Cisco Conductor 2.3 – BE6000 and BE7000

Just bringing you a few highlights about Conductor 2.3 which should align with Telepresence Server 4.0.

Conductor XC2.3 has a new API that will allow Cisco TMS to obtain conference information, capacity information, and provision conferences. The client can create a new ConfBundle with auto-dialed participants and conference aliases. It is important to note that these API provisioned conference details will only be available through the API and not the Conductor web interface. In short – you still need TMS for scheduling which isn’t a big deal.

Putting the pieces together, the scheduling of TP conferences connecting TMS to Conductor is a welcome addition. I’m making an assumption that vTS 4.0 and TMS 14.4 will be available very soon. This should speed the adoption of the vTS and Conductor within the BE6000 and BE7000 platforms. I’m still not 100% positive how TMS and TMSPE with Exchange will play into this but I’m assuming those pieces will be available soon.

Most likely this will all align with announcements we’re going to hear from Cisco Live.

More Telepresence!

VCS and Expressway 8.1 to 8.1.1 Patch

If you patch 8.1 to 8.1.1 and your Mobile and Remote Access stops working, you need to regenerate your certificates.

The patch from 8.1 to 8.1.1 introduces the XCP/XMPP router service. Whenever you modify anything related to XCP/XMPP on VCS or Expressway, you need to regenerate the certificates. The same applies when you modify or add an XMPP chat node alias.

The certificates need to be regenerated on both Core and Edge. Once they are applied, a restart makes them take effect.

The documentation does not currently reflect that this is a required step and should be updated soon.

When can I start upgrading my Cisco CM subscribers?

Upgrading a rather large Communications Manager cluster I needed to upgrade all of the subscriber nodes at the same time.

The general rule still applies when upgrading a Cisco CM cluster – Publisher upgrades first and do not switch to upgraded partition.

Now there is a certain point during the publisher upgrade that I can actually start upgrading on all the subscribers in parallel. Be sure you have the proper compute and MHz reservation because you don’t want to overload all subscribers at once.

  1. SSH to your Publisher or get on the console.
  2. List the install logs:

       admin:file list install install_* date
       install_log_2014-04-06.20.39.48.log
       dir count = 0, file count = 1

  3. Search the most recent install log for “PRODUCT_VERSION”:

       file search install install_log_2014-04-06.20.39.48.log PRODUCT_VERSION
       04/06/2014 20:52:30 post_upgrade|PRODUCT_VERSION is 9.1.2.11900-12|<LVL::Info>
       04/06/2014 20:52:30 post_upgrade|PRODUCT_VERSION_DISPLAY is 9.1.2.11900-12|<LVL::Info>
       Search completed

  4. When the file search command finds the PRODUCT_VERSION string in the install log, you can start the upgrade of the subsequent nodes.
     If you want to upgrade the subsequent nodes in parallel with the publisher node, do not choose the Reboot to upgraded partition option on either the publisher node or the subsequent nodes while configuring the upgrade options. If it is selected, the publisher node may complete its upgrade and reboot while the subsequent nodes are upgrading, which causes the upgrade of the subsequent nodes to fail.

When you are ready to activate the new version, you must activate the new software on the publisher node before activating it on all other nodes.

Deployment is dead! User adoption and BYOE.

Deployment is dead. It is less about technology deployment and more about getting people to actually USE it. Get out of the clouds for a moment and think about how all of these clouds are transforming your user experience. A desktop is a desktop is a desktop and I don’t care if I consume a desktop from an Android, Mac, Chrome, Windows, or Linux.

So how do we as collaboration architects stop worrying about deployment and worry more about the user experience? First of all we need help from Cisco, Avaya, Google, and Microsoft. The user experience has to come first. The new generation workforce has very high expectations that things just WORK. Did Twitter, Facebook, Vine, or Instagram deploy themselves to the user community? No, it was very cool and users adopted it. Our workplace has always been a place of we’re going to deploy this desktop, with this office suite, with this phone and you’re forced to like it.

Enough already! Bring Your Own Everything – BYOE. Desktop, Mobile Device, Instant Messaging app, social sharing app, and web collaboration app. I’m not the first person to talk about BYOE; a few searches around the Internet and you’ll see other posts.

Have you looked at HTML5, WebRTC, VP9, and H.265? These things may not transform your business this year but be prepared Q4FY2014 and 2015.

Jabber and Expressway – Still in beta!

Quick post — The Cisco Expressway “Mobile and Remote Access” feature for Cisco Jabber is NOT officially supported by Cisco at the time of this post.

In fact only Jabber versions 9.6.1 will support “MRA” and the iOS and Android versions of 9.6.1 are still in BETA!

Just be aware that if you’re doing a Jabber deployment today we might see the Jabber 9.6.1 clients released by end of March. There are no official commitments on that date.

Cisco Finesse

I couldn’t figure out how to turn on Finesse. It’s a CLI command and only permitted to change on the primary node.

Reminder – you cannot run both CAD and Finesse agents.

Cisco Finesse is a next-generation agent and supervisor desktop designed to provide a collaborative experience for the various communities that interact with your customer service organization. It helps improve the customer experience while offering a user-centric design to enhance customer care representative satisfaction as well.

Cisco Finesse provides:

  • A browser-based administration console and a browser-based desktop for agents and supervisors; no client-side installations required.
  • A single, customizable “cockpit”, or interface, that gives customer care providers quick and easy access to multiple assets and information sources.
  • Open web 2.0 APIs that simplify the development and integration of value-added applications and minimize the need for detailed desktop development expertise.

By default, Cisco Finesse Service is not activated during the initial component-activation phase or when the appropriate licenses are updated on a Unified CCX deployment.

Run the utils uccx finesse activate command to activate Cisco Finesse Service on each Unified CCX node in a cluster.

    Unified CCX 10.0(1) does not support concurrent use of Cisco Agent/Supervisor Desktop and Cisco Finesse.
    If you are using Cisco Agent/Supervisor Desktop, deactivate Cisco Finesse service.
    Do you want to proceed? (yes/no) yes

    Cisco Finesse activation in progress…

    Cisco Finesse activated successfully.

    If this is a HA deployment, run this command on both Unified CCX nodes.

    admin:

Configuration changes are permitted on only the primary server. Access to Finesse administration console on the secondary server is read-only.

When you attempt to save the changes in Finesse administration console on the secondary node, you receive a message that administration on the secondary node is read-only.

Cisco Collaboration Licensing – New Purchasing

This is more for my reference but maybe it’ll help you decipher a Cisco bill of materials. I was tired of opening the PDF. Please order UCSS and ESW.

Cisco Unified Workspace Licensing (UWL): Cisco Unified Workspace Licensing provides the most popular bundles of Cisco Collaboration applications and services in a cost-effective, simple package.

It includes soft clients, applications server software, and licensing on a per-user basis. Cisco Unified Communications Software Subscription (UCSS) is required to enable access to major software upgrades.

Cisco User Connect Licensing (UCL): A per-user license for individual Cisco Unified Communications applications that includes the applications server software, user licensing, and a soft client. Depending on the type of device and number of devices that you require, User Connect Licensing is available in Essential, Basic, Enhanced, and Enhanced Plus versions. Cisco Unified Communications Software Subscription (UCSS) is recommended to enable access to major software upgrades.

Please notice the Enhanced PLUS – you can run a soft phone for every user and still maintain licensing compliance. 9.x and 10.x versions force licensing compliance. A soft phone IS A DEVICE.

Cisco User Connect Licensing for Cisco Unity Connection is available in the following option:

Basic Messaging (Voicemail): The Basic Messaging license includes rights to one Cisco Unity Connection user. The user has advanced voicemail access (Internet Message Access Protocol [IMAP], unified messaging, phone, and web) and voice recognition. (If you are using voice recognition, you must order SpeechConnect ports separately.)

Enhanced Messaging (Voicemail): The Enhanced Messaging License includes all the capabilities of a Basic Messaging license + Survivable Remote Site Voicemail (SRSV). Enhanced Messaging licenses are included with Cisco Unified Workspace Standard and Professional licenses.

Cisco JUMP Upgrade – You need things (Part #1)

You need a lot of things to handle a JUMP upgrade. If you’re not familiar with what I’m talking about I’ll run through the basics.

You have a Cisco Communications Manager on an older release and you cannot DIRECTLY upgrade to version 9.1(2). You can JUMP from the following versions – 6.1(4), 6.1(5), 7.1(3), and 7.1(5). Another case is that you’re on Cisco MCS servers and you’re going virtualized. The upgrade to Release 9.1(2) and data migration will be performed in an isolated environment and moved to production during a service window.

The following network services must be available:

  • default gateways—recreate all relevant networks and ensure connectivity between them
  • NTP server—this can be a different IP address or a local router
  • DNS server—if a DNS server is used in the existing production environment, ensure the domain name matches for forward and reverse lookup of cluster nodes.
  • FTP and SFTP server—ensure sufficient storage for firmware, images, and backups

WAIT a minute! I’m in an isolated network in VMware, how do I have all of these things available to me? You really expect me to duplicate all of this in an isolated environment? My Cisco cluster will have the same names, IP addresses and configuration. My gateway will be the same. My DNS servers will be the same. Fortunately you can change all of this later on so all we need right now is to get through the installs and make our isolated network functional.

FreeBSD to the rescue. If you don’t know me already, I like FreeBSD. If FreeBSD is good enough for Netflix and Amazon it is good enough for me. Installing and duplicating all of this on a Windows machine would take hours. I’ll get it all done in a matter of minutes with FreeBSD.

5 MINUTES – Install FreeBSD in a guest machine alongside where you plan to upgrade your isolated 9.1(2) server. The current vSwitch should be the live network because we need to pull some actual information from the live network before isolating this FreeBSD VM guest. If this VLAN doesn’t support DHCP, be sure to configure the static address during installation. This guest doesn’t need much processing power for what you’re about to do. Give the guest enough hard drive space to host your FTP/SFTP upgrades and backups. I typically allocate 64GB which is thin provisioned anyway.

During installation select NTPD as a system service.

During installation create a user account called “jumpupgrader” or whatever you want. Since this is a controlled environment I add this user to “wheel” so I can get into root as necessary.

Guess what? Now you have a router, NTPd server, DNS server, FTP and SFTP server. However you’ll need slightly more configuration.

NTPd – You’ll need to fudge NTP. You’re going to move this VM guest into an isolated network so NTPd is going to lose contact with its upstream stratum servers. (I’m not going into routing through this machine in this blog post)

vi /etc/ntp.conf

Change the last two lines

#server 127.127.1.0 to server 127.127.1.0

#fudge 127.127.1.0 stratum 10 to fudge 127.127.1.0 stratum 1

service ntpd restart

If I’m going to fudge something I might as well pretend I’m a GPS hardware device. Now you can move this machine into the isolated network and NTPd will continue to respond.

ntpq -p now responds with:

LOCAL(0) .LOCL. 1 l 2 64 1 0.000 0.000 0.000

SFTP – SFTP is an SSHD subsystem and is operated by a helper. You can SFTP to your FreeBSD VM guest with your previously created user account. You will be connected to /usr/home/jumpupgrader with FileZilla.

DNS and BIND (I will update and republish within the next week when FreeBSD 10 comes out. There are some changes in the local resolver from BIND to Unbound and LDNS)

Cisco Communications Manager and other Cisco Collaboration products perform reverse and forward lookups during installation. You need to create the DNS zones and host entries. Fortunately this is very easy in BIND. If you need to get more complex than the following configuration just head over to Google and research BIND. As FreeBSD reminds you – I’m not going into the hairy details of DNS.

vi /etc/rc.conf

Add a line

named_enable="YES"

service named start

Voilà, we have a DNS server.

Make a backup of your configuration

/etc/namedb # cp named.conf named.conf.original

You need DNS to listen on the IP addresses you’re going to set up on FreeBSD. You’ll also need to create some zone files for the DNS infrastructure you’re going to fudge. Just follow me on all this and you’ll get it going in no time at all. Copy and paste if you have to.

vi named.conf

listen-on { 127.0.0.1; any; };

//this enables BIND to listen on any IP address configured. A “sockstat -4 -l” after service restart should show the local LAN IP address:53 in the list.

Go to the bottom of the configuration and add these lines, substituting your own master DNS zone (the one your Cisco Collaboration systems exist in) for “mycompany.local”, and getting the reverse lookup zone correct for the subnet your isolation servers are going to exist in.

zone "mycompany.local" {
        type master;
        file "/etc/namedb/master/mycompany.db";
};

zone "255.31.172.in-addr.arpa" {
        type master;
        file "/etc/namedb/master/255.31.172.in-addr.arpa";
};

Now write and save.

Time to create the zone files and all that good information needed for a DNS zone. Change the names below and just paste it in.

root@jumpupgrader:/etc/namedb/master # ee /etc/namedb/master/mycompany.db

PASTE THIS

$TTL 3600        ; 1 hour default TTL
mycompany.local.    IN      SOA      jumpupgrader.mycompany.local. admin.mycompany.local. (
                                2006051501      ; Serial
                                10800           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                300             ; Negative Response TTL
                        )

; DNS Servers
                IN      NS      jumpupgrader.mycompany.local.

; Machine Names
localhost          IN    A    127.0.0.1
jumpupgrader       IN    A    172.31.255.120
cucm-publisher     IN    A    172.31.255.5
cucm-subscriber    IN    A    172.31.255.6

Escape and save the file.

Command to create the next zone file:

 # ee /etc/namedb/master/255.31.172.in-addr.arpa

PASTE THIS

$TTL 3600        ; 1 hour default TTL
255.31.172.in-addr.arpa.    IN      SOA      jumpupgrader.mycompany.local. admin.mycompany.local. (
                                2006051501      ; Serial
                                10800           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                300             ; Negative Response TTL
                        )

                IN      NS      jumpupgrader.mycompany.local.

; Reverse entries: each PTR must name the host that owns the address
120             IN      PTR     jumpupgrader.mycompany.local.
5               IN      PTR     cucm-publisher.mycompany.local.
6               IN      PTR     cucm-subscriber.mycompany.local.

Escape and save the file.

Now do a final restart and let’s check the configuration –

service named restart

root@jumpupgrader:/etc/namedb/master # nslookup

> server 127.0.0.1

Default server: 127.0.0.1

Address: 127.0.0.1#53

> cucm-publisher.mycompany.local

Server: 127.0.0.1

Address: 127.0.0.1#53

Name: cucm-publisher.mycompany.local

Address: 172.31.255.5

> 172.31.255.5

Server: 127.0.0.1

Address: 127.0.0.1#53

5.255.31.172.in-addr.arpa name = cucm-publisher.mycompany.local.

>

Success!
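Because the installers do both forward and reverse lookups, the two zone files have to agree with each other. The following is an added example, not part of the original post: it cross-checks A records against PTR records before named is loaded. The zone text is a constructed sample modelled on the files above with one PTR deliberately wrong, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample data modelled on the zone files in this post; the PTR for
# .120 deliberately points at the bare zone name to show what the check catches.
FORWARD_ZONE = """\
$TTL 3600
mycompany.local.  IN SOA jumpupgrader.mycompany.local. admin.mycompany.local. (
        2006051501 10800 3600 604800 300 )
                  IN NS  jumpupgrader.mycompany.local.
localhost         IN A   127.0.0.1
jumpupgrader      IN A   172.31.255.120
cucm-publisher    IN A   172.31.255.5
cucm-subscriber   IN A   172.31.255.6
"""
REVERSE_ZONE = """\
$TTL 3600
255.31.172.in-addr.arpa. IN SOA jumpupgrader.mycompany.local. admin.mycompany.local. (
        2006051501 10800 3600 604800 300 )
        IN NS  jumpupgrader.mycompany.local.
120     IN PTR mycompany.local.
5       IN PTR cucm-publisher.mycompany.local.
6       IN PTR cucm-subscriber.mycompany.local.
"""

# Matches simple one-line records of the form "owner IN A|PTR rdata".
RECORD = re.compile(r"^(\S+)\s+IN\s+(A|PTR)\s+(\S+)\s*(?:;.*)?$")

def fqdn(name, origin):
    """Qualify a zone-file name the way BIND does: no trailing dot means relative."""
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_records(zone_text, origin, rtype):
    """Return {owner_fqdn: rdata} for records of the requested type."""
    out = {}
    for line in zone_text.splitlines():
        m = RECORD.match(line)
        if m and m.group(2) == rtype:
            out[fqdn(m.group(1), origin)] = m.group(3)
    return out

def check_zones(forward, fwd_origin, reverse, rev_origin):
    """List every A record whose address has no PTR, or a PTR naming another host."""
    a_records = parse_records(forward, fwd_origin, "A")
    # A PTR target without a trailing dot gets the reverse origin appended.
    ptrs = {k: fqdn(v, rev_origin)
            for k, v in parse_records(reverse, rev_origin, "PTR").items()}
    problems = []
    for host, addr in sorted(a_records.items()):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            continue  # localhost lives outside the lab reverse zone
        rev_name = ip.reverse_pointer + "."
        target = ptrs.get(rev_name)
        if target is None:
            problems.append(f"{host} {addr}: no PTR for {rev_name}")
        elif target != host:
            problems.append(f"{host} {addr}: PTR points to {target}")
    return problems

if __name__ == "__main__":
    for p in check_zones(FORWARD_ZONE, "mycompany.local.",
                         REVERSE_ZONE, "255.31.172.in-addr.arpa."):
        print(p)
```

An empty result means every non-loopback host resolves the same way in both directions, which is what the nslookup session above checks by hand for cucm-publisher.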

Now we have the basic network services needed to handle the CUCM installations in our isolated network. If you copied and pasted most of this you should’ve been done very quickly. Much less time as compared to installing Windows Server 2012, installing DNS services, installing an NTP service, and installing an SFTP service.

The next pieces will come in PART 2!

Cisco Jabber and your XML file

Greetings! I know not many people read this blog. Primarily because I’ve rarely posted anything. I am starting to get some traction putting a few things up here and essentially it’s for my own use. For years I’ve benefited from other notes and blogs from other engineers. I think it’s time I started contributing.

Cisco Jabber for Windows, Mac, iPhone, iPad and Android. You want to support all of these devices on your Cisco Collaboration system? You’re in for a special treat. Each different client has its own configuration parameters. Some of the clients need device level configuration. Some of the other devices need the jabber-config.xml file.

Specifically Jabber for Mac 8.6.6 seems to have some issues using the jabber-config.xml. Users are getting SSL prompts and directory lookup issues with Jabber for Mac 8.6.6. It is good to note here that Jabber for Mac 9.2 is in beta and should be released this month. Jabber for Mac 9.2 really fixes a lot of issues and hopefully will be available very soon.

I’ve been pushing for years that corporations move to a UPN login method. Meaning “username@domain.com” when logging into their PC, their Microsoft domain, and applications. As a general rule of thumb a user’s Microsoft UPN equals their primary SMTP, and this should equal the primary SIP URI.

“UPN=SMTP=SIPURI” – essentially these three values define the domain the user is in. These values are also unique across all your domains to contact your user.

Below you’ll see my sample XML that is using an integration with Cisco IM and Presence and Cisco Communications Manager 9.1.1b. This integration uses “mail” mapping to the user logon name.

The XML file is needed for obvious reasons. The Jabber client downloads this file from the Communications Manager TFTP service. I have an open TAC case to work with the LDAP connection issues and I’ll post back here with results.

If you’re looking for a decent tool to help generate your jabber-config.xml file; check out this link –

https://supportforums.cisco.com/docs/DOC-25778


Sample jabber-config.xml:

<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
<Presence>
   <PresenceServerAddress>10.1.1.11</PresenceServerAddress>
   <PresenceServerDomain>externaldomain.net</PresenceServerDomain>
</Presence>
<Directory>
   <DirectoryServerType>EDI</DirectoryServerType>
   <PrimaryServerName>dc1.internaldomain.local</PrimaryServerName>
   <ServerPort1>3268</ServerPort1>
   <SecondaryServerName>dc2.internaldomain.local</SecondaryServerName>
   <ServerPort2>3268</ServerPort2>
   <UseSSL>0</UseSSL>
   <UseSecureConnection>0</UseSecureConnection>
   <UseWindowsCredentials>0</UseWindowsCredentials>
   <ConnectionUsername>cisco_jabber_ldap_user</ConnectionUsername>
   <ConnectionPassword>myspecialpassword</ConnectionPassword>
   <SipUri>mail</SipUri>
   <BusinessPhone>ipPhone</BusinessPhone>
   <MobilePhone>mobile</MobilePhone>
   <OtherPhone>otherTelephone</OtherPhone>
   <DomainName>userPrincipalName</DomainName>
   <BaseFilter>(&amp;(objectCategory=person))</BaseFilter>
   <UserAccountName>mail</UserAccountName>
   <SearchBase1>DC=internaldomain,DC=local</SearchBase1>
</Directory>
<Policies>
   <InitialPhoneSelection>deskphone</InitialPhoneSelection>
</Policies>
<Options>
   <Start_Client_On_Start_OS>true</Start_Client_On_Start_OS>
</Options>
</config>
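
Since every Jabber client pulls this file from the TFTP service, the directory bind settings in it are worth reviewing before it is published. The following is an added example, not part of the original post and not a Cisco tool: it parses a jabber-config.xml and lists the Directory settings that leave the LDAP service account exposed. The sample input is constructed from the settings shown above; the function name is illustrative, and reading UseSSL and UseSecureConnection values other than 1 as "disabled" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <Directory> bind settings from the post's sample file.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
<Directory>
   <DirectoryServerType>EDI</DirectoryServerType>
   <PrimaryServerName>dc1.internaldomain.local</PrimaryServerName>
   <ServerPort1>3268</ServerPort1>
   <ServerPort2>3268</ServerPort2>
   <UseSSL>0</UseSSL>
   <UseSecureConnection>0</UseSecureConnection>
   <UseWindowsCredentials>0</UseWindowsCredentials>
   <ConnectionUsername>cisco_jabber_ldap_user</ConnectionUsername>
   <ConnectionPassword>myspecialpassword</ConnectionPassword>
</Directory>
</config>"""

# Standard ports that carry LDAP without SSL (636 and 3269 are the SSL ones).
CLEARTEXT_PORTS = {"389": "LDAP", "3268": "Global Catalog"}

def audit_directory(xml_text):
    """Return a list of (setting, finding) tuples for the <Directory> block."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    directory = ET.fromstring(data).find("Directory")
    if directory is None:
        return []

    def get(tag):
        return (directory.findtext(tag) or "").strip()

    findings = []
    if get("ConnectionPassword"):
        findings.append(("ConnectionPassword",
                         "service-account password is readable by anyone who "
                         "can download the file from TFTP"))
    # Assumption: any value other than 1 (including a missing element) is off.
    if get("UseSSL") != "1":
        findings.append(("UseSSL", "directory connection is not wrapped in SSL"))
        if get("UseSecureConnection") != "1" and get("ConnectionUsername"):
            findings.append(("UseSecureConnection",
                             "bind for the configured account is not protected "
                             "in transit"))
    for tag in ("ServerPort1", "ServerPort2"):
        port = get(tag)
        if port in CLEARTEXT_PORTS:
            findings.append((tag, f"{port} is the non-SSL "
                                  f"{CLEARTEXT_PORTS[port]} port"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit_directory(SAMPLE):
        print(f"{setting}: {finding}")
```

Whatever account ends up in ConnectionUsername should be a dedicated, read-only directory account, because the file carrying it is handed to every client.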


Cisco ASA–Send the right enrollment request to the CA

A few things I forgot to mention in my previous posts. You need to send a properly formatted request to the Microsoft NDES service from the Cisco ASA. This needs to include the domain and correct key size. If you do not specify these enrollment properties correctly the CA will deny the request. Usually the denial will show up in the application log indicating that the key size is wrong.

No real need to go up to a 2048 key size unless your security requirements demand it. Remember – a larger key size and a higher number of connections will impact CPU performance on the ASA.

Here is an example configuration for the ASA enrollment:

[Image: example ASA enrollment configuration]

Also – be sure the NDES service has the correct security properties on the template. Go ahead and give it “Full Control” and this will check the Auto-enroll security also.