ZeroTrust MRA Plan
MOL
DOCUMENT DATASHEET
Title: Mobile and remote access
Version: 1.0
Status: Draft
Company: MOL
Reviewed by:
Manager: [Supervisor]
VERSION HISTORY
Version no. Change date Change type Changed by
© Contents of this document may only be studied by persons properly authorized by MOL. The contents of this document, or any
information that, if disclosed, would have an adverse effect on, or would cause the negative judgement of, or would violate or jeopardize
the business interests of Kontron Hungary Ltd. / Kontron Operations Hungary Ltd. or any other entity in connection with it, must be
handled as trade secret and must not be disclosed to unauthorized persons. Selling, copying or using this document as a whole or in
part, or any other way of commanding this document can only be done with an explicit advance written permit from Kontron Hungary
Ltd. / Kontron Operations Hungary Ltd. Names and trademarks, as well as related products mentioned in this document are registered
trademarks of the manufacturing/distributing companies, and are protected by law. The contents of this document must be held as
trade secrets by MOL or the person authorized by them indefinitely.
Name: Name:
Title: Title:
Company: Company:
Signature: Signature:
Date: Date:
Table of Contents
1 Preamble
1.1 Purpose and scope of the document
1.2 Audience
2 Current system
2.1 Current system access via VPN
2.2 Current services
2.3 New system access via Mobile and Remote Access (MRA)
2.4 Connections of new system
2.5 Protocol Summary
2.6 Enable call recording over MRA
2.7 Enable the agent device selection
3 Topology at MOL
4 Mandatory DNS and SRV records
4.1 External records
4.2 Internal records
5 Mobile and Remote Access port usage
5.1 Overview of an MRA connection in general
5.2 MRA port reference
6 Appendix
1 PREAMBLE
1.1 Purpose and scope of the document
The purpose of this document is to give a basic picture of the MRA technology and to describe the implementation of the solution in detail as specified for MOL's environment. The document discusses the topology of the solution and its key components. It also describes the required DNS and SRV record configuration and summarizes the ports and protocols used between the different components of the system.
1.2 Audience
The audience of this document is the system engineers and security team members of MOL.
2 CURRENT SYSTEM
2.1 Current system access via VPN
The following diagram gives a basic overview of the current system elements when a remote worker accesses the IP telephony system functions.
1. Figure - Topology of the current system from a remote worker's perspective via VPN
2.3 New system access via Mobile and Remote Access (MRA)
The Cisco AnyConnect VPN solution will be replaced by the Zscaler Zero Trust solution, which changes how remote users access the corporate network. Because Zscaler does not trust server-to-client network traffic, during testing the remote workers had issues with the audio streams and experienced one-way audio. To resolve this issue, remote users can connect to the IP telephony system via the VPN-less MRA (Mobile and Remote Access) solution provided by Cisco. The following figure shows the basic topology of the solution.
2. Figure - Topology of the system from a remote worker's perspective via MRA
In this new setup the remote workers reach the corporate IP telephony resources via the Cisco Expressway servers. These servers are already an active part of the topology: they provide access for Business-to-Business video calls from the Cisco video conference endpoints and also provide the MRA function for a limited number of users working from remote locations.
Cisco Unified Communications Mobile and Remote Access is a core part of the Cisco Collaboration Edge
Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning,
messaging, and presence services provided by Cisco Unified Communications Manager (Unified CM) when the
endpoint is not within the enterprise network. The Expressway provides secure firewall traversal and line-side
support for Unified CM registrations.
3 TOPOLOGY AT MOL
The following table is an overview of the solution in the MOL’s network environment.
When an end user tries to connect to MOL's telephony system, the Jabber client queries the following SRV records in order during the login process:
1. _cisco-uds._tcp.mol.hu
2. _cuplogin._tcp.mol.hu
3. _collab-edge._tls.mol.hu
If the Jabber client is not able to resolve the first two SRV records, the user is outside of the corporate network. The client then tries to resolve the third SRV record and connect through it.
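The discovery sequence described above, as an added example in Python (not MOL's or Cisco's code): the three SRV names are queried in the order given, the first name that resolves decides whether the client registers internally or through the Expressway edge, and a small check lists which internal-only names a given resolver answers. The hostnames, ports and zone contents are constructed placeholders, and the resolver is injected so the code runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


Resolver = Callable[[str], List[SrvRecord]]

# Query order used by the Jabber client during login, as the document lists it.
DISCOVERY_ORDER = (
    ("_cisco-uds._tcp", "internal"),   # Unified CM UDS: only resolvable inside MOL
    ("_cuplogin._tcp", "internal"),    # IM and Presence login: only inside MOL
    ("_collab-edge._tls", "edge"),     # Expressway-E: MRA path from outside
)


def pick_target(records: List[SrvRecord]) -> SrvRecord:
    """Deterministic RFC 2782 choice: lowest priority, then highest weight."""
    return min(records, key=lambda r: (r.priority, -r.weight, r.target))


def discover(domain: str, resolve: Resolver) -> Optional[Tuple[str, str, SrvRecord]]:
    """Walk the names in order; the first one that resolves fixes the mode."""
    for prefix, mode in DISCOVERY_ORDER:
        name = f"{prefix}.{domain}"
        records = resolve(name)
        if records:
            return mode, name, pick_target(records)
    return None  # no SRV record at all: login cannot proceed


def internal_names_visible(domain: str, resolve: Resolver) -> List[str]:
    """Configuration check: internal-only names that this resolver answers."""
    return [f"{p}.{domain}" for p, mode in DISCOVERY_ORDER
            if mode == "internal" and resolve(f"{p}.{domain}")]


def zone_resolver(zone: Dict[str, List[SrvRecord]]) -> Resolver:
    """Offline stand-in for a DNS resolver backed by a constructed zone."""
    return lambda name: zone.get(name, [])


# Constructed zones (placeholder hostnames). Public DNS answers only the edge record;
# the internal view adds the two records that mark a client as being on the corporate network.
PUBLIC_ZONE = {"_collab-edge._tls.mol.hu": [SrvRecord(10, 20, 8443, "expe1.example.invalid"),
                                            SrvRecord(10, 10, 8443, "expe2.example.invalid")]}
INTERNAL_ZONE = dict(PUBLIC_ZONE,
                     **{"_cisco-uds._tcp.mol.hu": [SrvRecord(10, 10, 8443, "cucm1.example.invalid")],
                        "_cuplogin._tcp.mol.hu": [SrvRecord(10, 10, 8443, "imp1.example.invalid")]})
```

Running `discover("mol.hu", zone_resolver(PUBLIC_ZONE))` models a client on the internet, while the `INTERNAL_ZONE` variant models the same client inside MOL's network.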
Purpose | Source | Source ports | Protocol | Destination | Destination ports
MWI (Message Waiting Indicator)* | Expressway-C | 30000-35999 | TLS | Cisco Unity Connection | 7443
HTTP for metrics POST (Headset Management)* | Expressway-C | 30000-35999 | TCP | Cisco Unity Connection | 9444
Audio Video Media (RTP/RTCP)* | Expressway-C | 36000-35999 | UDP | Cisco Unity Connection | 16384-32767
9. Figure - Connection Between Expressway-C and On-premises
*The mentioned function is not currently in use in MOL's environment. Cisco Unity Connection provides voicemail functionality, which is not deployed. However, if the voicemail service is activated in the future, this traffic also has to be allowed.
6 APPENDIX
The detailed documentation and deployment guide for MRA provided by the vendor is available at the following URL:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X14-0/mra/exwy_b_mra-deployment-guide-14/exwy_m_mra-overview-and-planning.html
The detailed port usage guide for MRA provided by the vendor:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X14-0/ip_port_usage/exwy_b_ip-port-usage-configuration-guide-14.html