Contents

• Feature Setup
• Enable Active Call Transfer Between Cisco Jabber and Desk Phone
• Add Mobile Connect and Mobile Identity
• Transfer Active VoIP Call to the Mobile Network
• Enable Active Call Handoff from VoIP to Mobile Network
• Set Up Handoff DN
• Match Caller ID with Mobile Identity
• Set Up Additional User and Device Settings for Handoff
• Enable Active Call Transfer from VoIP to Mobile Network
• Set Up Voice Dialing
• Set Up Visual Voicemail on Unified CM
• Specify Directory Search Settings
• Set Up Corporate Directory Photos on Cisco Jabber
• Integrate Corporate Directory Photos Using a Side URL
• Integrate Corporate Directory Photos from an LDAP Server
• Set Up SRST Failover
• Set Up Extension Mobility to Allow Users to Sign In and Out
• Set A Timer to Automatically Sign Users Out of Cisco Jabber
• Cross-Launch Cisco Jabber from Another Application
• Set Up SIP Digest Authentication Options
• Disable SIP Digest Authentication
• Enable SIP Digest Authentication with Automatic Password Authentication
• Enable SIP Digest Authentication with Manual Password Authentication
• Set Up Cisco AnyConnect
• Provision Application Profiles
• Provision VPN Profiles on ASA
• Provision iOS Devices Using Apple Configuration Profile and iPCU
• Provision iOS Devices Using Apple Configuration Profile and MDM
• Automate VPN Connection
• Set Up Connect On-Demand VPN
• Set Up Certificate-Based Authentication
• Set Up ASA for Certificate-Based Authentication
• Distribute Client Certificates
• Distribute Client Certificate Using SCEP
• Distribute Client Certificate Using Mobileconfig File
• Set ASA Session Parameters
• Set ASA Session Parameters
• Set Up Tunnel Policies
• Set Up Automatic VPN Access on the Unified CM

Feature Setup

---

Enable Active Call Transfer Between Cisco Jabber and Desk Phone

Before You Begin

• Make sure the desk phone (Primary DN) for the user is fully set up and can make and receive internal and external calls.
• Set up Call Park for the system. See the Call Park chapter in the Cisco Unified Communications Manager Features and Services Guide at http://www.cisco.com/en/US/products/sw/voicesw/ps556/prod_maintenance_guides_list.html.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Choose User Management > End User.
Step 3	Search for the user you want to associate with a desk phone.
Step 4	Select the user ID to open the User Information page. In the Device Information section, select Device Association and search for the desk phone you want to associate with the mobile device. Select the device you want to associate with the mobile device, and select Save Selected/Changes. Navigate back to the End User page. Ensure that the Allow Control of Device from CTI check box is checked. Select the primary extension for the desk phone you want to associate with the mobile device. In the Permissions Information section, add Standard CTI Enabled to the User Groups list. For 8900 and 9900 series phones, also add Standard CTI Allow Control of Phones supporting Connected Xfer and conf. Note the user ID of this user for use later in this procedure. Select Save.
Step 5	Choose Device > Phone and locate the desk phone you want to associate with the mobile device. Verify that the value for Owner User ID is the correct end user. Ensure that the Allow Control of Device from CTI check box is checked. If this option does not appear in the Device Information section of the Phone Configuration window, the phone does not support this feature. Select Save.
Step 6	Navigate to the Cisco Dual Mode Device for iPhone page. Verify that the value for Owner User ID is the correct end user. In the Product Specific Layout Configuration section, for CTI Control Username, enter the user ID from the End User page. Select Save.
Step 7	Navigate to the Directory Number Information page and verify that: The Allow Control of Device from CTI check box is checked The Associated Devices box displays the desk phone and the mobile device
Step 8	Restart the mobile device and the desk phone.

---

What to Do Next

• Enter your credentials using one of the following methods:
  • Relaunch Cisco Jabber and step through the wizard.
  • Go to Settings > Internet Calling > Desk Phone Integration (CTI).
• If you enabled end-user configuration editing, reset the Internet calling account:

  • Delete the Internet calling account for the device.
  • Set up the account again.
• Test your settings to verify that you can move active calls between the desk phone and Cisco Jabber.
  Important:

  See instructions in the user FAQs at http://www.cisco.com/en/US/products/ps11596/products_user_guide_list.html.

Add Mobile Connect and Mobile Identity

Mobile Connect, formerly known as Single Number Reach (SNR), allows the native mobile phone number to ring when someone calls the office number while Cisco Jabber is not available.

When Cisco Jabber is running and connected to the corporate network, and thus available to receive VoIP calls, Mobile Connect is automatically inactivated.

The user requires a Mobile Identity to transfer Cisco Jabber VoIP calls to the mobile voice network.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Search for and delete any existing Remote Destination or Mobile Identity that is already set up with the mobile phone number.
Step 3	Navigate to the End User page for the user. In the Mobility Information section, check the Enable Mobility check box. Specify the Primary User Device. Select Save.
Step 4	Navigate to the device page for the Cisco Dual Mode mobile device settings. Enter the following information: Setting Information Softkey Template Choose a softkey template that includes the Mobility button. Mobility User ID Select the user. Rerouting Calling Search Space If your Unified CM has custom partitions and multiple calling search spaces, select a Rerouting Calling Search Space that includes the partition that applies to the mobile phone number. You will enter this mobile phone number as a Mobile Identity (described later in this procedure). Select Save.
Step 5	Add a new Mobile Identity for the mobile phone number: Navigate to the device page for the Cisco Dual Mode mobile device settings. Select Add a New Mobile Identity. Enter the mobile phone number as the Destination Number. This number must be routable to an outbound gateway. Generally, the number is the full E.164 number. Enter the initial values for call timers. These values ensure that calls are not routed to the native device voicemail before they ring in the client on the mobile device. For more information, see the online help in Unified CM. Example: Setting Suggested Initial Value Answer Too Soon Timer 3000 Answer Too Late Timer 20000 Delay Before Ringing Timer 0 This value accommodates the relatively long call-setup times that are characteristic of mobile calls. Check the Enable Mobile Connect check box. Set up the schedule for routing calls to the mobile number. Select Save.

---

What to Do Next

Test your settings:

1. Exit Cisco Jabber on the mobile device. For instructions, see the FAQs for users at http://www.cisco.com/en/US/products/ps11596/products_user_guide_list.html.
2. Call the Cisco Jabber extension from another phone.
3. Verify that the native mobile network phone number rings and that the call connects when you answer it.

Transfer Active VoIP Call to the Mobile Network

Users can transfer an active VoIP call from Cisco Jabber to their mobile phone number on the mobile network. This feature is useful when a user on a call leaves the Wi-Fi network (for example, leaving the building to walk out to the car), or if there are voice quality issues over the Wi-Fi network. This Cisco Jabber feature is called Use Mobile Network.

There are several ways to implement this feature. You can also disable it.

Implementation Method	Implications	Instructions
Handoff DN	The iPhone calls Unified CM using the mobile network. This method requires a Direct Inward Dial (DID) number. The service provider must deliver the DID digits exactly as configured. Alternately, for Cisco IOS gateways with H.323 or SIP communication to Unified CM, you can use Cisco IOS to manipulate the inbound called-party number at the gateway, presenting the digits to Unified CM exactly as configured on the handoff DN. If you select this implementation method and it fails, the system automatically tries the Mobility Softkey and Call Park methods, in order. This method will not work for iPod Touch or iPad devices.	See Set Up Handoff DN.
Mobility Softkey	Unified CM calls the phone number of the iPhone PSTN mobile service provider. If you select this implementation method and it fails, the system automatically tries the Call Park method.	See Enable Active Call Transfer from VoIP to Mobile Network.
Call Park	Cisco Jabber attempts this method only if attempts to use other methods fail. In the Call Park method, the iPhone makes a mobile-network call to a Call Park number to retrieve the call. This method requires a DID number. This method does not work for iPod Touch or iPad devices.	Set up Call Park for the system. See the Call Park chapter in the Unified CM Features and Services Guide at http://www.cisco.com/en/US/products/sw/voicesw/ps556/prod_maintenance_guides_list.html. Set the Call Park number in Call Routing > Call Park to be an E.164 (DID) number. Cisco recommends changing the value in the Park Monitoring Forward No Retrieve Timer to 60 seconds if more immediate ring-back to the parker phone is required. Note    Cisco Jabber uses the "Park Monitoring Reversion Timer" in combination with the " Park Monitoring Forward No Retrieve Timer." This timer is used even if no forward target is configured. The "Call Park Reversion Timer" is not used for this product . The parked call is forwarded to a forwarding number, if one is set up. If no forwarding number is set up, the call returns to the parker.
None of the above	Disable this feature if you do not want to make it available to users.	Select Disabled for the Transfer to Mobile Network option in the "Product Specific Configuration Layout" section of the Cisco Dual Mode for iPhone device page.

• Enable Active Call Handoff from VoIP to Mobile Network
• Enable Active Call Transfer from VoIP to Mobile Network

Enable Active Call Handoff from VoIP to Mobile Network

Set Up Handoff DN

Before You BeginDetermine the required values. The values that you choose depend on the phone number that the gateway passes (for example, seven digits or ten digits).

Procedure

---

Step 1	Sign in to Unified CM Administration portal.
Step 2	Select Call Routing > Mobility > Handoff Configuration.
Step 3	Enter the Handoff Number for the Direct Inward Dial (DID) number that the device uses to hand off a VoIP call to the mobile network. The service provider must deliver the DID digits exactly as configured. Alternately, for Cisco IOS gateways with H.323 or SIP communication to Unified CM, you can use Cisco IOS to manipulate the inbound called-party number at the gateway, presenting the digits to Unified CM exactly as configured on the handoff number. Note    You cannot use translation patterns or other similar manipulations within Unified CM to match the inbound DID digits to the configured Handoff DN.
Step 4	Select the Route Partition for the handoff DID. This partition should be present in the Remote Destination inbound Calling Search Space (CSS), which points to either the Inbound CSS of the Gateway or Trunk, or the Remote Destination CSS. This feature does not use the remaining options on this page.
Step 5	Select Save.

---

Match Caller ID with Mobile Identity

To ensure that only authorized phones can initiate outbound calls, calls must originate from a phone that is set up in the system. To do this, the system attempts to match the caller ID of the requesting phone number with an existing Mobile Identity. By default, when a device initiates the Handoff feature, the caller ID that is passed from the gateway to Unified CM must exactly match the Mobile Identity number that you entered for that device.

However, your system may be set up such that these numbers do not match exactly. For example, Mobile Identity numbers may include a country code while caller ID does not. If so, you must set up the system to recognize a partial match.

Be sure to account for situations in which the same phone number may exist in different area codes or in different countries. Also, be aware that service providers may identify calls with a variable number of digits, which may affect partial matching. For example, local calls may be identified using seven digits (such as 555 0123) while out-of-area calls may be identified using ten digits (such as 408 555 0199).

Before You Begin

• Set up the Mobile Identity. See Add Mobile Connect and Mobile Identity.
• Determine whether you need to complete this procedure: Use the device to dial in to the system and compare the caller ID value with the Destination Number in the Mobile Identity. If the numbers do not match, you must perform this procedure. Repeat this procedure for devices that are issued in all expected locales and area codes.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Select System > Service Parameters.
Step 3	Select the active server.
Step 4	Select the Cisco CallManager (Active) service.
Step 5	Scroll down to the Clusterwide Parameters (System - Mobility) section.
Step 6	Select Matching Caller ID with Remote Destination and read essential information about this value.
Step 7	Select Partial Match for Matching Caller ID with Remote Destination.
Step 8	Select Number of Digits for Caller ID Partial Match and read the essential requirements for this value.
Step 9	Enter the required number of digits to ensure partial matches.
Step 10	Select Save.

---

Set Up Additional User and Device Settings for Handoff

Before You Begin

• Set up the user device on the Unified CM.
• Set up the user with a Mobile Identity.

Procedure

---

Step 1	In the Unified CM, select Use Handoff DN Feature for the Transfer to Mobile Network option on the Cisco Dual Mode for iPhone Device page. Do not assign this method for iPad and iPod Touch devices. Use the Mobility Softkey method instead.
Step 2	On the iOS device, tap Settings > Phone > Show My Caller ID to verify that Caller ID is on.
Step 3	Test this feature.

---

Enable Active Call Transfer from VoIP to Mobile Network

Procedure

---

Step 1	For system-level settings, check that the Mobility softkey appears when the phone is in the connected and on-hook call states. In Device > Device Settings > Softkey Template, select the softkey template that you selected when you configured the device for Mobile Connect. In the Related Links list box at the upper right, choose Configure Softkey Layout and select Go. Select Connected state and verify that the Mobility key is in the list of selected softkeys, and then do the same for the On Hook state.
Step 2	For the per-user and per-device settings in Unified CM, ensure that you set up a device Mobile Identity and Mobile Connect for the mobile device. After the transfer feature is working, users can enable and disable Mobile Connect at their convenience without affecting the feature. If the device is an iPad or an iPod Touch, you can configure a Mobile Identity using an alternate phone number such as the mobile phone of the user. Select the Owner User ID on the Cisco Dual Mode for iPhone device page. In the Product Specific Configuration Layout section, for the Transfer to Mobile Network option, choose Use Mobility Softkey.
Step 3	Navigate to the device page, Device > Phone, and search for the TCT device.
Step 4	In the User Locale field, choose English, United States.

---

Set Up Voice Dialing

Voice Dialing allows users to dial a number by speaking a name in the corporate directory.

If Voice Dialing is available on your network, Cisco Jabber users can always dial the Voice Dialing pilot number to access that feature as they would from any phone.

You can simplify voice dialing by enabling either of the following settings:

• Enable Voice Dialing Motion
• Add Voice Dialing to Favorites

Before You Begin

Voice dialing must be set up and working on your network.

To set up voice dialing for general use, see information about directory handlers in the System Administration Guide and the Reference Guide for Cisco Unity Connection at http://www.cisco.com/en/US/products/ps6509/prod_maintenance_guides_list.html.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the device page for the user.
Step 3	Enter voice dialing settings. Setting Description Enable Voice Dialing Motion The Voice Dialing Motion feature activates the motion and proximity sensors that automatically dial the Voice Dialing pilot number when Cisco Jabber is running and users move the device to their ear with the gesture described in the user documentation for Cisco Jabber at http://www.cisco.com/en/US/products/ps11596/products_user_guide_list.html. This setting specifies whether the voice dialing motion is initially on or off for the user. Voice Dialing Phone Number The pilot phone number for the voice dialing feature. This number is not unique to Cisco Jabber. For more information, see the Cisco Unity Connection Release 7.x documentation in the section “Routing Calls to a Voice Directory Handler.” Add Voice Dialing to Favorites Specify whether or not to automatically add the Voice Dialing phone number to the Cisco Jabber favorites list of the user.
Step 4	Select Save.
Step 5	Relaunch Cisco Jabber.

---

Set Up Visual Voicemail on Unified CM

Before You Begin

Note

For users that also have the Cisco Mobile application (Cisco Unified Mobile Communicator 7.1) that runs in conjunction with Cisco Unified Mobility Advantage, do not set up Cisco Jabber for voicemail. For the best user experience, users of the other Cisco Mobile application should access voicemail using Cisco Mobile application, not Cisco Jabber.

• Verify that IMAP is enabled: See "Configuring IMAP Settings" in the System Administration Guide for Cisco Unity Connection at http://www.cisco.com/en/US/products/ps6509/prod_maintenance_guides_list.html.
• Collect the values for the settings that are listed in the table in this procedure.
• Consult your voicemail administrator if you have questions about the values for the settings in this section.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the device page for the user.
Step 3	In the Product Specific Configuration Layout section, enter voicemail settings. Setting Description Voicemail Username Unique username for voicemail access for this user. Voicemail Server (include the port) For the voicemail server, enter the hostname or IP address. Use the format Servername.YourCompany.com:portnumber Voicemail Message Store Username Enter the username for the voicemail message store. Voicemail Message Store For the voicemail message store, enter the hostname or IP address. This may be the same as the voicemail server. Use the format YourVoiceMessageStoreServer.yourcompany.com:portnumber
Step 4	Select Save.
Step 5	Restart Cisco Jabber. If you allowed end-user configuration editing, delete the voicemail account on the client and then set up the account again.
Step 6	Step through the wizard until you see an option to enable or confirm your voice messaging account.
Step 7	Select Yes.
Step 8	Enter your voice messaging password.
Step 9	Select Save.
Step 10	Complete the setup wizard.

---

What to Do Next

Test this feature.

Specify Directory Search Settings

Before You Begin

• Make sure the telephoneNumber attribute in Active Directory (or its equivalent, if you use a different attribute) is indexed.
• Identify attributes in your corporate directory schema that are different from, or additional to, the defaults in the following table. You must map changed attributes later in this procedure.

Note	Directory lookup information is not available through Unified CM.

Restriction:

In Active Directory:

• Phone numbers must be unformatted.
• Global Catalog must be enabled.

Use the following table to verify the values for your directory:

• If you use an Active Directory server, review the values in the column called "Default Active Directory Attribute." If your attributes differ from the values in the "Default Active Directory Attribute" column, make a note of your actual attribute value in the column titled "Your Value, if Different."
• If you use an LDAP server that is not an Active Directory server, review the values in the column called "Default Attribute for All Other LDAP Servers." If your attributes differ from the values in the "Default Attribute for All Other LDAP Servers" column, make a note of your actual attribute value in the column titled "Your Value, if Different."

If you have any questions about the values in the following table, consult your directory administrator.

Cisco Jabber for iPhone determines which type of directory server you use by checking whether the defaultNamingContext is defined. If the defaultNamingContext is defined, the app determines that you are using Active Directory. If this value is not defined, the app determines that the system is using another LDAP server.

Note

Some default attributes for Active Directory or other LDAP servers are different between Cisco Jabber for iPhone and other Cisco Jabber clients. If you have more than one Cisco Jabber client platform in your environment, you may need to enter different text for the LDAP field mappings for each platform.

Table 1 Directory Elements and Attributes

Element	Element Name	Default Active Directory Attribute	Default Attribute for All Other LDAP Servers	Your Value, if Different
Unique identifier	identifier	distinguishedName	distinguishedName
Display name	displayName	displayName	cn
Email address	emailAddress	mail	mail
First name	firstName	givenName	givenName
Last name	lastName	sn	sn
User ID	userid	sAMAccountName	uid
Main phone number	mainPhoneNumber	telephoneNumber	telephoneNumber
Home phone number	homePhoneNumber	—
Second home phone number	homePhoneNumber2	—
Mobile phone number	mobilePhoneNumber	mobile
Second mobile phone number	mobilePhoneNumber2	—
Direct to voicemail phone number	voicemailPhoneNumber	voicemail
Fax number	faxPhoneNumber	facsimileTelephoneNumber
Other phone number	otherPhoneNumber	—
Directory photo	photo	jpegPhoto	jpegPhoto
Jabber ID	jabberID	jabberID	jabberID
Job title	jobTitle	title	title
Employee number	employeeNumber	employeeID	employeeNumber
Manager ID	manageruid	manager	manager

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the Cisco Dual Mode device page for the user.
Step 3	In the Product Specific Configuration Layout section, enter the iPhone country code. This information helps determine Caller ID.
Step 4	Enter LDAP User Authentication settings: If credentials are not needed to access directory services, select Disabled. If users must enter credentials to access directory services, select Enabled.
Step 5	Enter LDAP username and password: Enter credentials for a single read-only account that all users use to access Active Directory. These credentials are sent in clear text in the TFTP file. Users need not enter credentials into Cisco Jabber. Enter a username with access to the directory and leave the password blank. You must give the password to each user and tell users to enter the password into the settings in Cisco Jabber. If authentication is not required, leave these settings blank. By default, the LDAP username is the userPrincipalName (UPN) and may be in the form of an email address (userid@example.com).
Step 6	Enter LDAP server address. Enter the hostname or IP address and port number for your Active Directory server. Use port 3269 for secure SSL connections or 3268 for nonsecure connections. Use the format YourDirectoryServer.YourCompany.com:portnumber. By default, if you enter no port or SSL settings, Cisco Jabber attempts an SSL connection to port 3269.
Step 7	Enter the LDAP Search Base using the format: CN=users,DC=corp,DC=yourcompany,DC=com. By default, this application uses the search base that is found in a RootDSE search on the defaultNamingContext attribute. If you need to specify a different search base, enter the Distinguished Name of the root node in your corporate directory that contains user information. Use the lowest node that includes the necessary names. Using a higher node creates a larger search base and thus reduce performance if the directory is very large. Note    To help determine the optimal search base, you can use a utility such as Active Directory Explorer (available from Microsoft) to view your data structure.
Step 8	Enter the LDAP field mappings. LDAP field mappings identify the attributes in your directory that hold the information to be searched and displayed for directory searches. Note    The manager ID and employee number entries are required for reporting structure information in directory search results. The default mappings are as follows: Active Directory: manageruid=manager; employeeNumber=employeeID. Open LDAP: servers are manageruid=manager; employeeNumber=employeeNumber. If a manager has more than 25 direct reports, Cisco Jabber for iPhone displays only the first 25 reports. Use the information in the preceding table to enter any field mappings that do not match the default as name=value pairs, separating each field with a semicolon (;). Enter the information contained in the "Element Name" column for the name. Enter the information in the "Your Value if Different" column for the value. Example:displayName=nickname;emailAddress=email
Step 9	Enter LDAP photo location. For more information, see Integrate Corporate Directory Photos from LDAP server.
Step 10	Select Save.
Step 11	Restart Cisco Jabber. If you allowed end-user configuration editing, delete the Directory account on the client and then set up the account again.
Step 12	Step through the wizard until you see the option to enable or confirm the corporate directory account settings.
Step 13	At the option to enable or confirm the corporate directory account settings, tap Yes.
Step 14	Enter the password, if not already entered.
Step 15	Select Save, even if you make no changes.
Step 16	Complete the wizard.

---

What to Do Next

Test this feature.

Set Up Corporate Directory Photos on Cisco Jabber

Use one of the following procedures to integrate corporate directory photos into Cisco Jabber. The administrator can edit photos that are acquired from either method in the COP file.

• Integrate Corporate Directory Photos Using a Side URL
• Integrate Corporate Directory Photos from an LDAP Server

• Integrate Corporate Directory Photos Using a Side URL
• Integrate Corporate Directory Photos from an LDAP Server

Integrate Corporate Directory Photos Using a Side URL

You can configure a parameterized URL string in the Photo field in the LDAP attribute map so that Cisco Jabber can retrieve pictures from a web server instead of from the LDAP server. The URL string must contain an LDAP attribute with a query value containing a piece of data that uniquely identifies the photo of the user. We recommend that you use the User ID attribute. However, you can use any LDAP attribute whose query value contains a piece of data that uniquely identifies the photo of the user.

Before You Begin

This substitution technique works only if Cisco Jabber can use the results of the query and can insert query results into the template you specify to construct a working URL that retrieves a JPG photo. If the web server that hosts the photos in a company requires a POST (for example, the name of the user is not in the URL) or uses some other cookie name for the photo instead of the username, this technique does not work.

Procedure

---

Step 1	Sign in to Cisco Jabber Administration.
Step 2	Go to Device > Phone to search for the device ID.
Step 3	Go to the Product Specific Configuration Layout field in the COP file fields.
Step 4	Go to the LDAP Photo Location field and enter the URL that stores the photo. We recommend that you use %%userID%% as the substitution string. Example: http://mycompany.cisco.com/photo/std/%%uid%%.jpg http://mycompany.cisco.com/photo/std/%%sAMAccountName%%.jpg Note    You must include the double percent symbols in this string, and they must enclose the name of the LDAP attribute to substitute. Cisco Jabber removes the percent symbols and replaces the parameter inside with the results of an LDAP query for the user whose photo it resolves. Example: If a query result contains the attribute “uid” with a value of “johndoe”, and then a template such as http://mycompany.com/photos/%%uid%%.jpg creates the URL http://mycompany.com/photos/johndoe.jpg. Cisco Jabber attempts to fetch the photo.

---

What to Do Next

Important:

After integrating corporate photos, you must reprovision or reset your device, depending on the setting for “Allow End User Configuration Editing.” For more information, see Add User Device.

Integrate Corporate Directory Photos from an LDAP Server

Use the following procedure to integrate corporate directory photos into Cisco Jabber from an LDAP server.

Note

If using Global Catalog, replicate the value in the LDAP photo field “jpegphoto” in Microsoft Active Directory to the Global Catalog. For more information, see the following link, which directs you to a third-party website that is not affiliated with Cisco: How to Modify Attributes That Replicate to the Global Catalog.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Go to Device > Phone to search for the device ID.
Step 3	Go to the Product Specific Configuration Layout field in the COP file fields.
Step 4	Go to LDAP Field Mappings. The default mapping is photo=jpegPhoto. No additional action is necessary if you do not require a custom mapping. If you require a custom mapping, you can modify the LDAP Field Mappings. The field mappings have the following format: property=ldapAttribute separated by a semi-colon, that is “userid=uid;photo=thumbnailPhoto”.

---

What to Do Next

Important:

After integrating corporate photos, you must reprovision or reset your device, depending on the setting for “Allow End User Configuration Editing.” For more information, see Add User Device.

Set Up SRST Failover

Survivable Remote Site Telephony (SRST) allows you to transfer services from the Unified CM to another Unified CM, a Unified CM Express (Unified CME), or a router running SRST.

Note	Call Park and Ad-Hoc Conferencing are not supported in SRST mode. Unified CME 8.6 is required for SIP SRST transfer functionality on Unified CME.

1. Set up the required SRST information on the Unified CM. For more information , see http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/8_6_1/ccmcfg/b02srst.html.
2. Set up the failover device:
   • SRST failover to a Unified CME. On Unified CME, you must configure the following parameters:
     • registrar server expires max 1200 min 660
     • sip-ua timers connection aging 12
     See http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmead.pdf for more information.

     Note	You cannot have SIP IP phone (“no mode cme”) and SIP SRST provisioned at the same time. By default, SIP SRST is enabled as opposed to SCCP SRST, which you set up using “srst mode auto-provision.”

   • SRST failover to a router set up for SRST only. For more information, see http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_6_1/secugd/secusrst.html.

     Note	With this configuration, the router is set up for failover only, with no local SCCP or SIP IP phones provisioned.

Set Up Extension Mobility to Allow Users to Sign In and Out

Set up and activate the Cisco Extension Mobility Service to allow users to sign in and out of Cisco Jabber on devices.

Before You Begin

• The Sign In feature using Extension Mobility is disabled by default in Cisco Jabber. To enable it, select Enabled in the “Sign In Feature” drop-down list. For more information about setting up Extension Mobility, see http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/8_6_1/ccmfeat/fsem.html.

  Note	External number masks are not displayed while Extension Mobility is enabled if the mask is not also configured for the Extension Mobility device profile.

• Extension Mobility is functional only if a single profile is listed in the Controlled Profiles field.
• If you set up Extension Mobility as an Enterprise Subscription service, all Cisco Jabber users are required to sign in and out of Cisco Jabber while Extension Mobility is enabled.
• When using Extension Mobility, choose Disabled for Allow End User Configuration Editing. For more information, see Add User Device.
• After Extension Mobility is set up, Cisco Jabber is functional only if the user is signed in.

Set A Timer to Automatically Sign Users Out of Cisco Jabber

Use this procedure to set up a timer for all Extension Mobility users in the Unified CM cluster. For more information about timers, see http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/8_6_1/ccmfeat/fsem.html#wp1178338.

Note	If the user has an active call at the automatic sign-out time, the call is not interrupted.

Procedure

---

Step 1	Sign in to the Unified CM.
Step 2	In the Navigation field, choose Unified CM Administration.
Step 3	Choose System > Service Parameters.
Step 4	In the Server drop-down list, select the active United CM.
Step 5	In the Service drop-down list, select the “Cisco Extenstion Mobility (Active)” service.
Step 6	In the Enforce Intra-cluster Maximum Login Time field, choose True.
Step 7	In the Intra-cluster Maximum Login Time field, enter the number of hours after which the user is signed out of Cisco Jabber.
Step 8	Click Save.

---

Cross-Launch Cisco Jabber from Another Application

This feature allows developers to launch Cisco Jabber from third-party apps. Enable applications to launch Cisco Jabber by constructing and then opening a URL from within another app.

To cross-launch Cisco Jabber from your application, set up your app to open a URL with the following format:

ciscotel://<phonenumber>

Examples

• ciscotel://98258190528
• ciscotel://(506)246-4444

Note	You can add a URL in ciscotel format to a web page field. When a user taps the URL, Cisco Jabber automatically calls the number contained in the URL. You can add phone numbers in this format to applications which support opening URLs, such as "Notes".

Note	Support for various phone number formats varies depending on the application that opens the URL.

Set Up SIP Digest Authentication Options

SIP Digest Authentication is a Unified CM security feature that authenticates user devices. For more information, see the Cisco Unified Communications Manager Security Guide and the Cisco Unified Communications Manager Administration Guide, available from the maintenance guides list.

For Cisco Jabber, you have three options:

• Disable SIP Digest Authentication—Disable SIP Digest Authentication if your deployment does not use this feature. See Disable SIP Digest Authentication.
• Enable SIP Digest Authentication with automatic password authentication
  • The password is stored and sent in clear text.
  • Users do not have to manually enter this password.
  • There is less chance of entry error that prevents Cisco Jabber from registering with Unified CM.
  See Enable SIP Digest Authentication with Automatic Password Authentication.
• Enable SIP Digest Authentication with manual password authentication
  • The password is encrypted.
  • Users must manually enter this password.
  See Enable SIP Digest Authentication with Manual Password Authentication.

• Disable SIP Digest Authentication
• Enable SIP Digest Authentication with Automatic Password Authentication
• Enable SIP Digest Authentication with Manual Password Authentication

Disable SIP Digest Authentication

Follow these steps on each device page in Unified CM.

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the device page.
Step 3	In the Device Security Profile drop-down list, select “Cisco Dual Mode for iPhone - Standard SIP Non-secure profile.”
Step 4	Complete the authentication details in the Product Specific Configuration Layout section. In the Enable SIP Digest Authentication drop-down list, select “Disabled. ” Leave SIP Digest Username blank.
Step 5	If end-user configuration editing is enabled, reset the Internet calling account. Delete the Internet calling account for the device. Set up the account again.
Step 6	Restart Cisco Jabber.

---

Enable SIP Digest Authentication with Automatic Password Authentication

Procedure

---

Step 1	Create a new phone security profile for Cisco Dual Mode for iPhone under System > Security Profile > Phone Security Profile: Select Enable digest authentication. Deselect Exclude digest credentials in configuration file.
Step 2	On each End User page, in the User Information section, complete the following tasks: In the User ID field, verify that the user ID is entered. In the Digest Credentials field, enter the digest credentials. In the Confirm Digest Credentials field, reenter the digest credentials.
Step 3	On each Cisco Dual Mode for iPhone device page, complete the profile information in the Profile Specific Information section: In the Device Security Profile list, select the phone security profile you just created. In the Digest User list, select the digest user.
Step 4	On the same device page, complete the authentication details in the Product Specific Configuration Layout section: In the Enable SIP Digest Authentication drop-down list, select Disabled. Leave SIP Digest Username blank.
Step 5	If end-user configuration editing is enabled, reset the Internet calling account: Delete the Internet calling account for the device. Set up the account again.
Step 6	Restart Cisco Jabber.

---

Enable SIP Digest Authentication with Manual Password Authentication

Procedure

---

Step 1	Create a new profile for Cisco Dual Mode for iPhone under System > Security Profile > Phone Security Profile: Select Enable digest authentication. Select Exclude digest credentials in configuration file.
Step 2	On each End User page, in the User Information section, complete the following tasks: In the User ID field, verify that the user ID is entered. In the Digest Credentials field, enter the digest credentials. In the Confirm Digest Credentials field, reenter the digest credentials. Make a note of this password. You provide this password to the user later.
Step 3	On each Cisco Dual Mode for iPhone device page, enter the new profile information in the Protocol Specific Information section: In the Device Security Profile list, select the phone security profile you just created. In the Digest User list, select the digest user.
Step 4	On the same device page, complete the authentication details in the Product Specific Configuration Layout section: In the Enable SIP Digest Authentication list, select Enabled. For the SIP Digest Username, enter the digest user you just selected.
Step 5	Restart Cisco Jabber and step through the setup wizard again.
Step 6	At the option to confirm the Internet Calling settings, tap the SIP Digest Authentication password setting and enter the password you noted earlier. This password is case sensitive.
Step 7	On the Internet Calling Settings screen, enter your SIP Digest Authentication credentials. This password is case sensitive.
Step 8	If end-user configuration editing is enabled, reset the Internet calling account: Delete the Internet calling account for the device. Set up the account again.

---

Set Up Cisco AnyConnect

Cisco AnyConnect Secure Mobility Client is a VPN application that allows Cisco Jabber to securely connect to your corporate network from a remote location using Wi-Fi or mobile data networks.

Note	Cisco does not guarantee the voice quality on noncorporate Wi-Fi networks or mobile data networks.

To support the Cisco AnyConnect Secure Mobility Client, you must set up your system using the following procedures.

1. Install and set up the Cisco Adaptive Security Appliance (ASA).
   • For supported Cisco Adaptive Security Appliance models and other requirements, see the Release Notes.
   • For instructions for installing and configuring an ASA, see the Cisco ASA 5500 Series Configuration and Installation Guide list.
2. Set up the ASA to support Cisco AnyConnect. Perform the following procedures in order:
   1. Provision Application Profiles
   2. Automate VPN Connection
   3. Set Up Certificate-Based Authentication
   4. Set ASA Session Parameters
   5. Set Up Tunnel Policies
3. Set up the Unified CM for AnyConnect. See Set Up Automatic VPN Access on the Unified CM.

Note

Cisco supports Cisco Jabber for iPhone with Cisco AnyConnect Secure Mobility Client. Although other VPN clients are not officially supported, you may be able to use Cisco Jabber for iPhone with other VPN clients. If you use another VPN client, set up VPN as follows: Install and configure the VPN client using the relevant third-party documentation. Set up On-Demand VPN using the following procedure: Set Up Automatic VPN Access on the Unified CM.

• Provision Application Profiles
• Automate VPN Connection
• Set Up Certificate-Based Authentication
• Set ASA Session Parameters
• Set Up Tunnel Policies
• Set Up Automatic VPN Access on the Unified CM

Provision Application Profiles

After users download the Cisco AnyConnect client to their device, the ASA must provision a configuration profile to the application.

The configuration profile for the Cisco AnyConnect client includes VPN policy information such as the company ASA VPN gateways, the connection protocol (IPSec or SSL), and on-demand policies.

You can provision application profiles for Cisco Jabber for iPhone in one of the following ways:

• Provision VPN Profiles on ASA
• Provision iOS Devices Using Apple Configuration Profile and iPCU
• Provision iOS Devices Using Apple Configuration Profile and MDM

• Provision VPN Profiles on ASA
• Provision iOS Devices Using Apple Configuration Profile and iPCU
• Provision iOS Devices Using Apple Configuration Profile and MDM

Provision VPN Profiles on ASA

Cisco recommends that you use the profile editor on the ASA Device Manager (ASDM) to define the VPN profile for the Cisco AnyConnect client.

When you use this method, the VPN profile is automatically downloaded to the Cisco AnyConnect client after the client establishes the VPN connection for the first time. You can use this method for all devices and OS types, and you can manage the VPN profile centrally on the ASA.

Use the following procedure to define a VPN profile.

Procedure

On the ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile. For more information, see AnyConnect Administration Guide.

Provision iOS Devices Using Apple Configuration Profile and iPCU

Use the following procedure to provision iOS devices using an Apple configuration profile that you create with the iPhone Configuration Utility (iPCU). Apple configuration profiles are XML files that contain information such as device security policies, VPN configuration information, and Wi-Fi, mail, and calendar settings.

Procedure

---

Step 1	Use iPCU to create an Apple configuration profile. For more information, see the iPCU documentation.
Step 2	Export the XML profile as a .mobileconfig file.
Step 3	Email the .mobileconfig file to users. After a user opens the file, it installs the AnyConnect VPN profile and the other profile settings to the client application.

---

Provision iOS Devices Using Apple Configuration Profile and MDM

Use the following procedure to provision iOS devices using an Apple configuration profile that you create with third-party Mobile Device Management (MDM) software. Apple configuration profiles are XML files that contain information such as device security policies, VPN configuration information, and Wi-Fi, mail, and calendar settings.

Procedure

---

Step 1	Use MDM to create the Apple configuration profiles. For information on using MDM, see the Apple documentation.
Step 2	Push the Apple configuration profiles to the registered devices.

---

Automate VPN Connection

When users open Cisco Jabber from outside the corporate Wi-Fi network, Cisco Jabber needs a VPN connection to access the Cisco UC application servers. You can set up the system to allow Cisco AnyConnect Secure Mobility Client to automatically establish a VPN connection in the background, which helps ensure a seamless user experience.

• Set Up Connect On-Demand VPN

Set Up Connect On-Demand VPN

The Apple iOS Connect On Demand feature enhances the user experience by automating the VPN connection based on the user's domain.

When the user is inside the corporate Wi-Fi network, Cisco Jabber can reach the Cisco UC infrastructure directly. When the user leaves the corporate Wi-Fi network, Cisco AnyConnect automatically detects if it is connected to a domain that you specify in the AnyConnect client profile. If so, the application initiates the VPN to ensure connectivity to the UC infrastructure. All applications on the device including Cisco Jabber can take advantage of this feature.

Note	Connect On Demand supports only certificate-authenticated connections.

The following options are available with this feature:

• Always Connect: Apple iOS always attempts to initiate a VPN connection for domains in this list.
• Connect If Needed: Apple iOS attempts to initiate a VPN connection to the domains in the list only if it cannot resolve the address using DNS.
• Never Connect: Apple iOS never attempts to initiate a VPN connection to domains in this list.

Procedure

---

Step 1	Use the ASDM profile editor, iPCU, or MDM software to open the AnyConnect client profile.
Step 2	In the AnyConnect client profile, under the Connect if Needed section, enter your list of on-demand domains. The domain list can include wild-card options (for example, cucm.cisco.com, cisco.com, and *.webex.com).
Step 3	In Unified CM, set up the On-Demand VPN URL field in the Cisco Jabber device settings. For detailed steps, see Set Up Automatic VPN Access on the Unified CM. When Cisco Jabber opens, it initiates a DNS query to the URL (for example, ccm-sjc-111.cisco.com). If this URL matches the On-Demand domain list entry that you defined in this procedure (for example, cisco.com), Cisco Jabber indirectly initiates the AnyConnect VPN connection.

---

Set Up Certificate-Based Authentication

The Cisco AnyConnect client supports many authentication methods including Microsoft Active Directory/LDAP password, RADIUS-based one-time tokens, and certificates. Of these methods, client certificate authentication provides the most seamless experience.

• Set Up ASA for Certificate-Based Authentication
• Distribute Client Certificates

Set Up ASA for Certificate-Based Authentication

ASA supports certificates issued by various standard Certificate Authority (CA) servers such as Cisco IOS CA, Microsoft Windows 2003, Windows 2008 R2, Entrust, VeriSign, and RSA Keon.

The following procedure outlines the high-level steps for setting up the ASA for certificate-based authentication. For detailed information, see the Configuring Digital Certificates section of Cisco ASA 5500 Series Configuration Guide using ASDM, 6.4 and 6.6.

Procedure

---

Step 1	Import a root certificate from the CA to the ASA.
Step 2	Generate an identity certificate for the ASA.
Step 3	Use the ASA identity certificate for SSL authentication.
Step 4	Configure a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP).
Step 5	Configure the ASA to request client certificates for authentication.

---

Distribute Client Certificates

You can issue certificates to Cisco Jabber for iPhone devices using one of the following methods:

• SCEP
• Mobileconfig file

• Distribute Client Certificate Using SCEP
• Distribute Client Certificate Using Mobileconfig File

Distribute Client Certificate Using SCEP

ASA supports Simple Certificate Enrollment Protocol (SCEP) to simplify certificate distribution.

The ASA can use SCEP to securely issue and renew a certificate that is used for client authentication. The following is a general overview of this process.

1. The first time a remote user opens Cisco AnyConnect, the application authenticates the user with either Active Directory credentials or a one-time token password.
2. After the client establishes the VPN, the ASA provides a client profile that includes the SCEP request.
3. The Cisco AnyConnect client sends a certificate request and the Certificate Authority (CA) automatically accepts or denies the request.
4. If the CA accepts the request:
   1. The certificate is installed in the native certificate store on the device.
   2. Cisco AnyConnect uses the certificate for authentication, and no longer prompts the user for a password when establishing subsequent VPN connections.

Procedure

For information about how to install the SCEP module on a Windows 2008 server and set up the ASA, see the ASA 8.X: AnyConnect SCEP Enrollment Configuration Example.

Distribute Client Certificate Using Mobileconfig File

Use this procedure to create an iPhone mobile configuration file that includes a certificate. You can use this file to distribute the certificate to users.

Procedure

---

Step 1	Use the iPCU software to create a mobileconfig file and include the certificate (.pfx) file.
Step 2	Forward the mobileconfig file to the user. When the user opens the file, the file installs the certificates to the device.
Step 3	Use the Cisco ISE native supplicant provisioning process to distribute user certificates.
Step 4	Use the Enterprise MDM software to provision and publish certificates to registered devices.

---

Set ASA Session Parameters

You can set session parameters on the ASA to define the user experience of Cisco AnyConnect Secure Mobility Client and Cisco Jabber after the VPN connection is established.

ASA session parameters include the following:

• DTLS: DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP. DTLS allows the Cisco AnyConnect client to establish an SSL VPN connection that uses two simultaneous tunnels: an SSL tunnel and a DTLS tunnel. You can use DTLS to avoid latency and bandwidth problems, and to improve the performance of real-time applications such as Cisco Jabber that are sensitive to packet delays. If DTLS is configured and UDP is interrupted, the remote user's connection automatically falls back from DTLS to TLS. DTLS is enabled by default.
• Session Persistence: This parameter allows the VPN session to recover from service disruptions and re-establish the connection. For example, as the user roams from one Wi-Fi network to another Wi-Fi or mobile data network, the Cisco AnyConnect client automatically resumes the VPN session. In addition, you can set up Cisco AnyConnect to re-establish the VPN session after the device resumes from standby, sleep, or hibernation mode.
• Idle Timeout: The Idle Timeout (vpn-idle-timeout) is the time after which if there is no communication activity, the ASA terminates the VPN connection. A very short idle-timeout frequently disrupts the VPN connection and forces the user to re-establish VPN for every call. On the other hand, a large idle-timeout value results in too many concurrent sessions on the ASA. You can set up the Idle Timeout value by group policy.
• Dead-Peer Detection (DPD): This parameter ensures that the ASA gateway or the Cisco AnyConnect client can quickly detect a condition where the peer is not responding and the connection failed. Cisco recommends that you:
  • Disable server-side DPD to ensure that the device can sleep. (If you enable this parameter, it prevents the device from sleeping.)
  • Enable client-side DPD because it allows the client to determine when the tunnel is terminated due to a lack of network connectivity.

• Set ASA Session Parameters

Set ASA Session Parameters

Cisco recommends that you set up the ASA session parameters as follows to optimize the end user experience for Cisco AnyConnect Secure Mobility Client.

Procedure

---

Step 1	Set up Cisco AnyConnect to use DTLS. For information about how to set ASA session parameters, see Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections.
Step 2	Set up session persistence (auto-reconnect). Use ASDM to open the VPN client profile. Set the Auto Reconnect Behavior parameter to Reconnect After Resume. For detailed information about how to set up session persistence, see Configuring Auto-Reconnect.
Step 3	Set the idle timeout value. Create a group policy that is specific to Jabber clients. Set the idle timeout value to 30 minutes. For detailed information about how to set the idle timeout value, see vpn-idle-timeout.
Step 4	Set up Dead Peer Detection (DPD). Disable server-side DPD. Enable client-side DPD. For detailed information about how to set up DPD, see Enabling and Adjusting Dead Peer Detection.

---

Set Up Tunnel Policies

Use the following procedure to set up a tunnel policy that specifies how you want to direct traffic in the VPN tunnel.

To set up tunnel policies, you must first determine which type of tunnel policy you want to use. Tunnel policies include the following:

Full-Tunnel Policy

This is the default tunnel policy. Use this policy if you want the most secure option for Cisco Jabber and Cisco AnyConnect deployments. In case of Full-Tunnel, all the traffic from all the applications on the device is sent over the VPN tunnel to the ASA gateway. Optionally, you can enable the Local LAN Access feature to enable local printing and local network drive mapping.

Split-Tunnel Policy

Use this policy if you want to direct only Cisco Jabber-specific traffic from your phone to the corporate network. This policy directs traffic based on destination subnets. You can specify which traffic goes over VPN (encrypted) and which traffic goes in the clear (unencrypted).

An associated feature, Split-DNS, defines which DNS traffic to resolve over the VPN tunnel and which DNS traffic to handle with the endpoint DNS resolver.

Split-Include Policy with Network ACL

Use this policy if you want to:

• Limit the traffic that is sent over the VPN tunnel due to bandwidth concerns.
• Restrict the VPN session to the Cisco Jabber application.

You can use the Split-Include policy on the ASA to specify which traffic goes inside the VPN tunnel based on the destination IP address of the traffic.

You must include the IP subnets of the Cisco Unified CM Cluster, Directory Server, and TFTP Server. Cisco Jabber needs peer-to-peer media connections with any IP phone or computer phone on the corporate Wi-Fi network. Therefore, Cisco recommends that you include the corporate network IP address range in the Split-Include policy. This configuration may not be appropriate for all deployments (for example, if the IP space of your company is not contiguous because of acquisitions and other events).

This policy directs all internal traffic into the tunnel, but can prevent cloud-based services such as Facebook and YouTube from entering the tunnel.

Note

All application data that is directed to the address range specified in the split-include policy is tunneled, so applications other than Cisco Jabber also have access to the tunnel. To prevent other applications from using the corporate Wi-Fi network, you can apply a VPN filter (Network ACL) that further restricts the available ports.

Split-Exclude Policy

Use this policy if it is not practical to define the entire subnet required for Split-Include policies. You can use the Split-Exclude policy to prevent any known traffic from the VPN tunnel. For example, if you are concerned about bandwidth, you could add destination subnets for services like NetFlix, Hulu, or YouTube to your split-exclude list.

After you determine which type of tunnel policy you want to use, follow the detailed instructions for configuring the group policy with the desired tunnel policy, as outlined in Configuring Split-Tunneling Attributes.

Set Up Automatic VPN Access on the Unified CM

Cisco Jabber can automatically launch VPN if the following requirements are met:

• The corporate network is not directly available when users launch Cisco Jabber.
• The device can connect using VPN.
• You satisfy the requirements and complete the procedure in this topic.

See also information at Apple.com such as:

• Information throughout the iPhone OS Enterprise Deployment Guide at http://support.apple.com/manuals/#iphone
• The iPhone Configuration Utility, available from http://www.apple.com/downloads/macosx/apple/application_updates/iphoneconfigurationutility21forwindows.html
• A list of protocols and authentication methods that are supported on the iPhone at http://support.apple.com/kb/HT1288
• Information about setting up an iPhone to connect to VPN in the iPhone User Guide at http://www.apple.com/support/country/?dest=manuals
• General information at http://www.apple.com/support/iphone/enterprise/

Before You Begin

• The iPhone must be set up for on-demand access to VPN with certificate-based authentication. For assistance with setting up VPN access, contact the providers of your VPN client and head end.
• Cisco recommends using Cisco AnyConnect Secure Mobility Client for Apple iOS for iPhones running iOS 5.1.1. Requirements for the Cisco AnyConnect VPN solution are as follows:
  • Cisco Adaptive Security Appliance Release 8.4 or later
  • Cisco AnyConnect Secure Mobility Client Release 2.5 or later For information about setting up Cisco AnyConnect, see http://www.cisco.com/en/US/products/ps8411/prod_maintenance_guides_list.html.

Note	Not all releases of the VPN client are supported with Cisco Jabber. Check the System Requirements in the Release Notes for Cisco Jabber at http://www.cisco.com/en/US/products/ps11596/prod_release_notes_list.html.

• Identify a URL that is set up to launch VPN on demand. Enter the URL in the Cisco AnyConnect client. Cisco Jabber triggers VPN on demand if a DNS query on this domain fails.
  Use one of the following methods:

  • Configure Unified CM to be accessed through a domain name (not an IP address) and ensure that this domain name is not resolvable outside the firewall. Include this domain in the Connect If Needed list in the Connect On Demand Domain List of the AnyConnect client connection.
  • If you cannot use a domain name to access Unified CM or cannot make the DNS lookup of that domain name fail from outside the firewall, set the parameter in the following procedure to a nonexistent domain (that is, a domain that causes a DNS query to fail when the user is inside or outside the firewall). Then add that domain to the “Always Connect” list in the Connect On Demand Domain List of the AnyConnect client connection. The URL must include only the domain name. Do not include a protocol or a path. See the following example for more information:

    Table 2 Correct URL Format

    Use	Do Not Use
    "cm8ondemand.company.com"	"https://cm8ondemand.company.com/vpn"

Procedure

---

Step 1	Sign in to the Unified CM Administration portal.
Step 2	Navigate to the Cisco Dual Mode for iPhone device page for the user.
Step 3	Scroll to the Product Specific Configuration Layout section.
Step 4	In the On-Demand VPN URL field, enter the URL that you identified and used in Cisco AnyConnect in the prerequisites for this procedure. Note    The URL must be a domain name only, without a protocol or path.
Step 5	Select Save.

---

What to Do Next

• If you allowed end-user configuration editing, delete the Internet Calling account on the client and then set up the account again. Otherwise, relaunch the client.
• Test this feature.
  • Enter this URL into Safari on the iPhone and verify that VPN launches automatically. You should see a VPN icon in the status bar.
  • Verify that the iPhone can connect to the corporate network using VPN. For example, access a web page on your corporate intranet. If the iPhone cannot connect, contact the provider of your VPN technology.
  • Verify with your IT department that your VPN does not restrict access to certain types of traffic (for example, if the administrator set the system to allow only email and calendaring traffic).
• Verify that you set up Cisco Jabber to connect directly to the corporate network.