Contents

• Feature Setup
• Set Up Mobile Connect
• Enable Mobile Connect
• Add Mobility Identity
• Add Remote Destination (Optional)
• Enable Active Call Transfer from VoIP to Mobile Voice Network
• Enable Active Call Transfer from Desk Phone to Mobile Device
• Set Up Dial Via Office
• Set Up Unified CM to Support DVO-R
• Set Up Enterprise Feature Access Number
• Set Up Mobility Profile
• Verify Device COP File Version
• Set Up Dial Via Office for Each Device
• Add Mobility Identity
• Enable Dial Via Office on Each Device
• Set Up Voicemail Avoidance
• Set Up Timer-Controlled Voicemail Avoidance
• Set Up User-Controlled Voicemail Avoidance
• Set Up Unified CM to Support User-Controlled Voicemail Avoidance
• Enable User-Controlled Voicemail Avoidance on Mobility Identity
• Enable User-Controlled Voicemail Avoidance on Remote Destination
• Set Up Visual Voicemail
• Verify VMREST Services
• Enable Settings for Secure Messaging
• Set Up Visual Voicemail on Unified CM
• Enable Enhanced Message Waiting Indicator
• Specify Directory Search Settings
• Set Up SIP Digest Authentication Options
• Disable SIP Digest Authentication
• Enable SIP Digest Authentication with Automatic Password Authentication
• Enable SIP Digest Authentication with Manual Password Authentication
• Set Up Cisco AnyConnect
• Provision Application Profiles
• Provision VPN Profiles on ASA
• Automate VPN Connection
• Set Up Trusted Network Detection
• Set Up Certificate-Based Authentication
• Set Up ASA for Certificate-Based Authentication
• Distribute Client Certificates
• Distribute Client Certificate Using SCEP
• Set ASA Session Parameters
• Set ASA Session Parameters
• Set Up Tunnel Policies

Feature Setup

---

Set Up Mobile Connect

Mobile Connect, formerly known as Single Number Reach (SNR), allows the native mobile phone number to ring when someone calls the work number if:

• Cisco Jabber is not available. After Cisco Jabber becomes available again and connects to the corporate network, the Unified CM returns to placing VoIP calls rather than using Mobile Connect.
• The user selects the Always Use DVO Jabber calling option.
• The user selects the Automatically select Jabber calling option and the user is outside of the Wi-Fi network.

To set up Mobile Connect, perform the following procedures:

1. Enable Mobile Connect
2. Specify one or more remote phone numbers to which Mobile Connect connects using one or both of the following procedures:
   • (Preferred) To specify the GSM number of the mobile device, see Add Mobility Identity.
   • (Optional) To specify alternate phone numbers, see Add Remote Destination (Optional). Alternate numbers can be any type of phone number, such as home phone numbers, conference room numbers, desk phone numbers, or a GSM number for a second mobile device.
3. Test your settings:
   • Exit Cisco Jabber on the mobile device. For instructions, see the FAQs for users, available from the user guides list.
   • Call the Cisco Jabber extension from another phone.
   • Verify that the native mobile network phone number rings and that the call connects when you answer it.

• Enable Mobile Connect
• Add Mobility Identity
• Add Remote Destination (Optional)

Enable Mobile Connect

Use the following procedure to enable mobile connect for an end user.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Search for and delete any existing Remote Destination or Mobility Identity that is already set up with the mobile phone number.
Step 3	Navigate to the End User page for the user. In the Mobility Information section, check the Enable Mobility check box. On Unified CM Release 9.0 and earlier, specify the Primary User Device. Select Save.
Step 4	Navigate to the device page for the Cisco Dual Mode mobile device settings. Enter the following information: Setting Information Softkey Template Choose a softkey template that includes the Mobility button. For information about setting up softkey templates, see the related information in the Cisco Unified Communications Manager Administration Guide for your release. This documentation can be found in the maintenance guides list. Mobility User ID Select the user. Owner User ID Select the user. The value must match the Mobility User ID. Rerouting Calling Search Space Choose a Rerouting Calling Search Space that includes both of the following: The partition of the desk phone extension of the user. This requirement is used by the system to provide the Dial via Office feature, not for routing calls. A route to the mobile phone number. The route to the mobile phone number (that is, the Gateway/Trunk partition) must have a higher preference than the partitions of the enterprise extension that is associated with the device. Note that Cisco Jabber allows users to specify a callback number for Dial via Office-Reverse calls that is different from the mobile phone number of the device, and the Rerouting Calling Search Space controls which callback numbers are reachable. If the user sets up the DVO Callback Number with an alternate number, ensure that you set up the trunk Calling Search Space (CSS) to route to destination of the alternate phone number. Select Save.

---

Add Mobility Identity

Use this procedure to add a Mobility Identity to specify the GSM number of the mobile device as the destination number. This destination number is used by features such as Dial via Office or Mobile Connect.

You can specify only one number when you add a mobility identity. If you want to specify an alternate number such as a second GSM number for a mobile device, you can set up a remote destination. The Mobility Identity configuration characteristics are identical to those of the Remote Destination configuration.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the device page for the Cisco Dual Mode mobile device settings.
Step 3	In the Associated Mobility Identity section, select Add a New Mobility Identity.
Step 4	Enter the mobile phone number as the Destination Number. This number must be routable to an outbound gateway. Generally, the number is the full E.164 number. Note    If you enable the Dial via Office - Reverse feature for a user, you must enter a destination number for the user's mobility identity. If you enable Dial via Office - Reverse and leave the destination number empty in the mobility identity: The phone service cannot connect if the user selects the Automatically select Jabber calling option while using a 3G network and VPN. The phone service cannot connect if the user selects the Always use DVO Jabber calling option on any type of network. The logs do not indicate why the phone service cannot connect. When using Dial via Office - Reverse, the system does not automatically push updated destination numbers for the user's mobility identity to the client after you already entered a destination number. To work around this issue, ask the user to do one of the following: In the Cisco Jabber for Android Settings, manually update the phone number in the DVO Callback Number field. In the Cisco Jabber for Android Settings, delete the current number in the DVO Callback Number field, and then exit and restart Cisco Jabber for Android. Use the Android Settings to clear the Cisco Jabber for Android application data, and then reprovision Cisco Jabber for Android. For more information about using the Android Settings or the Cisco Jabber for Android Settings, see the FAQs.
Step 5	Enter the initial values for call timers. These values ensure that calls are not routed to the mobile service provider voicemail before they ring in the client on the mobile device. For more information, see the online help in Unified CM. Example: Setting Suggested Initial Value Answer Too Soon Timer 3000 Answer Too Late Timer 20000 Delay Before Ringing Timer 0 Note    This setting does not apply to DVO-R calls.
Step 6	Check the Enable Mobile Connect check box.
Step 7	If you are setting up the Dial via Office feature, in the Mobility Profile drop-down list, select one of the following options. Option Description Leave blank Choose this option if you want users to use the Enterprise Feature Access Number (EFAN). Mobility Profile Choose the Mobility Profile that you just created if you want users to use a Mobility Profile instead of an EFAN.
Step 8	Set up the schedule for routing calls to the mobile number.
Step 9	Select Save.

---

Related Tasks

Set Up Enterprise Feature Access Number

Add Remote Destination (Optional)

Use this procedure to add a Remote Destination to specify any alternate number as the destination number. The Mobility Identity configuration characteristics are identical to those of the Remote Destination configuration.

Alternate numbers can be any type of phone number, such as home phone numbers, conference room numbers, desk phone numbers, or multiple GSM numbers for additional mobile devices. You can add more than one remote destination.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the device page for the Cisco Dual Mode mobile device settings.
Step 3	In the Associated Remote Destinations section, select Add a New Remote Destination.
Step 4	Enter the desired phone number as the Destination Number. This number must be routable to an outbound gateway. Generally, the number is the full E.164 number.
Step 5	Enter the initial values for call timers. These values ensure that calls are not routed to the mobile service provider voicemail before they ring in the client on the mobile device. For more information, see the online help in Unified CM. Example: Setting Suggested Initial Value Answer Too Soon Timer 3000 Answer Too Late Timer 20000 Delay Before Ringing Timer 0 Note    This setting does not apply to DVO-R calls.
Step 6	Check the Enable Mobile Connect check box.
Step 7	Set up the schedule for routing calls to the mobile number.
Step 8	Select Save.

---

Enable Active Call Transfer from VoIP to Mobile Voice Network

Users can transfer an active VoIP call from Cisco Jabber for Android to their mobile phone number on the mobile voice network. This feature is useful when a user on a call leaves the corporate Wi-Fi network (for example, leaving the building to walk out to the car), or if there are voice quality issues over the Wi-Fi or mobile data network. This Cisco Jabber for Android feature is called Use Mobile Network.

• For system-level settings, check that the Mobility softkey appears when the phone is in the connected and on-hook call states.

  1. Sign in to the Unified CM Administration portal.
  2. Select Device > Device Settings > Softkey Template.
  3. Select the softkey template that you selected when you configured the device for Mobile Connect.
  4. In the Related Links drop-down list at the upper right, choose Configure Softkey Layout and select Go.
  5. In the call state drop-down list, select the Connected state and verify that the Mobility key is in the list of selected softkeys.
  6. In the call state drop-down list, select the On Hook state and verify that the Mobility key is in the list of selected softkeys.

• For the per-user and per-device settings in Cisco Unified Communications Manager, set the specific device to use the Mobility softkey when the device transfers calls to the mobile voice network. Ensure that you have set up both MobilityIdentity and Mobile Connect for the mobile device. After the transfer feature is working, users can enable and disable Mobile Connect at their convenience without affecting the feature.

  1. Sign in to the Unified CM Administration portal.
  2. Select the Owner User ID on the Phone Configuration screen for your Cisco Dual Mode for Android device.
  3. Select the Mobility User ID. The value usually matches that of the Owner User ID.
  4. In the Product Specific Configuration Layout section, in the Transfer to Mobile Network drop-down list, choose Use Mobility Softkey.

What to Do Next

Test your settings by transferring an active call from VoIP to the mobile network.

Related Tasks

Add user device

Related Information

Set Up Mobile Connect

Enable Active Call Transfer from Desk Phone to Mobile Device

Before You Begin

• Ensure that you configured the desk phone and the Cisco Dual Mode for Android (BOTXXXX) device.
• Ensure that you configured the Mobile Connect feature on the BOTXXXX device. See Set Up Mobile Connect.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the Phone Configuration screen for the BOTXXXX device.
Step 3	In the Device Information section, note the value of the Mobility User ID.
Step 4	Navigate to the Phone Configuration screen for the associated desk phone.
Step 5	In the Device Information section, ensure that the value of the Owner User ID of the desk phone matches the value for the Mobility User ID of the BOTXXXX device.
Step 6	In the Device Information section, from the Softkey Template drop-down list, choose Mobility. Note    If you do not see the Mobility option, you must configure the Mobility softkey. See the "Mobility Softkey Configuration" section in the "Cisco Unified Mobility" chapter of Cisco Unified Communications Manager Features and Services Guide, Release 7.0(1).

---

What to Do Next

Test your settings. The procedure for moving the call to your mobile device can vary depending on your desk phone model. A sample procedure is as follows:

1. Press the Mobility softkey on your desk phone. In some cases, you need to press More a few times before you see the Mobility softkey.
2. Select Send call to Mobile.
3. Answer your call on your mobile device.

Related Tasks

Related Information

Set Up Mobile Connect

Set Up Dial Via Office

Important:

The DVO-R feature requires:

• Cisco Jabber for Android client, Release 9.1(1) and later.
• Unified CM 9.1(1a).

User-controlled voicemail avoidance, which can be used in conjunction with the Dial via Office feature, is available only on Unified CM Release 9.0 and later. Timer-controlled voicemail avoidance is available on Unified CM Release 6.0 and later.

The application cannot be provisioned with SIP Digest if Dial via Office is enabled.

The Dial via Office (DVO) feature allows users to initiate Cisco Jabber outgoing calls with their work number using the voice plan for the device.

There are two types of Dial via Office calls: Dial via Office-Reverse (DVO-R) and Dial via Office-Forward (DVO-F). Cisco Jabber supports Dial via Office-Reverse (DVO-R) calls. DVO-R works as follows:

1. User initiates a Dial via Office-Reverse call.
2. The client notifies Unified CM to call the mobile phone number.
3. Unified CM calls and connects to the mobile phone number.
4. Unified CM calls and connects to the number that the user dialed.
5. Unified CM connects the two segments.
6. The user and the called party continue as with an ordinary call.

Incoming calls use either Mobile Connect or the Internet, depending on which Jabber Calling Options the user sets on the client. Dial via Office does not require Mobile Connect to work. However, we recommend that you enable Mobile Connect to allow the native mobile number to ring when someone calls the work number. From the Unified CM user pages, users can enable and disable Mobile Connect, and adjust Mobile Connect behavior using settings (for example, the time of day routing and Delay Before Ringing Timer settings). For information about setting up Mobile Connect, see Set Up Mobile Connect.

The following table describes the calling methods used for incoming and outgoing calls. The calling method (Internet, Mobile Connect, DVO-R, or native cellular call) varies depending on the selected Jabber Calling Options and the network connection.

Table 1 Calling Methods used with Jabber Calling Options over Different Network Connections

Connection	Call Options
	Always use Internet		Always use DVO		Auto Select
Corporate Wi-Fi	Outgoing: Internet	Incoming: Internet	Outgoing: DVO-R	Incoming: Mobile Connect	Outgoing: Internet	Incoming: Internet
Noncorporate Wi-Fi
Mobile Network (3G, 4G)					Outgoing: DVO-R	Incoming: Mobile Connect
Jabber is not registered	Outgoing Native Cellular Call
	Incoming Mobile Connect

To set up Dial via Office-Reverse (DVO-R), you must do the following:

1. Set up the Unified CM to support DVO-R. See Set Up Unified CM to Support DVO-R.
2. Enable DVO on each Cisco Dual Mode for Android device. See Set Up Dial Via Office for Each Device.

• Set Up Unified CM to Support DVO-R
• Set Up Dial Via Office for Each Device

Set Up Unified CM to Support DVO-R

To set up Unified CM to support DVO-R, perform the following procedures:

1. Complete one or both of the following procedures.
   • Set Up Enterprise Feature Access Number
   • Set Up Mobility Profile
2. Verify Device COP File Version
3. If necessary, create application dial rules to allow the system to route calls to the Mobile Identity phone number to the outbound gateway. Ensure that the format of the Mobile Identity phone number matches the application dial rules. For more information, see Application Dial Rules.

Note	The DVO-R feature requires: Cisco Jabber for Android client, Release 9.1(1) and later. Unified CM 9.1(1a).

Set Up Enterprise Feature Access Number

Use this procedure to set up an Enterprise Feature Access Number for all Cisco Jabber calls that are made using Dial via Office-Reverse.

The Enterprise Feature Access Number is the number that Cisco Unified Communications Manager uses to call the mobile phone and the dialed number unless a different number is set up in Mobility Profile for this purpose.

Before You Begin

• Reserve a Direct Inward Dial (DID) number to use as the Enterprise Feature Access Number (EFAN). This procedure is optional if you already set up a mobility profile.
• Determine the required format for this number. The exact value you choose depends on the phone number that the gateway passes (for example, 7 digits or 10 digits). The Enterprise Feature Access Number must be a routable number.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Choose Call Routing > Mobility > Enterprise Feature Access Number Configuration.
Step 3	Select Add New.
Step 4	In the Number field, enter the Enterprise Feature Access number. Enter a DID number that is unique in the system. To support dialing internationally, you can prepend this number with \+.
Step 5	From the Route Partition drop-down list, choose the partition of the DID that is required for enterprise feature access. This partition is set under System > Service Parameters, in the Clusterwide Parameters (System - Mobility) section, in the Inbound Calling Search Space for Remote Destination setting. This setting points either to the Inbound Calling Search Space of the Gateway or Trunk, or to the Calling Search Space assigned on the Phone Configuration screen for the device. If the user sets up the DVO Callback Number with an alternate number, ensure that you set up the trunk Calling Search Space (CSS) to route to destination of the alternate phone number.
Step 6	In the Description field, enter a description of the Mobility Enterprise Feature Access number.
Step 7	(Optional) Check the Default Enterprise Feature Access Number check box if you want to make this Enterprise Feature Access number the default for this system.
Step 8	Select Save.

---

Set Up Mobility Profile

Use this procedure to set up a mobility profile for Cisco Jabber devices. This procedure is optional if you already set up an Enterprise Feature Access Number.

Mobility profiles allow you to set up the Dial via Office-Reverse settings for a mobile client. After you set up a mobility profile, you can assign it to a user or to a group of users, such as the users in a region or location.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Choose Call Routing > Mobility > Mobility Profile.
Step 3	In the Mobility Profile Information section, in the Name field, enter a descriptive name for the mobility profile.
Step 4	In the Dial via Office-Reverse Callback section, in the Callback Caller ID field, enter the caller ID for the callback call that the client receives from Unified CM.
Step 5	Click Save.

---

Verify Device COP File Version

Use the following procedure to verify that you are using the correct device COP file for this release of Cisco Jabber.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Choose Device > Phone.
Step 3	Click Add New.
Step 4	From the Phone Type drop-down list, choose Cisco Dual Mode for Android.
Step 5	Click Next.
Step 6	Scroll down to the Product Specific Configuration Layout section, and verify that you can see the Dial via Office drop-down list. If you can see the Dial via Office drop-down list, the COP file is already installed on your system. If you cannot see the Dial via Office drop-down list, locate and download the correct COP file. For more information, see Required Files.

---

Set Up Dial Via Office for Each Device

Use the following procedures to set up Dial via Office - Reverse for each Cisco Jabber device.

1. Add a Mobility Identity for each user.
2. Enable Dial via Office on each device.
3. If you enabled Mobile Connect, verify that Mobile Connect works. If you dial the desk phone extension, the phone number that is specified in the associated Mobile Identity should ring.

Add Mobility Identity

Use this procedure to add a Mobility Identity to specify the GSM number of the mobile device as the destination number. This destination number is used by features such as Dial via Office or Mobile Connect.

You can specify only one number when you add a mobility identity. If you want to specify an alternate number such as a second GSM number for a mobile device, you can set up a remote destination. The Mobility Identity configuration characteristics are identical to those of the Remote Destination configuration.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the device page for the Cisco Dual Mode mobile device settings.
Step 3	In the Associated Mobility Identity section, select Add a New Mobility Identity.
Step 4	Enter the mobile phone number as the Destination Number. This number must be routable to an outbound gateway. Generally, the number is the full E.164 number. Note    If you enable the Dial via Office - Reverse feature for a user, you must enter a destination number for the user's mobility identity. If you enable Dial via Office - Reverse and leave the destination number empty in the mobility identity: The phone service cannot connect if the user selects the Automatically select Jabber calling option while using a 3G network and VPN. The phone service cannot connect if the user selects the Always use DVO Jabber calling option on any type of network. The logs do not indicate why the phone service cannot connect. When using Dial via Office - Reverse, the system does not automatically push updated destination numbers for the user's mobility identity to the client after you already entered a destination number. To work around this issue, ask the user to do one of the following: In the Cisco Jabber for Android Settings, manually update the phone number in the DVO Callback Number field. In the Cisco Jabber for Android Settings, delete the current number in the DVO Callback Number field, and then exit and restart Cisco Jabber for Android. Use the Android Settings to clear the Cisco Jabber for Android application data, and then reprovision Cisco Jabber for Android. For more information about using the Android Settings or the Cisco Jabber for Android Settings, see the FAQs.
Step 5	Enter the initial values for call timers. These values ensure that calls are not routed to the mobile service provider voicemail before they ring in the client on the mobile device. For more information, see the online help in Unified CM. Example: Setting Suggested Initial Value Answer Too Soon Timer 3000 Answer Too Late Timer 20000 Delay Before Ringing Timer 0 Note    This setting does not apply to DVO-R calls.
Step 6	Check the Enable Mobile Connect check box.
Step 7	If you are setting up the Dial via Office feature, in the Mobility Profile drop-down list, select one of the following options. Option Description Leave blank Choose this option if you want users to use the Enterprise Feature Access Number (EFAN). Mobility Profile Choose the Mobility Profile that you just created if you want users to use a Mobility Profile instead of an EFAN.
Step 8	Set up the schedule for routing calls to the mobile number.
Step 9	Select Save.

---

Enable Dial Via Office on Each Device

Use this procedure to enable Dial via Office on each device.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the device page for the user.
Step 3	In the Device Information section, check the Enable Cisco Unified Mobile Communicator check box.
Step 4	On the device page for the user, in the Product Specific Configuration Layout section, set the Dial via Office drop-down list to Enabled. Important: DVO-R is supported only on Unified CM Release 9.1 and later. Cisco plans to release a service update (SU) in the near future to support Cisco Jabber with DVO-R on Unified CM 8.6. If you enable this setting on an unsupported release of Unified CM, the end user sees the DVO calling options and can attempt to make DVO-R calls, but the calls cannot connect.
Step 5	Select Save.
Step 6	Select Apply Config.

---

What to Do Next

Test this feature.

Set Up Voicemail Avoidance

Voicemail avoidance is a feature that prevents calls from being answered by the mobile service provider voice mail. This feature is useful if a user receives a Mobile Connect call from the enterprise on the mobile device. It is also useful when an incoming DVO-R call is placed to the mobile device.

You can set up Voicemail Avoidance in one of two ways:

• Timer-controlled: (Default) With this method, you set timers on the Unified CM to determine if the call is answered by the mobile user or mobile service provider voicemail.
• User-controlled: With this method, you set the Unified CM to require that a user presses any key on the keypad of the device to generate a DTMF tone before the call can proceed.

If you deploy DVO-R, Cisco recommends that you also set user-controlled Voicemail Avoidance. If you set user-controlled Voicemail Avoidance, this feature applies to both DVO-R and Mobile Connect calls.

For more information about voicemail avoidance, see the section called "Confirmed Answer and DVO VM detection" in the Unified CM Features and Services Guide.

• Set Up Timer-Controlled Voicemail Avoidance
• Set Up User-Controlled Voicemail Avoidance

Set Up Timer-Controlled Voicemail Avoidance

Timer-controlled voicemail avoidance is supported on Unified CM Release 6.0 and later.

Set up the timer control method by setting the Answer Too Soon Timer and Answer Too Late Timer on either the Mobility Identity or the Remote Destination. For more information, see Add Mobility Identity or Add Remote Destination (Optional).

Set Up User-Controlled Voicemail Avoidance

Important:

User-controlled voicemail avoidance is available on Unified CM Release 9.0 and later.

To set up User-Controlled Voicemail Avoidance, perform the following procedures:

1. Set Up Unified CM to Support User-Controlled Voicemail Avoidance
2. Set up user-controlled voicemail avoidance on the device by performing one of the following procedures:
   • Enable User-Controlled Voicemail Avoidance on Mobility Identity
   • Enable User-Controlled Voicemail Avoidance on Remote Destination

Important:

Cisco does not support user-controlled voicemail avoidance when using DVO-R with alternate numbers that the end user sets up in the client. An alternate number is any phone number that the user enters in the DVO Callback Number field on the client that does not match the phone number that you set up on the user's Mobility Identity.

If you set up this feature with alternate numbers, the Unified CM connects the DVO-R calls even if the callback connects to a wrong number or a voicemail system.

Set Up Unified CM to Support User-Controlled Voicemail Avoidance

Use this procedure to set up the Unified CM to support user-controlled Voicemail Avoidance.

Procedure

---

Step 1	Sign in to the Unified CM.
Step 2	In the Navigation field, choose Unified CM Administration.
Step 3	Choose System > Service Parameters.
Step 4	In the Server drop-down list, select the active United CM.
Step 5	In the Service drop-down list, select the Cisco Call Manager (Active) service.
Step 6	Configure the settings in the Clusterwide Parameters (System - Mobility Single Number Reach Voicemail) section. Note    The settings in this section are not specific to Cisco Jabber. For information about how to configure these settings, see "Confirmed Answer and DVO VM detection" section in the Cisco Unified Communication Manager Administrator Guide for your release.
Step 7	Click Save.

---

Enable User-Controlled Voicemail Avoidance on Mobility Identity

Use this procedure to enable user-controlled voicemail avoidance for the end user's mobility identity.

Before You Begin

• Set up the annunciator on the Unified CM. For more information, see the "Annunciator setup" section in the Cisco Unified Communication Manager Administrator Guide for your release.
• If you set up a Media Resource Group on the Unified CM, set up the annunciator on the Media Resource Group. For more information, see the "Media resource group setup" section in the Cisco Unified Communication Manager Administrator Guide for your release.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the device page for the user.
Step 3	In the Associated Mobility Identity section, click the link for the Mobility Identity. Note    To ensure that the Voicemail Avoidance feature works correctly, the DVO Callback Number that the end user enters in the Cisco Jabber client must match the Destination Number that you enter on the Mobility Identity Configuration screen.
Step 4	In the Single Number Reach Voicemail Policy drop-down list, select User control.
Step 5	Click Save.

---

Enable User-Controlled Voicemail Avoidance on Remote Destination

Use this procedure to enable user-controlled voicemail avoidance for the end user's remote destination.

Before You Begin

• Set up the annunciator on the Unified CM. For more information, see the "Annunciator setup" section in the Cisco Unified Communication Manager Administrator Guide for your release.
• If you set up a Media Resource Group on the Unified CM, set up the annunciator on the Media Resource Group. For more information, see the "Media resource group setup" section in the Cisco Unified Communication Manager Administrator Guide for your release.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the device page for the user.
Step 3	In the Associated Remote Destinations section, click the link for the associated remote destination.
Step 4	In the Single Number Reach Voicemail Policy drop-down list, select User control.
Step 5	Click Save.

---

Set Up Visual Voicemail

The visual voicemail feature is an alternative to the basic voicemail service.

With visual voicemail, you can see a list of your messages without having to dial in to your voice mailbox. From this list, you can:

• Play or pause your messages
• See a transcription of your messages (if available)
• Delete messages
• Call back the contact who sent the message
• Add contacts

Set up visual voicemail with the following procedures:

1. Verify that Voicemail Representational State Transfer (VMREST) services are set up on Cisco Unity Connection. See Verify VMREST Services.
2. Enable settings for secure messaging on Cisco Unity Connection. See Enable Settings for Secure Messaging.
3. Set up visual voicemail on Unified CM. See Set Up Visual Voicemail on Unified CM.

Verify VMREST Services

Use this procedure to verify that your Cisco Unity Connection is set up with the correct VMREST services to support visual voicemail on Cisco Jabber for Android.

Procedure

---

Step 1	Sign in to Cisco Unity Connection Administration.
Step 2	In the Navigation drop-down list, choose Cisco Unity Connection Serviceability.
Step 3	Select Go.
Step 4	Choose Tools > Service Management.
Step 5	In the Optional Services section, verify that the following services are active and running: Connection Jetty Connection REST Service

---

Enable Settings for Secure Messaging

Use this procedure if you want to set up the Cisco Unity Connection to support playback of secure voice messages on Cisco Jabber for Android.

Procedure

---

Step 1	Sign in to Cisco Unity Connection Administration.
Step 2	In the Navigation drop-down list, choose Cisco Unity Connection Administration.
Step 3	Select Go.
Step 4	In the left pane, navigate to System Settings > Advanced > API Settings.
Step 5	Check the following three check boxes: Allow Access to Secure Message Recordings through CUMI Display Message Header Information of Secure Messages through CUMI Allow Message Attachments through CUMI
Step 6	Select Save.

---

Set Up Visual Voicemail on Unified CM

Before You Begin

• Collect the values for the settings that are listed in the table in this procedure.
• Consult your voicemail administrator if you have questions about the values for the settings in this section.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the device page for the user.
Step 3	In the Product Specific Configuration Layout section, enter voicemail settings. Setting Description Voicemail Username Unique username for voicemail access for this user. Voicemail Server (include the port) For the voicemail server, enter the fully qualified domain name or IP address. Use the format Servername.YourCompany.com:portnumber Voicemail Message Store Username Leave this field blank. Cisco Jabber for Android does not use this field. This field is used for devices that support Cisco Unity. Voicemail Message Store Leave this field blank. Cisco Jabber for Android does not use this field. This field is used for devices that support Cisco Unity.
Step 4	Select Save.
Step 5	Select Apply Config.
Step 6	Select Reset.
Step 7	Restart Cisco Jabber.
Step 8	Step through the setup wizard until you see the Voicemail screen.
Step 9	Enter your voicemail password.
Step 10	Select Verify.
Step 11	Complete the setup wizard.

---

What to Do Next

Test this feature.

Enable Enhanced Message Waiting Indicator

A Message Waiting Indicator alerts users to the presence of new voice messages. Enhanced Message Waiting Indicator provides a count of unheard messages on systems that support this feature. Users can call the voice messaging system to retrieve the messages.

Note	To enable the basic Message Waiting Indicator, follow the instructions in the Cisco Unified Communications Manager documentation for your release. There are no unique configurations for this client.

If your deployment supports Enhanced Message Waiting Indicator, enable this option in the Cisco Unity Connection Administration portal.

Procedure

---

Step 1	Sign in to Cisco Unity Connection Administration.
Step 2	In the left pane, navigate to Telephony Integrations > Phone System.
Step 3	Select the link for the desired phone system.
Step 4	In the Message Waiting Indicators section, select the Send Message Counts check.
Step 5	Select Save.

---

Specify Directory Search Settings

Use this procedure to specify the settings that Cisco Jabber uses to connect to the directory server. When the user sets up Cisco Jabber, these settings are automatically configured.

Note

Cisco Jabber for Android does not support the Reporting Structure feature with Open LDAP. This feature is supported only with Microsoft Active Directory. If you want to set up the Reporting Structure, Cisco Jabber for Android uses the following elements: Manager, Direct reports, Title, and Department.

Before You Begin

Identify attributes in your corporate directory schema that are different from, or additional to, the application defaults. You must map changed attributes later in this procedure.

Using the following table, verify the values for your directory:

• If you use an Active Directory server, review the values in the column called "Default Active Directory Attribute." If your attributes differ from the values in the "Default Active Directory Attribute" column, make a note of your actual attribute name in the column titled "Your Value, if Different."
• If you use an LDAP server that is not an Active Directory server, review the values in the column called "Default Attribute for All Other LDAP Servers." If your attributes differ from the values in the "Default Attribute for All Other LDAP Servers" column, make a note of your actual attribute name in the column titled "Your Value, if Different."

Table 2 Directory Elements and Attributes

Element	Element Name	Default Active Directory Attribute	Default Attribute for All Other LDAP Servers	Your Value, if Different
Unique identifier	identifier	distinguishedName	distinguishedName
Display name	displayName	displayName	cn
Email address	emailAddress	mail	mail
First name	firstName	givenName	givenName
Last name	lastName	sn	sn
User ID	userid	sAMAccountName	uid
Main phone number	mainPhoneNumber	telephoneNumber	telephoneNumber
Home phone number	homePhoneNumber	homeTelephoneNumber	homeTelephoneNumber
Second home phone number	homePhoneNumber2	homeTelephoneNumber	homeTelephoneNumber
Mobile phone number	mobilePhoneNumber	mobile	mobile
Second mobile phone number	mobilePhoneNumber2	mobile	mobile
Direct to voicemail phone number	voicemailPhoneNumber	voicemai	voicemail
Fax number	faxPhoneNumber	facsimileTelephoneNumber	facsimileTelephoneNumber
Other phone number	otherPhoneNumber	telexNumber	telexNumber
Manager	manager	manager
Direct reports	directReports	directReports
Title	title	title
Department	department	department

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the Cisco Dual Mode device page for the user.
Step 3	In the Product Specific Configuration Layout section, set the Enable LDAP User Authentication setting. If users do not need to enter credentials to access directory services, select Disabled. If users must enter credentials to access directory services, select Enabled.
Step 4	In the LDAP Server field, enter the IP address or hostname of the LDAP server. If you do not want to deploy Directory Search in Cisco Jabber for Android, leave this field blank. Otherwise, enter the IP address or hostname, and port number of your directory server. Use the format YourDirectoryServer.YourCompany.com:portnumber. If you enter an IP address or hostname but do not enter a port, the client tries to connect to port 389.
Step 5	The Enable LDAP SSL drop-down list appears. Because there is no support for SSL with LDAP, SSL is disabled by default. Choosing Enabled or Disabled has no effect.
Step 6	Enter the LDAP Search Base using one of the following formats. OU=organization,DC=corp,DC=yourcompany,DC=com CN=users,DC=corp,DC=yourcompany,DC=com By default, this application uses the search base found in a RootDSE search on the defaultNamingContext attribute. To specify a different search base, enter the Distinguished Name of the root node in your corporate directory that contains user information. Use the lowest node that includes the necessary names. Using a higher node creates a larger search base and thus reduces performance if the directory is very large. Note    To help determine the optimal search base, use a utility such as Active Directory Explorer (available from Microsoft) to view your data structure.
Step 7	Enter the LDAP field mappings. LDAP field mappings identify the attributes in your directory that hold the information to search and display for directory searches. Using the Directory Elements and Attributes table, enter any field mappings that do not match the default as name=value pairs, separating each field with a semicolon (;). Enter the information that is contained in the "Element Name" column for the name. Enter the information in the "Your Value if Different" column for the value. Example:displayName=nickname;emailAddress=email
Step 8	Enter the LDAP photo location. Enter the pathname to the image files on your HTTP server. Be sure to specify the correct graphics file type (for example, jpg or png). Use the variable %%LDAP Attribute %% to represent the LDAP attribute. Example:http://yourcompany.cisco.com/photo/std/%%userID%%.jpg You must include the double percent symbols in the string. Cisco Jabber for Android automatically resizes the images as needed, but it processes smaller images faster. You must store your photos on an HTTP server, with filenames that are identical to the values in an LDAP directory attribute (excluding the filename extension). By default, Cisco Jabber for Android uses the attribute that is mapped to the userid element in the Directory Elements and Attributes table that precedes this procedure. You can specify a different attribute in the LDAP Field Mappings field. Example:If an image file from your directory is named jsmith.jpg, and the value in the cn attribute is jsmith, then you can use the LDAP Field Mappings field to map the userid element to the cn attribute in your LDAP directory.
Step 9	Select Save.
Step 10	Restart Cisco Jabber for Android.

---

What to Do Next

Test the directory search feature.

Set Up SIP Digest Authentication Options

SIP Digest Authentication is a Unified CM security feature that authenticates user devices. For more information, see the Cisco Unified Communications Manager Security Guide and the Cisco Unified Communications Manager Administration Guide, available from the maintenance guides list.

Note	Cisco Jabber does not support SIP Digest Authentication feature with the Dial via Office - Reverse feature.

For Cisco Jabber, you have three options:

• Disable SIP Digest Authentication—Disable SIP Digest Authentication if your deployment does not use this feature. See Disable SIP Digest Authentication.
• Enable SIP Digest Authentication with automatic password authentication
  • The password is not stored. It is sent from the TFTP server in clear text.
  • Users do not have to manually enter this password.
  • There is less chance of entry error that prevents Cisco Jabber from registering with Unified CM.
  See Enable SIP Digest Authentication with Automatic Password Authentication.
• Enable SIP Digest Authentication with manual password authentication
  • The password is encrypted.
  • Users must manually enter this password.
  See Enable SIP Digest Authentication with Manual Password Authentication.

• Disable SIP Digest Authentication
• Enable SIP Digest Authentication with Automatic Password Authentication
• Enable SIP Digest Authentication with Manual Password Authentication

Disable SIP Digest Authentication

Follow these steps on each device page in Unified CM.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the device page.
Step 3	In the Protocol Specific Information section, in the Device Security Profile drop-down list, select “Cisco Dual Mode for Android - Standard SIP Non-Secure Profile.”
Step 4	Complete the authentication details in the Product Specific Configuration Layout section. In the Enable SIP Digest Authentication drop-down list, select “Disabled.” Leave SIP Digest Username blank.
Step 5	Select Save.
Step 6	Select Apply Config.
Step 7	Restart Cisco Jabber.

---

Enable SIP Digest Authentication with Automatic Password Authentication

Procedure

---

Step 1	Create a new profile for Cisco Dual Mode for Android under System > Security Profile > Phone Security Profile: Select Add New. In the Phone Security Profile Type drop-down list, select Cisco Dual Mode for Android. Select Next. Enter a name for your new phone security profile. Check Enable digest authentication. Uncheck Exclude digest credentials in configuration file. Select Save.
Step 2	On each End User page, in the User Information section, complete the following tasks: In the User ID field, verify that the user ID is entered. In the Digest Credentials field, enter the digest credentials. In the Confirm Digest Credentials field, reenter the digest credentials.
Step 3	On each Cisco Dual Mode for Android device page, complete the profile information in the Protocol Specific Information section: In the Device Security Profile drop-down list, select the new secure profile you just created. In the Digest User drop-down list, select the digest user.
Step 4	On the same device page, complete the authentication details in the Product Specific Configuration Layout section: In the Enable SIP Digest Authentication drop-down list, select Enabled. Leave SIP Digest Username blank.
Step 5	Select Save.
Step 6	Select Apply Config.
Step 7	Restart Cisco Jabber.

---

Enable SIP Digest Authentication with Manual Password Authentication

Procedure

---

Step 1	Create a new profile for Cisco Dual Mode for Android under System > Security Profile > Phone Security Profile: Select Add New. In the Phone Security Profile Type drop-down list, select Cisco Dual Mode for Android. Select Next. Enter a name for your new phone security profile. Check Enable digest authentication. Check Exclude digest credentials in configuration file. Select Save.
Step 2	On each End User page, in the User Information section, complete the following tasks: In the User ID field, verify that the user ID is entered. In the Digest Credentials field, enter the digest credentials. In the Confirm Digest Credentials field, reenter the digest credentials. Make a note of this password. You provide this password to the user later.
Step 3	On each Cisco Dual Mode for Android device page, enter the new profile information in the Protocol Specific Information section: In the Device Security Profile list, select the new secure profile you just created. In the Digest User list, select the digest user.
Step 4	On the same device page, complete the authentication details in the Product Specific Configuration Layout section: In the Enable SIP Digest Authentication list, select Enabled. Important: To enable SIP Digest Authentication, you must also select a custom device security profile in which you enable SIP Digest Authentication (as outlined in the previous step). If you enable SIP Digest Authentication without first selecting this custom device security profile: Cisco Jabber prompts the end user to enter SIP Digest Authentication credentials. Cisco Jabber accepts any credentials. Unified CM does not authenticate the device using SIP Digest Authentication. For the SIP Digest Username, enter the digest user you just selected.
Step 5	Select Save.
Step 6	Select Apply Config.
Step 7	Restart Cisco Jabber and step through the setup wizard again.
Step 8	On the Phone Services Settings screen, enter your SIP Digest Authentication credentials. This password is case sensitive.

---

Set Up Cisco AnyConnect

Cisco AnyConnect Secure Mobility Client is a VPN application that allows Cisco Jabber to securely connect to your corporate network from a remote location using Wi-Fi or mobile data networks.

If you deployed Cisco Jabber for Android with secure connect previously, see the "What's New" section of the Release Notes for Cisco Jabber for Android, Release 9.0(1), which can be found in the Release Notes list.

Note	Cisco does not guarantee the voice quality on noncorporate Wi-Fi networks or mobile data networks.

To support the Cisco AnyConnect Secure Mobility Client, you must set up your system using the following procedures.

1. Install and set up the Cisco Adaptive Security Appliance (ASA).
   • For supported Cisco Adaptive Security Appliance models and other requirements, see the Release Notes.
   • For instructions for installing and configuring an ASA, see the Cisco ASA 5500 Series Configuration and Installation Guide list.
2. Set up the ASA to support Cisco AnyConnect. Perform the following procedures in order:
   1. Provision Application Profiles
   2. Automate VPN Connection
   3. Set Up Certificate-Based Authentication
   4. Set ASA Session Parameters
   5. Set Up Tunnel Policies
3. Set up the Unified CM to support Cisco AnyConnect by setting the Preset Wi-Fi Networks field. See Add User Device.

Note

Cisco supports Cisco Jabber for Android with Cisco AnyConnect Secure Mobility Client. Although other VPN clients are not officially supported, you may be able to use Cisco Jabber for Android with other VPN clients. If you use another VPN client, set up VPN as follows: Install and configure the VPN client using the relevant third-party documentation. Configure the Preset Wi-Fi Networks using the following procedure: Add User Device.

• Provision Application Profiles
• Automate VPN Connection
• Set Up Certificate-Based Authentication
• Set ASA Session Parameters
• Set Up Tunnel Policies

Provision Application Profiles

After users download the Cisco AnyConnect client to their device, the ASA must provision a configuration profile to the application.

The configuration profile for the Cisco AnyConnect client includes VPN policy information such as the company ASA VPN gateways, the connection protocol (IPSec or SSL), and on-demand policies.

• Provision VPN Profiles on ASA

Provision VPN Profiles on ASA

Cisco recommends that you use the profile editor on the ASA Device Manager (ASDM) to define the VPN profile for the Cisco AnyConnect client.

When you use this method, the VPN profile is automatically downloaded to the Cisco AnyConnect client after the client establishes the VPN connection for the first time. You can use this method for all devices and OS types, and you can manage the VPN profile centrally on the ASA.

Use the following procedure to define a VPN profile.

Procedure

On the ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile. For more information, see the "Creating and Editing an AnyConnect Client Profile Using the Integrated AnyConnect Profile Editor" procedure in the "Deploying the AnyConnect Secure Mobility Client" chapter of the Cisco AnyConnect Secure Mobility Client Administrator Guide for your release. A list of document versions can be found at http:/​/​www.cisco.com/​en/​US/​products/​ps10884.

Automate VPN Connection

When users open Cisco Jabber from outside the corporate Wi-Fi network, Cisco Jabber needs a VPN connection to access the Cisco UC application servers. You can set up the system to allow Cisco AnyConnect Secure Mobility Client to automatically establish a VPN connection in the background, which helps ensure a seamless user experience.

• Set Up Trusted Network Detection

Set Up Trusted Network Detection

The Trusted Network Detection feature enhances the user experience by automating the VPN connection based on the user's location. When the user is inside the corporate Wi-Fi network, Cisco Jabber can reach the Cisco UC infrastructure directly. When the user leaves the corporate Wi-Fi network, Cisco Jabber automatically detects that it is outside the trusted network, and then indirectly initiates the VPN to ensure connectivity to the UC infrastructure.

Note	The Trusted Network Detection feature works with both certificate- and password-based authentication. However, certificate-based authentication provides the most seamless user experience.

Procedure

---

Step 1

Using ASDM, open the Cisco AnyConnect client profile.

Step 2

Enter the list of Trusted DNS Servers and Trusted DNS Domain Suffixes that an interface can receive when the client is within a corporate Wi-Fi network. The Cisco AnyConnect client compares the current interface DNS servers and domain suffix with the settings in this profile. Note    You must specify all your DNS servers to ensure that the Trusted Network Detection feature works properly. If you set up both the TrustedDNSDomains and TrustedDNSServers, sessions must match both settings to be defined as a trusted network. For detailed steps for setting up Trusted Network Detection, see the "Trusted Network Detection" section in the "Configuring AnyConnect Features" chapter (Release 2.5) or "Configuring VPN Access" (Releases 3.0 or 3.1) of the Cisco AnyConnect Secure Mobility Client Administrator Guide for your release. A list of guides can be found here: http:/​/​www.cisco.com/​en/​US/​products/​ps10884/​products_​installation_​and_​configuration_​guides_​list.html.

---

What to Do Next

Set up the Unified CM to support Cisco AnyConnect by setting the Preset Wi-Fi Networks field. See Add User Device.

Set Up Certificate-Based Authentication

The Cisco AnyConnect client supports many authentication methods including Microsoft Active Directory/LDAP password, RADIUS-based one-time tokens, and certificates. Of these methods, client certificate authentication provides the most seamless experience.

• Set Up ASA for Certificate-Based Authentication
• Distribute Client Certificates

Set Up ASA for Certificate-Based Authentication

ASA supports certificates issued by various standard Certificate Authority (CA) servers such as Cisco IOS CA, Microsoft Windows 2003, Windows 2008 R2, Entrust, VeriSign, and RSA Keon.

The following procedure outlines the high-level steps for setting up the ASA for certificate-based authentication. For detailed information, see the "Configuring Digital Certificates" section of the "Configuring Access Control" chapter of the Cisco ASA 5500 Series Configuration Guide using ASDM, 6.4 and 6.6. This document can be found at the following location: http:/​/​www.cisco.com/​en/​US/​products/​ps6120/​products_​installation_​and_​configuration_​guides_​list.html.

Procedure

---

Step 1	Import a root certificate from the CA to the ASA.
Step 2	Generate an identity certificate for the ASA.
Step 3	Use the ASA identity certificate for SSL authentication.
Step 4	Configure a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP).
Step 5	Configure the ASA to request client certificates for authentication.

---

Distribute Client Certificates

You must set up the system to ensure that you can issue certificates to users.

• Distribute Client Certificate Using SCEP

Distribute Client Certificate Using SCEP

ASA supports Simple Certificate Enrollment Protocol (SCEP) to simplify certificate distribution.

The ASA can use SCEP to securely issue and renew a certificate that is used for client authentication. The following is a general overview of this process.

1. The first time a remote user opens Cisco AnyConnect, the application authenticates the user with either Active Directory credentials or a one-time token password.
2. After the client establishes the VPN, the ASA provides a client profile that includes the SCEP request.
3. The Cisco AnyConnect client sends a certificate request and the Certificate Authority (CA) automatically accepts or denies the request.
4. If the CA accepts the request:
   1. The certificate is installed in the native certificate store on the device.
   2. Cisco AnyConnect uses the certificate for authentication, and no longer prompts the user for a password when establishing subsequent VPN connections.

Procedure

For information about how to install the SCEP module on a Windows 2008 server and set up the ASA, see the ASA 8.X: AnyConnect SCEP Enrollment Configuration Example.

Set ASA Session Parameters

You can set session parameters on the ASA to define the user experience of Cisco AnyConnect Secure Mobility Client and Cisco Jabber after the VPN connection is established.

ASA session parameters include the following:

• DTLS: DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP. DTLS allows the Cisco AnyConnect client to establish an SSL VPN connection that uses two simultaneous tunnels: an SSL tunnel and a DTLS tunnel. You can use DTLS to avoid latency and bandwidth problems, and to improve the performance of real-time applications such as Cisco Jabber that are sensitive to packet delays. If DTLS is configured and UDP is interrupted, the remote user's connection automatically falls back from DTLS to TLS. DTLS is enabled by default.
• Session Persistence: This parameter allows the VPN session to recover from service disruptions and re-establish the connection. For example, as the user roams from one Wi-Fi network to another Wi-Fi or mobile data network, the Cisco AnyConnect client automatically resumes the VPN session. In addition, you can set up Cisco AnyConnect to re-establish the VPN session after the device resumes from standby, sleep, or hibernation mode.
• Idle Timeout: The Idle Timeout (vpn-idle-timeout) is the time after which if there is no communication activity, the ASA terminates the VPN connection. A very short idle-timeout frequently disrupts the VPN connection and forces the user to re-establish VPN for every call. On the other hand, a large idle-timeout value results in too many concurrent sessions on the ASA. You can set up the Idle Timeout value by group policy.
• Dead-Peer Detection (DPD): This parameter ensures that the ASA gateway or the Cisco AnyConnect client can quickly detect a condition where the peer is not responding and the connection failed. Cisco recommends that you:
  • Disable server-side DPD to ensure that the device can sleep. (If you enable this parameter, it prevents the device from sleeping.)
  • Enable client-side DPD because it allows the client to determine when the tunnel is terminated due to a lack of network connectivity.

• Set ASA Session Parameters

Set ASA Session Parameters

Cisco recommends that you set up the ASA session parameters as follows to optimize the end user experience for Cisco AnyConnect Secure Mobility Client.

Procedure

---

Step 1	Set up Cisco AnyConnect to use DTLS. For information about how to set ASA session parameters, see the "Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections" section of the "Configuring AnyConnect Features Using ASDM" chapter of Cisco AnyConnect VPN Client Administrator Guide, Version 2.0. This document can be found at the following location: http:/​/​www.cisco.com/​en/​US/​products/​ps10884/​prod_​maintenance_​guides_​list.html.
Step 2	Set up session persistence (auto-reconnect). Use ASDM to open the VPN client profile. Set the Auto Reconnect Behavior parameter to Reconnect After Resume. For detailed information about how to set up session persistence, see the "Configuring Auto Reconnect" section in the "Configuring AnyConnect Features" chapter (Release 2.5) or "Configuring VPN Access" (Releases 3.0 or 3.1) of the Cisco AnyConnect Secure Mobility Client Administrator Guide for your release. The document for your release can be found at the following location: http:/​/​www.cisco.com/​en/​US/​products/​ps10884/​products_​installation_​and_​configuration_​guides_​list.html.
Step 3	Set the idle timeout value. Create a group policy that is specific to Jabber clients. Set the idle timeout value to 30 minutes. For detailed information about how to set the idle timeout value, see the "vpn-idle-timeout" section of the Cisco ASA 5580 Adaptive Security Appliance Command Reference for your release. The document for your release can be found at the following location: http:/​/​www.cisco.com/​en/​US/​products/​ps6120/​prod_​command_​reference_​list.html.
Step 4	Set up Dead Peer Detection (DPD). Disable server-side DPD. Enable client-side DPD. For detailed information about how to set up DPD, see the "Enabling and Adjusting Dead Peer Detection" subsection of the "Configuring VPN" chapter of the Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6. This document can be found in the following location: http:/​/​www.cisco.com/​en/​US/​products/​ps6120/​products_​installation_​and_​configuration_​guides_​list.html.

---

Set Up Tunnel Policies

Use the following procedure to set up a tunnel policy that specifies how you want to direct traffic in the VPN tunnel.

To set up tunnel policies, you must first determine which type of tunnel policy you want to use. Tunnel policies include the following:

Full-Tunnel Policy

This is the default tunnel policy. Use this policy if you want the most secure option for Cisco Jabber and Cisco AnyConnect deployments. In case of Full-Tunnel, all the traffic from all the applications on the device is sent over the VPN tunnel to the ASA gateway. Optionally, you can enable the Local LAN Access feature to enable local printing and local network drive mapping.

Split-Tunnel Policy

Use this policy if you want to direct only Cisco Jabber-specific traffic from your phone to the corporate network. This policy directs traffic based on destination subnets. You can specify which traffic goes over VPN (encrypted) and which traffic goes in the clear (unencrypted).

An associated feature, Split-DNS, defines which DNS traffic to resolve over the VPN tunnel and which DNS traffic to handle with the endpoint DNS resolver.

Split-Include Policy with Network ACL

Use this policy if you want to:

• Limit the traffic that is sent over the VPN tunnel due to bandwidth concerns.
• Restrict the VPN session to the Cisco Jabber application.

You can use the Split-Include policy on the ASA to specify which traffic goes inside the VPN tunnel based on the destination IP address of the traffic.

You must include the IP subnets of the Cisco Unified CM Cluster, Directory Server, and TFTP Server. Cisco Jabber needs peer-to-peer media connections with any IP phone or computer phone on the corporate Wi-Fi network. Therefore, Cisco recommends that you include the corporate network IP address range in the Split-Include policy. This configuration may not be appropriate for all deployments (for example, if the IP space of your company is not contiguous because of acquisitions and other events).

This policy directs all internal traffic into the tunnel, but can prevent cloud-based services such as Facebook and YouTube from entering the tunnel.

Note

All application data that is directed to the address range specified in the split-include policy is tunneled, so applications other than Cisco Jabber also have access to the tunnel. To prevent other applications from using the corporate Wi-Fi network, you can apply a VPN filter (Network ACL) that further restricts the available ports.

Split-Exclude Policy

Use this policy if it is not practical to define the entire subnet required for Split-Include policies. You can use the Split-Exclude policy to prevent any known traffic from the VPN tunnel. For example, if you are concerned about bandwidth, you can add destination subnets for services like NetFlix, Hulu, or YouTube to your split-exclude list.

After you determine which type of tunnel policy you want to use, see the "Configuring Split-Tunneling Attributes" section in the "Configuring Tunnel Groups, Group Policies, and Users" chapter of the Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6. This document can be found at the following location: http:/​/​www.cisco.com/​en/​US/​products/​ps6120/​products_​installation_​and_​configuration_​guides_​list.html.