
Jabber Mobile and Remote Access (MRA) with Cisco Expressway featured with SSO

Prerequisite
This post completes the configuration of Expressway Core and Edge to provide MRA capability with
SSO enabled. My test environment is on version 11.5, and I have the following:

• Public domain name: voicelab.ca, registered with GoDaddy
• Two public IPs assigned to Expressway-E and the IdP. You may have your own.
• Internal SRV record: _cisco-uds._tcp.MYDOMAIN.COM
• External SRV records: _collab-edge._tls.YOURDOMAIN.COM, _sips._tcp.MYDOMAIN.COM
• Assuming Jabber is working on premises with SSO

DNS records (screenshot): external SRV _collab-edge._tls, IdP A record, Expressway-E A record

Use https://cway.cisco.com/tools/SrvRecord/ to check that all required SRV records are found.


CA Root Certificate
Assuming you have the basic configuration done on both Expressway-C and Expressway-E, the next step is to
upload the CA root certificate.

Client-Server CSR
On both C and E

Download CSRs and save them

Client-Server Template
1. open the Certificate Authority application by going to Start > All Programs > Administrative Tools >
Certification Authority.
2. Click the plus (+) sign next to dcloud-AD1-CA to expand it and click on Certificate Templates below.
3. Right click on Certificate Templates and choose Manage from the pop-up menu.
4. Right click on Web Server and choose Duplicate Template from the pop-up menu.
5. Verify Microsoft Server 2003 Enterprise is selected and then click OK.
6. Configure the following parameters for the New Template.
• Template display name: ClientServer
• Template name: ClientServer (pre-populated)
• Click the Request Handling tab and click the checkbox for Allow private key to be exported
• Click the Extensions tab
• Verify that Application Policies is selected and then click Edit
• Click Add
• Click to highlight Client Authentication from the list, click OK, and then click OK to confirm the
addition
• Click OK one more time to save the new template
7. Close the Certificate Template Console by using the X in the top right corner of the window.
8. Right click on Certificate Templates and choose New > Certificate Template to Issue from the pop-up menu.
9. Click ClientServer from the list to highlight it and then click OK.
10. Close the Certificate Authority (certsrv) console.
Submit and Download a CA Signed Certificate
Do this on both E and C

Upload CA Signed Certificate


Do this on both E and C
After this, restart both servers.

Expressway-C for Unified Communications


Secure Traversal between Expressway-E and Expressway-C
Contact Photo Resolution

When Cisco Jabber is running in remote mode through MRA, the Corporate Directory and contact source type is
automatically set to UDS. There is no additional configuration required for this behavior to function.

A webserver has been configured to host contact photos at the following URL:

http://Ad1.YOURDOMAIN.COM/directory/

Upload Jabber-Config.xml
<config>
  <Policies>
    <EnableSIPURIDialling>True</EnableSIPURIDialling>
    <File_Transfer_Enabled>True</File_Transfer_Enabled>
  </Policies>
  <Client>
    <enablesavechathistorytoexchange>True</enablesavechathistorytoexchange>
    <InternalExchangeServer>ad1.yourdomain.com</InternalExchangeServer>
    <Persistent_Chat_Enabled>true</Persistent_Chat_Enabled>
  </Client>
  <Directory>
    <SipUri>mail</SipUri>
    <UseSIPURIToResolveContacts>true</UseSIPURIToResolveContacts>
    <BDISipUri>mail</BDISipUri>
    <BDIUseSIPURIToResolveContacts>true</BDIUseSIPURIToResolveContacts>
    <BusinessPhone>telephoneNumber</BusinessPhone>
    <UDSPhotoURIWithToken>http://ad1.yourdomain.com/directory/%%uid%%.jpg</UDSPhotoURIWithToken>
  </Directory>
</config>

Verify:
http://ucm-pub.YOURDOMAIN.COM:6970/jabber-config.xml

HTTP Server Allow List
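Any internal HTTP host that Jabber reaches through MRA (the contact photo server, the Exchange server for chat history) must be on the Expressway-C HTTP server allow list, and jabber-config.xml is where those hosts are declared. The script below, an added example rather than anything from this post or from Cisco, reads a jabber-config.xml, collects the hostnames that belong on the allow list, and flags plain http:// URLs and a photo URL missing the %%uid%% token. It looks only at the element names used in the post's config (UDSPhotoURIWithToken and InternalExchangeServer); the sample XML is constructed.

```python
"""Lint a jabber-config.xml for MRA: list the internal HTTP hosts the
Expressway-C HTTP server allow list must contain and flag weak settings.
Added example, not Cisco's code. Assumes the element names from the post's
jabber-config.xml; extend URL_ELEMENTS / HOST_ELEMENTS for other keys."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample mirroring the post's jabber-config.xml (trimmed).
SAMPLE_CONFIG = """<config>
  <Client>
    <InternalExchangeServer>ad1.yourdomain.com</InternalExchangeServer>
  </Client>
  <Directory>
    <UDSPhotoURIWithToken>http://ad1.yourdomain.com/directory/%%uid%%.jpg</UDSPhotoURIWithToken>
  </Directory>
</config>"""

# Elements whose value is a full URL (scheme + host + path) ...
URL_ELEMENTS = ("UDSPhotoURIWithToken",)
# ... and elements whose value is a bare hostname.
HOST_ELEMENTS = ("InternalExchangeServer",)


def allowlist_hosts(config_xml: str) -> dict:
    """Return {'hosts': [...], 'warnings': [...]} for the given config XML."""
    root = ET.fromstring(config_xml)
    hosts = set()
    warnings = []
    for el in root.iter():
        text = (el.text or "").strip()
        if not text:
            continue
        if el.tag in URL_ELEMENTS:
            parsed = urlparse(text)
            if parsed.hostname:
                hosts.add(parsed.hostname.lower())
            if parsed.scheme == "http":
                # Photos fetched over plain HTTP cross the MRA tunnel unencrypted
                # between Expressway-C and the web server.
                warnings.append(f"{el.tag}: plain http URL {text}")
            if el.tag == "UDSPhotoURIWithToken" and "%%uid%%" not in text:
                warnings.append(f"{el.tag}: missing %%uid%% token, photos will not resolve")
        elif el.tag in HOST_ELEMENTS:
            hosts.add(text.lower())
    return {"hosts": sorted(hosts), "warnings": warnings}


if __name__ == "__main__":
    result = allowlist_hosts(SAMPLE_CONFIG)
    print("Add to Expressway-C HTTP allow list:", ", ".join(result["hosts"]))
    for w in result["warnings"]:
        print("WARNING:", w)
```

Run it against the real file fetched from the TFTP URL in the Verify step (port 6970) to get the list of hosts to enter on the allow list; a host that appears in the config but not on the allow list is the usual reason contact photos and chat history work on-premises but not over MRA.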

SAML Single Sign-On (SSO) Inside the Network


IdP Configuration
Upload Metadata:

Assign Domain for IdP


Export SP Metadata from Expressway-C

Add a Relying Party Trust for Cisco Expressway-E


Set Relying Party Trust Properties for Expressway-E

Right-click the Windows PowerShell icon in the task bar and click Import system modules to launch
Windows PowerShell with the AD FS module commands loaded.

Copy and paste the following command text and then press Enter.
Set-ADFSRelyingPartyTrust -TargetName "sat-expe1.scheuch.com" -SAMLResponseSignature MessageAndAssertion -SignatureAlgorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1

A successful command returns no output.
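The command above tells AD FS to sign both the SAML Response message and the Assertion inside it, which is what Expressway expects. Because the cmdlet prints nothing, the quickest way to confirm the effect is to capture a SAML response (for example from a browser SAML trace) and inspect it. The script below is an added example, not Cisco or Microsoft code: it checks structurally whether the Response and the Assertion each carry their own ds:Signature and reports the SignatureMethod algorithm. It does not verify the signatures cryptographically, and the sample response is constructed.

```python
"""Structural check of a SAML 2.0 Response: is the message signed, is the
Assertion signed, and with which algorithm? Added example, not Cisco or
Microsoft code; it does NOT validate signatures, only their presence and
declared algorithm."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample: both the Response and the Assertion carry a signature,
# using the rsa-sha1 algorithm from the post's Set-ADFSRelyingPartyTrust command.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_assert1" Version="2.0">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user@yourdomain.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def _direct_signature_alg(element):
    """Algorithm of a ds:Signature that is a direct child of `element`, or
    None when the element carries no signature of its own. Using a direct
    child lookup keeps the Assertion's signature from counting for the Response."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return None
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    return method.get("Algorithm") if method is not None else "unknown"


def check_saml_signing(response_xml: str) -> dict:
    """Report what is signed and with what; 'message_and_assertion' is True
    only when both levels carry a signature."""
    root = ET.fromstring(response_xml)
    resp_alg = _direct_signature_alg(root)
    assertion = root.find("saml:Assertion", NS)
    assertion_alg = _direct_signature_alg(assertion) if assertion is not None else None
    findings = []
    if resp_alg is None:
        findings.append("Response message is not signed")
    if assertion_alg is None:
        findings.append("Assertion is missing or not signed")
    for where, alg in (("Response", resp_alg), ("Assertion", assertion_alg)):
        if alg == RSA_SHA1:
            findings.append(f"{where} uses rsa-sha1; prefer rsa-sha256 where the SP supports it")
    return {
        "response_alg": resp_alg,
        "assertion_alg": assertion_alg,
        "message_and_assertion": resp_alg is not None and assertion_alg is not None,
        "findings": findings,
    }


if __name__ == "__main__":
    for k, v in check_saml_signing(SAMPLE_RESPONSE).items():
        print(f"{k}: {v}")
```

If the Response is unsigned or only the Assertion is signed, the relying-party trust was not updated (check -TargetName matches the trust's display name exactly). Encrypted assertions are not handled here; decrypt first, then run the check.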


Jabber off-net login through mobile phone
