
MOBILE AND REMOTE ACCESS

Jabber over MRA

Kontron Hungary Kft.


2040 Budaörs,
Puskás Tivadar út 14.
+36 1 371 8000
www.kontron.hu

MOL

Issue date: 6/26/2023


Mobile and remote access | Jabber over MRA

DOCUMENT DATASHEET
Title: Mobile and remote access
Subtitle: Jabber over MRA
Version: 1.0
Status: Draft
Issue date: 2023. 06. 26.
Company: MOL
CRM ID: HU-2023-1234
Project ID: 17E23_01234
File name: Document2
Created by: Molnar Zsolt
Reviewed by:
Manager: [Superior]

VERSION HISTORY
Version no. | Change date | Change type | Changed by
1.0 | 2023. 06. 26. | First draft | Kontron

© Contents of this document may only be studied by persons properly authorized by MOL. The contents of this document, or any
information that, if disclosed, would have an adverse effect on, or would cause the negative judgement of, or would violate or jeopardize
the business interests of Kontron Hungary Ltd. / Kontron Operations Hungary Ltd. or any other entity in connection with it, must be
handled as trade secret and must not be disclosed to unauthorized persons. Selling, copying or using this document as a whole or in
part, or any other way of commanding this document can only be done with an explicit advance written permit from Kontron Hungary
Ltd. / Kontron Operations Hungary Ltd. Names and trademarks, as well as related products mentioned in this document are registered
trademarks of the manufacturing/distributing companies, and are protected by law. The contents of this document must be held as
trade secrets by MOL or the person authorized by them indefinitely.

2023. 06. 26. | version: 1.0 | page 2/13



DOCUMENT ACCEPTANCE CERTIFICATE


Title: Mobile and remote access
Version: 1.0
Name:
Title:
Company:
Signature:
Date:



Table of Contents
1 Preamble 5
1.1 Purpose and scope of the document 5
1.2 Audience 5
2 Current system 5
2.1 Current system access via VPN 5
2.2 Current services 5
2.3 New system access via Mobile and Remote Access (MRA) 5
2.4 Connections of new system 6
2.5 Protocol Summary 6
2.6 Enable call recording over MRA 7
2.7 Enable the agent device selection 7
3 Topology at MOL 7
4 Mandatory DNS and SRV records 8
4.1 External records 8
4.2 Internal records 9
5 Mobile and Remote Access port usage 10
5.1 Overview of an MRA connection in general 10
5.2 MRA port reference 11
6 Appendix 13


1 PREAMBLE
1.1 Purpose and scope of the document

The purpose of this document is to give a basic picture of the MRA technology and to describe the implementation of the solution in detail as specified for MOL's environment. The document discusses the topology of the solution and its key components. It also describes the required DNS and SRV record configuration and summarizes the ports and protocols used between the different components of the system.

1.2 Audience

The audience of this document is the system engineers and security team members of MOL.

2 CURRENT SYSTEM
2.1 Current system access via VPN
The following diagram gives a basic overview of the current system elements when a remote worker accesses the IP telephony system functions.

1. Figure - Topology of the current system from the remote worker's perspective via VPN

2.2 Current services


Currently the remote workers access the telephony features via softphones (Cisco IP Communicator/Cisco Jabber) installed on their laptops. These remote workers connect to the corporate network via the Cisco AnyConnect VPN client.

2.3 New system access via Mobile and Remote Access (MRA)
The Cisco AnyConnect VPN solution will be replaced by the Zscaler Zero Trust solution, which changes how remote users reach the corporate network. Because Zscaler does not trust server-to-client network traffic, remote workers experienced problems with the audio streams during testing, including one-way audio. To resolve this issue, remote users can connect to the IP telephony system via Cisco's VPN-less Mobile and Remote Access (MRA) solution. The following figure shows the basic topology of the solution.

2. Figure - Topology of the system from the remote worker's perspective via MRA

In this new setup the remote workers reach the corporate IP telephony resources via the Cisco Expressway servers. These servers are already an active part of the topology: they provide access for Business-to-Business video calls from the Cisco video conference endpoints and also provide the MRA function for a limited number of users working from remote locations.

2.4 Connections of new system


As mentioned earlier, all the components needed for the MRA solution already exist in MOL's environment; no new components need to be installed. The Expressway-E servers are placed in MOL's DMZ network and provide connectivity to the remote workers on the public internet and to the Expressway-C servers via a secure tunnel. The Expressway-C servers provide the direct connection to the IP telephony system.

Cisco Unified Communications Mobile and Remote Access is a core part of the Cisco Collaboration Edge
Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning,
messaging, and presence services provided by Cisco Unified Communications Manager (Unified CM) when the
endpoint is not within the enterprise network. The Expressway provides secure firewall traversal and line-side
support for Unified CM registrations.

2.5 Protocol Summary


The following table lists the protocols and associated services used in the Unified Communications solution.

Protocol | Security | Services
SIP | TLS | Session establishment - Register, Invite etc.
HTTPS | TLS | Logon, provisioning, configuration, directory, Visual Voicemail
Media | SRTP | Media - audio, video, content sharing
XMPP | TLS | Instant Messaging, Presence, Federation

Table 1. Protocols and Associated Services


2.6 Enable call recording over MRA


Call recording will be enabled for the remote workers over MRA. The current components of the system support Built-in Bridge type call recording for remote workers. The recording traffic must be allowed on the firewalls between the recording servers and the Expressway-C servers.

2.7 Enable the agent device selection


A new feature will be enabled on the Call Center side to allow the remote worker agents to select which device
they want to use in the Call Center (desk phone/softphone).

3 TOPOLOGY AT MOL
The following figure gives an overview of the solution in MOL's network environment.

3. Figure - Topology of the solution in MOL's environment


4 MANDATORY DNS AND SRV RECORDS


This section describes the mandatory DNS entries that have to be available on the public internet and on MOL's internal network, and explains the SRV records that need to be configured for the solution to work.

When an end user tries to connect to MOL's telephony system, the Jabber client queries the following SRV records in order during the login process:

1. _cisco-uds._tcp.mol.hu
2. _cuplogin._tcp.mol.hu
3. _collab-edge._tls.mol.hu

If the Jabber client cannot resolve the first two SRV records, the user is outside the corporate network, and the client then tries to resolve and connect via the third SRV record.
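The lookup order above, written out as an added example (not code from the original document or from Cisco): the resolver is injected, so the constructed in-memory zone views below stand in for the internal and external DNS, and the check that the _collab-edge target is an FQDN follows from the external-record requirement described in the next section.

```python
import ipaddress
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

# Query order as stated in this document: the two internal records first,
# then the external _collab-edge record.
JABBER_SRV_ORDER = ("_cisco-uds._tcp", "_cuplogin._tcp", "_collab-edge._tls")

def is_fqdn(name: str) -> bool:
    """The _collab-edge target must be a hostname, not an IP literal: the
    client needs the FQDN to use the cookie that Expressway-E provides."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return False
    except ValueError:
        return "." in name.strip(".")

def discover(domain: str, resolve: Callable[[str], List[SrvRecord]]) -> Tuple[str, Optional[SrvRecord]]:
    """Walk the SRV records in Jabber's order and return
    ('internal' | 'mra' | 'none', chosen record)."""
    for service in JABBER_SRV_ORDER:
        records = resolve(f"{service}.{domain}")
        if not records:
            continue
        # RFC 2782 selection: lowest priority first, higher weight preferred
        best = sorted(records, key=lambda r: (r.priority, -r.weight))[0]
        if service.startswith("_collab-edge"):
            if not is_fqdn(best.target):
                raise ValueError(f"_collab-edge target must be an FQDN: {best.target!r}")
            return "mra", best
        return "internal", best
    return "none", None

# Constructed zone views mirroring the records listed in this document.
# A real client issues DNS queries instead (e.g. dnspython's dns.resolver).
EXTERNAL_VIEW: Dict[str, List[SrvRecord]] = {
    "_collab-edge._tls.mol.hu": [SrvRecord(0, 0, 8443, "video1.mol.hu"),
                                 SrvRecord(0, 0, 8443, "video.mol.hu")],
}
INTERNAL_VIEW: Dict[str, List[SrvRecord]] = {
    **EXTERNAL_VIEW,
    "_cisco-uds._tcp.mol.hu": [SrvRecord(0, 0, 8443, "ipt-bp-cm-1.mol.hu"),
                               SrvRecord(0, 0, 8443, "ipt-szhbatta-1.mol.hu")],
    "_cuplogin._tcp.mol.hu": [SrvRecord(0, 0, 8443, "ipt-bp-cup-1.mol.hu")],
}

def lookup_in(view: Dict[str, List[SrvRecord]]):
    """Resolver backed by an in-memory view (stands in for DNS)."""
    return lambda name: view.get(name, [])
```

Running discover("mol.hu", ...) against the internal view selects the _cisco-uds record, while the external view falls through to _collab-edge and returns the MRA entry point.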

4.1 External records


The following table lists the SRV record that must be provisioned on external name servers as part of the configuration for Expressway Mobile and Remote Access:

Service Record | Description
_collab-edge | Provides the location of the Cisco VCS Expressway or Cisco Expressway-E server. You must use the fully qualified domain name (FQDN) as the hostname in the SRV record. The client requires the FQDN to use the cookie that the Cisco VCS Expressway or Cisco Expressway-E server provides.

4. Figure - External service record

The following is an example of the _collab-edge SRV record:

_collab-edge._tls.mol.hu SRV service location:


priority =0
weight =0
port = 8443
svr hostname = video1.mol.hu

_collab-edge._tls.mol.hu SRV service location:


priority =0
weight =0
port = 8443
svr hostname = video.mol.hu


4.2 Internal records


Service Record | Description
_cisco-uds | Provides the location of Cisco Unified Communications Manager version 9 and higher.
_cuplogin | Provides the location of Cisco Unified Presence.

5. Figure - Internal service record

_cisco-uds._tcp.mol.hu SRV service location:


priority =0
weight =0
port = 8443
svr hostname = ipt-bp-cm-1.mol.hu

_cisco-uds._tcp.mol.hu SRV service location:


priority =0
weight =0
port = 8443
svr hostname = ipt-szhbatta-1.mol.hu

_cisco-uds._tcp.mol.hu SRV service location:


priority =0
weight =0
port = 8443
svr hostname = ipt-tiszaujv-cm-2.mol.hu

_cuplogin._tcp.mol.hu SRV service location:


priority =0
weight =0
port = 8443
svr hostname = ipt-bp-cup-1.mol.hu

_cuplogin._tcp.mol.hu SRV service location:


priority =0
weight =0
port = 8443
svr hostname = ipt-szhbatta-cup-1.mol.hu


5 MOBILE AND REMOTE ACCESS PORT USAGE


This section describes the ports that must be opened for the solution to work.

5.1 Overview of an MRA connection in general


The following figure shows the ports used when a client connects to the corporate network via MRA.

6. Figure - MRA connection overview


5.2 MRA port reference


This section lists the ports between the Expressway-E servers and the clients that must be accessible. It also describes the ports that need to be opened between the Expressway servers (C and E) and the connections that must be allowed between the on-premises infrastructure and the Expressway-C servers.

Purpose | Src. IP | Src. Ports | Protocol | Dest. IP | Dest. Ports
UDS (phonebook and provisioning) | Off-premises endpoint | 1024-65535 | TLS | Expressway-E Public IP | 8443
SIP signaling | Off-premises endpoint | 1024-65535 | TLS | Expressway-E Public IP | 5061
RTP/RTCP media | Off-premises endpoint | 1024-65535 | UDP | Expressway-E Public IP | 36000-59999
RTP/RTCP media | Expressway-E Public IP | 36000-59999 | UDP | Off-premises endpoint | 1024-65535
XMPP (IM and Presence) | Off-premises endpoint | 1024-65535 | TCP | Expressway-E Public IP | 5222
TURN control (ICE passthrough) | Any IP address (signaling port from endpoint or the firewall) | >=1024 | UDP | Expressway-E | 3478-3483
TURN media (ICE passthrough) | Any IP address | >=1024 | UDP | Expressway-E | 24000-29999

7. Figure - Connections Between Off-premises Endpoints and the Expressway-E
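As an added example (not part of the original document), the rows of the Expressway-E table above are encoded below so that a proposed flow can be checked against the MRA port matrix before a firewall rule is written; the zone labels are constructed names, and the port-spec parser also accepts the ">=1024", "443 or 8443" and "Ephemeral" notations used in the other tables of this section.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse port specs as written in the tables: '8443', '36000-59999',
    '>=1024', '443 or 8443' and 'Ephemeral' (treated as 1024-65535)."""
    spec = spec.strip()
    if spec.lower() == "ephemeral":
        return [(1024, 65535)]
    if spec.startswith(">="):
        return [(int(spec[2:]), 65535)]
    ranges = []
    for part in spec.split(" or "):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

@dataclass(frozen=True)
class Rule:
    """One row of the port matrix; zone names are constructed labels."""
    purpose: str
    src: str
    src_ports: str
    proto: str
    dst: str
    dst_ports: str

    def permits(self, src, sport, proto, dst, dport) -> bool:
        def in_ranges(port, spec):
            return any(lo <= port <= hi for lo, hi in parse_ports(spec))
        # TLS rows ride on TCP, so a TCP flow to a TLS port is the same rule;
        # "Any IP address" rows (TURN) accept any source zone.
        protos = {"tls", "tcp"} if self.proto == "TLS" else {self.proto.lower()}
        return (self.src in (src, "Any IP address") and self.dst == dst
                and proto.lower() in protos
                and in_ranges(sport, self.src_ports) and in_ranges(dport, self.dst_ports))

# Rows transcribed from this document's table "Connections Between
# Off-premises Endpoints and the Expressway-E" (Figure 7).
EXPRESSWAY_E_RULES = [
    Rule("UDS", "Off-premises endpoint", "1024-65535", "TLS", "Expressway-E Public IP", "8443"),
    Rule("SIP signaling", "Off-premises endpoint", "1024-65535", "TLS", "Expressway-E Public IP", "5061"),
    Rule("RTP/RTCP media", "Off-premises endpoint", "1024-65535", "UDP", "Expressway-E Public IP", "36000-59999"),
    Rule("RTP/RTCP media", "Expressway-E Public IP", "36000-59999", "UDP", "Off-premises endpoint", "1024-65535"),
    Rule("XMPP (IM and Presence)", "Off-premises endpoint", "1024-65535", "TCP", "Expressway-E Public IP", "5222"),
    Rule("TURN control", "Any IP address", ">=1024", "UDP", "Expressway-E Public IP", "3478-3483"),
    Rule("TURN media", "Any IP address", ">=1024", "UDP", "Expressway-E Public IP", "24000-29999"),
]

def matching_rules(rules: Iterable[Rule], src, sport, proto, dst, dport) -> List[str]:
    """Purposes of every row that explains the flow; an empty list means
    the flow is outside the MRA matrix and the firewall should drop it."""
    return [r.purpose for r in rules if r.permits(src, sport, proto, dst, dport)]
```

Note that a TCP connection to port 8443 from a source port below 1024 is not covered by any row, so a rule written as "any source port" would be wider than the matrix.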

Purpose | Src. IP | Src. Ports | Protocol | Dest. IP | Dest. Ports
SSH tunnels | Expressway-C Private IP | 30000-35999 | TLS | Expressway-E | 2222
SIP signaling | Expressway-C Private IP | 25000-29999 | TLS | Expressway-E | 7001
SIP media | Expressway-C Private IP | 36000-59999 | UDP | Expressway-E | 2776/7 or 36000-11
XMPP (IM and Presence) | Expressway-C Private IP | 30000-35999 | TCP | Expressway-E | 7400
TURN control | Expressway-C | >=1024 | UDP & TCP | Expressway-E | 3478-3483

8. Figure - Connection Between Expressway-C and Expressway-E


Purpose | Src. IP | Src. Ports | Protocol | Dest. IP | Dest. Port
SIP signaling (TCP) | Expressway-C | 25000-29999 | TCP | Unified CM | 5060
SIP signaling (TCP) | Unified CM | Ephemeral | TCP | Expressway-C | 5060
SIP signaling (TLS) | Expressway-C | 25000-29999 | TLS | Unified CM | 5061
SIP signaling (TLS) | Unified CM | Ephemeral | TLS | Expressway-C | 5061
SIP signaling (OAuth) | Expressway-C | 25000-29999 | TLS | Unified CM | 5091
SIP signaling (OAuth) | Unified CM | 5091 | TLS | Expressway-C | 5061
HTTP configuration file download (TFTP) (pre 11.x Jabber and pre 11.x Unified CM) | Expressway-C | 30000-35999 | TCP | Unified CM | 6970
HTTPS headset configuration file download (TFTP) | Expressway-C | 30000-35999 | TLS | Unified CM | 6971
HTTPS configuration file download (TFTP) (pre 11.x Jabber and pre 11.x Unified CM) | Expressway-C | 30000-35999 | TLS | Unified CM | 6972
HTTP for UDS (User Data Services) and AXL (Administrative XML Layer) | Expressway-C | 30000-35999 | TLS | Unified CM | 443 or 8443
XMPP (IM and Presence) | Expressway-C | 30000-35999 | TLS | IM and Presence Service node | 7400
HTTPS SOAP (IM and Presence) | Expressway-C | 30000-35999 | TLS | IM and Presence Service node | 8443
File transfer (IM and Presence) | Expressway-C | 30000-35999 | TLS | IM and Presence Service node | 7336
HTTPS to visual voicemail* | Expressway-C | 30000-35999 | TLS | Cisco Unity Connection | 443 or 8443
MWI (Message Waiting Indicator)* | Expressway-C | 30000-35999 | TCP | Cisco Unity Connection | 7080
MWI (Message Waiting Indicator)* | Expressway-C | 30000-35999 | TLS | Cisco Unity Connection | 7443
HTTP for metrics POST (Headset Management)* | Expressway-C | 30000-35999 | TCP | Cisco Unity Connection | 9444
Audio/video media (RTP/RTCP)* | Expressway-C | 36000-59999 | UDP | Cisco Unity Connection | 16384-32767

9. Figure - Connection Between Expressway-C and On-premises

* The mentioned function is not currently in use in MOL's environment. Cisco Unity Connection provides the voicemail functionality, which is not deployed. However, if the voicemail service is activated in the future, this traffic also has to be allowed.

6 APPENDIX
The detailed documentation and deployment guide for MRA provided by the vendor are available at the following URL:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X14-0/mra/exwy_b_mra-deployment-guide-14/exwy_m_mra-overview-and-planning.html

The detailed port usage guide for MRA provided by the vendor:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X14-0/ip_port_usage/exwy_b_ip-port-usage-configuration-guide-14.html
