The Cisco Jabber mobile client for Apple iOS devices, such as the iPhone and iPad, enable smartphones and tablets to make and receive enterprise calls with voice or voice and video over IP. The Cisco Jabber mobile client application with Apple iOS device registers and communicates with Unified Communications Manager (UCM) that uses the Session Initiation Protocol (SIP) signaling protocol.
The Cisco Jabber mobile client also enables additional features, such as corporate directory access, enterprise visual voicemail, and in some cases, enterprise instant messaging, and presence.
This document provides information and a configuration example for AnyConnect with the Jabber On-Demand feature for Apple iOS devices.
The Cisco Call Manager Server should be prepared to support Cisco Jabber from Apple iOS devices. Refer to these resources for more information.
Connect On-Demand supports only certificate-authenticated connections; the certificate authentication is not covered in this document. Before you begin, be sure to:
- Confirm you have a valid secure socket layer (SSL) certificate installed in the mobile device.
- Confirm the Adaptive Security Appliance (ASA) is enrolled with a valid SSL certificate.
- Confirm the ASA is set up to authenticate the session with the use of certificates.
Ensure that you meet these requirements before you attempt this configuration:
- AnyConnect Premium or AnyConnect Essentials license.
- AnyConnect for mobile license.
Refer to What ASA License Is Needed for IP Phone and Mobile VPN Connections? for further details.
The System Requirements might be different dependent on the Jabber version. Refer to the Release Notes for the exact requirements.
The information in this document is compatible with these software and hardware versions:
- Cisco Unified Communications Manager (CUCM) 7.1.5, 8.0.3, 8.5, 8.6, and 9.0
- AnyConnect Secure Mobility Client version 2.5.5130 and later
- Cisco ASA 5500 Series Adaptive Security Appliance Version 8.4(1) or later
- Cisco Adaptive Security Device Manager (ASDM) Version 6.4 or later
- iPhone model 3GS, 4, 4S, and 5
- iPod Touch third, fourth, or fifth generation (third-generation iPod Touch requires an external microphone for calls)
- iOS support: iOS 5, 6, and 6.1
- iPad 2 or the iPad with Retina display
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
AnyConnect with Jabber On-Demand Feature
Many administrators like the idea that the Jabber application automatically triggers the VPN connection when it is needed.
For example, the Jabber application works fine when users are at the corporate network over wireless and VPN when AnyConnect is manually opened and connected. However, you might want to avoid user interaction and have an On-Demand feature in place.
The Jabber application first contacts the TFTP server. If it is unreachable, it then uses a DNS search to the On-Demand VPN URL defined on the TCT device in the Call Manager. It means if the client is on the corporate network, then the VPN should not be triggered. However, if the client is on an external network, then the On-Demand feature is triggered.
In order for Jabber to trigger the VPN connection automatically:
- The same URL used on the trace collection tool (TCT) devices must be used on the AnyConnect On-Demand Domain:
- The corporate network must not be directly available when users launch Jabber.
- The iPhone can connect with On-Demand access with certificate-based authentication.
- Jabber must identify a URL that is set up to launch VPN On-Demand; then you must enter the URL in the AnyConnect client; the trigger for VPN On-Demand is a failed DNS query on this domain.
In order to set up the Jabber On-Demand feature, use one of these methods:
Configure CUCM to be accessed through a domain name (not an IP address) and ensure that this domain name is not resolvable outside the firewall. Include this domain in the Connect If Needed list in the AnyConnect client connection's Connect On-Demand Domain List.
If you cannot use a domain name to access CUCM or cannot make the DNS lookup of that domain name that failed from outside the firewall, then you must enter a non-existent domain in the On-Demand URL (this fails a DNS query inside and outside the firewall). Then, add that domain to the Always Connect list in the AnyConnect client connection's Connect On-Demand Domain List.
Apple iOS establishes a VPN connection on behalf of an application only if all of these factors are true:
- A VPN connection is not already established.
- An application specifies a destination with its fully-qualified domain name (FQDN) rather than an IP address.
- The connection entry is configured to use a valid certificate.
- Connect On-Demand is enabled in the connection entry.
- AnyConnect fails to match a string in the Never Connect list to the domain request.
- Either of the following is true:
- AnyConnect matches a string in the Always Connect list to the domain request.
- A DNS lookup failed, and AnyConnect matches a string in the Connect if Needed list to the domain request.
User Experience, VPN Initiation on iOS
- The remote end-user launches the Jabber Client.
- The Jabber Client triggers On-Demand VPN, and the AnyConnect Client establishes an SSL VPN connection with the ASA VPN Gateway with Certificate-based authentication.
- Jabber connects to the CUCM using the SSL VPN tunnel as transport method.
- When the SSL VPN is established as a result of the On-Demand feature, the user does not see a popup or message. The only indication that the AnyConnect is connected is the VPN logo indicator in the top bar.
- Apple iOS provides mechanisms, such as On-Demand VPN, to automatically start the VPN tunnel for the user. However, these mechanisms do not automatically close the tunnel when the user has finished their access to the corporate network.
- Remember in AnyConnect Release 2.5.4038 and later, you can take advantage of the mobile-specific additions to the AnyConnect VPN Client Profile and configure the On-Demand attributes on the profile.
- Users cannot manually configure Connect On-Demand in connection profiles downloaded from the ASA.
- For the AnyConnect On-Demand XML Profile configuration, use the same URL that you entered for the CUCM On-Demand VPN URL.
- The SSL connection between the AnyConnect and ASA should use group-url or certificate mapping in order to select to which Connection Profile (tunnel-group) it connects; the connection should not request any user interaction in order for the On-Demand feature to work.
- Currently, Cisco Jabber IM (instant messaging) does not support the On-Demand feature. Therefore, you must manually establish the VPN connection for the IM.
Jabber On-Demand Configuration Example
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.
Step 1: Find the Domain
Find the domain the Jabber needs to use in order to trigger the On-Demand feature. This can be found when the Jabber application is opened on the iPhone, for example. Go to Settings > Internet Calling > TFTP Server. In this example, the value is cucm.cisco.com.
Step 2: Create the XML Profile
The next step is to create the XML Profile for the AnyConnect. Go to the Adaptive Security Device Manager (ASDM).
Open the profile in the AnyConnect Client Profile Editor - On_Demand, and go to Server List.
Select the Server List and click Edit.
Check the box for Additional mobile-only settings and click Edit. The Mobile Settings window opens.
On the Mobile Settings window, check the box Connect On Demand (requires certificate authentication).
Under Match Domain or Host/On-Demand Action, include the URL for the Jabber to connect and select the correct On Demand Action dependent on your needs (Always Connect or Connect If Needed).
Step 3: Download the XML and check the Domain(s) in the Profile
When the XML Profile is downloaded to the AnyConnect, check the domains on the iPhone and make sure the XML Profile is the same that was configured in the ASDM.
Step 4: Find the Jabber Device ID in the Communications Manager on the phone
In this example, the Device ID shows TCTIPHONE.
Step 5: Find the device in CUCM Administration
In CUCM, click Device > Phone and the list of phones connected (or configured) are displayed. In this example, TCTIPHONE is listed.
Step 6: Add the Domain to the TCT Phone
In Phone Configuration, enter the URL in the On-Demand VPN URL field.
Note: The URL must include only the domain name. Do not include a protocol or a path.
In the TCT device, define the On-Demand VPN URL field to a value that cannot be resolved externally. This is only to trigger the connection. For example, you can use "cucm.cisco.com" without https:// or http://. Also, make sure that you enter that same domain on the AnyConnect client profile.