
Cisco dCloud

Cisco Collaboration Specialist Training for Jabber 11.x v1


Last Updated: 29-SEP-2015

About This Solution


Cisco Jabber provides enterprise-quality collaboration capability directly on your desktop or mobile device through an integrated
software client. You can chat with other users using the IM and Presence features of Cisco Jabber. Video calling and WebEx
conferencing are also available from Cisco Jabber with the click of a button. Visual voicemail helps you to access your messages
more efficiently and keep them better organized. Cisco Jabber is part of the Cisco Unified Communications architecture, a cost-
effective, reliable, and easy to manage software collaboration solution.

For additional information about Cisco Jabber Voice and Unified Communications, visit the product solution page.

This lab is intended to give the participant hands-on configuration experience with all of the architecture components required to
deploy Cisco Jabber for Collaboration System Release 11. The content in this lab is focused on recently added features and
functional additions to the Cisco Jabber Client product. The exercises in this lab will take the student through the process of initial
provisioning and configuration of the core solution components and then extend to configuration of advanced feature deployment.

NOTE: Participants should have a high degree of familiarity with the software, tools and methods used to deploy, configure and
maintain Cisco Collaboration technologies.

About This Lab


This Cisco Collaboration Specialist Training for Jabber 11 lab includes the following topics:

• End to End Quick Start Jabber Deployment: Students will configure the integration and deployment from the ground up
including the configuration and/or installation of the following components:

o Unified Communications Manager

o Unified IM and Presence Service

o Microsoft Active Directory LDAP

o Domain Name Service (DNS)

o Cisco Jabber for Windows Client.

• Specialized Cisco Jabber Feature and Deployment Options

o Persistent Chat

o Managed File Transfer

o SAML Single Sign-On

o Mobile Remote Access (MRA)

© 2015 Cisco and/or its affiliates. All rights reserved. This document is intended for Cisco Partner Training. Page 1 of 257

About This Solution..................................................................................................................................... 1


About This Lab............................................................................................................................................ 1
Lab Workflow ......................................................................................................................................... 5
Lab Requirements ........................................................................................................................................ 6
Lab Configuration ....................................................................................................................................... 6
Lab Topology .............................................................................................................................................. 6
Applications and Versions ....................................................................................................................... 7
Lab Pre-Configuration ............................................................................................................................. 8
Connecting to Your Pod............................................................................................................................... 9
Lab Orientation.......................................................................................................................................... 10
Connecting to Required Resources ......................................................................................................... 10
Activity 1: Preparation for IM & Presence Deployment ............................................................................. 14
Activity Objectives ................................................................................................................................ 14
Investigate Active Directory Users and Distribution Groups .................................................................. 14
DNS Service Discovery Configuration ................................................................................................... 19
Activity 2: Unified IM and Presence Deployment ...................................................................................... 27
Activity Objectives ................................................................................................................................ 27
Service Activation and Status Verification ............................................................................................. 27
Unified CM SIP Trunk Configuration .................................................................................................... 31
Configure UC Services and Service Profile ............................................................................................ 34
Prepare Directory Synchronization and Automatic User Provisioning .................................................... 39
IM and Presence Service Configuration ................................................................................................. 47
Enable Flexible Jabber ID (JID) and Multi-Domain Support ................................................................ 49
User and Group Import .......................................................................................................................... 55
Provision Devices and Client Configuration........................................................................................... 60
Activity 3: SSL Certificate Management: Cisco Unified CM and Cisco Unified IM and Presence ............. 70
Activity Objectives ................................................................................................................................ 70
Configure Unified CM and IM and Presence with FQDNs ..................................................................... 71
Establish Root CA Trust ........................................................................................................................ 71
Request and Install a CA Signed Tomcat Certificate .............................................................................. 74
Request and Install a CA Signed XMPP-Trust Certificate ...................................................................... 78
Service Maintenance to Finalize Certificate Installation ......................................................................... 83
Activity 4: Jabber Client Installation and Feature Testing ........................................................................... 87


Activity Objectives ................................................................................................................................ 87


Cisco Jabber User Interface (UI) Updates .............................................................................................. 87
Install Jabber on WKST1 and Login ...................................................................................................... 88
Install Jabber on WKST2 and Login ...................................................................................................... 94
Test Chat, Calling, and Chat History ...................................................................................................... 98
Deployment Activity Conclusion ............................................................................................................. 111
Module 1: Persistent Chat and Managed File Transfer ............................................................................. 112
Module Overview ................................................................................................................................ 112
Module Objectives ............................................................................................................................... 112
PostgreSQL Database Setup................................................................................................................. 113
Set Up External Database Entries on the IM and Presence Service ....................................................... 117
Set Up an External File Server for MFT ............................................................................................... 120
Configure Persistent Group Chat .......................................................................................................... 123
Modify Jabber Client Configuration ..................................................................................................... 125
Test Persistent Chat ............................................................................................................................. 129
Configure Managed File Transfer ........................................................................................................ 137
Module 2: Mobile and Remote Access (MRA) with Cisco Expressway ................................................... 147
Module Overview ................................................................................................................................ 147
Module Objectives ............................................................................................................................... 149
Module Notes ...................................................................................................................................... 149
DNS Service Discovery Configuration ................................................................................................. 150
Expressway-C Initial Configuration ..................................................................................................... 155
Expressway-E Initial Configuration ..................................................................................................... 157
Configure Expressway-E for Unified Communications ........................................................................ 158
Certificate Management for Expressway .............................................................................................. 159
Configure Expressway-C for Unified Communications ........................................................................ 170
Create a Secure Traversal between Expressway-E and Expressway-C .................................................. 174
Validate Unified Communications Status on Expressway .................................................................... 179
Contact Photo Resolution with MRA ................................................................................................... 180
Testing Mobile and Remote Access Operation ..................................................................................... 185
Module 3(a): SAML Single Sign-On (SSO) Inside the Network .............................................................. 196
SAML Overview ................................................................................................................................. 196
Module Objectives ............................................................................................................................... 197


Module Notes ...................................................................................................................................... 198


Prepare to Enable SAML SSO for Unified CM and IM and Presence ................................................... 198
SAML SSO Configuration for Microsoft ADFS2.0 .............................................................................. 201
Enable SSO for Unified CM and IM and Presence ............................................................................... 209
Testing SSO Username/Password Authentication ................................................................................ 214
Enable Kerberos Authentication for SSO ............................................................................................. 216
Module 3(b): Extending (SSO) to the Collaboration Edge ........................................................................ 219
Module Overview ................................................................................................................................ 219
Pre-Requisites ...................................................................................................................................... 220
Module Objectives ............................................................................................................................... 220
Prepare to Enable SAML SSO for Expressway .................................................................................... 222
SAML SSO Configuration for Microsoft AD FS 2.0 ............................................................................ 224
Enable SSO for Cisco Expressway ....................................................................................................... 227
Verify operation on Unified CM SSO functionality.............................................................................. 228
Appendix A: PostgreSQL Installation on CentOS .................................................................................... 233
Installation of PostgreSQL Server 9.4.1 ............................................................................................... 233
Initialize PostgreSQL and Start Services .............................................................................................. 235
Configure Authentication and Access .................................................................................................. 236
Appendix B: AD FS 2.0 Install and Configuration ................................................................................... 238
How to install Microsoft AD FS2.0 ................................................................................................... 238
Appendix C: Adding Client-Server Template to Microsoft Certificate Services ....................................... 249
Appendix D: Table of Documents ............................................................................................................ 250
Appendix E: Errata .................................................................................................................................. 251
Steps of a SAML based authentication flow ......................................................................................... 251
Enterprise Groups ................................................................................................................................ 252
LDAP Integrations ............................................................................................................................... 253
Listing of IM and Presence Service Services ........................................................................................ 254


Lab Workflow
End-to-End Quick Start Deployment

The lab begins with a series of exercises, which guide the participant through the required activities and workflow to establish and
test a Cisco Jabber on-premise deployment. Test activities include configuration and verification of basic functionality while
emphasizing some recent feature additions and deployment methodologies.

These activities are mandatory, as the result will form the baseline system required to progress to the advanced feature modules.

Specialized Features and Deployment Modules

The remainder of this lab is divided into Modules, each devoted to a particular advanced deployment topic. Participants are
encouraged to complete all of the modules in sequential order. However, the time limit for this lab is 4 hours. Students wishing to
devote particular time or emphasis to one or more of the feature modules may wish to be selective in the interest of completing
the desired modules within the time allotted.

NOTE: Modules are optional and may be completed independently except where listed as a dependency for another target
Module. The only module with pre-requisite dependencies is Module 3(b), which requires Modules 2 and 3a to be completed in
order to test solution functionality.

• Module 1: Persistent Chat (PCHAT) and Managed File Transfer (MFT)

o Optional with no dependencies

• Module 2: Mobile and Remote Access (MRA) with Cisco Expressway

o Optional with no dependencies

• Module 3a: SAML Single Sign-On (SSO) Inside the Network

o Optional with no dependencies

• Module 3b: Extending SSO to the Collaboration Edge

o Optional, but requires Modules 2 and 3a.


Lab Requirements
The table below outlines the requirements for this preconfigured lab activity.

Table 1. Lab Requirements

Required | Optional
Laptop with Cisco AnyConnect | None

Lab Configuration
This lab contains preconfigured users and components to illustrate the scripted scenarios and features of this solution. All
information needed to access the demonstration components is in the Topology and Servers menus of your active session.

• Topology Menu. Click on any server in the topology and a popup window will appear with available server options.

• Servers Menu. Click on or next to any server name to display the available server options and credentials.

Table 2. Demonstration User Information

User Name | User ID | Password | Endpoint Devices | Phone | Email/Directory URI
Charles Holland | cholland | C1sco12345 | Cisco Jabber for Windows | +1408 555 6018 | cholland@dcloud.cisco.com
Anita Perez | aperez | C1sco12345 | Cisco Jabber for Windows | +1212 555 6017 | aperez@alpha.com

Lab Topology
This demonstration includes several server virtual machines. Most of the servers are fully configurable using the administrative
level account. Administrative account details are included in the script steps where relevant and in the server details table.

Figure 1. Lab Topology Overview


Table 3. Equipment details

Name | Description | Host Name (FQDN) | IP Address | Username | Password
UCM1 | Communications Manager 11.0 (Call Control) | cucm1.dcloud.cisco.com | 198.18.133.3 | administrator | dCloud123!
IMP1 | IM & Presence 11.0 (Presence and Chat) | cup1.dcloud.cisco.com | 198.18.133.4 | administrator | dCloud123!
CUC1 | Unity Connection 11.0 (Voicemail) | cuc1.dcloud.cisco.com | 198.18.133.5 | administrator | dCloud123!
Exp-C | Expressway-C (Core) X8.5 | exp-c-1.dcloud.cisco.com | 198.18.133.152 | admin | dCloud123!
Exp-E | Expressway-E (Edge) X8.5 | exp-e-1.dcloud.cisco.com | 198.18.1.152 | admin | dCloud123!
AD1 | Active Directory, DNS, ADFS2.0 | ad1.dcloud.cisco.com | 198.18.133.1 | administrator | C1sco12345
Centos | SSHFS and PostgreSQL Database Server | centos.dcloud.cisco.com | 198.18.134.29 | root | dCloud123!
AD2 | External DNS server | ad2.dcloud.cisco.com | 198.18.2.11 | administrator | C1sco12345
Exchange | Exchange 2010 | mail1.dcloud.cisco.com | 198.18.133.2 | administrator | C1sco12345
Workstation 1 | Windows 7 | wkst1.dcloud.cisco.com | 198.18.133.36 | cholland | C1sco12345
Workstation 2 | Windows 7 | wkst2.dcloud.cisco.com | 198.18.133.37 | aperez | C1sco12345
Workstation 2 External | Windows 7 | wkst2-ext.dcloud.cisco.com | 198.18.2.37 | aperez | C1sco12345

NOTE: Two passwords are used throughout this lab. Password1 (dCloud123!) is used across all Cisco Collaboration components
and Linux hosts. Password2 (C1sco12345) is used for all Microsoft Active Directory accounts, including administrative, service, and
demonstration user accounts. This applies to both Platform and Administrative user accounts within Cisco Collaboration
Applications.

Applications and Versions


The table below provides detail on the software components used in this lab.

Software Description | Version Installed
Cisco Unified Communications Manager | 11.0.1.10000-10
Cisco Unified IM and Presence Service | 11.0.1.10000-6
Cisco Unity Connection | 11.0.1.10000-10
Expressway-C (Core) | X8.5.3
Expressway-E (Edge) | X8.5.3
Microsoft Windows Server (AD, DNS, ADFS) | Microsoft Windows Server 2008 R2 with Hotfix 3
Microsoft Exchange | Microsoft Exchange 2010
External DNS server | Microsoft Windows Server 2008 R2
Mail Server | Microsoft Windows Server 2008 R2 with Exchange 2010
Demonstration Workstations | Microsoft Windows 7
Cisco Jabber for Windows | 11.x


Lab Pre-Configuration
In order to save time, certain elements of this lab have been pre-configured in advance to provide a baseline starting point. Please
review this section before proceeding to the first configuration activity.

Jabber-Config.xml

The vast majority of service and client configuration for Cisco Jabber is provisioned using the service profiles (created earlier);
however, to enable certain non-default behaviors on the Jabber client, an XML configuration file named jabber-config.xml
must be used.

To save time and avoid introducing errors into the lab environment, a series of jabber-config.xml files has been staged on
wkst1.dcloud.cisco.com, wkst2.dcloud.cisco.com, and ad1.dcloud.cisco.com. During the lab, when a new set of
client configuration parameters is required, you will browse to and upload the required file.

File Locations: Desktop\CST-Jabber\Jabber-Config-Files

The following sub-folders contain the relevant jabber-config.xml files:

• Deployment (Preliminary Jabber Deployment)

• Module1 (Persistent Chat)

• Module2 (Mobile and Remote Access)

Dial Plan

Basic Class of Control elements have been pre-defined as follows:

Table 1. Partitions

Partition | Description
CST-DN-PT | Collaboration Specialist Training DN Partition
CST-URI-PT | Collaboration Specialist Training URI Partition

Table 2. Calling Search Spaces

Calling Search Space | Partitions
CST-DN-PT | CST-DN-PT, CST-URI-PT, (All System Generated Partitions)

PostgreSQL

PostgreSQL server 9.4 (with dependencies) was installed using the YUM package installer on centos.dcloud.cisco.com running
CentOS 7. The database and services have been initialized using default values, and the following parameters have been
configured:

• Username postgres and Password postgres

• Listening on TCP 5432

• Connections permitted from 198.18.133.0/24 (IP subnet for Collaboration Applications in the lab)


• Services configured to start automatically on OS boot.

• Operating system configuration to permit incoming connections on TCP 5432 has been performed for you.

Details of the steps taken to create the baseline environment can be found in Appendix A.

Single Sign On (SSO)

Microsoft™ AD FS 2.0 (3) has been installed on ad1.dcloud.cisco.com. The Basic AD FS 2.0 setup wizard has been run to
enable ADFS features. These operations are documented in Appendix B.

Connecting to Your Pod

Follow the steps below to schedule your demonstration and configure your demonstration environment.

1. Browse to dcloud.cisco.com, choose the location closest to you, and then log in with your Cisco.com credentials.

2. Schedule a demonstration. [Show Me How]

3. Test your bandwidth from the demonstration location before performing any demonstration scenario. [Show Me How]

4. Verify your demonstration is Active under My Demonstrations on the My Dashboard page in the Cisco dCloud UI.

• It may take up to 30 minutes for your demonstration to become active.

5. If you are not connected to the lab from behind a router, use Cisco AnyConnect on your laptop, paired with the session
credentials from the UI, to connect to the lab. [Show Me How]

6. From your laptop, access the demonstration workstation named wkst1 located at 198.18.133.36 and log in using the following
credentials: Username: dcloud\cholland, Password: C1sco12345.

• Recommended method: Use Cisco AnyConnect [Show Me How] and the local RDP client on your laptop. [Show Me
How]

• Alternate method: Use the Cisco dCloud Remote Desktop client with HTML5. [Show Me How]

o Accept any certificates or warnings


Lab Orientation
NOTE: Read and Complete the Activities in this section before proceeding. Connections to lab hosts require an active
connection to the assigned Lab Pod through either a supported VPN connected router or the Cisco AnyConnect VPN Client.

Connecting to Required Resources


Introduction

The student will be using a series of Remote Desktop Protocol (RDP) sessions to Microsoft Windows workstations and servers in
order to complete the following:

• Access Administrative Interfaces for Configuration

• Interact with the Cisco Jabber Client

• Test features and functionality

In this activity, the student will configure and connect the RDP sessions required and referenced throughout the lab.

NOTE: Connections to lab hosts require an active connection to the assigned Lab Pod through either a router connected to dCloud
or the Cisco AnyConnect VPN Client.

The table below identifies the hosts, use cases, and credentials required when connecting.

Name | Use Case | Host Name (FQDN) | IP Address | Domain\Username | Password
Workstation 1 | Primary Configuration Workspace, Demonstration User Charles Holland | wkst1.dcloud.cisco.com | 198.18.133.36 | dcloud\cholland | C1sco12345
Workstation 2 | Demonstration User Anita Perez | wkst2.dcloud.cisco.com | 198.18.133.37 | dcloud\aperez | C1sco12345
Workstation 2 External | Testing MRA functionality | wkst2-ext.dcloud.cisco.com | 198.18.2.37 | dcloud\aperez | C1sco12345
AD1 | Active Directory, Internal DNS, ADFS2.0 | ad1.dcloud.cisco.com | 198.18.133.1 | dcloud\administrator | C1sco12345
AD2 | External DNS server, Photo Server | ad2.dcloud.cisco.com | 198.18.2.11 | dcloud\administrator | C1sco12345

Throughout this guide, steps will instruct the student to Open or Switch to the RDP session connected to one of the hosts
referenced above. These statements always reference the FQDN of the host, accompanied at times by contextual information. All
FQDNs should be resolvable directly from the student workstation (while connected to the Lab Pod via VPN, which is required);
however, IP addresses may be used as well.

Host Reference and Use Cases

• wkst1.dcloud.cisco.com (Workstation 1):

o Lab User Assignment: Charles Holland

▪ Windows Logon Account: cholland

▪ Windows Logon Domain: dcloud

▪ Windows Logon Password: C1sco12345

o Use Cases: Workstation 1 is the primary anchor point for configuration activities in addition to hosting the Jabber
client for lab user Charles Holland.


• wkst2.dcloud.cisco.com (Workstation 2):

o Lab User Assignment: Anita Perez

▪ Windows Logon Account: aperez

▪ Windows Logon Domain: dcloud

▪ Windows Logon Password: C1sco12345

o Use Cases: Workstation 2 is assigned to Lab User Anita Perez. Workstation 2 is used only for demonstration
and testing of features. Workstation 2 will be moved to an external network during the Collaboration Edge
module for testing Mobile and Remote Access.

• ad1.dcloud.cisco.com (AD1):

o Lab User Assignment: None

▪ Windows Logon Account: administrator

▪ Windows Logon Domain: dcloud

▪ Windows Logon Password: C1sco12345

o Use Cases: AD1 hosts the majority of internal services. This server will be used for interactions with Microsoft
Active Directory, Internal DNS, and Active Directory Federation Services.

• ad2.dcloud.cisco.com (AD2):

o Lab User Assignment: None

▪ Windows Logon Account: administrator

▪ Windows Logon Domain: dcloud

▪ Windows Logon Password: C1sco12345

o Use Cases: AD2 is used to add the DNS SRV records required to configure and demonstrate the Collaboration
Edge Solution.


Create and Connect RDP Sessions

NOTE: These Steps will be repeated for each host specified, until an active connection has been created for each.

From the Student’s personal computer:

1. Click Start > All Programs > Accessories > Remote Desktop Connection.

2. Click Options.

3. Choose the Local Resources tab.

4. Click Settings, under Remote audio.

5. Choose Play on this computer and Do Not Record.

Figure 2. Audio Playback

6. Click OK.

7. Click the Experience tab.

8. Choose LAN (10Mbps or higher) from the connection speed menu.

Figure 3. LAN Connection Speed

9. Click the General tab and fill in the Computer and Username fields based on the table below, according to the host to which
you are connecting:

Table 3. RDP Connection Settings

Field | WKST1 | WKST2 | AD1 | AD2
Computer: | wkst1.dcloud.cisco.com or 198.18.133.36 | wkst2.dcloud.cisco.com or 198.18.133.37 | ad1.dcloud.cisco.com or 198.18.133.1 | ad2.dcloud.cisco.com or 198.18.2.11
Username: | dcloud\cholland | dcloud\aperez | dcloud\administrator | dcloud\administrator

10. Click Allow me to save credentials.


11. (Optional) Click Save and use the Save As file dialog to name and save the session definition to your computer.

Figure 4. Saving Session Settings

12. Click Connect.

13. When prompted, enter the password C1sco12345 and click Remember my credentials.

14. Click OK.

15. Acknowledge any warnings to proceed.

16. Repeat Steps 1-15 for each Host listed in the table above.

Activity Complete

This activity is complete when the student has four active RDP sessions to the hosts listed in the table above.


Activity 1: Preparation for IM & Presence Deployment


NOTE: Please ensure that you have completed the Lab Orientation activity before proceeding.

Activity Objectives
In this activity, you will connect to server AD1, verify the configuration of Microsoft Active Directory as it relates to our Lab topology,
and perform prerequisite DNS configuration to support service discovery.

Through this activity, you will:

• Explore the dCloud Organizational Unit containing all users pertinent to the topology

o Identify the email domains in use and discuss their relation to the format of the Jabber ID (JID) and multi-domain support

o Review and Add Distribution Groups to leverage the new Enterprise Groups feature.

• Provision service location (SRV) records in DNS to allow for service discovery.

Investigate Active Directory Users and Distribution Groups


As we will be using LDAP (provided by Microsoft Active Directory) as the primary contact source for our Jabber implementation, it
is imperative that we review the current configuration of the AD server to become acquainted with it. Configuration steps are performed
from within RDP sessions to both ad1.dcloud.cisco.com (198.18.133.1) and wkst1.dcloud.cisco.com (198.18.133.36). The
guide will provide explicit instruction when switching between remote desktop sessions.

Explore Active Directory Configuration

1. Open the RDP session connected to ad1.dcloud.cisco.com (198.18.133.1).

2. From the Task Bar, click the Active Directory Users and Computers icon.

Figure 5. Task Bar Icons

3. Click the dCloud Organizational Unit (OU) in the menu tree on the left. This OU contains all of the users and distribution
groups that will be addressed throughout the exercises in this lab guide.

Figure 6. Active Directory Users and Computers

4. Users have been pre-configured and assigned to this OU; they serve as the contact source and user base for the lab exercises.

5. Review the list of users displayed. Observe that there are three distinct email address domains in use:

• dcloud.cisco.com (Default Organizational Domain)

• uk.dcloud.cisco.com

• alpha.com

Figure 7. Lab User List

6. Notice that demonstration user Charles Holland is assigned email address (cholland@dcloud.cisco.com) while Anita Perez
is assigned (aperez@alpha.com). This distinction serves to simulate an environment wherein multiple domain name spaces
are present.

Two Distribution Groups, Engineering and Marketing, were created in advance. We will use them together with the new Enterprise
Groups feature in Jabber 11, which synchronizes administrator-defined distribution groups into Cisco Unified Communications
Manager automatically through an LDAP agreement.

7. Double-click the Engineering distribution group to open the properties dialog. Notice that the group type is set to
Distribution. Only Distribution Groups are eligible for synchronization with Unified Communications Manager.

Figure 8. Engineering Group

8. Click the Members tab. Notice that all of the users in the Engineering department are members of this distribution group.

Figure 9. Members

9. Click Cancel to close the group properties editor.

10. The Marketing distribution group has been similarly configured with membership populated with users assigned to the
Marketing department. Optional: You may open and validate the configuration at this time. Otherwise, proceed to the next
step.

Create a New Distribution Group and Assign Users

In this section, we create a new Active Directory distribution group and assign the members of the Sales team to it. This group
and the two already present will be used later to demonstrate the new Enterprise Groups feature. We use two different techniques
to add members, to build familiarity with the process.

1. Right click the dCloud OU and choose New > Group.

Figure 10. Group Option

2. In the Group name field, enter Sales.

3. Set the Group type to Distribution.

4. Click OK.

Figure 11. Group Object

5. Double-click the newly added Sales Distribution Group to open the Properties editor.

6. Click the Members tab.

7. Click Add.

Figure 12. Members Tab

8. In the Enter the object names to choose field type Adam.

Figure 13. Enter Object Names

9. Click Check Names to search Active Directory for a user whose display name begins with Adam.

10. Notice that the Check Names search utility returned a user object for Adam McKenzie (amckenzie@dcloud.cisco.com).

Figure 14. Check Name Results

11. Click OK to add this user to the Sales Distribution Group.

12. Click OK to close the Properties Editor.

13. The previous method is adequate when assigning group membership individually. Next you will add multiple users
simultaneously.

14. Note that the list of users in the dCloud OU is currently sorted using the Department Column. All of the members of the Sales
department are listed together at the bottom of the list.

15. Click on user Alex Jones to choose.

16. Press and hold the Shift key and click on user Taylor Bard. Notice that we have excluded Adam McKenzie from the
selection as this user was added in the previous steps.

Figure 15. User Selection

17. Right-click within the highlighted area and choose Add to a group from the menu.
18. In the Enter the object names to choose field enter the name Sales.

Figure 16. Choose Groups

19. Click OK.

20. A message indicates that the Add to Group operation was successful. Click OK to continue.

Figure 17. Operation Successful

21. Double-click the Sales Distribution Group.

22. Click the Members tab. Observe that all users in the Sales Department are members of the Sales Distribution Group.

Figure 18. Sales Department Members

23. Click OK.

24. Close the Active Directory Users and Computers console.
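The group creation and membership steps above can also be scripted. The following PowerShell is an added example for this guide, not part of the dCloud lab or of Cisco's tooling. It assumes the ActiveDirectory module (RSAT) is available on ad1.dcloud.cisco.com and that the dCloud OU has the distinguished name OU=dCloud,DC=dcloud,DC=cisco,DC=com (the search base used later in the LDAP agreement). It selects Sales members by the Department attribute instead of by clicking, refuses to continue if a Security group of the same name already exists (only Distribution groups are synchronized in this lab), and verifies the result in both directions, which is what step 22 checks by eye.

```powershell
# Added example (not from the dCloud lab guide). Creates the Sales distribution
# group, populates it from the Department attribute and verifies the membership.
# Assumptions: ActiveDirectory RSAT module present; OU DN as shown below.
Import-Module ActiveDirectory

$ou        = 'OU=dCloud,DC=dcloud,DC=cisco,DC=com'   # assumed DN of the dCloud OU
$groupName = 'Sales'
$dept      = 'Sales'

# Create the group only if it is not already there, so the script can be re-run.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $ou
if (-not $group) {
    $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
                         -GroupCategory Distribution -GroupScope Global `
                         -Path $ou -Description "$dept department" -PassThru
    "created distribution group $groupName"
}

# The lab's Unified CM LDAP agreement imports Distribution groups only, so a
# Security group of the same name would never show up in Jabber.
if ($group.GroupCategory -ne 'Distribution') {
    throw "$groupName exists but is a $($group.GroupCategory) group, not Distribution"
}

# Select members by attribute instead of by hand (this covers Adam McKenzie too).
$deptUsers = @(Get-ADUser -Filter "Department -eq '$dept'" -SearchBase $ou -Properties Department)
$current   = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
$toAdd     = @($deptUsers | Where-Object { $_.SamAccountName -notin $current })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $group -Members $toAdd
    "added: " + (($toAdd | ForEach-Object SamAccountName) -join ', ')
}

# Verify both directions: every Sales user is a member, and nobody else is.
$members = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
$missing = @($deptUsers | Where-Object { $_.SamAccountName -notin $members })
$extra   = @($members   | Where-Object { $_ -notin $deptUsers.SamAccountName })

if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
    "$groupName OK: $($members.Count) members, all in department $dept"
} else {
    "MISMATCH - missing: $($missing.SamAccountName -join ', ') extra: $($extra -join ', ')"
}
```

Run it in an elevated PowerShell session on ad1.dcloud.cisco.com; a second run adds nothing and reports the group as OK.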

DNS Service Discovery Configuration


Cisco Jabber depends heavily on DNS to identify where it is running, to detect services, and to connect to them.

Service discovery is the process by which Cisco Jabber does the following:

• Determines whether it is operating inside or outside the corporate network, which changes client behavior

• Locates services inside the corporate network, or through Expressway when operating externally.

Cisco Jabber clients query domain name servers (DNS) to retrieve service (SRV) records that provide the location of hosted
services on the network.

In this activity, you will provision the DNS service location records required to enable auto-discovery for Cisco Jabber running
inside the internal enterprise network.

The Cisco Jabber client queries DNS for the SRV records below, for the user's domain, in parallel. The record with the highest
priority (lowest number) that is returned is used for services.

Priority  Service                  HTTP Request / DNS SRV
1         WebEx Messenger          HTTP CAS lookup
2         UC Manager 9.x or later  _cisco-uds._tcp.example.com
3         Cisco Presence 8.x       _cuplogin._tcp.example.com
4         Collaboration Edge       _collab-edge._tls.example.com
DNS Service Records (SRV) Inside the Enterprise Network

1. Ensure that the RDP session to ad1.dcloud.cisco.com has focus.

2. From the Task Bar, click the DNS Manager icon.

Figure 19. Task Bar Icons

3. Click the + next to Forward Lookup Zones.

4. Click dcloud.cisco.com to highlight the zone.

Figure 20. Cisco dCloud Zone

5. Right click on the dcloud.cisco.com zone.

6. Choose Other New Records from the menu.

7. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.

8. Click Create Record.

Figure 21. Create Record

9. Fill out the New Resource Record form as follows:

• Domain: dcloud.cisco.com (already populated)

• Service: _cisco-uds

• Protocol: _tcp

• Priority: 0 (default)

• Weight: 0 (default)

• Port Number: 8443

• Host offering this service: ucm1.dcloud.cisco.com

Figure 22. New Resource Record

10. Click OK.

11. Click Done to close the Resource Record Type dialog.

NOTE: Because our environment contains multiple domains and we will demonstrate the new Flexible JID and multi-domain
features, we create Service Location records in every DNS domain that contains presence users. In a production environment each
domain would likely have dedicated infrastructure such as AD, DNS and email. For this lab we use a collapsed topology, so only one
service domain will actually be queried.

12. Click alpha.com to highlight the zone.

13. Right click on the alpha.com zone.

14. Choose Other New Records from the menu.

15. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.

16. Click Create Record.

17. Fill out the New Resource Record form as follows:

• Domain: alpha.com (already populated)

• Service: _cisco-uds

• Protocol: _tcp

• Priority: 0 (default)

• Weight: 0 (default)

• Port Number: 8443

• Host offering this service: ucm1.dcloud.cisco.com

Figure 23. New Resource Record

18. Click OK.

19. Click Done to close the Resource Record Type dialog.

20. Click uk.dcloud.cisco.com to highlight the zone.

21. Right click on the uk.dcloud.cisco.com zone.

22. Choose Other New Records from the menu.

23. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.

24. Click Create Record.

25. Fill out the New Resource Record form as follows:

• Domain: uk.dcloud.cisco.com (already populated)

• Service: _cisco-uds

• Protocol: _tcp

• Priority: 0 (default)

• Weight: 0 (default)

• Port Number: 8443

• Host offering this service: ucm1.dcloud.cisco.com

Figure 24. New Resource Record

26. Click OK.

27. Click Done to close the Resource Record Type dialog.

28. Close the DNS Manager.

Verify DNS SRV Records

1. Connect and/or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36) to perform DNS verification.

2. Click the Command Prompt icon on the task bar.

3. Type nslookup and press Enter.

4. Type set type=srv (use lowercase) and press Enter.

5. Type _cisco-uds._tcp.dcloud.cisco.com and press Enter.

6. SRV record data similar to the output shown below should be returned by DNS server ad1.dcloud.cisco.com.

Figure 25. SRV Record

7. A successful result returns both the FQDN of the host(s) offering the service and the resolved IP address(es) of those host(s).
You should see text similar to the red text in the graphic above.

NOTE: If you see an error indicating that this or a subsequent _cisco-uds SRV lookup failed, for example Non-existent
domain, follow the instructions below.

• Confirm that the command entered is exactly as specified in the guide and retry.

• Confirm that the settings of the SRV record match the previous configuration steps.

Figure 26. SRV Resolution

If you are unable to resolve the issue, please notify a proctor. Do not continue until a successful validation result is returned.

8. Type _cisco-uds._tcp.alpha.com and press Enter.

9. SRV record data similar to the output shown below should be returned by DNS server ad1.dcloud.cisco.com.

Figure 27. SRV Record Data

10. Type _cisco-uds._tcp.uk.dcloud.cisco.com and press Enter.


11. SRV record data similar to the output shown below should be returned by DNS server ad1.dcloud.cisco.com.

Figure 28. SRV Record Data

12. Close the Command Prompt window.

This completes the addition and validation of Service Location Records required for internal Jabber functionality.
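The SRV provisioning and the nslookup verification above, done from PowerShell. This is an added example for this guide, not code from the lab or from Cisco. It assumes the DnsServer module on ad1.dcloud.cisco.com (Windows Server 2012 or later) for the provisioning half and Resolve-DnsName (Windows 8 / Server 2012 or later) wherever the verification half runs; the two sample JIDs are taken from the user list earlier in this activity. The verification also applies the selection order from the service-discovery table: it derives the domain from the JID, keeps only SRV answers ordered by priority, and checks that the chosen target has an A record and the expected port, which is what Jabber needs before it can reach UDS.

```powershell
# Added example (not from the dCloud lab guide). Creates the _cisco-uds SRV record
# in each zone that holds Jabber users, then verifies it the way a client would.
# Assumptions: DnsServer module on ad1.dcloud.cisco.com; Resolve-DnsName available
# on the machine running the verification half.
Import-Module DnsServer

$zones   = 'dcloud.cisco.com', 'alpha.com', 'uk.dcloud.cisco.com'
$srvName = '_cisco-uds._tcp'
$target  = 'ucm1.dcloud.cisco.com'   # host offering the UDS service
$port    = 8443                      # Unified CM UDS over HTTPS
$dns     = 'ad1.dcloud.cisco.com'

# --- provisioning (collapsed topology: every zone points at the same Unified CM) ---
foreach ($zone in $zones) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $srvName -RRType Srv -ErrorAction SilentlyContinue
    if ($existing) { "$srvName.$zone already present, skipping"; continue }
    Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name $srvName -DomainName $target `
                                -Priority 0 -Weight 0 -Port $port
    "created $srvName.$zone -> ${target}:$port"
}

# --- verification, per user domain, as Jabber performs it ---
function Test-CiscoUdsSrv {
    param([string]$Jid)
    $domain = $Jid.Split('@')[1]                      # Jabber derives the domain from the JID
    try {
        $answers = Resolve-DnsName -Name "$srvName.$domain" -Type SRV -Server $dns -ErrorAction Stop
    } catch {
        return "FAIL  $domain : $($_.Exception.Message)"   # e.g. Non-existent domain
    }
    # The answer may also carry A records for the target; keep SRV only, lowest
    # Priority first, then highest Weight (RFC 2782 selection order).
    $srv = $answers | Where-Object { $_.Type -eq 'SRV' } |
           Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
    if (-not $srv) { return "FAIL  $domain : no SRV records in answer" }

    $best = $srv | Select-Object -First 1
    $a    = Resolve-DnsName -Name $best.NameTarget -Type A -Server $dns -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
    if (-not $a)             { return "FAIL  $domain : $($best.NameTarget) has no A record" }
    if ($best.Port -ne $port) { return "WARN  $domain : port $($best.Port), expected $port" }
    "OK    $domain -> $($best.NameTarget):$($best.Port) ($($a.IPAddress -join ','))"
}

foreach ($jid in 'cholland@dcloud.cisco.com', 'aperez@alpha.com') { Test-CiscoUdsSrv -Jid $jid }
```

Run the provisioning half on ad1.dcloud.cisco.com; the verification function can be pasted on its own into a PowerShell session on wkst1.dcloud.cisco.com (define $srvName, $port and $dns first) as the scripted equivalent of steps 3 through 11 above.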

Activity 2: Unified IM and Presence Deployment

With preparation for deployment complete, Activity 2 systematically addresses the requirements and methods needed to
implement the Unified IM and Presence solution with provisioned End Users, Services, and Devices.

Activity Objectives
The following are the objectives for this activity:

• Identify and confirm the status of services required for the operation of Cisco Unified Communications Manager and IM
and Presence Service as they relate to features implemented in the lab

• Identify and perform the activities required to integrate Cisco Unified CM and IM and Presence

• Define UC Services and a Service Profile in order to assign presence capabilities to Cisco Jabber users

• Implement LDAP Directory Synchronization and Authentication with Microsoft Active Directory to import Users and
Groups

• Use template based automation tools to quickly and accurately provision End Users, Directory Numbers, and Devices
through the LDAP user import process

• Configure Cisco Unified CM and Unified IM and Presence for the Flexible JID Address Scheme with Multi-Domain
support

• Interact with the Cisco Jabber client configuration file (jabber-config.xml) to enable non-default behaviors in Cisco Jabber

Service Activation and Status Verification


During this activity, we will validate that all Unified Communications Manager services required to provision and integrate the
Instant Message and Presence service cluster have been activated and are in an expected state. The service activation process
has already been performed as part of the pre-configuration of this lab. This activity is for verification and to provide further
familiarity with the lab topology and current configuration state.

Unified Communications Manager

1. Connect and/or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36).

2. Launch Internet Explorer by double clicking on the desktop shortcut or clicking the Internet Explorer icon in the task bar.

3. From the Cisco dCloud Homepage hover over Collaboration Admin Links and choose Cisco Unified Communications
Manager to connect to ucm1.dcloud.cisco.com. Optionally you may manually type https://ucm1.dcloud.cisco.com in the
address bar.

Figure 29. Cisco UCM Link

4. When prompted with a Certificate Error click Continue to this website.

NOTE: Certificate management for Unified Communications Manager and IM&P is covered in an upcoming exercise. Until a
certificate signed by a trusted Certification Authority is installed, this error will keep appearing; acknowledge it and proceed with
Continue to this website. Treat this as a lab-only shortcut: the next page asks for the platform administrator credentials, and
clicking through an untrusted certificate in production gives up the one check that would reveal an interposed server receiving them.

5. From the Installed Applications list, click Cisco Unified Communications Manager.

Figure 30. Cisco UCM Link

6. From the Navigation menu in the upper-right corner of the Administration Webpage, choose Cisco Unified Serviceability.

7. Click Go.

8. In the Username field type administrator.

9. In the Password field type dCloud123!.

10. Click Login.

Figure 31. Login Prompt

11. From the Menu choose Tools > Control Center – Feature Services.

Figure 32. Contact Center Services

12. From the Choose Server drop down list, choose ucm1.dcloud.cisco.com.

Figure 33. Select Server Menu

13. Click Go.

14. Review the Control Center page to confirm that the services listed below are Activated and in a Running state:

o Cisco DirSync

o Cisco CallManager

o Cisco CTIManager

o Cisco Tftp

o Cisco AXL Web Service

Figure 34. Directory Services

This concludes serviceability verification for Unified Communications Manager (ucm1.dcloud.cisco.com).

Unified IM and Presence Service

1. From the Choose Server drop down list, choose imp1.dcloud.cisco.com.

2. Click Go.

3. Review the Control Center page to confirm that the services listed below are Activated and in a Running state:

o Cisco AXL Web Service

o Cisco SIP Proxy

o Cisco Presence Engine

o Cisco XCP Text Conference Manager

o Cisco XCP Connection Manager

o Cisco XCP Authentication Service

Figure 35. Database and Admin Services

This concludes serviceability verification for Unified IM and Presence imp1.dcloud.cisco.com.

Unified CM SIP Trunk Configuration


In this task, we create a SIP trunk between Unified CM and the IM and Presence node. Unified CM uses it to publish line state
(off hook/on hook) to IM and Presence, which lets Cisco Jabber show a user as On a Call. The security profile created below is a
copy of the Non Secure profile, so the trunk carries this signaling over plain TCP on port 5060; that is acceptable inside the lab, but
a production trunk should use a TLS-secured SIP Trunk Security Profile (port 5061) so that presence signaling is not exposed on the
network.

SIP Trunk Security Profile for IM and Presence Service

1. Connect and/or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36) if not already in focus.

2. From the currently open Internet Explorer window connected to ucm1.dcloud.cisco.com, use the Navigation menu to
choose Cisco Unified CM Administration.

3. If the previous logon session has expired you may need to login. (Username: administrator, Password: dCloud123!)
Otherwise, proceed to the next step.

4. From the menu navigate to System > Security > SIP Trunk Security Profile.

Figure 36. Security Menu

5. Click Find to display the list of configured SIP Trunk Security Profiles.

Figure 37. SIP Trunk Security Profile

6. Click Non Secure SIP Trunk Profile to open the configuration page.

7. From the configuration menu, click Copy.

8. Set the Following Parameters (Only those requiring modification listed):

• Name: IMP SIP Trunk Profile

• Accept presence subscription: Checked

• Accept out-of-dialog refer: Checked

• Accept unsolicited notification: Checked

• Accept replaces header: Checked

Figure 38. SIP Trunk Security Profile Information

9. Click Save.

Configure SIP Trunk for IM and Presence Service

10. From the menu navigate to Device > Trunk.

Figure 39. Device Menu

11. From the Find and List Trunks page, click Add New.

12. Set the Trunk Type value to SIP Trunk from the drop down menu.

13. Click Next.

14. Set the Following Values under the Device Configuration section.

• Device Name: IMP-SIP-Trunk

• Description: IMP Publish Trunk

• Device Pool: Default

Figure 40. Device Information

15. Scroll down to the section labeled SIP Information and set the following values:

• Destination Address: imp1.dcloud.cisco.com

• Destination Port: 5060 (Default)

• SIP Trunk Security Profile: IMP SIP Trunk Profile

• SIP Profile: Standard SIP Profile

Figure 41. SIP Information

16. Click Save.

17. Click OK to acknowledge the webpage notification and proceed.

18. Click Reset.

19. Click Reset from the pop-up window.

20. Click Close.

Set the Presence Publish Trunk Parameter

We will now identify the SIP Trunk just created as the device used to send line presence information to the IM & Presence server.

21. From the main menu, navigate to System > Service Parameters.

22. Choose ucm1.dcloud.cisco.com from the Server drop down menu.

23. Choose Cisco CallManager from the Service drop down menu.

Figure 42. Select Server and Service

24. Scroll to the Clusterwide Parameters (Device – SIP) section.

You can speed this up by pressing Ctrl-F with the browser window in focus and typing IM and Presence in the search box to jump
directly to the parameter.

25. Continue until you locate the IM and Presence Publish Trunk parameter.

26. Choose IMP-SIP-Trunk from the parameter menu.

Figure 43. IM and Presence Publish Trunk

27. Click Save.

Configure UC Services and Service Profile


Here we will provide the centralized configuration required for Cisco Jabber Clients to utilize core Collaboration application
services. We will NOT be configuring all of the available services, but rather those that will allow us to create a stable foundation in
order to configure advanced features in the lab.

Configure UC Services

1. From the main menu navigate to User Management > User Settings > UC Service.

Figure 44. User Settings

2. Click Add New.

3. From the drop down menu, choose IM and Presence.

Figure 45. Add a UC Service

4. Click Next.

5. Set the following values:

• Name: IMP-Service

• Description: IMP Service

• Host Name/IP Address: imp1.dcloud.cisco.com

Figure 46. UC Service Information

6. Click Save.

7. Click Add New.

8. From the drop down menu, choose CTI.

Figure 47. Add a UC Service

9. Click Next.

10. Set the following values:

• Name: CTI-Service

• Description: CTI Service

• Host Name/IP Address: ucm1.dcloud.cisco.com

• Port: 2748 (default)

Figure 48. UC Service Information

11. Click Save.

12. Click Add New.

13. From the drop down menu, choose Voicemail.

Figure 49. Add a UC Service

14. Click Next.

15. Set the following values:

• Product Type: Unity Connection

• Name: Voicemail-Service

• Description: Voicemail Service

• Host Name/IP Address: cuc1.dcloud.cisco.com

• Port: 443

• Protocol: HTTP

Figure 50. UC Service Information

16. Click Save.

17. From the Related Links menu in the upper-right of the webpage, choose Back to Find/List.

18. Click Go.

19. Click Find.

20. Observe that all three services are created and match the image below.

Figure 51. UC Services

NOTE: We have omitted the manual configuration of a Directory Service. Feature enhancements to the Jabber Client portfolio
have made it possible to leverage the Service Discovery capabilities of Jabber to automatically detect an accessible LDAP
directory. Automatic discovery using SRV is the preferred method where possible.

Configure a Service Profile

21. From the main menu choose User Management > User Settings > Service Profile.

Figure 52. User Settings

22. Click Add New.

23. Under Service Profile Information set the following values:

• Name: CST-Service-Profile

• Description: CST Service Profile

• Make this the default service profile for the system: Checked

Figure 53. Service Profile Information

24. Under Voicemail Profile set the following values:

• Primary: Voicemail-Service

• Credentials source for voicemail service: Unified CM – IM and Presence

Figure 54. Voicemail Profile

25. Scroll to Directory Profile and set the following values:

• Primary: None

• Use UDS for Contact Resolution: Un-Checked

Figure 55. Directory Profile

26. Under IM and Presence Profile set the following:

• Primary: IMP-Service

27. Under CTI Profile set the following:

• Primary: CTI-Service

Figure 56. Profiles

28. Click Save.

Prepare Directory Synchronization and Automatic User Provisioning


As stated earlier, LDAP directory integration provides the foundation for user synchronization, user authentication, and contact
sources within a Collaboration deployment. This is especially true of the interactions and user experience of Cisco Jabber.

We will explore the new Flexible Jabber ID and Multi-Domain support features as part of our directory synchronization exercise.

Significant advancements in End-User provisioning have been part of Unified Communications Manager since the 10.x release.
We will be using Feature Group Templates to demonstrate how quickly items such as End Users, UC Service Assignment,
Group Membership, and even Directory Numbers can be added during the first LDAP synchronization. It is beyond the scope of
this lab to delve into the design mechanics of each feature but we will be interacting with these tools and using them to expedite
our provisioning process.

Service Activation

1. Recall that in the Service Activation and Status Verification activity we confirmed that Cisco DirSync is activated and running.
Directory synchronization depends on this service, and it must be activated before an LDAP Directory Synchronization agreement
and/or LDAP Authentication is enabled.

Figure 57. Cisco DirSync Activated

Class of Control

In order to leverage component features such as URI Dialing and to maintain consistency with Cisco Dial-Plan best practices for a
centralized call control deployment, the following Partitions and Calling Search Spaces were created in advance. We will
reference these when configuring our Provisioning Templates.

Table 4. Partitions

Partition     Description
CST-DN-PT     Collaboration Specialist Training DN Partition
CST-URI-PT    Collaboration Specialist Training URI Partition

Table 5. Calling Search Spaces

Calling Search Space   Partitions
CST-CSS                CST-DN-PT, CST-URI-PT, (All System Generated Partitions)

Provisioning Templates and User Profiles

In this section, we will interact with Universal Device, Universal Line, and Feature Group templates to create the foundation for
automatic provisioning.

1. Navigate to the Cisco Unified CM Administration web interface at https://ucm1.dcloud.cisco.com/ccmadmin. This should
already be open from the previous exercise.

2. Use the menu to navigate to User Management > User/Phone Add > Universal Device Template.

Figure 58. Universal Device Template Menu

3. Click Find.

4. Click the Sample Device Template with TAG usage examples hyperlink to open.

5. Modify the Name field to be CST Device Template.

Figure 59. CST Device Template

6. Click the icon to the left of the Device Routing title to expand the section.

7. Set the Calling Search Space to CST-CSS by choosing it from the drop-down menu.

Figure 60. Device Routing

8. Click Save.

9. From the main menu, choose User Management > User/Phone Add > Universal Line Template.

10. Click Find.

11. Click the Sample Line Template with TAG usage examples hyperlink to open.

12. Set the following parameters:

• Name: CST Line Template

• Route Partition: CST-DN-PT

• Calling Search Space: CST-CSS

Figure 61. Calling Search Space Template

13. Click Save.

14. From the main menu choose User Management > User/Phone Add > Feature Group Template.

15. Click Find.

16. Click the Default Feature Group Template hyperlink to open.

17. Set the following parameters:

• Name: CST Feature Group Template

• Enable User for Unified CM IM and Presence: Checked

• Allow Control of Device from CTI: Checked

• SUBSCRIBE Calling Search Space: CST-CSS

Figure 62. Feature Group Template

18. Click Save.

19. From the main menu choose User Management > User Settings > User Profile.

20. Click Find.

21. Click the hyperlink for Standard (Factory Default) User Profile to open the editor page.

22. Set the following parameters:

• Name: CST User Profile

• Description: CST User Profile

• Mobile and Desktop Devices: CST Device Template

• Universal Line Template: CST Line Template

Figure 63. User Profile

23. Click Save.

Enable LDAP Synchronization

1. Navigate to System > LDAP > LDAP System.

Figure 64. LDAP Menu

2. In the LDAP System Configuration page, set the following values:

• Enable Synchronizing from LDAP Server: Checked

• LDAP Server Type: Microsoft Active Directory (default)

• LDAP Attribute for User ID: sAMAccountName (default)

Figure 65. LDAP System Information

3. Click Save.

Create a New LDAP Synchronization Agreement

4. Navigate to System > LDAP > LDAP Directory.

5. Click Add New.

6. In the LDAP Directory Information section, enter the following values:

• LDAP Configuration Name: CST LDAP

• LDAP Manager Distinguished Name: CollabLDAP@dcloud.cisco.com

• LDAP Password: C1sco12345

• Confirm Password: C1sco12345

• LDAP User Search Base: ou=dcloud,dc=dcloud,dc=cisco,dc=com

• Synchronize: Users and Groups

NOTE: The user CollabLDAP was created in advance as a standard user (no administrative roles) in Active Directory, for use as the
service account for LDAP synchronization and authentication, in accordance with Cisco deployment best practice. The account
needs only read access to the search base, and its password is stored on Unified CM, so it should never be a member of a
privileged group.

7. Confirm settings match the screenshot below.

Figure 66. LDAP Directory Information

8. Scroll down to the section labeled Standard User Fields To Be Synchronized.

9. Set the Directory URI LDAP Attribute to mail.

Figure 67. Directory URI

NOTICE: Our demonstration users are provisioned across three different domains, with mail addresses in the format
sAMAccountName@domain.com. In the coming steps we will ensure that this value is used to populate the Jabber ID (JID).

10. Scroll to the section labeled Group Information.

11. Click the Add to Access Control Group button.

Figure 68. Add to Access Control Group

12. In the Find Access Control Group where Name search field type: Standard.

13. Click Find.

14. From the Find and List Access Control Groups dialog, place a Check next to the following entries:

• Standard CCM End Users

• Standard CTI Enabled

Figure 69. Access Lists Dialog

15. Click Add Selected , to close the dialog and return to the LDAP Directory configuration screen.

16. Set the value of Feature Group Template to CST Feature Group Template.

17. Check the box next to Apply mask to synced telephone numbers to create a new line for inserted users.

18. In the Mask field, enter XXXXXXXXXXXXX (The letter “X” in CAPS 13 times).

This mask is used because the demonstration users are in different countries and have E.164 telephone numbers of varying length.
The longest telephone number in the demonstration is 12 digits with a leading +, so the 13-character mask XXXXXXXXXXXXX
accommodates any phone number string of 13 characters or less.

Figure 70. Group Information Mask

19. Scroll to the LDAP Server Information section.

20. In the Host Name or IP Address for Server field, type: ad1.dcloud.cisco.com.

Figure 71. LDAP Server Information

21. Click Save.

22. Do NOT attempt to perform a Directory synchronization at this time. We will be performing additional configuration to
complete IM and Presence integration, and to accommodate Multi-Domain support before importing users.

Cisco Unified Communications Manager release 10.5 and later supports the creation of E.164 directory numbers (with a leading
“+”) through the directory synchronization process. The Mask field is now applied differently: it represents the maximum length of
any telephone number discovered within the defined directory, and a discovered number shorter than the mask is inserted “as is”.

Enable LDAP Authentication

23. From the main menu choose System > LDAP > LDAP Authentication.

24. In the LDAP Authentication for End Users section, enter the following values:

• Use LDAP Authentication for End Users: Checked

• LDAP Manager Distinguished Name: CollabLDAP@dcloud.cisco.com

• LDAP Password: C1sco12345

• Confirm Password: C1sco12345

• LDAP User Search Base: ou=dcloud,dc=dcloud,dc=cisco,dc=com


Figure 72. LDAP Authentication

25. In the Host Name or IP Address for Server field, type: ad1.dcloud.cisco.com.

Figure 73. LDAP Server Information

26. Click Save.

Enterprise Parameters: URI Dialing and Enterprise Groups

1. From the Unified Communications Manager Administration webpage, use the main menu to navigate to System > Enterprise
Parameters.

2. Scroll to the End User Parameters section.

3. Set the Directory URI Alias Partition value to CST-URI-PT.

Figure 74. End User Parameters

4. Scroll to the User Management Parameters section.

5. Set Directory Group Operations on Cisco IM and Presence to Enabled.

6. Click Save.

7. Click Apply Config.

8. From the Apply Configuration popup dialog, click OK.


Figure 75. Apply Configuration

IM and Presence Service Configuration


Connect to Unified IM and Presence

1. From the RDP session on wkst1.dcloud.cisco.com, launch Internet Explorer (if NOT already open) or click the New Tab
icon.

2. From the dCloud Homepage navigate to Collaboration Admin Links > Cisco Unified IM and Presence Service to connect
to imp1.dcloud.cisco.com. Optionally, you may manually type https://imp1.dcloud.cisco.com in the address bar.

Figure 76. Collaboration Admin Links

3. Acknowledge the certificate error by clicking Continue to this Website.

4. From the Installed Applications list, click Cisco Unified IM and Presence.

Figure 77. Installed Applications


5. In the Username field, type administrator.

6. In the Password field, type dCloud123!.

7. Click Login.

Figure 78. Login Prompt

Configure Presence Gateway

8. From the menu choose Presence > Gateways.

Figure 79. Gateways Menu

9. Click Add New.

10. Under Presence Gateway Settings, set the following values:

• Presence Gateway Type: CUCM (default)

• Description: UCM Presence Gateway

• Presence Gateway: ucm1.dcloud.cisco.com

Figure 80. Presence Gateway Settings


11. Click Save.

Enable Flexible Jabber ID (JID) and Multi-Domain Support


Flexible Jabber ID (JID)

By default, the Jabber ID (JID) is based on the Unified CM User ID, in the form <uid>@xmpp-domain. The flexible JID feature allows
the JID to be constructed from the Directory URI field. The Directory URI may be administratively mapped from one of the following
LDAP synchronized data fields:

• mail (as is the case in this lab)

• msRTCSIP-PrimaryUserAddress

• Manually Configured by Administrator

This allows organizations to map user JIDs that align with the corporate naming address scheme in use. For example, a user’s JID
(IM address) can be mapped to their E-Mail address using the mail parameter, effectively creating a single address for multi-modal
communications.

The graphic below demonstrates how this feature affects the demonstration users in the Lab.

Figure 81. Addressing Scheme Comparison

Multi-Domain Support

Jabber IDs across multiple domains are now supported in a single Unified IM and Presence cluster. For example, an organization
may manage many email domains, but only a single IM and Presence cluster. The JIDs can be formed based on the different email
domains in this scenario, such as in our lab topology:

• dcloud.cisco.com


• alpha.com

• uk.dcloud.cisco.com

The Cisco Unified IM and Presence service will automatically learn the domains in the assigned topology from those detected
in the @domain portion of each JID (IM Address).
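As an added illustration (not part of the lab or Cisco's code), the following Python ties the mask step from the LDAP Directory section to the JID and domain behaviour just described: it applies the 13-character mask to synced telephone numbers, checks that the mask is long enough for the longest number, derives each user's JID from the Directory URI (mapped from mail), and parses out the domains IM and Presence would learn. The mask semantics beyond what the lab states (right alignment, left truncation of over-long numbers), the cluster default XMPP domain, and the aperez and UK sample numbers and user are assumptions.

```python
"""Simulation of the LDAP directory agreement configured in this lab: the DN
mask applied to synced telephoneNumber values, the JID derived from the
Directory URI (mapped from mail), and the domains IM and Presence learns from
those JIDs. Added illustration, not Cisco code; see the assumptions in comments."""
from dataclasses import dataclass

DN_MASK = "X" * 13                          # the mask entered in step 18 above
DEFAULT_XMPP_DOMAIN = "dcloud.cisco.com"    # assumption: cluster default domain


@dataclass(frozen=True)
class ADUser:
    """The three Active Directory attributes the lab relies on."""
    sAMAccountName: str
    mail: str               # mapped to Directory URI by the LDAP agreement
    telephoneNumber: str    # stored in AD as +E.164


def apply_dn_mask(number: str, mask: str) -> str:
    """Apply a Unified CM style mask right-to-left: each 'X' takes the next
    character of the number counting from the right, any other mask character
    is inserted literally. When the number has fewer characters than there are
    X positions, the unused positions are dropped and the number is inserted
    as-is (as the lab text states); when it has more, the surplus leading
    characters are truncated, which is an assumption the lab does not cover."""
    remaining = list(number)
    out = []
    for ch in reversed(mask):
        if ch == "X":
            if remaining:
                out.append(remaining.pop())
        else:
            out.append(ch)
    return "".join(reversed(out))


def mask_fits(users, mask: str) -> bool:
    """The check the lab reasons through in prose: the mask is long enough only
    if its count of X positions is at least the length of the longest number."""
    longest = max((len(u.telephoneNumber) for u in users), default=0)
    return mask.count("X") >= longest


def jabber_id(user: ADUser, scheme: str = "Directory URI") -> str:
    """Default IM address scheme is <uid>@<default xmpp domain>; the flexible
    scheme chosen in this lab takes the Directory URI, here the mail value."""
    if scheme == "Directory URI":
        return user.mail
    return f"{user.sAMAccountName}@{DEFAULT_XMPP_DOMAIN}"


def learned_domains(jids) -> set:
    """IM and Presence learns its system-managed domains by parsing the
    @domain portion of each assigned JID."""
    return {jid.rsplit("@", 1)[1] for jid in jids if "@" in jid}


def sync_users(users, mask=DN_MASK, scheme="Directory URI"):
    """Produce the End User records a full sync would create for these users."""
    return [
        {
            "userid": u.sAMAccountName,
            "directory_uri": u.mail,
            "directory_number": apply_dn_mask(u.telephoneNumber, mask),
            "jid": jabber_id(u, scheme),
        }
        for u in users
    ]


# Constructed sample users in the lab's three domains. cholland's number is the
# one the lab shows later; the other two users' numbers (and the UK user) are
# made up for illustration.
SAMPLE_USERS = [
    ADUser("cholland", "cholland@dcloud.cisco.com", "+14085556018"),
    ADUser("aperez", "aperez@alpha.com", "+12125550142"),
    ADUser("ukuser", "ukuser@uk.dcloud.cisco.com", "+442079460001"),
]

if __name__ == "__main__":
    records = sync_users(SAMPLE_USERS)
    for rec in records:
        print(rec)
    print("mask long enough:", mask_fits(SAMPLE_USERS, DN_MASK))
    print("learned domains:", sorted(learned_domains(r["jid"] for r in records)))
```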

Explore Advanced Presence Settings

1. From the menu choose Presence > Settings > Advanced Configuration.

2. This is the configuration screen where the IM Address scheme can be modified to support flexible JID and Multi-Domain
provisioning.

3. Observe that all configuration items are Grayed Out. A message indicating that certain services must be stopped in order to
continue is displayed.

Figure 82. Domain and IM Address Settings

Shutdown Required IM and Presence Services

1. From the active RDP session connected to wkst1.dcloud.cisco.com, launch the terminal application PuTTY by clicking on
the icon in the taskbar.

Figure 83. PuTTY Icon

2. Under Saved Sessions, choose the entry imp1 and click Load.

Figure 84. PuTTY Saved Sessions


3. Click the Open button to launch a secure shell connection to the IM and Presence node imp1.dcloud.cisco.com.

4. At the Login As prompt, type administrator.

5. At the password prompt, type dCloud123!.

Figure 85. PuTTY Terminal Window

NOTE: In the next section, you will type a series of serviceability commands. In order to eliminate the possibility of typographic
errors and to save time, you may open a file with pre-configured text and copy and paste each command in place of typing. From
the Desktop of Wkst1 browse to CST-Jabber > Utilities and open the file: service-stop-start.txt. Copy commands one at a time
as instructed in the following steps. To paste into the PuTTY window, simply right click within the active terminal connection.

6. Type the following command: utils service stop Cisco Presence Engine

7. Press Enter.

8. Confirm that the service has been stopped.

Figure 86. Service Stopped

9. Type the following command: utils service stop Cisco SIP Proxy

10. Press Enter.

11. Confirm that the service has been stopped.

Figure 87. Service Stopped

12. Type the following command: utils service stop Cisco XCP Router

13. Press Enter.

14. Confirm that the service has been stopped.


Figure 88. Service Stopped

15. Type the following command: utils service stop Cisco Sync Agent

16. Press Enter.

17. Confirm that the service has been stopped.

Figure 89. Service Stopped

18. Type the following command: utils service stop Cisco Client Profile Agent

19. Press Enter.

20. Confirm that the service has been stopped.

Figure 90. Service Stopped

Configure Domain and IM Address Settings

With all of the required services stopped, we may now proceed to configure the IM Address scheme for Multi-Domain support.

1. Switch focus to the Cisco IM and Presence Administration webpage.

2. If the session timer has expired, log in again with Username: administrator and Password: dCloud123!. Otherwise, proceed
to the next step.

3. From the menu choose Presence > Settings > Advanced Configuration.

4. Choose the Radio Button labeled IM Address Scheme.

5. Use the drop down menu to choose Directory URI.

6. Click Save.

7. Click Ok to acknowledge both Webpage notifications.

Figure 91. Webpage Notification


NOTE: This message is a reminder that the specified modification is applied globally to all Users assigned to this IM and Presence
cluster. In this lab, we are dealing with only 29 total users supporting this feature, in a Net-New install. If this was an existing
installation with users imported into the IM and Presence database, this operation would trigger an update of ALL user records,
which could have significant impact on system performance. This change would be permanent and requires that ALL Cisco Jabber
clients in use be at version 10.6 or higher for support.

8. Observe the Status message at the top of the page, displayed immediately after initiating the change. This indicates that the
IM Address Scheme update has been triggered.

Figure 92. Address Scheme Update

9. Wait until the message transitions to IM address Scheme change update successful before proceeding.

Figure 93. Success Notification

Start Required IM and Presence Services

In a previous exercise, we stopped essential Unified IM and Presence services in order to modify the IM Address scheme. The
next steps will guide you through the process of starting these services to resume normal operation.

1. Switch back to the PuTTY terminal session connected to imp1.dcloud.cisco.com. If the console session login timeout has
expired and/or PuTTY has been closed, launch the PuTTY application as described earlier, load the imp1 saved session, and
click Open.

2. If you are NOT actively logged in to the server, log into the imp1.dcloud.cisco.com CLI with the (administrator/dCloud123!)
password combination referenced earlier.

NOTE: In the next section, you will type a series of serviceability commands. In order to eliminate the possibility of typographic
errors and to save time, you may open a file with pre-configured text and copy and paste each command in place of typing. From
the Desktop of Wkst1 browse to CST-Jabber > Utilities and open the file: service-stop-start.txt. Copy commands one at a time
as instructed in the following steps. To paste into the PuTTY window, simply right click within the active terminal connection.

3. Type the following command: utils service start Cisco Presence Engine

4. Press Enter.

5. Confirm that the service has started.

Figure 94. Service Started


6. Type the following command: utils service start Cisco SIP Proxy

7. Press Enter.

8. Confirm that the service has started.

Figure 95. Service Started

9. Type the following command: utils service start Cisco XCP Router

10. Press Enter.

11. Confirm that the service has started.

Figure 96. Service Started

12. Type the following command: utils service start Cisco Sync Agent

13. Press Enter.

14. Confirm that the service has started.

Figure 97. Service Started

15. Type the following command: utils service start Cisco Client Profile Agent

16. Press Enter.

17. Confirm that the service started.

Figure 98. Service Started

NOTE: In a previous exercise, we Stopped the Cisco XCP Router service. If you Stop the Cisco XCP Router instead of choosing
to restart this service, the IM and Presence Service will automatically stop all other dependent XCP services. Subsequently when
you turn on the XCP router, the IM and Presence Service does not automatically turn on the other XCP services; you need to
manually turn on the other XCP services.

18. Type the following command: utils service start Cisco XCP Connection Manager

19. Press Enter.

20. Confirm that the service started.


Figure 99. Service Started

21. Type the following command: utils service start Cisco XCP Authentication Service

22. Press Enter.

23. Confirm that the service started.

Figure 100. Service Started

24. Type the following command: utils service start Cisco XCP Text Conference Manager

25. Press Enter.

26. Confirm that the service started.

Figure 101. Service Started

27. Type exit to close the PuTTY session.

User and Group Import


In this section, we will Import Active Directory users and Enterprise Groups based on the LDAP Directory configuration defined
previously.

Establish Active Connections to Unified CM and Unified IM and Presence

We will begin by opening a web browser session with active connections to both ucm1.dcloud.cisco.com and
imp1.dcloud.cisco.com in separate tabs.

NOTE: If an active Internet Explorer window with tabs for ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com is already open on
wkst1.dcloud.cisco.com, you may simply authenticate using (administrator/dCloud123!) to both interfaces and proceed to the first
listed exercise: Perform LDAP Directory Synchronization.

1. From the RDP session on wkst1.dcloud.cisco.com, launch Internet Explorer.

2. Navigate to Collaboration Admin Links > Cisco Unified Communications Manager to connect to
ucm1.dcloud.cisco.com.

3. Click the Cisco Unified Communications Manager hyperlink.

4. Log in to Cisco Unified CM Administration with the (administrator/dCloud123!) password combination.

5. Click the New Tab icon on the active Internet Explorer window.


6. From the Cisco dCloud homepage navigate to Collaboration Admin Links > Cisco Unified IM and Presence Service.

7. Click the Cisco Unified Communications Manager IM and Presence hyperlink.

8. Log in to Cisco IM and Presence with the (administrator/dCloud123!) password combination.

9. The Browser tabs should appear as depicted below.

Figure 102. Browser Tab Configuration

Perform LDAP Directory Synchronization

1. From the Unified Communications Manager Administration interface, navigate to System > LDAP > LDAP
Directory.

2. Click Find.

3. Click the hyperlink for CST LDAP to open the directory configuration page.

Figure 103. LDAP Configuration Name

4. Click Perform Full Sync Now.

Figure 104. Full Sync Now

5. Acknowledge the webpage notification by clicking OK.

Figure 105. Webpage Notification

6. Observe the status message in the upper left-hand corner of the LDAP Directory configuration page.


Figure 106. Update Successful

7. Wait at least 60 seconds before proceeding.

Verify End User Import Process

1. From the main menu choose User Management > End User.

2. Click Find.

3. Observe that the 29 Users identified during the Active Directory review activity are listed. Pay particular attention to our two
demonstration users Charles Holland – cholland and Anita Perez – aperez.

Figure 107. Demonstration Users

4. Confirm that the synchronized Directory URI for Anita Perez is set to aperez@alpha.com.

5. Confirm that the synchronized Directory URI for Charles Holland is set to cholland@dcloud.cisco.com.

Verify Group Import Process

6. From the main menu navigate to User Management > User Settings > User Group.

Figure 108. User Group Menu

7. Click Find.


8. Notice that the distribution groups provisioned in the earlier exercise are synchronized through the LDAP agreement.

Figure 109. LDAP Groups

9. Click on the Sales group hyperlink to open the membership properties.

10. Click Find to view current group membership.

Figure 110. Group Information

NOTE: Changes to the membership of the distribution group in Active Directory will be propagated dynamically during the
scheduled LDAP sync process. Changes to assigned members will be reflected in the Jabber client where users have added these
groups as contact sources.

Verify Directory Number Creation

11. Navigate to Call Routing > Directory Number.

12. Click Find.

13. Observe that the LDAP Synchronization process has automatically generated directory numbers in the CST-DN-PT in +E164
format based on the Active Directory telephoneNumber field.


Figure 111. Active Directory Numbers

Verify Presence Data Synchronization and Multi-Domain List

14. Switch to the IM and Presence Service Console tab in the Internet Explorer browser window.

15. If necessary, use the (administrator/dCloud123!) username and password combination to log in.

16. Navigate to Presence > Domains.

17. Observe the list of System Managed Domains, which have been learned through the LDAP Synchronization process. Each
unique domain is detected by parsing the assigned Directory URI.

Figure 112. System Managed Domains

18. Confirm the presence of the following 3 presence domains:

• dcloud.cisco.com

• uk.dcloud.cisco.com

• alpha.com

19. Navigate to System > Presence Topology.

20. Hover your mouse pointer over the imp1.dcloud.cisco.com node icon.


Figure 113. Dynamic Menu Options

21. Observe that listed items appear with a Green Check Mark.

22. Click All Assigned Users from the Presence Topology navigation pane.

Figure 114. Presence Topology

23. Click Find.

24. Observe that the IM Address (JID) assigned to each user matches the Directory URI field.

Figure 115. IM Address

Provision Devices and Client Configuration


Auto-Provision Jabber Client Service Framework (CSF) Devices

1. Switch to the Unified CM Console tab in the Internet Explorer browser window.

2. If necessary, use the (administrator/dCloud123!) username and password combination to log in.

3. From the menu choose User Management > User/Phone Add > Quick User/Phone Add.


Figure 116. Quick User/Phone Add

4. To filter the user search results type Anita in the Find User where field. (Default Search Criteria is First Name)

5. Click Find.

Figure 117. User ID

6. Click the aperez hyperlink to choose the target user.

7. From the Quick User/Phone Add configuration page, click Manage Devices.

Figure 118. Manage Devices Button

8. Click Add New Phone.


Figure 119. Add New Phone Button

9. Set the following values in the configuration pop-up menu:

• Product Type: Cisco Unified Client Services Framework

• Device Protocol: SIP (Auto-populated based on Product Type selection)

• Device Name: csfaperez

• Universal Device Template: CST Device Template

Figure 120. Add Phone to User

10. Click Add Phone.

11. Observe the Success message which displays in the bottom right corner of the screen.

Figure 121. Operation Success

12. From the Related Links navigation menu, choose Back to Find List Users.

Figure 122. Back to Find List Users


13. Click Go.

14. To filter the user search results type Charles in the Find User where field.

15. Click the cholland hyperlink to choose the target user.

Figure 123. User ID

16. From the Quick User/Phone Add configuration page, click Manage Devices.

17. Click Add New Phone.

18. Set the following values in the configuration pop-up menu:

• Product Type: Cisco Unified Client Services Framework

• Device Protocol: SIP (Auto-populated based on Product Type selection)

• Device Name: csfcholland

• Universal Device Template: CST Device Template

Figure 124. Add Phone to User

19. Click Add Phone.

20. Observe the Success message which displays in the bottom right corner of the screen.

Figure 125. Operation Success

21. From the menu navigate to Device > Phone.

22. Click Find.

23. Observe that both Client Services Framework devices have been added to the Unified CM device database.


Figure 126. CSF Devices

24. Click the CSFCHOLLAND Device Name hyperlink to open the device configuration.

25. Observe that the Directory Number +14085556018 created via the initial LDAP synchronization was automatically
associated to the device. Notice that configuration elements defined during the creation of Auto-Provisioning templates, such
as Device CSS, have been set to the values specified through that process.

Figure 127. Phone Options

26. If desired, you may investigate the auto-provisioning of the CSFAPEREZ device. When you are ready, move to the next step.

27. Navigate to User Management > End User from the main menu.

Figure 128. End User Menu

28. Locate the list entry for Charles Holland (cholland).

29. Click the cholland User ID hyperlink.

30. Scroll down to Service Settings and observe that through the Auto-Provisioning process this user has been enabled for
Unified IM and Presence, and an associated UC Service Profile has been assigned.

31. Confirm that the CSF Device CSFCHOLLAND is listed as an associated device.


Figure 129. Charles Holland Device Added

32. Click the Line Appearance Associate for Presence button.

33. Click Find.

34. Observe that the Auto-Provisioning process has automatically added the Directory Number line appearance of the device
CSFCHOLLAND with the end user.

Figure 130. Line Appearance Association for Presence

35. Close the Line Appearance Association for Presence dialog by clicking Cancel.

36. Through the previous activity, user Anita Perez (aperez) has been similarly provisioned. You may investigate this if you wish;
when you are ready, move on to the next activity.

Review Jabber-Config.xml

As discussed in the Lab Pre-Configuration section, a series of jabber-config.xml files have been staged on
wkst1.dcloud.cisco.com, wkst2.dcloud.cisco.com, and ad1.dcloud.cisco.com.

1. From the Desktop of wkst1.dcloud.cisco.com, locate and open the folder CST-Jabber.

2. Use the windows file explorer to browse to CST-Jabber\Jabber-Config-Files\Deployment\.

Figure 131. Jabber-config.xml

3. Right click the file jabber-config.xml and choose Open with > Notepad.


Figure 132. Open With Notepad

4. The following parameters were added to the Directory section of the file to enable Flexible JID:

• <SipUri>mail</SipUri>

• <UseSIPURIToResolveContacts>true</UseSIPURIToResolveContacts>

• <BDISipUri>mail</BDISipUri>

• <BDIUseSIPURIToResolveContacts>true</BDIUseSIPURIToResolveContacts>

URI dialing allows users to make calls and resolve contacts with Uniform Resource Identifiers (URI). For example, a user named
Charles Holland has the following SIP URI associated with his directory number: cholland@dcloud.cisco.com. URI dialing enables
users to call Charles with his SIP URI rather than his directory number.

5. The following parameters were added to support URI Dialing:

• <EnableSIPURIDialling>True</EnableSIPURIDialling> (Required)

• <BusinessPhone>telephoneNumber</BusinessPhone> (COSMETIC ONLY: If not added then the SIP URI will be
identified as the work number and the Business telephone will indicate unknown)

6. The following parameters were added to support the Save Chat to Exchange feature:

• <enablesavechathistorytoexchange>True</enablesavechathistorytoexchange>

• <InternalExchangeServer>mail1</InternalExchangeServer>

7. Close Notepad when finished reviewing the file.

NOTE: Each time a modification to the jabber-config.xml file is made in support of added features/enhancements, it must first be
uploaded to the Unified Communications Manager TFTP server, and the TFTP service must be restarted before the new
configuration becomes available to the client software.

Upload Jabber-Config.xml and Restart TFTP

1. From an active browser session to ucm1.dcloud.cisco.com on wkst1.dcloud.cisco.com, use the Navigation menu to
choose Cisco Unified OS Administration.

Figure 133. Navigation Menu

2. Click Go.

3. Enter the (administrator/dCloud123!) username/password combination.

4. Click Login.

5. Navigate to Software Upgrades > TFTP File Management.


Figure 134. TFTP File Management

6. Click Upload File.

Figure 135. Upload File

7. From the Upload File dialog, click the Browse button.

Figure 136. Upload File Dialog Box

8. Use the file explorer to navigate to Desktop\CST-Jabber\Jabber-Config-Files\Deployment\.

9. Choose the jabber-config.xml file.

10. Click Open.

11. From the Upload File dialog, click Upload File.

12. Observe the status message: File uploaded successfully.

13. Click Close.

Figure 137. File Upload Complete

14. From the Navigation menu, choose Cisco Unified Serviceability.

Figure 138. Navigation Menu


15. Click Go.

16. Enter the (administrator/dCloud123!) username/password combination.

17. Click Login.

18. From the Menu choose Tools > Control Center – Feature Services.

Figure 139. Control Center – Feature Services

19. From the Choose Server drop down list, choose ucm1.dcloud.cisco.com.

Figure 140. Select Server

20. Click Go.

21. Under CM Services, choose Cisco Tftp.

22. Click Restart.

23. Click Ok to acknowledge the Service Restart notification.

24. The page will automatically refresh, displaying the status of the restart command. Wait until the message Cisco Tftp Service
Restart Operation was Successful is displayed.

Figure 141. Restart Successful

Verify Jabber-Config.xml

To confirm that the updated jabber-config.xml is being served by ucm1.dcloud.cisco.com we will use a web-browser to request
the jabber-config.xml file from the Unified Communications Manager TFTP Server.

NOTE: Internet Explorer does not properly render the XML file when requested over http in this manner. As such, we will be using
Mozilla Firefox for the next exercise.

1. Launch Firefox by clicking the icon in the windows taskbar.

2. From the Cisco dCloud homepage, navigate to Collaboration User and Test Links > Jabber-Config Check. Optionally you
may manually navigate to the following URL: http://ucm1.dcloud.cisco.com:6970/jabber-config.xml.


Figure 142. Jabber-Config Check

3. Confirm that the jabber-config.xml file reviewed earlier matches the output of the web browser.

Figure 143. Jabber File Output

4. Close the Firefox browser.
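The browser check above is visual. As an added example (not part of the lab or of Cisco tooling), the following Python performs the same verification programmatically: it parses a jabber-config.xml and reports any of the Flexible JID, URI dialing and Save Chat to Exchange parameters reviewed earlier that are missing or carry another value. The live fetch uses the lab's Jabber-Config Check URL; the placement of the non-Directory parameters under Options in the constructed sample is an assumption.

```python
"""Verifier for the jabber-config.xml served by the Unified CM TFTP server:
parses the file and checks that the Flexible JID, URI dialing and Save Chat to
Exchange parameters reviewed in this lab are present with the expected values.
Added example, not part of the lab or of Cisco tooling."""
import xml.etree.ElementTree as ET
from urllib.request import urlopen

# Where the lab's Jabber-Config Check link points (HTTP side of the TFTP server).
CONFIG_URL = "http://ucm1.dcloud.cisco.com:6970/jabber-config.xml"

# Parameter -> value the lab adds. Values compare case-insensitively because
# the lab itself mixes "true" and "True" for the same kind of flag.
EXPECTED = {
    "SipUri": "mail",
    "UseSIPURIToResolveContacts": "true",
    "BDISipUri": "mail",
    "BDIUseSIPURIToResolveContacts": "true",
    "EnableSIPURIDialling": "True",
    "BusinessPhone": "telephoneNumber",
    "enablesavechathistorytoexchange": "True",
    "InternalExchangeServer": "mail1",
}


def check_jabber_config(xml_text: str, expected=EXPECTED) -> dict:
    """Return {parameter: problem} for every expected parameter that is absent
    or carries another value; an empty dict means the served file matches.
    Parameters are matched by tag name anywhere in the tree, so section
    placement (Directory, Options, ...) does not affect the result."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"<document>": f"not well-formed XML: {exc}"}
    found = {}
    for elem in root.iter():
        if elem.tag in expected and elem.tag not in found:
            found[elem.tag] = (elem.text or "").strip()
    problems = {}
    for name, want in expected.items():
        if name not in found:
            problems[name] = "missing"
        elif found[name].casefold() != want.casefold():
            problems[name] = f"got {found[name]!r}"
    return problems


def fetch_and_check(url: str = CONFIG_URL, timeout: float = 10.0) -> dict:
    """Fetch the live file, as the Firefox step does, and check it.
    Not exercised offline; the constructed sample below stands in for the server."""
    with urlopen(url, timeout=timeout) as resp:
        return check_jabber_config(resp.read().decode("utf-8"))


# Constructed stand-in for the staged file. The Directory entries are the ones
# the lab lists; placing the remaining parameters under Options is an assumption.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Directory>
    <SipUri>mail</SipUri>
    <UseSIPURIToResolveContacts>true</UseSIPURIToResolveContacts>
    <BDISipUri>mail</BDISipUri>
    <BDIUseSIPURIToResolveContacts>true</BDIUseSIPURIToResolveContacts>
    <BusinessPhone>telephoneNumber</BusinessPhone>
  </Directory>
  <Options>
    <EnableSIPURIDialling>True</EnableSIPURIDialling>
    <enablesavechathistorytoexchange>True</enablesavechathistorytoexchange>
    <InternalExchangeServer>mail1</InternalExchangeServer>
  </Options>
</config>
"""

if __name__ == "__main__":
    print(check_jabber_config(SAMPLE_CONFIG) or "sample config OK")
```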


Activity 3: SSL Certificate Management: Cisco Unified CM and Cisco Unified IM and Presence

Our deployment provisioning is complete. Clients should now be able to launch and use Cisco Jabber. However, one final
deployment task remains and that is SSL Certificate Management.

Currently both the Cisco Unified Communications Manager (ucm1.dcloud.cisco.com) and the Cisco Unified IM and Presence
Server (imp1.dcloud.cisco.com) are using self-signed SSL certificates generated during the installation process. Cisco Jabber
relies on SSL certificate validation to establish secure connections with applications and services hosted on servers. In so doing,
Cisco Jabber is authenticating the identity of the hosts to which it connects. Cisco Jabber will NOT automatically accept any
certificate issued by an untrusted Certificate Authority (CA), and this includes self-signed certificates.

In order to establish an environment for secure connectivity we MUST deploy CA signed certificates across all Cisco Collaboration
applications in the environment. This is also a requirement for implementation of Mobile and Remote Access with Cisco
Expressway, and SAML Single Sign-On; both addressed later in the lab.

As this is a lab environment, we will be using an instance of Microsoft Active Directory Certificate Services installed on
ad1.dcloud.cisco.com as our primary trust point. In essence, we will assume that ad1.dcloud.cisco.com is a trusted Certificate
Authority and configure Unified CM, Unified IM and Presence, and Cisco Expressway to trust any certificate signed by
ad1.dcloud.cisco.com as authentic.

In a production environment, a third party CA would take the place of ad1.dcloud.cisco.com, however the fundamental mechanics
of SSL certificate management remain unchanged.

NOTE: As Unity Connection does not play a role in the configuration or demonstration content of the exercises in this lab, a
Certificate signed by ad1.dcloud.cisco.com has already been installed as part of the pre-configuration and to avoid certificate
errors during interaction with the Cisco Jabber client in later exercises.

Activity Objectives
You will perform the following during this activity:

• Identify required naming convention for Cisco Unified Collaboration service nodes

• Establish a Root trust relationship between ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com with the Certificate
Authority hosted on ad1.dcloud.cisco.com

• Generate and download Certificate Signing Requests for required services across Cisco Unified CM and Unified IM and
Presence

• Use Microsoft Active Directory Certificate services to generate CA signed certificates for Cisco Unified CM and Unified IM
and Presence

• Install CA Signed Certificates and verify operation


Configure Unified CM and IM and Presence with FQDNs


This operation has already been performed in advance; however, we will review the currently configured server names.

The reason for changing the Unified CM and Unified IM and Presence server names from hostname or IP address to FQDN is so
that they can be resolved by the different services and client applications which access them over the network. The Cisco Jabber for
Windows certificate validation process expects that the identity of hosts providing services is reflected as an FQDN in the
Common Name field of CA signed certificates.

1. From the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36), change focus of the Internet Explorer to the
browser tab connected to ucm1.dcloud.cisco.com. Use the Navigation menu to choose Cisco Unified CM Administration
and click Go.

2. If the login session timeout has expired from the previous activity, log in with Username: administrator and
Password: dCloud123!.

3. From the Cisco Unified CM Administration webpage, navigate to System > Server.

4. Click Find.

5. Confirm that the server hostnames reflect their fully qualified domain name as shown.

Figure 144. FQDN List

Establish Root CA Trust


Download CA Root Certificate from CA server (AD1)

Jabber clients no longer accept the self-signed certificates installed by default on the UC servers. In this section, you will install the
CA signed certificates. You can use publicly trusted CA signed certificates or those created by an internal CA such as Microsoft
Active Directory Certificate Services. This lab makes use of the latter.

NOTE: You will download and create multiple certificates. Rename these files as they are downloaded to keep better track of them.
The default Download directory for the browsers in this lab is Desktop\CST-Jabber\Downloads.

1. On wkst1.dcloud.cisco.com, open a new tab in Internet Explorer.

2. From the dCloud homepage, choose dCloud Certificates > AD1 Certificate Services. Optionally, you may navigate to
http://ad1.dcloud.cisco.com/certsrv.

Figure 145. Certificate Services Link


3. Authenticate with Username: administrator and Password: C1sco12345.

Figure 146. Login Prompt

4. Click Download a CA certificate, certificate chain, or CRL.

5. Choose the radio button for Base 64 and then click Download CA certificate.

Figure 147. Download CA Certificate Steps

6. Click Save when prompted.

7. Minimize Internet Explorer and open the Desktop\CST-Jabber\Downloads folder.

8. Rename the certnew.cer file to CARootCert.cer.

Figure 148. CARootCert File

Upload the CA Root Certificate to Unified CM, IM and Presence

In order to create a trust point for authentication, we must first configure Unified Communications Manager
(ucm1.dcloud.cisco.com) and Unified IM and Presence (imp1.dcloud.cisco.com) to trust the Root Certificate associated with
our Certification Authority. To do this, we will upload the Root certificate obtained in the previous exercise to the Unified
Communications Manager Publisher (ucm1.dcloud.cisco.com).

NOTE: From Collaboration Systems Release 10.x onward, the Cisco Unified IM and Presence service is considered a part of
the Unified Communications Manager cluster. Therefore, certificate replication is performed by the publisher to all nodes in the
cluster. Before this enhancement, we would have needed to perform this operation on both ucm1.dcloud.cisco.com and
imp1.dcloud.cisco.com.


1. From an active browser session to ucm1.dcloud.cisco.com, use the Navigation menu to choose Cisco Unified OS
Administration.

2. Login with Username: administrator and Password: dCloud123!.

3. Navigate to Security > Certificate Management from the menu.

Figure 149. Certificate Management Menu

4. Click Upload Certificate/Certificate chain.

Figure 150. Upload Certificate Icon

5. Choose tomcat-trust from the drop down menu. Do NOT choose tomcat.

6. For description, enter AD1 CA Root Certificate.

Figure 151. Upload Certificate Menu

7. Click Browse.

8. Use the file explorer to navigate to Desktop\CST-Jabber\Downloads\.

9. Choose the CARootCert.cer file.

Figure 152. CARootCert File

10. Click Open.

11. Click Upload.

12. Observe the Success: Certificate Uploaded message.

Figure 153. Certificate Uploaded Message


13. Click Close.

NOTE: In order for certificate management changes to take effect the Cisco Tomcat service must be restarted. We will restart
Cisco Tomcat in a later step.

Request and Install a CA Signed Tomcat Certificate


Generate and Download a Tomcat Certificate Signing Request (CSR)

1. Click Generate CSR from the menu.

Figure 154. Generate CSR Icon

2. Set the following values in the Certificate Signing Request dialog:

• Certificate Purpose: tomcat

• Distribution: Multi-Server(San)

• Key Length: 2048

• Hash Algorithm: SHA256

3. Ensure that the values entered match the graphic below.

Figure 155. Generate Certificate Signing Request


4. Click Generate.

5. Verify that CSR generation completed successfully and that the export completed for both ucm1.dcloud.cisco.com and
imp1.dcloud.cisco.com.

Figure 156. Certificate Signing Request Generated

6. Click Close.

7. Click Download CSR from the menu.

Figure 157. Download CSR Icon

8. Confirm Certificate Purpose is set to tomcat.

9. Click Download CSR.

10. Click Save when prompted.

11. Click Close to exit the download dialog.

12. Open or switch focus to the CST-Jabber\Downloads folder.

13. Right click the downloaded tomcat.csr file and choose rename.

14. Rename the file to ucm1-tomcat.csr.

Submit and Download a Tomcat CA Signed Certificate

1. Double click the file ucm1-tomcat.csr.

2. Click the button for Select a program from a list of installed programs from the file dialog pop-up.

3. Click OK.

4. Choose Notepad from the list.

5. Click OK.

6. From the Notepad main menu choose Format > Word Wrap.


Figure 158. Word Wrap

7. Press CTRL-A, to highlight all text in the open file.

8. Press CTRL-C, to copy highlighted data into the computer buffer.

9. Close the Notepad application.

10. Switch focus back to Internet Explorer and open the tab connected to AD1 Certificate Services.

11. Click the hyperlink for Home, in the upper right of the Microsoft Active Directory Certificate Services webpage.

12. Click Request a Certificate.

Figure 159. Request a Certificate

13. Click advanced certificate request.

Figure 160. Advanced Certificate Request

14. Click in the Saved Request field to make it active.

15. Press CTRL-V to paste the data saved to the computer buffer.

16. From the Certificate Template drop-down choose Web Server.

Figure 161. Certificate Request


17. Click Submit.

18. Choose Base 64 encoded.

Figure 162. Certificate Issued

19. Click Download certificate.

20. Click Save.

21. Open the Desktop\CST-Jabber\Downloads folder.

22. Rename the certnew.cer file to ucm1-CA-tomcat.cer.

Upload CA Signed Tomcat Certificate to Unified CM

1. Return to Internet Explorer and choose the tab connected to ucm1.dcloud.cisco.com.

2. Use the Navigation menu to choose Cisco Unified OS Administration (if not already there).

3. Login with Username: administrator and Password: dCloud123! (if prompted).

4. Navigate to Security > Certificate Management from the menu.

5. Click Upload Certificate/Certificate Chain.

Figure 163. Upload Certificate Icon

6. Set the Certificate Purpose value to tomcat (NOT tomcat-trust).

7. Click Browse.

8. Use the file explorer to navigate to Desktop\CST-Jabber\Downloads\.

9. Choose the ucm1-CA-tomcat.cer file.

Figure 164. Certificate File

10. Click Open.

11. Click Upload.

12. Confirm that the operation is successful. The Unified CM Status message should appear as in the image below:


Figure 165. Status Message

13. Click Close.

NOTE: Because Unified CM supports the use of Multi-Server (Subject Alternative Name) SSL certificates, only a single CA Signed
certificate is required for all nodes in the Unified CM Cluster.
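The certificate work in this section, from the FQDN requirement through the tomcat-trust upload, the Multi-Server (SAN) CSR values and the CA-signed tomcat certificate, can be reproduced and checked with OpenSSL. The script below is an added example written for this edit; it is not part of the lab guide and not Cisco tooling. It builds a throwaway root CA standing in for the AD1 CA, generates a multi-server CSR with the key length and hash the lab dialog asks for, signs it the way the Web Server template would, and then checks what the trust-store/identity-store split and the FQDN requirement amount to: the identity certificate must chain to a trusted root, and its SAN must name each node by FQDN, so a short hostname such as ucm1 does not validate. The node FQDNs are the lab's; the CA name, the ucm1-ms subject and all file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the dCloud lab guide or Cisco tooling). Reproduces
# with OpenSSL the certificate workflow the lab drives through the Unified OS
# Administration and AD Certificate Services pages:
#   1. a root CA whose certificate belongs in a *-trust store (tomcat-trust),
#   2. a multi-server (SAN) CSR, 2048-bit RSA, SHA-256,
#   3. a CA-signed identity certificate for the service store (tomcat),
#   4. checks: the chain validates and every node FQDN is covered by the SAN.
# The node FQDNs are the lab's; the CA name, the "-ms" subject and all file
# names are assumptions. Everything is written to a scratch directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed root CA standing in for the ad1.dcloud.cisco.com CA.
make_root_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = Lab
CN = dcloud-AD1-CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/CARootCert.pem" >/dev/null 2>&1
}

# 2. Multi-server CSR: one request whose SAN lists every cluster node, which
#    is what "Distribution: Multi-Server(SAN)" produces on Unified CM.
make_multi_server_csr() {
    cat > "$WORK/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
O = Lab
CN = ucm1-ms.dcloud.cisco.com
[ext]
subjectAltName = DNS:ucm1.dcloud.cisco.com,DNS:imp1.dcloud.cisco.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/san.cnf" \
        -keyout "$WORK/tomcat.key" -out "$WORK/ucm1-tomcat.csr" >/dev/null 2>&1
}

# 3. Sign the CSR with the root CA. The lab's "Web Server" template yields a
#    serverAuth certificate; the equivalent extensions are set here by hand
#    (x509 -req does not copy the SAN from the CSR, so it is restated).
sign_csr() {
    printf '%s\n' \
        'subjectAltName=DNS:ucm1.dcloud.cisco.com,DNS:imp1.dcloud.cisco.com' \
        'extendedKeyUsage=serverAuth' \
        'keyUsage=digitalSignature,keyEncipherment' > "$WORK/sign.ext"
    openssl x509 -req -in "$WORK/ucm1-tomcat.csr" \
        -CA "$WORK/CARootCert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$WORK/sign.ext" \
        -out "$WORK/ucm1-CA-tomcat.pem" >/dev/null 2>&1
}

# 4a. The CSR must carry what the lab dialog asks for: 2048-bit key, SHA-256
#     signature and a SAN entry for each node. Returns 0 when all are present.
csr_matches_lab_values() {
    text=$(openssl req -in "$WORK/ucm1-tomcat.csr" -noout -text)
    echo "$text" | grep -q 'Public-Key: (2048 bit)' &&
        echo "$text" | grep -q 'sha256WithRSAEncryption' &&
        echo "$text" | grep -q 'DNS:ucm1.dcloud.cisco.com' &&
        echo "$text" | grep -q 'DNS:imp1.dcloud.cisco.com'
}

# 4b. What a tomcat-trust entry (or the workstations' trust in the AD1 root)
#     buys: the identity certificate validates against the root. Returns 0
#     on success.
chain_verifies() {
    openssl verify -CAfile "$WORK/CARootCert.pem" "$WORK/ucm1-CA-tomcat.pem" \
        >/dev/null 2>&1
}

# 4c. Hostname check, the part of validation the lab's FQDN requirement
#     serves: returns 0 only when $1 is covered by the certificate's SAN.
cert_covers_host() {
    openssl x509 -in "$WORK/ucm1-CA-tomcat.pem" -noout -checkhost "$1" |
        grep -q 'does match'
}

main() {
    make_root_ca && make_multi_server_csr && sign_csr
    csr_matches_lab_values && echo "CSR: 2048-bit RSA, SHA-256, SAN for both nodes"
    chain_verifies && echo "Chain: identity certificate validates against the root"
    for h in ucm1.dcloud.cisco.com imp1.dcloud.cisco.com ucm1; do
        if cert_covers_host "$h"; then echo "$h: covered by SAN"
        else echo "$h: NOT covered (short names and IP addresses fail validation)"; fi
    done
}
main
```

Run it on any host with OpenSSL 1.1.1 or later. The same three checks (chain, SAN, hostname) are what a browser on wkst1 performs against ucm1.dcloud.cisco.com once Tomcat is restarted, which is why the address bar stops showing a certificate warning only when both the root is trusted and the name you typed is in the SAN.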

Request and Install a CA Signed XMPP-Trust Certificate


Upload the CA Root Certificate for XMPP-Trust

In the previous exercise, we uploaded the CA Root certificate (ad1.dcloud.cisco.com) to the Tomcat Trust store of both the
Unified Communications Manager (ucm1.dcloud.cisco.com) and the IM and Presence (imp1.dcloud.cisco.com). Next, we
generated CA Signed Tomcat certificates. We must now upload the CA Root certificate to the IM and Presence cup-xmpp-trust
store in order to generate and install a CA Signed XMPP certificate.

1. Open the Internet Explorer tab connected to imp1.dcloud.cisco.com.

2. Use the Navigation menu to choose Cisco Unified IM and Presence OS Administration.

3. Click Go.

4. Login with Username: administrator and Password: dCloud123!.

5. Navigate to Security > Certificate Management from the menu.

6. Click Upload Certificate/Certificate Chain.

Figure 166. Upload Certificate Icon

7. Set the Certificate Purpose field to cup-xmpp-trust.

8. For description, enter AD1 CA Root Certificate.

9. Click Browse.

10. Use the file explorer to navigate to Desktop\CST-Jabber\Downloads\.

11. Choose the CARootCert.cer file.

12. Click Open.


Figure 167. Upload Certificate Chain

13. Click Upload.

14. Notice the status message indicates that the Cisco XCP Router service must be restarted for changes to take effect. We will
restart the service in a later exercise.

Figure 168. Certificate Upload Success

15. Click Close.

Generate and Download a CUP-XMPP Certificate Signing Request

1. Click Generate CSR from the menu.

2. Set the following values in the Certificate Signing Request dialog:

• Certificate Purpose: cup-xmpp

• Distribution: imp1.dcloud.cisco.com

• Key Length: 2048

• Hash Algorithm: SHA256

NOTE: Subject Alternative Names (SANs) have been auto-populated based on the presence domains for which the IM and
Presence server has been configured. In our lab, this includes alpha.com, dcloud.cisco.com, and uk.dcloud.cisco.com.

3. Ensure that the values entered match the graphic below.


Figure 169. Generate Certificate Signing Request

4. Click Generate.

5. Confirm successful generation.

Figure 170. Request Generated

6. Click Close.

7. Click Download CSR.

8. For Certificate Purpose, choose cup-xmpp.

9. Click Download CSR.

10. Click Save.

Figure 171. Save CSR File

11. Click Close to exit the dialog.

12. Open or switch focus to the CST-Jabber\Downloads folder.

13. Right click the downloaded cup-xmpp.csr file and choose rename.

14. Rename the file to imp1-cup-xmpp.csr.


Submit and Download a CUP-XMPP CA Signed Certificate

1. Double click the file imp1-cup-xmpp.csr (renamed in the previous step) to open.

2. From the Notepad main menu, choose Format and confirm that Word Wrap is highlighted.

3. Press CTRL-A, to highlight all text in the open file.

4. Press CTRL-C, to copy highlighted data into the computer buffer.

5. Close the Notepad application.

6. Switch focus back to Internet Explorer and open the tab connected to AD1 Certificate Services.

7. Click the hyperlink for Home, in the upper right of the Microsoft Active Directory Certificate Services webpage.

8. Click Request a Certificate.

9. Click advanced certificate request.

10. Click in the Saved Request field to make it active.

11. Press CTRL-V to paste the data saved to the computer buffer.

12. From the Certificate Template drop down, choose Web Server.

Figure 172. Request Window

13. Click Submit.

14. Choose Base 64 encoded.


Figure 173. Certificate Download Window

15. Click Download certificate.

16. Click Save.

17. Open the Desktop\CST-Jabber\Downloads folder.

18. Rename the certnew.cer file to imp1-CA-cup-xmpp.cer.

Figure 174. CER File Name

Upload CA Signed CUP-XMPP Certificate to IM and Presence

1. Return to Internet Explorer and choose the tab connected to imp1.dcloud.cisco.com.

2. Navigate to Security > Certificate Management from the menu. (If not already on this page)

3. Click Upload Certificate/Certificate Chain.

Figure 175. Upload Certificate Icon

4. Choose cup-xmpp for Certificate Purpose.

5. Click Browse.

6. Use the file explorer to navigate to Desktop\CST-Jabber\Downloads\.

7. Choose the imp1-CA-cup-xmpp.cer file.

8. Click Open.

9. Click Upload.

10. Confirm that the upload is successful.

Figure 176. Upload Successful

11. Click Close.


12. Close Microsoft Internet Explorer.

Service Maintenance to Finalize Certificate Installation


In order to activate the newly uploaded CA signed certificates, the Cisco Tomcat service must be restarted on both
ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com (cluster-wide tomcat certificate), and the Cisco XCP Router service must be
restarted on imp1.dcloud.cisco.com (cup-xmpp certificate).

A new secure TFTP transfer process was introduced in Cisco Unified CM 11.0. This provides an SSL secured TFTP transfer of
configuration data from Cisco Unified CM to the Cisco Jabber client. In Unified CM Release 11.0, modifying the installed
Cisco Tomcat security certificate requires that the Cisco Tftp service (if activated) on all nodes be deactivated and then
activated again. This binds the certificates properly for the SSL handshake that authenticates secure TFTP
connections. As such, we will deactivate and re-activate the Cisco Tftp service running on ucm1.dcloud.cisco.com.

NOTE: This behavior will change in Unified CM Release 11.5, where a Restart of the Cisco Tftp service will bind the new
certificates.

Restart Cisco Tomcat for the Unified CM Cluster

1. Launch the terminal application PuTTY by clicking on the icon in the taskbar.

Figure 177. PuTTY Icon

2. Under Saved Sessions, choose the entry ucm1 and click Load.

Figure 178. PuTTY Saved Sessions

3. Click the Open button to launch a secure shell connection to ucm1.dcloud.cisco.com.

4. Login with Username: administrator and Password: dCloud123!.

5. Type the following command: utils service restart Cisco Tomcat

6. Press Enter.

7. While waiting for the restart command to complete, open another PuTTY session to imp1.dcloud.cisco.com by right clicking
the PuTTY icon in the taskbar.

8. Choose imp1 from the Recent Sessions list.


Figure 179. Recent Sessions

9. Login with Username: administrator and Password: dCloud123!.

10. Type the following command: utils service restart Cisco Tomcat

11. Press Enter.

12. Before proceeding, confirm that the Cisco Tomcat service has been restarted on both hosts as shown below.

Figure 180. Tomcat Restarted

Restart Cisco XCP Router for Unified IM and Presence

13. Type the following command: utils service restart Cisco XCP Router

14. Press Enter.

15. Before proceeding, confirm that the Cisco XCP Router service has been restarted.

Figure 181. Router Restarted

16. Type exit to close PuTTY.

NOTE: It will likely take at least 10 minutes for Cisco Tomcat and its dependent services to restart. This is an excellent time to
take a break. If you are unable to log into the Administration interfaces of either imp1.dcloud.cisco.com or ucm1.dcloud.cisco.com
after 15 minutes, report the issue to a proctor.

Deactivate and Activate the Cisco Tftp Service

As described earlier in this section, the Cisco Tftp Service must be re-initialized by performing a Deactivation and subsequent
Activation. This process binds the newly uploaded CA signed Cisco Tomcat certificate to the secure TFTP listener to
authenticate secure connections.

1. Launch Internet Explorer on wkst1.dcloud.cisco.com.

2. From the dCloud homepage navigate to: Collaboration Admin Links > Cisco Unified Communications Manager.

3. Select Cisco Unified Communications Manager from the Installed Applications list.


NOTE: No error regarding an untrusted certificate is encountered, and the address bar has changed from red to white. This is
because imp1.dcloud.cisco.com and ucm1.dcloud.cisco.com are both using SSL certificates signed by our Root CA,
ad1.dcloud.cisco.com. All servers and workstations in this lab have been pre-configured to trust certificates signed by
ad1.dcloud.cisco.com. Therefore, these hosts trust the identity certificates presented by imp1.dcloud.cisco.com and
ucm1.dcloud.cisco.com.

4. Use the Navigation drop down to select Cisco Unified Serviceability.

5. Click Go. Login with Username: administrator and Password: dCloud123!.

6. Navigate to Tools > Service Activation.

Figure 182. Service Activation

7. From the Select Server drop down menu, choose ucm1.dcloud.cisco.com.

8. Click Go.

9. In the CM Services section of the webpage, locate the entry for Cisco Tftp. Observe that the entry is checked and the current
Activation Status is Activated.

Figure 183. CM Services

10. Uncheck the entry for the Cisco Tftp service and click Save. It may take up to a minute for the operation to complete.

11. Confirm that the Activation Status of the Cisco Tftp service is now Deactivated.

12. To re-initialize the Cisco Tftp service, place a Checkmark next to the entry for Cisco Tftp. Click Save.

13. Acknowledge the Pop-Up message by clicking OK.


Figure 184. Service Notification

14. Once the service activation command completes, confirm that the Cisco Tftp service Activation Status is set to Activated.


Activity 4: Jabber Client Installation and Feature Testing


Activity Objectives
In this activity, we will perform the following:

• Install Jabber for Windows on WKST1 wkst1.dcloud.cisco.com (198.18.133.36)

• Install Jabber for Windows on WKST2 wkst2.dcloud.cisco.com (198.18.133.37)

• Verify Service Discovery and Login operations

• Use Enterprise Groups to populate contacts

• Confirm basic Client functionality

o Chat

o P2P Calling

• Review the Locations feature

• Confirm Save Chat History to Exchange

• Confirm URI Dialing functionality

At the conclusion of this activity, we will confirm a functional Cisco Jabber for Windows installation on both demonstration
workstations and validate readiness for Advanced Feature Deployment Modules.

Cisco Jabber User Interface (UI) Updates


The activities in this lab are highly feature focused; however, it is important to note some enhancements to the Cisco Jabber user
interface. While the lab steps do not explicitly cover many of these features, they are active and the participant is encouraged to
take note of them throughout interactions with Cisco Jabber in this lab. See the figure below for more details.

Figure 185. Cisco Jabber UI Updates


Install Jabber on WKST1 and Login


Workstation1, wkst1.dcloud.cisco.com or 198.18.133.36, is the Windows 7 workstation assigned to demonstration user Charles
Holland (cholland).

1. Open an RDP session to wkst1.dcloud.cisco.com (198.18.133.36). (May already be open from the previous exercise)

2. If prompted, login with Username: cholland and Password: C1sco12345.

3. Open Internet Explorer (or a new tab).

4. From the dCloud homepage navigate to Collaboration User and Test Links > Cisco Jabber Software Download.
Alternatively, you may navigate to the following URL: https://cisco.box.com/CST-Jabber-Installation.

5. Click Download to download CiscoJabberSetup.msi as seen in the image below.

Figure 186. Download Jabber Setup File

6. Click Run when prompted to download and launch the installer.

Figure 187. Launch Installer

7. Click Accept and Install to begin the installation.

Figure 188. Cisco Jabber Setup Wizard


8. Once installation is complete, the following message will be displayed.

Figure 189. Jabber Installation Success

9. Launch Cisco Jabber should be Checked.

10. Click Finish.

11. Cisco Jabber will launch and you will see the Finding services… message as it initializes for the first time and performs
automatic service discovery.

Figure 190. Finding Services

12. Once service discovery is complete, a Logon screen will appear. The username cholland should be automatically populated.

Figure 191. Jabber Login Prompt


NOTE: Jabber has automatically detected the UPN (User Principal Name) of the logged on user, populated the sAMAccountName
in the Username field, and used the @Domain portion of the UPN as the domain to query for service discovery.

13. Enter C1sco12345 in the Password field.

14. Click Sign In.

15. Notice the New location detected notification at first login. This will likely appear to the lower right of the remote desktop
workspace.

16. In order to get a feel for how locations may be updated and displayed, click Add to my locations.

Figure 192. New Location

17. Click Create a new location name.

18. Type a location of your choice. In our example, we use HQ as the location specified for Charles Holland.

19. Click Create.

Figure 193. Create New Location

20. Observe that Charles Holland is logged in to the Jabber client with the location data entered above.


Figure 194. Charles Holland Location

About the Locations feature in Cisco Jabber

The Location Update and Automated Location Detection features are new as of the Jabber 10.6 release. They allow Cisco
Jabber users to quickly and easily specify their current location and share this data with contacts as part of their presence detail.
The feature may be disabled via customization of the global jabber-config.xml file for those organizations that wish to exclude it.
The default setting for the location feature is Enabled, and by default the location detection mechanism keys on the detected
IP address of the client's default gateway.

Changes to Location settings can be made from within the File > Options menu of the Cisco Jabber client.

Figure 195. Cisco Jabber Options

The feature may be enabled/disabled using the Enable locations checkbox. New location detection behavior can be disabled
using the Tell me when new locations are detected checkbox. Existing locations can be deleted, edited or reassigned by
choosing a saved location from the My Locations window.

Figure 196. Locations Window

The currently assigned location can be modified by clicking on the Location icon.


Figure 197. Changing Location

21. Click the Menu icon and choose File > View my profile to display and confirm information about Charles Holland.

Figure 198. Cisco Jabber Profile Menu

Figure 199. Cisco Jabber Profile Information

22. Observe and confirm the following fields and corresponding data:

• Chat (IM address): cholland@dcloud.cisco.com

• Work: cholland@dcloud.cisco.com and +14085556018

23. Click Cancel to close.


24. To test Directory lookup, type Ani in the Search or Call field. (not case sensitive)

25. Observe that the offline contact record for Anita Perez is displayed.

Figure 200. Anita Perez Contact Record

26. Click the Menu icon and choose Help > Show connection status to confirm that the Jabber client has active
connectivity to provisioned services.

27. Confirm that the following services have Status of Connected (consult the graphic for reference):

Figure 201. Cisco Jabber Information Screen

• Softphone

o Status: Connected

o Address: ucm1.dcloud.cisco.com

• Presence

o Status: Connected

o Address: imp1.dcloud.cisco.com

• Outlook address book

o Status: Last connection successful.

o Address: Outlook

• Directory

o Status: Last connection successful.

o Address: DCLOUD.CISCO.COM (Automatically discovered through service discovery)

28. Click Close to exit the Connection Status window.

29. This completes service discovery validation and Jabber client connectivity.


Install Jabber on WKST2 and Login


Workstation2, wkst2.dcloud.cisco.com or 198.18.133.37, is the Windows 7 workstation assigned to demonstration user Anita
Perez (aperez).

1. Open an RDP session to wkst2.dcloud.cisco.com (198.18.133.37).

2. Login with Username: aperez and Password: C1sco12345

3. Open Internet Explorer.

4. From the dCloud homepage navigate to Collaboration User and Test Links > Cisco Jabber Software Download.
Alternatively you may navigate to the following URL: https://cisco.box.com/CST-Jabber-Installation.

5. Click Download to download CiscoJabberSetup.msi as seen in the image below.

Figure 202. Cisco Jabber Setup File Download

6. Click Run when prompted to download and launch the installer.

7. Click Accept and Install to begin the installation.

8. Once installation is complete, the following message will be displayed.

Figure 203. Jabber Installation Success

9. Launch Cisco Jabber should be Checked.

10. Click Finish.


11. Cisco Jabber will launch and you will see the Finding services… message as it initializes for the first time and performs
automatic service discovery.

12. Once service discovery is complete, a Logon screen will appear. The username aperez should be automatically populated.

The lab environment has a single Active Directory domain. Even though the mail id attribute of this user is aperez@alpha.com,
the UPN assigned to the user Anita Perez is aperez@dcloud.cisco.com. In a production environment with multiple managed
domains this user would likely authenticate to a separate Active Directory infrastructure with a UPN matching the mail id attribute.

Figure 204. Login Prompt

13. Enter C1sco12345 in the Password field.

14. Click Sign In.

15. Notice the New location detected notification at first login. This will likely appear to the lower right of the remote desktop
workspace.

16. Click Add to my locations.

Figure 205. New Location

17. Click Create a new location name.

18. Type a location of your choice. In our example, we use Home Office as the location specified for Anita Perez.

19. Click Create.


Figure 206. Create New Location

20. Observe that Anita Perez is logged in to Jabber with the location data entered above.

Figure 207. Anita Perez Location

21. Click the Menu icon and choose File > View my profile to display and confirm information about Anita Perez.

Figure 208. Anita Perez Profile Information


22. Observe and confirm the following fields and corresponding data:

• Chat (IM address): aperez@alpha.com

• Work: aperez@alpha.com and +12125556017

23. Click Cancel to close.

24. To test Directory lookup, type chol in the Search or Call field. (not case sensitive)

25. Observe that the contact record for Charles Holland is displayed.

Figure 209. Charles Holland Contact

26. Notice the status of Available @ HQ. This is the result of adding the HQ location in the previous activity.

27. Click the Menu icon and choose Help > Show connection status to confirm that the Jabber client has active
connectivity to provisioned services.

28. Confirm that the following services have Status of Connected:

• Softphone

o Status: Connected

o Address: ucm1.dcloud.cisco.com

• Presence

o Status: Connected

o Address: imp1.dcloud.cisco.com

• Outlook address book

o Status: Last connection successful.

o Address: Outlook

• Directory

o Status: Last connection successful.

o Address: DCLOUD.CISCO.COM (Automatically discovered through service discovery)

29. Click Close to exit the Connection Status window.

30. This completes service discovery validation and Jabber client connectivity.
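The NOTE following the first login on WKST1 and the paragraph about Anita Perez's UPN describe the two things Jabber takes from the Windows logon: the user part of the UPN for the Username field and the domain part, not the mail attribute, for service discovery. The script below is an added example, not part of the lab guide or of Cisco's client, that walks that derivation and then shows which DNS SRV names Jabber looks up in the discovery domain and how a client orders the answers it gets back. _cisco-uds._tcp and _cuplogin._tcp are the record names Cisco documents for on-premises discovery; the SRV answer lines are constructed sample data in the format dig +short SRV prints (ucm2 and ucm3 are invented hosts), not a live lookup.

```shell
#!/bin/sh
# Added example, not part of the dCloud lab guide. Shows what the lab's
# "UPN -> username + domain" note means for service discovery: the domain
# part of the UPN (never the mail attribute) is where Jabber looks for SRV
# records. _cisco-uds._tcp and _cuplogin._tcp are Cisco's documented record
# names; the SRV answers below are constructed sample data, not a live lookup.
set -eu

# Split a UPN into "user domain"; the user part is what the lab sees
# pre-populated in the Username field. Fails for anything without an @.
split_upn() {
    case $1 in
        *@*) printf '%s %s\n' "${1%%@*}" "${1#*@}" ;;
        *)   return 1 ;;
    esac
}

# Discovery domain: taken from the UPN, so aperez@dcloud.cisco.com discovers
# against dcloud.cisco.com even though her mail id is aperez@alpha.com.
discovery_domain() {
    split_upn "$1" | cut -d' ' -f2
}

# The SRV record names Jabber queries in the discovery domain:
# _cisco-uds for Unified CM (UDS) and _cuplogin for IM and Presence.
srv_names_for_domain() {
    printf '_cisco-uds._tcp.%s\n_cuplogin._tcp.%s\n' "$1" "$1"
}

# Constructed SRV answers for the lab domain ("priority weight port target"),
# the shape "dig +short SRV _cisco-uds._tcp.dcloud.cisco.com" would print.
# ucm2 and ucm3 are invented here to show ordering; only ucm1 exists in the lab.
SAMPLE_SRV_ANSWER='20 10 8443 ucm2.dcloud.cisco.com.
10 50 8443 ucm1.dcloud.cisco.com.
10 50 8443 ucm3.dcloud.cisco.com.'

# Target a client should try first: lowest priority, then highest weight
# (RFC 2782). Real clients pick among equal weights at random; this example
# breaks the tie by name so the result is reproducible. Prints "target port".
best_srv_target() {
    printf '%s\n' "$1" | sort -k1,1n -k2,2nr -k4,4 | head -n 1 |
        awk '{ sub(/\.$/, "", $4); print $4, $3 }'
}

main() {
    for upn in cholland@dcloud.cisco.com aperez@dcloud.cisco.com; do
        set -- $(split_upn "$upn")
        echo "UPN $upn -> Username field: $1, discovery domain: $2"
        echo "SRV names queried:"
        srv_names_for_domain "$2" | sed 's/^/  /'
    done
    echo "First UDS target from the sample answer: $(best_srv_target "$SAMPLE_SRV_ANSWER")"
}
main
```

When the lab's DNS is reachable, the same names can be queried live with dig +short SRV or nslookup -type=SRV; the point of the derivation is that a user whose mail domain differs from the UPN domain (aperez@alpha.com versus aperez@dcloud.cisco.com) still discovers services in the UPN domain, which is why the login succeeds here with a single Active Directory domain.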


Test Chat, Calling, and Chat History


Add a Contact and Test Chat interaction

1. Maintain or switch focus to the RDP session connected to wkst2.dcloud.cisco.com (198.18.133.37) for user Anita Perez.

2. From the Jabber Contacts tab, click Add Company Contact.

Figure 210. Add Company Contact

3. From the Add Contact dialog, click New Group to create a new group in which to place the new contact.

Figure 211. New Group

4. Type CST Favorites and click Create.

Figure 212. Create New Group

5. Type Char in the Search field.

6. Double click the contact record for Charles Holland.

Figure 213. Charles Holland Contact

7. Click Add.

8. Hover your mouse over the new contact and click the Chat icon.


Figure 214. Chat Option

9. In the chat window, type a message from Anita Perez to Charles Holland.

Figure 215. Jabber Chat Window

10. Open (or switch to) the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36) for user Charles Holland.

11. Click the chat notification to open the active chat session.

Figure 216. Chat Notification

12. Click the Add icon in the contact menu of the active chat window to add Anita Perez as a contact.

Figure 217. Add Contact

13. From the Add Contact dialog, click New Group.


Figure 218. New Group

14. Type CST Favorites and click Create.

15. Click Add.

16. In the chat window, type a reply message of your choice from Charles Holland to Anita Perez.

17. Switch back to the wkst2.dcloud.cisco.com RDP session (Anita Perez).

18. Type a reply message back to Charles indicating the need for a call to discuss.

19. The Chat window should have a flow similar to the one depicted below.

Figure 219. Chat Conversation

Escalate Chat to Voice/Video Call

NOTE: Both workstations in this exercise are virtual machines. We are leveraging a virtual camera and audio drivers to allow for
simulated audio and video between Jabber clients. You will NOT have live video or audio for test calls.

20. Click the Arrow directly to the left of the Call icon.

21. Observe that we may place a call to either the URI (cholland@dcloud.cisco.com) or Telephone Number assigned to
Charles Holland. This is because we have completed the configuration steps required to enable the URI Dialing feature. By
placing and completing a call using the Directory URI, we validate the operation of the URI Dialing feature.

22. Choose the Directory URI address to initiate the call.


Figure 220. Dialing Options

23. Switch back to the wkst1.dcloud.cisco.com RDP session (Charles Holland).

24. Click Answer on the Incoming call notification.

Figure 221. Incoming Call Notification

25. Note that the call is active and the virtual camera drivers are showing the text VCAM in both remote and self-view windows.

Figure 222. VCAM Video Stream

26. Observe that the presence indicator for Charles Holland has changed from Available to On a Call.

Figure 223. Charles Holland Presence Status

27. Switch back to Anita Perez on wkst2.dcloud.cisco.com.

28. Observe that the user’s presence indicator is in a state of On a Call.

29. Click the End Call icon to end the active call.

Figure 224. End Call Icon

This concludes the testing of baseline chat and voice/video calling.

30. If you wish, you may continue to explore P2P chat and calling features by attempting a call from Charles Holland to Anita
Perez. When ready, please move on to the next activity.

Save Chat History to Outlook

Jabber for Windows can be configured to automatically save chat histories to a Cisco Jabber Chats folder in each user's Microsoft
Outlook mailbox. When a user closes a chat window, the client saves the IM conversation to the Exchange server.

This allows users to search all of their conversations, both email and IM, from a single location.

Earlier we enabled this feature by adding the following lines to the jabber-config.xml file in the Client section:

<Client>
  <enablesavechathistorytoexchange>True</enablesavechathistorytoexchange>
  <InternalExchangeServer>mail1.dcloud.cisco.com</InternalExchangeServer>
</Client>

In this exercise, we will open Microsoft Outlook and observe that the chat interactions undertaken thus far have been logged to the
Cisco Jabber Chats folder.

1. Open (or switch to) an RDP session to wkst2.dcloud.cisco.com (198.18.133.37) for user Anita Perez.

2. Close any open chat windows (if any).

3. Launch Microsoft Outlook by clicking the icon in the task bar.

Figure 225. Outlook Icon

4. From the list of folders, click Cisco Jabber Chats.

Figure 226. Cisco Jabber Chats Folder

5. Observe that all chat interaction between Anita Perez and Charles Holland has been saved to the folder.

Figure 227. Jabber Chat Folder Contents

NOTE: If you do not see any chat history, ensure that all chat windows are closed. The save history feature is not activated until
the conversation has been closed.

6. Hover your mouse over the contact entry for Charles Holland.

Figure 228. Charles Holland Contact

Integration between Cisco Jabber and the Microsoft Office contact card, with presence and click-to-call/chat capability, is enabled.
To accomplish this, the proxyAddresses attribute for both Charles Holland and Anita Perez has been edited to include a SIP URI.
The graphic below shows the entry added for Charles Holland using the Active Directory Users and Computers console.

Figure 229. proxyAddresses Attribute

7. You may test integration functionality by initiating IM or Calling using the contact card entry.

8. Close Microsoft Outlook.

9. If you wish, you may confirm the same functionality from wkst1.dcloud.cisco.com (Charles Holland). When ready, move on to
the next activity.

Manage Contacts using Enterprise Groups

We have tested the manual management of contacts in Cisco Jabber. In the next exercise, we will streamline this process by
importing contacts through the Enterprise Groups feature.

In this next activity, we will explore the automatic population of Jabber contacts by using Distribution Groups synchronized from
Active Directory. Recall that in the first activity of this lab we reviewed and created groups for this purpose:

• Sales

• Engineering

• Marketing

We confirmed that these groups synchronized with Active Directory and are present within Unified Communications Manager under
User Management > User Settings > User Group.

We will now explore adding these groups and interacting with them. We will also demonstrate the dynamic nature of the Enterprise
Groups feature.

Adding Groups to the Jabber Contacts List

1. Open (Switch to) an RDP session to wkst1.dcloud.cisco.com (198.18.133.36) user Charles Holland.

2. Click the Menu icon and choose File > New > Directory Group.

Figure 230. Directory Group

NOTE: You can add multiple groups at the same time by searching for the group name(s) entered in part or in whole. You can
double-click on the desired group(s) returned by the search. Continue adding groups in this manner until you are ready to add
them all to the Jabber Contacts list. In place of the mouse interaction, you may use either the Tab or Enter keys to add when a
single search result is returned.

3. In the Search field of the Add Directory Group dialog, type Sales.

Figure 231. Group Search

4. Double click Sales to add the group.

5. Click Add.

6. Observe that the Sales group has been added to the Contacts window. All of the members defined in the Active Directory
distribution group are present as contacts in the group. Notice that the total number of contacts in the group is shown in the
upper-right corner of the group header.

Figure 232. Sales Group

NOTE: Only Anita Perez has an associated contact photo. This photo was added to the local cache from our chat interactions.
The others are missing because a Throttling Policy is enforced on picture download for contacts added through an Enterprise
Group. This behavior is designed to avoid performance degradation with wide use of the feature in the enterprise. The photo is
downloaded upon first interaction with an added contact. In our demonstration, we will click each user to download their photo.
Some contacts may have photos resolved through the address book entries in MS Outlook while exploring chat history.

7. Click on each contact in the list and observe that the contact photo is immediately downloaded.

8. Click the Menu icon and choose File > New > Directory Group.

9. In the Search field type Eng and press the Enter key.

10. In the Search field type Mark and press the Enter key. Notice that the Enter or Tab key may be pressed as soon as the
predictive search returns a viable result.

11. Click Add.

12. If you wish, you may click each contact to download a photo.

13. Open (Switch to) an RDP session to wkst2.dcloud.cisco.com (198.18.133.37) for user Anita Perez.

14. From the Jabber hub window click the Menu icon and choose File > New > Directory Group.

15. In the Search field, type Engineering and press Enter.

16. In the Search field, type Sales and press Enter.

17. In the Search field, type Marketing and press Enter.

18. Click Add.

Figure 233. Adding Multiple Groups

19. Click on each contact in the list and observe that the contact photo downloads instantly.

The Dynamic Nature of Enterprise Groups

A major benefit of the Enterprise Groups feature is that contact management is centralized within LDAP (Microsoft Active
Directory). When changes are made to the membership of a synchronized Directory Group (Additions/Deletions), these are
replicated during the scheduled synchronization process between Unified CM and LDAP Directory.

In the next exercise, we will connect to ad1.dcloud.cisco.com (198.18.133.1) and use the Active Directory Users and
Computers console to modify group membership by removing our two demonstration users from their respective groups.

Modify Distribution Group Membership in Active Directory

1. RDP to ad1.dcloud.cisco.com (198.18.133.1) and login as Administrator (administrator / C1sco12345).

2. From the Task Bar Click the Active Directory Users and Computers icon.

Figure 234. Active Directory Users and Computers Icon

3. Choose the dCloud Organizational Unit from the menu tree.

4. Double click the Sales distribution group.

5. Click the Members tab.

6. Highlight the entry for Anita Perez.

Figure 235. Members Tab

7. Click Remove.

8. Click Yes when prompted for confirmation.

Figure 236. Removal Confirmation

9. Click Apply.

10. Click OK to close the Sales Group.

11. Double click the Engineering distribution group.

12. Click the Members tab.

13. Highlight the entry for Charles Holland.

14. Click Remove.

15. Click Yes when prompted for confirmation.

16. Click Apply.

17. Click OK to close the Engineering Group.

Perform LDAP Synchronization

NOTE: In a production environment, a recurring schedule for directory synchronization is established and defined as part of the
LDAP Directory Synchronization agreement. Updates to synchronized groups occur during these scheduled synchronization intervals
and are then registered in Cisco Unified CM. To expedite the process, we will manually initiate an LDAP synchronization.

1. Open (or switch to) an RDP session to wkst1.dcloud.cisco.com (198.18.133.36).

2. Open Internet Explorer or a new tab.

3. From the Cisco dCloud homepage, navigate to Collaboration Admin Links > Cisco Unified Communications Manager to
connect to ucm1.dcloud.cisco.com. Optionally you may manually type https://ucm1.dcloud.cisco.com in the address bar.

4. From the Installed Applications list, click Cisco Unified Communications Manager.

5. In the Username field type administrator.

6. In the Password field type dCloud123!.

7. Click Login.

8. In the Unified Communications Manager Administration interface, browse to System > LDAP > LDAP Directory.

9. Click Find.

10. Click the hyperlink for CST LDAP to open the directory configuration page.

Figure 237. Directory Configuration Page

11. Click Perform Full Sync Now.

Figure 238. Perform Full Sync Now

NOTE: In rare circumstances we have experienced an issue where the Confirm Password field is cleared when this page is
accessed. If this happens, you will receive a pop-up stating: LDAP Password:: - Passwords do not match. Enter the password
C1sco12345 in both the Password and Confirm Password fields and repeat the previous step.

12. If prompted, acknowledge the webpage notification by clicking OK.

13. Observe the status message in the upper left-hand corner of the LDAP Directory configuration page.

Figure 239. Sync in Progress

14. Wait at least 60 seconds before proceeding.

Confirm User Group Update

1. From the main menu choose User Management > User Settings > User Group.

2. Click Find.

3. Click the Sales group hyperlink to open the membership properties.

4. Click Find to view current group membership.

5. Confirm that Anita Perez no longer appears in the list.

Figure 240. Sales Group

6. From the Related Links menu, choose Back to Find/List User Groups.

7. Click Go.

8. Click the Engineering group hyperlink.

9. Click Find.

Figure 241. Engineering Group

10. Confirm that Charles Holland has been removed from the group.

Observe Enterprise Group Membership Update in Jabber

1. If not already in focus, open the RDP session to wkst1.dcloud.cisco.com (Charles Holland).

2. Open the Contacts tab in Cisco Jabber.

3. View the Sales group and see that the contacts counter has been reduced to 9 and that Anita Perez is absent from the group.

4. Expand the Engineering group and see that the number of listed contacts has been reduced to 8 and that Charles Holland is
no longer listed as a member of the Engineering contact group.

Figure 242. Sales and Engineering Groups

5. Open (or switch to) an RDP session to wkst2.dcloud.cisco.com (Anita Perez).

6. Review the Sales and Engineering contact groups and confirm that the output matches the observed behavior of the Jabber
client on wkst1.

NOTE: The Contact list update for the Cisco Jabber client is almost instantaneous. Exact results may vary and depend heavily
upon load in a production environment.

Deployment Activity Conclusion


Congratulations! You have completed all the configuration steps required to deploy Cisco Jabber on premise. You also tested and
verified basic functionality and some new features and functionality recently added to the portfolio.

Specialized Features and Deployment Modules

The remainder of this lab is a series of Modules, each devoted to a particular advanced deployment topic. Participants are
encouraged to complete all of the modules in sequential order. However, the time limit for this lab is 4 Hours. Students wishing to
devote extra time or emphasis to one or more of the feature modules may wish to be selective in order to complete the desired
modules within the time allotted.

Students should check the amount of time left at this point in the lab and decide on which Modules to pursue.

NOTE: Modules are optional and may be completed independently except where listed as a dependency for another target
Module. The only module with pre-requisite dependencies is 3(b), which requires Modules 2 and 3a to be completed in advance in
order to test solution functionality.

• Module 1: Persistent Chat (PCHAT) and Managed File Transfer (MFT)

o Optional with no dependencies

• Module 2: Mobile and Remote Access (MRA) with Cisco Expressway

o Optional with no dependencies

• Module 3a: SAML Single Sign-On (SSO) Inside the Network

o Optional with no dependencies

• Module 3b: Extending SSO to the Collaboration Edge

o Optional, but requires Modules 2 and 3a.

Module 1: Persistent Chat and Managed File Transfer


Module Overview
In this Module, we will configure the Cisco Unified IM and Presence Service as well as external components to provide Persistent
Group Chat and Managed File Transfer capabilities.

Persistent Chat

Instant messaging is an important communication option that lets you efficiently interact in today's multitasking business
environment. Cisco Unified Presence provides personal chat, group chat, and persistent chat capabilities so you can quickly
connect with individuals and groups and conduct ongoing conversations.

Personal and group chat have been available for some time without any special configuration; however, these interactions are
temporary (they are deleted when all participants leave the chat).

The Persistent Chat feature provides a richer set of capabilities allowing users to create permanent chat rooms and manage
privacy and group membership settings. Persistent Chat offers users ongoing access to a discussion thread or other topic. It is
available even if no one is currently in the chat and remains available until explicitly removed from the system.

Additional administrative configuration options were recently added to the Collaboration Systems portfolio including the ability to
limit the creation of rooms to designated Group Chat Administrators.

Managed File Transfer

Managed file transfer (MFT) allows an IM and Presence Service client, such as Cisco Jabber, to transfer files to other users, ad
hoc group chat rooms, and persistent chat rooms. The files are stored in a repository on an external file server using SSHFS to
secure file transfer operations and the transaction is logged to an external database.

Unlike Peer-to-Peer file transfers, Managed File Transfer may be used in conjunction with Group and Persistent Chat to share files
in a multi-user environment.

Configuration Notes

All pertinent external services (database, SSHFS) are hosted on centos.dcloud.cisco.com (198.18.134.29), which runs
CentOS Linux 7.

NOTE: We will use command line (CLI) access through PuTTY to connect to and configure the required components. Some
familiarity with these tools and systems will be helpful, but is not required.

Module Objectives
In this module, we will perform the following tasks:

• Configure External PostgreSQL Database instances to support the Persistent Chat and Managed File Transfer.

• Provision an SSHFS file system for use as the file store and secure transfer protocol for Managed File Transfer.

• Enable SSH Key based authentication for a dedicated Managed File Transfer User.

• Configure the Cisco Unified IM and Presence Service to support Persistent Chat and Managed File Transfer.

• Update the jabber-config.xml global configuration file to enable the Persistent Chat feature.

• Verify the operation of Persistent Chat and Managed File Transfer.

PostgreSQL Database Setup


An external database is required to support both the Persistent Chat and Managed File Transfer features. In this section, we will
perform the configuration steps required to create two database instances with associated database users and permissions.

Supported Databases for IM and Presence Features

• PostgreSQL database versions 8.3.x through 9.4.x are supported; versions 9.1.9, 9.2.6, 9.3.6, and 9.4.1 have been tested
with IM and Presence Service Release 11.0(1).

• Oracle database versions 9g, 10g, 11g, and 12c are supported; versions 11.2.0.1.0 and 12.1.0.2.0 (Linux) have been tested
with IM and Presence Service Release 11.0(1).

NOTE: To save time, PostgreSQL server 9.4 (with dependencies) has already been installed on centos.dcloud.cisco.com (CentOS 7).
Detailed instructions regarding the installation process and initial configuration using the YUM package installer on CentOS can be
found in Appendix A.

The database and services have been initialized using default values and the following parameters configured:

• User postgres, Password postgres

• PostgreSQL listening on TCP port 5432

• Connections and Authentication permitted from 198.18.133.0/24 (IP subnet for Collaboration Applications in the lab)

• Services configured to start automatically on OS boot

• Operating system configuration to permit incoming connections on TCP 5432

• Some additional database parameters that are pertinent to integration are also pre-configured but these are identified
throughout the activity.

Connect to the CentOS Linux Server

NOTE: In this exercise, we will use the root account unless otherwise specified. For production environments, it is a best practice
to authenticate using a non-root account and to use sudo when executing commands that require root privilege elevation.

1. Connect and/or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36).

2. Open PuTTY by clicking on the icon in the taskbar.

Figure 243. PuTTY Icon

3. Under Saved Sessions, choose the entry CentOS and click Load.

Figure 244. PuTTY Saved Sessions

4. Click the Open button to launch a secure shell connection to the Linux Server node centos.dcloud.cisco.com.

5. Log in with Username root and Password dCloud123!.

Review PostgreSQL Parameters

NOTE: This information is provided for reference only. No configuration file modifications are necessary.

To save time and avoid the potential for error, the following required configuration file modifications have been made for you:

Authentication Parameters: /var/lib/pgsql/9.4/data/pg_hba.conf

• Authentication method for all connection types changed to md5

• Added permit statement for authenticated access from network 198.18.133.0/24

Figure 245. Authentication Parameter Changes

Database Server Parameters: /var/lib/pgsql/9.4/data/postgresql.conf

Uncommented (removed the # at the start of the line) and set the following values:

• listen_addresses = '*'

o Instructs the service to listen on all IP Interfaces

• port = 5432

o instructs the service to listen on TCP Port 5432

• escape_string_warning = off

• standard_conforming_strings = off
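The two files described above define who may reach the database and how they must authenticate, so they are worth verifying rather than trusting a screenshot. The script below is an added example (it is not part of the lab guide or of Cisco's documentation) that reads a postgresql.conf and a pg_hba.conf, reports the effective listen_addresses and port, confirms that the collaboration subnet is granted md5 (password) access, and flags any network rule that uses trust (no credentials at all). The file contents it builds under a temporary directory are constructed samples that mirror the lab's edits; on centos.dcloud.cisco.com the same functions can be pointed at /var/lib/pgsql/9.4/data/postgresql.conf and pg_hba.conf.

```shell
#!/bin/sh
# Added example: audit PostgreSQL listener and client-authentication settings.
# Not part of the lab guide; the sample files created below are constructed to
# resemble the edits the lab describes (listen_addresses, port, md5, 198.18.133.0/24).

# Effective value of a postgresql.conf setting. '#' starts a comment; when a
# setting appears more than once, the LAST uncommented assignment wins.
pg_setting() {
  sed -e 's/#.*$//' "$1" | awk -F'=' -v key="$2" '
    NF >= 2 {
      k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
      if (k == key) {
        v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        val = v
      }
    }
    END { if (val != "") print val }' | tr -d "'"
}

# Auth method pg_hba.conf applies to TCP connections from ADDRESS (CIDR form).
# pg_hba.conf is first-match: the first uncommented matching rule is the one used.
pg_hba_method() {
  sed -e 's/#.*$//' "$1" | awk -v a="$2" '
    NF >= 5 && ($1 == "host" || $1 == "hostssl" || $1 == "hostnossl") && $4 == a { print $5; exit }'
}

# Every uncommented TCP rule whose method is "trust" (connects with no credentials).
pg_hba_trust_rules() {
  sed -e 's/#.*$//' "$1" | awk '
    NF >= 5 && ($1 == "host" || $1 == "hostssl" || $1 == "hostnossl") && $5 == "trust"'
}

# Combined check: $1 postgresql.conf, $2 pg_hba.conf, $3 subnet that must get md5.
# Prints one line per finding; returns 0 when everything passes, 1 otherwise.
audit_pg() {
  rc=0
  la=$(pg_setting "$1" listen_addresses)
  if [ -n "$la" ]; then echo "ok   listen_addresses = $la"
  else echo "FAIL listen_addresses not set; service only accepts local connections"; rc=1; fi
  p=$(pg_setting "$1" port)
  if [ "$p" = "5432" ]; then echo "ok   port = 5432"
  else echo "FAIL port is '${p:-unset}', expected 5432"; rc=1; fi
  m=$(pg_hba_method "$2" "$3")
  if [ "$m" = "md5" ]; then echo "ok   $3 authenticates with md5"
  else echo "FAIL $3 method is '${m:-none}', expected md5"; rc=1; fi
  t=$(pg_hba_trust_rules "$2")
  if [ -z "$t" ]; then echo "ok   no trust rules on network connections"
  else echo "FAIL trust rule(s) on network connections:"; echo "$t"; rc=1; fi
  return $rc
}

# --- constructed sample files (not copies of the lab server's files) --------
WORK=$(mktemp -d)
PG_CONF="$WORK/postgresql.conf"
PG_HBA="$WORK/pg_hba.conf"
PG_HBA_WEAK="$WORK/pg_hba.weak.conf"

cat > "$PG_CONF" <<'EOF'
#listen_addresses = 'localhost'         # packaged default, still commented out
listen_addresses = '*'                  # lab setting: listen on every interface
port = 5432
escape_string_warning = off
standard_conforming_strings = off
EOF

cat > "$PG_HBA" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS           METHOD
local   all       all                     md5
host    all       all   127.0.0.1/32      md5
host    all       all   ::1/128           md5
host    all       all   198.18.133.0/24   md5
EOF

# Weak variant: collaboration subnet missing, and any host trusted without a password.
cat > "$PG_HBA_WEAK" <<'EOF'
local   all       all                     md5
host    all       all   0.0.0.0/0         trust
EOF

echo "== lab configuration =="
audit_pg "$PG_CONF" "$PG_HBA" 198.18.133.0/24
echo "== weak variant =="
audit_pg "$PG_CONF" "$PG_HBA_WEAK" 198.18.133.0/24 || echo "audit failed, as expected"
```

Because listen_addresses = '*' exposes the listener on every interface, pg_hba.conf (together with the OS firewall rule on TCP 5432) is what actually limits access to the 198.18.133.0/24 subnet; the trust check is there because a single trust line for a wide network silently undoes the md5 requirement.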

NOTE: DO NOT copy and paste PostgreSQL commands from this document into the PuTTY console session. For your convenience, a
text file with the commands that may be copied and pasted into the console is located on wkst1.dcloud.cisco.com (198.18.133.36)
at the path: Desktop\CST-Jabber\Utilities\PostgreSQL-Commands.txt. Open the file in the Notepad application and copy and paste
where appropriate.

Launch the PSQL Client

1. Launch the psql utility by typing: psql -U postgres

2. At the Password prompt type: postgres

Figure 246. PSQL Client Launch

Create Database Users

3. Create the Persistent Group Chat database user with permissions by typing:

CREATE ROLE tcuser LOGIN CREATEDB SUPERUSER;

4. Press Enter.

5. Create the Managed File Transfer database user with permissions by typing:

CREATE ROLE mftuser LOGIN CREATEDB SUPERUSER;

6. Press Enter.

Figure 247. Create User Roles

Create Databases

7. Create the Persistent Group Chat database tcmadb by typing:

CREATE DATABASE tcmadb WITH OWNER tcuser ENCODING 'UTF8';

8. Press Enter.

9. Create the Managed File Transfer database mftadb by typing:

CREATE DATABASE mftadb WITH OWNER mftuser ENCODING 'UTF8';

10. Press Enter.

Figure 248. Create Databases

11. Confirm database creation by typing:

\list

12. Press Enter.

13. Confirm that both the tcmadb and mftadb databases are listed in the command output.

Figure 249. Database Creation Successful

Set DB User Passwords

14. Set the password for tcuser by typing:

ALTER ROLE tcuser WITH PASSWORD 'tcuser';

15. Press Enter.

16. Set the password for mftuser by typing:

ALTER ROLE mftuser WITH PASSWORD 'mftuser';

17. Press Enter.

Figure 250. Setting User Roles

Set Persistent Chat Database Parameters

18. Type the following to connect to the tcmadb (Persistent Chat Database) as the postgres user.

\connect tcmadb

19. Press Enter. Observe the status message: You are now connected to database "tcmadb" as user "postgres".

20. Type the following to create a required function:

CREATE FUNCTION plpgsql_call_handler () RETURNS LANGUAGE_HANDLER AS '$libdir/plpgsql' LANGUAGE C;

21. Press Enter. Confirm that command output matches the graphic below.

Figure 251. Command Success Output

Set Managed File Transfer Database Parameters

22. Type the following to connect to the mftadb (Managed File Transfer Database) as the postgres user.

\connect mftadb

23. Press Enter. Observe the status message: You are now connected to database "mftadb" as user "postgres".

24. Enter the password postgres to authenticate.

25. Type the following to create a required function:

CREATE FUNCTION plpgsql_call_handler () RETURNS LANGUAGE_HANDLER AS '$libdir/plpgsql' LANGUAGE C;

26. Press Enter. Confirm that command output matches the graphic below.

Figure. Command Success Output

28. Type the following command to quit the psql session:

\q

29. Press Enter.

Set Up External Database Entries on the IM and Presence Service


In the following activity, you will configure Unified IM and Presence to connect to the database(s) created in the previous steps.

1. Open a New Tab in the active Internet Explorer window. If necessary, open a new Internet Explorer session.

2. Navigate to Collaboration Admin Links > Cisco Unified IM and Presence Service.

Figure 252. Collaboration Admin Links

3. Click the Cisco Unified Communications Manager IM and Presence hyperlink.

4. Log in to Unified IM and Presence with the username/password combination administrator/dCloud123!.

5. From the menu choose Messaging > External Server Setup > External Databases.

Configure Persistent Chat Database Entry

6. Click Add New.

7. Set the following values:

• Database Name: tcmadb

• Database Type: Postgres

• Description: Persistent Chat Database

• User Name: tcuser

• Password: tcuser

• Confirm Password: tcuser

• Hostname: centos.dcloud.cisco.com

• Port Number: 5432

Figure 253. External Database Settings

8. Click Save.

9. Note that the External Database status indicates that the server is reachable. You may ignore the warning, which indicates
that the server must be mapped to a service for any further tests to be performed.

Figure 254. Database Status

Configure Managed File Transfer Database Entry

10. Click Add New.

11. Set the following values:

• Database Name: mftadb

• Database Type: Postgres

• Description: Managed File Transfer DB

• User Name: mftuser

• Password: mftuser

• Confirm Password: mftuser

• Hostname: centos.dcloud.cisco.com

• Port Number: 5432

Figure 255. External Database Settings

12. Click Save.

13. Note that the External Database status indicates that the server is reachable.

Set Up an External File Server for MFT


In this exercise, we will provision SSH and the file system required to support the Managed File Transfer feature.

1. Switch back to the PuTTY session connected to centos.dcloud.cisco.com. If necessary, open a new PuTTY session to
centos.dcloud.cisco.com. Login as root with the password dCloud123!.

2. To allow private/public key authentication, make sure that the following fields in the /etc/ssh/sshd_config file are set as follows:

• RSAAuthentication yes

• PubkeyAuthentication yes

NOTE: These values are set by default; however, we will validate them with the following step.

3. Type the following command to search the /etc/ssh/sshd_config file for the values described above.

cat /etc/ssh/sshd_config | grep Authentication

4. Press Enter.

5. Multiple lines are returned; however, the output depicted in the graphic indicates that the default value of these two parameters
is set to yes.

Figure 256. Command Output

Add and Configure a User for Managed File Transfer

6. Type the following command to create a user name mftuser:

useradd -m mftuser

7. Press Enter.

8. Switch to the mftuser by typing:

su mftuser

9. Press Enter.

10. Create a .ssh directory under the mftuser home directory that is used as a key store by typing:

mkdir ~mftuser/.ssh/

11. Press Enter.

12. Create an authorized_keys file under the .ssh directory that is used to hold the public key text for each IM and Presence
Service node. Type the following:

touch ~mftuser/.ssh/authorized_keys

13. Press Enter.

14. Set the correct permissions for passwordless SSH to function by typing the following commands. Press Enter after each
command.

chmod 700 ~mftuser

chmod 700 ~mftuser/.ssh/

chmod 700 ~mftuser/.ssh/authorized_keys

15. Type exit to return to the root shell.

Create a Directory Structure for MFT

Next, we will create a file directory structure where files transferred using the MFT feature will be stored. We will ensure that the
user created in the previous step has ownership and the permissions needed to read, write, and delete files.

16. Create a top-level directory named mftFileStore to hold subdirectories for all of the IM and Presence Service nodes that have
managed file transfer enabled, by typing:

mkdir -p /opt/mftFileStore/

17. Press Enter.

18. Give ownership of the newly created /opt/mftFileStore directory to user mftuser.

chown mftuser:mftuser /opt/mftFileStore/

19. Press Enter.

20. Specify directory permissions that permit Read, Write, and Execute by the mftuser account only by typing:

chmod 700 /opt/mftFileStore/

21. Press Enter.

22. Create a subdirectory under /opt/mftFileStore/ for each managed file transfer enabled node. In our case, this is
imp1.dcloud.cisco.com. Type the following commands one per line and press Enter after each:

su mftuser

mkdir /opt/mftFileStore/imp1

23. To verify the previous exercise, enter the following commands and compare the output with the graphic provided. Commands
are entered one per line and the Enter key should be pressed after each.

ls -al ~/.ssh/

ls -al /opt/mftFileStore/

24. Confirm that the output displayed in PuTTY matches the highlighted lines in the graphic. This validates that all required files
and directories have been created and assigned permissions correctly.

Figure 257. Command Output

Obtain the Server Public Key

In order to implement key-based SSH authentication for the mftuser for file transfers between centos.dcloud.cisco.com and
imp1.dcloud.cisco.com, both servers will need to be aware of the Public Key provided by the other. In this step, we will obtain the
Public Key of the MFT server, which will be provided to imp1.dcloud.cisco.com during the configuration process.

1. Obtain the public key of the centos.dcloud.cisco.com file server by typing:

ssh-keyscan -t rsa centos.dcloud.cisco.com

2. Press Enter.

3. Copy the result of the ssh-keyscan command. Highlight the desired text and left-click the mouse to copy the selection to the
buffer. Be certain to copy the entire key value, from the server hostname, FQDN, or IP address to the end. Consult the graphic
below for reference.

Figure 258. Command Copy

4. Open the Notepad text editor by clicking on the icon in the taskbar.

5. Click Format and ensure that Word Wrap is un-checked. We want to paste the key as a single line.

NOTE: Do NOT paste the key text with Word Wrap enabled in Notepad. Ensure that Word Wrap is un-checked before proceeding.

6. Paste the contents of the buffer by using the Ctrl-V key combination. You may also left click and choose Paste from the menu.

Figure 259. Pasted Command

7. Choose File > Save.

8. In the Save As dialog, browse to the Desktop\CST-Jabber folder.

9. Type MFT-Server-Pubkey in the File Name field.

10. Click Save.

11. Close Notepad.

12. Minimize, but leave the PuTTY session open, as it will be used during the provisioning of the MFT feature.
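The file-server steps above (sshd directives, the mftuser account, its key store, the /opt/mftFileStore tree) and the key file just saved from Notepad are the pieces that make passwordless SSH from imp1.dcloud.cisco.com work, and each of them fails silently if a mode, owner or line wrap is wrong. The script below is an added example (not from the lab guide or from Cisco) that checks all of them in one pass: it looks up the effective value of each sshd directive (sshd honours the first uncommented occurrence, so the plain grep in step 3, which also prints the commented defaults, can be misread), verifies ownership and mode of every path the lab creates, and confirms that the saved key file is a single ssh-rsa line with no wrap or CRLF damage. It builds a throwaway sandbox with constructed files so it runs anywhere; the user name and paths (mftuser, /opt/mftFileStore, imp1) are the lab's own and are passed as arguments so the same functions can be pointed at the real host.

```shell
#!/bin/sh
# Added example: audit the MFT file-server prerequisites from the steps above.
# Not part of the lab guide. User/path names are the lab's (mftuser,
# /opt/mftFileStore, imp1); the sandbox built at the bottom is constructed.

# Effective value of an sshd_config directive: sshd honours the FIRST
# uncommented occurrence, and keyword matching is case-insensitive.
sshd_effective() {
  key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  sed -e 's/#.*$//' "$1" | awk -v key="$key" 'NF >= 2 && tolower($1) == key { print $2; exit }'
}

# True when PATH has exactly MODE (octal) / is owned by USER. Uses find so it
# behaves the same on GNU and BSD userlands.
path_mode()  { [ -n "$(find "$1" -maxdepth 0 -perm "$2" -print 2>/dev/null)" ]; }
path_owner() { [ -n "$(find "$1" -maxdepth 0 -user "$2" -print 2>/dev/null)" ]; }

# The line saved from Notepad must be exactly ONE line of three fields,
# "<host> ssh-rsa AAAAB3NzaC1yc2E..." (that base64 prefix encodes the "ssh-rsa"
# type tag every RSA public key starts with). Word Wrap splits the blob over
# several lines, which is no longer a valid key; CRs from Notepad are stripped.
keyscan_line_ok() {
  tr -d '\r' < "$1" | awk '
    NR > 1                                      { bad = 1 }
    NF != 3                                     { bad = 1 }
    $2 != "ssh-rsa"                             { bad = 1 }
    $3 !~ /^AAAAB3NzaC1yc2E[A-Za-z0-9+\/]+=*$/  { bad = 1 }
    END { exit (NR == 1 && !bad) ? 0 : 1 }'
}

# $1 mftuser home, $2 file store root, $3 node subdir, $4 owning user, $5 sshd_config.
# Prints one line per finding; returns 0 when everything passes, 1 otherwise.
audit_mft() {
  rc=0
  for d in PubkeyAuthentication RSAAuthentication; do
    v=$(sshd_effective "$5" "$d")
    if [ "$v" = "yes" ]; then echo "ok   $d yes"
    else echo "FAIL $d is '${v:-unset}'"; rc=1; fi
  done
  if [ "$(sshd_effective "$5" PermitRootLogin)" = "yes" ]; then
    echo "WARN PermitRootLogin yes: prefer a non-root admin account with sudo"
  fi
  for d in "$1" "$1/.ssh" "$2"; do
    if path_mode "$d" 700; then echo "ok   $d mode 700"
    else echo "FAIL $d must be mode 700 (is $(ls -ld "$d" 2>/dev/null | cut -c1-10))"; rc=1; fi
  done
  ak="$1/.ssh/authorized_keys"
  # The lab sets 700; 600 is the usual value for this file, so either is accepted.
  if path_mode "$ak" 700 || path_mode "$ak" 600; then echo "ok   $ak restricted to owner"
  else echo "FAIL $ak readable by group/other, or missing"; rc=1; fi
  for d in "$1/.ssh" "$ak" "$2" "$2/$3"; do
    if path_owner "$d" "$4"; then echo "ok   $d owned by $4"
    else echo "FAIL $d not owned by $4 (or missing)"; rc=1; fi
  done
  return $rc
}

# --- constructed sandbox mirroring the lab layout under a temp dir ----------
WORK=$(mktemp -d)
ME=$(id -un)                       # stands in for mftuser; we cannot create users here
MFT_HOME="$WORK/home/mftuser"
MFT_STORE="$WORK/opt/mftFileStore"
SSHD_CFG="$WORK/sshd_config"
KEY_OK="$WORK/MFT-Server-Pubkey.txt"
KEY_WRAPPED="$WORK/MFT-Server-Pubkey-wrapped.txt"

mkdir -p "$MFT_HOME/.ssh" "$MFT_STORE/imp1"
touch "$MFT_HOME/.ssh/authorized_keys"
chmod 700 "$MFT_HOME" "$MFT_HOME/.ssh" "$MFT_HOME/.ssh/authorized_keys" "$MFT_STORE"

cat > "$SSHD_CFG" <<'EOF'
# Commented lines are the packaged defaults; "grep Authentication" prints them too.
#RSAAuthentication yes
#PubkeyAuthentication yes
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
EOF

# Constructed key material, NOT a real host key; only the ssh-rsa prefix is meaningful.
printf '%s\r\n' 'centos.dcloud.cisco.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleKeyBody0123456789abc=' > "$KEY_OK"
# The same line after Notepad wrapped it: the base64 blob is split across two lines.
printf '%s\n%s\n' 'centos.dcloud.cisco.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC' 'constructedSampleKeyBody0123456789abc=' > "$KEY_WRAPPED"

audit_mft "$MFT_HOME" "$MFT_STORE" imp1 "$ME" "$SSHD_CFG"
keyscan_line_ok "$KEY_OK"      && echo "ok   saved key file is a single ssh-rsa line"
keyscan_line_ok "$KEY_WRAPPED" || echo "rejected wrapped key file, as expected"
```

On the real server, `sshd -T` (run as root) prints the fully resolved configuration and is the authoritative way to read effective directive values; the sed/awk lookup above only approximates it for files without Match blocks. The PermitRootLogin warning reflects the earlier note in this module that production hosts should be administered from a non-root account with sudo.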

Configure Persistent Group Chat


While there are many permission settings and additional administrative controls introduced in the current Collaboration Systems
Release, we will focus on restricting room creation to only those users designated as Group Chat Administrators.

1. Open Internet Explorer and choose the tab for IM and Presence Server (imp1.dcloud.cisco.com). If necessary, launch
Internet Explorer and navigate to Collaboration Admin Links > Cisco Unified IM and Presence Service.

2. Login with Username administrator and Password dCloud123!.

3. From the menu, choose Messaging > Group Chat and Persistent Chat.

Enable Persistent Chat

4. Set the following parameter values:

• Enable Persistent Chat: Checked

• Allow only group chat system administrators to create persistent chat rooms: Checked

• Persistent Chat Database Assignment: tcmadb

Figure 260. Group Chat Alias Settings

5. Click Save.

NOTE: For this change to take effect, the Cisco XCP Router and Cisco XCP Text Conference Manager must be restarted. We
will do so in a later step.

Check Persistent Chat Database Connectivity

6. Navigate to Messaging > External Server Setup > External Databases.

7. Click Find.

8. Click the tcmadb hyperlink to open.

9. Scroll down to External Database Status viewer and observe the connectivity state. All tests should return a successful
result.

Figure 261. Connectivity States

Assign Group Chat Administrator Privileges

Our configuration specifies that ONLY Administrators have the ability to create Chat Rooms. In this exercise, Group Chat
Administrator privileges will be assigned to Charles Holland.

1. From the menu choose Messaging > Group Chat Administrators.

2. Click Add New.

3. Enter the following parameters:

• IM Address: cholland@dcloud.cisco.com

• Nickname: Charles Holland

• Description: Group Chat Administrator

4. Click Save.

5. From the Related Links menu, choose Back to Find/List.

6. Click Go.

7. Click Find and confirm that the row for cholland@dcloud.cisco.com is returned.

8. Place a Checkmark in the Enable group chat system administrator privileges checkbox in the upper left of the screen.

9. Click Save.

Figure 262. User Settings

Modify Jabber Client Configuration


Review the parameters required to enable the Persistent Chat feature and upload an updated Jabber-Config.xml file.

Update Jabber-Config.xml

Persistent Chat is disabled by default in Cisco Jabber for Windows. In order to enable the feature we must update the
jabber-config.xml file. As with our previous exercises, a pre-configured jabber-config.xml file has been staged for you.

1. From the Desktop of wkst1.dcloud.cisco.com, locate and open the folder CST-Jabber.

Figure 263. CST Jabber Folder

2. Use Windows File Explorer to browse to CST-Jabber\Jabber-Config-Files\Module1\.

3. Right click the file jabber-config.xml and click Open with > Notepad.

Figure 264. Open With Notepad

4. The following parameter was added to the Client section of the file to enable Persistent Chat:

• <Persistent_Chat_Enabled>True</Persistent_Chat_Enabled>

Upload Jabber-Config.xml

1. From an active browser session to ucm1.dcloud.cisco.com, use the Navigation menu to choose Cisco Unified OS
Administration.

Figure 265. Cisco Unified OS Administration

2. Click Go.

3. Login with Username administrator and Password dCloud123!.

4. Click Login.

5. From the menu choose Software Upgrades > TFTP File Management.

Figure 266. TFTP File Management

6. Click Upload File.

Figure 267. Upload File Icon

7. From the Upload File dialog, click the Browse button.

Figure 268. Upload File Dialog

8. Use the file explorer to navigate to Desktop\CST-Jabber\Jabber-Config-Files\Module1.

9. Choose the jabber-config.xml file.

10. Click Open.

11. From the Upload File dialog, click Upload File.

12. Observe the status message: File uploaded successfully.

13. Click Close.

Figure 269. File Uploaded Successfully

Restart the Cisco Tftp Service

1. From the Navigation menu choose Cisco Unified Serviceability.

Figure 270. Cisco Unified Serviceability

2. Click Go.

3. Enter the (administrator/dCloud123!) username/password combination.

4. Click Login.

5. From the Menu choose Tools > Control Center – Feature Services.

Figure 271. Tools Menu

6. From the Select Server drop down list, choose ucm1.dcloud.cisco.com.

Figure 272. Select Server Menu

7. Click Go.

8. Under CM Services, choose Cisco Tftp.

9. Click Restart.

10. Click Ok to acknowledge the Service Restart notification.

11. The page will automatically refresh, displaying the status of the restart command. Wait until the message Cisco Tftp Service
Restart Operation was Successful is displayed.

Figure 273. Operation Successful

Verify Jabber-Config.xml

To confirm that the updated jabber-config.xml is being served by ucm1.dcloud.cisco.com we will use a web-browser to request
the jabber-config.xml file from the Unified Communications Manager TFTP Server.

1. Launch Firefox by clicking the icon in the windows taskbar.

2. From the dCloud homepage, navigate to Collaboration User and Test Links > Jabber-Config Check. Optionally, you may
manually navigate to the following URL: http://ucm1.dcloud.cisco.com:6970/jabber-config.xml.

Figure 274. Jabber Config Check

3. Confirm that the jabber-config.xml file reviewed earlier matches the output shown in the web browser.

Figure 275. File Output

4. Close the Firefox browser.
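The same comparison can be scripted so that a stale copy is caught before clients pick it up. This is an added example, not part of the lab or Cisco software: it fetches jabber-config.xml from the TFTP HTTP port, flattens both files into Section/Parameter values and reports any drift; the two XML documents below are constructed samples.

```python
"""Compare the staged jabber-config.xml with the copy served by the Unified CM
TFTP service, parameter by parameter, so a stale cached copy is caught
before clients download it. Added example for this lab guide, not Cisco
code; the two XML documents are constructed, and only fetch_served_config()
touches the network."""
import urllib.request
import xml.etree.ElementTree as ET

TFTP_CONFIG_URL = "http://ucm1.dcloud.cisco.com:6970/jabber-config.xml"


def fetch_served_config(url=TFTP_CONFIG_URL, timeout=5.0):
    """Download the file the way a Jabber client does: plain HTTP, port 6970."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def flatten(xml_text):
    """Map 'Section/Parameter' -> value for every leaf under <config>."""
    root = ET.fromstring(xml_text)
    leaves = {}
    for section in root:            # <Client>, <Directory>, <Options> ...
        for param in section:
            if len(param) == 0:     # leaf such as <Persistent_Chat_Enabled>
                leaves[f"{section.tag}/{param.tag}"] = (param.text or "").strip()
    return leaves


def diff_configs(staged_xml, served_xml):
    """Return sorted (path, staged_value, served_value) tuples that disagree.

    Comparison is case-sensitive on purpose: 'True' and 'true' are reported
    so the operator sees exactly what the server hands out.
    """
    staged, served = flatten(staged_xml), flatten(served_xml)
    return [(p, staged.get(p), served.get(p))
            for p in sorted(set(staged) | set(served))
            if staged.get(p) != served.get(p)]


def persistent_chat_enabled(xml_text):
    """True only when Client/Persistent_Chat_Enabled is present and true."""
    value = flatten(xml_text).get("Client/Persistent_Chat_Enabled", "")
    return value.lower() == "true"


# Constructed samples: the staged Module1 file with the new parameter, and a
# stale served copy from before the upload and Cisco Tftp restart.
STAGED_XML = """<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Client>
    <Persistent_Chat_Enabled>True</Persistent_Chat_Enabled>
  </Client>
  <Options>
    <StartCallWithVideo>false</StartCallWithVideo>
  </Options>
</config>
"""
SERVED_STALE_XML = STAGED_XML.replace(
    "    <Persistent_Chat_Enabled>True</Persistent_Chat_Enabled>\n", "")
```

Against the live server, `diff_configs(staged_text, fetch_served_config())` returning an empty list confirms the restart of Cisco Tftp took effect.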

Restart IM and Presence Services

As stated earlier, when making changes to the Persistent Chat configuration, a restart of the Cisco XCP Router service is
required. In this case, the Cisco XCP Text Conference Manager must also be restarted.

1. Switch back to the active Internet Explorer browser tab connected to the Control Center – Feature Services page.

2. From the Select Server menu, choose imp1.dcloud.cisco.com.

3. Click Go.

4. In the IM and Presence Services section, click the radio button for Cisco XCP Text Conference Manager.

5. If the service status is Running, click Restart. If the service status is Not running, click Start.

6. Confirm that the service starts successfully.

Figure 276. Service Start Successful

7. Navigate to Tools > Control Center – Network Services.

8. From the Select Server menu, choose imp1.dcloud.cisco.com.

9. Click Go.

10. Scroll to the IM and Presence Services section and click the radio button for Cisco XCP Router.

11. Click Restart. You may need to scroll to the top of the page to see the Restart option.

12. Acknowledge the Restart warning if prompted.

NOTE: Because a restart of the Cisco XCP Router service restarts all dependent XCP related services, it may take some time for
this command to fully complete and return a result.

13. Verify a successful restart message is received.

Figure 277. Restart Successful

Test Persistent Chat


In this activity, we will interact with the Group Chat feature to confirm functionality.

Confirm Feature Activation

1. Close the Cisco Jabber for Windows clients (if open) on both wkst1.dcloud.cisco.com and wkst2.dcloud.cisco.com by
clicking Menu > Exit.

2. Switch focus to the wkst1.dcloud.cisco.com (198.18.133.36) RDP session.

3. Launch Cisco Jabber by double clicking the icon on the desktop.

Figure 278. Jabber Icon

4. Login with Username cholland and Password C1sco12345.

5. Notice the Chat Rooms tab now present in the Jabber Client user interface.

Figure 279. Jabber Chat Rooms Icon

6. Switch focus to the wkst2.dcloud.cisco.com (198.18.133.37) RDP session.

7. Launch Cisco Jabber by double clicking the icon on the desktop.

8. Login with Username aperez and Password C1sco12345.

9. Confirm that the Chat Rooms tab is visible.

Create a Restricted Persistent Chat Room

1. Switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36).

2. From the Jabber client click the Chat Rooms tab.

3. Choose All Rooms.

4. Click New Room.

Figure 280. New Chat Room

5. Enter the following values in the dialog:

• Name: CST Members Only

• Description: Collaboration Specialist Training

• Type: Restricted

• Add to My Rooms: Checked

6. Click the Password button to set a room password.

7. On the Set Room Password pop-up, click Password protect this chat room.

8. Type a password of your choice in the Password field, and re-type it in the Verify field.

9. Click Save.

Figure 281. Room Password

10. Confirm that the settings entered match the graphic below and click Create.

Figure 282. New Room Information

11. When the add members to the room dialog is displayed, click Add Now.

Figure 283. Add Room Members

12. In the Add room members search field enter Anita.

13. Double click the contact entry for Anita Perez to add to the list.

14. Click Save.

15. Observe that the CST Members Only group chat window is opened automatically and that Charles Holland is added as an
active conversation participant.

Figure 284. Active Chat Room

Interacting with Persistent Chat

1. Switch to the RDP session connected to wkst2.dcloud.cisco.com (Anita Perez).

2. Click the Chat Rooms tab.

3. Observe that CST Members Only was automatically added to the My Rooms list for Anita Perez. This is because we added
Anita Perez as a user during the room creation process.

Figure 285. Anita Perez Chat Rooms

4. Double click the CST Members Only chat room entry.

5. Enter the password created for the room earlier and click Ok.

6. Observe that both Charles Holland and Anita Perez are present in the participants list.

7. Feel free to type a chat message of your choice such as Hi Charles.

8. Switch back to the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

9. From the main Jabber Client window, click the Chat Rooms tab and choose All rooms.

10. Observe that there are no rooms listed. This is because CST Members Only was created as an unlisted Restricted room
visible only to members. Only Room Moderators can add additional participants, who will then be able to access the room
from the My Rooms list, as we saw in the case of Anita Perez once added as a member.

Figure 286. Charles Holland Chat Rooms

11. Notice a key difference between the CST Members Only room layout displayed for Charles Holland versus Anita Perez; the
room layout for Charles Holland contains an Edit Room menu option as seen below, which is absent from the chat window
on Anita’s Jabber client.

Figure 287. Edit Room Option

12. Recall that Charles Holland is a room administrator while Anita Perez is only a participant. He therefore has the capability to
administer features of the room.

Adding Members and Moderators

13. Click the Edit Room icon.

14. Add Anita Perez as a room moderator by searching for Anita Perez in the Moderators field.

15. Double click the contact record for Anita Perez, to add to the list of moderators.

Figure 288. Room Moderators

16. Click Save.

17. Close the CST Members Only chat window to leave for now.

18. Switch to the RDP session connected to wkst2.dcloud.cisco.com (Anita Perez).

19. Close the active Group Chat window.

20. Notice that a moderator notification is delivered to the Desktop. Click the Enter button.

Figure 289. Room Moderator Notification

21. Examine the Group Chat window and verify that the Edit Room option is now an option for Anita Perez.

22. Click the Edit Room icon.

23. Click the green + icon next to Members.

24. Search for and add Adam McKenzie, then click Save.

25. Observe the current room properties.

Figure 290. Room Information

26. Click Save to complete this change.

Other Persistent Chat Features

The Persistent Chat interface offers several ways to filter notifications, giving priority to activity in rooms of particular interest.
One of the built-in filters, My Mentions, delivers notifications about new chat posts in which the Jabber user has been tagged. This
can be especially valuable when a user is a member of multiple active rooms and needs a way to identify priority communication.

1. Open the RDP session connected to wkst2.dcloud.cisco.com (Anita Perez).

2. Open the CST Members Only Chat Room.

3. Type the @ symbol in the chat window, and notice that this brings up a search field.

4. Search for Charles Holland and double click the contact record.

Figure 291. Charles Holland Contact Record

5. Jabber has created a Tag for user Charles Holland. Type some text of your choice and then press Enter.

Figure 292. User Tagging

6. Switch to the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

7. Observe that there are two notifications displayed on the Chat Rooms tab. When clicked it is apparent that both My Rooms
and Filters have new entries.

Figure 293. Chat Room Notifications

8. Click Filters and observe that the My Mentions filter has an entry because of the IM in which Charles was tagged.

9. Double click the entry for My Mentions @ Charles Holland. An entry for each tagged post will appear.

Figure 294. My Mentions

10. Mouse over the entry from Anita Perez in CST Members Only and click the Door icon to enter the room automatically.

Figure 295. My Mentions Entry

Figure 296. Chat Room Conversation

11. This example illustrates how filters can be used to quickly identify priority communication and join pertinent conversations and
Chat interactions.

12. Feel free to continue testing this feature between our demonstration users. When ready, close all open chat windows on
wkst1 and wkst2 and proceed to the next activity.

Configure Managed File Transfer


While peer-to-peer file transfer between Jabber clients has been available for some time, Managed File Transfer is a new feature
introduced with the Jabber 10.6 client and Collaboration System Release 10.5(2).

Managed File Transfer provides the following key capabilities:

• Support for File Transfer operations in Group Chat/Persistent Chat Rooms

• Compliance and Policy Control for File Transfers

• Administrative control of maximum file transfer size

Confirm the Behavior of Peer-to-Peer File Transfer

1. Open the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

2. Start a new conversation with Anita Perez.

3. Click the Send a file icon.

Figure 297. Send File Icon

4. Browse to the Desktop\CST-Jabber\FileTransfer folder and choose Expenses.xlsx.

Figure 298. File Navigator

5. Click Open.

6. Observe the file transfer status in the chat window.

Figure 299. File Transfer

7. Switch to the RDP session connected to wkst2.dcloud.cisco.com (Anita Perez).

8. An incoming chat notification appears in the task bar. Hover the mouse over the Jabber icon in the Windows task tray and choose
the entry for Charles Holland.

9. A notification in the conversation window of the Jabber Client is displayed prompting the user to accept or decline the file
transfer. Click Accept.

Figure 300. Accept File Transfer

10. Once the transfer is complete, click Show Folder.

11. Files transferred in this way are stored in the path My Documents\MyJabberFiles\<JID of file sender>\. In this case, it was
sent from cholland@dcloud.cisco.com, so the path would be:

My Documents\MyJabberFiles\cholland@dcloud.cisco.com\Expenses.xlsx

Figure 301. Transferred File

12. Switch to the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

13. Open the CST Members Only chat room, by clicking Chat Rooms > My rooms > CST Members Only.

14. Observe that no file transfer option is available in the Group Chat interface. This is because file transfer in Group Chat is only
available once Managed File Transfer has been implemented.

Figure 302. Group Chat Interface

Enable Managed File Transfer in Unified IM and Presence

1. From the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland), open Internet Explorer and click the tab
for IM and Presence Server (imp1.dcloud.cisco.com). Open a new tab and navigate to the server if necessary.

2. Ensure that Cisco Unified CM IM and Presence Administration is selected in the Navigation menu and click Go.

3. Login with Username administrator, Password dCloud123!.

4. Navigate to Messaging > External Server Setup > External File Servers.

Figure 303. External File Servers

5. Click Add New.

6. Configure the following values under External File Server Configuration.

• Name: centos.dcloud.cisco.com

• Host/IP Address: centos.dcloud.cisco.com

• External File Server Directory: /opt/mftFileStore/imp1

• User Name: mftuser

NOTE: Do not attempt to save at this time. The Public Key for centos.dcloud.cisco.com obtained and saved earlier must be
retrieved to complete the configuration.

7. If not already open, open the text file Desktop\CST-Jabber\MFT-Server-Pubkey saved earlier in this exercise.

8. Press Ctrl-A to select all text and then Ctrl-C to copy the text to the computer copy buffer.

9. Switch back to the External File Server Configuration dialog in Internet Explorer.

10. Paste the copied text into the External File Server Public Key field by clicking in the field and using the Ctrl-V keystroke
combination.

Figure 304. Public Key Information

11. Click Save.

12. The External File Server Status output may be disregarded at this point. No connection attempt or test is made until the
feature has been fully enabled.

13. From the menu, choose Messaging > File Transfer.

14. Set the following parameters:

• File Transfer Type: Managed File Transfer

• Maximum File Size: 4096

• External Database: mftadb

• External File Server: centos.dcloud.cisco.com

Figure 305. File Transfer Configuration

15. Click Save.

Add IM and P Public Key for Key-based Authentication

16. Locate the hyperlink for Public Key now present in Node Public Key field in the Managed File Transfer Assignment section
at the bottom of the configuration page.

Figure 306. Public Key

17. Click the Public Key hyperlink.

18. Copy the key text displayed in the View Node Public Key dialog.

Figure 307. Public Key Text

19. Click Close to exit the View Node Public Key dialog.

20. Switch focus to the PuTTY session currently connected to centos.dcloud.cisco.com (left open from earlier in this module).

21. Ensure that you are logged on as user mftuser. To check, type the following command followed by the Enter key.

whoami

22. If the result is anything other than mftuser, type su mftuser followed by the Enter key; otherwise move on to the next step.

23. Use the nano editor to add the Public Key of the imp1.dcloud.cisco.com IM and Presence node to the authorized_keys file
created earlier by typing:

nano /home/mftuser/.ssh/authorized_keys

24. Right click the mouse anywhere inside the PuTTY console to paste the contents of the copy buffer into the editor. The output
should be similar to the graphic below.

Figure 308. Key Output

25. Press Ctrl-Shift X.

26. When prompted to save, type y.

Figure 309. Save Dialog

27. Press Enter to confirm the filename.

Figure 310. File Name Confirmation

28. Confirm that the file has been updated by typing the following command:

cat /home/mftuser/.ssh/authorized_keys

29. The key should be displayed as in the graphic below.

Figure 311. Key Output

30. Close PuTTY once confirmed.
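Both key exchanges in this module, the ssh-keyscan output pasted into the External File Server form and the node key appended to authorized_keys above, depend on the pasted line being intact; the Word Wrap note earlier and the "copy the entire key" instruction exist for that reason. The following added example (not part of the lab or Cisco software) checks a key line for exactly those defects and prints the SHA256 fingerprint in the same form ssh-keygen -lf shows, so it can be compared out of band; the sample key is constructed from tiny made-up RSA numbers.

```python
"""Check an SSH public-key line before pasting it into the IM and Presence
External File Server form (ssh-keyscan output) or into authorized_keys.
Added example for this lab guide, not Cisco code; the sample key at the
bottom is built from tiny made-up RSA numbers and is not a real key."""
import base64
import binascii
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value):
    """SSH mpint: big-endian magnitude, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def build_rsa_blob(e, n):
    """ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def encode_key_line(key_type, blob, host=None, comment=""):
    """Render a blob as a known_hosts line (host given) or an authorized_keys line."""
    fields = ([host] if host else []) + [key_type, base64.b64encode(blob).decode()]
    if comment:
        fields.append(comment)
    return " ".join(fields)

def _ssh_strings(blob):
    """Split a blob into its wire-format strings; a short blob means a partial paste."""
    parts, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("key blob truncated (was the whole key copied?)")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("key blob truncated (was the whole key copied?)")
        parts.append(blob[pos:pos + length])
        pos += length
    return parts

def fingerprint_sha256(blob):
    """Same form ssh-keygen -lf prints: SHA256:<unpadded base64 of the digest>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_key_line(text, expect_type="ssh-rsa"):
    """Parse one key line; raise ValueError naming the defect a paste introduced."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError(f"expected exactly one key line, found {len(lines)} "
                         "(was Word Wrap enabled when the key was pasted?)")
    fields = lines[0].split()
    host = None
    if not fields[0].startswith(KEY_TYPE_PREFIXES):
        host = fields[0]          # known_hosts form: "<host> <type> <base64>"
        fields = fields[1:]
    if len(fields) < 2:
        raise ValueError("line must carry a key type and a base64 key blob")
    key_type, blob_b64, comment = fields[0], fields[1], " ".join(fields[2:])
    if key_type != expect_type:
        raise ValueError(f"key type is {key_type}, expected {expect_type}")
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key blob is not valid base64: {exc}") from exc
    parts = _ssh_strings(blob)
    encoded_type = parts[0].decode("ascii", "replace") if parts else ""
    if encoded_type != key_type:
        raise ValueError(f"blob encodes {encoded_type!r} but line says {key_type!r}")
    if key_type == "ssh-rsa" and len(parts) != 3:   # type, e, n
        raise ValueError(f"ssh-rsa blob should hold 3 fields, found {len(parts)}")
    return {"host": host, "type": key_type, "comment": comment,
            "fingerprint": fingerprint_sha256(blob)}

def validate(text, expect_type="ssh-rsa"):
    """Return None if the line is usable, else the reason it should not be pasted."""
    try:
        parse_key_line(text, expect_type)
    except ValueError as exc:
        return str(exc)
    return None

# Constructed sample (made-up e and n, far too small to be a real key).
SAMPLE_BLOB = build_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
KEYSCAN_LINE = encode_key_line("ssh-rsa", SAMPLE_BLOB, host="centos.dcloud.cisco.com")
AUTHORIZED_LINE = encode_key_line("ssh-rsa", SAMPLE_BLOB, comment="imp1 node key")
```

Running `validate()` over the text saved in MFT-Server-Pubkey and over each line of authorized_keys before step 28 reports a wrapped, partial or mismatched key with a reason instead of a silent connectivity failure later.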

Activate the XCP File Transfer Manager Service

In order to activate the Managed File Transfer features, the Cisco XCP File Transfer Manager service must be activated.

1. Switch back to the active Internet Explorer browser tab connected to imp1.dcloud.cisco.com.

2. From the Navigation menu, choose Cisco Unified IM and Presence Serviceability.

3. Click Go.

4. Login with Username: administrator, Password: dCloud123! (if prompted).

5. From the menu choose Tools > Service Activation.

6. Choose imp1.dcloud.cisco.com and click Go.

7. Place a checkmark next to the Cisco XCP File Transfer Manager service.

Figure 312. File Transfer Manager Service

8. Click Save.

9. Click OK to acknowledge the Service Activation warning.

10. Observe service activation by confirming that the Activation Status has transitioned from Deactivated to Activated.

Confirm Connectivity between Unified IM and Presence and SSHFS

1. Use the Navigation drop down to choose Cisco Unified IM and Presence Administration, click Go.

2. Navigate to Messaging > External Server Setup > External File Servers.

3. Click Find.

4. Click the hyperlink for centos.dcloud.cisco.com.

5. Confirm that all connectivity tests indicate a successful result (as below):

Figure 313. Connectivity Test

6. At this time, close the Cisco Jabber for Windows clients running on wkst1 and wkst2, by choosing Menu > Exit.

Testing Managed File Transfer

1. Open the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

2. If the Jabber client is open, close it now by choosing Menu > Exit.

3. Launch Cisco Jabber by double clicking on the Jabber icon on the Desktop.

4. Login with Username cholland and Password C1sco12345.

5. Switch to the RDP session connected to wkst2.dcloud.cisco.com (Anita Perez).

6. If the Jabber client is open, close it now by choosing Menu > Exit.

7. Launch Cisco Jabber by double clicking on the Jabber icon on the Desktop.

8. Login with Username: aperez and Password: C1sco12345.

9. Switch back to the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

10. Double click the contact for Anita Perez to open a chat window.

11. Click the Send a file icon.

Figure 314. Send File Icon

12. Browse to the Desktop\Jabber-Files\FileTransfer folder and choose Budget.xlsx.

Figure 315. File Navigator

13. Click Open.

14. Switch to the RDP session connected to wkst2.dcloud.cisco.com (Anita Perez).

15. Open the conversation with Charles Holland from the Jabber application running in the task bar.

Figure 316. Task Bar Conversation

16. Notice that rather than being prompted to Accept or Decline the transfer, Anita has the option to Download if desired.

Figure 317. Download Option

This is because, with Managed File Transfer activated for all transfers, the file is uploaded to the External File Server
(centos.dcloud.cisco.com) rather than sent directly to Anita’s workstation. Anita Perez can then choose to download the file at her
leisure.

17. Click Download to complete the file transfer.

18. Click Show Folder and notice that just as with peer to peer file transfer the newly added Budget.xlsx has been saved to the
path My Documents\MyJabberFiles\cholland@dcloud.cisco.com\Budget.xlsx.

19. Close or minimize the active conversation with Charles Holland.

20. Click the Chat Rooms tab.

21. Choose the My Rooms list and open the CST Members Only chat room.

22. Enter the password you assigned to the room when it was created and click OK.

23. Confirm that the Send a file icon is now present from within the Group Chat interface.

Figure 318. Group Chat Interface

24. Feel free to execute a file transfer for either the Budget.xlsx or Expenses.xlsx file in Desktop\CST-Jabber\FileTransfer to
confirm that a file of permitted size is transferred successfully through the Group Chat interface.

Test Administrative Size Restriction for Managed File Transfer

Recall that when configuring the Managed File Transfer feature we set a size limit of 4096 KB (4 MB). We will now attempt to
transfer a file that exceeds this limit to confirm and observe how this restriction is enforced.

25. Click the Send a file icon to initiate the file transfer.

26. Browse to Desktop\CST-Jabber\FileTransfer.

27. Notice that the file SRND.pdf is approximately 48MB in size, which is well over the administrative limit we defined.

28. Choose SRND.pdf and click Open.

29. A notification indicating that the file size exceeds the defined limit is immediately presented in the conversation window.

Figure 319. File Size Restriction

This concludes the Persistent Chat and Managed File Transfer Lab Module.

Module 2: Mobile and Remote Access (MRA) with Cisco Expressway


Module Overview
In this Module, we configure Expressway Core and Edge to provide Mobile and Remote Access (MRA) capability.

About the Cisco Expressway

Cisco Expressway is designed specifically for comprehensive collaboration services provided through Cisco Unified
Communications Manager. It features established firewall-traversal technology and helps redefine traditional enterprise
collaboration boundaries, supporting our vision of any-to-any collaboration.

As its primary features and benefits, Cisco Expressway:

• Offers proven and highly secure firewall-traversal technology to extend your organizational reach

• Helps enable business-to-business, business-to-consumer, and business-to-cloud-service-provider connections

• Provides session-based access to comprehensive collaboration for remote workers, without the need for a separate VPN
client

• Supports a wide range of devices with Cisco Jabber for smartphones, tablets, and desktops

• Complements bring-your-own-device (BYOD) strategies and policies for remote and mobile workers

The Expressway solution is deployed as a pair, an Expressway-C with a trunk and line-side connection to Unified CM, and an
Expressway-E deployed in the DMZ and configured with a traversal zone to an Expressway-C. Expressway may be clustered to
provide High Availability (HA) for deployments.

Expressway-C

Expressway-C delivers any-to-any enterprise wide conference and session management and interworking capabilities. It extends
the reach of TelePresence conferences by enabling interworking between Session Initiation Protocol (SIP) and H.323-compliant
endpoints, interworking with third-party endpoints. It integrates with Unified CM and supports third-party IP private branch
exchange (IP PBX) solutions. Expressway-C implements the tools required for creative session management, including definition
of aspects such as routing, dial plans, and bandwidth usage, while allowing organizations to define call-management applications,
customized to their requirements.

Expressway-E

The Expressway-E deployed with the Expressway-C enables smooth video communications easily and securely outside the
enterprise. It enables business-to-business video collaboration, improves the productivity of remote and home-based workers, and
enables service providers to provide video communications to customers. The application performs securely through
standards-based, secure firewall traversal for all SIP and H.323 devices. As a result, organizations benefit from increased employee
productivity and enhanced communication with partners and customers.

It uses an intelligent framework that allows endpoints behind firewalls to discover paths through which they can pass media, verify
peer-to-peer connectivity through each of these paths, and then choose the optimal connection path, eliminating the need to
reconfigure enterprise firewalls.

The Expressway-E is built for high reliability and scalability, supporting multi-vendor firewalls, and can traverse any number of
firewalls regardless of SIP or H.323 protocol.

External (Remote) Jabber Service Discovery

Jabber Edge Detection is the Jabber Client service discovery process, which allows Cisco Jabber to determine whether it is
operating inside or outside the corporate network relative to the services it needs.

If the DNS query process returns at least one _cisco-uds SRV record, Jabber assumes itself to be internal and uses the
configuration in the assigned UC Service Profile to determine the location and type of services such as the Corporate Directory.
Alternatively, if no _cisco-uds record is returned and at least one _collab-edge DNS SRV record is located, Cisco Jabber
determines that it is remote (outside the corporate network) and uses the host information from the _collab-edge SRV lookup
to negotiate a registration with Expressway.

When operating outside the network, the service discovery process functions as seen in the diagram below.

Figure 320. Collaboration Edge Architecture
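The decision rule described above, written out as an added example that is not part of the lab or Cisco's client code; the SRV tables, targets and ports are constructed to mimic the lab's internal (ad1) and mock public (ad2) DNS servers.

```python
"""Model the Jabber edge-detection decision: _cisco-uds._tcp SRV records
present means internal (use the UC Service Profile); otherwise
_collab-edge._tls SRV records present means remote (register via Expressway-E).
Added example for this lab guide, not Cisco code. The two SRV tables, their
targets and the port numbers are constructed to mimic ad1 and ad2."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Hostname -> SRV records. A name missing from the table resolves to nothing.
INTERNAL_DNS = {   # ad1.dcloud.cisco.com (constructed)
    "_cisco-uds._tcp.dcloud.cisco.com": [SrvRecord(10, 10, 8443, "ucm1.dcloud.cisco.com")],
    "_cisco-uds._tcp.uk.dcloud.cisco.com": [SrvRecord(10, 10, 8443, "ucm1.dcloud.cisco.com")],
    "_cisco-uds._tcp.alpha.com": [SrvRecord(10, 10, 8443, "ucm1.dcloud.cisco.com")],
}
EXTERNAL_DNS = {   # ad2.dcloud.cisco.com (constructed): no _cisco-uds records published
    "_collab-edge._tls.dcloud.cisco.com": [SrvRecord(10, 10, 8443, "exp-e-1.dcloud.cisco.com")],
}


def table_resolver(table):
    """Return a lookup(name) -> [SrvRecord] function backed by a static table."""
    return lambda name: list(table.get(name, []))


def select_target(records):
    """RFC 2782 preference: lowest priority wins, then highest weight."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))[0]


def discover(domain, lookup):
    """Decide internal vs remote for a service domain such as 'dcloud.cisco.com'.

    The order matters: _cisco-uds is tried first, so a public zone that leaked
    that record would make a remote client try to reach Unified CM directly
    instead of going through Expressway. The returned 'queries' list records
    which names were asked, in order, for troubleshooting.
    """
    queries = []
    uds_name = f"_cisco-uds._tcp.{domain}"
    queries.append(uds_name)
    uds = lookup(uds_name)
    if uds:
        rec = select_target(uds)
        return {"mode": "internal", "via": rec.target, "port": rec.port, "queries": queries}
    edge_name = f"_collab-edge._tls.{domain}"
    queries.append(edge_name)
    edge = lookup(edge_name)
    if edge:
        rec = select_target(edge)
        return {"mode": "remote", "via": rec.target, "port": rec.port, "queries": queries}
    return {"mode": "undetermined", "via": None, "port": None, "queries": queries}
```

Swapping `table_resolver` for a real SRV lookup turns this into a quick check of which path a workstation on a given VLAN will take.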

Pre-Configuration

The following configuration steps on Expressway-C and Expressway-E were performed in advance to save time:

• x8.5.3 Software installed

• IP Addresses and Virtual Network interfaces provisioned and connected

• Option Keys Installed to enable Expressway-Core and Expressway-Edge

• Default admin and root account passwords changed

• NTP configured and synchronized

• DNS service and domain name configured

Module Objectives
In this module, we will perform the following tasks:

• Review the baseline configuration of both Expressway-C and Expressway-E

• Identify and add the DNS records required to enable Collaboration Edge

• Perform Certificate Management for Expressway-C and E

• Configure Expressway-C and Expressway-E to enable Mobile Remote Access (MRA)

• Update the jabber-config.xml file to allow for the retrieval of contact photos hosted on a Web Server

• Verify MRA Operation

Module Notes

NOTE: In order to eliminate the possibility of any unexpected interaction and maintain consistency with best practice, Mozilla
Firefox will be used throughout this module when configuring the Cisco Expressway appliances. This is because Microsoft
Internet Explorer 10 is not a supported browser for accessing the Expressway administration pages.


DNS Service Discovery Configuration


Overview

The topology for this lab leverages an internal DNS server (AD1) and a mock external (public) DNS server (AD2). As this is a
self-contained lab pod with no true internet-facing network, VLAN separation will be used to simulate a client placed outside the
enterprise network to test MRA functionality. When placed onto the external network, the workstation will query ONLY external
DNS.

The following is a summary of the DNS A (host) and SRV (service location) records required.

Internal DNS Server – ad1.dcloud.cisco.com (198.18.133.1)

The following records have already been configured on ad1.dcloud.cisco.com:

• exp-c-1.dcloud.cisco.com (A record) pointing to IP address of Expressway-C

• exp-e-1.dcloud.cisco.com (A record) pointing to the LAN1 IP address of Expressway-E

• _cisco-uds._tcp.dcloud.cisco.com (SRV record) pointing to Unified CM (ucm1.dcloud.cisco.com)

• _cisco-uds._tcp.uk.dcloud.cisco.com (SRV record) pointing to Unified CM (ucm1.dcloud.cisco.com)

• _cisco-uds._tcp.alpha.com (SRV record) pointing to Unified CM (ucm1.dcloud.cisco.com)

External DNS Server – ad2.dcloud.cisco.com (198.18.2.11)

In this exercise, one A record for Expressway E is already present and three SRV records will be added:

• exp-e-1.dcloud.cisco.com (A record) pointing to the LAN2 IP address (public) of Expressway-E

• _collab-edge._tls.dcloud.cisco.com (SRV record) pointing to Expressway-E (exp-e-1.dcloud.cisco.com)


• _collab-edge._tls.uk.dcloud.cisco.com (SRV record) pointing to Expressway-E (exp-e-1.dcloud.cisco.com)

• _collab-edge._tls.alpha.com (SRV record) pointing to Expressway-E (exp-e-1.dcloud.cisco.com)
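The edge-detection rule described at the start of this module and the record sets listed above, as an added Python example (not Cisco's or this lab's code): two constructed resolver views stand in for ad1 and ad2, and a small parser reads the Windows nslookup SRV output format used in the verification steps so captured lookups can be run through the same decision. The UDS port 8443 for the _cisco-uds records and the missing A record in the internal view are assumptions.

```python
"""Jabber edge detection over DNS SRV answers (added example, not Cisco's code).
At least one _cisco-uds SRV answer -> inside the enterprise network; none, but at
least one _collab-edge answer -> outside, register through Expressway-E (MRA)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

UDS_PORT = 8443          # assumption: default Unified CM UDS port, not stated on this page
COLLAB_EDGE_PORT = 8443  # port configured for the _collab-edge._tls records in this module
LAB_DOMAINS = ("dcloud.cisco.com", "uk.dcloud.cisco.com", "alpha.com")

@dataclass(frozen=True)
class SrvRecord:
    name: str                      # owner name, e.g. _collab-edge._tls.dcloud.cisco.com
    priority: int
    weight: int
    port: int
    target: str                    # host offering the service
    address: Optional[str] = None  # A record for target, when the answer carried one

def srv_name(service: str, proto: str, domain: str) -> str:
    return f"{service}.{proto}.{domain}".lower()

def make_view(entries) -> Dict[str, List[SrvRecord]]:
    """Build an owner-name -> records table; stands in for a DNS resolver."""
    view: Dict[str, List[SrvRecord]] = {}
    for svc, proto, dom, prio, weight, port, target, addr in entries:
        name = srv_name(svc, proto, dom)
        view.setdefault(name, []).append(SrvRecord(name, prio, weight, port, target.lower(), addr))
    return view

# Constructed views of the two lab DNS servers: a workstation on the inside resolves
# against ad1 (_cisco-uds present); on the external VLAN it sees only ad2 (_collab-edge).
INTERNAL_VIEW = make_view(
    ("_cisco-uds", "_tcp", d, 0, 0, UDS_PORT, "ucm1.dcloud.cisco.com", None) for d in LAB_DOMAINS)
EXTERNAL_VIEW = make_view(
    ("_collab-edge", "_tls", d, 0, 0, COLLAB_EDGE_PORT, "exp-e-1.dcloud.cisco.com", "198.18.1.152")
    for d in LAB_DOMAINS)

def select_target(records: List[SrvRecord]) -> SrvRecord:
    """Lowest priority wins; within a priority take the highest weight (RFC 2782 uses a
    weighted random choice there; this deterministic simplification suffices for a check)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))[0]

def discover(domain: str, view: Dict[str, List[SrvRecord]]) -> dict:
    """Return where Jabber would register for `domain` given the SRV answers in `view`."""
    for mode, service, proto in (("internal", "_cisco-uds", "_tcp"),
                                 ("external", "_collab-edge", "_tls")):
        answers = view.get(srv_name(service, proto, domain), [])
        if answers:
            best = select_target(answers)
            return {"mode": mode, "record": best.name, "host": best.target, "port": best.port}
    return {"mode": "undetermined", "record": None, "host": None, "port": None}

def check_collab_edge(rec: SrvRecord) -> List[str]:
    """Sanity checks for a _collab-edge record as it should look after this module."""
    problems = []
    if not rec.name.startswith("_collab-edge._tls."):
        problems.append("owner name is not _collab-edge._tls.<domain>")
    if rec.port != COLLAB_EDGE_PORT:
        problems.append(f"port {rec.port} != {COLLAB_EDGE_PORT}")
    if rec.address is None:
        problems.append(f"no A record resolved for {rec.target}")
    return problems

# Constructed sample in the format Windows nslookup prints after `set type=srv`.
SAMPLE_NSLOOKUP = """\
_collab-edge._tls.dcloud.cisco.com      SRV service location:
          priority       = 0
          weight         = 0
          port           = 8443
          svr hostname   = exp-e-1.dcloud.cisco.com
exp-e-1.dcloud.cisco.com        internet address = 198.18.1.152
"""
_SRV_HDR = re.compile(r"^(\S+)\s+SRV service location:")
_SRV_FLD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)")
_A_LINE = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)")

def parse_nslookup_srv(text: str) -> List[SrvRecord]:
    """Turn captured nslookup SRV output into SrvRecord objects (A records attached)."""
    raw: List[dict] = []
    addrs: Dict[str, str] = {}
    for line in text.splitlines():
        if m := _SRV_HDR.match(line):
            raw.append({"name": m.group(1).lower()})
        elif (m := _SRV_FLD.match(line)) and raw:
            raw[-1][m.group(1)] = m.group(2)
        elif m := _A_LINE.match(line):
            addrs[m.group(1).lower()] = m.group(2)
    return [SrvRecord(r["name"], int(r["priority"]), int(r["weight"]), int(r["port"]),
                      r["svr hostname"].lower(), addrs.get(r["svr hostname"].lower()))
            for r in raw]

if __name__ == "__main__":
    for dom in LAB_DOMAINS:
        print(dom, discover(dom, INTERNAL_VIEW)["mode"], "/", discover(dom, EXTERNAL_VIEW)["mode"])
    for rec in parse_nslookup_srv(SAMPLE_NSLOOKUP):
        print(rec.name, f"{rec.target}:{rec.port}", check_collab_edge(rec) or "OK")
```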

DNS Service Records (SRV) for External Resolution

1. Switch focus to or launch the RDP session connected to ad2.dcloud.cisco.com (198.18.2.11). If opening a new session,
login using (administrator / C1sco12345).

2. From the Task Bar Click the DNS Manager icon.

3. Click the + next to Forward Lookup Zones.

4. Choose dcloud.cisco.com to highlight the zone.


Figure 321. Cisco dCloud Zone

5. Review the listed DNS host records in the right-hand pane. Confirm that a record for exp-e-1 (198.18.1.152) exists as seen in
the graphic below.

Figure 322. Record Information

6. Right-click on the dcloud.cisco.com zone.

7. Choose Other New Records from the menu.

Figure 323. Other New Records

8. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.

9. Click Create Record.

10. Fill out the New Resource Record form as follows:

o Domain: dcloud.cisco.com (already populated)

o Service: _collab-edge

o Protocol: _tls

o Priority: 0 (default)

o Weight: 0 (default)

o Port Number: 8443

o Host offering this service: exp-e-1.dcloud.cisco.com


Figure 324. SRV Information

11. Click OK.

12. Click Done to close the Resource Record Type dialog.

NOTE: As mentioned earlier, the addition of records for alpha.com and uk.dcloud.cisco.com are NOT required to successfully
demonstrate the functionality featured in this lab. For practical consistency, we will add the required records as though the
environment did support three fully independent domains.

13. Choose alpha.com to highlight the zone.

14. Right-click on the alpha.com zone.

15. Choose Other New Records from the menu.

16. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.

17. Click Create Record.

18. Fill out the New Resource Record form as follows:

o Domain: alpha.com (already populated)

o Service: _collab-edge

o Protocol: _tls

o Priority: 0 (default)

o Weight: 0 (default)

o Port Number: 8443

o Host offering this service: exp-e-1.dcloud.cisco.com


Figure 325. SRV Location

19. Click OK.

20. Click Done to close the Resource Record Type dialog.

21. Choose uk.dcloud.cisco.com to highlight the zone.

22. Right-click on the uk.dcloud.cisco.com zone.

23. Choose Other New Records from the menu.

24. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.

25. Click Create Record.

26. Fill out the New Resource Record form as follows:

o Domain: uk.dcloud.cisco.com (already populated)

o Service: _collab-edge

o Protocol: _tls

o Priority: 0 (default)

o Weight: 0 (default)

o Port Number: 8443

o Host offering this service: exp-e-1.dcloud.cisco.com

Figure 326. SRV Location


27. Click OK.

28. Click Done to close the Resource Record Type dialog.

29. Close the DNS Manager application.

Verify DNS Records

1. Click the Command Prompt icon on the task bar.

Figure 327. Command Prompt Icon

2. Type nslookup and press Enter.

3. Type set type=srv (use lowercase) and press Enter.

4. Type _collab-edge._tls.dcloud.cisco.com and press Enter.

5. SRV record data similar to the output shown below should be returned by DNS server ad2.dcloud.cisco.com. Because we are
using the nslookup utility on ad2.dcloud.cisco.com, the DNS server name will be localhost.

Figure 328. SRV Record Data

6. A successful result returns both the FQDN of the host(s) offering the service and the resolved IP address(es) associated
with the host(s), as depicted in red text in the graphic above.

NOTE: If you see error text indicating a failure to look up this or subsequent _collab-edge SRV records, for example
Non-existent domain, perform the following steps:

• Confirm that the command entered is exactly as specified in the guide and retry.

• Confirm that the settings of the SRV record match the previous configuration steps.

If unable to resolve the issue, please notify a proctor. Do not continue until a successful validation result is returned.

Figure 329. Error Message

7. Type _collab-edge._tls.alpha.com and press Enter.


8. SRV record data similar to the output shown below should be returned by DNS server ad2.dcloud.cisco.com (localhost).

Figure 330. Correct Output

9. Type _collab-edge._tls.uk.dcloud.cisco.com and press Enter.

10. SRV record data similar to the output shown below should be returned by DNS server ad2.dcloud.cisco.com (localhost).

Figure 331. SRV Record Return

11. Type exit and press Enter to close the Command Prompt.

12. This completes the addition of Service Location Records required to support Mobile and Remote Access (MRA) functionality.

13. Close the Command Prompt.

Expressway-C Initial Configuration


1. Open the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36).

2. Launch the Mozilla Firefox browser by clicking on the icon in the task bar.

Figure 332. Firefox Icon

3. From the dCloud homepage menu choose Collaboration Admin Links > Cisco Expressway-C.

Figure 333. Expressway-C Server


4. Acknowledge any certificate warnings and proceed to the website. We will be installing a CA signed certificate in a later step.

5. Login with Username: admin, Password: dCloud123!.

Figure 334. Login Prompt

DNS

6. From the menu choose System > DNS.

7. Review the following configuration parameters:

• System host name: exp-c-1

• Domain name: dcloud.cisco.com

• Address 1: 198.18.133.1

Figure 335. DNS Settings

NTP

8. Navigate to System > Time.

9. Review the following parameters:

• NTP server 1: 198.18.128.1

• Time zone: UTC

10. Confirm that the current NTP State value is Synchronized.


Figure 336. NTP State

Expressway-E Initial Configuration


1. Open a new tab in the active Firefox browser.

2. From the dCloud homepage menu choose Collaboration Admin Links > Cisco Expressway-E.

Figure 337. Expressway-E Link

3. Acknowledge any certificate warnings and proceed to the website. We will be installing a CA signed certificate in a later step.

4. Login with Username: admin, Password: dCloud123!.

Figure 338. Login Prompt

DNS

5. From the menu choose System > DNS.

6. Review the following configuration parameters:

• System host name: exp-e-1

• Domain name: dcloud.cisco.com

• Address 1: 198.18.133.1


Figure 339. DNS Settings

NTP

7. Navigate to System > Time.

8. Review the following parameters:

• NTP server 1: 198.18.128.1

• Time zone: UTC

9. Confirm that the current NTP State value is Synchronized.

Figure 340. NTP State

Configure Expressway-E for Unified Communications


It is necessary to set the Unified Communications mode on Expressway-E, before performing certificate management.

Set the Unified Communications Mode

1. Open the Firefox browser tab connected to Expressway-E (exp-e-1).

2. Login with Username: admin and Password: dCloud123! (If prompted).

3. Navigate to Configuration > Unified Communications > Configuration.

4. Set the Unified Communications mode value to Mobile and remote access.

5. Click Save.


Certificate Management for Expressway


Obtain the CA Root Certificate

In an earlier activity related to the initial deployment of Cisco Unified IM and Presence, the Root Certificate was downloaded from
the CA hosted on ad1.dcloud.cisco.com.

1. Switch to the active RDP session to wkst1.dcloud.cisco.com (198.18.133.36).

2. Use the Windows file explorer to browse to the Desktop\CST-Jabber\Downloads folder.

3. Confirm the presence of the file CARootCert.cer.

NOTE: If CARootCert.cer is present in this folder, move on to the next activity: Install CA Root on Expressway-C

4. If unable to locate the CARootCert.cer, follow the next steps to obtain and download it.

5. Launch Internet Explorer, or open a new tab if already open.

6. From the dCloud homepage choose dCloud Certificates > AD1 Certificate Services. Optionally, you may navigate to
http://ad1.dcloud.cisco.com/certsrv.

Figure 341. AD1 Certificate Services

7. Authenticate with Username: administrator and Password: C1sco12345.

Figure 342. Login Prompt

8. Click Download a CA certificate, certificate chain, or CRL.

9. Choose the radio button for Base 64 and then click Download CA certificate.

10. Click Save when prompted.

11. Minimize Internet Explorer and open the Desktop\CST-Jabber\Downloads folder.

12. Rename the certnew.cer file to CARootCert.cer.

Install CA Root Certificate on Expressway-C

1. Switch to the Firefox browser tab connected to Expressway-C (exp-c-1).


2. If prompted login with admin/dCloud123!.

3. From the menu choose Maintenance > Security certificates > Trusted CA certificate.

4. In the Upload section, click the Browse button.

Figure 343. Trusted CA Certificate

5. Use the file explorer to browse to Desktop\CST-Jabber\Downloads.

6. Choose the file CARootCert.cer.

Figure 344. File Browser

7. Click Open.

8. Click Append CA certificate, to complete the upload.

Figure 345. Append CA Certificate

9. Confirm that the upload was successful. Note that a new certificate appears in the list: CN=dcloud-AD1-CA.

Figure 346. Trusted Certificate


Generate and Download a Client-Server CSR on Expressway-C

10. From the main menu choose Maintenance > Security certificates > Server Certificate.

11. Click Generate CSR.

12. Set the following values:

• Key Length: 2048

• Country: US

• State or province: Texas

• Locality: Richardson

• Organization: Cisco Systems

• Organizational unit: dCloud

Figure 347. CSR Information

13. Click Generate CSR.

14. Click Download.


Figure 348. Download CSR

15. Choose the radio button for Save when prompted and click OK.

16. Use Windows File Explorer to navigate to the folder Desktop\CST-Jabber\Downloads.

17. Locate the filename beginning with CSR_exp-c-1.

Figure 349. File Navigator

18. Rename the file as exp-c-1-server.csr.

19. Click Yes to acknowledge the filename extension warning.

Figure 350. Extension Warning

Install CA Root Certificate on Expressway-E

1. Open the Firefox browser tab connected to Expressway-E (exp-e-1).

2. If prompted, login as admin/dCloud123!.

3. From the menu choose Maintenance > Security certificates > Trusted CA certificate.

4. In the Upload section, click the Browse button.

Figure 351. Upload CA Certificate


5. Use the file explorer to browse to Desktop\CST-Jabber\Downloads.

6. Choose the file CARootCert.cer.

Figure 352. CA File

7. Click Open.

8. Click Append CA certificate, to complete the upload.

9. Confirm that the upload was successful. Note that a new certificate appears in the list: CN=dcloud-AD1-CA.

Generate and Download a Client-Server CSR on Expressway-E

NOTE: The CSR field Unified CM registration domains is not added to the CSR until the Unified Communications mode is
enabled on Expressway-E. Recall that this configuration step was performed earlier in the module.

1. From the main menu choose Maintenance > Security certificates > Server Certificate.

2. Click Generate CSR.

3. Set the following values:

• Unified CM registration domains: dcloud.cisco.com,uk.dcloud.cisco.com,alpha.com

• Key Length: 2048

• Country: US

• State or province: Texas

• Locality: Richardson

• Organization: Cisco Systems

• Organizational unit: dCloud


Figure 353. CSR Configuration

4. Click Generate CSR.

5. Click Download.

Figure 354. Download CSR

6. Choose the radio button for Save when prompted and click OK.

7. Use Windows File Explorer to navigate to the folder Desktop\CST-Jabber\Downloads.

8. Locate the filename beginning with CSR_exp-e-1.


Figure 355. File Navigator

9. Rename the file as exp-e-1-server.csr.

10. Click Yes to acknowledge the filename extension warning.

Submit and Download a CA Signed Certificate for Expressway-C

1. Open or switch focus to the CST-Jabber\Downloads folder.

2. Double click the file exp-c-1-server.csr to open.

3. From the Notepad main menu choose Format > Word Wrap.

Figure 356. Word Wrap

4. Press CTRL-A to highlight all text in the open file.

5. Press CTRL-C to copy highlighted data into the computer buffer.

6. Close the Notepad application.

7. Switch focus back to Firefox and open a new tab.

8. From the menu choose dCloud Certificates > AD1 Certificate Services. Optionally, you may navigate to
http://ad1.dcloud.cisco.com/certsrv.

9. Authenticate with Username: administrator and Password: C1sco12345 (if prompted).

Figure 357. Login Prompt

10. Click Request a certificate.


11. Click advanced certificate request.

12. Click in the Saved Request field to make it active.

13. Press CTRL-V to paste the data saved to the computer buffer.

14. From the Certificate Template drop down choose ClientServer.

Figure 358. Certificate Request

15. Click Submit.

16. Choose Base 64 encoded.

Figure 359. Download Certificate

17. Click Download certificate.

18. Select Save File and click OK.

19. Open the Desktop\CST-Jabber\Downloads folder.

20. Rename the certnew.cer file to exp-c-1-CA-server.cer.

Figure 360. CA File Rename

Submit and Download a CA Signed Certificate for Expressway-E

1. Open or switch focus to the CST-Jabber\Downloads folder.


2. Double click the file exp-e-1-server.csr to open.

3. Press CTRL-A to highlight all text in the open file.

4. Press CTRL-C to copy highlighted data into the computer buffer.

5. Close the Notepad application.

6. Switch focus back to Firefox and the Active Directory Certificate Services webpage.

7. Click the Home hyperlink in the upper right of the page.

8. Click Request a certificate.

9. Click advanced certificate request.

10. Click in the Saved Request field to make it active.

11. Press CTRL-V to paste the data saved to the computer buffer.

12. From the Certificate Template drop down choose ClientServer.

Figure 361. Certificate Request

13. Click Submit.

14. Choose Base 64 encoded.

Figure 362. Download Certificate

15. Click Download certificate.

16. Choose Save File and click OK.


17. Open the Desktop\CST-Jabber\Downloads folder.

18. Rename the certnew.cer file to exp-e-1-CA-server.cer.

Figure 363. File Rename

NOTE: A custom certificate template covering Client/Server authentication is required to support CA signed certificate generation
for Cisco Expressway. This template has been pre-configured and the details of this process can be found in Appendix C.

Upload CA Signed Certificate to Expressway-C

1. Open the Firefox browser tab connected to Expressway-C (exp-c-1).

2. If prompted login with admin/dCloud123!.

3. From the menu choose Maintenance > Security certificates > Server certificate.

4. In the Upload new certificate section, click Browse.

5. Navigate to the Desktop\CST-Jabber\Downloads folder.

6. Choose the file exp-c-1-CA-server.cer and click Open.

Figure 364. Upload New Certificate

7. Click Upload server certificate data.

8. Observe the status message after the upload indicating success, with a need to perform a restart.

Figure 365. Upload Success Message

9. Choose Maintenance > Restart Options.

10. Click Restart on the Restart options page.


Figure 366. System Restart

11. Click OK to confirm the restart.

12. The page will provide progress updates as the restart progresses.

Figure 367. Restart Progress Message

Upload CA Signed Certificate to Expressway-E

1. Open the Firefox browser tab connected to Expressway-E (exp-e-1).

2. If prompted login as admin/dCloud123!.

3. From the menu choose Maintenance > Security certificates > Server certificate.

4. In the Upload new certificate section, click Browse.

5. Navigate to the Desktop\CST-Jabber\Downloads folder.

6. Choose the file exp-e-1-CA-server.cer and click Open.

Figure 368. Upload New Certificate

7. Click Upload server certificate data.

8. Observe the status message after the upload indicating success, with a need to perform a restart.


Figure 369. File Upload Success

9. Choose Maintenance > Restart Options.

10. Click Restart on the Restart options page.

Figure 370. System Restart

11. Click OK to confirm the restart.

12. The page will provide progress updates as the restart progresses.

Figure 371. Restart Progress

Configure Expressway-C for Unified Communications


Set the Unified Communications Mode

1. Open the Firefox browser tab connected to Expressway-C (exp-c-1).

2. Login with Username: admin and Password: dCloud123! (If prompted).

3. Navigate to Configuration > Unified Communications > Configuration.

4. In the Unified Communications mode field, use the drop-down menu to choose Mobile and Remote Access.

5. Set the Single Sign-On support field to off.


Figure 372. Expressway Settings

6. Click Save.

Configure Unified Communications Domains

You must identify the domains for which registration, call control, provisioning, messaging, and presence services are to be routed
to Unified CM. Recall that our IM and Presence deployment has been implemented with Multi-Domain support, servicing
dcloud.cisco.com, uk.dcloud.cisco.com, and alpha.com. In the following steps, you will create a domain entry for each.

• SIP registrations and provisioning on Unified CM: Endpoint registration, call control and provisioning for this SIP
domain is serviced by Unified CM. The Expressway acts as a Unified Communications gateway to provide secure
firewall traversal and line-side support for Unified CM registrations.

• IM and Presence services on Unified CM: Instant messaging and presence services for this SIP domain are
provided by the Unified CM IM and Presence service.

1. Navigate to Configuration > Domains.

2. Click New.

3. Enter the following parameters:

• Domain Name: dcloud.cisco.com

• SIP registration: On

• IM and Presence: On

Figure 373. Domain Parameters


4. Click Create Domain.

5. Repeat the steps above to add uk.dcloud.cisco.com and alpha.com.

6. Confirm that the list of domains appears as below:

Figure 374. Domain Status

Discovering IM and Presence Services

The Expressway-C must be configured with the address details of the IM&P servers and Unified CM servers that are to provide
registration, call control, provisioning, messaging and presence services.

NOTE: An application user with id CollabEdgeAXL has been created in advance on Unified CM. This user is assigned ONLY the
Standard AXL API Access role.

1. Navigate to Configuration > Unified Communications > IM and Presence Service nodes.

2. Click New.

3. Configure the following parameters:

• IM and Presence publisher address: imp1.dcloud.cisco.com

• Username: CollabEdgeAXL

• Password: dCloud123!

• TLS verify mode: On

Figure 375. Add Address

4. Click Add address.

5. Confirm that the IM and Presence node is added successfully with communication established.


Figure 376. IM and Presence Node Added

Discovering Unified CM Services

NOTE: Expressway-C uses the information from the Unified CM node discovery process to automatically generate
non-configurable neighbor zones between itself and each Unified CM node.

6. Navigate to Configuration > Unified Communications > Unified CM servers.

7. Click New.

8. Configure the following parameters:

• Unified CM publisher address: ucm1.dcloud.cisco.com

• Username: CollabEdgeAXL

• Password: dCloud123!

• TLS verify mode: On

Figure 377. Unified CM Server Parameters

9. Click Add address.

10. Notice that after discovery, there is both an error message regarding security of SIP messages exchanged between
Expressway-C and Unified CM and a success indicator. The error regarding a failure to connect on a secure SIP signaling port
may be disregarded. Confirm that a successful addition is made.

Figure 378. Discovery Messages

NOTE: The error referenced above is NOT related to the SSL certificate verification enabled when the TLS verify mode is
set to On. Rather, the discovery process attempts to communicate on a secure SIP port toward Unified CM. This would
only succeed if the Unified CM Cluster Security Mode had been set to Mixed or Secure, enabling TLS for signaling traffic. Our
Unified CM cluster is running in Mode 0, Insecure (the default).


Discovering Unity Connection Services

11. Navigate to Configuration > Unified Communications > Unity Connection servers.

12. Click New.

13. Configure the following parameters:

• Unified CM publisher address: cuc1.dcloud.cisco.com

• Username: administrator

• Password: dCloud123!

• TLS verify mode: On

Figure 379. Unity Connection Server Parameters

14. Click Add address.

15. Confirm that the Unity Connection node is added successfully with communication established.

Figure 380. Communication Established

Create a Secure Traversal between Expressway-E and Expressway-C


Follow these steps to create a new Unified Communications Traversal zone to allow for securely tunneled communication between
Expressway-C and Expressway-E.

Configure a Unified Communications Traversal Zone on Expressway-E

Recall that the Traversal between Expressway-C and Expressway-E operates on a Client/Server relationship. Expressway-E
operates as the server and Expressway-C, the client. Notice that during the configuration process a local user account is created
on Expressway-E for authentication of the Traversal connection. During the configuration of the Traversal Zone on Expressway-C
this username and password combination will be entered and then used to authenticate the Traversal Tunnel.

1. Switch to the Firefox browser tab connected to Expressway-E (exp-e-1).


2. Login with Username: admin and Password: dCloud123!.

3. Go to Configuration > Zones > Zones.

4. Click New.

Figure 381. New Zone

5. In the Name field, type UC Traversal Zone.

6. Choose Unified Communications traversal from the drop-down list.

7. Under Connection credentials, click the hyperlink for Add/Edit local authentication database to quickly add an
authentication user and credential which will be assigned to this zone.

Figure 382. Add User

8. The Local authentication database configuration screen will pop-up in a new window.

9. Click the New button to add a new user.

10. In the Name field, enter traversal-admin.

11. In the Password field, enter dCloud123!.

Figure 383. Credentials Dialog

12. Click Create credential.

13. Close the Local authentication database window to resume configuration of the Traversal Zone.

14. In the Username field, type traversal-admin.

15. Set the TLS verify subject name value to exp-c-1.dcloud.cisco.com.

16. Consult the figure below to ensure accuracy of configured field values:


Figure 384. Zone Parameters

17. Click Create zone.

Configure a Unified Communications Traversal Zone on Expressway-C

Follow these steps to create a new Unified Communications Traversal zone matching the configuration of the Zone already created
on Expressway-E. Note that when defining the Traversal on Expressway-C, we must supply the username and password created
for authentication on Expressway-E. The encrypted traversal tunnel is always initiated by Expressway-C as the client, which must
successfully authenticate to the server (Expressway-E).

1. Switch to the Firefox tab connected to Expressway-C (exp-c-1).

2. Navigate to Configuration > Zones > Zones.

3. Click New.

4. Configure the Zone with the following settings:

• Name: UC Traversal Zone

• Type: Unified Communications traversal

• Username: traversal-admin

• Password: dCloud123!


• Port: 7001

• Peer 1 address: exp-e-1.dcloud.cisco.com

5. Consult the graphic to confirm accuracy and when ready click Create zone.

Figure 385. New Zone Parameters

Verify Unified Communications Traversal on Expressway-C

1. The list of configured zones for Expressway-C along with current status should appear as below, immediately following zone
creation:

Figure 386. Zone Status

2. Click the hyperlink for UC Traversal Zone.

3. Scroll to the bottom of the page and confirm that Peer 1 address displays a SIP: Reachable message and that the Status is
Active.


Figure 387. SIP Reachable

Status Errors: If you see an error such as the following and the zone status fails to transition to Active, it is likely that there
is a credential error. Re-type the password of the traversal-admin user and ensure that the user name is typed exactly as defined
earlier on Expressway-E. If this fails to bring the zone active, open the Expressway-E console and confirm that the user account
specified is spelled as expected. If the username spelling is correct, then reset the password of the user, ensuring complete
accuracy. Check the zone status on Expressway-C once more and proceed once a successful validation result is achieved.

4. Navigate to Configuration > Zones > Zones. Check the list of Zones on Expressway-C against the graphic below:

Figure 388. Zone Status

• CEtcp-ucm1.dcloud.cisco.com: Neighbor zone created automatically during the discovery process.

• UC Traversal Zone: Secure Unified Communications Traversal.

Verify Unified Communications Traversal on Expressway-E

1. Open the Firefox browser tab connected to Expressway-E (exp-e-1).

2. Navigate to Configuration > Zones > Zones.


Figure 389. Zone Status

3. Confirm that the status of the UC Traversal Zone is active.

Validate Unified Communications Status on Expressway


With the Expressway configuration to enable MRA complete, we will use the Unified Communications status page on both
Expressway-C and Expressway-E to confirm that all required service provisioning and routing has been successfully added.

Unified Communications Status Expressway-C

1. Open the Firefox browser tab connected to Expressway-C (exp-c-1).

2. From the menu choose Status > Unified Communications.

3. Confirm that the output of the webpage matches the highlighted areas of the graphic below.

Figure 390. Unified Communications Status


Unified Communications Status Expressway-E

1. Open the Firefox browser tab connected to Expressway-E (exp-e-1).

2. From the menu choose Status > Unified Communications.

3. Confirm the output of the webpage matches the highlighted areas of the graphic below.

Figure 391. Unified Communications Status

Contact Photo Resolution with MRA


Overview

Until now, our Jabber clients have been connected to the internal network, where they resolve the LDAP directory discovered
through service discovery and use the User Photo attribute in Microsoft Active Directory as the source for contact photos.

When registered via MRA through Cisco Expressway, however, the Jabber client automatically uses UDS for contact resolution,
because LDAP is not proxied through Expressway.

NOTE: When Cisco Jabber is running in remote mode through MRA, the Corporate Directory and contact source type is
automatically set to UDS. There is no additional configuration required for this behavior to function.

For contact photo resolution outside the enterprise network, a Web Server must be used to host directory contact photos. A
parameter is then added to the jabber-config.xml file to notify the Jabber Client of the location of contact photos.

Server ad2.dcloud.cisco.com has been configured to host contact photos at the following URL:

• http://ad2.dcloud.cisco.com/directory/.

Contact photos stored in this directory are named with the following convention:

• <sAMAccountName>.jpg

Recall that during the deployment process we specified that the User ID for Unified CM and IM and Presence users would be
mapped to the LDAP attribute sAMAccountName.

So for example, one could view the directory photo for user Anita Perez (aperez) by navigating to
http://ad2.dcloud.cisco.com/directory/aperez.jpg.

Because we have a predictable naming convention that matches an attribute (User ID) that the Cisco Jabber client is aware of, we
can define a query string using substitution that will request and return the photos of users in our Jabber contact list.

In the following activity you will review the parameter and format required to enable contact photo resolution while
connected using MRA, upload an updated jabber-config.xml file, and finally add an HTTP server allow list entry on
Expressway-C so that the Jabber client, when registered via MRA, can reach the web server hosting the photos through the
Expressway tunnel.

Update Jabber-Config.xml

In order to enable external contact photo resolution we must update the jabber-config.xml file. As with previous exercises, a pre-
configured jabber-config.xml file has been staged for you.

1. From the Desktop of wkst1.dcloud.cisco.com, locate and open the folder CST-Jabber.

2. Use Windows File Explorer to browse to CST-Jabber\Jabber-Config-Files\Module2\.

3. Right click the file jabber-config.xml and choose Open with > Notepad.

Figure 392. Open With Notepad

4. The following parameter is appended to the Directory section of the file to enable contact photo resolution from a web server.
Observe the substitution token %%uid%% (highlighted in red in the graphic), which Jabber replaces with the contact's User ID:

<UDSPhotoURIWithToken>http://ad2.dcloud.cisco.com/directory/%%uid%%.jpg</UDSPhotoURIWithToken>

5. Close the file when finished reviewing.

Upload Jabber-Config.xml

1. From an active browser session to ucm1.dcloud.cisco.com, use the Navigation menu to choose Cisco Unified OS
Administration.

Figure 393. OS Administration

2. Click Go.

3. Login with Username: administrator and Password: dCloud123!.

4. Navigate to Software Upgrades > TFTP File Management.

Figure 394. TFTP File Management

5. Click Upload File.

Figure 395. Upload File Icon

6. From the Upload File dialog, click the Browse button.

Figure 396. Upload File Dialog

7. Use the file explorer to navigate to Desktop\CST-Jabber\Jabber-Config-Files\Module2.

8. Choose the jabber-config.xml file.

9. Click Open.

10. From the Upload File dialog, click Upload File.

11. Observe the status message: File uploaded successfully.

12. Click Close.

Restart the Cisco Tftp Service

1. From the Navigation menu, choose Cisco Unified Serviceability.

Figure 397. Cisco Unified Serviceability

2. Click Go.

3. Enter the (administrator/dCloud123!) username/password combination.

4. Click Login.

5. From the menu choose Tools > Control Center – Feature Services.

Figure 398. Feature Services

6. From the Choose Server drop down list, choose ucm1.dcloud.cisco.com.

Figure 399. Select Server

7. Click Go.

8. Under CM Services, choose Cisco Tftp.

9. Click Restart.

10. Click Ok to acknowledge the Service Restart notification.

11. The page will automatically refresh displaying the status of the restart command. Wait until the message Cisco Tftp Service
Restart Operation was Successful.

Figure 400. Operation Successful

Verify Jabber-Config.xml

1. Launch Mozilla Firefox and/or open a new tab.

2. Navigate to Collaboration User and Test Links > Jabber-Config Check. Optionally, you may manually navigate to the
following URL: http://ucm1.dcloud.cisco.com:6970/jabber-config.xml.

Figure 401. Jabber Configuration Check

3. Confirm that jabber-config.xml file reviewed earlier matches the output of the web browser.

4. Your output should also match the graphic below.

Figure 402. Browser Output

5. Shutdown the Jabber Client(s) running on wkst1.dcloud.cisco.com and wkst2.dcloud.cisco.com, by choosing Menu >
Exit.

HTTP Server Allow List on Expressway-C

As indicated earlier, contact photos are served from ad2.dcloud.cisco.com over plain HTTP. Expressway-C only proxies HTTP
requests from MRA clients to hosts on its HTTP server allow list, so the photo server must be added to that list explicitly; the
Unified CM, IM and Presence, and Unity Connection nodes are added to the list automatically during discovery.

1. Open the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36).

2. Open the Firefox browser tab connected to Expressway-C (exp-c-1).

3. Navigate to Configuration > Unified Communications > Configuration.

4. In the Advanced section of the configuration page, locate and click the hyperlink for Configure HTTP server allow list.

Figure 403. Server Allow List

5. Click New.

6. Enter the following values:

• Server hostname: ad2.dcloud.cisco.com

• Description: Contact Photo Webserver

Figure 404. Server Allow List

7. Click Create entry.

8. Confirm the entry has been added.

9. Notice the auto-configured allow list, populated from the discovery process. It contains the FQDNs and resolved IP
addresses of imp1.dcloud.cisco.com, ucm1.dcloud.cisco.com, and cuc1.dcloud.cisco.com.

Figure 405. Server Allow List
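
The two pieces of this activity, expanding the %%uid%% token from step 4 of the jabber-config.xml review and the allow-list
decision Expressway-C makes before proxying the request, are modelled in the added example below. It is illustrative code
written for this guide, not Jabber or Expressway code. The template and the four host names come from this activity; the
matching rule (exact, case-insensitive host match on the parsed URL) and the omission of the auto-configured IP addresses are
assumptions of the example. It also shows why a client should percent-encode the User ID before splicing it into the path, and
flags that with an http:// template the Expressway-C-to-web-server leg inside the network is plaintext even though the client
leg rides the TLS tunnel to Expressway-E.

```python
from urllib.parse import quote, urlsplit

# Template taken from the jabber-config.xml reviewed in this activity.
PHOTO_TEMPLATE = "http://ad2.dcloud.cisco.com/directory/%%uid%%.jpg"
TOKEN = "%%uid%%"

# Expressway-C HTTP server allow list as built here: the manual entry for the photo server
# plus the hosts auto-configured from discovery. The real list also carries the resolved IP
# addresses of the auto-configured hosts; they are left out because the guide does not print them.
ALLOW_LIST = {
    "ad2.dcloud.cisco.com",   # Contact Photo Webserver (added manually)
    "ucm1.dcloud.cisco.com",  # auto-configured
    "imp1.dcloud.cisco.com",  # auto-configured
    "cuc1.dcloud.cisco.com",  # auto-configured
}


def photo_url(uid: str, template: str = PHOTO_TEMPLATE) -> str:
    """Expand the %%uid%% token the way a careful client should. The User ID comes from
    directory data, so it is percent-encoded (no '/', '?' or '#' survives) before it is
    spliced into the path; an empty uid is refused rather than turned into '.jpg'."""
    if not uid:
        raise ValueError("empty uid")
    if TOKEN not in template:
        raise ValueError("template has no %%uid%% token")
    return template.replace(TOKEN, quote(uid, safe=""))


def allowed_by_expressway_c(url: str, allow_list=ALLOW_LIST) -> bool:
    """Model of the allow-list decision (an assumption of this example, not Expressway's
    code): the request is proxied only if the host of the *parsed* URL exactly matches an
    entry, case-insensitively. Parsing matters: a substring test would pass
    http://ad2.dcloud.cisco.com@evil.example/ because the real host hides after the '@'."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in {h.lower() for h in allow_list}


def photo_fetch_report(uid: str, allow_list=ALLOW_LIST) -> dict:
    """What happens to one contact's photo request once the client is on MRA."""
    url = photo_url(uid)
    return {
        "url": url,
        "allowed": allowed_by_expressway_c(url, allow_list),
        # The client-to-Expressway-E leg is inside the TLS tunnel whatever the scheme; with
        # http:// the Expressway-C-to-web-server leg inside the network is plaintext.
        "plaintext_inside": urlsplit(url).scheme == "http",
    }


if __name__ == "__main__":
    for uid in ("aperez", "cholland", "../secret"):
        print(photo_fetch_report(uid))
    for url in ("http://ad2.dcloud.cisco.com@evil.example/x.jpg",
                "http://AD2.dcloud.cisco.com:80/directory/aperez.jpg",
                "http://photos.example/aperez.jpg"):
        print(url, "->", "proxied" if allowed_by_expressway_c(url) else "blocked")
```

Run it as is to see the three photo requests and the three allow-list decisions; swap the template for an https:// URL to see
the plaintext flag clear.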

Testing Mobile and Remote Access Operation


At this point, you have completed all the configuration steps required to enable Mobile and Remote Access with Cisco Expressway.
In order to test the solution, we will move wkst2.dcloud.cisco.com (Anita Perez) onto another VLAN with access to external DNS
resolution via ad2.dcloud.cisco.com.

Create a new RDP session for Workstation 2 External

Thus far, we have been able to use a single RDP session connected to wkst2.dcloud.cisco.com on IP address 198.18.133.37 to
connect and test Jabber Client functionality from WKST2 as Anita Perez.

During the migration process, the active IP address of the workstation will change to 198.18.2.37 which will be resolvable by DNS
using host name wkst2-ext.dcloud.cisco.com.

To facilitate switching between the two modes we will configure and save an RDP session definition for connecting to Workstation
2 when operating in the external VLAN.

NOTE: This operation is to be performed from the student's personal computer, NOT from an active RDP session.

1. Click Start > All Programs > Accessories > Remote Desktop Connection from the student’s personal computer.

2. Click Options.

3. Choose Local Resources Tab.

4. Click Settings, under Remote audio.

5. Choose Play on this computer & Do Not Record.

Figure 406. RDP Settings

6. Click OK.

7. Click the Experience tab.

8. Choose LAN (10Mbps or higher) from the connection speed menu.

Figure 407. LAN Connection Speed

9. In the Computer field type: wkst2-ext.dcloud.cisco.com or 198.18.2.37.

10. In the Username field type: dcloud\aperez.

11. Click Allow me to save credentials.

12. Click Save and use the Save As file dialog to name and save the session definition to your computer as wkst2-ext to a
location in your file system that will be easy to find later.

Review Status Details of Jabber (On-Net)

In this activity, we will briefly review connection details of the Cisco Jabber client running on wkst2.dcloud.cisco.com while
registered to services on the internal network. This will assist in identifying the differences in behavior when registered to services
via MRA through Expressway.

1. Open (switch to) an RDP session to wkst2.dcloud.cisco.com (198.18.133.37) user Anita Perez.

2. If Cisco Jabber is open from a previous activity, exit and restart it at this time. This is necessary in order for changes to the
jabber-config.xml file to be assimilated. If closed, launch Cisco Jabber.

3. Login to Jabber with Username aperez and Password C1sco12345.

4. Click the Menu icon and choose Help > Show connection status to confirm that the Jabber client has active
connectivity to provisioned services.

5. Pay close attention to the following entries which will alter when connected through MRA:

• Softphone

 Address: ucm1.dcloud.cisco.com (CCMCIP)

• Presence

 Address: imp1.dcloud.cisco.com

• Directory

 Address: DCLOUD.CISCO.COM (No host reference because Jabber discovered it automatically using DNS)

Figure 408. Settings Summary

6. Open a Microsoft Internet Explorer browser session.

7. From the dCloud homepage choose Collaboration Admin Links > Cisco Unified Communications Manager.

8. Choose Cisco Unified Communications Manager from the list of Installed Applications.

9. Login with Username administrator and Password dCloud123!.

10. From the menu choose Device > Phone.

11. Click Find.

12. Observe that the Client Services Framework device (Jabber softphone) named CSFAPEREZ is actively registered with the IP
address of wkst2.dcloud.cisco.com (198.18.133.37).

Figure 409. IP Address and Device

13. Take note of the Contact Photo associated with Charles Holland in the contact list of Anita Perez.

Figure 410. Contact Photo

14. The contact photos hosted on the web server have been modified in order to verify the source and confirm that contact photos
presented are served from the web server defined earlier.

15. Quit Jabber by choosing Menu > Exit.

Move Workstation 2 to the External Network

NOTE: This procedure will disconnect the active RDP session, which is the expected result.

1. Switch to the RDP session connected to wkst2.dcloud.cisco.com (198.18.133.37).

2. On the Desktop, locate the Windows batch file named External Network On.

Figure 411. External Network On

3. Double click the file to execute the migration procedure.

4. This will disconnect the active RDP session as expected.

Connect to Workstation 2 on the External Network

1. From the Student Laptop, open the Remote Desktop Connection client program.

2. Click Options.

3. On the General tab, under Connection Settings click Open.

4. Browse the location where you saved the RDP session definition wkst2-ext.

Figure 412. RDP Saved Sessions

5. Choose the file and click Open.

6. Confirm that the settings match the graphic.

Figure 413. RDP Settings

7. Click Open.

8. Acknowledge any certificate warnings and proceed.

9. When prompted for the password type C1sco12345.

Clearing the Contact Photo Cache

Under normal circumstances, the Jabber client keeps its locally cached contact photos for a considerable time before refreshing
them. To expedite this process we will clear the locally cached information for the Jabber client on Workstation 2.

1. On the desktop of wkst2-ext.dcloud.cisco.com, locate the Windows batch file named Clear Jabber Cache.

2. Double click to execute and clear cached contact photo records.

Verify External Connectivity and DNS resolution

1. Click the Command Prompt icon on the task bar.

Figure 414. Command Prompt Icon

2. Type ipconfig and press Enter.

3. Confirm that the IP Address displayed is 198.18.2.37, and the Default Gateway is 198.18.2.1.

Figure 415. Ipconfig Output

4. Type nslookup and press Enter.

5. Type set type=srv (use lowercase) and press Enter.

6. Type _collab-edge._tls.dcloud.cisco.com and press Enter.

7. SRV record data similar to the output shown below should be returned by DNS server ad2.dcloud.cisco.com.

Figure 416. Command Output

8. A successful result returns the FQDN exp-e-1.dcloud.cisco.com as well as the resolved IP 198.18.1.152 as depicted in the
graphic above (Red Text).
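
The nslookup above shows only the record that is returned; the added example below models what Jabber does with it. It is
not Jabber code: Cisco documents that the client queries the internal _cisco-uds._tcp record first and uses
_collab-edge._tls only when no internal record is returned, and that is all this model implements (the legacy _cuplogin
record, cached results and manually configured servers are left out). The DNS answers are constructed to mirror the two views
in this lab; the port numbers are assumptions, since the guide shows only the target name and its address. The security
point worth keeping in mind is that DNS is unauthenticated: on an untrusted network the _collab-edge answer can be spoofed,
and what protects the client is that it validates the Expressway-E certificate for the name it connected to, so an attacker
controlling external DNS can only redirect it to a host whose certificate the client already trusts.

```python
import random

# Names Jabber queries, in order, to decide how to connect. Cisco documents the internal
# _cisco-uds record as taking precedence; _collab-edge is used when no internal answer exists.
LOOKUP_ORDER = (("internal", "_cisco-uds._tcp.{domain}"),
                ("mra", "_collab-edge._tls.{domain}"))

# Constructed answers for the two DNS views in this lab, as (priority, weight, port, target).
# Ports are assumptions (8443 is the usual Unified CM and Expressway-E port); the guide shows
# only the target exp-e-1.dcloud.cisco.com and its address 198.18.1.152.
INTERNAL_VIEW = {
    "_cisco-uds._tcp.dcloud.cisco.com": [(10, 10, 8443, "ucm1.dcloud.cisco.com")],
    "_collab-edge._tls.dcloud.cisco.com": [(10, 10, 8443, "exp-e-1.dcloud.cisco.com")],
}
EXTERNAL_VIEW = {  # what ad2.dcloud.cisco.com answers on the external VLAN: no internal record
    "_collab-edge._tls.dcloud.cisco.com": [(10, 10, 8443, "exp-e-1.dcloud.cisco.com")],
}


def select_target(records, rng=random):
    """RFC 2782 selection: lowest priority wins; ties are broken by weighted random choice."""
    best = min(r[0] for r in records)
    tied = sorted((r for r in records if r[0] == best), key=lambda r: r[1])  # weight 0 first
    total = sum(r[1] for r in tied)
    if total == 0:
        return rng.choice(tied)
    pick = rng.randint(0, total)
    running = 0
    for r in tied:
        running += r[1]
        if running >= pick:
            return r
    return tied[-1]


def discover(domain, lookup, rng=random):
    """Return (mode, target, port) for the first SRV name with an answer, else None.
    `lookup` maps an SRV name to its record list (here a dict's .get; in real life a resolver)."""
    for mode, pattern in LOOKUP_ORDER:
        answers = lookup(pattern.format(domain=domain))
        if answers:
            _priority, _weight, port, target = select_target(answers, rng)
            return mode, target, port
    return None


def tally(records, draws=200, seed=7):
    """How often each target is chosen over `draws` seeded picks; shows the weight effect."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        target = select_target(records, rng)[3]
        counts[target] = counts.get(target, 0) + 1
    return counts


if __name__ == "__main__":
    print("inside :", discover("dcloud.cisco.com", INTERNAL_VIEW.get))
    print("outside:", discover("dcloud.cisco.com", EXTERNAL_VIEW.get))
    print("no SRV :", discover("dcloud.cisco.com", {}.get))
    print("weights:", tally([(10, 90, 8443, "exp-e-1"), (10, 10, 8443, "exp-e-2")]))
```

Point the `lookup` callable at a real resolver (for example a dnspython query returning the same tuples) to run the model
against live DNS; the decision logic does not change.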

Launch Cisco Jabber and Connect via MRA

1. Launch Cisco Jabber by double clicking on the desktop icon.

2. Login with Username aperez and Password C1sco12345.

Figure 417. Login Prompt

3. Notice the New location detected notification since Jabber has detected that we are connecting from a new network. This will
likely appear to the lower right of the remote desktop workspace.

4. Click Add to my locations.

Figure 418. Add to My Locations

5. Click Create a new location name.

6. Type a location of your choice. In our example, we use Mobile Remote Access as the location specified for Anita Perez.

7. Click Create.

8. Notice that both the contact photos for Anita Perez and Charles Holland are present but in Black and White as opposed to the
full color images resolved through LDAP.

Figure 419. Contact Photos in Jabber

9. Test contact search by typing Muk in the search window and confirm that the lookup returns a contact record for Mukul
Kumar.

Figure 420. Mukul Kumar Contact

NOTE: Notice that all of the cached images for contacts added through the Directory Group/Enterprise Group feature are now
missing. This is a result of the removal of all cached contact photos in tandem with the Throttling Policy for photo download of
contacts added through enterprise groups. As before, you can manually initiate the download of contact photos by clicking the
contact record.

Review Status Details of Jabber (MRA)

1. Click the Menu icon and choose Help > Show connection status to confirm that the Jabber client has active
connectivity to provisioned services.

2. Pay close attention to the following entries, which have changed now that the client is connected through MRA:

• Softphone

 Address: ucm1.dcloud.cisco.com (CCMCIP - Expressway)

• Presence

 Address: exp-e-1.dcloud.cisco.com

• Directory

 Address: ucm1.dcloud.cisco.com (UDS via Unified CM)

Figure 421. Connection Status Differences

(Left: Connection Status - INTERNAL. Right: Connection Status - MRA.)

3. As you can see, all services are connected. The entries for Softphone, Presence, and Directory have modified values
indicating a tunneled connection through Expressway-E.

4. Switch to the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

5. Open the Internet Explorer tab connected to ucm1.dcloud.cisco.com.

6. From the Navigation drop down select Cisco Unified CM Administration and click Go.

7. If prompted, login with Username: administrator and Password: dCloud123!.

8. From the menu choose Device > Phone.

9. Click Find.

10. Observe that the Client Services Framework device (Jabber softphone) named CSFAPEREZ is now registered with the IP
address of Expressway-C (198.18.133.152) rather than that of the workstation. Expressway-C is the anchor point for SIP
registration with Unified CM for all MRA sessions, so Unified CM never sees the client's external address.

Figure 422. Device IP Address

Test Chat and Calling Capability through MRA

1. Switch to the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

2. If Cisco Jabber is open from a previous activity, exit and restart it. This is necessary for changes to the jabber-config.xml file to
be assimilated. If closed, launch Cisco Jabber.

3. Login to Jabber with Username: cholland and Password: C1sco12345.

4. Observe that the location information associated with Anita’s current presence status has been updated based on the new
location created.

Figure 423. Jabber Location

5. Double click the contact record for Anita Perez to launch a conversation window.

6. Type a message of your choice.

7. Switch to the RDP session connected to wkst2-ext.dcloud.cisco.com (Anita Perez).

8. Feel free to type a reply.

Figure 424. Jabber Chat Window

9. Click the Call icon to initiate a call to Charles Holland.

10. Switch to the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

11. Click Answer on the Incoming call notification.

12. Note that the call is active and the virtual camera drivers are showing the text VCAM in both remote and self-view windows.

13. See that the presence indicators for both Charles Holland and Anita Perez have transitioned from Available to On a Call.

Figure 425. Jabber Presence Indicators

14. Switch to the RDP session connected to wkst2-ext.dcloud.cisco.com (Anita Perez).

15. Hang up the call.

16. This concludes the Mobile Remote Access Module. Students may continue to test features and functionality (time permitting).
When ready, please proceed to the next activity.

Move Workstation 2 to the Internal Network

NOTE: This procedure will disconnect the active RDP session, which is the expected result.

1. Switch to the RDP session connected to wkst2-ext.dcloud.cisco.com (198.18.2.37).

2. Navigate to the Desktop and locate the Windows batch file named Internal Network On.

Figure 426. Internal Network On Executable

3. Double-click the file to execute the migration procedure.

4. This will disconnect the active RDP session as expected.

5. Reconnect to the RDP session for wkst2.dcloud.cisco.com (198.18.133.37).

Module 3(a): SAML Single Sign-On (SSO) Inside the Network


SAML Overview
What is SAML SSO?

SAML is an XML-based open standard data format that enables users, including administrators, to sign in once and then access a
defined set of Cisco collaboration applications without re-entering credentials. SAML describes the exchange of security-related
information between trusted business partners. It is an authentication protocol used by service providers (for example, Cisco
Unified Communications Manager) to authenticate a user, by exchanging authentication information between an Identity Provider
(IdP) and the service provider.

SAML SSO uses the SAML 2.0 protocol to offer cross-domain and cross-product single sign-on for Cisco collaboration solutions.
SAML 2.0 enables SSO across Cisco applications and enables federation between Cisco applications and an IdP. SAML 2.0
allows Cisco administrative users to access secure web domains to exchange user authentication and authorization data, between
an IdP and a Service Provider while maintaining high security levels. The feature provides secure mechanisms to use common
credentials and relevant information across various applications.

SAML SSO establishes a Circle of Trust (CoT) by exchanging metadata and certificates as part of the provisioning process
between the IdP and the Service Provider. The Service Provider trusts the IdP's user information to provide access to the various
services or applications. In this interaction, the Service Provider (SP) would be Unified CM and Unified IM and Presence.

The client authenticates against the IdP and the IdP grants an Assertion to the client. The client presents the Assertion to the
Service Provider. Since there is a CoT established, the Service Provider trusts the Assertion and grants access to the client.

SAML-Based SSO Features

• Reduces password fatigue by removing the need for entering different user name and password combinations

• Transfers the authentication from your system that hosts the applications to a third party system. Using SAML SSO, you
can create a circle of trust between an IdP and a service provider. The service provider trusts and relies on the IdP to
authenticate the users

• Protects and secures authentication information. It provides encryption functions to protect authentication information
passed between the IdP, service provider, and user. SAML SSO can also hide authentication messages passed between
the IdP and the service provider from any external user.

• Improves productivity because you spend less time re-entering credentials for the same identity

• Reduces costs as fewer help desk calls are made for password reset, thereby leading to more savings

Elements of a SAML SSO Solution

• Client (the user’s client): This is a browser-based client or software client that can leverage a browser instance for
authentication. For example, a system administrator’s browser.

• Service provider: This is the application or service that the client is trying to access. For example, Cisco Unified
Communications Manager.

• An Identity Provider (IdP) server: This is the entity that authenticates user credentials and issues SAML Assertions.

• Lightweight Directory Access Protocol (LDAP) users: These users are integrated with an LDAP directory, for example
Microsoft Active Directory or OpenLDAP. Non-LDAP users reside locally on the Unified Communications server.

• SAML Assertion: It consists of pieces of security information that are transferred from the IdP to the service provider for
user authentication. An assertion is an XML document that contains trusted statements about a subject, including username
and privileges. SAML assertions are digitally signed by the IdP so that their authenticity can be checked; the service
provider must verify that signature, and the audience and validity conditions, before trusting the assertion's contents.

• SAML Request: This is an authentication request that is generated by a Unified Communications application. To
authenticate the LDAP user, the Unified Communications application delegates an authentication request to the IdP.

• Circle of Trust (CoT): The various service providers that share and authenticate against one IdP in common.

• Metadata: An XML file generated by an SSO-enabled Unified Communications application, such as Cisco Unified
Communications Manager or Cisco Unity Connection, as well as an IdP. The exchange of SAML metadata builds a trust
relationship between the IdP and the service provider.

• Assertion Consumer Service (ACS) URL: This URL instructs the IdPs where to post assertions. The ACS URL tells the
IdP to post the final SAML response to a particular URL.

Figure 427. SAML SSO Process
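
The checks a service provider has to make on the Assertion before it trusts the statements in it are easy to list and easy to
skip, so the added example below walks through them on a constructed AD FS-style Response. It is illustrative code for this
guide, not Unified CM's implementation. Everything in it is an assumption made up for the lab domain: the IdP entity ID, the
SP entity ID, the ACS URL, the request ID and the timestamps; read the real values from the exported SPMetadata and the IdP
metadata. One deliberate gap: the XML signature over the Assertion is not verified here, because the Python standard library
has no XML-DSig support; in a real SP that verification, with a library such as signxml or xmlsec, happens first and every
check below is meaningless without it. The last check extracts the uid claim, which is the claim the Send LDAP Attributes
rule later in this module emits from SAM-Account-Name; the name is matched case-sensitively, which is why the Caution there
insists on lowercase uid.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values this service provider expects. All are assumptions invented for the lab domain.
IDP_ENTITY_ID = "http://ad1.dcloud.cisco.com/adfs/services/trust"
SP_ENTITY_ID = "ucm1.dcloud.cisco.com"
ACS_URL = "https://ucm1.dcloud.cisco.com/ssosp/saml/SSO"
REQUEST_ID = "_req1"                                  # ID of the AuthnRequest we sent
NOW = dt.datetime(2015, 9, 29, 10, 1, 0, tzinfo=dt.timezone.utc)
EXPIRED_AT = NOW + dt.timedelta(minutes=10)

# Constructed Response of the shape AD FS posts to the ACS URL. A real one also carries a
# ds:Signature over the Assertion; it is omitted because verifying it needs an XML-DSig library.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" InResponseTo="{REQUEST_ID}" Destination="{ACS_URL}"
    IssueInstant="2015-09-29T10:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-09-29T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>cholland</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{REQUEST_ID}" Recipient="{ACS_URL}"
            NotOnOrAfter="2015-09-29T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-09-29T09:59:00Z" NotOnOrAfter="2015-09-29T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>cholland</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _utc(ts):
    if not ts:
        raise ValueError("missing timestamp")
    return dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, now=NOW):
    """SP-side checks on an already signature-verified Response; returns the uid claim."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.get("InResponseTo") != REQUEST_ID or root.get("Destination") != ACS_URL:
        raise ValueError("Response does not answer our request at our ACS URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no Assertion")
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != IDP_ENTITY_ID:
        raise ValueError("Assertion not issued by the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion outside its validity window")
    audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("Assertion not addressed to this service provider")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != REQUEST_ID
            or now >= _utc(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer confirmation does not match this SP and request")
    # The End User is looked up by a claim literally named "uid": exact, case-sensitive match.
    uids = [v.text.strip() for v in
            a.findall("saml:AttributeStatement/saml:Attribute[@Name='uid']/saml:AttributeValue", NS)
            if v.text]
    if len(uids) != 1:
        raise ValueError("expected exactly one uid claim")
    return uids[0]


def check(xml_text, now=NOW):
    """Return the accepted uid, or a 'rejected: ...' string explaining the failed check."""
    try:
        return validate_response(xml_text, now)
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    print(check(SAMPLE_RESPONSE))
    print(check(SAMPLE_RESPONSE.replace('Name="uid"', 'Name="UID"')))       # wrong claim type
    print(check(SAMPLE_RESPONSE, now=EXPIRED_AT))                             # replayed later
```

The order is deliberate: status, then binding of the Response to our own request and ACS URL, then issuer, validity window,
audience and bearer confirmation, and only then the identity claim. A Response that passes all of these but carries an
invalid or absent signature must still be rejected.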

Module Objectives
In this module, we will perform the following tasks:

• Create a Circle of Trust (CoT) between ADFS 2.0 (IdP) and Unified CM and IM and Presence (SP)

• Enable SSO for Unified Communications Manager and Unified IM and Presence

• Test Username/Password authentication by accessing Web Interfaces and Cisco Jabber

• Test Kerberos authentication for cross/application authentication using Microsoft Internet Explorer and Cisco Jabber

Module Notes

NOTE: In the interest of time, Microsoft AD FS 2.0 has been preinstalled on ad1.dcloud.cisco.com, and the basic AD FS 2.0
setup wizard was run to enable the ADFS features. These operations are documented in Appendix B. By default, AD FS 2.0 has
Username/Password authentication enabled, so no extra steps are needed to prepare it for that authentication method. Other
authentication methods require AD FS 2.0 customization, which is covered in the lab steps.

Pre-Requisites

These are the dependencies that must be in place and functional prior to the implementation of SAML SSO for Cisco Unified
Communications. All of these prerequisites have been met during the lab configuration activities or as part of the
pre-configuration of the lab environment.

• NTP – All components of the solution must be configured to use a reliable NTP source for clock synchronization.
This requirement is already provisioned across all installed Cisco Collaboration Applications (Services Providers) and
Identity Providers (ADFS 2.0 on ad1.dcloud.cisco.com)

• DNS – All hosts involved in SSO transactions must be fully resolvable by FQDN via DNS. All of the Service Providers
(ucm1.dcloud.cisco.com, imp1.dcloud.cisco.com) have DNS A (Host) records and are resolvable by FQDN.

• Directory Setup - LDAP directory synchronization is a prerequisite and a mandatory step to enable SAML SSO
across various Unified Communications applications. Synchronization of Unified Communications applications with
an LDAP directory allows the administrator to provision users easily by mapping Unified Communications
applications data fields to directory attributes. Recall that the foundation of our deployment activity was the import of
Jabber users through an LDAP synchronization agreement.

• Certificates signed by a CA - In SAML SSO, the IdP and service providers must have CA-signed certificates with
the correct domain names in the CN or SAN. If a certificate does not chain to a CA the browser trusts, or its names
do not match the host, the browser issues a warning. We have performed the certificate management required to
meet this prerequisite as part of our deployment activities.

Prepare to Enable SAML SSO for Unified CM and IM and Presence


Configure an LDAP Synchronized End User with the Administrative Privileges

Once SSO is enabled, access to the Unified CM and IM and Presence administrative interfaces is limited to End Users
synchronized from LDAP. Therefore at least one End User account must be delegated administrative access before SSO is
switched on.

NOTE: A Recovery URL that bypasses the IdP can be used with the default administration account in case of SSO failure.
Because it sidesteps SSO entirely, the local administrator password must be kept as well protected as the IdP credentials.

1. Connect or switch to the RDP session for ad1.dcloud.cisco.com (198.18.133.1).

2. Launch Internet Explorer.

3. From the Cisco dCloud Homepage choose Cisco Unified Communications Manager to connect to
ucm1.dcloud.cisco.com. Optionally you may manually type https://ucm1.dcloud.cisco.com in the address bar.

4. From the Installed Applications list, click Cisco Unified Communications Manager.

5. Enter Username administrator and Password dCloud123!.

6. Click Login.

7. Use the menu to choose User Management > End User.

8. Click Find.

9. Click the hyperlink for user cholland (Charles Holland) to open the End User configuration page.

10. Scroll to the bottom of the page and locate the Permissions Information section. Notice that Charles Holland is currently
assigned to the Standard CCM End Users, and Standard CTI Enabled groups.

Figure 428. Permissions

11. Click Add to Access Control Group.

12. In the Find tool, use the drop-down menu to choose contains and type Super.

13. Click Find.

14. Choose Standard CCM Super Users.

Figure 429. Access Control Group

15. Click Add Selected.

16. Confirm that the Standard CCM Super Users group has been added to the Groups field.

Figure 430. Groups Listing

17. Click Save.

Obtain Metadata for the Unified CM and Unified IM and Presence Cluster

As part of the CoT (Circle of Trust) configuration between ADFS and Unified CM and Unified IM and Presence, the Metadata from
deployed Unified Collaboration nodes must be obtained. This will be used to create a Relying Party Trust on the IdP.

1. Navigate to System > SAML Single Sign-On.

2. Click on Export All Metadata.

Figure 431. Export Metadata

3. After a few seconds, click the Save As option at the bottom of the page to save the SPMetadata.zip file.

Figure 432. Save As Dialog

4. In the Save As file dialog, browse to the folder Desktop\CST-Jabber\SSO.

5. Click Save.

Figure 433. Save As Location

6. Minimize Internet Explorer and use the File Explorer to navigate to Desktop\CST-Jabber\SSO.

7. Right click the SPMetadata.zip file, choose Extract All and then click Extract.

8. Check that you have the following two files in the new Desktop\CST-Jabber\SSO\SPMetadata directory.

Figure 434. Zip File Contents

9. There is one SPMetadata file for each node in the cluster, because Unified CM exports the Unified CM and IM&P metadata
together. Each file defines the parameters the IdP needs for the authentication exchange with that node, such as its entity
ID, its Assertion Consumer Service URL and the certificate it uses to sign requests. The SP here is Unified CM and Unified
IM and Presence; the IdP is Microsoft AD FS.

SAML SSO Configuration for Microsoft ADFS2.0


This section will describe the steps to configure SAML SSO using Microsoft™ Active Directory Federation Services® as the
Identity Provider (IdP).

Add a Relying Party Trust for Unified CM

A relying party trust must be added to Microsoft ADFS for every node in your deployment on which SSO will be enabled. Follow
these steps to add a Relying Party Trust for ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com.

1. Open the Active Directory Federation Services 2.0 Management Console by clicking its icon in the taskbar.

2. Click the link for Required:Add a trusted relying party.

Figure 435. Add a Trusted Relying Party

3. Click Start to begin the Add Relying Party Trust Wizard.

4. From the Choose Data Source screen, click the Import data about the relying party from a file radio button.

Figure 436. Import Data Source

5. Click Browse.

6. Use the Browse for Metadata file dialog to navigate to the Desktop\CST-Jabber\SSO\SPMetadata directory.

7. Choose the file SPMetadata_ucm1.dcloud.cisco.com.xml to choose the file for Unified CM.

Figure 437. File Explorer

8. Click Open.

9. Click Next.

10. On the Specify Display Name screen enter the following values:

• Display name: ucm1.dcloud.cisco.com

• Notes: Unified Communications Manager

Figure 438. Defining Screen Names

11. Click Next.

12. On the Choose Issuance Authorization Rules screen confirm that the Permit all users to access this relying party radio
button is selected.

Figure 439. Permit All Users to Access

13. Click Next.

14. Click Next on the Ready to Add Trust screen.

15. From the Finish screen, check the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
check box.

Figure 440. Open Edit Claim Rules

16. Click Close.

17. On the Edit Claim rules screen click the Add Rule button.

Figure 441. Add Rule

18. Choose the default Claim Rule template Send LDAP Attributes as Claims.

Figure 442. Choose Claim Rule

19. Click Next.

Caution: Use care when entering the Outgoing Claim Type value. The value uid must be typed in lowercase letters exactly as
specified; there is no matching menu value to choose from.

20. On the Configure Claim Rule screen set the following values:

• Claim rule name: Send uid attribute

• Attribute Store: Active Directory

• LDAP Attribute: SAM-Account-Name

• Outgoing Claim Type: uid

Figure 443. Configure Claim Rule Screen

21. Click Finish.

22. To add a second rule, click Add Rule.


23. From the Claim rule template drop-down list, choose Send Claims Using a Custom Rule.

24. Click Next.

NOTE: To prevent copy/paste errors and erroneous formatting during the Custom Claim Rules creation, two text files containing the
required claims format have been placed in the Desktop\CST-Jabber\SSO directory on ad1.dcloud.cisco.com.

25. In the Claim rule name field, type Send custom attributes.

26. Use the Windows File Explorer to navigate to the Desktop\CST-Jabber\SSO folder.

27. Locate the file SAML-SSO-Custom-Claims-Rule-ucm.txt.

28. Double-click to open the file in the Notepad editor. Notice the custom portion of the rule highlighted in green below. The first row
specifies the IdP asserted ID, which can be found in the Metadata exported from the ADFS instance. This will remain
constant for our environment. The second highlighted text entry specifies the Service Provider asserted identity supplied by
ucm1.dcloud.cisco.com in its exported Metadata.

Figure 444. Claims Rule Information

29. Copy the file contents to the computer buffer by pressing Ctrl + C.

30. Close the notepad file when done.

31. Paste the contents of the file into the Custom Rule field by pressing Ctrl + V.

Figure 445. Configure Claim Rule

32. Click Finish.

33. Click Apply and then OK.

Add a Relying Party Trust for Unified IM and Presence

1. From the ADFS Management console choose Add Relying Party Trust from the Actions Menu in the right-hand pane.

Figure 446. Add Relying Party Trust

2. Click Start to begin the Add Relying Party Trust Wizard.

3. From the Choose Data Source screen, click the Import data about the relying party from a file radio button.

4. Click Browse.

5. Use the Browse for Metadata file dialog to navigate to the Desktop\CST-Jabber\SSO\SPMetadata directory.

6. Choose the file SPMetadata_imp1.dcloud.cisco.com.xml, the metadata file for Unified IM and Presence.

Figure 447. Browse for Metadata File

7. Click Open.

8. Click Next.

9. On the Specify Display Name screen enter the following values:

• Display name: imp1.dcloud.cisco.com

• Notes: Unified IM and Presence

10. Click Next.

11. On the Choose Issuance Authorization Rules screen confirm that the Permit all users to access this relying party radio
button is selected.

Figure 448. Choose Issuance Authorization Rules

12. Click Next.

13. Click Next on the Ready to Add Trust screen.

14. From the Finish screen, check the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
check box.

Figure 449. Open Edit Claims Rules Dialog

15. Click Close.

16. On the Edit Claim rules screen click the Add Rule button.

17. Choose the default Claim Rule template Send LDAP Attributes as Claims.

Figure 450. Claim Rule Template

18. Click Next.

19. On the Configure Claim Rule screen set the following values:

• Claim rule name: Send uid attribute

• Attribute Store: Active Directory

• LDAP Attribute: SAM-Account-Name

• Outgoing Claim Type: uid

Figure 451. Claim Rule Settings

20. Click Finish.

21. To add a second rule, click Add Rule.

22. Choose Send Claims using a Custom Rule.

23. Click Next.

24. From the Claim rule template drop-down list, choose Send Claims Using a Custom Rule.

25. In the Claim rule name field, type Send custom attributes.

26. Use the Windows File Explorer to navigate to the Desktop\CST-Jabber\SSO folder.

27. Locate the file SAML-SSO-Custom-Claims-Rule-imp.txt. Double-click to open it in the Notepad editor. Notice the custom
portion of the rule highlighted in green below. The first row specifies the IdP asserted ID, which can be found in the
Metadata exported from the ADFS instance. This will remain constant for our environment. The second highlighted text entry
specifies the Service Provider asserted identity supplied by imp1.dcloud.cisco.com in its exported Metadata.

Figure 452. Custom Claims Rule Details

28. Copy the file contents to the computer buffer by selecting all the text and pressing Ctrl + C.

29. Close the notepad file when done.

30. Paste the contents of the file into the Custom Rule field by pressing Ctrl + V.

31. Click Finish.

32. Click Apply and then OK.

33. The list of Relying Party Trusts should appear as follows when finished:

Figure 453. Relying Party Trusts
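
The PowerShell script below is an added example and is not one of the lab files: it reads the entityID from each exported SPMetadata file and checks that the relying party trust AD FS 2.0 created from it carries the uid claim rule and a custom rule that references both the IdP asserted ID and that SP's asserted identity (the two highlighted values in the custom rule text files above). It assumes the lab's Desktop\CST-Jabber\SSO\SPMetadata path and the AD FS entity ID http://ad1.dcloud.cisco.com/adfs/services/trust used in this environment; the rule text is checked only for those identifiers, not for its full wording.

```powershell
# Added example, not part of the lab: verify the AD FS 2.0 relying party trusts built from
# the exported SP metadata. Run in the "Import system modules" PowerShell session on ad1.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 snap-in

# Assumptions: the lab path for the exported files and the AD FS entity ID used in the lab.
$metaDir     = Join-Path ([Environment]::GetFolderPath('Desktop')) 'CST-Jabber\SSO\SPMetadata'
$idpEntityId = 'http://ad1.dcloud.cisco.com/adfs/services/trust'
$samlMdNs    = 'urn:oasis:names:tc:SAML:2.0:metadata'

# Pull the entityID attribute out of a SAML 2.0 SP metadata document.
function Get-SpEntityId {
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', $samlMdNs)
    $doc.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')
}

foreach ($file in Get-ChildItem -Path $metaDir -Filter 'SPMetadata_*.xml') {
    $spEntityId = Get-SpEntityId -Path $file.FullName
    # AD FS keys the trust on the identifier imported from this metadata, not on the display name.
    $trust = Get-ADFSRelyingPartyTrust -Identifier $spEntityId
    if (-not $trust) {
        Write-Warning "$($file.Name): no relying party trust with identifier '$spEntityId'"
        continue
    }
    $transform = [string]$trust.IssuanceTransformRules
    $authz     = [string]$trust.IssuanceAuthorizationRules
    $checks = [ordered]@{
        'uid claim rule present'       = $transform -match '"uid"'
        'IdP entity ID in custom rule' = $transform.Contains($idpEntityId)
        'SP entity ID in custom rule'  = $transform.Contains($spEntityId)
        'permit-all authorization'     = $authz -match 'authorization/claims/permit'
    }
    "== $($trust.Name)  identifier: $spEntityId"
    foreach ($c in $checks.GetEnumerator()) {
        '   {0,-30} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
    }
}
```

A MISSING on either entity ID line means the pasted custom rule does not name the IdP or SP the way their metadata does, which is the usual cause of a failed SSO test later in this module.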

Enable SSO for Unified CM and IM and Presence


Just as we added an entry in ADFS for both the Unified CM and IM and Presence nodes, we must now complete the Circle of Trust
from the Unified CM side by importing the IdP details. The following exercise details the process for enabling SSO from the
Unified Communications Manager interface.

NOTE: For your convenience the IdP Metadata was exported from the ADFS2.0 instance on ad1.dcloud.cisco.com and has been
placed in the file: Desktop\CST-Jabber\SSO\FederationMetadata.xml. This file can be manually downloaded at
https://ad1.dcloud.cisco.com/FederationMetadata/2007-06/FederationMetadata.xml.

1. From the RDP session connected to ad1.dcloud.cisco.com, open Internet Explorer and choose the tab connected to
ucm1.dcloud.cisco.com.

2. It is likely that the logon timer has expired. If so, login with Username: administrator and Password: dCloud123!.

3. Navigate to System > SAML Single Sign-On.

4. Click Enable SAML SSO.

Figure 454. Enable SAML Single Sign-On

5. On the Warning Popup, click Continue.

Figure 455. Warning Message

6. Click Next. The IdP Metadata Trust File has already been obtained for you and is present in the Desktop\CST-Jabber\SSO
folder.

7. Click on Browse.

8. Browse to the Desktop\CST-Jabber\SSO\ folder and choose the file FederationMetadata.xml.

Figure 456. File Browser

9. Click Open.

10. Click Import IdP Metadata.

Figure 457. Import Metadata

11. Confirm that the import is successful.

Figure 458. Import Successful

12. Click Next.

13. Click Next on the next screen of the wizard. This screen is not relevant as we have already exported SP Metadata for
ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com and used it to create a trust on the IdP.

NOTE: There is a 60-second timer running to complete the next few steps. If you do not enter the username and password in Step
16 below in time then you will get an error on the SSO Test as shown below.

14. The next process will verify the SAML Assertion with ADFS2.0. Click the user cholland, and then click Run SSO Test.

Figure 459. Run SSO Test

15. In the new window that pops up click Continue to this website.

16. When the Windows Security login prompt appears enter Username: cholland and Password: C1sco12345.

17. Click OK.

Figure 460. Login Prompt

18. Check that the output message indicates a successful result: SSO Metadata Test Successful.

Figure 461. Test Successful

19. Click Close.

20. Click Finish.

21. You have now successfully completed the basic configuration tasks to enable SSO on UCM using ADFS2.0. Close the web
browser so it clears all of the session cookies.

Figure 462. Process Initiated

NOTE: It is VERY important to close and reopen Internet Explorer. You are asked to do this several times in this lab. Please be
sure to perform this step, as it will clear the cookies from the browser and make it request new login information from the server.

22. Minimize the Remote Desktop Connection to ad1.dcloud.cisco.com.

Verify operation of Unified CM SSO functionality

In the next activity, you will test SSO with a Username and Password from wkst1.dcloud.cisco.com (198.18.133.36).

1. Switch focus to the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36).

2. If the Cisco Jabber client is still open from a previous activity, close it by choosing Menu > Exit.

3. If either Internet Explorer and/or Firefox are open from a previous activity, close them as well.

4. Launch Internet Explorer and, from the Cisco dCloud homepage, navigate to Collaboration Admin Links > Cisco Unified
Communications Manager. Optionally, you may navigate directly to https://ucm1.dcloud.cisco.com.

5. Notice under Installed Applications there is a new option for Recovery URL to bypass Single Sign-on (SSO). If the new
link is not visible, continue to refresh your browser until it appears.

Figure 463. Recovery URL

6. The SSO recovery link may be used in cases where the SSO IdP has failed. This allows for authentication with the default
administrative application user, providing a mechanism for administration and recovery.

7. Click the hyperlink for Cisco Unified Communications Manager under Installed Applications.

NOTE: If you get a 404 error this means the Tomcat service is still restarting. Refresh your browser until you get a login screen.

8. Observe that in place of the Unified Communications Manager Administration webpage you are now presented with a
Windows authentication prompt. If you do NOT see a Windows authentication prompt, move to the Troubleshooting note
below and complete the steps to disable and re-enable SSO. Otherwise, proceed to step 23 of this activity.

Troubleshooting: In rare instances, the first time you enable SSO on Unified CM it will not work on the Administration
page initially but it will work on the Self Care Portal. The quick fix for this is to disable and then re-enable SSO. The next few
steps will first test SSO with the Self Care Portal and then proceed to disable SSO so you can complete the steps above again to
re-enable SSO.

9. Click the home button to go back to the Cisco dCloud links page.

10. Navigate to Collaboration Admin Links > Cisco Unified Communications Manager.

11. Click the Cisco Unified Communications Self Care Portal link.

12. This time you should receive an SSO login, which proves that SSO is enabled. There is no need to login at this time. First, you
will disable SSO.

13. Navigate back to the Unified CM administration page at Collaboration Admin Links > Cisco Unified Communications
Manager and click Cisco Unified Communications Manager.

14. Login with Username: administrator and Password: dCloud123!.

15. Navigate to System > SAML Single Sign-On.

16. Click Disable SAML SSO and then Continue.

17. Close the browser and then reopen it.

18. Navigate back to the Unified CM administration page at Collaboration Admin Links > Cisco Unified Communications
Manager.

19. If you still see the Recovery URL to bypass Single Sign On (SSO) link then the change has not taken effect yet and SSO is still
enabled. Keep refreshing your page until that link disappears.

20. Once the link disappears, click the Cisco Unified Communications Manager link and login with Username: administrator
and Password: dCloud123!.

21. Navigate to System > SAML Single Sign-On.

22. Return to the Enable SSO for Unified CM and IM and Presence section above and run through its steps again to re-enable SSO.
You should then have a successful SSO test and can continue with the rest of this lab.

23. Login as cholland with password C1sco12345 and click OK to continue.

24. Confirm that authentication succeeds and you are presented with the Unified Communications Manager administration
page.

Before enabling SSO, the Unified CM admin page prompted you with an HTML form for username and password. After enabling
SSO, Unified CM is no longer responsible for handling authentication; instead, Unified CM redirects the client request to the IdP
(ADFS). It is the IdP that prompts you with a basic username and password pop-up.

Verify Operation of SSO for Unified IM and Presence

To complete the configuration of SSO for Unified IM and Presence, we must initiate an SSO test from the SAML SSO
administration interface. Since we have already created a Relying Party Trust in ADFS for imp1.dcloud.cisco.com and have
enabled SSO for the cluster, we will run the SSO test utility from the Unified Communications Manager Administration
interface.

1. Navigate to System > SAML Single Sign-On.

2. Click the Run SSO Test Button associated with the imp1.dcloud.cisco.com node.

3. Choose user cholland.

4. Click Run SSO Test.

5. Click on Continue to this website (not recommended).

6. Click OK.

NOTE: You may not be prompted to authenticate, as you have already authenticated to ucm1.dcloud.cisco.com and since SSO is
active for the Unified CM and Unified IM and Presence Cluster the active authentication token is used.

7. Confirm the output message SSO Test Succeeded.

Figure 464. SSO Test Succeeded

8. Click Close.

Testing SSO Username/Password Authentication


In this activity, we will confirm the end-user experience in terms of SSO with username and password authentication and Cisco
Jabber. Remember that Username/Password authentication is enabled by default with no additional configuration.

1. Maintain focus or switch to the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36).

2. Close any active web browser sessions connected to either ucm1.dcloud.cisco.com or imp1.dcloud.cisco.com.

3. Launch Internet Explorer and navigate to Collaboration Admin Links > Cisco Unified Communications Manager.

4. From the Installed Applications list, click the hyperlink for Cisco Unified Communications Self Care Portal.

Figure 465. Self Care Portal

5. When the Windows Security login prompt appears, enter Username: cholland and Password: C1sco12345.

Figure 466. Login Prompt

6. Click OK.

7. Confirm that the Unified Communications Self-Care portal page for Charles Holland is displayed.

Figure 467. Self Care Portal Landing Page

8. Launch Cisco Jabber by double clicking on the desktop icon.

9. When the Windows Security login prompt appears, login with Username: cholland and Password: C1sco12345.

10. Confirm that Jabber is authenticated successfully and the interface displays as expected for user Charles Holland.

NOTE: Even though Charles Holland had an active authentication session via SSO to the Unified CM Self-Care portal, credentials
were required when logging into Cisco Jabber. This behavior will change when Kerberos authentication is enabled.

Enable Kerberos Authentication for SSO


In this section, you are going to make use of the fact that the user is already logged in to Active Directory. This removes the username
and password prompt at the SSO server and instead lets the web browser use the Kerberos authentication mechanism of the Windows
Domain to automatically supply the credentials of the logged-in user. No user interaction will be required for authentication via
SSO to complete.

NOTE: By default, AD FS 2.0 has Kerberos authentication enabled with priority over username/password authentication. The
configuration required is performed within the client web-browser, in this case Internet Explorer.

Configuring Microsoft Internet Explorer for Kerberos-based authentication

Modify the security settings in Microsoft Internet Explorer to permit Kerberos authentication on intranet sites.

1. Switch focus to the RDP session actively connected to wkst1.dcloud.cisco.com (198.18.133.36).

2. Open Internet Explorer and click the Tools icon [ ], then choose Internet options from the menu.

Figure 468. Internet Options

3. Choose the Security tab and choose Local intranet.

4. Click the Sites button.

Figure 469. Security Tab

5. In the Local intranet configuration screen, place a checkmark in the Automatically detect intranet network option.

6. Click Advanced.

7. In the Add this website to the zone field type *.dcloud.cisco.com.

8. Click Add.

9. Click Close.

Figure 470. Secure Zones

10. Click OK on the Local intranet configuration screen to close the dialog.

11. From the Security tab, click the button Custom level.

12. Scroll to the bottom of the dialog to User Authentication settings.

13. Click the radio button for Automatic logon only in Intranet zone.

Figure 471. User Authentication Mode

14. Click OK to apply this change.

15. Click Yes to acknowledge the warning and proceed.

Figure 472. Acknowledge Warning Message

16. Click the Apply button, followed by the OK button.

17. Close the Internet Explorer browser and re-open.

Verify operation of Kerberos based Authentication

NOTE: Be sure to close and re-open Internet Explorer if you have not done so after making the Kerberos configuration changes in
the previous activity. Close Cisco Jabber if it is open by choosing Menu > Exit.

Because Cisco Jabber for Windows uses the settings defined in Microsoft Internet Explorer to control Kerberos authentication, it will
use the Kerberos authentication token already active due to the workstation login session and authenticate the user against the IdP.

1. Switch focus to the RDP session actively connected to wkst1.dcloud.cisco.com (Charles Holland).

2. Close Cisco Jabber if currently open by choosing Menu > Exit.

3. From the open Internet Explorer window navigate to Collaboration Admin Links > Cisco Unified Communications
Manager.

4. Under the Installed Applications list, click the hyperlink for Cisco Unified Communications Self Care Portal.

5. Confirm that you are directed to the Self Care portal for user Charles Holland without being challenged to authenticate.

6. Double-click the Cisco Jabber shortcut on the workstation desktop to launch the application.

7. Observe that Jabber launches and authenticates without challenging the user for credentials.

Module 3(b): Extending (SSO) to the Collaboration Edge


NOTE: This module builds on the SAML Single Sign-On configuration performed in Module 3(a) and requires a fully functional
Mobile and Remote Access (MRA) solution based on the completion of Module 2.

Module Overview
This module builds on the Mobile and Remote Access configuration and the SAML SSO deployment developed through the
completion of Modules 2 and 3a. Cisco Expressway may be configured to enable single sign-on for endpoints accessing Unified
Communications services from outside the network.

The functionality relies on the secure traversal capabilities of the Expressway pair at the edge, and the established CoT (Circle of
Trust) between Internal Service Providers (SPs) such as Unified CM and Unified IM and Presence and an externally resolvable
Identity provider (IdP).

All authentication responsibility is owned by the IdP, which asserts the authenticated identity to the configured SPs.

Identity Transaction Flow

Cisco Jabber uses DNS service discovery to determine whether it is operating internal to or external to the services within the
organization's network. If the _collab-edge._tls.example.com DNS record is resolved it will proceed as normal to attempt
registration via MRA. If single sign-on is enabled on Expressway, the Expressway-E redirects Jabber to the IdP with a request to
authenticate the user.

The IdP challenges the client to identify itself, and if the identity is authenticated, the IdP redirects Jabber’s service request back to
Expressway-E with a signed assertion that the identity is authentic.

The Expressway-E is configured to trust the IdP, so it will pass the request to the appropriate service inside the network. The
Unified Communications SPs are already provisioned as part of the Circle of Trust with the IdP, and Expressway pair, so they
provide the requested services to the Jabber client.

Figure 473. Cisco Collaboration Edge Architecture

NOTE: In a production environment, it is customary to place a secondary, externally reachable IdP in a DMZ network. In the case
of AD FS, this would be an AD FS proxy. Our environment uses only a single IdP resolvable by both the internal SPs and the
External SP (Expressway-E).

Pre-Requisites
The following are pre-requisites for deployment of SSO over the Collaboration Edge.

• Expressway-C and Expressway-E are fully configured to provide secure Unified Communications traversal

• The SIP domain that will be accessed via SSO is configured on Expressway-C

• The Expressway-C is in Mobile and Remote Access mode and has discovered the Unified CM Topology

• The hostnames of all Unified CM nodes have been added to the HTTP server allow list on the Expressway-C

• Cisco Jabber clients are configured to request the internal services using the correct domain names, SIP URIs, and
Chat Aliases

• The default browser of the client can resolve the Expressway-E and IdP

• The IdP must be resolvable in DNS

• The IdP must support SAML 2.0

Module Objectives
In this module, we will perform the following tasks:

• Extend the existing Circle of Trust (CoT) with AD FS 2.0 (IdP) to include the Expressway pair (SP)

• Enable SSO for Mobile and Remote Access

• Move Workstation 2 to the External network and confirm authentication and authorization through Expressway using
SSO.

• Test Username/Password Authentication over SSO through MRA.

Prepare to Enable SAML SSO for Expressway


IdP Configuration on Cisco Expressway-C

In this activity, we will import the FederationMetadata.xml file into the configuration for Expressway-C to establish a trust relationship
between Expressway and ADFS.

1. Switch to or open the RDP session connected to ad1.dcloud.cisco.com (198.18.133.1).

2. Open the Firefox web browser and navigate to Collaboration Admin Links > Cisco Expressway-C.

3. Login with Username admin and Password dCloud123!.

4. Navigate to Configuration > Unified Communications > Identity providers (IdP).

Figure 474. Identity Providers

5. Click the Import new IdP from SAML button.

Figure 475. Import New IdP from SAML

6. Click on Browse.

7. Browse to the Desktop\CST-Jabber\SSO\ folder and choose the file FederationMetadata.xml.

Figure 476. IdP File

8. Click Open.

9. Click the Upload button.

10. Confirm that an entry for ADFS on ad1.dcloud.cisco.com is present.

Figure 477. Import Success

Assign Domain for IdP

Associate a services domain for use with the defined IdP.

1. From the Configuration > Unified Communications > Identity providers (IdP) page, locate the IdP entry with Entity ID
http://ad1.dcloud.cisco.com/adfs/services/trust.

2. Under the Actions column, click the hyperlink for Associate domains.

3. Place a checkmark next to each domain in the list:

• uk.dcloud.cisco.com

• dcloud.cisco.com

• alpha.com

Figure 478. Associate Domains

4. Click Save.

Export SP Metadata from Expressway-C

To define the relying party trust in ADFS for Expressway we will need to obtain the Service Provider Metadata.

1. Navigate to Configuration > Unified Communications > Export SAML data.

2. Notice that what we are actually downloading is Metadata from the Expressway-E peered to this Expressway-C system.

3. Under the Export SAML data section, click the Download button.

Figure 479. Download SAML Data

4. Choose the Save File radio button and click OK.

5. Use the Save As dialog to save the resulting xml file to the Desktop\CST-Jabber\SSO folder.

SAML SSO Configuration for Microsoft AD FS 2.0


Add a Relying Party Trust for Cisco Expressway-E

A relying party trust must be added to Microsoft AD FS for each Expressway-E in the cluster. Follow these steps to add a Relying
Party Trust for exp-e-1.dcloud.cisco.com.

1. Switch to the RDP session connected to ad1.dcloud.cisco.com (198.18.133.1).

2. Open the Active Directory Federation Services 2.0 Management Console by clicking the icon [ ] in the taskbar.

3. From the AD FS Management console choose Add Relying Party Trust from the Actions Menu in the right-hand pane.

Figure 480. Add Relying Party Trust

4. Click Start to begin the Add Relying Party Trust Wizard.

5. From the Choose Data Source screen, click the Import data about the relying party from a file radio button.

6. Click Browse.

7. Use the Browse for Metadata file dialog to navigate to the Desktop\CST-Jabber\SSO\ directory.

8. Choose the XML file whose name begins with saml_exp-c-1, downloaded in the previous step.

9. Click Open.

10. Click Next.

11. On the Specify Display Name screen enter the following values:

• Display name: exp-e-1.dcloud.cisco.com

• Notes: Expressway-E

12. Click Next.

13. On the Choose Issuance Authorization Rules screen confirm that the Permit All Users to access this relying party radio
button is selected.

Figure 481. Issuance Authorization Rules

14. Click Next.

15. Click Next on the Ready to Add Trust screen.

16. From the Finish screen, check the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
check box.

Figure 482. Edit Claim Rules Option

17. Click Close.

18. On the Edit Claim rules screen click the Add Rule button.

19. Choose the default Claim Rule template Send LDAP Attributes as Claims.

Figure 483. Claim Rule Template

20. Click Next.

21. On the Configure Claim Rule screen set the following values:

• Claim rule name: Send uid attribute

• Attribute Store: Active Directory

• LDAP Attribute: SAM-Account-Name

• Outgoing Claim Type: uid

Figure 484. Claim Rule Settings

22. Click Finish.

23. Click OK to close the Edit Claim Rules dialog.

24. Observe that an entry for exp-e-1.dcloud.cisco.com is now present in the list of Relying Party Trusts.

Figure 485. Relying Party Trusts Status

Set Relying Party Trust Properties for Expressway-E

To ensure that AD FS formulates the SAML responses as Expressway-E expects them we will use the Microsoft Windows
PowerShell utility to configure the following properties assigned to the Relying Party Trust entity for Expressway-E:

• SAMLResponseSignature

o Instruct ADFS to sign both the message and assertion during negotiation

• SignatureAlgorithm

o Instruct ADFS to use the SHA1 hashing algorithm for the signature

1. Right click the icon for the Windows PowerShell in the task bar and click Import system modules to launch Windows
PowerShell with system module commands for AD FS.

Figure 486. Import System Modules

2. Copy and paste the following command text and then press Enter.
Set-ADFSRelyingPartyTrust -TargetName "exp-e-1.dcloud.cisco.com" -SAMLResponseSignature MessageAndAssertion -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

3. A successful command will result in NO return data, as shown below.

Figure 487. PowerShell Output

4. Close the Windows PowerShell.
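
Because a successful Set-ADFSRelyingPartyTrust prints nothing, the added example below (not the lab's own command text) applies the same two properties and then reads them back with Get-ADFSRelyingPartyTrust, failing loudly if either value did not land. It assumes the relying party trust display name exp-e-1.dcloud.cisco.com used in this lab.

```powershell
# Added example, not from the lab: set the two signing properties on the Expressway-E
# relying party trust and read them back, because a successful Set-* prints nothing.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 snap-in

$trustName = 'exp-e-1.dcloud.cisco.com'        # display name given to the trust in this lab
$wanted = [ordered]@{
    SamlResponseSignature = 'MessageAndAssertion'   # sign both the SAML message and the assertion
    # Hash the lab specifies; check the release notes for your Expressway version before changing it.
    SignatureAlgorithm    = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
}

Set-ADFSRelyingPartyTrust -TargetName $trustName `
    -SAMLResponseSignature $wanted.SamlResponseSignature `
    -SignatureAlgorithm    $wanted.SignatureAlgorithm

# Read back the trust and compare every property we set against what we asked for.
$trust = Get-ADFSRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' not found" }

$allOk = $true
foreach ($prop in $wanted.Keys) {
    $actual = [string]$trust.$prop
    $state  = if ($actual -eq $wanted[$prop]) { 'OK' } else { $allOk = $false; 'MISMATCH' }
    '{0,-22} {1,-9} {2}' -f $prop, $state, $actual
}
if (-not $allOk) { throw "Signing settings on '$trustName' do not match what Expressway-E expects" }
```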

Enable SSO for Cisco Expressway


In the next section, we finalize our configuration by turning on Single Sign-On support. Single Sign-On support for Unified
Communications must be enabled on both Expressway-C and Expressway-E to complete the process.

Enable Single Sign-On for Expressway-C

1. Switch to the RDP session connected to ad1.dcloud.cisco.com.

2. Open the Firefox web browser and navigate to Collaboration Admin Links > Cisco Expressway-C. Optionally, navigate to
https://exp-c-1.dcloud.cisco.com.

3. Login with Username: admin and Password: dCloud123!.

4. Navigate to Configuration > Unified Communications > Configuration.

5. Locate the section of the page labeled Single Sign-On.

6. From the Single Sign-On support drop-down menu change the value from off to on.

Figure 488. Single Sign-On Support

7. Click Save.

Enable Single Sign-On for Expressway-E

1. Open a new tab in Firefox and choose Collaboration Admin Links > Cisco Expressway-E.

2. Login with Username: admin and Password: dCloud123!.

3. From the menu choose Configuration > Unified Communications > Configuration.

4. Locate the section of the page labeled Single Sign-On.

5. From the Single Sign-On support drop-down menu, choose On.

6. Set the value of Check for internal SSO availability to No.

Figure 489. Single Sign-On Settings

7. Click Save.

NOTE: The Check for internal SSO availability setting controls whether the Expressway-C will check if the user's home Unified CM
node has SSO available. By choosing No, the Expressway-E always tells the client that SSO is available, without actually checking
the home node. This results in reduced traffic on the internal network; however, this should ONLY be used when ALL nodes
have SSO available.

Verify operation on Unified CM SSO functionality


In the next activity, you will test SSO over MRA with a Username and Password after moving Workstation 2 to the external network,
in order to confirm that the Single Sign-On assertion chain is complete.


Move Workstation 2 to the External Network

NOTE: This procedure will disconnect the active RDP session, which is the expected result.

1. Switch focus to the RDP session connected to wkst2.dcloud.cisco.com (198.18.133.37).

2. If Cisco Jabber is open, close it by choosing Menu > Exit.

3. Navigate to the Desktop and locate the windows batch executable named External Network On.

Figure 490. Windows Batch File

4. Double-click the file to execute the migration procedure.

5. This will disconnect the active RDP session as expected.

Connect to Workstation 2 on the External Network

1. From the Student Laptop, open the Remote Desktop Connection client program.

2. Click Options.

3. On the General tab under Connection Settings, click Open.

4. Browse to the location where you saved the RDP session definition wkst2-ext.

Figure 491. Saved RDP Sessions

5. Choose the file and click Open.

6. Confirm that the settings match the graphic.

Figure 492. Logon Settings

7. Click Open.

8. Acknowledge any certificate warnings and proceed.

9. When prompted for the password, type C1sco12345.

Launch Cisco Jabber from Workstation 2 External using SSO

1. Launch Cisco Jabber by double clicking on the desktop icon.

2. Notice that a Windows Security authentication prompt is displayed, rather than the Cisco Jabber Sign-In prompt.

3. Login with Username: aperez and Password: C1sco12345.

Figure 493. Login Prompt

4. Verify that authentication succeeds and that all services are available.


Figure 494. Login Successful

Confirm SSO Operational State

With SSO support for Mobile and Remote Access fully enabled and tested, several new sources of information under the Status >
Unified Communications page of the Cisco Expressway-C are now available.

1. Switch focus to the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36).

2. In the active Firefox browser, choose the tab connected to Expressway-C (exp-c-1).

3. If the logon timer has expired, login with Username: admin and Password: dCloud123!.

4. From the menu, navigate to Status > Unified Communications.

5. Observe the new SSO related data present in the Activity section of the page. These describe the number of SSO access
requests and responses made by Expressway during assertion.

Figure 495. SSO Assertion Data

• SSO provisioned sessions indicates the number of MRA connections made using SSO

• View detailed SSO statistics provides detailed information about SSO processing on Expressway

• View and manage active SSO token holders provides a convenient interface for validation and troubleshooting of
active SSO user sessions via MRA.

6. Click the hyperlink for View and manage active SSO token holders.


7. Observe that a single active token holder is displayed: aperez. This is a direct result of the SSO testing performed in the
previous activity.

Figure 496. SSO Token Holders

8. Click the hyperlink for aperez to view details about the active authentication tokens associated with this user. An entry is
present for both Unified CM and Expressway. If we had provisioned Unity Connection as part of the SSO module, an entry for
this would be present as well.

Figure 497. SSO Tokens for Anita Perez

This completes the Extension of SAML SSO to the Collaboration Edge with Cisco Expressway.


Appendix A: PostgreSQL Installation on CentOS


Installation of PostgreSQL Server 9.4.1
Edit the YUM Repository

For procedural documentation visit: https://wiki.postgresql.org/wiki/YUM_Installation

1. Log into the target CentOS 7 host with Root Privileges or as a user with sudo privileges.

2. To edit the YUM repository configuration file on CentOS, type:

nano /etc/yum.repos.d/CentOS-Base.repo

3. Locate the [base] and [updates] sections of the file and append the line exclude=postgresql* to each.
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
exclude=postgresql*
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
exclude=postgresql*

4. Save the file and exit the nano editor.

Download Installation Packages and Dependencies with YUM

1. Download the PostgreSQL server and package dependencies by typing:


yum localinstall http://yum.postgresql.org/9.4/redhat/rhel-7-x86_64/pgdg-centos94-9.4-1.noarch.rpm

2. Observe the following output:

Dependencies Resolved

================================================================================
 Package           Arch      Version     Repository                        Size
================================================================================
Installing:
 pgdg-centos94     noarch    9.4-1       /pgdg-centos94-9.4-1.noarch      2.1 k

Transaction Summary
================================================================================
Install  1 Package

Total size: 2.1 k
Installed size: 2.1 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : pgdg-centos94-9.4-1.noarch                                   1/1
  Verifying  : pgdg-centos94-9.4-1.noarch                                   1/1

Installed:
  pgdg-centos94.noarch 0:9.4-1

Complete!

3. Check for a list of resolved packages and dependencies by entering the following command:
yum list postgres*
Available Packages
postgresql94.x86_64                     9.4.4-1PGDG.rhel7         pgdg94
postgresql94-contrib.x86_64             9.4.4-1PGDG.rhel7         pgdg94
postgresql94-debuginfo.x86_64           9.4.4-1PGDG.rhel7         pgdg94
postgresql94-devel.x86_64               9.4.4-1PGDG.rhel7         pgdg94
postgresql94-docs.x86_64                9.4.4-1PGDG.rhel7         pgdg94
postgresql94-jdbc.noarch                9.3.1101-2.rhel7          pgdg94
postgresql94-jdbc-javadoc.noarch        9.3.1101-2.rhel7          pgdg94
postgresql94-libs.x86_64                9.4.4-1PGDG.rhel7         pgdg94
postgresql94-odbc.x86_64                09.03.0400-1PGDG.rhel7    pgdg94
postgresql94-odbc-debuginfo.x86_64      09.03.0400-1PGDG.rhel7    pgdg94
postgresql94-plperl.x86_64              9.4.4-1PGDG.rhel7         pgdg94
postgresql94-plpython.x86_64            9.4.4-1PGDG.rhel7         pgdg94
postgresql94-pltcl.x86_64               9.4.4-1PGDG.rhel7         pgdg94
postgresql94-python.x86_64              4.1.1-1PGDG.rhel7         pgdg94
postgresql94-python-debuginfo.x86_64    4.1.1-1PGDG.rhel7         pgdg94
postgresql94-server.x86_64              9.4.4-1PGDG.rhel7         pgdg94
postgresql94-test.x86_64                9.4.4-1PGDG.rhel7         pgdg94

Note that postgresql94-server.x86_64 is returned as part of the output. We are ready to install the PostgreSQL server software.


Install PostgreSQL Server 9.4.1 and Dependencies

1. Initiate the installation by issuing the following command:


yum install postgresql94-server

2. If the PostgreSQL 9.4.1 installation is successful, output should appear as follows (some output omitted).
Installed:
  postgresql94-server.x86_64 0:9.4.4-1PGDG.rhel7

Dependency Installed:
  postgresql94.x86_64 0:9.4.4-1PGDG.rhel7    postgresql94-libs.x86_64 0:9.4.4-1PGDG.rhel7

Complete!

Initialize PostgreSQL and Start Services


Initialize the PostgreSQL Database

Next, we must initialize the PostgreSQL server software.

1. Type the following command to initialize the PostgreSQL database with default parameters.
/usr/pgsql-9.4/bin/postgresql94-setup initdb

2. Confirm that the command returns the following result: Initializing database ... OK.

Enable Automatic Service Startup

1. To enable automatic service startup with OS Boot, type the following command:
chkconfig postgresql-9.4 on

Start PostgreSQL Services

Services must be started for the first time to begin interacting with the software.

1. Type the following command to start the PostgreSQL server:


service postgresql-9.4 start

2. Output will appear as follows to indicate successful entry.


Redirecting to /bin/systemctl start postgresql-9.4.service

3. Check to ensure that the PostgreSQL process is actively running:


ps -ef | grep pgsql

4. At least one server process should be running as below:


postgres 8654 1 0 15:57 ? 00:00:00 /usr/pgsql-9.4/bin/postgres -D /var/lib/pgsql/9.4/data

5. Notice that the process is running as OS user postgres, which is automatically created during the package installation.


Configure Authentication and Access


Set the Password for Database User postgres

On Windows and OS X, the default password is postgres. However, on Linux systems, no default password is set. A password is
required to gain superuser access to create and modify databases and users.

1. Switch User to postgres.


su postgres

2. Use the psql client utility to connect to the PostgreSQL instance which is accessible locally, as user postgres with no
password.
psql postgres

3. Use the \password <username> command to set the postgres user password.
postgres=# \password postgres
Enter new password: <yourpasswordhere>
Enter it again: <yourpasswordhere>

4. Quit the psql client utility by typing \q.


postgres=# \q

5. Exit the postgres user shell to return to Root.

Allow Local and Remote Connections via PW authentication by editing the pg_hba.conf

Use the following command to edit the authentication parameter file to enable password based authentication for local and remote
connections.

1. Use the nano editor to make the following modifications to the pg_hba.conf file.
nano /var/lib/pgsql/9.4/data/pg_hba.conf

2. The entries below were added or modified: the METHOD on the default local and loopback entries is changed to md5 (the initdb
defaults are peer and ident), and the host entry for the client subnet is added.

# TYPE  DATABASE  USER  ADDRESS          METHOD

# "local" is for Unix domain socket connections only
local   all       all                    md5
# IPv4 local connections:
host    all       all   127.0.0.1/32     md5
host    all       all   192.18.133.0/24  md5
# IPv6 local connections:
host    all       all   ::1/128          md5

3. Press Ctrl+Shift+X to exit and save when prompted.

Edit PostgreSQL Configuration File postgresql.conf

Modify the configuration to allow connections from remote hosts, confirm the TCP listening port, set global parameters required for
integration with Cisco Unified IM and Presence.


1. Use the nano editor to make the following modifications to the postgresql.conf file.
nano /var/lib/pgsql/9.4/data/postgresql.conf

2. Edit the listen_addresses parameter by uncommenting it and setting the value to '*' to enable listening on all configured IP
interfaces.
listen_addresses = '*'

3. Confirm that the TCP port is set to 5432.


port = 5432

4. Set the escape_string_warning and standard_conforming_strings values to off. This is a requirement for using PostgreSQL
to provide external database services for Cisco Unified IM and Presence.
escape_string_warning = off
standard_conforming_strings = off

5. Restart PostgreSQL for configuration changes to take effect.


service postgresql-9.4 restart
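The pg_hba.conf and postgresql.conf edits above are the security boundary of this database: pg_hba.conf is evaluated top to bottom and the first entry matching a connection decides its authentication method, so a single broad trust entry placed early silently disables password checks for every later entry. The following Python script is an added example, not part of the lab guide and not PostgreSQL's or Cisco's code. It parses both files (CIDR addresses only), reports trust and match-all entries, confirms that the first entry matching the IM and Presence node's address requires a password, and checks the four postgresql.conf values the lab sets. The embedded sample files are constructed: they use the lab's 198.18.133.0/24 workstation subnet and add one deliberately weak line so there is something to flag; confirm that the subnet in your own pg_hba.conf matches the IM and Presence node's actual address. md5 is the strongest password method PostgreSQL 9.4 offers; scram-sha-256 is also accepted by the check for newer releases.

```python
import ipaddress

# Constructed sample pg_hba.conf: the lab's entries on the 198.18.133.0/24 lab subnet plus one
# deliberately weak "trust" line so the audit has something to flag (not from the lab guide).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    md5
# IPv4 local connections:
host    all       all   127.0.0.1/32     md5
host    all       all   198.18.133.0/24  md5
# IPv6 local connections:
host    all       all   ::1/128          md5
host    all       all   0.0.0.0/0        trust
"""

# Constructed postgresql.conf fragment containing the four settings the lab changes or confirms.
SAMPLE_POSTGRESQL_CONF = """\
listen_addresses = '*'            # what IP address(es) to listen on
port = 5432                       # (change requires restart)
escape_string_warning = off
standard_conforming_strings = off
"""

HOST_TYPES = ("host", "hostssl", "hostnossl")
PASSWORD_METHODS = ("md5", "scram-sha-256")  # scram-sha-256 only exists from PostgreSQL 10 on

# Values the lab requires for an IM and Presence external database on PostgreSQL.
REQUIRED_SETTINGS = {
    "listen_addresses": "*",
    "port": "5432",
    "escape_string_warning": "off",
    "standard_conforming_strings": "off",
}


def parse_pg_hba(text):
    """Parse pg_hba.conf into rule dicts in file order; order matters because the first match wins."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local" and len(fields) >= 4:
            rules.append({"type": "local", "database": fields[1], "user": fields[2],
                          "address": None, "method": fields[3]})
        elif fields[0] in HOST_TYPES and len(fields) >= 5:
            # CIDR notation only; the older "address netmask" form is not handled here.
            rules.append({"type": fields[0], "database": fields[1], "user": fields[2],
                          "address": ipaddress.ip_network(fields[3], strict=False),
                          "method": fields[4]})
        else:
            raise ValueError(f"unrecognised pg_hba.conf line: {raw!r}")
    return rules


def first_match(rules, client_ip):
    """Return the first host rule whose ADDRESS contains client_ip, as PostgreSQL itself would."""
    client = ipaddress.ip_address(client_ip)
    for rule in rules:
        net = rule["address"]
        if net is not None and net.version == client.version and client in net:
            return rule
    return None


def audit_pg_hba(rules, imp_node_ip):
    """List weak rules and confirm the IM and Presence node must authenticate with a password."""
    findings = []
    for rule in rules:
        where = "unix socket" if rule["address"] is None else str(rule["address"])
        if rule["method"] == "trust":
            findings.append(f"{where}: method 'trust' allows logins without a password")
        if rule["address"] is not None and rule["address"].prefixlen == 0:
            findings.append(f"{where}: rule matches every source address")
    match = first_match(rules, imp_node_ip)
    if match is None:
        findings.append(f"{imp_node_ip}: no host rule matches, IM and Presence cannot connect")
    elif match["method"] not in PASSWORD_METHODS:
        findings.append(f"{imp_node_ip}: first matching rule uses '{match['method']}', not a password method")
    return findings


def parse_postgresql_conf(text):
    """Parse the 'key = value' lines of postgresql.conf, dropping comments and surrounding quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value.strip("'\"")
    return settings


def check_imp_settings(settings):
    """Return the settings that differ from REQUIRED_SETTINGS; an empty list means compliant."""
    return [f"{key} is {settings.get(key, '<unset>')!r}, expected {want!r}"
            for key, want in REQUIRED_SETTINGS.items() if settings.get(key) != want]


if __name__ == "__main__":
    for finding in audit_pg_hba(parse_pg_hba(SAMPLE_PG_HBA), "198.18.133.5"):
        print("pg_hba.conf:", finding)
    for finding in check_imp_settings(parse_postgresql_conf(SAMPLE_POSTGRESQL_CONF)):
        print("postgresql.conf:", finding)
```

Run it against the real files by reading /var/lib/pgsql/9.4/data/pg_hba.conf and postgresql.conf into the two parse functions and passing the IM and Presence node's address to audit_pg_hba; an empty findings list from both checks is the state the lab's steps are meant to produce.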

Add a Firewall Rule in CentOS

The built-in host firewall in CentOS 7 (firewalld, which manages the underlying iptables rules) must be updated to permit incoming
connections on TCP port 5432 in order for database connectivity between Cisco Unified IM and Presence and the PostgreSQL server to work.

1. Type the following command to add a permanent firewall rule permitting TCP/5432.
firewall-cmd --permanent --add-port=5432/tcp

2. Reload firewalld to make the configuration change effective.


firewall-cmd --reload


Appendix B: AD FS 2.0 Install and Configuration


NOTE: This chapter is for your reference only; everything has been already done for you. You can read this section and use it in
future deployments. All these changes have already been made in the master images.

How to install Microsoft AD FS2.0


After having installed a Windows 2008 R2 Server with DNS role, you need to promote the server to Domain Controller (Deploy
Active Directory).

The next task will be installing Microsoft Certificate Services.

1. Go to Server Manager and in Roles click Add Roles.

Figure 498. Server Manager

2. Click the box for the Active Directory Certificate Services Role. Click Next.

Figure 499. AD Certificate Services Role

3. You have the option to deploy additional services. Deploy the services Certificate Authority and Certificate Authority Web
Enrollment, at that time another Wizard will start to add extra Roles for IIS.


Figure 500. Additional Services

4. For the setup type, choose Enterprise. This is what you will see in most customer installations, but it makes no
difference for this specific deployment, which could even use a Standalone CA. Click Next.

Figure 501. Setup Type


5. For the CA Type, choose Root CA, since there is no other CA already running in the organization.

Figure 502. CA Type

6. The next step will be to create the private key for your CA. Choose this option and click Next.

Figure 503. Private Key

7. After configuring the CA, you need to configure the Role Services for IIS, since they are necessary for the Web Enrollment of
the CA. For the ADFS deployment you will need an extra role service in IIS: click ASP.NET under Application Development.


Figure 504. Add Role

8. In the Server Manager click on Web Server > IIS, and then right click on Default Web Site. You need to change the Binding
to allow HTTPS along with HTTP.

Figure 505. Server Manager

9. After you right-click, you need to choose Edit Bindings.


Figure 506. Edit Bindings

10. Add a new Site Binding and choose https as the type. For the SSL certificate, choose the server certificate, which should have
the same FQDN as your AD1 server (ad1.dcloud.cisco.com).

Figure 507. Adding HTTPS to Bindings

Everything is complete from a platform perspective; now you need to install AD FS 2.0. In the roles available in Server Manager
you will see AD FS, but that is version 1.0 and does not provide SAML.

Therefore, you need to go on the web to get AD FS 2.0.

11. Go to the link http://www.microsoft.com/en-us/download/details.aspx?id=10909. Set the language and click the Continue
button.


Figure 508. Download Center

12. Choose the correct version for your OS. In our case, it is the first check box for Windows 2008 R2. Click Download.

13. Double-click on the AdfsSetup.exe file that you downloaded.

14. For the Server Role choose the Federation Server, since you are installing the IdP to be inside the customer network in the
private LAN. Click Next.

Figure 509. Server Role

15. The product is installed and you can open it from the taskbar or start menu.


Figure 510. AD FS 2.0

ADFS 2.0 initial configuration

1. Launch the ADFS Management console. You may need to perform a search from the start menu if not listed. Start >
Administrative Tools > AD FS 2.0 Management is the typical path.

Figure 511. AD FS 2.0 Management

2. Click the AD FS 2.0 Federation Server Configuration Wizard option to start your ADFS server configuration.


Figure 512. AD FS 2.0 Configuration Wizard

3. Choose Create a new Federation Service and click Next.

Figure 513. Create a New Federation Service

4. Choose Stand-alone Federation Server and click Next.


Figure 514. Stand-alone Federation Server

5. Under SSL certificate, choose the ad1.dcloud.cisco.com certificate from the list. The Federation Service name will auto-
populate. Click Next.

Figure 515. SSL Certificate

6. Review the settings and click Next to apply the settings.


Figure 516. Settings Summary

7. Confirm all the components have completed successfully and click Close to end the wizard and return to the main
management console. This may take a few minutes.

8. ADFS is now effectively enabled and configured as an Identity Provider (IdP). Next, you need to add Cisco UCM as a trusted
Relying Party. Before you can do this, you need to configure Cisco UCM Administration.

Setting up Certificates Services on the Active Directory Server

1. Re-open the Remote Desktop Connection to ad1.dcloud.cisco.com.

2. Open Server Manager and expand Roles > Web Server(IIS). Click Add Role Services.


Figure 517. Server Manager

3. Click Security > IIS Client Certificate Mapping Authentication, click Next and let it install.

Figure 518. Certificate Mapping Authentication


Appendix C: Adding Client-Server Template to Microsoft Certificate Services

In this lab, you generated your own certificates using the Microsoft CA role. However, the base install of the CA role needed to be
modified to support the type of certificate the Expressways require. In this appendix, you will find the steps to add the new Client-
Server template that was pre-configured for you.

1. From within your RDP session to AD1 open the Certificate Authority application by going to Start > All Programs >
Administrative Tools > Certification Authority.

2. Click the plus (+) sign next to dcloud-AD1-CA to expand it and click on Certificate Templates below.

3. Right click on Certificate Templates and choose Manage from the pop-up menu.

4. Right click on Web Server and choose Duplicate Template from the pop-up menu.

5. Verify Microsoft Server 2003 Enterprise is selected and then click OK.

6. Configure the following parameters for the New Template.

• Template display name: ClientServer

• Template name: ClientServer (pre-populated)

• Click the Request Handling tab and click the checkbox for Allow private key to be exported

• Click the Extensions tab

• Verify that Application Policies is selected and then click Edit

• Click Add

• Click to highlight Client Authentication from the list, click OK, and then click OK to confirm the addition

• Click OK one more time to save the new template

7. Close the Certificate Template Console by using the X in the top right corner of the window.

8. Right click on Certificate Templates and choose New > Certificate Template to Issue from the pop-up menu.

9. Click ClientServer from the list to highlight it and then click OK.

10. Close the Certificate Authority (certsrv) console.


Appendix D: Table of Documents


Reference documents related to Cisco products and technology used in the creation of this Lab Guide are listed below.

Collaboration Systems Release 11

Cisco Collaboration System 11.x Solution Reference Network Designs (SRND)

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab11/collab11.html

Expressway x8.5

Unified Communications Mobile and Remote Access via Cisco Expressway

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Mobile-Remote-Access-via-
Expressway-Deployment-Guide-X8-5.pdf

Unified CM and IM and Presence

Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager, Release 11.0(1)

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/configAdminGuide/11_0_1/CUP0_BK_C36EBE60_00_c
onfig-admin-guide-110.html

IM and Presence Service External Database Setup

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/database_setup/10_5_2/CUP0_BK_D4BFFAC9_00_dat
abase-setup-guide-imp-1052/CUP0_BK_D4BFFAC9_00_database-setup-guide-imp-1052_chapter_011.html

SAML SSO Deployment

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 10.5

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_guide/10_5_1/CUCM_BK_S52C3A64_00_s
aml-sso-deployment-guide-105.html

SAML SSO Configure Microsoft Active Directory Federation Services Identity Provider on Windows Platform

http://docwiki.cisco.com/wiki/SAML_SSO_Configure_Microsoft_Active_Directory_Federation_Services_Identity_Provider_on_Wind
ows_Platform


Appendix E: Errata
Steps of a SAML-based authentication flow
Figure 519. SP-Initiated SSO (Redirect/POST binding)

1. The user tries to access a service or resource by pointing the browser to the URL hosted on the application server. The
browser at this moment does not have an active session with the service.

2. The SP realizes that the request originates from a client without an active session. Based on the SSO configuration, the SP
now generates a SAML authentication request to be sent to the appropriate IdP defined as part of the SSO configuration. The
SAML request contains information about the SP generating the request. This is required so that the IdP can identify the SPs
sending SAML requests.

3. The SP does not communicate directly with the IdP to authenticate the user. Instead, the SP redirects the browser to the IdP.
The URL used for this redirect is taken from the IdP metadata exchanged earlier. The SAML request to be sent to the IdP is
included in the redirect as a URL query parameter using Base64 encoding.

4. The browser receives the redirect, follows the URL and issues the corresponding GET to the IdP. The SAML request is
maintained. The browser at this stage does not have an active session with the IdP.

5. After receiving the new request from a browser with no active session, the IdP authenticates the user based on the pre-
configured authentication mechanisms. Possible authentication mechanisms include user/password, PKI/CAC or Kerberos.
For user/password authentication, the IdP might push a form to the user to enter the credentials (e.g. 200 OK with IdP login
form). For the actual authentication, the IdP might depend on backend systems like for example an LDAP server for
user/password authentication.


One key point here is that the exchange of credentials for the purpose of authentication takes place between the IdP and the
browser. The SP is not involved and does not see the credentials.

6. The browser provides further information required for the authentication process. For the user/password case, this would be a
POST with the information. For other authentication mechanisms, other details would need to be sent to the IdP by the
browser.

7. The IdP now checks and validates the provided credentials. The check could involve interactions with respective backend
systems (LDAP bind for user/password based authentication against LDAP, communication with Kerberos server to validate
ticket etc.).

8. Finally, the IdP generates a SAML response for the SP. This response contains the SAML assertion documenting the result of
the authentication process. The SAML assertion in addition to the basic “Yes/No” information also contains validity
information and information about attributes describing the authenticated entity. At least the user id of the authenticated entity
has to be included in the well-known attribute “uid” so that the SP can extract this information from the assertion to relate the
authenticated entity to users existing in the local database.
The SAML assertion is signed by the IdP according to the SSO key information published in the IdP metadata. This ensures
that the SP can verify the authenticity of the SAML assertion.
The IdP returns the SAML assertion to the browser in a hidden form in a 200 OK message. The hidden form instructs the
browser to POST the SAML assertion to the Assertion Consumer Service (ACS) of the SP.
The IdP also sets a session cookie, which is cached by the browser. If the browser needs to get additional SAML assertions, it
will send the session cookie with the SAML requests. The IdP will then realize it already has a valid session with the browser
and will assert the authentication of the previously authenticated user without prompting for credentials again. This enables
SSO against multiple SPs. Session expiry times for these session cookies are configured on the IdP.

9. The browser follows the hidden POST received in the 200 OK and POSTs the SAML assertion to the Assertion Consumer
Service on the SP.

10. The SP extracts the SAML assertion from the POST and validates the signature of the assertion. This guarantees the
authenticity of the SAML assertion and the IdP. The user identifier received in the SAML assertion in attribute “uid” is then
used to decide whether the user is authorized to access the requested service. This is based on local access control
configuration on the SP.

11. The SP grants access to the requested resource and sends back the content in a 200 OK to the browser. The SP also sets a
session cookie in the browser so that for subsequent requests from the same browser to the same SP the SP does not need
to initiate an exchange with the IdP anymore. The IdP will only be involved for requests from the same browser after the SP
session cookie has expired.
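To make steps 2 through 10 concrete, here is an added Python example (not from the lab guide, and not Cisco's or AD FS's code) that walks one SP-initiated exchange using only the standard library: the SP builds an AuthnRequest and encodes it for the HTTP-Redirect binding (which DEFLATE-compresses the XML before Base64- and URL-encoding it), the IdP decodes it and issues an assertion carrying InResponseTo, Conditions with an AudienceRestriction and validity window, and a uid attribute, and the SP applies the checks from step 10 before trusting the uid. All entity IDs and URLs are constructed example.test names. The one simplification is the signature: a real IdP uses XML-DSig with the RSA key published in its metadata, which needs an XML-security library, so this example uses an HMAC over the serialized assertion bytes as a stand-in for the signing and verification steps; every other check is the real one. flow_result runs the exchange and returns either the uid the SP accepts or the rejection reason; the two failure cases it can exercise are an SP clock ahead of the validity window and an assertion altered in transit.

```python
import base64
import hmac
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, ns in (("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, ns)

# Constructed identities for this example; none are taken from the lab guide.
SP_ENTITY_ID = "https://sp.example.test"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/adfs/services/trust"
IDP_SSO_URL = "https://idp.example.test/adfs/ls/"
IDP_SIGNING_KEY = b"constructed-demo-key"  # stand-in for the IdP's XML-DSig key (assumption)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def saml_time(dt): return dt.strftime(TIME_FMT)
def parse_time(text): return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def build_authn_request(now):
    """Step 2: the SP builds an AuthnRequest and keeps its ID to match the response later."""
    request_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": request_id, "Version": "2.0", "IssueInstant": saml_time(now),
                                                   "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": ACS_URL})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return request_id, ET.tostring(root, encoding="utf-8")


def redirect_binding_url(authn_request_xml):
    """Step 3: HTTP-Redirect binding = raw DEFLATE, then Base64, then URL-encode as SAMLRequest."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = deflater.compress(authn_request_xml) + deflater.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def idp_decode_request(url):
    """Step 4: the IdP recovers the AuthnRequest and learns which SP is asking and where to reply."""
    query = parse_qs(urlparse(url).query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15))
    return {"id": root.get("ID"), "issuer": root.findtext(f"{{{SAML}}}Issuer"), "acs": root.get("AssertionConsumerServiceURL")}


def idp_issue_assertion(request, uid, now):
    """Steps 7-8: the IdP issues an assertion bound to this request, this SP and a short validity window."""
    expiry = saml_time(now + timedelta(minutes=5))
    a = ET.Element(f"{{{SAML}}}Assertion",
                   {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": saml_time(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    conf = ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}SubjectConfirmation",
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData",
                  {"InResponseTo": request["id"], "Recipient": request["acs"], "NotOnOrAfter": expiry})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         {"NotBefore": saml_time(now - timedelta(minutes=1)), "NotOnOrAfter": expiry})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = request["issuer"]
    attr = ET.SubElement(ET.SubElement(a, f"{{{SAML}}}AttributeStatement"),
                         f"{{{SAML}}}Attribute", {"Name": "uid"})
    ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = uid
    assertion_xml = ET.tostring(a, encoding="utf-8")
    # HMAC stand-in for the XML-DSig signature a real IdP applies (assumption, see lead-in)
    mac = hmac.new(IDP_SIGNING_KEY, assertion_xml, "sha256").hexdigest()
    return {"assertion": assertion_xml, "signature": mac}


def sp_validate_assertion(response, expected_request_id, now):
    """Step 10: verify signature, issuer, InResponseTo, window and audience, then extract uid."""
    mac = hmac.new(IDP_SIGNING_KEY, response["assertion"], "sha256").hexdigest()
    if not hmac.compare_digest(mac, response["signature"]):
        raise ValueError("signature does not verify")
    root = ET.fromstring(response["assertion"])
    if root.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("assertion not issued by the configured IdP")
    data = root.find(f".//{{{SAML}}}SubjectConfirmationData")
    if data is None or data.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request (possible replay)")
    cond = root.find(f"{{{SAML}}}Conditions")
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion was issued for a different SP")
    uid = root.findtext(f".//{{{SAML}}}Attribute[@Name='uid']/{{{SAML}}}AttributeValue")
    if not uid:
        raise ValueError("no uid attribute, SP cannot map the user")
    return uid


def flow_result(uid="aperez", sp_clock_skew_minutes=0, tamper=False):
    """Run one SP-initiated exchange; return the uid the SP accepts, or the rejection reason."""
    now = datetime.now(timezone.utc)
    request_id, request_xml = build_authn_request(now)               # SP
    request = idp_decode_request(redirect_binding_url(request_xml))   # browser -> IdP
    response = idp_issue_assertion(request, uid, now)                 # IdP -> browser -> SP
    if tamper:  # a uid changed in transit must fail the signature check
        response["assertion"] = response["assertion"].replace(uid.encode(), b"someone-else")
    try:
        return sp_validate_assertion(response, request_id, now + timedelta(minutes=sp_clock_skew_minutes))
    except ValueError as exc:
        return f"rejected: {exc}"
```

The order of the checks in sp_validate_assertion is deliberate: the signature is verified before any field is read, so nothing from an unverified assertion influences a decision, and the InResponseTo and validity-window checks are what stop a captured assertion from being replayed after the fact.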

Enterprise Groups
With Cisco Unified Communications Manager Release 11.0, Cisco Jabber users can search for groups in Microsoft Active
Directory and add them to their contact lists. If a group already in the contact list is updated, the contact list is automatically
updated. Cisco Unified Communications Manager synchronizes its database with Microsoft Active Directory groups at specified
intervals.

When a user adds a group to their contact list, IM and Presence Service provides the following information for each group member:

• display name


• user ID

• title

• phone number

• mail ID

Only the group members that are assigned to IM and Presence Service nodes can be added to the contact list. Other group
members are discarded.

NOTE: Currently, the enterprise groups feature is supported only on Microsoft Active Directory server. It is not supported on other
corporate directories.

The enterprise groups feature is enabled system-wide with the Cisco Unified Communications Manager Directory Group
Operations on Cisco IM and Presence enterprise parameter. For more information about enterprise groups, see the Feature
Configuration Guide for Cisco Unified Communications Manager.

LDAP Integrations
You can configure a corporate LDAP directory in this integration to satisfy a number of different requirements:

User provisioning: You can provision users automatically from the LDAP directory into the Cisco Unified Communications
Manager database. Cisco Unified Communications Manager synchronizes with the LDAP directory content so you avoid having to
add, remove, or modify user information manually each time a change occurs in the LDAP directory.

User authentication: You can authenticate users using the LDAP directory credentials. The IM and Presence Service
synchronizes all the user information from Cisco Unified Communications Manager to provide authentication for users of the Cisco
Jabber client and IM and Presence Service user interface.

Cisco recommends integration of Cisco Unified Communications Manager and Directory server for user synchronization and
authentication purposes.

NOTE: When Cisco Unified Communications Manager is not integrated with LDAP, you must verify that the username is the same
in Active Directory and Cisco Unified Communications Manager before deploying IM and Presence Service.


Listing of IM and Presence Service Services


Feature Services

Cisco SIP Proxy

The Cisco SIP Proxy service is responsible for providing the SIP registrar and proxy functionality. This includes request routing,
requestor identification, and transport interconnection.

Cisco Presence Engine

The Cisco Presence Engine collects, aggregates, and distributes user capabilities and attributes using the standards-based SIP
and SIMPLE interface. It collects information about the availability status and communications capabilities of a user.

Cisco XCP Text Conference Manager

The Cisco XCP Text Conference Manager supports the Chat feature. The Chat feature allows users to communicate with each
other in online chat rooms. It supports chat functionality using ad hoc (temporary) and permanent chat rooms, which remain on a
Cisco-supported external database until they are deleted.

Cisco XCP Connection Manager

The Cisco XCP Connection Manager enables XMPP clients to connect to IM and Presence Service.

Cisco XCP Authentication Service

The Cisco XCP Authentication Service handles all authentication requests from XMPP clients that are connecting to IM and
Presence Service. This includes Jabber clients authenticating through Collaboration Edge.

Cisco XCP Web Connection Manager (NA)

The Cisco XCP Web Connection Manager service enables browser-based clients to connect to IM and Presence Service.

Cisco XCP SIP Federation Connection Manager (NA)

The Cisco XCP SIP Federation Connection Manager supports interdomain federation with Microsoft OCS over the SIP protocol.
You must also turn on this service when your deployment contains an intercluster connection between an IM and Presence Service
Release 9.0 cluster and a Cisco Unified Presence Release 8.6 cluster.

Cisco XCP XMPP Federation Connection Manager (NA)

The Cisco XCP XMPP Federation Connection Manager supports interdomain federation with third-party enterprises such as IBM
Lotus Sametime, Cisco WebEx Meeting Center, and GoogleTalk over the XMPP protocol, and also supports interdomain
federation with another IM and Presence Service enterprise over the XMPP protocol.

Cisco XCP Message Archiver

The Cisco XCP Message Archiver service supports the IM Compliance feature. The IM Compliance feature logs all messages sent
to and from the IM and Presence Service server, including point-to-point messages, and messages from ad hoc (temporary) and
permanent chat rooms for the Chat feature. Messages are logged to an external Cisco-supported database.

Cisco XCP Directory Service (NA; may be needed for Pidgin)

The Cisco XCP Directory Service supports the integration of XMPP clients with the LDAP directory to allow users to search and
add contacts from the LDAP directory.

Network Services (automatically activated and started)

The following network services apply only to IM and Presence Service.

Cisco Login Datastore

The Cisco Login Datastore is a real-time database for storing client sessions to the Cisco Client Profile Agent.

Cisco Route Datastore

The Cisco Route Datastore is a real-time database for storing a cache of route information and assigned users for the Cisco SIP
Proxy and the Cisco Client Profile Agent.

Cisco Config Agent

The Cisco Configuration Agent is a change-notification service that notifies the Cisco SIP Proxy of configuration changes in the IM
and Presence Service IDS database.

Cisco Sync Agent

The Cisco Sync Agent keeps IM and Presence data synchronized with Cisco Unified Communications Manager data. It sends
SOAP requests to the Cisco Unified Communications Manager for data of interest to IM and Presence and subscribes to change
notifications from Cisco Unified Communications Manager and updates the IM and Presence IDS database.

Cisco OAM Agent

The Cisco OAM Agent service monitors configuration parameters in the IM and Presence Service IDS database that are of interest
to the Presence Engine. When a change is made in the database, the OAM Agent writes a configuration file and sends an RPC
notification to the Presence Engine.

Cisco Client Profile Agent

The Cisco Client Profile Agent service provides a secure SOAP interface to or from external clients using HTTPS.

Cisco Intercluster Sync Agent

The Cisco Intercluster Sync Agent service propagates DND state to Cisco Unified Communications Manager and synchronizes end
user information between IM and Presence Service clusters for intercluster SIP routing.


Cisco XCP Router

The XCP Router is the core communication functionality on the IM and Presence Service server. It provides XMPP-based routing
functionality on the IM and Presence Service. It routes XMPP data to the other active XCP services on IM and Presence Service
and it accesses SDNS to allow the system to route XMPP data to IM and Presence Service users. The XCP router manages
XMPP sessions for users, and routes XMPP messages to and from these sessions.

After IM and Presence Service installation, the system turns on Cisco XCP Router by default.

NOTE: If you restart the Cisco XCP Router, the IM and Presence Service automatically restarts all active XCP services. You
must choose the Restart option to restart the Cisco XCP Router; this is not the same as turning the Cisco XCP Router off and
then on. If you turn off the Cisco XCP Router rather than restarting it, IM and Presence Service stops all other XCP services.
When you subsequently turn the XCP Router back on, IM and Presence Service does not automatically turn on the other XCP
services; you must turn them on manually.

Cisco XCP Config Manager

The Cisco XCP Config Manager service monitors the configuration and system topology changes made through the administration
GUI (as well as topology changes that are synchronized from an InterCluster Peer) that affect other XCP components (for
example, Router and Message Archiver), and updates these components as needed. The Cisco XCP Config Manager service
creates notifications for the administrator indicating when an XCP component requires a restart (due to these changes), and it
automatically clears the notifications after the restarts are complete.

Cisco Server Recovery Manager

The Cisco Server Recovery Manager (SRM) service manages the failover between nodes in a presence redundancy group. The
SRM manages all state changes in a node; state changes are either automatic or initiated by the administrator (manual). Once you
turn on high availability in a presence redundancy group, the SRM on each node establishes heartbeat connections with the peer
node and begins to monitor the critical processes.

Cisco IM and Presence Data Monitor

The Cisco IM and Presence Data Monitor monitors IDS replication state on the IM and Presence Service. Other IM and Presence
services are dependent on the Cisco IM and Presence Data Monitor. These dependent services use the Cisco service to delay
startup until such time as IDS replication is in a stable state.

The Cisco IM and Presence Data Monitor also checks the status of the Cisco Sync Agent sync from Cisco Unified Communications
Manager. Dependent services are only allowed to start after IDS replication has set up and the Sync Agent on the IM and
Presence database publisher node has completed its sync from Cisco Unified Communications Manager. After the timeout has
been reached, the Cisco IM and Presence Data Monitor on the Publisher node will allow dependent services to start even if IDS
replication and the Sync Agent have not completed.


On the subscriber nodes, the Cisco IM and Presence Data Monitor delays the startup of feature services until IDS replication is
successfully established. The Cisco IM and Presence Data Monitor delays the startup of feature services only on the problem
subscriber node; it does not delay feature service startup on all subscriber nodes because of one problem node. For
example, if IDS replication is successfully established on node1 and node2, but not on node3, the Cisco IM and Presence Data
Monitor allows feature services to start on node1 and node2, but delays feature service startup on node3.
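The startup-gating rule described above, written out as an added simulation (this is illustrative code, not Cisco's Data Monitor implementation). The node names, the `NodeState` fields and the cluster layout are constructed for the example; the rule itself follows the text: the publisher releases dependent services once IDS replication is set up and the Sync Agent sync has completed, or once the timeout is reached, while each subscriber is gated only on its own IDS replication state.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class NodeState:
    """Constructed view of the inputs the Data Monitor checks on one node."""
    name: str
    is_publisher: bool
    ids_replication_ok: bool
    sync_agent_done: bool = False   # only evaluated on the publisher
    timeout_elapsed: bool = False   # only evaluated on the publisher


def may_start_feature_services(node: NodeState) -> bool:
    """Return True when the Data Monitor would let dependent feature services start."""
    if node.is_publisher:
        # Publisher: replication established AND Sync Agent finished,
        # or the startup timeout has been reached (services start regardless).
        if node.ids_replication_ok and node.sync_agent_done:
            return True
        return node.timeout_elapsed
    # Subscriber: gated only on this node's own IDS replication state.
    return node.ids_replication_ok


def startup_decisions(cluster: List[NodeState]) -> Dict[str, bool]:
    """Evaluate every node independently; one problem node does not hold back the others."""
    return {node.name: may_start_feature_services(node) for node in cluster}


if __name__ == "__main__":
    # Constructed cluster matching the worked example in the text:
    # node1 and node2 replicate fine, node3 does not.
    cluster = [
        NodeState("publisher", True, ids_replication_ok=True, sync_agent_done=True),
        NodeState("node1", False, ids_replication_ok=True),
        NodeState("node2", False, ids_replication_ok=True),
        NodeState("node3", False, ids_replication_ok=False),
    ]
    for name, allowed in startup_decisions(cluster).items():
        print(f"{name}: {'start' if allowed else 'delayed'}")
```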

Cisco Presence Datastore

The Cisco Presence Datastore is a real-time database for storing transient presence data and subscriptions.

Cisco SIP Registration Datastore

The Cisco Presence SIP Registration Datastore is a real-time database for storing SIP Registration data.

Cisco RCC Device Selection

The Cisco RCC Device Selection service is the Cisco IM and Presence user device selection service for Remote Call Control.
