UC Certificate Nirvana | DigiCert Wildcard Plus

Nirvana?  Maybe not, but the DigiCert Wildcard Plus certificate is by far the best SSL certificate for Cisco Collaboration applications that I have used.  Yes, I know, most Cisco Collaboration applications do not officially support wildcard certificates, but the DigiCert Wildcard Plus product is much more than just a wildcard (*.customer.com).

For detailed information, see DigiCert's Wildcard Plus SSL Certificate product page.

Once Mr. Customer has purchased the DigiCert Wildcard Plus certificate, you will need to follow the outlined process to create duplicate server or Multi-SAN certificates.

  • Log in to the DigiCert customer portal and go to My Orders -> Manage Orders.
  • Click on the Order# that is specific to the WildCard Plus product.


  • You will now see the wildcard certificate that was purchased.  If the customer would like to use the wildcard itself, they can download it from this page.  You will also see a Reissue Actions section; it is used only to manage and modify the wildcard certificate.  The Duplicate button lets you make a duplicate certificate (add SANs), but you cannot change the Common Name, which stays *.customer.com.


  • I prefer to make a duplicate server or Multi-SAN certificate and remove the wildcard.  This requires some assistance from DigiCert support, which has been good so far.  You will need to add a custom note using the Add a Note text box on the right side of the customer portal.


  • In the Add a Note box, specify that you would like to remove the wildcard, change the Common Name (CN), list any additional Subject Alternative Names (SANs) that you need, and paste in the Certificate Signing Request (CSR).

Note: If this duplicate certificate is going to be Multi-SAN, state explicitly that they need to include the bare domain as a SAN.  This was the only issue I have had so far.  I was thinking they would add the domain as a SAN by default, but that was not the case.

This is a sample of what you should include in the note:

This is a multi-SAN CSR. I need the following, and please make sure the domain name is specified as a SAN.
Remove wildcard
Change CN= ucm1.customer.com
Add SANs= ucm2.customer.com, con1.customer.com, con2.customer.com, imp1.customer.com, imp2.customer.com, customer.com
-----BEGIN CERTIFICATE REQUEST-----
CSR goes here.
-----END CERTIFICATE REQUEST-----

  • Now that you have submitted the duplicate certificate request, you must contact DigiCert Support to have them generate the new certificate.  I have done this by sending them an email, by phone, or by using the chat feature on their customer portal.  Once they have generated the new certificate it will be posted to the customer portal for download under the Download Duplicate Certificates section.


  • Rinse and Repeat!
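As an added example (not from the original post), this builds the Multi-SAN CSR that the note above asks DigiCert to sign and then checks the one thing that bit me: that the bare domain is actually present as a SAN. The hostnames are the post's sample names; the working directory, organization field and key size are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): build the Multi-SAN CSR the note above
# asks DigiCert to sign, then verify the bare domain really is a SAN.
# Hostnames are the post's sample names; paths, org and key size are assumptions.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="ucm1.customer.com"
# Every name from the note, bare domain included (the one DigiCert did not add by default).
NOTE_SANS="ucm2.customer.com con1.customer.com con2.customer.com imp1.customer.com imp2.customer.com customer.com"

# make_csr NAME "san1 san2 ..." -> writes $WORKDIR/NAME.key and $WORKDIR/NAME.csr, prints the CSR path.
# The CN is repeated in the SAN list because clients ignore the CN once a SAN extension is present.
make_csr() {
    san_list="DNS:$CN"
    for n in $2; do san_list="$san_list,DNS:$n"; done
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" \
        -subj "/C=US/O=Customer Inc/CN=$CN" \
        -addext "subjectAltName=$san_list" >/dev/null 2>&1
    echo "$WORKDIR/$1.csr"
}

# list_sans FILE -> one "DNS:name" per line. To check the certificate DigiCert
# issued, use "openssl x509 -in cert.pem" in place of "openssl req -in".
list_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//'
}

# has_domain_san FILE -> exit 0 only if the bare domain is present as a SAN.
has_domain_san() {
    list_sans "$1" | grep -qx "DNS:customer.com"
}
```

Run the same check against the certificate posted under Download Duplicate Certificates before installing it on CUCM, so a missing domain SAN is caught before the reissue.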

Oh yeah, drink the Kool-Aid…


Expressway Single NIC | ASA NAT Reflection

This is a working configuration for a customer that required both Expressway-C and Expressway-E (single NIC) to be on the same internal VLAN.  In order for this configuration to work, traffic from Expressway-C to Expressway-E must be sent to the public IP address of the Expressway-E.  Also, traffic from Expressway-E to Expressway-C must be sourced from the Expressway-E public IP address, which is configured as a static NAT on the ASA.

The ASA configuration requires two public IP addresses, one for the Expressway-C and one for the Expressway-E.  The public IP addresses are used for NAT reflection and, for the Expressway-E, also for external access.

MRA, B2B, and XMPP Federation worked as expected; I was actually quite surprised that I did not run into any oddities.  Obviously, this is not the preferred nor supported architecture for deploying Expressway, but it is nice to have something in your back pocket besides your magic wand.

Note:  This does create additional network overhead as communication from Expressway-C to Expressway-E and Expressway-E to Expressway-C MUST traverse the ASA.  If all traffic does not traverse the ASA, asymmetric routing and other communication issues will occur resulting in a non-working solution.

Oh yeah, drink the Kool-Aid…


ASA Configuration

Configure ASA to allow traffic to hairpin the same interface:

same-security-traffic permit intra-interface

Configure network objects for Expressway-C & Expressway-E:

object network EXPC1-IN
 host 172.16.0.18
object network EXPC1-OUT
 host 1.1.1.51
object network EXPE1-IN
 host 172.16.0.19
object network EXPE1-OUT
 host 1.1.1.50

Configure service group for ports allowed into Expressway-E (modify ports as needed):

object-group service EXPE1
 service-object tcp destination eq 8443
 service-object tcp destination eq 5222
 service-object tcp destination eq 5269
 service-object tcp destination range sip 5061
 service-object udp destination eq sip
 service-object udp destination range 36000 59999
 service-object tcp destination eq h323
 service-object tcp destination eq 2776
 service-object tcp destination range 15000 19999
 service-object udp destination eq 3478
 service-object udp destination range 24000 29999
 service-object tcp destination eq https

Configure access-list to open ports into Expressway-E:

access-list outside_access_in extended permit object-group EXPE1 any object EXPE1-IN

Configure NAT Reflection for Expressway-C & Expressway-E:

nat (INSIDE,INSIDE) source static EXPC1-IN EXPC1-OUT destination static EXPE1-OUT EXPE1-IN
nat (INSIDE,INSIDE) source static EXPE1-IN EXPE1-OUT destination static EXPC1-OUT EXPC1-IN

Configure static NAT for Expressway-E (static NAT for Expressway-E only):

object network EXPE1-IN
 nat (INSIDE,OUTSIDE) static 1.1.1.50
