User Community Feedback

Submitted ideas will be evaluated by our product teams for upcoming releases and will be responded to so you know where things stand. For product support, please use the community forums or contact TAC.

NOTE: All Cisco employees & Channel Partners must enter Ideas through this Ideas Portal.

Fully Support Communications Manager Clusters Defined by IP Address without Displaying Certificate Warnings

Communications Manager, per the SRND, full supports clusters defined by IP address OR FQDN.

In environments where the server objects are defined by IP address, Jabber displays a certificate validation warning to the end user as the IP address of the server object that it connects to does not match the FQDN defined in the certificate.

The only supported way to correct this is to re-define the server objects in Communications Manager such that they reference the FQDN of the servers. Defining the server objects as FQDN adds a dependency on DNS for the entire phone system, which is undesirable in many environments.

Jabber and/or Communications Manager needs to add additional logic and/or facilities to gracefully handle this situation.

  • Giant Junk
  • Sep 9 2020
  • Not likely to implement
  • Giant Junk commented
    26 Aug, 2021 05:53pm

    I considered adding the IP addresses of the servers to the certificates; however in order to make that work the IPs must be public addresses. Our Communications Managers servers all have private addresses.

    You used to be able to get private addresses added to publicly trusted certificates, but they stopped doing that a while ago.

    I also considered using an internal CA, which we could add private IP addresses to; however we lacked the existing infrastructure to support that.

    I also considered using public addresses and mapping them to private addresses; however doing so does not work as Jabber will discover the configured private addresses, connect to them, then pop the certificate warning.

    In the end I ended up inserting a proxy in-between the UDS service and the Jabber clients and fiddling with the messaging.

    IMHO Cisco really needs to fix this, it's brain damaged in the current implementation. I'm surprised others have not had this same issue.

  • Michael Heimann commented
    9 Sep, 2020 11:29pm

    You can add the IPs to the certificates of the Servers - it's just very uncommon.
    Last time I checked Internet Explorer didn't understand IP type entries in certificates.
    First Link I could find to that: https://www.redelijkheid.com/blog/2011/6/8/microsoft-internet-explorer-and-ip-addresses-in-certificate.html