Professional Documents
Culture Documents
BRKCRT-2602
#clmel Ciscoli
Agenda
• Terminology Introduction
• CCNA and CCNP Collaboration
• Expressway Mobile & Remote
Access Solution Overview
• MRA Configuration Procedure
• Cisco Unified Communications
Manager Configuration
• Cisco Unified IM and Presence
Configuration
• Expressway Series
Configuration
•
Troubleshooting
•
Conclusion
BRKCRT-2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
Terminology
Introduction
Introducing Cisco Collaboration Edge Architecture
Industry’s Most Comprehensive Any-to-Any Collaboration Solution
collaboration
TDM & analog gateways
PSTN or
ISDN video gateways Consumers IP PSTN
Session border control
Standards-based
Firewall traversal & secure
3rd Branch
s
Partie Office
Cloud Analog
Services Devices
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Cisco Expressway
A gateway solving & simplifying business relevant use
cases
Mobile Telework ers
W orkers
• For Unified CM & Business
Edition environments B2B
TDM or
IP PBX
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
X8.1 Product Line Options
X8.1
VCS Expressway
• VoIP technologies
• Video end points • Integrated voice, video, web
collaboration in converged
• Configuration of converged IP networks
network
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
CCNA Collaboration
What We Learn How We Learn
ng
Education s
co
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Exams and Recommended Training
Required Exam(s) Recommended Training*
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
CCNP Collaboration
What We Learn How We Learn
r-led
Education T
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Exams and Recommended Training
Required Exam(s) Recommended Training*
300-070 CIPTV1 v1.0 Implementi ng Cisco IP Telephony & Video, Part 1 v1.0
300-075 CIPTV2 v1.0 Implementi ng Cisco IP Telephony & Video, Part 2 v1.0
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Expressway Mobile and Remote
Access
Solution Overview
Mobile and Remote Collaboration with Expressway
Simple, Secure Collaboration:
It just works...inside and outside the
network, no compromises
Jabber @
the café
Inside firewall DMZ Outside firewall Easy to use, easy to deploy:
(Intranet) Works with most firewall
Expressway policies
Collaboration
Services Internet Jabber @ True Hybrid: Supports on-
home premise and cloud
offerings
Unified Expressway Expressway
CM C E simultaneously
J
abber @ Standards-based
work Interoperability, Widely
Jabber @ Adopted
SFO, LHR
Protocols
or PVG
Application Driven Security:
Fixed remote endpoints Allow the application to
(TC Series) establish
security associations it needs
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Cisco Jabber Remote Access Options
• Layer 3 VPN Solution
• Secures the entire
device and it’s contents
• AnyConnect allows users
access to any permitted
AnyConnect applications & data
VPN
• Session-based firewall
traversal
Unified CM
• Secures access to
collaboration applications
ONLY
Expressw ay • Personal data not routed
Firew through enterprise
all network
Traversal
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
What can a Jabber client do with Expressway?
A fully featured client outside the network
Access visual
voicemail
Collaboration Instant
Internet
Services Message
and Presence
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Expressway Firewall Traversal Basics
Enterprise Network DMZ Outside Network
Unified Internet
CM
Expressway Firewall Expressway Firewall
E Signalling
C
Keep-alive
Media
1. Expressway-E is the traversal server installed in DMZ. Expressway-C is the traversal client installed inside
the enterprise network
2. Expressway-C initiates traversal connections outbound through the firewall to specific ports on Expressway-
E with secure login credentials
3. Once the connection has been established, Expressway-C sends keep-alive packets to Expressway-E to
maintain the connection
4. When Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C
5. Expressway-C then routes the call to Unified CM to reach the called user or endpoint
The call is established and media traverses the firewall securely over an existing traversal connection
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Expressway Firewall Traversal Basics
Enterprise Network DMZ Outside Network
Unified Internet
CM
Expressway Firewall Expressway Firewall
E Signalling
C
Keep-alive
Media
6. For outbound calls (from inside corporate), Unified CM will send a SIP Invite to Jabber with the Expressway-C
IP address. (Unified CM knows that the Jabber client is registered through Expressway-C as proxy server)
7. Expressway-C forwards SIP Invite across the SSH Tunnel (Unified Communications Traversal Zone) to
Expressway-E
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
X8.1 Firewall Traversal Capabilities Expanded
The X8.1 release delivers 3 key capabilities enabling the Expressway Mobile
and
Remote Access feature
• XCP Router for XMPP traffic
• HTTPS Reverse proxy
• Proxy SIP registrations to Unified
CM Expressway Firewall Expressway
C E
UUnified CM
IM
& Presence
Cisco
Jabber
Internet
Expressway-C Expressway-E
Unified CM XMPP
Inside Outside
Firewall HTTPS
Firewall
Cisco SIP
Jabber
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
Public (external) DNS SRV Requirements
Domain Service Protocol Priority Weight Port Target Host
expressway-
collab-
edge
collab10x.cisco.com tls 10 10 8443 e.collab10x.cisco.
om
c
pub10x-
collab10x.cisco.com cisco-uds tcp 10 10 8443 hq.collab10x.cisco
.co
m
imp10x-
collab10x.cisco.com cuplogin tcp 10 10 8443 hq.collab10x.cisco
BRKCRT -2602 © 2015 Cisco r i ts affi liates. Al l ri ghts erved. Ci sco Public
.co
and/o res
m
Allowed Reverse Proxy Traffic
• Expressway-E server will be listening on TCP 8443 for HTTPS traffic
• Basic mobile & remote access configuration allows inbound authenticated
HTTPS requests to the following destinations on the enterprise network
– All discovered Unified CM nodes TCP 6970 (TFTP file requests) & TCP 8443 (UDS
API)
– All discovered IM&P nodes TCP 7400 (XCP Router) & TCP (SOAP API)
8443
• HTTPS traffic to any additional hosts need to be administratively added to
the
Expressway-C allow list
•
The allow list provides a mechanism to support Visual Voice Mail access,
contact photo retrieval, Jabber custom tabs, etc.
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Firewall Port Details
• No inbound ports required to be opened on the internal firewall
• Internal firewall needs to allow the following outbound connections
from
Expressway-C
– SIP: TCP 7001 to Expressway-E
– Traversal Media: UDP 36000 to 36011
– XMPP: TCP 7400
– HTTPS (tunneled over SSH between C and E): TCP
2222
• External firewall needs to allow the following inbound connections
to
Expressway
– SIP: TCP 5061
– HTTPS: TCP 8443
– XMPP: TCP 5222
– Media: UDP 36002 to 59999
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Registering Remote Cisco Jabber to Cisco
Unified
Communications Manager
Unified CM Local DNS CM IM & Presence Expressway-C Inside Firewall Expressway-E Outside Firewall Public DNS Cisco Jabber
DNS SRV Lookup:
_cisco-uds._tcp.domain
Not found
DNS SRV Lookup:
_collab-edge._tls.domain
Expressway-E address
TLS Handshake, Trusted certificate
authentication
get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Registering Remote Cisco Jabber to Cisco
Unified
Communications Manager
Unified CM Local DNS CM IM & Presence Expressway-C Inside Firewall Expressway-E Outside Firewall Public DNS Cisco Jabber
127.0.0.1 Loopback
address
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
GET/cucm-uds/clusterUser?username=jdoe HTTP/1.1"
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Registering Remote Cisco Jabber to Cisco
Unified
Communications Manager
Unified CM Local DNS CM IM & Presence Expressway-C Inside Firewall Expressway-E Outside Firewall Public DNS Cisco Jabber
127.0.0.1 Loopback
address
GET /cucm-uds/servers HTTP/1.1
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
MRA Configuration
Procedure
Unified Communications Mobile and Remote Access
Configuration Procedure
1. Configure Cisco Unified Communications
Manager
2.
Configure Cisco Unified IM and Presence
3.
Configure Expressway Series
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Cisco Unified Communications
Manager
Configuration
1. Cisco Unified Communications Manager
Configuration
a) Configure SIP Trunk to Cisco Unified IM and Presence server
b) Configure Domain and Publish SIP Trunk
c) Configure Jabber in Cisco Unified Communications Manager
d) Configure UC Service and Service Profile in Cisco Unified
Communications
Manager
e)
Enable User for Unified CM IM and Presence
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
a) Configure SIP Trunk to Cisco Unified CM IM and
Presence server
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
b) Configure Domain and Publish SIP Trunk
Enterprise Parameters
FQDN
Service Parameters
Publish Trunk
This parameter specifies the SIP trunk that
Cisco Unified Communications
Manager uses to send PUBLISH
messages that pertain to presence
activities to Cisco Unified Presence
(CUP).
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved.
Public
Ci sco
c) Configure Jabber in Cisco Unified
Communications Manager
Device Name
Any name – has
no
significance
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
c) Configure Jabber in Cisco Unified
Communications Manager
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
c) Enable Video for Jabber in Cisco Unified
Communications Manager
Device CSF
Enable Video
Calling
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
c) Configure Cisco Jabber Directory Number
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
d) Configure UC Services
UC Service Type
UDS – Universal
Directory Services on
CUCM
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
d) Configure Service Profile
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
e) End User Configuration
Associate devices
Enable User for Unified CM and
Presence
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
e) End User Configuration
Shared line
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
a) Configure Service Parameter
CUCM Domain
Domain name configured
in
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco CUCM
Public
b) Configure Presence Settings
Presence
Gateway
IP Address of CUCM
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
d) Configure Client Settings
TFTP Servers
Phone Control
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
e) Restart All Proxy Services
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
f) Check System Dashboard
,ol1oo Cisco Unified CM IM and Presence Administration I Navigation:
node 10.1.5.18
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Expressway Series
Configuration
3. Expressway Series Configuration
a) Setup basic configurations on Expressway Series
b) Configure domains and supported services on Expressway-
C
c)
Enable MRA on Expressway Series
d)
Configure Unified CM Servers on Expressway-C
e)
Configure IM and Presence Server on Expressway-C
f)
Check Status of servers and Search Rules on Expressway-C
g)
Expressway server certificates requirements
h)
Subject Alternative Name (SAN) requirements
i)
Generate CSR on Expressway-C
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
3. Expressway Series Configuration
j) Generate CSR on Expressway-E
k) Download Expressway certificates for signing by
CA
l)
Upload signed certificates
m) Upload CA certificate to Expressway-C and Expressway-E
n) Configure Traversal Client on Expressway-C
o) Configure Server on Expressway-
Traversal E
p)
Verification
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
a) Basic Configuration - System Name
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
a) Basic Configuration - DNS
SIP mode
© SIP
SIP mode
<JE
I Off .,.
UDP
mode
I
Off .,. I
UDP
?J>
I
* 506'0, mode ** ll
UDP port so&o
On ., UDP port I On .,.
**1 I
TCP
mode . I TCP
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
c) Enable MRA
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
d) Configure Unified CM Servers on Expressway-C
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
f) Check Status of Servers on Expressway-C
IM and Presence
node
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
g) Check Search Rules
Automatic search
rules created
CEtcp-10.1.5.15 and CEtcp-10.1.5.16 or
CEtls-10.1.5.15 and CEtls-10.1.5.16 if using TLS Verify
ON
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
h) Expressway Server Certificates
Requirements
• Expressway-E server certificates should be signed by 3rd party public
• CA
Expressway-C server certificates can be signed by 3rd party public CA
• or
Enterprise CA
authentication
Expressway serverKey
X509v3 Extended certificates
Usage: need to allow for both client & server
TLS Web Client Authentication
TLS Web Server Authentication
• Public CA signed certificates allow Jabber clients and endpoints to validate
the
• server certificate without a CTL
Jabber clients with a CTL will not use the CTL to validate Expressway
certificate - no requirement to include Expressway certs in CTL
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
i) Subject Alternative Name (SAN)
Requirements
Expressway-E Server Certificate
• Customer’s service discovery domain is required to be
included as a DNS SAN in all Expressway-E server
certificates
• Service discovery domain in this case is
collab10x.cisco.com
DNS X509v3 Subject Alternative Name: DNS:collab10x.cisco.com
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
i) Subject Alternative Name (SAN) Requirements
Expressway-E Server Certificate
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
j) Generate CSR: Expressway-C
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
k) Generate CSR: Expressway-E
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
l) Download Expressway Certificates for Signing by
CA
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
m) Upload Signed Certificates
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
n) Upload CA Certificate to Expressway-C and
Expressway-E
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
o) Configure Traversal Client on Expressway-C
Create Zone
Unified
Communications
Traversal
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
p) Configure Traversal Client on Expressway-C
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
q) Configure Traversal Server on Expressway-E
Transport TLS
SSH Tunnel only
supports TLS
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
r) Verify Traversal Zone Status
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
r) Verify SSH Tunnel Status
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
s) Verification: Login to Cisco Jabber
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
s) Verification: Login to Cisco Jabber
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
s) Verification: Check Status on Expressway-C
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
s) Verification: Check Status in Cisco Unified
Communications Manager
Device> Phone
Cisco Jabber shows IP
address of Expressway-
C
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
s) Verification: Check Call Status
Traversal Call
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Troubleshooting
Registering Remote Cisco Jabber Cisco Unified
to
Communications Manager
Unified CM Local DNS CM IM & Presence Expressway-C Inside Firewall Expressway-E Outside Firewall Public DNS Cisco Jabber
DNS SRV Lookup:
_cisco-uds._tcp.domain
Not found
DNS SRV Lookup:
_collab-edge._tls.domain
Expressway-E address
TLS Handshake, Trusted certificate
authentication
get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Registering Remote Cisco Jabber Cisco Unified
to
Communications Manager
Unified CM Local DNS CM IM & Presence Expressway-C Inside Firewall Expressway-E Outside Firewall Public DNS Cisco Jabber
127.0.0.1
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
GET/cucm-uds/clusterUser?username=jdoe HTTP/1.1"
127.0.0.1
Loopback
address
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Registering Remote Cisco Jabber Cisco Unified
to
Communications Manager
Unified CM Local DNS CM IM & Presence Expressway-C Inside Firewall Expressway-E Outside Firewall Public DNS Cisco Jabber
127.0.0.1
127.0.0.1
Loopback
address
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Tools: Cisco Unified Communications Manager
Real Time Monitoring Tool
• Call Activity
• Session Trace Log
View
•
Call Activity
•
SDL Trace
•
Called Party Tracing
(These are some examples)
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
Tools: Expressway Series
Network Log
• Status > Logs > Network Log
• Filter
network.http.trafficserver
•
Filter network.sip
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Tools: Expressway Series
Search History
• Status > Search History
• Search details of call
• View call information
• View all events for the call
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Tools: Cisco Jabber
Network Log
• %user_profile%\AppData\Local\Cisco\Unified Communications\Jabber\CSF\
Logs
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Scenario 1: Cannot Find Services
Does Cisco Jabber register locally?
Is_cisco-uds SRV request blocked?
X Do we get a response to _collab-
edge.tls SRV request?
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Scenario 1: Cannot Find Services
W ireshark Trace
Domain Name System
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
Scenario 2: Cannot Communicate with Server
Does Cisco Jabber register locally?
Is_cisco-uds SRV request blocked?
Do we get a response to _collab-
edge.tls SRV request?
Can the Expressway-E address
IP
be resolved?
X Is the SSH Tunnel OK?
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Scenario 2: Cannot Communicate with Server
o1 I IIo1 I
CISCO Cisco Expressway-C
1,
Total
x CISCO com Unified CM registrations, Ud and Presence Service
red
(Config ------- TraversalToExpressway-
E ure a
Uame domar,
SIP status
Uame on
Fa led
Expres
colab1 sway-
O C)
11,1 and Presence
11,1 and Presence Service 1 (XMPP router:
Nol
Service
nodes Inactive)
configu
2
Unified CM servers
VtI
red
T(Enable
Unity hon the
ConnedK>nservers eUnified
rComm
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public eun1cat,
\,l~\;U"
reserved. aons
Scenario 2: Cannot Communicate with Server
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
Scenario 2: Cannot Communicate with Server
Uses Temporary
CA
Fix by applying CA
certificate used to
sign CSR
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Scenario 3: Cannot Communicate with Server
Does Cisco Jabber register locally?
Is_cisco-uds SRV request blocked?
Do we get a response to _collab-
edge.tls SRV request?
Can the Expressway-E address
IP
be resolved?
Is the SSH Tunnel OK?
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Scenario 3: Cannot Communicate with Server
get_edge_config OK?
X GET/cucm-
uds/clusterUser?email=jdoe@collab
1
0x.cisco.com HTTP/1.1
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Scenario 3: Cannot Communicate with Server
Expressway-E Network
Log
Filter on ‘trafficserver’ to
view HTTPS traffic
Cisco Jabber Log
AppData\Local\Cisco\
Unified
Communications\Jabber
DNS name
collab10x.cisco.com
does not exist
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
Scenario 3: Cannot Communicate with Server
Expressway-E DNS
DNS name cisco.com
does not match name
requested by Cisco
Jabber
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
Scenario 4: Username/Password Not Valid
Does Cisco Jabber register locally?
Is_cisco-uds SRV must blocked?
Do we get a response to _collab-
edge.tls SRV request?
Can the Expressway-E address
IP
be resolved?
Is the SSH Tunnel OK?
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Scenario 4: Username/Password Not Valid
X get_edge_config OK?
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Scenario 4: Username/Password Not Valid
.11 .. ,1 ..
CISCO Cisco Expressway-C
Status
Statu System Contlquratlo
Syste Contlquratlon Applicatio User Maintenan
Applic
s m n ns s ce
Domains
Configuration
Domain name
I
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts
reserved.
Ci sco Public
y
Ciscoli
Scenario 5: Cannot Place Calls
CM IM &
Presence
HQ
Cisco Jabber
Ext. 2001
Internet
Expresswa
Expressway-C Expressway-E
XMPP
Inside Outside HTTPS
Firewall Firewall
SIP
BR1
Ext. 3001
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
Scenario 5: Cannot Place Calls
Is the SIP Invite received by CM IM &
Expressway-E? Presence
the
SIP Invite to the Unified Ext.
3001
Ext.
3001
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Scenario 5: Cannot Place Calls
Is the Invite received by Expressway-
E?
CM IM &
Presence
HQ
Cisco
Jabber
Internet Ext.
Expres s Expressway- 2001
way- C E
Inside Outside
Firewall Firewall
BR1
Ext.
3001
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Scenario 5: Cannot Place Calls
Is the Invite forwarded to Expressway-
C through the Unified
Communications Traversal Zone?
CM IM &
Presence
HQ
Ci sco Jabber
Ext. 2001
Internet
Expressway-C Expressway-E
Ext. 3001
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Scenario 5: Cannot Place Calls
Is the Expressway-C forwarding the Invite to
HQ Unified Communications Manager
through
the CEtcp-@ neighbour zone?
CM IM &
Presence
HQ
Ci sco Jabber
Ext. 2001
Internet
Expressway-C Expressway-E
Ext. 3001
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Scenario 5: Cannot Place Calls
HQ
Is the Invite received by
Communications Server at HQ?
Unified
CM IM &
Presence
Ci sco Jabber
Ext. 2001
HQ
Internet
Expressway-C Expressway-E
10.1.5.15 10.1.5.1
10.1.5.19 Insi de Outsi de
Fi rewall Fi rewall
Ci sco
BR1 Jabbe
Jabber
Ext. 3001
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
Scenario 5: Cannot Place Calls
HQ
Is the Invite received by
Communications Server at BR1?
Unified
CM IM &
Presence
Ci sco Jabber
Ext. 2001
HQ
Internet
Expressway-C Expressway-E
Insi de Outsi de
Fi rewall Fi rewall
BR1
Ext. 3001
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Scenario 5: Cannot Place Calls
HQ
X Can BR1 reach device at 3001?
CM IM &
Presence
Ci sco Jabber
Ext. 2001
HQ
Internet
Expressway-C Expressway-E
Insi de Outsi de
Fi rewall Fi rewall
404 Not Fo
Found
BR1
Ext. 3001
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Q&A
Complete Your Online Evaluation
Session
Give us your feedback and receive a
Cisco Live 2015 T-Shirt!
Complete your Overall Event Survey and 5 Session
Evaluations.
• Directly from your mobile device on the Cisco
Live
Mobile App
• By visiting the Cisco Live Mobile Site http://showc
ase.genie-connect.com/clmelbo urne2015
• Visit any Cisco Live Internet Station
located Learn online with Cisco Live!
throughout the venue Visit us online after the conference for
T-Shirts can be collected in the World of full access to session videos and
Solutions presentations. www.CiscoLiveAPAC.co
on Friday 20 March 12:00pm - 2:00pm m
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Ciscolive,I
I I II I I I
CISCO
Appendix A
Certificates
Request a Certificate using Microsoft CA
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Submit an Advanced Certificate Request
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Submit a Certificate Request
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
Paste Certificate from CSR file
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Certificate Pending
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Issue Certificate from CA
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
View Status: MS Active Directory Certificate
Services
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Download Certificate
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Check Certificate
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Download CA Certificate
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Download CA Certificate
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Appendix B
Single Sign On
over Collaboration
Edge
Overvie
w
• x8.5 supports SSO.
• Jabber 10.6 has added Edge to its SSO login flow
• This support is an extension of the existing SSO login and discovery
features
added in 10.5
•
This feature adds no visible change to the existing login flows
• Jabber also discovers if edge is SSO enabled. Edge credential prompt SSO if
via
available
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
API’s
In order to implement EDGE SSO two new API’s added on
VCS/Expressways:
1. “get_edge_sso”: an API enables Jabber to query if the Edge server
supports
SSO
2.
The “authorise” : an API enable Jabber to request tokens used for SSO
from
the VCS/Expressway server
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
/get_edge_sso
• The get_edge_sso API takes a single parameter that identifies the user
making the request. This can be the user name, the user’s email address or
the user identifier
– GET https://edge.com:8443/#(domain)/get_edge_sso?username=USER-NAME
– GET https://edge.com:8443/#(domain)/get_edge_sso?email=EMAIL
– GET https://edge.com:8443/#(domain)/get_edge_sso?useridentifier=USER-
IDENTIFIER
• The Expressway always replies to the /get_edge_sso request with a 200
OK
response
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
EDGE - Call Flow
SSO Sequence CUCM:
Auth &
iDP
Service
Expressways Resour
Jabber GET /oauthcb Detects VCS vers ion.
1 ce
Discovery
2 GET /get_edge_s s o More details
More details in previous s
in previous s des /get_edge_sso and
lili
GET /authoris e /authorise.
Request
Authorization
3
302 Found Location: Simplified Call-Flow.
- OAUTH
https ://ad01.eft.cis co.com /adfs
/ls
4
equ
GET https ://ad01.eft.cis co.com /adfs /ls /?SAMLR est=...
5
200 OK[Login Form]
SAML 6
POST [Credentials]
7
200
200 OK+
OK+ Post[SAML
Post[SAML Asertion]
Asertion] +IDP
+IDP
8 Co
Cookie
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
EDGE - Call Flow
SSO Sequence CUCM:
iDP
Auth &
Expressways Resour
Jabber
Service 200 ok [acces s _token] ce
12 Once VCS has authoris ed the
us
er, it caches the oauth token,
generates the SIP token –not for
Authorization unity- and gives it to Jabber
response
200 OK [Oauth Token + Sip
Token + Us er nam e + Tim ers ]
14
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
Edge SSO
Tokens
• Jabber receives three token via two different calls to the VCS authorise API.
• First request to VCS Jabber retrieves the CUCM OAUTH Token which is used
to authenticate all HTTP and XMPP traffic traversing the edge.
• Same request also provides Jabber with a SIP token which is required for
SIP traffic to traverse the edge. This token has a longer lifetime than the
CUCM token.
• Subsequent request to VCS Jabber retrieves the Unity OAUTH Token for use by
voicemail HTTP traffic.
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Edge SSO
Timers D) SIP REGIST ER expiry
–A)Configured on timeout
the IdP (e.g. ADFS2, refresh
IdP Session
OpenAM, Ping) CUCM (various settings depending
on device type)
– Default depends on IDP
For mobile device types, register
– Typically expect 8 – 10 expires typically 10 to 12 minutes
B)hours
OAUT H T oken expiry With 12 minute register expiry, SIP
stack attempts to refresh register 10
– CUCM - Default 60
minutes after last successful one
minutes
C) SIP T oken Extra T For all other devices (including CSF)
TL
– Configured on VCS-C / Expressway- register expires is 2 minutes.
–C SIP stack attempts to refresh register 1
Value is added onto OAuth Token minute 55 seconds after
one using lastOAUTHToken
Unity successful
expiry to get SIP Token Expiry Voicemail,
–
Default 0, Max 48 hours expiry
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
Edge Transition
Behaviour
• If you login to Jabber while on Edge and then transition to an on -prem network
while still logged in then Jabber will seamlessly reconnect as the tokens
issued
by VCS are valid for CUCM and Unity.
•
However, if you login to jabber while on-prem, and then transition to Edge,
then the tokens that were issued directly by CUCM and Unity will not be valid
for traffic through VCS.
•
Jabber must re-authenticate with VCS and the user may be prompted to do
this via the standard re-establish SSO session pop-up, if the cookie has
expired otherwise it will be invisible to the user.
•
If logging in on-prem with SSO and then transitioning to a non SSO Edge
results
Jabber going
BRKCRT -2602 offline.
© 2015 Cisco
Public
The
and/or i ts affi client
liates. Al must Cisign
l ri ghts reserved. sco out to reestablish connection.
Logs
• This line is the result from checking if the VCS/Expressway server is a version
capable of SSO.
• [EdgeSSODetector::Impl::isSSOSupported] - VCS has
<SUPPORTED> SSO and it <was/wasn't> previously SSO Enabled
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts reserved. Ci sco
Public
Logs
• This means that the client needs credentials for the VCS server, and will use
SSO to get a token.
• [LifeCycleImpl::Impl::OnCredentialsRequired] - SSO
Enabled
and ServiceID: 1001 is configured for SSO – doSingleSignOn
[SingleSignOn::Impl::appendAndAuthenticate]
appendAndAuthenticate for authenticatorId -
[1001]
BRKCRT -2602 © 2015 Cisco and/or i ts affi liates. Al l ri ghts Ci sco Public
reserved.
I I II I I I
CISCO