I’ve recently implemented Jabber Mobile and Remote Access in three different environments, each requiring a different deployment model.
In any scenario in which the Expressway E server has a single LAN interface, you will have to configure NAT reflection (hairpin NAT) on the firewall, because the Expressway E and Expressway C servers must communicate via the public IP address of the Expressway E. Without NAT reflection you will run into issues with the traversal client between E and C not coming up, or audio issues between the E and C servers.
- Expressway Core server is configured with a single network interface and IP address (192.168.1.11 below) on the internal network. The default gateway address can/should be the core layer 3 device for the subnet.
- Expressway Edge server is configured with a single network interface and IP address (192.168.1.10 below) on the internal network. The default gateway address must be the firewall as all traffic between Expressway C and Expressway E MUST be NAT’d to the public IP address of the Expressway E (18.104.22.168 below) server.
- The public IP address that will be used externally for Expressway E must be entered as the NAT address for the LAN1 interface in the Expressway E administration.
- The public IP address used externally for Expressway E must be configured on the firewall with a 1:1 (static) NAT to the internal network IP address (LAN1) of the Expressway Edge server.
Here are the sample commands needed on an ASA to configure NAT reflection for the Expressway servers. In the example below the inside network is called “inside”, the DMZ is called “dmz”, and the outside network is called “outside”. The DNS-Servers and NTP-Servers object groups referenced in the dmz_in rules are not shown and are assumed to already exist, and the access lists still have to be applied to their interfaces with access-group. Names and addresses may differ in your environment.
```
object network vcse-inside
 description Expressway E LAN1 address on the dmz (real, untranslated IP)
 host 192.168.1.10
object network vcse-outside
 description Public address of Expressway E; must match the static NAT below and the NAT address entered on the E
 host 22.214.171.124
object network vcsc-inside
 description Expressway C address on the inside network
 host 192.168.1.11
object service http-proxy-uds
 service tcp destination eq 8443
object service media
 service udp destination range 36002 59999
object service sip-signaling-tcp
 service tcp destination eq 5061
object service sip-signaling-udp
 service udp destination eq 5061
object service xmpp-imp
 service tcp destination eq 5222
object-group service JabberMRA-Ports
 service-object object http-proxy-uds
 service-object object media
 service-object object sip-signaling-tcp
 service-object object sip-signaling-udp
 service-object object xmpp-imp
access-list outside_in extended permit object-group JabberMRA-Ports any object vcse-inside
access-list dmz_in extended permit udp object vcse-outside object-group DNS-Servers eq domain
access-list dmz_in extended permit udp object vcse-outside object-group NTP-Servers eq ntp
access-list dmz_in extended permit ip object vcse-outside object vcsc-inside
object network vcse-inside
 nat (dmz,any) static 22.214.171.124
```
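As an added example (not part of the original post), the following script lints an ASA snippet of the shape shown above for the mistakes that produce the traversal and audio symptoms described earlier: an object an ACL references but never defines, a static NAT that is not scoped (dmz,any) and so never hairpins inside-to-E traffic, or a NAT address that differs from the public address object. SAMPLE_CONFIG and the object names vcse-inside, vcse-outside and vcsc-inside are taken from the post's configuration; the check logic is an assumption about how you would validate it, not Cisco tooling.

```python
"""Added example (not from the post): lint an ASA NAT-reflection snippet for
Expressway E/C. Reports objects an ACL references but never defines, a static
NAT that does not hairpin toward inside, or a mapped address that differs from
the public address object. SAMPLE_CONFIG is constructed from the post's values."""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
object network vcse-inside
 host 192.168.1.10
object network vcse-outside
 host 22.214.171.124
object network vcsc-inside
 host 192.168.1.11
access-list outside_in extended permit object-group JabberMRA-Ports any object vcse-inside
access-list dmz_in extended permit ip object vcse-outside object vcsc-inside
object network vcse-inside
 nat (dmz,any) static 22.214.171.124
"""


def parse_asa(config: str) -> Tuple[Dict[str, str], Dict[str, Tuple[str, str, str]], List[str]]:
    """Return network-object hosts, static NATs per object (real_if, mapped_if, addr), ACL object refs."""
    hosts, nats, refs, current = {}, {}, [], None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)  # entering (or re-entering) an object network block
        elif (m := re.match(r"\s+host (\S+)", line)) and current:
            hosts[current] = m.group(1)
        elif (m := re.match(r"\s+nat \((\S+),(\S+)\) static (\S+)", line)) and current:
            nats[current] = (m.group(1), m.group(2), m.group(3))
        elif line.startswith("access-list"):
            # "object X" only; "object-group X" is skipped because of the hyphen
            refs.extend(re.findall(r"\bobject (\S+)", line))
    return hosts, nats, refs


def check_reflection(config: str, edge="vcse-inside", public="vcse-outside") -> List[str]:
    """Return a list of problems; an empty list means the snippet is consistent."""
    hosts, nats, refs = parse_asa(config)
    problems = [f"object {r} is used by an ACL but never defined"
                for r in sorted(set(refs)) if r not in hosts]
    if edge not in nats:
        return problems + [f"no static NAT configured under object network {edge}"]
    real_if, mapped_if, mapped = nats[edge]
    if mapped_if != "any":  # (dmz,outside) alone never translates inside -> E
        problems.append(f"nat ({real_if},{mapped_if}) does not hairpin; use nat ({real_if},any)")
    if hosts.get(public) != mapped:
        problems.append(f"static NAT address {mapped} differs from {public} ({hosts.get(public)})")
    return problems
```

Run `check_reflection()` on your own `show running-config` excerpt; an empty list means the objects, ACL references and hairpin NAT agree.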