Collab Edge / Jabber

Collab Edge for Jabber MRA – NAT Reflection

- by Admin User

I’ve recently implemented Jabber Mobile and Remote Access in three different environments, each requiring a different deployment model.

Any scenario in which the Expressway E server has a single LAN interface, you will have to configure NAT reflection on the firewall, as the E and C servers must communicate via the public IP address of the E server. Without NAT reflection you’ll run into issues with the traversal client between E and C not coming up, or audio issues between the E and C servers.

  • Expressway Core server is configured with a single network interface and IP address (192.168.1.11 below) on the internal network. The default gateway address can/should be the core layer 3 device for the subnet.
  • Expressway Edge server is configured with a single network interface and IP address (192.168.1.10 below) on the internal network. The default gateway address must be the firewall as all traffic between Expressway C and Expressway E MUST be NAT’d to the public IP address of the Expressway E (12.12.1.10 below) server.
  • The public IP address that will be used externally for Expressway E must be entered as the NAT address for the LAN1 interface in the Expressway E administration.
  • The external IP address that will be used externally for Expressway E must be configured on the firewall with 1:1 NAT to the internal network IP address (LAN1) of the Expressway Edge server.

 

Here are the sample commands needed on an ASA to configure NAT reflection for the Expressway servers.  In the example below, the inside network is called “inside”, the DMZ is called “dmz”, and the outside network is called “outside”.  This may differ in your environment.

object network vcse-inside
host 192.168.1.10
object network vcse-outside
host 12.12.1.10
object network vcsc-inside
host 192.168.1.11

object service http-proxy-uds
service tcp destination eq 8443
object service media
service udp destination range 36002 59999
object service sip-signaling-tcp
service tcp destination eq 5061
object service sip-signaling-udp
service udp destination eq 5061
object service xmpp-imp
service tcp destination eq 5222

object-group service JabberMRA-Ports
service-object object http-proxy-uds
 service-object object media
 service-object object sip-signaling-tcp
 service-object object sip-signaling-udp
 service-object object xmpp-imp

access-list outside_in extended permit object-group JabberMRA-Ports any object vcse-inside

access-list dmz_in extended permit udp object vcse-outside object-group DNS-Servers eq domain
access-list dmz_in extended permit udp object vcse-outside object-group NTP-Servers eq ntp
access-list dmz_in extended permit ip object vcse-outside object vcsc-inside

object network vcse-inside
nat (dmz,any) static 12.12.1.10

Related Posts

Jabber client configuration file local cache

Collab Edge for Jabber MRA – DNS

Collab Edge for Jabber MRA – Certificates

About Admin User

View all posts by Admin User →

Leave a Reply

Your email address will not be published. Required fields are marked *