1'
XCP_CM2[1382]:..Level="INFO " Detail="_lookupSRV: static routes not found, proceed to SRV lookup'
XCP_CM2[1382]:..Level="INFO " Detail="(54fe6aa8-687d-40d6-8954-8d9bac710652, coluc.com:vngtp.lab, OUT)
resolved outbound address for host=vngtp.lab method=SRV _xmpp-server._tcp addrs=10.48.36.171:5269 ...

DNS vs Static

Scenario - XMPP Federation with Static Routes


XCP_CM2[20104]:..Level="INFO "..Detail="Starting resolver lookup for 'vngtp.lab:puny=vngtp.lab:service=_xmpp-server._tcp:defport=0'"
XCP_CM2[20104]:..Level="DEBUG"..Detail="_lookup: look for static route for info->host=vngtp.lab:info->service=_xmpp-server._tcp:info>socktype=1'"
XCP_CM2[20104]:..Level="DEBUG"..Detail="_lookup: static route match static_route.GetDomain()=vngtp.lab'"
XCP_CM2[20104]:..Level="DEBUG"..Detail="_lookup: static route add host=10.48.36.171, port=5269'"
XCP_CM2[20104]:..Level="INFO "..Detail="_lookupSRV: static routes found'"

DNS vs Static

Scenario No Matching Configured Static Route, DNS Failover


XCP_CM2[24046]: ..Level="INFO "..Detail="Starting resolver lookup for 'vngtp.lab:puny=vngtp.lab:service=_xmpp-server._tcp:defport=0'"
XCP_CM2[24046]: ..Level="DEBUG"..Detail="_lookup: look for static route for info->host=vngtp.lab:info->service=_xmpp-server._tcp:info>socktype=1'"
XCP_CM2[24046]: ..Level="1" Subject="cm-2.eft-xwye-a-coluc-com" Event="Static route did not match domain:[vngtp.com]" Module="XMPPFederation"
XCP_CM2[24046]: ..Level="INFO "..Detail="_lookupSRV: static routes not found, proceed to SRV lookup'"
XCP_CM2[24046]: ..Level="INFO "..Detail="Finished resolver lookup for 'vngtp.lab:puny=vngtp.lab:service=_xmpp-server._tcp:defport=0'. Took 0.000652s"

DNS vs Static

When no static routes are defined for a federated domain or chat node alias,
the system uses DNS instead.

If static routes are defined for the federated domain or chat node alias
but the remote system cannot be contacted over those routes,
the system does not fall back to DNS.

If Privacy mode is set to Allow list and Use static routes is On,
any domains (or chat node aliases) that are configured as static routes
are included automatically in the allow list.

XMPP Federation

XMPP Federation Support


DNS vs Static
Dialback Secret
Security mode
Privacy mode
Serviceability

XMPP Federation Server Dialback

XMPP Federation Server Dialback

What is Dialback server?

Identity verification with the federated domain, between three roles: Initiating Server (DOMAIN1), Receiving Server (DOMAIN2) and Authoritative Server (DOMAIN1)

- Initiating Server sends dialback key to Receiving Server
- Receiving Server sends verify request to Authoritative Server
- Authoritative Server sends verify response to Receiving Server
- Receiving Server reports dialback result to Initiating Server

XMPP Federation Server Dialback

Initiating Server
XCP_CM2[12122]:.. Level="INFO " CodeLocation="stanza.component.out" Detail="xcoder=34A9B60C8 sending::
<db:result from='coluc.com' to='vngtp.lab'>d780f198ac34a6dbd795fcdaf8762eaf52ea9b03</db:result>"
XCP_CM2[12122]:.. Level="DEBUG" CodeLocation="stream.out" Detail="(00000000-0000-0000-0000-000000000000, coluc.com:vngtp.lab, OUT)
xcoder=34A9B60C8 Scheduling dialback timeout in 30 secs."
XCP_CM2[12122]:.. Level="INFO " CodeLocation="ConnInfoHistory" Detail="Connection state change: PENDING->CONNECTED:

XMPP Federation Server Dialback

Receiving Server

XCP_CM2[22992]:.. Level="VBOSE" CodeLocation="stanza.component.in" Detail="xcoder=05E295A2B received::
<db:result from='coluc.com' to='vngtp.lab'>d780f198ac34a6dbd795fcdaf8762eaf52ea9b03</db:result>
..
XCP_CM2[22992]:.. Level="INFO " CodeLocation="Resolver.cpp:128" Detail="Starting resolver lookup for 'coluc.com:puny=coluc.com:service=_xmpp-server._tcp:defport=0'
..
XCP_CM2[22992]:.. Level="INFO " CodeLocation="debug" Detail="(e5b18d01-fe24-4290-bba1-a57788a76468, vngtp.lab:coluc.com, IN)
resolved dialback address for host=coluc.com method=SRV dns-timings=(TOTAL:0.003157 SRV:0.002885)
..
XCP_CM2[22992]:.. Level="INFO " CodeLocation="DBVerify.cpp:270" Detail="(e5b18d01-fe24-4290-bba1-a57788a76468, vngtp.lab:coluc.com, IN)
DBVerify stream is open. Sending db:verify packet: <db:verify from='vngtp.lab' id='05E295A2B' to='coluc.com'>d780f198ac34a6dbd795fcdaf8762eaf52ea9b03</db:verify>
..
XCP_CM2[22992]:.. Level="INFO " CodeLocation="DBVerify.cpp:282" Detail="(e5b18d01-fe24-4290-bba1-a57788a76468, vngtp.lab:coluc.com, IN)
DBVerify Packet Received <db:verify from='coluc.com' id='05E295A2B' to='vngtp.lab' type='valid'>d780f198ac34a6dbd795fcdaf8762eaf52ea9b03</db:verify>


XMPP Federation Server Dialback

Authoritative Server

XCP_CM2[5164]:..Level="INFO " CodeLocation="debug" Detail="xcoder=94A9B60C8 onStreamOpen::
<stream:stream from='vngtp.lab' id='1327B794B' to='coluc.com' version='1.0' xml:lang='en-US.UTF-8' xmlns='jabber:server'
xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams'/>
..
XCP_CM2[5164]:..Level="VBOSE" CodeLocation="stanza.component.in" Detail="xcoder=94A9B60C8 received::
<db:verify from='vngtp.lab' id='05E295A2B' to='coluc.com'>d780f198ac34a6dbd795fcdaf8762eaf52ea9b03</db:verify>
..
XCP_CM2[5164]:..Level="INFO " CodeLocation="stream.in" Detail="xcoder=94A9B60C8 closing stream used for dialback only"
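The three-role exchange from the initiating, receiving and authoritative server logs above, as an added simulation that is not Expressway code. The key derivation uses the recipe XEP-0220 recommends, which is an assumption because the page does not state Expressway's algorithm; the secrets and stream ids are constructed, and the second run shows why a server that lacks the domain's dialback secret cannot get a valid result.

```python
import hashlib
import hmac
import re


def _attr(stanza: str, name: str) -> str:
    """Read one attribute of a dialback stanza; a regex is enough for these prefixed elements."""
    match = re.search(rf"\b{name}='([^']*)'", stanza)
    return match.group(1) if match else ""


def _key_text(stanza: str) -> str:
    match = re.search(r">([0-9a-f]+)<", stanza)
    return match.group(1) if match else ""


class XmppServer:
    """One XMPP domain that can take any of the three dialback roles."""

    def __init__(self, domain: str, dialback_secret: str):
        self.domain = domain
        self._secret = dialback_secret
        self.pending = {}       # stream id -> originating domain still being verified
        self.validated = set()  # (originating domain, stream id) pairs that passed dialback

    def dialback_key(self, receiving: str, originating: str, stream_id: str) -> str:
        # Assumed recipe (XEP-0220 section 2.4); the page does not state Expressway's:
        # key = HMAC-SHA256(SHA256(secret), receiving + ' ' + originating + ' ' + stream id)
        hmac_key = hashlib.sha256(self._secret.encode()).hexdigest().encode()
        message = f"{receiving} {originating} {stream_id}".encode()
        return hmac.new(hmac_key, message, hashlib.sha256).hexdigest()

    # Step 1, initiating server: send the key on the new outbound stream (db:result).
    def send_result(self, receiving: str, stream_id: str) -> str:
        key = self.dialback_key(receiving, self.domain, stream_id)
        return f"<db:result from='{self.domain}' to='{receiving}'>{key}</db:result>"

    # Step 2, receiving server: resolve the claimed domain (the SRV lookup in the logs
    # above) and ask it over a separate stream to verify the key (db:verify).
    def on_result(self, stanza: str, stream_id: str) -> str:
        originating = _attr(stanza, "from")
        self.pending[stream_id] = originating
        return (f"<db:verify from='{self.domain}' id='{stream_id}' to='{originating}'>"
                f"{_key_text(stanza)}</db:verify>")

    # Step 3, authoritative server: recompute the key with its own secret; only a
    # server holding that secret can answer type='valid'.
    def on_verify(self, stanza: str) -> str:
        receiving, stream_id = _attr(stanza, "from"), _attr(stanza, "id")
        expected = self.dialback_key(receiving, self.domain, stream_id)
        ok = _attr(stanza, "to") == self.domain and hmac.compare_digest(expected, _key_text(stanza))
        verdict = "valid" if ok else "invalid"
        return f"<db:verify from='{self.domain}' id='{stream_id}' to='{receiving}' type='{verdict}'/>"

    # Step 4, receiving server: record the verdict and report it to the initiating server.
    def on_verify_response(self, stanza: str) -> str:
        stream_id, verdict = _attr(stanza, "id"), _attr(stanza, "type")
        originating = self.pending.pop(stream_id)
        if verdict == "valid":
            self.validated.add((originating, stream_id))
        return f"<db:result from='{self.domain}' to='{originating}' type='{verdict}'/>"


def run_dialback(initiating: XmppServer, receiving: XmppServer,
                 authoritative: XmppServer, stream_id: str) -> str:
    """Drive one dialback round trip and return the result type the initiator receives."""
    result = initiating.send_result(receiving.domain, stream_id)
    verify_request = receiving.on_result(result, stream_id)
    verify_response = authoritative.on_verify(verify_request)
    return _attr(receiving.on_verify_response(verify_response), "type")
```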

Tool Bookmark - Wireshark

XMPP Federation Server Dialback

Scenario - DNS problem on Receiving Server

Initiator shows

XMPP Federation Server Dialback

Scenario - DNS problem on Receiving Server

Receiving Server event log shows

XMPP Federation Server Dialback

After the timeout XMPP traffic will fail: the domain pair is blocked for 30 min
XCP_CM2[21104]: CodeLocation="stanza.router.in" Detail="cm-2_s2scp-1.eft-xwye-a-coluc-com onPacket:: <message
from='user1@coluc.com/jabber_5111' to='employee1@vngtp.lab' type='chat' xml:lang='en'><gone
xmlns='http://jabber.org/protocol/chatstates'/></message>
XCP_CM2[21104]: CodeLocation="debug" Detail="Bouncing packet because domain pair (453d2518-9894-4bb2-ae77-d1a6c88b06aa,
coluc.com:vngtp.lab, OUT) is marked as failed: <message from='user1@coluc.com/jabber_5111' to='employee1@vngtp.lab' type='chat'
xml:lang='en'><gone xmlns='http://jabber.org/protocol/chatstates'/></message>
XCP_CM2[21104]: CodeLocation="stanza.router.out" Detail="cm-2_s2scp-1.eft-xwye-a-coluc-com <message from='employee1@vngtp.lab'
to='user1@coluc.com/jabber_5111' type='error' xml:lang='en'><gone xmlns='http://jabber.org/protocol/chatstates'/><error code='504'
type='wait'><remote-server-timeout xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error></message>

The result is that the Jabber user keeps receiving "Message to user could not be delivered".

Correct the problem and restart XCP (Expressway).

After 30 min the domain pair state is cleared again.

XMPP Federation

XMPP Federation Support


DNS vs Static
Dialback Secret
Security mode
Privacy mode
Serviceability

XMPP Federation Security Mode

TLS Required   Always TLS
TLS Optional   Attempts TLS, falls back to TCP
No TLS         Always TCP

XMPP Federation Security Mode

Certificate requirements:

Must contain SAN with XMPP domain

(Optional) contain SAN with XMPP Chat node alias

Troubleshooting
Receiver required TLS, initiator Req or optional

Troubleshooting
Receiver required TLS, initiator no TLS

Troubleshooting
Receiver optional TLS, initiator TLS optional or required

Initiator TLS

Troubleshooting
Receiver no TLS, initiator required

Troubleshooting
Domain not contained in server certificate

Initiating Server logs

XCP_CM2[21722]:..Level="VBOSE" CodeLocation="stanza.router.in" Detail="cm-2_s2scp-1.ExpresswayE-vngtp-lab onPacket:: <message
from='employee1@vngtp.lab/jabber_6705' to='chat254021641016410@conference-4-standaloneclusterf1fa2.coluc.com'
type='groupchat' xml:lang='en'><composing xmlns='http://jabber.org/protocol/chatstates'/></message>
XCP_CM2[21722]:..Level="INFO " CodeLocation="ConnInfoHistory" Detail="Connection state change: IDLE_TIMEOUT->PENDING:
(f8d3c3d4-27df-4cf2-88d2-625090104543, vngtp.lab:conference-4-standaloneclusterf1fa2.coluc.com, OUT) state=PENDING
XCP_CM2[21722]:..Level="INFO " CodeLocation="Resolver.cpp:143" Detail="Finished resolver lookup for 'conference-4standaloneclusterf1fa2.coluc.com:puny=conference-4-standaloneclusterf1fa2.coluc.com:service=_xmpp-server._tcp:defport=0'. Took 0.001163s"
XCP_CM2[21722]:..Level="DEBUG" CodeLocation="stream.out" Detail="xcoder=2783DD838 new outgoing"
XCP_CM2[21722]:..Level="INFO " CodeLocation="XMPPStream.cpp:2395" Detail="The hostname conference-4standaloneclusterf1fa2.coluc.com was not found on the SSL certificate: 'eft-xwye-a.coluc.com' ... Disconnecting stream."

Security Mode TLS Required/Optional

Require client-side security certificates

Verifies the CA/issuer of the certificate presented by the foreign domain

TLS negotiation will fail when the CA root is not uploaded to the Expressway's trusted CA root list

Falls back to TCP when TLS is optional

Fails when TLS is required

Troubleshooting
CA not uploaded to initiator trust store

XMPP Federation

XMPP Federation Support


DNS vs Static
Dialback Secret
Security mode
Privacy mode
Serviceability

XMPP Federation - Privacy

Allow list (white list)

Contains domains and chat node aliases with which federation is allowed

Deny list (black list)

Contains domains and chat node aliases with which federation is not allowed

XMPP Federation - Privacy

Scenario Initiating Server Allow list does not contain foreign domain

XCP_CM2[5366]:..Level="INFO " CodeLocation="Resolver.cpp:128" Detail="Starting resolver lookup for 'vngtp.lab:puny=vngtp.lab:service=_xmppserver._tcp:defport=0'
XCP_CM2[5366]:..Level="INFO " CodeLocation="stream.out" Detail="(3b86cdb2-af61-4d5e-a50b-e9875ebb8d4a, coluc.com:vngtp.lab, OUT)
host:vngtp.lab using addrs:10.48.36.171:5269
XCP_CM2[5366]:..Level="DEBUG" CodeLocation="debug" Detail="authorizeOutToAddr is returning false for: 10.48.36.171
XCP_CM2[5366]:..Level="INFO " CodeLocation="stream.out" Detail="(3b86cdb2-af61-4d5e-a50b-e9875ebb8d4a, coluc.com:vngtp.lab, OUT)
resolved address is on blacklist host:vngtp.lab ip:10.48.36.171:5269"

Troubleshooting Privacy
Receiving Server Allow list does not contain source
XCP_CM2[8002]:..Level="INFO " CodeLocation="debug" Detail="xcoder=21107F2AE onStreamOpen:: <stream:stream from='vngtp.lab'
id='11107F2AE' to='coluc.com' version='1.0' xml:lang='en-US.UTF-8' xmlns='jabber:server' xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'/>
XCP_CM2[8002]:..Level="INFO " CodeLocation="DBVerify.cpp:52" Detail="(ba1999ed-7b82-4ca9-a170-e85bf88af35f, coluc.com:vngtp.lab, IN)
Attempting to do dialback, Xcoder ID: 343BDFCC4"
..
XCP_CM2[8002]:..Level="INFO " CodeLocation="Resolver.cpp:143" Detail="Finished resolver lookup for 'vngtp.lab:puny=vngtp.lab:service=_xmppserver._tcp:defport=0'. Took 0.001415s"
....
XCP_CM2[8002]:..Level="INFO " CodeLocation="DBVerify.cpp:282" Detail="(ba1999ed-7b82-4ca9-a170-e85bf88af35f, coluc.com:vngtp.lab, IN)
DBVerify Packet Received <db:verify from='vngtp.lab' id='21107F2AE' to='coluc.com'
type='valid'>c33b79581b391a1a0c59a65b060c4dd5954e8c10</db:verify>"
..
XCP_CM2[8002]:..Level="INFO " CodeLocation="DBVerify.cpp:301" Detail="(ba1999ed-7b82-4ca9-a170-e85bf88af35f, coluc.com:vngtp.lab, IN)
Passed dialback first stage. packet-from: vngtp.lab, stored-from: vngtp.lab, packet-to: coluc.com, stored-to: coluc.com, packet-id: 21107F2AE,
stored-id: 21107F2AE

XCP_CM2[8002]:..Level="DEBUG" CodeLocation="debug" Detail="authorizeInFromHost is returning false for: vngtp.lab
XCP_CM2[8002]:..Level="INFO " CodeLocation="%s %s not allowed host:%s" Detail="(ba1999ed-7b82-4ca9-a170-e85bf88af35f,
coluc.com:vngtp.lab, IN)"

XMPP Federation

XMPP Federation Support


DNS vs Static
Dialback Secret
Security mode
Privacy mode
Serviceability

XMPP Federation Serviceability

XMPP Federation Serviceability


Domain pair blocked for 30min

10 Retries

Connection State from None to Pending to Connected or Fail

Business to Business calls

Business to Business calls

[Diagram: Enterprise Network (DomainA, CUCM) - DMZ (Expressway-C Collab Gateway and Expressway-E Collab Gateway, with Traversal Link Management between them) - Internet - DomainB; legend: Signal, Media Payload]

Business to Business calls - Configuration

- SIP Trunk
- URI Dialing
- Dialplan (Search Rules, Transforms ..)

[Diagram: DomainA CUCM - Expressway-C (Neighbor Zone, Traversal Zone Client) - Expressway-E (Traversal Zone Server, DNS Zone) - Internet - DomainB]

Business to Business SIP Trunk

Edge traffic: Device registration

B2B traffic: Trunk Calls

Business to Business SIP Trunk

Non-Secure SIP Trunk

Business to Business SIP Trunk

Secure SIP Trunk

FQDN CUCM Server

FQDN Expressway C Server

Business to Business Traversal Zone


UC Traversal

B2B Traversal

Business to Business Traversal Zone

Business to Business DNS Zone


DNS lookup for SRV
_sip._tcp.domain
_sips._tls.domain
_h323cs._tcp.domain
_h323ls._udp.domain

Troubleshooting
INVITE sent to wrong IP address

Expressway E receives the following INVITE from CUCM

Module="network.sip" Level="DEBUG": Src-ip="10.48.79.189" Src-port="25018"
SIPMSG:
|INVITE sip:user@company.com:5060 SIP/2.0

When port information is included in the URI, Expressway E uses the result of a DNS A record lookup for the domain and not the SRV lookup for the SIP service.

This results in the INVITE being sent to the wrong IP address.

Solution : Configure a Transform rule which strips the port from the URI

Key TakeAways

Key TakeAways

Review Firewall ports

Review Certificate Requirements

Review UC Domains on Expressway C

Review Services on the UC domain

SRV records for the different services must exist in DNS with Split DNS

Trunk vs Line

Continue the Conversation using Cisco Spark

Sign up free for Cisco Spark at http://www.ciscospark.com/

Download the application from iOS App Store, Google Play Store, or from
http://download.ciscospark.com/

Visit the World of Solutions Cisco Spark area for demos

Use Cisco Spark to continue the conversation or ask any additional questions
with the speaker for this session. The room name is BRKCOL-2602

How to get added to the Cisco Spark room for this session

To opt in, send an email to spark-at-ciscolive@cisco.com with the message "Please add me to the BRKCOL-2602 room"

Participate in the My Favorite Speaker Contest


Promote Your Favorite Speaker and You Could Be a Winner

Promote your favorite speaker through Twitter and you could win $200 of Cisco
Press products (@CiscoPress)

Send a tweet and include


Your favorite speaker's Twitter handle @PhilipSmeuninx
Two hashtags: #CLUS #MyFavoriteSpeaker

You can submit an entry for more than one of your favorite speakers

Don't forget to follow @CiscoLive and @CiscoPress

View the official rules at http://bit.ly/CLUSwin

Complete Your Online Session Evaluation

Give us your feedback to be


entered into a Daily Survey
Drawing. A daily winner
will receive a $750 Amazon
gift card.

Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education

Demos in the Cisco campus

Walk-in Self-Paced Labs

Table Topics

Meet the Engineer 1:1 meetings

Related sessions

Thank you

Appendix

Other useful HTTP query to run: XCP router status

To verify the XCP router status run the following:

https://<expressway>/getxml?location=/Status/XMPP

Other useful HTTP query to run XCP router status

Enter Expressway credentials (administrator login)

Other useful HTTP query to run XCP router status

ExpressWay E

Other useful HTTP query to run XCP router status

ExpressWay C

Jabber Registration Walk Through

Register Jabber client on UCM via MRA
Expected signaling flow for Jabber Client logon and registration on a simple IM&P based deployment

Jabber login with xwayj@coluc.com

[Diagram lanes: Jabber Client, External DNS, Expressway E, ExpressWay C, Internal DNS, CUCM Home UDS, TFTP Server, IMP Server]

Jabber Registration Walk Through

Jabber Client -> External DNS:
DNS Query SRV _cisco-uds._tcp.coluc.com
Query Response: Not Found
DNS Query SRV _cuplogin._tcp.coluc.com
Query Response: Not Found

Jabber Registration Walk Through

Jabber Client -> External DNS:
DNS Query SRV _collab-edge._tls.coluc.com
Query Response (contains answers including SRV and A/AAAA record):
  Service: collab-edge
  Protocol: tls
  Name: coluc.com
  Type: SRV
  Port: 8443
  Target: xwaye.coluc.com
DNS Query A xwaye.coluc.com
Query Response (contains answers including A/AAAA record):
  Name: xwaye.coluc.com
  Type: A
  Addr: 122.208.118.4

Jabber Registration Walk Through

Jabber Client <-> Expressway E:
SSL: Client Hello
SSL: Server Hello
SSL: Certificate, Server Hello Done
Establish secure communication channel between Jabber client and VCS-E

Jabber Client -> Expressway E:
HTTPS: GET /get_edge_config
HTTPMSG:
GET https:///Y2lzY290cC5jb20/get_edge_config HTTP/1.1
Authorization: xxxxx <= Basic username and password
Host: xwaye.coluc.com:8443
User-Agent: Jabber-Win-746

Client requests Edge Configuration data

Expressway E -> Expressway C:
HTTPS: GET /get_edge_config
HTTPMSG:
GET http://vcs_control.coluc.com:8443/Y2lzY290cC5jb20/get_edge_config HTTP/1.1
Authorization: xxxxx <= Basic username and password
Host: vcs_control.coluc.com:8443
User-Agent: Jabber-Win-746
X-Forwarded-For: 64.104.46.217 <= Address of Jabber client that VCS-E received from
Via: https/1.1 vcs[7AD07604] (ATS)

Jabber Registration Walk Through

ExpressWay C -> Internal DNS:
When the DNS record is not cached ExpressWay C sends out the following DNS queries
DNS Query SRV _cisco-uds._tcp.coluc.com
Query Response (Target: colcm9pub.coluc.com)
DNS Query SRV _cisco-phone-tftp._tcp.coluc.com
Query Response (Target: colcm9pub.coluc.com)
DNS Query A colcm9pub.coluc.com
Query Response (Addr: 172.16.1.36)

Jabber Registration Walk Through

ExpressWay C -> Internal DNS:
DNS Query SRV _cuplogin._tcp.coluc.com
Query Response (Target: colcup.coluc.com)
DNS Query A colcup.coluc.com
Query Response (Addr: 172.16.1.33)

Jabber Registration Walk Through

Expressway C -> CUCM Home UDS:
HTTP(S) Requesting CUCM home node information
HTTPS: GET //<cucm-fqdn>/cucm-uds/clusterUser?<user-name>
HTTPMSG:
GET //colcm9pub:8443/cucm-uds/clusterUser?username=xwayj HTTP/1.1
HTTP(S) 200 OK

At this point you should see the "Found user cluster" and "Found UDS server" internal status entries in the diagnostic log:
===========================================================
Module="developer.edgeconfigprovisioning.server" Level="DEBUG"
CodeLocation="edgeconfigprovisioningserver(655)" Detail="Found user cluster" Username="xwayj"
Cluster="172.16.1.36"
Module="developer.edgeconfigprovisioning.server" Level="DEBUG"
CodeLocation="edgeconfigprovisioningserver(682)" Detail="Found UDS server" Cluster="172.16.1.36"
UdsServer="colcm9pub"
===========================================================

HTTPMSG:
HTTP/1.1 200 OK
Content-Type: application/xml
Server:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><clusterUser uri="https://colcm9pub:8443/cucmuds/clusterUser?username=xwayj" version="9.1.2"><result version="9.1.2" uri="https://172.16.1.36:8443/cucmuds/user/xwayj" found="true"/><homeCluster>172.16.1.36</homeCluster></clusterUser>

Jabber Registration Walk Trough

Jabber Client

External DNS

Expressway E

ExpressWay C

Internal DNS

CUCM Home
UDS

TFTP
Server

HTTP(S)

Get Devices

HTTPS: GET //<cucm-fqdn>/cucm-uds/user/<user-name>/devices


HTTPMSG:
GET //colcm9pub:8443/cucm-uds/user/xwayj/devices HTTP/1.1
Authorization: <CONCEALED>
HTTP(S) 200 OK
HTTPMSG:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONIDSSO=xxxxx, Path=/; Secure; HttpOnly
Set-Cookie: JSESSIONID=xxxxx; Path=/cucm-uds/; Secure; HttpOnly
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><devices version="9.1.2" uri="https://colcm9pub:8443/cucm-uds/user/xwayj/devices"><device hasPrimaryNumber="false" uri="https://colcm9pub:8443/cucm-uds/user/xwayj/device/663e40ed-b3bd-3060-5483-b6721d04c32e"><id>663e40ed-b3bd-3060-5483-b6721d04c32e</id><name>CSFxwayj</name><model>Cisco Unified Client Services Framework</model> ..
</device></devices>

HTTPS 200 OK

Returned configuration:
1) IMP, CUCM, TFTP SRV
2) SIP edge
3) Randomized list of UDS
4) XMPP edge
5) HTTP edge
etc.

HTTPMSG:
HTTP/1.1 200 OK
Server: CE_C ECS
Set-Cookie: X-Auth=<edge token>; Expires=xxxxx; Domain=.coluc.com; Path=/; Secure
<?xml version='1.0' encoding='UTF-8'?><getEdgeConfigResponse version="1.0"><serviceConfig><service><name>_ciscophonetftp</name><server><priority>0</priority><weight>0</weight><port>69</port><address>colcm9pub.coluc.com</address></server></service><service><name>_cuplogin</name><server><priority>0</priority><weight>0</weight><port>8443</port><address>imp33.coluc.com</address></server> .. </edgeConfig></getEdgeConfigResponse>
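As an added example (not part of the session deck), the getEdgeConfigResponse body above can be parsed like this and each service's servers ordered SRV-style. The `_cisco-uds` service, its `example.test` hosts and all priority/weight values are constructed sample data; a real client picks among equal-priority servers weighted-randomly (the "randomized list of UDS" above), so the deterministic sort here is only for reproducible output.

```python
# Added example, not from the session: parse an Expressway-E getEdgeConfigResponse.
# Sample body constructed from the trace fragment; _cisco-uds entries are assumed data.
import xml.etree.ElementTree as ET

EDGE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<getEdgeConfigResponse version="1.0"><serviceConfig>
<service><name>_ciscophonetftp</name>
  <server><priority>0</priority><weight>0</weight><port>69</port><address>colcm9pub.coluc.com</address></server>
</service>
<service><name>_cuplogin</name>
  <server><priority>0</priority><weight>0</weight><port>8443</port><address>imp33.coluc.com</address></server>
</service>
<service><name>_cisco-uds</name>
  <server><priority>10</priority><weight>5</weight><port>8443</port><address>uds-b.example.test</address></server>
  <server><priority>0</priority><weight>20</weight><port>8443</port><address>uds-a.example.test</address></server>
  <server><priority>0</priority><weight>60</weight><port>8443</port><address>uds-c.example.test</address></server>
</service>
</serviceConfig></getEdgeConfigResponse>"""


def parse_services(xml_text):
    """Return {service_name: [(priority, weight, address, port), ...]}.

    Servers are ordered SRV-style: lowest priority first, heavier weight first
    within a priority. iter('service') is used so the surrounding wrapper
    elements (serviceConfig, edgeConfig) do not matter.
    """
    root = ET.fromstring(xml_text)
    services = {}
    for svc in root.iter("service"):
        servers = []
        for srv in svc.findall("server"):
            servers.append((int(srv.findtext("priority")), int(srv.findtext("weight")),
                            srv.findtext("address"), int(srv.findtext("port"))))
        servers.sort(key=lambda s: (s[0], -s[1]))
        services[svc.findtext("name")] = servers
    return services


def first_target(services, name):
    """address:port the client should try first for a service, or None if absent."""
    servers = services.get(name)
    if not servers:
        return None
    _prio, _weight, address, port = servers[0]
    return f"{address}:{port}"


if __name__ == "__main__":
    svcs = parse_services(EDGE_CONFIG)
    for name in sorted(svcs):
        print(name, "->", first_target(svcs, name))
```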



HTTPS: GET /jabber-config.xml
HTTPMSG:
GET https:///...../jabber-config.xml HTTP/1.1
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746

HTTPS: POST /EPASSoap/service (SOAP login)
HTTPMSG:
POST https:///...../EPASSoap/service/v80 HTTP/1.1
Host: xwaye.coluc.com:8443
User-Agent: gSOAP/2.8
User-Agent: Jabber-Win-746
Cookie: $Version=1;X-Auth=<edge token>;$Path="/";$Domain=".coluc.com"
SOAPAction: "urn:cisco:epas:soap/EpasSoapServiceInterface/login"


HTTPS: GET /EPASSoap/service/CTLSEP<CSFUSERNAME>.tlv
HTTPMSG:
GET https:///...../CTLSEPCSFxwayj.tlv HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746

HTTPS: GET /EPASSoap/service/CTLSEP<CSFUSERNAME>.cnf.xml
HTTPMSG:
GET https:///....../CSFxwayj.cnf.xml HTTP/1.1
Authorization: xxxxx
Host: xwaye.coluc.com:8443
Cookie: X-Auth=<edge token>
User-Agent: Jabber-Win-746


SIP - REFER
REFER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: 08119654-5e650005-00005970-00003801@10.71.50.153
CSeq: 1000 REFER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.30:5061;transport=tls;zoneid=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>

SIP 407 Proxy Authentication Required

The client includes the route set received at startup negotiation.


SIP - REFER
REFER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: 08119654-5e650005-00005970-00003801@10.71.50.153
CSeq: 1001 REFER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.31:5061;transport=tls;zoneid=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>
Proxy-Authorization: Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub", response="4900cdfe65c4a4551f1129903c9ed98d", nonce="xxxxx", opaque="xxxxx", cnonce="000030a0", qop=auth, nc=00000001, algorithm=MD5


SIP - REFER
REFER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: 08119654-5e650005-00005970-00003801@10.71.50.153
CSeq: 1001 REFER
Refer-To: <cid:0000360d@10.71.50.153>
Referred-By: <sip:081196545e65@10.71.50.153>
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:colcm9pub>
Route: <sip:colcm9pub;transport=tcp;lr>
P-Asserted-Identity: <sip:081196545e65@10.71.50.153>


SIP 202 Accepted (returned on each hop)
SIP - REGISTER
REGISTER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d
Call-ID: 08119654-5e650005-00005970-00003801@10.71.50.153
CSeq: 101 REGISTER
Contact: <sip:..... @10.71.50.153:50036;transport=tls>;+sip.instance="<urn:uuid:00000000-0000-0000-0000-081196545e65>";+u.sip!devicename.ccm.cisco.com="CSFxwayj";+u.sip!model.ccm.cisco.com="503";video
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:xwaye.coluc.com;transport=tls;lr>,<sip:172.16.1.30:5061;transport=tls;zoneid=1;directed;lr>,<sip:colcm9pub;transport=tcp;lr>

SIP 407 Proxy Authentication Required

Registration request including Contact and all Route information.

SIP - REGISTER
REGISTER sip:colcm9pub SIP/2.0
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=..
CSeq: 102 REGISTER
Contact: <sip:xxxxx@10.71.50.153:50036;transport=tls>..
+u.sip!devicename.ccm.cisco.com="CSFxwayj";+u.sip!model.ccm.cisco.com="503"
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Proxy-Authorization: Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub", response="4900cdfe65c4a4551f1129903c9ed98d", nonce="xxxxx", opaque="xxxxx", cnonce="000030a0", qop=auth, nc=00000001, algorithm=MD5
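As an added example (not from the session deck), this is how the proxy checks the Digest credentials carried in the Proxy-Authorization header of the REFER and REGISTER above (RFC 2617, algorithm=MD5, qop=auth): it recomputes the response from the stored password and the challenge it issued in the 407. The nonce and opaque values are constructed because the trace conceals them; the stored password and the `parse_digest`/`verify` helper names are assumptions.

```python
# Added example, not from the session: server-side check of a SIP Digest credential.
# Header copied from the trace; nonce/opaque are constructed (concealed as xxxxx above).
import hashlib
import re

PROXY_AUTHORIZATION = (
    'Digest username="xwayj", realm="xwaye.coluc.com", uri="sip:colcm9pub", '
    'response="4900cdfe65c4a4551f1129903c9ed98d", nonce="sample-nonce", '
    'opaque="sample-opaque", cnonce="000030a0", qop=auth, nc=00000001, algorithm=MD5'
)


def parse_digest(header):
    """Split a 'Digest k=v, k="v"' credentials header into a dict (quotes removed)."""
    body = header.split(None, 1)[1]  # drop the leading scheme token 'Digest'
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', body)}


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(method, password, c):
    """Expected response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2).

    HA1 binds user/realm/password, HA2 binds the SIP method and request-URI,
    so a credential captured for REGISTER does not validate for REFER.
    """
    ha1 = _md5(f"{c['username']}:{c['realm']}:{password}")
    ha2 = _md5(f"{method}:{c['uri']}")
    return _md5(f"{ha1}:{c['nonce']}:{c['nc']}:{c['cnonce']}:{c['qop']}:{ha2}")


def verify(header, method, password):
    """True when the header's response matches the password on file.

    A real proxy additionally checks that nonce/opaque match the challenge it
    issued in the 407 and that nc has not been replayed; that state is not
    modelled here.
    """
    c = parse_digest(header)
    if c.get("algorithm", "MD5").upper() != "MD5" or c.get("qop") != "auth":
        return False
    for key in ("username", "realm", "uri", "nonce", "nc", "cnonce", "response"):
        if key not in c:
            return False
    return digest_response(method, password, c) == c["response"].lower()
```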


SIP - REGISTER

The Via headers now include:
1) the Edge zone name
2) the client's local and NAT addresses with port numbers
REGISTER sip:colcm9pub SIP/2.0


Via: SIP/2.0/TCP 0.0.0.0;egress-zone=TokyoVCS;..;proxy-call-id=..
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=..;received=64.104.46.217;rport=9706
;ingress-zone=CollaborationEdgeZone
CSeq: 102 REGISTER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
SIP - REGISTER

Proxy registration to CUCM

The CSeq number of the proxied REGISTER is managed separately.
REGISTER sip:colcm9pub SIP/2.0


Via: SIP/2.0/TCP 172.16.1.30:5060;egress-zone=CEtcpcolcm9pub;..;proxy-call-id=..
Via: SIP/2.0/TCP 0.0.0.0;egress-zone=TokyoVCS;..;proxy-call-id=..
Via: SIP/2.0/TLS 10.71.50.153:50036;branch=..;received=64.104.46.217;rport=9706
;ingress-zone=CollaborationEdgeZone
CSeq: 101 REGISTER
From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf
To: <sip:8300100@colcm9pub>
Route: <sip:colcm9pub;transport=tcp;lr>
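As an added example (not from the session deck), this reads the Via stack of the REGISTER that Expressway-C forwards to CUCM, so the zone each hop crossed and the client's NAT address and port (`received`/`rport`) can be pulled out of a trace. The message is constructed from the headers shown above; the branch and proxy-call-id values elided as ".." are filled with sample text.

```python
# Added example, not from the session: walk the Via headers of the proxied REGISTER.
# Message constructed from the trace; elided branch/proxy-call-id values are sample data.
REGISTER = (
    "REGISTER sip:colcm9pub SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 172.16.1.30:5060;egress-zone=CEtcpcolcm9pub;branch=z9hG4bKc1;proxy-call-id=pc1\r\n"
    "Via: SIP/2.0/TCP 0.0.0.0;egress-zone=TokyoVCS;branch=z9hG4bKe1;proxy-call-id=pe1\r\n"
    "Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d;received=64.104.46.217;rport=9706"
    ";ingress-zone=CollaborationEdgeZone\r\n"
    "CSeq: 101 REGISTER\r\n"
    "From: <sip:8300100@colcm9pub>;tag=081196545e6500020000428b-00005ddf\r\n"
    "To: <sip:8300100@colcm9pub>\r\n"
    "Route: <sip:colcm9pub;transport=tcp;lr>\r\n\r\n"
)


def parse_vias(message):
    """Return the Via headers top-down (nearest proxy first) as dicts.

    Each dict holds 'transport', 'sent_by' and every ;name=value parameter.
    """
    hops = []
    for line in message.split("\r\n"):
        if not line.lower().startswith("via:"):
            continue
        value = line.split(":", 1)[1].strip()
        proto_addr, *params = [p.strip() for p in value.split(";")]
        proto, sent_by = proto_addr.split()
        hop = {"transport": proto.rsplit("/", 1)[1], "sent_by": sent_by}
        for param in params:
            name, _, val = param.partition("=")
            hop[name] = val
        hops.append(hop)
    return hops


def client_hop(hops):
    """The bottom Via is the client's own; received/rport give its post-NAT address."""
    hop = hops[-1]
    host, _, port = hop["sent_by"].partition(":")
    return {"local": hop["sent_by"],
            "nat": f"{hop.get('received', host)}:{hop.get('rport', port)}",
            "zone": hop.get("ingress-zone")}


def zone_path(hops):
    """Zones the request crossed, client side first, as recorded by each proxy."""
    return [h.get("ingress-zone") or h.get("egress-zone") for h in reversed(hops)]
```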

SIP 100 Trying
