0% found this document useful (0 votes)

527 views

CST Jabber 11.0 Lab Guide

321

Uploaded by

Hải Nguyễn Thanh

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

527 views

CST Jabber 11.0 Lab Guide

321

Uploaded by

Hải Nguyễn Thanh

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 257

Cisco dCloud

Cisco Collaboration Specialist Training for Jabber 11.x v1

Last Updated: 29-SEP-2015

About This Solution

Cisco Jabber provides enterprise-quality collaboration capability directly on your desktop or mobile device through an integrated
software client. You can chat with other users using the IM and Presence features of Cisco Jabber. Video calling and WebEx
conferencing are also available from Cisco Jabber with the click of a button. Visual voicemail helps you to access your messages
more efficiently and keep them better organized. Cisco Jabber is part of the Cisco Unified Communications architecture, a costeffective, reliable, and easy to manage software collaboration solution.
For additional information about Cisco Jabber Voice and Unified Communications, visit the product solution page.
This lab is intended to give the participant hands-on configuration experience with all of the architecture components required to
deploy Cisco Jabber for Collaboration System Release 11. The content in this lab is focused on recently added features and
functional additions to the Cisco Jabber Client product. The exercises in this lab will take the student through the process of initial
provisioning and configuration of the core solution components and then extend to configuration of advanced feature deployment.
NOTE: Participants should have a high degree of familiarity with the software, tools and methods used to deploy, configure and
maintain Cisco Collaboration technologies.

About This Lab

This Cisco Collaboration Specialist Training for Jabber 11 lab includes the following topics:

End to End Quick Start Jabber Deployment: Students will configure the integration and deployment from the ground up
including the configuration and/or installation of the following components:

Unified Communications Manager

Unified IM and Presence Service

Microsoft Active Directory LDAP

Domain Name Service (DNS)

Cisco Jabber for Windows Client.

Specialized Cisco Jabber Feature and Deployment Options

Persistent Chat

Managed File Transfer

SAML Single Sign-On

Mobile Remote Access (MRA)

Page 1 of 257

Cisco dCloud

About This Solution..................................................................................................................................... 1

About This Lab............................................................................................................................................ 1
Lab Workflow ......................................................................................................................................... 5
Lab Requirements ........................................................................................................................................ 6
Lab Configuration ....................................................................................................................................... 6
Lab Topology .............................................................................................................................................. 6
Applications and Versions ....................................................................................................................... 7
Lab Pre-Configuration ............................................................................................................................. 8
Connecting to Your Pod............................................................................................................................... 9
Lab Orientation.......................................................................................................................................... 10
Connecting to Required Resources ......................................................................................................... 10
Activity 1: Preparation for IM & Presence Deployment ............................................................................. 14
Activity Objectives ................................................................................................................................ 14
Investigate Active Directory Users and Distribution Groups .................................................................. 14
DNS Service Discovery Configuration ................................................................................................... 19
Activity 2: Unified IM and Presence Deployment ...................................................................................... 27
Activity Objectives ................................................................................................................................ 27
Service Activation and Status Verification ............................................................................................. 27
Unified CM SIP Trunk Configuration .................................................................................................... 31
Configure UC Services and Service Profile ............................................................................................ 34
Prepare Directory Synchronization and Automatic User Provisioning .................................................... 39
IM and Presence Service Configuration ................................................................................................. 47
Enabled Flexible Jabber ID (JID) and Multi-Domain Support ................................................................ 49
User and Group Import .......................................................................................................................... 55
Provision Devices and Client Configuration........................................................................................... 60
Activity 3: SSL Certificate Management: Cisco Unified CM and Cisco Unified IM and Presence ............. 70
Activity Objectives ................................................................................................................................ 70
Configure Unified CM and IM and Presence with FQDNs ..................................................................... 71
Establish Root CA Trust ........................................................................................................................ 71
Request and Install a CA Signed Tomcat Certificate .............................................................................. 74
Request and Install a CA Signed XMPP-Trust Certificate ...................................................................... 78
Service Maintenance to Finalize Certificate Installation ......................................................................... 83
Activity4: Jabber Client Installation and Feature Testing ........................................................................... 87

Page 2 of 257

Cisco dCloud

Activity Objectives ................................................................................................................................ 87

Cisco Jabber User Interface (UI) Updates .............................................................................................. 87
Install Jabber on WKST1 and Login ...................................................................................................... 88
Install Jabber on WKST2 and Login ...................................................................................................... 94
Test Chat, Calling, and Chat History ...................................................................................................... 98
Deployment Activity Conclusion ............................................................................................................. 111
Module 1: Persistent Chat and Managed File Transfer ............................................................................. 112
Module Overview ................................................................................................................................ 112
Module Objectives ............................................................................................................................... 112
PostgreSQL Database Setup................................................................................................................. 113
Set Up External Database Entries on the IM and Presence Service ....................................................... 117
Set Up an External File Server for MFT ............................................................................................... 120
Configure Persistent Group Chat .......................................................................................................... 123
Modify Jabber Client Configuration ..................................................................................................... 125
Test Persistent Chat ............................................................................................................................. 129
Configure Managed File Transfer ........................................................................................................ 137
Module 2: Mobile and Remote Access (MRA) with Cisco Expressway ................................................... 147
Module Overview ................................................................................................................................ 147
Module Objectives ............................................................................................................................... 149
Module Notes ...................................................................................................................................... 149
DNS Service Discovery Configuration ................................................................................................. 150
Expressway-C Initial Configuration ..................................................................................................... 155
Expressway-E Initial Configuration ..................................................................................................... 157
Configure Expressway-E for Unified Communications ........................................................................ 158
Certificate Management for Expressway .............................................................................................. 159
Configure Expressway-C for Unified Communications ........................................................................ 170
Create a Secure Traversal between Expressway-E and Expressway-C .................................................. 174
Validate Unified Communications Status on Expressway .................................................................... 179
Contact Photo Resolution with MRA ................................................................................................... 180
Testing Mobile and Remote Access Operation ..................................................................................... 185
Module 3(a): SAML Single Sign-On (SSO) Inside the Network .............................................................. 196
SAML Overview ................................................................................................................................. 196
Module Objectives ............................................................................................................................... 197

Page 3 of 257

Cisco dCloud

Module Notes ...................................................................................................................................... 198

Prepare to Enable SAML SSO for Unified CM and IM and Presence ................................................... 198
SAML SSO Configuration for Microsoft ADFS2.0 .............................................................................. 201
Enable SSO for Unified CM and IM and Presence ............................................................................... 209
Testing SSO Username/Password Authentication ................................................................................ 214
Enable Kerberos Authentication for SSO ............................................................................................. 216
Module 3(b): Extending (SSO) to the Collaboration Edge ........................................................................ 219
Module Overview ................................................................................................................................ 219
Pre-Requisites ...................................................................................................................................... 220
Module Objectives ............................................................................................................................... 220
Prepare to Enable SAML SSO for Expressway .................................................................................... 222
SAML SSO Configuration for Microsoft AD FS 2.0 ............................................................................ 224
Enable SSO for Cisco Expressway ....................................................................................................... 227
Verify operation on Unified CM SSO functionality.............................................................................. 228
Appendix A: PostgreSQL Installation on CentOS .................................................................................... 233
Installation of PostgreSQL Server 9.4.1 ............................................................................................... 233
Initialize PostgreSQL and Start Services .............................................................................................. 235
Configure Authentication and Access .................................................................................................. 236
Appendix B: AD FS 2.0 Install and Configuration ................................................................................... 238
How to install Microsoft AD FS2.0 ................................................................................................... 238
Appendix C: Adding Client-Server Template to Microsoft Certificate Services ....................................... 249
Appendix D: Table of Documents ............................................................................................................ 250
Appendix E: Errata .................................................................................................................................. 251
Steps of a SAML based authentication flow ......................................................................................... 251
Enterprise Groups ................................................................................................................................ 252
LDAP Integrations ............................................................................................................................... 253
Listing of IM and Presence Service Services ........................................................................................ 254

Page 4 of 257

Cisco dCloud

Lab Workflow
End-to-End Quick Start Deployment
The lab begins with a series of exercises, which guide the participant through the required activities and workflow to establish and
test a Cisco Jabber on-premise deployment. Test activities include configuration and verification of basic functionality while
emphasizing some recent feature additions and deployment methodologies.
These activities are mandatory, as the result will form the baseline system required to progress to the advanced feature modules.

Specialized Features and Deployment Modules

The remainder of this lab is divided into Modules, each devoted to a particular advanced deployment topic. Participants are
encouraged to complete all of the modules in sequential order. However, the time limit for this lab is 4 Hours. Students wishing to
devote particular time or emphasis to one or more of the feature modules may wish to be chooseive in the interest of completing
desired modules within the time allotted.
NOTE: Modules are optional and may be completed independently except where listed as a dependency for another target
Module. The only module with pre-requisite dependencies is Module 3(b), which requires Modules 2 and 3a to be completed in
order to test solution functionality.

Module 1: Persistent Chat (PCHAT) and Managed File Transfer (MFT)

Module 2: Mobile and Remote Access (MRA) with Cisco Expressway

Optional with no dependencies

Module 3a: SAML Single Sign-On (SSO) Inside the Network

Optional with no dependencies

Module 3b: Extending SSO to the Collaboration Edge

Optional, but requires Modules 2 and 3a.

Page 5 of 257

Cisco dCloud

Lab Requirements
The table below outlines the requirements for this preconfigured lab activity.
Table 1.

Lab Requirements

Required

Optional

Laptop with Cisco AnyConnect

None

Lab Configuration
This lab contains preconfigured users and components to illustrate the scripted scenarios and features of this solution. All
information needed to access the demonstration components is in the Topology and Servers menus of your active session.

Topology Menu. Click on any server in the topology and a popup window will appear with available server options.

Servers Menu. Click on

Table 2.

next to any server name to display the available server options and credentials.

Demonstration User Information

User Name

User ID

Password

Endpoint Devices

Phone

Email/Directory URI

Charles Holland

cholland

C1sco12345

Cisco Jabber for Windows

+1408 555 6018

cholland@dcloud.cisco.com

Anita Perez

aperez

C1sco12345

Cisco Jabber for Windows

+1212 555 6017

aperez@alpha.com

Lab Topology
This demonstration includes several server virtual machines. Most of the servers are fully configurable using the administrative
level account. Administrative account details are included in the script steps where relevant and in the server details table.
Figure 1.

Lab Topology Overview

Page 6 of 257

Cisco dCloud

Table 3.

Equipment details

Name

Description

Host Name (FQDN)

IP Address

Username

Password

UCM1

Communications Manager 11.0 (Call Control)

cucm1.dcloud.cisco.com

198.18.133.3

administrator

dCloud123!

IMP1

IM & Presence 11.0 (Presence and Chat)

cup1.dcloud.cisco.com

198.18.133.4

administrator

dCloud123!

CUC1

Unity Connection 11.0 (Voicemail)

cuc1.dcloud.cisco.com

198.18.133.5

administrator

dCloud123!

Exp-C

Expressway-C (Core) X8.5

exp-c-1.dcloud.cisco.com

198.18.133.152

admin

dCloud123!

Exp-E

Expressway-E (Edge) X8.5

exp-e-1.dcloud.cisco.com

198.18.1.152

admin

dCloud123!

AD1

Active Directory, DNS, ADFS2.0

ad1.dcloud.cisco.com

198.18.133.1

administrator

C1sco12345

Centos

SSHFS and Postgresql Database Server

centos.dcloud.cisco.com

198.18.134.29

root

dCloud123!

AD2

External DNS server

ad2.dcloud.cisco.com

198.18.2.11

administrator

C1sco12345

Exchange

Exchange 2010

mail1.dcloud.cisco.com

198.18.133.2

administrator

C1sco12345

Workstation 1

Windows 7

wkst1.dcloud.cisco.com

198.18.133.36

cholland

C1sco12345

Workstation 2

Windows 7

wkst2.dcloud.cisco.com

198.18.133.37

aperez

C1sco12345

Workstation 2
External

Windows 7

wkst2-ext.dcloud.cisco.com

198.18.2.37

aperez

C1sco12345

NOTE: Two passwords are used throughout this lab. Password1 (dCloud123!) is used across all Cisco Collaboration components
and linux hosts. Password2 (C1sco12345) is used for all Microsoft Active Directory accounts including administrative, service, and
demonstration user accounts. This applies to both Platform and Administrative user accounts within Cisco Collaboration
Applications.

Applications and Versions

The Table below provides detail on the software components used in this Lab.
Software Description

Version Installed

Cisco Unified Communications Manager

11.0.1.10000-10

Cisco Unified IM and Presence Service

11.0.1.10000-6

Cisco Unity Connection

11.0.1.10000-10

Expressway-C (Core)

X8.5.3

Expressway-E (Edge)

X8.5.3

Microsoft Windows Server (AD, DNS, ADFS)

Microsoft Windows Server 2008 R2 with Hotfix 3

Microsoft Exchange

Microsoft Exchange 2010

External DNS server

Microsoft Windows Server 2008 R2

Mail Server

Microsoft Windows Server 2008 R2 with Exchange 2010

Demonstration Workstations

Microsoft Windows 7

Cisco Jabber for Windows

11.x

Page 7 of 257

Cisco dCloud

Lab Pre-Configuration
In order to save time, certain elements of this lab have been pre-configured in advance to provide a baseline starting point. Please
review this section before proceeding to the first configuration activity.

Jabber-Config.xml
The vast majority of service and client configuration for Cisco Jabber is provisioned using the service profiles (created earlier),
however to enable certain non-default behaviors on the Jabber client a configuration file in XML format named JabberConfig.xml must be used.
To save time and avoid the introduction of errors to the lab environment a series of Jabber-Config.xml files have been staged on
both wkst1.dcloud.cisco.com, wkst2.dcloud.cisco.com, and ad1.dcloud.cisco.com. During the lab, when a new series of
client configuration parameters are required, you will browse to and upload the required file.
File Locations: Desktop\CST-Jabber\Jabber-Config-Files
The following sub-folders contain the relevant jabber-config.xml files:

Deployment (Preliminary Jabber Deployment)

Module1 (Persistent Chat)

Module2 (Mobile and Remote Access)

Dial Plan
Basic Class of Control elements have been pre-defined as follows:
Table 1.

Partitions

Partition

Description

CST-DN-PT

Collaboration Specialist Training DN Partition

CST-URI-PT

Collaboration Specialist Training URI Partition

Table 2.

Calling Search Spaces

Calling Search Space

Partitions

CST-DN-PT

CST-DN-PT, CST-URI-PT, (All System Generated Partitions)

PostgreSQL
PostgreSQL server 9.4 (with dependencies) was installed using the YUM package installer on centos.dcloud.cisco.com running
CentOS7. The database and services have been initialized using default values and the following parameters have been
configured:

Username postgres and Password postgres

Listening on TCP 5432

Connections permitted from 198.18.133.0/24 (IP subnet for Collaboration Applications in the lab)

Page 8 of 257

Cisco dCloud

Services configured to start automatically on OS boot.

Operating system configuration to permit incoming connections on TCP 5432 has been performed for you.

Details of the steps taken to create the baseline environment can be found in Appendix A.

Single Sign On (SSO)

Microsoft AD FS 2.0 (3) has been installed on ad1.dcloud.cisco.com. The Basic AD FS 2.0 setup wizard has been run to
enable ADFS features. These operations are documented in Appendix B.

Connecting to Your Pod

Follow the steps below to schedule your demonstration and configure your demonstration environment.
1.

Browse to dcloud.cisco.com, choose the location closest to you, and then login with your Cisco.com credentials.

Schedule a demonstration. [Show Me How]

Test your bandwidth from the demonstration location before performing any demonstration scenario. [Show Me How]

Verify your demonstration is Active under My Demonstrations on the My Dashboard page in the Cisco dCloud UI.

It may take up to 30 minutes for your demonstration to become active.

If you are not connected to the lab from behind a router, on your laptop, use Cisco AnyConnect paired with the session
credentials from the UI to connect to the lab. [Show Me How]

From your laptop, access the demonstration workstation named wkst1 located at 198.18.133.36 and login using the following
credentials: Username: dcloud\cholland, Password: C1sco12345.

Recommended method: Use Cisco AnyConnect [Show Me How] and the local RDP client on your laptop. [Show Me
How]

Alternate method: Use the Cisco dCloud Remote Desktop client with HTML5. [Show Me How]
o

Accept any certificates or warnings

Page 9 of 257

Cisco dCloud

Lab Orientation
NOTE: Read and Complete the Activities in this section before proceeding. Connections to lab hosts require an active
connection to the assigned Lab Pod through either a supported VPN connected router or the Cisco AnyConnect VPN Client.

Connecting to Required Resources

Introduction
The student will be using a series of Remote Desktop Protocol (RDP) sessions to Microsoft Windows workstations and servers in
order to complete the following:

Access Administrative Interfaces for Configuration

Interact with the Cisco Jabber Client

Test features and functionality

In this activity, the student will configure and connect the RDP sessions required and referenced throughout the lab.
NOTE: Connections to lab hosts require an active connection to the assigned Lab Pod through either a router connected to dCloud
or the Cisco AnyConnect VPN Client.
The table below identifies the hosts, use cases, and credentials required when connecting.
Name

Use Case

Host Name (FQDN)

IP Address

Domain\Username

Password

Workstation 1

Primary Configuration Workspace,

Demonstration User Charles Holland

wkst1.dcloud.cisco.com

198.18.133.36

dcloud\cholland

C1sco12345

Workstation 2

Demonstration User Anita Perez

wkst2.dcloud.cisco.com

198.18.133.37

dcloud\aperez

C1sco12345

Workstation 2
External

Testing MRA functionality

wkst2ext.dcloud.cisco.com

198.18.2.37

dcloud\aperez

C1sco12345

AD1

Active Directory, Internal DNS, ADFS2.0

ad1.dcloud.cisco.com

198.18.133.1

dcloud\administrator

C1sco12345

AD2

External DNS server, Photo Server

ad2.dcloud.cisco.com

198.18.2.11

dcloud\administrator

C1sco12345

Throughout this guide, steps will instruct the student to Open or Switch to the RDP session connected to one of the hosts
referenced above. These statements always reference the FQDN of the host accompanied at times by contextual information. All
FQDNs should be resolvable directly from the student workstation (while connected to Lab Pod via VPN - required), however IP
addresses may be used as well.

Host Reference and Use Cases

wkst1.dcloud.cisco.com (Workstation 1):

Lab User Assignment: Charles Holland

Windows Logon Account: cholland

Windows Logon Domain: dcloud

Windows Logon Password: C1sco12345

Use Cases: Workstation 1 is the primary anchor point for configuration activities in addition to hosting the Jabber
client for lab user Charles Holland.

Page 10 of 257

Cisco dCloud

wkst2.dcloud.cisco.com (Workstation 2):

Lab User Assignment: Anita Perez

Windows Logon Account: aperez

Windows Logon Domain: dcloud

Windows Logon Password: C1sco12345

Use Cases: Workstation 2 is assigned to Lab User Anita Perez. Workstation 2 is used only for demonstration
and testing of features. Workstation 2 will be moved to an external network during the Collaboration Edge
module for testing Mobile and Remote Access.

ad1.dcloud.cisco.com (AD1):
o

Lab User Assignment: None

Windows Logon Account: administrator

Windows Logon Domain: dcloud

Windows Logon Password: C1sco12345

Use Cases: AD1 hosts the majority of internal services. This server will be used for interactions with Microsoft
Active Directory, Internal DNS, Active Directory Federation Services.

ad2.dcloud.cisco.com (AD2):
o

Lab User Assignment: None

Windows Logon Account: administrator

Windows Logon Domain: dcloud

Windows Logon Password: C1sco12345

Use Cases: AD2 is used to add DNS SRV records required to configure and demonstration the Collaboration
Edge Solution.

Page 11 of 257

Cisco dCloud

Create and Connect RDP Sessions

NOTE: These Steps will be repeated for each host specified, until an active connection has been created for each.
From the Students personal computer:
1.

Click Start > All Programs > Accessories > Remote Desktop Connection.

Click Options.

Choose the Local Resources tab.

Click Settings, under Remote audio.

Choose Play on this computer and Do Not Record.

Figure 2.

Audio Playback

Click OK.

Click the Experience tab.

Choose LAN (10Mbps or higher) from the connection speed menu.

Figure 3.

LAN Connection Speed

Click the General tab and fill in the Computer and Username fields based on the table below, according to the host to which
you are connecting:

Table 3.

RDP Connection Settings

Field

WKST1

WKST2

AD1

AD2

Computer:

wkst1.dcloud.cisco.com
or 198.18.133.36

wkst2.dcloud.cisco.com
or 198.18.133.37

ad1.dcloud.cisco.com
or 198.18.133.1

ad2.dcloud.cisco.com
or 198.18.2.11

Username:

dcloud\cholland

dcloud\aperez

dcloud\administrator

10. Click Allow me to save credentials.

Page 12 of 257

Cisco dCloud

11. (Optional) Click Save and use the Save As file dialog to name and save the session definition to your computer.
Figure 4.

Saving Session Settings

12. Click Connect.

13. When Prompted enter the Password: C1sco12345 and click Remember my credentials.
14. Click OK.
15. Acknowledge any warnings to proceed.
16. Repeat Steps 1-15 for each Host listed in the table above.

Activity Complete
This activity is complete when the student has four active RDP sessions to the hosts listed in the table above.

Page 13 of 257

Cisco dCloud

Activity 1: Preparation for IM & Presence Deployment

NOTE: Please ensure that you have completed the Lab Orientation activity before proceeding.

Activity Objectives
In this activity, you will connect to server AD1, verify the configuration of Microsoft Active Directory as it relates to our Lab topology,
and perform prerequisite DNS configuration to support service discovery.
Through this activity, you will:

Explore the dCloud Organizational Unit containing all users pertinent to the topology
o

Identify Email domains in use and discuss relation to format of the Jabber ID (JID) and multi-domain support

Review and Add Distribution Groups to leverage the new Enterprise Groups feature.

Provision service location (SRV) records in DNS to allow for service discovery.

Investigate Active Directory Users and Distribution Groups

As we will be using LDAP (provided by Microsoft Active Directory) as the primary contact source for our Jabber implementation, it
is imperative that we review the current configuration of the AD server to become acquainted. Configuration steps are performed
from within RDP sessions to both ad1.dcloud.cisco.com (198.18.133.1) and wkst1.dcloud.cisco.com (198.18.133.36). The
guide will provide explicit instruction when switching between remote desktop sessions.

Explore Active Directory Configuration

Open the RDP session connected to ad1.dcloud.cisco.com (198.18.133.1).

From the Task Bar, click the Active Directory Users and Computers icon.

Figure 5.

Task Bar Icons

Click the dCloud Organizational Unit (OU) from the Menu Tree on the left. This OU contains all of the users and distribution
groups that will addressed throughout the exercise in this lab guide.

Figure 6.

Active Directory Users and Computers

Page 14 of 257

Cisco dCloud

Users have been pre-configured and assigned to this OU and will serve as the contact source and user base for lab exercises.

Review the list of users displayed. Observe that there are three distinct email address domains in use:

Figure 7.

dcloud.cisco.com (Default Organizational Domain)

uk.dcloud.cisco.com

alpha.com
Lab User List

Notice that demonstration user Charles Holland is assigned email address (cholland@dcloud.cisco.com) while Anita Perez
is assigned (aperez@alpha.com). This distinction serves to simulate an environment wherein multiple domain name spaces
are present.

Two Distribution Groups, Engineering and Marketing were created in advance. We will be using Distribution Groups in tandem
with the new Enterprise Groups Feature in Jabber 11. This allows automatic synchronization of administrator-defined distribution
groups through an LDAP agreement in Cisco Unified Communications Manager.
7.

Double-click the Engineering distribution group to open the properties dialog. Notice that the group type is set to
Distribution. Only Distribution Groups are eligible for synchronization with Unified Communications Manager.

Figure 8.

Engineering Group

Click the Members tab. Notice that all of the users in the Engineering department are members of this distribution group.

Page 15 of 257

Cisco dCloud

Figure 9.

Members

Click Cancel to close the group properties editor.

10. The Marketing distribution group has been similarly configured with membership populated with users assigned to the
Marketing department. Optional: You may open and validate the configuration at this time. Otherwise, proceed to the next
step.

Create a New Distribution Group and Assign Users

In this activity, we will create a new Active Directory distribution group to which we will assign members of the Sales team. This
Distribution Group and the others already present will be used later to demonstrate the new Enterprise Groups feature. We will
use two different techniques to add members and to additional familiarity with the process.
1.

Right click the dCloud OU and choose New > Group.

Figure 10.

Group Option

In the Group name field, enter Sales.

Set the Group type to Distribution.

Click OK.

Page 16 of 257

Cisco dCloud

Figure 11.

Group Object

Double-click the newly added Sales Distribution Group to open the Properties editor.

Click the Members tab.

Click Add.

Figure 12.

Members Tab

In the Enter the object names to choose field type Adam.

Page 17 of 257

Cisco dCloud

Figure 13.

Enter Object Names

Click Check Names to search the Active Directory for a matching user with a display naming beginning with Adam.

10. Notice that the Check Names search utility returned a user object for Adam McKenzie (amckenzie@dcloud.cisco.com).
Figure 14.

Check Name Results

11. Click OK to add this user to the Sales Distribution Group.

12. Click OK to close the Properties Editor.
13. The previous method is adequate when assigning group membership individually. Next you will add multiple users
simultaneously.
14. Note that the list of users in the dCloud OU is currently sorted using the Department Column. All of the members of the Sales
department are listed together at the bottom of the list.
15. Click on user Alex Jones to choose.
16. Press and hold the Shift key and click on user Taylor Bard. Notice that we have excluded Adam McKenzie from the
selection as this user was added in the previous steps.
Figure 15.

User Selection

17. Right-click within the highlighted area and choose Add to a group from the menu.
18. In the Enter the object names to choose field enter the name Sales.

Page 18 of 257

Cisco dCloud

Figure 16.

Choose Groups

19. Click OK.

20. A message indicating that the Add to Group operation was successful. Click OK to continue.
Figure 17.

Operation Successful

21. Double-click the Sales Distribution Group.

22. Click the Members tab. Observe that all users in the Sales Department are members of the Sales Distribution Group.
Figure 18.

Sales Department Members

23. Click OK.

24. Close the Active Directory Users and Computers console.

DNS Service Discovery Configuration

Cisco Jabber depends heavily on DNS to identify its operating location, detect services, and connect to required services.
Service discovery is the process by which Cisco Jabber does the following:

Determines whether it is operating internal to or external to the corporate network, to influence client behavior

Locate services within the corporate network or through Expressway when operating externally.

Page 19 of 257

Cisco dCloud

Cisco Jabber clients query domain name servers (DNS) to retrieve service (SRV) records that provide the location of hosted
services on the network.
In this activity, you will provision the DNS service location records required to enable auto-discovery for Cisco Jabber while running
inside internal enterprise network.
The Cisco Jabber client will query DNS for SRV records based on user domain in parallel. The highest priority record returned will
be used for services.
Priority

Service

HTTP Request/DNS SRV

WebEx Messenger

HTTP CAS Lookup

UC Manager 9.x or later

_cisco-uds._tcp.example.com

Cisco Presence 8.x

_cuplogin._tcp.example com

Collaboration Edge

_collab-edge._tls.example.com

DNS Service Records (SRV) Inside the Enterprise Network

Ensure that the RDP session to ad1.dcloud.cisco.com has focus.

From the Task Bar, click the DNS Manager icon.

Figure 19.

Task Bar Icons

Click the + next to Forward Lookup Zones.

Click dcloud.cisco.com to highlight the zone.

Figure 20.

Cisco dCloud Zone

Right click on the dcloud.cisco.com zone.

Choose Other New Records from the menu.

Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.

Click Create Record.

Page 20 of 257

Cisco dCloud

Figure 21.

Create Record

Fill out the New Resource Record form as follows:

Domain: dcloud.cisco.com (already populated)

Service: _cisco-uds

Protocol: _tcp

Priority: 0 (default)

Weight: 0 (default)

Port Number: 8443

Host offering this service: ucm1.dcloud.cisco.com

Page 21 of 257

Cisco dCloud

Figure 22.

New Resource Record

10. Click OK.

11. Click Done to close the Resource Record Type dialog.
NOTE: Since our environment contains multiple domains and we will be demonstrating the new Flexible JID and multi-domain
features we will create Service Location data for all DNS domains containing presence users. In a production environment, it is
likely that each domain would have dedicated infrastructure, such as AD, DNS, and Email. For the purpose of our lab, we are using
a collapsed topology, where only one service domain will be queried.
12. Click alpha.com to highlight the zone.
13. Right click on the alpha.com zone.
14. Choose Other New Records from the menu.
15. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.
16. Click Create Record.
17. Fill out the New Resource Record form as follows:

Domain: alpha.com (already populated)

Service: _cisco-uds

Protocol: _tcp

Priority: 0 (default)

Weight: 0 (default)

Port Number: 8443

Page 22 of 257

Cisco dCloud

Figure 23.

Host offering this service: ucm1.dcloud.cisco.com

New Resource Record

18. Click OK.

19. Click Done to close the Resource Record Type dialog.
20. Click uk.dcloud.cisco.com to highlight the zone.
21. Right click on the uk.dcloud.cisco.com.com zone.
22. Choose Other New Records from the menu.
23. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.
24. Click Create Record.
25. Fill out the New Resource Record form as follows:

Domain: uk.dcloud.cisco.com (already populated)

Service: _cisco-uds

Protocol: _tcp

Priority: 0 (default)

Weight: 0 (default)

Port Number: 8443

Host offering this service: ucm1.dcloud.cisco.com

Page 23 of 257

Cisco dCloud

Figure 24.

New Resource Record

26. Click OK.

27. Click Done to close the Resource Record Type dialog.
28. Close the DNS Manager.

Verify DNS SRV Records

Connect and/or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36) to perform DNS verification.

Click the Command Prompt icon on the task bar.

Type nslookup and press Enter.

Type set type=srv (use lowercase) and press Enter.

Type _cisco-uds._tcp.dcloud.cisco.com and press Enter.

SRV record data similar to the output shown below should be returned by DNS server ad1.dcloud.cisco.com.

Page 24 of 257

Cisco dCloud

Figure 25.

SRV Record

A successful result returns both the FQDN of the host(s) offering the service as well as the resolved IP Address (es)
associated with the host(s). You should see text similar to the graphic above (Red Text).

NOTE: If you see error text indicating a failure to lookup this or subsequent _cisco-uds SRV records, for example: Non-existent
domain, follow the instructions below.

Confirm that the command entered is exactly as specified in the guide and retry.

Confirm that the settings of the SRV record match the previous configuration steps.

Figure 26.

SRV Resolution

If you are unable to resolve the issue, please notify a proctor. Do not continue until a successful validation result is returned.
8.

Type _cisco-uds._tcp.alpha.com and press Enter.

SRV record data similar to the output shown below should be returned by DNS server ad1.dcloud.cisco.com.

Figure 27.

SRV Record Data

10. Type _cisco-uds._tcp.uk.dcloud.cisco.com and press Enter.

11. SRV record data similar to the output shown below should be returned by DNS server ad1.dcloud.cisco.com.

Page 25 of 257

Cisco dCloud

Figure 28.

SRV Record Data

12. Close the Command Prompt window.

This completes the addition and validation of Service Location Records required for internal Jabber functionality.

Page 26 of 257

Cisco dCloud

Activity 2: Unified IM and Presence Deployment

With preparation for deployment complete, Activity 2 addresses, systematically the requirements and methods needed to
implement Unified IM and Presence solution with provisioned End Users, Services, and Devices.

Activity Objectives
The following are the objectives for this activity:

Identify and confirm the status of services required for the operation of Cisco Unified Communications Manager and IM
and Presence Service as they relate to features implemented in the lab

Identify and perform the activities required to integrate Cisco Unified CM and IM and Presence

Define UC Services and a Service Profile in order to assign presence capabilities to Cisco Jabber users

Implement LDAP Directory Synchronization and Authentication with Microsoft Active Directory to import Users and
Groups

Use template based automation tools to quickly and accurately provision End Users, Directory Numbers, and Devices
through the LDAP user import process

Configure Cisco Unified CM and Unified IM and Presence for the Flexible JID Address Scheme with Multi-Domain
Domain support

Interact with the Cisco Jabber client configuration file (jabber-config.xml) to enable non-default behaviors in Cisco Jabber

Service Activation and Status Verification

During this activity, we will validate that all Unified Communications Manager services required to provision and integrate the
Instant Message and Presence service cluster have been activated and are in an expected state. The service activation process
has already been performed as part of the pre-configuration of this lab. This activity is for verification and to provide further
familiarity with the lab topology and current configuration state.

Unified Communications Manager

Connect and/or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36).

Launch Internet Explorer by double clicking on the desktop shortcut or clicking the Internet Explorer icon in the task bar.

From the Cisco dCloud Homepage hover over Collaboration Admin Links and choose Cisco Unified Communications
Manager to connect to ucm1.dcloud.cisco.com. Optionally you may manually type https://ucm1.dcloud.cisco.com in the
address bar.

Page 27 of 257

Cisco dCloud

Figure 29.

Cisco UCM Link

When prompted with a Certificate Error click Continue to this website.

NOTE: As part of this lab, we will be performing Certificate Management in Unified Communications Manager and IM&P in an
upcoming exercise. Until a Certificate signed by a trusted Certification Authority is installed, we will continue to receive these
errors. Please acknowledge and proceed using the Continue to this website option.
5.

From the Installed Applications list, click Cisco Unified Communications Manager.

Figure 30.

Cisco UCM Link

From the Navigation menu in the upper-right corner of the Administration Webpage, choose Cisco Unified Serviceability.

Click Go.

In the Username field type administrator.

In the Password field type dCloud123!.

10. Click Login.

Figure 31.

Page 28 of 257

Cisco dCloud

11. From the Menu choose Tools > Control Center Feature Services.
Figure 32.

Contact Center Services

12. From the Choose Server drop down list, choose ucm1.dcloud.cisco.com.
Figure 33.

Select Server Menu

13. Click Go.

14. Review the Control Center page to confirm that the services listed below are Activated and in a Running state:
o

Cisco DirSync

Cisco CallManager

Cisco CTIManager

Cisco Tftp

Cisco AXL Web Service

Page 29 of 257

Cisco dCloud

Figure 34.

Directory Services

This concludes serviceability verification for Unified Communications Manager (ucm1.dcloud.cisco.com).

Unified IM and Presence Service

From the Choose Server drop down list, choose imp1.dcloud.cisco.com.

Click Go.

Review the Control Center page to confirm that the services listed below are Activated and in a Running state:
o

Cisco AXL Web Service

Cisco SIP Proxy

Cisco Presence Engine

Cisco XCP Text Conference Manager

Cisco XCP Connection Manager

Cisco XCP Authentication Service

Page 30 of 257

Cisco dCloud

Figure 35.

Database and Admin Services

This concludes serviceability verification for Unified IM and Presence imp1.dcloud.cisco.com.

Unified CM SIP Trunk Configuration

In this task, we will create a SIP Trunk between Unified CM and the IM and Presence node. This will be used for presence updates
between the two systems (off hook/on hook updates), allowing Cisco Jabber to display information for users such as On a Call.

SIP Trunk Security Profile for IM and Presence Service

Connect and/or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36) if not already in focus.

From the currently open Internet Explorer window connected to ucm1.dcloud.cisco.com, use the Navigation menu to
choose Cisco Unified CM Administration.

If the previous logon session has expired you may need to login. (Username: administrator, Password: dCloud123!)
Otherwise, proceed to the next step.

From the menu navigate to System > Security > SIP Trunk Security Profile.

Figure 36.

Security Menu

Click Find to display the list of configured Sip Trunk Security Profiles.

Figure 37.

SIP Trunk Security Profile

Page 31 of 257

Cisco dCloud

Click Non Secure SIP Trunk Profile to open the configuration page.

From the configuration menu, click Copy.

Set the Following Parameters (Only those requiring modification listed):

Name: IMP SIP Trunk Profile

Accept presence subscription: Checked

Accept out-of-dialog refer: Checked

Accept unsolicited notification: Checked

Accept replaces header: Checked

Figure 38.

SIP Trunk Security Profile Information

Click Save.

Configure SIP Trunk for IM and Presence Service

10. From the menu navigate to Device > Trunk.
Figure 39.

Device Menu

11. From the Find and List Trunks page, click Add New.
12. Set the Trunk Type value to SIP Trunk from the drop down menu.
13. Click Next.

Page 32 of 257

Cisco dCloud

14. Set the Following Values under the Device Configuration section.

Device Name: IMP-SIP-Trunk

Description: IMP Publish Trunk

Device Pool: Default

Figure 40.

Device Information

15. Scroll down to the section labeled SIP Information and set the following values:

Destination Address: imp1.dcloud.cisco.com

Destination Port: 5060 (Default)

SIP Trunk Security Profile: IMP SIP Trunk Profile

SIP Profile: Standard SIP Profile

Figure 41.

SIP Information

16. Click Save.

17. Click OK to acknowledge the webpage notification and proceed.
18. Click Reset.
19. Click Reset from the pop-up window.
20. Click Close.

Set the Presence Publish Trunk Parameter

We will now identify the SIP Trunk just created as the device used to send line presence information to the IM & Presence server.

Page 33 of 257

Cisco dCloud

21. From the main menu, navigate to System > Service Parameters.
22. Choose ucm1.dcloud.cisco.com from the Server drop down menu.
23. Choose Cisco CallManager from the Service drop down menu.
Figure 42.

Select Server and Service

24. Scroll to the Clusterwide Paramters (Device SIP) section.

You may expedite this process by typing Ctrl-F with the browser window in focus. This will open a search window, into which you
may type IM and Presence to jump directly to the parameter.
25. Continue until you locate the IM and Presence Publish Trunk parameter.
26. Choose IMP-SIP-Trunk from the parameter menu.
Figure 43.

IM and Presence Publish Trunk

27. Click Save.

Configure UC Services and Service Profile

Here we will provide the centralized configuration required for Cisco Jabber Clients to utilize core Collaboration application
services. We will NOT be configuring all of the available services, but rather those that will allow us to create a stable foundation in
order to configure advanced features in the lab.

Configure UC Services
1.

From the main menu navigate to User Management > User Settings > UC Service.

Figure 44.

User Settings

Click Add New.

From the drop down menu, choose IM and Presence.

Figure 45.

Add a UC Service

Page 34 of 257

Cisco dCloud

Click Next.

Set the following values:

Name: IMP-Service

Description: IMP Service

Host Name/IP Address: imp1.dcloud.cisco.com

Figure 46.

UC Service Information

Click Save.

Click Add New.

From the drop down menu, choose CTI.

Figure 47.

Add a UC Service

Click Next.

10. Set the following values:

Name: CTI-Service

Description: CTI Service

Host Name/IP Address: ucm1.dcloud.cisco.com

Port: 2748 (default)

Page 35 of 257

Cisco dCloud

Figure 48.

UC Service Information

11. Click Save.

12. Click Add New.
13. From the drop down menu, choose Voicemail.
Figure 49.

Add a UC Service

14. Click Next.

15. Set the following values:

Product Type: Unity Connection

Name: Voicemail-Service

Description: Voicemail Service

Host Name/IP Address: cuc1.dcloud.cisco.com

Port: 443

Protocol: HTTP

Figure 50.

UC Service Information

Page 36 of 257

Cisco dCloud

16. Click Save.

17. From the Related Links menu in the upper-right of the webpage, choose Back to Find/List.
18. Click Go.
19. Click Find.
20. Observe that all three services are created and match the image below.
Figure 51.

UC Services

NOTE: We have omitted the manual configuration of a Directory Service. Feature enhancements to the Jabber Client portfolio
have made it possible to leverage the Service Discovery capabilities of Jabber to automatically detect an accessible LDAP
directory. Automatic discovery using SRV is the preferred method where possible.

Configure a Service Profile

21. From the main menu choose User Management > User Settings > Service Profile.
Figure 52.

User Settings

22. Click Add New.

23. Under Service Profile Information set the following values:

Name: CST-Service-Profile

Description: CST Service Profile

Make this the default service profile for the system: Checked

Figure 53.

Service Profile Information

Page 37 of 257

Cisco dCloud

24. Under Voicemail Profile set the following values:

Primary: Voicemail-Service

Credentials source for voicemail service: Unified CM IM and Presence

Figure 54.

Voicemail Profile

25. Scroll to Directory Profile and set the following values:

Primary: None

Use UDS for Contact Resolution: Un-Checked

Figure 55.

Directory Profile

26. Under IM and Presence Profile set the following:

Primary: IMP-Service

27. Under CTI Profile set the following:

Figure 56.

Primary: CTI-Service
Profiles

28. Click Save.

Page 38 of 257

Cisco dCloud

Prepare Directory Synchronization and Automatic User Provisioning

As stated earlier LDAP Directory integration provides the foundation for User Synchronization, User Authentication, and Contact
Sources within a Collaboration Deployment. This is especially true regarding the interactions and user experience with respect to
Cisco Jabber.
We will explore the new Flexible Jabber ID and Multi-Domain support features as part of our directory synchronization exercise.
Significant advancements in End-User provisioning have been part of Unified Communications Manager since the 10.x release.
We will be using Feature Group Templates to demonstrate how quickly items such as End Users, UC Service Assignment,
Group Membership, and even Directory Numbers can be added during the first LDAP synchronization. It is beyond the scope of
this lab to delve into the design mechanics of each feature but we will be interacting with these tools and using them to expedite
our provisioning process.

Service Activation
1.

Recall that as part of our Service Activation and Status Verification activity we confirmed the status of Cisco DirSync to be
activated and running. Directory Synchronization depends on this service to function and must be activated prior to enabling
and LDAP Directory Synchronization agreement and/or LDAP Authentication.

Figure 57.

Cisco DirSync Activated

Class of Control
In order to leverage component features such as URI Dialing and to maintain consistency with Cisco Dial-Plan best practices for a
centralized call control deployment, the following Partitions and Calling Search Spaces were created in advance. We will
reference these when configuring our Provisioning Templates.
Table 4.

Partitions

Partition

Description

CST-DN-PT

Collaboration Specialist Training DN Partition

CST-URI-PT

Collaboration Specialist Training URI Partition

Table 5.

Calling Search Spaces

Calling Search Space

Partitions

CST-CSS

CST-DN-PT, CST-URI-PT, (All System Generated Partitions)

Provisioning Templates and User Profiles

In this section, we will interact with Universal Device, Universal Line, and Feature Group templates to create the foundation for
automatic provisioning.

Page 39 of 257

Cisco dCloud

Navigate to the Cisco Unified CM Administration web interface at https://ucm1.dcloud.cisco.com/ccmadmin. This should
already be open from the previous exercise.

Use the menu to navigate to User Management > User/Phone Add > Universal Device Template.

Figure 58.

Universal Device Template Menu

Click Find.

Click the Sample Device Template with TAG usage examples hyperlink to open.

Modify the Name field to be CST Device Template.

Figure 59.

CST Device Template

Click the

Set the Calling Search Space to CST-CSS by choosing it from the drop-down menu.

Figure 60.

icon to the left of Device Routing title to expand the section.

Device Routing

Click Save.

From the main menu, choose User Management > User/Phone Add > Universal Line Template.

10. Click Find.

11. Click the Sample Line Template with TAG usage examples hyperlink to open.
12. Set the following parameters:

Name: CST Line Template

Route Partition: CST-DN-PT

Calling Search Space: CST-CSS

Page 40 of 257

Cisco dCloud

Figure 61.

Calling Search Space Template

13. Click Save.

14. From the main menu choose User Management > User/Phone Add > Feature Group Template.
15. Click Find.
16. Click the Default Feature Group Template hyperlink to open.
17. Set the following parameters:

Name: CST Feature Group Template

Enable User for Unified CM IM and Presence: Checked

Allow Control of Device from CTI: Checked

SUBSCRIBE Calling Search Space: CST-CSS

Figure 62.

Feature Group Template

Page 41 of 257

Cisco dCloud

18. Click Save.

19. From the main menu choose User Management > User Settings > User Profile.
20. Click Find.
21. Click the hyperlink for Standard {Factory Default) User Profile, to open the editor page.
22. Set the following parameters:

Name: CST User Profile

Description: CST User Profile

Mobile and Desktop Devices: CST Device Template

Universal Line Template: CST Line Template

Figure 63.

User Profile

23. Click Save.

Enable LDAP Synchronization

Navigate to System > LDAP > LDAP System.

Figure 64.

LDAP Menu

In the LDAP System Configuration page, set the following values:

Enable Synchronizing from LDAP Server: Checked

LDAP Server Type: Microsoft Active Directory (default)

LDAP Attribute for User ID: sAMAccountName (default)

Page 42 of 257

Cisco dCloud

Figure 65.

LDAP System Information

Click Save.

Create a New LDAP Synchronization Agreement

Navigate to System > LDAP > LDAP Directory.

Click Add New.

In the LDAP Directory Information section, enter the following values:

LDAP Configuration Name: CST LDAP

LDAP Manager Distinguished Name: CollabLDAP@dcloud.cisco.com

LDAP Password: C1sco12345

Confirm Password: C1sco12345

LDAP User Search Base: ou=dcloud,dc=dcloud,dc=cisco,dc=com

Synchronize: Users and Groups

NOTE: The user CollabLDAP has already been created as a standard user (no administrative roles) in the active directory for use
as a service account in LDAP Synchronization and Authentication in accordance with Cisco deployment best practice.
7.

Confirm settings match the screenshot below.

Figure 66.

LDAP Directory Information

Scroll down to the section labeled Standard User Fields To Be Synchronized.

Set the Directory URI LDAP Attribute to mail.

Figure 67.

Directory URI

Page 43 of 257

Cisco dCloud

NOTICE: Our demonstration users are provisioned across three different domains in the format sAMAccountName@domain.com.
In the coming steps, we will ensure that this value will be used to populate the Jabber ID (JID).
10. Scroll to the section labeled Group Information.
11. Click the Add to Access Control Group button.
Figure 68.

Add to Access Control Group

12. In the Find Access Control Group where Name search field type: Standard.
13. Click Find.
14. From the Find and List Access Control Groups dialog, place a Check next to the following entries:

Standard CCM End Users

Standard CTI Enabled

Figure 69.

Access Lists Dialog

15. Click Add Selected

, to close the dialog and return to the LDAP Directory configuration screen.

16. Set the value of Feature Group Template to CST Feature Group Template.
17. Check the box next to Apply mask to synced telephone numbers to create a new line for inserted users.
18. In the Mask field, enter XXXXXXXXXXXXX (The letter X in CAPS 13 times).
This mask is used because we have variable length E.164 telephone numbers with demonstration users in different countries. The
maximum length of any telephone number in our demonstration is 12-digits with a leading +. Thus the mask XXXXXXXXXXXXX
will accommodate any phone number string of 13 characters or less.

Page 44 of 257

Cisco dCloud

Figure 70.

Group Information Mask

19. Scroll to the LDAP Server Information section.

20. In the Host Name or IP Address for Server field, type: ad1.dcloud.cisco.com.
Figure 71.

LDAP Server Information

21. Click Save.

22. Do NOT attempt to perform a Directory synchronization at this time. We will be performing additional configuration to
complete IM and Presence integration, and to accommodate Multi-Domain support before importing users.
Cisco Unified Communications Manager release 10.5 and onward provides support the creation E164 (with leading +) formatted
directory numbers via the Directory Synchronization process. Enhancements to the way in which the system applies the Mask field
now allow the Mask to represent the maximum length of any discovered Directory Number within the defined directory. When the
discovered telephone number is less than the value specified it is inserted as is.

Enable LDAP Authentication

23. From the main menu choose System > LDAP > LDAP Authentication.
24. In the LDAP Authentication for End Users section, enter the following values:

Use LDAP Authentication for End Users: Checked

LDAP Manager Distinguished Name: CollabLDAP@dcloud.cisco.com

LDAP Password: C1sco12345

Confirm Password: C1sco12345

LDAP User Search Base: ou=dcloud,dc=dcloud,dc=cisco,dc=com

Page 45 of 257

Cisco dCloud

Figure 72.

LDAP Authentication

25. In the Host Name or IP Address for Server field, type: ad1.dcloud.cisco.com.
Figure 73.

LDAP Server Information

26. Click Save.

Enterprise Parameters: URI Dialing and Enterprise Groups

From the Unified Communications Manager Administration webpage, use the main menu to navigate to System > Enterprise
Parameters.

Scroll to the End User Parameters section.

Set the Directory URI Alias Partition value to CST-URI-PT.

Figure 74.

End User Parameters

Scroll to the User Management Parameters section.

Set Directory Group Operations on Cisco IM and Presence to Enabled.

Click Save.

Click Apply Config.

From the Apply Configuration popup dialog, click OK.

Page 46 of 257

Cisco dCloud

Figure 75.

Apply Configuration

IM and Presence Service Configuration

Connect to Unified IM and Presence
1.

From the RDP session on wkst1.dcloud.cisco.com, launch Internet Explorer (if NOT already open) or click the New Tab
icon.

From the dCloud Homepage navigate to Collaboration Admin Links > Cisco Unified IM and Presence Service to connect
to imp1.dcloud.cisco.com. Optionally, you may manually type https://imp1.dcloud.cisco.com in the address bar.

Figure 76.

Collaboration Admin Links

Acknowledge the certificate error by clicking Continue to this Website.

From the Installed Applications list, click Cisco Unified IM and Presence.

Figure 77.

Installed Applications

Page 47 of 257

Cisco dCloud

In the Username field, type administrator.

In the Password field, type dCloud123!.

Click Login.

Figure 78.

Configure Presence Gateway

From the menu choose Presence > Gateways.

Figure 79.

Gateways Menu

Click Add New.

10. Under Presence Gateway Settings, set the following values:

Presence Gateway Type: CUCM (default)

Description: UCM Presence Gateway

Presence Gateway: ucm1.dcloud.cisco.com

Figure 80.

Presence Gateway Settings

Page 48 of 257

Cisco dCloud

11. Click Save.

Enabled Flexible Jabber ID (JID) and Multi-Domain Support

Flexible Jabber ID (JID)
By default, the Jabber ID (JID) is based on the Unified CM User ID<uid>@xmpp domain. The flexible JID feature allows the JID to
be constructed based on Directory URI field. The directory URI may be administratively mapped using the following LDAP
synchronized data fields:

mail (as is the case in this lab)

msRTCSIP-PrimaryUserAddress

Manually Configured by Administrator

This allows organizations to map user JIDs that align with the corporate naming address scheme in use. For example, a users JID
(IM address) can be mapped to their E-Mail address using the mail parameter, effectively creating a single address for multi-modal
communications.
The graphic below demonstrates how this feature affects the demonstration users in the Lab.
Figure 81.

Addressing Scheme Comparison

Multi-Domain Support
Jabber IDs across multiple domains are now supported in a single Unified IM and Presence cluster. For example, an organization
may manage many email domains, but only a single IM and Presence cluster. The JIDs can be formed based on the different email
domains in this scenario, such as in our lab topology:

dcloud.cisco.com

Page 49 of 257

Cisco dCloud

alpha.com

uk.dcloud.cisco.com

The Cisco Unified IM and Presence service will automatically learn the domains in the assigned topology based on those detected
in @domain portion of the JID (IM Address).

Explore Advanced Presence Settings

1.
2.

From the menu choose Presence > Settings > Advanced Configuration.
This is the configuration screen where the IM Address scheme can be modified to support flexible JID and Multi-Domain
provisioning.

Observe that all configuration items are Grayed Out. A message indicating that certain services must be stopped in order to
continue is displayed.

Figure 82.

Domain and IM Address Settings

Shutdown Required IM and Presence Services

From the active RDP session connected to wkst1.dcloud.cisco.com, launch the terminal application PuTTY by clicking on
the icon in the taskbar.

Figure 83.

PuTTY Icon

Under Saved Sessions, choose the entry imp1 and click Load.

Figure 84.

PuTTY Saved Sessions

Page 50 of 257

Cisco dCloud

Click the Open button to launch a secure shell connection to the IM and Presence node imp1.dcloud.cisco.com.

At the Login As prompt, type administrator.

At the password prompt, type dCloud123!.

Figure 85.

PuTTY Terminal Window

NOTE: In the next section, you will type a series of serviceability commands. In order to eliminate the possibility of typographic
errors and to save time, you may open a file with pre-configured text and copy and paste each command in place of typing. From
the Desktop of Wkst1 browse to CST-Jabber > Utilities and open the file: service-stop-start.txt. Copy commands one at a time
as instructed in the following steps, to paste into the PuTTY windows simply right click within the active terminal connection.
6.

Type the following command: utils service stop Cisco Presence Engine

Press Enter.

Confirm that the service has been stopped.

Figure 86.

Service Stopped

Type the following command: utils service stop Cisco SIP Proxy

10. Press Enter.

11. Confirm that the service has been stopped.
Figure 87.

Service Stopped

12. Type the following command: utils service stop Cisco XCP Router
13. Press Enter.
14. Confirm that the service has been stopped.

Page 51 of 257

Cisco dCloud

Figure 88.

Service Stopped

15. Type the following command: utils service stop Cisco Sync Agent
16. Press Enter.
17. Confirm that the service has been stopped.
Figure 89.

Service Stopped

18. Type the following command: utils service stop Cisco Client Profile Agent
19. Press Enter.
20. Confirm that the service has been stopped.
Figure 90.

Service Stopped

Configure Domain and IM Address Settings

With all of the required services stopped, we may now proceed to configure the IM Address scheme for Multi-Domain support.
1.
2.

Switch focus to the Cisco IM and Presence Administration webpage.

If the session timer has expired, log in again with Username: administrator and Password: dCloud123!. Otherwise, proceed
to the next step.

From the menu choose Presence > Settings > Advanced Configuration.

Choose the Radio Button labeled IM Address Scheme.

Use the drop down menu to choose Directory URI.

Click Save.

Click Ok to acknowledge both Webpage notifications.

Figure 91.

Webpage Notification

Page 52 of 257

Cisco dCloud

NOTE: This message is a reminder that the specified modification is applied globally to all Users assigned to this IM and Presence
cluster. In this lab, we are dealing with only 29 total users supporting this feature, in a Net-New install. If this was an existing
installation with users imported into the IM and Presence database, this operation would trigger an update of ALL user records,
which could have significant impact on system performance. This change would be permanent and requires that ALL Cisco Jabber
clients in use be at version 10.6 or higher for support.
8.

Observe the Status message at the top of the page, displayed immediately after initiating the change. This indicates that the
IM Address Scheme update has been triggered.

Figure 92.

Address Scheme Update

Wait until the message transitions to IM address Scheme change update successful before proceeding.

Figure 93.

Success Notification

Start Required IM and Presence Services

In a previous exercise, we stopped essential Unified IM and Presence services in order to modify the IM Address scheme. The
next steps will guide you through the process of starting these services to resume normal operation.
1.

Switch back to the PuTTY terminal session connected to imp1.dcloud.cisco.com. If the console session login timeout has
expired and/or PuTTY has been closed, launch the PuTTY application as described earlier, load the imp1 saved session, and
click Open.

If you are NOT actively logged in to the server, log into the imp1.dcloud.cisco.com CLI with the (administrator/dCloud123!)
password combination referenced earlier.

NOTE: In the next section, you will type a series of serviceability commands. In order to eliminate the possibility of typographic
errors and to save time, you may open a file with pre-configured text and copy and paste each command in place of typing. From
the Desktop of Wkst1 browse to CST-Jabber > Utilities and open the file: service-stop-start.txt. Copy commands one at a time
as instructed in the following steps. To paste into the PuTTY window, simply right click within the active terminal connection.
3.

Type the following command: utils service start Cisco Presence Engine

Press Enter.

Confirm that the service has started.

Figure 94.

Service Started

Page 53 of 257

Cisco dCloud

Type the following command: utils service start Cisco SIP Proxy

Press Enter.

Confirm that the service has started.

Figure 95.

Service Started

Type the following command: utils service start Cisco XCP Router

10. Press Enter.

11. Confirm that the service has started.
Figure 96.

Service Started

12. Type the following command: utils service start Cisco Sync Agent
13. Press Enter.
14. Confirm that the service has started.
Figure 97.

Service Started

15. Type the following command: utils service start Cisco Client Profile Agent
16. Press Enter.
17. Confirm that the service started.
Figure 98.

Service Started

NOTE: In a previous exercise, we Stopped the Cisco XCP Router service. If you Stop the Cisco XCP Router instead of choosing
to restart this service, the IM and Presence Service will automatically stop all other dependent XCP services. Subsequently when
you turn on the XCP router, the IM and Presence Service does not automatically turn on the other XCP services; you need to
manually turn on the other XCP services.
18. Type the following command utils service start Cisco XCP Connection Manager
19. Press Enter.
20. Confirm that the service started.

Page 54 of 257

Cisco dCloud

Figure 99.

Service Started

21. Type the following command utils service start Cisco XCP Authentication Service
22. Press Enter.
23. Confirm that the service started.
Figure 100. Service Started

24. Type the following command utils service start Cisco XCP Text Conference Manager
25. Press Enter.
26. Confirm that the service started.
Figure 101. Service Started

27. Type exit to close the PuTTY session.

User and Group Import

In this section, we will Import Active Directory users and Enterprise Groups based on the LDAP Directory configuration defined
previously.

Establish Active Connections to Unified CM and Unified IM and Presence

We will begin by opening a web browser session with active connections to both ucm1.dcloud.cisco.com and
imp1.dcloud.cisco.com in separate tabs.
NOTE: If an active Internet Explorer window with Tabs for ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com is open on
wkst1.dcloud.cisco.com. You may simply authenticate using (administrator/dCloud123!) to both interfaces and proceed to first
listed exercise: Perform LDAP Directory Synchronization.
1.
2.

From the RDP session on wkst1.dcloud.cisco.com, launch Internet Explorer.

Navigate to Collaboration Admin Links > Cisco Unified Communications Manager to connect to
ucm1.dcloud.cisco.com.

Click the Cisco Unified Communications Manager hyperlink.

Log in to Cisco Unified CM Administration with the (administrator/dCloud123!) password combination.

Click the New Tab icon on the active Internet Explorer window.

Page 55 of 257

Cisco dCloud

From the Cisco dCloud homepage navigate to Collaboration Admin Links > Cisco Unified IM and Presence Service.

Click the Cisco Unified Communications Manager IM and Presence hyperlink.

Log in to Cisco IM and Presence with the (administrator/dCloud123!) password combination.

The Browser tabs should appear as depicted below.

Figure 102. Browser Tab Configuration

Perform LDAP Directory Synchronization

From the Unified Communications Manager Administration interface, navigate to choose System > LDAP > LDAP
Directory.

Click Find.

Click the hyperlink for CST LDAP to open the directory configuration page.

Figure 103. LDAP Configuration Name

Click Perform Full Sync Now.

Figure 104. Full Sync Now

Acknowledge the webpage notification by clicking OK.

Figure 105. Webpage Notification

Observe the status message in upper left hand corner of the LDAP Directory configuration page.

Page 56 of 257

Cisco dCloud

Figure 106. Update Successful

Wait at least 60 seconds before proceeding.

Verify End User Import Process

From the main menu choose User Management > End User.

Click Find.

Observe that the 29 Users identified during the Active Directory review activity are listed. Pay particular attention to our two
demonstration users Charles Holland cholland and Anita Perez aperez.

Figure 107. Demonstration Users

Confirm that the synchronized Directory URI for Anita Perez is set to aperez@alpha.com.

Confirm that the synchronized Directory URI for Charles Holland is set to cholland@dcloud.cisco.com.

Verify Group Import Process

From the main menu navigate to User Management > User Settings > User Group.

Figure 108. User Group Menu

Click Find.

Page 57 of 257

Cisco dCloud

Notice that the distribution groups provisioned in the earlier exercise are synchronized through the LDAP agreement.

Figure 109. LDAP Groups

Click on the Sales group hyperlink to open the membership properties.

10. Click Find to view current group membership.

Figure 110. Group Information

NOTE: Changes to the membership of the distribution group in Active Directory will be propagated dynamically during the
scheduled LDAP sync process. Changes to assigned members will be reflected in the Jabber client where users have added these
groups as contact sources.

Verify Directory Number Creation

11. Navigate to Call Routing > Directory Number.
12. Click Find.
13. Observe that the LDAP Synchronization process has automatically generated directory numbers in the CST-DN-PT in +E164
format based on the Active Directory telephoneNumber field.

Page 58 of 257

Cisco dCloud

Figure 111. Active Directory Numbers

Verify Presence Data Synchronization and Multi-Domain List

14. Switch to the IM and Presence Service Console tab in the Internet Explorer browser window.
15. If necessary, use the (administrator/dCloud123!) username and password combination to log in.
16. Navigate to Presence > Domains.
17. Observe the list of System Managed Domains, which have been learned through the LDAP Synchronization process. Each
unique domain is detected by parsing the assigned Directory URI.
Figure 112. System Managed Domains

18. Confirm the presence of the following 3 presence domains:

dcloud.cisco.com

uk.dcloud.cisco.com

alpha.com

19. Navigate to System > Presence Topology.

20. Hover your mouse pointer over the imp1.dcloud.cisco.com node icon.

Page 59 of 257

Cisco dCloud

Figure 113. Dynamic Menu Options

21. Observe that listed items appear with a Green Check Mark.
22. Click All Assigned Users from the Presence Topology navigation pane.
Figure 114. Presence Topology

23. Click Find.

24. Observe that the IM Address (JID) assigned to each user matches the Directory URI field.
Figure 115. IM Address

Provision Devices and Client Configuration

Auto-Provision Jabber Client Service Framework (CSF) Devices
1.

Switch to the Unified CM Console tab in the Internet Explorer browser window.

If necessary, use the (administrator/dCloud123!) username and password combination to log in.

From the menu choose User Management > User/Phone Add > Quick User/Phone Add.

Page 60 of 257

Cisco dCloud

Figure 116. Quick User/Phone Add

To filter the user search results type Anita in the Find User where field. (Default Search Criteria is First Name)

Click Find.

Figure 117. User ID

Click the aperez hyperlink to choose the target user.

From the Quick User/Phone Add configuration page, click Manage Devices.

Figure 118. Manage Devices Button

Click Add New Phone.

Page 61 of 257

Cisco dCloud

Figure 119. Add New Phone Button

Set the following values in the configuration pop-up menu:

Product Type: Cisco Unified Client Services Framework

Device Protocol: SIP (Auto-populated based on Product Type chooseion)

Device Name: csfaperez

Universal Device Template: CST Device Template

Figure 120. Add Phone to User

10. Click Add Phone.

11. Observe the Success message which displays in the bottom right corner of the screen.
Figure 121. Operation Success

12. From the Related Links navigation menu, choose Back to Find List Users.
Figure 122. Back to Find List Users

Page 62 of 257

Cisco dCloud

13. Click Go.

14. To filter the user search results type Charles in the Find User where field.
15. Click the cholland hyperlink to choose the target user.
Figure 123. User ID

16. From the Quick User/Phone Add configuration page, click Manage Devices.
17. Click Add New Phone.
18. Set the following values in the configuration pop-up menu:

Product Type: Cisco Unified Client Services Framework

Device Protocol: SIP (Auto-populated based on Product Type chooseion)

Device Name: csfcholland

Universal Device Template: CST Device Template

Figure 124. Add Phone to User

19. Click Add Phone.

20. Observe the Success message which displays in the bottom right corner of the screen.
Figure 125. Operation Success

21. From the menu navigate to Device > Phone.

22. Click Find.
23. Observe that both Client Services Framework devices have been added to the Unified CM device database.

Page 63 of 257

Cisco dCloud

Figure 126. CSF Devices

24. Click the CSFCHOLLAND Device Name hyperlink to open the device configuration.
25. Observe that the Directory Number \+14085556018 created via the initial LDAP synchronization was automatically
associated to the device. Notice that configuration elements defined during the creation of Auto-Provisioning templates such
as Device CSS, have been set to the values specified through that process.
Figure 127. Phone Options

26. If desired you may investigate the auto-provisioning of the CSFAPEREZ device. When you are ready, move to the next step.
27. Navigate to User Management > End User from the main menu.
Figure 128. End User Menu

28. Locate the list entry for Charles Holland (cholland).

29. Click the cholland User ID hyperlink.
30. Scroll down to Service Settings and observe that through the Auto-Provisioning process this user has been enabled for
Unified IM and Presence, and an associated UC Service Profile has been assigned.
31. Confirm that the CSF Device CSFCHOLLAND is listed as an associated device.

Page 64 of 257

Cisco dCloud

Figure 129. Charles Holland Device Added

32. Click the Line Appearance Associate for Presence button.

33. Click Find.
34. Observe that the Auto-Provisioning process has automatically added the Directory Number line appearance of the device
CSFCHOLLAND with the end user.
Figure 130. Line Appearance Association for Presence

35. Close the Line Appearance Association for Presence dialog by clicking Cancel.
36. Through the previous activity, user Anita Perez (aperez) has been similarly provisioned. You may investigate this if you wish,
when you are ready move on to the next activity.

Review Jabber-Config.xml
As discussed in the Lab Pre-Configuration section, a series of jabber-config.xml files have been staged on
wkst1.dcloud.cisco.com, wkst2.dcloud.cisco.com, and ad1.dcloud.cisco.com.
1.

From the Desktop of wkst1.dcloud.cisco.com, locate and open the folder CST-Jabber.

Use the windows file explorer to browse to CST-Jabber\Jabber-Config-Files\Deployment\.

Figure 131. Jabber-config.xml

Right click the file jabber-config.xml and choose Open with > Notepad.

Page 65 of 257

Cisco dCloud

Figure 132. Open With Notepad

The following parameters were added to the Directory section of the file to enable Flexible JID:

URI dialing allows users to make calls and resolve contacts with Uniform Resource Identifiers (URI). For example, a user named
Charles Holland has the following SIP URI associated with his directory number: cholland@dcloud.cisco.com. URI dialing enables
users to call Charles with his SIP URI rather than his directory number.
5.

The following parameters were added to support URI Dialing:

<EnableSIPURIDialling>True</EnableSIPURIDialling> (Required)
<BusinessPhone>telephoneNumber</BusinessPhone> (COSMETIC ONLY: If not added then the SIP URI will be
identified as the work number and the Business telephone will indicate unknown)

The following parameters were added to support the Save Chat to Exchange feature:

Close Notepad when finished reviewing the file.

NOTE: Each time a modification to the jabber-config.xml file is made in support of added features/enhancements, it must first be
uploaded to the Unified Communications Manager TFTP server, and the TFTP service must be restarted before the new
configuration becomes available to the client software.

Upload Jabber-Config.xml and Restart TFTP

From an active browser session to ucm1.dcloud.cisco.com on wkst1.dcloud.cisco.com, use the Navigation menu to
choose Cisco Unified OS Administration.

Figure 133. Navigation Menu

Click Go.

Enter the (administrator/dCloud123!) username/password combination.

Click Login.

Navigate to Software Upgrades > TFTP File Management.

Page 66 of 257

Cisco dCloud

Figure 134. TFTP File Management

Click Upload File.

Figure 135. Upload File

From the Upload File dialog, click the Browse button.

Figure 136. Upload File Dialog Box

Use the file explorer to navigate to Desktop\CST-Jabber\Jabber-Config-Files\Deployment\.

Choose the jabber-config.xml file.

10. Click Open.

11. From the Upload File dialog, click Upload File.
12. Observe the status message: File uploaded successfully.
13. Click Close.
Figure 137. File Upload Complete

14. From the Navigation menu, choose Cisco Unified Serviceability.

Figure 138. Navigation Menu

Page 67 of 257

Cisco dCloud

15. Click Go.

16. Enter the (administrator/dCloud123!) username/password combination.
17. Click Login.
18. From the Menu choose Tools > Control Center Feature Services.
Figure 139. Control Center Feature Services

19. From the Choose Server drop down list, choose ucm1.dcloud.cisco.com.
Figure 140. Select Server

20. Click Go.

21. Under CM Services, choose Cisco Tftp.
22. Click Restart.
23. Click Ok to acknowledge the Service Restart notification.
24. The page will automatically refresh displaying the status of the restart command. Wait until the message Cisco Tftp Service
Restart Operation was Successful.
Figure 141. Restart Successful

Verify Jabber-Config.xml
To confirm that the updated jabber-config.xml is being served by ucm1.dcloud.cisco.com we will use a web-browser to request
the jabber-config.xml file from the Unified Communications Manager TFTP Server.
NOTE: Internet Explorer does not properly render the XML file when requested over http in this manner. As such, we will be using
Mozilla Firefox for the next exercise.
1.

Launch Firefox by clicking the icon in the windows taskbar.

From the Cisco dCloud homepage, navigate to Collaboration User and Test Links > Jabber-Config Check. Optionally you
may manually navigate to the following URL: http://ucm1.dcloud.cisco.com:6970/jabber-config.xml.

Page 68 of 257

Cisco dCloud

Figure 142. Jabber-Config Check

Confirm that jabber-config.xml file reviewed earlier matches the output of the web browser.

Figure 143. Jabber File Output

Close the Firefox browser.

Page 69 of 257

Cisco dCloud

Activity 3: SSL Certificate Management: Cisco Unified CM and Cisco

Unified IM and Presence
Our deployment provisioning is complete. Clients should now be able to launch and use Cisco Jabber. However, one final
deployment task remains and that is SSL Certificate Management.
Currently both the Cisco Unified Communications Manager (ucm1.dcloud.cisco.com) and the Cisco Unified IM and Presence
Server (imp1.dcloud.cisco.com) are using self-signed SSL certificates generated during the installation process. Cisco Jabber
relies on SSL certificate validation to establish secure connections with applications and services hosted on servers. In so doing,
Cisco Jabber is authenticating the identity of the hosts to which it connects. Cisco Jabber will NOT automatically accept any
certificate issued by an untrusted Certificate Authority (CA), and this includes self-signed certificates.
In order to establish an environment for secure connectivity we MUST deploy CA signed certificates across all Cisco Collaboration
applications in the environment. This is also a requirement for implementation of Mobile and Remote Access with Cisco
Expressway, and SAML Single Sign-On; both addressed later in the lab.
As this is a lab environment, we will be using an instance of Microsoft Active Directory Certificate Services installed on
ad1.dcloud.cisco.com as our primary trust point. In essence, we will assume that ad1.dcloud.cisco.com is a trusted Certificate
Authority and configure Unified CM, Unified IM and Presence, and Cisco Expressway to trust any certificate signed by
ad1.dcloud.cisco.com as authentic.
In a production environment, a third party CA would take the place of ad1.dcloud.cisco.com, however the fundamental mechanics
of SSL certificate management remain unchanged.
NOTE: As Unity Connection does not play a role in the configuration or demonstration content of the exercises in this lab, a
Certificate signed by ad1.dcloud.cisco.com has already been installed as part of the pre-configuration and to avoid certificate
errors during interaction with the Cisco Jabber client in later exercises.

Activity Objectives
You will perform the following during this activity:

Identify required naming convention for Cisco Unified Collaboration service nodes

Establish a Root trust relationship between ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com with the Certificate
Authority hosted on ad1.dcloud.cisco.com

Generate and download Certificate Signing Requests for required services across Cisco Unified CM and Unified IM and
Presence

Use Microsoft Active Directory Certificate services to generate CA signed certificates for Cisco Unified CM and Unified IM
and Presence

Install CA Signed Certificates and verify operation

Page 70 of 257

Cisco dCloud

Configure Unified CM and IM and Presence with FQDNs

This operation has already been performed in advance; however, we will review the currently configured server names.
The reason for changing the Unified CM and Unified IM and Presence server names from hostname or IP address to FQDN, is so
they can be resolved by the different services and client applications, which access them over the network. The Cisco Jabber for
Windows certificate validation process expects that the identity of hosts providing services is reflected as an FQDN in the
Common Name field of CA signed certificates.
1.

From the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36), change focus of the Internet Explorer to the
browser tab connected to ucm1.dcloud.cisco.com. Use the Navigation menu to choose Cisco Unified CM Administration
and click Go.

If the login session timeout has expired from the previous activity, login with Username: administrator and
Password:dcloud123!.

From the Cisco Unified CM Administration webpage, navigate to System > Server.

Click Find.

Confirm that the server hostnames reflect their fully qualified domain name as shown.

Figure 144. FQDN List

Establish Root CA Trust

Download CA Root Certificate from CA server (AD1)
Jabber clients no longer accept the self-signed certificates installed by default on the UC servers. In this section, you will install the
CA signed certificates. You can use publicly trusted CA signed certificates or those created by an internal CA such as Microsoft
Active Directory Certificate Services. This lab makes use of the latter.
NOTE: You will download and create multiple certificates. Rename these files as they are downloaded to keep better track of them.
The default Download directory for the browsers in this lab is Desktop\CST-Jabber\Downloads.
1.
2.

On wkst1.dcloud.cisco.com, open a new tab in Internet Explorer.

From the dCloud homepage, choose dCloud Certificates > AD1 Certificate Services. Optionally, you may navigate to
http://ad1.dcloud.cisco.com/certsrv.

Figure 145. Certificate Services Link

Page 71 of 257

Cisco dCloud

Authenticate with Username: administrator and Password: C1sco12345.

Figure 146. Login Prompt

Click Download a CA certificate, certificate chain, or CRL.

Choose the radio button for Base 64 and then click Download CA certificate.

Figure 147. Download CA Certificate Steps

Click Save when prompted.

Minimize Internet Explorer and open the Desktop\CST-Jabber\Downloads folder.

Rename the certnew.cer file to CARootCert.cer.

Figure 148. CARootCert File

Upload the CA Root Certificate to Unified CM, IM and Presence

In order to create a trust point for authentication we must first configure Unified Communications Manager
(ucm1.dcloud.cisco.com) and Unified IM and Presence (imp1.dcloud.cisco.com), to trust the Root Certificate associated with
our Certification Authority. To do this we will upload the Root certificate obtained in the previous exercise to the Unified
Communications Manager Publisher (ucm1.dlcoud.cisco.com).
NOTE: From Collaboration Systems Release 10.x and onward the Cisco Unified IM and Presence service is considered a part of
the Unified Communications manager cluster. Therefore certificate replication is performed by the publisher to all nodes in the
cluster. Before this enhancement, we would have needed to perform this operation on both ucm1.dcloud.cisco.com and
imp1.dcloud.cisco.com.

Page 72 of 257

Cisco dCloud

From an active browser session to ucm1.dcloud.cisco.com, use the Navigation menu to choose Cisco Unified OS
Administration.

Login with Username: administrator and Password: dCloud123!.

Navigate to Security > Certificate Management from the menu.

Figure 149. Certificate Management Menu

Click Upload Certificate/Certificate chain.

Figure 150. Upload Certificate Icon

Choose tomcat-trust from the drop down menu. Do NOT choose tomcat.

For description, enter AD1 CA Root Certificate.

Figure 151. Upload Certificate Menu

Click Browse.

Use the file explorer to navigate to Desktop\CST-Jabber\Downloads\.

Choose the CARootCert.cer file.

Figure 152. CARootCert File

10. Click Open.

11. Click Upload.
12. Observe the Success: Certificate Uploaded message.
Figure 153. Certificate Uploaded Message

Page 73 of 257

Cisco dCloud

13. Click Close.

NOTE: In order for certificate management changes to take effect the Cisco Tomcat service must be restarted. We will restart
Cisco Tomcat in a later step.

Request and Install a CA Signed Tomcat Certificate

Generate and Download a Tomcat Certificate Signing Request (CSR)
1.

Click Generate CSR from the menu.

Figure 154. Generate CSR Icon

Set the following values in the Certificate Signing Request dialog:

Certificate Purpose: tomcat

Distribution: Multi-Server(San)

Key Length: 2048

Hash Algorithm: SHA256

Ensure that the values entered match the graphic below.

Figure 155. Generate Certificate Signing Request

Page 74 of 257

Cisco dCloud

Click Generate.

Verify that CSR generation completed successfully, and export completed for both ucm1.dcloud.cisco.com and
imp1.dcloud.cisco.com.

Figure 156. Certificate Signing Request Generated

Click Close.

Click Download CSR from the menu.

Figure 157. Download CSR Icon

Confirm Certificate Purpose is set to tomcat.

Click Download CSR.

10. Click Save when prompted.

11. Click Close to exit the download dialog.
12. Open or switch focus to the CST-Jabber\Downloads folder.
13. Right click the downloaded tomcat.csr file and choose rename.
14. Rename the file to ucm1-tomcat.csr.

Submit and Download a Tomcat CA Signed Certificate

Double click the file ucm1-tomcat.csr.

Click the button for Select a program from a list of installed programs from the file dialog pop-up.

Click OK.

Choose Notepad from the list.

Click OK.

From the Notepad main menu choose Format > Word Wrap.

Page 75 of 257

Cisco dCloud

Figure 158. Word Wrap

Press CTRL-A, to highlight all text in the open file.

Press CTRL-C, to copy highlighted data into the computer buffer.

Close the Notepad application.

10. Switch focus back to Internet Explorer and open the tab connected to AD1 Certificate Services.
11. Click the hyperlink for Home, in the upper right of the Microsoft Active Directory Certificate Services webpage.
12. Click Request a Certificate.
Figure 159. Request a Certificate

13. Click advanced certificate request.

Figure 160. Advanced Certificate Request

14. Click in the Saved Request field to make it active.

15. Press CTRL-V to past the data saved to the computer buffer.
16. From the Certificate Template drop-down choose Web Server.
Figure 161. Certificate Request

Page 76 of 257

Cisco dCloud

17. Click Submit.

18. Choose Base 64 encoded.
Figure 162. Certificate Issued

19. Click Download certificate.

20. Click Save.
21. Open the Desktop\CST-Jabber\Downloads folder.
22. Rename the certnew.cer file to ucm1-CA-tomcat.cer.

Upload CA Signed Tomcat Certificate to Unified CM

Return to Internet Explorer and choose the tab connected to ucm1.dcloud.cisco.com.

Use the Navigation menu to choose Cisco Unified OS Administration. (if not already there)

Login with Username: administrator and Password: dCloud123!. (If prompted)

Navigate to Security > Certificate Management from the menu.

Click Upload Certificate/Certificate Chain.

Figure 163. Upload Certificate Icon

Set the Certificate Purpose value to tomcat (NOT tomcat-trust).

Click Browse.

Use the file explorer to navigate to Desktop\CST-Jabber\Downloads\.

Choose the ucm1-CA-tomcat.cer file.

Figure 164. Certificate File

10. Click Open.

11. Click Upload.
12. Confirm that the operation is successful. The Unified CM Status message should appear as in the image below:

Page 77 of 257

Cisco dCloud

Figure 165. Status Message

13. Click Close.

NOTE: Because Unified CM supports the use of Multi-Server (Subject Alternative Name) SSL certificates, only a single CA Signed
certificate is required for all nodes in the Unified CM Cluster.

Request and Install a CA Signed XMPP-Trust Certificate

Upload the CA Root Certificate for XMPP-Trust
In the previous exercise, we uploaded the CA Root certificate (ad1.dcloud.cisco.com) to the Tomcat Trust store of both the
Unified Communications Manager (ucm1.dcloud.cisco.com) and the IM and Presence (imp1.dcloud.cisco.com). Next, we
generated CA Signed Tomcat certificates. We must now upload the CA Root certificate to the IM and Presence XMPP-Tomcat
trust in order to generate and install a CA Signed XMPP certificate.
1.

Open the Internet Explorer tab connected to imp1.dcloud.cisco.com.

Use the Navigation menu to choose Cisco Unified IM and Presence OS Administration.

Click Go.

Login with Username: administrator and Password: dCloud123!.

Navigate to Security > Certificate Management from the menu.

Click Upload Certificate/Certificate Chain.

Figure 166. Upload Certificate Icon

Set the Certificate Purpose field to cup-xmpp-trust.

For description, enter AD1 CA Root Certificate.

Click Browse.

10. Use the file explorer to navigate to Desktop\CST-Jabber\Downloads\.

11. Choose the CARootCert.cer file.
12. Click Open.

Page 78 of 257

Cisco dCloud

Figure 167. Upload Certificate Chain

13. Click Upload.

14. Notice the status message indicates that the Cisco XCP Router service must be restarted for changes to take effect. We will
restart the service in a later exercise.
Figure 168. Certificate Upload Success

15. Click Close.

Generate and Download a CUP-XMPP Certificate Signing Request

Click Generate CSR from the menu.

Set the following values in the Certificate Signing Request dialog:

Certificate Purpose: cup-xmpp

Distribution: imp1.dcloud.cisco.com

Key Length: 2048

Hash Algorithm: SHA256

NOTE: Subject Alternative Names (SANs) have been auto-populated based on the presence domains for which the IM and
Presence server has been configured. In our lab, this includes alpha.com, dcloud.cisco.com, and uk.dcloud.cisco.com.
3.

Ensure that the values entered match the graphic below.

Page 79 of 257

Cisco dCloud

Figure 169. Generate Certificate Signing Request

16. Click Generate.

17. Confirm successful generation.
Figure 170. Request Generated

18. Click Close.

19. Click Download CSR.
20. For Certificate Purpose, choose cup-xmpp.
21. Click Download CSR.
22. Click Save.
Figure 171. Save CSR File

23. Click Close to exit the dialog.

24. Open or switch focus to the CST-Jabber\Downloads folder.
25. Right click the downloaded cup-xmpp.csr file and choose rename.
26. Rename the file to imp1-cup-xmpp.csr.

Page 80 of 257

Cisco dCloud

Submit and Download a CUP-XMPP CA Signed Certificate

Double click the file imp1-cup-xmpp.csr (renamed in the previous step) to open.

From the Notepad main menu, choose Format and confirm that Word Wrap is highlighted.

Press CTRL-A, to highlight all text in the open file.

Press CTRL-C, to copy highlighted data into the computer buffer.

Close the Notepad application.

Switch focus back to Internet Explorer and open the tab connected to AD1 Certificate Services.

Click the hyperlink for Home, in the upper right of the Microsoft Active Directory Certificate Services webpage.

Click Request a Certificate.

Click advanced certificate request.

10. Click in the Saved Request field to make it active.

11. Press CTRL-V to past the data saved to the computer buffer.
12. From the Certificate Template drop down, choose Web Server.
Figure 172. Request Window

13. Click Submit.

14. Choose Base 64 encoded.

Page 81 of 257

Cisco dCloud

Figure 173. Certificate Download Window

15. Click Download certificate.

16. Click Save.
17. Open the Desktop\CST-Jabber\Downloads folder.
18. Rename the certnew.cer file to imp1-CA-cup-xmpp.cer.
Figure 174. CER File Name

Upload CA Signed CUP-XMPP Certificate to IM and Presence

Return to Internet Explorer and choose the tab connected to imp1.dcloud.cisco.com.

Navigate to Security > Certificate Management from the menu. (If not already on this page)

Click Upload Certificate/Certificate Chain.

Figure 175. Upload Certificate Icon

Choose cup-xmpp for Certificate Purpose.

Click Browse.

Use the file explorer to navigate to Desktop\CST-Jabber\Downloads\.

Choose the imp1-CA-cup-xmpp.cer file.

Click Open.

Click Upload.

10. Confirm that the upload is successful.

Figure 176. Upload Successful

11. Click Close.

Page 82 of 257

Cisco dCloud

12. Close Microsoft Internet Explorer.

Service Maintenance to Finalize Certificate Installation

In order to activate the newly uploaded CA signed certificates, the Cisco Tomcat service must be restarted on both
ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com (Cluster-wide tomcat certificate), and the Cisco Cisco XCP Router on
imp1.dcloud.cisco.com (cup-xmpp).
A new secure TFTP transfer process was introduced in Cisco Unified CM 11.0. This provides an SSL secured TFTP transfer of
configuration data from Cisco Unified CM to the Cisco Jabber client. In Unified CM Release 11.0, the modification of the installed
Cisco Tomcat security certificate requires that the Cisco Tftp service (if activated) on all nodes must be deactivated and then
activated again. This is to bind the certificates properly when performing the SSL handshake to authenticate secure TFTP
connections. As such, we will deactivate and re-activate the Cisco Tftp service running on ucm1.dcloud.cisco.com.
NOTE: This behavior will change in Unified CM Release 11.5, where a Restart of the Cisco Tftp service will bind the new
certificates.

Restart Cisco Tomcat for the Unified CM Cluster

Launch the terminal application PuTTY by clicking on the icon in the taskbar.

Figure 177. PuTTY Icon

Under Saved Sessions, choose the entry ucm1 and click Load.

Figure 178. PuTTY Saved Sessions

Click the Open button to launch a secure shell connection to ucm1.dcloud.cisco.com.

Login with Username: administrator and Password:dCloud123!.

Type the following command: utils service restart Cisco Tomcat

Press Enter.

While waiting for the restart command to complete, open another PuTTY session to imp1.dcloud.cisco.com by right clicking
the PuTTY icon in the taskbar.

Choose imp1 from the Recent Sessions list.

Page 83 of 257

Cisco dCloud

Figure 179. Recent Sessions

Login with Username: administrator and Password:dCloud123!.

10. Type the following command: utils service restart Cisco Tomcat
11. Press Enter.
12. Before proceeding, confirm that the Cisco Tomcat service has been restarted on both hosts as shown below.
Figure 180. Tomcat Restarted

Restart Cisco XCP Router for Unified IM and Presence

13. Type the following command: utils service restart Cisco XCP Router
14. Press Enter.
15. Before proceeding, confirm that the Cisco XCP Router service has been restarted.
Figure 181. Router Restarted

16. Type exit to close PuTTY.

NOTE: It will likely take at least 10 minutes for Cisco Tomcat and its dependent services to restart.This is an excellent time to take
a break. . If you are unable to log into the Administration interfaces of either imp1.dcloud.cisco.com or ucm1.dcloud.cisco.com
after 15 minutes, report the issue to a proctor.

Deactivate and Activate the Cisco Tftp Service

As described earlier in this section, the Cisco Tftp Service must be re-initialized by performing a Deactivation and subsequent
Activation. This process binds the newly uploaded CA signed Cisco Tomcat certificate to the secure TFTP listener to
authenticate secure connections.
1.

Launch Internet Explorer on wkst1.dcloud.cisco.com.

From the dCloud homepage navigate to: Collaboration Admin Links > Cisco Unified Comunications Manager.

Select Cisco Unified Communications Manager from the Installed Applications list.

Page 84 of 257

Cisco dCloud

NOTE: No error regarding an untrusted certificate is encountered and the address bar has changed from red to white. This is
because both imp1.dcloud.cisco.com and ucm1.dcloud.cisco.com are both using SSL certificates signed by our Root CA:
ad1.dcloud.cisco.com. All servers and workstations in this lab have been pre-configured to trust certificates signed by
ad1.dcloud.cisco.com. Therefore, these hosts trust the identity certificates provided by imp1.dcloud.cisco.com and
ucm1.dcloud.cisco.com.
4.

Use the Navigation drop down to select Cisco Unified Serviceability.

Click Go. Login with Username: administrator and Password: dCloud123!.

Navigate to Tools > Service Activation.

Figure 182. Service Activation

From the Select Server drop down menu, choose ucm1.dcloud.cisco.com.

Click Go.

In the CM Services section of the webpage, locate the entry for Cisco Tftp. Observe that the entry is checked and the current
Activation Status is Activated.

Figure 183. CM Services

10. Uncheck the entry for the Cisco Tftp service and click Save. It may take up to a minute for the operation to complete.
11. Confirm that the Activation Status of the Cisco Tftp service is now Deactivated.
12. To re-initialize the Cisco Tftp service, place a Checkmark next to the entry for Cisco Tftp. Click Save.
13. Acknowledge the Pop-Up message by clicking OK.

Page 85 of 257

Cisco dCloud

Figure 184. Service Notification

14. Once the service activation command completes, confirm that the Cisco Tftp service Activation Status is set to Activated.

Page 86 of 257

Cisco dCloud

Activity4: Jabber Client Installation and Feature Testing

Activity Objectives
In this activity, we will perform the following:

Install Jabber for Windows on WKST1 wkst1.dcloud.cisco.com (198.18.133.36)

Install Jabber for Windows on WKST2 wkst2.dcloud.cisco.com (198.18.133.37)

Verify Service Discovery and Login operations

Use Enterprise Groups to populate contacts

Confirm basic Client functionality

Chat

P2P Calling

Review the Locations feature

Confirm Save Chat History to Exchange

Confirm URI Dialing functionality

At the conclusion of this activity, we will confirm a functional Cisco Jabber for Windows installation on both demonstration
workstations and validate readiness for Advanced Feature Deployment Modules.

Cisco Jabber User Interface (UI) Updates

The activities in this lab are highly feature focused; however, it is important to note some enhancements to the Cisco Jabber user
interface. While the lab steps do not explicitly cover many of these features, they are active and the participant is encouraged to
take note of them throughout interactions with Cisco Jabber in this lab. See the figure below for more details.
Figure 185. Cisco Jabber UI Updates

Page 87 of 257

Cisco dCloud

Install Jabber on WKST1 and Login

Workstation1, wkst1.dcloud.cisco.com or 198.18.133.36, is the Windows 7 workstation assigned to demonstration user Charles
Holland (cholland).
1.

Open an RDP session to wkst1.dcloud.cisco.com (198.18.133.36). (May already be open from the previous exercise)

If prompted, login with Username: cholland and Password: C1sco12345.

Open Internet Explorer (or a new tab).

From the dCloud homepage navigate to Collaboration User and Test Links > Cisco Jabber Software Download.
Alternatively, you may navigate to the following URL: https://cisco.box.com/CST-Jabber-Installation.

Click Download to download CiscoJabberSetup.msi as seen in the image below.

Figure 186. Download Jabber Setup File

Click Run when prompted to download and launch the installer.

Figure 187. Launch Installer

Click Accept and Install to begin the installation.

Figure 188. Cisco Jabber Setup Wizard

Page 88 of 257

Cisco dCloud

Once installation is complete, the following message will be displayed.

Figure 189. Jabber Installation Success

Launch Cisco Jabber should be Checked.

10. Click Finish.

11. Cisco Jabber will launch and you will see the Finding services as it initializes for the first time and performs automatic
service discovery.
Figure 190. Finding Services

12. Once service discovery is complete, a Logon screen will appear. The username cholland should be automatically populated.
Figure 191. Jabber Login Prompt

Page 89 of 257

Cisco dCloud

NOTE: Jabber has automatically detected the UPN (User Principal Name) of the logged on user, populated the sAMAccount name
in the Username field and used the @Domain portion of the UPN as the domain to query for service Discovery.
13. Enter C1sco12345 in the Password field.
14. Click Sign In.
15. Notice the New location detected notification at first login. This will likely appear to the lower right of the remote desktop
workspace.
16. In order to get a feel for how locations may be updated and displayed, click Add to my locations.
Figure 192. New Location

17. Click Create a new location name.

18. Type a location of your choice. In our example, we use HQ as the location specified for Charles Holland.
19. Click Create.
Figure 193. Create New Location

20. Observe that Charles Holland is logged in to the Jabber client with the location data entered above.

Page 90 of 257

Cisco dCloud

Figure 194. Charles Holland Location

About the Locations feature in Cisco Jabber

The Location Update and Automated Location Detection features are new as of the Jabber 10.6 release. These allow Cisco
Jabber users to quickly and easily specify their current location and share this data with contacts as part of their presence detail.
This feature may be disabled via customization of the global jabber-config.xml file for those organizations that wish to exclude it.
The default setting for the location feature is Enabled, the default behavior of the location detection mechanism is by the detected
IP address of the clients default gateway.
Changes to Location settings can be made from within the File > Options menu of the Cisco Jabber client.
Figure 195. Cisco Jabber Options

The feature may be enabled/disabled using the Enable locations checkbox. New location detection behavior can be disabled
using the Tell me when new locations are detected checkbox. Existing locations can be deleted, edited or reassigned by
choosing a saved location from the My Locations window.
Figure 196. Locations Window

The currently assigned location can be modified by clicking on the Location icon.

Page 91 of 257

Cisco dCloud

Figure 197. Changing Location

21. Click the

Menu icon and choose File > View my profile to display and confirm information about Charles Holland.

Figure 198. Cisco Jabber Profile Menu

Figure 199. Cisco Jabber Profile Information

22. Observe and confirm the following fields and corresponding data:

Chat (IM address): cholland@dcloud.cisco.com

Work: cholland@dcloud.cisco.com and +14085556018

23. Click Cancel to close.

Page 92 of 257

Cisco dCloud

24. To test Directory lookup, type Ani in the Search or Call field. (not case sensitive)
25. Observe that the offline contact record for Anita Perez is displayed.
Figure 200. Anita Perez Contact Record

26. Click the

Menu icon and choose Help > Show connection status to confirm that the Jabber client has active

connectivity to provisioned services.

27. Confirm that the following services have Status of Connected (consult the graphic for reference):
Figure 201. Cisco Jabber Information Screen

Softphone

Status: Connected

Address: ucm1.dcloud.cisco.com

Presence

Status: Connected

Address: imp1.dcloud.cisco.com

Outlook address book

Status: Last connection successful.

Address: Outlook

Directory

Status: Last connection successful.

Address: DCLOUD.CISCO.COM (Automatically

discovered through service discovery)

28. Click Close to exit the Connection Status window.

29. This completes service discovery validation and Jabber client
connectivity.

Page 93 of 257

Cisco dCloud

Install Jabber on WKST2 and Login

Workstation2, wkst2.dcloud.cisco.com or 198.18.133.37, is the Windows 7 workstation assigned to demonstration user Anita
Perez (aperez).
1.

Open an RDP session to wkst2.dcloud.cisco.com (198.18.133.37).

Login with Username: aperez and Password: C1sco12345

Open Internet Explorer.

From the dCloud homepage navigate to Collaboration User and Test Links > Cisco Jabber Software Download.
Alternatively you may navigate to the following URL: https://cisco.box.com/CST-Jabber-Installation.

Click Download to download CiscoJabberSetup.msi as seen in the image below.

Figure 202. Cisco Jabber Setup File Download

Click Run when prompted to download and launch the installer.

Click Accept and Install to begin the installation.

Once installation is complete, the following message will be displayed.

Figure 203. Jabber Installation Success

Launch Cisco Jabber should be Checked.

10. Click Finish.

Page 94 of 257

Cisco dCloud

11. Cisco Jabber will launch and you will see the Finding services as it initializes for the first time and performs automatic
service discovery.
12. Once service discovery is complete, a Logon screen will appear. The username aperez should be automatically populated.
The lab environment has a single Active Directory domain. Even though the mail id attribute of this user is aperez@alpha.com,
the UPN assigned to the user Anita Perez is aperez@dcloud.cisco.com. In a production environment with multiple managed
domains this user would likely authenticate to a separate Active Directory infrastructure with a UPN matching the mail id attribute.
Figure 204. Login Prompt

13. Enter C1sco12345 in the Password field.

14. Click Sign In.
15. Notice the New location detected notification at first login. This will likely appear to the lower right of the remote desktop
workspace.
16. Click Add to my locations.
Figure 205. New Location

17. Click Create a new location name.

18. Type a location of your choice. In our example, we use Home Office as the location specified for Anita Perez.
19. Click Create.

Page 95 of 257

Cisco dCloud

Figure 206. Create New Location

20. Observe that Anita Perez is logged in to Jabber with the location data entered above.
Figure 207. Anita Perez Location

21. Click the

Menu icon and choose File > View my profile to display and confirm information about Anita Perez.

Figure 208. Anita Perez Profile Information

Page 96 of 257

Cisco dCloud

22. Observe and confirm the following fields and corresponding data:

Chat (IM address): aperez@alpha.com

Work: aperez@alpha.com and +12125556017

23. Click Cancel to close.

24. To test Directory lookup, type chol in the Search or Call field. (not case sensitive)
25. Observe that the contact record for Charles Holland is displayed.
Figure 209. Charles Holland Contact

26. Notice the status of Available @ HQ. This is the result of adding the HQ location in the previous activity.
27. Click the

Menu icon and choose Help > Show connection status to confirm that the Jabber client has active

connectivity to provisioned services.

28. Confirm that the following services have Status of Connected:

Softphone

Status: Connected

Address: ucm1.dcloud.cisco.com

Presence

Status: Connected

Address: imp1.dcloud.cisco.com

Outlook address book

Status: Last connection successful.

Address: Outlook

Directory

Status: Last connection successful.

Address: DCLOUD.CISCO.COM (Automatically discovered through service discovery)

29. Click Close to exit the Connection Status window.

30. This completes service discovery validation and Jabber client connectivity.

Page 97 of 257

Cisco dCloud

Test Chat, Calling, and Chat History

Add a Contact and Test Chat interaction
1.

Maintain or switch focus to the RDP session connected to wkst2.dcloud.cisco.com (198.18.133.37) for user Anita Perez.

From the Jabber Contacts tab, click Add Company Contact.

Figure 210. Add Company Contact

From the Add Contact dialog, click New Group to create a new group in which to place the new contact.

Figure 211. New Group

Type CST Favorites and click Create.

Figure 212. Create New Group

Type Char in the Search field.

Double click the contact record for Charles Holland.

Figure 213. Charles Holland Contact

Click Add.

Hover your mouse over the new contact and click the Chat icon.

Page 98 of 257

Cisco dCloud

Figure 214. Chat Option

In the chat window, type a message from Anita Perez to Charles Holland.

Figure 215. Jabber Chat Window

10. Open (Switch to) the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36) for user Chris Holland.
11. Click the chat notification to open the active chat session.
Figure 216. Chat Notification

12. Click the Add icon in the contact menu of the active chat window to add Anita Perez as a contact.
Figure 217. Add Contact

13. From the Add Contact dialog, click New Group.

Page 99 of 257

Cisco dCloud

Figure 218. New Group

14. Type CST Favorites and click Create.

15. Click Add.
16. In the chat window, type a reply message of your choice from Chris Holland to Anita Perez.
17. Switch back to the wkst2.dcloud.cisco.com RDP session (Anita Perez).
18. Type a reply message back to Chris indicating the need for a call to discuss.
19. The Chat window should have a flow similar to the one depicted
Figure 219. Chat Conversation

Escalate Chat to Voice/Video Call

NOTE: Both workstations in this exercise are virtual machines. We are leveraging a virtual camera and audio drivers to allow for
simulated audio and video between Jabber clients. You will NOT have live video or audio for test calls.
20. Click the Arrow directly to the left of the Call icon.
21. Observe that we may place a call to either the URI (cholland@dcloud.cisco.com) or Telephone Number assigned to
Charles Holland. This is because we have completed the configuration steps required to enable the URI Dialing feature. By
placing and completing a call using the Directory URI, we validate the operation of the URI Dialing feature.
22. Choose the Directory URI address to initiate the call.

Page 100 of 257

Cisco dCloud

Figure 220. Dialing Options

23. Switch back to the wkst1.dcloud.cisco.com RDP session (Charles Holland).

24. Click Answer on the Incoming call notification.
Figure 221. Incoming Call Notification

25. Note that the call is active and the virtual camera drivers are showing the text VCAM in both remote and self-view windows.
Figure 222. VCAM Video Stream

26. Observe that the presence indicator for Charles Holland has changed from Available to On a Call.
Figure 223. Charles Holland Presence Status

27. Switch back to Anita Perez on wkst2.dcloud.cisco.com.

28. Observe that the users presence indicator is in a state of On a Call.
29. Click the End Call icon to end the active call.

Page 101 of 257

Cisco dCloud

Figure 224. End Call Icon

This concludes the testing of baseline chat and voice/video calling.

30. You may continue to explore P2P chat and calling features, by attempting a call from Charles Holland to Anita Perez if you
wish. When ready, please move on to the next activity.

Save Chat History to Outlook

Jabber for Windows can be configured to automatically save chat histories to a Cisco Jabber Chats folder in users' Microsoft
Outlook application. When a user closes a chat window, the client saves the IM conversation to the Exchange server.
This allows users to more easily search all conversations both email and IM from a single location.
Earlier we enabled this feature by adding the following lines to the jabber-config.xml file in the Client section:
<Client>
<enablesavechathistorytoexchange>True</enablesavechathistorytoexchange>
<InternalExchangeServer>mail1.dcloud.cisco.com</InternalExchangeServer>
</Client>
In this exercise, we will open Microsoft Outlook and observe that the chat interactions undertaken thus far have been logged to the
Cisco Jabber Chats folder.
1.

Open (or switch to) an RDP session to wkst2.dcloud.cisco.com (198.18.133.37) for user Anita Perez.

Close any open chat windows (if any).

Launch Microsoft Outlook by clicking the icon in the task bar.

Figure 225. Outlook Icon

From the list of folders, click Cisco Jabber Chats.

Page 102 of 257

Cisco dCloud

Figure 226. Cisco Jabber Chats Folder

Observe that all chat interaction between Anita Perez and Charles Holland has been saved to the folder.

Figure 227. Jabber Chat Folder Contents

NOTE: If you do not see any chat history, ensure that all chat windows are closed. The save history feature is not activated until
the conversation has been closed.
6.

Hover your mouse over the contact entry for Charles Holland.

Figure 228. Charles Holland Contact

Integration between Cisco Jabber and the Microsoft Office Contact card with presence and click to call/chat capability is enabled.
In order to accomplish this, the proxyAddresses attribute for both Charles Holland and Anita Perez have been edited to include
a SIP URI. The graphic below shows the entry added for Charles Holland using the Active Directory Users and Computers
console.

Page 103 of 257

Cisco dCloud

Figure 229. proxyAddresses Attribute

You may test integration functionality by initiating IM or Calling using the contact card entry.

Close Microsoft Outlook.

If you wish, you may confirm the same functionality from wkst1.dcloud.cisco.com (Charles Holland). When ready move on to
the next activity. Manage Contacts using Enterprise Groups.

We have tested the manual management of contacts in Cisco Jabber. In the next exercise, we will streamline this process by
importing contacts through the Enterprise Groups feature.
In this next activity, we will explore the automatic population of Jabber contacts by using Distribution Groups synchronized from
Active Directory. Recall that in the first activity of this lab we reviewed and created groups for this purpose:

Sales

Engineering

Marketing

We confirmed that these groups synchronized with Active directory and are present within Unified Communications Manager under
User Management > User Settings > User Group.
We will now explore adding these groups and interacting with them. We will also demonstrate the dynamic nature of the Enterprise
Groups feature.

Adding Groups to the Jabber Contacts List

Open (Switch to) an RDP session to wkst1.dcloud.cisco.com (198.18.133.36) user Charles Holland.

Click the

Menu icon and choose File > New > Directory Group.

Figure 230. Directory Group

NOTE: You can add multiple groups at the same time by searching for the group name(s) entered in part or in whole. You can
double-click on the desired group(s) returned by the search. Continue adding groups in this manner until you are ready to add
them all to the Jabber Contacts list. In place of the mouse interaction, you may use either the Tab or Enter keys to add when a
single search result is returned.

Page 104 of 257

Cisco dCloud

In the Search field of the Add Directory Group dialog, type Sales.

Figure 231. Group Search

Double click Sales to add the group.

Click Add.

Observe the Sales group is added to the Contacts window. All of the members defined in the Active Directory distribution
group are present as contacts in the group. Notice that a total count of contact in the group is shown in the upper-right corner
of the group header.

Figure 232. Sales Group

NOTE: Only Anita Perez has an associated contact photo. This photo was added to the local cache from our chat interactions.
The others are missing because a Throttling Policy is enforced on picture download for contacts added through an Enterprise
Group. This behavior is designed to avoid performance degradation with wide use of the feature in the enterprise. The photo is
downloaded upon first interaction with an added contact. In our demonstration, we will click each user to download their photo.
Some contacts may have photos resolved through the address book entries in MS Outlook while exploring chat history.

Page 105 of 257

Cisco dCloud

Click on each contact in the list and observe that the contact photo is immediately downloaded.

Click the

In the Search field type Eng and press the Enter key.

Menu icon and choose File > New > Directory Group.

10. In the Search field type Mark and press the Enter key. Notice that the Enter or Tab key may be pressed as soon as the
predictive search returns a viable result.
11. Click Add.
12. If you wish, you may click each contact to download a photo.
13. Open (Switch to) an RDP session to wkst2.dcloud.cisco.com (198.18.133.37) for user Anita Perez.
14. From the Jabber hub window click the

Menu icon and choose File > New > Directory Group.

15. In the Search field, type Engineering and press Enter.

16. In the Search field type Sales and press the Enter.
17. In the Search field type Marketing and press the Enter.
18. Click Add.
Figure 233. Adding Multiple Groups

19. Click on each contact in the list and observe that the contact photo downloads instantly.

The Dynamic Nature of Enterprise Groups

A major benefit of the Enterprise Groups feature is that contact management is centralized within LDAP (Microsoft Active
Directory). When changes are made to the membership of a synchronized Directory Group (Additions/Deletions), these are
replicated during the scheduled synchronization process between Unified CM and LDAP Directory.
In the next exercise, we will connect to ad1.dcloud.cisco.com (198.18.133.1) and use the Active Directory Users and
Computers console to modify group membership by removing our two demonstration users from their respective groups.

Modify Distribution Group Membership in Active Directory

RDP to ad1.dcloud.cisco.com (198.18.133.1) and login as Administrator (administrator / C1sco12345).

From the Task Bar Click the Active Directory Users and Computers icon.

Page 106 of 257

Cisco dCloud

Figure 234. Active Directory Users and Computers Icon

Choose the dCloud Organizational Unit from the menu tree.

Double click the Sales distribution group.

Click the Members tab.

Highlight the entry for Anita Perez.

Figure 235. Members Tab

Click Remove.

Click Yes when prompted for confirmation.

Figure 236. Removal Confirmation

Click Apply.

10. Click OK to close the Sales Group.

11. Double click the Engineering distribution group.
12. Click the Members tab.
13. Highlight the entry for Charles Holland.
14. Click Remove.

Page 107 of 257

Cisco dCloud

15. Click Yes when prompted for confirmation.

16. Click Apply.
17. Click OK to close the Engineering Group.

Perform LDAP Synchronization

NOTE: In a production environment, a recurring schedule for directory synchronization is established and defined as part the LDAP
Directory Synchronization agreement. It would be during these scheduled synchronization intervals that updates to synchronized
groups would occur and be registered in Cisco Unified CM. To expedite the process of synchronization we will manually initiate an
LDAP Synchronization.
1.

Open (or switch to) an RDP session to wkst1.dcloud.cisco.com (198.18.133.36).

Open Internet Explorer or a new tab.

From the Cisco dCloud homepage, navigate to Collaboration Admin Links > Cisco Unified Communications Manager to
connect to ucm1.dcloud.cisco.com. Optionally you may manually type https://ucm1.dcloud.cisco.com in the address bar.

From the Installed Applications list, click Cisco Unified Communications Manager.

In the Username field type administrator.

In the Password field type dCloud123!.

Click Login.

In the Unified Communications Manager Administration interface, browse to System > LDAP > LDAP Directory.

Click Find.

10. Click the hyperlink for CST LDAP to open the directory configuration page.
Figure 237. Directory Configuration Page

11. Click Perform Full Sync Now.

Figure 238. Perform Full Sync Now

NOTE: In rare circumstances we have experienced an issue where the Confirm Password field, is cleared when this page is
accessed. If this happens you will receive a pop-up stating: LDAP Password:: - Passwords do not match. If this happens, enter
the password C1sco12345 in the Password and Confirm Password fields and repeat the previous step.
12. If prompted, acknowledge the webpage notification by clicking OK.

Page 108 of 257

Cisco dCloud

13. Observe the status message in upper left hand corner of the LDAP Directory configuration page.
Figure 239. Sync in Progress

14. Wait at least 60 seconds before proceeding.

Confirm User Group Update

From the main menu choose User Management > User Settings > User Group.

Click Find.

Click the Sales group hyperlink to open the membership properties.

Click Find to view current group membership.

Confirm that Anita Perez no longer appears in the list.

Figure 240. Sales Group

From the Related Links menu, choose Back to Find/List User Groups.

Click Go.

Click the Engineering group hyperlink.

Click Find.

Figure 241. Engineering Group

10. Confirm that Charles Holland has been removed from the group.

Page 109 of 257

Cisco dCloud

Observe Enterprise Group Membership Update in Jabber

If not already in focus, open the RDP session to wkst1.dcloud.cisco.com (Charles Holland).

Open the Contacts tab in Cisco Jabber.

View the Sales group and see that the contacts counter has been reduced to 9 and that Anita Perez is absent from the group.

Expand the Engineering group and see that the number of listed contacts has been reduced to 8 and that Charles Holland is
no longer listed as a member of the Engineering contact group.

Figure 242. Sales and Engineering Groups

Open (or switch to) an RDP session to wkst2.dcloud.cisco.com (Anita Perez).

Review the Sales and Engineering contact groups and confirm that the output matches the observed behavior of the Jabber
client on wkst1.

NOTE: The Contact list update for the Cisco Jabber client is almost instantaneous. Exact results may vary and depend heavily
upon load in a production environment.

Page 110 of 257

Cisco dCloud

Deployment Activity Conclusion

Congratulations! You have completed all the configuration steps required to deploy Cisco Jabber on premise. You also tested and
verified basic functionality and some new features and functionality recently added to the portfolio.

Specialized Features and Deployment Modules

The remainder of this lab is a series of Modules, each devoted to a particular advanced deployment topic. Participants are
encouraged to complete all of the modules in sequential order. However, the time limit for this lab is 4 Hours. Students wishing to
devote extra time or emphasis to one or more of the feature modules may wish to be selective in order to complete the desired
modules within the time allotted.
Students should check the amount of time left at this point in the lab and decide on which Modules to pursue.
NOTE: Modules are optional and may be completed independently except where listed as a dependency for another target
Module. The only module with pre-requisite dependencies is 3(b), which requires Modules 2 and 3a to be completed in advance in
order to test solution functionality.

Module 1: Persistent Chat (PCHAT) and Managed File Transfer (MFT)

Module 2: Mobile and Remote Access (MRA) with Cisco Expressway

Optional with no dependencies

Module 3: SAML Single Sign-On (SSO) Inside the Network

Optional with no dependencies

Module 3a: Extending SSO to the Collaboration Edge

Optional, but requires Modules 2 and 3a.

Page 111 of 257

Cisco dCloud

Module 1: Persistent Chat and Managed File Transfer

Module Overview
In this Module, we will configure the Cisco Unified IM and Presence Service as well as external components to provide Persistent
Group Chat and Managed File Transfer capabilities.

Persistent Chat
Instant messaging is an important communication option that lets you efficiently interact in today's multitasking business
environment. Cisco Unified Presence provides personal chat, group chat, and persistent chat capabilities so you can quickly
connect with individuals and groups and conduct ongoing conversations.
Personal and Group chat have been available for some time without any special configuration however these interactions are
temporary (are deleted when all participants leave the chat.).
The Persistent Chat feature provides a richer set of capabilities allowing users to create permanent chat rooms and manage
privacy and group membership settings. Persistent Chat offers users ongoing access to a discussion thread or other topic. It is
available even if no one is currently in the chat and remains available until explicitly removed from the system.
Additional administrative configuration options were recently added to the Collaboration Systems portfolio including the ability to
limit the creation of rooms to designated Group Chat Administrators.

Managed File Transfer

Managed file transfer (MFT) allows an IM and Presence Service client, such as Cisco Jabber, to transfer files to other users, ad
hoc group chat rooms, and persistent chat rooms. The files are stored in a repository on an external file server using SSHFS to
secure file transfer operations and the transaction is logged to an external database.
Unlike Peer-to-Peer file transfers, Managed File Transfer may be used in conjunction with Group and Persistent Chat to share files
in a multi-user environment.

Configuration Notes
All pertinent external services (Database, SSHFS) will be hosted on the centos.dcloud.cisco.com (198.18.134.29) running
CentOS Linux 7.
NOTE: We will be using command line access CLI through PuTTY to connect and configure the components required. Some
familiarity with these tools and systems will be helpful, but are not required.

Module Objectives
In this module, we will perform the following tasks:

Configure External PostgreSQL Database instances to support the Persistent Chat and Managed File Transfer.

Provision an SSHFS file system for use as the file store and secure transfer protocol for Managed File Transfer.

Enable SSH Key based authentication for a dedicated Managed File Transfer User.

Configure the Cisco Unified IM and Presence Service to support Persistent Chat and Managed File Transfer.

Page 112 of 257

Cisco dCloud

Update the jabber-config.xml global configuration file to enable the Persistent Chat feature.

Verify the operation of Persistent Chat and Managed File Transfer.

PostgreSQL Database Setup

An external database is required to support both the Persistent Chat and Managed File Transfer features. In this section, we will
perform the configuration steps required to create two database instances with associated database users and permissions.
Supported Databases for IM and Presence Features

PostgreSQL database, versions 8.3.x through 9.4.x are supported, and have been tested in IM and Presence Service
Release, 11.0(1), versions 9.1.9, 9.2.6, 9.3.6, and 9.4.1.

Oracle database, versions 9g, 10g, 11g, and 12c are supported, and have been tested in IM and Presence Service
Release, 11.0(1), versions 11.2.0.1.0 and 12.1.0.2.0 (Linux).

NOTE: To save time PostgreSQL server 9.4 (with dependencies) is installed on centos.dcloud.cisco.com running CentOS7.
Detailed instructions regarding the installation process and initial configuration using the YUM package installer on CentOS can be
found in Appendix A.
The database and services have been initialized using default values and the following parameters configured:

User postgres, Password postgres

PostreSQL listening on TCP port 5432

Connections and Authentication permitted from 198.18.133.0/24 (IP subnet for Collaboration Applications in the lab)

Services configured to start automatically on OS boot

Operating system configuration to permit incoming connections on TCP 5432

Some additional database parameters that are pertinent to integration are also pre-configured but these are identified
throughout the activity.

Connect to the CentOS Linux Server

NOTE: In this exercise, we will use the root account unless otherwise specified. For production environments, it is a best practice
to authenticate using a non-root account and to use the sudo option when executing commands requiring root privilege elevation.
1.

Connect and/or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36).

Open PuTTY by clicking on the icon in the taskbar.

Figure 243. PuTTY Icon

Under Saved Sessions, choose the entry CentOS and click Load.

Page 113 of 257

Cisco dCloud

Figure 244. PuTTY Saved Sessions

Click the Open button to launch a secure shell connection to the Linux Server node centos.dcloud.cisco.com.

Login with Username: root, Password:dCloud123!.

Review PostgreSQL Parameters

NOTE: This information is provided for reference only. No configuration file modifications are necessary.
To save time and avoid the potential for error the following required configuration file modifications have been made for you:
Authentication Parameters: /var/lib/pgsql/9.4/data/pg_hba.conf

Authentication Method for all connection types changed md5

Added permit statement for authenticated access from network 198.18.133.0/24

Figure 245. Authentication Parameter Changes

Database Server Parameters: /var/lib/pgsql/9.4/data/postgresql.conf

Uncommented (remove # start of line) and set the following values:

listen_addresses = '*'
o

Instructs the service to listen on all IP Interfaces

port = 5432
o

instructs the service to listen on TCP Port 5432

escape_string_warning = off

standard_conforming_strings = off

NOTE: DO NOT COPY and PASTE PostgreSQL commands into the PuTTY console session. For your convenience, a text file
with the commands that may be copied and pasted into the console is located on wkst1.dcloud.cisco.com (198.18.133.36) at the
path: Desktop\CST-Jabber\Utilities\PostgreSQL-Commands.txt. Open the file in the Notepad application and copy and paste
where appropriate.

Page 114 of 257

Cisco dCloud

Launch the PSQL Client

Launch the psql utility by typing: psql U postgres

At the Password prompt type: postgres

Figure 246. PSQL Client Launch

Create Database Users

Create the Persistent Group Chat database user with permissions by typing:
CREATE ROLE tcuser LOGIN CREATEDB SUPERUSER;

Press Enter.

Create the Managed File Transfer database user with permissions by typing:
CREATE ROLE mftuser LOGIN CREATEDB SUPERUSER;

Press Enter.

Figure 247. Create User Roles

Create Databases
7.

Create the Persistent Group Chat database tcmadb by typing:

CREATE DATABASE tcmadb WITH OWNER tcuser ENCODING 'UTF8';

Press Enter.

Create the Managed File Transfer database mftadb by typing:

CREATE DATABASE mftadb WITH OWNER mftuser ENCODING 'UTF8';

10. Press Enter.

Figure 248. Create Databases

Page 115 of 257

Cisco dCloud

11. Confirm database creation by typing :

\list

12. Press Enter.

13. Confirm that both the tcmadb and mftadb databases are listed in the command output.
Figure 249. Database Creation Successful

Set DB User Passwords

14. Set the password for tcuser by typing:
ALTER ROLE tcuser WITH PASSWORD 'tcuser';

15. Press Enter.

16. Set the password for mftuser by typing:
ALTER ROLE mftuser WITH PASSWORD 'mftuser';

17. Press Enter.

Figure 250. Setting User Roles

Set Persistent Chat Database Parameters

18. Type the following to connect to the tcmadb (Persistent Chat Database) as the postgres user.
\connect tcmadb

19. Press Enter. Observe the status message: You are now connected to database "tcmadb" as user "postgres".
20. Type the following to create a required function:
CREATE FUNCTION plpgsql_call_handler () RETURNS LANGUAGE_HANDLER AS '$libdir/plpgsql' LANGUAGE C;

21. Press Enter. Confirm that command output matches the graphic below.

Page 116 of 257

Cisco dCloud

Figure 251. Command Success Output

Set Managed File Transfer Database Parameters

22. Type the following to connect to the mftadb (Managed File Transfer Database) as the postgres user.
\connect mftadb

23. Press Enter. Observe the status message: You are now connected to database "mftadb" as user "postgres".
24. Enter the password postgres to authenticate.
25. Type the following to create a required function:
CREATE FUNCTION plpgsql_call_handler () RETURNS LANGUAGE_HANDLER AS '$libdir/plpgsql' LANGUAGE C;

26. Press Enter. Confirm that command output matches the graphic below.
27. Command Success Output

28. Type the following command to quit the psql session:

29. Press Enter.

Set Up External Database Entries on the IM and Presence Service

In the following activity, you will configure Unified IM and Presence to connect to the database(s) created in the previous steps.
1.

Open a New Tab in the active Internet Explorer window. If necessary, open a new Internet Explorer session.

Navigate to Collaboration Admin Links > Cisco Unified IM and Presence Service.

Figure 252. Collaboration Admin Links

Page 117 of 257

Cisco dCloud

Click the Cisco Unified Communications Manager IM and Presence hyperlink.

Log in to Unified IM and Presence with the (administrator/dCloud123!) password combination.

From the menu choose Messaging > External Server Setup > External Databases.

Configure Persistent Chat Database Entry

Click Add New.

Set the following values:

Database Name: tcmadb

Database Type: Postgres

Description: Persistent Chat Database

User Name: tcuser

Password: tcuser

Confirm Password: tcuser

Hostname: centos.dcloud.cisco.com

Port Number: 5432

Figure 253. External Database Settings

8.
9.

Click Save.
Note that the External Database status indicates that the server is reachable. You may ignore the warning, which indicates
that the server must be mapped to a service for any further tests to be performed.

Page 118 of 257

Cisco dCloud

Figure 254. Database Status

Configure Managed File Transfer Database Entry

10. Click Add New.
11. Set the following values:

Database Name: mftadb

Database Type: Postgres

Description: Managed File Transfer DB

User Name: mftuser

Password: mftuser

Confirm Password: mftuser

Hostname: centos.dcloud.cisco.com

Port Number: 5432

Figure 255. External Database Settings

12. Click Save.

13. Note that the External Database status indicates that the server is reachable.

Page 119 of 257

Cisco dCloud

Set Up an External File Server for MFT

In this exercise, we will provision SSH and the file system required to support the Managed File Transfer feature.
1.

Switch back to the PuTTY session connected to centos.dcloud.cisco.com. If necessary, open a new PuTTY session to
centos.dcloud.cisco.com. Login as root with the password dCloud123!.

To allow private/public key authentication, make sure that the following fields in the /etc/ssh/sshd_config file are set as follows:

RSAAuthentication yes

PubkeyAuthentication yes

NOTE: These values are set by default; however, we will validate them with the following step.
3.

Type the following command to search the /etc/ssh/sshd_config file for the values described above.
cat /etc/ssh/sshd_config | grep Authentication

Press Enter.

Multiple lines are returned however, the output depicted in the graphic indicates that the default value of these two parameters
is set to yes.

Figure 256. Command Output

Add and Configure a User for Managed File Transfer

Type the following command to create a user name mftuser:

useradd -m mftuser

Press Enter.

Switch to the mftuser by typing:

su mftuser

Press Enter.

10. Create a .ssh directory under the mftuser home directory that is used as a key store by typing:
mkdir ~mftuser/.ssh/

11. Press Enter.

12. Create an authorized_keys file under the .ssh directory that is used to hold the public key text for each IM and Presence
Service node. Type the following:
touch ~mftuser/.ssh/authorized_keys

13. Press Enter.

Page 120 of 257

Cisco dCloud

14. Set the correct permissions for passwordless SSH to function by typing the following commands. Press Enter after each
command.
chmod 700 ~mftuser
chmod 700 ~mftuser/.ssh/
chmod 700 ~mftuser/.ssh/authorized_keys

15. Type exit to return to the root shell.

Create a Directory Structure for MFT

Next, we will create a file directory structure where files transferred using the MFT feature will be stored. We will ensure that the
user created in the previous step has ownership and the permissions needed to read, write, and delete files.
16. To create a top-level directory named mftFileStore to hold sub directories for all of the IM and Presence Service nodes that
have managed file transfer enabled. Type the following:
mkdir -p /opt/mftFileStore/

17. Press Enter.

18. Give ownership of the newly created /opt/mftFileStore directory to user mftuser.
chown mftuser:mftuser /opt/mftFileStore/

19. Press Enter.

20. Specify directory permissions that permit Read, Write, and Execute by the mftuser account only by typing:
chmod 700 /opt/mftFileStore/

21. Press Enter.

22. Create a subdirectory under /opt/mftFileStore/ for each managed file transfer enabled node. In our case, this is
imp1.dcloud.cisco.com. Type the following commands one per line and press Enter after each:
su mftuser
mkdir /opt/mftFileStore/imp1

23. To verify the previous exercise enter the following commands and compare the output with the graphic provided. Commands
are entered one per line and the Enter key should be pressed after each.
ls -al ~/.ssh/
ls -al /opt/mftFileStore/

24. Confirm that the output displayed in PuTTY matches the highlighted lines in the graphic. This validates that all required files
and directories have been created and assigned permissions correctly.

Page 121 of 257

Cisco dCloud

Figure 257. Command Output

Obtain the Server Public Key

In order to implement key-based SSH authentication for the mftuser for file transfers between centos.dcloud.cisco.com and
imp1.dcloud.cisco.com, both servers will need to be aware of the Public Key provided by the other. In this step, we will obtain the
Public Key of the MFT server, which will be provided to imp1.dcloud.cisco.com during the configuration process.
1.

Obtain the public key of the centos.dcloud.cisco.com file server by typing:

ssh-keyscan -t rsa centos.dcloud.cisco.com

Press Enter.

Copy the result of the ssh-keyscan command. Highlight the desired text and left-click the mouse to copy the selection to the
buffer. Be certain to copy the entire key value, from the server hostname, FQDN, or IP address to the end. Consult the graphic
below for reference.

Figure 258. Command Copy

Open the Notepad text editor by clicking on the icon in the taskbar.

Click Format and ensure that Word Wrap is un-checked. We want to paste the key as a single line.

NOTE: Do NOT paste the key text with Word Wrap enabled in Notepad. Ensure that Word Wrap is un-checked before proceeding.
6.

Paste the contents of the buffer by using the Ctrl-V key combination. You may also left click and choose Paste from the menu.

Figure 259. Pasted Command

Choose File > Save.

In the SaveAs dialog, browse to the Desktop\CST-Jabber folder.

Page 122 of 257

Cisco dCloud

Type MFT-Server-Pubkey in the File Name field.

10. Click Save.

11. Close Notepad.
12. Minimize, but leave the PuTTY session open, as it will be used during the provisioning of the MFT feature.

Configure Persistent Group Chat

While there are many permission settings and additional administrative controls introduced in the current Collaboration Systems
Release, we will focus on placing limitations for Room Creation to only those users designated as Group Chat Administrators.
1.

Open Internet Explorer and choose the tab for IM and Presence Server (imp1.dcloud.cisco.com). If necessary, launch
Internet Explorer and navigate to Collaboration Admin Links > Cisco Unified IM and Presence Service.

Login with Username administrator and Password dCloud123!.

From the menu, choose Messaging > Group Chat and Persistent Chat.

Enable Persistent Chat

Set the following parameter values:

Enable Persistent Chat: Checked

Allow only group chat system administrators to create persistent chat rooms: Checked

Persistent Chat Database Assignment: tcmadb

Figure 260. Group Chat Alias Settings

Click Save.

Page 123 of 257

Cisco dCloud

NOTE: For this change to take effect, the Cisco XCP Router and Cisco XCP Text Conference Manager must be restarted. We
will do so in a later step.

Check Persistent Chat Database Connectivity

Navigate to Messaging > External Server Setup > External Databases.

Click Find.

Click the tcmadb hyperlink to open.

Scroll down to External Database Status viewer and observe the connectivity state. All tests should return a successful
result.

Figure 261. Connectivity States

Assign Group Chat Administrator Privileges

Our configuration specifies that ONLY Administrators have the ability to create Chat Rooms. In this exercise, Group Chat
Administrator privileges will be assigned to Charles Holland.
1.

From the menu choose Messaging > Group Chat Administrators.

Click Add New.

Enter the following parameters:

IM Address: cholland@dcloud.cisco.com

Nickname: Charles Holland

Description: Group Chat Administrator

Click Save.

From the Related Links menu, choose Back to Find/List.

Click Go.

Click Find and confirm that row for cholland@dcloud.cisco.com is returned.

Place a Checkmark in the Enable group chat system administrator privileges checkbox in the upper left of the screen.

Click Save.

Page 124 of 257

Cisco dCloud

Figure 262. User Settings

Modify Jabber Client Configuration

Review the parameters required to enable the Persistent Chat feature and upload an updated Jabber-Config.xml file.

Update Jabber-Config.xml
Persistent Chat is Disabled by default in Cisco Jabber for Windows. In order to enable the feature we must update the jabberconfig.xml file. As with our previous exercises, a pre-configured jabber-config.xml file has been staged for you.
1.

From the Desktop of wkst1.dcloud.cisco.com, locate and open the folder CST-Jabber.

Figure 263. CST Jabber Folder

Use the windows file explorer to browse to CST-Jabber\Jabber-Config-Files\Module1\.

Right click the file jabber-config.xml and click Open with > Notepad.

Figure 264. Open With Notepad

The following parameters were added to the Client section of the file to enable Persistent Chat:

<Persistent_Chat_Enabled>True</Persistent_Chat_Enabled>

Upload Jabber-Config.xml
1.

From an active browser session to ucm1.dcloud.cisco.com, use the Navigation menu to choose Cisco Unified OS
Administration.

Page 125 of 257

Cisco dCloud

Figure 265. Cisco Unified OS Administration

Click Go.

Login with Username administrator and Password dCloud123!.

Click Login.

From the menu choose Software Upgrades > TFTP File Management.

Figure 266. TFTP File Management

Click Upload File.

Figure 267. Upload File Icon

From the Upload File dialog, click the Browse button.

Figure 268. Upload File Dialog

Use the file explorer to navigate to Desktop\CST-Jabber\Jabber-Config-Files\Module1.

Choose the jabber-config.xml file.

10. Click Open.

11. From the Upload File dialog, click Upload File.
12. Observe the status message: File uploaded successfully.
13. Click Close.

Page 126 of 257

Cisco dCloud

Figure 269. File Uploaded Successfully

Restart the Cisco Tftp Service

From the Navigation menu choose Cisco Unified Serviceability

Figure 270. Cisco Unified Serviceability

Click Go.

Enter the (administrator/dCloud123!) username/password combination.

Click Login.

From the Menu choose Tools > Control Center Feature Services.

Figure 271. Tools Menu

From the Select Server drop down list, choose ucm1.dcloud.cisco.com.

Figure 272. Select Server Menu

Click Go.

Under CM Services, choose Cisco Tftp.

Click Restart.

10. Click Ok to acknowledge the Service Restart notification.

11. The page will automatically refresh, displaying the status of the restart command. Wait until the message Cisco Tftp Service
Restart Operation was Successful.

Page 127 of 257

Cisco dCloud

Figure 273. Operation Successful

Launch Firefox by clicking the icon in the windows taskbar.

From the dCloud homepage, navigate to Collaboration User and Test Links > Jabber-Config Check. Optionally, you may
manually navigate to the following URL: http://ucm1.dcloud.cisco.com:6970/jabber-config.xml.

Figure 274. Jabber Config Check

Confirm that jabber-config.xml file reviewed earlier matches the output of the web browser.

Figure 275. File Output

Close the Firefox browser.

Page 128 of 257

Cisco dCloud

Restart IM and Presence Services

As stated earlier, when making changes to the Persistent Chat configuration, a restart of the Cisco XCP Router service is
required. In this case, the Cisco XCP Text Conference Manager must also be restarted.
1.

Switch back to the active Internet Explorer browser tab connected to the Control Center Feature Services page.

From the Select Server menu to choose imp1.dcloud.cisco.com.

Click Go.

In the IM and Presence Services section, click the radio button for Cisco XCP Text Conference Manager.

If the service status is Running, click Restart. If the service status is Not running, click Start.

Confirm that service starts successfully.

Figure 276. Service Start Successful

Navigate to Tools > Control Center Network Services.

From the Select Server menu, choose imp1.dcloud.cisco.com.

Click Go.

10. Scroll to the IM and Presence Services section and click the radio button for Cisco XCP Router.
11. Click Restart. You may need to scroll to the top of the page to see the Restart option.
12. Acknowledge the Restart warning if prompted.
NOTE: Because a Restart of the Cisco XCP Router services causes a restart to all dependent XCP related services it may take
some time for this command to fully complete and return a result.
13. Verify a successful restart message is received.
Figure 277. Restart Successful

Test Persistent Chat

In this activity, we will interact with the Group Chat feature to confirm functionality.

Confirm Feature Activation

Close the Cisco Jabber for Windows clients (if open) on both wkst1.dcloud.cisco.com and wkst2.dcloud.cisco.com, by
Clicking Menu

> Exit.

Page 129 of 257

Cisco dCloud

Switch focus to the wkst1.dcloud.cisco.com (198.18.133.36) RDP session.

Launch Cisco Jabber by double clicking the icon on the desktop.

Figure 278. Jabber Icon

Login with Username cholland and Password C1sco12345.

Notice the Chat Rooms tab now present in the Jabber Client user interface.

Figure 279. Jabber Chat Rooms Icon

Switch focus to the wkst2.dcloud.cisco.com (198.18.133.37) RDP session.

Launch Cisco Jabber by double clicking the icon on the desktop.

Login with Username aperez and Password C1sco12345.

Confirm that the Chat Rooms tab is visible.

Create a Restricted Persistent Chat Room

Switch to the RDP session for wkst1.dcloud.cisco.com(198.18.133.36).

From the Jabber client click the Chat Rooms tab.

Choose All Rooms.

Click New Room.

Page 130 of 257

Cisco dCloud

Figure 280. New Chat Room

Enter the following values in the dialog:

Name: CST Members Only

Description: Collaboration Specialist Training

Type: Restricted

Add to My Rooms: Checked

Click the Password button to set a room password.

On the Set Room Password pop-up, Click Password protect this chat room.

Type a password of your choice in the Password field, and re-type in Verify field.

Click Save.

Figure 281. Room Password

Page 131 of 257

Cisco dCloud

10. Confirm that the settings entered match the graphic below and click Create.
Figure 282. New Room Information

11. When the add members to the room dialog is displayed, click Add Now.
Figure 283. Add Room Members

12. In the Add room members search field enter Anita.

13. Double click the contact entry for Anita Perez to add to the list.
14. Click Save.
15. Observe that the CST Members Only group chat window is opened automatically and that Charles Holland is added as an
active conversation participant.

Page 132 of 257

Cisco dCloud

Figure 284. Active Chat Room

Interacting with Persistent Chat

Switch to the RDP session connected to wkst2.dcloud.cisco.com (Anita Perez).

Click the Chat Rooms tab.

Observe that CST Members Only was automatically added to the My Rooms list for Anita Perez. This is because we added
Anita Perez as a user during the room creation process.

Figure 285. Anita Perez Chat Rooms

Double click the CST Members Only chat room entry.

Enter the password created for the room earlier and click Ok.

Observe that both Charles Holland and Anita Perez are present in the participants list.

Feel free to type a chat message of your choice such as Hi Charles.

Switch back to the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

Page 133 of 257

Cisco dCloud

From the main Jabber Client window, click the Chat Rooms tab and choose All rooms.

10. Observe that there are no rooms listed. This is because CST Members Only was created as an unlisted Restricted room
visible only to members. Only Room Moderators can add additional participants, who will then be able to access the room
from the My Rooms list, as we saw in the case of Anita Perez once added as a member.
Figure 286. Charles Holland Chat Rooms

11. Notice a key difference between the CST Members Only room layout displayed for Charles Holland versus Anita Perez; the
room layout for Charles Holland contains an Edit Room menu option as seen below, which is absent from the chat window
on Anitas Jabber client.
Figure 287. Edit Room Option

12. Recall that Charles Holland is a room administrator while Anita Perez is only a participant. He therefore has the capability to
administer features of the room.

Adding Members and Moderators

13. Click the Edit Room icon.
14. Add Anita Perez as a room moderator by searching for Anita Perez in the Moderators field.
15. Double click the contact record for Anita Perez, to add to the list of moderators.
Figure 288. Room Moderators

16. Click Save.

17. Close the CST Members Only chat window to leave for now.

Page 134 of 257

Cisco dCloud

18. Switch to the RDP session connected to wkst2.dcloud.cisco.com (Anita Perez).

19. Close the active Group Chat window.
20. Notice that a moderator notification is delivered to the Desktop. Click the Enter button.
Figure 289. Room Moderator Notification

21. Examine the Group Chat window and verify that the Edit Room option is now an option for Anita Perez.
22. Click the Edit Room icon.
23. Click the green + icon next to Members.
24. Search for and add Adam McKenzie, click Save.
25. Observe the current room properties.
Figure 290. Room Information

26. Click Save to complete this change.

Page 135 of 257

Cisco dCloud

Other Persistent Chat Features

The Persistent Chat interface offers several ways to filter notifications giving priority to activity in rooms that is of particular interest.
One of the built in filters, My Mentions, delivers notifications about new chat topics where the Jabber user has been tagged. This
can be especially valuable when a user is a member of multiple active rooms and requires a way to identify priority communication.
1.

Open the RDP session connected to wkst2.dcloud.cisco.com (Anita Perez).

Open the CST Members Only Chat Room.

Type the @ symbol in the chat window, and notice that this brings up a search field.

Search for Charles Holland and double click the contact record.

Figure 291. Charles Holland Contact Record

Jabber has created a Tag for user Charles Holland. Type some text of your choice and then press Enter.

Figure 292. User Tagging

Switch to the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

Observe that there are two notifications displayed on the Chat Rooms tab. When clicked it is apparent that both My Rooms
and Filters have new entries.

Figure 293. Chat Room Notifications

Click Filters and observe that the My Mentions filter has an entry because of the IM in which Charles was tagged.

Page 136 of 257

Cisco dCloud

Double click the entry for My Mentions @ Charles Holland. An entry for each tagged post will appear.

Figure 294. My Mentions

10. Mouse over the entry from Anita Perez in CST Members Only and click the Door icon to enter the room automatically.
Figure 295. My Mentions Entry

Figure 296. Chat Room Conversation

11. This example illustrates how filters can be used to quickly identify priority communication and join pertinent conversations and
Chat interactions.
12. Feel free to continue testing this feature between our demonstration users. When ready, close all open chat windows on
wkst1 and wkst2 and proceed to the next activity.

Configure Managed File Transfer

While Peer-to-Peer file transfer between Jabber clients has been available for some time, Managed File Transfer is new feature
introduced beginning with the Jabber 10.6 client with Collaboration System release 10.5(2).
Managed File Transfer provides the following key capabilities:

Support for File Transfer operations in Group Chat/Persistent Chat Rooms

Page 137 of 257

Cisco dCloud

Compliance and Policy Control for File Transfers

Administrative control of maximum file transfer size

Confirm the Behavior of Peer-to-Peer File Transfer

Open the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

Start a new conversation with Anita Perez.

Click the Send a file icon.

Figure 297. Send File Icon

Browse to the Desktop\CST-Jabber\FileTransfer folder and choose Expenses.xlsx.

Figure 298. File Navigator

Click Open.

Observe the file transfer status in the chat window.

Figure 299. File Transfer

Page 138 of 257

Cisco dCloud

Switch to the RDP session connected to wkst2.dcloud.cisco.com (Anita Perez).

An incoming chat notification is in the task bar. Hover the mouse over the jabber icon in the Windows task tray and choose the
entry for Charles Holland.

A notification in the conversation window of the Jabber Client is displayed prompting the user to accept or decline the file
transfer. Click Accept.

Figure 300. Accept File Transfer

10. Once the transfer is complete, click Show Folder.

11. Files transferred in this way are stored in the path My Documents\MyJabberFiles\<JID of file sender>\. In this case, it was
sent from cholland@dcloud.cisco.com, so the path would be:
My Documents\MyJabberFiles\cholland@dcloud.cisco.com\ Expenses.xlsx
Figure 301. Transferred File

12. Switch to the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

13. Open the CST Members Only chat room, by clicking Chat Rooms > My rooms > CST Members Only.
14. Observe that no file transfer option is available in the Group Chat interface. This is because File Transfer in Group chat is only
available given the implementation of Managed File Transfer.
Figure 302. Group Chat Interface

Enable Managed File Transfer in Unified IM and Presence

From the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland), open Internet Explorer and click the tab
for IM and Presence Server (imp1.dcloud.cisco.com). Open and navigate to the server if necessary.

Ensure that Cisco Unified CM IM and Presence Administration is selected in the Navigation menu and click Go.

Login with Username administrator, Password dCloud123!.

Page 139 of 257

Cisco dCloud

Navigate to Messaging > External Server Setup > External File Servers.

Figure 303. External File Servers

Click Add New.

Configure the following values under External File Server Configuration.

Name: centos.dcloud.cisco.com

Host/IP Address: centos.dcloud.cisco.com

External File Server Directory: /opt/mftFileStore/imp1

User Name: mftuser

NOTE: Do not attempt to save at this time. The Public Key for centos.dcloud.cisco.com obtained and saved earlier must be
retrieved to complete the configuration.
7.

If not already open, open the text file Desktop\CST-Jabber\MFT-Server-Pubkey saved earlier in this exercise.

Press Ctrl-A to select all text and then Ctrl-C to copy the text to the computer copy buffer.

Switch back to the External File Server Configuration dialog in Internet Explorer.

10. Paste the copied text into the External File Server Public Key field by clicking in the field and using the Ctrl-V keystroke
combination.
Figure 304. Public Key Information

11. Click Save.

12. The External File Server Status output may be disregarded at this point. No connection attempt or test is made until the
feature has been fully enabled.
13. From the menu, choose Messaging > File Transfer.
14. Set the following parameters:

File Transfer Type: Managed File Transfer

Maximum File Size: 4096

Page 140 of 257

Cisco dCloud

External Database: mftadb

External File Server: centos.dcloud.cisco.com

Figure 305. File Transfer Configuration

15. Click Save.

Add IM and P Public Key for Key based Authentication

16. Locate the hyperlink for Public Key now present in Node Public Key field in the Managed File Transfer Assignment section
at the bottom of the configuration page.
Figure 306. Public Key

17. Click the Public Key hyperlink.

18. Copy the key text displayed in the View Node Public Key dialog.
Figure 307. Public Key Text

Page 141 of 257

Cisco dCloud

19. Click Close to exit the View Node Public Key dialog.
20. Switch focus to the PuTTY session currently connected to centos.dcloud.cisco.com. (left open from earlier in this module)
21. Ensure that you are logged on as user mftuser. To check type the following command followed by the Enter key.
whoami

22. If the result is anything other than mftuser, type su mftuser, followed by the Enter key, otherwise move on to the next step.
23. Use the nano editor to add the Public Key of the imp1.dcloud.cisco.com IM and Presence node to the authorized_keys file
created earlier by typing:
nano /home/mftuser/.ssh/authorized_keys

24. Right click the mouse anywhere inside the PuTTY console to paste the contents of the copy buffer into the editor. The output
should be similar to the graphic below.
Figure 308. Key Output

25. Press Ctrl-Shift X.

26. When prompted to save type y.
Figure 309. Save Dialog

27. Press Enter to confirm the filename.

Figure 310. File Name Confirmation

28. Confirm that the file has been updated by typing the following command:
cat /home/mftuser/.ssh/authorized_keys

29. The key should be displayed as in the graphic below.

Figure 311. Key Output

Page 142 of 257

Cisco dCloud

30. Close PuTTY once confirmed.

Activate the XCP File Transfer Manager Service

In order to activate the Managed File Transfer features, the Cisco XCP File Transfer Manager service must be activated.
1.

Switch back to the active Internet Explorer browser tab connected to imp1.dcloud.cisco.com.

From the Navigation menu, choose Cisco Unified IM and Presence Serviceability.

Click Go.

Login with Username: administrator, Password: dCloud123! (if prompted).

From the menu choose Tools > Service Activation.

Choose imp1.dcloud.cisco.com and click Go.

Place a checkmark next to the Cisco XCP File Transfer Manager service.

Figure 312. File Transfer Manager Service

Click Save.

Click OK, to acknowledge the Service Activation warning.

10. Observe service activation, by confirming that the Activation Status has transitioned from Deactivated to Activated.

Confirm Connectivity between Unified IM and Presence and SSHFS

Use the Navigation drop down to choose Cisco Unified IM and Presence Administration, click Go.

Navigate to Messaging > External Server Setup > External File Servers.

Click Find.

Click the hyperlink for centos.dcloud.cisco.com.

Confirm that all connectivity test indicate a successful result (as below):

Figure 313. Connectivity Test

Page 143 of 257

Cisco dCloud

At this time, close the Cisco Jabber for Windows clients running on wkst1 and wkst2, by choosing Menu > Exit.

Testing Managed File Transfer

Open the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

If the Jabber client is open, close it now by choosing Menu > Exit.

Launch Cisco Jabber by double clicking on the Jabber icon on the Desktop.

Login with Username cholland and Password C1sco12345.

Switch to the RDP session connected to wkst2.dcloud.cisco.com (Anita Perez).

If the Jabber client is open, close it now by choosing Menu > Exit.

Launch Cisco Jabber by double clicking on the Jabber icon on the Desktop.

Login with Username: aperez and Password: C1sco12345.

Switch back the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

10. Double click the contact for Anita Perez to open a chat window.
11. Click the Send a file icon.
Figure 314. Send File Icon

12. Browse to the Desktop\Jabber-Files\FileTransfer folder and choose Budget.xlsx.

Figure 315. File Navigator

13. Click Open.

14. Switch to the RDP session connected to wkst2.dcloud.cisco.com (Anita Perez).
15. Open the conversation with Charles Holland from the Jabber application running in the task bar.
Figure 316. Task Bar Conversation

16. Notice that rather than being prompted to Accept or Decline the transfer, Anita has the option to Download if desired.

Page 144 of 257

Cisco dCloud

Figure 317. Download Option

This is because with Managed File Transfer activated for all transfers, the file is transferred to the External File Server
(centos.dcloud.cisco.com), rather than directly to Anitas workstation. Now, Anita Perez can choose to download the file at her
leisure.
17. Click Download to complete the file transfer.
18. Click Show Folder and notice that just as with peer to peer file transfer the newly added Budget.xlsx has been saved to the
path My Documents\MyJabberFiles\cholland@dcloud.cisco.com\Budget.xlsx.
19. Close or minimize the active conversation with Charles Holland.
20. Click the Chat Rooms tab.
21. Choose the My Rooms list and open the CST Members Only chat room.
22. Enter the password you assigned to the room when created and OK.
23. Confirm that the Send a file icon is now present from within the Group Chat interface.
Figure 318. Group Chat Interface

.
24. Feel free to execute a file transfer for either the Budge.xlsx or Expenses.xlsx file in Desktop\CST-Jabber\FileTransfer to
confirm that a permitted file size is transferred successfully through the Group Chat interface.

Test Administrative Size Restriction for Managed File Transfer

Recall that when configuring the Managed File Transfer feature we set a size limit of 4096 kB or 4MB. We will now attempt to
transfer a file that exceeds this limit, to confirm and observe how this restriction is enforced.
25. Click the Send a file icon to initiate the file transfer.
26. Browse to Desktop\CST-Jabber\FileTransfer.

Page 145 of 257

Cisco dCloud

27. Notice that the file SRND.pdf is approximately 48MB in size, which is well over the administrative limit we defined.
28. Choose SRND.pdf and click Open.
29. A notification indicating that the file size exceeds the defined limit is immediately presented in the conversation window.
Figure 319. File Size Restriction

This concludes the Persistent Chat and Managed File Transfer Lab Module.

Page 146 of 257

Cisco dCloud

Module 2: Mobile and Remote Access (MRA) with Cisco Expressway

Module Overview
In this Module, we configure Expressway Core and Edge to provide Mobile and Remote Access (MRA) capability.

About the Cisco Expressway

Cisco Expressway is designed specifically for comprehensive collaboration services provided through Cisco Unified
Communications Manager. It features established firewall-traversal technology and helps redefine traditional enterprise
collaboration boundaries, supporting our vision of any-to-any collaboration.

As its primary features and benefits, Cisco Expressway:

Offers proven and highly secure firewall-traversal technology to extend your organizational reach

Helps enable business-to-business, business-to-consumer, and business-to-cloud-service-provider connections

Provides session-based access to comprehensive collaboration for remote workers, without the need for a separate VPN
client

Supports a wide range of devices with Cisco Jabber for smartphones, tablets, and desktops

Complements bring-your-own-device (BYOD) strategies and policies for remote and mobile workers

The Expressway solution is deployed as a pair, an Expressway-C with a trunk and line-side connection to Unified CM, and an
Expressway-E deployed in the DMZ and configured with a traversal zone to an Expressway-C. Expressway may be clustered to
provide High Availability (HA) for deployments.

Expressway-C
Expressway-C delivers any-to-any enterprise wide conference and session management and interworking capabilities. It extends
the reach of TelePresence conferences by enabling interworking between Session Initiation Protocol (SIP) and H.323-compliant
endpoints, interworking with third-party endpoints. It integrates with Unified CM and supports third-party IP private branch
exchange (IP PBX) solutions. Expressway-C implements the tools required for creative session management, including definition
of aspects such as routing, dial plans, and bandwidth usage, while allowing organizations to define call-management applications,
customized to their requirements.

Expressway-E
The Expressway-E deployed with the Expressway-C enables smooth video communications easily and securely outside the
enterprise. It enables business-to-business video collaboration, improves the productivity of remote and home-based workers, and
enables service providers to provide video communications to customers. The application performs securely through standardsbased, secure firewall traversal for all SIP and H.323 devices. As a result, organizations benefit from increased employee
productivity and enhanced communication with partners and customers.

Page 147 of 257

Cisco dCloud

It uses an intelligent framework that allows endpoints behind firewalls to discover paths through which they can pass media, verify
peer-to-peer connectivity through each of these paths, and then choose the optimal connection path, eliminating the need to
reconfigure enterprise firewalls.
The Expressway-E is built for high reliability and scalability, supporting multi-vendor firewalls, and can traverse any number of
firewalls regardless of SIP or H.323 protocol.

External (Remote) Jabber Service Discovery

Jabber Edge Detection is the Jabber Client service discovery process, which allows Cisco Jabber to determine whether it is
operating internal or external to services inside the corporate network.
If the DNS query process returns at least one _cisco-uds SRV record , Jabber assumes itself to be internal and will use the
configuration in the assigned UC Service Profile to determine the location and type of services such as the Corporate Directory.
Alternatively, if no _cisco-uds record is returned and at least one _collab-edge DNS SRV record is located: Cisco Jabber
determines that it is remote (outside the corporate network) and will use the host information specified in the _collab-edge SRV
lookup to negotiate a registration with Expressway.
When operating outside the network, the service discovery process functions as seen in the diagram below.
Figure 320. Collaboration Edge Architecture

Pre-Configuration
The following configuration on Expressway-C and Expressway-E were performed in advance to save time:

x8.5.3 Software installed

IP Addresses and Virtual Network interfaces provisioned and connected

Option Keys Installed to enable Expressway-Core and Expressway-Edge

Default admin and root account passwords changed

NTP configured and synchronized

Page 148 of 257

Cisco dCloud

DNS service and domain name configured

Module Objectives
In this module, we will perform the following tasks:

Review the baseline configuration of both Expressway-C and Express-E

Identify and add required DNS Records required to enable Collaboration Edge

Perform Certificate Management for Expressway-C and E

Configure Expressway-C and Expressway-E to enable Mobile Remote Access (MRA)

Update the jabber-config.xml file to allow for the retrieval of contact photos hosted on a Web Server

Verify MRA Operation

Module Notes
NOTE: In order to eliminate the possibility of any unexpected interaction and maintain consistency with best practice, Mozilla
Firefox will be used throughout this module when configuring the Cisco Expressway appliances. This is because Microsoft
Internet Explorer 10 is not a supported browser for accessing the Expressway administration pages.

Page 149 of 257

Cisco dCloud

DNS Service Discovery Configuration

Overview
The topology for this lab leverages an internal DNS server (AD1) and a mock external (public) DNS server (AD2). As this is a selfcontained lab pod with no true internet-facing network, VLAN separation will be used for the purpose of simulating a client placed
outside the enterprise network to test MRA functionality. When placed onto the external network the workstation will query ONLY
external DNS.

The following is a summary of what DNS A (host) and SRV (service location) records required.
Internal DNS Server ad1.dcloud.cisco.com (198.18.133.1)
The following records have already been configured on ad1.dcloud.cisco.com:

exp-c-1.dcloud.cisco.com (A record) pointing to IP address of Expressway-C

exp-e-1.dcloud.cisco.com (A record) pointing to the LAN1 IP address of Expressway-E

_cisco-uds._tcp.dcloud.cisco.com (SRV record) pointing to Unified CM (ucm1.dcloud.cisco.com)

_cisco-uds._tcp.uk.dcloud.cisco.com (SRV record) pointing to Unified CM (ucm1.dcloud.cisco.com)

_cisco-uds._tcp.alpha.com (SRV record) pointing to Unified CM (ucm1.dcloud.cisco.com)

External DNS Server ad2.dcloud.cisco.com (198.18.2.11)

In this exercise, one A record for Expressway E is already present and three SRV records will be added:

exp-e-1.dcloud.cisco.com (A record) pointing to the LAN2 IP address (public) of Expressway-E

_collab-edge._tls.dcloud.cisco.com (SRV record) pointing to Expressway-E (exp-e-1.dcloud.cisco.com)

_collab-edge._tls.uk.dcloud.cisco.com (SRV record) pointing to Expressway-E (exp-e-1.dcloud.cisco.com)

_collab-edge._tls.alpha.com (SRV record) pointing to Expressway-E (exp-e-1.dcloud.cisco.com)

DNS Service Records (SRV) for External Resolution

Switch focus to or launch the RDP session connected to ad2.dcloud.cisco.com (198.18.2.11). If opening a new session,
login using (administrator / C1sco12345).

From the Task Bar Click the DNS Manager icon.

Click the + next to Forward Lookup Zones.

Choose dcloud.cisco.com to highlight the zone.

Page 150 of 257

Cisco dCloud

Figure 321. Cisco dCloud Zone

Review the listed DNS host records in the right-hand pane. Confirm that a record for exp-e-1 (198.18.1.152) exists as seen in
the graphic below.

Figure 322. Record Information

Right-click on the dcloud.cisco.com zone.

Choose Other New Records from the menu.

Figure 323. Other New Records

Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.

Click Create Record.

10. Fill out the New Resource Record form as follows:

Domain: dcloud.cisco.com (already populated)

Service: _collab-edge

Protocol: _tls

Priority: 0 (default)

Weight: 0 (default)

Port Number: 8443

Host offering this service: exp-e-1.dcloud.cisco.com

Page 151 of 257

Cisco dCloud

Figure 324. SRV Information

11. Click OK.

12. Click Done to close the Resource Record Type dialog.
NOTE: As mentioned earlier, the addition of records for alpha.com and uk.dcloud.cisco.com are NOT required to successfully
demonstrate the functionality featured in this lab. For practical consistency, we will add the required records as though the
environment did support three fully independent domains.
13. Choose alpha.com to highlight the zone.
14. Right-click on the alpha.com zone.
15. Choose Other New Records from the menu.
16. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.
17. Click Create Record.
18. Fill out the New Resource Record form as follows:
o

Domain: alpha.com (already populated)

Service: _collab-edge

Protocol: _tls

Priority: 0 (default)

Weight: 0 (default)

Port Number: 8443

Host offering this service: exp-e-1.dcloud.cisco.com

Page 152 of 257

Cisco dCloud

Figure 325. SRV Location

19. Click OK.

20. Click Done to close the Resource Record Type dialog.
21. Choose uk.dcloud.cisco.com to highlight the zone.
22. Right-click on the uk.dcloud.cisco.com.com zone.
23. Choose Other New Records from the menu.
24. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.
25. Click Create Record.
26. Fill out the New Resource Record form as follows:
o

Domain: uk.dcloud.cisco.com (already populated)

Service: _collab-edge

Protocol: _tls

Priority: 0 (default)

Weight: 0 (default)

Port Number: 8443

Host offering this service: exp-e-1.dcloud.cisco.com

Figure 326. SRV Location

Page 153 of 257

Cisco dCloud

27. Click OK.

28. Click Done to close the Resource Record Type dialog.
29. Close the DNS Manager application.

Verify DNS Records

Click the Command Prompt icon on the task bar.

Figure 327. Command Prompt Icon

Type nslookup and press Enter.

Type set type=srv (use lowercase) and press Enter.

Type _collab-edge._tls.dcloud.cisco.com and press Enter.

SRV record data similar to the output shown below should be returned by DNS server ad2.dcloud.cisco.com. Because we are
using the nslookup utility on ad2.dcloud.cisco.com the DNS server name will be localhost.

Figure 328. SRV Record Data

A successful result returns both the FQDN of the host(s) offering the service as well as the resolved IP Address(es) associated
with the host(s). As depicted in the graphic above (Red Text)

NOTE: If you see error text, indicating a failure to lookup this or subsequent _collab-edge SRV records, for example: Nonexistent domain, perform the following steps:
-Confirm that the command entered is exactly as specified in the guide and retry.
-Confirm that the settings of the SRV record match the previous configuration steps.
If unable to resolve the issue, please notify a proctor. Do not continue until a successful validation result is returned.
Figure 329. Error Message

Type _collab-edge._tls.alpha.com and press Enter.

Page 154 of 257

Cisco dCloud

SRV record data similar to the output shown below should be returned by DNS server ad2.dcloud.cisco.com (localhost).

Figure 330. Correct Output

Type _collab-edge._tls.uk.dcloud.cisco.com and press Enter.

10. SRV record data similar to the output shown below should be returned by DNS server ad2.dcloud.cisco.com (localhost).
Figure 331. SRV Record Return

11. Type exit and press Enter to close the Command Prompt.
12. This completes the addition of Service Location Records required to support Mobile and Remote Access (MRA) functionality.
13. Close the Command Prompt.

Expressway-C Initial Configuration

Open the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36).

Launch the Mozilla Firefox browser by clicking on the icon in the task bar.

Figure 332. Firefox Icon

From the dCloud homepage menu choose Collaboration Admin Links > Cisco Expressway-C.

Figure 333. Expressway-C Server

Page 155 of 257

Cisco dCloud

Acknowledge any certificate warnings and proceed to the website. We will be installing a CA signed certificate in a later step.

Login with Username: admin, Password: dCloud123!.

Figure 334. Login Prompt

DNS
6.

From the menu choose System > DNS.

Review the following configuration parameters:

System host name: exp-c-1

Domain name: dcloud.cisco.com

Address 1: 198.18.133.1

Figure 335. DNS Settings

NTP
8.

Navigate to System > Time.

Review the following parameters:

NTP server 1: 198.18.128.1

Time zone: UTC

10. Confirm that the current NTP State value is Synchronized.

Page 156 of 257

Cisco dCloud

Figure 336. NTP State

Expressway-E Initial Configuration

Open a new tab in the active Firefox browser.

From the dCloud homepage menu choose Collaboration Admin Links > Cisco Expressway-E.

Figure 337. Expressway-E Link

Acknowledge any certificate warnings and proceed to the website. We will be installing a CA signed certificate in a later step.

Login with Username: admin, Password: dCloud123!.

Figure 338. Login Prompt

DNS
5.

From the menu choose System > DNS.

Review the following configuration parameters:

System host name: exp-e-1

Domain name: dcloud.cisco.com

Address 1: 198.18.133.1

Page 157 of 257

Cisco dCloud

Figure 339. DNS Settings

NTP
7.

Navigate to System > Time.

Review the following parameters:

NTP server 1: 198.18.128.1

Time zone: UTC

Confirm that the current NTP State value is Synchronized.

Figure 340. NTP State

Configure Expressway-E for Unified Communications

It is necessary to set the Unified Communications mode on Expressway-E, before performing certificate management.

Set the Unified Communications Mode

Open the Firefox browser tab connected to Expressway-E (exp-e-1).

Login with Username: admin and Password: dCloud123! (If prompted).

Navigate to Configuration > Unified Communications > Configuration.

Set the Unified Communications mode value to Mobile and remote access.

Click Save.

Page 158 of 257

Cisco dCloud

Certificate Management for Expressway

Obtain the CA Root Certificate
In an earlier activity related to the initial deployment of Cisco Unified IM and Presence, the Root Certificate was downloaded from
the CA hosted on ad1.dcloud.cisco.com.
1.

From the active RDP session to wkst1.dcloud.cisco.com (198.18.133.36).

Use the Windows file explorer to browse to the Desktop\CST-Jabber\Downloads folder.

Confirm the presence of the file CARootCert.cer.

NOTE: If CARootCert.cer is present in this folder, move on to the next activity: Install CA Root on Expressway-C
4.

If unable to locate the CARootCert.cer, follow the next steps to obtain and download it.

Launch Internet Explorer, or open a new tab if already open.

From the dCloud homepage choose dCloud Certificates > AD1 Certificate Services. Optionally, you may navigate to
http://ad1.dcloud.cisco.com/certsrv.

Figure 341. AD1 Certificate Services

Authenticate with Username: administrator and Password: C1sco12345.

Figure 342. Login Prompt

Click Download a CA certificate, certificate chain, or CRL.

Choose the radio button for Base 64 and then click Download CA certificate.

10. Click Save when prompted.

11. Minimize Internet Explorer and open the Desktop\CST-Jabber\Downloads folder.
12. Rename the certnew.cer file to CARootCert.cer.

Install CA Root Certificate on Expressway-C

Switch to the Firefox browser tab connected to Expressway-C (exp-c-1).

Page 159 of 257

Cisco dCloud

If prompted login with admin/dCloud123!.

From the menu choose Maintenance > Security certificates > Trusted CA certificate.

In the Upload section, click the Browse button.

Figure 343. Trusted CA Certificate

Use the file explorer to browse to Desktop\CST-Jabber\Downloads.

Choose the file CARootCert.cer.

Figure 344. File Browser

Click Open.

Click Append CA certificate, to complete the upload.

Figure 345. Append CA Certificate

Confirm that the upload was successful. Note that a new certificate appears in the list: CN=dcloud-AD1-CA.

Figure 346. Trusted Certificate

Page 160 of 257

Cisco dCloud

Generate and Download a Client-Server CSR on Expressway-C

10. From the main menu choose Maintenance > Security certificates > Server Certificate.
11. Click Generate CSR.
12. Set the following values:

Key Length: 2048

Country: US

State or province: Texas

Locality: Richardson

Organization: Cisco Systems

Organizational unit: dCloud

Figure 347. CSR Information

13. Click Generate CSR.

14. Click Download.

Page 161 of 257

Cisco dCloud

Figure 348. Download CSR

15. Choose the radio button for Save when prompted and click OK.
16. Use the windows file explorer to navigate to the folder Desktop\CST-Jabber\Downloads.
17. Locate the filename beginning with CSR_exp-c-1.
Figure 349. File Navigator

18. Rename the file as exp-c-1-server.csr.

19. Click Yes to acknowledge the filename extension warning.
Figure 350. Extension Warning

Install CA Root Certificate on Expressway-E

Open the Firefox browser tab connected to Expressway-E (exp-e-1).

If prompted, login as admin/dCloud123!.

From the menu choose Maintenance > Security certificates > Trusted CA certificate.

In the Upload section, click the Browse button.

Figure 351. Upload CA Certificate

Page 162 of 257

Cisco dCloud

Use the file explorer to browse to Desktop\CST-Jabber\Downloads.

Choose the file CARootCert.cer.

Figure 352. CA File

Click Open.

Click Append CA certificate, to complete the upload.

Confirm that the upload was successful. Note that a new certificate appears in the list: CN=dcloud-AD1-CA.

Generate and Download a Client-Server CSR on Expressway-E

NOTE: The CSR field Unified CM registration domains is not added to the CSR until the Unified Communications mode is
enabled on Expressway-E. Recall that this configuration step was performed earlier in the module.
1.

From the main menu choose Maintenance > Security certificates > Server Certificate.

Click Generate CSR.

Set the following values:

Unified CM registration domains: dcloud.cisco.com,uk.dcloud.cisco.com,alpha.com

Key Length: 2048

Country: US

State or province: Texas

Locality: Richardson

Organization: Cisco Systems

Organizational unit: dCloud

Page 163 of 257

Cisco dCloud

Figure 353. CSR Configuration

Click Generate CSR.

Click Download.

Figure 354. Download CSR

Choose the radio button for Save when prompted and click OK.

Use the windows file explorer to navigate to the folder Desktop\CST-Jabber\Downloads.

Locate the filename beginning with CSR_exp-e-1.

Page 164 of 257

Cisco dCloud

Figure 355. File Navigator

Rename the file as exp-e-1-server.csr.

10. Click Yes to acknowledge the filename extension warning.

Submit and Download a CA Signed Certificate for Expressway-C

Open or switch focus to the CST-Jabber\Downloads folder.

Double click the file exp-c-1-server.csr to open.

From the Notepad main menu choose Format > Word Wrap.

Figure 356. Word Wrap

Press CTRL-A to highlight all text in the open file.

Press CTRL-C to copy highlighted data into the computer buffer.

Close the Notepad application.

Switch focus back to Firefox and open a new tab.

From the menu choose dCloud Certificates > AD1 Certificate Services. Optionally, you may navigate to
http://ad1.dcloud.cisco.com/certsrv.

Authenticate with Username: administrator and Password: C1sco12345 (if prompted).

Figure 357. Login Prompt

10. Click Request a certificate.

Page 165 of 257

Cisco dCloud

11. Click advanced certificate request.

12. Click in the Saved Request field to make it active.
13. Press CTRL-V to past the data saved to the computer buffer.
14. From the Certificate Template drop down choose ClientServer.
Figure 358. Certificate Request

15. Click Submit.

16. Choose Base 64 encoded.
Figure 359. Download Certificate

17. Click Download certificate.

18. Select Save File and click OK.
19. Open the Desktop\CST-Jabber\Downloads folder.
20. Rename the certnew.cer file to exp-c-1-CA-server.cer.
Figure 360. CA File Rename

Submit and Download a CA Signed Certificate for Expressway-E

Open or switch focus to the CST-Jabber\Downloads folder.

Page 166 of 257

Cisco dCloud

Double click the file exp-e-1-server.csr to open.

Press CTRL-A to highlight all text in the open file.

Press CTRL-C to copy highlighted data into the computer buffer.

Close the Notepad application.

Switch focus back to Firefox and the Active Directory Certificate Services webpage.

Click the Home hyperlink in the upper right of the page.

Click Request a certificate.

Click advanced certificate request.

10. Click in the Saved Request field to make it active.

11. Press CTRL-V to past the data saved to the computer buffer.
12. From the Certificate Template drop down choose ClientServer.
Figure 361. Certificate Request

13. Click Submit.

14. Choose Base 64 encoded.
Figure 362. Download Certificate

15. Click Download certificate.

16. Choose Save File and click OK..

Page 167 of 257

Cisco dCloud

17. Open the Desktop\CST-Jabber\Downloads folder.

18. Rename the certnew.cer file to exp-e-1-CA-server.cer.
Figure 363. File Rename

NOTE: A custom certificate template covering Client/Server authentication is required to support CA signed certificate generation
for Cisco Expressway. This template has been pre-configured and the details of this process can be found in Appendix C.

Upload CA Signed Certificate to Expressway-C

Open the Firefox browser tab connected to Expressway-C (exp-c-1).

If prompted login with admin/dCloud123!.

From the menu choose Maintenance > Security certificates > Server certificate.

In the Upload new certificate section, click Browse.

Navigate to the Desktop\CST-Jabber\Downloads folder.

Choose the file exp-c-1-CA-server.cer and click Open.

Figure 364. Upload New Certificate

Click Upload server certificate data.

Observe the status message after the upload indicating success, with a need to perform a restart.

Figure 365. Upload Success Message

Choose Maintenance > Restart Options.

10. Click Restart on the Restart options page.

Page 168 of 257

Cisco dCloud

Figure 366. System Restart

11. Click OK to confirm the restart.

12. The page will provide progress updates as the restart progresses.
Figure 367. Restart Progress Message

Upload CA Signed Certificate to Expressway-E

Open the Firefox browser tab connected to Expressway-E (exp-e-1).

If prompted login as admin/dCloud123!.

From the menu choose Maintenance > Security certificates > Server certificate.

In the Upload new certificate section, click Browse.

Navigate to the Desktop\CST-Jabber\Downloads folder.

Choose the file exp-e-1-CA-server.cer and click Open.

Figure 368. Upload New Certificate

Click Upload server certificate data.

Observe the status message after the upload indicating success, with a need to perform a restart.

Page 169 of 257

Cisco dCloud

Figure 369. File Upload Success

Choose Maintenance > Restart Options.

10. Click Restart on the Restart options page.

Figure 370. System Restart

11. Click OK to confirm the restart.

12. The page will provide progress updates as the restart progresses.
Figure 371. Restart Progress

Configure Expressway-C for Unified Communications

Set the Unified Communications Mode
1.

Open the Firefox browser tab connected to Expressway-C (exp-c-1).

Login with Username: admin and Password: dCloud123! (If prompted).

Navigate to Configuration > Unified Communications > Configuration.

In the Unified Communications mode field, use the drop-down menu to choose Mobile and Remote Access.

Set the Single Sign-On support field to off.

Page 170 of 257

Cisco dCloud

Figure 372. Expressway Settings

Click Save.

Configure Unified Communications Domains

You must identify the domains for which registration, call control, provisioning, messaging, and presence services are to be routed
to Unified CM. Recall that our IM and Presence deployment has been implemented with Multi-Domain support, servicing
dcloud.cisco.com, uk.dcloud.cisco.com, and alpha.com. In the following steps, you will create a domain entry for each.

SIP registrations and provisioning on Unified CM: Endpoint registration, call control and provisioning for this SIP
domain is serviced by Unified CM. The Expressway acts as a Unified Communications gateway to provide secure
firewall traversal and line-side support for Unified CM registrations.

IM and Presence services on Unified CM: Instant messaging and presence services for this SIP domain are
provided by the Unified CM IM and Presence service.

Navigate to Configuration > Domains.

Click New.

Enter the following parameters:

Domain Name: dcloud.cisco.com

SIP registration: On

IM and Presence: On

Figure 373. Domain Parameters

Page 171 of 257

Cisco dCloud

Click Create Domain.

Repeat the steps above to add uk.dcloud.cisco.com and alpha.com.

Confirm that the list of domains appears as below:

Figure 374. Domain Status

Discovering IM and Presence Services

The Expressway-C must be configured with the address details of the IM&P servers and Unified CM servers that are to provide
registration call control, provisioning, and messaging and presence services.
NOTE: An application user with id CollabEdgeAXL has been created in advance on Unified CM. This user is assigned ONLY the
Standard AXL API Access role.
1.

Navigate to Configuration > Unified Communications > IM and Presence Service nodes.

Click New.

Configure the following parameters:

IM and Presence publisher address: imp1.dcloud.cisco.com

Username: CollabEdgeAXL

Password: dCloud123!

TLS verify mode: On

Figure 375. Add Address

Click Add address.

Confirm that the IM and Presence node is added successfully with communication established.

Page 172 of 257

Cisco dCloud

Figure 376. IM and Presence Node Added

Discovering Unified CM Services

NOTE: Expressway-C uses the information from the Unified CM node discovery process to automatically generate nonconfigurable neighbor zones between itself and each unified CM node.
6.

Navigate to Configuration > Unified Communications > Unified CM servers.

Click New.

Configure the following parameters:

Unified CM publisher address: ucm1.dcloud.cisco.com

Username: CollabEdgeAXL

Password: dCloud123!

TLS verify mode: On

Figure 377. Unified CM Server Parameters

Click Add address.

10. Notice that after discovery, there is both an error message regarding security of SIP messages exchanged between
Expressway-C and Unified CM and a success indicator. The error regarding a failure to connect on a secure SIP signaling port
may be disregarded. Confirm that a successful addition is made.
Figure 378. Discovery Messages

NOTE: The error referenced above is NOT in relationship to the SSL certificate verification enabled when the TLS verify mode is
set to ON. Rather, the discovery process makes an attempt to communicate on a secure SIP port toward Unified CM. This would
only be successful if the Unified CM Cluster Security mode had been set to Mixed or Secure enabling TLS for signaling traffic. Our
Unified CM Cluster is running in Mode 0 Insecure (default).

Page 173 of 257

Cisco dCloud

Discovering Unity Connection Services

11. Navigate to Configuration > Unified Communications > Unity Connection servers.
12. Click New.
13. Configure the following parameters:

Unified CM publisher address: cuc1.dcloud.cisco.com

Username: administrator

Password: dCloud123!

TLS verify mode: On

Figure 379. Unity Connection Server Parameters

14. Click Add address.

15. Confirm that the Unity Connection node is added successfully with communication established.
Figure 380. Communication Established

Create a Secure Traversal between Expressway-E and Expressway-C

Follow these steps to create a new Unified Communications Traversal zone to allow for securely tunneled communication between
Expressway-C and Expressway-E.

Configure a Unified Communications Traversal Zone on Expressway-E

Recall that the Traversal between Expressway-C and Expressway-E operates on a Client/Server relationship. Expressway-E
operates as the server and Expressway-C, the client. Notice that during the configuration process a local user account is created
on Expressway-E for authentication of the Traversal connection. During the configuration of the Traversal Zone on Expressway-C
this username and password combination will be entered and then used to authenticate the Traversal Tunnel.
1.

Switch to the Firefox browser tab connected to Expressway-E (exp-e-1).

Page 174 of 257

Cisco dCloud

Login with Username: admin and Password: dCloud123!.

Go to Configuration > Zones > Zones.

Click New.

Figure 381. New Zone

In the Name field, type UC Traversal Zone.

Choose Unified Communications traversal from the drop-down list.

Under Connection credentials, click the hyperlink for Add/Edit local authentication database to quickly add an
authentication user and credential which will be assigned to this zone.

Figure 382. Add User

The Local authentication database configuration screen will pop-up in a new window.

Click the New button to add a new user.

10. For Name type, enter traversal-admin.

11. In the Password field type, enter dCloud123!.
Figure 383. Credentials Dialog

12. Click Create credential.

13. Close the Local authentication database window to resume configuration of the Traversal Zone.
14. In the Username field, type traversal-admin.
15. Set the TLS verify subject name value to exp-c-1.dcloud.cisco.com.
16. Consult the figure below to ensure accuracy of configured field values:

Page 175 of 257

Cisco dCloud

Figure 384. Zone Parameters

17. Click Create zone.

Configure a Unified Communications Traversal Zone on Expressway-C

Follow these steps to create a new Unified Communications Traversal zone matching the configuration of the Zone already created
on Expressway-E. Note that when defining the Traversal on Expressway-C, we must supply the username and password created
for authentication on Expressway-E. The encrypted traversal tunnel is always initiated by Expressway-C as the client, which must
successfully authenticate to the server (Expressway-E).
1.

Switch to the Firefox tab connected to Expressway-C (exp-c-1).

Navigate to Configuration > Zones > Zones.

Click New.

Configure the Zone with the following settings:

Name: UC Traversal Zone

Type: Unified Communications traversal

Username: traversal-admin

Password: dCloud123!

Page 176 of 257

Cisco dCloud

Port: 7001

Peer 1 address: exp-e-1.dcloud.cisco.com

Consult the graphic to confirm accuracy and when ready click Create zone.

Figure 385. New Zone Parameters

Verify Unified Communications Traversal on Expressway-C

The list of configured zones for Expressway-C along with current status should appear as below, immediately following zone
creation:

Figure 386. Zone Status

Click the hyperlink for UC Traversal Zone.

Scroll to the bottom of the page and confirm that Peer 1 address displays a SIP: Reachable message and that the Status is
Active.

Page 177 of 257

Cisco dCloud

Figure 387. SIP Reachable

Status Errors: If you see an error such as the following

and the zone status fails to

transition to active, it is likely that there is a credential error. Re-type the password of the traversal-admin user and ensure that the
user name is typed exactly as defined earlier on Expressway-E. If this fails to bring the zone active, open the Expressway-E
console and confirm that the user account specified is spelled as expected. If the username spelling is correct, then reset the
password of the user ensuring complete accuracy. Check the zone status on Expressway-C once more and proceed if a
successful validation result is achieved.
4.

Navigate to Configuration > Zones > Zones. Check the list of Zones on Expressway-C against the graphic below:

Figure 388. Zone Status

CEtcp-ucm1.dcloud.cisco.com: Neighbor zone created automatically during the discovery process.

UC Traversal Zone: Secure Unified Communications Traversal.

Verify Unified Communications Traversal Expressway-E

Open the Firefox browser tab connected to Expressway-E (exp-e-1).

Navigate to Configuration > Zones > Zones.

Page 178 of 257

Cisco dCloud

Figure 389. Zone Status

Confirm that the status of the UC Traversal Zone is active.

Validate Unified Communications Status on Expressway

With Expressway configuration complete to enable MRA, we will use the Unified Communications status page on both
Expressway-C and Expressway-E to confirm that all required services provisioning and routing have been successfully added.

Unified Communications Status Expressway-C

Open the Firefox browser tab connected to Expressway-C (exp-c-1).

From the menu choose Status > Unified Communications.

Confirm that the output of the webpage matches the highlighted areas of the graphic below.

Figure 390. Unified Communications Status

Page 179 of 257

Cisco dCloud

Unified Communications Status Expressway-E

Open the Firefox browser tab connected to Expressway-E (exp-e-1).

From the menu choose Status > Unified Communications.

Confirm the output of the webpage matches the highlighted areas of the graphic below.

Figure 391. Unified Communications Status

Contact Photo Resolution with MRA

Overview
Until now, our Jabber clients have been connected to the internal network, freely able to resolve the LDAP directory through
service discovery and using the User Photo attribute in Microsoft Active directory as the source for contact photo resolution.
When registered via MRA through Cisco Expressway however the Jabber client will automatically use UDS for contact resolution.
NOTE: When Cisco Jabber is running in remote mode through MRA, the Corporate Directory and contact source type is
automatically set to UDS. There is no additional configuration required for this behavior to function.
For contact photo resolution outside the enterprise network, a Web Server must be used to host directory contact photos. A
parameter is then added to the jabber-config.xml file to notify the Jabber Client of the location of contact photos.
Server ad2.dcloud.cisco.com has been configured to host contact photos at the following URL:

http://ad2.dcloud.cisco.com/directory/.

Contact photos stored in this directory are named with the following convention:

<sAMAccountName>.jpg

Page 180 of 257

Cisco dCloud

Recall that during the deployment process we specified that the User ID for Unified CM and IM and Presence users would be
mapped to the LDAP attribute sAMAccountName.
So for example, one could view the directory photo for user Anita Perez (aperez) by navigating to
http://ad2.dcloud.cisco.com/directory/aperez.jpg.
Because we have a predictable naming convention that matches an attribute (User ID) that the Cisco Jabber client is aware of, we
can define a query string using substitution that will request and return the photos of users in our Jabber contact list.
Use the following activity to review the parameter and format required to enable the resolution of contact photos while
connected using MRA. Upload an updated Jabber-Config.xml file. Finally configure an HTTP server allow list to permit tunneled
access to the Web Server hosting photos from the Jabber Client when registered via MRA.

Update Jabber-Config.xml
In order to enable external contact photo resolution we must update the jabber-config.xml file. As with previous exercises, a preconfigured jabber-config.xml file has been staged for you.
1.

From the Desktop of wkst1.dcloud.cisco.com, locate and open the folder CST-Jabber.

Use the windows file explorer to browse to CST-Jabber\Jabber-Config-Files\Module2\.

Right click the file jabber-config.xml and choose Open with > Notepad.

Figure 392. Open With Notepad

The following parameter is appended to the Directory section of the file to enable contact photo resolution from a web server.
Observe the substitution or Token value highlighted in red (%%uid%%) :
<UDSPhotoURIWithToken>http://ad2.dcloud.cisco.com/directory/%%uid%%.jpg</UDSPhotoURIWithToken>

Close the file when finished reviewing.

Upload Jabber-Config.xml
1.

From an active browser session to ucm1.dcloud.cisco.com, use the Navigation menu to choose Cisco Unified OS
Administration.

Figure 393. OS Administration

Click Go.

Login with Username: administrator and Password: dCloud123!.

Navigate to Software Upgrades > TFTP File Management.

Page 181 of 257

Cisco dCloud

Figure 394. TFTP File Management

Click Upload File.

Figure 395. Upload File Icon

From the Upload File dialog, click the Browse button.

Figure 396. Upload File Dialog

Use the file explorer to navigate to Desktop\CST-Jabber\Jabber-Config-Files\Module2.

Choose the jabber-config.xml file.

Click Open.

10. From the Upload File dialog, click Upload File.

11. Observe the status message: File uploaded successfully.
12. Click Close.

Restart the Cisco Tftp Service

From the Navigation menu, choose Cisco Unified Serviceability.

Figure 397. Cisco Unified Serviceability

Click Go.

Enter the (administrator/dCloud123!) username/password combination.

Click Login.

Page 182 of 257

Cisco dCloud

From the menu choose Tools > Control Center Feature Services.

Figure 398. Feature Services

From the Choose Server drop down list, choose ucm1.dcloud.cisco.com.

Figure 399. Select Server

Click Go.

Under CM Services, choose Cisco Tftp.

Click Restart.

10. Click Ok to acknowledge the Service Restart notification.

11. The page will automatically refresh displaying the status of the restart command. Wait until the message Cisco Tftp Service
Restart Operation was Successful.
Figure 400. Operation Successful

Verify Jabber-Config.xml
1.
2.

Launch Mozilla Firefox and/or open a new tab.

Navigate to Collaboration User and Test Links > Jabber-Config Check. Optionally, you may manually navigate to the
following URL: http://ucm1.dcloud.cisco.com:6970/jabber-config.xml.

Figure 401. Jabber Configuration Check

Confirm that jabber-config.xml file reviewed earlier matches the output of the web browser.

Your output should also match the graphic below.

Page 183 of 257

Cisco dCloud

Figure 402. Browser Ouput

Shutdown the Jabber Client(s) running on wkst1.dcloud.cisco.com and wkst2.dcloud.cisco.com, by choosing Menu >
Exit.

HTTP Server Allow List on Expressway-C

As indicated earlier, contact photos are served from ad2.dcloud.cisco.com over http. In order for the Jabber client to successfully
access contact photos when registered using MRA, an http traffic permit statement must be explicitly added.
1.

Open the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36).

Open the Firefox browser tab connected to Expressway-C (exp-c-1).

Navigate to Configuration > Unified Communications > Configuration.

In the Advanced section of the configuration page, locate and click the hyperlink for Configure HTTP server allow list.

Figure 403. Server Allow List

Click New.

Enter the following values:

Server hostname: ad2.dcloud.cisco.com

Description: Contact Photo Webserver

Page 184 of 257

Cisco dCloud

Figure 404. Server Allow List

Click Create entry.

Confirm the entry has been added.

Notice the Auto-configured allow list with data populated based on the discovery process. The list contains the FQDNs and
resolved IP addresses of imp1.dcloud.cisco.com, ucm1.dcloud.cisco.com, and cuc1.dcloud.cisco.com.

Figure 405. Server Allow List

Testing Mobile and Remote Access Operation

At this point, you have completed all the configuration steps required to enable Mobile and Remote Access with Cisco Expressway.
In order to test the solution, we will move wkst2.dcloud.cisco.com (Anita Perez) onto another VLAN with access to external DNS
resolution via ad2.dcloud.cisco.com.

Create a new RDP session for Workstation 2 External

Thus far, we have been able to use a single RDP session connected to wkst2.dcloud.cisco.com on IP address 198.18.133.37 to
connect and test Jabber Client functionality from WKST2 as Anita Perez.
During the migration process, the active IP address of the workstation will change to 198.18.2.37 which will be resolvable by DNS
using host name wkst2-ext.dcloud.cisco.com.
To facilitate switching between the two modes we will configure and save an RDP session definition for connecting to Workstation
2 when operating in the external VLAN.
NOTE: This operation is to be performed from the Students Personal Computer, NOT an active RDP session.
1.

Click Start > All Programs > Accessories > Remote Desktop Connection from the students personal computer.

Click Options.

Page 185 of 257

Cisco dCloud

Choose Local Resources Tab.

Click Settings, under Remote audio.

Choose Play on this computer & Do Not Record.

Figure 406. RDP Settings

Click OK.

Click the Experience tab.

Choose LAN (10Mbps or higher) from the connection speed menu.

Figure 407. LAN Connection Speed

In the Computer field type: wkst2-ext.dcloud.cisco.com or 198.18.2.37.

10. In the Username field type: dcloud\aperez.

11. Click Allow me to save credentials.
12. Click Save and use the Save As file dialog to name and save the session definition to your computer as wkst2-ext to a
location in your file system that will be easy to find later.

Review Status Details of Jabber (On-Net)

In this activity, we will briefly review connection details of the Cisco Jabber client running on wkst2.dcloud.cisco.com while
registered to services on the internal network. This will assist in identifying the differences in behavior when registered to services
via MRA through Expressway.
1.

Open (switch to) an RDP session to wkst2.dcloud.cisco.com (198.18.133.37) user Anita Perez.

If Cisco Jabber is open from a previous activity, exit and restart it at this time. This is necessary in order for changes to the
jabber-config.xml file to be assimilated. If closed, launch Cisco Jabber.

Login to Jabber with Username aperez and Password C1sco12345.

Click the

Menu icon and choose Help > Show connection status to confirm that the Jabber client has active

connectivity to provisioned services.

Page 186 of 257

Cisco dCloud

Pay close attention to the following entries which will alter when connected through MRA:

Softphone

Presence

Address: ucm1.dcloud.cisco.com (CCMCIP)

Address: imp1.dcloud.cisco.com

Directory

Address: DCLOUD.CISCO.COM (No host reference because Jabber discovered it automatically using DNS)

Figure 408. Settings Summary

Open a Microsoft Internet Explorer browser session.

From the dCloud homepage choose Collaboration Admin Links > Cisco Unified Communications Manager.

Choose Cisco Unified Communications Manager from the list of Installed Applications.

Login with Username administrator and Password dCloud123!.

10. From the menu choose Device > Phone.

11. Click Find.

Page 187 of 257

Cisco dCloud

12. Observe that the Client Services Framework device (Jabber softphone) named CSFAPEREZ is actively registered with the IP
address of wkst2.dcloud.cisco.com (198.18.133.37).
Figure 409. IP Address and Device

13. Take note of the Contact Photo associated with Charles Holland in the contact list of Anita Perez.
Figure 410. Contact Photo

14. The contact photos hosted on the web server have been modified in order to verify the source and confirm that contact photos
presented are served from the web server defined earlier.
15. Quit Jabber by choosing Menu > Exit.

Move Workstation 2 to the External Network

NOTE: This procedure will disconnect the active RDP session, which is the expected result.
1.

From the RDP session connected to wkst2.dcloud.cisco.com (198.18.133.37).

Navigate to the Desktop and locate the windows batch executable named External Network On.

Figure 411. External Network On

Double click the file to execute the migration procedure.

This will disconnect the active RDP session as expected.

Connect to Workstation 2 on the External Network

From the Student Laptop, open the Remote Desktop Connection client program.

Click Options.

On the General tab, under Connection Settings click Open.

Browse the location where you saved the RDP session definition wkst2-ext.

Page 188 of 257

Cisco dCloud

Figure 412. RDP Saved Sessions

Choose the file and click Open.

Confirm that the settings match the graphic.

Figure 413. RDP Settings

Click Open.

Acknowledge any certificate warnings and proceed.

When prompted for the password type C1sco12345.

Clearing the Contact Photo Cache

Under normal circumstances, it would take a considerable amount of time for the Jabber client to clear its locally cached contact
photos. To expedite this process we will clear the contents of the locally cached information for the Jabber client on Workstation 2.
1.

On the desktop of wkst2-ext.dcloud.cisco.com locate a windows batch executable file named Clear Jabber Cache.

Double click to execute and clear cached contact photo records.

Verify External Connectivity and DNS resolution

Click the Command Prompt icon on the task bar.

Figure 414. Command Prompt Icon

Type ipconfig and press Enter.

Confirm that the IP Address displayed is 198.18.2.37, and the Default Gateway is 198.18.2.1.

Page 189 of 257

Cisco dCloud

Figure 415. Ipconfig Output

Type nslookup and press Enter.

Type set type=srv (use lowercase) and press Enter.

Type _collab-edge._tls.dcloud.cisco.com and press Enter.

SRV record data similar to the output shown below should be returned by DNS server ad2.dcloud.cisco.com.

Figure 416. Command Output

A successful result returns the FQDN exp-e-1.dcloud.cisco.com as well as the resolved IP 198.18.1.152 as depicted in the
graphic above (Red Text).

Launch Cisco Jabber and Connect via MRA

Launch Cisco Jabber by double clicking on the desktop icon.

Login with Username aperez and Password C1sco12345.

Figure 417. Login Prompt

Notice the New location detected notification since Jabber has detected that we are connecting from a new network. This will
likely appear to the lower right of the remote desktop workspace.

Page 190 of 257

Cisco dCloud

Click Add to my locations.

Figure 418. Add to My Locations

Click Create a new location name.

Type a location of your choice. In our example, we use Mobile Remote Access as the location specified for Anita Perez.

Click Create.

Notice that both the contact photos for Anita Perez and Charles Holland are present but in Black and White as opposed to the
full color images resolved through LDAP.

Figure 419. Contact Photos in Jabber

Test contact search by typing Muk in the search window and confirm that the lookup returns a contact record for Mukul
Kumar.

Figure 420. Mukul Kumar Contact

NOTE: Notice that all of the cached images for contacts added through the Directory Group/Enterprise Group feature are now
missing. This is a result of the removal of all cached contact photos in tandem with the Throttling Policy for photo download of
contacts added through enterprise groups. As before, you can manually initiate the download of contact photos by clicking the
contact record.

Page 191 of 257

Cisco dCloud

Review Status Details of Jabber (MRA)

Click the

Menu icon and choose Help > Show connection status to confirm that the Jabber client has active

connectivity to provisioned services.

Pay close attention to the following entries which will alter when connected through MRA:

Softphone

Presence

Address: ucm1.dcloud.cisco.com (CCMCIP - Expressway)

Address: exp-e-1.dcloud.cisco.com

Directory

Address: ucm1.dcloud.cisco.com (UDS via Unified CM)

Figure 421. Connection Status Differences

Connection Status - INTERNAL

Connection Status - MRA

As you can see, all services are connected. The entries for Softphone, Presence, and Directory have modified values
indicating a tunneled connection through Expressway-E.

Switch to the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

Page 192 of 257

Cisco dCloud

Open the Internet Explorer tab connected to ucm1.dcloud.cisco.com.

From the Navigation drop down select Cisco Unified CM Administration and click Go.

If prompted, login with Username: administrator and Password: dCloud123!.

From the menu choose Device > Phone.

Click Find.

10. Observe that the Client Services Framework device (Jabber softphone) named CSFAPEREZ is actively registered with the IP
address of Expressway-C (198.18.133.152). This is because Expressway-C serves is the anchor point for SIP Registration
with Unified CM for all MRA sessions.
Figure 422. Device IP Address

Test Chat and Calling Capability through MRA

Switch to the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

If Cisco Jabber is open from a previous activity, exit and restart it. This is necessary for changes to the jabber-config.xml file to
be assimilated. If closed, launch Cisco Jabber.

Login to Jabber with Username: cholland and Password: C1sco12345.

Observe that the location information associated with Anitas current presence status has been updated based on the new
location created.

Figure 423. Jabber Location

Double click the contact record for Anita Perez to launch a conversation window.

Type a message of your choice.

Switch to the RDP session connected to wkst2-ext.dcloud.cisco.com (Anita Perez).

Page 193 of 257

Cisco dCloud

Feel free to type a reply.

Figure 424. Jabber Chat Window

Click the Call icon to initiate a call to Charles Holland.

10. Switch to the RDP session connected to wkst1.dcloud.cisco.com (Charles Holland).

11. Click Answer on the Incoming call notification.
12. Note that the call is active and the virtual camera drivers are showing the text VCAM in both remote and self-view windows.
13. See that the presence indicators for both Charles Holland and Anita Perez have transitioned from Available to On a Call.
Figure 425. Jabber Presence Indicators

14. Switch to the RDP session connected to wkst2-ext.dcloud.cisco.com (Anita Perez).

15. Hang up the call.
16. This concludes the Mobile Remote Access Module. Students may continue to test features and functionality (time permitting).
When ready, please proceed to the next activity.

Move Workstation 2 to the Internal Network

NOTE: This procedure will disconnect the active RDP session, which is the expected result.
1.

Switch to the RDP session connected to wkst2-ext.dcloud.cisco.com (198.18.2.37).

Navigate to the Desktop and locate the windows batch executable named Internal Network On.

Page 194 of 257

Cisco dCloud

Figure 426. Internal Network On Executable

Double-click the file to execute the migration procedure.

This will disconnect the active RDP session as expected.

Reconnect to the RDP session for wkst2.dcloud.cisco.com (198.18.133.37).

Page 195 of 257

Cisco dCloud

Module 3(a): SAML Single Sign-On (SSO) Inside the Network

SAML Overview
What is SAML SSO?
SAML is an XML-based open standard data format that enables administrators to access a defined set of Cisco collaboration
applications seamlessly after signing into one of those applications. SAML describes the exchange of security related information
between trusted business partners. It is an authentication protocol used by service providers (for example, Cisco Unified
Communications Manager) to authenticate a user. SAML enables exchange of security authentication information between an
Identity Provider (IdP) and a service provider.
SAML SSO uses the SAML 2.0 protocol to offer cross-domain and cross-product single sign-on for Cisco collaboration solutions.
SAML 2.0 enables SSO across Cisco applications and enables federation between Cisco applications and an IdP. SAML 2.0
allows Cisco administrative users to access secure web domains to exchange user authentication and authorization data, between
an IdP and a Service Provider while maintaining high security levels. The feature provides secure mechanisms to use common
credentials and relevant information across various applications.
SAML SSO establishes a Circle of Trust (CoT) by exchanging metadata and certificates as part of the provisioning process
between the IdP and the Service Provider. The Service Provider trusts the IdP's user information to provide access to the various
services or applications. In this interaction, the Service Provider (SP) would be Unified CM and Unified IM and Presence.
The client authenticates against the IdP and the IdP grants an Assertion to the client. The client presents the Assertion to the
Service Provider. Since there is a CoT established, the Service Provider trusts the Assertion and grants access to the client.

SAML-Based SSO Features

Reduces password fatigue by removing the need for entering different user name and password combinations
Transfers the authentication from your system that hosts the applications to a third party system. Using SAML SSO, you
can create a circle of trust between an IdP and a service provider. The service provider trusts and relies on the IdP to
authenticate the users

Protects and secures authentication information. It provides encryption functions to protect authentication information
passed between the IdP, service provider, and user. SAML SSO can also hide authentication messages passed between
the IdP and the service provider from any external user.

Improves productivity because you spend less time re-entering credentials for the same identity

Reduces costs as fewer help desk calls are made for password reset, thereby leading to more savings

Elements of a SAML SSO Solution

Client (the users client): This is a browser-based client or software client that can leverage a browser instance for
authentication. For example, a system administrators browser.

Service provider: This is the application or service that the client is trying to access. For example, Cisco Unified
Communications Manager.

An Identity Provider (IdP) server: This is the entity that authenticates user credentials and issues SAML Assertions.

Page 196 of 257

Cisco dCloud

Lightweight Directory Access Protocol (LDAP) users: These users are integrated with an LDAP directory, for example
Microsoft Active Directory or OpenLDAP. Non-LDAP users reside locally on the Unified Communications server.

SAML Assertion: It consists of pieces of security information that are transferred from IdPs to the service provider for user
authentication. An assertion is an XML document that contains trusted statements about a subject including, username
and privileges. SAML assertions are usually digitally signed to ensure their authenticity.

SAML Request: This is an authentication request that is generated by a Unified Communications application. To
authenticate the LDAP user, the Unified Communications application delegates an authentication request to the IdP.

Circle of Trust (CoT): The various service providers that share and authenticate against one IdP in common.

Metadata: An XML file generated by an SSO-enabled Unified Communications application, such as Cisco Unified
Communications Manager or Cisco Unity Connection, as well as an IdP. The exchange of SAML metadata builds a trust
relationship between the IdP and the service provider.

Assertion Consumer Service (ACS) URL: This URL instructs the IdPs where to post assertions. The ACS URL tells the
IdP to post the final SAML response to a particular URL.

Figure 427. SAML SSO Process

Module Objectives
In this module, we will perform the following tasks:

Create a Circle of Trust (CoT) between ADFS 2.0 (IdP) and Unified CM and IM and Presence (SP)

Enable SSO for Unified Communications Manager and Unified IM and Presence

Test Username/Password authentication by accessing Web Interfaces and Cisco Jabber

Test Kerberos authentication for cross/application authentication using Microsoft Internet Explorer and Cisco Jabber

Page 197 of 257

Cisco dCloud

Module Notes
NOTE: In the interest of time, Microsoft AD FS2.0 has been preinstalled on ad1.dcloud.cisco.com. The Basic AD FS 2.0
setup wizard was run to enable ADFS features. These operations are documented in Appendix B. By default, AD FS2.0 has
Username/Password Authentication enabled, so no extra steps are needed to prepare AD FS2.0 to enable this Authentication
method. For other authentication methods, AD FS2.0 needs customization to be part of the lab steps.

Pre-Requisites
These are the dependencies that must be in place and functional prior to the implementation of SAML SSO for Cisco Unified
Communications. ALL of these pre-requisite requirements have been met during lab configuration activities or as part of the preconfiguration of the lab environment.

NTP All components of the solution must be configured to use a reliable NTP source for clock synchronization.
This requirement is already provisioned across all installed Cisco Collaboration Applications (Services Providers) and
Identity Providers (ADFS 2.0 on ad1.dcloud.cisco.com)

DNS All hosts involved in SSO transactions must be fully resolvable by FQDN via DNS. All of the Service Providers
(ucm1.dcloud.cisco.com, imp1.dcloud.cisco.com) have DNS A (Host) records and are resolvable by FQDN.

Directory Setup - LDAP directory synchronization is a prerequisite and a mandatory step to enable SAML SSO
across various Unified Communications applications. Synchronization of Unified Communications applications with
an LDAP directory allows the administrator to provision users easily by mapping Unified Communications
applications data fields to directory attributes. Recall that the foundation of our deployment activity was the import of
Jabber users through an LDAP synchronization agreement.

Certificates signed by a CA - In SAML SSO, the IdP and service providers must have CA signed certificates with
the correct domains in the CN or SAN. If the correct CA certificates are not validated, the browser issues a pop up
warning. We have performed the certificate management required to meet this pre-requisite as part of our
deployment activities.

Prepare to Enable SAML SSO for Unified CM and IM and Presence

Configure an LDAP Synchronized End User with the Administrative Privileges
Once SSO is enabled, access to the Unified CM and IM and Presence administrative interfaces will be limited to End Users
synchronized from LDAP. Therefore at least one End User account must be delegated administrative access.
NOTE: There is a Recovery URL that may be used in case of SSO failure that is accessed with the default administration account,
if needed.
1.

Connect or switch to the RDP session for ad1.dcloud.cisco.com (198.18.133.1).

Launch Internet Explorer.

Page 198 of 257

Cisco dCloud

From the Cisco dCloud Homepage choose Cisco Unified Communications Manager to connect to
ucm1.dcloud.cisco.com. Optionally you may manually type https://ucm1.dcloud.cisco.com in the address bar.

From the Installed Applications list, click Cisco Unified Communications Manager.

Enter Username administrator and Password dCloud123!.

Click Login.

Use the menu to choose User Management > End User.

Click Find.

Click the hyperlink for user cholland (Charles Holland) to open the End User configuration page.

10. Scroll to the bottom of the page and locate the Permissions Information section. Notice that Charles Holland is currently
assigned to the Standard CCM End Users, and Standard CTI Enabled groups.
Figure 428. Permissions

11. Click Add to Access Control Group.

12. In the Find tool, user the drop-down menu to choose contains and type Super.
13. Click Find.
14. Choose Standard CCM Super Users.
Figure 429. Access Control Group

15. Click Add Selected.

16. Confirm that the Standard CCM Super Users group has been added to the Groups field.
Figure 430. Groups Listing

17. Click Save.

Page 199 of 257

Cisco dCloud

Obtain Metadata for the Unified CM and Unified IM and Presence Cluster
As part of the CoT (Circle of Trust) configuration between ADFS and Unified CM and Unified IM and Presence, the Metadata from
deployed Unified Collaboration nodes must be obtained. This will be used to create a Relying Party Trust on the IdP.
1.

Navigate to to System > SAML Single Sign-On.

Click on Export All Metadata.

Figure 431. Export Metadata

After a few seconds, click the Save As option on the bottom of the page to save to the SPMetadata.zip file.

Figure 432. Save As Dialog

.
4.

In the Save As file dialog, browse to the folder Desktop\CST-Jabber\SSO.

Click Save.

Figure 433. Save As Location

Page 200 of 257

Cisco dCloud

Minimize Internet Explorer and use the File Explorer to navigate to Desktop\CST-Jabber\SSO.

Right click the SPMetadata.zip file, choose Extract All and then click Extract.

Check that you have the following two files in the new Desktop\CST-Jabber\SSO\SPMetadata directory.

Figure 434. Zip File Contents

There will be one SPMetadata file generated for each node in the cluster since Unified CM automatically exports the Unified
CM and IM&P Metadata. The contents in each file define the parameters that will be used for the authorization process
between the SP (Unified CM and Unified IM and Presence) and the IdP (Microsoft AD FS).

SAML SSO Configuration for Microsoft ADFS2.0

This section will describe the steps to configure SAML SSO using Microsoft Active Directory Federation Services as the
Identity Provider (IdP).

Add a Relying Party Trust for Unified CM

A relying party trust must be added to Microsoft ADFS for every node in your deployment on which SSO will be enabled. Follow
these steps to add a Relying Party Trust for ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com.

Open the Active Directory Federation Services 2.0 Management Console by clicking the icon [

Click the link for Required:Add a trusted relying party.

] in the taskbar.

Figure 435. Add a Trusted Relying Party

Click Start to begin the Add Relying Party Trust Wizard.

From the Choose Data Source screen, click the Import data about the relying party from a file radio button.

Page 201 of 257

Cisco dCloud

Figure 436. Import Data Source

Click Browse.

Use the Browse for Metadata file dialog to navigate to the Desktop\CST-Jabber\SSO\SPMetadata directory.

Choose the file SPMetadata_ucm1.dcloud.cisco.com.xml to choose the file for Unified CM.

Figure 437. File Explorer

Click Open.

Click Next.

10. On the Specify Display Name screen enter the following values:

Display name: ucm1.dcloud.cisco.com

Notes: Unified Communications Manager

Figure 438. Defining Screen Names

Page 202 of 257

Cisco dCloud

11. Click Next.

12. On the Choose Issuance Authorization Rules screen confirm that the Permit all users to access this relying party radio
button is selected.
Figure 439. Permit All Users to Access

13. Click Next.

14. Click Next on the Ready to Add Trust screen.
15. From the Finish screen, check the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
check box.
Figure 440. Open Edit Claim Rules

16. Click Close.

17. On the Edit Claim rules screen click the Add Rule button.

Page 203 of 257

Cisco dCloud

Figure 441. Add Rule

18. Choose the default Claim Rule template Send LDAP Attributes as Claims.
Figure 442. Choose Claim Rule

19. Click Next.

Caution: Use care when entering the Outgoing Claim Type value. The value uid must be typed in lowercase letters exactly as
specified, there is no matching menu value.
20. On the Configure Claim Rule screen set the following values:

Claim rule name: Send uid attribute

Attribute Store: Active Directory

LDAP Attribute: SAM-Account-Name

Outgoing Claim Type: uid

Page 204 of 257

Cisco dCloud

Figure 443. Configure Claim Rule Screen

21. Click Finish.

22. To add a second rule, click Add Rule.
23. From the Claim rule template drop-down list, choose Send Claims Using a Custom Rule.
24. Click Next.
NOTE: To prevent copy/paste errors and erroneous formatting during the Custom Claim Rules creation, 2 text files containing the
required claims format have been placed in the Desktop\CST-Jabber\SSO directory on ad1.dcloud.cisco.com.
25. In the Claim rule name field, type Send custom attributes.
26. Use the Windows File Exporer to navigate to the Desktop\CST-Jabber\SSO folder.
27. Locate the file SAML-SSO-Custom-Claims-Rule-ucm.txt.
28. Double click to open in the Notepad editor. Notice the custom portion of the rule highlighted in green below. The first row
specifies the IdP asserted ID, which can be found the in the exported Metadata from the ADFS instance. This will remain
constant for our environment. The second highlighted text entry specifies the Service Provider asserted identity supplied by
ucm1.dcloud.cisco.com in the exported Metadata field.
Figure 444. Claims Rule Information

29. Copy the file contents to the computer buffer by pressing Ctrl + C.
30. Close the notepad file when done.
31. Paste the contents of the file into the Custom Rule field by pressing Ctrl + V.

Page 205 of 257

Cisco dCloud

Figure 445. Configure Claim Rule

32. Click Finish.

33. Click Apply and then OK.

Add a Relying Party Trust for Unified IM and Presence

From the ADFS Management console choose Add Relying Party Trust from the Actions Menu in the right-hand pane.

Figure 446. Add Relying Party Trust

Click Start to begin the Add Relying Party Trust Wizard.

From the Choose Data Source screen, click the Import data about the relying party from a file radio button.

Click Browse.

Use the Browse for Metadata file.. dialog to navigate to the Desktop\CST-Jabber\SSO\SPMetadata directory.

Choose the file SPMetadata_imp1.dcloud.cisco.com.xml to choose the file for Unified CM.

Page 206 of 257

Cisco dCloud

Figure 447. Browse for Metadata File

Click Open.

Click Next.

On the Specify Display Name screen enter the following values:

Display name: imp1.dcloud.cisco.com

Notes: Unified IM and Presence

10. Click Next.

11. On the Choose Issuance Authorization Rules screen confirm that the Permit all users to access this relying party radio
button is selected.
Figure 448. Choose Issuance Authorization Rules

12. Click Next.

13. Click Next on the Ready to Add Trust screen.
14. From the Finish screen, check the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
check box.
Figure 449. Open Edit Claims Rules Dialog

Page 207 of 257

Cisco dCloud

15. Click Close.

16. On the Edit Claim rules screen click the Add Rule button.
17. Choose the default Claim Rule template Send LDAP Attributes as Claims.
Figure 450. Claim Rule Template

18. Click Next.

19. On the Configure Claim Rule screen set the following values:

Claim rule name: Send uid attribute

Attribute Store: Active Directory

LDAP Attribute: SAM-Account-Name

Outgoing Claim Type: uid

Figure 451. Claim Rule Settings

20. Click Finish.

21. To add a second rule, click Add Rule.
22. Choose Send Claims using a Custom Rule.
23. Click Next.
24. From the Claim rule template drop-down list, choose Send Claims Using a Custom Rule.
25. In the Claim rule name field, type Send custom attributes.
26. Use the Windows File Exporer to navigate to the Desktop\CST-Jabber\SSO folder.
27. Locate the file SAML-SSO-Custom-Claims-Rule-imp.txt. Double-click to open in the Notepad editor. Notice the custom
portion of the rule highlighted in green below. The first row specifies the IdP asserted ID which can be found the in the
exported Metadata from the ADFS instance. This will remain constant for our environment. The second highlighted text entry
specifies the Service Provider asserted identity supplied by imp1.dcloud.cisco.com in the exported Metadata field.

Page 208 of 257

Cisco dCloud

Figure 452. Custom Claims Rule Details

28. Copy the file contents to the computer buffer by selecting all the text and pressing Ctrl + C.
29. Close the notepad file when done.
30. Paste the contents of the file into the Custom Rule field pressing Ctrl + V.
31. Click Finish.
32. Click Apply and then OK.
33. The list of Relying Party Trusts should appear as follows when finished:
Figure 453. Relying Party Trusts

Enable SSO for Unified CM and IM and Presence

As with our configuration in ADFS to add an entry for both Unified CM and IM and Presence nodes, we must do the same to
complete the establishment of the Circle of Trust in Unified CM with the IdP details. The following exercise will detail the process
for enabling SSO from the Unified Communications Manager interface.
NOTE: For your convenience the IdP Metadata was exported from the ADFS2.0 instance on ad1.dcloud.cisco.com and has been
placed in the file: Desktop\CST-Jabber\SSO\FederationMetadata.xml. This file can be manually downloaded at
https://ad1.dcloud.cisco.com/FederationMetadata/2007-06/FederationMetadata.xml.
1.

From the RDP session connected to ad1.dcloud.cisco.com, open Internet Explorer and choose the tab connected to
ucm1.dcloud.cisco.com.

It is likely that the logon timer has expired. If so, login with Username: administrator and Password: dCloud123!.

Navigate to to System > SAML Single Sign-On.

Click Enable SAML SSO.

Page 209 of 257

Cisco dCloud

Figure 454. Enable SAML Single Sign-On

On the Warning Popup, click Continue.

Figure 455. Warning Message

Click Next. The IdP Metadata Trust File has already been obtained for you and is present in the Desktop\CST-Jabber\SSO
folder.

Click on Browse.

Browse to the Desktop\CST-Jabber\SSO\ folder and choose the file FederationMetadata.xml.

Figure 456. File Browser

Click Open.

10. Click Import IdP Metadata.

Figure 457. Import Metadata

11. Confirm that the import is successful.

Page 210 of 257

Cisco dCloud

Figure 458. Import Successful

12. Click Next.

13. Click Next on the next screen of the wizard. This screen is not relevant as we have already exported SP Metadata for
ucm1.dcloud.cisco.com and imp1.dcloud.cisco.com and used it to create a trust on the IdP.
NOTE: There is a 60-second timer running to complete the next few steps. If you do not enter the username and password in Step
16 below in time then you will get an error on the SSO Test as shown below.
14. The next process will verify the SAML Assertion with ADFS2.0. Click the user cholland, and then click Run SSO Test.
Figure 459. Run SSO Test

15. In the new window that pops up click Continue to this website.
16. When the Windows Security login prompt appears enter Username: cholland and Password: C1sco12345.
17. Click OK.
Figure 460. Login Prompt

18. Check if the output message indicates a successful result. SSO Metadata Test Successful.

Page 211 of 257

Cisco dCloud

Figure 461. Test Successful

19. Click Close.

20. Click Finish.
21. You have now successfully completed the basic configuration tasks to enable SSO on UCM using ADFS2.0. Close the web
browser so it clears all of the session cookies.
Figure 462. Process Initiated

NOTE: It is VERY important to close and reopen Internet Explorer. You are asked to do this several times in this lab. Please be
sure to perform this step, as it will clear the cookies from the browser and make it request new login information from the server.
22. Minimize the Remote desktop Connection to ad1.dcloud.cisco.com.

Verify operation on Unified CM SSO functionality

In the next activity, you will test SSO with a Username and Password from wkst1.dcloud.cisco.com (198.18.133.36).
1.

Switch focus to the RDP session connected to from wkst1.dcloud.cisco.com (198.18.133.36).

If the Cisco Jabber client is still open from a previous activity, close it by choosing Menu > Exit.

If either Internet Explorer and/or Firefox are open from a previous activity, close them as well.

Launch Internet Explorer, from the Cisco dCloud homepage and navigate to Collaboration Admin Links > Cisco Unified
Communications Manager. Optionally you may navigate to https://ucm1.dcloud.cisco.com.

Notice under Installed Applications there is a new option for Recovery URL to bypass Single Sign-on (SSO). If the new
link is not visible, continue to refresh your browser until it appears.

Figure 463. Recovery URL

The SSO recovery link may be used in cases where the SSO IdP has failed. This allows for authentication with the default
administrative application user, providing a mechanism for administration and recovery.

Page 212 of 257

Cisco dCloud

Click the hyperlink for Cisco Unified Communications Manager under Installed Applications.

NOTE: If you get a 404 error this means the Tomcat service is still restarting. Refresh your browser until you get a login screen.
8.

Observe that in place of the Unified Communications Manager Administration webpage you are now presented with a
Windows authentication prompt. If you do NOT see a windows authentication prompt, move to the Troubleshooting note
below, complete the steps to disable, and re-enable SSO. Otherwise Proceed to step 23 of this activity.

Troubleshooting: In rare instances, the first time you enable SSO on Unified CM it will not work on the Administration
page initially but it will work on the Self Care Portal. The quick fix for this is to disable and then re-enable SSO. The next few
steps will first test SSO with the Self Care Portal and then proceed to disable SSO so you can complete the steps above again to
re-enable SSO.
9.

Click the home button to go back to the Cisco dCloud links page.

10. Navigate to Collaboration Admin Links > Cisco Unified Communications Manager.
11. Click the Cisco Unified Communications Self Care Portal link.
12. This time you should receive an SSO login, which proves that SSO is enabled. There is no need to login at this time. First, you
will disable SSO.
13. Navigate back to the Unified CM administration page at Collaboration Admin Links > Cisco Unified Communications
Manager and click Cisco Unified Communications Manager.
14. Login with Username: administrator and Password: dCloud123!.
15. Navigate to System > SAML Single Sign-On.
16. Click Disable SAML SSO and then Continue.
17. Close the browser and then reopen it.
18. Navigate back to the Unified CM administration page at Collaboration Admin Links > Cisco Unified Communications
Manager.
19. If you still see the Recovery URL to bypass Single Sign On (SSO) link then SSO is still disabled. Keep refreshing your page
until that link disappears.
20. Once the link disappears, click the Cisco Unified Communications Manager link and login with Username: administrator
and Password: dCloud123!.
21. Navigate to System > SAML Single Sign-On.
22. Follow this link to run through the steps in this section again and re-enable SSO. You should then have a successful SSO test
and continue with the rest of this lab.
23. Login as cholland with password C1sco12345 and click OK to continue.

Page 213 of 257

Cisco dCloud

24. Confirm that authentication succeeds and you are presented with the Unified Communications Manage administration
page.
Before enabling SSO, the Unified CM admin page prompted you with a HTML form for username and password. After enabling
SSO, Unified CM is no longer responsible for handling Authentication; rather Unified CM redirects the client request to the IdP
(ADFS). It is the IdP prompting you with a basic username and password pop-up.

Verify Operation of SSO for Unified IM and Presence

To complete the configuration of SSO for Unified IM and Presence, we must initiate an SSO test from the SAML SSO
administration interface. Since we have already created a Relying Party Trust in ADFS for imp1.dcloud.cisco.com and have
enabled SSO for the cluster, we will run the SSO test utility from the Unified Communications Manager Administration
interface.
1.

Navigate to System > SAML Single Sign-On.

Click the Run SSO Test Button associated with the imp1.dcloud.cisco.com node.

Choose user cholland.

Click Run SSO Test.

Click on Continue to this website (not recommended).

Click OK.

NOTE: You may not be prompted to authenticate, as you have already authenticated to ucm1.dcloud.cisco.com and since SSO is
active for the Unified CM and Unified IM and Presence Cluster the active authentication token is used.
7.

Confirm the output message SSO Test Succeeded.

Figure 464. SSO Test Succeeded

Click Close.

Testing SSO Username/Password Authentication

In this activity, we will confirm the end-user experience in terms of SSO with username and password authentication and Cisco
Jabber. Remember that Username/Password authentication is enabled by default with no additional configuration.
1.

Maintain focus or switch to the RDP session connected to wkst1dcloud.cisco.com (198.18.133.36).

Close any active web browser sessions connected to either ucm1.dcloud.cisco.com or imp1.dcloud.cisco.com.

Page 214 of 257

Cisco dCloud

Launch Internet Explorer and Navigate to Collaboration Admin Links > Cisco Unified Communications Manager.

From the Installed Applications list, click the hyperlink for Cisco Unified Communications Self Care Portal.

Figure 465. Self Care Portal

When the Windows Security login prompt appears, enter Username: cholland and Password: C1sco12345.

Figure 466. Login Prompt

Click OK.

Confirm that the Unified Communications Self-Care portal page for Charles Holland is displayed.

Figure 467. Self Care Portal Landing Page

Launch Cisco Jabber by double clicking on the desktop icon.

When the Windows Security login prompt appears, login with Username: cholland and Password: C1sco12345.

10. Confirm that Jabber is authenticated successfully and the interface displays as expected for user Charles Holland.

Page 215 of 257

Cisco dCloud

NOTE: Even though Charles Holland had an active authentication session via SSO to the Unified CM Self-Care portal, credentials
were required when logging into Cisco Jabber. This behavior will change when Kerberos authentication is enabled.

Enable Kerberos Authentication for SSO

In this section, you are going to utilize the fact that the user is logged in to Active Directory. This will remove the username and
password prompt at the SSO server and instead let the web browser use the Kerberos authentication mechanism of the Windows
Domain to automatically supply the credentials of the Logged in user. No user interaction will be required for authentication via
SSO to complete.
NOTE: By default, AD FS 2.0 has Kerberos authentication enabled with priority over username/password authentication. The
configuration required is performed within the client web-browser, in this case Internet Explorer.

Configuring Microsoft Internet Explorer for Kerberos-based authentication

Modify the security settings in Microsoft Internet Explorer to permit Kerberos authentication on intranet sites.
1.

Switch focus to the RDP session actively connected to wkst1.dcloud.cisco.com (198.18.133.36).

Open Internet Explorer and click the Tools icon [

], then choose Internet options from the menu.

Figure 468. Internet Options

Choose the Security tab and choose Local intranet.

Click the Sites button.

Figure 469. Security Tab

Page 216 of 257

Cisco dCloud

In the Local intranet configuration screen, place a checkmark in the Automatically detect intranet network option.

Click Advanced.

In the Add this website to the zone field type *.dcloud.cisco.com.

Click Add.

Click Close.

Figure 470. Secure Zones

10. Click OK on the Local intranet configuration screen to close the dialog.
11. From the Security tab, click the button Custom level.
12. Scroll to the bottom of the dialog to User Authentication settings.
13. Click the radio button for Automatic logon only in Intranet zone.
Figure 471. User Authentication Mode

14. Click OK to apply this change.

15. Click Yes to acknowledge the warning and proceed.
Figure 472. Acknowledge Warning Message

16. Click the Apply button, followed by the OK button.

17. Close the Internet Explorer browser and re-open.

Page 217 of 257

Cisco dCloud

Verify operation of Kerberos based Authentication

NOTE: Be sure to close and re-open Internet Explorer if you have not done so after making the Kerberos configuration changes in
the previous activity. Close Cisco Jabber if it is open by choosing Menu > Exit.
Because Cisco Jabber for Windows uses the settings defined in Microsoft Internet Explorer to control Keberos authentication, it will
use the Kerberos authentication token already active due the workstation login session and authenticate the user against the IdP.
1.

Switch focus to the RDP session actively connected to wkst1.dcloud.cisco.com (Charles Holland).

Close cisco Jabber if currently open by choosing Menu > Exit.

From the open Internet Explorer window navigate to Collaboration Admin Links > Cisco Unified Communications
Manager.

Under the Installed Applications list, click the hyperlink for Cisco Unified Communications Self Care Portal.

Confirm that you are directed to the Self Care portal for user Charles Holland without being challenged to authenticate.

Double-click the Cisco Jabber shortcut on the workstation desktop to launch the application.

Observe that Jabber launches and authenticates without challenging the user for credentials.

Page 218 of 257

Cisco dCloud

Module 3(b): Extending (SSO) to the Collaboration Edge

NOTE: This module builds on the SAML Single Sign-On configuration performed in Module 3(a) and requires a fully functional
Mobile and Remote Access (MRA) solution based on the completion of Module 2.

Module Overview
This module builds on the Mobile and Remote Access configuration and the SAML SSO deployment developed through the
completion of Modules 2 and 3a. Cisco Expressway may be configured to enable single sign-on for endpoints access Unified
Communications services from outside the network.
The functionality relies on the secure traversal capabilities of the Expressway pair at the edge, and the established CoT (Circle of
Trust) between Internal Service Providers (SPs) such as Unified CM and Unified IM and Presence and an externally resolvable
Identity provider (IdP).
All authentication responsibility is owned by the IdP with authentication directly to the configured SPs.

Identity Transaction Flow

Cisco Jabber uses DNS service discovery to determine whether it is operating internal to or external to the services within the
organizations network. If the _collab-edge._tls.example.com DNS record is resolved it will proceed as normal to attempt
registration via MRA. If single sign-on is enabled on Expressway, the Expressway-E redirects Jabber to the IdP with a request to
authenticate the user.
The IdP challenges the client to identify itself, and if the identity is authenticated, the IdP redirects Jabbers service request back to
Expressway-E with a signed assertion that the identity is authentic.
The Expressway-E is configured to trust the IdP, so it will pass the request to the appropriate service inside the network. The
Unified Communications SPs are already provisioned as part of the Circle of Trust with the IdP, and Expressway pair, so they
provide the requested services to the Jabber client.

Page 219 of 257

Cisco dCloud

Figure 473. Cisco Collaboration Edge Architecture

NOTE: In a production environment, it is customary to place a secondary, externally reachable IdP in a DMZ network. In the case
of AD FS, this would be an AD FS proxy. Our environment uses only a single IdP resolvable by both the internal SPs and the
External SP (Expressway-E).

Pre-Requisites
The following are pre-requisites for deployment of SSO over the Collaboration Edge.

Expressway-C and Expressway-E are fully configured to provide secure Unified Communications traversal

The SIP domain that will be accessed via SSO is configured on Expressway-C

The Expressway-C is in Mobile and Remote Access mode and has discovered the Unified CM Topology

The hostnames of all Unified CM nodes have been added to the HTTP server allow list on the Expressway-C

Cisco Jabber clients are configured to request the internal services using the correct domain names, SIP URIs, and
Chat Aliases

The default browser of the client can resolve the Expressway-E and IdP

The IdP must be resolvable in DNS

The IdP must support SAML 2.0

Module Objectives
In this module, we will perform the following tasks:

Extend the existing Circle of Trust (CoT) between AD FS 2.0 (IdP) to include the Expressway pair (SP)

Enable SSO for Mobile and Remote Access

Page 220 of 257

Cisco dCloud

Move Workstation 2 to the External network and confirm authentication and authorization through Expressway using
SSO.

Test Username/Password Authentication over SSO through MRA.

Page 221 of 257

Cisco dCloud

Prepare to Enable SAML SSO for Expressway

IdP Configuration on Cisco Expressway-C
In this activity, we will import the FederatationData.xml file into the configuration for Expressway-C to establish a trust relationship
between Expressway and ADFS.
1.

Switch to or open the RDP session connected to ad1.dcloud.cisco.com (198.18.133.1).

Open the Firefox web browser and Navigate to Collaboration Admin Links > Cisco Expressway-C.

Login with Username admin and Password dCloud123!.

Navigate to Configuration > Unified Communications > Identity providers (IdP).

Figure 474. Identity Providers

Click the Import new IdP from SAML button.

Figure 475. Import New IdP from SAML

Click on Browse.

Browse to the Desktop\CST-Jabber\SSO\ folder and choose the file FederationMetadata.xml.

Figure 476. IdP File

Click Open.

Click the Upload button.

10. Confirm that an entry for ADFS on ad1.dcloud.cisco.com is present.

Page 222 of 257

Cisco dCloud

Figure 477. Import Success

Assign Domain for IdP

Associate a services domain for use with the defined IdP.
1.

From the Configuration > Unified Communications > Identity providers (IdP) page, locate the IdP entry with Entity ID
http://ad1.dcloud.cisco.com/adfs/services/trust.

Under the Actions column, click the hyperlink for Associate domains.

Place a checkmark in for each domain in the list:

uk.dcloud.cisco.com

dcloud.cisco.com

alpha.com

Figure 478. Associate Domains

Click Save.

Export SP Metadata from Expressway-C

To define the relying party trust in ADFS for Expressway we will need to obtain the Service Provider Metadata.
1.

Navigate to Configuration > Unified Communications > Export SAML data.

Notice that what we are actually downloading is Metadata from the Expressway-E peered to this Expressway-C system.

Under the Export SAML data section, click the Download button.

Page 223 of 257

Cisco dCloud

Figure 479. Download SAML Data

Choose the Save File radio button and click OK.

Use the Save As dialog to save the resulting xml file to the Desktop\CST-Jabber\SSO folder.

SAML SSO Configuration for Microsoft AD FS 2.0

Add a Relying Party Trust for Cisco Expressway-E
A relying party trust must be added to Microsoft AD FS for each Expressway-E in the cluster. Follow these steps to add a Relying
Party Trust for exp-e-1.dcloud.cisco.com.
1.

From the RDP session connected to ad1.dcloud.cisco.com (198.18.133.1).

Open the Active Directory Federation Services 2.0 Management Console by clicking the icon [

From the AD FS Management console choose Add Relying Party Trust from the Actions Menu in the right-hand pane.

] in the taskbar.

Figure 480. Add Relying Party Trust

Click Start to begin the Add Relying Party Trust Wizard.

From the Choose Data Source screen, click the Import data about the relying party from a file radio button.

Click Browse.

Use the Browse for Metadata file.. dialog to navigate to the Desktop\CST-Jabber\SSO\ directory.

Choose the XML filename that begins saml_exp-c-1 downloaded in the previous step.

Click Open.

Page 224 of 257

Cisco dCloud

10. Click Next.

11. On the Specify Display Name screen enter the following values:

Display name: exp-e-1.dcloud.cisco.com

Notes: Expressway-E

12. Click Next.

13. On the Choose Issuance Authorization Rules screen confirm that the Permit All Users to access this relying party radio
button is selected.
Figure 481. Issuance Authorization Rules

14. Click Next.

15. Click Next on the Ready to Add Trust screen.
16. From the Finish screen, check the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
check box.
Figure 482. Edit Claim Rules Option

17. Click Close.

18. On the Edit Claim rules screen click the Add Rule button.
19. Choose the default Claim Rule template Send LDAP Attributes as Claims.

Page 225 of 257

Cisco dCloud

Figure 483. Claim Rule Template

20. Click Next.

21. On the Configure Claim Rule screen set the following values:

Claim rule name: Send uid attribute

Attribute Store: Active Directory

LDAP Attribute: SAM-Account-Name

Outgoing Claim Type: uid

Figure 484. Claim Rule Settings

22. Click Finish.

23. Click OK to close the Edit Claim Rules dialog.
24. Observe that an entry for exp-e-1.dcloud.cisco.com is now present in the list of Relying Party Trusts.
Figure 485. Relying Party Trusts Status

Set Relying Party Trust Properties for Expressway-E

To ensure that AD FS formulates the SAML responses as Expressway-E expects them we will use the Microsoft Windows
PowerShell utility to configure the following properties assigned to the Relying Party Trust entity for Expressway-E:

SAMLResponsSignature

Page 226 of 257

Cisco dCloud

SignatureAlgorithm

Instruct ADFS to sign both the message and assertion during negotiation

Instruct ADFS to use the SHA1 hashing algorithm for encryption

Right click the icon for the Windows PowerShell in the task bar and click Import system modules to launch Windows
PowerShell with system module commands for AD FS.

Figure 486. Import System Modules

Copy and paste the following command text and then press Enter.

Set-ADFSRElyingPartyTrust -TargetName "exp-e-1.dcloud.cisco.com" -SAMLResponseSignature MessageAndAssertion

-SignatureAlgorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1

A succesful command will result in NO return data as shown below.

Figure 487. PowerShell Output

Close the Windows PowerShell.

Enable SSO for Cisco Expressway

In the next section, we finalize our configuration by turning on Single Sign-On support. Signle Sign-On support for Unified
Communications must be enabled on both Expressway-C and Expressway-E to complete the process.

Enable Single Sign-On for Expressway-C

Swith to the RDP session connected to ad1.dcloud.cisco.com.

Open the Firefox web browser and navigate to Collaboration Admin Links > Cisco Expressway-C. Optionally, navigate to
https://exp-c-1.dcloud.cisco.com.

Login with Username: admin and Password: dCloud123!.

Page 227 of 257

Cisco dCloud

Navigate to Configuration > Unified Communications > Configuration.

Locate the section of the page labeled Single Sign-On.

From the Single Sign-On support drop-down menu change the value from off to on.

Figure 488. Single Sign-On Support

Click Save.

Enable Single Sign-On for Expressway-E

Open a new tab in Firefox and choose Collaboration Admin Links > Cisco Expressway-E.

Login with Username: admin and Password: dCloud123!.

From the menu choose Configuration > Unified Communications > Configuration.

Locate the section of the page labeled Single Sign-On.

From the Single Sign-On support drop-down menu, choose On.

Set the value of Check for internal SSO availability to No.

Figure 489. Single Sign-On Settings

Click Save.

NOTE: Check for internal SSO availability setting controls whether the Expressway-C will check if the user's home Unified CM
node has SSO available. By choosing No, the Expressway-E always tells the client that SSO is available, without actually checking
the home node. This results in reduced traffic on the internal network; however this should ONLY be used when ALL nodes
have SSO available.

Verify operation on Unified CM SSO functionality

In the next activity, you will test SSO over MRA with a Username and Password after moving Workstation to the external network
in order to confirm that the Single Sign-On Assertion chain is complete.

Page 228 of 257

Cisco dCloud

Move Workstation 2 to the External Network

NOTE: This procedure will disconnect the active RDP session, which is the expected result.
1.

Switch focus to the RDP session connected to wkst2.dcloud.cisco.com (198.18.133.37).

If Cisco Jabber is open, close it by choosing Menu > Exit.

Navigate to the Desktop and locate the windows batch executable named External Network On.

Figure 490. Windows Batch File

Double-click the file to execute the migration procedure.

This will disconnect the active RDP session as expected.

Connect to Workstation 2 on the External Network

10. From the Student Laptop, open the Remote Desktop Connection client program.
11. Click Options.
12. On the General tab under Connection Settings, click Open.
13. Browse the location where you saved the RDP session definition wkst2-ext.
Figure 491. Saved RDP Sessions

14. Choose the file and click Open.

15. Confirm that the settings match the graphic.

Page 229 of 257

Cisco dCloud

Figure 492. Logon Settings

16. Click Open.

17. Acknowledge any certificate warnings and proceed.
18. When prompted for the password, type C1sco12345.

Launch Cisco Jabber from Workstation 2 External using SSO

Launch Cisco Jabber by double clicking on the desktop icon.

Notice that a Windows Security authentication prompt is displayed, rather than the Cisco Jabber Sign-In prompt.

Login with Username: aperez and Password: C1sco12345.

Figure 493. Login Prompt

Verify that authentication succeeds and that all services are available.

Page 230 of 257

Cisco dCloud

Figure 494. Login Successful

Confirm SSO Operational State

With SSO support for Mobile and Remote Access fully enabled and tested, several new sources of information under the Status >
Unified Communications page of the Cisco Expressway-C are now available.
1.

Switch focus to the RDP session connected to wkst1.dcloud.cisco.com (198.18.133.36).

In the active Firefox browser, choose the tab connected to Expressway-C (exp-c-1).

If the logon timer has expired, login with Username: admin and Password: dCloud123!.

From the menu, navigate to Status > Unified Communications.

Observe the new SSO related data present in the Activity section of the page. These describe the number of SSO access
requests and responses made by Expressway during assertion.

Figure 495. SSO Assertion Data

SSO provisioned sessions indicates the number of MRA connections made using SSO

View detailed SSO statistics provides detailed information about SSO processing on Expressway

View and manage active SSO token holders provides a convenient interface for validation and troubleshooting of
active SSO user session via MRA.

Click the hyperlink for View and manage active SSO token holders.

Page 231 of 257

Cisco dCloud

Observe that a single active token holder is displayed: aperez. This is as a direct result of the SSO testing performed in the
previous activity.

Figure 496. SSO Token Holders

Click the hyperlink for aperez to view details about the active authentication tokens associated with this user. An entry is
present for both Unified CM and Expressway. If we had provisioned Unity Connection as part of the SSO module, an entry for
this would be present as well.

Figure 497. SSO Tokens for Anita Perez

This completes the Extension of SAML SSO to the Collaboration Edge with Cisco Expressway.

Page 232 of 257

Cisco dCloud

Appendix A: PostgreSQL Installation on CentOS

Installation of PostgreSQL Server 9.4.1
Edit the YUM Repository
For procedural documentation visit: https://wiki.postgresql.org/wiki/YUM_Installation
1.

Log into the target CentOS 7 host with Root Privileges or as a user with sudo privileges.

To edit the YUM repository configuration file on CentOS type.

nano /etc/yum.repos.d/CentOS-Base.repo

Locate the [base] and [updates] section of the file and append the line exclude=postrgres*.

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
exclude=postgresql*
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
exclude=postgresql*

Save the file and exit the nano editor.

Download Installation Packages and Dependencies with YUM

Download the PostgreSQL server and package dependencies by typing:

yum localinstall http://yum.postgresql.org/9.4/redhat/rhel-7-x86_64/pgdg-centos94-9.4-1.noarch.rpm

Observe the following output:

Dependencies Resolved
============================================================================================================
=====================================
Package
Arch
Version
Repository
Size
============================================================================================================
=====================================
Installing:
pgdg-centos94
noarch
9.4-1
/pgdg-centos949.4-1.noarch
2.1 k
Transaction Summary
============================================================================================================
=====================================
Install 1 Package

Page 233 of 257

Cisco dCloud

Total size: 2.1 k

Installed size: 2.1 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : pgdg-centos94-9.4-1.noarch
1/1
Verifying : pgdg-centos94-9.4-1.noarch
1/1
Installed:
pgdg-centos94.noarch 0:9.4-1
Complete!

Check for a list of resolved packages and dependencies by entering the following command:

yum list postgres*

Available Packages
postgresql94.x86_64
pgdg94
postgresql94-contrib.x86_64
pgdg94
postgresql94-debuginfo.x86_64
pgdg94
postgresql94-devel.x86_64
pgdg94
postgresql94-docs.x86_64
pgdg94
postgresql94-jdbc.noarch
pgdg94
postgresql94-jdbc-javadoc.noarch
pgdg94
postgresql94-libs.x86_64
pgdg94
postgresql94-odbc.x86_64
pgdg94
postgresql94-odbc-debuginfo.x86_64
pgdg94
postgresql94-plperl.x86_64
pgdg94
postgresql94-plpython.x86_64
pgdg94
postgresql94-pltcl.x86_64
pgdg94
postgresql94-python.x86_64
pgdg94
postgresql94-python-debuginfo.x86_64
pgdg94
postgresql94-server.x86_64
pgdg94
postgresql94-test.x86_64
pgdg94

9.4.4-1PGDG.rhel7
9.4.4-1PGDG.rhel7
9.4.4-1PGDG.rhel7
9.4.4-1PGDG.rhel7
9.4.4-1PGDG.rhel7
9.3.1101-2.rhel7
9.3.1101-2.rhel7
9.4.4-1PGDG.rhel7
09.03.0400-1PGDG.rhel7
09.03.0400-1PGDG.rhel7
9.4.4-1PGDG.rhel7
9.4.4-1PGDG.rhel7
9.4.4-1PGDG.rhel7
4.1.1-1PGDG.rhel7
4.1.1-1PGDG.rhel7
9.4.4-1PGDG.rhel7
9.4.4-1PGDG.rhel7

Note that postgresql94-serverx86_64 is returned as part of the command. We are ready to install the postgresql server software.

Page 234 of 257

Cisco dCloud

Install PostgreSQL Server 9.4.1 and Dependencies

Initiate the installation by issuing the following command:

yum install postgresql94-server

If PostrgreSQL 9.4.1 installation is successful, output should appear as follows (some output omitted).

Installed:
postgresql94-server.x86_64 0:9.4.4-1PGDG.rhel7
Dependency Installed:
postgresql94.x86_64 0:9.4.4-1PGDG.rhel7
1PGDG.rhel7

postgresql94-libs.x86_64 0:9.4.4-

Complete!

Initialize PostgreSQL and Start Services

Initialize the PostgreSQL Database
Next, we must initialize the Postgres SQL Server Software
1.

Type the following command to initialize the PostgreSQL database with default parameters.

/usr/pgsql-9.4/bin/postgresql94-setup initdb

Confirm that the command returns the following result: Initializing database ... OK.

Enable Automatic Service Statrup

To enable automatic service startup with OS Boot, type the following command:

chkconfig postgresql-9.4 on

Start PostgreSQL Services

Services must be started for the first time to begin interacting with the software.
1.

Type the following command to start the PostgreSQL server:

service postgresql-9.4 start

Output will appear as follows to indicate successful entry.

Redirecting to /bin/systemctl start

postgresql-9.4.service

Check to ensure that the PostgreSQL process is actively running:

ps -ef | grep pgsql

At least one server process should be running as below:

postgres

8654

0 15:57 ?

00:00:00 /usr/pgsql-9.4/bin/postgres -D /var/lib/pgsql/9.4/data

Notice that the process is running as OS user postgres, which is automatically created during the package installation.

Page 235 of 257

Cisco dCloud

Configure Authentication and Access

Set the Password for Database User postgres
On Windows and OS X, the default password is postgres. However, on Linux systems, there is no default password set. This is
required to gain superuser access to create and modify databases and users.
1.

Switch User to postgres.

su postgres

Use the psql client utility to connect to the PostgreSQL instance which is accessible locally, as user postgres with no
password.

psql postgres

Use the \password <username> command to the set the postgres user password.

postgres=# \password postgres

Enter new password: <yourpasswordhere>
Enter it again: <yourpasswordhere>

Quit the psql client utility by typing \q.

postgres=# \q

Exit the postgres user shell to return to Root.

Allow Local and Remote Connections via PW authentication by editing the pg_hba.conf
Use the following command to edit the authentication parameter file to enable password based authentication for local and remote
connections.
1.

Use the nano editor to make the following modifications to the pg_hba.conf file.

nano /var/lib/pgsql/9.4/data/pg_hba.conf

Items in bold red typeface where added/modified.

# TYPE

DATABASE

USER

ADDRESS

# "local" is for Unix domain socket connections only

local
all
all
# IPv4 local connections:
host
all
all
127.0.0.1/32
host
all
all
192.18.133.0/24
# IPv6 local connections:
host
all
all
::1/128

METHOD

md5
md5
md5
md5

Pres Ctrl+Shift+X to exit and save when prompted.

Edit PostgreSQL Configuration File postgresql.conf

Modify the configuration to allow connections from remote hosts, confirm the TCP listening port, set global parameters required for
integration with Cisco Unified IM and Presence.

Page 236 of 257

Cisco dCloud

Use the nano editor to make the following modifications to the postgresql.conf file.

nano /var/lib/pgsql/9.4/data/postgresql.conf

Edit the listen_addresses parameter by uncommenting and setting the value to * to enable listening on all configured IP
interfaces.

listen_addresses = '*'

Confirm that the TCP port is set to 5432.

port = 5432

Set the escap_string_warning and standard_confirming_strings values to off. This is a requirement for using PostgreSQL
to provide external database services for Cisco Unified IM and Presence.

escape_string_warning = off
standard_conforming_strings = off

Restart PostgreSQL for configuration changes to take effect.

service postgresql-9.4 restart

Add a Firewall Rule in CentOS

The built-in firewall process in CentOS Linux iptables must be updated to permit incoming IP connections on TCP port 5432 in
order for database connectivity between Cisco Unified IM and Presence and the PostgreSQL server.
1.

Type the following command to make a permanent iptables permit for TCP/5432.

firewall-cmd --permanent --add-port=5432/tcp

Reload the iptables process to make the configuration changes effective.

firewall-cmd --reload

Page 237 of 257

Cisco dCloud

Appendix B: AD FS 2.0 Install and Configuration

NOTE: This chapter is for your reference only; everything has been already done for you. You can read this section and use it in
future deployments. All these changes have already been made in the master images.

How to install Microsoft AD FS2.0

After having installed a Windows 2008 R2 Server with DNS role, you need to promote the server to Domain Controller (Deploy
Active Directory).
The next task will be installing Microsoft Certificate Services.
1.

Go to Server Manager and in Roles click Add Roles.

Figure 498. Server Manager

Click the box for the Active Directory Certificate Services Role. Click Next.

Figure 499. AD Certificate Services Role

You have the option to deploy additional services. Deploy the services Certificate Authority and Certificate Authority Web
Enrollment, at that time another Wizard will start to add extra Roles for IIS.

Page 238 of 257

Cisco dCloud

Figure 500. Additional Services

For the setup type, you choose Enterprise, it should be what you see in most of our customer installations, but it makes no
difference for our specific deployment, could even be Standalone CA. Click Next.

Figure 501. Setup Type

Page 239 of 257

Cisco dCloud

For the CA Type you choose Root CA, since you do not have other CA already running in our organization.

Figure 502. CA Type

The next step will be to create the private key for your CA. Choose this option and click Next.

Figure 503. Private Key

After configuring the CA, you need to configure the Sole Services for IIS, since it is necessary for the Web Enrolment of the
CA. For our ADFS deployment you will need an extra Role in IIS, click on ASP.NET under Application Development.

Page 240 of 257

Cisco dCloud

Figure 504. Add Role

In the Server Manager click on Web Server > IIS, and then right click on Default Web Site. You need to change the Binding
to allow HTTPS along with HTTP.

Figure 505. Server Manager

After you right-click, you need to choose Edit Bindings.

Page 241 of 257

Cisco dCloud

Figure 506. Edit Bindings

10. Add a new Site Bindings and choose https as the type. Choose for SSL certificate the server certificate that should have the
same FQDN as your Ad1 server (ad1.cloud.cisco.com).
Figure 507. Adding HTTPS to Bindings

Everything is complete from a platform perspective, now you need to install AD FS 2.0. In the roles that you have in the server
manager you will see AD FS but that version is version 1.0 and does not provide SAML.
Therefore, you need to go on the web to get AD FS 2.0.
11. Go to the link http://www.microsoft.com/en-us/download/details.aspx?id=10909. Set the language and click the Continue
button.

Page 242 of 257

Cisco dCloud

Figure 508. Download Center

12. Choose the correct version for your OS. In our case, it is the first check box for Windows 2008 R2. Click Download.
13. Double-click on the AdfsSetup.exe file that you downloaded.
14. For the Server Role choose the Federation Server, since you are installing the IdP to be inside the customer network in the
private LAN. Click Next.
Figure 509. Server Role

15. The product is installed and you can open it from the taskbar or start menu.

Page 243 of 257

Cisco dCloud

Figure 510. AD FS 2.0

ADFS 2.0 initial configuration

Launch the ADFS Management console. You may need to perform a search from the start menu if not listed. Start >
Administrative Tools > AD FS 2.0 Management is the typical path.

Figure 511. AD FS 2.0 Management

Click the AD FS 2.0 Federation Server Configuration Wizard option to start your ADFS server configuration.

Page 244 of 257

Cisco dCloud

Figure 512. AD FS 2.0 Configuration Wizard

Choose Create a new Federation Service and click Next.

Figure 513. Create a New Federation Service

Choose Stand-alone Federation Server and click Next.

Page 245 of 257

Cisco dCloud

Figure 514. Stand-alone Federation Server

Under SSL certificate, choose the ad1.dcloud.cisco.com certificate from the list. The Federation Service name will autopopulate. Click Next.

Figure 515. SSL Certificate

Review the settings and click Next to apply the settings.

Page 246 of 257

Cisco dCloud

Figure 516. Settings Summary

Confirm all the components have completed successfully and click Close to end the wizard and return to the main
management console. This may take a few minutes.

ADFS is now effectively enabled and configured as an Identity Provider (IdP). Next, you need to add Cisco UCM as a trusted
Relying partner. Before you can to this, you need to configure Cisco UCM Administration.

Setting up Certificates Services on the Active Directory Server

Re-open the Remote Desktop Connection to ad1.dcloud.cisco.com.

Open Server Manager and expand Roles > Web Server(IIS). Click Add Role Services.

Page 247 of 257

Cisco dCloud

Figure 517. Server Manager

Click Security > IIS Client Certificate Mapping Authentication, click Next and let it install.

Figure 518. Certificate Mapping Authentication

Page 248 of 257

Cisco dCloud

Appendix C: Adding Client-Server Template to Microsoft Certificate

Services
In this lab, you generated your own certificates using the Microsoft CA role. However, the base install of the CA role needed to be
modified to support the type of certificate the Expressways require. In this appendix, you will find the steps to add the new ClientServer template that was pre-configured for you.
1.

From within your RDP session to AD1 open the Certificate Authority application by going to Start > All Programs >
Administrative Tools > Certification Authority.

Click the plus (+) sign next to dcloud-AD1-CA to expand it and click on Certificate Templates below.

Right click on Certificate Templates and choose Manage from the pop-up menu.

Right click on Web Server and choose Duplicate Template from the pop-up menu.

Verify Microsoft Server 2003 Enterprise is selected and then click OK.

Configure the following parameters for the New Template.

Template display name: ClientServer

Template name: ClientServer (pre-populated)

Click the Request Handling tab and click the checkbox for Allow private key to be exported

Click the Extensions tab

Verify that Application Policies is selected and then click Edit

Click Add

Click to highlight Client Authentication from the list, click OK, and then click OK to confirm the addition

Click OK one more time to save the new template

Close the Certificate Template Console by using the X in the top right corner of the window.

Right click on Certificate Templates and choose New > Certificate Template to Issue from the pop-up menu.

Click ClientServer from the list to highlight it and then click OK.

10. Close the Certificate Authority (certsrv) console.

Page 249 of 257

Cisco dCloud

Appendix D: Table of Documents

Reference documents related to Cisco products and technology used in the creation of this Lab Guide are listed below.

Collaboration Systems Release 11

Cisco Collaboration System 11.x Solution Reference Network Designs (SRND)
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab11/collab11.html

Expressway x8.5
Unified Communications Mobile and Remote Access via Cisco Expressway
http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Mobile-Remote-Access-viaExpressway-Deployment-Guide-X8-5.pdf

Unified CM and IM and Presence

Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager, Release 11.0(1)
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/configAdminGuide/11_0_1/CUP0_BK_C36EBE60_00_c
onfig-admin-guide-110.html
IM and Presence Service External Database Setup
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/database_setup/10_5_2/CUP0_BK_D4BFFAC9_00_dat
abase-setup-guide-imp-1052/CUP0_BK_D4BFFAC9_00_database-setup-guide-imp-1052_chapter_011.html

SAML SSO Deployment

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 10.5
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_guide/10_5_1/CUCM_BK_S52C3A64_00_s
aml-sso-deployment-guide-105.html

SAML SSO Configure Microsoft Active Directory Federation Services Identity Provider on Windows Platform
http://docwiki.cisco.com/wiki/SAML_SSO_Configure_Microsoft_Active_Directory_Federation_Services_Identity_Provider_on_Wind
ows_Platform

Page 250 of 257

Cisco dCloud

Appendix E: Errata
Steps of a SAML based authentication flow
Figure 519. SP-Initiated SSO (Redirect/POST binding)

The user tries to access a service or resource by pointing the browser to the URL hosted on the application server. The
browser at this moment does not have an active session with the service.

The SP realizes that the request originates from a client without an active session. Based on the SSO configuration the SP
now generates a SAML authentication request to be sent to the appropriate the IdP defined as part of SSO configuration. The
SAML request contains information about the SP generating the request. This is required so that the IdP can identify the SPs
sending SAML requests.

The SP does not communicate directly with the IdP to authenticate the user. Instead, the SP redirects the browser to the IdP.
The URL used for this redirect is taken from the IdP metadata exchanged earlier. The SAML request to be sent to the IDP is
included in the redirect as a URL query parameter using Base64 encoding.

The browser receives the redirect, follows the URL and issues the corresponding GET to the IdP. The SAML request is
maintained. The browser at this stage does not have an active session with the IdP

After receiving the new request from a browser with no active session, the IdP authenticates the user based on the preconfigured authentication mechanisms. Possible authentication mechanisms include user/password, PKI/CAC or Kerberos.
For user/password authentication, the IdP might push a form to the user to enter the credentials (e.g. 200 OK with IdP login
form). For the actual authentication, the IdP might depend on backend systems like for example an LDAP server for
user/password authentication.

Page 251 of 257

Cisco dCloud

One key point here is that the exchange of credentials for the purpose of authentication takes place between the IdP and the
browser. The SP is not involved and does not see the credentials.
6.

The browser provides further information required for the authentication process. For the user/password case, this would be a
POST with the information. For other authentication mechanisms, other details would need to be sent to the IdP by the
browser.

The IdP now checks and validates the provided credentials. The check could involve interactions with respective backend
systems (LDAP bind for user/password based authentication against LDAP, communication with Kerberos server to validate
ticket etc.).

Finally, the IdP generates a SAML response for the SP. This response contains the SAML assertion documenting the result of
the authentication process. The SAML assertion in addition to the basic Yes/No information also contains validity
information and information about attributes describing the authenticated entity. At least the user id of the authenticated entity
has to be included in the well-known attribute uid so that the SP can extract this information from the assertion to relate the
authenticated entity to users existing in the local database.
The SAML assertion is signed by the IdP according to the SSO key information published in the IdP metadata. This ensures
that the SP can verify the authenticity of the SAML assertion.
The IdP returns the SAML assertion to the browser in a hidden form in a 200 OK message. The hidden form instructs the
browser to POST the SAML assertion to the Assertion Consumer Service (ACS) of the SP.
The IdP also sets a session cookie, which is cached by the browser. If the browser needs to get additinal SAML assertions, it
will send the session cookie with the SAML requests. The IdP will then realize it already has a valid session with the browser
and will assert the authentication of the previously authenticated user without prompting for credentials again. This enables
SSO against multiple SPs. Session expiry times for these session cookies are configured on the IdP.

The browser follows the hidden POST received in the 200 OK and POSTs the SAML assertion to the Assertion Consumer
Service on the SP.

10. The SP extracts the SAML assertion from the POST and validates the signature of the assertion. This guarantees the
authenticity of the SAML assertion and the IdP. The user identifier received in the SAML assertion in attribute uid is then
used to decide whether the user is authorized to access the requested service. This is based on local access control
configuration on the SP.
11. The SP grants access to the requested resource and sends back the content in a 200 OK to the browser. The SP also sets a
session cookie in the browser so that for subsequent requests from the same browser to the same SP the SP does not need
to initiate an exchange with the IdP anymore. The IdP will only be involved for requests from the same browser after the SP
session cookie has expired.

Enterprise Groups
With Cisco Unified Communications Manager Release 11.0, Cisco Jabber users can search for groups in Microsoft Active
Directory and add them to their contact lists. If a group already in the contact list is updated, the contact list is automatically
updated. Cisco Unified Communications Manager synchronizes its database with Microsoft Active Directory groups at specified
intervals.
When a user adds a group to their contact list, IM and Presence Service provides the following information for each group member:

display name

Page 252 of 257

Cisco dCloud

user ID

title

phone number

mail ID

Only the group members that are assigned to IM and Presence Service nodes can be added to the contact list. Other group
members are discarded.

NOTE: Currently, the enterprise groups feature is supported only on Microsoft Active Directory server. It is not supported on other
corporate directories.

The enterprise groups feature is enabled system-wide with the Cisco Unified Communications Manager Directory Group
Operations on Cisco IM and Presence enterprise parameter. For more information about enterprise groups, see the Feature
Configuration Guide for Cisco Unified Communications Manager.

LDAP Integrations
You can configure a corporate LDAP directory in this integration to satisfy a number of different requirements:
User provisioning: You can provision users automatically from the LDAP directory into the Cisco Unified Communications
Manager database. Cisco Unified Communications Manager synchronizes with the LDAP directory content so you avoid having to
add, remove, or modify user information manually each time a change occurs in the LDAP directory.

User authentication: You can authenticate users using the LDAP directory credentials. The IM and Presence Service
synchronizes all the user information from Cisco Unified Communications Manager to provide authentication for users of the Cisco
Jabber client and IM and Presence Service user interface.

Cisco recommends integration of Cisco Unified Communications Manager and Directory server for user synchronization and
authentication purposes.

NOTE: When Cisco Unified Communications Manager is not integrated with LDAP, you must verify that the username is the same
in Active Directory and Cisco Unified Communications Manager before deploying IM and Presence Service.

Page 253 of 257

Cisco dCloud

Listing of IM and Presence Service Services

Feature Services
Cisco SIP Proxy
The Cisco SIP Proxy service is responsible for providing the SIP registrar and proxy functionality. This includes request routing,
requestor identification, and transport interconnection.
Cisco Presence Engine
The Cisco Presence Engine collects, aggregates, and distributes user capabilities and attributes using the standards-based SIP
and SIMPLE interface. It collects information about the availability status and communications capabilities of a user.
Cisco XCP Text Conference Manager
The Cisco XCP Text Conference Manager supports the Chat feature. The Chat feature allows users to communicate with each
other in online chat rooms. It supports chat functionality using ad hoc (temporary) and permanent chat rooms, which remain on a
Cisco-supported external database until they are deleted.
Cisco XCP Connection Manager
The Cisco XCP Text Conference Manager supports the Chat feature. The Chat feature allows users to communicate with each
other in online chat rooms. It supports chat functionality using ad hoc (temporary) and permanent chat rooms, which remain on a
Cisco-supported external database until they are deleted.
Cisco XCP Authentication Service
The Cisco XCP Authentication Service handles all authentication requests from XMPP clients that are connecting to IM and
Presence Service. This includes Jabber clients authenticating through Collaboration Edge.
Cisco XCP Web Connection Manager (NA)
The Cisco XCP Web Connection Manager service enables browser-based clients to connect to IM and Presence Service.
Cisco XCP SIP Federation Connection Manager (NA)
The Cisco XCP SIP Federation Connection Manager supports interdomain federation with Microsoft OCS over the SIP protocol.
You must also turn on this service when your deployment contains an intercluster connection between an IM and Presence Service
Release 9.0 cluster, and a Cisco Unified Presence Release 8.6 cluster.
Cisco XCP XMPP Federation Connection Manager (NA)
The Cisco XCP XMPP Federation Connection Manager supports interdomain federation with third party enterprises such as IBM
Lotus Sametime, Cisco Webex Meeting Center, and GoogleTalk over the XMPP protocol, as well as supports interdomain
federation with another IM and Presence Service enterprise over the XMPP protocol.
Cisco XCP Message Archiver
The Cisco XCP Message Archiver service supports the IM Compliance feature. The IM Compliance feature logs all messages sent
to and from the IM and Presence Service server, including point-to-point messages, and messages from ad hoc (temporary) and
permanent chat rooms for the Chat feature. Messages are logged to an external Cisco-supported database.
Cisco XCP Directory Service (NA) but may be needed for pidgin

Page 254 of 257

Cisco dCloud

The Cisco XCP Directory Service supports the integration of XMPP clients with the LDAP directory to allow users to search and
add contacts from the LDAP directory.

Network Services (automatically activated and started)

IM and Presence Service services apply only to IM and Presence Service.

Cisco Login Datastore

The Cisco Login Datastore is a real-time database for storing client sessions to the Cisco Client Profile Agent.

Cisco Route Datastore

The Cisco Route Datastore is a real-time database for storing a cache of route information and assigned users for the Cisco SIP
Proxy and the Cisco Client Profile Agent.

Cisco Config Agent

The Cisco Configuration Agent is a change-notification service that notifies the Cisco SIP Proxy of configuration changes in the IM
and Presence Service IDS database.

Cisco Sync Agent

The Cisco Sync Agent keeps IM and Presence data synchronized with Cisco Unified Communications Manager data. It sends
SOAP requests to the Cisco Unified Communications Manager for data of interest to IM and Presence and subscribes to change
notifications from Cisco Unified Communications Manager and updates the IM and Presence IDS database.

Cisco OAM Agent

The Cisco OAM Agent service monitors configuration parameters in the IM and Presence Service IDS database that are of interest
to the Presence Engine. When a change is made in the database, the OAM Agent writes a configuration file and sends an RPC
notification to the Presence Engine.

Cisco Client Profile Agent

The Cisco Client Profile Agent service provides a secure SOAP interface to or from external clients using HTTPS.

Cisco Intercluster Sync Agent

The Cisco Intercluster Sync Agent service provides the following: DND propagation to Cisco Unified Communications Manager and
syncs end user information between IM and Presence Service clusters for intercluster SIP routing.

Page 255 of 257

Cisco dCloud

Cisco XCP Router

The XCP Router is the core communication functionality on the IM and Presence Service server. It provides XMPP-based routing
functionality on the IM and Presence Service. It routes XMPP data to the other active XCP services on IM and Presence Service
and it accesses SDNS to allow the system to route XMPP data to IM and Presence Service users. The XCP router manages
XMPP sessions for users, and routes XMPP messages to and from these sessions.
After IM and Presence Service installation, the system turns on Cisco XCP Router by default.
NOTE: If you restart the Cisco XCP Router, the IM and Presence Service automatically restarts all active XCP services. Note that
you must choose the Restart option to restart the Cisco XCP Router; this is not the same as turning off and turning on the Cisco
XCP Router. If you turn off the Cisco XCP Router, rather than restart this service, IM and Presence Service stops all other XCP
services. Subsequently when you turn on the XCP router, IM and Presence Service does not automatically turn on the other XCP
services; you need to manually turn on the other XCP services.

Cisco XCP Config Manager

The Cisco XCP Config Manager service monitors the configuration and system topology changes made through the administration
GUI (as well as topology changes that are synchronized from an InterCluster Peer) that affect other XCP components (for
example, Router and Message Archiver), and updates these components as needed. The Cisco XCP Config Manager service
creates notifications for the administrator indicating when an XCP component requires a restart (due to these changes), and it
automatically clears the notifications after the restarts are complete.

Cisco Server Recovery Manager

The Cisco Server Recovery Manager (SRM) service manages the failover between nodes in a presence redundancy group. The
SRM manages all state changes in a node; state changes are either automatic or initiated by the administrator (manual). Once you
turn on high availability in a presence redundancy group, the SRM on each node establishes heartbeat connections with the peer
node and begins to monitor the critical processes.

Cisco IM and Presence Data Monitor

The Cisco IM and Presence Data Monitor monitors IDS replication state on the IM and Presence Service. Other IM and Presence
services are dependent on the Cisco IM and Presence Data Monitor. These dependent services use the Cisco service to delay
startup until such time as IDS replication is in a stable state.

The Cisco IM and Presence Data Monitor also checks the status of the Cisco Sync Agent sync from Cisco Unified Communications
Manager. Dependent services are only allowed to start after IDS replication has set up and the Sync Agent on the IM and
Presence database publisher node has completed its sync from Cisco Unified Communications Manager. After the timeout has
been reached, the Cisco IM and Presence Data Monitor on the Publisher node will allow dependent services to start even if IDS
replication and the Sync Agent have not completed.

Page 256 of 257

Cisco dCloud

On the subscriber nodes, the Cisco IM and Presence Data Monitor delays the startup of feature services until IDS replication is
successfully established. The Cisco IM and Presence Data Monitor only delays the startup of feature services on the problem
subscriber node in a cluster, it will not delay the startup of feature services on all subscriber nodes due to one problem node. For
example, if IDS replication is successfully established on node1 and node2, but not on node3, the Cisco IM and Presence Data
Monitor allows feature services to start on node1 and node2, but delays feature service startup on node3.

Cisco Presence Datastore

The Cisco Presence Datastore is a real-time database for storing transient presence data and subscriptions.

Cisco SIP Registration Datastore

The Cisco Presence SIP Registration Datastore is a real-time database for storing SIP Registration data.

Cisco RCC Device Selection

The Cisco RCC Device Selection service is the Cisco IM and Presence user device selection service for Remote Call Control.

Page 257 of 257

Recording As A Solution Over MRA (An Overview) : Technical Consulting Engineer Telepresence Solutions Group
No ratings yet
Recording As A Solution Over MRA (An Overview) : Technical Consulting Engineer Telepresence Solutions Group
16 pages
IPT T4 Trading Datasheet Linx Networks
No ratings yet
IPT T4 Trading Datasheet Linx Networks
4 pages
Cisco Unified Enterprise Attendant Console Web Admin and Installation Guide
No ratings yet
Cisco Unified Enterprise Attendant Console Web Admin and Installation Guide
164 pages
Deploying Enterprise SIP Trunks With CUBE, CUCM and MediaSense SBC PDF
No ratings yet
Deploying Enterprise SIP Trunks With CUBE, CUCM and MediaSense SBC PDF
96 pages
Configuring TCL IVR 2.0 Session Interaction
No ratings yet
Configuring TCL IVR 2.0 Session Interaction
16 pages
Jabber Deployment Installation Guide Jabber 11.0
No ratings yet
Jabber Deployment Installation Guide Jabber 11.0
266 pages
Ultimate Jabber Deploy Lab For UC10 5 LabGuideVersion 8 9 1
No ratings yet
Ultimate Jabber Deploy Lab For UC10 5 LabGuideVersion 8 9 1
193 pages
Collaboration Security For The Enterprise On-Premises Preferred Architecture 12.5 - Lab Guide
No ratings yet
Collaboration Security For The Enterprise On-Premises Preferred Architecture 12.5 - Lab Guide
185 pages
PVT 2012 Lab Cisco Jabber
No ratings yet
PVT 2012 Lab Cisco Jabber
88 pages
Building Telephony Systems with OpenSER
From Everand
Building Telephony Systems with OpenSER
Goncalves Flavio E.
No ratings yet
Deploying Certificates Cisco Meeting Server: Design your certificates for CMS services and integrate with Cisco UCM Expressway and TMS
From Everand
Deploying Certificates Cisco Meeting Server: Design your certificates for CMS services and integrate with Cisco UCM Expressway and TMS
Redouane MEDDANE
No ratings yet
Introduction To Voice Gateways: Understanding Cisco Unified Communications Networks and The Role of Gateways
No ratings yet
Introduction To Voice Gateways: Understanding Cisco Unified Communications Networks and The Role of Gateways
193 pages
Cube Book
No ratings yet
Cube Book
1,120 pages
Cisco Meeting Server Feature Update Lab v1: About This Demonstration
No ratings yet
Cisco Meeting Server Feature Update Lab v1: About This Demonstration
75 pages
QM Installation Guide Cisco 115 PDF
No ratings yet
QM Installation Guide Cisco 115 PDF
232 pages
LTRT-28647 SIP Message Manipulation Reference Guide Ver. 7.0
100% (1)
LTRT-28647 SIP Message Manipulation Reference Guide Ver. 7.0
96 pages
UCCX BK UAF969F8 00 Uccx-serviceability-Admin-guide
No ratings yet
UCCX BK UAF969F8 00 Uccx-serviceability-Admin-guide
50 pages
Cisco VCS Administrator Guide X8 7
No ratings yet
Cisco VCS Administrator Guide X8 7
519 pages
Why Upgrade 12-13-16
No ratings yet
Why Upgrade 12-13-16
23 pages
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols PDF
No ratings yet
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols PDF
42 pages
Cisco Anyconnect VPN Client Administrator Guide: Americas Headquarters
No ratings yet
Cisco Anyconnect VPN Client Administrator Guide: Americas Headquarters
116 pages
Cisco ConfiguratioGuide SW4500 IOS
No ratings yet
Cisco ConfiguratioGuide SW4500 IOS
608 pages
CRS50 GettingStartedWithIPIVR
No ratings yet
CRS50 GettingStartedWithIPIVR
98 pages
Detailed SIP Call Flow With CVP Comprehensive Model
100% (1)
Detailed SIP Call Flow With CVP Comprehensive Model
6 pages
Unified Border Element (CUBE) With Cisco Unified Communications Manager (CUCM) Configuration Example
No ratings yet
Unified Border Element (CUBE) With Cisco Unified Communications Manager (CUCM) Configuration Example
12 pages
VVB 11.6 Messge Flow With Comprehensive Call Flow PDF
No ratings yet
VVB 11.6 Messge Flow With Comprehensive Call Flow PDF
22 pages
CCX Enablement Modules Lab Guide
No ratings yet
CCX Enablement Modules Lab Guide
182 pages
Cisco CCNA-Voice Check List - Training Notes Updated October 2009
100% (1)
Cisco CCNA-Voice Check List - Training Notes Updated October 2009
17 pages
Ucce Lab Design d3
No ratings yet
Ucce Lab Design d3
20 pages
Cucm B Administration Guide 1251SU1
No ratings yet
Cucm B Administration Guide 1251SU1
494 pages
Metode Reset Jabber
No ratings yet
Metode Reset Jabber
4 pages
BRKUCC-2668 Best Practises in Upgrading Your Unified Communications Environment To Version 10 PDF
No ratings yet
BRKUCC-2668 Best Practises in Upgrading Your Unified Communications Environment To Version 10 PDF
158 pages
Cisco Unified ICM ACD Supplement For VRU PG
No ratings yet
Cisco Unified ICM ACD Supplement For VRU PG
33 pages
Oracle ESBC - NTT - CUCM10.5
No ratings yet
Oracle ESBC - NTT - CUCM10.5
70 pages
Polycom UC Cisco Deployment W5
No ratings yet
Polycom UC Cisco Deployment W5
117 pages
Cucm B System Configuration Guide 1251
No ratings yet
Cucm B System Configuration Guide 1251
760 pages
Cisco Unified Callmanager Bulk Administration Guide 5.0 (2) : Corporate Headquarters
No ratings yet
Cisco Unified Callmanager Bulk Administration Guide 5.0 (2) : Corporate Headquarters
424 pages
Cisco Unified Contact Center Express: Aleksandar Vulović System Engineer
No ratings yet
Cisco Unified Contact Center Express: Aleksandar Vulović System Engineer
45 pages
AudioCodes Mediant Enterprise Session Border Controller (SBC) Family Brochure PDF
No ratings yet
AudioCodes Mediant Enterprise Session Border Controller (SBC) Family Brochure PDF
2 pages
Study Guide: Cisco Video Network Devices Exam
No ratings yet
Study Guide: Cisco Video Network Devices Exam
106 pages
Cisco Jabber Auto Discovery Service - SRV Records
No ratings yet
Cisco Jabber Auto Discovery Service - SRV Records
10 pages
British Telecom All Ip Sip Trunking
No ratings yet
British Telecom All Ip Sip Trunking
72 pages
550-08741 01.03 SBC 8.2 MS Teams Solution Guide
No ratings yet
550-08741 01.03 SBC 8.2 MS Teams Solution Guide
154 pages
CCIE Net Workers Voice 3 0
No ratings yet
CCIE Net Workers Voice 3 0
182 pages
Dx70 Dx80 Administrator Guide Ce90
No ratings yet
Dx70 Dx80 Administrator Guide Ce90
135 pages
UCCE SRND 8-5 Dated 08-03-2011
No ratings yet
UCCE SRND 8-5 Dated 08-03-2011
367 pages
EdgeSwitch AdminGuide
No ratings yet
EdgeSwitch AdminGuide
274 pages
ICM Script PDF
No ratings yet
ICM Script PDF
30 pages
Ucce B 1201 Staging-Guide PDF
No ratings yet
Ucce B 1201 Staging-Guide PDF
106 pages
CISCO ICM Deployment Models
No ratings yet
CISCO ICM Deployment Models
20 pages
Expert Reference Series of White Papers CUCM v7 Dial Plan Enhancements and Their Effect On The Dial Plan - Global Knowledge
No ratings yet
Expert Reference Series of White Papers CUCM v7 Dial Plan Enhancements and Their Effect On The Dial Plan - Global Knowledge
12 pages
SBC Edge一日教育訓練 Ribbon 2020
No ratings yet
SBC Edge一日教育訓練 Ribbon 2020
89 pages
ICM 7.0 Scripting Guide
No ratings yet
ICM 7.0 Scripting Guide
269 pages
Ucce B Database Schema Handbook For Cisco
No ratings yet
Ucce B Database Schema Handbook For Cisco
658 pages
ICM Configuration: IP Contact Center Enterprise (IPCCE) v1.0
No ratings yet
ICM Configuration: IP Contact Center Enterprise (IPCCE) v1.0
39 pages
Multi-Line Voice Terminal - 4610 Quick Reference Guide: Call Processing
No ratings yet
Multi-Line Voice Terminal - 4610 Quick Reference Guide: Call Processing
3 pages
Mastering The XMPP Framework: Develop XMPP Chat Applications for iOS
From Everand
Mastering The XMPP Framework: Develop XMPP Chat Applications for iOS
Peter van de Put
4.5/5 (2)
Windows Server 2008 For Dummies
From Everand
Windows Server 2008 For Dummies
Ed Tittel
No ratings yet
Cisco Unified Communications Manager 8: Expert Administration Cookbook
From Everand
Cisco Unified Communications Manager 8: Expert Administration Cookbook
Ezell
No ratings yet
Installing SQL Server 2012 Step by Step
From Everand
Installing SQL Server 2012 Step by Step
Stephen Thomas
No ratings yet
Learning SaltStack - Second Edition
From Everand
Learning SaltStack - Second Edition
Colton Myers
No ratings yet
Smart-UPS On-Line - SRT3000RMXLI
No ratings yet
Smart-UPS On-Line - SRT3000RMXLI
4 pages
SIP To PSTN Cause Codes
No ratings yet
SIP To PSTN Cause Codes
24 pages
(7!1!2015) .What Do You Know About E-Banking in Vietnam BO1732 Homework
No ratings yet
(7!1!2015) .What Do You Know About E-Banking in Vietnam BO1732 Homework
10 pages
Atestat Engleza
No ratings yet
Atestat Engleza
16 pages
Educational Research and Statistics
No ratings yet
Educational Research and Statistics
21 pages
Project Management
75% (4)
Project Management
20 pages
Convex and Conic Optimization: Spring 2017
No ratings yet
Convex and Conic Optimization: Spring 2017
3 pages
College Management System Presentation
No ratings yet
College Management System Presentation
36 pages
FTB-500 Platform: Boundless Capabilities, Testing Unlimited
No ratings yet
FTB-500 Platform: Boundless Capabilities, Testing Unlimited
9 pages
poweredge-rack-quick-reference-guide (12-3-2025) (002)
No ratings yet
poweredge-rack-quick-reference-guide (12-3-2025) (002)
6 pages
CS1354
No ratings yet
CS1354
6 pages
Cryptography Using Matrices in Real Life
100% (2)
Cryptography Using Matrices in Real Life
15 pages
Seekho_Assgn1_Raman_Jorewal
No ratings yet
Seekho_Assgn1_Raman_Jorewal
9 pages
Monte Carlo Optimization
No ratings yet
Monte Carlo Optimization
13 pages
Core 6 Succinctly
No ratings yet
Core 6 Succinctly
102 pages
Adaptive Braking System Using Labview
No ratings yet
Adaptive Braking System Using Labview
10 pages
Leonarddorschnerresume 010622
No ratings yet
Leonarddorschnerresume 010622
1 page
LA Irish Standard
No ratings yet
LA Irish Standard
18 pages
VoIP Cookbook
100% (3)
VoIP Cookbook
327 pages
PN 1900036-D Elite IFU English (En)
No ratings yet
PN 1900036-D Elite IFU English (En)
22 pages
13
No ratings yet
13
18 pages
C.S. Xi
No ratings yet
C.S. Xi
4 pages
Safeencironmnetlettertovolunteers3 3
No ratings yet
Safeencironmnetlettertovolunteers3 3
1 page
Kamei - Art Direction Street Fighter
No ratings yet
Kamei - Art Direction Street Fighter
117 pages
Well Planning Release Notes
No ratings yet
Well Planning Release Notes
21 pages
GRADES 1 To 12 Daily Lesson Log Monday Tuesday Wednesday Thursday Friday
No ratings yet
GRADES 1 To 12 Daily Lesson Log Monday Tuesday Wednesday Thursday Friday
8 pages
Apelem Kristal X-Ray Table - User Manual PDF
No ratings yet
Apelem Kristal X-Ray Table - User Manual PDF
42 pages
Plan 8 CS Generator PDF
100% (1)
Plan 8 CS Generator PDF
3 pages
CV For Industry Marketing
No ratings yet
CV For Industry Marketing
2 pages
Content Server Enterprise Edition 6.6 Release Notes
No ratings yet
Content Server Enterprise Edition 6.6 Release Notes
107 pages
Company Code Payroll Creation
No ratings yet
Company Code Payroll Creation
2 pages
Integrating With ERP Cloud Using ICS
No ratings yet
Integrating With ERP Cloud Using ICS
20 pages
Marketing 20 Plan
No ratings yet
Marketing 20 Plan
5 pages

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.