Cisco JUMP Upgrade – You need things (Part #1)

You need a lot of things to handle a JUMP upgrade. If you’re not familiar with what I’m talking about I’ll run through the basics.

You have a Cisco Communications Manager on an older release and you cannot DIRECTLY upgrade to version 9.1(2). You can JUMP from the following versions – 6.1(4), 6.1(5), 7.1(3), and 7.1(5). Another case is that you’re on Cisco MCS servers and you’re going virtualized. The upgrade to Release 9.1(2) and data migration will be performed in an isolated environment and moved to production during a service window.

The following network services must be available:

  • Default gateways: recreate all relevant networks and ensure connectivity between them.
  • NTP server: this can be a different IP address or a local router.
  • DNS server: if a DNS server is used in the existing production environment, make sure the domain name matches and that forward and reverse lookups of every cluster node succeed.
  • FTP and SFTP server: ensure sufficient storage for firmware, images, and backups.

WAIT a minute! I’m in an isolated network in VMware, how do I have all of these things available to me? You really expect me to duplicate all of this in an isolated environment? My Cisco cluster will have the same names, IP addresses and configuration. My gateway will be the same. My DNS servers will be the same. Fortunately you can change all of this later on, so all we need right now is to get through the installs and make the isolated network functional.

FreeBSD to the rescue. If you don’t know me already, I like FreeBSD. If FreeBSD is good enough for Netflix and Amazon it is good enough for me. Installing and duplicating all of this on a Windows machine would take hours; with FreeBSD I’ll have it done in a matter of minutes.

5 MINUTES – Install FreeBSD in a guest machine alongside where you plan to build your isolated 9.1(2) servers. Attach the guest to the live network’s vSwitch for now, because we need to pull some actual information from the live network before isolating this FreeBSD guest. If that VLAN doesn’t offer DHCP, configure a static address during installation. The guest doesn’t need much CPU or memory for what you’re about to do; give it enough disk to hold the FTP/SFTP upgrade files and backups. I typically allocate 64GB, which is thin provisioned anyway.

During installation select ntpd as a system service (this puts ntpd_enable="YES" in /etc/rc.conf).

During installation create a user account called “jumpupgrader” or whatever you want. Since this is a controlled, throwaway environment I add this user to “wheel” so I can su to root as necessary.

Guess what? Now you have a router, an NTP server, a DNS server, and an FTP and SFTP server. Each needs slightly more configuration, covered below.

NTPd – You’ll need to fudge NTP. You’re going to move this VMguest into an isolated network, so ntpd is going to lose contact with its upstream stratum servers, and without a local fallback it will stop answering clients. (I’m not going into routing through this machine in this blog post.)

vi /etc/ntp.conf

Uncomment the two local-clock lines at the end of the file and lower the fudged stratum from 10 to 1:

#server 127.127.1.0             becomes   server 127.127.1.0
#fudge 127.127.1.0 stratum 10   becomes   fudge 127.127.1.0 stratum 1

service ntpd restart

If I’m going to fudge something I might as well pretend I’m a GPS hardware device. Now you can move this machine into the isolated network and ntpd will continue to respond. Two things to remember: the local clock driver serves whatever the guest’s own system clock says, so set the date correctly before the restart, and a fudged stratum 1 is only acceptable inside this lab, never on the production network. If the CUCM nodes get no answer, check the restrict lines in ntp.conf.

ntpq -p now responds with:

    LOCAL(0)        .LOCL.           1 l    2   64    1    0.000    0.000   0.000
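As an added example (not from the original post), here is a small sh script that makes the same edit on a copy of ntp.conf and then checks an ntpq peer table for the result. The three-line sample config, the ntpq output and the file paths are constructed for the demonstration; the real /etc/ntp.conf has more in it, but the two local-clock lines are the ones that matter.

```shell
#!/bin/sh
# Added example, not from the original post: apply the local-clock "fudge"
# to a FreeBSD-style ntp.conf and check an "ntpq -p" peer table for the
# result. The sample config, the ntpq line and the paths are assumptions.

set -eu

# sample_conf: the two commented-out lines FreeBSD ships at the end of
# /etc/ntp.conf (constructed sample; the real file has more in it).
sample_conf() {
    cat <<'EOF'
server 0.freebsd.pool.ntp.org iburst
#server 127.127.1.0
#fudge 127.127.1.0 stratum 10
EOF
}

# fudge_local_clock CONF: uncomment the local clock and make it stratum 1,
# so ntpd keeps answering after the guest is moved off the live network.
fudge_local_clock() {
    conf=$1
    sed -e 's/^#server 127\.127\.1\.0$/server 127.127.1.0/' \
        -e 's/^#fudge 127\.127\.1\.0 stratum 10$/fudge 127.127.1.0 stratum 1/' \
        "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# sample_ntpq: what "ntpq -p" prints once the local clock is in use
# (constructed from the line quoted in the post; "*" marks the selected peer).
sample_ntpq() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.           1 l    2   64    1    0.000    0.000   0.000
EOF
}

# local_clock_ok NTPQ_OUTPUT: succeed when LOCAL(0) appears at stratum 1
# with the .LOCL. refid, which is what the upgrade hosts will sync against.
local_clock_ok() {
    printf '%s\n' "$1" | awk '
        $1 ~ /LOCAL\(0\)$/ && $2 == ".LOCL." && $3 == 1 { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Run with "apply" as root on the FreeBSD guest to do it for real.
if [ "${1:-}" = "apply" ]; then
    fudge_local_clock /etc/ntp.conf
    service ntpd restart
    local_clock_ok "$(ntpq -p)" && echo "local clock serving at stratum 1"
fi
```

The check is worth keeping around: right after the restart ntpq shows reach 1 and no selection marker, and it takes a few polls before the local clock is actually used, so run local_clock_ok again before pointing the CUCM installs at this host.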

SFTP – SFTP is an SSH subsystem (sftp-server), so it is already there once sshd is running. You can SFTP to your FreeBSD VMguest with the user account you created; Filezilla will land you in /usr/home/jumpupgrader. That directory is where the upgrade ISOs and backups go, and it is the path you give CUCM when you point its backup device and upgrade source at this host.

DNS and BIND (I will update and republish within the next week when FreeBSD 10 comes out. There are some changes in the local resolver from BIND to Unbound and LDNS: FreeBSD 10 no longer ships BIND in the base system, so named has to be installed from ports.)

Cisco Communications Manager and other Cisco Collaboration products perform reverse and forward lookups during installation, and the install fails if either lookup of a node name is wrong. You need to create the DNS zones and host entries. Fortunately this is very easy in BIND. If you need to get more complex than the following configuration just head over to Google and research BIND. As FreeBSD reminds you, I’m not going into the hairy details of DNS.

vi /etc/rc.conf

Add the line

named_enable="YES"

then start it

service named start

Voilà, we have a DNS server.

Make a backup of your configuration

/etc/namedb # cp named.conf named.conf.original

You need DNS to listen on the IP addresses you’re going to set up on FreeBSD. You’ll also need to create some zone files for the DNS infrastructure you’re going to fudge. Just follow me on all this and you’ll get it going in no time at all. Copy and paste if you have to.

vi named.conf

In the options block, change listen-on to

listen-on { any; };

// this lets BIND listen on every IP address configured on the guest. A “sockstat -4 -l” after the service restart should show the local LAN address on port 53 in the list. Listening on “any” is fine here only because this guest spends a few minutes on the live VLAN before it is isolated; don’t leave it answering queries on the production network.

Go to the bottom of the configuration and add these two zones, substituting your own domain for “mycompany.local” (the zone your Cisco Collaboration systems live in) and the correct reverse zone for the subnet your isolated servers will use. The reverse zone’s name and file name are left blank below; for a /24 the zone name is the network’s first three octets in reverse order followed by .in-addr.arpa.

zone "mycompany.local" {
    type master;
    file "/etc/namedb/master/mycompany.db";
};

zone "" {
    type master;
    file "/etc/namedb/master/";
};

Now write and save.

Time to create the zone files and all that good information needed for a DNS zone. Change the names below and just paste it in.

root@jumpupgrader:/etc/namedb/master # ee /etc/namedb/master/mycompany.db


$TTL 3600        ; 1 hour default TTL
mycompany.local.    IN      SOA      jumpupgrader.mycompany.local. admin.mycompany.local. (
                                2006051501      ; Serial
                                10800           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                300             ; Negative Response TTL
                                )

; DNS Servers
                IN      NS      jumpupgrader.mycompany.local.

; Machine Names
localhost    IN    A
jumpupgrader    IN    A
cucm-publisher    IN    A
cucm-subscriber    IN    A

Escape and save the file. Each A record needs the host’s IP address after the A (localhost gets 127.0.0.1; the others get the addresses the nodes will have in the isolated network), and the closing parenthesis after the SOA timers is required or named will refuse to load the zone. Bump the serial every time you edit the file.

Command to create next zone file-

 # ee /etc/namedb/master/


$TTL 3600        ; 1 hour default TTL
@    IN      SOA      jumpupgrader.mycompany.local. admin.mycompany.local. (
                                2006051501      ; Serial
                                10800           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                300             ; Negative Response TTL
                                )

                IN      NS      jumpupgrader.mycompany.local.

120             IN      PTR     mycompany.local.
5    IN    PTR    cucm-publisher.mycompany.local.
6    IN    PTR    cucm-subscriber.mycompany.local.

Escape and save the file. “@” is zone-file shorthand for the zone origin, i.e. the in-addr.arpa name you gave this zone in named.conf, so the SOA line works for any subnet; the owner of each PTR record is the host’s last octet, and the target must be the fully qualified name with the trailing dot, exactly as it appears in the forward zone.

Now do a final restart and let’s check the configuration. Before the restart, named-checkconf and named-checkzone mycompany.local /etc/namedb/master/mycompany.db will catch a typo; otherwise named logs the parse error and serves nothing for that zone, and you only find out when the CUCM install fails its lookup.

service named restart

root@jumpupgrader:/etc/namedb/master # nslookup
> server
Default server:
> cucm-publisher.mycompany.local
Name:    cucm-publisher.mycompany.local
Address:
>
                name = cucm-publisher.mycompany.local.

(The addresses are left out above. Point nslookup at the FreeBSD guest’s own LAN address with “server”, confirm the forward query returns the publisher’s address, then query that address and confirm the reverse answer is “name = cucm-publisher.mycompany.local.”. Repeat for every node in the cluster; a mismatch here is exactly what the CUCM installer will complain about.)
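As an added example, not part of the original post, the following sh script generates both zone files from one host list and then cross-checks them: every A record must have a PTR whose target is the same fully qualified name, which is the forward-then-reverse lookup the CUCM installer performs on each node. The domain, the 192.168.120.0/24 network, the host octets and the output file names are assumptions for the demonstration (the post names its forward file mycompany.db; the script writes mycompany.local.db).

```shell
#!/bin/sh
# Added example, not from the original post: build the forward and reverse
# zone files for the isolated lab from one host list, then verify that every
# A record has a PTR pointing back at it. DOMAIN, NET, the hosts and the
# output file names are assumptions for the demonstration.

set -eu

DOMAIN=mycompany.local
NS_HOST=jumpupgrader
NET=192.168.120                  # first three octets of the lab /24 (assumed)
# Constructed host list: "name last-octet", one host per line.
HOSTS='jumpupgrader 10
cucm-publisher 5
cucm-subscriber 6'

# reverse_net 192.168.120 -> 120.168.192 (in-addr.arpa label order)
reverse_net() {
    printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 }'
}

# soa_header ORIGIN: the SOA and NS records both files share. The serial is
# today's date plus a two-digit revision, so each regeneration sorts higher.
soa_header() {
    cat <<EOF
\$TTL 3600        ; 1 hour default TTL
$1    IN      SOA      $NS_HOST.$DOMAIN. admin.$DOMAIN. (
                                $(date +%Y%m%d)01      ; Serial
                                10800           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                300             ; Negative Response TTL
                                )
                IN      NS      $NS_HOST.$DOMAIN.
EOF
}

# forward_zone: one A record per host, plus localhost
forward_zone() {
    soa_header "$DOMAIN."
    printf '%-20s IN    A    127.0.0.1\n' localhost
    printf '%s\n' "$HOSTS" | while read -r name octet; do
        printf '%-20s IN    A    %s.%s\n' "$name" "$NET" "$octet"
    done
}

# reverse_zone: one PTR per host, owner is the host's last octet
reverse_zone() {
    soa_header "$(reverse_net "$NET").in-addr.arpa."
    printf '%s\n' "$HOSTS" | while read -r name octet; do
        printf '%-6s IN    PTR    %s.%s.\n' "$octet" "$name" "$DOMAIN"
    done
}

# zones_consistent FWD_FILE REV_FILE: exit 0 only when every A record except
# localhost sits in NET and has a PTR whose target is the same FQDN. This is
# the forward-then-reverse check the CUCM installer runs on each node name.
zones_consistent() {
    awk -v dom="$DOMAIN" -v net="$NET" '
        FNR == NR { if ($3 == "PTR") ptr[$1] = $4; next }     # reverse zone
        $2 == "IN" && $3 == "A" && $1 != "localhost" {         # forward zone
            split($4, o, ".")
            if ((o[1] "." o[2] "." o[3]) != net || ptr[o[4]] != ($1 "." dom "."))
                bad++
        }
        END { exit bad ? 1 : 0 }' "$2" "$1"
}

# write_zones DIR: emit both files into DIR (/etc/namedb/master on the guest)
# and fail if they disagree, so a typo is caught before "service named restart".
write_zones() {
    fwd="$1/$DOMAIN.db"
    rev="$1/$(reverse_net "$NET").in-addr.arpa.db"
    forward_zone > "$fwd"
    reverse_zone > "$rev"
    zones_consistent "$fwd" "$rev"
}

if [ $# -eq 1 ]; then
    write_zones "$1" && echo "zone files written to $1 and cross-checked"
fi
```

Usage on the guest is ./zones.sh /etc/namedb/master followed by the named restart; the cross-check is deliberately strict about the trailing dot on PTR targets, because a missing dot makes BIND append the origin and the reverse answer then comes back as something like cucm-publisher.mycompany.local.120.168.192.in-addr.arpa, which is the classic cause of a CUCM install failing its reverse lookup.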



Now we have the basic network services needed to handle the CUCM installations in our isolated network. If you copied and pasted most of this you should’ve been done very quickly, and in much less time than installing Windows Server 2012, installing DNS services, installing an NTP service, and installing an SFTP service.

The next pieces will come in PART 2!

Cisco Jabber and your XML file

Greetings! I know not many people read this blog, primarily because I’ve rarely posted anything. I am starting to get some traction putting a few things up here, and essentially it’s for my own use. For years I’ve benefited from the notes and blogs of other engineers. I think it’s time I started contributing.


Cisco Jabber for Windows, Mac, iPhone, iPad and Android: you want to support all of these devices on your Cisco Collaboration system? You’re in for a special treat. Each client has its own configuration parameters. Some of the clients need device-level configuration; others need the jabber-config.xml file.

Specifically, Jabber for Mac 8.6.6 seems to have some issues using the jabber-config.xml: users are getting SSL prompts and directory lookup issues. It is worth noting that Jabber for Mac 9.2 is in beta and should be released this month. Jabber for Mac 9.2 fixes a lot of issues and hopefully will be available very soon.

I’ve been pushing for years for corporations to move to a UPN login method, meaning “” when logging into their PC, their Microsoft domain, and applications. As a general rule of thumb a user’s Microsoft UPN equals their primary SMTP address, and this should equal their primary SIP URI.

“UPN=SMTP=SIPURI” – essentially these three values define the domain the user is in, and together they give one identifier that is unique across all your domains for contacting the user.

Below you’ll see my sample XML that is using an integration with Cisco IM and Presence and Cisco Communications Manager 9.1.1b. This integration uses “mail” mapping to the user logon name.

The XML file is needed for obvious reasons: the Jabber client downloads it from the Communications Manager TFTP service at login. I have an open TAC case on the LDAP connection issues and I’ll post back here with results.

If you’re looking for a decent tool to help generate your jabber-config.xml file; check out this link –

Sample jabber-config.xml:

<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">

Cisco ASA–Send the right enrollment request to the CA

A few things I forgot to mention in my previous posts. You need to send a properly formatted request to the Microsoft NDES service from the Cisco ASA, and it must include the domain and the correct key size. If you do not specify these enrollment properties correctly the CA will deny the request; usually the denial shows up in the application log indicating that the key size is wrong, which means the request’s key is smaller than the minimum key size set on the template.

Use a 2048-bit key. 1024-bit RSA is considered too weak for new certificates, so treat 2048 as the floor and go larger only if your security requirements demand it. Remember that a larger key makes every TLS handshake on the ASA more expensive, so CPU cost scales with key size times connection rate; don’t pick 4096 by default.

Here is an example configuration for the ASA enrollment:



Also, be sure the NDES service account has the right security permissions on the template. Giving it “Full Control” also checks Autoenroll, but it is more than NDES needs; Read and Enroll are sufficient, and keeping the template permissions tight matters because anything that can enroll through NDES gets certificates issued from your enterprise CA.

NDES Server Configuration for SCEP (Cisco ASA SCEP Proxy)

A quick reminder: the Microsoft NDES implementation requires a one-time password to enroll network devices. This gets complicated with BYOD, because the user enrolling has no access to that one-time password. No administrator is involved to get you on the network, right? You get credentials and that’s all.

An adjustment needs to be made to Microsoft NDES implementation to let the Cisco ASA proxy the SCEP enrollment request.

Disabling the one-time password on the NDES server is done with the following registry value: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword

Set the EnforcePassword value data (DWORD) to “0”; “0” means NDES requests no password. Restart IIS afterwards so the change takes effect.

Understand what this does: with EnforcePassword at 0, NDES will pass a certificate request from anyone who can reach the mscep URL on to the CA. The only thing standing between an attacker and a certificate from your enterprise CA is the ASA authenticating the user before it proxies the SCEP request, so restrict network access to the NDES server to the ASA and keep the issued template as narrow as described below.


Another thing to keep in mind: the default NDES implementation uses the “IPSec (Offline request)” certificate template. Decide whether this is the template you want issued to everyone getting a BYOD certificate.


Let’s say you want better control of the certificate being issued. I would recommend creating a custom template. This is a user device, so let’s give it the right extended key usage.

  • Duplicate the “IPsec (Offline request)” template – I use “User NDES”
  • Modify the extensions so the Application Policies list looks like the following. You don’t have to assign all of these uses, but this mirrors the most likely use cases:
    • Server Authentication
    • Secure Email
    • Encrypting File System
    • Client Authentication
    • IPsec IKE Intermediate
  • Adjust the certificate validity period and renewal period according to your policy for user certificates.
  • Check the box to publish the certificate in Active Directory if you are using EFS.
  • Add the NDES service account to the security permissions on the template with “Read” and “Enroll” checked.
  • Modify the registry to assign which template is used during enrollment:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
    • Set the EncryptionTemplate, SignatureTemplate and GeneralPurposeTemplate values to the template name (the name without spaces, not the display name), then restart IIS.

Think twice about Server Authentication on a template handed to user-owned devices: a certificate carrying that EKU can present itself as a TLS server for whatever name is in its subject, so include it only if those devices genuinely need it.

Cisco CUBE and MOH issues

Recent issue and a quick reminder about Cisco CUBE and MOH. If inbound callers are not hearing MOH when placed on hold, the issue might not be CUBE.

Check this service parameter on CUCM – Duplex Streaming Enabled:

“This parameter determines whether music on hold (MOH) and Annunciator use duplex streaming. Valid values specify True (use duplex [two-way] streaming for MOH and Annunciator) or False (use simplex [one-way] streaming for MOH and Annunciator). Specifying True facilitates interoperability with certain firewalls and NATs. The default value is “false”.”

Simple answer – Cisco IOS 15.x likes duplex audio streams. With the default of False, MOH is sent one-way from the MOH server, which the CUBE path (or a firewall or NAT in it) may not pass; set it to True and retest.

Cisco ASA enrollment for SSL using SCEP

Alright – so if you’ve set up Microsoft NDES on Server 2012 and followed the basic instructions, your CA is now ready to enroll SCEP requests against the “IPSECIntermediateOffline” template.

However, let’s say you want to actually enroll the Cisco ASA using SCEP to provide a server authentication certificate? You’re wanting to do this so your AnyConnect SSL/WebVPN will use an SSL certificate from your internal Active Directory Enterprise CA.

Simple – change the GeneralPurposeTemplate registry value under HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP and restart IIS. Then go back to your Cisco ASA and perform a new identity certificate enrollment. Be sure to populate all of the certificate name fields and get the CN right: it has to match the name your AnyConnect clients connect to.



Set this to GeneralPurposeTemplate = WebServer

You can now enroll your Cisco ASA using SCEP to obtain a Server Authentication certificate. Check the issued certificates on the CA and you should see one issued from the WebServer template.

Be sure to set GeneralPurposeTemplate back to “IPSECIntermediateOffline” once you’re done, unless you need to SCEP-enroll more web servers. While it points at WebServer, every SCEP request NDES accepts gets a server authentication certificate, which is exactly the kind an attacker wants for impersonating your services, so don’t leave it that way any longer than the enrollment takes.

Windows Server 2012 NDES (SCEP)

So I’ve been working with the Windows Server 2012 NDES/SCEP installation. I’m setting this up to issue certificates from the Windows Active Directory domain to a lot of Cisco networking equipment. Since this also extends to iPhones and iPads it will be beneficial when I’m setting up client certificate authentication.

With Windows Server 2012 and installing NDES (SCEP) you definitely need to give it its own service account. I recommend a dedicated service account over the default IIS App Pool identity.

Once you have this service account added to the local IIS_IUSRS group, go ahead and configure the feature.

An additional thing to note is if you also install the CES/CEP features you’re going to have a problem with your handlers.

This post is more or less helping me remember to check these properties when installing the NDES role. The issue is once you get it all installed you will start getting HTTP 500 errors when browsing http://localhost/certsrv/mscep/

A workaround for this issue is to change the order of the handlers for the Microsoft Simple Certificate Enrollment Protocol (MSCEP) applications in IIS so that the ExtensionlessUrlHandler-ISAPI-4.0_64bit handler comes after the StaticFile handler. To do so, you can follow the steps below:

1) Install and configure NDES (and CEP/CES).
2) Open IIS.
3) Select “Default Web Site”.
4) Click “View Applications” in the action panel on the right.
5) Double click the mscep application.
6) Double click “Handler Mappings”.
7) Click “View Ordered List…” in the action panel.
8) Select ExtensionlessUrlHandler-ISAPI-4.0_64bit and move it down so it is below StaticFile.
9) Repeat steps 6-8 for the mscep_admin application.
10) Restart IIS.


Thanks for the comment that is related to error code 0x800700ea.

Exchange 2013–Wait for SP1

Exchange 2013 is heading in the right direction, but it is missing some key features before corporations should deploy it. The adaptation for touch interfaces is certainly one of the more appealing features. As Windows 8 gains adoption in the Enterprise it will be important that applications support this type of interaction. Personally, being used to Windows 8 RT, Windows 8, and Windows Phone 8 all on touch screens, it certainly makes sense to ensure the corporate apps support it.

Here are some highlights –

  • OWA has been slimmed down a little too much. The help menus are unavailable, it’s ‘pokey’, and it lacks S/MIME support. Even with the changes to public folders, access to these folders through OWA is lacking. Outlook Anywhere certainly makes up for this, so it is understandable that public folders are on their way out in OWA. Built-in spell check is gone, and since this is adapted for IE10 and Windows 8 the native anywhere-available spell check makes up for this.
  • BES support is unavailable at this time. A large majority of corporations I’ve worked for still largely support Blackberry. With Blackberry support completely lacking, this confines Exchange 2013 to SMB and lab deployments.
  • Outlook 2003 is no longer supported. Even though Outlook 2003 is still around, customers should be looking to upgrade their Microsoft Office suite if Office 2003 is still lurking around. Once Office 2003 has been upgraded to Office 2010 or Office 2013, then consider Exchange 2013.
  • The overall architecture is completely changed. Many enterprises have wholly adopted the Exchange 2010 architecture and are used to its operation. Exchange 2013 combines CAS and HUB into a multiple-role server once again.
  • Deployment and sizing guidelines are somewhat lacking. While this isn’t an issue if you contract an Exchange 2013 guru, it does mean a DIY deployment is a little more risky.
  • Cannot currently be installed alongside Exchange 2007 or Exchange 2010. This is a big one, since greenfield deployments of Exchange are rare. Exchange 2010 SP3, arriving soon, will eliminate this concern. Continue to monitor the Microsoft Exchange team for updates.
  • The Exchange Management GUI is gone. Junior-level admins who have no prior experience with PowerShell need to start learning it now. If the enterprise is going from Exchange 2003 to Exchange 2013, be prepared for a steep learning curve. Contract an experienced Exchange professional to assist you with the migration effort.

There are many more low-level technical reasons why you should wait until Exchange 2013 SP1. If anything the patching and rollup release mechanism used by the Exchange team needs some review.

It is a great product and I look forward to large-scale adoption, but at this time it is relegated to the lab.