Edge deployment without _sip._tls SRV record

  • Question

  • We're going to deploy a single site edge topology to go with our existing enterprise pool to enable remote access, federation, external Live Meeting... all the good stuff.

    The problem with the _sip._tls SRV record is that it's a little too generic for us: we have future plans to enable ENUM with our Cisco Call Manager to enable VoIP to VoIP with other organisations over the internet rather than dropping off to PSTN.

    I can see a couple of workarounds for this:

    1) Add some sort of SIP router in (much like an SMTP mail relay) that routes appropriate OCS SIP traffic to the edge servers. I foresee major problems with this, not least if TLS encryption has to be unpicked and then re-encrypted again.

    2) Cross fingers, there's an alternative to deploying the _sip._tls SRV record! I've noticed that the MOC client will look for "sipexternal.domain.com" A records: will this suffice? (We have no issue with deploying the _sipfederationtls SRV record btw).

    Another question with this latter option is: if we do create a _sip._tls SRV record at a later date for a totally different purpose, how will the MOC client feel about it? Will it try and connect to the service, discover it's not OCS, then move onto the next DNS record in its list?

    Many thanks in advance,

    Alex

    Wednesday, June 11, 2008 5:17 PM

Answers

  • You don't have to use a SRV record, a simple A (or CNAME) record can be used.  Take a look at this blog entry for some detail on how the client attempts to locate the server via name lookups:

    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=14

    You could simply use one of the other name formats as an A record to leverage Automatic Configuration.

    Thursday, June 12, 2008 4:56 AM
    Moderator
  • No...you don't need a sip.mydomain.com record.  This is used for autologin of the clients (it will fallback to this if all the others fail...for example, if you don't have the SRV record).

    In any case, you'd need a SAN with it along with whatever name your SRV record on the certificate with "sip.mydomain.com" as the 2nd name.

    All of this is just default behavior for the client for autologon in any case.  You can always manually enter (or script for that matter) the record you wish the client to use if the autologon doesn't work.

    Cheers.

    - Steve

    Thursday, June 12, 2008 11:16 AM

All replies

  • Not sure what you mean here.  SRV record being too generic?  There is one for internal, one for external.

    _sipinternaltls._tcp.<domain>.<internal>  is what it looks for internally.

    _sipinternal._tcp is what it looks for for TCP internally.

    _sip._tls.<domain>.com   => port 443  =>  ExIm.<domain>.com    is for external connections.

    ----

    Where <domain> are your sip domains (you can have multiple records).   This is so the clients can auto-find the server without any configuration.

    They also look for "sip.<domain>.com" as well  (so you can have a SAN with both ExIm.<domain>.com and sip.<domain>.com to accommodate for either).

    What gets me is why, if the client FINDS the SRV record, does it still look at 5061 first - when it knows it is external and the recommendation is to look for 443  when looking for the ABS server...(using the externalwebfarm FQDN).

    So you get to wait 2 minutes for it to figure out it needs to try 443.   (Will have to play with that...)

    ---

    Then again, maybe I'm missing your point altogether...

    Cheers.

    - Steve

    Wednesday, June 11, 2008 5:58 PM
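    As an added illustration (not code from the thread or from the OCS client), the lookup order Steve describes can be modelled against a constructed DNS table that reproduces Alex's worry: _sip._tls already points at a non-OCS SIP host, while the edge is reachable via the sipexternal A record. The zone data, the host list that stands in for a live probe, and the exact candidate order are assumptions; the SAN check reflects the certificate requirement raised in the answers.

    ```python
    from typing import Dict, List, Optional, Tuple

    # Constructed DNS zone (assumption): _sip._tls is taken by a non-OCS SIP
    # service, the edge answers on sipexternal/sip, the pool answers internally.
    DNS_ZONE: Dict[str, Dict[str, object]] = {
        "SRV": {
            "_sip._tls.example.com": ("cucm.example.com", 5061),
            "_sipinternaltls._tcp.example.com": ("pool01.example.com", 5061),
        },
        "A": {
            "cucm.example.com": "203.0.113.10",
            "sipexternal.example.com": "203.0.113.20",
            "sip.example.com": "203.0.113.20",
            "pool01.example.com": "192.0.2.5",
        },
    }
    # Hosts that actually speak OCS SIP/TLS; stands in for connecting and checking.
    OCS_HOSTS = {"sipexternal.example.com", "sip.example.com", "pool01.example.com"}

    def lookup_order(sip_domain: str, external: bool) -> List[Tuple[str, str, int]]:
        """Records the client tries, in order: SRV first, then A-record fallbacks.
        The order follows the thread and is a model, not the client's own logic."""
        if external:
            return [("SRV", f"_sip._tls.{sip_domain}", 443),
                    ("A", f"sipexternal.{sip_domain}", 443),
                    ("A", f"sip.{sip_domain}", 443)]
        return [("SRV", f"_sipinternaltls._tcp.{sip_domain}", 5061),
                ("SRV", f"_sipinternal._tcp.{sip_domain}", 5060),
                ("A", f"sip.{sip_domain}", 5061)]

    def discover(sip_domain: str, external: bool, zone=DNS_ZONE,
                 ocs_hosts=OCS_HOSTS) -> Optional[Tuple[str, int]]:
        """Return (host, port) of the first candidate that resolves and is OCS."""
        for rtype, name, default_port in lookup_order(sip_domain, external):
            if rtype == "SRV":
                rec = zone["SRV"].get(name)
                if rec is None:
                    continue               # record absent: try the next candidate
                host, port = rec
            else:
                if name not in zone["A"]:
                    continue
                host, port = name, default_port
            if host in ocs_hosts:          # a non-OCS target is skipped, not used
                return host, port
        return None                        # autologon fails; configure manually

    def san_covers(host: str, sans: List[str]) -> bool:
        """The edge certificate must list every name a client may connect by."""
        return host.lower() in {s.lower() for s in sans}
    ```

    With this table the external client ends up on sipexternal, so that name must appear in the edge certificate's SAN list alongside the SRV target and sip.<domain>.
    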
  • Cheers for the reply!

    I think my point was that _sip._tls is not just an OCS specific SRV record - it can be used to advise other SIP services (like in our case CUCM). So, if I point _sip._tls at my Access Edge Server, I can't then use CUCM VoIP as I want (and vice versa).

    Hence, my question about not using the SRV record at all... Also: is the A record for the FQDN of the access edge,  sip.domain.com, really required (i.e. can I just get away with sipexternal.domain.com)? Again, it seems a little cheeky to want such a generic name for a server...

    [Update] Perhaps I can explain myself with: assume that _sip._tls.mydomain.com is already taken and advertising a different, non OCS, service.

    Wednesday, June 11, 2008 7:13 PM
  • That's really useful, thanks.

    • Does that also mean that I don't have to have the "sip.mydomain.com" A record?
    • If I do have a non OCS SIP service listening on _sip._tls will this cause problems with client auto config?

    Cheers,

    Alex

    Thursday, June 12, 2008 7:41 AM
  • That's great - thanks everyone!

    Thursday, June 12, 2008 11:21 AM
  • Is it that I need to configure the SRV record in the Active Directory DNS or somewhere else?
    Friday, June 13, 2008 3:37 AM
  • Depends.

    Internal SRV records - on your AD DNS server

    External SRV records - on your External DNS server.

    _sipinternaltls._tcp.<mydomain>.<internal sip domain> is for internal users only

    _sip._tls.<mydomain>.<external sip domain> is for your external users.

    Cheers.

    - Steve

    Friday, June 13, 2008 11:13 AM
  • I don't understand "_sip._tls.<mydomain>.<external sip domain> is for your external users".

    Does the external user refer to public IM users, or to users who have an OCS username and reside outside the network?
    Friday, June 13, 2008 6:22 PM
  • Remote Users I'm referring to, not Public IM (MSN / Yahoo /etc),  or Federated users.

    Cheers.

    - Steve

    Saturday, June 14, 2008 6:06 PM