Check Point Harmony Connect VPN and Cisco Jabber with DNS

If you’re using Check Point Harmony Connect, which is based on WireGuard, or any VPN for that matter, you may not want Cisco Jabber connecting through the tunnel. Check Point shared that SIP is known not to work through Harmony Connect.

There is plenty of documentation from Cisco regarding how the Jabber client determines whether it is running externally or internally.

  1. Jabber does a DNS query for the SRV record _cisco-uds._tcp.domainname.com
  2. If that record isn’t found, it will do another DNS query for the SRV record _cuplogin._tcp.domainname.com
  3. If that record isn’t found, it will do another DNS query for the SRV record _collab-edge._tls.domainname.com

By knowing the records and their sequence, we can configure Check Point Harmony and the DNS server to resolve the correct address so the client accesses it externally. These instructions assume you have Cisco Expressway Mobile Remote Access (MRA) set up and working and the appropriate DNS records in place externally.

Configuration – Harmony Connect

  1. In the Check Point Harmony Connect portal, under Settings > Harmony Connect App add the FQDN of your expressway to the bypass destinations (Ex. exp-e.domainname.com).
  2. Under Settings > Corporate DNS Servers add an external DNS server such as Google (8.8.8.8) or Cloudflare (1.1.1.1)
  3. In the Resolve the following domains section, record your settings and then remove them. The Harmony Connect client processes the domain resolution from top to bottom.
  4. Add the FQDN of your external expressway server and choose the external DNS server you added in Step 2. (Ex. exp-e.domainname.com)
  5. Now add the domain names you removed previously in Step 3. (Note: this tells the Harmony Connect client that when it needs to resolve the Expressway external address, it uses public DNS instead of your internal DNS.)

Configuration – Windows DNS Server

You should have at least one Check Point Harmony connector running in Docker within your data center. Obtain the IP address of the docker container/host as this is where the DNS queries are being generated from, not from the client itself.

  1. Open Powershell on the DNS server and run the following commands
  2. Add-DnsServerClientSubnet -Name CheckPointHarmony -IPv4Subnet x.x.x.x/32 (Note: adjust the subnet or mask to only capture the IP of the Docker container(s). It is fine if the Docker container is running on a subnet with other servers.)
  3. Add-DnsServerQueryResolutionPolicy -Name "DirectCiscoJabberExternal" -Action IGNORE -ClientSubnet "EQ,CheckPointHarmony" -Fqdn "EQ,_cisco-uds._tcp.domainname.com" -QType "EQ,SRV" (Note: this blocks the first SRV DNS query from the "subnet" we just created in Step 2)
  4. Add-DnsServerQueryResolutionPolicy -Name "DirectCiscoJabberExternal2" -Action IGNORE -ClientSubnet "EQ,CheckPointHarmony" -Fqdn "EQ,_cuplogin._tcp.domainname.com" -QType "EQ,SRV" (Note: this blocks the second SRV DNS query from the "subnet" we just created in Step 2)
  5. Repeat these on any other internal DNS servers you have configured for Harmony Connect.
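The steps above as one idempotent script, with two checks that confirm the IGNORE policies are scoped only to the connector subnet. This is an added example, not from the original post; the connector IPs, the domain and the policy names are placeholders to replace with your own.

```powershell
# Added example (not the original post's code): applies the client subnet and the two
# IGNORE policies from the steps above, then verifies their scope.
# Assumptions: run as administrator on each Windows DNS server that Harmony Connect
# uses; $ConnectorIPs and $Domain are placeholders for your own values.
param(
    [string[]]$ConnectorIPs = @('192.0.2.10', '192.0.2.11'),   # placeholder Docker host/container IPs
    [string]$Domain         = 'domainname.com',                 # placeholder, as used in the post
    [string]$SubnetName     = 'CheckPointHarmony'
)

# One /32 per connector keeps the subnet tight (the post's note: capture only the Docker IPs).
$subnets = $ConnectorIPs | ForEach-Object { "$_/32" }
if (-not (Get-DnsServerClientSubnet -Name $SubnetName -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $subnets
}

# The two SRV names Jabber tries first. Ignoring them for the connector subnet makes
# the client fall through to _collab-edge._tls on public DNS (Expressway MRA).
$policies = @{
    'DirectCiscoJabberExternal'  = "_cisco-uds._tcp.$Domain"
    'DirectCiscoJabberExternal2' = "_cuplogin._tcp.$Domain"
}
foreach ($name in $policies.Keys) {
    if (-not (Get-DnsServerQueryResolutionPolicy -Name $name -ErrorAction SilentlyContinue)) {
        Add-DnsServerQueryResolutionPolicy -Name $name -Action IGNORE `
            -ClientSubnet "EQ,$SubnetName" -Fqdn "EQ,$($policies[$name])" -QType 'EQ,SRV'
    }
}

# Check 1: both policies exist, are enabled and carry the expected processing order.
Get-DnsServerQueryResolutionPolicy |
    Where-Object Name -like 'DirectCiscoJabberExternal*' |
    Format-Table Name, Action, IsEnabled, ProcessingOrder -AutoSize

# Check 2: queried from the DNS server itself (an address outside the subnet) the SRV
# record must still resolve, proving the IGNORE action only affects the connector IPs.
# Running the same query from the connector host should time out instead.
Resolve-DnsName -Name "_cisco-uds._tcp.$Domain" -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue |
    Format-Table Name, NameTarget, Port, Priority -AutoSize
```

IGNORE drops the query without a response, so the Jabber client on the connector path sees a timeout for the first two lookups rather than an NXDOMAIN, and then proceeds to the _collab-edge._tls lookup.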

Now if you suspend your Harmony Connect client, reactivate it and exit/restart Cisco Jabber, everything should work as intended. Keep in mind, that if you have _collab-edge._tls.domainname.com configured on your internal DNS server, that should not be there and is only meant for external DNS resolution.
