Cisco Expressway MRA Dual-Domain Deployment
2021-09-16
小岳_
1. Software environment
| Role | Version | IP address |
|---|---|---|
| CUCM | 12.5.1.14900-63 | 172.16.101.155 |
| IM&P | 12.5.1.14900-4 | 172.16.101.156 |
| Expressway-C | 12.7.1 | 172.16.101.181 |
| Expressway-E | 12.7.1 | LAN1: 172.16.101.182; LAN2: 172.16.100.182 (NAT-mapped to the public address); public: 103.117.19.XXX |
| DNS | Windows Server 2019 | 172.16.101.151 |
| CA | Windows Server 2019 | 172.16.101.151 |
| AD | Windows Server 2019 | 172.16.101.151 |
| Windows-Jabber | 14.0.2 | / |
| Android-Jabber | 14.0.3 | / |
| iOS-Jabber | 14.0.3 | / |
2. Logical topology
![](https://img.haomeiwen.com/i22515027/f21adb730d6acc1a.png)
Between CUCM, IM&P and Expressway-C:
- Communication between CUCM, IM&P and Expressway-C is either unencrypted or encrypted with certificates issued by the internal CA;
- This example uses the unencrypted option.
Between Expressway-C and Expressway-E:
- Encrypted communication between Expressway-C and Expressway-E uses certificates issued by the internal CA;
- Expressway-C generates a CSR file, which the internal CA signs;
- Expressway-C installs the internal CA root certificate;
- Expressway-C installs the public CA root certificate.
Between Expressway-E and external endpoints:
- Encrypted communication between Expressway-E and external endpoints uses a certificate issued by a public CA;
- Expressway-E generates a CSR file, which the public CA signs;
- Expressway-E installs the public CA root certificate;
- Expressway-E installs the internal CA root certificate.
3. Requirements
1. The internal domain is test.local and the external domain is yuezq.com.
- Users can log in to Jabber with the internal domain test.local from both the internal and the external network.
- The difficulty with the internal domain: when a user logs in to Jabber through MRA, service discovery fails, because the login credential is user@test.local and there is no _collab-edge._tls.test.local SRV record available on the Internet (nor can there be one).
- When the domain in the login credential differs from the domain configured on Expressway-E, the VoiceServicesDomain setting must be enabled; Jabber uses it to discover Collaboration Edge and UDS.
- To solve this, edit jabber-config.xml to include the external domain against which Jabber should run service discovery:
```xml
<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Policies>
    <VoiceServicesDomain>yuezq.com</VoiceServicesDomain>
  </Policies>
</config>
```
- Jabber must therefore log in on the internal network first, to download the jabber-config.xml containing the policy above.
- After Jabber has logged in internally and loaded jabber-config.xml, a later login attempt through MRA from the external network still uses the user@test.local credential, but Jabber uses the configured VoiceServicesDomain (yuezq.com in this example). It therefore queries the SRV record _collab-edge._tls.yuezq.com, which resolves Expressway-E, and the login completes.
When Jabber logs in through MRA from the external network, Expressway-C queries DNS for the yuezq.com SRV records and returns them in the 200 OK message. So besides the usual _cisco-uds._tcp.test.local and _cuplogin._tcp.test.local records, the internal DNS server needs two more SRV records, _cisco-uds._tcp.yuezq.com and _cuplogin._tcp.yuezq.com, pointing to cucm.test.local and imp.test.local respectively, for MRA login to succeed.
- Users can log in to Jabber with the external domain yuezq.com from both the internal and the external network.
- Firewall and router configuration is not the focus of this article and is not described.
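The discovery flow described in section 3 is easier to reason about when the lookups are written out. The following Python script is an added example (not code from the original post and not Cisco's implementation): it replays, over a constructed in-memory DNS table, the SRV queries Jabber makes on the LAN, the _collab-edge query it makes through MRA once VoiceServicesDomain has been loaded, and the internal lookups Expressway-C performs to finish an MRA login. The zone contents are assumptions modelled on the post (test.local, yuezq.com, cucm/imp/expe hosts), not dumps of the real DNS servers.

```python
"""Jabber service discovery in the dual-domain MRA design of section 3.

Added example: not code from the original post and not Cisco's
implementation. It replays, over a constructed in-memory DNS table, the SRV
lookups the post describes: what Jabber queries on the LAN, the
_collab-edge query it makes through MRA once VoiceServicesDomain is loaded,
and the lookups Expressway-C performs on the internal DNS to finish an MRA
login. Domains and hosts follow the post (test.local, yuezq.com).
"""

# Constructed zone data (assumption, not a dump of the post's DNS servers).
# Internal DNS is what the LAN client and Expressway-C resolve against;
# public DNS is what an external client sees.
INTERNAL_DNS = {
    "_cisco-uds._tcp.test.local": "cucm.test.local",
    "_cuplogin._tcp.test.local": "imp.test.local",
    # The two extra records from section 3: Expressway-C resolves them for an
    # MRA login whose discovery domain is yuezq.com; they point at the same nodes.
    "_cisco-uds._tcp.yuezq.com": "cucm.test.local",
    "_cuplogin._tcp.yuezq.com": "imp.test.local",
}
PUBLIC_DNS = {
    "_collab-edge._tls.yuezq.com": "expe.yuezq.com",
    # Deliberately no _collab-edge._tls.test.local: a .local name cannot be
    # published on the Internet, which is the gap VoiceServicesDomain closes.
}


def discovery_domain(login, voice_services_domain=None):
    """Domain Jabber discovers against: VoiceServicesDomain if jabber-config.xml
    has been loaded (internal login first), otherwise the login's domain part."""
    _, _, login_domain = login.partition("@")
    return voice_services_domain or login_domain


def uds_records(domain, internal=INTERNAL_DNS):
    """_cisco-uds and _cuplogin SRV lookups for a domain on the internal DNS.
    Jabber does these itself on the LAN; Expressway-C does them for an MRA
    client and hands the result back in its 200 OK."""
    return {q: internal.get(q)
            for q in (f"_cisco-uds._tcp.{domain}", f"_cuplogin._tcp.{domain}")}


def internal_login(login, voice_services_domain=None, internal=INTERNAL_DNS):
    """Jabber on the LAN: discovery succeeds if both internal SRV records resolve."""
    d = discovery_domain(login, voice_services_domain)
    steps = uds_records(d, internal)
    ok = all(steps.values())
    return {"domain": d, "steps": steps, "ok": ok,
            "reason": None if ok else "internal SRV records missing for " + d}


def mra_login(login, voice_services_domain=None,
              internal=INTERNAL_DNS, public=PUBLIC_DNS):
    """Jabber outside: first the public _collab-edge record must exist, then
    Expressway-C must resolve the internal records for the same domain."""
    d = discovery_domain(login, voice_services_domain)
    edge_query = f"_collab-edge._tls.{d}"
    steps = {edge_query: public.get(edge_query)}
    if steps[edge_query] is None:
        return {"domain": d, "steps": steps, "ok": False,
                "reason": f"no {edge_query} SRV record on the Internet"}
    steps.update(uds_records(d, internal))
    ok = all(steps.values())
    return {"domain": d, "steps": steps, "ok": ok,
            "reason": None if ok else
            "Expressway-C could not resolve internal SRV records for " + d}


if __name__ == "__main__":
    cases = [("user@test.local", None),          # fails: no public record for .local
             ("user@test.local", "yuezq.com"),   # works once the policy was loaded on the LAN
             ("user@yuezq.com", None)]           # works directly
    for login, vsd in cases:
        r = mra_login(login, vsd)
        print(f"MRA {login:17} VoiceServicesDomain={str(vsd):10} -> "
              f"{'ok' if r['ok'] else 'FAIL (' + r['reason'] + ')'}")
```

Passing a zone without the two yuezq.com records to `mra_login` reproduces the second failure mode of section 3: the public _collab-edge lookup succeeds, but Expressway-C cannot answer the UDS and IM&P lookups and the login stops there.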
4. Prerequisites
- AD, CA and DNS are installed and configured;
- CUCM, IM&P, Expressway-C and Expressway-E are installed and initialised;
- CUCM and IM&P are configured, and Cisco Jabber can log in normally on the internal network with an "xxx@test.local" credential.
5. Configure CUCM
- User Management >> User Settings >> UC Service
![](https://img.haomeiwen.com/i22515027/fdc19154ace12f78.png)
![](https://img.haomeiwen.com/i22515027/9fdf60db7ba6a735.png)
![](https://img.haomeiwen.com/i22515027/5d1ea99af1f82bb6.png)
- User Management >> User Settings >> Service Profile
![](https://img.haomeiwen.com/i22515027/001c570e4bfe2c1e.png)
6. Configure the system name
6.1 Expressway-C
- System >> Administration settings
![](https://img.haomeiwen.com/i22515027/70da45a467c8a7d5.png)
6.2 Expressway-E
- System >> Administration settings
![](https://img.haomeiwen.com/i22515027/161978a5ad7605d7.png)
7. Configure IP addresses and routes
7.1 Expressway-C
- System >> Network interfaces >> IP
![](https://img.haomeiwen.com/i22515027/0c570ab3117abe28.png)
7.2 Expressway-E
- System >> Network interfaces >> IP
![](https://img.haomeiwen.com/i22515027/ce225061136526c8.png)
- System >> Network interfaces >> Static routes
8. Configure DNS
8.1 Expressway-C
- System >> DNS
![](https://img.haomeiwen.com/i22515027/96ab09422d6cf86b.png)
8.2 Expressway-E
- System >> DNS
![](https://img.haomeiwen.com/i22515027/4021e6dba2eafb76.png)
9. Configure NTP
9.1 Expressway-C
- System >> Time
![](https://img.haomeiwen.com/i22515027/f9b24c3fdd9bc94d.png)
9.2 Expressway-E
- System >> Time
![](https://img.haomeiwen.com/i22515027/df765ede406172ef.png)
10. Configure SIP
10.1 Expressway-C
- Configuration >> Protocols >> SIP
![](https://img.haomeiwen.com/i22515027/f1b3fcb5d32b7f47.png)
10.2 Expressway-E
- Configuration >> Protocols >> SIP
![](https://img.haomeiwen.com/i22515027/e8e45a4b9703bb71.png)
11. Configure UC mode and MRA access control
11.1 Expressway-C
- Configuration >> Unified Communications >> Configuration
![](https://img.haomeiwen.com/i22515027/bfc6e6e490c334b4.png)
11.2 Expressway-E
- Configuration >> Unified Communications >> Configuration
![](https://img.haomeiwen.com/i22515027/68501b0cc4fecad5.png)
12. Configure domains
12.1 Expressway-C
- Configuration >> Domains
![](https://img.haomeiwen.com/i22515027/fe00c2f743cc41a2.png)
13. Configure the traversal zone
13.1 Expressway-C
- Configuration >> Zones >> Zones
![](https://img.haomeiwen.com/i22515027/7495e358f90fbc86.png)
13.2 Expressway-E
- Configuration >> Authentication >> Local database
![](https://img.haomeiwen.com/i22515027/6167bddfcd2e3f23.png)
- Configuration >> Zones >> Zones
![](https://img.haomeiwen.com/i22515027/f9b15d7cb13633f2.png)
14. Add CUCM and IM&P
14.1 Expressway-C
- Configuration >> Unified Communications >> Unified CM servers
![](https://img.haomeiwen.com/i22515027/4f93af2372a54c65.png)
- Configuration >> Unified Communications >> IM and Presence Service nodes
![](https://img.haomeiwen.com/i22515027/83e7002e650e62c8.png)
15. Adjust call bandwidth
15.1 CUCM
- System >> Region Information >> Region
![](https://img.haomeiwen.com/i22515027/f1446dbe878586ce.png)
15.2 Expressway-C
- Configuration >> Bandwidth >> Configuration
![](https://img.haomeiwen.com/i22515027/1d6a0e2a60d6317a.png)
15.3 Expressway-E
- Configuration >> Bandwidth >> Configuration
![](https://img.haomeiwen.com/i22515027/41af23b5a4b23fc4.png)
16. Install certificates
16.1 Internal CA configuration
- After setting up an enterprise CA on Windows Server 2019, complete the certificate template configuration as follows (certificate templates mainly define what a certificate can be used for).
![](https://img.haomeiwen.com/i22515027/19b0eb5ac757ee7b.png)
![](https://img.haomeiwen.com/i22515027/c7a8c4fef51262ea.png)
- Change the certificate template name and the certificate validity period (it is recommended to change the validity period in the registry first).
![](https://img.haomeiwen.com/i22515027/9c54c8f2c3a21ce1.png)
![](https://img.haomeiwen.com/i22515027/0bd4169361ec8429.png)
![](https://img.haomeiwen.com/i22515027/bc9ab4a4136c51b3.png)
![](https://img.haomeiwen.com/i22515027/1d7fe762997c9bab.png)
![](https://img.haomeiwen.com/i22515027/6550e01930d46150.png)
![](https://img.haomeiwen.com/i22515027/98f5796eb1eb8251.png)
16.2 Expressway-C
16.2.1 Request a server certificate
- Request a server certificate: generate the CSR file
- Maintenance >> Security >> Server certificate
![](https://img.haomeiwen.com/i22515027/e8e42a13dff01493.png)
![](https://img.haomeiwen.com/i22515027/c79baa97ed9afffd.png)
![](https://img.haomeiwen.com/i22515027/963813e76a6440c3.png)
![](https://img.haomeiwen.com/i22515027/4e544a303d36e9f2.png)
- Open the certificate server at http://172.16.101.151/certsrv and issue the certificate
![](https://img.haomeiwen.com/i22515027/6eca09afbdb685dc.png)
![](https://img.haomeiwen.com/i22515027/ae7d6247a7eb58fb.png)
![](https://img.haomeiwen.com/i22515027/311abc9c626c90b4.png)
![](https://img.haomeiwen.com/i22515027/d129880571d67945.png)
![](https://img.haomeiwen.com/i22515027/eaac10ac010c49ed.png)
![](https://img.haomeiwen.com/i22515027/31e16e2dfeaff56b.png)
16.2.2 Download the CA root certificate
![](https://img.haomeiwen.com/i22515027/2c16f7698d51e220.png)
![](https://img.haomeiwen.com/i22515027/881d529252cb8114.png)
![](https://img.haomeiwen.com/i22515027/61c9560c3031e1df.png)
16.2.3 Install the CA root certificate
- Maintenance >> Security >> Trusted CA certificate
![](https://img.haomeiwen.com/i22515027/0ea1a55af8dc7c00.png)
16.2.4 Install the server certificate
- Maintenance >> Security >> Server certificate
![](https://img.haomeiwen.com/i22515027/ae4054da09d0a0c2.png)
16.3 Expressway-E
16.3.1 Request a server certificate
- Request a server certificate: generate the CSR file
- Maintenance >> Security >> Server certificate
![](https://img.haomeiwen.com/i22515027/defec809bf10585e.png)
![](https://img.haomeiwen.com/i22515027/a61a28b3d97ec66b.png)
![](https://img.haomeiwen.com/i22515027/93ffa2403aa7855b.png)
![](https://img.haomeiwen.com/i22515027/a8272676ac859984.png)
- In production, buy a public certificate on an annual basis.
- This is a lab environment, so it uses a free 3-month multi-domain public certificate from freessl.cn.
- Go to https://freessl.cn and log in.
![](https://img.haomeiwen.com/i22515027/d7fcc901a004d488.png)
![](https://img.haomeiwen.com/i22515027/d3004e734143e0d7.png)
- Temporarily add a TXT record for the public domain; it is used to prove ownership of the domain.
![](https://img.haomeiwen.com/i22515027/d295d9b69414aa02.png)
- Check the TXT record that was added.
![](https://img.haomeiwen.com/i22515027/f6844d42c91889cb.png)
- A few minutes after the TXT record has been added, verification can proceed. The CA checks the domain's TXT record and, once it matches, issues the certificate.
![](https://img.haomeiwen.com/i22515027/7e24e64a78c0f8e0.png)
- Copy the full contents of the "CA certificate", save it to a new text file, and change the file extension to .cer.
- Copy the full contents of the "certificate", save it to a new text file, and change the file extension to .cer.
![](https://img.haomeiwen.com/i22515027/808bb43b04a931ae.png)
- View the server certificate
![](https://img.haomeiwen.com/i22515027/b5f6f9b6bc7a9c81.png)
- Viewing the CA certificate shows that it is actually an intermediate CA certificate, so the CA root certificate still has to be exported from it.
![](https://img.haomeiwen.com/i22515027/bb90c236e5b4fe85.png)
16.3.2 Export the CA root certificate
![](https://img.haomeiwen.com/i22515027/6986243d6f5493ba.png)
![](https://img.haomeiwen.com/i22515027/6c1a902ea424b84d.png)
![](https://img.haomeiwen.com/i22515027/8e700aafbf678830.png)
![](https://img.haomeiwen.com/i22515027/1c07d648f697314c.png)
![](https://img.haomeiwen.com/i22515027/8eb9db111aa57e1e.png)
![](https://img.haomeiwen.com/i22515027/90177f0a8e51ac40.png)
![](https://img.haomeiwen.com/i22515027/28d5999e6e82b116.png)
- View the exported CA root certificate
![](https://img.haomeiwen.com/i22515027/d397608d5f2363db.png)
- View all certificates
![](https://img.haomeiwen.com/i22515027/8662d54ecc10ea5e.png)
16.3.3 Install the CA root certificate
- Import the CA root certificate
- Maintenance >> Security >> Trusted CA certificate
![](https://img.haomeiwen.com/i22515027/b0d52595d0f90c24.png)
- Import the intermediate CA certificate
![](https://img.haomeiwen.com/i22515027/4aa9956d07a0d286.png)
- Delete the root certificate that came bundled with the intermediate CA certificate (pay special attention to this step when using a public certificate).
- When Expressway imports an intermediate CA certificate, it also imports the root CA certificate contained in that file. This copy of the root is not actually needed (the real root CA certificate was imported in the previous step), and if it is not deleted, the subsequent server certificate import may fail.
![](https://img.haomeiwen.com/i22515027/84a774b354457c05.png)
16.3.4 Install the server certificate
- Maintenance >> Security >> Server certificate
16.4 Install the peer's CA root certificate
16.4.1 Expressway-C
- The root CA certificate and intermediate CA certificate are used to validate the server certificate on Expressway-E.
- Install the public CA root certificate
![](https://img.haomeiwen.com/i22515027/1824194e768898d1.png)
- Install the public intermediate CA certificate
![](https://img.haomeiwen.com/i22515027/813e1cd1d9eebe4d.png)
- Delete the root certificate contained in the intermediate CA certificate
![](https://img.haomeiwen.com/i22515027/b23da46b307532a9.png)
- Restart Expressway-C
- Maintenance >> Restart options
![](https://img.haomeiwen.com/i22515027/cc6d21b300026562.png)
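Both 16.3.3 and 16.4.1 hinge on the same check: the public intermediate CA file also carries a root, Expressway imports both, and the duplicated root has to be deleted. The Python script below is an added example (not code from the original post and not Cisco's) that makes that check explicit before anything is imported: it splits a PEM bundle, reads issuer and subject from the DER structure with a small pure-Python parser, flags self-signed entries (roots) and entries whose fingerprint is already in the trusted list, and proposes import or drop for each. It assumes you paste the PEM text of the certificates already in the Expressway trusted CA list and of the file you are about to import; the toy certificates at the bottom are constructed skeletons for offline testing only, not real certificates.

```python
"""Classify a CA bundle before importing it into an Expressway trust store.

Added example, not from the original post and not Cisco code. It mirrors the
step in 16.3.3 / 16.4.1: the public intermediate file usually also carries
the root; since the real root was imported separately, the copy riding
along with the intermediate is a duplicate and should be dropped.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"  # 2.5.4.3


def split_pem_bundle(text):
    """Return the DER bytes of every certificate in a PEM text."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Decode the TLVs contained in a SEQUENCE/SET value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _common_name(name):
    """CN of an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8", "replace")
    return "<no CN>"


def describe(der):
    """Subject CN, issuer CN, self-signed flag and SHA-256 fingerprint."""
    _, cert, _ = _tlv(der, 0)   # Certificate ::= SEQUENCE {tbsCertificate, sigAlg, signature}
    _, tbs, _ = _tlv(cert, 0)   # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:    # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]  # serial, sigAlg, issuer, validity, subject
    return {"subject": _common_name(subject), "issuer": _common_name(issuer),
            "self_signed": issuer == subject,
            "fingerprint": hashlib.sha256(der).hexdigest()}


def plan_import(trusted_pem, bundle_pem):
    """For each cert in bundle_pem decide 'import' or 'drop' against what is
    already in the trusted CA list: a fingerprint already trusted is the
    duplicated root the post says to delete."""
    trusted = {hashlib.sha256(d).hexdigest() for d in split_pem_bundle(trusted_pem)}
    plan = []
    for der in split_pem_bundle(bundle_pem):
        info = describe(der)
        info["already_trusted"] = info["fingerprint"] in trusted
        info["action"] = "drop" if info["already_trusted"] else "import"
        plan.append(info)
    return plan


# --- constructed test material: unsigned X.509 skeletons, not real certs ----
def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def toy_cert(subject_cn, issuer_cn):
    """Skeleton with only the fields describe() reads; the signature is empty."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_COMMON_NAME)
                                                      + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")            # v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + name(issuer_cn)
           + _der(0x30, _der(0x17, b"210101000000Z") + _der(0x17, b"310101000000Z"))
           + name(subject_cn) + _der(0x30, b""))                              # empty SPKI
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    root = to_pem(toy_cert("Toy Root CA", "Toy Root CA"))
    bundle = to_pem(toy_cert("Toy Intermediate CA", "Toy Root CA")) + root
    for e in plan_import(root, bundle):
        print(f"{e['action']:6} {e['subject']:22} issuer={e['issuer']:14} "
              f"self_signed={e['self_signed']} sha256={e['fingerprint'][:16]}...")
```

Run against the real files, the fingerprints in the output can be matched against the SHA-256 values Expressway shows on the Trusted CA certificate page, so the entry to delete after the intermediate import is identified by hash rather than by name.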
16.4.2 Expressway-E
- The root CA certificate is used to validate the server certificate on Expressway-C.
- Install the internal CA root certificate
![](https://img.haomeiwen.com/i22515027/f38ef5d368e65cdd.png)
- Restart Expressway-E
- Maintenance >> Restart options
17. Check Expressway status
17.1 Expressway-C
- Configuration >> Zones >> Zones
![](https://img.haomeiwen.com/i22515027/7b813d1f95c5aa57.png)
- Status >> Unified Communications status
17.2 Expressway-E
- Configuration >> Zones >> Zones
![](https://img.haomeiwen.com/i22515027/e5b1fe2b24e7357d.png)
- Status >> Unified Communications status
18. Configure DNS resolution
18.1 Internal DNS
- A records for the test.local domain
![](https://img.haomeiwen.com/i22515027/243dc14353799eb4.png)
- SRV records for the test.local domain
- Used when Jabber logs in on the internal network
![](https://img.haomeiwen.com/i22515027/7b1cee15bf998bc6.png)
- A record for the yuezq.com domain
- The peer in the Expressway-C traversal zone points to expe.yuezq.com, so the DNS server needs this A record.
![](https://img.haomeiwen.com/i22515027/cd1a0c777e9b7f4d.png)
- SRV records for the yuezq.com domain
- When Jabber logs in through MRA, Expressway-C queries the SRV records for yuezq.com.
![](https://img.haomeiwen.com/i22515027/95a4842848ee5f87.png)
- Reverse lookup records
- Generated automatically when the A records were created
![](https://img.haomeiwen.com/i22515027/c2cda1b277c6ad71.png)
18.2 Public DNS
![](https://img.haomeiwen.com/i22515027/b3ac3c9c538edb27.png)
19. Demonstration
- Log in to Jabber with test.local on the internal network
- Log in to Jabber with test.local on the external network (the internal login must happen first, then the external one)
- Log in to Jabber with yuezq.com on the internal network
- Log in to Jabber with yuezq.com on the external network
20. DNS query captures
20.1 Internal login
- DNS queries when Jabber logs in with test.local on the internal network, captured on the DNS server.
- 172.16.101.81 is the IP address of the internal Jabber client.
![](https://img.haomeiwen.com/i22515027/7ff492cc40e89a40.png)
20.2 External login
- DNS queries when Jabber logs in with test.local on the external network, captured on the DNS server.
- DNS queries when Jabber logs in with test.local on the external network, captured on the client.
References
- Configure Mobile and Remote Access through Expressway/VCS in a Multi-Domain Deployment
https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway-series/117811-configure-vcs-00.html