Cisco dCloud
© 2015 Cisco and/or its affiliates. All rights reserved. This document is intended for Cisco Partner Training. Page 1 of 257
Cisco Collaboration Specialist Training for Jabber 11.x v1
Last Updated: 29-SEP-2015
About This Solution
Cisco Jabber provides enterprise-quality collaboration capability directly on your desktop or mobile device through an integrated software client. You can chat with other users using the IM and Presence features of Cisco Jabber. Video calling and WebEx conferencing are also available from Cisco Jabber with the click of a button. Visual voicemail helps you to access your messages more efficiently and keep them better organized. Cisco Jabber is part of the Cisco Unified Communications architecture, a cost-effective, reliable, and easy to manage software collaboration solution.
For additional information about Cisco Jabber Voice and Unified Communications, visit the product solution page.
This lab is intended to give the participant hands-on configuration experience with all of the architecture components required to deploy Cisco Jabber for Collaboration System Release 11. The content in this lab is focused on recently added features and functional additions to the Cisco Jabber Client product. The exercises in this lab will take the student through the process of initial provisioning and configuration of the core solution components and then extend to configuration of advanced feature deployment.
NOTE: Participants should have a high degree of familiarity with the software, tools and methods used to deploy, configure and maintain Cisco Collaboration technologies.
About This Lab
This Cisco Collaboration Specialist Training for Jabber 11 lab includes the following topics:
• End to End Quick Start Jabber Deployment: Students will configure the integration and deployment from the ground up including the configuration and/or installation of the following components:
o Unified Communications Manager
o Unified IM and Presence Service
o Microsoft Active Directory LDAP
o Domain Name Service (DNS)
o Cisco Jabber for Windows Client.
• Specialized Cisco Jabber Feature and Deployment Options
o Persistent Chat
o Managed File Transfer
o SAML Single Sign-On
About This Solution
About This Lab
Lab Workflow
Lab Requirements
Lab Configuration
Lab Topology
Applications and Versions
Lab Pre-Configuration
Connecting to Your Pod
Lab Orientation
Connecting to Required Resources
Activity 1: Preparation for IM & Presence Deployment
Activity Objectives
Investigate Active Directory Users and Distribution Groups
DNS Service Discovery Configuration
Activity 2: Unified IM and Presence Deployment
Activity Objectives
Service Activation and Status Verification
Unified CM SIP Trunk Configuration
Configure UC Services and Service Profile
Prepare Directory Synchronization and Automatic User Provisioning
IM and Presence Service Configuration
Enabled Flexible Jabber ID (JID) and Multi-Domain Support
User and Group Import
Provision Devices and Client Configuration
Activity 3: SSL Certificate Management: Cisco Unified CM and Cisco Unified IM and Presence
Activity Objectives
Configure Unified CM and IM and Presence with FQDNs
Establish Root CA Trust
Request and Install a CA Signed Tomcat Certificate
Request and Install a CA Signed XMPP-Trust Certificate
Service Maintenance to Finalize Certificate Installation
Activity Objectives
Cisco Jabber User Interface (UI) Updates
Install Jabber on WKST1 and Login
Install Jabber on WKST2 and Login
Test Chat, Calling, and Chat History
Deployment Activity Conclusion
Module 1: Persistent Chat and Managed File Transfer
Module Overview
Module Objectives
PostgreSQL Database Setup
Set Up External Database Entries on the IM and Presence Service
Set Up an External File Server for MFT
Configure Persistent Group Chat
Modify Jabber Client Configuration
Test Persistent Chat
Configure Managed File Transfer
Module 2: Mobile and Remote Access (MRA) with Cisco Expressway
Module Overview
Module Objectives
Module Notes
DNS Service Discovery Configuration
Expressway-C Initial Configuration
Expressway-E Initial Configuration
Configure Expressway-E for Unified Communications
Certificate Management for Expressway
Configure Expressway-C for Unified Communications
Create a Secure Traversal between Expressway-E and Expressway-C
Validate Unified Communications Status on Expressway
Contact Photo Resolution with MRA
Testing Mobile and Remote Access Operation
Module 3(a): SAML Single Sign-On (SSO) Inside the Network
SAML Overview
Module Notes
Prepare to Enable SAML SSO for Unified CM and IM and Presence
SAML SSO Configuration for Microsoft ADFS2.0
Enable SSO for Unified CM and IM and Presence
Testing SSO Username/Password Authentication
Enable Kerberos Authentication for SSO
Module 3(b): Extending (SSO) to the Collaboration Edge
Module Overview
Pre-Requisites
Module Objectives
Prepare to Enable SAML SSO for Expressway
SAML SSO Configuration for Microsoft AD FS 2.0
Enable SSO for Cisco Expressway
Verify operation on Unified CM SSO functionality
Appendix A: PostgreSQL Installation on CentOS
Installation of PostgreSQL Server 9.4.1
Initialize PostgreSQL and Start Services
Configure Authentication and Access
Appendix B: AD FS 2.0 Install and Configuration
How to install Microsoft AD FS2.0
Appendix C: Adding Client-Server Template to Microsoft Certificate Services
Appendix D: Table of Documents
Appendix E: Errata
Steps of a SAML based authentication flow
Enterprise Groups
LDAP Integrations
Lab Workflow
End-to-End Quick Start Deployment
The lab begins with a series of exercises, which guide the participant through the required activities and workflow to establish and test a Cisco Jabber on-premise deployment. Test activities include configuration and verification of basic functionality while emphasizing some recent feature additions and deployment methodologies.
These activities are mandatory, as the result will form the baseline system required to progress to the advanced feature modules.
Specialized Features and Deployment Modules
The remainder of this lab is divided into Modules, each devoted to a particular advanced deployment topic. Participants are encouraged to complete all of the modules in sequential order. However, the time limit for this lab is 4 Hours. Students wishing to devote particular time or emphasis to one or more of the feature modules may wish to be selective in the interest of completing desired modules within the time allotted.
NOTE: Modules are optional and may be completed independently except where listed as a dependency for another target Module. The only module with pre-requisite dependencies is Module 3(b), which requires Modules 2 and 3a to be completed in order to test solution functionality.
• Module 1: Persistent Chat (PCHAT) and Managed File Transfer (MFT)
o Optional with no dependencies
• Module 2: Mobile and Remote Access (MRA) with Cisco Expressway
o Optional with no dependencies
• Module 3a: SAML Single Sign-On (SSO) Inside the Network
o Optional with no dependencies
• Module 3b: Extending SSO to the Collaboration Edge
Lab Requirements
The table below outlines the requirements for this preconfigured lab activity.
Table 1. Lab Requirements
| Required | Optional |
|---|---|
| Laptop with Cisco AnyConnect | None |
Lab Configuration
This lab contains preconfigured users and components to illustrate the scripted scenarios and features of this solution. All information needed to access the demonstration components is in the Topology and Servers menus of your active session.
• Topology Menu. Click on any server in the topology and a popup window will appear with available server options.
• Servers Menu. Click on or next to any server name to display the available server options and credentials.
Table 2. Demonstration User Information
| User Name | User ID | Password | Endpoint Devices | Phone | Email/Directory URI |
|---|---|---|---|---|---|
| Charles Holland | cholland | C1sco12345 | Cisco Jabber for Windows | +1408 555 6018 | [email protected] |
| Anita Perez | aperez | C1sco12345 | Cisco Jabber for Windows | +1212 555 6017 | [email protected] |
Lab Topology
This demonstration includes several server virtual machines. Most of the servers are fully configurable using the administrative level account. Administrative account details are included in the script steps where relevant and in the server details table.
Table 3. Equipment details
| Name | Description | Host Name (FQDN) | IP Address | Username | Password |
|---|---|---|---|---|---|
| UCM1 | Communications Manager 11.0 (Call Control) | cucm1.dcloud.cisco.com | 198.18.133.3 | administrator | dCloud123! |
| IMP1 | IM & Presence 11.0 (Presence and Chat) | cup1.dcloud.cisco.com | 198.18.133.4 | administrator | dCloud123! |
| CUC1 | Unity Connection 11.0 (Voicemail) | cuc1.dcloud.cisco.com | 198.18.133.5 | administrator | dCloud123! |
| Exp-C | Expressway-C (Core) X8.5 | exp-c-1.dcloud.cisco.com | 198.18.133.152 | admin | dCloud123! |
| Exp-E | Expressway-E (Edge) X8.5 | exp-e-1.dcloud.cisco.com | 198.18.1.152 | admin | dCloud123! |
| AD1 | Active Directory, DNS, ADFS2.0 | ad1.dcloud.cisco.com | 198.18.133.1 | administrator | C1sco12345 |
| Centos | SSHFS and Postgresql Database Server | centos.dcloud.cisco.com | 198.18.134.29 | root | dCloud123! |
| AD2 | External DNS server | ad2.dcloud.cisco.com | 198.18.2.11 | administrator | C1sco12345 |
| Exchange | Exchange 2010 | mail1.dcloud.cisco.com | 198.18.133.2 | administrator | C1sco12345 |
| Workstation 1 | Windows 7 | wkst1.dcloud.cisco.com | 198.18.133.36 | cholland | C1sco12345 |
| Workstation 2 | Windows 7 | wkst2.dcloud.cisco.com | 198.18.133.37 | aperez | C1sco12345 |
| Workstation 2 External | Windows 7 | wkst2-ext.dcloud.cisco.com | 198.18.2.37 | aperez | C1sco12345 |
NOTE: Two passwords are used throughout this lab. Password1 (dCloud123!) is used across all Cisco Collaboration components and Linux hosts. Password2 (C1sco12345) is used for all Microsoft Active Directory accounts including administrative, service, and demonstration user accounts. This applies to both Platform and Administrative user accounts within Cisco Collaboration Applications.
Applications and Versions
The table below provides detail on the software components used in this lab.
| Software Description | Version Installed |
|---|---|
| Cisco Unified Communications Manager | 11.0.1.10000-10 |
| Cisco Unified IM and Presence Service | 11.0.1.10000-6 |
| Cisco Unity Connection | 11.0.1.10000-10 |
| Expressway-C (Core) | X8.5.3 |
| Expressway-E (Edge) | X8.5.3 |
| Microsoft Windows Server (AD, DNS, ADFS) | Microsoft Windows Server 2008 R2 with Hotfix 3 |
| Microsoft Exchange | Microsoft Exchange 2010 |
| External DNS server | Microsoft Windows Server 2008 R2 |
| Mail Server | Microsoft Windows Server 2008 R2 with Exchange 2010 |
| Demonstration Workstations | Microsoft Windows 7 |
Lab Pre-Configuration
In order to save time, certain elements of this lab have been pre-configured in advance to provide a baseline starting point. Please review this section before proceeding to the first configuration activity.
Jabber-Config.xml
The vast majority of service and client configuration for Cisco Jabber is provisioned using the service profiles (created earlier). However, to enable certain non-default behaviors on the Jabber client, a configuration file in XML format named Jabber-Config.xml must be used.
To save time and avoid the introduction of errors to the lab environment, a series of Jabber-Config.xml files have been staged on wkst1.dcloud.cisco.com, wkst2.dcloud.cisco.com, and ad1.dcloud.cisco.com. During the lab, when a new series of client configuration parameters is required, you will browse to and upload the required file.
File Locations: Desktop\CST-Jabber\Jabber-Config-Files
The following sub-folders contain the relevant jabber-config.xml files:
• Deployment (Preliminary Jabber Deployment)
• Module1 (Persistent Chat)
• Module2 (Mobile and Remote Access)
Dial Plan
Basic Class of Control elements have been pre-defined as follows:
Table 1. Partitions
| Partition | Description |
|---|---|
| CST-DN-PT | Collaboration Specialist Training DN Partition |
| CST-URI-PT | Collaboration Specialist Training URI Partition |
Table 2. Calling Search Spaces
| Calling Search Space | Partitions |
|---|---|
| CST-DN-PT | CST-DN-PT, CST-URI-PT, (All System Generated Partitions) |
PostgreSQL
PostgreSQL server 9.4 (with dependencies) was installed using the YUM package installer on centos.dcloud.cisco.com running CentOS7. The database and services have been initialized using default values and the following parameters have been configured:
• Username postgres and Password postgres
• Listening on TCP 5432
• Services configured to start automatically on OS boot.
• Operating system configuration to permit incoming connections on TCP 5432 has been performed for you.
Details of the steps taken to create the baseline environment can be found in Appendix A.
Single Sign On (SSO)
Microsoft™ AD FS 2.0 (3) has been installed on ad1.dcloud.cisco.com. The Basic AD FS 2.0 setup wizard has been run to enable ADFS features. These operations are documented in Appendix B.
Connecting to Your Pod
Follow the steps below to schedule your demonstration and configure your demonstration environment.
1. Browse to dcloud.cisco.com, choose the location closest to you, and then log in with your Cisco.com credentials.
2. Schedule a demonstration.
3. Test your bandwidth from the demonstration location before performing any demonstration scenario.
4. Verify your demonstration is Active under My Demonstrations on the My Dashboard page in the Cisco dCloud UI.
• It may take up to 30 minutes for your demonstration to become active.
5. If you are not connected to the lab from behind a router, on your laptop, use Cisco AnyConnect paired with the session credentials from the UI to connect to the lab.
6. From your laptop, access the demonstration workstation named wkst1 located at 198.18.133.36 and log in using the following credentials: Username: dcloud\cholland, Password: C1sco12345.
• Recommended method: Use Cisco AnyConnect and the local RDP client on your laptop.
• Alternate method: Use the Cisco dCloud Remote Desktop client with HTML5.
o Accept any certificates or warnings
Lab Orientation
NOTE: Read and Complete the Activities in this section before proceeding. Connections to lab hosts require an active connection to the assigned Lab Pod through either a supported VPN connected router or the Cisco AnyConnect VPN Client.
Connecting to Required Resources
Introduction
The student will be using a series of Remote Desktop Protocol (RDP) sessions to Microsoft Windows workstations and servers in order to complete the following:
• Access Administrative Interfaces for Configuration
• Interact with the Cisco Jabber Client
• Test features and functionality
In this activity, the student will configure and connect the RDP sessions required and referenced throughout the lab.
NOTE: Connections to lab hosts require an active connection to the assigned Lab Pod through either a router connected to dCloud or the Cisco AnyConnect VPN Client.
The table below identifies the hosts, use cases, and credentials required when connecting.
| Name | Use Case | Host Name (FQDN) | IP Address | Domain\Username | Password |
|---|---|---|---|---|---|
| Workstation 1 | Primary Configuration Workspace, Demonstration User Charles Holland | wkst1.dcloud.cisco.com | 198.18.133.36 | dcloud\cholland | C1sco12345 |
| Workstation 2 | Demonstration User Anita Perez | wkst2.dcloud.cisco.com | 198.18.133.37 | dcloud\aperez | C1sco12345 |
| Workstation 2 External | Testing MRA functionality | wkst2-ext.dcloud.cisco.com | 198.18.2.37 | dcloud\aperez | C1sco12345 |
| AD1 | Active Directory, Internal DNS, ADFS2.0 | ad1.dcloud.cisco.com | 198.18.133.1 | dcloud\administrator | C1sco12345 |
| AD2 | External DNS server, Photo Server | ad2.dcloud.cisco.com | 198.18.2.11 | dcloud\administrator | C1sco12345 |
Throughout this guide, steps will instruct the student to Open or Switch to the RDP session connected to one of the hosts referenced above. These statements always reference the FQDN of the host, accompanied at times by contextual information. All FQDNs should be resolvable directly from the student workstation (while connected to the Lab Pod via VPN, which is required); however, IP addresses may be used as well.
Host Reference and Use Cases
• wkst1.dcloud.cisco.com (Workstation 1):
o Lab User Assignment: Charles Holland
Windows Logon Account: cholland
Windows Logon Domain: dcloud
Windows Logon Password: C1sco12345
o Use Cases: Workstation 1 is the primary anchor point for configuration activities in addition to hosting the Jabber client for lab user Charles Holland.
• wkst2.dcloud.cisco.com (Workstation 2):
o Lab User Assignment: Anita Perez
Windows Logon Account: aperez
Windows Logon Domain: dcloud
Windows Logon Password: C1sco12345
o Use Cases: Workstation 2 is assigned to Lab User Anita Perez. Workstation 2 is used only for demonstration and testing of features. Workstation 2 will be moved to an external network during the Collaboration Edge module for testing Mobile and Remote Access.
• ad1.dcloud.cisco.com (AD1):
o Lab User Assignment: None
Windows Logon Account: administrator
Windows Logon Domain: dcloud
Windows Logon Password: C1sco12345
o Use Cases: AD1 hosts the majority of internal services. This server will be used for interactions with Microsoft Active Directory, Internal DNS, and Active Directory Federation Services.
• ad2.dcloud.cisco.com (AD2):
o Lab User Assignment: None
Windows Logon Account: administrator
Windows Logon Domain: dcloud
Windows Logon Password: C1sco12345
o Use Cases: AD2 is used to add DNS SRV records required to configure and demonstrate the Collaboration Edge Solution.
Create and Connect RDP Sessions
NOTE: These Steps will be repeated for each host specified, until an active connection has been created for each.
From the Student’s personal computer:
1. Click Start > All Programs > Accessories > Remote Desktop Connection.
2. Click Options.
3. Choose the Local Resources tab.
4. Click Settings, under Remote audio.
5. Choose Play on this computer and Do Not Record.
Figure 2. Audio Playback
6. Click OK.
7. Click the Experience tab.
8. Choose LAN (10Mbps or higher) from the connection speed menu.
Figure 3. LAN Connection Speed
9. Click the General tab and fill in the Computer and Username fields based on the table below, according to the host to which you are connecting:
Table 3. RDP Connection Settings
| Field | WKST1 | WKST2 | AD1 | AD2 |
|---|---|---|---|---|
| Computer: | wkst1.dcloud.cisco.com or 198.18.133.36 | wkst2.dcloud.cisco.com or 198.18.133.37 | ad1.dcloud.cisco.com or 198.18.133.1 | ad2.dcloud.cisco.com or 198.18.2.11 |
| Username: | dcloud\cholland | dcloud\aperez | dcloud\administrator | dcloud\administrator |
11. (Optional) Click Save and use the Save As file dialog to name and save the session definition to your computer.
Figure 4. Saving Session Settings
12. Click Connect.
13. When prompted, enter the Password: C1sco12345 and click Remember my credentials.
14. Click OK.
15. Acknowledge any warnings to proceed.
16. Repeat Steps 1-15 for each Host listed in the table above.
Activity Complete
Activity 1: Preparation for IM & Presence Deployment
NOTE: Please ensure that you have completed the Lab Orientation activity before proceeding.
Activity Objectives
In this activity, you will connect to server AD1, verify the configuration of Microsoft Active Directory as it relates to our Lab topology, and perform prerequisite DNS configuration to support service discovery.
Through this activity, you will:
• Explore the dCloud Organizational Unit containing all users pertinent to the topology
o Identify Email domains in use and discuss relation to format of the Jabber ID (JID) and multi-domain support
o Review and Add Distribution Groups to leverage the new Enterprise Groups feature.
• Provision service location (SRV) records in DNS to allow for service discovery.
Investigate Active Directory Users and Distribution Groups
As we will be using LDAP (provided by Microsoft Active Directory) as the primary contact source for our Jabber implementation, it is imperative that we review the current configuration of the AD server to become acquainted. Configuration steps are performed from within RDP sessions to both ad1.dcloud.cisco.com (198.18.133.1) and wkst1.dcloud.cisco.com (198.18.133.36). The guide will provide explicit instruction when switching between remote desktop sessions.
Explore Active Directory Configuration
1. Open the RDP session connected to ad1.dcloud.cisco.com (198.18.133.1).
2. From the Task Bar, click the Active Directory Users and Computers icon.
Figure 5. Task Bar Icons
3. Click the dCloud Organizational Unit (OU) from the Menu Tree on the left. This OU contains all of the users and distribution groups that will be addressed throughout the exercises in this lab guide.
4. Users have been pre-configured and assigned to this OU and will serve as the contact source and user base for lab exercises.
5. Review the list of users displayed. Observe that there are three distinct email address domains in use:
• dcloud.cisco.com (Default Organizational Domain)
• uk.dcloud.cisco.com
• alpha.com
Figure 7. Lab User List
6. Notice that demonstration user Charles Holland is assigned email address ([email protected]) while Anita Perez is assigned ([email protected]). This distinction serves to simulate an environment wherein multiple domain name spaces are present.
Two Distribution Groups, Engineering and Marketing were created in advance. We will be using Distribution Groups in tandem with the new Enterprise Groups Feature in Jabber 11. This allows automatic synchronization of administrator-defined distribution groups through an LDAP agreement in Cisco Unified Communications Manager.
7. Double-click the Engineering distribution group to open the properties dialog. Notice that the group type is set to Distribution. Only Distribution Groups are eligible for synchronization with Unified Communications Manager.
Figure 8. Engineering Group
Figure 9. Members
9. Click Cancel to close the group properties editor.
10. The Marketing distribution group has been similarly configured with membership populated with users assigned to the Marketing department. Optional: You may open and validate the configuration at this time. Otherwise, proceed to the next step.
Create a New Distribution Group and Assign Users
In this activity, we will create a new Active Directory distribution group to which we will assign members of the Sales team. This Distribution Group and the others already present will be used later to demonstrate the new Enterprise Groups feature. We will use two different techniques to add members and to gain additional familiarity with the process.
1. Right click the dCloud OU and choose New > Group.
Figure 10. Group Option
2. In the Group name field, enter Sales.
3. Set the Group type to Distribution.
Figure 11. Group Object
5. Double-click the newly added Sales Distribution Group to open the Properties editor.
6. Click the Members tab.
7. Click Add.
Figure 12. Members Tab
Figure 13. Enter Object Names
9. Click Check Names to search the Active Directory for a matching user with a display name beginning with Adam.
10. Notice that the Check Names search utility returned a user object for Adam McKenzie ([email protected]).
Figure 14. Check Name Results
11. Click OK to add this user to the Sales Distribution Group.
12. Click OK to close the Properties Editor.
13. The previous method is adequate when assigning group membership individually. Next you will add multiple users simultaneously.
14. Note that the list of users in the dCloud OU is currently sorted using the Department Column. All of the members of the Sales department are listed together at the bottom of the list.
15. Click on user Alex Jones to select that user.
16. Press and hold the Shift key and click on user Taylor Bard. Notice that we have excluded Adam McKenzie from the selection as this user was added in the previous steps.
Figure 15. User Selection
17. Right-click within the highlighted area and choose Add to a group from the menu.
18. In the Enter the object names to choose field enter the name Sales.
Figure 16. Choose Groups
19. Click OK.
20. A message appears indicating that the Add to Group operation was successful. Click OK to continue.
Figure 17. Operation Successful
21. Double-click the Sales Distribution Group.
22. Click the Members tab. Observe that all users in the Sales Department are members of the Sales Distribution Group.
Figure 18. Sales Department Members
23. Click OK.
24. Close the Active Directory Users and Computers console.
DNS Service Discovery Configuration
Cisco Jabber depends heavily on DNS to identify its operating location, detect services, and connect to required services.
Service discovery is the process by which Cisco Jabber does the following:
• Determines whether it is operating internal to or external to the corporate network, to influence client behavior
• Locates services within the corporate network or through Expressway when operating externally.
Cisco Jabber clients query domain name servers (DNS) to retrieve service (SRV) records that provide the location of hosted services on the network.
In this activity, you will provision the DNS service location records required to enable auto-discovery for Cisco Jabber while running inside the internal enterprise network.
The Cisco Jabber client will query DNS for SRV records based on user domain in parallel. The highest priority record returned will be used for services.
| Priority | Service | HTTP Request/DNS SRV |
|---|---|---|
| 1 | WebEx Messenger | HTTP CAS Lookup |
| 2 | UC Manager 9.x or later | _cisco-uds._tcp.example.com |
| 3 | Cisco Presence 8.x | _cuplogin._tcp.example.com |
| 4 | Collaboration Edge | _collab-edge._tls.example.com |
DNS Service Records (SRV) Inside the Enterprise Network
1. Ensure that the RDP session to ad1.dcloud.cisco.com has focus.
2. From the Task Bar, click the DNS Manager icon.
Figure 19. Task Bar Icons
3. Click the + next to Forward Lookup Zones.
4. Click dcloud.cisco.com to highlight the zone.
Figure 20. Cisco dCloud Zone
5. Right click on the dcloud.cisco.com zone.
6. Choose Other New Records from the menu.
7. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.
Figure 21. Create Record
9. Fill out the New Resource Record form as follows:
• Domain: dcloud.cisco.com (already populated)
• Service: _cisco-uds
• Protocol: _tcp
• Priority: 0 (default)
• Weight: 0 (default)
• Port Number: 8443
Figure 22. New Resource Record
10. Click OK.
11. Click Done to close the Resource Record Type dialog.
NOTE: Since our environment contains multiple domains and we will be demonstrating the new Flexible JID and multi-domain features we will create Service Location data for all DNS domains containing presence users. In a production environment, it is likely that each domain would have dedicated infrastructure, such as AD, DNS, and Email. For the purpose of our lab, we are using a collapsed topology, where only one service domain will be queried.
12. Click alpha.com to highlight the zone.
13. Right click on the alpha.com zone.
14. Choose Other New Records from the menu.
15. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.
16. Click Create Record.
17. Fill out the New Resource Record form as follows:
• Domain: alpha.com (already populated)
• Service: _cisco-uds
• Protocol: _tcp
• Priority: 0 (default)
• Weight: 0 (default)
• Port Number: 8443
• Host offering this service: ucm1.dcloud.cisco.com
Figure 23. New Resource Record
18. Click OK.
19. Click Done to close the Resource Record Type dialog.
20. Click uk.dcloud.cisco.com to highlight the zone.
21. Right click on the uk.dcloud.cisco.com zone.
22. Choose Other New Records from the menu.
23. Scroll down and choose Service Location (SRV) from the Resource Record Type dialog.
24. Click Create Record.
25. Fill out the New Resource Record form as follows:
• Domain: uk.dcloud.cisco.com (already populated)
• Service: _cisco-uds
• Protocol: _tcp
• Priority: 0 (default)
• Weight: 0 (default)
• Port Number: 8443
Figure 24. New Resource Record
26. Click OK.
27. Click Done to close the Resource Record Type dialog.
28. Close the DNS Manager.
Verify DNS SRV Records
1. Connect and/or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36) to perform DNS verification.
2. Click the Command Prompt icon on the task bar.
3. Type nslookup and press Enter.
4. Type set type=srv (use lowercase) and press Enter.
5. Type _cisco-uds._tcp.dcloud.cisco.com and press Enter.
Figure 25. SRV Record
7. A successful result returns both the FQDN of the host(s) offering the service and the resolved IP address(es) associated with the host(s). You should see text similar to the graphic above (Red Text).
NOTE: If you see error text indicating a failure to look up this or subsequent _cisco-uds SRV records (for example, Non-existent domain), follow the instructions below.
• Confirm that the command entered is exactly as specified in the guide and retry.
• Confirm that the settings of the SRV record match the previous configuration steps.
Figure 26. SRV Resolution
If you are unable to resolve the issue, please notify a proctor. Do not continue until a successful validation result is returned.
8. Type _cisco-uds._tcp.alpha.com and press Enter.
9. SRV record data similar to the output shown below should be returned by DNS server ad1.dcloud.cisco.com.
Figure 27. SRV Record Data
10. Type _cisco-uds._tcp.uk.dcloud.cisco.com and press Enter.
Figure 28. SRV Record Data
12. Close the Command Prompt window.
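The nslookup checks above can also be run against captured output. The following is an added example, not part of the original lab guide: it parses Windows nslookup SRV output and compares each record with the values entered in the New Resource Record form. The sample output and its IP addresses are constructed, and using the same target host for all three domains is an assumption.

```python
import re

# Values from the New Resource Record form in this lab. Using the same target
# host for every domain is an assumption based on the collapsed topology.
EXPECTED = {"priority": 0, "weight": 0, "port": 8443,
            "svr hostname": "ucm1.dcloud.cisco.com"}

HEADER = re.compile(r"^(\S+)\s+SRV service location:", re.I)
FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)", re.I)
ADDRESS = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)", re.I)


def sample_output(domain, port=8443):
    """Constructed nslookup text for one SRV answer; both IP addresses are placeholders."""
    return (
        "Server:  ad1.dcloud.cisco.com\n"
        "Address:  192.0.2.53\n\n"
        f"_cisco-uds._tcp.{domain}\tSRV service location:\n"
        "          priority       = 0\n"
        "          weight         = 0\n"
        f"          port           = {port}\n"
        "          svr hostname   = ucm1.dcloud.cisco.com\n"
        "ucm1.dcloud.cisco.com\tinternet address = 192.0.2.10\n"
    )


def sample_failure(domain):
    """Constructed nslookup text for a failed lookup."""
    return (
        "Server:  ad1.dcloud.cisco.com\nAddress:  192.0.2.53\n\n"
        f"*** ad1.dcloud.cisco.com can't find _cisco-uds._tcp.{domain}: "
        "Non-existent domain\n"
    )


def parse_nslookup_srv(output):
    """Return (SRV records, {hostname: [addresses]}) found in nslookup text."""
    records, addresses, current = [], {}, None
    for line in output.splitlines():
        if m := HEADER.match(line):
            current = {"name": m.group(1).lower().rstrip(".")}
            records.append(current)
        elif (m := FIELD.match(line)) and current is not None:
            key, value = m.group(1).lower(), m.group(2)
            if key == "svr hostname":
                current[key] = value.lower().rstrip(".")
            else:
                current[key] = int(value)
        elif m := ADDRESS.match(line):
            host = m.group(1).lower().rstrip(".")
            addresses.setdefault(host, []).append(m.group(2))
            current = None  # address lines end the SRV field block
    return records, addresses


def check_srv(output, domain):
    """Return a list of problems for _cisco-uds._tcp.<domain>; empty means OK."""
    name = f"_cisco-uds._tcp.{domain}".lower()
    if "non-existent domain" in output.lower():
        return [f"{name}: Non-existent domain (recheck the query and the SRV record)"]
    records, addresses = parse_nslookup_srv(output)
    matching = [r for r in records if r["name"] == name]
    if not matching:
        return [f"{name}: no SRV record in the output"]
    problems = []
    for rec in matching:
        for key, want in EXPECTED.items():
            if rec.get(key) != want:
                problems.append(f"{name}: {key} is {rec.get(key)!r}, expected {want!r}")
        host = rec.get("svr hostname")
        if host and host not in addresses:
            problems.append(f"{name}: {host} did not resolve to an address")
    return problems


if __name__ == "__main__":
    for d in ("dcloud.cisco.com", "alpha.com", "uk.dcloud.cisco.com"):
        print(d, check_srv(sample_output(d), d) or "OK")
```

To check a real lookup, pass the text captured from the nslookup session to check_srv in place of the constructed sample.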
Activity 2: Unified IM and Presence Deployment
With preparation for deployment complete, Activity 2 systematically addresses the requirements and methods needed to implement the Unified IM and Presence solution with provisioned End Users, Services, and Devices.
Activity Objectives
The following are the objectives for this activity:
• Identify and confirm the status of services required for the operation of Cisco Unified Communications Manager and IM and Presence Service as they relate to features implemented in the lab
• Identify and perform the activities required to integrate Cisco Unified CM and IM and Presence
• Define UC Services and a Service Profile in order to assign presence capabilities to Cisco Jabber users
• Implement LDAP Directory Synchronization and Authentication with Microsoft Active Directory to import Users and Groups
• Use template based automation tools to quickly and accurately provision End Users, Directory Numbers, and Devices through the LDAP user import process
• Configure Cisco Unified CM and Unified IM and Presence for the Flexible JID Address Scheme with Multi-Domain support
• Interact with the Cisco Jabber client configuration file (jabber-config.xml) to enable non-default behaviors in Cisco Jabber
Service Activation and Status Verification
During this activity, we will validate that all Unified Communications Manager services required to provision and integrate the Instant Message and Presence service cluster have been activated and are in an expected state. The service activation process has already been performed as part of the pre-configuration of this lab. This activity is for verification and to provide further familiarity with the lab topology and current configuration state.
Unified Communications Manager
1. Connect and/or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36).
2. Launch Internet Explorer by double clicking on the desktop shortcut or clicking the Internet Explorer icon in the task bar.
3. From the Cisco dCloud Homepage hover over Collaboration Admin Links and choose Cisco Unified Communications Manager to connect to ucm1.dcloud.cisco.com. Optionally you may manually type https://ucm1.dcloud.cisco.com in the address bar.
Figure 29. Cisco UCM Link
4. When prompted with a Certificate Error click Continue to this website.
NOTE: As part of this lab, we will be performing Certificate Management in Unified Communications Manager and IM&P in an upcoming exercise. Until a Certificate signed by a trusted Certification Authority is installed, we will continue to receive these errors. Please acknowledge and proceed using the Continue to this website option.
5. From the Installed Applications list, click Cisco Unified Communications Manager.
Figure 30. Cisco UCM Link
6. From the Navigation menu in the upper-right corner of the Administration Webpage, choose Cisco Unified Serviceability.
7. Click Go.
8. In the Username field type administrator.
9. In the Password field type dCloud123!.
10. Click Login.
11. From the Menu choose Tools > Control Center – Feature Services.
Figure 32. Contact Center Services
12. From the Choose Server drop down list, choose ucm1.dcloud.cisco.com.
Figure 33. Select Server Menu
13. Click Go.
14. Review the Control Center page to confirm that the services listed below are Activated and in a Running state:
o Cisco DirSync
o Cisco CallManager
o Cisco CTIManager
o Cisco Tftp
Figure 34. Directory Services
This concludes serviceability verification for Unified Communications Manager (ucm1.dcloud.cisco.com).
Unified IM and Presence Service
1. From the Choose Server drop down list, choose imp1.dcloud.cisco.com.
2. Click Go.
3. Review the Control Center page to confirm that the services listed below are Activated and in a Running state:
o Cisco AXL Web Service
o Cisco SIP Proxy
o Cisco Presence Engine
o Cisco XCP Text Conference Manager
o Cisco XCP Connection Manager
Figure 35. Database and Admin Services
This concludes serviceability verification for Unified IM and Presence imp1.dcloud.cisco.com.
Unified CM SIP Trunk Configuration
In this task, we will create a SIP Trunk between Unified CM and the IM and Presence node. This will be used for presence updates between the two systems (off hook/on hook updates), allowing Cisco Jabber to display information for users such as On a Call.
SIP Trunk Security Profile for IM and Presence Service
1. Connect and/or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.133.36) if not already in focus.
2. From the currently open Internet Explorer window connected to ucm1.dcloud.cisco.com, use the Navigation menu to choose Cisco Unified CM Administration.
3. If the previous logon session has expired you may need to login. (Username: administrator, Password: dCloud123!) Otherwise, proceed to the next step.
4. From the menu navigate to System > Security > SIP Trunk Security Profile.
Figure 36. Security Menu
5. Click Find to display the list of configured SIP Trunk Security Profiles.
6. Click Non Secure SIP Trunk Profile to open the configuration page.
7. From the configuration menu, click Copy.
8. Set the following parameters (only those requiring modification are listed):
• Name: IMP SIP Trunk Profile
• Accept presence subscription: Checked
• Accept out-of-dialog refer: Checked
• Accept unsolicited notification: Checked
• Accept replaces header: Checked
Figure 38. SIP Trunk Security Profile Information
9. Click Save.
Configure SIP Trunk for IM and Presence Service
10. From the menu navigate to Device > Trunk.
Figure 39. Device Menu
11. From the Find and List Trunks page, click Add New.
12. Set the Trunk Type value to SIP Trunk from the drop down menu.
14. Set the following values under the Device Configuration section:
• Device Name: IMP-SIP-Trunk
• Description: IMP Publish Trunk
• Device Pool: Default
Figure 40. Device Information
15. Scroll down to the section labeled SIP Information and set the following values:
• Destination Address: imp1.dcloud.cisco.com
• Destination Port: 5060 (Default)
• SIP Trunk Security Profile: IMP SIP Trunk Profile
• SIP Profile: Standard SIP Profile
Figure 41. SIP Information
16. Click Save.
17. Click OK to acknowledge the webpage notification and proceed.
18. Click Reset.
19. Click Reset from the pop-up window.
20. Click Close.
Set the Presence Publish Trunk Parameter
21. From the main menu, navigate to System > Service Parameters.
22. Choose ucm1.dcloud.cisco.com from the Server drop down menu.
23. Choose Cisco CallManager from the Service drop down menu.
Figure 42. Select Server and Service
24. Scroll to the Clusterwide Parameters (Device – SIP) section.
You may expedite this process by typing Ctrl-F with the browser window in focus. This will open a search window, into which you may type IM and Presence to jump directly to the parameter.
25. Continue until you locate the IM and Presence Publish Trunk parameter.
26. Choose IMP-SIP-Trunk from the parameter menu.
Figure 43. IM and Presence Publish Trunk
27. Click Save.
Configure UC Services and Service Profile
Here we will provide the centralized configuration required for Cisco Jabber Clients to utilize core Collaboration application services. We will NOT be configuring all of the available services, but rather those that will allow us to create a stable foundation in order to configure advanced features in the lab.
Configure UC Services
1. From the main menu navigate to User Management > User Settings > UC Service.
Figure 44. User Settings
2. Click Add New.
3. From the drop down menu, choose IM and Presence.
4. Click Next.
5. Set the following values:
• Name: IMP-Service
• Description: IMP Service
• Host Name/IP Address: imp1.dcloud.cisco.com
Figure 46. UC Service Information
6. Click Save.
7. Click Add New.
8. From the drop down menu, choose CTI.
Figure 47. Add a UC Service
9. Click Next.
10. Set the following values:
• Name: CTI-Service
• Description: CTI Service
• Host Name/IP Address: ucm1.dcloud.cisco.com
• Port: 2748 (default)
Figure 48. UC Service Information
11. Click Save.
12. Click Add New.
13. From the drop down menu, choose Voicemail.
Figure 49. Add a UC Service
14. Click Next.
15. Set the following values:
• Product Type: Unity Connection
• Name: Voicemail-Service
• Description: Voicemail Service
• Host Name/IP Address: cuc1.dcloud.cisco.com
• Port: 443
• Protocol: HTTP
16. Click Save.
17. From the Related Links menu in the upper-right of the webpage, choose Back to Find/List.
18. Click Go.
19. Click Find.
20. Observe that all three services are created and match the image below.
Figure 51. UC Services
NOTE: We have omitted the manual configuration of a Directory Service. Feature enhancements to the Jabber Client portfolio have made it possible to leverage the Service Discovery capabilities of Jabber to automatically detect an accessible LDAP directory. Automatic discovery using SRV is the preferred method where possible.
Configure a Service Profile
21. From the main menu choose User Management > User Settings > Service Profile.
Figure 52. User Settings
22. Click Add New.
23. Under Service Profile Information set the following values:
• Name: CST-Service-Profile
• Description: CST Service Profile
• Make this the default service profile for the system: Checked
24. Under Voicemail Profile set the following values:
• Primary: Voicemail-Service
• Credentials source for voicemail service: Unified CM – IM and Presence
Figure 54. Voicemail Profile
25. Scroll to Directory Profile and set the following values:
• Primary: None
• Use UDS for Contact Resolution: Un-Checked
Figure 55. Directory Profile
26. Under IM and Presence Profile set the following:
• Primary: IMP-Service
27. Under CTI Profile set the following:
• Primary: CTI-Service
Figure 56. Profiles
Prepare Directory Synchronization and Automatic User Provisioning
As stated earlier, LDAP Directory integration provides the foundation for User Synchronization, User Authentication, and Contact Sources within a Collaboration Deployment. This is especially true regarding the interactions and user experience with respect to Cisco Jabber.
We will explore the new Flexible Jabber ID and Multi-Domain support features as part of our directory synchronization exercise.
Significant advancements in End-User provisioning have been part of Unified Communications Manager since the 10.x release. We will be using Feature Group Templates to demonstrate how quickly items such as End Users, UC Service Assignment, Group Membership, and even Directory Numbers can be added during the first LDAP synchronization. It is beyond the scope of this lab to delve into the design mechanics of each feature but we will be interacting with these tools and using them to expedite our provisioning process.
Service Activation
1. Recall that as part of our Service Activation and Status Verification activity we confirmed the status of Cisco DirSync to be activated and running. Directory Synchronization depends on this service to function, and the service must be activated prior to enabling an LDAP Directory Synchronization agreement and/or LDAP Authentication.
Figure 57. Cisco DirSync Activated
Class of Control
In order to leverage component features such as URI Dialing and to maintain consistency with Cisco Dial-Plan best practices for a centralized call control deployment, the following Partitions and Calling Search Spaces were created in advance. We will reference these when configuring our Provisioning Templates.
Table 4. Partitions
Partition | Description
CST-DN-PT | Collaboration Specialist Training DN Partition
CST-URI-PT | Collaboration Specialist Training URI Partition
Table 5. Calling Search Spaces
Calling Search Space | Partitions
CST-CSS | CST-DN-PT, CST-URI-PT, (All System Generated Partitions)
Provisioning Templates and User Profiles
In this section, we will interact with Universal Device, Universal Line, and Feature Group templates to create the foundation for automatic provisioning.
1. Navigate to the Cisco Unified CM Administration web interface at https://ucm1.dcloud.cisco.com/ccmadmin. This should already be open from the previous exercise.
2. Use the menu to navigate to User Management > User/Phone Add > Universal Device Template.
Figure 58. Universal Device Template Menu
3. Click Find.
4. Click the Sample Device Template with TAG usage examples hyperlink to open.
5. Modify the Name field to be CST Device Template.
Figure 59. CST Device Template
6. Click the icon to the left of Device Routing title to expand the section.
7. Set the Calling Search Space to CST-CSS by choosing it from the drop-down menu.
Figure 60. Device Routing
8. Click Save.
9. From the main menu, choose User Management > User/Phone Add > Universal Line Template.
10. Click Find.
11. Click the Sample Line Template with TAG usage examples hyperlink to open.
12. Set the following parameters:
• Name: CST Line Template
• Route Partition: CST-DN-PT
• Calling Search Space: CST-CSS
Figure 61. Calling Search Space Template
13. Click Save.
14. From the main menu choose User Management > User/Phone Add > Feature Group Template.
15. Click Find.
16. Click the Default Feature Group Template hyperlink to open.
17. Set the following parameters:
• Name: CST Feature Group Template
• Enable User for Unified CM IM and Presence: Checked
• Allow Control of Device from CTI: Checked
• SUBSCRIBE Calling Search Space: CST-CSS
18. Click Save.
19. From the main menu choose User Management > User Settings > User Profile.
20. Click Find.
21. Click the hyperlink for Standard (Factory Default) User Profile to open the editor page.
22. Set the following parameters:
• Name: CST User Profile
• Description: CST User Profile
• Mobile and Desktop Devices: CST Device Template
• Universal Line Template: CST Line Template
Figure 63. User Profile
23. Click Save.
Enable LDAP Synchronization
1. Navigate to System > LDAP > LDAP System.
Figure 64. LDAP Menu
2. In the LDAP System Configuration page, set the following values:
• Enable Synchronizing from LDAP Server: Checked
• LDAP Server Type: Microsoft Active Directory (default)
• LDAP Attribute for User ID: sAMAccountName (default)
Figure 65. LDAP System Information
3. Click Save.
Create a New LDAP Synchronization Agreement
4. Navigate to System > LDAP > LDAP Directory.
5. Click Add New.
6. In the LDAP Directory Information section, enter the following values:
• LDAP Configuration Name: CST LDAP
• LDAP Manager Distinguished Name: [email protected]
• LDAP Password: C1sco12345
• Confirm Password: C1sco12345
• LDAP User Search Base: ou=dcloud,dc=dcloud,dc=cisco,dc=com
• Synchronize: Users and Groups
NOTE: The user CollabLDAP has already been created as a standard user (no administrative roles) in Active Directory for use as a service account in LDAP Synchronization and Authentication, in accordance with Cisco deployment best practice.
7. Confirm settings match the screenshot below.
Figure 66. LDAP Directory Information
8. Scroll down to the section labeled Standard User Fields To Be Synchronized.
9. Set the Directory URI LDAP Attribute to mail.
NOTICE: Our demonstration users are provisioned across three different domains in the format [email protected]. In the coming steps, we will ensure that this value will be used to populate the Jabber ID (JID).
10. Scroll to the section labeled Group Information.
11. Click the Add to Access Control Group button.
Figure 68. Add to Access Control Group
12. In the Find Access Control Group where Name search field type: Standard.
13. Click Find.
14. From the Find and List Access Control Groups dialog, place a Check next to the following entries:
• Standard CCM End Users
• Standard CTI Enabled
Figure 69. Access Lists Dialog
15. Click Add Selected to close the dialog and return to the LDAP Directory configuration screen.
16. Set the value of Feature Group Template to CST Feature Group Template.
17. Check the box next to Apply mask to synced telephone numbers to create a new line for inserted users.
18. In the Mask field, enter XXXXXXXXXXXXX (The letter “X” in CAPS 13 times).
This mask is used because we have variable length E.164 telephone numbers with demonstration users in different countries. The maximum length of any telephone number in our demonstration is 12-digits with a leading +. Thus the mask XXXXXXXXXXXXX will accommodate any phone number string of 13 characters or less.
Figure 70. Group Information Mask
19. Scroll to the LDAP Server Information section.
20. In the Host Name or IP Address for Server field, type: ad1.dcloud.cisco.com.
Figure 71. LDAP Server Information
21. Click Save.
22. Do NOT attempt to perform a Directory synchronization at this time. We will be performing additional configuration to complete IM and Presence integration, and to accommodate Multi-Domain support before importing users.
Cisco Unified Communications Manager release 10.5 and onward supports the creation of E.164 (with leading “+”) formatted directory numbers via the Directory Synchronization process. Enhancements to the way in which the system applies the Mask field now allow the Mask to represent the maximum length of any discovered Directory Number within the defined directory. When the discovered telephone number is shorter than the length specified by the mask, it is inserted “as is”.
Enable LDAP Authentication
23. From the main menu choose System > LDAP > LDAP Authentication.
24. In the LDAP Authentication for End Users section, enter the following values:
• Use LDAP Authentication for End Users: Checked
• LDAP Manager Distinguished Name: [email protected]
• LDAP Password: C1sco12345
• Confirm Password: C1sco12345
Figure 72. LDAP Authentication
25. In the Host Name or IP Address for Server field, type: ad1.dcloud.cisco.com.
Figure 73. LDAP Server Information
26. Click Save.
Enterprise Parameters: URI Dialing and Enterprise Groups
1. From the Unified Communications Manager Administration webpage, use the main menu to navigate to System > Enterprise Parameters.
2. Scroll to the End User Parameters section.
3. Set the Directory URI Alias Partition value to CST-URI-PT.
Figure 74. End User Parameters
4. Scroll to the User Management Parameters section.
5. Set Directory Group Operations on Cisco IM and Presence to Enabled.
6. Click Save.
7. Click Apply Config.
Figure 75. Apply Configuration
IM and Presence Service Configuration
Connect to Unified IM and Presence
1. From the RDP session on wkst1.dcloud.cisco.com, launch Internet Explorer (if NOT already open) or click the New Tab icon.
2. From the dCloud Homepage navigate to Collaboration Admin Links > Cisco Unified IM and Presence Service to connect to imp1.dcloud.cisco.com. Optionally, you may manually type https://imp1.dcloud.cisco.com in the address bar.
Figure 76. Collaboration Admin Links
3. Acknowledge the certificate error by clicking Continue to this Website.
4. From the Installed Applications list, click Cisco Unified IM and Presence.
5. In the Username field, type administrator.
6. In the Password field, type dCloud123!.
7. Click Login.
Figure 78. Login Prompt
Configure Presence Gateway
8. From the menu choose Presence > Gateways.
Figure 79. Gateways Menu
9. Click Add New.
10. Under Presence Gateway Settings, set the following values:
• Presence Gateway Type: CUCM (default)
• Description: UCM Presence Gateway
• Presence Gateway: ucm1.dcloud.cisco.com
11. Click Save.
Enable Flexible Jabber ID (JID) and Multi-Domain Support
Flexible Jabber ID (JID)
By default, the Jabber ID (JID) is based on the Unified CM User ID, in the form <uid>@<XMPP domain>. The flexible JID feature allows the JID to be constructed from the Directory URI field instead. The Directory URI may be administratively mapped using the following LDAP synchronized data fields:
• mail (as is the case in this lab)
• msRTCSIP-PrimaryUserAddress
• Manually Configured by Administrator
This allows organizations to map user JIDs that align with the corporate naming address scheme in use. For example, a user’s JID (IM address) can be mapped to their E-Mail address using the mail parameter, effectively creating a single address for multi-modal communications.
The graphic below demonstrates how this feature affects the demonstration users in the Lab.
Figure 81. Addressing Scheme Comparison
Multi-Domain Support
Jabber IDs across multiple domains are now supported in a single Unified IM and Presence cluster. For example, an organization may manage many email domains, but only a single IM and Presence cluster. The JIDs can be formed based on the different email domains in this scenario, such as in our lab topology:
• alpha.com
• uk.dcloud.cisco.com
The Cisco Unified IM and Presence service will automatically learn the domains in the assigned topology based on those detected in the @domain portion of the JID (IM Address).
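The two addressing schemes and the domain learning described above can be previewed from directory data before the first synchronization. This is an added example, not Cisco's code or part of the original lab guide: the user entries are constructed, the default XMPP domain dcloud.cisco.com is an assumption, and lowercasing addresses before comparing them is a choice made here for the duplicate check.

```python
import re
from collections import Counter

# Constructed directory entries (sAMAccountName, mail); names are illustrative only.
USERS = [
    {"sAMAccountName": "user1", "mail": "user1@dcloud.cisco.com"},
    {"sAMAccountName": "user2", "mail": "User2@Alpha.com"},
    {"sAMAccountName": "user3", "mail": "user3@uk.dcloud.cisco.com"},
    {"sAMAccountName": "user4", "mail": ""},                 # no mail attribute
    {"sAMAccountName": "user5", "mail": "user2@alpha.com"},  # collides with user2
]

# local-part@domain, where the domain has at least two labels
URI = re.compile(r"^[^@\s]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$")


def plan_jids(users, default_domain):
    """Preview JIDs under both schemes.

    Returns (plan, domains, srv_names, problems):
      plan      - per-user default JID (<uid>@<default_domain>) and flexible
                  JID (the mail value used as Directory URI)
      domains   - sorted set of @domain parts seen in the flexible JIDs
      srv_names - the _cisco-uds SRV name each of those domains needs
      problems  - users without a usable Directory URI, and duplicate JIDs
    """
    plan, problems = [], []
    for user in users:
        uid = user["sAMAccountName"]
        mail = (user.get("mail") or "").strip().lower()
        match = URI.match(mail)
        if not match:
            problems.append(f"{uid}: no usable Directory URI ({mail!r})")
            continue
        plan.append({
            "uid": uid,
            "default_jid": f"{uid}@{default_domain}".lower(),
            "flexible_jid": mail,
            "domain": match.group(1),
        })
    counts = Counter(entry["flexible_jid"] for entry in plan)
    problems += [f"duplicate JID {jid}" for jid, n in counts.items() if n > 1]
    domains = sorted({entry["domain"] for entry in plan})
    srv_names = [f"_cisco-uds._tcp.{d}" for d in domains]
    return plan, domains, srv_names, problems


if __name__ == "__main__":
    plan, domains, srv_names, problems = plan_jids(USERS, "dcloud.cisco.com")
    for entry in plan:
        print(f'{entry["uid"]}: {entry["default_jid"]} -> {entry["flexible_jid"]}')
    print("domains:", domains)
    print("SRV records needed:", srv_names)
    print("problems:", problems)
```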
Explore Advanced Presence Settings
1. From the menu choose Presence > Settings > Advanced Configuration.
2. This is the configuration screen where the IM Address scheme can be modified to support flexible JID and Multi-Domain provisioning.
3. Observe that all configuration items are Grayed Out. A message indicating that certain services must be stopped in order to continue is displayed.
Figure 82. Domain and IM Address Settings
Shutdown Required IM and Presence Services
1. From the active RDP session connected to wkst1.dcloud.cisco.com, launch the terminal application PuTTY by clicking on the icon in the taskbar.
Figure 83. PuTTY Icon
2. Under Saved Sessions, choose the entry imp1 and click Load.
3. Click the Open button to launch a secure shell connection to the IM and Presence node imp1.dcloud.cisco.com.
4. At the Login As prompt, type administrator.
5. At the password prompt, type dCloud123!.
Figure 85. PuTTY Terminal Window
NOTE: In the next section, you will type a series of serviceability commands. To eliminate the possibility of typographic errors and to save time, you may open a file with pre-configured text and copy and paste each command instead of typing it. From the Desktop of Wkst1, browse to CST-Jabber > Utilities and open the file service-stop-start.txt. Copy the commands one at a time as instructed in the following steps. To paste into the PuTTY window, simply right-click within the active terminal connection.
6. Type the following command: utils service stop Cisco Presence Engine
7. Press Enter.
8. Confirm that the service has been stopped.
Figure 86. Service Stopped
9. Type the following command: utils service stop Cisco SIP Proxy
10. Press Enter.
11. Confirm that the service has been stopped.
Figure 87. Service Stopped
12. Type the following command: utils service stop Cisco XCP Router
13. Press Enter.