10-07-2015 08:49 AM - edited 03-14-2019 03:17 PM
When a client has a login domain that differs from the email domain, which domain is used for MRA and B2B and the associated SRV and Expressway core-defined domains? Not sure if it matters, but we have MRA on one C/E pair and B2B on the Jabber Guest C/E pair.
I have a client with these scenarios:
email is: user@exampledomain.com
login (internal) domain is: user@exampledomain.root
email is: user@exampledomain.com
login (internal) domain is: user@domain.exampledomain.com
Thanks in advance,
Brian
10-07-2015 05:03 PM
Hi Brian,
OK, starting with the MRA Expressway pair first. At a minimum you will need the Expressway-C to include the domain used to discover the edge (via collab-edge DNS SRV) in the Configuration > Domains menu. The domain(s) will be provided to Expressway-E once the unified communications traversal zone is established, and this allows the Expressway-E to only allow traffic for the configured domains. This appears to be exampledomain.com from your post.
If you are using IM&P, you'll want to include the presence domain as well on the Exp-C, and enable IM&P service in the domain config.
Take a look at the following application note that includes a worst-case multi-domain scenario: Configuration Example: Mobile and Remote Access through Expressway/VCS in a multi-domain deployment - Cisco
B2B DNS SRV records will likely align with exampledomain.com, but you can publish other records if need be. They don't need to be related to Jabber service or presence domains. And there's no requirement to specify domains used for B2B in the Exp-C Configuration > Domains menu. Only search rules and CPL rules are usually needed.
No DNS SRV records required for Jabber Guest, but you do need to have a domain configured on Exp-C that allows inbound jabber guest traffic for your domain. And similar to B2B, there's no requirement for the Jabber guest domain to align with Jabber service or presence domains.
HTH,
Kevin
10-08-2015 07:29 AM
Kevin,
Sincere thanks for the info. Unfortunately I think the problem is a bit more complex. I just stumped TAC --- waiting on a call back.
Anyhow, maybe this helps illustrate the challenge.
Here's the lay of the land with my client:
Forest 1
Email: user@domain1.com
Login Domain/AD Users & servers: internal.domain1.com
Domain for all other internal servers: domain1.com
Forest 1 Child Login Domains:
child1.domain1.com
child2.domain1.com
Forest 2
Email: user@domain2.org
Login Domain: domain2.root
What user ID should users in Forest1 and Forest2 log into Jabber with?
Right now I have SRV records (cisco-uds and collab-edge) correctly resolving for a login of user@domain1.com
10-08-2015 10:53 AM
So I heard back from my Expressway TAC engineer, who discussed the issue with a CUCM engineer. The solution appears simple enough:
In CUCM, if you go to the LDAP Directory Settings, change the Directory URI from msRTCSIP-primaryuseraddress to mail, and then configure IM&P to use Directory URI, it will set the CUCM and IM&P usernames for those users to, for example, user@domain2.org. When that authentication request hits CUCM, it will know to authenticate that user against the correct domain.
BTW, the config option in IM&P is in Presence>Settings>Advanced Configuration>IM Address Scheme>Directory URI
Worth noting is that we are planning to use LDS/AdamSync to point LDAP to multiple AD forests for directory/authentication.
Any additional thoughts or questions greatly appreciated.
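
As an added illustration (not part of the thread and not Cisco code), the following planning check compares which discovery domains result when users sign in with their AD login ID versus their mail address, and flags any domain missing from the Expressway-C Configuration > Domains list. It assumes Jabber derives the service-discovery domain from the part of the sign-in ID after the @; the user names, the `plan`/`gaps` helpers and the Expressway-C domain list are constructed from the thread's placeholder domains.

```python
from dataclasses import dataclass

# SRV records named in the thread, with their standard service/protocol labels.
EDGE_SRV = "_collab-edge._tls."   # external lookup that locates Expressway-E for MRA
UDS_SRV = "_cisco-uds._tcp."      # internal lookup that locates CUCM

@dataclass(frozen=True)
class User:
    mail: str    # AD "mail" attribute (proposed Directory URI source)
    login: str   # user@<AD login domain>

def domain_of(uri: str) -> str:
    """Return the lower-cased domain part of a user@domain ID."""
    local, sep, domain = uri.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not a user@domain ID: {uri!r}")
    return domain.lower().rstrip(".")

def plan(users, attr, expc_domains):
    """Group users by discovery domain for the chosen sign-in attribute
    ('mail' or 'login') and note whether Expressway-C lists that domain."""
    allowed = {d.lower().rstrip(".") for d in expc_domains}
    report = {}
    for u in users:
        sign_in = getattr(u, attr)
        d = domain_of(sign_in)
        entry = report.setdefault(d, {
            "srv": [EDGE_SRV + d, UDS_SRV + d],
            "on_expressway_c": d in allowed,
            "users": [],
        })
        entry["users"].append(sign_in)
    return report

def gaps(report):
    """Domains users would discover from that Expressway-C does not list."""
    return sorted(d for d, e in report.items() if not e["on_expressway_c"])

# Constructed sample data based on the Forest 1 / Forest 2 layout in the thread.
USERS = [
    User(mail="alice@domain1.com", login="alice@internal.domain1.com"),
    User(mail="bob@domain1.com", login="bob@child1.domain1.com"),
    User(mail="carol@domain2.org", login="carol@domain2.root"),
]
EXPC_DOMAINS = ["domain1.com"]  # assumed: only the domain whose SRVs already resolve

if __name__ == "__main__":
    for attr in ("login", "mail"):
        report = plan(USERS, attr, EXPC_DOMAINS)
        print(f"sign-in by {attr}: missing on Expressway-C -> {gaps(report)}")
        for d, e in report.items():
            print(f"  {d}: publish {e['srv']} for {len(e['users'])} user(s)")
```

With the sample data, signing in by mail address collapses the three login domains to two discovery domains and leaves only domain2.org to add to Expressway-C and DNS.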