Assign separate IP addresses to the Expressway-C and the Expressway-E. Do not use a shared address for both elements, as the firewall cannot distinguish between them.

The ideal scenario for MRA is to have a single domain with a split DNS configuration, and this is the recommended approach. This is not always possible, so there are some other approaches to deal with various alternative scenarios.

Note	The domain to which the calls are routed must match with the MRA domain to which the endpoints were registered. For example, if endpoints are registered with the domain exp.example.com, the calls must be routed to this domain, and it must not be routed to the domain cluster1.exp.example.com.

Single Domain with Split DNS - Recommended

A single domain means that you have a common domain (example.com) with separate internal and external DNS servers. This allows DNS names to be resolved differently by clients on different networks depending on DNS configuration, and aligns with basic Jabber service discovery requirements.

Dual Domain without Split DNS

From X12.5, the Cisco Expressway Series supports the case where MRA clients use an external domain to lookup the _collab-edge SRV record, and the _cisco-uds SRV record for that same external domain cannot be resolved by the Expressway-C. This is typically the case when split DNS is not available for the external domain. And prior to X12.5 this required a pinpoint subdomain or some other DNS workaround on the Expressway-C, to satisfy the client requirements for resolving the _cisco-uds record.

Limitation: This case is not supported for Unified CM nodes identified by IP addresses, only for FQDNs.

This feature also supports a secondary case, for MRA deployments that only allow Jabber access over MRA even if users are working on-premises. In this case only one domain is required and typically the DNS records are publicly resolvable (although this is not required if MRA access is disallowed for users when off premises). The change in X12.5 means that there is no need to have a _cisco-uds._tcp.<external-domain> DNS SRV record available to Cisco Expressway-C or to the Jabber clients.

Single Domain without Split DNS

Deployments that require Jabber clients to always connect over MRA also benefit from the X12.5 update that no longer requires the Expressway-C to resolve the _cisco-uds DNS SRV record. So administrators only need to configure the _collab-edge DNS SRV record, and Jabber clients using service discovery will only have the option of connecting over MRA.

URL for Cisco Meeting Server Web Proxy and MRA domain cannot be the same

If you use both the CMS Web Proxy service and MRA on the same Expressway, the following configuration items must be assigned different values per service. If you try to use the same value, the service that was configured first will work, but the other one will fail:

• MRA domain(s). The domain(s) configured on Expressway and enabled for Unified CM registration

• CMS Web Proxy URL link. Defined in the Expressway "Guest account client URI" setting on the Expressway > Configuration > Unified Communications > Cisco Meeting Server page.

Multiple External Domains for Mobile and Remote Access

Cisco Expressway supports Mobile and Remote Access with multiple external domains. With this deployment, you will have more than one external domain where your MRA clients may reside. Expressway-E must be able to connect to all of them. To configure this deployment, do the following:

For Expressway-E:

• Configure your external DNS with two or more entries for the _collab_edge SRV record. The record must point to both Expressway-E hostname and domains. For example:

  Expressway-E.hostname.domain1

  Expressway-E.hostname.domain2

• For the Certificate Signing Request, include both Expressway-E FQDNs.

For Expressway-C:

• For internal DNS, add A and PTR records that point to both Expressway-E FQDNs. Add these records to all Expressway-C nodes.

• Configure the _cisco_uds SRV record for every domain to point to your Unified Communications Manager clusters.

• On the Domains page of Expressway-C, add each of the internal domains that point to the Unified Communications Manager cluster.

• Ensure that the relevant ports are configured on your firewalls between your internal network (where the Expressway-C is located) and the DMZ (where the Expressway-E is located) and between the DMZ and the public internet.

  No inbound ports are required to be opened on the internal firewall. The internal firewall must allow the following outbound connections from Expressway-C to Expressway-E: SIP: TCP 7001; Traversal Media: UDP 2776 to 2777 (or 36000 to 36011 for large VM/appliance); XMPP: TCP 7400; HTTPS (tunneled over SSH between C and E): TCP 2222.

  The external firewall must allow the following inbound connections to Expressway: SIP: TCP 5061; HTTPS: TCP 8443; XMPP: TCP 5222; Media: UDP 36002 to 59999.

  For more information, see Cisco Expressway IP Port Usage Configuration Guide, for your version, on the Cisco Expressway Series configuration guides page.

• Do not use a shared address for the Expressway-E and the Expressway-C, as the firewall cannot distinguish between them. If you use static NAT for IP addressing on the Expressway-E, make sure that any NAT operation on the Expressway-C does not resolve to the same traffic IP address. We do not support shared NAT addresses between Expressway-E and Expressway-C.

• The traversal zone on the Expressway-C points to the Expressway-E through the Peer address field on the traversal zone, which specifies the address of the Expressway-E server.

  • For dual NIC deployments, you can specify the Expressway-E address using a FQDN that resolves to the IP address of the internal interface. With split DNS you can optionally use the same FQDN as is available on the public DNS. If you don't use split DNS you must use a different FQDN.

  • For single NIC with static NAT (this deployment is NOT recommended), you must specify the Expressway-E address using a FQDN that resolves to the public IP address. This also means that the external firewall must allow traffic from the Expressway-C to the external FQDN of the Expressway-E. This is known as NAT reflection, and may not be supported by all types of firewalls.

For more information, see the "Advanced networking deployments" appendix in the Expressway Basic Configuration (Expressway-C with Expressway-E) Deployment Guide

The Maximum Session Bit Rate for Video Calls on the default region on Cisco Unified Communications Manager is 384 kbps by default. The Default call bandwidth on Expressway-C is also 384 kbps by default. These settings may be too low to deliver the expected video quality for MRA-connected devices.

Note	If you are using an IM&P server that is earlier than 11.5(1)SU3, make sure the minimum TLS version for the XMPP service is 1.0 (on newer Expressway installations the default is TLS 1.2). Instructions for configuring TLS versions and cipher suites are in the Expressway Administrator Guide.

Ensure that the Cisco AXL Web Service is active on the IM and Presence Service publishers that discovers other IM and Presence Service nodes for remote access. To check this, select the Cisco Unified Serviceability application and go to Tools > Service Activation.

If you are deploying Mobile and Remote Access with multiple IM and Presence Service clusters, you must configure Intercluster peer links between the clusters, and the Intercluster Sync Agent (ICSA) must be active on all clusters. This ensures that the user database is replicated between clusters, allowing Expressway-C to correctly route XMPP traffic.

For details of the correct configuration, refer to the chapter "Intercluster Peer Configuration" in Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager. You can find the correct document for your version at http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-installation-and-configuration-guides-list.html.