Expressway Domain Question

When a client has a login domain that differs from the email domain, which domain is used for MRA and B2B and the associated SRV and Expressway core-defined domains? Not sure if it matters, but we have MRA on one C/E pair and B2B on the Jabber Guest C/E pair.

I have a client with these scenarios:

email is: user@exampledomain.com

login (internal) domain is: user@exampledomain.root

email is: user@exampledomain.com

login (internal) domain is: user@domain.exampledomain.com

Thanks in advance,

Brian

3 Replies

Kevin Roarty
Cisco Employee

Hi Brian,

OK, starting with the MRA Expressway pair first. At a minimum you will need the Expressway-C to include the domain used to discover the edge (via collab-edge DNS SRV) in the Configuration > Domains menu. The domain(s) will be provided to Expressway-E once the unified communications traversal zone is established and allows the Expressway-E to only allow traffic for the configured domains. This appears to be exampledomain.com from your post.

If you are using IM&P, you'll want to include the presence domain as well on the Exp-C, and enable IM&P service in the domain config. 

Take a look at the following application note that includes a worst-case multi-domain scenario: "Configuration Example: Mobile and Remote Access through Expressway/VCS in a multi-domain deployment - Cisco".

B2B DNS SRV records will likely align with exampledomain.com, but you can publish other records if need be. They don't need to be related to Jabber service or presence domains. And there's no requirement to specify domains used for B2B in the Exp-C Configuration > Domains menu. Only search rules and CPL rules are usually needed.

No DNS SRV records are required for Jabber Guest, but you do need to have a domain configured on Exp-C that allows inbound Jabber Guest traffic for your domain. And similar to B2B, there's no requirement for the Jabber Guest domain to align with Jabber service or presence domains.

HTH,

Kevin

Kevin,

Sincere thanks for the info. Unfortunately I think the problem is a bit more complex. I just stumped TAC --- waiting on a call back.

Anyhow, maybe this helps illustrate the challenge.

Here's the lay of the land with my client:

Forest 1

Email:    user@domain1.com

Login Domain/AD Users & servers: internal.domain1.com

Domain for all other internal servers: domain1.com

Forest 1 Child Login Domains:

child1.domain1.com

child2.domain1.com

Forest 2

Email:    user@domain2.org

Login Domain:    domain2.root

What user ID should users in Forest1 and Forest2 use to log into Jabber?

Right now I have SRV records (cisco-uds and collab-edge) correctly resolving for a login of user@domain1.com.

So I heard back from my Expressway TAC engineer, who discussed the issue with a CUCM engineer. The solution appears simple enough:

In CUCM, if you go to the LDAP Directory Settings, change the Directory URI from msRTCSIP-primaryuseraddress to mail, and then configure IM&P to use Directory URI, it will set the CUCM and IM&P usernames for those users to, for example, user@domain2.org. When that authentication request hits CUCM, it will know to authenticate that user against the correct domain.

BTW, the config option in IM&P is in Presence>Settings>Advanced Configuration>IM Address Scheme>Directory URI


Worth noting is that we are planning to use LDS/AdamSync to point LDAP to multiple AD forests for directory/authentication.


Any additional thoughts or questions greatly appreciated.
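
A planning check for the multi-forest layout in this thread, added here as an example and not written by any of the posters: for each candidate login ID it reports whether the cisco-uds and collab-edge SRV records and the Expressway-C domain entry exist for that login's domain. The DNS tables, hostnames and Expressway-C domain list are constructed stand-ins (no live lookups), and it assumes Jabber derives its discovery domain from the part of the login ID after "@".

```python
# Added example (not from the thread). Constructed data; no live DNS is queried.
# Assumption: Jabber takes the service-discovery domain from the part of the
# login ID after "@", then looks up _cisco-uds._tcp (inside the network) or
# _collab-edge._tls (outside) for that domain.

# Constructed stand-in for public DNS: SRV owner name -> (target, port).
PUBLISHED_SRV = {
    "_collab-edge._tls.domain1.com": ("expe.domain1.com", 8443),
}
# Constructed stand-in for internal DNS.
INTERNAL_SRV = {"_cisco-uds._tcp.domain1.com": ("cucm.domain1.com", 8443)}
# Constructed stand-in for Expressway-C Configuration > Domains.
EXPC_DOMAINS = {"domain1.com"}


def discovery_domain(login_id):
    """Return the lower-cased domain part of a user@domain login ID."""
    user, sep, domain = login_id.strip().rpartition("@")
    if not sep or not user or not domain:
        raise ValueError(f"not a user@domain login ID: {login_id!r}")
    return domain.lower().rstrip(".")


def mra_readiness(login_id, public_srv=PUBLISHED_SRV,
                  internal_srv=INTERNAL_SRV, expc_domains=EXPC_DOMAINS):
    """List what is missing for this login ID on-premises and over MRA."""
    domain = discovery_domain(login_id)
    gaps = []
    if f"_cisco-uds._tcp.{domain}" not in internal_srv:
        gaps.append(f"no internal _cisco-uds._tcp.{domain} SRV")
    if f"_collab-edge._tls.{domain}" not in public_srv:
        gaps.append(f"no public _collab-edge._tls.{domain} SRV")
    if domain not in {d.lower() for d in expc_domains}:
        gaps.append(f"{domain} not in Expressway-C Configuration > Domains")
    return gaps


if __name__ == "__main__":
    # Login IDs taken from the forest layout described in the thread.
    for login in ("user@domain1.com", "user@domain2.org", "user@domain2.root"):
        gaps = mra_readiness(login)
        print(f"{login}: {'ready' if not gaps else '; '.join(gaps)}")
```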
