Guest

Cisco Prime Unified Provisioning Manager

Cisco Unified Provisioning Manager 8.7 Deployment and Best Practices

  • Viewing Options

  • PDF (2.6 MB)
  • Feedback

Contents

Introduction

Terms

What Is Cisco Prime Unified Provisioning Manager?

About Cisco Prime

How Does It Differ from Other Provisioning Applications?

Direct Versus Indirect Provisioning

What Do Companies Use Cisco Prime Unified Provisioning Manager For?

Usage by Problem to Be Solved

I need to roll out one or more sites

I want onsite or regional administrators to handle MACs and password reset

I need to create uniform configurations across one or more clusters

I need to be notified when an event occurs

I need to create distribution lists. Are there any limitations/recommendations?

New Features Per Release in Cisco Prime UPM

UPM Version 8.7

UPM Version 8.6

Analog Voice Gateway and Phone Support

Lock/Unlock User Account

Logged in Session Management

Corporate Email Address

UPM Version 8.5

Move Subscriber

Move Services

Cisco IOS Software Templates

Localization

UPM Version 2.2

Mobility Enhancement

Dual-Mode Phones

SIP Trunk Enhancements

UPM Version 2.1

LDAP Synchronization

Infrastructure Configuration Role

Call Pickup Group Enhancement

CPG Directory Number Management

Call Pickup Group Batch Provisioning

Reference Materials and Software Links

Training

Concepts

Cisco Prime UPM Concepts

Business Analysis

Installing Cisco Prime UPM

How to Select Hardware

How to Select the OS

Loading Other Software with Cisco Prime UPM

Information Needed During Installation

VMware Support in UPM

Cisco Unified Computing System Support

How to Assure a Clean Install

Preparing End Systems

Licensing

Basic Task Flow

How to Choose the Synchronization Rules

Domain Sync Rules

Domain Sync Rules Interoperability

Configuring Rules Step by Step

How-To Examples

Taking Over an Existing Cisco Unified Communications Network

Network Descriptions

Collecting Information for UPM Design and Configuration

Preparing End Systems

Configuring Cisco Prime UPM: Set Up Devices

Configuring Cisco Prime UPM: Set Up Domains

Configuring Cisco Prime UPM: Set Up Service Areas

Configuring Cisco Prime UPM: Set Up Administration

Subscriber Services Provisioning: Order, Update, or Change Subscriber Services

Setting Up a New Cisco Unified Communications Network

Typical Problems with Setup and Operation

Things to Remember When Using Batch Files

Dealing with LDAP-Integrated Cisco Unified Communications Manager

Behaviors for Adding/Deleting Subscribers in UPM and UCM (Non-LDAP-Integrated UCM)

AAA Server Integration

NAT Issues

To Sync or Not to Sync

Setting Up Scheduled Sync

Why Am I Not Able to See the Phones and Line Under Some Subscriber Records?

Enabling Non-RestrictedDomainSync to Reduce the Number of Service Areas

Why Did Some Subscriber Services Show Up in Multiple Locations (Service Areas)?

Why Doesn't the Extension Mobility Service Show Up in the Subscriber Record?

How to Batch-Create Service Areas

Moving Users Between Domains or Services Between Service Areas

Handling Common Directory Number Mapping Across Multiple Service Areas

Working with TAPS

How to Manage Phones Without Associated Users

Using Cisco IOS Templates to Provision Communications Manager Express/Cisco Unity Express/SRST/Cisco IOS Devices

Windows Security Patch Update

Changing IP Address of UPM

Troubleshooting the Most Common Licensing Problems

Frequently Asked Questions

What Is the Set-Only Provisioning Attribute?

What Northbound APIs Were Introduced in UPM 2.0?

Does UPM Support Lotus Domino Unified Messaging with Cisco Unity/Cisco Unity Connection?

How Many Concurrent Users Are Possible?

How Does UPM Autoassign DID?

Can I Copy the Settings from One Phone to Another Phone?

What Is the Number of Clusters Supported in UPM?

Is Secondary Logon Service Needed at Run Time?

Can UPM Manage Users on Cisco Unity Who Do Not Have an Account on Communications Manager?

Can UPM Support Communications Manager Business Edition?

Can UPM Reset an Existing Extension Mobility User PIN?

What Happens If a UPM User Tries to Update a Subscriber Password and the UCM is LDAP Integrated?

Are the Configuration of 7916 Sidecards and VG224 Analog Voice Gateway Lines Supported in UPM?

Does UPM work with TAPS (Tool for Auto-Registered Phones Support)?

What are the bandwidth requirements for different user scenarios in UPM?

Troubleshooting Tips

Install or Upgrade

Communications Manager Synchronization

Communications Manager Express and Cisco Unity Express Synchronization

Cisco Unity and Cisco Unity Connection Synchronization

Batch Operations

Orders

Call Pickup Group

LDAP Synchronization

Cisco Unified Computing System

Others


Introduction

It is assumed that the reader has done some evaluation of the product and has looked through the data sheet and user guides. This guide is not structured or written to aid in purchasing but rather is about what to do with the product once you receive it.
This document outlines best practices for a successful deployment of Cisco Prime Unified Provisioning Manager (UPM) in Cisco ® Unified Communications initial deployment and ongoing operational environments. It documents different aspects of installation guidelines, server sizing, initial device setup, and best practices for initial setup, ongoing administration, and maintenance of the product.
This document is not an alternative to the installation guide or the user guide as it does not cover all the features or all the steps for the operations suggested. It is a supplement to the installation guide and the user guide. Detailed steps are provided for best practices wherever relevant.

Terms

A variety of terms used within Cisco Prime Unified Provisioning Manager and this document may be new to the reader or may need to be clarified in the context of Cisco Prime Unified Provisioning Manager (Table 1).

Table 1. Terms Related to Cisco Prime Unified Provisioning Manager

Term

Definition

Attributes

Option settings. These may have true/false, text, template, or keyword settings.

Admins

Admins are those with authorization to perform various tasks in Cisco Prime Unified Provisioning Manager. There are global admins and domain admins.

Communications Manager

Cisco Unified Communications Manager (UCM), formerly Cisco Unified CallManager.

Provisioning Manager or UPM

Refers to the Cisco Prime Unified Provisioning Manager application.

Domain

A logical partition to subdivide a shared environment to create separate local administrative partitions.

Domain Admin

An administrator that has provisioning access to one or more domains. A domain admin generally will not have higher-level access to set up infrastructure devices or the overall Cisco Prime Unified Provisioning Manager system.

Domain Sync

Domain synchronization.

MAC or MACD

Moves, adds, changes, or deletes.

PMAdmin

Top-level administrator with access to all system resources. Typically the PMAdmin sets up the system and delegates management tasks to domain admins.

Service Area

A logical partition to subdivide a shared environment within a domain.

Subscriber

An entity that uses IP telephony services provided by the Cisco Unified Communications System.

Sync

Import configuration information from Cisco Unified Communications devices. There are three types of sync: infrastructure sync, subscriber sync, and domain sync.

Users

Also referred to as admins.

What Is Cisco Prime Unified Provisioning Manager?

Cisco Prime Unified Provisioning Manager is a component of the Cisco Prime family and is a business-process-oriented provisioning tool that utilizes management domains, rules, and policy to control provisioning of subscriber services and network infrastructure.
For the remainder of this document, Cisco Prime Unified Provisioning Manager will be referred to as Cisco Prime UPM or UPM.

About Cisco Prime

Cisco Prime Unified Provisioning Manager is a product in the Cisco Prime network management portfolio.
The Cisco Prime portfolio of enterprise and service provider management offerings supports integrated lifecycle management of Cisco architectures and technologies based on a service-centered framework. Built on an intuitive workflow-oriented user experience, Cisco Prime products help increase IT productivity and reduce operational costs through innovative management solutions for network services, infrastructure, and endpoints.

How Does It Differ from Other Provisioning Applications?

Provisioning is done by ordering services or ordering service changes rather than by modifying individual attributes on individual applications. Every change to the infrastructure or subscriber services is done by submitting an order, and all orders are tracked to provide an audit trail. Orders can be submitted through the provisioning GUIs or through templates, batch files, and APIs.
Cisco Prime UPM is subscriber/infrastructure oriented. Every order is placed against a subscriber ID or the infrastructure ID. Phones are assigned to subscribers. Services are provisioned for subscribers.
Cisco Prime UPM is designed to support Cisco products only. There is no direct support for third-party call devices. UPM does not use Simple Network Management Protocol (SNMP) for provisioning. It uses Cisco AXL, SQL calls, and Telnet or Secure Shell (SSH) Protocol style communications depending on the device type being provisioned.
Cisco Prime UPM supports a large number of Cisco Unified Communications Manager (UCM), Communications Manager Express, Cisco Unity ®, Cisco Unity Express, Cisco IOS ® Software devices, and Cisco Unity Connection revisions. Nearly all third-party provisioning tools are designed to support a small number of target revisions and Cisco Unified Communications applications.

Direct Versus Indirect Provisioning

Cisco Prime UPM does not always directly communicate with devices to set configurations. Endpoints, for example, get their provisioned settings from Communications Manager, which is directly provisioned by UPM. The following sections outline how devices are provisioned.
Direct Provisioning
Cisco Unified Communications Manager and Cisco Unity devices: Cisco Unified Communications Manager has API interfaces referred to as AXL interfaces. UPM talks directly to Cisco Unified Communications Manager through AXL and connects to Cisco Unity SQL server using Java Database Connectivity (JDBC).
Communications Manager Express: Communications Manager Express is a Cisco IOS Software application that runs on Cisco routers and provides telephony services. Since Communications Manager Express is a Cisco IOS Software application, UPM communicates with the router using the Cisco IOS Software command-line interface (CLI).
Cisco Unity Express: Cisco Unity Express is a software application that runs on a service module installed either in a Cisco modular router or in integrated hardware in a Cisco modular router. Part of the Cisco Unity Express configuration is done through the Cisco IOS Software interface for the router and part through the service module command interface.
Indirect Provisioning
Phones: UPM does not directly communicate with the phones, but configures Cisco Unified Communications Manager with phone settings. The phones get their configurations from Cisco Unified Communications Manager.
Microsoft Exchange: UPM does not directly communicate with Exchange, but Microsoft Exchange indirectly gets users added during the provisioning of a voice mail account to a Cisco Unity subscriber.
Presence: UPM support of Presence server devices is limited to Cisco Unified Personal Communicator (UPC) provisioning. Presence settings related to a subscriber's service are also set on Cisco Unified Communications Manager.

What Do Companies Use Cisco Prime Unified Provisioning Manager For?

Different companies have different pain points or return on investment (ROI) goals they would like solved by Cisco Prime Unified Provisioning Manager. They use all or part of Cisco Prime UPM's "toolbox" to solve their business problems. The toolbox can be subdivided into a set of tools by problem to be solved or by type of operation.

Usage by Problem to Be Solved

I need to roll out one or more sites

For the first site or two, it generally is best to use the Cisco Unified Communications applications' GUIs to directly set up the Cisco Unified Communications applications and devices. If more sites are going to be deployed, it is best to capture common deployment settings in templates with keywords for devices or site names. It is usually better to make smaller templates of common settings and later nest them to create a larger template to describe a specific site. Some large companies have rolled out many sites by creating templates for common areas, such as manufacturing buildings, sales offices, and retail stores. These sites can be added to templates that are built for different physical regions or countries to make sites uniformly configured based on function while customized by state or country.
When rolling out new sites, it is often required to add many subscribers and their services all at once. If this is the case, batches can be created with lists of user IDs, phone types, and services. These batches can be loaded into the order management system in Cisco Prime Unified Provisioning Manager to be executed immediately or at a future date to bulk-create users and user services in a new site. This functionality is sometimes used to bulk-migrate subscribers from a legacy PBX into a Cisco voice-over-IP (VoIP) network.
Summary: The tools are infrastructure templates and the batch order functions.

I want onsite or regional administrators to handle MACs and password reset

Cisco Prime UPM can have a single domain for all subscribers or multiple domains with subscribers. In order to delegate day 2 tasks to different regional administration groups, subscribers for each group can be put in different domains. With this configuration, administration for a specific subscriber group can be delegated to a specific regional administrator or regional administration group. A regional administrator assigned to manage subscribers in one domain will not be able to make changes to subscribers in another domain.
When a day 2 administrator is created in the provisioning system, that person can be assigned to multiple domains.
Summary: The deployment architecture needed is multidomain. Tools required are the order manager GUI and possibly the multidomain administration feature.

I need to create uniform configurations across one or more clusters

In some cases companies have had turnover in IT staff, causing many different individuals to configure Communications Manager and resulting in inconsistent provisioning. Another case is when multiple companies merge and want to bring together two or more Cisco Unified Communications networks, each configured differently. Rather than manually sorting out the configurations server by server, templates can be used to create uniform configurations. This is similar to rolling out new sites. The templates can be pushed out to all Communications Managers, making the configurations consistent.
Summary: Nested templates with keyword replacement are used to produce consistent, repeatable configurations across clusters.

I need to be notified when an event occurs

Cisco Prime UPM allows you to set up notifications in case of an event's occurrence. You can choose whether you want the system events to be aggregated or sent out as soon as the event occurs. The time that you enter will start after the occurrence of the first event. During this time, should other related events occur, an aggregated notification with details of all such events will be sent out in one single email once the time value expires.
Notifications can be set at two levels:

System settings: Settings to configure notifications for system events like order failures and synchronization failures. Events are aggregated based on type. For example, all synchronization failures will be aggregated in one email and order failures in a separate email.

Domain settings: Settings to configure notifications for workflow events like order approvals, assignment, shipping, and receiving in the domain. Again, events are based on workflow event type. For example, all approval emails are aggregated together whereas all emails about assignment will be aggregated in a separate email. You can also set an escalation window in the domain notifications template. The value set for the escalation window would make the system send out an email to the system administrators after the time specified if no action was taken for the triggering event (for example, order approvals).

Summary: The email notifications improve the manageability by allowing you to view the critical events like synchronization failures, order failures, and order approvals.

I need to create distribution lists. Are there any limitations/recommendations?

Cisco Prime UPM supports distribution lists on Cisco Unity and Cisco Unity Connection devices but with the following recommendations:

• It is recommended to organize the distribution list in a hierarchy structure. Each distribution list should contain a maximum of 500 members. You can make it nested by having another distribution list as a member under the top distribution list that can again contain 500 members.

• If you are adding members to a distribution list through UPM, it supports adding 200 new members in one instance.

• If you are modifying (adding or deleting members) a distribution list through UPM, the total number of modifications (removals and additions) in one instance should not be more than 200. For example, if you are removing some members (say X members) and adding new members (say Y members), the sum of X and Y should not be more than 200 members.

• UPM does not limit the creation of distribution lists, which may have thousands of members, as long as the add operation is done by adding 200 members each time. However, slow response in the user interface may be encountered when a user views a distribution list that has a large number of members.

New Features Per Release in Cisco Prime UPM

UPM Version 8.7

Cisco Prime Unified Provisioning Manager 8.7 adds the following features:

Introduction of Global Admin Dashboard

Global Search Tool for Sorting, Filtering, and Searching

Quick Site Builder

The major new features are discussed in detail in the following sections.

Introduction of Global Admin Dashboard: The Home dashboard allows you to view important statistics and details of the processors, pending orders, status of the device synchronization, domains and their deployment details, and users who are logged in as well as locked.

You can see all of this on a single page, instead of navigating through several pages. You can also click the links provided in the dashboard to view the relevant details.

A pie chart displays the details of the licensed and used voice terminals (phones). To view the pie chart, you need to have Adobe Flash Player installed in your system. If it is not installed, you are prompted to install it.

For additional information on Global Admin Dashboard, please refer to the User Guide for Cisco Prime Unified Provisioning Manager.

Using the Global Search Tool: You can use the search tool to:

– Locate a subscriber

– Locate a user

– Locate a MAC address

– Locate a directory number

Quick Site Builder: Quick Site Builder helps UPM administrators to easily create domains and configure multiple service areas for a domain in a single window, thereby reducing the time spent on day one activities. Using Quick Site Builder, you can create a domain with a maximum of 21 service areas.

You can only create sites but not manage them using Quick Site Builder. You cannot modify the existing service areas associated with the domain. Only service areas created through Quick Site Builder can be modified.

You can use the service area screens to modify or delete the sites. Advanced service area settings like Directory Number Block Assignment and Provisioning Attributes Configuration will be enabled only after creating the service areas. Using Quick Site Builder, you can clone or create a copy of the service area, make multiple edits, and also filter the service areas. The session will be active until the Quick Site Builder screen is closed.

UPM Version 8.6

Cisco Prime Unified Provisioning Manager 8.6 adds the following features:

Analog voice gateway and Analog phone support: Support for VG202, VG204, and VG224 infrastructure products and analog phones

Enhanced device support: Support for new versions of devices and new phones (for example, Cius tablets)

Batch enhancements: Ability to add, update, or delete devices through bulk provisioning

Security enhancements:

– Logged-in user sessions with audit logging

– Locking/unlocking user accounts after failed logins

– Encryption of device passwords stored in UPM using the Advanced Encryption Standard (AES) 128-bit algorithm

Corporate email address: Support for corporate email address in voice mail product

• Subscriber ID can contain space and apostrophe

• UI performance improvements for ordering and service area

• DN block report

• Non-case-sensitive subscriber ID search

The major new features are discussed in detail in the following sections.

Analog Voice Gateway and Phone Support

UPM 8.6 allows provisioning analog voice gateway references and analog phones.
What is a voice gateway reference?

• Each analog voice gateway registered to UCM is called a voice gateway reference in UPM.

• UPM supports voice gateways (VG224, VG204, VG202) with Skinny Call Control Protocol (SCCP).

Why do we need a voice gateway reference?

• To provision analog phones from UPM

How do you get voice gateway references in UPM?

• To get the voice gateway reference from UCM into UPM, perform an infrastructure sync on the UCM to which the analog voice gateway is registered.

• UPM also allows addition of voice gateway references into UCM through:

– Infrastructure configuration

– Configuration template

– API

– Batch

Voice Gateway Infrastructure Provisioning

• UPM supports voice gateways (VG224, VG204, VG202) as an infrastructure product on Communications Manager.

• UPM will sync back all the voice gateway references with SCCP during UCM infrastructure sync. See Table 2.

Table 2. Voice Gateways Synchronized with SCCP

Product Type

Protocol

Supported UCM Versions

Subunit Value

VG224

SCCP

6.x and later

24FXS-SCCP

VG204

SCCP

6.x and later

4FXS-SCCP

VG202

SCCP

6.x and later

2FXS-SCCP

Setting Up Voice Gateways to Register with UCM

• Using the "Generic IOS Router Pre-Built" configuration template, required configurations can be set in the voice gateway to get registered with UCM.

• Select "Analog Voice Gateway Configurations" for the field directory name.

Generic Cisco IOS Router Prebuilt for Voice Gateways
If the generic Cisco IOS Router Prebuilt is selected, you are prompted for a directory. A new directory, "Analog Voice Gateway Configurations," is added, which will contain the configurations to be pushed to the analog voice gateway. See Figure 1.

Figure 1. Analog Voice Gateway Configurations

Enabling Analog Phone Support in UPM
To manage analog phones, we need to set the following property to Y in ipt.properties to enable this feature:
dfc.ipt.cisco.callmanager.analog_phone_support: Y
After updating the ipt.properties file, UPM restart is required.
By default, analog phones cannot be managed in UPM.
Analog Voice Gateway Configuration in Service Area UI
To order analog phones, users must add voice gateway references to the service area from the service area UI. See Figure 2.

Figure 2. Adding Voice Gateway References from the Service Area UI

Analog Phone Support

• Analog phone provisioning (add/change/replace/cancel) will be supported through the GUI, an API, and batch processing.

• UPM will sync back all the analog phones with SCCP during UCM subscriber sync. See Table 3.

Table 3. Terms Related to Cisco Unified Provisioning Manager

Phone Type

Protocol

Supported UCM Versions

Supported Subscriber Roles

New Provisioning Attributes

Analog Phone

SCCP

6.x and later

Employee, Contractor, and Pseudo

None

Figure 3. Provisioning Analog Phones

• On ordering an analog phone, first the analog voice gateway will be selected. On selecting the voice gateway the voice port will be generated and listed in the GUI. The list will have the occupied and available port. Only the available port will be selected for ordering. On selection of the voice port, a MAC address will be generated. See Figure 3.

• Replacing the phone type from Analog Phone to another phone type is not allowed and vice versa.

• From the API a batch message will be shown to the user for the same.

• Users can perform change and replace operations on synced phones even though the corresponding voice gateway reference is not associated with the service area, but users cannot place add orders.

• Copy phone and reserved phone are not supported.

Analog Phone Using Batch
Sample batch files for add, change, replace, and cancel operations for analog phones will be available in:
<CUPM_INSTALL_DIR>/sep/ipt/config/sample/batchProvisioning/
1. AddAnalog_Phone.txt
2. AddAnalog_PhoneService.txt
3. ChangeAnalog_Phone.txt
4. ReplaceAnalog_Phone.txt
5. CancelAnalog_Phone.txt

Lock/Unlock User Account

• UPM user accounts will be locked when the number of failed login attempts reaches its maximum limit (default: 5).

• Limit can be changed in the ipt.properties file: dfc.ipt.security.maxFailedLoginAttempt: 15.

• After updating the ipt.properties file, you should restart the UPM services.

• To disable this feature, the login attempts limit should be set to 0.

• It's recommended to avoid using the PMAdmin login account; instead create a secondary user account with admin privilege.

• Locked user accounts can be viewed at System Administration à Users and Permissions à Locked Users. See Figure 4.

• Only administrators can unlock user accounts.

Figure 4. Unlocking User Accounts

Audit Trail for Locking and Unlocking User Accounts

• Locked and Unlocked User Audit log will be created in the Audit Trail Report.

• Audit Trail Reports can be viewed at System Administration à Reports à Audit Trail. See Figure 5.

Figure 5. UPM Audit Trail Report

Note: Once the user account is locked, the user cannot log in through a web browser even with the correct password. Unlock the user account from the Locked User page.

Logged in Session Management

• The current UPM logged in users session list will be shown under the Logged in Users page at System Administration à Users and Permissions à Logged In Users. See Figure 6.

• Users can be forcefully logged out through this UI.

Figure 6. UPM Logged In Users Page

• Audit Trail Report will show when a user session is created or removed. See Figure 7.

Figure 7. Audit Trail Report Shows When User Sessions Are Created or Removed

Corporate Email Address

• After subscriber sync and domain sync, the subscriber record will show corporate email information when users expand the voicemail product. See Figure 8.

• Corporate email address is supported only for Unified Communications 8.5 and later.

• Valid email address can be set to this only during an add order.

Figure 8. The Order Entry Page

UPM Version 8.5

Cisco Prime Unified Provisioning Manager 8.5 added the following features:

• Movement of subscribers and their services between domains and service areas on the same call processor

• Support for 6945 and 7926 phones

• Voicemail enhancements such as:

– Support for public distribution list infrastructure voicemail attributes

– Support for "change" to voicemail attributes

– Support for clusters of virtual machine (VM) servers

– Support for caller input subscriber voicemail attributes and switch ID Provisioning Attribute (PA) on voicemail

– PIN and password resets tracked in audit trail

• Cisco IOS Software template GUI and enhancements

– New template GUI for Cisco IOS Software with support for keyword substitution list and validation

– Cisco IOS Software template management

– Ability to load prebuilt templates

• UPM will be updated to be capable of multilanguage support

• Windows Server 2008 support

• Localization

• Ability to export audit trail for orders and new phone report support

• Email notifications on major failure events

• Batch file enhancements:

– Support for Infrastructure configuration products through batch operations: Load dozens of translation patterns and call search spaces at once

– Service area provisioning through batch operations with directory number blocks and the complete set of provisioning attributes

The major features introduced in UPM Version 8.5 are discussed in detail in the following sections.

Move Subscriber

UPM 8.5 supports the movement of a subscriber from one domain to another. The subscriber's services along with the subscriber will be moved to the new domain as well. However, in this release, UPM will support moving the services to a service area that is associated with the same processor. This feature is supported through the UI, batch operations, and the API. UPM will support full rollback in this feature; that is, if the move fails for one service area, the rest of the service area's settings are rolled back.
This feature is not supported in the following scenarios:

• Subscriber is a pseudo subscriber

• Subscriber has pending orders

• Syncs are running on the subscriber's domain or the devices in that domain

• Deletion is running on the subscriber's domain or the devices in that domain

• Subscriber is being moved from one call processer to another

Move Services

UPM 8.5 supports the movement of a subscriber service from one service area to another. This will be similar to the movement of subscriber services in the Move Subscriber feature. The difference is that with Move Service, the end user will be able to move a service to another service area in the same domain only. The service will be allowed to move to any service area that is associated with the same processor.
This feature is also helpful if there are some changes made to the subscriber's existing service area settings and the administrator would like them to be applied to the subscriber's existing services. The admin can move the services to the same service area and check Apply All to apply the new service area settings to all the existing services.
When moving multiple services, if one move operation fails, a rollback order will be created and all the completed move orders are rolled back to their earlier service area.

Cisco IOS Software Templates

With UPM, you can create generic Cisco IOS Software templates to autoconfigure specific functionality on any Cisco IOS device supported by Provisioning Manager.
You can download prebuilt Cisco IOS Software templates from Cisco.com and use them for autoconfiguration. Cisco IOS Software templates are text files containing Cisco IOS commands with variables. Cisco IOS Software template files, along with variable files, will be stored under the UPM installation directory \IOSTemplates. The existing configuration templates UI has been enhanced to support the Cisco IOS Software template format.
Cisco IOS Software prebuilt templates consist of a pair of files with the following naming convention:

• <NAME>-swconfig.txt: This file contains the Cisco IOS Software commands. It is different from the Commands attribute for generic Cisco IOS Software commands in one aspect: the keywords are delimited with the @ character.

• Config-UserGuide-<NAME>.txt: This file lists all the keywords or variables that are used in the swconfig.txt file. The variables must include the leading @ character.

Table 4 shows two examples of the same prebuilt Cisco IOS Software template being used with different keyword files and the resulting Cisco IOS Software commands. Note the difference in the output files.

Table 4. Two Examples of the Prebuilt Cisco IOS Software Templates

Prebuilt Cisco IOS Software Template File

Keyword File for the Gateway

Commands to the Gateway

hostname ${hostname}

voice class codec 1

codec preference 1 ${codec-pref-1}

codec preference 2 ${codec-pref-2}

codec preference 3 ${codec-pref-3}

hostname SIP_Trunk_GW-NY

codec-pref-1 g711ulaw

codec-pref-2 g711alaw

codec-pref-3 g729r8

hostname SIP_Trunk_GW-NY

voice class codec 1

codec preference 1 g711ulaw

codec preference 2 g711alaw

codec preference 3 g729r8

hostname ${hostname}

voice class codec 1

codec preference 1 ${codec-pref-1}

codec preference 2 ${codec-pref-2}

codec preference 3 ${codec-pref-3}

hostname SIP_Trunk_GW-LA

codec-pref-1 g729r8

codec-pref-2 g711ulaw

codec-pref-3 CUPM-IGNORE

hostname SIP_Trunk_GW-LA

voice class codec 1

codec preference 1 g729r8

codec preference 2 g711ulaw

Localization

UPM 8.5 supports translated language files. A bundle with the user guide was made available at Cisco.com for German and French within a quarter after UPM 8.5 first customer shipment. Users could download the bundle and run the utility that comes with the bundle to install the localization files. Once the installation is completed, the admin will need to restart the UPM server. The language (German, French, or English) setting in the browser is used to select the language to be shown in the browser. Other language files will be created based on business opportunities.

UPM Version 2.2

Cisco Prime Unified Provisioning Manager Version 2.2 added the following features:

• Support for managing Presence Server version 8.0

• Support for Nokia and iPhone dual-mode phones

• Enhancements to existing mobility support

• Addition of missing attribute support for the Session Initiation Protocol (SIP) trunk infrastructure product to bring it on par with UCM

• Addition of UPM user and subscriber password complexity checks

• Added support for UCM 8.0.3

• Synchronization script enhancements

The major features introduced in UPM 2.2 are discussed in detail in the following sections.

Mobility Enhancement

Mobility support in UPM was enhanced to be capable of explicitly provisioning remote desktop profiles and lines on UCM through new subscriber products and bundles.

Dual-Mode Phones

UPM 2.2 supports the provisioning of two dual-mode phones, Nokia S60 and Cisco Dual Mode for iPhone, on UCM version 8.0.3. The phone types are named Nokia S60 and Cisco Dual Mode for iPhone. UPM 2.2 is preconfigured to associate these two phone types to the two subscriber roles Executive and Senior Manager.

SIP Trunk Enhancements

In UPM 2.2, the SIP trunk infrastructure configuration product was enhanced to support new attributes that brought it on par with UCM. These attributes can be provisioned on the existing SIP trunk product through the infrastructure configuration and configuration templates UIs or through the northbound interface. During infrastructure sync all the supported attributes of SIP trunk are synced to UPM from the device.

UPM Version 2.1

Cisco Unified Provisioning Manager 2.1 added the following features:

• Ability to synchronize Provisioning Manager with Lightweight Directory Access Protocol (LDAP) servers

• Infrastructure configuration management authorization role

• Enhancements to the call pickup group (CPG) infrastructure configuration

• Ability to use batch provisioning for the call pickup group

• Ability to use batch provisioning to configure subscriber passwords

• Ability to update the Cisco Unity Connection PIN and web password using the DefaultUnitySubscriberPassword rule

• Ability to set subscriber passwords using the Provisioning Manager northbound interface

• Option to install on Cisco Unified Computing System (Cisco UCS)

• Support for Cisco Unified Communications Manager Business Edition 8.0

• Support for Cisco Unified Communications Manager 8.0

• Support for Cisco Unified Communications Manager Express 8.0

• Support for Cisco Unity 8.0

• Support for Cisco Unity Express 8.0

• Support for Cisco Unity Connection 8.0

• Support for the following Cisco Unified IP Phones:

– 6901

– 6911

– 8961

– 9951

• Support for Cisco Unified Client Services Framework

• Support for the following provisioning attributes:

– Cisco Camera

– Module 3

– Module 3 Load Name

The major features are discussed in detail in the following sections.

LDAP Synchronization

This feature is important in LDAP environments. Prior to 2.1, UPM could get LDAP subscribers from Communications Manager only when it was LDAP integrated. This is a pass-through method of synchronizing all LDAP subscribers known by Communications Manager. When provisioning new users in Communications Manager, you need to be sure the subscribers' user IDs exactly match the user IDs in Communications Manager or it will reject the order. UPM 2.1 allows end users to configure UPM to synchronize users/subscribers from an external LDAP server. With this feature, UPM can populate its subscriber database with user IDs directly from an associated LDAP source. Configuring and scheduling LDAP synchronization are done through domain configuration.
A filter query can be configured at the domain level to allow UPM to get only user IDs that belong in a specific domain, as opposed to importing the entire LDAP directory into each domain. Complex filters can be created based on the available fields in Active Directory.
There are options to control how UPM removes the users. The "Always Delete" option can be configured when a user is no longer in the LDAP directory; then the user will be removed from UPM and the user's services will be moved to the global namespace. The "Delete if user has no services" option prevents a user from being deleted if the user still has associated services. These optional settings can help remove unused services and free up directory numbers after employees have left a company.
After an LDAP synchronization occurs, a report is generated. The report lists the number of new users created, the number of existing users updated, and the number of users deleted during the synchronization. The report also lists the operations that could not be performed during the synchronization. The failed operations can be due to incorrect data entered into the LDAP server or due to wrong setting.
Notes:

• UPM will only read the user information from the LDAP server. UPM will not write any information to the LDAP server.

• Only Microsoft Active Directory servers 2000, 2003, and 2008 are supported as LDAP servers.

• LDAP synchronization only creates the users. It does not add their services to their subscriber records. Make sure you run domain synchronization after LDAP synchronization so that the subscribers' services are added to their subscriber records.

• The user search base configured in LDAP services in the domain is used to synchronize LDAP users into the UPM subscriber database. While the LDAP user search base is configured when users are added, the authentication, authorization, and accounting (AAA) server (System Administration à AAA Servers) is used to authenticate UPM subscribers when they log in to UPM.

Infrastructure Configuration Role

The infrastructure configuration role is a domain role that allows granular control over management of infrastructure products for nonglobal administrators.
Global administrators need to follow the steps below to grant access:

• Create permission profiles to identify a list of permitted products.

• Assign the infrastructure configuration role to users:

– Select a domain.

– Select the corresponding permission profile.

– Repeat the preceding two steps for each domain.

– Repeat the steps for all users that require infrastructure access.

Note: Multiple permission profiles cannot be assigned to a user in a domain. Infrastructure configuration roles apply to all processors within a domain.

Call Pickup Group Enhancement

Call pickup group directory number management in UCM is cumbersome today, as every directory number must be manipulated individually. CPG enhancement addresses this issue by facilitating bulk directory number management through the UI, batch files, and APIs. Full rollback is supported for CPG directory number management. The entire set will be rolled back even if a single directory number operation fails.

CPG Directory Number Management

CPG directory number management is performed through the Processor Configuration à Configure Product Instance page. See Figure 9.

Figure 9. Call Pickup Group Directory Number Management

Configure the Directory Number Info field in the Infrastructure Configuration à Configure Product Instance page. See Figure 10.
A directory number chooser is provided with columns for Directory Number, Route Partition, Subscriber ID, and Call Pickup Group (current). Users have the ability to sort in ascending or descending order based on the column header.
UCM provides a warning to inform users that a directory number has already been assigned to a CPG during assignment operation.

Figure 10. Configure the Directory Number Info

Notes:

• The maximum number of directory numbers that can be added in one add/update/remove operation is 200.

• UCM limits each directory number to belong to only one CPG.

• In the configuration template, users must provide each directory number and route partition for CPG.

• The service area field is required but is not used for provisioning.

Call Pickup Group Batch Provisioning

Batch provisioning is supported for only one infrastructure product, CPG. In CPG batch provisioning, input data is validated and proper error messages are given. The new CPG batch data field is called Directory Number Info.
The data format in a batch file is: DirectoryNumber1/RoutePartition1:DirectoryNumber2/RoutePartion2:
A sample data file for add, change, and cancel operations is located at the usual batch sample files location: <CUPMInstallDir>\sep\ipt\config\sample\batchProvisioning.
Notes:

• Service Area is a required field in the batch data file header.

• The entire set of directory numbers should be present for CPG update operations.

Reference Materials and Software Links

Following are useful reference materials on Cisco Unified Provisioning Manager:
Cisco Prime Unified Provisioning Manager User Guide http://www.cisco.com/en/US/products/ps7125/products_user_guide_list.html.
Cisco Prime Unified Provisioning Manager Installation and Upgrade Guides http://www.cisco.com/en/US/partner/products/ps7125/prod_installation_guides_list.html.
Cisco Prime Unified Provisioning Manager Supported Devices Table http://www.cisco.com/en/US/products/ps7125/products_device_support_tables_list.html.
Programming Guide for Cisco Prime Unified Provisioning Manager Northbound Interface http://www.cisco.com/en/US/products/ps7125/products_programming_reference_guides_list.html.
Evaluation, upgrade, and patch files
http://www.cisco.com/cgi-bin/tablebuild.pl/cupm-patch.
Cisco Prime Unified Provisioning Manager overview documents http://www.cisco.com/en/US/partner/products/ps7125/index.html.

Training

Cisco provides an excellent, self-led tutorial for UPM, which should be considered mandatory reading for people who will be managing UPM. This tutorial takes less than two hours to go through and provides task-based walkthroughs for how to use UPM in various scenarios. The tutorial can be found at http://www.cisco.com/en/US/products/ps7125/prod_presentation_list.html.
Cisco also provides a two-day instructor-led training (ILT) course, with "hands-on" labs for people who prefer a classroom forum in which to learn more about the product. Further information about training can be found at http://www.cisco.com/go/ndm.

Concepts

Cisco Prime UPM is a business-oriented product that operates differently from the devices it manages. An understanding of the concepts around Cisco Prime Unified Provisioning Manager is necessary to understand how to get the maximum value from the product.

Cisco Prime UPM Concepts

UPM uses concepts to ease the management of Cisco Unified Communications Manager deployment (Figure 11). The concepts consist of the following:

• Domain

– A logical partition to subdivide a shared environment to create separate local administrative partitions containing service areas with domain partitions and subscribers. A domain can contain multiple service areas and may be associated with multiple Cisco Unified Communications Manager or Cisco Unity clusters.

– Example: A domain could be a company headquarters building or all subscribers in western Europe or each department in a large enterprise.

Best practice
If you want to give a group of subadministrators the ability to manage only a limited part of the voice network, then most likely you will want to create a domain for them to manage.

• Service area

– A logical partition to subdivide a shared environment within a domain to determine the class of service for each subscriber type. Subscriber services are mapped to the devices and application in the voice network. A service area is associated with only one Cisco Unified Communications Manager or one Cisco Unity cluster.

– Example: A service area can be a department within a company headquarters building domain (for example, engineering, marketing, finance, and other departments) or may be tied to a specific location or site.

Best practice
You most likely will have a service area for each class of service for each location you manage.

Figure 11. Domain-Service Area Concept

• Users

– Users are those with authorization to perform various tasks in Cisco Unified Provisioning Manager. See Table 5 for more information on user roles.

– Global

· Complete authorization to perform all tasks in UPM.

· UPM admin (PMAdmin user), created at install, has global administrator rights.

– Domain

· Authorization is limited to tasks within a specific domain or, if using the Multi Domain Admin function, one or more domains.

· Users can be assigned more than one user role within a single domain.

· Users can be assigned to manage multiple domains.

· Global administrators: Cisco Unified Communications experts who install the UPM application and set up the infrastructure, rules, and policy. They can assign domain admin roles to users.

· Domain admins: Junior help desk technicians who can order predefined service offerings.

· Domain admins with advance ordering privileges: Senior help desk technicians who can set provisioning attributes at time of order.

– Domain admin with infrastructure configuration role: A new domain role to allow nonglobal administrators to provision a specific set of infrastructure configuration objects. Service can be ordered for users. Thus, users become subscribers.

– User roles determine the level of access within UPM.

– Some domain-specific roles are applicable only if workflow is enabled.

– Example: A company wants to manage a Cisco Unified Communications network and give day 2 tasks to an IT help desk. In the IT help desk, there are junior and senior technicians. The roles could be as follows:

· Global administrators: Cisco Unified Communications experts who install the Cisco Prime Unified Provisioning Manager application and set up the infrastructure, rules, and policy. They can assign domain admin roles to users.

· Domain admin: Junior help desk personnel who can order predefined service offerings.

· Domain admin with advance ordering privileges: Senior help desk personnel who can set provisioning attributes at the time of the order.

· Domain admin with infrastructure configuration role: Senior help desk personnel who can add/edit/view/delete specific sets of infrastructure configuration objects to all call processors in a domain.

Best practice
Initially, for each domain, set up one or more users with the ordering role at a minimum. If the preset workflow rules (see below) are used, no other roles need be assigned, since workflow will perform activation automatically. Giving only the ordering role will allow users very fixed functionality. The administrator can provide more access once the users become familiar with the system.

Table 5. User Roles

User Type

User Roles

Rights

Global

Administration

Maintenance

Full rights (except maintenance)

Configure system cleanup activities

Domain specific (Users with these roles can only perform authorized tasks within their assigned domain.)

• Policy infrastructure configuration management
• Ordering
• Advance assignment
• Approval
• Assignment
• Shipping
• Receiving
• Manage phone inventory, create new subscriber types, and set phone button templates
• Allows granular control over management of infrastructure products for nonglobal users
• All ordering privileges plus the ability to assign MAC at time of order
• Approve or reject orders
• Assign phone (MAC address) to an order
• Help ensure that the equipment is sent before order processing continues
• Help ensure that the equipment is received before order processing continues

• Subscribers

Entities that use IP telephony services provided by the Cisco Unified Communications System (that is, that have phones, lines, voicemail accounts, and so on).

Subscriber role type defines the products and services that can be provisioned for a subscriber.

Subscriber role types (refer to the User Guide for Cisco Unified Provisioning Manager for details):

– Employee

– Contractor

– Manager

– Sr. Manager

– Executive

– Operator

· Subscriber role types can be modified in a global template or on a per domain basis. The products and product bundles associated to a subscriber type can be customized. For example, one can configure the employee subscriber type only to provision phones of type 7961.

· Additional customized subscriber role types can be created in Cisco Unified Provisioning Manager.

If UPM Self-Care mode is enabled, subscribers can order services for themselves. Thus, a subscriber also becomes a limited user.

• Business rules

UPM contains a predefined set of business rules that control processing of orders, behavior of the synchronization process, and default values for various objects. Rules can be set per domain or in a global template assigned to all new domains.

Some commonly used rules (eight domain synchronization rules are introduced later in the section "How to Choose the Synchronization Rules"):

– Domain synchronization rules (see the section "How to Choose the Synchronization Rules" for more details on how to use them)

· AssociateAllUsersInCallProcessor

· AssociateAllUsersInUMProcessor

· AssociateOnlyExistingUsers (1.3)

· AssociateUsersByDeptCode

· AssociateUsersByDevicePool (1.3.1)

· AssociateUsersByLocation (1.3.1)

· TakePrimaryUserInfoFromUMProcessor (1.3)

· Non-RestrictedDomainSync (1.3)

– Workflow rules (see the User Guide for UPM for more details):

· IsAuthorizationRequiredForAddOrder

· IsAuthorizationRequiredForCancelOrder

· IsAuthorizationRequiredForChangeOrder

· PhoneAssignmentDoneBy

· PhoneReceiptDoneBy

· PhoneShippingDoneBy

– Rules by problem to be solved:

· Need to remove exchange data when a Cisco Unity account is deleted: Enable PurgeUponUmRemoval.

· Need subscribers to order service for themselves: Enable CreateSelfCareAccounts.

· Don't want help desk to choose phone template when provisioning phones: Disable ChoosePhoneButtonTemplates.

· Want to force a Cisco Unity subscriber to change the password after the password is reset by UPM: Enable ChangeUnityPasswordOnNextLogin.

· Need to import a user from Cisco Unified Communications Manager and to assign the subscriber role automatically: Configure the DefaultUserType rule as desired. By default this is configured to be Employee.

· Need to keep a phone number reserved after deleting it from a subscriber for a period of time before reassigning it back into the available numbers block: Enable the DNAutoReservation rule and configure DNAutoReservationTimeout as desired.

– Rules related to default values of provisioning attribute:

· DefaultCallManagerPassword

· DefaultCallManagerPIN

· DefaultCUPMPassword

· DefaultDeviceProfile

· DefaultUnitySubscriberPassword

· DescriptionString

· LineDisplayString

· ExternalNumberMasks

Best practice

• Set the synchronization rules up for domains before the first sync. (See the section "How to Choose the Synchronization Rules" for more details on how to select domain synchronization rules.)

• Leave the default settings for other rules until you gain experience with UPM. (Example: Workflow rules can be modified afterward.)

• Provisioning attributes

Both call and messaging services have many attributes that can be assigned and that further define and enhance the service provided to the subscriber. For example, one attribute that can be defined on a phone as an enhancement to its use is the setting of speed dials. Within UPM, these settings are known as provisioning attributes, and they can be set at multiple levels within UPM to enforce policy, again simplifying the overall provisioning of subscriber services.

The provisioning attributes supported by UPM are documented in the User Guide for Cisco Prime Unified Provisioning Manager.

Provisioning attributes can be set for domains, subscriber types, service areas, and during order entry. This order also defines the default order of precedence in the event that the same attribute is set at multiple levels. Cisco UPM 2.0 allows users to reorder the precedence of domain, subscriber type, and service area.

– Let's look at a brief example to help clarify this.

· A policy at Chambers Engineering states that no subscribers in any of the offices in France are to have video capabilities on their phones except the executives.

· One way to implement this would be to set the phone attribute Video Capabilities to Enabled at the domain level and true for the executive subscriber type.

· Now, all orders for phones in the France domain will set Video Capabilities to Enabled, but for subscribers of type Executive, this will be overridden with a value of true.

· If an individual employee is also given clearance for video privileges, the employee's false setting can be overridden during order entry using the Advanced Options button.

Best practice
Customers tend to set up provisioning attributes for the service area to establish templates for subscriber services; however, if you have a large number of service areas and the majority of them share the same provisioning attributes, set them at the domain level to reduce potential service area updating efforts.

• Ordering workflow

UPM has a built-in ordering workflow to coordinate activities in the ordering process. The activities include approving the order, assigning a phone to the order, shipping the product, and receiving the product.

This workflow can be customized to fit the customer's exact needs by enabling or disabling each step and assigning the enabled steps to UPM user roles.

By default, all steps are disabled. The workflow rules control enabling of any step of the workflow.

Best practice
Leave workflow default values until you gain experience with UPM.

Business Analysis

Because UPM is typically used within the business processes of an organization, a brief business analysis activity early in the deployment process is highly recommended. This will provide the information necessary for how best to configure various UPM system objects. The following questions will help drive this analysis:

• Will fewer technical staff be "delegated" management capabilities for the day 2 (move, add, change) activity for subscriber services (example: a help desk, or administrative staff in various locations)?

• What groupings of subscribers map best to how you want to do this "delegated" management (example: geographic-based groupings or organizational-based groupings)?

– These questions will dictate the number of domains that will be created in UPM. Note that users with the domain-level access role (called the ordering role for a single domain within UPM) can only see subscribers in their own domain.

• Within each grouping of subscribers, which sites or locations do you want to manage?

• For each site or location, what classes of services are required?

• For each site or location, what device pools, phone protocols, voice mail templates, common device configuration, locations, and partitions are required?

• For each site or location, which devices will support that location?

– These questions will dictate the number of service areas that will be created in UPM for that domain. Service areas point to unique combinations of call processors and message processors (example: Cisco Unified Communications Manager and Cisco Unity). They also contain policy information on calling privilege, like calling search spaces within the Cisco Unified Communications Manager to be used for the service area. Directory number blocks can also be defined in service areas.

• Is a single Cisco Unified Communications application (example: Cisco Unified Communications Manager) shared across these groupings of subscribers and locations?

– This question will dictate how basic synchronization rules are set within UPM. For example, will Cisco Prime UPM need to place subscribers into domains automatically at synchronization time based on the department code in the Cisco Unified Communications Manager, or can it put all users it finds into a Cisco Unified Communications Manager single domain?

Best practice

• It is recommended that the initial deployment of UPM focus on defining the correct domains and service areas, provisioning attributes against these, and the basic rules covered in the section "Usage by Problem to Be Solved."

• Try to avoid flat domain/service area design; for example, having one domain with a thousand or hundreds of domains with one service area per domain is not good design.

• Domains can be designed based on delegation needs or geographic location.

• It is recommended to calculate the service areas needed for each domain beforehand. By default, the number of service areas needed will be the permutation and combination of six or seven attributes in the service area setup (class of service, device pool, phone protocols, voice mail templates, common device configuration, location, partition). If the number of service areas needed for a domain exceeds 100, consider breaking into two domains for easier manageability and optimal usability.

• It is easier to create multiple domains and remove some later, consolidating subscribers into fewer domains, than it is to create a small number of domains and later split subscribers into more domains.

• Consider the use of subscriber types, advanced rule settings, and other configuration parameters after these concepts are well understood.

Installing Cisco Prime UPM

How to Select Hardware

There are several things to consider in selecting hardware (also see Table 6):

• Platforms: Cisco Prime Unified Provisioning Manager does not require special Cisco hardware, but it is tested on various Cisco 7835 (2 GB RAM) and 7845 (4 GB RAM) server platforms. The Cisco Unified Communications network to be managed is mission critical, so serious consideration should be used in choosing a platform for management applications. The platform chosen must meet the published requirements as listed below. The recommendations below are provided as guidelines when you are not sure how much performance is really needed to provide a good administrator experience.

• Number of phones to be managed: UPM is tested at several tiers, and hardware recommendations are listed below for each tier. The number of phones to be managed has a major impact on disk performance requirements, especially during device sync operations.

• Concurrent user load on the system: The responsiveness of the system may change as more concurrent users are added. More concurrent administrators generally require more CPU for processing and memory for user space. The 10,000 and lower phone recommendation assumes 1 to 5 operators. The 20,000 phone and larger phone recommendation assumes up to 10 concurrent users. In smaller environments with more than 5 concurrent administrators, you should consider going to a faster computer tier to assure responsiveness. See the section "VMware Support in UPM" for virtualization recommendations.

• Network growth effect on hardware: As the number of phones increases, the number of concurrent administrators will usually also increase. Sometimes the increase in managed phones will cause the hardware platform to be upgraded. It is a good practice to look at growth requirements versus platform cost depreciation to decide which tier of performance should be considered for the initial purchase.

Table 6. Minimum Hardware Requirements

Server Requirements

1-1000 Phones

1001-10,000 Phones

10,001-60,000 Phones

CPU

Single 3.0 GHz Intel P4 processor or equivalent

2.33 GHz or higher quad core processor or equivalent

2-machine deployment with a 2.33 GHz or higher quad core processor or equivalent for both the database server and the web/application server

Memory

2 GB RAM

4 GB RAM

• 4 GB RAM on each of the application and database servers for 10,001-30,000 phones
• 4 GB RAM on the application server and 8 GB RAM is required on the database server for 30,001-60,000 phones

Available Disk Space

30 GB of available hard disk space 

60 GB of available hard disk space with SAS or SCSI drives

• 30 GB of available hard disk space on machine for the web/application server, and
• 80 GB of available disk space in SAS hard drive in a RAID 1+0 configuration for the database for up to 30,000 phones
• 120 GB of available disk space in SAS hard drive in a RAID 1+0 configuration is recommended for 30,001-60,000 phones

Network

100 Mbps network interface card (NIC)

100 Mbps NIC

1 Gbps NIC (Recommended strongly for better performance, especially for 30,001-60,000 phones)

Note: Make sure that hyper threading is enabled in the BIOS.

How to Select the OS

• UPM is supported with off-the-shelf Windows Server 2003 or 2008.

– The latest service pack, currently Service Pack 2, should be installed.

• Windows Server 2003/2008: Standard and Enterprise

– Cisco Unified Provisioning Manager is tested on both versions. Choosing which one to use is based on the amount of RAM and swap (virtual memory/page file) space required. The Standard version, for example, will only allow a maximum of 4 GB of swap space. If you feel you need more swap space, use the Enterprise version.

• 32-bit or 64-bit OS

– UPM can be installed on either 32-bit or 64-bit versions of Windows Server 2003/2008 and will run as a 32-bit application. UPM has not been tested with Windows servers that are 64-bit only, such as Windows Server 2008 R2, and is not expected to work in this environment.

• Cisco custom OS versions

– Cisco provides a customized version of Windows Server 2003 with some of its Cisco Unified Communications applications and hardware. UPM will not operate properly with these custom versions. If you user Cisco hardware, don't buy a Media Convergence Server (MCS) with Windows installed.

Loading Other Software with Cisco Prime UPM

Cisco Prime UPM is expected to be loaded on a hardware platform running Windows Server 2003/2008 along with the UPM application. If a UPM patch is required, this may be loaded.
UPM does not require CiscoWorks Common Services, so do not attempt to load it on a server running UPM.
UPM has undergone interoperability testing with McAfee VirusScan Enterprise 8.0, 8.5i, and 8.7i. For McAfee Enterprise VirusScan 8.0, you must have Patch Version 11 installed. Install the McAfee VirusScan Enterprise 8.0 Patch Version 11 before installing UPM on the system.
OpenSSL may be loaded as described in the Installation Guide for Cisco Prime UPM for support of HTTPS connections between your web browser and UPM server.
Provisioning Manager can be coresident with Operations Manager, Service Monitor, and Service Statistics Manager:

• Maximum of 10,000 phones are supported with this deployment.

• Requires two-way quad-core Xeon X5365 processors at 3 GHz, 16 GB RAM, 320 GB hard disk space, Windows Server 2003 Enterprise Edition with Service Pack 2. See the installation guide for detailed requirements.

• Each application should be installed on separate physical disk drives.

• Recommended installation order:

– Operations Manager (including Service Monitoring)

– Service Statistics Manager

– Provisioning Manager (in Advanced Mode)

• Port numbers (like SSL) may conflict, so will need to be changed on one of the applications.

Other software must not be loaded unless directed by the Cisco Prime Unified Provisioning Manager product team.

Information Needed During Installation

If you are installing for the first time, the best practice is to use the default port numbers offered during the installation unless they are known to interfere with other services on the same network. Make sure you save your settings in case you need to reuse them for a future reinstall, recovery, or upgrade. This is especially important if you do an advanced installation.
You may need to supply the following information during the installation of Provisioning Manager:

• You will need your hardware MAC in order to get a license generated. If you are installing UPM in a VMware environment, you must have a static MAC address in the following range: 00:50:56:00:00:00 to 00:50:56:3F:FF:FF

• For a simple installation, you will need to have the following:

– A license file, or you can choose to use the evaluation version for 90 days

– Password for the administrator user; does not have to be the password for the Windows server administrator

• For an advanced installation, what you need depends on your installation. The following list contains information you may need:

– License files, or you can choose to use the evaluation version for 90 days

– A port number for the Apache web server

– A port number for the PostgreSQL database

– Hostname or IP address for the systems that can connect to the PostgreSQL database

– Username and password for the Windows user that the PostgreSQL database uses

– Username and password for the PostgreSQL administrator

– The JBoss application server name

– The port number for the JBoss application server

– Username and password for the application database user

– Password for the administrator user

– Port number for the NICE service

VMware Support in UPM

UPM supports the VMware environment. UPM has been tested on VMware ESX Server version 3.5/4.0 and VMware ESX Server 3i version 3.5/4.1. To use Provisioning Manager in a VMware environment, your virtual machine must be configured with a static MAC address.
If you need to configure a static MAC address after installation, perform the following procedure:

Note: The following procedure applies to VMware GSX and VMware ESX prior to version 3.0. If you are running VMware ESX 3.0 or later, you can use the Edit Settings option on the virtual machine to configure a static MAC address.

1. Power down the VMware server.
2. On the virtual machine, remove the VMware server from the VirtualCenter inventory.
3. On the virtual machine, change the .vmx file according to the following:

• Change the value of the ethernet0.addressType entry to static.

• Change the value of the ethernet0.GeneratedAddress entry to ethernet0.Address.

4. Change the current MAC address of the virtual machine to a MAC address in the following range: 00:50:56:00:00:00 to 00:50:56:3F:FF:FF
5. In VirtualCenter, select a VMware ESX and select Storage.
6. In data storage locate your virtual machine.
7. Right-click the .vmx file and then select Add to inventory.
8. Power on the VMware server.
9. On the VMware server open a command prompt.
10. Enter the command ipconfig/all.
11. In the command output, locate the VMware NIC and verify that your manually assigned MAC address appears as the MAC address for the NIC.
See Table 7 for additional VMware configuration information.

Table 7. Cisco UPM Configuration for VMware

Feature/Requirement

UPM (1000 Phones)

UPM (Up to 10,000 Phones)

UPM (10,000+ Phones)

Number of VMs

1 VM

1 VM

2 VMs (application/database)

Open Virtualization Archive (OVA)* Configuration

1 vCPU
2 GB RAM
30 GB disk

4 vCPU
4 GB RAM
60 GB disk

4 vCPU 4 vCPU
4 GB RAM 8 GB RAM
30 GB disk 80-120 GB disk

IOPS per VM (avg)**

100

100

100

IOPS per VM (max)**

500

500

500

VM Oversubscription per Blade

Not supported

Not supported

Not supported

VMware vNIC Settings

Static MAC address

Static MAC address

Static MAC address

VMware - vMotion Live Migration

Yes (during VM quiescence)

Yes (during VM quiescence)

Yes (during VM quiescence)

VMware vMotion Maintenance Window

Yes

Yes

Yes

VMware - HA

Yes

Yes

Yes

VMware - Snapshot

Not for High Performance VMs; long-running snapshots not recommended

Not for High Performance VMs; long-running snapshots not recommended

Not for High Performance VMs; long-running snapshots not recommended

Notes:
* OVAs can be downloaded from cisco.com/go/cupm for 1000, 10,000, and 60,000 (dual server) configurations.
** IOPS are for each Communications Manager publisher synced in parallel. If there is only one Communications Manager publisher then IOPS are 100/500. The maximum figures would be expected during nightly infrastructure or subscriber syncs.

Cisco Unified Computing System Support

UPM can be installed on a Cisco Unified Computing System. If you are going to install UPM on a Cisco Unified Computing System, make sure that the system has the latest firmware installed.

How to Assure a Clean Install

• Always make sure you turn off all virus checkers before installing UPM. This is one of the most common reasons for failed installs.

• You must exclude the following from virus scanning:

– The pgsql folder (if you selected the default location during installation, it is C:\CUPM\pgsql).

– The postmaster.exe file (located in the CUPM\pgsql\bin folder).

• Check that the password policy in Windows is not set to eight characters minimum. Change to five characters if possible. If not, do an advanced install and specify passwords that meet the minimum password length.

• The root directory on the server you install should have access to the group Users.

• Make sure you record and store the passwords and port numbers. Sometimes you need these later, especially if you migrate the application to a new PC.

• Do not install Provisioning Manager on a primary domain controller (PDC) or backup domain controller (BDC).

• Make sure you use a directory that does not contain a space in the name. Unless there is a major reason to pick a nonstandard directory name, use the default directory.

• Make sure Service Pack 1 or Service Pack 2 is installed for Windows Server 2003. Otherwise, msiexec is only at version 2.x. UPM needs version 3.x.

• Make sure the service Secondary Login is running.

• It is best to start with a standard install.

• After installing or upgrading UPM, apply any recommended UPM patches.

• When using two servers for a distributed install, make sure the application maintains IP connectivity. Consider using a ping utility to look for connectivity issues.

• UPM will not install in either medium or large model configurations, required for more than 1000 phones, if Windows Server 2003 reports less than 4 GB of memory. There is a known issue with the Windows Server 2003 operating system, when working with certain hardware, where 4 GB of memory may be installed and Windows reports less than 4 GB of memory. Refer to http://msdn2.microsoft.com/en-us/library/ms791485.aspx for more details.

Do the following to enable the 4 GB memory:
1. On the UPM system, in Windows, right-click My Computer.
2. Select Properties.
3. Select the Advanced tab.
4. Under Startup and Recovery, click Settings.
5. Click Edit. The boot.ini file opens.
6. In the file, add "/PAE" in the line starting with "multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=...".
7. Restart the system.

Note: To verify the system has detected the full 4 GB of memory, launch Task Manager and display the Performance tab. The "Total" under the block headed "Physical Memory (K)" should be ~ 4192968.

• On the UPM system, install Win32 OpenSSL v0.9.8j Light (latest version as of the writing of this guide) in C:\OpenSSL.

• When installing OpenSSL, there will be a prompt for "Copy OpenSSL DLLs to" and there will be two options, "The Windows System Directory" or "The OpenSSL binaries(/bin) directory". Choose "The OpenSSL binaries(/bin) directory". After the OpenSSL install is done, copy the libraries ssleay32.dll and libeay32.dll, which are under the c:\OpenSSL\bin folder, to the c:\CUPM\httpd\bin folder, where c:\CUPM is the location where Cisco Prime Unified Provisioning Manager is installed and c:\OpenSSL is the location where OpenSSL is installed. Installing this way will allow UPM to coexist with other management applications, which may have different SSL support, when management application coresidence becomes available in the future.

Note: If you receive an error message stating that Visual C++ 2008 Redistributables are missing, you must download and install the Visual C++ 2008 Redistributables before proceeding. It is available at the same location (http://www.slproweb.com/products/Win32OpenSSL.html).

Preparing End Systems

• Make sure that AXL services are running on the Cisco Unified Communications Manager server. The UPM sync process and provisioning process require AXL service.

– In versions earlier than Cisco Unified Communications Manager 5.0, enable the following from the Control Center:

· Cisco Serviceability Reporter

· Cisco RIS Data Collector

– In Cisco Unified Communications Manager Version 5.0 and later, enable the following from Control Center à Feature Services:

– Database and Admin Services à Cisco AXL Web Service

– Performance and Monitoring Services à Cisco Serviceability Reporter

For additional information on preparing the end system, please refer to the Installation Guide for Cisco Prime Unified Provisioning Manager at http://www.cisco.com/en/US/docs/net_mgmt/cisco_unified_provisioning_manager/.

Licensing

The following types of licenses are available for Cisco Prime Unified Provisioning Manager:

• Eval (built-in license)

– UPM image defaults to Eval mode if no license is present.

– Supports 100 phones, 5 call processors and message processors for 90 days.

– API is turned off in Eval mode.

• Image (L-CUPM-8.7-K9)

– Mandatory license to turn on UPM services, such as NICE, and put product in production mode. There is no phone count in this license.

• Add-On-Phone (also known as a scale license) (L-CUPM-B-2K-LIC)

– Needed for new installations or expansion; licenses the number of phones to support

• API (L-CUPM-B-API-FL)

– Mandatory to turn on the northbound API interface

• Upgrade (L-CUPM-B-2K-UPG)

– Needed to upgrade UPM 1.x licenses to 2.x licenses

• NFR (UPM2-NFR-SEP11.lic, about 17K. This license expired in September 2011.)

– Special Eval license for Cisco partners; no MAC is needed, but the license is locked to an end date

New installations of UPM 8.7 must have an image license and at least one scale license. New installations must also have an API license if the customer wants to use the northbound API.
No license changes are needed to upgrade from UPM 2.x to 8.7. UPM 8.7 is a free upgrade from 2.1/2.2.
To upgrade from UPM 1.3.1 to 8.7, users must upgrade from 1.3.1 to 2.0 first, then upgrade to 2.1 and then from 2.1 to 8.7. Users must have a 2.x image license and must have all of the old 1.3.1 licenses to convert. Users must also have B upgrade licenses as required to recover the old 1.3.1 phone license counts to use in UPM 2.x - the 1.3.1 plus B upgrade licenses are used to get entitlement out of the old 1.3.1 licenses. Users can purchase more B add-on licenses to increase support.
All MAC addresses in the licenses must match the server MAC addresses.
During fresh installations of UPM 8.7, users should select the image (K9) license file when prompted. Add-on license files must be copied to <install dir>/license when the install completes.
During upgrades from 1.3.1 to 2.0 (to get to 2.1), old 1.3.1 licenses, image licenses, and upgrade licenses should be put in a temporary directory, which UPM will ask for during installation. The installer will display license entitlement based on licenses in the temporary directory. UPM will then copy all licenses into the license directory.
Total phone licenses are calculated as follows:
2.x image license must be present + new add-on phone licenses + ((1.x base licenses + total 1.x add-on licenses) ∩ total 2.x add-on upgrade licenses) = total phone licenses.
At least one image license must be present. Feature counts within the image licenses are cumulative. These may be phones, call processors, and message processors.
A "B" in the license PID means this license is good for the 2.x family of releases.

Basic Task Flow

• Set up devices

– Add call processors (Cisco Unified Communications Manager publishers only, when using Cisco Unified Communications Manager clusters) and message processors to UPM as devices with capabilities assigned

– Configure call processors and message processors

– Perform infrastructure synchronization

– Perform subscriber synchronization

• Set up domain deployment

– Create domains and assign call processors and message processors

– Create service areas

– Configure rules

– Perform domain synchronization

– For preexisting call processors and message processors, verify that subscribers get created

• Provision network

– Create and push templates to configure Cisco Unified Communications Manager

– Or sync current provisioning configurations from existing deployment

• Set up deployment

– Create new service areas, as needed, for each domain, typically one per class of service

– Assign subscriber types to each service area

• Admin

– Add subscriber types

– Modify products available to subscriber types

– Create administrative users for each domain

– Configure business rules

• Set ordering workflow

– Order, update, or change subscriber services

Please refer to the UPM tutorial for details on the initial setup process of each of the above listed areas.

How to Choose the Synchronization Rules

Domain Sync Rules

There are three types of synchronization in UPM: infrastructure sync, subscriber sync, and domain sync. Infrastructure sync discovers all objects in Communications Manager that UPM uses and that are not specific to individual subscribers, for example, calling search space, voice device groups, route patterns, and translation patterns. Subscriber sync discovers all objects related to individual subscribers, for example, configured phones, configured lines, and device profiles. Domain sync puts existing subscribers discovered during subscriber sync into the domain and appropriate service area.
Infrastructure sync and subscriber sync retrieve information from the device. These are unidirectional syncs. UPM does not update devices during these syncs. They should be completed on all devices before a domain sync is started. Domain sync aggregates data from the processor syncs. Devices are not accessed during this sync.
Domain sync behavior is controlled by the business rules. There are eight rules that can be configured for synchronizing a domain:
1. AssociateAllUsersInCallProcessor
If this rule is enabled, during a domain synchronization, all of the user accounts in all of the call processors in the domain are assigned to the domain being synchronized. In the example in Figure 12, all users in the call processor are placed in Domain 1. Sync on another domain will not have any users since all users have been placed to Domain 1. So this rule should be used to control domain sync when only one domain is configured in UPM. See Figure 12.

Figure 12. Example: Domain Sync with AssociateAllUsersInCallProcessor

2. AssociateAllUsersInUMProcessor
This behaves the same as AssociateAllUsersInCallProcessor. If this rule is enabled, all user accounts in a given Cisco Unified Message Processor are assigned to a UPM domain. This rule can be used to control domain sync when only one domain is configured in UPM.
3. AssociateOnlyExistingUsers
Users are first created in Cisco Unified Provisioning Manager in the desired domain. Domain sync associates users in a call processor only if they are already created on the domain. This rule is used only when you want to manually define the user assignment in a multidomain environment or none of other rules meets the requirement. Figure 13 shows an example.

Figure 13. Example: Domain Sync with AssociateOnlyExistingUsers

4. AssociateUsersByDeptCode
Users created in Cisco Unified Communications Manager with the department code field filled in are associated to the domain based on the value placed in this field. The list of department code values should be enclosed in double quotation marks (") and separated by the semicolon delimiter (;). Department code values may contain wildcards (* or %); for example, "Dept 1";"";"Dept 2";"Dept*3". Figure 14 shows an example.

Figure 14. Example: Domain Sync with AssociateUsersByDeptCode

This rule is used to partition users based on the department code in a multidomain environment. If you don't have a department code clearly defined for every user or a department code is not guaranteed to be unique across domains, this rule cannot be used.
5. AssociateUsersByDevicePool
Users are associated to a domain based on the device pool setting on the phone. Users are not associated if they do not have a phone. If this rule is set, domain sync will sync only those users that have a phone with the device pool specified in the data field. This rule is applicable only to Cisco Unified Communications Manager, not Communications Manager Express.
Sample data in the rule: "CCM1:DevicePool1";"CCM2:DevicePool2"; CCM1 or CCM2 is the UPM call processor name.
With this data, users that have a phone in CCM1 with device pool as DevicePool1 and users that have a phone in CCM2 with device pool as DevicePool2 will by synchronized. If either CCM1 or CCM2 is not part of the current domain, that part of the data will be ignored.
6. AssociateUsersByLocation
Users are associated to a domain based on the location setting on the phone. Users are not associated if they do not have a phone. If this rule is set, domain sync will sync only those users that have a phone with the location specified in the data field. This rule is applicable only to Cisco Unified Communications Manager, not Communications Manager Express. Sample data in the rule: "CCM1:Location1";"CCM2:Location2"; CCM1 or CCM2 is the UPM call processor name.
With this data, users that have a phone in CCM1 with location as Location1 and users that have a phone in CCM2 with location as Location2 will by synchronized.
If either CCM1 or CCM2 is not part of the current domain, that part of the data will be ignored.
7. TakePrimaryUserInfoFromUMProcessor
If enabled, user and subscriber information is updated from the associated Cisco Unified Message Processor account; otherwise it is updated from the call processor. When the rule is enabled, you can also specify the message processor ID, which takes precedence if a user has accounts on multiple message processors. This value can also be left blank to indicate no preference. This rule is used to handle inconsistent configurations across different call processors and message processors. Figure 15 shows an example.

Figure 15. Example: Domain Sync with TakePrimaryUserInfoFromUMProcessor

8. Non-RestrictedDomainSync
If this rule is enabled, UPM performs nonrestricted domain synchronization. Criteria used to find the service area for a product are relaxed to use only a call processor and protocol for the phone product; a call processor for the CTI port, line, enable extension mobility, and enable mobility support products; a call processor and messaging processor for the voicemail, email, and unified messaging products. In addition, only a call processor and messaging processor are used as criteria to match the directory number and voicemail. The user can define a list of service areas to be used. When more than one service area satisfies such criteria, the first matching service area from this list is selected. If no service area is defined or found, UPM selects a service area that satisfies the criteria. The service area names should be enclosed in double quotation marks (") and separated by the semicolon delimiter (;), for example, "DefaultSA1";"SA2".
When this rule is disabled, services are assigned to a user only if there are matching service area settings. For phones, UPM matches the following attributes: device pool, common device configuration, calling search space of phone, location, and protocol. For lines, UPM matches the following attributes: device pool of phone, common device configuration of phone, route partition of line, calling search space of line, location of phone. The domain sync log will show all services that do not have matching service areas.
Figure 16 gives an example with the Non-RestrictedDomainSync rule disabled.

Figure 16. Example: Domain Sync with Non-RestrictedDomainSync Rule Disabled

Figure 17 shows an example with the Non-RestrictedDomainSync rule enabled.

Figure 17. Example: Domain Sync with Non-RestrictedDomainSync Rule Enabled

From Figure 17, you can see that, by default, services are only assigned to subscribers and displayed under a subscriber record if there are matching service area settings. The number of service areas required might be a lot based on permutations and combinations of different service area attributes. The Non-RestrictedDomainSync rule will come in handy when you want to reduce the number of service areas needed and make sure all subscriber services show up and are manageable in Cisco Prime Unified Provisioning Manager.

Note: Be aware that if you run a domain synchronization and then change the configured domain rule to Non-RestrictedDomainSync and then run another domain synchronization, any services that were not previously synchronized will be placed in a service area based on the Non-RestrictedDomainSync rule. This could result in services for a subscriber showing up in multiple service areas.

When configuring the rules, please follow the below general guidelines:

• Rules 1-6 determine how subscribers are placed into the domain

• Rule 7 determines where information for a subscriber comes from

• Rule 8 determines how services are matched to service areas in a domain

• Some rules work in conjunction with others, while some rules are set exclusively

• The rules AssociateUsersByDeptCode, AssociateUsersByDevicePool, and AssociateUsersByLocation can be used together

• Once users are assigned to a domain, they cannot be moved to another domain. Users who need to be deleted need to be deleted for the entire domain

If none of the business rules match your requirements, you can still import the users to domains through LDAP, UI, or a batch file.

Domain Sync Rules Interoperability

The following are all the rules that determine the call processor users that will be synchronized in a domain sync (includes the two new rules):
1. AssociateAllUsersinCallProcessor
2. AssociateOnlyExistingUsers
3. AssociateUsersByDeptCode
4. AssociateUsersByDevicePool
5. AssociateUsersByLocation
If the first rule is enabled, the settings of all the other rules are ignored. If the second rule is enabled, the settings of rules 3, 4, and 5 are ignored. The last three rules are additive in the sense that if two of them enabled, then only users that satisfy both the constraints are synchronized.
Suppose a domain has three call processors, CCM1, CCM2, and CCM3, and its rules are set like this:

• AssociateUsersByDeptCode: Enabled with data "Dept1"

• AssociateUsersByDevicePool: Enabled with data "CCM2:DevicePool2";"CCM3:DevicePool3"

• AssociateUsersByLocation: Enabled with data "CCM3:Location3"

When the domain sync is run, these users are synchronized:

• CCM1: Users with department code "Dept1"

• CCM2: Users with department code "Dept1" and with phones whose device pool is "DevicePool2"

• CCM3: Users with the department code "Dept1" and with phones whose device pool is "DevicePool3" and whose location is "Location3"

Configuring Rules Step by Step

Domains rules need to be configured properly before a sync is performed.

Step 1. Configure how users are placed in the domain.

Select

• AssociateAllUsersInCallProcessor + AssociateAllUsersInUMProcessor

OR

• AssociateOnlyExistingUsers

OR any combination of

• AssociateUsersByDeptCode

• AssociateUsersByDevicePool

• AssociateUsersByLocation

Step 2. Configure how services for a user are assigned to service areas.

• Non-RestrictedDomainSync
(disabled by default)

Optional:

• AssociateAllUsersInUMProcessor

• TakePrimaryUserInfoFromUMProcessor

Example:
Customer has an Active Directory integrated Communications Manager and has different domains set up for different branches.
Option 1:

• Set the department in Active Directory for users.

• Enable the AssociateUsersByDeptCode rule for each domain and specify the department code.

Option 2:

• Users can be placed using a combination of these rules: AssociateUsersByDevicePool and AssociateUsersByLocation.

• This requires that all users have an associated phone.

Option 3:
If the department code cannot be set and some users don't have associated phones:

• Create subscribers in UPM first in the desired domain. The batch action can be used if there are a lot of users.

• Enable the AssociateOnlyExistingUsers rule for domains.

  1. Enable the Non-RestrictedDomainSync rule to reduce the number of service areas needed. By default there will be a lot of service areas per domain needed for this customer to cover permutations on different calling search spaces and different device pools.

How-To Examples

Taking Over an Existing Cisco Unified Communications Network

This section follows the exploits of a fictitious company as it deploys UPM to simplify the Cisco Unified Communications deployment.

Network Descriptions

With operations in multiple countries, a fictional France-based utility firm is in the process of deploying UPM to simplify moves, adds, changes, and deletes (MACD). Customer already has an operational Cisco Unified Communications network so UPM will mainly be used for day 2 operations to speed up MACD.

Collecting Information for UPM Design and Configuration

The following information is collected to determine how to design and configure Cisco Prime Unified Provisioning Manager:

• Sites

– 100 physical branch offices in total

– 10,000 IP phones

• Call processors

– Three Communications Manager clusters

– For each of the three Communications Manager publishers:

· Release 6.1(1)

· Lightweight Directory Access Protocol synchronization and authentication

· Extension mobility

• Messages processors

– Three Cisco Unity Version 5

• Administrative partitioning

– Based on delegation requirements, users are partitioned into eight administrative sites

• Subscriber services provisioning requirement

– Most users have phone, line, voicemail, and email

– Some users are provisioned with extension mobility (device profile and line) and voicemail

• Dial plan information

– There is one device calling search space per branch office

– There are four line calling search spaces per branch office

– There is one location code per branch office

– There is one device pool per branch office

– There are two common device configurations for all sites

– Only Skinny Client Control Protocol (SCCP) is used for phones

– Only one voicemail template is used per branch office

– Only one route partition is used for all sites

Preparing End Systems

• Create a SQL Server user and password that can be used by Provisioning Manager to access the SQL Server database on Cisco Unity. The SQL Server user requires access to both the Cisco Unity and master databases and with mixed authentication (default is Windows only). Detailed procedure is located at http://www.cisco.com/en/US/docs/net_mgmt/cisco_unified_provisioning_manager/1.3/installation/guide/PMinstll.html#wp1048066.

• Create a user and password with administrator privileges that can be used by UPM to access Cisco Unified Communications Manager. Standard AXL API access is one of the predefined roles in the Linux version of Cisco Unified Communications Manager that can be used by UPM.

Configuring Cisco Prime UPM: Set Up Devices

• Each Communications Manager publisher is entered in UPM:

– With extension mobility service and URL

– LDAP integration: Synchronization and authentication

• Three call processors are defined

• Each Cisco Unity (primary Cisco Unity) device is entered in UPM. Note: Cisco Prime Unified Provisioning Manager doesn't support provisioning backup for Cisco Unity devices.

• If the user used SQL Server to access the message processor then the Cisco Unity device must be configured to allow:

– SQL and Windows access (default is Windows only)

– A user must be created with the appropriate db-owner, db-read, db-write on master-db, and unity-db parameters

• Perform infrastructure sync and subscriber sync for each Communications Manager and Cisco Unity component

Configuring Cisco Prime UPM: Set Up Domains

• Five domains are created, one per administrative site (Figure 18)

• Each domain uses only one call processor and one message processor

• UPM allows automatic subscriber synchronization by matching the department code in the directory

• The department code is not guaranteed to be unique across domains

• For each domain, configure the AssociateUsersByDevicePool and/or AssociateUsersByLocation rules in UPM to allow synchronization of the subscriber in the domain

• Provisioning attributes: Phone: user_locale: French, Extension mobility access (device profile): user_locale: French

Figure 18. Domain Setup

Configuring Cisco Prime UPM: Set Up Service Areas

By default (without enabling the Non-RestrictedDomainSync rule), around 8 service areas per branch office are needed based on two common device configurations and four line calling search spaces per branch office. See Figure 19. In this case, the 800 service areas are distributed among eight domains, which might not cause usability issues. But the Non-RestrictedDomainSync rule can be enabled to reduce the number of service areas to 500. In that case, the most common device configuration is selected to be the common device configuration in the service area. The domain administrator is assigned the advanced ordering role and can modify the common device configuration during order time if needed. Bulk service area creation can be done through batch action.

• One service area per site containing:

– One call processor

· Phone Calling Searching Space: Site-specific value

· Line Calling Search Space: Select one out of four

· Common Device Config: Select one out of two

· Location: Site-specific value

· Device pool: Site-specific value

· Router Partition/Protocol: Default value for all sites

– One messaging processor

– Employee subscriber type is selected for the service area

– Directory number block: One predefined block per site to allow autoassignation

– Some provisioning attributes:

· Forward xxx: Set as the same line calling search spaces

· Description (extension mobility line)

Figure 19. Service Area Setup

• Domain sync needs to be performed before ordering services and after creating service areas.

Configuring Cisco Prime UPM: Set Up Administration

• Multiple administrators will be defined (Figure 20):

– Some global administrators

– Some administrators per domains

• Workflow rules are not enabled

• No additional subscriber roles are created, but edit the employee role to associate Unified Messaging Service and Extension Mobility Access with Line (Figure 21).

• Nightly sync is run to make sure that Communications Manager and Cisco Prime UPM have the same data. For detailed information on scheduling sync, please use the schedule information documented in the User Guide for Cisco Prime Unified Provisioning Manager at http://www.cisco.com/en/US/docs/net_mgmt/cisco_unified_provisioning_manager/1.3/user/guide/admin.html#wp1058592.

Figure 20. Domain Admin Setup

Figure 21. Customize Orderable Products for the Subscriber Role

Subscriber Services Provisioning: Order, Update, or Change Subscriber Services

Subscriber services can be provisioned by a domain administrator or a global administrator.
Subscriber services can be provisioned using the batch provisioning feature or using the GUI (Figure 22).

• Order services for users that have phone, line, voicemail, and email:

– For subscribers, one Unified Messaging Service will be ordered where the administrator will have to choose:

· The domain (only if it's a global administrator)

· The unified messaging service (phone, line, voicemail, and email)

· The line type: Autoassigned line

· Voicemail alias and voicemail display name

· Email ID and display name

· The MAC address

· The service area

· The phone button template

For each subscriber that has an extension mobility line and voicemail, two orders are needed for the initial deployment.

• First order:

– Extension mobility access and line

– The line type: Autoassigned line

– Phone button template

– Some provisioning attribute:

· On the line: Pickup groups, line groups

• Second order:

– Voicemail

Note: From UPM 2.1 onward, selection of the service area is the first step of the order, and this selection will limit the number of products displayed in the subsequent step.

Figure 22. Provisioning Manager Ordering GUI

Setting Up a New Cisco Unified Communications Network

Setting up Cisco Prime UPM for a new Cisco Unified Communications network is slightly different. The following describes the differences:
· Synchronization (infrastructure sync, subscriber sync, and domain sync) doesn't need to be performed the first time when the call processors, messaging processors, and domains are set up in UPM as no configurations/users exist in the call processors and messaging processors. Nightly syncs are recommended to run when users configure Cisco Unified Communications devices with both UPM and a native Cisco Unified Communications interface.
· On day 1 of voice deployments, the main activity is to roll out the new branches and cut over subscribers from the older PBX network to the VoIP network. Templates (Figures 23 and 24) can be utilized, so it is best to capture common deployment settings in templates with keywords for devices or site names. For example, with the traditional approach, a customer might have three device calling search spaces (local, international, national) set up for each site. If you have 50 sites, you might end up defining hundreds of calling search spaces repeatedly using the native Communications Manager interface. An UPM template can be configured as in the example below to allow for both consistency and reuse.

Note: The ${KEYWORD} construct allows you to create generic templates. The keyword is defined during configuration.

Figure 23. Provisioning Manager Configuration Template

Then you can further define the keyword list with each keyword defined to be a real value such as Austin, San Jose, and so on.

Figure 24. Provisioning Manager Keyword List

· Batches are used to bulk-add new users and move users to help enable easy rollouts of new offices. UPM provides sample files that contain most of the commonly used actions. The sample files are located in the <Installation Directory>/sep/ipt/config/sample/batchProvisioning folder.

Typical Problems with Setup and Operation

Things to Remember When Using Batch Files

Batch action files must contain a single row of column headers. The data columns can be in any order, but must be in a tab-delimited text file, not in comma-separated value (CSV) format. You can compile the data in any text editor, provided that the resulting file conforms to these guidelines. For example, you can create batch files in a spreadsheet and then export them as tab-delimited files.
UPM provides sample files that contain most of the commonly used actions. The sample files are located in the <Installation Directory>/sep/ipt/config/sample/batchProvisioning folder.
Please also make sure that none of the data values contain a comma in your template creation, as the comma causes the parsing of the template to fail.
A certain minimum set of fields is required for every batch file. Some types of batches need more fields. Table 8 describes the minimum fields required for every batch action file.

Table 8. Minimum Required Fields for a Batch Action File

Order Type

User ID

Product Name

Service Area

add

tsmith

xxxxx

San Jose

The Domain field is optional but recommended.
Table 9 describes the minimum fields required for new users.

Table 9. Minimum Fields for New Users

Order Type

User ID

First Name

Last Name

Domain

Product Name

Service Area

add

tsmith

Tom

Smith

westcoast

xxxx

San Jose

The FirstName field is optional but recommended.
For changing line batch operation, the following fields need to be there:

• OrderType

• UserID

• ProductName

• Domain

• ServiceArea

• Directory Number

• Route Partition

When creating batch action files, keep in mind the following guidelines:

• MAC address is required when ProductName is Phone (or a bundle containing a phone) and Phone Type is not a virtual phone (for example, CTI Port)

• New MAC address is required when changing phones

• Object name is required when canceling products

• Phone button template is required when ProductName is Phone (or a bundle containing a phone) or Extension Mobility Access (or a bundle containing an extension mobility access) and Phone Type is not a virtual phone (CTI Port) and when ordered in a service area associated with Cisco Unified Communications Manager only

• Cisco Unity devices (Cisco Unity, Cisco Unity Connection, and Cisco Unity Express) do not support all products and services. If the batch action file is configured for a product that is not supported by the device in the specified service area, batch provisioning will fail

• Product attributes that require user input during the manual order entry process are required to successfully complete the equivalent order in a batch project. Examples include:

– Phone Type: Type of phone (for example, Cisco 7960, Cisco 7912) if ordered product is a phone or a bundle that contains a phone

– Line Type: Type of line (for example, autoassigned line or chosen line) if ordered product is a line or a bundle that contains a line

– Directory Number: Required when ProductName is Line and Type is Chosen Line. Additionally, ordering a product with a dependency that is not met by the order itself (for example, ordering a single line) requires a column specifying the dependent object

– Route Partition: Required when ProductName is Line and Order Type is Change

For additional guidelines, please refer to the User Guide for Cisco Prime Unified Provisioning Manager at http://www.cisco.com/en/US/docs/net_mgmt/cisco_unified_provisioning_manager/1.3/user/guide/infrstct.html#wp1150270.

Dealing with LDAP-Integrated Cisco Unified Communications Manager

Cisco Prime UPM supports LDAP-integrated call managers for Communications Manager Versions 5.x and later. When adding an Active Directory-integrated Communications Manager to UPM using the CallProcessor wizard, you have the option of selecting the LDAP directory integration to be one of synchronization or of synchronization and authentication. This value must exactly match the value configured in Cisco Unified Communications Manager. If Cisco Unified Communications Manager is integrated with an external LDAP, subscribers are not created through UPM; instead they are synchronized through Cisco Unified Communications Manager. When placing an order in UPM, if a subscriber is not available on Cisco Unified Communications Manager, the workflow subsystem waits for a predefined period of time (24 hours by default) for the subscriber to be available on Cisco Unified Communications Manager and then continues processing the order. The 24-hour period can be configured on UPM in the ipt.properties file. Change the following two settings and restart Cisco Unified Provisioning Manager:

• dfc.oem.extdir.retries: 24

• dfc.oem.extdir.retry_interval: 3600

If a user is added into Active Directory, the user needs first to be synchronized to Communications Manager, and then the user can be synchronized from Communications Manager to Cisco Prime Unified Provisioning Manager. How long it takes to get the user into Cisco Unified Provisioning Manager depends upon a couple of things:

• How often Communication Manager does the synchronization from Active Directory (which is configured on Cisco Unified Communications Manager), and

• Whether a synchronization from Cisco Unified Communications Manager to UPM is performed to automatically pull in the user to a domain, or whether a user is manually added in Cisco Prime Unified Provisioning Manager

To avoid performing UPM syncs after a user is added in Active Directory, a user can be added in both Active Directory and UPM in parallel. With UPM 2.1, you can also enable UPM LDAP sync to import users directly from LDAP. When services are ordered in UPM, the services will not be activated until the Active Directory to Communications Manager synchronization happens. But in this case, it is not necessary to do a UPM subscriber sync after a user is added in Active Directory.

Behaviors for Adding/Deleting Subscribers in UPM and UCM (Non-LDAP-Integrated UCM)

If you add a new subscriber in UPM, pseudo-subscriber or not, the user initially exists only in UPM.
When you provision services for a pseudo-subscriber, only the phone settings get provisioned into Cisco Unified Communications Manager. When you provision services for a real subscriber, the subscriber is created in UCM and the phone settings get provisioned into UCM.
If you create a new subscriber in UCM, it will usually get into UPM after subscriber and domain sync. But if you have sync rules such as "AssociateUsersByDevicePool" or "AssociateUsersByDevicePool" set up for a domain, then the subscribers without phones will not show up in UPM. You will have to manually add those subscribers into UPM.
If you delete a subscriber in UCM, UPM will not know it immediately because UCM does not have a notification function. After subscriber sync and domain sync, UPM will remove the service association from the subscriber. Phone services are not longer associated with the user. You can only delete or change them through the pseudo-subscriber approach. See the section "How to Manage Phones Without Associated Users."
If people have left the company, you can cancel their services and then remove those users from UPM. UPM will remove those users along with their services from UCM. This is why you should manage your users from UPM, not UCM. All your MAC work should be from UPM.

AAA Server Integration

UPM allows end users to configure UPM to use authentication, authorization, and accounting for authentication while users are logging in to UPM. UPM will neither retrieve authorization/accounting information nor write any kind of information to the AAA servers. UPM allows the addition of LDAP servers and ACS servers (using TACACS+). Microsoft Active Directory Server 2003 is used to test LDAP support.

NAT Issues

Devices managed by UPM must have unique IP addresses. Two different Communications Managers in two different networks cannot have the same IP address. This scenario sometimes occurs in a multitenant management environment. The most common solution is to sort out unique IP addresses or use Network Address Translation (NAT). UPM only needs to reach the call processors and message processors. Phones can have overlapping addresses since UPM does not directly communicate with the phones.

To Sync or Not to Sync

Some things to keep in mind when it comes to synchronizing call processors and message processors to Cisco Prime Unified Provisioning Manager:

When UPM encounters an error while in the middle of provisioning:

– Only partially configured information will be saved to the devices.

– Manual configuration is required to the device to complete the provisioning tasks; however, the changes made manually to the device will be resynchronized to the inventory database when Cisco Prime Unified Provisioning Manager is back up again and a synchronization is requested.

What happens when Cisco Unified Communications Manager Publisher fails?

– Will not be able to access any of the information on Cisco Unified Communications Manager server or cluster. It is recommended to add only Publisher to the UPM.

What happens when UPM is being rebooted or is not available?

– Client browser shows this message: "The application server you are trying to access is currently unavailable. Please try again later."

How long does it take to sync?

– First-time synchronization for a large network (around 30,000 phones) may take as much as 22 hours for one domain.

– Second-time synchronization with 10 percent changed takes less (approximately 10 hours).

Setting Up Scheduled Sync

• It is recommended to run sync at off-peak/midnight hours to avoid impact on both Communications Manager and UPM.

• It is recommended to have a nightly sync run to help ensure that Communications Manager and UPM have the same data.

• Besides running synchronizations on demand through the appropriate Provisioning Manager functional area, you can set up scheduled synchronizations. You must use the Scheduled Tasks functionality that comes with your operating system. For detailed information on scheduling sync, please use documentation in the User Guide for Cisco Prime Unified Provisioning Manager at http://www.cisco.com/en/US/docs/net_mgmt/cisco_unified_provisioning_manager/1.3/user/guide/admin.html#wp1058592.

• There are five environment variables that should be set for the user you configured to run the sync script: DEV_DIR, EOSS_BASE, JBOSS_HOME, JAVA_HOME, and DFC_PROPERTIES.

Why Am I Not Able to See the Phones and Line Under Some Subscriber Records?

By default, services are assigned to subscribers and displayed under the subscriber record only if there are matching service area settings. For phones, UPM matches the following attributes: Device Pool, Common Device Configuration, Calling Search Space of Phone, Location, and Protocol. For lines, UPM matches the following attributes: Device Pool of Phone, Common Device Configuration of Phone, Route Partition of Line, Calling Search Space of Line, Location of Phone. Make sure you add the corresponding service areas and redo the domain sync.

Note: Direct Inward Dialing (DID) blocks assigned to the service area are not used for synchronization.

Enabling Non-RestrictedDomainSync to Reduce the Number of Service Areas

By default, services are assigned to subscribers and displayed under the subscriber record only if there are matching service area settings. The number of service areas required might be a lot based on permutations and combinations of different service area attributes. To reduce the number of service areas needed, you can enable Non-RestrictedDomainSync rule with one default service area per call processor to make sure services for all the existing users are manageable in UPM. Then you can create the new service areas to serve as service templates for UPM to manage all the new users.
Notes:

• The Non-RestrictedDomainSync always picks up the first service area from the list of service areas in the data field of the Non-RestrictedDomainSync rule and adds the service under that service area. Therefore if you have only one Communications Manager cluster, adding more than one service area to the data field will not have any effect. Only the first one will be used.

• Be aware that if you run a domain synchronization and then change the configured domain rule to Non-RestrictedDomainSync and then run another domain synchronization, any services that were not previously synchronized will be placed in a service area based on the Non-RestrictedDomainSync rule. This could result in services for a subscriber showing up in multiple service areas.

Why Did Some Subscriber Services Show Up in Multiple Locations (Service Areas)?

The services were probably already categorized under different service areas based on regular sync rules before the Non-RestrictedDomainSync rule was enabled. After the rule was enabled, it would have picked up the services that either could not be added to any customer record during previous syncs since matching service area was not found, or services that were added to the Communications Manager after the rule was enabled.
Those are the only reasons services might show up under different service areas. The only option is to delete the domain (not the call processors or Unified Message processors) and re-create the domains/service areas and then do a synchronization.

Why Doesn't the Extension Mobility Service Show Up in the Subscriber Record?

Please check the following:

• Make sure you have Extension Mobility Service subscribed for the subscriber.

• Make sure the service name defined in Provisioning Manager is the name of the Extension Mobility Service configured on a call processor.

• Make sure the service URL defined in Provisioning Manager is the Extension Mobility Service configured on the call processor: http://<IPAddress>/emapp/EMAppServlet?device=#DEVICENAME#
Where <IPAddress> is the name or the IP address of the server where Extension Mobility is installed.

How to Batch-Create Service Areas

Bulk service area management allows you to create multiple service areas in one batch action. In the /sep/ipt/config/sample/batchProvisioning folder, there is a sample file called AddServiceArea.txt. Users can modify that sample file and load it into UPM through batch provisioning to create multiple service areas in one shot.

Note: In UPM 2.x, the support for batch service area configuration only covers the attributes that you see in the first screen of the service area UI configuration page, which does not include (1) the directory number block configuration and (2) the provisioning attributes configuration that you see in the UI. Due to usability and navigation issues, no more than five phones per user are recommended.

Moving Users Between Domains or Services Between Service Areas

Once a subscriber is added to a domain in Cisco UPM, subsequent syncs do not move subscribers from one domain to the other even if changes are made to the key properties that dictate to which domain the subscriber should be added. UPM 1.3 introduced a new batch action file column for deleting users: OnlyFromCUPM. If this column is enabled (set to Y), any services on the subscriber record for the user will be moved to the Global Resources namespace, and the subscribers or their services on the actual device (the call processors or message processor device) will not be removed. If this column is not enabled, the user will be removed from both Provisioning Manager and the device.
This provides you with a way to move users between domains or move subscriber services across service areas. To move users between domains, a batch action file for deleting users can be created as shown in Table 10.

Table 10. A Batch Action File for Deleting Users

Order Type

User ID

Product Name

Domain

Only From CUPM

Service Area

deleteUser

tsmith

*

westcoast

Y

*

* Leave these fields empty (even if something is entered, it will be ignored).
After the batch project is executed, another batch action file for adding users can be created as shown in Table 11.

Table 11. A Batch Action File for Adding Users.

Order Type

User ID

First Name

Last Name

Domain

Product Name

Service Area

addUser

tsmith

Tom

Smith

eastcoast

*

*

* Leave these fields empty (even if something is entered, it will be ignored).
Lastly, enable AssociateOnlyExistingUsers for the desired domain and perform a domain synchronization.

Note: Removing a subscriber only from UPM can be also done through the Cisco UPM 2.0 UI. If there are services associating with the subscriber, UPM will first give you a warning; if you wish to proceed, it will remove the subscriber only from UPM.

Handling Common Directory Number Mapping Across Multiple Service Areas

There are multiple ways to deploy, depending on whether the directory numbers need to have some significance within a domain or significance within a service area.
If directory numbers can be random within the entire domain, the directory number pool can be added to each service area. The directory number allocation in UPM will check whether the directory number it would be picking out of a block has been used, so the first service area to pick a directory number will get it and the other service area will then skip it to get the next one. In this design, subscribers get the next available number in the pool.
You may also allocate directory number blocks based on the calling search spaces setup or how many users are expected within a service area. In this case, some network planning needs to be done to decide how to allocate directory numbers. This option may be useful if each service area is to use certain ranges of directory numbers. For example building 1 is in SA1 and has extensions with 1xxxx, and building 2 is in SA2 and has extensions with 2xxxx.
In either case, you can have multiple directory number blocks per service area to fine-tune how the numbers get allocated.

Working with TAPS

The Tool for Auto-Registered Phones Support (TAPS) feature is supported on Communications Manager 4.x, 5.x, and 6.x. So far it is suggested to be used in conjunction with the Bulk Administration Tool (BAT) to provide two features:

• Update MAC addresses and download predefined configuration for new phones.

• Reload configuration for replacement phones.

When new phones are added to Cisco Communications Manager, TAPS works in conjunction with BAT to update phones that were added to BAT using dummy MAC addresses. After BAT has been use to bulk-add the phones with dummy MAC addresses to Cisco Communications Manager Administration, one can plug the phones into the network. The user can dial a TAPS directory number that causes the phone to download its configuration. At the same time, the phone gets updated in Cisco Communications Manager Administration with the correct MAC address.
For the first case, instead of using BAT to provision the phones with dummy MAC addresses, UPM is extended to be able to provision these phones. During phone order entry, a choice box is presented to the user indicating whether this phone should use a dummy address (only available to users with advanced assignment role). Possible values are "Y" and "N" (default). When the user chooses "Y", the MAC address field will be hidden (and anything previously entered in that field will be cleared) to prevent the user from entering additional values. During order processing, UPM will generate a dummy MAC address that is not currently used in the system. The dummy MAC address assigned by UPM will be an internal MAC address that is not valid in the public domain. UPM will use a specific prefix for the MAC address (first three octets).
For the second case, if Communications Manager TAPS is configured to "Allow Auto-Registered phones to reset with any profile", the user can switch to a new phone simply by using the TAPS feature. UPM just needs to sync back the changes. If Communications Manager TAPS is configured to "Allow Auto-Registered phones to reset with a profile with dummy MAC address", the user can use UPM to change the MAC address of the existing phone to a dummy MAC address and use the same procedure to get the physical MAC address of the new phone updated in Communications Manager.
After a phone with a dummy MAC address is registered, the subscriber needs to be synchronized in order to get the new MAC address. Alternatively, subsequent UPM subscriber and domain sync will bring the system to the latest state.
For batch provisioning, if the product attribute "use DummyAddress" with the value "Y" is provided (value "N" instructs UPM to use existing logic), UPM will ignore the MAC address in the batch file (if presented) and generate a dummy address.
In the subscriber record, the phones configured for TAPS won't be showing any special attribute to indicate that. The only way the user will be able to find that a phone is configured for TAPS is by looking at the device name string next to the phone in the subscriber record, which will show a different prefix ( BAT instead of SEP). This will happen only until the TAPS phone logs in to the TAPS application and gets the real address and a subsequent subscriber and domain sync has been done.

How to Manage Phones Without Associated Users

UPM supports management and provisioning of phones that are not assigned to users. When users need to order products for some lobby or conference room, they can log in as admin and add a user with the pseudo-subscriber role and then use the UPM order system to order phone, line, voicemail, email, and other products for this user. To manage existing phones in Communications Manager that don't have any associated users, users can export orphan phones of one domain or of some call processors in a domain in a change owner batch file (Figure 25 and Table 12). Users could edit the file if needed and upload back into UPM through batch provisioning. Users must run a domain sync to get the orphan phones and dependant products as line, voicemail, and email created in the customer record.

Figure 25. Domain - Export Phone Without Associated Users

Table 12. Sample Change Owner Batch File

Order Type

Domain

ServiceArea

Processor Name

ProductName

User ID

New User ID

New First Name

New Last Name

MAC Address

Subscriber Type

Change

Domain_1

 

CCM1

Phone

 

pseudo

-55001

 

Conf_1

00000010001

Pseudo

Change

Domain_1

 

CCM1

Phone

 

pseudo

-66001-RP1

 

Lobby

00000010002

Pseudo

Change

Domain_1

 

CCM2

Phone

 

pseudo

-SoftPhone_1

 

SoftPhone_1

SoftPhone_1

Pseudo

Note: For optimal usability, it is recommended that you do not assign more than five phones to a single subscriber (pseudo-users or real users).

Using Cisco IOS Templates to Provision Communications Manager Express/Cisco Unity Express/SRST/Cisco IOS Devices

• UPM supports some functions without templates:

– Communications Manager Express: Create users, phones, and lines.

– Cisco Unity Express: Create users and voicemail boxes.

• Cisco IOS template support:

– The Cisco IOS template is a freeform text box that allows commands to be entered and then pushed to the target integrated services router device.

– Commands can have keywords typed in and then a keyword list is created.

– Templates exist in the infrastructure configuration and can be used with any user-assigned keyword.

– Templates also exist as provisioning attributes to phone and line. These templates have predefined keywords FIRSTNAME, LASTNAME, DIRECTORYNUMBER, and USERID.

– A Cisco IOS Software write is executed at the end of each template to save settings on the integrated services router device.

• Caveats for using Cisco IOS templates for Communications Manager Express/Cisco Unity Express/Survivable Remote Site Telephony (SRST)/Cisco IOS devices:

– All CLI commands entered must be syntactically correct.

– Commands (for example, exit) that change the line configuration mode should not be used.

– Do not use line configuration commands (for example, number or description) in this template. They will overwrite the configuration done by Provisioning Manager when provisioning the line product.

– Do not use phone configuration commands (for example; mac-address, description, button, type, or username) in this template. They will overwrite the configuration done by Provisioning Manager when provisioning the phone product.

– Keywords must be unique and not match any Cisco IOS command tokens or settings. It is recommended that keywords be proceeded with a dollar sign to assure uniqueness.

– Templates do not have a provision for interactive responses.

– The button command can only support ":".

– Can send integrated services router setup commands for SRST through the CLI template function but must set up SRST on Cisco Unified Communications Manager through the Cisco Unified Communications Manager GUI interface. (No AXL support is provided for provisioning SRST in Cisco Unified Communications Manager using Cisco Unified Provisioning Manager.)

Windows Security Patch Update

We also internally apply critical security patches when they are recommended by our network administrators. Since it is not possible to predict critical patches in advance, we leave this level of discretion to the customer. We do not recommend that automatic updates be enabled.

Changing IP Address of UPM

To change the IP address of Cisco UPM, please follow the procedure documented in the User Guide for Cisco Prime Unified Provisioning Manager at http://www.cisco.com/en/US/docs/net_mgmt/cisco_unified_provisioning_manager/1.3.1/user/guide/admin.html#wp1098959.

Troubleshooting the Most Common Licensing Problems

Problem
UPM is in Eval mode but there is an add-on license in the license directory.
Recommended action
Customer forgot to order and install the image license; obtain an image license and put it in the directory.
Problem
Phone count is incorrect but call/message processor count is correct.
Recommended action

• If there is no phone add-on license, obtain an add-on license and put it in the license directory.

• If one or more of the add-on licenses has an incorrect MAC address, rehost the incorrect MAC address licenses to match the server.

Problem
Phone count is different than the customer expected in the UPM license audit GUI.
Recommended action
· Look at the licenses in the license directory.

a. Remove any that are expired or for the wrong revision (1.0).

b. Make sure all MACs match and match the server MAC. Copy all that don't to a temporary directory. The customer needs to rehost these.

· Look at what is left.

a. Count up all B add-on license phone counts; call this Count A.

b. If present, determine how many 1.x phone counts can be upgraded to 2.x.

• Count up all 1.x license phone counts (from the ipt_phone_max field).

• Count up all B upgrade license counts (from the ipt_phone_max field).

• The smaller of these two numbers is the upgrade entitlement, Count B.

c. Add Count A to Count B to get the number of phones UPM should support.

d. After rehosting bad MAC licenses and putting them in the license directory, redo the count to see what the new phone count is.

Note: UPM checks its database every minute to count the total number of MACs that have been synchronized from publishers. The customer is expected to buy a license that covers all the phones to be managed. If the phones synchronized in the database exceed the phone counts allowed by the license, UPM will not allow another phone to be added (a new order related to adding a phone will fail) until the user removes additional phones from the system or adds additional phone licenses to get the license level raised to manage more phones.

Frequently Asked Questions

What Is the Set-Only Provisioning Attribute?

Set-Only is a provisioning attribute that contains a collection of attributes as follows:

• UPM only provisions the settings on the device, but does not sync and manage them in the Cisco UPM database.

• UPM does not support validation for their values.

• Brief description and data format are provided for each Set-Only attribute by i (information) icon on UI.

• Supported assignment levels are service area, domain, and user type.

• These attributes can be set for phone, line, extension mobility line, and extension mobility access products.

What Northbound APIs Were Introduced in UPM 2.0?

UPM 2.0 exposes northbound APIs to allow Cisco and third parties to integrate with external applications such as human-resource systems, custom/branded user portals, other provisioning systems, and directory servers. The Provisioning Manager northbound interface provides the following:

• The ability to submit work orders for infrastructure products

• The ability to query Provisioning Manager inventory

• The ability to submit a Provisioning Manager work order

• Management of Provisioning Manager infrastructure (devices, domains, and service areas)

• The ability to configure products

• Management of subscriber objects

• The ability to configure subscriber services

• The ability to submit work orders for subscribers

• The ability to submit get list work orders

• One entry point for client systems to issue commands to Provisioning Manager

• The ability to use HTTPS for transport

• The ability to receive results from asynchronous requests using WS-Notification specification recommendations

• The ability to retrieve list data using WS-Enumeration specification recommendations

• Query for status of any northbound interface request accepted by the Provisioning Manager server

• The listProductAttributeChoice request, which provides real-time choice lists for product configuration

• The ability to list SRST phone information

• The ability to get work order summary information for a specified time period

• The ability to execute a Cisco IOS command template on a device

• A Software Development Kit (SDK) for client development support in both Java and Perl

Note: UPM northbound API requires the API license to activate the feature. There is no northbound interface request for setting the domain synchronization rules; you must do so through the Provisioning Manager user interface.

Does UPM Support Lotus Domino Unified Messaging with Cisco Unity/Cisco Unity Connection?

No, UPM doesn't support Lotus Domino Unified Messaging with Cisco Unity/Cisco Unity Connection.

How Many Concurrent Users Are Possible?

There is nothing inherent in the code that limits the total number of administrators. Generally, the number of concurrent users (users placing orders with screen refreshes) is affected by the available performance. The number of logged in web clients is limited only by the amount of RAM and the Apache defaults. The recommendation is to allow 5 users concurrently.
Further description related to usage patterns and concurrent logins is given below:
UPM can be used to allow level 1 admins to perform general maintenance to a subscriber base. The subscribers could be broken up into groups and one or more groups could be assigned to one or more admins to manage.
UPM's operating characteristics are much like a Internet website. Lots of people can be on, most can be looking, but usually only a few are doing something that causes the website to do some background work. UPM will service the work based on performance available.
Are some of the changes across many subscribers? You have the option to build up a spreadsheet of changes and bulk load them into UPM to process. This might be to add 100 new subscribers and their services or change 50 phones to a newer model at an existing site. So some work can be done in bulk instead of needing to be done by a bunch of admins.
For northbound API requests, a maximum of 20 requests can be executing at any one time. Additional requests will be rejected; they will not be queued.

How Does UPM Autoassign DID?

When UPM goes to use a directory number out of a DID block, it first checks to see if it is already used (assumption here is that it is in sync with the Communications Manager). If it is used, it skips that one and gets the next number until it finds an unused one. So if users assign a pool of 5000 for autoassignment and 1200 of those were already used, it won't hand out duplicates.

Can I Copy the Settings from One Phone to Another Phone?

Yes. With UPM 2.0, users can provision a new phone with settings that are the same as those on an existing phone, except for directory number, MAC, device description, and name-related fields. When a phone is copied, no services (lines, voicemails, or emails) on this phone are copied to the new phone.

Note: Feature is only available to users with advanced ordering role. Batch provisioning and API are not supported for this feature.

What Is the Number of Clusters Supported in UPM?

There is no upper limit for the number of cluster supported in Cisco Prime UPM.

Is Secondary Logon Service Needed at Run Time?

The Windows Secondary Logon service is needed for Postgres installation but it is not needed at run time.

Can UPM Manage Users on Cisco Unity Who Do Not Have an Account on Communications Manager?

No.

Can UPM Support Communications Manager Business Edition?

Yes, with the limitation that each user can only have one voicemail and email in Communications Manager Business Edition. Also a combination of Communications Manager with Cisco Unity Connection in Communications Manager Business Edition is not supported.

Can UPM Reset an Existing Extension Mobility User PIN?

Yes. UPM can reset the Cisco Unified Communications Manager password and PIN, which is also the extension mobility PIN.

What Happens If a UPM User Tries to Update a Subscriber Password and the UCM is LDAP Integrated?

If UCM is integrated with LDAP, UPM doesn't show an option to change the subscriber password on UCM but will still show an option to change the subscriber PIN on UCM. This is because the PIN is still stored locally in UCM. If the user has services on both LDAP-integrated and non-LDAP-integrated UCM then UPM will still show the option to change the subscriber password on UCM but will apply the change only to the UCM that is not integrated with LDAP.

Are the Configuration of 7916 Sidecards and VG224 Analog Voice Gateway Lines Supported in UPM?

The 7916 sidecards are supported, but VG224 Analog Voice Gateway lines are not. The 7916 sidecards won't be shown as top-level products, but when you order a phone, they will show up in the Advanced Order Configuration section under the attribute "Module 1" and "Module 2."

Does UPM work with TAPS (Tool for Auto-Registered Phones Support)?

TAPs does not work with UPM, it works with CM. UPM can create a phone with a dummy MAC address and provision CM.
Subscriber plugs in the phone and TAPs manages to collect the MAC and userID. The TAPs server is used to get the MAC into CM and will switch the real MAC for the dummy MAC. UPM will sync in the MACs from CM. UPM will match up the dummy address's of the phones with the real MACs and put it into the subscriber record. Now CM and UPM will show the correct MAC for the subscribers phone.

What are the bandwidth requirements for different user scenarios in UPM?

Bandwidth requirements are very low in nearly all cases.
1. Browser to UPM

Data transfer is very sporadic, only when requested. UPM does not use a lot of fancy graphics or flash presentation. Mouse clicks and typed text are generally passed from the browser to UPM and a fairly simple screen is presented back to the browser. In the case of provisioning through the wizard, if the admin does not manually refresh the screen, it will refresh once a minute. When a new screen is requested UPM will require between 5K bytes and 300K bytes to get the new screen. When nothing is being updated on the browser screen bandwidth is essentially zero.

Worst case per admin logged in budget: 500K bytes burst every 5 seconds when ordering services, provisioning infrastructure or doing a search, for the duration of the task.

300K byte burst every 1 minute when admin is not using UPM only when the admin has left a screen visible that would normally receive an auto update (such as a subscriber record), otherwise this is zero bytes per second.

2. UPM to managed device.

A. During sync

UPM will use the available bandwidth so more bandwidth means shorter sync times. Both UPM and CUCM have throttling mechanisms to prevent either from overrunning the other. Many large customers deploy one UPM and sync worldwide clusters.

B. Provisioning CM or other UC application

During the actual time provisioning is being done, UPM will use the available bandwidth to perform provisioning. Provisioning runs as a background process.

C. Talking to routers
This is IOS oriented telnet type traffic. Small bursts and uses what bandwidth is available. 2400bps to 9600bps is sufficient.

D. All other times
Little or no traffic occurs.

Timeout values are in multiple minutes so loss of connectivity for short periods of time are tolerated. There are no sub second latency requirements to engineer into your network design to accommodate UPM. UPM uses a two phase commit to complete orders so if an order is in progress when a link failure occurs and subsequently times out, UPM will not mark the order complete, rather it will attempt to provision the order again when the link is reestablished UPM will start the order again. When complete it marks the order complete.

Troubleshooting Tips

Install or Upgrade

Problem
Install fails - "msiexec failed with 1625".
Recommended action
The user installing UPM does not have Windows administrator privileges and so cannot create a Windows user account. Clean up the machine, log in as administrator, and try installing again.
Problem
Install fails - "msiexec failed with 1603".
Recommended action
Please check the following:

• Cisco Security Agent is not running

• Windows Secondary Logon service is running

• There is a group named Users

• Service Pack 1 or Service Pack 2 is installed

Problem
Upgrade fails - "The system is not in a safe state to upgrade at this point. For more details, please check the install.log file."
Recommended action
This indicates that one of the conditions for the system to be in safe state has failed.

• No orders are in the Released state

• All workflows are in the Finished state

• No infrastructure, subscriber, or domain synchronizations are running

• No batch projects are running or are in the active state

Check the ${installLocation}/install.log file for one of the following messages and correct the condition for the upgrade to continue:

• WARNING: At least one domain synchronization is running

• WARNING: At least on one device, either subscriber or infrastructure synchronization is running

• WARNING: At least one batch project is in running/active state

• WARNING: At least one order is found in released state with extended status not in unrecoverable error

Problem
Upgrade fails - "Database connection could not be made. Database service may be down, so the upgrade cannot be continued."
Recommended action
Go to Control Panel à Administrative Tools à Services à cupmPostgreSQL service.
Select the service, right-click it, and start it.
Problem
Upgrade fails - "WARNING: At least one order is found in released state with extended status not in unrecoverable error."
Recommended action
One of the upgrade requirements is that there should be no pending orders, that is, any orders in the RELEASED state and not in UNRECOVERABLE ERROR status. Please go to the Provisioning Dashboard à Manage Orders à Search Orders and search for all orders (by leaving all fields blank). Look at the "Status" and "Extended Status" columns for any orders in meeting the above criteria. Take necessary action to move them away from that state.

Communications Manager Synchronization

Problem
Cisco Unified Communications Manager Infrastructure sync fails - "Host or service not found".
Recommended Action
Please make sure there is network connectivity between the Cisco Unified Provisioning Manager server and the Cisco Unified Communications Manager. If so, then make sure that the Cisco Unified Communications Manager AXL web service is enabled.
Problem
Cisco Unified Communications Manager 6.0.1 subscriber sync fails - "Attribute `SOAPAction' is not allowed to appear in element `SOAP-ENV:Header'."
Recommended Action
The problem occurs if a new device pack for a new phone model support is installed on Cisco Unified Communications Manager 6.0.1. This is a known Communications Manager issue (CSCsj38775), which is fixed as of version 6.1. A Cisco Unified Communications Manager 6.0.1 Early Release can also be requested.
Problem
Cisco Unified Communications Manager 6.0.1 infrastructure sync fails - "A device error occurred, please check NICE log to determine the problem."
Recommended Action
Cisco Unified Communications Manager is sending an unrecognized namespace. There is a service parameter on Communications Manager that decides the namespace sent in the response. It should be set to true:
1. Log in to the Cisco Unified Communications Manager user interface with the following URL: http://<Communications Manager ip address>/ccmadmin. Credentials should be the same as the ones that are provided in UPM while adding the call processor.
2. Go to System à Service Parameters.
3. Select the correct server in the Server pull-down menu. In the Service pull-down menu, select Cisco Database Layer Monitor.
4. The page refreshes; click the Advanced button at the bottom of the page.
5. In the parameter names section, set the value of the parameter Send Valid Namespace in AXL Response to true. Save the new value.
After doing the above, restart the Cisco Unified Communications Manager services:
6. In the pull-down Navigation menu at the top right corner, select Cisco Unified Serviceability and click Go.
7. Go to Tools à Service Activation.
8. Select the correct server, and you should see a list of services.
9. Deactivate and activate this service: "Cisco AXL Web Service".

Communications Manager Express and Cisco Unity Express Synchronization

Problem
Communications Manager Express Infrastructure sync fails.
Recommended Action
UPM tries to establish a successful Telnet or SSH connection. UPM requires a direct Telnet connection to Communications Manager Express. Please try to create a direct Telnet session with the Communications Manager Express IP address from UPM server and check if that works. If it fails, please look at the nice.log file for more details. Check if you have entered the correct Telnet credentials in UPM and make sure that the Communications Manager Express device is configured to support at least four Telnet sessions.
Problem
A service area with Communications Manager Express assigned won't save because it requires a device pool.
Recommended Action
Communications Manager Express does not have a device pool; however, to be consistent with call managers, it uses a default device pool. Please select Default_Communications Manager Express to create the required service area.
Problem
Cisco Unity Express infrastructure or subscriber sync fails - "Failed to create a session with Cisco Unity Express module".
Recommended Action
The Cisco Unity Express module allows only one connection, and UPM is not able to establish a Telnet session on the Cisco Unity Express module. Close all open Telnet sessions with the Cisco Unity Express module and try again.
Problem
Infrastructure or subscriber sync with Cisco Unity Express fails - "Access Denied, Please check Username/password".
Recommended Action
UPM was unable to create a Telnet or SSH session with the host router or Cisco Unity Express module due to the following:

• Incorrect device protocol

• Incorrect access password or passwords

• The host router device is set up to use special device prompts

We recommend the following action:

• Check the host router configuration to see whether it is set to use Telnet, SSHv1, or SSHv2. Update the protocol selection in UPM.

• Get the correct Telnet passwords for the host router device and Cisco Unity Express module and update the device passwords in UPM.

• If your Cisco Unity Express host router device is set up for custom TACACS authentication prompts, check the device authentication prompts and add the prompts in the configuration file in the <Install Dir>\sep\ipt\config\ios\DevicePromts.ini file and restart UPM.

• Check the "line vty" configuration on the host router and make sure it is configured to handle at least five or more Telnet connections.

• Close all open Telnet connections with the host router device to make the connection available for Cisco Prime Unified Provisioning Manager.

Cisco Unity and Cisco Unity Connection Synchronization

Problem
Cisco Unity Connection 1.1 infrastructure/subscriber sync fails - "IPT-0200: Communication Failure. Please check your network connectivity."
Recommended Action
This error happens if the IP address for the Cisco Unity Connection device is not reachable or if the TCP/IP port on SQL Server (used for JDBC connection) is not accessible. For the Cisco Unity Connection 1.1 case, the firewall on the Cisco Unity Connection device typically blocks the port for the Cisco Unified Communications case. Please make sure that the firewall allows traffic to go through the SQL Server TCP/IP port. Note that the port on Cisco Unified Communications is different from that of Cisco Unity; it's typically 1431 by default.
Please check the port number by going to the SQL Server Properties screen.
Click the Network Configuration button on the SQL Server Network Utility screen, select TCP/IP from the list of Enabled Protocols, and click Properties. The default port is listed there.
Problem
Cisco Unity infrastructure/subscriber sync fails - "Access Denied. Please check username/password."
Recommended Action
1. Make sure that the entire SQL Server is configured for both Windows and SQL Server Authentication. Please use the following steps:

a. Expand Enterprise Manager.

b. Find your server name in the tree on the left.

c. Right-click the server name and select properties.

d. Click the Security folder. Make sure that SQL Server and Windows is checked for the authentication.

2. Create a new database user (check the User Guide for Cisco Prime Unified Provisioning Manager for details).
3. Verify the TCP/IP port used by Cisco Unity:

a. On the Cisco Unity system, select Start à SQL Server à Enterprise Manager. The Enterprise Manager appears.

b. From the menu, click Action. Then select Properties. The SQL Server Properties (Configure) dialog box appears.

c. In the General tab, click Network Configuration. The SQL Server Network Utility window appears.

d. Select TCP/IP, and click Properties.

e. In the window that appears, the default TCP/IP port is displayed. Make sure this port number is the one provided in Provisioning Manager.

4. Make sure the newly added username and password get updated on Provisioning Manager.
If the Cisco Unity device is running Microsoft SQL Server Desktop Engine without Enterprise Manager installed, you have two options to install Enterprise Manager:

• Use Enterprise Manager from another server and register to the one where the new user is required. After registering, create the new user.

• Customers can install the component by running the SQL Server 2000 install by following the steps in "To install client tools only for SQL Server 2000" at
http://msdn.microsoft.com/en-us/library/aa197918(SQL.80).aspx.

Batch Operations

Orders

Problem
Unable to cancel an order in the Hold state.
Recommended Action
The Hold state is a valid state for an order. An order goes to this state if the user selects Abort the remainder of the order from the workflow process manager when an order has encountered a failure. This is equivalent to canceling the order after a recoverable or unrecoverable error, indicating to the system not to process the order any further. No action, such as cancel, can be taken on an order in this state as it has run its course of processing.

Call Pickup Group

Problem
CPG provisioning too slow.
Recommended action
There might be multiple provisioning requests being sent to the UCMs for each directory number in the CPG. It is recommended to separate the directory numbers into multiple chunks and to update the CPG chunk by chunk.

LDAP Synchronization

Problem
After synchronizing a user from an LDAP server, you cannot log in to UPM with that user.
Recommended action
UPM creates login accounts for users only if the CreateSelfCareAccounts rule is enabled while creating that user. So delete that user in UPM, enable the CreateSelfCareAccounts rule and run the LDAP sync again so that the user is created again. Now try to log in to UPM with that user.
Problem
After you successfully run an LDAP sync, user details (updated in LDAP) are not getting updated in UPM.
Recommended action
Customer has probably set the Update Existing User Details field to "Do not update." In this case, UPM will not update any existing users' details. Change the value for the Update Existing User Details field to "All fields" so that all the existing users' fields are updated during the sync.

Cisco Unified Computing System

Problem
UPM seems unstable with processes like NICE Server crashing in a Cisco UCS environment.
Recommended action
Check all the versions of the underlying components against the Cisco UCS supported list.
If the versions are not certified, upgrade the hardware, firmware, and software versions to the following:

• Cisco UCS firmware version 1.1.(1j) or an approved later version

• VMware ESXi 4.0 U1 (4.0.0, 219382 or later)

• VMware vCenter 4.0 (Build 208111 or later) - recommended, not mandatory

Others

Problem
A service area or processor deletion was performed, and the affected subscriber records are now out of sync.
Recommended Action
Domain sync needs to be executed after performing the delete operations to clean up and reassign the products accordingly.
Problem
Failed to order "Extension Mobility Access" product - `IPT-0500: Object Not Valid'.
Recommended Action
This can be due to the extension mobility services on the call processor not being properly configured according to the setup on the Cisco Unified Communications Manager. Check that the extension mobility services defined match those on the Cisco Unified Communications Manager.
Indication
MAC Address of analog phone is not updated in subscriber records.
Problem
Updating the MAC Address of the voice gateways will update all the associated phone's MAC addresses. However, if the user does not perform a domain synchronization, subscriber records will not be updated.
Recommended Action
User has to perform the domain synchronization. Domain sync should always be performed after the MAC address of the gateway reference is changed.
Indication
Analog phones are removed on Communications Manager but are still shown in subscriber records in UPM.
Problem
Deleting the voice gateways from UPM will in turn delete all the associated analog phones. However, if the user does not perform a domain synchronization, analog phones in the Subscriber records will not be removed.
Recommended Action
User has to perform the domain synchronization.
Indication
Analog Phone type is not shown in phone type dropdown in the subscriber order entry page.
Problem

• Voice gateway references are not added to that service area.

• Analog phone is not orderable for the subscriber type.

Recommended Action

• Add voice gateway references to that service area.

• In case of an upgrade UPM system, analog phone needs to be associated to a subscriber type.

Indication
After provisioning Analog Phone from UPM you cannot see the voice port and dial peer configurations in the voice gateway.
Problem
Voice gateway is not registered with UCM.
Recommended action
Using the "Generic IOS Router Pre-Built" configuration template, the required configuration can be set in the voice gateway to get registered with UCM.
Troubleshooting - Voice gateway and Analog Phone Provisioning
Indication
Voice gateway references chooser in the service area UI does not show gateways.
Problem
· Infrastructure sync of UCM has not been performed.
· Slot and subunit of voice gateway is not configured.
Recommended action
· Perform Infrastructure sync of UCM.
· A value must be specified for the slot and subunit of the gateway. This can be configured from the Infrastructure Configuration UI or UCM UI (then perform infrastructure sync).