Cisco Jabber for Android Release 9.x Administration Guide
Feature Setup
Download this chapter
Feature SetupFeature Setup
Download the complete book
Cisco Jabber for Android Release 9.x Administration GuideCisco Jabber for Android Release 9.x Administration Guide (PDF - 1 MB)
 Feedback

Contents

Feature Setup

Add Mobile Connect and Mobile Identity

Mobile Connect, formerly known as Single Number Reach (SNR), allows the native mobile phone number to ring when someone calls the office number while Cisco Jabber is not available.

When Cisco Jabber is running and connected to the corporate network, and thus available to receive VoIP calls, Mobile Connect is automatically inactivated.

The user requires a Mobile Identity to transfer Cisco Jabber VoIP calls to the mobile voice network.


Note

The option to move a Cisco Jabber for Android call to a mobile voice network is not available if the user is connected to the corporate network using VPN over either a mobile data network or a noncorporate Wi-Fi network.

Procedure
    Step 1   Sign in to the Unified CM Administration portal.
    Step 2   Search for and delete any existing Remote Destination or Mobile Identity that is already set up with the mobile phone number.
    Step 3   Navigate to the End User page for the user.
    1. In the Mobility Information section, check the Enable Mobility check box.
    2. Specify the Primary User Device.
    3. Select Save.
    Step 4   Navigate to the device page for the Cisco Dual Mode mobile device settings.
    1. Enter the following information:

      Setting

      Information

      Softkey Template

      Choose a softkey template that includes the Mobility button.

      Mobility User ID

      Select the user.

      Owner User ID

      Select the user. The value must match the Mobility User ID.

      Rerouting Calling Search Space

      If your Unified CM has custom partitions and multiple calling search spaces, select a Rerouting Calling Search Space that includes the partition that applies to the mobile phone number. You will enter this mobile phone number as a Mobile Identity (described later in this procedure).

    2. Select Save.
    Step 5   Add a new Mobile Identity for the mobile phone number:
    1. Navigate to the device page for the Cisco Dual Mode mobile device settings.
    2. Select Add a New Mobile Identity.
    3. Enter the mobile phone number as the Destination Number.

      This number must be routable to an outbound gateway. Generally, the number is the full E.164 number.

    4. Enter the initial values for call timers.

      These values ensure that calls are not routed to the native device voicemail before they ring in the client on the mobile device.

      For more information, see the online help in Unified CM.



      Example:

      Setting

      Suggested Initial Value

      Answer Too Soon Timer

      3000

      Answer Too Late Timer

      20000

      Delay Before Ringing Timer

      0

      This value accommodates the relatively long call-setup times that are characteristic of mobile calls.
    5. Check the Enable Mobile Connect check box.
    6. Set up the schedule for routing calls to the mobile number.
    7. Select Save.
    What to Do Next

    Test your settings:
    1. Exit Cisco Jabber on the mobile device. For instructions, see the FAQs for users, available from the user guides list.
    2. Call the Cisco Jabber extension from another phone.
    3. Verify that the native mobile network phone number rings and that the call connects when you answer it.

    Enable Active Call Transfer from VoIP to Mobile Voice Network

    When users are within the corporate Wi-Fi network, they can transfer an active VoIP call from Cisco Jabber for Android to their mobile phone number on the mobile voice network. This feature is useful when a user on a call leaves the corporate Wi-Fi network (for example, leaving the building to walk out to the car), or if there are voice quality issues over the Wi-Fi network. This Cisco Jabber for Android feature is called Use Mobile Network.


    Note

    The option to move a Cisco Jabber for Android call to a mobile voice network is not available if the user is connected to the corporate network using VPN over either a mobile data network or a noncorporate Wi-Fi network.

    • For system-level settings, check that the Mobility softkey appears when the phone is in the connected and on-hook call states.

      1. Sign in to the Unified CM Administration portal.
      2. Select Device > Device Settings > Softkey Template.
      3. Select the softkey template that you selected when you configured the device for Mobile Connect.
      4. In the Related Links drop-down list at the upper right, choose Configure Softkey Layout and select Go.
      5. In the call state drop-down list, select the Connected state and verify that the Mobility key is in the list of selected softkeys.
      6. In the call state drop-down list, select the On Hook state and verify that the Mobility key is in the list of selected softkeys.

    • For the per-user and per-device settings in Cisco Unified Communications Manager, set the specific device to use the Mobility softkey when the device transfers calls to the mobile voice network. Ensure that you have set up both Mobile Identity and Mobile Connect for the mobile device. After the transfer feature is working, users can enable and disable Mobile Connect at their convenience without affecting the feature.

      1. Sign in to the Unified CM Administration portal.
      2. Select the Owner User ID on the Phone Configuration screen for your Cisco Dual Mode for Android device.
      3. Select the Mobility User ID. The value usually matches that of the Owner User ID.
      4. In the Product Specific Configuration Layout section, in the Transfer to Mobile Network drop-down list, choose Use Mobility Softkey.

    What to Do Next

    Test your settings by transferring an active call from VoIP to the mobile network.

    Related Tasks

    Enable Active Call Transfer from Desk Phone to Mobile Device

    Before You Begin
    • Ensure that you configured the desk phone and the Cisco Dual Mode for Android (BOTXXXX) device.
    • Ensure that you configured the Mobile Connect feature on the BOTXXXX device. See Add Mobile Connect and Mobile Identity.
    Procedure
      Step 1   Sign in to the Unified CM Administration portal.
      Step 2   Navigate to the Phone Configuration screen for the BOTXXXX device.
      Step 3   In the Device Information section, note the value of the Mobility User ID.
      Step 4   Navigate to the Phone Configuration screen for the associated desk phone.
      Step 5   In the Device Information section, ensure that the value of the Owner User ID of the desk phone matches the value for the Mobility User ID of the BOTXXXX device.
      Step 6   In the Device Information section, from the Softkey Template drop-down list, choose Mobility.
      Note   

      If you do not see the Mobility option, you must configure the Mobility softkey. See the "Mobility Softkey Configuration" section in the "Cisco Unified Mobility" chapter of Cisco Unified Communications Manager Features and Services Guide, Release 7.0(1).

      What to Do Next

      Test your settings. The procedure for moving the call to your mobile device can vary depending on your desk phone model. A sample procedure is as follows:
      1. Press the Mobility softkey on your desk phone. In some cases, you need to press More a few times before you see the Mobility softkey.
      2. Select Send call to Mobile.
      3. Answer your call on your mobile device.

      Related Tasks

      Set Up Visual Voicemail

      The visual voicemail feature is an alternative to the basic voicemail service.

      With visual voicemail, you can see a list of your messages without having to dial in to your voice mailbox. From this list, you can:

      • Play or pause your messages
      • See a transcription of your messages (if available)
      • Delete messages
      • Call back the contact who sent the message
      • Add contacts

      Set up visual voicemail with the following procedures:

      1. Verify that Voicemail Representational State Transfer (VMREST) services are set up on Cisco Unity Connection. See Verify VMREST Services.
      2. Enable settings for secure messaging on Cisco Unity Connection. See Enable Settings for Secure Messaging.
      3. Set up visual voicemail on Unified CM. See Set Up Visual Voicemail on Unified CM.

      Verify VMREST Services

      Use this procedure to verify that your Cisco Unity Connection is set up with the correct VMREST services to support visual voicemail on Cisco Jabber for Android.

      Procedure
        Step 1   Sign in to Cisco Unity Connection Administration.
        Step 2   In the Navigation drop-down list, choose Cisco Unity Connection Serviceability.
        Step 3   Select Go.
        Step 4   Choose Tools > Service Management.
        Step 5   In the Optional Services section, verify that the following services are active and running:
        • Connection Jetty
        • Connection REST Service

        Enable Settings for Secure Messaging

        Use this procedure if you want to set up the Cisco Unity Connection to support playback of secure voice messages on Cisco Jabber for Android.

        Procedure
          Step 1   Sign in to Cisco Unity Connection Administration.
          Step 2   In the Navigation drop-down list, choose Cisco Unity Connection Administration.
          Step 3   Select Go.
          Step 4   In the left pane, navigate to System Settings > Advanced > API Settings.
          Step 5   Check the following three check boxes:
          1. Allow Access to Secure Message Recordings through CUMI
          2. Display Message Header Information of Secure Messages through CUMI
          3. Allow Message Attachments through CUMI
          Step 6   Select Save.

          Set Up Visual Voicemail on Unified CM

          Before You Begin
          • Collect the values for the settings that are listed in the table in this procedure.
          • Consult your voicemail administrator if you have questions about the values for the settings in this section.
          Procedure
            Step 1   Sign in to the Unified CM Administration portal.
            Step 2   Navigate to the device page for the user.
            Step 3   In the Product Specific Configuration Layout section, enter voicemail settings.
            Setting Description
            Voicemail Username Unique username for voicemail access for this user.
            Voicemail Server (include the port)

            For the voicemail server, enter the fully qualified domain name or IP address. Use the format Servername.YourCompany.com:portnumber
            Voicemail Message Store Username

            Leave this field blank. Cisco Jabber for Android does not use this field. This field is used for devices that support Cisco Unity.
            Voicemail Message Store

            Leave this field blank. Cisco Jabber for Android does not use this field. This field is used for devices that support Cisco Unity.
            Step 4   Select Save.
            Step 5   Select Apply Config.
            Step 6   Select Reset.
            Step 7   Restart Cisco Jabber.
            Step 8   Step through the setup wizard until you see the Voicemail screen.
            Step 9   Enter your voicemail password.
            Step 10   Select Verify.
            Step 11   Complete the setup wizard.
            What to Do Next

            Test this feature.

            Enable Enhanced Message Waiting Indicator

            A Message Waiting Indicator alerts users to the presence of new voice messages. Enhanced Message Waiting Indicator provides a count of unheard messages on systems that support this feature. Users can call the voice messaging system to retrieve the messages.

            Note

            To enable the basic Message Waiting Indicator, follow the instructions in the Cisco Unified Communications Manager documentation for your release. There are no unique configurations for this client.

            If your deployment supports Enhanced Message Waiting Indicator, enable this option in the Cisco Unity Connection Administration portal.

            Procedure
              Step 1   Sign in to Cisco Unity Connection Administration.
              Step 2   In the left pane, navigate to Telephony Integrations > Phone System.
              Step 3   Select the link for the desired phone system.
              Step 4   In the Message Waiting Indicators section, select the Send Message Counts check.
              Step 5   Select Save.

              Specify Directory Search Settings

              Use this procedure to specify the settings that Cisco Jabber uses to connect to the directory server. When the user sets up Cisco Jabber, these settings are automatically configured.


              Note

              Cisco Jabber for Android does not support the Reporting Structure feature with Open LDAP. This feature is supported only with Microsoft Active Directory.

              If you want to set up the Reporting Structure, Cisco Jabber for Android uses the following elements: Manager, Direct reports, Title, and Department.

              Before You Begin

              Identify attributes in your corporate directory schema that are different from, or additional to, the application defaults. You must map changed attributes later in this procedure.

              Using the following table, verify the values for your directory:

              • If you use an Active Directory server, review the values in the column called "Default Active Directory Attribute." If your attributes differ from the values in the "Default Active Directory Attribute" column, make a note of your actual attribute name in the column titled "Your Value, if Different."
              • If you use an LDAP server that is not an Active Directory server, review the values in the column called "Default Attribute for All Other LDAP Servers." If your attributes differ from the values in the "Default Attribute for All Other LDAP Servers" column, make a note of your actual attribute name in the column titled "Your Value, if Different."


              Table 1 Directory Elements and Attributes

              Element

              Element Name

              Default Active Directory Attribute

              Default Attribute for All Other LDAP Servers

              Your Value, if Different

              Unique identifier

              identifier

              distinguishedName

              distinguishedName

              		 

              Display name

              displayName

              displayName

              cn

              		 

              Email address

              emailAddress

              mail

              mail

              		 

              First name

              firstName

              givenName

              givenName

              		 

              Last name

              lastName

              sn

              sn

              		 

              User ID

              userid

              sAMAccountName

              uid

              		 

              Main phone number

              mainPhoneNumber

              telephoneNumber

              telephoneNumber

              		 

              Home phone number

              homePhoneNumber

              		     

              Second home phone number

              homePhoneNumber2

              		     

              Mobile phone number

              mobilePhoneNumber

              		     

              Second mobile phone number

              mobilePhoneNumber2

              		     

              Direct to voicemail phone number

              voicemailPhoneNumber

              voicemail

              		   

              Fax number

              faxPhoneNumber

              facsimileTelephoneNumber

              		   

              Other phone number

              otherPhoneNumber

              		     

              Manager

              manager

              manager

              Direct reports

              directReports

              directReports

              Title

              title

              title

              Department

              department

              department

              Procedure
                Step 1   Sign in to the Unified CM Administration portal.
                Step 2   Navigate to the Cisco Dual Mode device page for the user.
                Step 3   In the Product Specific Configuration Layout section, set the Enable LDAP User Authentication setting.
                • If users do not need to enter credentials to access directory services, select Disabled.
                • If users must enter credentials to access directory services, select Enabled.
                Step 4   In the LDAP Server field, enter the IP address or hostname of the LDAP server.
                • If you do not want to deploy Directory Search in Cisco Jabber for Android, leave this field blank.
                • Otherwise, enter the IP address or hostname, and port number of your directory server.
                Use the format YourDirectoryServer.YourCompany.com:portnumber. If you enter an IP address or hostname but do not enter a port, the client tries to connect to port 389.
                Step 5   The Enable LDAP SSL drop-down list appears. Because there is no support for SSL with LDAP, SSL is disabled by default. Choosing Enabled or Disabled has no effect.
                Step 6   Enter the LDAP Search Base using one of the following formats.
                • OU=organization,DC=corp,DC=yourcompany,DC=com
                • CN=users,DC=corp,DC=yourcompany,DC=com
                By default, this application uses the search base found in a RootDSE search on the defaultNamingContext attribute. To specify a different search base, enter the Distinguished Name of the root node in your corporate directory that contains user information. Use the lowest node that includes the necessary names. Using a higher node creates a larger search base and thus reduces performance if the directory is very large.
                Note    To help determine the optimal search base, use a utility such as Active Directory Explorer (available from Microsoft) to view your data structure.
                Step 7   Enter the LDAP field mappings. LDAP field mappings identify the attributes in your directory that hold the information to search and display for directory searches. Using the Directory Elements and Attributes table, enter any field mappings that do not match the default as name=value pairs, separating each field with a semicolon (;). Enter the information that is contained in the "Element Name" column for the name. Enter the information in the "Your Value if Different" column for the value.

                Example:displayName=nickname;emailAddress=email
                Step 8   Enter the LDAP photo location. Enter the pathname to the image files on your HTTP server. Be sure to specify the correct graphics file type (for example, jpg or png). Use the variable %%LDAP Attribute %% to represent the LDAP attribute.

                Example:http://yourcompany.cisco.com/photo/std/%%userID%%.jpg

                You must include the double percent symbols in the string.

                Cisco Jabber for Android automatically resizes the images as needed, but it processes smaller images faster.

                You must store your photos on an HTTP server, with filenames that are identical to the values in an LDAP directory attribute (excluding the filename extension).

                By default, Cisco Jabber for Android uses the attribute that is mapped to the userid element in the Directory Elements and Attributes table that precedes this procedure. You can specify a different attribute in the LDAP Field Mappings field.



                Example:If an image file from your directory is named jsmith.jpg, and the value in the cn attribute is jsmith, then you can use the LDAP Field Mappings field to map the userid element to the cn attribute in your LDAP directory.
                Step 9   Select Save.
                Step 10   Restart Cisco Jabber for Android.
                What to Do Next

                Test the directory search feature.

                Set Up SIP Digest Authentication Options

                SIP Digest Authentication is a Unified CM security feature that authenticates user devices. For more information, see the Cisco Unified Communications Manager Security Guide and the Cisco Unified Communications Manager Administration Guide, available from the maintenance guides list.

                For Cisco Jabber, you have three options:

                Disable SIP Digest Authentication

                Follow these steps on each device page in Unified CM.
                Procedure
                  Step 1   Sign in to the Unified CM Administration portal.
                  Step 2   Navigate to the device page.
                  Step 3   In the Protocol Specific Information section, in the Device Security Profile drop-down list, select “Cisco Dual Mode for Android - Standard SIP Non-Secure Profile.”
                  Step 4   Complete the authentication details in the Product Specific Configuration Layout section.
                  1. In the Enable SIP Digest Authentication drop-down list, select “Disabled. ”
                  2. Leave SIP Digest Username blank.
                  Step 5   Select Save.
                  Step 6   SelectApply Config.
                  Step 7   Restart Cisco Jabber.

                  Enable SIP Digest Authentication with Automatic Password Authentication

                  Procedure
                    Step 1   Create a new profile for Cisco Dual Mode for Android under System > Security Profile > Phone Security Profile:
                    1. Select Add New.
                    2. In the Phone Security Profile Type drop-down list, select Cisco Dual Mode for Android.
                    3. Select Next.
                    4. Enter a name for your new phone security profile.
                    5. Check Enable digest authentication.
                    6. Uncheck Exclude digest credentials in configuration file.
                    7. Select Save.
                    Step 2   On each End User page, in the User Information section, complete the following tasks:
                    1. In the User ID field, verify that the user ID is entered.
                    2. In the Digest Credentials field, enter the digest credentials.
                    3. In the Confirm Digest Credentials field, reenter the digest credentials.
                    Step 3   On each Cisco Dual Mode for Android device page, complete the profile information in the Protocol Specific Information section:
                    1. In the Device Security Profile drop-down list, select the new secure profile you just created.
                    2. In the Digest User drop-down list, select the digest user.
                    Step 4   On the same device page, complete the authentication details in the Product Specific Configuration Layout section:
                    1. In the Enable SIP Digest Authentication drop-down list, select Enabled.
                    2. Leave SIP Digest Username blank.
                    Step 5   Select Save.
                    Step 6   Select Apply Config.
                    Step 7   Restart Cisco Jabber.

                    Enable SIP Digest Authentication with Manual Password Authentication

                    Procedure
                      Step 1   Create a new profile for Cisco Dual Mode for Android under System > Security Profile > Phone Security Profile:
                      1. Select Add New.
                      2. In the Phone Security Profile Type drop-down list, select Cisco Dual Mode for Android.
                      3. Select Next.
                      4. Enter a name for your new phone security profile.
                      5. Check Enable digest authentication.
                      6. Check Exclude digest credentials in configuration file.
                      7. Select Save.
                      Step 2   On each End User page, in the User Information section, complete the following tasks:
                      1. In the User ID field, verify that the user ID is entered.
                      2. In the Digest Credentials field, enter the digest credentials.
                      3. In the Confirm Digest Credentials field, reenter the digest credentials.
                      Make a note of this password. You provide this password to the user later.
                      Step 3   On each Cisco Dual Mode for Android device page, enter the new profile information in the Protocol Specific Information section:
                      1. In the Device Security Profile list, select the new secure profile you just created.
                      2. In the Digest User list, select the digest user.
                      Step 4   On the same device page, complete the authentication details in the Product Specific Configuration Layout section:
                      1. In the Enable SIP Digest Authentication list, select Enabled.
                        Important:

                        To enable SIP Digest Authentication, you must also select a custom device security profile in which you enable SIP Digest Authentication (as outlined in the previous step).

                        If you enable SIP Digest Authentication without first selecting this custom device security profile:

                        • Cisco Jabber prompts the end user to enter SIP Digest Authentication credentials.
                        • Cisco Jabber accepts any credentials.
                        • Unified CM does not authenticate the device using SIP Digest Authentication.
                      2. For the SIP Digest Username, enter the digest user you just selected.
                      Step 5   Select Save.
                      Step 6   Select Apply Config.
                      Step 7   Restart Cisco Jabber and step through the setup wizard again.
                      Step 8   On the Internet Calling Settings screen, enter your SIP Digest Authentication credentials. This password is case sensitive.

                      Set Up Cisco AnyConnect

                      Cisco AnyConnect Secure Mobility Client is a VPN application that allows Cisco Jabber to securely connect to your corporate network from a remote location using Wi-Fi or mobile data networks.

                      If you deployed Cisco Jabber for Android with secure connect previously, see the "What's New" section in the Release Notes.


                      Note

                      Cisco does not guarantee the voice quality on noncorporate Wi-Fi networks or mobile data networks.

                      To support the Cisco AnyConnect Secure Mobility Client, you must set up your system using the following procedures.

                      1. Install and set up the Cisco Adaptive Security Appliance (ASA).
                      2. Set up the ASA to support Cisco AnyConnect. Perform the following procedures in order:
                        1. Provision Application Profiles
                        2. Automate VPN Connection
                        3. Set Up Certificate-Based Authentication
                        4. Set ASA Session Parameters
                        5. Set Up Tunnel Policies
                      3. Set up the Unified CM to support Cisco AnyConnect by setting the Preset Wi-Fi Networks field. See Add User Device.

                      Note

                      Cisco supports Cisco Jabber for Android with Cisco AnyConnect Secure Mobility Client. Although other VPN clients are not officially supported, you may be able to use Cisco Jabber for Android with other VPN clients. If you use another VPN client, set up VPN as follows:

                      1. Install and configure the VPN client using the relevant third-party documentation.
                      2. Configure the Preset Wi-Fi Networks using the following procedure: Add User Device.

                      Provision Application Profiles

                      After users download the Cisco AnyConnect client to their device, the ASA must provision a configuration profile to the application.

                      The configuration profile for the Cisco AnyConnect client includes VPN policy information such as the company ASA VPN gateways, the connection protocol (IPSec or SSL), and on-demand policies.

                      Provision VPN Profiles on ASA

                      Cisco recommends that you use the profile editor on the ASA Device Manager (ASDM) to define the VPN profile for the Cisco AnyConnect client.

                      When you use this method, the VPN profile is automatically downloaded to the Cisco AnyConnect client after the client establishes the VPN connection for the first time. You can use this method for all devices and OS types, and you can manage the VPN profile centrally on the ASA.

                      Use the following procedure to define a VPN profile.

                      Procedure
                      On the ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile. For more information, see AnyConnect Administration Guide.

                      Automate VPN Connection

                      When users open Cisco Jabber from outside the corporate Wi-Fi network, Cisco Jabber needs a VPN connection to access the Cisco UC application servers. You can set up the system to allow Cisco AnyConnect Secure Mobility Client to automatically establish a VPN connection in the background, which helps ensure a seamless user experience.

                      Set Up Trusted Network Detection

                      The Trusted Network Detection feature enhances the user experience by automating the VPN connection based on the user's location. When the user is inside the corporate Wi-Fi network, Cisco Jabber can reach the Cisco UC infrastructure directly. When the user leaves the corporate Wi-Fi network, Cisco Jabber automatically detects that it is outside the trusted network, and then indirectly initiates the VPN to ensure connectivity to the UC infrastructure.


                      Note

                      The Trusted Network Detection feature works with both certificate- and password-based authentication. However, certificate-based authentication provides the most seamless user experience.

                      Procedure
                        Step 1   Using ASDM, open the Cisco AnyConnect client profile.
                        Step 2   Enter the list of Trusted DNS Servers and Trusted DNS Domain Suffixes that an interface can receive when the client is within a corporate Wi-Fi network.

                        The Cisco AnyConnect client compares the current interface DNS servers and domain suffix with the settings in this profile.

                        Note   

                        You must specify all your DNS servers to ensure that the Trusted Network Detection feature works properly. If you set up both the TrustedDNSDomains and TrustedDNSServers, sessions must match both settings to be defined as a trusted network.

                        For detailed steps for setting up Trusted Network Detection, see the "Trusted Network Detection" section in the "Configuring AnyConnect Features" chapter of the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5.

                        What to Do Next

                        Set up the Unified CM to support Cisco AnyConnect by setting the Preset Wi-Fi Networks field. See Add User Device.

                        Set Up Certificate-Based Authentication

                        The Cisco AnyConnect client supports many authentication methods including Microsoft Active Directory/LDAP password, RADIUS-based one-time tokens, and certificates. Of these methods, client certificate authentication provides the most seamless experience.

                        Set Up ASA for Certificate-Based Authentication

                        ASA supports certificates issued by various standard Certificate Authority (CA) servers such as Cisco IOS CA, Microsoft Windows 2003, Windows 2008 R2, Entrust, VeriSign, and RSA Keon.

                        The following procedure outlines the high-level steps for setting up the ASA for certificate-based authentication. For detailed information, see the Configuring Digital Certificates section of Cisco ASA 5500 Series Configuration Guide using ASDM, 6.4 and 6.6.

                        Procedure
                          Step 1   Import a root certificate from the CA to the ASA.
                          Step 2   Generate an identity certificate for the ASA.
                          Step 3   Use the ASA identity certificate for SSL authentication.
                          Step 4   Configure a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP).
                          Step 5   Configure the ASA to request client certificates for authentication.

                          Distribute Client Certificates

                          You must set up the system to ensure that you can issue certificates to users.

                          Distribute Client Certificate Using SCEP

                          ASA supports Simple Certificate Enrollment Protocol (SCEP) to simplify certificate distribution.

                          The ASA can use SCEP to securely issue and renew a certificate that is used for client authentication. The following is a general overview of this process.

                          1. The first time a remote user opens Cisco AnyConnect, the application authenticates the user with either Active Directory credentials or a one-time token password.
                          2. After the client establishes the VPN, the ASA provides a client profile that includes the SCEP request.
                          3. The Cisco AnyConnect client sends a certificate request and the Certificate Authority (CA) automatically accepts or denies the request.
                          4. If the CA accepts the request:
                            1. The certificate is installed in the native certificate store on the device.
                            2. Cisco AnyConnect uses the certificate for authentication, and no longer prompts the user for a password when establishing subsequent VPN connections.
                          Procedure
                          For information about how to install the SCEP module on a Windows 2008 server and set up the ASA, see the ASA 8.X: AnyConnect SCEP Enrollment Configuration Example.

                          Set ASA Session Parameters

                          You can set session parameters on the ASA to define the user experience of Cisco AnyConnect Secure Mobility Client and Cisco Jabber after the VPN connection is established.

                          ASA session parameters include the following:

                          • DTLS: DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP. DTLS allows the Cisco AnyConnect client to establish an SSL VPN connection that uses two simultaneous tunnels: an SSL tunnel and a DTLS tunnel. You can use DTLS to avoid latency and bandwidth problems, and to improve the performance of real-time applications such as Cisco Jabber that are sensitive to packet delays. If DTLS is configured and UDP is interrupted, the remote user's connection automatically falls back from DTLS to TLS. DTLS is enabled by default.
                          • Session Persistence: This parameter allows the VPN session to recover from service disruptions and re-establish the connection. For example, as the user roams from one Wi-Fi network to another Wi-Fi or mobile data network, the Cisco AnyConnect client automatically resumes the VPN session. In addition, you can set up Cisco AnyConnect to re-establish the VPN session after the device resumes from standby, sleep, or hibernation mode.
                          • Idle Timeout: The Idle Timeout (vpn-idle-timeout) is the time after which if there is no communication activity, the ASA terminates the VPN connection. A very short idle-timeout frequently disrupts the VPN connection and forces the user to re-establish VPN for every call. On the other hand, a large idle-timeout value results in too many concurrent sessions on the ASA. You can set up the Idle Timeout value by group policy.
                          • Dead-Peer Detection (DPD): This parameter ensures that the ASA gateway or the Cisco AnyConnect client can quickly detect a condition where the peer is not responding and the connection failed. Cisco recommends that you:
                            • Disable server-side DPD to ensure that the device can sleep. (If you enable this parameter, it prevents the device from sleeping.)
                            • Enable client-side DPD because it allows the client to determine when the tunnel is terminated due to a lack of network connectivity.

                          Set ASA Session Parameters

                          Cisco recommends that you set up the ASA session parameters as follows to optimize the end user experience for Cisco AnyConnect Secure Mobility Client.
                          Procedure
                            Step 1   Set up Cisco AnyConnect to use DTLS.

                            For information about how to set ASA session parameters, see Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections.

                            Step 2   Set up session persistence (auto-reconnect).
                            1. Use ASDM to open the VPN client profile.
                            2. Set the Auto Reconnect Behavior parameter to Reconnect After Resume.

                            For detailed information about how to set up session persistence, see Configuring Auto-Reconnect.

                            Step 3   Set the idle timeout value.
                            1. Create a group policy that is specific to Jabber clients.
                            2. Set the idle timeout value to 30 minutes.

                            For detailed information about how to set the idle timeout value, see vpn-idle-timeout.

                            Step 4   Set up Dead Peer Detection (DPD).
                            1. Disable server-side DPD.
                            2. Enable client-side DPD.

                            For detailed information about how to set up DPD, see Enabling and Adjusting Dead Peer Detection.

                            Set Up Tunnel Policies

                            Use the following procedure to set up a tunnel policy that specifies how you want to direct traffic in the VPN tunnel.

                            To set up tunnel policies, you must first determine which type of tunnel policy you want to use. Tunnel policies include the following:

                            Full-Tunnel Policy

                            This is the default tunnel policy. Use this policy if you want the most secure option for Cisco Jabber and Cisco AnyConnect deployments. In case of Full-Tunnel, all the traffic from all the applications on the device is sent over the VPN tunnel to the ASA gateway. Optionally, you can enable the Local LAN Access feature to enable local printing and local network drive mapping.

                            Split-Tunnel Policy

                            Use this policy if you want to direct only Cisco Jabber-specific traffic from your phone to the corporate network. This policy directs traffic based on destination subnets. You can specify which traffic goes over VPN (encrypted) and which traffic goes in the clear (unencrypted).

                            An associated feature, Split-DNS, defines which DNS traffic to resolve over the VPN tunnel and which DNS traffic to handle with the endpoint DNS resolver.

                            Split-Include Policy with Network ACL

                            Use this policy if you want to:

                            • Limit the traffic that is sent over the VPN tunnel due to bandwidth concerns.
                            • Restrict the VPN session to the Cisco Jabber application.

                            You can use the Split-Include policy on the ASA to specify which traffic goes inside the VPN tunnel based on the destination IP address of the traffic.

                            You must include the IP subnets of the Cisco Unified CM Cluster, Directory Server, and TFTP Server. Cisco Jabber needs peer-to-peer media connections with any IP phone or computer phone on the corporate Wi-Fi network. Therefore, Cisco recommends that you include the corporate network IP address range in the Split-Include policy. This configuration may not be appropriate for all deployments (for example, if the IP space of your company is not contiguous because of acquisitions and other events).

                            This policy directs all internal traffic into the tunnel, but can prevent cloud-based services such as Facebook and YouTube from entering the tunnel.


                            Note

                            All application data that is directed to the address range specified in the split-include policy is tunneled, so applications other than Cisco Jabber also have access to the tunnel. To prevent other applications from using the corporate Wi-Fi network, you can apply a VPN filter (Network ACL) that further restricts the available ports.

                            Split-Exclude Policy

                            Use this policy if it is not practical to define the entire subnet required for Split-Include policies. You can use the Split-Exclude policy to prevent any known traffic from the VPN tunnel. For example, if you are concerned about bandwidth, you could add destination subnets for services like NetFlix, Hulu, or YouTube to your split-exclude list.

                            After you determine which type of tunnel policy you want to use, follow the detailed instructions for configuring the group policy with the desired tunnel policy, as outlined in Configuring Split-Tunneling Attributes.