Cisco Expressway
Public DNS
The public (external) DNS must be configured with _collab-edge._tls.<domain> SRV records so that
endpoints can discover the Expressway-Es to use for mobile and remote access. SIP service records are
also required (for general deployment, not specifically for mobile and remote access). For example, for a
cluster of 2 Expressway-E systems:
Domain       Service      Protocol  Priority  Weight  Port  Target host
example.com  collab-edge  tls       10        10      8443  expe1.example.com
example.com  collab-edge  tls       10        10      8443  expe2.example.com
example.com  sips         tcp       10        10      5061  expe1.example.com
example.com  sips         tcp       10        10      5061  expe2.example.com
Local DNS
The local (internal) DNS requires _cisco-uds._tcp.<domain> and _cuplogin._tcp.<domain>
SRV records. For example:
Domain       Service    Protocol  Priority  Weight  Port  Target host
example.com  cisco-uds  tcp       10        10      8443  cucmserver.example.com
example.com  cuplogin   tcp       10        10      8443  cupserver.example.com
Ensure that the _cisco-uds and _cuplogin SRV records are NOT resolvable outside of the internal
network, otherwise the Jabber client will not start mobile and remote access negotiation via the
Expressway-E.
Note: We strongly recommend that you create internal DNS records, for both forward and reverse lookups,
for all Unified Communications nodes used with Mobile and Remote Access. This should allow
Expressway-C to find the nodes when IP addresses are used instead of FQDNs.
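The split between public and local DNS described above can be checked automatically. The following is an added example, not part of the Cisco guide: it audits the SRV answers seen from each resolver view against the tables in this section. The names audit, zone_lookup, GOOD and LEAKY are hypothetical, and the record data is constructed from the example.com tables.

```python
# Added example (not Cisco code). Policy taken from the guide's SRV tables:
# service label -> (port, external view, internal view)
# True = must resolve, False = must NOT resolve, None = no requirement stated.
POLICY = {
    "_collab-edge._tls": (8443, True, None),
    "_sips._tcp": (5061, True, None),
    "_cisco-uds._tcp": (8443, False, True),
    "_cuplogin._tcp": (8443, False, True),
}

def audit(domain, lookup):
    """lookup(view, name) -> [(priority, weight, port, target)]; returns findings."""
    findings = []
    for service, (port, external, internal) in POLICY.items():
        name = f"{service}.{domain}"
        for view, required in (("external", external), ("internal", internal)):
            if required is None:
                continue
            records = lookup(view, name)
            if required and not records:
                findings.append(f"{view}: {name} missing")
            elif not required and records:
                findings.append(f"{view}: {name} must not resolve (leaks {records[0][3]})")
            for rec in records if required else []:
                if rec[2] != port:
                    findings.append(f"{view}: {name} -> {rec[3]} uses port {rec[2]}, expected {port}")
    return findings

def zone_lookup(zones):
    """Hypothetical stand-in for real DNS queries against each resolver view."""
    return lambda view, name: zones.get(view, {}).get(name, [])
# Constructed sample data mirroring the example.com tables in this section.
GOOD = {
    "external": {
        "_collab-edge._tls.example.com": [(10, 10, 8443, "expe1.example.com"),
                                          (10, 10, 8443, "expe2.example.com")],
        "_sips._tcp.example.com": [(10, 10, 5061, "expe1.example.com"),
                                   (10, 10, 5061, "expe2.example.com")],
    },
    "internal": {
        "_cisco-uds._tcp.example.com": [(10, 10, 8443, "cucmserver.example.com")],
        "_cuplogin._tcp.example.com": [(10, 10, 8443, "cupserver.example.com")],
    },
}
# Constructed misconfiguration: _cisco-uds is also published in the public zone.
LEAKY = {**GOOD, "external": {**GOOD["external"],
    "_cisco-uds._tcp.example.com": GOOD["internal"]["_cisco-uds._tcp.example.com"]}}
if __name__ == "__main__":
    print(audit("example.com", zone_lookup(LEAKY)))
```

To run the audit against live DNS, replace zone_lookup with a function that sends the SRV query to a public resolver for the "external" view and to the corporate resolver for the "internal" view.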
Firewall
- Ensure that the relevant ports have been configured on your firewalls between your internal network (where
  the Expressway-C is located) and the DMZ (where the Expressway-E is located) and between the DMZ
  and the public internet. See
- If your Expressway-E has one NIC enabled and is using static NAT mode, note that:
  - You must enter the FQDN of the Expressway-E, as it is seen from outside the network, as the peer
    address on the Expressway-C's secure traversal zone. The reason for this is that in static NAT mode, the
    Expressway-E requests that incoming signaling and media traffic should be sent to its external FQDN,
    rather than its private name.
  - This also means that the external firewall must allow traffic from the Expressway-C to the
    Expressway-E's external FQDN. This is known as NAT reflection, and may not be supported by
    all types of firewalls.
  See the Advanced network deployments appendix, in the , for more information.
Unified Communications Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.6)
Configuration overview