CST Jabber 11 0 Lab Guide PDF
For additional information about Cisco Jabber Voice and Unified Communications, visit the product solution page.
This lab is intended to give the participant hands-on configuration experience with all of the architecture components required to
deploy Cisco Jabber for Collaboration System Release 11. The content in this lab is focused on recently added features and
functional additions to the Cisco Jabber Client product. The exercises in this lab will take the student through the process of initial
provisioning and configuration of the core solution components and then extend to configuration of advanced feature deployment.
NOTE: Participants should have a high degree of familiarity with the software, tools and methods used to deploy, configure and
maintain Cisco Collaboration technologies.
• End to End Quick Start Jabber Deployment: Students will configure the integration and deployment from the ground up
including the configuration and/or installation of the following components:
o Persistent Chat
© 2015 Cisco and/or its affiliates. All rights reserved. This document is intended for Cisco Partner Training. Page 1 of 257
Cisco dCloud
Lab Workflow
End-to-End Quick Start Deployment
The lab begins with a series of exercises, which guide the participant through the required activities and workflow to establish and
test a Cisco Jabber on-premise deployment. Test activities include configuration and verification of basic functionality while
emphasizing some recent feature additions and deployment methodologies.
These activities are mandatory, as the result will form the baseline system required to progress to the advanced feature modules.
The remainder of this lab is divided into Modules, each devoted to a particular advanced deployment topic. Participants are
encouraged to complete all of the modules in sequential order. However, the time limit for this lab is 4 Hours. Students wishing to
devote particular time or emphasis to one or more of the feature modules may wish to be selective in the interest of completing
desired modules within the time allotted.
NOTE: Modules are optional and may be completed independently except where listed as a dependency for another target
Module. The only module with pre-requisite dependencies is Module 3(b), which requires Modules 2 and 3a to be completed in
order to test solution functionality.
Lab Requirements
The table below outlines the requirements for this preconfigured lab activity.
Required Optional
Lab Configuration
This lab contains preconfigured users and components to illustrate the scripted scenarios and features of this solution. All
information needed to access the demonstration components is in the Topology and Servers menus of your active session.
• Topology Menu. Click on any server in the topology and a popup window will appear with available server options.
• Servers Menu. Click on or next to any server name to display the available server options and credentials.
| Name | Username | Password | Client | Phone | Email |
| --- | --- | --- | --- | --- | --- |
| Anita Perez | aperez | C1sco12345 | Cisco Jabber for Windows | +1212 555 6017 | aperez@alpha.com |
Lab Topology
This demonstration includes several server virtual machines. Most of the servers are fully configurable using the administrative
level account. Administrative account details are included in the script steps where relevant and in the server details table.
| Name | Description | FQDN | IP Address | Username | Password |
| --- | --- | --- | --- | --- | --- |
| UCM1 | Communications Manager 11.0 (Call Control) | cucm1.dcloud.cisco.com | 198.18.133.3 | administrator | dCloud123! |
| IMP1 | IM & Presence 11.0 (Presence and Chat) | cup1.dcloud.cisco.com | 198.18.133.4 | administrator | dCloud123! |
NOTE: Two passwords are used throughout this lab. Password1 (dCloud123!) is used across all Cisco Collaboration components
and linux hosts. Password2 (C1sco12345) is used for all Microsoft Active Directory accounts including administrative, service, and
demonstration user accounts. This applies to both Platform and Administrative user accounts within Cisco Collaboration
Applications.
Lab Pre-Configuration
In order to save time, certain elements of this lab have been pre-configured in advance to provide a baseline starting point. Please
review this section before proceeding to the first configuration activity.
Jabber-Config.xml
The vast majority of service and client configuration for Cisco Jabber is provisioned using the service profiles (created earlier);
however, to enable certain non-default behaviors on the Jabber client, a configuration file in XML format named Jabber-Config.xml
must be used.
To save time and avoid the introduction of errors to the lab environment a series of Jabber-Config.xml files have been staged on
both wkst1.dcloud.cisco.com, wkst2.dcloud.cisco.com, and ad1.dcloud.cisco.com. During the lab, when a new series of
client configuration parameters are required, you will browse to and upload the required file.
Dial Plan
Table 1. Partitions
Partition Description
PostgreSQL
PostgreSQL server 9.4 (with dependencies) was installed using the YUM package installer on centos.dcloud.cisco.com running
CentOS7. The database and services have been initialized using default values and the following parameters have been
configured:
• Connections permitted from 198.18.133.0/24 (IP subnet for Collaboration Applications in the lab)
• Operating system configuration to permit incoming connections on TCP 5432 has been performed for you.
Details of the steps taken to create the baseline environment can be found in Appendix A.
Microsoft™ AD FS 2.0 (3) has been installed on ad1.dcloud.cisco.com. The Basic AD FS 2.0 setup wizard has been run to
enable ADFS features. These operations are documented in Appendix B.
Follow the steps below to schedule your demonstration and configure your demonstration environment.
1. Browse to dcloud.cisco.com, choose the location closest to you, and then login with your Cisco.com credentials.
3. Test your bandwidth from the demonstration location before performing any demonstration scenario. [Show Me How]
4. Verify your demonstration is Active under My Demonstrations on the My Dashboard page in the Cisco dCloud UI.
5. If you are not connected to the lab from behind a router, on your laptop, use Cisco AnyConnect paired with the session
credentials from the UI to connect to the lab. [Show Me How]
6. From your laptop, access the demonstration workstation named wkst1 located at 198.18.133.36 and login using the following
credentials: Username: dcloud\cholland, Password: C1sco12345.
• Recommended method: Use Cisco AnyConnect [Show Me How] and the local RDP client on your laptop. [Show Me
How]
• Alternate method: Use the Cisco dCloud Remote Desktop client with HTML5. [Show Me How]
Lab Orientation
NOTE: Read and Complete the Activities in this section before proceeding. Connections to lab hosts require an active
connection to the assigned Lab Pod through either a supported VPN connected router or the Cisco AnyConnect VPN Client.
The student will be using a series of Remote Desktop Protocol (RDP) sessions to Microsoft Windows workstations and servers in
order to complete the following:
In this activity, the student will configure and connect the RDP sessions required and referenced throughout the lab.
NOTE: Connections to lab hosts require an active connection to the assigned Lab Pod through either a router connected to dCloud
or the Cisco AnyConnect VPN Client.
The table below identifies the hosts, use cases, and credentials required when connecting.
| Name | Description | FQDN | IP Address | Username | Password |
| --- | --- | --- | --- | --- | --- |
| AD1 | Active Directory, Internal DNS, ADFS2.0 | ad1.dcloud.cisco.com | 198.18.133.1 | dcloud\administrator | C1sco12345 |
| AD2 | External DNS server, Photo Server | ad2.dcloud.cisco.com | 198.18.2.11 | dcloud\administrator | C1sco12345 |
Throughout this guide, steps will instruct the student to Open or Switch to the RDP session connected to one of the hosts
referenced above. These statements always reference the FQDN of the host accompanied at times by contextual information. All
FQDNs should be resolvable directly from the student workstation (while connected to Lab Pod via VPN - required), however IP
addresses may be used as well.
o Use Cases: Workstation 1 is the primary anchor point for configuration activities in addition to hosting the Jabber
client for lab user Charles Holland.
o Use Cases: Workstation 2 is assigned to Lab User Anita Perez. Workstation 2 is used only for demonstration
and testing of features. Workstation 2 will be moved to an external network during the Collaboration Edge
module for testing Mobile and Remote Access.
• ad1.dcloud.cisco.com (AD1):
o Use Cases: AD1 hosts the majority of internal services. This server will be used for interactions with Microsoft
Active Directory, Internal DNS, Active Directory Federation Services.
• ad2.dcloud.cisco.com (AD2):
o Use Cases: AD2 is used to add the DNS SRV records required to configure and demonstrate the Collaboration
Edge Solution.
NOTE: These Steps will be repeated for each host specified, until an active connection has been created for each.
1. Click Start > All Programs > Accessories > Remote Desktop Connection.
2. Click Options.
6. Click OK.
9. Click the General tab and fill in the Computer and Username fields based on the table below, according to the host to which
you are connecting:
11. (Optional) Click Save and use the Save As file dialog to name and save the session definition to your computer.
13. When Prompted enter the Password: C1sco12345 and click Remember my credentials.
16. Repeat Steps 1-15 for each Host listed in the table above.
Activity Complete
This activity is complete when the student has four active RDP sessions to the hosts listed in the table above.
Activity Objectives
In this activity, you will connect to server AD1, verify the configuration of Microsoft Active Directory as it relates to our Lab topology,
and perform prerequisite DNS configuration to support service discovery.
• Explore the dCloud Organizational Unit containing all users pertinent to the topology
o Identify Email domains in use and discuss relation to format of the Jabber ID (JID) and multi-domain support
o Review and Add Distribution Groups to leverage the new Enterprise Groups feature.
• Provision service location (SRV) records in DNS to allow for service discovery.
2. From the Task Bar, click the Active Directory Users and Computers icon.
3. Click the dCloud Organizational Unit (OU) from the Menu Tree on the left. This OU contains all of the users and distribution
groups that will be addressed throughout the exercises in this lab guide.
4. Users have been pre-configured and assigned to this OU and will serve as the contact source and user base for lab exercises.
5. Review the list of users displayed. Observe that there are three distinct email address domains in use:
• uk.dcloud.cisco.com
• alpha.com
6. Notice that demonstration user Charles Holland is assigned email address (cholland@dcloud.cisco.com) while Anita Perez
is assigned (aperez@alpha.com). This distinction serves to simulate an environment wherein multiple domain name spaces
are present.
Two Distribution Groups, Engineering and Marketing were created in advance. We will be using Distribution Groups in tandem
with the new Enterprise Groups Feature in Jabber 11. This allows automatic synchronization of administrator-defined distribution
groups through an LDAP agreement in Cisco Unified Communications Manager.
7. Double-click the Engineering distribution group to open the properties dialog. Notice that the group type is set to
Distribution. Only Distribution Groups are eligible for synchronization with Unified Communications Manager.
8. Click the Members tab. Notice that all of the users in the Engineering department are members of this distribution group.
Figure 9. Members
10. The Marketing distribution group has been similarly configured with membership populated with users assigned to the
Marketing department. Optional: You may open and validate the configuration at this time. Otherwise, proceed to the next
step.
In this activity, we will create a new Active Directory distribution group to which we will assign members of the Sales team. This
Distribution Group and the others already present will be used later to demonstrate the new Enterprise Groups feature. We will
use two different techniques to add members in order to gain additional familiarity with the process.
4. Click OK.
5. Double-click the newly added Sales Distribution Group to open the Properties editor.
7. Click Add.
9. Click Check Names to search the Active Directory for a matching user with a display name beginning with Adam.
10. Notice that the Check Names search utility returned a user object for Adam McKenzie (amckenzie@dcloud.cisco.com).
13. The previous method is adequate when assigning group membership individually. Next you will add multiple users
simultaneously.
14. Note that the list of users in the dCloud OU is currently sorted using the Department Column. All of the members of the Sales
department are listed together at the bottom of the list.
16. Press and hold the Shift key and click on user Taylor Bard. Notice that we have excluded Adam McKenzie from the
selection as this user was added in the previous steps.
17. Right-click within the highlighted area and choose Add to a group from the menu.
18. In the Enter the object names to choose field enter the name Sales.
20. A message appears indicating that the Add to Group operation was successful. Click OK to continue.
22. Click the Members tab. Observe that all users in the Sales Department are members of the Sales Distribution Group.
Service discovery is the process by which Cisco Jabber does the following:
• Determines whether it is operating internal to or external to the corporate network, to influence client behavior
• Locates services within the corporate network, or through Expressway when operating externally.
Cisco Jabber clients query domain name servers (DNS) to retrieve service (SRV) records that provide the location of hosted
services on the network.
In this activity, you will provision the DNS service location records required to enable auto-discovery for Cisco Jabber while running
inside the internal enterprise network.
The Cisco Jabber client will query DNS for SRV records based on user domain in parallel. The highest priority record returned will
be used for services.
Priority Service HTTP Request/DNS SRV
1 WebEx Messenger HTTP CAS Lookup
7. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.
• Service: _cisco-uds
• Protocol: _tcp
• Priority: 0 (default)
• Weight: 0 (default)
NOTE: Since our environment contains multiple domains and we will be demonstrating the new Flexible JID and multi-domain
features we will create Service Location data for all DNS domains containing presence users. In a production environment, it is
likely that each domain would have dedicated infrastructure, such as AD, DNS, and Email. For the purpose of our lab, we are using
a collapsed topology, where only one service domain will be queried.
15. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.
• Service: _cisco-uds
• Protocol: _tcp
• Priority: 0 (default)
• Weight: 0 (default)
23. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.
• Service: _cisco-uds
• Protocol: _tcp
• Priority: 0 (default)
• Weight: 0 (default)
1. Connect and/or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36) to perform DNS verification.
6. SRV record data similar to the output shown below should be returned by DNS server ad1.dcloud.cisco.com.
7. A successful result returns both the FQDN of the host(s) offering the service as well as the resolved IP address(es)
associated with the host(s). You should see text similar to the graphic above (Red Text).
NOTE: If you see error text indicating a failure to lookup this or subsequent _cisco-uds SRV records, for example: Non-existent
domain, follow the instructions below.
• Confirm that the command entered is exactly as specified in the guide and retry.
• Confirm that the settings of the SRV record match the previous configuration steps.
If you are unable to resolve the issue, please notify a proctor. Do not continue until a successful validation result is returned.
9. SRV record data similar to the output shown below should be returned by DNS server ad1.dcloud.cisco.com.
This completes the addition and validation of Service Location Records required for internal Jabber functionality.
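The following is an added example, not part of the lab guide or a Cisco tool. It models how the Jabber client consumes the `_cisco-uds._tcp` records provisioned above: it derives the query name from the user's JID domain, looks it up in a constructed zone that stands in for ad1.dcloud.cisco.com (so it runs offline), selects a target by SRV priority and weight, and reports a missing record the way the "Non-existent domain" note describes. The UDS port (8443) and the zone's host names are assumptions; the record names and the three lab domains come from the guide.

```python
"""Offline model of Cisco Jabber internal service discovery over _cisco-uds SRV records.

Added example: the zone below is constructed to mimic what the lab provisions on
ad1.dcloud.cisco.com; port 8443 and the target host names are assumptions.
"""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed stand-in for DNS: one _cisco-uds record per presence domain, as the
# lab creates them (priority 0, weight 0). Target/port are assumed values.
FAKE_ZONE = {
    "_cisco-uds._tcp.dcloud.cisco.com": [SrvRecord(0, 0, 8443, "cucm1.dcloud.cisco.com")],
    "_cisco-uds._tcp.alpha.com": [SrvRecord(0, 0, 8443, "cucm1.dcloud.cisco.com")],
    "_cisco-uds._tcp.uk.dcloud.cisco.com": [SrvRecord(0, 0, 8443, "cucm1.dcloud.cisco.com")],
}

LAB_DOMAINS = ["dcloud.cisco.com", "alpha.com", "uk.dcloud.cisco.com"]


def srv_name(domain, service="_cisco-uds", proto="_tcp"):
    """Build the SRV owner name Jabber queries for a given user domain."""
    return f"{service}.{proto}.{domain.strip('.').lower()}"


def jid_domain(jid):
    """Domain part of a Jabber ID such as aperez@alpha.com."""
    if "@" not in jid:
        raise ValueError(f"not a JID: {jid!r}")
    return jid.rsplit("@", 1)[1].lower()


def query_srv(name, zone=FAKE_ZONE):
    """Return the SRV answer set, or None to mimic a 'Non-existent domain' response."""
    return zone.get(name.lower())


def choose_target(records, rng=None):
    """RFC 2782 selection: lowest priority wins; equal priorities are picked
    at random in proportion to weight (all-zero weights mean an even pick)."""
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.random() * total
    running = 0
    for r in candidates:
        running += r.weight
        if pick < running:
            return r
    return candidates[-1]


def discover_uds(jid, zone=FAKE_ZONE, rng=None):
    """Resolve the UDS endpoint for a JID, or explain why discovery failed."""
    name = srv_name(jid_domain(jid))
    records = query_srv(name, zone)
    if not records:
        return {"status": "Non-existent domain", "query": name}
    chosen = choose_target(records, rng)
    return {"status": "ok", "query": name, "host": chosen.target, "port": chosen.port}


def verify_domains(domains, zone=FAKE_ZONE):
    """Mirror the lab's validation step: list the SRV names that DNS does not answer."""
    return [srv_name(d) for d in domains if not query_srv(srv_name(d), zone)]


if __name__ == "__main__":
    print(discover_uds("aperez@alpha.com"))
    print("missing:", verify_domains(LAB_DOMAINS + ["example.org"]))
```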
With preparation for deployment complete, Activity 2 systematically addresses the requirements and methods needed to
implement the Unified IM and Presence solution with provisioned End Users, Services, and Devices.
Activity Objectives
The following are the objectives for this activity:
• Identify and confirm the status of services required for the operation of Cisco Unified Communications Manager and IM
and Presence Service as they relate to features implemented in the lab
• Identify and perform the activities required to integrate Cisco Unified CM and IM and Presence
• Define UC Services and a Service Profile in order to assign presence capabilities to Cisco Jabber users
• Implement LDAP Directory Synchronization and Authentication with Microsoft Active Directory to import Users and
Groups
• Use template based automation tools to quickly and accurately provision End Users, Directory Numbers, and Devices
through the LDAP user import process
• Configure Cisco Unified CM and Unified IM and Presence for the Flexible JID Address Scheme with Multi-Domain
support
• Interact with the Cisco Jabber client configuration file (jabber-config.xml) to enable non-default behaviors in Cisco Jabber
2. Launch Internet Explorer by double clicking on the desktop shortcut or clicking the Internet Explorer icon in the task bar.
3. From the Cisco dCloud Homepage hover over Collaboration Admin Links and choose Cisco Unified Communications
Manager to connect to ucm1.dcloud.cisco.com. Optionally you may manually type https://ucm1.dcloud.cisco.com in the
address bar.
NOTE: As part of this lab, we will be performing Certificate Management in Unified Communications Manager and IM&P in an
upcoming exercise. Until a Certificate signed by a trusted Certification Authority is installed, we will continue to receive these
errors. Please acknowledge and proceed using the Continue to this website option.
5. From the Installed Applications list, click Cisco Unified Communications Manager.
6. From the Navigation menu in the upper-right corner of the Administration Webpage, choose Cisco Unified Serviceability.
7. Click Go.
11. From the Menu choose Tools > Control Center – Feature Services.
12. From the Choose Server drop down list, choose ucm1.dcloud.cisco.com.
14. Review the Control Center page to confirm that the services listed below are Activated and in a Running state:
o Cisco DirSync
o Cisco CallManager
o Cisco CTIManager
o Cisco Tftp
2. Click Go.
3. Review the Control Center page to confirm that the services listed below are Activated and in a Running state:
1. Connect and/or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36) if not already in focus.
2. From the currently open Internet Explorer window connected to ucm1.dcloud.cisco.com, use the Navigation menu to
choose Cisco Unified CM Administration.
3. If the previous logon session has expired you may need to login. (Username: administrator, Password: dCloud123!)
Otherwise, proceed to the next step.
4. From the menu navigate to System > Security > SIP Trunk Security Profile.
5. Click Find to display the list of configured SIP Trunk Security Profiles.
6. Click Non Secure SIP Trunk Profile to open the configuration page.
9. Click Save.
11. From the Find and List Trunks page, click Add New.
12. Set the Trunk Type value to SIP Trunk from the drop down menu.
14. Set the Following Values under the Device Configuration section.
15. Scroll down to the section labeled SIP Information and set the following values:
We will now identify the SIP Trunk just created as the device used to send line presence information to the IM & Presence server.
21. From the main menu, navigate to System > Service Parameters.
23. Choose Cisco CallManager from the Service drop down menu.
You may expedite this process by typing Ctrl-F with the browser window in focus. This will open a search window, into which you
may type IM and Presence to jump directly to the parameter.
25. Continue until you locate the IM and Presence Publish Trunk parameter.
Configure UC Services
1. From the main menu navigate to User Management > User Settings > UC Service.
4. Click Next.
• Name: IMP-Service
6. Click Save.
9. Click Next.
• Name: CTI-Service
• Name: Voicemail-Service
• Port: 443
• Protocol: HTTP
17. From the Related Links menu in the upper-right of the webpage, choose Back to Find/List.
20. Observe that all three services are created and match the image below.
NOTE: We have omitted the manual configuration of a Directory Service. Feature enhancements to the Jabber Client portfolio
have made it possible to leverage the Service Discovery capabilities of Jabber to automatically detect an accessible LDAP
directory. Automatic discovery using SRV is the preferred method where possible.
21. From the main menu choose User Management > User Settings > Service Profile.
• Name: CST-Service-Profile
• Make this the default service profile for the system: Checked
• Primary: Voicemail-Service
• Primary: None
• Primary: IMP-Service
• Primary: CTI-Service
We will explore the new Flexible Jabber ID and Multi-Domain support features as part of our directory synchronization exercise.
Significant advancements in End-User provisioning have been part of Unified Communications Manager since the 10.x release.
We will be using Feature Group Templates to demonstrate how quickly items such as End Users, UC Service Assignment,
Group Membership, and even Directory Numbers can be added during the first LDAP synchronization. It is beyond the scope of
this lab to delve into the design mechanics of each feature but we will be interacting with these tools and using them to expedite
our provisioning process.
Service Activation
1. Recall that as part of our Service Activation and Status Verification activity we confirmed the status of Cisco DirSync to be
activated and running. Directory Synchronization depends on this service to function, and it must be activated prior to enabling
an LDAP Directory Synchronization agreement and/or LDAP Authentication.
Class of Control
In order to leverage component features such as URI Dialing and to maintain consistency with Cisco Dial-Plan best practices for a
centralized call control deployment, the following Partitions and Calling Search Spaces were created in advance. We will
reference these when configuring our Provisioning Templates.
Table 4. Partitions
Partition Description
In this section, we will interact with Universal Device, Universal Line, and Feature Group templates to create the foundation for
automatic provisioning.
1. Navigate to the Cisco Unified CM Administration web interface at https://ucm1.dcloud.cisco.com/ccmadmin. This should
already be open from the previous exercise.
2. Use the menu to navigate to User Management > User/Phone Add > Universal Device Template.
3. Click Find.
4. Click the Sample Device Template with TAG usage examples hyperlink to open.
6. Click the icon to the left of Device Routing title to expand the section.
7. Set the Calling Search Space to CST-CSS by choosing it from the drop-down menu.
8. Click Save.
9. From the main menu, choose User Management > User/Phone Add > Universal Line Template.
11. Click the Sample Line Template with TAG usage examples hyperlink to open.
14. From the main menu choose User Management > User/Phone Add > Feature Group Template.
19. From the main menu choose User Management > User Settings > User Profile.
21. Click the hyperlink for Standard (Factory Default) User Profile, to open the editor page.
3. Click Save.
NOTE: The user CollabLDAP has already been created as a standard user (no administrative roles) in the active directory for use
as a service account in LDAP Synchronization and Authentication in accordance with Cisco deployment best practice.
NOTICE: Our demonstration users are provisioned across three different domains in the format sAMAccountName@domain.com.
In the coming steps, we will ensure that this value will be used to populate the Jabber ID (JID).
12. In the Find Access Control Group where Name search field type: Standard.
14. From the Find and List Access Control Groups dialog, place a Check next to the following entries:
15. Click Add Selected , to close the dialog and return to the LDAP Directory configuration screen.
16. Set the value of Feature Group Template to CST Feature Group Template.
17. Check the box next to Apply mask to synced telephone numbers to create a new line for inserted users.
18. In the Mask field, enter XXXXXXXXXXXXX (The letter “X” in CAPS 13 times).
This mask is used because we have variable length E.164 telephone numbers with demonstration users in different countries. The
maximum length of any telephone number in our demonstration is 12-digits with a leading +. Thus the mask XXXXXXXXXXXXX
will accommodate any phone number string of 13 characters or less.
20. In the Host Name or IP Address for Server field, type: ad1.dcloud.cisco.com.
22. Do NOT attempt to perform a Directory synchronization at this time. We will be performing additional configuration to
complete IM and Presence integration, and to accommodate Multi-Domain support before importing users.
Cisco Unified Communications Manager release 10.5 and onward supports the creation of E.164 (with leading “+”) formatted
directory numbers via the Directory Synchronization process. Enhancements to the way in which the system applies the Mask field
now allow the Mask to represent the maximum length of any discovered Directory Number within the defined directory. When the
discovered telephone number is shorter than the mask, it is inserted “as is”.
23. From the main menu choose System > LDAP > LDAP Authentication.
24. In the LDAP Authentication for End Users section, enter the following values:
25. In the Host Name or IP Address for Server field, type: ad1.dcloud.cisco.com.
1. From the Unified Communications Manager Administration webpage, use the main menu to navigate to System > Enterprise
Parameters.
6. Click Save.
1. From the RDP session on wkst1.dcloud.cisco.com, launch Internet Explorer (if NOT already open) or click the New Tab
icon.
2. From the dCloud Homepage navigate to Collaboration Admin Links > Cisco Unified IM and Presence Service to connect
to imp1.dcloud.cisco.com. Optionally, you may manually type https://imp1.dcloud.cisco.com in the address bar.
4. From the Installed Applications list, click Cisco Unified IM and Presence.
7. Click Login.
By default, the Jabber ID (JID) is based on the Unified CM User ID, in the form uid@xmpp-domain. The flexible JID feature allows the
JID to be constructed based on the Directory URI field instead. The Directory URI may be administratively mapped from the following
LDAP synchronized data fields:
• msRTCSIP-PrimaryUserAddress
This allows organizations to map user JIDs that align with the corporate naming address scheme in use. For example, a user’s JID
(IM address) can be mapped to their E-Mail address using the mail parameter, effectively creating a single address for multi-modal
communications.
The graphic below demonstrates how this feature affects the demonstration users in the Lab.
Multi-Domain Support
Jabber IDs across multiple domains are now supported in a single Unified IM and Presence cluster. For example, an organization
may manage many email domains, but only a single IM and Presence cluster. The JIDs can be formed based on the different email
domains in this scenario, such as in our lab topology:
• dcloud.cisco.com
• alpha.com
• uk.dcloud.cisco.com
The Cisco Unified IM and Presence service will automatically learn the domains in the assigned topology from the @domain portion
of each JID (IM Address) it detects.
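The Go program below is an added example written for this guide; it is not Cisco code. It builds JIDs from constructed LDAP records under both the default uid@domain scheme and the flexible (Directory URI) scheme, validates that each Directory URI is a well-formed user@domain, and derives the list that the System Managed Domains view later shows after LDAP synchronization. The users cholland and aperez follow the guide; the user ajones is invented to represent the uk.dcloud.cisco.com domain, and the domain validation rule is an assumption of this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// LDAPUser carries the synchronized attributes that feed the Directory URI.
type LDAPUser struct {
	SAMAccountName             string
	Mail                       string
	MsRTCSIPPrimaryUserAddress string // Lync/Skype for Business address, often "sip:user@domain"
}

// domainRE accepts a lower-case DNS name with at least two labels (assumption).
var domainRE = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$`)

// DirectoryURI returns the value of the attribute the administrator mapped to
// the Directory URI field: "mail" or "msRTCSIP-PrimaryUserAddress".
func DirectoryURI(u LDAPUser, attr string) (string, error) {
	var v string
	switch attr {
	case "mail":
		v = u.Mail
	case "msRTCSIP-PrimaryUserAddress":
		v = strings.TrimPrefix(u.MsRTCSIPPrimaryUserAddress, "sip:")
	default:
		return "", fmt.Errorf("unsupported Directory URI attribute %q", attr)
	}
	v = strings.ToLower(strings.TrimSpace(v))
	if v == "" {
		return "", errors.New("mapped attribute is empty")
	}
	return v, nil
}

// JID builds the IM address. Scheme "uid" is the default uid@defaultDomain;
// scheme "uri" is the flexible JID taken from the Directory URI, which must be
// a well-formed user@domain because IM and Presence learns its domains from it.
func JID(u LDAPUser, scheme, attr, defaultDomain string) (string, error) {
	if scheme == "uid" {
		return strings.ToLower(u.SAMAccountName) + "@" + defaultDomain, nil
	}
	uri, err := DirectoryURI(u, attr)
	if err != nil {
		return "", fmt.Errorf("%s: %w", u.SAMAccountName, err)
	}
	at := strings.LastIndex(uri, "@")
	if at <= 0 || !domainRE.MatchString(uri[at+1:]) {
		return "", fmt.Errorf("%s: directory URI %q is not user@domain", u.SAMAccountName, uri)
	}
	return uri, nil
}

// LearnDomains reproduces what the System Managed Domains list shows: the
// part after "@" of every assigned JID, de-duplicated and sorted.
func LearnDomains(jids []string) []string {
	seen := map[string]bool{}
	for _, j := range jids {
		if at := strings.LastIndex(j, "@"); at > 0 {
			seen[j[at+1:]] = true
		}
	}
	out := make([]string, 0, len(seen))
	for d := range seen {
		out = append(out, d)
	}
	sort.Strings(out)
	return out
}

// SampleUsers is constructed for this example: cholland and aperez follow the
// guide; "ajones" is invented to stand for the uk.dcloud.cisco.com domain.
func SampleUsers() []LDAPUser {
	return []LDAPUser{
		{SAMAccountName: "cholland", Mail: "cholland@dcloud.cisco.com"},
		{SAMAccountName: "aperez", Mail: "aperez@alpha.com"},
		{SAMAccountName: "ajones", Mail: "ajones@uk.dcloud.cisco.com",
			MsRTCSIPPrimaryUserAddress: "sip:ajones@uk.dcloud.cisco.com"},
	}
}

func main() {
	var jids []string
	for _, u := range SampleUsers() {
		jid, err := JID(u, "uri", "mail", "dcloud.cisco.com")
		if err != nil {
			fmt.Println("skipped:", err)
			continue
		}
		jids = append(jids, jid)
		fmt.Println(u.SAMAccountName, "->", jid)
	}
	fmt.Println("System Managed Domains:", LearnDomains(jids))
}
```

A record whose mapped attribute is empty or malformed is reported rather than silently given a JID; on a real cluster such records are the ones to fix in Active Directory before synchronization, since an unexpected domain learned from a bad Directory URI ends up in the presence topology.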
1. From the menu choose Presence > Settings > Advanced Configuration.
2. This is the configuration screen where the IM Address scheme can be modified to support flexible JID and Multi-Domain
provisioning.
3. Observe that all configuration items are Grayed Out. A message indicating that certain services must be stopped in order to
continue is displayed.
1. From the active RDP session connected to wkst1.dcloud.cisco.com, launch the terminal application PuTTY by clicking on
the icon in the taskbar.
2. Under Saved Sessions, choose the entry imp1 and click Load.
3. Click the Open button to launch a secure shell connection to the IM and Presence node imp1.dcloud.cisco.com.
NOTE: In the next section, you will type a series of serviceability commands. In order to eliminate the possibility of typographic
errors and to save time, you may open a file with pre-configured text and copy and paste each command in place of typing. From
the Desktop of Wkst1 browse to CST-Jabber > Utilities and open the file: service-stop-start.txt. Copy commands one at a time
as instructed in the following steps. To paste into the PuTTY window, simply right click within the active terminal connection.
6. Type the following command: utils service stop Cisco Presence Engine
7. Press Enter.
9. Type the following command: utils service stop Cisco SIP Proxy
12. Type the following command: utils service stop Cisco XCP Router
15. Type the following command: utils service stop Cisco Sync Agent
18. Type the following command: utils service stop Cisco Client Profile Agent
With all of the required services stopped, we may now proceed to configure the IM Address scheme for Multi-Domain support.
2. If the session timer has expired, log in again with Username: administrator and Password: dCloud123!. Otherwise, proceed
to the next step.
3. From the menu choose Presence > Settings > Advanced Configuration.
6. Click Save.
NOTE: This message is a reminder that the specified modification is applied globally to all Users assigned to this IM and Presence
cluster. In this lab, we are dealing with only 29 total users supporting this feature, in a Net-New install. If this was an existing
installation with users imported into the IM and Presence database, this operation would trigger an update of ALL user records,
which could have significant impact on system performance. This change would be permanent and requires that ALL Cisco Jabber
clients in use be at version 10.6 or higher for support.
8. Observe the Status message at the top of the page, displayed immediately after initiating the change. This indicates that the
IM Address Scheme update has been triggered.
9. Wait until the message transitions to IM address Scheme change update successful before proceeding.
In a previous exercise, we stopped essential Unified IM and Presence services in order to modify the IM Address scheme. The
next steps will guide you through the process of starting these services to resume normal operation.
1. Switch back to the PuTTY terminal session connected to imp1.dcloud.cisco.com. If the console session login timeout has
expired and/or PuTTY has been closed, launch the PuTTY application as described earlier, load the imp1 saved session, and
click Open.
2. If you are NOT actively logged in to the server, log into the imp1.dcloud.cisco.com CLI with the (administrator/dCloud123!)
username and password combination referenced earlier.
NOTE: In the next section, you will type a series of serviceability commands. In order to eliminate the possibility of typographic
errors and to save time, you may open a file with pre-configured text and copy and paste each command in place of typing. From
the Desktop of Wkst1 browse to CST-Jabber > Utilities and open the file: service-stop-start.txt. Copy commands one at a time
as instructed in the following steps. To paste into the PuTTY window, simply right click within the active terminal connection.
3. Type the following command: utils service start Cisco Presence Engine
4. Press Enter.
6. Type the following command: utils service start Cisco SIP Proxy
7. Press Enter.
9. Type the following command: utils service start Cisco XCP Router
12. Type the following command: utils service start Cisco Sync Agent
15. Type the following command: utils service start Cisco Client Profile Agent
NOTE: In a previous exercise, we Stopped the Cisco XCP Router service. If you Stop the Cisco XCP Router instead of choosing
to restart this service, the IM and Presence Service will automatically stop all other dependent XCP services. Subsequently, when
you turn on the XCP Router, the IM and Presence Service does not automatically turn on the other XCP services; you need to
manually turn on the other XCP services.
18. Type the following command: utils service start Cisco XCP Connection Manager
21. Type the following command: utils service start Cisco XCP Authentication Service
24. Type the following command: utils service start Cisco XCP Text Conference Manager
We will begin by opening a web browser session with active connections to both ucm1.dcloud.cisco.com and
imp1.dcloud.cisco.com in separate tabs.
NOTE: If an active Internet Explorer window with Tabs for ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com is already open on
wkst1.dcloud.cisco.com, you may simply authenticate using (administrator/dCloud123!) to both interfaces and proceed to the first
listed exercise: Perform LDAP Directory Synchronization.
2. Navigate to Collaboration Admin Links > Cisco Unified Communications Manager to connect to
ucm1.dcloud.cisco.com.
5. Click the New Tab icon on the active Internet Explorer window.
6. From the Cisco dCloud homepage navigate to Collaboration Admin Links > Cisco Unified IM and Presence Service.
1. From the Unified Communications Manager Administration interface, choose System > LDAP > LDAP Directory from the main
menu.
2. Click Find.
3. Click the hyperlink for CST LDAP to open the directory configuration page.
6. Observe the status message in the upper left-hand corner of the LDAP Directory configuration page.
1. From the main menu choose User Management > End User.
2. Click Find.
3. Observe that the 29 Users identified during the Active Directory review activity are listed. Pay particular attention to our two
demonstration users Charles Holland – cholland and Anita Perez – aperez.
4. Confirm that the synchronized Directory URI for Anita Perez is set to aperez@alpha.com.
5. Confirm that the synchronized Directory URI for Charles Holland is set to cholland@dcloud.cisco.com.
6. From the main menu navigate to User Management > User Settings > User Group.
7. Click Find.
8. Notice that the distribution groups provisioned in the earlier exercise are synchronized through the LDAP agreement.
NOTE: Changes to the membership of the distribution group in Active Directory will be propagated dynamically during the
scheduled LDAP sync process. Changes to assigned members will be reflected in the Jabber client where users have added these
groups as contact sources.
13. Observe that the LDAP Synchronization process has automatically generated directory numbers in the CST-DN-PT in +E164
format based on the Active Directory telephoneNumber field.
14. Switch to the IM and Presence Service Console tab in the Internet Explorer browser window.
15. If necessary, use the (administrator/dCloud123!) username and password combination to log in.
17. Observe the list of System Managed Domains, which have been learned through the LDAP Synchronization process. Each
unique domain is detected by parsing the assigned Directory URI.
• dcloud.cisco.com
• uk.dcloud.cisco.com
• alpha.com
20. Hover your mouse pointer over the imp1.dcloud.cisco.com node icon.
21. Observe that listed items appear with a Green Check Mark.
22. Click All Assigned Users from the Presence Topology navigation pane.
24. Observe that the IM Address (JID) assigned to each user matches the Directory URI field.
1. Switch to the Unified CM Console tab in the Internet Explorer browser window.
2. If necessary, use the (administrator/dCloud123!) username and password combination to log in.
3. From the menu choose User Management > User/Phone Add > Quick User/Phone Add.
4. To filter the user search results type Anita in the Find User where field. (Default Search Criteria is First Name)
5. Click Find.
7. From the Quick User/Phone Add configuration page, click Manage Devices.
11. Observe the Success message which displays in the bottom right corner of the screen.
12. From the Related Links navigation menu, choose Back to Find List Users.
14. To filter the user search results type Charles in the Find User where field.
16. From the Quick User/Phone Add configuration page, click Manage Devices.
20. Observe the Success message which displays in the bottom right corner of the screen.
23. Observe that both Client Services Framework devices have been added to the Unified CM device database.
24. Click the CSFCHOLLAND Device Name hyperlink to open the device configuration.
25. Observe that the Directory Number +14085556018 created via the initial LDAP synchronization was automatically
associated with the device. Notice that configuration elements defined during the creation of Auto-Provisioning templates, such
as Device CSS, have been set to the values specified through that process.
26. If desired you may investigate the auto-provisioning of the CSFAPEREZ device. When you are ready, move to the next step.
27. Navigate to User Management > End User from the main menu.
30. Scroll down to Service Settings and observe that through the Auto-Provisioning process this user has been enabled for
Unified IM and Presence, and an associated UC Service Profile has been assigned.
31. Confirm that the CSF Device CSFCHOLLAND is listed as an associated device.
34. Observe that the Auto-Provisioning process has automatically added the Directory Number line appearance of the device
CSFCHOLLAND with the end user.
35. Close the Line Appearance Association for Presence dialog by clicking Cancel.
36. Through the previous activity, user Anita Perez (aperez) has been similarly provisioned. You may investigate this if you wish;
when you are ready, move on to the next activity.
Review Jabber-Config.xml
As discussed in the Lab Pre-Configuration section, a series of jabber-config.xml files have been staged on
wkst1.dcloud.cisco.com, wkst2.dcloud.cisco.com, and ad1.dcloud.cisco.com.
1. From the Desktop of wkst1.dcloud.cisco.com, locate and open the folder CST-Jabber.
3. Right click the file jabber-config.xml and choose Open with > Notepad.
4. The following parameters were added to the Directory section of the file to enable Flexible JID:
• <SipUri>mail</SipUri>
• <UseSIPURIToResolveContacts>true</UseSIPURIToResolveContacts>
• <BDISipUri>mail</BDISipUri>
• <BDIUseSIPURIToResolveContacts>true</BDIUseSIPURIToResolveContacts>
URI dialing allows users to make calls and resolve contacts with Uniform Resource Identifiers (URI). For example, a user named
Charles Holland has the following SIP URI associated with his directory number: cholland@dcloud.cisco.com. URI dialing enables
users to call Charles with his SIP URI rather than his directory number.
• <EnableSIPURIDialling>True</EnableSIPURIDialling> (Required)
• <BusinessPhone>telephoneNumber</BusinessPhone> (COSMETIC ONLY: If not added then the SIP URI will be
identified as the work number and the Business telephone will indicate unknown)
6. The following parameters were added to support the Save Chat to Exchange feature:
• <enablesavechathistorytoexchange>True</enablesavechathistorytoexchange>
• <InternalExchangeServer>mail1</InternalExchangeServer>
NOTE: Each time a modification to the jabber-config.xml file is made in support of added features/enhancements, it must first be
uploaded to the Unified Communications Manager TFTP server, and the TFTP service must be restarted before the new
configuration becomes available to the client software.
1. From an active browser session to ucm1.dcloud.cisco.com on wkst1.dcloud.cisco.com, use the Navigation menu to
choose Cisco Unified OS Administration.
2. Click Go.
4. Click Login.
18. From the Menu choose Tools > Control Center – Feature Services.
19. From the Choose Server drop down list, choose ucm1.dcloud.cisco.com.
24. The page will automatically refresh, displaying the status of the restart command. Wait until the message Cisco Tftp Service
Restart Operation was Successful is displayed.
Verify Jabber-Config.xml
To confirm that the updated jabber-config.xml is being served by ucm1.dcloud.cisco.com, we will use a web browser to request
the jabber-config.xml file from the Unified Communications Manager TFTP Server.
NOTE: Internet Explorer does not properly render the XML file when requested over http in this manner. As such, we will be using
Mozilla Firefox for the next exercise.
2. From the Cisco dCloud homepage, navigate to Collaboration User and Test Links > Jabber-Config Check. Optionally you
may manually navigate to the following URL: http://ucm1.dcloud.cisco.com:6970/jabber-config.xml.
3. Confirm that jabber-config.xml file reviewed earlier matches the output of the web browser.
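The Go program below is an added example for the Review Jabber-Config.xml and Verify Jabber-Config.xml activities; it is not part of the guide or of Cisco's tooling. It parses a jabber-config.xml, checks that the Flexible JID, URI dialing and Save Chat to Exchange parameters listed above are present with the expected values, flags any value that carries stray whitespace, and computes a SHA-256 fingerprint so the staged file can be compared with the copy fetched from the TFTP server instead of eyeballing the browser output. The sample XML is constructed from the parameters in the guide; placing EnableSIPURIDialling and the Exchange parameters in an Options section is an assumption of this example, as is the deliberate trailing space in InternalExchangeServer used to show the whitespace check.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"strings"
)

// Param is one <Key>value</Key> element inside a jabber-config.xml section.
type Param struct {
	XMLName xml.Name
	Value   string `xml:",chardata"`
}

// Section is a container such as <Directory> or <Options>; ",any" collects
// every child element whatever its name.
type Section struct {
	Params []Param `xml:",any"`
}

// JabberConfig models the layout the guide reviews: <config version="1.0">
// with a Directory and an Options section (other sections are ignored here).
type JabberConfig struct {
	XMLName   xml.Name `xml:"config"`
	Version   string   `xml:"version,attr"`
	Directory Section  `xml:"Directory"`
	Options   Section  `xml:"Options"`
}

func Parse(data []byte) (*JabberConfig, error) {
	var c JabberConfig
	if err := xml.Unmarshal(data, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// Get returns a parameter's raw text and whether the key is present.
func (s Section) Get(key string) (string, bool) {
	for _, p := range s.Params {
		if p.XMLName.Local == key {
			return p.Value, true
		}
	}
	return "", false
}

// required lists the parameters the guide adds; the Options placement of the
// last two entries is an assumption of this example.
var required = []struct{ section, key, value string }{
	{"Directory", "SipUri", "mail"},
	{"Directory", "UseSIPURIToResolveContacts", "true"},
	{"Directory", "BDISipUri", "mail"},
	{"Directory", "BDIUseSIPURIToResolveContacts", "true"},
	{"Options", "EnableSIPURIDialling", "true"},
	{"Options", "enablesavechathistorytoexchange", "true"},
}

// Check returns one finding per problem: a required key missing or holding an
// unexpected value, or any value carrying leading/trailing whitespace (a stray
// space in a hostname such as InternalExchangeServer breaks name resolution).
func Check(cfg *JabberConfig) []string {
	sections := map[string]Section{"Directory": cfg.Directory, "Options": cfg.Options}
	var findings []string
	for name, sec := range sections {
		for _, p := range sec.Params {
			if p.Value != strings.TrimSpace(p.Value) {
				findings = append(findings, fmt.Sprintf("%s/%s has surrounding whitespace: %q", name, p.XMLName.Local, p.Value))
			}
		}
	}
	for _, r := range required {
		got, ok := sections[r.section].Get(r.key)
		switch {
		case !ok:
			findings = append(findings, fmt.Sprintf("%s/%s is missing", r.section, r.key))
		case !strings.EqualFold(strings.TrimSpace(got), r.value):
			findings = append(findings, fmt.Sprintf("%s/%s is %q, expected %q", r.section, r.key, got, r.value))
		}
	}
	return findings
}

// Fingerprint hashes the file so the copy staged on the workstation can be
// compared with the one served by the TFTP server on port 6970.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SampleConfig is constructed from the parameters listed in the guide; the
// trailing space in InternalExchangeServer is deliberate to exercise Check.
const SampleConfig = `<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Directory>
    <SipUri>mail</SipUri>
    <UseSIPURIToResolveContacts>true</UseSIPURIToResolveContacts>
    <BDISipUri>mail</BDISipUri>
    <BDIUseSIPURIToResolveContacts>true</BDIUseSIPURIToResolveContacts>
    <BusinessPhone>telephoneNumber</BusinessPhone>
  </Directory>
  <Options>
    <EnableSIPURIDialling>True</EnableSIPURIDialling>
    <enablesavechathistorytoexchange>True</enablesavechathistorytoexchange>
    <InternalExchangeServer>mail1 </InternalExchangeServer>
  </Options>
</config>`

func main() {
	cfg, err := Parse([]byte(SampleConfig))
	if err != nil {
		panic(err)
	}
	fmt.Println("sha256:", Fingerprint([]byte(SampleConfig)))
	for _, f := range Check(cfg) {
		fmt.Println("finding:", f)
	}
}
```

To use it against the lab, read the staged file and the bytes returned by http://ucm1.dcloud.cisco.com:6970/jabber-config.xml and compare the two fingerprints; a mismatch after the Cisco Tftp restart means the upload did not replace the served copy.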
Currently both the Cisco Unified Communications Manager (ucm1.dcloud.cisco.com) and the Cisco Unified IM and Presence
Server (imp1.dcloud.cisco.com) are using self-signed SSL certificates generated during the installation process. Cisco Jabber
relies on SSL certificate validation to establish secure connections with applications and services hosted on servers. In so doing,
Cisco Jabber is authenticating the identity of the hosts to which it connects. Cisco Jabber will NOT automatically accept any
certificate issued by an untrusted Certificate Authority (CA), and this includes self-signed certificates.
In order to establish an environment for secure connectivity we MUST deploy CA signed certificates across all Cisco Collaboration
applications in the environment. This is also a requirement for implementation of Mobile and Remote Access with Cisco
Expressway, and SAML Single Sign-On; both addressed later in the lab.
As this is a lab environment, we will be using an instance of Microsoft Active Directory Certificate Services installed on
ad1.dcloud.cisco.com as our primary trust point. In essence, we will assume that ad1.dcloud.cisco.com is a trusted Certificate
Authority and configure Unified CM, Unified IM and Presence, and Cisco Expressway to trust any certificate signed by
ad1.dcloud.cisco.com as authentic.
In a production environment, a third-party CA would take the place of ad1.dcloud.cisco.com; however, the fundamental mechanics
of SSL certificate management remain unchanged.
NOTE: As Unity Connection does not play a role in the configuration or demonstration content of the exercises in this lab, a
Certificate signed by ad1.dcloud.cisco.com has already been installed as part of the pre-configuration and to avoid certificate
errors during interaction with the Cisco Jabber client in later exercises.
Activity Objectives
You will perform the following during this activity:
• Identify required naming convention for Cisco Unified Collaboration service nodes
• Establish a Root trust relationship between ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com with the Certificate
Authority hosted on ad1.dcloud.cisco.com
• Generate and download Certificate Signing Requests for required services across Cisco Unified CM and Unified IM and
Presence
• Use Microsoft Active Directory Certificate services to generate CA signed certificates for Cisco Unified CM and Unified IM
and Presence
The reason for changing the Unified CM and Unified IM and Presence server names from hostname or IP address to FQDN is so
that they can be resolved by the different services and client applications that access them over the network. The Cisco Jabber for
Windows certificate validation process expects the identity of hosts providing services to be reflected as an FQDN in the
Common Name field of CA signed certificates.
1. From the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36), change focus of the Internet Explorer to the
browser tab connected to ucm1.dcloud.cisco.com. Use the Navigation menu to choose Cisco Unified CM Administration
and click Go.
2. If the login session timeout has expired from the previous activity, log in with Username: administrator and
Password: dcloud123!.
3. From the Cisco Unified CM Administration webpage, navigate to System > Server.
4. Click Find.
5. Confirm that the server hostnames reflect their fully qualified domain name as shown.
Jabber clients no longer accept the self-signed certificates installed by default on the UC servers. In this section, you will install the
CA signed certificates. You can use publicly trusted CA signed certificates or those created by an internal CA such as Microsoft
Active Directory Certificate Services. This lab makes use of the latter.
NOTE: You will download and create multiple certificates. Rename these files as they are downloaded to keep better track of them.
The default Download directory for the browsers in this lab is Desktop\CST-Jabber\Downloads.
2. From the dCloud homepage, choose dCloud Certificates > AD1 Certificate Services. Optionally, you may navigate to
http://ad1.dcloud.cisco.com/certsrv.
2. Choose the radio button for Base 64 and then click Download CA certificate.
In order to create a trust point for authentication, we must first configure Unified Communications Manager
(ucm1.dcloud.cisco.com) and Unified IM and Presence (imp1.dcloud.cisco.com) to trust the Root Certificate associated with
our Certificate Authority. To do this we will upload the Root certificate obtained in the previous exercise to the Unified
Communications Manager Publisher (ucm1.dcloud.cisco.com).
NOTE: From Collaboration Systems Release 10.x and onward, the Cisco Unified IM and Presence service is considered a part of
the Unified Communications Manager cluster. Therefore, certificate replication is performed by the publisher to all nodes in the
cluster. Before this enhancement, we would have needed to perform this operation on both ucm1.dcloud.cisco.com and
imp1.dcloud.cisco.com.
1. From an active browser session to ucm1.dcloud.cisco.com, use the Navigation menu to choose Cisco Unified OS
Administration.
5. Choose tomcat-trust from the drop down menu. Do NOT choose tomcat.
7. Click Browse.
NOTE: In order for certificate management changes to take effect, the Cisco Tomcat service must be restarted. We will restart
Cisco Tomcat in a later step.
• Distribution: Multi-Server(San)
4. Click Generate.
5. Verify that CSR generation completed successfully, and export completed for both ucm1.dcloud.cisco.com and
imp1.dcloud.cisco.com.
6. Click Close.
13. Right click the downloaded tomcat.csr file and choose rename.
2. Click the button for Select a program from a list of installed programs from the file dialog pop-up.
3. Click OK.
5. Click OK.
6. From the Notepad main menu choose Format > Word Wrap.
10. Switch focus back to Internet Explorer and open the tab connected to AD1 Certificate Services.
11. Click the hyperlink for Home, in the upper right of the Microsoft Active Directory Certificate Services webpage.
15. Press CTRL-V to paste the CSR data saved to the clipboard.
2. Use the Navigation menu to choose Cisco Unified OS Administration. (if not already there)
7. Click Browse.
12. Confirm that the operation is successful. The Unified CM Status message should appear as in the image below:
NOTE: Because Unified CM supports the use of Multi-Server (Subject Alternative Name) SSL certificates, only a single CA Signed
certificate is required for all nodes in the Unified CM Cluster.
In the previous exercise, we uploaded the CA Root certificate (ad1.dcloud.cisco.com) to the Tomcat Trust store of both the
Unified Communications Manager (ucm1.dcloud.cisco.com) and the IM and Presence (imp1.dcloud.cisco.com). Next, we
generated CA Signed Tomcat certificates. We must now upload the CA Root certificate to the IM and Presence XMPP-Tomcat
trust in order to generate and install a CA Signed XMPP certificate.
2. Use the Navigation menu to choose Cisco Unified IM and Presence OS Administration.
3. Click Go.
9. Click Browse.
14. Notice the status message indicates that the Cisco XCP Router service must be restarted for changes to take effect. We will
restart the service in a later exercise.
• Distribution: imp1.dcloud.cisco.com
NOTE: Subject Alternative Names (SANs) have been auto-populated based on the presence domains for which the IM and
Presence server has been configured. In our lab, this includes alpha.com, dcloud.cisco.com, and uk.dcloud.cisco.com.
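The Go program below is an added example covering the certificate activities in this section (root trust, the Multi-Server SAN Tomcat certificate, and the cup-xmpp certificate whose SANs carry the presence domains); it is not Cisco code and not the CA on ad1.dcloud.cisco.com. It creates a throw-away root CA in memory, issues the two kinds of certificate the lab requests, and then applies the validation the guide attributes to Cisco Jabber: the certificate must chain to a trusted root and must name the FQDN being connected to. The failure cases it demonstrates are the install-time self-signed certificate, a certificate that carries only the short host name ucm1, and a certificate from a different root. The CA name, the use of P-256 keys and the 24-hour validity are assumptions made to keep the example self-contained.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// serial returns a random positive serial number, as a CA would assign.
func serial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	return n.Add(n, big.NewInt(1))
}

func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// leafTemplate describes a server certificate: cn in the Subject and sans as
// Subject Alternative Names, which is where modern validation looks.
func leafTemplate(cn string, sans []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: serial(),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// NewRootCA stands in for the AD Certificate Services root on ad1.dcloud.cisco.com.
func NewRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// IssueServerCert is what submitting a CSR to the Web Server template yields:
// a certificate for cn/sans signed by the CA.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, sans []string) *x509.Certificate {
	key := mustKey()
	return mustParse(x509.CreateCertificate(rand.Reader, leafTemplate(cn, sans), ca, &key.PublicKey, caKey))
}

// SelfSigned reproduces the install-time certificate: issued by the node to itself.
func SelfSigned(cn string) *x509.Certificate {
	key := mustKey()
	tmpl := leafTemplate(cn, []string{cn})
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// ClientAccepts applies the two checks the guide attributes to Jabber: the
// certificate must chain to the trusted root and must carry the FQDN being
// connected to. It returns nil on success and the validation error otherwise.
func ClientAccepts(root, cert *x509.Certificate, fqdn string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: fqdn})
	return err
}

func main() {
	ca, caKey := NewRootCA("dcloud-AD1-CA") // placeholder CA name
	nodes := []string{"ucm1.dcloud.cisco.com", "imp1.dcloud.cisco.com"}
	tomcat := IssueServerCert(ca, caKey, nodes[0], nodes) // Multi-Server (SAN) tomcat certificate
	xmpp := IssueServerCert(ca, caKey, nodes[1],          // cup-xmpp with the presence domains as SANs
		[]string{nodes[1], "alpha.com", "dcloud.cisco.com", "uk.dcloud.cisco.com"})
	short := IssueServerCert(ca, caKey, "ucm1", []string{"ucm1"}) // host name instead of FQDN
	fmt.Println("tomcat for ucm1:", ClientAccepts(ca, tomcat, nodes[0]))
	fmt.Println("tomcat for imp1:", ClientAccepts(ca, tomcat, nodes[1]))
	fmt.Println("xmpp for alpha.com:", ClientAccepts(ca, xmpp, "alpha.com"))
	fmt.Println("short-name cert for FQDN:", ClientAccepts(ca, short, nodes[0]))
	fmt.Println("self-signed cert:", ClientAccepts(ca, SelfSigned(nodes[0]), nodes[0]))
}
```

The first three checks print <nil>; the last two print a hostname error and an unknown-authority error respectively, which is the behaviour the lab is working to eliminate by replacing the install-time certificates and naming the nodes by FQDN.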
25. Right click the downloaded cup-xmpp.csr file and choose rename.
1. Double click the file imp1-cup-xmpp.csr (renamed in the previous step) to open.
2. From the Notepad main menu, choose Format and confirm that Word Wrap is highlighted.
6. Switch focus back to Internet Explorer and open the tab connected to AD1 Certificate Services.
7. Click the hyperlink for Home, in the upper right of the Microsoft Active Directory Certificate Services webpage.
11. Press CTRL-V to paste the CSR data saved to the clipboard.
12. From the Certificate Template drop down, choose Web Server.
2. Navigate to Security > Certificate Management from the menu. (If not already on this page)
5. Click Browse.
8. Click Open.
9. Click Upload.
A new secure TFTP transfer process was introduced in Cisco Unified CM 11.0. This provides an SSL-secured TFTP transfer of
configuration data from Cisco Unified CM to the Cisco Jabber client. In Unified CM Release 11.0, modifying the installed
Cisco Tomcat security certificate requires that the Cisco Tftp service (if activated) on all nodes be deactivated and then
activated again. This binds the certificates properly for the SSL handshake that authenticates secure TFTP
connections. As such, we will deactivate and re-activate the Cisco Tftp service running on ucm1.dcloud.cisco.com.
NOTE: This behavior will change in Unified CM Release 11.5, where a Restart of the Cisco Tftp service will bind the new
certificates.
1. Launch the terminal application PuTTY by clicking on the icon in the taskbar.
2. Under Saved Sessions, choose the entry ucm1 and click Load.
6. Press Enter.
7. While waiting for the restart command to complete, open another PuTTY session to imp1.dcloud.cisco.com by right clicking
the PuTTY icon in the taskbar.
10. Type the following command: utils service restart Cisco Tomcat
12. Before proceeding, confirm that the Cisco Tomcat service has been restarted on both hosts as shown below.
13. Type the following command: utils service restart Cisco XCP Router
15. Before proceeding, confirm that the Cisco XCP Router service has been restarted.
NOTE: It will likely take at least 10 minutes for Cisco Tomcat and its dependent services to restart. This is an excellent time to take
a break. If you are unable to log into the Administration interfaces of either imp1.dcloud.cisco.com or ucm1.dcloud.cisco.com
after 15 minutes, report the issue to a proctor.
As described earlier in this section, the Cisco Tftp Service must be re-initialized by performing a Deactivation and subsequent
Activation. This process binds the newly uploaded CA signed Cisco Tomcat certificate to the secure TFTP listener to
authenticate secure connections.
2. From the dCloud homepage navigate to: Collaboration Admin Links > Cisco Unified Communications Manager.
3. Select Cisco Unified Communications Manager from the Installed Applications list.
NOTE: No error regarding an untrusted certificate is encountered, and the address bar has changed from red to white. This is
because imp1.dcloud.cisco.com and ucm1.dcloud.cisco.com are both using SSL certificates signed by our Root CA,
ad1.dcloud.cisco.com. All servers and workstations in this lab have been pre-configured to trust certificates signed by
ad1.dcloud.cisco.com. Therefore, these hosts trust the identity certificates presented by imp1.dcloud.cisco.com and
ucm1.dcloud.cisco.com.
8. Click Go.
9. In the CM Services section of the webpage, locate the entry for Cisco Tftp. Observe that the entry is checked and the current
Activation Status is Activated.
10. Uncheck the entry for the Cisco Tftp service and click Save. It may take up to a minute for the operation to complete.
11. Confirm that the Activation Status of the Cisco Tftp service is now Deactivated.
12. To re-initialize the Cisco Tftp service, place a Checkmark next to the entry for Cisco Tftp. Click Save.
14. Once the service activation command completes, confirm that the Cisco Tftp service Activation Status is set to Activated.
Chat
P2P Calling
At the conclusion of this activity, we will confirm a functional Cisco Jabber for Windows installation on both demonstration
workstations and validate readiness for Advanced Feature Deployment Modules.
1. Open an RDP session to wkst1.dcloud.cisco.com (198.18.133.36). (May already be open from the previous exercise)
4. From the dCloud homepage navigate to Collaboration User and Test Links > Cisco Jabber Software Download.
Alternatively, you may navigate to the following URL: https://cisco.box.com/CST-Jabber-Installation.
11. Cisco Jabber will launch and you will see the Finding services… message as it initializes for the first time and performs
automatic service discovery.
12. Once service discovery is complete, a Logon screen will appear. The username cholland should be automatically populated.
NOTE: Jabber has automatically detected the UPN (User Principal Name) of the logged-on Windows user, populated the Username
field with the sAMAccountName portion, and used the domain portion of the UPN as the DNS domain to query for service discovery.
15. Notice the New location detected notification at first login. This will likely appear to the lower right of the remote desktop
workspace.
16. In order to get a feel for how locations may be updated and displayed, click Add to my locations.
18. Type a location of your choice. In our example, we use HQ as the location specified for Charles Holland.
20. Observe that Charles Holland is logged in to the Jabber client with the location data entered above.
The Location Update and Automated Location Detection features are new as of the Jabber 10.6 release. They allow Cisco
Jabber users to quickly specify their current location and share it with contacts as part of their presence detail.
Organizations that wish to exclude the feature can disable it through the global jabber-config.xml file.
The location feature is Enabled by default, and by default the detection mechanism identifies a location by the detected
address of the client's default gateway.
Changes to Location settings can be made from within the File > Options menu of the Cisco Jabber client.
The feature may be enabled/disabled using the Enable locations checkbox. New location detection behavior can be disabled
using the Tell me when new locations are detected checkbox. Existing locations can be deleted, edited or reassigned by
choosing a saved location from the My Locations window.
The currently assigned location can be modified by clicking on the Location icon.
21. Click the Menu icon and choose File > View my profile to display and confirm information about Charles Holland.
22. Observe and confirm the following fields and corresponding data:
24. To test Directory lookup, type Ani in the Search or Call field. (not case sensitive)
25. Observe that the offline contact record for Anita Perez is displayed.
26. Click the Menu icon and choose Help > Show connection status to confirm that the Jabber client has active
connectivity to provisioned services.
27. Confirm that the following services have Status of Connected (consult the graphic for reference):
• Softphone
Status: Connected
Address: ucm1.dcloud.cisco.com
• Presence
Status: Connected
Address: imp1.dcloud.cisco.com
Address: Outlook
• Directory
4. From the dCloud homepage navigate to Collaboration User and Test Links > Cisco Jabber Software Download.
Alternatively you may navigate to the following URL: https://cisco.box.com/CST-Jabber-Installation.
11. Cisco Jabber will launch and you will see the Finding services… message as it initializes for the first time and performs
automatic service discovery.
12. Once service discovery is complete, a Logon screen will appear. The username aperez should be automatically populated.
The lab environment has a single Active Directory domain. Even though the mail attribute of this user is aperez@alpha.com,
the UPN assigned to Anita Perez is aperez@dcloud.cisco.com. In a production environment with multiple managed
domains, this user would most likely authenticate to a separate Active Directory infrastructure with a UPN matching the mail attribute.
15. Notice the New location detected notification at first login. This will likely appear to the lower right of the remote desktop
workspace.
18. Type a location of your choice. In our example, we use Home Office as the location specified for Anita Perez.
20. Observe that Anita Perez is logged in to Jabber with the location data entered above.
21. Click the Menu icon and choose File > View my profile to display and confirm information about Anita Perez.
22. Observe and confirm the following fields and corresponding data:
24. To test Directory lookup, type chol in the Search or Call field. (not case sensitive)
25. Observe that the contact record for Charles Holland is displayed.
26. Notice the status of Available @ HQ. This is the result of adding the HQ location in the previous activity.
27. Click the Menu icon and choose Help > Show connection status to confirm that the Jabber client has active
connectivity to provisioned services.
• Softphone
Status: Connected
Address: ucm1.dcloud.cisco.com
• Presence
Status: Connected
Address: imp1.dcloud.cisco.com
Address: Outlook
• Directory
30. This completes service discovery validation and Jabber client connectivity.
1. Maintain or switch focus to the RDP session connected to wkst2.dcloud.cisco.com (198.18.133.37) for user Anita Perez.
3. From the Add Contact dialog, click New Group to create a new group in which to place the new contact.
7. Click Add.
8. Hover your mouse over the new contact and click the Chat icon.
9. In the chat window, type a message from Anita Perez to Charles Holland.
10. Open (Switch to) the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36) for user Charles Holland.
11. Click the chat notification to open the active chat session.
12. Click the Add icon in the contact menu of the active chat window to add Anita Perez as a contact.
16. In the chat window, type a reply message of your choice from Charles Holland to Anita Perez.
18. Type a reply message back to Charles indicating the need for a call to discuss.
19. The Chat window should have a flow similar to the one depicted.
NOTE: Both workstations in this exercise are virtual machines. We are leveraging a virtual camera and audio drivers to allow for
simulated audio and video between Jabber clients. You will NOT have live video or audio for test calls.
20. Click the Arrow directly to the left of the Call icon.
21. Observe that we may place a call to either the URI (cholland@dcloud.cisco.com) or Telephone Number assigned to
Charles Holland. This is because we have completed the configuration steps required to enable the URI Dialing feature. By
placing and completing a call using the Directory URI, we validate the operation of the URI Dialing feature.
25. Note that the call is active and the virtual camera drivers are showing the text VCAM in both remote and self-view windows.
26. Observe that the presence indicator for Charles Holland has changed from Available to On a Call.
29. Click the End Call icon to end the active call.
30. You may continue to explore P2P chat and calling features, by attempting a call from Charles Holland to Anita Perez if you
wish. When ready, please move on to the next activity.
Jabber for Windows can be configured to automatically save chat histories to a Cisco Jabber Chats folder in users' Microsoft
Outlook application. When a user closes a chat window, the client saves the IM conversation to the Exchange server.
This allows users to more easily search all conversations both email and IM from a single location.
Earlier we enabled this feature by adding the following lines to the jabber-config.xml file in the Client section:
<Client>
<enablesavechathistorytoexchange>True</enablesavechathistorytoexchange>
<InternalExchangeServer>mail1.dcloud.cisco.com</InternalExchangeServer>
</Client>
In this exercise, we will open Microsoft Outlook and observe that the chat interactions undertaken thus far have been logged to the
Cisco Jabber Chats folder.
1. Open (or switch to) an RDP session to wkst2.dcloud.cisco.com (198.18.133.37) for user Anita Perez.
5. Observe that all chat interaction between Anita Perez and Charles Holland has been saved to the folder.
NOTE: If you do not see any chat history, ensure that all chat windows are closed. The save history feature is not activated until
the conversation has been closed.
6. Hover your mouse over the contact entry for Charles Holland.
Integration between Cisco Jabber and the Microsoft Office Contact card with presence and click to call/chat capability is enabled.
In order to accomplish this, the proxyAddresses attribute for both Charles Holland and Anita Perez have been edited to include
a SIP URI. The graphic below shows the entry added for Charles Holland using the Active Directory Users and Computers
console.
7. You may test integration functionality by initiating IM or Calling using the contact card entry.
9. If you wish, you may confirm the same functionality from wkst1.dcloud.cisco.com (Charles Holland). When ready, move on to
the next activity.
Manage Contacts using Enterprise Groups
We have tested the manual management of contacts in Cisco Jabber. In the next exercise, we will streamline this process by
importing contacts through the Enterprise Groups feature.
In this next activity, we will explore the automatic population of Jabber contacts by using Distribution Groups synchronized from
Active Directory. Recall that in the first activity of this lab we reviewed and created groups for this purpose:
• Sales
• Engineering
• Marketing
We confirmed that these groups synchronized with Active directory and are present within Unified Communications Manager under
User Management > User Settings > User Group.
We will now explore adding these groups and interacting with them. We will also demonstrate the dynamic nature of the Enterprise
Groups feature.
1. Open (Switch to) an RDP session to wkst1.dcloud.cisco.com (198.18.133.36) user Charles Holland.
2. Click the Menu icon and choose File > New > Directory Group.
NOTE: You can add multiple groups at the same time by searching for the group name(s) entered in part or in whole. You can
double-click on the desired group(s) returned by the search. Continue adding groups in this manner until you are ready to add
them all to the Jabber Contacts list. In place of the mouse interaction, you may use either the Tab or Enter keys to add when a
single search result is returned.
3. In the Search field of the Add Directory Group dialog, type Sales.
5. Click Add.
6. Observe that the Sales group is added to the Contacts window. All of the members defined in the Active Directory distribution
group are present as contacts in the group. Notice that the total number of contacts in the group is shown in the upper-right corner
of the group header.
NOTE: Only Anita Perez has an associated contact photo. This photo was added to the local cache from our chat interactions.
The others are missing because a Throttling Policy is enforced on picture download for contacts added through an Enterprise
Group. This behavior is designed to avoid performance degradation with wide use of the feature in the enterprise. The photo is
downloaded upon first interaction with an added contact. In our demonstration, we will click each user to download their photo.
Some contacts may have photos resolved through the address book entries in MS Outlook while exploring chat history.
7. Click on each contact in the list and observe that the contact photo is immediately downloaded.
8. Click the Menu icon and choose File > New > Directory Group.
9. In the Search field type Eng and press the Enter key.
10. In the Search field type Mark and press the Enter key. Notice that the Enter or Tab key may be pressed as soon as the
predictive search returns a viable result.
12. If you wish, you may click each contact to download a photo.
13. Open (Switch to) an RDP session to wkst2.dcloud.cisco.com (198.18.133.37) for user Anita Perez.
14. From the Jabber hub window click the Menu icon and choose File > New > Directory Group.
16. In the Search field type Sales and press the Enter.
17. In the Search field type Marketing and press the Enter.
19. Click on each contact in the list and observe that the contact photo downloads instantly.
A major benefit of the Enterprise Groups feature is that contact management is centralized within LDAP (Microsoft Active
Directory). When changes are made to the membership of a synchronized Directory Group (Additions/Deletions), these are
replicated during the scheduled synchronization process between Unified CM and LDAP Directory.
In the next exercise, we will connect to ad1.dcloud.cisco.com (198.18.133.1) and use the Active Directory Users and
Computers console to modify group membership by removing our two demonstration users from their respective groups.
2. From the Task Bar Click the Active Directory Users and Computers icon.
7. Click Remove.
9. Click Apply.
NOTE: In a production environment, a recurring schedule for directory synchronization is established and defined as part of the LDAP
Directory Synchronization agreement. Updates to synchronized groups occur and are registered in Cisco Unified CM during these
scheduled synchronization intervals. To expedite the process, we will manually initiate an LDAP Synchronization.
3. From the Cisco dCloud homepage, navigate to Collaboration Admin Links > Cisco Unified Communications Manager to
connect to ucm1.dcloud.cisco.com. Optionally you may manually type https://ucm1.dcloud.cisco.com in the address bar.
4. From the Installed Applications list, click Cisco Unified Communications Manager.
7. Click Login.
8. In the Unified Communications Manager Administration interface, browse to System > LDAP > LDAP Directory.
9. Click Find.
10. Click the hyperlink for CST LDAP to open the directory configuration page.
NOTE: In rare circumstances we have experienced an issue where the Confirm Password field, is cleared when this page is
accessed. If this happens you will receive a pop-up stating: LDAP Password:: - Passwords do not match. If this happens, enter
the password C1sco12345 in the Password and Confirm Password fields and repeat the previous step.
13. Observe the status message in upper left hand corner of the LDAP Directory configuration page.
1. From the main menu choose User Management > User Settings > User Group.
2. Click Find.
6. From the Related Links menu, choose Back to Find/List User Groups.
7. Click Go.
9. Click Find.
10. Confirm that Charles Holland has been removed from the group.
1. If not already in focus, open the RDP session to wkst1.dcloud.cisco.com (Charles Holland).
3. View the Sales group and see that the contacts counter has been reduced to 9 and that Anita Perez is absent from the group.
4. Expand the Engineering group and see that the number of listed contacts has been reduced to 8 and that Charles Holland is
no longer listed as a member of the Engineering contact group.
6. Review the Sales and Engineering contact groups and confirm that the output matches the observed behavior of the Jabber
client on wkst1.
NOTE: The Contact list update for the Cisco Jabber client is almost instantaneous. Exact results may vary and depend heavily
upon load in a production environment.
The remainder of this lab is a series of Modules, each devoted to a particular advanced deployment topic. Participants are
encouraged to complete all of the modules in sequential order. However, the time limit for this lab is 4 Hours. Students wishing to
devote extra time or emphasis to one or more of the feature modules may wish to be selective in order to complete the desired
modules within the time allotted.
Students should check the amount of time left at this point in the lab and decide on which Modules to pursue.
NOTE: Modules are optional and may be completed independently except where listed as a dependency for another target
Module. The only module with pre-requisite dependencies is 3(b), which requires Modules 2 and 3a to be completed in advance in
order to test solution functionality.
Persistent Chat
Instant messaging is an important communication option that lets you efficiently interact in today's multitasking business
environment. Cisco Unified Presence provides personal chat, group chat, and persistent chat capabilities so you can quickly
connect with individuals and groups and conduct ongoing conversations.
Personal and Group chat have been available for some time without any special configuration; however, these interactions are
temporary (they are deleted when all participants leave the chat).
The Persistent Chat feature provides a richer set of capabilities allowing users to create permanent chat rooms and manage
privacy and group membership settings. Persistent Chat offers users ongoing access to a discussion thread or other topic. It is
available even if no one is currently in the chat and remains available until explicitly removed from the system.
Additional administrative configuration options were recently added to the Collaboration Systems portfolio including the ability to
limit the creation of rooms to designated Group Chat Administrators.
Managed file transfer (MFT) allows an IM and Presence Service client, such as Cisco Jabber, to transfer files to other users, ad
hoc group chat rooms, and persistent chat rooms. The files are stored in a repository on an external file server that is mounted
over SSHFS, so the transfer operations are protected by SSH, and each transaction is logged to an external database.
Unlike peer-to-peer file transfer, Managed File Transfer may be used in conjunction with Group and Persistent Chat to share files
in a multi-user environment.
Configuration Notes
All pertinent external services (Database, SSHFS) will be hosted on the centos.dcloud.cisco.com (198.18.134.29) running
CentOS Linux 7.
NOTE: We will be using command line (CLI) access through PuTTY to connect to and configure the required components. Some
familiarity with these tools and systems will be helpful, but is not required.
Module Objectives
In this module, we will perform the following tasks:
• Configure External PostgreSQL Database instances to support the Persistent Chat and Managed File Transfer.
• Provision an SSHFS file system for use as the file store and secure transfer protocol for Managed File Transfer.
• Enable SSH Key based authentication for a dedicated Managed File Transfer User.
• Configure the Cisco Unified IM and Presence Service to support Persistent Chat and Managed File Transfer.
• Update the jabber-config.xml global configuration file to enable the Persistent Chat feature.
Supported external databases for IM and Presence Service Release 11.0(1):
• PostgreSQL database, versions 8.3.x through 9.4.x are supported, and versions 9.1.9, 9.2.6, 9.3.6, and 9.4.1 have been
tested with IM and Presence Service Release 11.0(1).
• Oracle database, versions 9g, 10g, 11g, and 12c are supported, and versions 11.2.0.1.0 and 12.1.0.2.0 (Linux) have been
tested with IM and Presence Service Release 11.0(1).
NOTE: To save time PostgreSQL server 9.4 (with dependencies) is installed on centos.dcloud.cisco.com running CentOS7.
Detailed instructions regarding the installation process and initial configuration using the YUM package installer on CentOS can be
found in Appendix A.
The database and services have been initialized using default values and the following parameters configured:
• Connections and Authentication permitted from 198.18.133.0/24 (IP subnet for Collaboration Applications in the lab)
• Some additional database parameters that are pertinent to integration are also pre-configured but these are identified
throughout the activity.
NOTE: In this exercise, we will use the root account unless otherwise specified. In a production environment, the best practice is to
log in with a non-root account and use sudo only for the individual commands that require root privileges.
3. Under Saved Sessions, choose the entry CentOS and click Load.
4. Click the Open button to launch a secure shell connection to the Linux Server node centos.dcloud.cisco.com.
NOTE: This information is provided for reference only. No configuration file modifications are necessary.
To save time and avoid the potential for error the following required configuration file modifications have been made for you:
• listen_addresses = '*'
• port = 5432
• escape_string_warning = off
• standard_conforming_strings = off
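The pg_hba.conf entries behind the connection rule described earlier in this module (access from 198.18.133.0/24) are not reproduced in the lab. The following is an added example, not the contents of the lab's actual file, of how an engineer would write them so that each IM and Presence role can reach only its own database from the Collaboration subnet. The database names are the ones created later in this module; the role names tcuser and mftuser, the md5 method and the file location are assumptions of the example.

```conf
# pg_hba.conf (CentOS 7, PostgreSQL 9.4; typically /var/lib/pgsql/9.4/data/pg_hba.conf)
# One rule per role, each limited to its own database and to the Collaboration subnet.
# TYPE  DATABASE  USER     ADDRESS            METHOD
host    tcmadb    tcuser   198.18.133.0/24    md5
host    mftadb    mftuser  198.18.133.0/24    md5
# Avoid a catch-all such as the commented line below: together with listen_addresses = '*'
# it would expose every database on the instance to the whole subnet.
# host  all       all      198.18.133.0/24    md5
```

Because listen_addresses = '*' binds the listener on every interface, pg_hba.conf (and the host firewall) is what actually limits who can connect. escape_string_warning = off and standard_conforming_strings = off are required by the IM and Presence Service; the latter restores legacy backslash escaping in string literals for every client of the instance, which is one more reason to dedicate this PostgreSQL instance to IM and Presence rather than share it with other applications.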
NOTE: DO NOT COPY and PASTE PostgreSQL commands into the PuTTY console session. For your convenience, a text file
with the commands that may be copied and pasted into the console is located on wkst1.dcloud.cisco.com (198.18.133.36) at the
path: Desktop\CST-Jabber\Utilities\PostgreSQL-Commands.txt. Open the file in the Notepad application and copy and paste
where appropriate.
3. Create the Persistent Group Chat database user with permissions by typing:
4. Press Enter.
5. Create the Managed File Transfer database user with permissions by typing:
6. Press Enter.
Create Databases
8. Press Enter.
\list
13. Confirm that both the tcmadb and mftadb databases are listed in the command output.
18. Type the following to connect to the tcmadb (Persistent Chat Database) as the postgres user.
\connect tcmadb
19. Press Enter. Observe the status message: You are now connected to database "tcmadb" as user "postgres".
21. Press Enter. Confirm that command output matches the graphic below.
22. Type the following to connect to the mftadb (Managed File Transfer Database) as the postgres user.
\connect mftadb
23. Press Enter. Observe the status message: You are now connected to database "mftadb" as user "postgres".
26. Press Enter. Confirm that command output matches the graphic below.
\q
1. Open a New Tab in the active Internet Explorer window. If necessary, open a new Internet Explorer session.
2. Navigate to Collaboration Admin Links > Cisco Unified IM and Presence Service.
5. From the menu choose Messaging > External Server Setup > External Databases.
• Password: tcuser
• Hostname: centos.dcloud.cisco.com
8. Click Save.
9. Note that the External Database status indicates that the server is reachable. You may ignore the warning, which indicates
that the server must be mapped to a service for any further tests to be performed.
• Password: mftuser
• Hostname: centos.dcloud.cisco.com
13. Note that the External Database status indicates that the server is reachable.
1. Switch back to the PuTTY session connected to centos.dcloud.cisco.com. If necessary, open a new PuTTY session to
centos.dcloud.cisco.com. Login as root with the password dCloud123!.
2. To allow public key authentication, make sure that the following parameters in the /etc/ssh/sshd_config file are set as follows:
• RSAAuthentication yes
• PubkeyAuthentication yes
NOTE: These values are set by default; we will validate them in the following step. PubkeyAuthentication is the parameter that
matters here. RSAAuthentication applies only to the legacy SSH protocol 1 and is ignored (or rejected outright) by newer OpenSSH
releases that have removed protocol 1 support.
3. Type the following command to search the /etc/ssh/sshd_config file for the values described above.
4. Press Enter.
5. Multiple lines are returned; however, the output depicted in the graphic indicates that the default value of these two parameters
is yes. (A default that appears only as a commented-out line is still in effect; only an uncommented "no" would disable it.)
useradd -m mftuser
7. Press Enter.
su mftuser
9. Press Enter.
10. Create a .ssh directory under the mftuser home directory that is used as a key store by typing:
mkdir ~mftuser/.ssh/
12. Create an authorized_keys file under the .ssh directory that is used to hold the public key text for each IM and Presence
Service node. Type the following:
touch ~mftuser/.ssh/authorized_keys
14. Set the correct permissions for passwordless SSH to function by typing the following commands. Press Enter after each
command. sshd (with the default StrictModes yes) refuses to use an authorized_keys file that is group- or world-writable, or one
whose .ssh directory is, so incorrect modes here fail silently as "Permission denied (publickey)" rather than with a clear error.
Next, we will create a file directory structure where files transferred using the MFT feature will be stored. We will ensure that the
user created in the previous step has ownership and the permissions needed to read, write, and delete files.
16. To create a top-level directory named mftFileStore to hold sub directories for all of the IM and Presence Service nodes that
have managed file transfer enabled. Type the following:
mkdir -p /opt/mftFileStore/
18. Give ownership of the newly created /opt/mftFileStore directory to user mftuser.
20. Specify directory permissions that permit Read, Write, and Execute by the mftuser account only by typing:
22. Create a subdirectory under /opt/mftFileStore/ for each managed file transfer enabled node. In our case, this is
imp1.dcloud.cisco.com. Type the following commands one per line and press Enter after each:
su mftuser
mkdir /opt/mftFileStore/imp1
23. To verify the previous exercise enter the following commands and compare the output with the graphic provided. Commands
are entered one per line and the Enter key should be pressed after each.
ls -al ~/.ssh/
ls -al /opt/mftFileStore/
24. Confirm that the output displayed in PuTTY matches the highlighted lines in the graphic. This validates that all required files
and directories have been created and assigned permissions correctly.
To implement key-based SSH authentication for mftuser between centos.dcloud.cisco.com and imp1.dcloud.cisco.com, each
server must know the public key presented by the other. In this step, we obtain the SSH host public key of the MFT server, which
will be provided to imp1.dcloud.cisco.com during the configuration process. Because ssh-keyscan retrieves the key over the
network, it only proves that some host answered at that address; before trusting it, compare the fingerprint of the copied key
(ssh-keygen -lf) with the fingerprint of the matching /etc/ssh/ssh_host_*_key.pub file displayed on the server's own console.
2. Press Enter.
3. Copy the result of the ssh-keyscan command. Highlight the desired text and left-click the mouse to copy the selection to the
buffer. Be certain to copy the entire key value, from the server hostname, FQDN, or IP address to the end. Consult the graphic
below for reference.
4. Open the Notepad text editor by clicking on the icon in the taskbar.
5. Click Format and ensure that Word Wrap is un-checked. We want to paste the key as a single line.
NOTE: Do NOT paste the key text with Word Wrap enabled in Notepad. Ensure that Word Wrap is un-checked before proceeding.
6. Paste the contents of the buffer by using the Ctrl-V key combination. You may also left click and choose Paste from the menu.
12. Minimize, but leave the PuTTY session open, as it will be used during the provisioning of the MFT feature.
1. Open Internet Explorer and choose the tab for IM and Presence Server (imp1.dcloud.cisco.com). If necessary, launch
Internet Explorer and navigate to Collaboration Admin Links > Cisco Unified IM and Presence Service.
3. From the menu, choose Messaging > Group Chat and Persistent Chat.
• Allow only group chat system administrators to create persistent chat rooms: Checked
5. Click Save.
NOTE: For this change to take effect, the Cisco XCP Router and Cisco XCP Text Conference Manager must be restarted. We
will do so in a later step.
7. Click Find.
9. Scroll down to External Database Status viewer and observe the connectivity state. All tests should return a successful
result.
Our configuration specifies that ONLY Administrators have the ability to create Chat Rooms. In this exercise, Group Chat
Administrator privileges will be assigned to Charles Holland.
• IM Address: cholland@dcloud.cisco.com
4. Click Save.
6. Click Go.
8. Place a Checkmark in the Enable group chat system administrator privileges checkbox in the upper left of the screen.
9. Click Save.
Update Jabber-Config.xml
Persistent Chat is disabled by default in Cisco Jabber for Windows. To enable the feature, we must update the jabber-config.xml file. As with our previous exercises, a pre-configured jabber-config.xml file has been staged for you.
1. From the Desktop of wkst1.dcloud.cisco.com, locate and open the folder CST-Jabber.
3. Right click the file jabber-config.xml and click Open with > Notepad.
4. The following parameters were added to the Client section of the file to enable Persistent Chat:
• <Persistent_Chat_Enabled>True</Persistent_Chat_Enabled>
Upload Jabber-Config.xml
1. From an active browser session to ucm1.dcloud.cisco.com, use the Navigation menu to choose Cisco Unified OS
Administration.
2. Click Go.
4. Click Login.
5. From the menu choose Software Upgrades > TFTP File Management.
2. Click Go.
4. Click Login.
5. From the Menu choose Tools > Control Center – Feature Services.
7. Click Go.
9. Click Restart.
11. The page will automatically refresh, displaying the status of the restart command. Wait until the message Cisco Tftp Service Restart Operation was Successful is displayed.
Verify Jabber-Config.xml
To confirm that the updated jabber-config.xml is being served by ucm1.dcloud.cisco.com, we will use a web browser to request the jabber-config.xml file from the Unified Communications Manager TFTP Server.
2. From the dCloud homepage, navigate to Collaboration User and Test Links > Jabber-Config Check. Optionally, you may
manually navigate to the following URL: http://ucm1.dcloud.cisco.com:6970/jabber-config.xml.
3. Confirm that the jabber-config.xml file reviewed earlier matches the output of the web browser.
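The verification in step 3 is a comparison of two copies of the same file: the one reviewed in Notepad and the one the Unified CM TFTP server actually hands out over HTTP on port 6970. The following Python is an added example, not part of the lab guide or of Cisco's tooling. It parses the Client section, confirms the Persistent_Chat_Enabled parameter is present, and compares the two copies by SHA-256 digest so that any stale or altered served copy is caught. The jabber-config.xml content is constructed here (only the Persistent_Chat_Enabled parameter comes from the guide; the `<config version="1.0"><Client>` envelope is the documented Jabber layout), and the fetch function is a network call the offline demo does not exercise.

```python
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

# Constructed stand-in for the staged jabber-config.xml (the lab's actual file
# is not reproduced here).
LOCAL_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Client>
    <Persistent_Chat_Enabled>True</Persistent_Chat_Enabled>
  </Client>
</config>
"""

# Constructed stale copy, e.g. what the TFTP server would still serve before the
# Cisco Tftp service restart picked up the new upload.
STALE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Client>
  </Client>
</config>
"""

# URL named in the guide for the Jabber-Config Check.
TFTP_CONFIG_URL = "http://ucm1.dcloud.cisco.com:6970/jabber-config.xml"


def client_params(xml_text: str) -> dict:
    """Return every parameter under <Client> as {name: value}."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    client = root.find("Client")
    if client is None:
        return {}
    return {child.tag: (child.text or "").strip() for child in client}


def persistent_chat_enabled(xml_text: str) -> bool:
    """True when Persistent_Chat_Enabled is set to True in the Client section."""
    return client_params(xml_text).get("Persistent_Chat_Enabled", "").lower() == "true"


def config_digest(xml_text: str) -> str:
    """SHA-256 over the exact bytes; any edit to the file changes this value."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def fetch_served_config(url: str = TFTP_CONFIG_URL, timeout: float = 5.0) -> str:
    """Retrieve the file the Unified CM TFTP server gives to clients.  Network
    call against the lab pod; not used by the offline demo below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def served_matches_local(local_xml: str, served_xml: str) -> bool:
    """Step 3 as a check: the served file must be byte-identical to the copy
    reviewed in Notepad and must carry the parameter we expect."""
    return (config_digest(local_xml) == config_digest(served_xml)
            and persistent_chat_enabled(served_xml))


if __name__ == "__main__":
    # Offline demo on the constructed copies; in the lab, replace STALE_CONFIG
    # with fetch_served_config().
    print("fresh copy matches:", served_matches_local(LOCAL_CONFIG, LOCAL_CONFIG))
    print("stale copy matches:", served_matches_local(LOCAL_CONFIG, STALE_CONFIG))
```

A mismatch here usually means the Cisco Tftp service has not been restarted since the upload (the restart steps above), or that the browser cached an older copy.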
As stated earlier, when making changes to the Persistent Chat configuration, a restart of the Cisco XCP Router service is
required. In this case, the Cisco XCP Text Conference Manager must also be restarted.
1. Switch back to the active Internet Explorer browser tab connected to the Control Center – Feature Services page.
3. Click Go.
4. In the IM and Presence Services section, click the radio button for Cisco XCP Text Conference Manager.
5. If the service status is Running, click Restart. If the service status is Not running, click Start.
9. Click Go.
10. Scroll to the IM and Presence Services section and click the radio button for Cisco XCP Router.
11. Click Restart. You may need to scroll to the top of the page to see the Restart option.
NOTE: Because a Restart of the Cisco XCP Router services causes a restart to all dependent XCP related services it may take
some time for this command to fully complete and return a result.
1. Close the Cisco Jabber for Windows clients (if open) on both wkst1.dcloud.cisco.com and wkst2.dcloud.cisco.com, by
5. Notice the Chat Rooms tab now present in the Jabber Client user interface.
• Type: Restricted
7. On the Set Room Password pop-up, Click Password protect this chat room.
8. Type a password of your choice in the Password field, and re-type in Verify field.
9. Click Save.
10. Confirm that the settings entered match the graphic below and click Create.
11. When the add members to the room dialog is displayed, click Add Now.
13. Double click the contact entry for Anita Perez to add to the list.
15. Observe that the CST Members Only group chat window is opened automatically and that Charles Holland is added as an
active conversation participant.
3. Observe that CST Members Only was automatically added to the My Rooms list for Anita Perez. This is because we added
Anita Perez as a user during the room creation process.
5. Enter the password created for the room earlier and click Ok.
6. Observe that both Charles Holland and Anita Perez are present in the participants list.
9. From the main Jabber Client window, click the Chat Rooms tab and choose All rooms.
10. Observe that there are no rooms listed. This is because CST Members Only was created as an unlisted Restricted room
visible only to members. Only Room Moderators can add additional participants, who will then be able to access the room
from the My Rooms list, as we saw in the case of Anita Perez once added as a member.
11. Notice a key difference between the CST Members Only room layout displayed for Charles Holland versus Anita Perez; the
room layout for Charles Holland contains an Edit Room menu option as seen below, which is absent from the chat window
on Anita’s Jabber client.
12. Recall that Charles Holland is a room administrator while Anita Perez is only a participant. He therefore has the capability to
administer features of the room.
14. Add Anita Perez as a room moderator by searching for Anita Perez in the Moderators field.
15. Double click the contact record for Anita Perez, to add to the list of moderators.
17. Close the CST Members Only chat window to leave for now.
20. Notice that a moderator notification is delivered to the Desktop. Click the Enter button.
21. Examine the Group Chat window and verify that the Edit Room option is now an option for Anita Perez.
The Persistent Chat interface offers several ways to filter notifications, giving priority to activity in rooms that are of particular interest. One of the built-in filters, My Mentions, delivers notifications about new chat topics in which the Jabber user has been tagged. This can be especially valuable when a user is a member of multiple active rooms and needs a way to identify priority communication.
3. Type the @ symbol in the chat window, and notice that this brings up a search field.
4. Search for Charles Holland and double click the contact record.
5. Jabber has created a Tag for user Charles Holland. Type some text of your choice and then press Enter.
7. Observe that there are two notifications displayed on the Chat Rooms tab. When clicked it is apparent that both My Rooms
and Filters have new entries.
8. Click Filters and observe that the My Mentions filter has an entry because of the IM in which Charles was tagged.
9. Double click the entry for My Mentions @ Charles Holland. An entry for each tagged post will appear.
10. Mouse over the entry from Anita Perez in CST Members Only and click the Door icon to enter the room automatically.
11. This example illustrates how filters can be used to quickly identify priority communication and join pertinent conversations and
Chat interactions.
12. Feel free to continue testing this feature between our demonstration users. When ready, close all open chat windows on
wkst1 and wkst2 and proceed to the next activity.
5. Click Open.
8. An incoming chat notification is in the task bar. Hover the mouse over the Jabber icon in the Windows task tray and choose the entry for Charles Holland.
9. A notification in the conversation window of the Jabber Client is displayed prompting the user to accept or decline the file
transfer. Click Accept.
11. Files transferred in this way are stored in the path My Documents\MyJabberFiles\<JID of file sender>\. In this case, it was sent from cholland@dcloud.cisco.com, so the path would be:
My Documents\MyJabberFiles\cholland@dcloud.cisco.com\Expenses.xlsx
13. Open the CST Members Only chat room, by clicking Chat Rooms > My rooms > CST Members Only.
14. Observe that no file transfer option is available in the Group Chat interface. This is because File Transfer in Group Chat is only available once Managed File Transfer has been implemented.
1. From the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland), open Internet Explorer and click the tab
for IM and Presence Server (imp1.dcloud.cisco.com). Open and navigate to the server if necessary.
2. Ensure that Cisco Unified CM IM and Presence Administration is selected in the Navigation menu and click Go.
4. Navigate to Messaging > External Server Setup > External File Servers.
• Name: centos.dcloud.cisco.com
NOTE: Do not attempt to save at this time. The Public Key for centos.dcloud.cisco.com obtained and saved earlier must be
retrieved to complete the configuration.
7. If not already open, open the text file Desktop\CST-Jabber\MFT-Server-Pubkey saved earlier in this exercise.
8. Press Ctrl-A to select all text and then Ctrl-C to copy the text to the computer copy buffer.
9. Switch back to the External File Server Configuration dialog in Internet Explorer.
10. Paste the copied text into the External File Server Public Key field by clicking in the field and using the Ctrl-V keystroke
combination.
12. The External File Server Status output may be disregarded at this point. No connection attempt or test is made until the
feature has been fully enabled.
16. Locate the hyperlink for Public Key now present in the Node Public Key field in the Managed File Transfer Assignment section at the bottom of the configuration page.
18. Copy the key text displayed in the View Node Public Key dialog.
19. Click Close to exit the View Node Public Key dialog.
20. Switch focus to the PuTTY session currently connected to centos.dcloud.cisco.com (left open from earlier in this module).
21. Ensure that you are logged on as user mftuser. To check, type the following command and press Enter.
whoami
22. If the result is anything other than mftuser, type su mftuser and press Enter; otherwise move on to the next step.
23. Use the nano editor to add the Public Key of the imp1.dcloud.cisco.com IM and Presence node to the authorized_keys file
created earlier by typing:
nano /home/mftuser/.ssh/authorized_keys
24. Right click the mouse anywhere inside the PuTTY console to paste the contents of the copy buffer into the editor. The output
should be similar to the graphic below.
28. Confirm that the file has been updated by typing the following command:
cat /home/mftuser/.ssh/authorized_keys
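Both key exchanges in this module (pasting the ssh-keyscan result for centos.dcloud.cisco.com into the IM and Presence configuration earlier, and pasting the imp1.dcloud.cisco.com node key into authorized_keys just now) are single-line copy-and-paste operations into a trust store, and the guide's Word Wrap warning exists because a broken line silently produces a key that will never match. The following Python is an added example, not part of the lab guide or of Cisco's tooling; it checks that a key line is exactly one line, that its base64 decodes, that the key type in front of the key agrees with the type embedded in the key blob, prints the SHA256 fingerprint that can be compared against the other side, and then checks an authorized_keys file for the permission problems sshd's StrictModes rejects. The key blob in the demo is constructed (a toy ssh-rsa structure, not a usable key), as are the host and comment strings.

```python
import base64
import hashlib
import os
import stat
import struct
import tempfile

# OpenSSH key-type names (ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, ...).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_blob(key_type: str, *fields: bytes) -> bytes:
    """Assemble a public-key blob (type name, then the key fields).  Used only to
    construct offline sample data for the demo below."""
    return _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)


def parse_pubkey_line(line: str):
    """Validate one key line in ssh-keyscan form ("host type base64") or
    authorized_keys form ("type base64 [comment]").

    Returns (key_type, SHA256 fingerprint).  Raises ValueError when the text is
    not exactly one line, the base64 is damaged, or the type name in front of
    the key does not match the type name embedded in the key blob."""
    if len(line.splitlines()) != 1:
        raise ValueError("key text spans more than one line (Word Wrap damage?)")
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no '<key type> <base64 key>' pair found")
    declared_type, b64 = fields[idx], fields[idx + 1]
    try:
        blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"key data is not valid base64: {exc}") from None
    if len(blob) < 4:
        raise ValueError("key blob is truncated")
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + tlen].decode("ascii", "replace")
    if embedded_type != declared_type:
        raise ValueError(f"line says {declared_type!r} but blob says {embedded_type!r}")
    digest = hashlib.sha256(blob).digest()
    return declared_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_authorized_keys(path: str) -> list:
    """Report what sshd's StrictModes would reject (group/world-writable .ssh
    directory or key file) plus any malformed key line.  Empty list means OK."""
    problems = []
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f".ssh directory mode {dir_mode:04o} is group/world writable")
    file_mode = stat.S_IMODE(os.stat(path).st_mode)
    if file_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"authorized_keys mode {file_mode:04o} is group/world writable")
    with open(path, encoding="ascii") as fh:
        for n, text in enumerate(fh.read().splitlines(), 1):
            if not text.strip() or text.startswith("#"):
                continue
            try:
                parse_pubkey_line(text)
            except ValueError as exc:
                problems.append(f"line {n}: {exc}")
    return problems


def demo() -> dict:
    """Exercise the checks on constructed material (no real keys involved)."""
    # Constructed ssh-rsa blob: e = 65537 and a 34-byte toy modulus.  NOT a usable key.
    blob = build_pubkey_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + bytes(range(32)))
    keyscan_line = "centos.dcloud.cisco.com ssh-rsa " + base64.b64encode(blob).decode()
    key_type, fingerprint = parse_pubkey_line(keyscan_line)

    # The same key after Notepad Word Wrap split it across two lines: must be rejected.
    wrapped = keyscan_line[:60] + "\n" + keyscan_line[60:]
    try:
        parse_pubkey_line(wrapped)
        wrapped_rejected = False
    except ValueError:
        wrapped_rejected = True

    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        os.mkdir(ssh_dir, 0o700)
        ak_path = os.path.join(ssh_dir, "authorized_keys")
        with open(ak_path, "w") as fh:
            # authorized_keys form: type, key, free-text comment (constructed).
            fh.write(keyscan_line.split(" ", 1)[1] + " imp1-node-key\n")
        os.chmod(ak_path, 0o600)
        clean = check_authorized_keys(ak_path)
        os.chmod(ak_path, 0o666)  # simulate a careless chmod
        sloppy = check_authorized_keys(ak_path)

    return {"key_type": key_type, "fingerprint": fingerprint,
            "wrapped_rejected": wrapped_rejected, "clean": clean, "sloppy": sloppy}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fingerprint is the same value `ssh-keygen -lf` prints for that key, so it can be read back from the other host to confirm the paste landed intact; the permission check reproduces the 700/600 layout the earlier `ls -la` step had you confirm by eye.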
To activate the Managed File Transfer feature, the Cisco XCP File Transfer Manager service must be activated.
1. Switch back to the active Internet Explorer browser tab connected to imp1.dcloud.cisco.com.
2. From the Navigation menu, choose Cisco Unified IM and Presence Serviceability.
3. Click Go.
7. Place a checkmark next to the Cisco XCP File Transfer Manager service.
8. Click Save.
10. Observe the service activation by confirming that the Activation Status has transitioned from Deactivated to Activated.
1. Use the Navigation drop down to choose Cisco Unified IM and Presence Administration, click Go.
2. Navigate to Messaging > External Server Setup > External File Servers.
3. Click Find.
5. Confirm that all connectivity tests indicate a successful result (as below):
6. At this time, close the Cisco Jabber for Windows clients running on wkst1 and wkst2, by choosing Menu > Exit.
2. If the Jabber client is open, close it now by choosing Menu > Exit.
3. Launch Cisco Jabber by double clicking on the Jabber icon on the Desktop.
6. If the Jabber client is open, close it now by choosing Menu > Exit.
7. Launch Cisco Jabber by double clicking on the Jabber icon on the Desktop.
10. Double click the contact for Anita Perez to open a chat window.
15. Open the conversation with Charles Holland from the Jabber application running in the task bar.
16. Notice that rather than being prompted to Accept or Decline the transfer, Anita has the option to Download if desired.
This is because with Managed File Transfer activated for all transfers, the file is transferred to the External File Server
(centos.dcloud.cisco.com), rather than directly to Anita’s workstation. Now, Anita Perez can choose to download the file at her
leisure.
18. Click Show Folder and notice that, just as with peer-to-peer file transfer, the newly added Budget.xlsx has been saved to the path My Documents\MyJabberFiles\cholland@dcloud.cisco.com\Budget.xlsx.
21. Choose the My Rooms list and open the CST Members Only chat room.
22. Enter the password you assigned to the room when it was created and click OK.
23. Confirm that the Send a file icon is now present from within the Group Chat interface.
24. Feel free to execute a file transfer for either the Budget.xlsx or Expenses.xlsx file in Desktop\CST-Jabber\FileTransfer to confirm that a permitted file size is transferred successfully through the Group Chat interface.
Recall that when configuring the Managed File Transfer feature we set a size limit of 4096 kB or 4MB. We will now attempt to
transfer a file that exceeds this limit, to confirm and observe how this restriction is enforced.
25. Click the Send a file icon to initiate the file transfer.
27. Notice that the file SRND.pdf is approximately 48MB in size, which is well over the administrative limit we defined.
29. A notification indicating that the file size exceeds the defined limit is immediately presented in the conversation window.
This concludes the Persistent Chat and Managed File Transfer Lab Module.
Cisco Expressway is designed specifically for comprehensive collaboration services provided through Cisco Unified
Communications Manager. It features established firewall-traversal technology and helps redefine traditional enterprise
collaboration boundaries, supporting our vision of any-to-any collaboration.
• Offers proven and highly secure firewall-traversal technology to extend your organizational reach
• Provides session-based access to comprehensive collaboration for remote workers, without the need for a separate VPN
client
• Supports a wide range of devices with Cisco Jabber for smartphones, tablets, and desktops
• Complements bring-your-own-device (BYOD) strategies and policies for remote and mobile workers
The Expressway solution is deployed as a pair, an Expressway-C with a trunk and line-side connection to Unified CM, and an
Expressway-E deployed in the DMZ and configured with a traversal zone to an Expressway-C. Expressway may be clustered to
provide High Availability (HA) for deployments.
Expressway-C
Expressway-C delivers any-to-any enterprise-wide conference and session management and interworking capabilities. It extends the reach of TelePresence conferences by enabling interworking between Session Initiation Protocol (SIP) and H.323-compliant endpoints, including third-party endpoints. It integrates with Unified CM and supports third-party IP private branch exchange (IP PBX) solutions. Expressway-C implements the tools required for creative session management, including definition of aspects such as routing, dial plans, and bandwidth usage, while allowing organizations to define call-management applications customized to their requirements.
Expressway-E
The Expressway-E, deployed with the Expressway-C, enables smooth video communications easily and securely outside the enterprise. It enables business-to-business video collaboration, improves the productivity of remote and home-based workers, and enables service providers to provide video communications to customers. The application performs securely through standards-based, secure firewall traversal for all SIP and H.323 devices. As a result, organizations benefit from increased employee productivity and enhanced communication with partners and customers.
It uses an intelligent framework that allows endpoints behind firewalls to discover paths through which they can pass media, verify
peer-to-peer connectivity through each of these paths, and then choose the optimal connection path, eliminating the need to
reconfigure enterprise firewalls.
The Expressway-E is built for high reliability and scalability, supports multi-vendor firewalls, and can traverse any number of firewalls regardless of whether SIP or H.323 is used.
Jabber Edge Detection is the Jabber Client service discovery process, which allows Cisco Jabber to determine whether it is operating inside or outside the corporate network.
If the DNS query process returns at least one _cisco-uds SRV record, Jabber assumes it is internal and uses the configuration in the assigned UC Service Profile to determine the location and type of services such as the Corporate Directory. Alternatively, if no _cisco-uds record is returned and at least one _collab-edge DNS SRV record is located, Cisco Jabber determines that it is remote (outside the corporate network) and uses the host information from the _collab-edge SRV lookup to negotiate a registration with Expressway.
When operating outside the network, the service discovery process functions as seen in the diagram below.
Pre-Configuration
The following configurations on Expressway-C and Expressway-E were performed in advance to save time:
Module Objectives
In this module, we will perform the following tasks:
• Identify and add the DNS records required to enable Collaboration Edge
• Update the jabber-config.xml file to allow for the retrieval of contact photos hosted on a Web Server
Module Notes
NOTE: In order to eliminate the possibility of any unexpected interaction and maintain consistency with best practice, Mozilla
Firefox will be used throughout this module when configuring the Cisco Expressway appliances. This is because Microsoft
Internet Explorer 10 is not a supported browser for accessing the Expressway administration pages.
The topology for this lab leverages an internal DNS server (AD1) and a mock external (public) DNS server (AD2). As this is a self-contained lab pod with no true internet-facing network, VLAN separation will be used to simulate a client placed outside the enterprise network in order to test MRA functionality. When placed onto the external network, the workstation will query ONLY external DNS.
The following is a summary of the DNS A (host) and SRV (service location) records required.
Internal DNS Server – ad1.dcloud.cisco.com (198.18.133.1)
In this exercise, one A record for Expressway-E is already present and three SRV records will be added:
1. Switch focus to or launch the RDP session connected to ad2.dcloud.cisco.com (198.18.2.11). If opening a new session, log in using administrator / C1sco12345.
5. Review the listed DNS host records in the right-hand pane. Confirm that a record for exp-e-1 (198.18.1.152) exists as seen in
the graphic below.
8. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.
o Service: _collab-edge
o Protocol: _tls
o Priority: 0 (default)
o Weight: 0 (default)
NOTE: As mentioned earlier, the addition of records for alpha.com and uk.dcloud.cisco.com are NOT required to successfully
demonstrate the functionality featured in this lab. For practical consistency, we will add the required records as though the
environment did support three fully independent domains.
16. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.
o Service: _collab-edge
o Protocol: _tls
o Priority: 0 (default)
o Weight: 0 (default)
24. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.
o Service: _collab-edge
o Protocol: _tls
o Priority: 0 (default)
o Weight: 0 (default)
5. SRV record data similar to the output shown below should be returned by DNS server ad2.dcloud.cisco.com. Because we are using the nslookup utility on ad2.dcloud.cisco.com itself, the DNS server name will be localhost.
6. A successful result returns both the FQDN of the host(s) offering the service and the resolved IP address(es) associated with the host(s), as depicted in the graphic above (red text).
NOTE: If you see error text indicating a failure to look up this or subsequent _collab-edge SRV records (for example, Non-existent domain), perform the following steps:
- Confirm that the command entered is exactly as specified in the guide and retry.
- Confirm that the settings of the SRV record match the previous configuration steps.
If you are unable to resolve the issue, please notify a proctor. Do not continue until a successful validation result is returned.
8. SRV record data similar to the output shown below should be returned by DNS server ad2.dcloud.cisco.com (localhost).
10. SRV record data similar to the output shown below should be returned by DNS server ad2.dcloud.cisco.com (localhost).
11. Type exit and press Enter to close the Command Prompt.
12. This completes the addition of Service Location Records required to support Mobile and Remote Access (MRA) functionality.
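The Edge Detection description earlier in this module and the _collab-edge._tls records just added and validated with nslookup are two halves of one mechanism: the client decides where it is purely from which SRV answers the resolver it can reach returns. The Python below is an added example, not code from the lab guide or from Cisco, that models that decision over constructed DNS views. The external view (ad2) carries the three _collab-edge._tls records with priority 0 and weight 0 pointing at exp-e-1.dcloud.cisco.com, as configured above; the internal view (ad1) is assumed to carry _cisco-uds pointing at ucm1.dcloud.cisco.com. The _tcp label on _cisco-uds and port 8443 are the standard MRA values and are not stated on this page. `order_targets` also shows how a client would rank several Expressway-E targets by priority and weight, which goes beyond the single-target records in the lab.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SrvRecord:
    """One SRV answer: the host (target:port) offering a service, with RFC 2782
    priority (lower is preferred) and weight (share of load within a priority)."""
    priority: int
    weight: int
    port: int
    target: str


def srv_name(service: str, protocol: str, domain: str) -> str:
    """Owner name the client queries, e.g. _collab-edge._tls.dcloud.cisco.com."""
    return f"{service}.{protocol}.{domain}"


def order_targets(records: List[SrvRecord]) -> List[str]:
    """Targets in the order a client should try them: ascending priority, then
    descending weight.  A real resolver picks randomly in proportion to weight
    within one priority; this version is deterministic so it can be asserted on.
    With all weights 0 (the lab's records) the target name breaks the tie."""
    return [r.target for r in sorted(records, key=lambda r: (r.priority, -r.weight, r.target))]


def detect_edge(domain: str, answers: Dict[str, List[SrvRecord]]) -> Tuple[str, List[str]]:
    """Jabber edge detection as the guide describes it.  `answers` is the DNS
    view the workstation can reach, keyed by SRV owner name; a missing key or
    empty list stands for a Non-existent domain response.  Returns
    ("internal", UDS targets), ("external", Expressway-E targets) or
    ("undetermined", [])."""
    uds = answers.get(srv_name("_cisco-uds", "_tcp", domain), [])
    edge = answers.get(srv_name("_collab-edge", "_tls", domain), [])
    if uds:
        return "internal", order_targets(uds)
    if edge:
        return "external", order_targets(edge)
    return "undetermined", []


# --- Constructed resolver views (not captured from the lab pod) ---------------
MRA_PORT = 8443  # standard MRA port; the guide does not state it
EDGE_DOMAINS = ("dcloud.cisco.com", "uk.dcloud.cisco.com", "alpha.com")

# ad2 (mock public DNS): _collab-edge._tls for each domain -> exp-e-1, no _cisco-uds.
EXTERNAL_VIEW = {
    srv_name("_collab-edge", "_tls", d): [SrvRecord(0, 0, MRA_PORT, "exp-e-1.dcloud.cisco.com")]
    for d in EDGE_DOMAINS
}

# ad1 (internal DNS): _cisco-uds._tcp pointing at Unified CM (ucm1 assumed as target).
INTERNAL_VIEW = {
    srv_name("_cisco-uds", "_tcp", "dcloud.cisco.com"): [SrvRecord(0, 0, MRA_PORT, "ucm1.dcloud.cisco.com")],
}


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Same client, two DNS views: on the external VLAN the workstation queries
    only ad2 and therefore lands on Expressway-E."""
    return {
        "inside, dcloud.cisco.com": detect_edge("dcloud.cisco.com", INTERNAL_VIEW),
        "outside, dcloud.cisco.com": detect_edge("dcloud.cisco.com", EXTERNAL_VIEW),
        "outside, alpha.com": detect_edge("alpha.com", EXTERNAL_VIEW),
        "outside, record missing": detect_edge("alpha.com", {}),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The "record missing" scenario is the Non-existent domain case the NOTE above tells you to stop on: with neither SRV record answered, the client has no path to either Unified CM or Expressway-E and login fails rather than falling back.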
2. Launch the Mozilla Firefox browser by clicking on the icon in the task bar.
3. From the dCloud homepage menu choose Collaboration Admin Links > Cisco Expressway-C.
4. Acknowledge any certificate warnings and proceed to the website. We will be installing a CA-signed certificate in a later step.
DNS
• Address 1: 198.18.133.1
NTP
2. From the dCloud homepage menu choose Collaboration Admin Links > Cisco Expressway-E.
3. Acknowledge any certificate warnings and proceed to the website. We will be installing a CA-signed certificate in a later step.
DNS
• Address 1: 198.18.133.1
NTP
4. Set the Unified Communications mode value to Mobile and remote access.
5. Click Save.
In an earlier activity related to the initial deployment of Cisco Unified IM and Presence, the Root Certificate was downloaded from
the CA hosted on ad1.dcloud.cisco.com.
NOTE: If CARootCert.cer is present in this folder, move on to the next activity: Install CA Root on Expressway-C.
4. If you are unable to locate CARootCert.cer, follow the next steps to obtain and download it.
6. From the dCloud homepage choose dCloud Certificates > AD1 Certificate Services. Optionally, you may navigate to
http://ad1.dcloud.cisco.com/certsrv.
9. Choose the radio button for Base 64 and then click Download CA certificate.
3. From the menu choose Maintenance > Security certificates > Trusted CA certificate.
7. Click Open.
9. Confirm that the upload was successful. Note that a new certificate appears in the list: CN=dcloud-AD1-CA.
10. From the main menu choose Maintenance > Security certificates > Server Certificate.
• Country: US
• Locality: Richardson
15. Choose the radio button for Save when prompted and click OK.
16. Use Windows File Explorer to navigate to the folder Desktop\CST-Jabber\Downloads.
3. From the menu choose Maintenance > Security certificates > Trusted CA certificate.
7. Click Open.
9. Confirm that the upload was successful. Note that a new certificate appears in the list: CN=dcloud-AD1-CA.
NOTE: The CSR field Unified CM registration domains is not added to the CSR until the Unified Communications mode is
enabled on Expressway-E. Recall that this configuration step was performed earlier in the module.
1. From the main menu choose Maintenance > Security certificates > Server Certificate.
• Country: US
• Locality: Richardson
5. Click Download.
6. Choose the radio button for Save when prompted and click OK.
3. From the Notepad main menu choose Format > Word Wrap.
8. From the menu choose dCloud Certificates > AD1 Certificate Services. Optionally, you may navigate to
http://ad1.dcloud.cisco.com/certsrv.
13. Press CTRL-V to paste the data saved to the computer buffer.
6. Switch focus back to Firefox and the Active Directory Certificate Services webpage.
11. Press CTRL-V to paste the data saved to the computer buffer.
NOTE: A custom certificate template covering Client/Server authentication is required to support CA-signed certificate generation for Cisco Expressway. This template has been pre-configured, and the details of this process can be found in Appendix C.
3. From the menu choose Maintenance > Security certificates > Server certificate.
8. Observe the status message after the upload indicating success, with a need to perform a restart.
12. The page will provide progress updates as the restart progresses.
3. From the menu choose Maintenance > Security certificates > Server certificate.
8. Observe the status message after the upload indicating success, with a need to perform a restart.
12. The page will provide progress updates as the restart progresses.
4. In the Unified Communications mode field, use the drop-down menu to choose Mobile and Remote Access.
6. Click Save.
You must identify the domains for which registration, call control, provisioning, messaging, and presence services are to be routed
to Unified CM. Recall that our IM and Presence deployment has been implemented with Multi-Domain support, servicing
dcloud.cisco.com, uk.dcloud.cisco.com, and alpha.com. In the following steps, you will create a domain entry for each.
• SIP registrations and provisioning on Unified CM: Endpoint registration, call control and provisioning for this SIP
domain is serviced by Unified CM. The Expressway acts as a Unified Communications gateway to provide secure
firewall traversal and line-side support for Unified CM registrations.
• IM and Presence services on Unified CM: Instant messaging and presence services for this SIP domain are
provided by the Unified CM IM and Presence service.
2. Click New.
• SIP registration: On
• IM and Presence: On
The Expressway-C must be configured with the address details of the IM&P servers and Unified CM servers that are to provide
registration, call control, provisioning, messaging and presence services.
NOTE: An application user with id CollabEdgeAXL has been created in advance on Unified CM. This user is assigned ONLY the
Standard AXL API Access role.
1. Navigate to Configuration > Unified Communications > IM and Presence Service nodes.
2. Click New.
• Username: CollabEdgeAXL
• Password: dCloud123!
5. Confirm that the IM and Presence node is added successfully with communication established.
NOTE: Expressway-C uses the information from the Unified CM node discovery process to automatically generate non-
configurable neighbor zones between itself and each Unified CM node.
7. Click New.
• Username: CollabEdgeAXL
• Password: dCloud123!
10. Notice that after discovery, there is both an error message regarding security of SIP messages exchanged between
Expressway-C and Unified CM and a success indicator. The error regarding a failure to connect on a secure SIP signaling port
may be disregarded. Confirm that a successful addition is made.
NOTE: The error referenced above is NOT related to the certificate verification performed when the TLS verify mode is set to
On. Rather, the discovery process attempts to communicate on the secure SIP signaling port toward Unified CM. This succeeds
only if the Unified CM Cluster Security Mode has been set to Mixed mode (1), which enables TLS for signaling traffic. Our
Unified CM cluster is running in Cluster Security Mode 0, Non-Secure (the default).
11. Navigate to Configuration > Unified Communications > Unity Connection servers.
• Username: administrator
• Password: dCloud123!
15. Confirm that the Unity Connection node is added successfully with communication established.
Recall that the Traversal between Expressway-C and Expressway-E operates on a Client/Server relationship. Expressway-E
operates as the server and Expressway-C, the client. Notice that during the configuration process a local user account is created
on Expressway-E for authentication of the Traversal connection. During the configuration of the Traversal Zone on Expressway-C
this username and password combination will be entered and then used to authenticate the Traversal Tunnel.
4. Click New.
7. Under Connection credentials, click the hyperlink for Add/Edit local authentication database to quickly add an
authentication user and credential which will be assigned to this zone.
8. The Local authentication database configuration screen will pop-up in a new window.
13. Close the Local authentication database window to resume configuration of the Traversal Zone.
16. Consult the figure below to ensure accuracy of configured field values:
Follow these steps to create a new Unified Communications Traversal zone matching the configuration of the Zone already created
on Expressway-E. Note that when defining the Traversal on Expressway-C, we must supply the username and password created
for authentication on Expressway-E. The encrypted traversal tunnel is always initiated by Expressway-C as the client, which must
successfully authenticate to the server (Expressway-E).
3. Click New.
• Username: traversal-admin
• Password: dCloud123!
• Port: 7001
5. Consult the graphic to confirm accuracy and when ready click Create zone.
1. The list of configured zones for Expressway-C along with current status should appear as below, immediately following zone
creation:
3. Scroll to the bottom of the page and confirm that Peer 1 address displays a SIP: Reachable message and that the Status is
Active.
Status Errors: If an authentication error is displayed and the zone status fails to transition to Active, the most likely cause is a
credential mismatch. Re-type the password of the traversal-admin user and ensure that the user name is typed exactly as defined
earlier on Expressway-E. If this fails to bring the zone active, open the Expressway-E console and confirm that the user account
specified is spelled as expected. If the username spelling is correct, reset the password of the user, ensuring complete accuracy.
Check the zone status on Expressway-C once more and proceed once a successful validation result is achieved.
4. Navigate to Configuration > Zones > Zones. Check the list of Zones on Expressway-C against the graphic below:
3. Confirm that the output of the webpage matches the highlighted areas of the graphic below.
3. Confirm the output of the webpage matches the highlighted areas of the graphic below.
Until now, our Jabber clients have been connected to the internal network, freely able to resolve the LDAP directory through
service discovery and using the User Photo attribute in Microsoft Active directory as the source for contact photo resolution.
When registered via MRA through Cisco Expressway however the Jabber client will automatically use UDS for contact resolution.
NOTE: When Cisco Jabber is running in remote mode through MRA, the Corporate Directory and contact source type is
automatically set to UDS. There is no additional configuration required for this behavior to function.
For contact photo resolution outside the enterprise network, a Web Server must be used to host directory contact photos. A
parameter is then added to the jabber-config.xml file to notify the Jabber Client of the location of contact photos.
Server ad2.dcloud.cisco.com has been configured to host contact photos at the following URL:
• http://ad2.dcloud.cisco.com/directory/.
Contact photos stored in this directory are named with the following convention:
• <sAMAccountName>.jpg
Recall that during the deployment process we specified that the User ID for Unified CM and IM and Presence users would be
mapped to the LDAP attribute sAMAccountName.
So for example, one could view the directory photo for user Anita Perez (aperez) by navigating to
http://ad2.dcloud.cisco.com/directory/aperez.jpg.
Because we have a predictable naming convention that matches an attribute (User ID) that the Cisco Jabber client is aware of, we
can define a query string using substitution that will request and return the photos of users in our Jabber contact list.
In the following activity you will review the parameter and format required to enable contact photo resolution while connected
using MRA, upload an updated jabber-config.xml file, and finally configure an HTTP server allow list on Expressway-C to permit
tunneled access from the Jabber client to the web server hosting the photos when the client is registered via MRA.
Update Jabber-Config.xml
In order to enable external contact photo resolution we must update the jabber-config.xml file. As with previous exercises, a pre-
configured jabber-config.xml file has been staged for you.
1. From the Desktop of wkst1.dcloud.cisco.com, locate and open the folder CST-Jabber.
3. Right click the file jabber-config.xml and choose Open with > Notepad.
4. The following parameter is appended to the Directory section of the file to enable contact photo resolution from a web server.
Observe the substitution token %%uid%%, which the client replaces with the User ID of each contact:
<UDSPhotoURIWithToken>http://ad2.dcloud.cisco.com/directory/%%uid%%.jpg</UDSPhotoURIWithToken>
Upload Jabber-Config.xml
1. From an active browser session to ucm1.dcloud.cisco.com, use the Navigation menu to choose Cisco Unified OS
Administration.
2. Click Go.
9. Click Open.
2. Click Go.
4. Click Login.
5. From the menu choose Tools > Control Center – Feature Services.
7. Click Go.
9. Click Restart.
11. The page will automatically refresh displaying the status of the restart command. Wait until the message Cisco Tftp Service
Restart Operation was Successful.
Verify Jabber-Config.xml
2. Navigate to Collaboration User and Test Links > Jabber-Config Check. Optionally, you may manually navigate to the
following URL: http://ucm1.dcloud.cisco.com:6970/jabber-config.xml.
3. Confirm that jabber-config.xml file reviewed earlier matches the output of the web browser.
5. Shutdown the Jabber Client(s) running on wkst1.dcloud.cisco.com and wkst2.dcloud.cisco.com, by choosing Menu >
Exit.
As indicated earlier, contact photos are served from ad2.dcloud.cisco.com over plaintext HTTP. In order for the Jabber client to
access contact photos when registered using MRA, an HTTP allow list entry for that server must be explicitly added on
Expressway-C. The allow list defines the only HTTP destinations a remote Jabber client may reach through the MRA tunnel, so it
should contain nothing beyond the hosts the client actually needs.
4. In the Advanced section of the configuration page, locate and click the hyperlink for Configure HTTP server allow list.
5. Click New.
9. Notice the Auto-configured allow list with data populated based on the discovery process. The list contains the FQDNs and
resolved IP addresses of imp1.dcloud.cisco.com, ucm1.dcloud.cisco.com, and cuc1.dcloud.cisco.com.
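As an added example (not from the lab guide or from Cisco), the following Python shows the two configuration points of this activity as code: it reads the UDSPhotoURIWithToken parameter from a jabber-config.xml excerpt, expands the %%uid%% token for a set of User IDs, and confirms that the host and port of the resulting URL appear in the Expressway-C HTTP allow list. The jabber-config.xml excerpt and the allow list contents (including the port numbers) are constructed for the example, and matching on host and port alone is a simplification of the real Expressway allow list behaviour. The User ID is percent-encoded before substitution so that it can only ever occupy a single path segment of the photo URL.

```python
"""Expand UDSPhotoURIWithToken from jabber-config.xml and check that the photo
host is reachable through the Expressway-C HTTP allow list.
Added example for this guide; not Cisco code."""
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

TOKEN = "%%uid%%"

# Constructed excerpt of the lab's jabber-config.xml; only the Directory
# section is needed here.
JABBER_CONFIG = """<config version="1.0">
  <Directory>
    <UDSPhotoURIWithToken>http://ad2.dcloud.cisco.com/directory/%%uid%%.jpg</UDSPhotoURIWithToken>
  </Directory>
</config>"""

# Constructed model of the Expressway-C HTTP allow list: the auto-configured
# hosts the guide lists plus the photo server added in this activity. The
# port numbers are assumptions; real entries also carry protocol and path.
ALLOW_LIST = [
    {"host": "imp1.dcloud.cisco.com", "port": 8443},
    {"host": "ucm1.dcloud.cisco.com", "port": 8443},
    {"host": "cuc1.dcloud.cisco.com", "port": 443},
    {"host": "ad2.dcloud.cisco.com", "port": 80},  # manually added entry
]


def photo_template(config_xml):
    """Return the UDSPhotoURIWithToken value, insisting the token is present."""
    root = ET.fromstring(config_xml)
    template = root.findtext("Directory/UDSPhotoURIWithToken")
    if not template or TOKEN not in template:
        raise ValueError("UDSPhotoURIWithToken missing or has no %%uid%% token")
    return template


def photo_url(template, uid):
    """Substitute the User ID for the token.

    Percent-encoding the uid keeps it inside one path segment: a uid
    containing "/" or ".." cannot change which directory is requested.
    """
    return template.replace(TOKEN, quote(uid, safe=""))


def allowed(url, allow_list):
    """True when an allow list entry matches the URL's host and port."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    host = (parts.hostname or "").lower()
    return any(e["host"].lower() == host and e["port"] == port for e in allow_list)


def check_photo_access(config_xml, uids, allow_list):
    """Return {uid: (photo_url, reachable_via_mra)} for the given User IDs."""
    template = photo_template(config_xml)
    return {uid: (photo_url(template, uid), allowed(photo_url(template, uid), allow_list))
            for uid in uids}


if __name__ == "__main__":
    for uid, (url, ok) in check_photo_access(JABBER_CONFIG, ["aperez", "cholland"], ALLOW_LIST).items():
        print(f"{uid}: {url} -> {'allowed' if ok else 'BLOCKED by allow list'}")
```

A False result corresponds to the symptom seen when the allow list entry is missing: the client registers through MRA but photos never load, because Expressway-C refuses to proxy the request. Note that the photos themselves still travel over plaintext HTTP between Expressway-C and the web server on the internal network.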
Thus far, we have been able to use a single RDP session connected to wkst2.dcloud.cisco.com on IP address 198.18.133.37 to
connect and test Jabber Client functionality from WKST2 as Anita Perez.
During the migration process, the active IP address of the workstation will change to 198.18.2.37 which will be resolvable by DNS
using host name wkst2-ext.dcloud.cisco.com.
To facilitate switching between the two modes we will configure and save an RDP session definition for connecting to Workstation
2 when operating in the external VLAN.
NOTE: This operation is to be performed from the Students Personal Computer, NOT an active RDP session.
1. Click Start > All Programs > Accessories > Remote Desktop Connection from the student’s personal computer.
2. Click Options.
6. Click OK.
12. Click Save and use the Save As file dialog to name and save the session definition to your computer as wkst2-ext to a
location in your file system that will be easy to find later.
In this activity, we will briefly review connection details of the Cisco Jabber client running on wkst2.dcloud.cisco.com while
registered to services on the internal network. This will assist in identifying the differences in behavior when registered to services
via MRA through Expressway.
1. Open (switch to) an RDP session to wkst2.dcloud.cisco.com (198.18.133.37) user Anita Perez.
2. If Cisco Jabber is open from a previous activity, exit and restart it at this time. This is necessary in order for changes to the
jabber-config.xml file to be assimilated. If closed, launch Cisco Jabber.
4. Click the Menu icon and choose Help > Show connection status to confirm that the Jabber client has active
connectivity to provisioned services.
5. Pay close attention to the following entries which will alter when connected through MRA:
• Softphone
• Presence
Address: imp1.dcloud.cisco.com
• Directory
Address: DCLOUD.CISCO.COM (No host reference because Jabber discovered it automatically using DNS)
7. From the dCloud homepage choose Collaboration Admin Links > Cisco Unified Communications Manager.
8. Choose Cisco Unified Communications Manager from the list of Installed Applications.
12. Observe that the Client Services Framework device (Jabber softphone) named CSFAPEREZ is actively registered with the IP
address of wkst2.dcloud.cisco.com (198.18.133.37).
13. Take note of the Contact Photo associated with Charles Holland in the contact list of Anita Perez.
14. The contact photos hosted on the web server have been modified in order to verify the source and confirm that contact photos
presented are served from the web server defined earlier.
NOTE: This procedure will disconnect the active RDP session, which is the expected result.
2. Navigate to the Desktop and locate the windows batch executable named External Network On.
1. From the Student Laptop, open the Remote Desktop Connection client program.
2. Click Options.
4. Browse the location where you saved the RDP session definition wkst2-ext.
7. Click Open.
Under normal circumstances, it would take a considerable amount of time for the Jabber client to clear its locally cached contact
photos. To expedite this process we will clear the contents of the locally cached information for the Jabber client on Workstation 2.
1. On the desktop of wkst2-ext.dcloud.cisco.com locate a windows batch executable file named Clear Jabber Cache.
3. Confirm that the IP Address displayed is 198.18.2.37, and the Default Gateway is 198.18.2.1.
7. SRV record data similar to the output shown below should be returned by DNS server ad2.dcloud.cisco.com.
8. A successful result returns the FQDN exp-e-1.dcloud.cisco.com as well as the resolved IP 198.18.1.152 as depicted in the
graphic above (Red Text).
3. Notice the New location detected notification since Jabber has detected that we are connecting from a new network. This will
likely appear to the lower right of the remote desktop workspace.
6. Type a location of your choice. In our example, we use Mobile Remote Access as the location specified for Anita Perez.
7. Click Create.
8. Notice that both the contact photos for Anita Perez and Charles Holland are present but in Black and White as opposed to the
full color images resolved through LDAP.
9. Test contact search by typing Muk in the search window and confirm that the lookup returns a contact record for Mukul
Kumar.
NOTE: Notice that all of the cached images for contacts added through the Directory Group/Enterprise Group feature are now
missing. This is a result of the removal of all cached contact photos in tandem with the Throttling Policy for photo download of
contacts added through enterprise groups. As before, you can manually initiate the download of contact photos by clicking the
contact record.
1. Click the Menu icon and choose Help > Show connection status to confirm that the Jabber client has active
connectivity to provisioned services.
2. Pay close attention to the following entries which will alter when connected through MRA:
• Softphone
• Presence
Address: exp-e-1.dcloud.cisco.com
• Directory
3. As you can see, all services are connected. The entries for Softphone, Presence, and Directory have modified values
indicating a tunneled connection through Expressway-E.
6. From the Navigation drop down select Cisco Unified CM Administration and click Go.
9. Click Find.
10. Observe that the Client Services Framework device (Jabber softphone) named CSFAPEREZ is actively registered with the IP
address of Expressway-C (198.18.133.152). This is because Expressway-C is the anchor point for SIP registration with Unified
CM for all MRA sessions; Unified CM never sees the remote client's address.
2. If Cisco Jabber is open from a previous activity, exit and restart it. This is necessary for changes to the jabber-config.xml file to
be assimilated. If closed, launch Cisco Jabber.
4. Observe that the location information associated with Anita’s current presence status has been updated based on the new
location created.
5. Double click the contact record for Anita Perez to launch a conversation window.
12. Note that the call is active and the virtual camera drivers are showing the text VCAM in both remote and self-view windows.
13. See that the presence indicators for both Charles Holland and Anita Perez have transitioned from Available to On a Call.
16. This concludes the Mobile Remote Access Module. Students may continue to test features and functionality (time permitting).
When ready, please proceed to the next activity.
NOTE: This procedure will disconnect the active RDP session, which is the expected result.
2. Navigate to the Desktop and locate the windows batch executable named Internal Network On.
SAML is an XML-based open standard for exchanging authentication and authorization data between an Identity Provider (IdP)
and a Service Provider (SP) such as Cisco Unified Communications Manager. Once a user has signed in at the IdP, SAML SSO
lets that user access a defined set of Cisco collaboration applications without signing in again. The IdP, not the collaboration
application, is the party that authenticates the user; the application consumes the security information the IdP asserts about
that user.
SAML SSO uses the SAML 2.0 protocol to offer cross-domain and cross-product single sign-on for Cisco collaboration solutions.
SAML 2.0 enables SSO across Cisco applications and enables federation between Cisco applications and an IdP. SAML 2.0
allows Cisco administrative users to access secure web domains to exchange user authentication and authorization data, between
an IdP and a Service Provider while maintaining high security levels. The feature provides secure mechanisms to use common
credentials and relevant information across various applications.
SAML SSO establishes a Circle of Trust (CoT) by exchanging metadata and certificates as part of the provisioning process
between the IdP and the Service Provider. The Service Provider trusts the IdP's user information to provide access to the various
services or applications. In this interaction, the Service Provider (SP) would be Unified CM and Unified IM and Presence.
The client authenticates against the IdP and the IdP grants an Assertion to the client. The client presents the Assertion to the
Service Provider. Since there is a CoT established, the Service Provider trusts the Assertion and grants access to the client.
• Reduces password fatigue by removing the need for entering different user name and password combinations
• Transfers the authentication from your system that hosts the applications to a third party system. Using SAML SSO, you
can create a circle of trust between an IdP and a service provider. The service provider trusts and relies on the IdP to
authenticate the users
• Protects authentication information. The user's credentials are presented to the IdP only and are never sent to the
service provider; assertions are signed, and may be encrypted, so the information passed between the IdP, the service
provider and the user cannot be read or altered by an outside party.
• Improves productivity because you spend less time re-entering credentials for the same identity
• Reduces costs as fewer help desk calls are made for password reset, thereby leading to more savings
• Client (the user’s client): This is a browser-based client or software client that can leverage a browser instance for
authentication. For example, a system administrator’s browser.
• Service provider: This is the application or service that the client is trying to access. For example, Cisco Unified
Communications Manager.
• An Identity Provider (IdP) server: This is the entity that authenticates user credentials and issues SAML Assertions.
• Lightweight Directory Access Protocol (LDAP) users: These users are integrated with an LDAP directory, for example
Microsoft Active Directory or OpenLDAP. Non-LDAP users reside locally on the Unified Communications server.
• SAML Assertion: It consists of pieces of security information that are transferred from the IdP to the service provider for user
authentication. An assertion is an XML document that contains trusted statements about a subject, including the user name
and privileges. SAML assertions are digitally signed by the IdP, and the service provider verifies that signature against the IdP
signing certificate exchanged in the metadata before trusting anything the assertion states.
• SAML Request: This is an authentication request that is generated by a Unified Communications application. To
authenticate the LDAP user, the Unified Communications application delegates an authentication request to the IdP.
• Circle of Trust (CoT): The various service providers that share and authenticate against one IdP in common.
• Metadata: An XML file generated by an SSO-enabled Unified Communications application, such as Cisco Unified
Communications Manager or Cisco Unity Connection, as well as an IdP. The exchange of SAML metadata builds a trust
relationship between the IdP and the service provider.
• Assertion Consumer Service (ACS) URL: This URL instructs the IdPs where to post assertions. The ACS URL tells the
IdP to post the final SAML response to a particular URL.
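The exchange described above, as an added Python example that is not part of the lab guide or of Cisco's implementation: it reads an SP's entityID and ACS URL from constructed SP metadata shaped like the file Unified CM exports, then applies the checks a service provider must make on an assertion before trusting it (Destination matches the ACS URL, Issuer is the trusted IdP, the NotBefore/NotOnOrAfter window with a clock-skew allowance, Audience matches the SP, and the uid claim is present). The IdP entity ID, the ACS path and the SAML response are assumptions constructed for the example. Signature verification, which in real code precedes every other check, is deliberately left to an XML-DSig library.

```python
"""Checks a SAML service provider performs on an assertion before trusting
the identity it carries. Added example for this guide, not Cisco code;
signature verification is left to a dedicated XML-DSig library."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Assumed IdP entity ID in the form AD FS 2.0 uses; the lab does not print it.
IDP_ENTITY_ID = "http://ad1.dcloud.cisco.com/adfs/services/trust"

# Constructed SP metadata modelled on what Unified CM exports; the ACS path
# is an assumption, not a value taken from the lab.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="ucm1.dcloud.cisco.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ucm1.dcloud.cisco.com/ssosp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML response: the IdP asserts the uid claim produced by the
# Send LDAP Attributes as Claims rule for user cholland.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://ucm1.dcloud.cisco.com/ssosp/acs">
  <saml:Issuer>http://ad1.dcloud.cisco.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>http://ad1.dcloud.cisco.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>cholland</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-06-01T12:00:00Z" NotOnOrAfter="2015-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>ucm1.dcloud.cisco.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>cholland</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(ts):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sp_expectations(metadata_xml):
    """What the SP will demand of an assertion: its own entityID and ACS URL."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(".//md:AssertionConsumerService", NS)
    location = acs.get("Location", "") if acs is not None else ""
    if not location.startswith("https://"):
        raise ValueError("ACS URL must be HTTPS; the assertion is posted to it")
    return {"entity_id": root.get("entityID"), "acs_url": location}


def validate_response(response_xml, sp, idp_entity_id, now, skew=timedelta(minutes=3)):
    """Return the asserted uid, or raise ValueError naming the failed check.

    The XML signature must already have been verified against the IdP
    certificate from the metadata; that step is assumed here, not performed.
    """
    root = ET.fromstring(response_xml)
    if root.get("Destination") != sp["acs_url"]:
        raise ValueError("Destination is not this SP's ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        raise ValueError("Issuer is not the trusted IdP")
    conditions = assertion.find("saml:Conditions", NS)
    now_dt = parse_time(now)
    not_before = parse_time(conditions.get("NotBefore"))
    not_on_or_after = parse_time(conditions.get("NotOnOrAfter"))
    # A small skew allowance is tolerated; this is why the NTP prerequisite matters.
    if now_dt < not_before - skew or now_dt >= not_on_or_after + skew:
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in conditions.findall(".//saml:Audience", NS)]
    if sp["entity_id"] not in audiences:
        raise ValueError("assertion was issued for a different SP")
    uid = assertion.findtext(".//saml:Attribute[@Name='uid']/saml:AttributeValue", namespaces=NS)
    if not uid:
        raise ValueError("no uid claim; check the Outgoing Claim Type on the IdP")
    return uid
```

Each failed check names the SP-side symptom an administrator would otherwise have to infer from the IdP event log: a wrong Audience means the relying party trust was created from the other node's metadata, a missing uid claim means the Outgoing Claim Type was not typed exactly as uid, and a rejected validity window points at clock drift between the IdP and the SP.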
Module Objectives
In this module, we will perform the following tasks:
• Create a Circle of Trust (CoT) between ADFS 2.0 (IdP) and Unified CM and IM and Presence (SP)
• Enable SSO for Unified Communications Manager and Unified IM and Presence
• Test Kerberos authentication for cross-application authentication using Microsoft Internet Explorer and Cisco Jabber
Module Notes
NOTE: In the interest of time, Microsoft AD FS 2.0 has been preinstalled on ad1.dcloud.cisco.com. The basic AD FS 2.0
setup wizard was run to enable the AD FS features. These operations are documented in Appendix B. By default, AD FS 2.0 has
Username/Password authentication enabled, so no extra steps are needed to prepare AD FS 2.0 for this authentication
method. Other authentication methods require additional AD FS 2.0 customization.
Pre-Requisites
These are the dependencies that must be in place and functional prior to the implementation of SAML SSO for Cisco Unified
Communications. ALL of these pre-requisite requirements have been met during lab configuration activities or as part of the pre-
configuration of the lab environment.
• NTP – All components of the solution must be configured to use a reliable NTP source for clock synchronization.
This requirement is already provisioned across all installed Cisco Collaboration Applications (Services Providers) and
Identity Providers (ADFS 2.0 on ad1.dcloud.cisco.com)
• DNS – All hosts involved in SSO transactions must be fully resolvable by FQDN via DNS. All of the Service Providers
(ucm1.dcloud.cisco.com, imp1.dcloud.cisco.com) have DNS A (Host) records and are resolvable by FQDN.
• Directory Setup - LDAP directory synchronization is a prerequisite and a mandatory step to enable SAML SSO
across various Unified Communications applications. Synchronization of Unified Communications applications with
an LDAP directory allows the administrator to provision users easily by mapping Unified Communications
applications data fields to directory attributes. Recall that the foundation of our deployment activity was the import of
Jabber users through an LDAP synchronization agreement.
• Certificates signed by a CA - In SAML SSO, the IdP and service providers must have CA-signed certificates with
the correct domains in the CN or SAN. If the certificate chain cannot be validated, the browser displays a warning
and the SSO redirection is interrupted. We have performed the certificate management required to meet this
pre-requisite as part of our deployment activities.
Once SSO is enabled, access to the Unified CM and IM and Presence administrative interfaces will be limited to End Users
synchronized from LDAP. Therefore at least one End User account must be delegated administrative access before SSO is enabled.
NOTE: A Recovery URL remains available in case of SSO failure. It is accessed with the local (non-LDAP) default application
administration account, so that account must be kept available and protected.
3. From the Cisco dCloud Homepage choose Cisco Unified Communications Manager to connect to
ucm1.dcloud.cisco.com. Optionally you may manually type https://ucm1.dcloud.cisco.com in the address bar.
4. From the Installed Applications list, click Cisco Unified Communications Manager.
6. Click Login.
8. Click Find.
9. Click the hyperlink for user cholland (Charles Holland) to open the End User configuration page.
10. Scroll to the bottom of the page and locate the Permissions Information section. Notice that Charles Holland is currently
assigned to the Standard CCM End Users, and Standard CTI Enabled groups.
12. In the Find tool, use the drop-down menu to choose contains and type Super.
16. Confirm that the Standard CCM Super Users group has been added to the Groups field.
Obtain Metadata for the Unified CM and Unified IM and Presence Cluster
As part of the CoT (Circle of Trust) configuration between ADFS and Unified CM and Unified IM and Presence, the Metadata from
deployed Unified Collaboration nodes must be obtained. This will be used to create a Relying Party Trust on the IdP.
3. After a few seconds, click the Save As option on the bottom of the page to save to the SPMetadata.zip file.
5. Click Save.
6. Minimize Internet Explorer and use the File Explorer to navigate to Desktop\CST-Jabber\SSO.
7. Right click the SPMetadata.zip file, choose Extract All and then click Extract.
8. Check that you have the following two files in the new Desktop\CST-Jabber\SSO\SPMetadata directory.
9. There is one SPMetadata file for each node in the cluster, since Unified CM exports the metadata for both the Unified CM and
the IM&P node. The contents of each file (entity ID, Assertion Consumer Service URL and signing certificate) define the
parameters used in the SAML authentication exchange between the SP (Unified CM and Unified IM and Presence) and the IdP
(Microsoft AD FS).
A relying party trust must be added to Microsoft ADFS for every node in your deployment on which SSO will be enabled. Follow
these steps to add a Relying Party Trust for ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com.
1. Open the Active Directory Federation Services 2.0 Management Console by clicking its icon in the taskbar.
4. From the Choose Data Source screen, click the Import data about the relying party from a file radio button.
5. Click Browse.
6. Use the Browse for Metadata file dialog to navigate to the Desktop\CST-Jabber\SSO\SPMetadata directory.
7. Choose the file SPMetadata_ucm1.dcloud.cisco.com.xml to choose the file for Unified CM.
8. Click Open.
9. Click Next.
10. On the Specify Display Name screen enter the following values:
12. On the Choose Issuance Authorization Rules screen confirm that the Permit all users to access this relying party radio
button is selected.
15. From the Finish screen, check the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
check box.
17. On the Edit Claim rules screen click the Add Rule button.
18. Choose the default Claim Rule template Send LDAP Attributes as Claims.
Caution: Use care when entering the Outgoing Claim Type value. The value uid must be typed in lowercase letters exactly as
specified; it is not offered in the drop-down menu and must be entered manually. Unified CM looks for this exact claim name.
20. On the Configure Claim Rule screen set the following values:
NOTE: To prevent copy/paste errors and erroneous formatting during the Custom Claim Rules creation, 2 text files containing the
required claims format have been placed in the Desktop\CST-Jabber\SSO directory on ad1.dcloud.cisco.com.
25. In the Claim rule name field, type Send custom attributes.
26. Use the Windows File Explorer to navigate to the Desktop\CST-Jabber\SSO folder.
28. Double click to open it in the Notepad editor. Notice the custom portion of the rule. The first row specifies the IdP asserted
ID, which can be found in the Metadata exported from the ADFS instance. This will remain constant for our environment. The
second entry specifies the Service Provider asserted identity supplied by ucm1.dcloud.cisco.com in its exported Metadata.
29. Copy the file contents to the computer buffer by pressing Ctrl + C.
31. Paste the contents of the file into the Custom Rule field by pressing Ctrl + V.
1. From the ADFS Management console choose Add Relying Party Trust from the Actions Menu in the right-hand pane.
3. From the Choose Data Source screen, click the Import data about the relying party from a file radio button.
4. Click Browse.
5. Use the Browse for Metadata file.. dialog to navigate to the Desktop\CST-Jabber\SSO\SPMetadata directory.
6. Choose the file SPMetadata_imp1.dcloud.cisco.com.xml, the metadata exported from the Unified IM and Presence node.
7. Click Open.
8. Click Next.
11. On the Choose Issuance Authorization Rules screen confirm that the Permit all users to access this relying party radio
button is selected.
14. From the Finish screen, check the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
check box.
16. On the Edit Claim rules screen click the Add Rule button.
17. Choose the default Claim Rule template Send LDAP Attributes as Claims.
19. On the Configure Claim Rule screen set the following values:
24. From the Claim rule template drop-down list, choose Send Claims Using a Custom Rule.
25. In the Claim rule name field, type Send custom attributes.
26. Use Windows File Explorer to navigate to the Desktop\CST-Jabber\SSO folder.
27. Locate the file SAML-SSO-Custom-Claims-Rule-imp.txt. Double-click to open it in the Notepad editor. Notice the custom portion of the rule highlighted in green below. The first row specifies the IdP asserted ID, which can be found in the Metadata exported from the AD FS instance; this remains constant for our environment. The second highlighted entry specifies the Service Provider asserted identity supplied by imp1.dcloud.cisco.com in its exported Metadata.
28. Copy the file contents to the clipboard by selecting all the text and pressing Ctrl + C.
30. Paste the contents of the file into the Custom Rule field by pressing Ctrl + V.
33. The list of Relying Party Trusts should appear as follows when finished:
NOTE: For your convenience the IdP Metadata was exported from the ADFS2.0 instance on ad1.dcloud.cisco.com and has been
placed in the file: Desktop\CST-Jabber\SSO\FederationMetadata.xml. This file can be manually downloaded at
https://ad1.dcloud.cisco.com/FederationMetadata/2007-06/FederationMetadata.xml.
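The following shell script is an added example for this activity, not part of the lab guide. It pulls the two identifiers the custom claim rule carries (the IdP asserted ID and the Service Provider asserted identity, which are the entityID values in the two exported metadata files) and checks that the Service Provider's AssertionConsumerService endpoints point at the node you are creating the trust for. It assumes the entityID attribute and each AssertionConsumerService element sit on a single line, as in the lab's exports; the sample metadata it writes is constructed, and the CUCM entityID and ACS path in it are assumed values, not copied from the lab files. The mapping of the two identifiers onto the rule's namequalifier and spnamequalifier properties is also an assumption, taken from Cisco's published rule, since the rule file contents are not reproduced here.

```shell
#!/bin/sh
# Added example (not from the lab guide): extract the identifiers the custom
# claim rule needs from exported SAML metadata and sanity-check the SP's
# AssertionConsumerService endpoints before importing a Relying Party Trust.
# Assumptions: entityID and each <AssertionConsumerService> are on one line
# (true for CUCM/IM&P exports and AD FS FederationMetadata.xml, but re-check
# hand-edited files); the sample files below are constructed, not real exports.
set -eu

# Print the entityID attribute of the root <EntityDescriptor>.
saml_entity_id() {
    sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print every AssertionConsumerService Location, one per line.
saml_acs_locations() {
    sed -n 's/.*AssertionConsumerService[^>]*Location="\([^"]*\)".*/\1/p' "$1"
}

# Fail unless every ACS endpoint is https:// and on the expected host.
# AD FS posts the signed assertion to whatever Location the metadata names,
# so a substituted file would hand user assertions to a third party.
saml_acs_check() {
    file=$1; host=$2; bad=0
    locs=$(saml_acs_locations "$file")
    [ -n "$locs" ] || { echo "no AssertionConsumerService in $file" >&2; return 1; }
    for loc in $locs; do
        case "$loc" in
            "https://$host/"*|"https://$host:"*) ;;
            *) echo "unexpected ACS endpoint: $loc" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# Emit the two values the custom rule carries: the IdP entity ID (assumed to
# be the NameID namequalifier) and the SP entity ID (the spnamequalifier).
claim_rule_qualifiers() {
    idp_meta=$1; sp_meta=$2
    printf 'namequalifier=%s\nspnamequalifier=%s\n' \
        "$(saml_entity_id "$idp_meta")" "$(saml_entity_id "$sp_meta")"
}

# Constructed sample metadata standing in for the lab's exported files.
write_sample_metadata() {
    dir=$1
    cat > "$dir/FederationMetadata.xml" <<'EOF'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://ad1.dcloud.cisco.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ad1.dcloud.cisco.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
EOF
    cat > "$dir/SPMetadata_ucm1.dcloud.cisco.com.xml" <<'EOF'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="ucm1.dcloud.cisco.com">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ucm1.dcloud.cisco.com:8443/ssosp/saml/SSO/alias/ucm1.dcloud.cisco.com" index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
EOF
}

main() {
    dir=$(mktemp -d)
    write_sample_metadata "$dir"
    claim_rule_qualifiers "$dir/FederationMetadata.xml" "$dir/SPMetadata_ucm1.dcloud.cisco.com.xml"
    if saml_acs_check "$dir/SPMetadata_ucm1.dcloud.cisco.com.xml" ucm1.dcloud.cisco.com; then
        echo "ACS endpoints OK"
    fi
    rm -rf "$dir"
}

main
```

On ad1 the same functions can be pointed at the real files in Desktop\CST-Jabber\SSO (for example from Git Bash or a Linux jump host with the files copied over): saml_entity_id on FederationMetadata.xml and on each SPMetadata file gives the two values to compare against the highlighted rows in the rule file, and saml_acs_check confirms that the trust you are about to create will only ever post assertions to the intended node over HTTPS.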
1. From the RDP session connected to ad1.dcloud.cisco.com, open Internet Explorer and choose the tab connected to
ucm1.dcloud.cisco.com.
2. It is likely that the logon timer has expired. If so, login with Username: administrator and Password: dCloud123!.
6. Click Next. The IdP Metadata Trust File has already been obtained for you and is present in the Desktop\CST-Jabber\SSO
folder.
7. Click on Browse.
9. Click Open.
13. Click Next on the next screen of the wizard. This screen is not relevant as we have already exported SP Metadata for
ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com and used it to create a trust on the IdP.
NOTE: There is a 60-second timer running to complete the next few steps. If you do not enter the username and password in Step
16 below in time then you will get an error on the SSO Test as shown below.
14. The next process will verify the SAML Assertion with ADFS2.0. Click the user cholland, and then click Run SSO Test.
15. In the new window that pops up click Continue to this website.
16. When the Windows Security login prompt appears enter Username: cholland and Password: C1sco12345.
18. Confirm that the output message indicates a successful result: SSO Metadata Test Successful.
21. You have now successfully completed the basic configuration tasks to enable SSO on UCM using ADFS2.0. Close the web
browser so it clears all of the session cookies.
NOTE: It is VERY important to close and reopen Internet Explorer. You are asked to do this several times in this lab. Please be
sure to perform this step, as it will clear the cookies from the browser and make it request new login information from the server.
In the next activity, you will test SSO with a Username and Password from wkst1.dcloud.cisco.com (198.18.133.36).
2. If the Cisco Jabber client is still open from a previous activity, close it by choosing Menu > Exit.
3. If either Internet Explorer and/or Firefox are open from a previous activity, close them as well.
4. Launch Internet Explorer, and from the Cisco dCloud homepage navigate to Collaboration Admin Links > Cisco Unified Communications Manager. Optionally you may navigate to https://ucm1.dcloud.cisco.com.
5. Notice under Installed Applications there is a new option, Recovery URL to bypass Single Sign-on (SSO). If the new link is not visible, continue to refresh your browser until it appears.
6. The SSO recovery link may be used in cases where the SSO IdP has failed. It allows authentication with the default administrative application user, providing a mechanism for administration and recovery. Because this path authenticates against the local application user credentials rather than the IdP, the IdP's password and lockout policy does not apply to it; treat that account's password as a break-glass credential and keep it strong and closely held.
7. Click the hyperlink for Cisco Unified Communications Manager under Installed Applications.
NOTE: If you get a 404 error this means the Tomcat service is still restarting. Refresh your browser until you get a login screen.
8. Observe that in place of the Unified Communications Manager Administration webpage you are now presented with a
Windows authentication prompt. If you do NOT see a windows authentication prompt, move to the Troubleshooting note
below, complete the steps to disable, and re-enable SSO. Otherwise Proceed to step 23 of this activity.
Troubleshooting: In rare instances, the first time you enable SSO on Unified CM it will not work on the Administration
page initially but it will work on the Self Care Portal. The quick fix for this is to disable and then re-enable SSO. The next few
steps will first test SSO with the Self Care Portal and then proceed to disable SSO so you can complete the steps above again to
re-enable SSO.
9. Click the home button to go back to the Cisco dCloud links page.
10. Navigate to Collaboration Admin Links > Cisco Unified Communications Manager.
11. Click the Cisco Unified Communications Self Care Portal link.
12. This time you should receive an SSO login, which proves that SSO is enabled. There is no need to login at this time. First, you
will disable SSO.
13. Navigate back to the Unified CM administration page at Collaboration Admin Links > Cisco Unified Communications
Manager and click Cisco Unified Communications Manager.
18. Navigate back to the Unified CM administration page at Collaboration Admin Links > Cisco Unified Communications
Manager.
19. If you still see the Recovery URL to bypass Single Sign On (SSO) link then SSO is still disabled. Keep refreshing your page
until that link disappears.
20. Once the link disappears, click the Cisco Unified Communications Manager link and login with Username: administrator
and Password: dCloud123!.
22. Follow this link to run through the steps in this section again and re-enable SSO. You should then have a successful SSO test
and continue with the rest of this lab.
24. Confirm that authentication succeeds and you are presented with the Unified Communications Manager Administration page.
Before enabling SSO, the Unified CM admin page prompted you with an HTML form for username and password. After enabling SSO, Unified CM is no longer responsible for handling authentication; instead it redirects the client request to the IdP (AD FS). The username and password pop-up you now see (a Windows Security prompt) comes from the IdP, and Unified CM never receives the password.
To complete the configuration of SSO for Unified IM and Presence, we must initiate an SSO test from the SAML SSO
administration interface. Since we have already created a Relying Party Trust in ADFS for imp1.dcloud.cisco.com and have
enabled SSO for the cluster, we will run the SSO test utility from the Unified Communications Manager Administration
interface.
2. Click the Run SSO Test Button associated with the imp1.dcloud.cisco.com node.
6. Click OK.
NOTE: You may not be prompted to authenticate, as you have already authenticated to ucm1.dcloud.cisco.com and since SSO is
active for the Unified CM and Unified IM and Presence Cluster the active authentication token is used.
8. Click Close.
2. Close any active web browser sessions connected to either ucm1.dcloud.cisco.com or imp1.dcloud.cisco.com.
3. Launch Internet Explorer and Navigate to Collaboration Admin Links > Cisco Unified Communications Manager.
4. From the Installed Applications list, click the hyperlink for Cisco Unified Communications Self Care Portal.
5. When the Windows Security login prompt appears, enter Username: cholland and Password: C1sco12345.
6. Click OK.
7. Confirm that the Unified Communications Self-Care portal page for Charles Holland is displayed.
9. When the Windows Security login prompt appears, login with Username: cholland and Password: C1sco12345.
10. Confirm that Jabber is authenticated successfully and the interface displays as expected for user Charles Holland.
NOTE: Even though Charles Holland had an active authentication session via SSO to the Unified CM Self-Care portal, credentials
were required when logging into Cisco Jabber. This behavior will change when Kerberos authentication is enabled.
NOTE: By default, AD FS 2.0 has Kerberos authentication enabled with priority over username/password authentication. The
configuration required is performed within the client web-browser, in this case Internet Explorer.
Modify the security settings in Microsoft Internet Explorer to permit Kerberos authentication on intranet sites.
2. Open Internet Explorer and click the Tools icon [ ], then choose Internet options from the menu.
5. In the Local intranet configuration screen, place a checkmark in the Automatically detect intranet network option.
6. Click Advanced.
8. Click Add.
9. Click Close.
10. Click OK on the Local intranet configuration screen to close the dialog.
11. From the Security tab, click the button Custom level.
13. Click the radio button for Automatic logon only in Intranet zone.
NOTE: Be sure to close and re-open Internet Explorer if you have not done so after making the Kerberos configuration changes in
the previous activity. Close Cisco Jabber if it is open by choosing Menu > Exit.
Because Cisco Jabber for Windows uses the settings defined in Microsoft Internet Explorer to control Kerberos authentication, it will use the Kerberos ticket already obtained by the workstation login session to authenticate the user to the IdP.
1. Switch focus to the RDP session actively connected to wkst1.dcloud.cisco.com (Charles Holland).
3. From the open Internet Explorer window navigate to Collaboration Admin Links > Cisco Unified Communications
Manager.
4. Under the Installed Applications list, click the hyperlink for Cisco Unified Communications Self Care Portal.
5. Confirm that you are directed to the Self Care portal for user Charles Holland without being challenged to authenticate.
6. Double-click the Cisco Jabber shortcut on the workstation desktop to launch the application.
7. Observe that Jabber launches and authenticates without challenging the user for credentials.
Module Overview
This module builds on the Mobile and Remote Access configuration and the SAML SSO deployment developed through the completion of Modules 2 and 3a. Cisco Expressway may be configured to enable single sign-on for endpoints accessing Unified Communications services from outside the network.
The functionality relies on the secure traversal capabilities of the Expressway pair at the edge, and the established CoT (Circle of Trust) between internal Service Providers (SPs) such as Unified CM and Unified IM and Presence and an externally resolvable Identity Provider (IdP).
All authentication responsibility is owned by the IdP; the configured SPs never see the user's credentials and act only on the IdP's signed assertion.
Cisco Jabber uses DNS service discovery to determine whether it is operating inside or outside the organization's network. If the _collab-edge._tls.example.com SRV record resolves, it proceeds as normal to attempt registration via MRA. If single sign-on is enabled on Expressway, the Expressway-E redirects Jabber to the IdP with a request to authenticate the user.
The IdP challenges the client to identify itself, and if the identity is authenticated, the IdP redirects Jabber’s service request back to
Expressway-E with a signed assertion that the identity is authentic.
The Expressway-E is configured to trust the IdP, so it will pass the request to the appropriate service inside the network. The
Unified Communications SPs are already provisioned as part of the Circle of Trust with the IdP, and Expressway pair, so they
provide the requested services to the Jabber client.
NOTE: In a production environment, it is customary to place a secondary, externally reachable IdP in a DMZ network. In the case
of AD FS, this would be an AD FS proxy. Our environment uses only a single IdP resolvable by both the internal SPs and the
External SP (Expressway-E).
Pre-Requisites
The following are pre-requisites for deployment of SSO over the Collaboration Edge.
• Expressway-C and Expressway-E are fully configured to provide secure Unified Communications traversal
• The SIP domain that will be accessed via SSO is configured on Expressway-C
• The Expressway-C is in Mobile and Remote Access mode and has discovered the Unified CM Topology
• The hostnames of all Unified CM nodes have been added to the HTTP server allow list on the Expressway-C
• Cisco Jabber clients are configured to request the internal services using the correct domain names, SIP URIs, and
Chat Aliases
• The default browser of the client can resolve the Expressway-E and IdP
Module Objectives
In this module, we will perform the following tasks:
• Extend the existing Circle of Trust (CoT) between AD FS 2.0 (IdP) and the internal SPs to include the Expressway pair (SP)
• Move Workstation 2 to the External network and confirm authentication and authorization through Expressway using
SSO.
In this activity, we will import the FederationMetadata.xml file into the configuration for Expressway-C to establish a trust relationship between Expressway and AD FS.
2. Open the Firefox web browser and Navigate to Collaboration Admin Links > Cisco Expressway-C.
6. Click on Browse.
8. Click Open.
1. From the Configuration > Unified Communications > Identity providers (IdP) page, locate the IdP entry with Entity ID
http://ad1.dcloud.cisco.com/adfs/services/trust.
2. Under the Actions column, click the hyperlink for Associate domains.
• uk.dcloud.cisco.com
• dcloud.cisco.com
• alpha.com
4. Click Save.
To define the relying party trust in ADFS for Expressway we will need to obtain the Service Provider Metadata.
2. Notice that what we are actually downloading is Metadata from the Expressway-E peered to this Expressway-C system.
3. Under the Export SAML data section, click the Download button.
5. Use the Save As dialog to save the resulting xml file to the Desktop\CST-Jabber\SSO folder.
A relying party trust must be added to Microsoft AD FS for each Expressway-E in the cluster. Follow these steps to add a Relying
Party Trust for exp-e-1.dcloud.cisco.com.
2. Open the Active Directory Federation Services 2.0 Management Console by clicking the icon [ ] in the taskbar.
3. From the AD FS Management console choose Add Relying Party Trust from the Actions Menu in the right-hand pane.
5. From the Choose Data Source screen, click the Import data about the relying party from a file radio button.
6. Click Browse.
7. Use the Browse for Metadata file.. dialog to navigate to the Desktop\CST-Jabber\SSO\ directory.
8. Choose the XML file whose name begins with saml_exp-c-1, downloaded in the previous step.
9. Click Open.
11. On the Specify Display Name screen enter the following values:
• Notes: Expressway-E
13. On the Choose Issuance Authorization Rules screen confirm that the Permit All Users to access this relying party radio
button is selected.
16. From the Finish screen, check the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
check box.
18. On the Edit Claim rules screen click the Add Rule button.
19. Choose the default Claim Rule template Send LDAP Attributes as Claims.
21. On the Configure Claim Rule screen set the following values:
24. Observe that an entry for exp-e-1.dcloud.cisco.com is now present in the list of Relying Party Trusts.
To ensure that AD FS formulates the SAML responses as Expressway-E expects them, we will use Windows PowerShell to configure the following properties of the Relying Party Trust entity for Expressway-E:
• SAMLResponseSignature: instruct AD FS to sign both the message and the assertion
• SignatureAlgorithm: the algorithm used for those signatures
1. Right-click the icon for Windows PowerShell in the task bar and click Import system modules to launch Windows PowerShell with the AD FS cmdlets loaded.
2. Copy and paste the following command text (as a single line) and then press Enter.
Set-ADFSRelyingPartyTrust -TargetName "exp-e-1.dcloud.cisco.com" -SAMLResponseSignature MessageAndAssertion -SignatureAlgorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1
NOTE: Confirm the change with Get-ADFSRelyingPartyTrust -TargetName "exp-e-1.dcloud.cisco.com" and check the SamlResponseSignature and SignatureAlgorithm values. The rsa-sha1 algorithm is what this lab's Expressway expects, but SHA-1 signatures are deprecated; where the Expressway release in use supports it, prefer http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 and keep the IdP and SP settings in agreement.
2. Open the Firefox web browser and navigate to Collaboration Admin Links > Cisco Expressway-C. Optionally, navigate to
https://exp-c-1.dcloud.cisco.com.
6. From the Single Sign-On support drop-down menu change the value from off to on.
7. Click Save.
1. Open a new tab in Firefox and choose Collaboration Admin Links > Cisco Expressway-E.
3. From the menu choose Configuration > Unified Communications > Configuration.
7. Click Save.
NOTE: The Check for internal SSO availability setting controls whether the Expressway-C checks that the user's home Unified CM node has SSO available. When set to No, the Expressway-E always tells the client that SSO is available without checking the home node. This reduces traffic on the internal network, but it should ONLY be used when ALL nodes have SSO available.
NOTE: This procedure will disconnect the active RDP session, which is the expected result.
3. Navigate to the Desktop and locate the Windows batch file named External Network On.
10. From the Student Laptop, open the Remote Desktop Connection client program.
13. Browse the location where you saved the RDP session definition wkst2-ext.
2. Notice that a Windows Security authentication prompt is displayed, rather than the Cisco Jabber Sign-In prompt.
4. Verify that authentication succeeds and that all services are available.
With SSO support for Mobile and Remote Access fully enabled and tested, several new sources of information under the Status >
Unified Communications page of the Cisco Expressway-C are now available.
2. In the active Firefox browser, choose the tab connected to Expressway-C (exp-c-1).
3. If the logon timer has expired, login with Username: admin and Password: dCloud123!.
5. Observe the new SSO-related data present in the Activity section of the page. These describe the number of SSO access requests and responses handled by Expressway during assertion.
• SSO provisioned sessions indicates the number of MRA connections made using SSO
• View detailed SSO statistics provides detailed information about SSO processing on Expressway
• View and manage active SSO token holders provides a convenient interface for validation and troubleshooting of active SSO user sessions via MRA.
6. Click the hyperlink for View and manage active SSO token holders.
7. Observe that a single active token holder is displayed: aperez. This is as a direct result of the SSO testing performed in the
previous activity.
8. Click the hyperlink for aperez to view details about the active authentication tokens associated with this user. An entry is
present for both Unified CM and Expressway. If we had provisioned Unity Connection as part of the SSO module, an entry for
this would be present as well.
This completes the Extension of SAML SSO to the Collaboration Edge with Cisco Expressway.
1. Log into the target CentOS 7 host as root or as a user with sudo privileges.
nano /etc/yum.repos.d/CentOS-Base.repo
3. Locate the [base] and [updates] sections of the file and append the line exclude=postgresql* to each, so that the distribution's older PostgreSQL packages do not shadow the PGDG 9.4 packages.
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
exclude=postgresql*
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
exclude=postgresql*
Package           Arch     Version    Repository                     Size
Installing:
 pgdg-centos94    noarch   9.4-1      /pgdg-centos94-9.4-1.noarch    2.1 k
Transaction Summary
Install  1 Package
Installed:
pgdg-centos94.noarch 0:9.4-1
Complete!
3. Check for a list of resolved packages and dependencies by entering the following command:
yum list postgres*
Available Packages
postgresql94.x86_64                        9.4.4-1PGDG.rhel7        pgdg94
postgresql94-contrib.x86_64                9.4.4-1PGDG.rhel7        pgdg94
postgresql94-debuginfo.x86_64              9.4.4-1PGDG.rhel7        pgdg94
postgresql94-devel.x86_64                  9.4.4-1PGDG.rhel7        pgdg94
postgresql94-docs.x86_64                   9.4.4-1PGDG.rhel7        pgdg94
postgresql94-jdbc.noarch                   9.3.1101-2.rhel7         pgdg94
postgresql94-jdbc-javadoc.noarch           9.3.1101-2.rhel7         pgdg94
postgresql94-libs.x86_64                   9.4.4-1PGDG.rhel7        pgdg94
postgresql94-odbc.x86_64                   09.03.0400-1PGDG.rhel7   pgdg94
postgresql94-odbc-debuginfo.x86_64         09.03.0400-1PGDG.rhel7   pgdg94
postgresql94-plperl.x86_64                 9.4.4-1PGDG.rhel7        pgdg94
postgresql94-plpython.x86_64               9.4.4-1PGDG.rhel7        pgdg94
postgresql94-pltcl.x86_64                  9.4.4-1PGDG.rhel7        pgdg94
postgresql94-python.x86_64                 4.1.1-1PGDG.rhel7        pgdg94
postgresql94-python-debuginfo.x86_64       4.1.1-1PGDG.rhel7        pgdg94
postgresql94-server.x86_64                 9.4.4-1PGDG.rhel7        pgdg94
postgresql94-test.x86_64                   9.4.4-1PGDG.rhel7        pgdg94
Note that postgresql94-server.x86_64 is returned as part of the output. We are ready to install the PostgreSQL server software.
2. If the PostgreSQL 9.4 server installation is successful, the output should appear as follows (some output omitted).
Installed:
postgresql94-server.x86_64 0:9.4.4-1PGDG.rhel7
Dependency Installed:
postgresql94.x86_64 0:9.4.4-1PGDG.rhel7    postgresql94-libs.x86_64 0:9.4.4-1PGDG.rhel7
Complete!
1. Type the following command to initialize the PostgreSQL database with default parameters.
/usr/pgsql-9.4/bin/postgresql94-setup initdb
2. Confirm that the command returns the following result: Initializing database ... OK.
1. To enable automatic service startup at OS boot, type the following command:
chkconfig postgresql-9.4 on
NOTE: CentOS 7 uses systemd, so chkconfig forwards this request to systemctl enable postgresql-9.4.service; either command has the same effect.
Services must be started for the first time to begin interacting with the software.
5. Notice that the process is running as OS user postgres, which is automatically created during the package installation.
On Windows and OS X the installer may set a default password of postgres; on Linux, the packages set no password for the postgres database superuser, and the initial connection relies on the postgres OS account instead. A password must be set before password-based logins, which remote administration and the Unified IM and Presence connection depend on, will work.
2. As the postgres OS user (for example after su - postgres), use the psql client utility to connect to the local PostgreSQL instance; no password is required.
psql postgres
3. Use the \password <username> command to the set the postgres user password.
postgres=# \password postgres
Enter new password: <yourpasswordhere>
Enter it again: <yourpasswordhere>
Allow local and remote connections via password authentication by editing pg_hba.conf
Use the following command to edit the client authentication file and enable password-based authentication for local and remote connections.
1. Use the nano editor to make the following modifications to the pg_hba.conf file.
nano /var/lib/pgsql/9.4/data/pg_hba.conf
Add a host entry for the database and role that Unified IM and Presence will connect as, restricted to the IM and Presence node address and using the md5 method. Avoid an address of 0.0.0.0/0 or the trust method, which would let any host that can reach TCP/5432 connect, in the latter case without a password.
Next, modify postgresql.conf to allow connections from remote hosts, confirm the TCP listening port, and set the global parameters required for integration with Cisco Unified IM and Presence.
1. Use the nano editor to make the following modifications to the postgresql.conf file.
nano /var/lib/pgsql/9.4/data/postgresql.conf
2. Edit the listen_addresses parameter by uncommenting it and setting the value to '*' to listen on all configured IP interfaces. This exposes the listener on every interface, so the pg_hba.conf entry and the firewall rule below are what limit who can actually connect.
listen_addresses = '*'
4. Set the escape_string_warning and standard_conforming_strings values to off. This is a requirement for using PostgreSQL to provide external database services for Cisco Unified IM and Presence. Note that with standard_conforming_strings off, backslashes in ordinary string literals are treated as escape characters (the legacy behaviour that made string handling in applications error-prone), so apply these settings only on an instance dedicated to IM and Presence.
escape_string_warning = off
standard_conforming_strings = off
The CentOS 7 host firewall (firewalld, which manages the iptables rules) must be updated to permit incoming connections on TCP port 5432 so that Cisco Unified IM and Presence can reach the PostgreSQL server.
1. Type the following commands to add a permanent rule for TCP/5432 and make it active; --permanent changes are not applied until the firewall is reloaded.
firewall-cmd --permanent --add-port=5432/tcp
firewall-cmd --reload
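The following shell script is an added example, not from the lab guide. It applies the pg_hba.conf and postgresql.conf edits from this section as repeatable changes against copies of the files and prints the firewalld rule that goes with them. Rather than opening the database to any host, it limits both the pg_hba.conf entry and the firewall rule to the IM and Presence node. The node address, database name and role (IMP_ADDR, TC_DB, TC_USER) are placeholders, and the configuration excerpts it writes are constructed, not copied from the lab host.

```shell
#!/bin/sh
# Added example (not from the lab guide): apply the pg_hba.conf and
# postgresql.conf changes from this section as repeatable edits, scope the
# remote access to the IM and Presence node instead of every host, and print
# the matching firewalld rule. The node address (IMP_ADDR), database name
# (TC_DB) and role (TC_USER) are placeholders, not lab values; the sample
# config files are constructed, not copied from a host.
set -eu

IMP_ADDR=${IMP_ADDR:-198.18.133.10/32}   # assumption: imp1 address, /32 = that host only
TC_DB=${TC_DB:-tcdb}                     # assumption: external database name
TC_USER=${TC_USER:-tcuser}               # assumption: role IM and Presence connects as

# Set "key = value" in a postgresql.conf, replacing a commented-out or
# existing line in place; append the setting if the key is absent.
pg_set_param() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if grep -q "^[#[:space:]]*$key[[:space:]]*=" "$file"; then
        sed "s|^[#[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Print the effective (uncommented) value of a key, trailing comment stripped.
pg_get_param() {
    key=$1; file=$2
    sed -n "s/^$key[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$file" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Append one pg_hba.conf host rule (md5 = password auth) unless already present.
pg_hba_allow() {
    file=$1; db=$2; user=$3; cidr=$4
    line=$(printf 'host    %s    %s    %s    md5' "$db" "$user" "$cidr")
    grep -qF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# List host rules that admit every address (0.0.0.0/0, ::/0) or use the
# passwordless "trust" method; an empty result is what you want.
pg_hba_risky_lines() {
    grep -nE '^host(ssl|nossl)?[[:space:]].*([[:space:]](0\.0\.0\.0/0|::/0)[[:space:]]|[[:space:]]trust[[:space:]]*$)' "$1" || true
}

# Open 5432/tcp only for the IM and Presence node; --permanent rules need a
# reload to become active. Printed rather than executed so this runs offline.
firewalld_commands() {
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"5432\" protocol=\"tcp\" accept'\n" "$1"
    printf 'firewall-cmd --reload\n'
}

# Apply the three postgresql.conf settings from this section plus the scoped
# pg_hba.conf rule. Safe to run more than once.
pg_configure_for_imp() {
    dir=$1
    pg_set_param "$dir/postgresql.conf" listen_addresses "'*'"
    # Required by Unified IM and Presence; both weaken string-literal handling,
    # which is one more reason to keep the listener reachable only from imp1.
    pg_set_param "$dir/postgresql.conf" escape_string_warning off
    pg_set_param "$dir/postgresql.conf" standard_conforming_strings off
    pg_hba_allow "$dir/pg_hba.conf" "$TC_DB" "$TC_USER" "$IMP_ADDR"
}

# Constructed excerpts standing in for /var/lib/pgsql/9.4/data/*.conf.
write_sample_configs() {
    dir=$1
    cat > "$dir/postgresql.conf" <<'EOF'
#listen_addresses = 'localhost'		# what IP address(es) to listen on;
port = 5432				# (change requires restart)
#escape_string_warning = on
#standard_conforming_strings = on
EOF
    cat > "$dir/pg_hba.conf" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            ident
host    all             all             ::1/128                 ident
EOF
}

main() {
    dir=$(mktemp -d)
    write_sample_configs "$dir"
    pg_configure_for_imp "$dir"
    echo "listen_addresses = $(pg_get_param listen_addresses "$dir/postgresql.conf")"
    echo "standard_conforming_strings = $(pg_get_param standard_conforming_strings "$dir/postgresql.conf")"
    echo "pg_hba.conf rules:"; grep -v '^#' "$dir/pg_hba.conf"
    echo "risky pg_hba.conf rules: $(pg_hba_risky_lines "$dir/pg_hba.conf")"
    firewalld_commands "$IMP_ADDR"
    rm -rf "$dir"
}

main
```

To apply this to the real instance, point pg_configure_for_imp at /var/lib/pgsql/9.4/data with the placeholders set to the actual node address, database and role, run the printed firewall-cmd lines, and restart postgresql-9.4 so the listen_addresses change takes effect; pg_hba_risky_lines is worth keeping as a periodic check that nobody has since widened the file to 0.0.0.0/0 or trust.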
2. Check the box for the Active Directory Certificate Services role. Click Next.
3. You have the option to deploy additional services. Deploy the Certification Authority and Certification Authority Web Enrollment services; another wizard will then start to add the extra IIS role services that Web Enrollment requires.
4. For the setup type, choose Enterprise. This is what you will see in most customer installations, but it makes no difference for this deployment; a Standalone CA would also work. Click Next.
5. For the CA type, choose Root CA, since there is no other CA already running in the organization.
6. The next step is to create the private key for your CA. Choose this option and click Next.
7. After configuring the CA, you need to configure the Role Services for IIS, since they are necessary for Web Enrollment for the CA. For the AD FS deployment you will need an extra role service in IIS: click ASP.NET under Application Development.
8. In the Server Manager click on Web Server > IIS, and then right click on Default Web Site. You need to change the Binding
to allow HTTPS along with HTTP.
10. Add a new site binding and choose https as the type. For the SSL certificate, choose the server certificate whose subject matches the FQDN of the AD1 server (ad1.dcloud.cisco.com).
Everything is complete from a platform perspective; now you need to install AD FS 2.0. In the roles listed in Server Manager you will see AD FS, but that is version 1.0 and does not support SAML.
11. Go to the link http://www.microsoft.com/en-us/download/details.aspx?id=10909. Set the language and click the Continue
button.
12. Choose the correct version for your OS. In our case, it is the first check box for Windows 2008 R2. Click Download.
14. For the Server Role choose the Federation Server, since you are installing the IdP to be inside the customer network in the
private LAN. Click Next.
15. The product is installed and you can open it from the taskbar or start menu.
1. Launch the ADFS Management console. You may need to perform a search from the start menu if not listed. Start >
Administrative Tools > AD FS 2.0 Management is the typical path.
2. Click the AD FS 2.0 Federation Server Configuration Wizard option to start your ADFS server configuration.
4. Under SSL certificate, choose the ad1.dcloud.cisco.com certificate from the list. The Federation Service name will auto-populate. Click Next.
6. Confirm all the components have completed successfully and click Close to end the wizard and return to the main
management console. This may take a few minutes.
7. ADFS is now effectively enabled and configured as an Identity Provider (IdP). Next, you need to add Cisco UCM as a trusted
Relying Party. Before you can do this, you need to configure Cisco UCM Administration.
2. Open Server Manager and expand Roles > Web Server(IIS). Click Add Role Services.
3. Click Security > IIS Client Certificate Mapping Authentication, click Next and let it install.
1. From within your RDP session to AD1 open the Certificate Authority application by going to Start > All Programs >
Administrative Tools > Certification Authority.
2. Click the plus (+) sign next to dcloud-AD1-CA to expand it and click Certificate Templates below.
3. Right-click Certificate Templates and choose Manage from the pop-up menu.
4. Right-click Web Server and choose Duplicate Template from the pop-up menu.
5. Verify Microsoft Server 2003 Enterprise is selected and then click OK.
• Click the Request Handling tab and click the checkbox for Allow private key to be exported
• Click Add
• Click to highlight Client Authentication from the list, click OK, and then click OK to confirm the addition
7. Close the Certificate Template Console by using the X in the top right corner of the window.
8. Right-click Certificate Templates and choose New > Certificate Template to Issue from the pop-up menu.
9. Click ClientServer in the list to highlight it and then click OK.
Appendix E: Errata
Steps of a SAML based authentication flow
Figure 519. SP-Initiated SSO (Redirect/POST binding)
1. The user tries to access a service or resource by pointing the browser to the URL hosted on the application server. The
browser at this moment does not have an active session with the service.
2. The SP realizes that the request originates from a client without an active session. Based on the SSO configuration, the SP
now generates a SAML authentication request to be sent to the appropriate IdP defined as part of the SSO configuration. The
SAML request contains information about the SP generating the request. This is required so that the IdP can identify the SPs
sending SAML requests.
3. The SP does not communicate directly with the IdP to authenticate the user. Instead, the SP redirects the browser to the IdP.
The URL used for this redirect is taken from the IdP metadata exchanged earlier. The SAML request to be sent to the IDP is
included in the redirect as a URL query parameter using Base64 encoding.
4. The browser receives the redirect, follows the URL and issues the corresponding GET to the IdP. The SAML request is
maintained. The browser at this stage does not have an active session with the IdP.
5. After receiving the new request from a browser with no active session, the IdP authenticates the user based on the pre-configured authentication mechanisms. Possible authentication mechanisms include user/password, PKI/CAC or Kerberos.
For user/password authentication, the IdP might push a form to the user to enter the credentials (e.g. 200 OK with IdP login
form). For the actual authentication, the IdP might depend on backend systems like for example an LDAP server for
user/password authentication.
One key point here is that the exchange of credentials for the purpose of authentication takes place between the IdP and the
browser. The SP is not involved and does not see the credentials.
6. The browser provides further information required for the authentication process. For the user/password case, this would be a
POST with the information. For other authentication mechanisms, other details would need to be sent to the IdP by the
browser.
7. The IdP now checks and validates the provided credentials. The check could involve interactions with respective backend
systems (LDAP bind for user/password based authentication against LDAP, communication with Kerberos server to validate
ticket etc.).
8. Finally, the IdP generates a SAML response for the SP. This response contains the SAML assertion documenting the result of
the authentication process. The SAML assertion in addition to the basic “Yes/No” information also contains validity
information and information about attributes describing the authenticated entity. At least the user id of the authenticated entity
has to be included in the well-known attribute “uid” so that the SP can extract this information from the assertion to relate the
authenticated entity to users existing in the local database.
The SAML assertion is signed by the IdP according to the SSO key information published in the IdP metadata. This ensures
that the SP can verify the authenticity of the SAML assertion.
The IdP returns the SAML assertion to the browser in a hidden form in a 200 OK message. The hidden form instructs the
browser to POST the SAML assertion to the Assertion Consumer Service (ACS) of the SP.
The IdP also sets a session cookie, which is cached by the browser. If the browser needs to get additional SAML assertions, it
will send the session cookie with the SAML requests. The IdP will then realize it already has a valid session with the browser
and will assert the authentication of the previously authenticated user without prompting for credentials again. This enables
SSO against multiple SPs. Session expiry times for these session cookies are configured on the IdP.
9. The browser follows the hidden POST received in the 200 OK and POSTs the SAML assertion to the Assertion Consumer
Service on the SP.
10. The SP extracts the SAML assertion from the POST and validates the signature of the assertion. This guarantees the
authenticity of the SAML assertion and the IdP. The user identifier received in the SAML assertion in attribute “uid” is then
used to decide whether the user is authorized to access the requested service. This is based on local access control
configuration on the SP.
11. The SP grants access to the requested resource and sends back the content in a 200 OK to the browser. The SP also sets a
session cookie in the browser so that for subsequent requests from the same browser to the same SP the SP does not need
to initiate an exchange with the IdP anymore. The IdP will only be involved for requests from the same browser after the SP
session cookie has expired.
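The eleven steps above, driven end to end as an added illustration (this is not Cisco code and not a real SAML library): the SP deflates and Base64-encodes the request for the Redirect binding, the IdP unpacks it and issues an assertion carrying the "uid" attribute, and the SP's Assertion Consumer Service refuses the assertion unless its signature, InResponseTo, validity window and audience all check out. The XML is a namespace-free sketch, the entity IDs and URL are constructed, and an HMAC-SHA256 over the serialized Assertion stands in for the IdP's XML-DSig signature (all assumptions).

```python
"""Simplified SP-initiated SAML flow (Redirect/POST binding)."""
import base64, hmac, hashlib, zlib, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlparse, parse_qs

SP_ENTITY_ID = "https://cucm.example.test/ssosp"    # constructed value
IDP_SSO_URL = "https://adfs.example.test/adfs/ls/"  # constructed value
IDP_KEY = b"constructed-idp-signing-key"            # HMAC stand-in for the IdP signing key

# --- Steps 2/3: SP builds the AuthnRequest and wraps it in the redirect URL ---
def build_authn_request(request_id):
    req = ET.Element("AuthnRequest", ID=request_id, Issuer=SP_ENTITY_ID)
    return ET.tostring(req, encoding="unicode")

def redirect_url(request_xml):
    # Redirect binding: raw DEFLATE, then Base64, then URL-encode as SAMLRequest
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(request_xml.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

# --- Step 4: IdP unpacks the request that arrived in the browser's GET ---
def decode_saml_request(url):
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15))

# --- Step 8: after authenticating the user, IdP issues a signed assertion ---
def issue_response(request_elem, uid, now):
    assertion = ET.Element("Assertion", ID="_" + uuid.uuid4().hex)
    cond = ET.SubElement(assertion, "Conditions", NotBefore=now.isoformat(),
                         NotOnOrAfter=(now + timedelta(minutes=5)).isoformat())
    ET.SubElement(ET.SubElement(cond, "AudienceRestriction"), "Audience").text = request_elem.get("Issuer")
    attr = ET.SubElement(ET.SubElement(assertion, "AttributeStatement"), "Attribute", Name="uid")
    ET.SubElement(attr, "AttributeValue").text = uid
    body = ET.tostring(assertion, encoding="unicode")
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()  # stand-in for XML-DSig
    resp = f'<Response InResponseTo="{request_elem.get("ID")}">{body}<SignatureValue>{sig}</SignatureValue></Response>'
    return base64.b64encode(resp.encode()).decode()  # value the hidden form POSTs to the ACS

# --- Step 10: SP (ACS) validates the assertion before trusting "uid" ---
def consume_response(saml_response_b64, expected_request_id, now):
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = resp.find("Assertion")
    body = ET.tostring(assertion, encoding="unicode")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, resp.findtext("SignatureValue", "")):
        raise ValueError("assertion signature invalid")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not match an outstanding request")
    cond = assertion.find("Conditions")
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("AudienceRestriction/Audience") != SP_ENTITY_ID:
        raise ValueError("assertion not issued for this SP")
    uid = assertion.findtext("AttributeStatement/Attribute[@Name='uid']/AttributeValue")
    if not uid:
        raise ValueError("assertion carries no uid attribute")
    return uid  # the SP now maps this to a local user for access control

def run_flow(uid="amckenzie", now=None):
    """Drive steps 2 to 10 in one process; returns the uid the SP accepted."""
    now = now or datetime.now(timezone.utc)
    request_id = "_" + uuid.uuid4().hex
    url = redirect_url(build_authn_request(request_id))  # step 3
    req = decode_saml_request(url)                       # step 4
    response = issue_response(req, uid, now)             # steps 5 to 8
    return consume_response(response, request_id, now)   # steps 9 and 10
```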
Enterprise Groups
With Cisco Unified Communications Manager Release 11.0, Cisco Jabber users can search for groups in Microsoft Active
Directory and add them to their contact lists. If a group already in the contact list is updated, the contact list is automatically
updated. Cisco Unified Communications Manager synchronizes its database with Microsoft Active Directory groups at specified
intervals.
When a user adds a group to their contact list, IM and Presence Service provides the following information for each group member:
• display name
• user ID
• title
• phone number
• mail ID
Only the group members that are assigned to IM and Presence Service nodes can be added to the contact list. Other group
members are discarded.
NOTE: Currently, the enterprise groups feature is supported only on Microsoft Active Directory server. It is not supported on other
corporate directories.
The enterprise groups feature is enabled system-wide with the Cisco Unified Communications Manager Directory Group
Operations on Cisco IM and Presence enterprise parameter. For more information about enterprise groups, see the Feature
Configuration Guide for Cisco Unified Communications Manager.
LDAP Integrations
You can configure a corporate LDAP directory in this integration to satisfy a number of different requirements:
User provisioning: You can provision users automatically from the LDAP directory into the Cisco Unified Communications
Manager database. Cisco Unified Communications Manager synchronizes with the LDAP directory content so you avoid having to
add, remove, or modify user information manually each time a change occurs in the LDAP directory.
User authentication: You can authenticate users using the LDAP directory credentials. The IM and Presence Service
synchronizes all the user information from Cisco Unified Communications Manager to provide authentication for users of the Cisco
Jabber client and IM and Presence Service user interface.
Cisco recommends integrating Cisco Unified Communications Manager with the directory server for user synchronization and
authentication.
NOTE: When Cisco Unified Communications Manager is not integrated with LDAP, you must verify that the username is the same
in Active Directory and Cisco Unified Communications Manager before deploying IM and Presence Service.
The Cisco SIP Proxy service is responsible for providing the SIP registrar and proxy functionality. This includes request routing,
requestor identification, and transport interconnection.
The Cisco Presence Engine collects, aggregates, and distributes user capabilities and attributes using the standards-based SIP
and SIMPLE interface. It collects information about the availability status and communications capabilities of a user.
The Cisco XCP Text Conference Manager supports the Chat feature. The Chat feature allows users to communicate with each
other in online chat rooms. It supports chat functionality using ad hoc (temporary) and permanent chat rooms, which remain on a
Cisco-supported external database until they are deleted.
The Cisco XCP Authentication Service handles all authentication requests from XMPP clients that are connecting to IM and
Presence Service. This includes Jabber clients authenticating through Collaboration Edge.
The Cisco XCP Web Connection Manager service enables browser-based clients to connect to IM and Presence Service.
The Cisco XCP SIP Federation Connection Manager supports interdomain federation with Microsoft OCS over the SIP protocol.
You must also turn on this service when your deployment contains an intercluster connection between an IM and Presence Service
Release 9.0 cluster, and a Cisco Unified Presence Release 8.6 cluster.
The Cisco XCP XMPP Federation Connection Manager supports interdomain federation with third-party enterprises such as IBM
Lotus Sametime, Cisco Webex Meeting Center, and GoogleTalk over the XMPP protocol, and also supports interdomain
federation with another IM and Presence Service enterprise over the XMPP protocol.
The Cisco XCP Message Archiver service supports the IM Compliance feature. The IM Compliance feature logs all messages sent
to and from the IM and Presence Service server, including point-to-point messages, and messages from ad hoc (temporary) and
permanent chat rooms for the Chat feature. Messages are logged to an external Cisco-supported database.
Cisco XCP Directory Service (not needed in this lab, but may be needed for Pidgin)
The Cisco XCP Directory Service supports the integration of XMPP clients with the LDAP directory to allow users to search and
add contacts from the LDAP directory.
The Cisco Login Datastore is a real-time database for storing client sessions to the Cisco Client Profile Agent.
The Cisco Route Datastore is a real-time database for storing a cache of route information and assigned users for the Cisco SIP
Proxy and the Cisco Client Profile Agent.
The Cisco Configuration Agent is a change-notification service that notifies the Cisco SIP Proxy of configuration changes in the IM
and Presence Service IDS database.
The Cisco Sync Agent keeps IM and Presence data synchronized with Cisco Unified Communications Manager data. It sends
SOAP requests to the Cisco Unified Communications Manager for data of interest to IM and Presence and subscribes to change
notifications from Cisco Unified Communications Manager and updates the IM and Presence IDS database.
The Cisco OAM Agent service monitors configuration parameters in the IM and Presence Service IDS database that are of interest
to the Presence Engine. When a change is made in the database, the OAM Agent writes a configuration file and sends an RPC
notification to the Presence Engine.
The Cisco Client Profile Agent service provides a secure SOAP interface to or from external clients using HTTPS.
The Cisco Intercluster Sync Agent service provides DND propagation to Cisco Unified Communications Manager and
synchronizes end user information between IM and Presence Service clusters for intercluster SIP routing.
The XCP Router is the core communication functionality on the IM and Presence Service server. It provides XMPP-based routing
functionality on the IM and Presence Service. It routes XMPP data to the other active XCP services on IM and Presence Service
and it accesses SDNS to allow the system to route XMPP data to IM and Presence Service users. The XCP router manages
XMPP sessions for users, and routes XMPP messages to and from these sessions.
After IM and Presence Service installation, the system turns on Cisco XCP Router by default.
NOTE: If you restart the Cisco XCP Router, the IM and Presence Service automatically restarts all active XCP services. Note that
you must choose the Restart option to restart the Cisco XCP Router; this is not the same as turning off and turning on the Cisco
XCP Router. If you turn off the Cisco XCP Router, rather than restart this service, IM and Presence Service stops all other XCP
services. Subsequently when you turn on the XCP router, IM and Presence Service does not automatically turn on the other XCP
services; you need to manually turn on the other XCP services.
The Cisco XCP Config Manager service monitors the configuration and system topology changes made through the administration
GUI (as well as topology changes that are synchronized from an InterCluster Peer) that affect other XCP components (for
example, Router and Message Archiver), and updates these components as needed. The Cisco XCP Config Manager service
creates notifications for the administrator indicating when an XCP component requires a restart (due to these changes), and it
automatically clears the notifications after the restarts are complete.
The Cisco Server Recovery Manager (SRM) service manages the failover between nodes in a presence redundancy group. The
SRM manages all state changes in a node; state changes are either automatic or initiated by the administrator (manual). Once you
turn on high availability in a presence redundancy group, the SRM on each node establishes heartbeat connections with the peer
node and begins to monitor the critical processes.
The Cisco IM and Presence Data Monitor monitors IDS replication state on the IM and Presence Service. Other IM and Presence
services are dependent on the Cisco IM and Presence Data Monitor. These dependent services use it to delay
startup until IDS replication is in a stable state.
The Cisco IM and Presence Data Monitor also checks the status of the Cisco Sync Agent sync from Cisco Unified Communications
Manager. Dependent services are only allowed to start after IDS replication has set up and the Sync Agent on the IM and
Presence database publisher node has completed its sync from Cisco Unified Communications Manager. After the timeout has
been reached, the Cisco IM and Presence Data Monitor on the Publisher node will allow dependent services to start even if IDS
replication and the Sync Agent have not completed.
On the subscriber nodes, the Cisco IM and Presence Data Monitor delays the startup of feature services until IDS replication is
successfully established. The Cisco IM and Presence Data Monitor only delays the startup of feature services on the problem
subscriber node in a cluster; it does not delay the startup of feature services on all subscriber nodes because of one problem node. For
example, if IDS replication is successfully established on node1 and node2, but not on node3, the Cisco IM and Presence Data
Monitor allows feature services to start on node1 and node2, but delays feature service startup on node3.
The Cisco Presence Datastore is a real-time database for storing transient presence data and subscriptions.
The Cisco Presence SIP Registration Datastore is a real-time database for storing SIP Registration data.
The Cisco RCC Device Selection service is the Cisco IM and Presence user device selection service for Remote Call Control.