Cisco Webex Hybrid Services enable Webex Teams customers to connect on-premises collaboration services to Webex. Integrating directory services between the on-premises LDAP directory and the identity service within the customer's Webex Teams organization adds value by simplifying user on-boarding.
The Webex Hybrid Directory Service high-level architecture, depicted in Figure 2-1, allows the Webex Teams customer to synchronize their corporate Microsoft Active Directory with the identity store of their organization in Webex. This makes Webex Teams user on-boarding and service provisioning simple and consistent.
Figure 2-1 Cisco Webex Hybrid Directory Service High-Level Architecture
Prior to implementing and deploying Webex Hybrid Directory Service, meet the following requirements:
The core components for Cisco Webex Hybrid Directory Service include:
To deploy Webex Hybrid Directory Service in the PA for Webex Hybrid Services, we recommend the following:
Webex Hybrid Directory Service provides the following benefits:
Figure 2-2 shows the Webex Hybrid Directory Service integration to the enterprise directory. This integration relies on the Cisco Directory Connectors, which are co-located in the central site with the Microsoft Active Directory. Cisco Directory Connector is deployed on two Microsoft Windows Servers for redundancy and high availability.
Figure 2-2 Architecture for Integration of Webex Hybrid Directory Service with the Enterprise Directory
Cisco Directory Connector relies on Microsoft Active Directory application programming interfaces (APIs) to pull user information from the Microsoft Active Directory. The APIs are based on the Microsoft .NET Framework. Directory Connector uses HTTPS to push user information to the organization's Webex identity store.
Cisco Directory Connector plays the role of synchronization agent between the corporate Microsoft Active Directory and the organization's identity store in Webex. The Directory Connector initially populates Webex with user and resource information from the Active Directory and maintains this information with subsequent synchronizations to update the organization's Webex identity store with the latest moves, adds, changes, and deletions occurring on the enterprise Active Directory.
Microsoft Active Directory is the enterprise resource and user repository and the single source of validation for that information. The directory administrator maintains the enterprise resource and user information contained within the directory with moves, adds, changes, and deletions. Any updates to this information in Active Directory are propagated to the Cisco Directory Connector (and in turn to Webex) during synchronization.
Figure 2-3 shows the high-level steps required to deploy Webex Hybrid Directory Service. Virtual Microsoft Windows Servers are created and deployed in the enterprise data center (step 1). After the Windows servers are deployed, the administrator logs into the Webex Control Hub at https://admin.webex.com to enable directory synchronization and download the Cisco Directory Connector software installation package (step 2). Next, Directory Connector is installed on the Windows servers (step 3). After Directory Connector is installed, the administrator configures the connector (step 4), and an initial synchronization occurs between Microsoft Active Directory and the Directory Connector (step 4A) and between the Directory Connector and Webex (step 4B).
Figure 2-3 Webex Hybrid Directory Service Deployment Overview
Once the initial synchronization completes, the administrator configures the schedule for periodic incremental and full synchronizations (step 5). After that, the administrator manages users and provisions them for cloud services as appropriate (step 6).
As shown in Figure 2-4, two Cisco Directory Connectors are deployed. These Windows Server virtual machines are deployed on separate hosts in separate buildings or data centers to provide high availability and redundancy. Directory Connectors are deployed as a pair, and both are capable of synchronizing directory information between the enterprise directory and the cloud. However, under normal operation, one Directory Connector (primary) handles directory synchronization while the other (backup) maintains connectivity to Webex but does not perform any synchronization. In the event that the primary Directory Connector fails, the backup Directory Connector will continue to handle synchronization operations based on the configured failover interval.
Figure 2-4 Webex Hybrid Directory Service High Availability
Note: In cases where only a single Cisco Directory Connector is deployed (non-redundant deployments), if the Directory Connector fails, user information is no longer synchronized between Active Directory and the Webex identity store. The administrator is able to manage existing users and to provision them for services while the Directory Connector is down, but no users or resources can be added or removed from the Webex identity store until the Directory Connector is returned to service.
In addition to Cisco Directory Connector high availability considerations, also consider providing redundancy for other aspects of the integration such as the Active Directory services, connectivity to Webex (HTTPS), and availability of cloud services.
Microsoft components (Active Directory, Domain Controllers, and other Microsoft enterprise network services) should be deployed in a redundant fashion. Consult Microsoft product documentation for information on high availability.
Highly available network connectivity to the Internet is also required to ensure that Webex Teams and other Webex services are reachable from the enterprise. Redundant physical Internet connections, preferably from different providers, are recommended.
Webex services are highly available because those services and components are deployed across multiple physical data centers on elastic compute platforms.
The primary sizing and scalability consideration for Webex Hybrid Directory Service is the size of the synchronization. The larger the enterprise directory and the search base in terms of number of resources and users, the longer a synchronization will take to complete. For this reason it is important to monitor synchronization operations initially to ensure that both incremental and full synchronizations are completing prior to the beginning of the next synchronization period. We recommend running the Directory Connector on a dedicated Windows server host. Additional load on the Windows server can reduce performance and increase overall system response and synchronization times.
For more information on Webex Hybrid Directory Service scaling, see the chapter on Sizing Cisco Webex Hybrid Services.
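One way to check that synchronizations finish before the next synchronization period begins, as an added example that is not Cisco code. The run records, the schedule intervals, and the 80% warning threshold are constructed assumptions; the Directory Connector's own log format is not shown on this page, and runs are assumed to start on schedule.

```python
from datetime import datetime, timedelta

# Constructed sample records (not Directory Connector output):
# (sync type, start, end) as ISO 8601 timestamps.
SAMPLE_RUNS = [
    ("incremental", "2024-03-04T08:00:00", "2024-03-04T08:12:00"),
    ("incremental", "2024-03-04T08:30:00", "2024-03-04T09:05:00"),
    ("incremental", "2024-03-04T09:30:00", "2024-03-04T09:41:00"),
    ("full",        "2024-03-03T01:00:00", "2024-03-03T21:00:00"),
]

# Assumed schedule: time between scheduled starts for each sync type.
SCHEDULE = {"incremental": timedelta(minutes=30), "full": timedelta(days=1)}


def check_runs(runs, schedule, warn_ratio=0.8):
    """Classify each run by how much of its sync interval it consumed.

    Returns a list of (sync_type, start, status, ratio) tuples where status is
    "overrun" if the run was still going when the next period began,
    "warn" if it used at least warn_ratio of the interval, otherwise "ok".
    """
    findings = []
    for sync_type, start_s, end_s in runs:
        start = datetime.fromisoformat(start_s)
        end = datetime.fromisoformat(end_s)
        if end < start:
            raise ValueError(f"run ends before it starts: {start_s}")
        if sync_type not in schedule:
            raise KeyError(f"no schedule configured for {sync_type!r}")
        # timedelta / timedelta yields a float: fraction of the interval used.
        ratio = (end - start) / schedule[sync_type]
        if ratio >= 1.0:
            status = "overrun"
        elif ratio >= warn_ratio:
            status = "warn"
        else:
            status = "ok"
        findings.append((sync_type, start_s, status, round(ratio, 2)))
    return findings


if __name__ == "__main__":
    for sync_type, start, status, ratio in check_runs(SAMPLE_RUNS, SCHEDULE):
        print(f"{status:8} {sync_type:12} started {start} used {ratio:.0%} of interval")
```

A "warn" or "overrun" result during the initial monitoring period is the signal to narrow the search base or lengthen the schedule before the directory grows further.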
Webex Hybrid Directory Service requires the deployment of the Cisco Directory Connector and synchronization between the on-premises directory and the organization's Webex identity store.
Directory synchronization allows corporate users and resources to be imported into Webex. Directory synchronization is facilitated using the Webex Control Hub and Cisco Directory Connector. The Directory Connector allows for automatic synchronization of corporate directory information with Webex. Without Directory Connector, users and resources must be imported manually to Webex using a .csv file.
Note: This section presents high-level guidance for deploying Webex Hybrid Directory Service. This guidance should be used in conjunction with the detailed instructions provided in the latest version of the Deployment Guide for Cisco Directory Connector, available at https://www.cisco.com/c/en/us/support/unified-communications/spark/products-installation-guides-list.html.
The deployment of Webex Hybrid Directory Service starts with the Windows Server installation followed by the download, installation, and initial configuration of Cisco Directory Connector. To deploy Webex Hybrid Directory Service, perform the following tasks in the order listed here:
1. Deploy Microsoft Windows Server hosts for Cisco Directory Connector.
2. Enable directory synchronization and download Cisco Directory Connector software from the Webex Control Hub.
3. Install Cisco Directory Connector on the Windows Server host.
4. Configure Directory Connector and complete the initial synchronization.
5. Schedule periodic incremental and full synchronizations.
6. Manage imported users and provision them for Webex services.
The Cisco Directory Connector runs on a trusted Microsoft Windows domain server deployed in the corporate network. The server joins the Active Directory domain and needs an administrator read-only account to authenticate the Cisco Directory Connector server to the on-premises domain.
Deploy a new Microsoft Windows Server and join the corporate Microsoft Active Directory domain. To ensure a highly available deployment of Webex Hybrid Directory Service, install a second domain Microsoft Windows Server on a separate host.
For information about the specific Microsoft Windows Server and Microsoft Active Directory versions supported for Webex Hybrid Directory Service, refer to the latest version of the Deployment Guide for Cisco Directory Connector, available at
https://www.cisco.com/c/en/us/support/unified-communications/spark/products-installation-guides-list.html
Note: Microsoft Windows Servers should be deployed and configured according to corporate standards and policies and should adhere to any requirements around virus and malware protection, device management, and security.
Log into the Webex Control Hub at https://admin.webex.com from the web browser on the Windows Server host you deployed in Step 1. Use your Webex Teams organization administrator credentials.
On the Webex Control Hub, enable directory synchronization by navigating to Users and clicking Manage Users. Next, click Enable Directory Synchronization and choose Next to continue. Then click the Download and Install link to save the Cisco Directory Connector installation .zip file (for example, DirectoryConnector.zip) to the local server.
Locate the .zip file saved to the host server in Step 2. Unzip the file, navigate to the setup folder, and run the .msi file (for example, CiscoDirectoryConnector.msi) in the setup folder to launch the Cisco Directory Connector Setup wizard.
Select I accept the terms in the License Agreement and click Next to accept the license agreement. Click Next to accept the default installation location.
Select the Domain Account option for the service account and enter the username and password for the domain account. In the Username field include the Active Directory domain and username with the format <domain>\<user_name> (for example, ENT-PA\administrator). Click Next to save the domain account information.
Then click Install to start the installation of Cisco Directory Connector.
When the installation completes, repeat this step on the second Windows Server host to install a redundant Directory Connector.
Launch Cisco Directory Connector and sign into the Webex Teams organization by entering the email address and password of the administrator account for the organization. Note that this is the same email address and password used to log into the Webex Control Hub management portal. Click to confirm the Webex Teams organization and domain.
Next, perform initial configuration of Directory Connector. From the Directory Connector dashboard click the Configuration tab.
Note: If a configuration tab or field value is not mentioned here, then the default setting and value should be assumed.
Navigate the tabs on the Configuration screen and configure the settings as shown in Table 2-1.
Click Apply to save and apply the configuration settings.
Once Directory Connector is installed and configured as above, perform an initial full synchronization to pull directory information from the corporate Microsoft Active Directory and push it to the organization's Webex identity store.
On the redundant Cisco Directory Connector, configure the same settings shown in Table 2-1, but use a unique name for the Connector Name setting (for example, DIRSYNC2).
After the initial synchronization, it is important to keep the organization's Webex identity store updated with moves, adds, and changes that occur in the corporate Active Directory.
To keep Webex up to date with corporate directory changes, configure periodic incremental and full synchronizations on one of the Directory Connectors. Return to the Directory Connector Configuration tab and select Schedule. Then configure synchronization settings as shown in Table 2-2.
The settings in Table 2-2 are shared and apply to both Directory Connectors in the deployment.
After the enterprise directory user information has been propagated to Webex, the administrator is able to provision users for cloud services and manage those service features and settings by using the Webex Control Hub.
Use your Webex organization administrator credentials to log into the Webex Control Hub at https://admin.webex.com from a web browser.
On the Webex Control Hub, begin managing and provisioning user services by navigating to Users and then clicking Manage Users. Once directory synchronization is enabled, there are multiple ways to modify users and the services they use. Users can be modified individually or in bulk.
To modify large numbers of users in bulk, choose either Export and modify users with a CSV file or Modify all synchronized users. The CSV file method is good for modifying groups of users in bulk (up to 1,100 users at a time); however, preparing the CSV file for bulk modification is a manual process.
To enable a feature or service for all users, click Modify all synchronized users and click Next. If prompted, acknowledge that users will automatically be sent an email by clicking Next. On the next screen, wait for the system to synchronize the list of users from the latest synchronization agreement, and then click Next.
On the subsequent screen, provision users for Message, Meeting, and other services including Hybrid Services. Once you have selected the services, click Next to start the update of user accounts. When the update is complete, users can begin to use the added services and features.
Note: Valid licenses are required to add and enable licensed services and features.