Feedback
Contents
- Feature Setup
- Enable Active Call Transfer Between Cisco Jabber and Desk Phone
- Set Up Mobile Connect
- Enable Mobile Connect
- Add Mobility Identity
- Add Remote Destination (Optional)
- Transfer Active VoIP Call to the Mobile Network
- Enable Active Call Handoff from VoIP to Mobile Network
- Set Up Handoff DN
- Match Caller ID with Mobility Identity
- Set Up Additional User and Device Settings for Handoff
- Enable Active Call Transfer from VoIP to Mobile Network
- Set Up Dial Via Office
- Set Up Unified CM to Support DVO-R
- Set Up Enterprise Feature Access Number
- Set Up Mobility Profile
- Verify Device COP File Version
- Set Up Dial Via Office for Each Device
- Add Mobility Identity
- Enable Dial Via Office on Each Device
- Set Up Voicemail Avoidance
- Set Up Timer-Controlled Voicemail Avoidance
- Set Up User-Controlled Voicemail Avoidance
- Set Up Unified CM to Support User-Controlled Voicemail Avoidance
- Enable User-Controlled Voicemail Avoidance on Mobility Identity
- Enable User-Controlled Voicemail Avoidance on Remote Destination
- Set Up Voice Dialing
- Set Up Visual Voicemail on Unified CM
- Specify Directory Search Settings
- Set Up Corporate Directory Photos on Cisco Jabber
- Integrate Corporate Directory Photos Using a Side URL
- Integrate Corporate Directory Photos from an LDAP Server
- Set Up SRST Failover
- Set Up Extension Mobility to Allow Users to Sign In and Out
- Set Timer to Automatically Sign Users Out of Cisco Jabber
- Cross-Launch Cisco Jabber from Another Application (Optional)
- Set Up SIP Digest Authentication Options
- Disable SIP Digest Authentication
- Enable SIP Digest Authentication with Automatic Password Authentication
- Enable SIP Digest Authentication with Manual Password Authentication
- Set Up Cisco AnyConnect
- Provision Application Profiles
- Provision VPN Profiles on ASA
- Provision iOS Devices Using Apple Configuration Profile and iPCU
- Provision iOS Devices Using Apple Configuration Profile and MDM
- Automate VPN Connection
- Set Up Connect On-Demand VPN
- Set Up Certificate-Based Authentication
- Set Up ASA for Certificate-Based Authentication
- Distribute Client Certificates
- Distribute Client Certificate Using SCEP
- Distribute Client Certificate Using Mobileconfig File
- Set ASA Session Parameters
- Set ASA Session Parameters
- Set Up Tunnel Policies
- Set Up Automatic VPN Access on the Unified CM
Feature Setup
Enable Active Call Transfer Between Cisco Jabber and Desk Phone
Procedure
What to Do Next
- Enter your credentials using one of the following methods:
- Test your settings to verify that you can move active calls between the desk phone and Cisco Jabber.
Important:See instructions in the user FAQs at http://www.cisco.com/en/US/products/ps11596/products_user_guide_list.html.
Set Up Mobile Connect
Mobile Connect, formerly known as Single Number Reach (SNR), allows the native mobile phone number to ring when someone calls the work number if:
- Cisco Jabber is not available. After Cisco Jabber becomes available again and connects to the corporate network, the Unified CM returns to placing VoIP calls rather than using Mobile Connect.
- The user selects the Always Use DVO Jabber calling option.
- The user selects the Automatically select Jabber calling option and the user is outside of the Wi-Fi network.
To set up Mobile Connect, perform the following procedures:
- Enable Mobile Connect
- Specify one or more remote phone numbers to which Mobile Connect connects using one or both of the following procedures:
- (Preferred) To specify the GSM number of the mobile device, see Add Mobility Identity.
- (Optional) To specify alternate phone numbers, see Add Remote Destination (Optional). Alternate numbers can be any type of phone number, such as home phone numbers, conference room numbers, desk phone numbers, or a GSM number for a second mobile device.
- Test your settings:
- Exit Cisco Jabber on the mobile device. For instructions, see the FAQs for users at http://www.cisco.com/en/US/products/ps11596/products_user_guide_list.html
- Call the Cisco Jabber extension from another phone.
- Verify that the native mobile network phone number rings and that the call connects when you answer it.
Enable Mobile Connect
Procedure
Add Mobility Identity
ProcedureUse this procedure to add a Mobility Identity to specify the GSM number of the mobile device as the destination number. This destination number is used by features such as Dial via Office or Mobile Connect.
You can specify only one number when you add a mobility identity. If you want to specify an alternate number such as a second GSM number for a mobile device, you can set up a remote destination. The Mobility Identity configuration characteristics are identical to those of the Remote Destination configuration.
Step 1 Sign in to the Unified CM Administration portal. Step 2 Navigate to the device page for the Cisco Dual Mode mobile device settings. Step 3 In the Associated Mobility Identity section, select Add a New Mobility Identity. Step 4 Enter the mobile phone number as the Destination Number. This number must be routable to an outbound gateway. Generally, the number is the full E.164 number.
Note If you enable the Dial via Office - Reverse feature for a user, you must enter a destination number for the user's mobility identity.
If you enable Dial via Office - Reverse and leave the destination number empty in the mobility identity:
- The phone service cannot connect if the user selects the Automatically select Jabber calling option while using a 3G network and VPN.
- The phone service cannot connect if the user selects the Always use DVO Jabber calling option on any type of network.
- The logs do not indicate why the phone service cannot connect.
When using Dial via Office - Reverse, the system does not automatically push updated destination numbers for the user's mobility identity to the client after you already entered a destination number. To work around this issue, ask the user to do one of the following:
- In the Cisco Jabber for iPhone Settings, manually update the phone number in the DVO Callback Number field.
- In the Cisco Jabber for iPhone Settings, delete the current number in the DVO Callback Number field, and then exit and restart Cisco Jabber for iPhone
For more information about using the iPhone Settings or the Cisco Jabber for iPhone Settings, see the FAQs.
Step 5 Enter the initial values for call timers. These values ensure that calls are not routed to the mobile service provider voicemail before they ring in the client on the mobile device.
For more information, see the online help in Unified CM.
Example:Step 6 Check the Enable Mobile Connect check box. Step 7 If you are setting up the Dial via Office feature, in the Mobility Profile drop-down list, select one of the following options.
Option Description Leave blank Choose this option if you want users to use the Enterprise Feature Access Number (EFAN).
Mobility Profile Choose the Mobility Profile that you just created if you want users to use a Mobility Profile instead of an EFAN.
Step 8 Set up the schedule for routing calls to the mobile number. Step 9 Select Save.
Related Tasks
Add Remote Destination (Optional)
ProcedureUse this procedure to add a Remote Destination to specify any alternate number as the destination number. The Mobility Identity configuration characteristics are identical to those of the Remote Destination configuration.
Alternate numbers can be any type of phone number, such as home phone numbers, conference room numbers, desk phone numbers, or multiple GSM numbers for additional mobile devices. You can add more than one remote destination.
Transfer Active VoIP Call to the Mobile Network
Users can transfer an active VoIP call from Cisco Jabber to their mobile phone number on the mobile network. This feature is useful when a user on a call leaves the Wi-Fi network (for example, leaving the building to walk out to the car), or if there are voice quality issues over the Wi-Fi network. This Cisco Jabber feature is called Use Mobile Network.
There are two ways to implement this feature. You can also disable it.
Implementation Method
Implications
Instructions
Handoff DN
The iPhone calls Unified CM using the mobile network.
This method requires a Direct Inward Dial (DID) number.
The service provider must deliver the DID digits exactly as configured. Alternately, for Cisco IOS gateways with H.323 or SIP communication to Unified CM, you can use Cisco IOS to manipulate the inbound called-party number at the gateway, presenting the digits to Unified CM exactly as configured on the handoff DN.
If you select this implementation method and it fails, the system automatically tries the Mobility Softkey.
This method will not work for iPod Touch devices.
See Set Up Handoff DN.
Mobility Softkey
Unified CM calls the phone number of the iPhone PSTN mobile service provider.
See Enable Active Call Transfer from VoIP to Mobile Network.
None of the above
Disable this feature if you do not want to make it available to users.
Select Disabled for the Transfer to Mobile Network option in the "Product Specific Configuration Layout" section of the Cisco Dual Mode for iPhone device page.
- Enable Active Call Handoff from VoIP to Mobile Network
- Enable Active Call Transfer from VoIP to Mobile Network
Enable Active Call Handoff from VoIP to Mobile Network
Set Up Handoff DN
Before You BeginDetermine the required values. The values that you choose depend on the phone number that the gateway passes (for example, seven digits or ten digits).Procedure
Match Caller ID with Mobility Identity
To ensure that only authorized phones can initiate outbound calls, calls must originate from a phone that is set up in the system. To do this, the system attempts to match the caller ID of the requesting phone number with an existing Mobility Identity. By default, when a device initiates the Handoff feature, the caller ID that is passed from the gateway to Unified CM must exactly match the Mobility Identity number that you entered for that device.
However, your system may be set up such that these numbers do not match exactly. For example, Mobility Identity numbers may include a country code while caller ID does not. If so, you must set up the system to recognize a partial match.
Be sure to account for situations in which the same phone number may exist in different area codes or in different countries. Also, be aware that service providers can identify calls with a variable number of digits, which may affect partial matching. For example, local calls may be identified using seven digits (such as 555 0123) while out-of-area calls may be identified using ten digits (such as 408 555 0199).
Before You BeginProcedure
- Set up the Mobility Identity. See Add Mobility Identity.
- Determine whether you need to complete this procedure: Use the device to dial in to the system and compare the caller ID value with the Destination Number in the Mobility Identity. If the numbers do not match, you must perform this procedure. Repeat this procedure for devices that are issued in all expected locales and area codes.
Step 1 Sign in to the Unified CM Administration portal. Step 2 Select . Step 3 Select the active server. Step 4 Select the Cisco CallManager (Active) service. Step 5 Scroll down to the Clusterwide Parameters (System - Mobility) section. Step 6 Select Matching Caller ID with Remote Destination and read essential information about this value. Step 7 Select Partial Match for Matching Caller ID with Remote Destination. Step 8 Select Number of Digits for Caller ID Partial Match and read the essential requirements for this value. Step 9 Enter the required number of digits to ensure partial matches. Step 10 Select Save.
Set Up Additional User and Device Settings for Handoff
Procedure
Step 1 In the Unified CM, select Use Handoff DN Feature for the Transfer to Mobile Network option on the Cisco Dual Mode for iPhone Device page. Do not assign this method for iPod Touch devices. Use the Mobility Softkey method instead. Step 2 On the iOS device, tap to verify that Caller ID is on. Step 3 Test this feature.
Enable Active Call Transfer from VoIP to Mobile Network
Procedure
Step 1 For system-level settings, check that the Mobility softkey appears when the phone is in the connected and on-hook call states.
- In , select the softkey template that you selected when you configured the device for Mobile Connect.
- In the Related Links list box at the upper right, choose Configure Softkey Layout and select Go.
- Select Connected state and verify that the Mobility key is in the list of selected softkeys, and then do the same for the On Hook state.
Step 2 For the per-user and per-device settings in Unified CM, ensure that you set up a device Mobility Identity and Mobile Connect for the mobile device. After the transfer feature is working, users can enable and disable Mobile Connect at their convenience without affecting the feature.
If the device is an iPod Touch, you can configure a Mobility Identity using an alternate phone number such as the mobile phone of the user.Step 3 Navigate to the device page, , and search for the TCT device. Step 4 In the User Locale field, choose English, United States.
Set Up Dial Via Office
Important:The DVO-R feature requires:
- Cisco Jabber for iPhone client, Release 9.1(1) and later.
- Unified CM 9.1(1a), which is targeted to release at the end of February, 2013.
User-controlled voicemail avoidance, which can be used in conjunction with the Dial via Office feature, is available only on Unified CM Release 9.0 and later. Timer-controlled voicemail avoidance is available on Unified CM Release 6.0 and later.
The Dial via Office feature is not supported with the Extension Mobility feature.
The application cannot be provisioned with SIP Digest if Dial via Office is enabled.
The Dial via Office (DVO) feature allows users to initiate Cisco Jabber outgoing calls with their work number using the voice plan for the device.
There are two types of Dial via Office calls: Dial via Office-Reverse (DVO-R) and Dial via Office-Forward (DVO-F). Cisco Jabber supports Dial via Office-Reverse (DVO-R) calls. DVO-R works as follows:
- User initiates a Dial via Office-Reverse call.
- The client notifies Unified CM to call the mobile phone number.
- Unified CM calls and connects to the mobile phone number.
- Unified CM calls and connects to the number that the user dialed.
- Unified CM connects the two segments.
- The user and the called party continue as with an ordinary call.
Incoming calls use either Mobile Connect or the Internet, depending on which Jabber Calling Options the user sets on the client. Dial via Office does not require Mobile Connect to work. However, we recommend that you enable Mobile Connect to allow the native mobile number to ring when someone calls the work number. From the Unified CM user pages, users can enable and disable Mobile Connect, and adjust Mobile Connect behavior using settings (for example, the time of day routing and Delay Before Ringing Timer settings). For information about setting up Mobile Connect, see Set Up Mobile Connect.
The following table describes the calling methods used for incoming and outgoing calls. The calling method (Internet, Mobile Connect, DVO-R, or native cellular call) varies depending on the selected Jabber Calling Options and the network connection.
Table 1 Calling Methods used with Jabber Calling Options over Different Network ConnectionsConnection Call Options Always use Internet Always use DVO Auto Select Corporate Wi-Fi
Outgoing: Internet Incoming: Internet Outgoing: DVO-R Incoming: Mobile Connect Outgoing: Internet Incoming: Internet Noncorporate Wi-Fi
Mobile Network (3G, 4G)
Outgoing: DVO-R Incoming: Mobile Connect Jabber is not registered
Outgoing Native Cellular Call Incoming Mobile Connect To set up Dial via Office-Reverse (DVO-R), you must do the following:
- Set up the Unified CM to support DVO-R. See Set Up Unified CM to Support DVO-R.
- Enable DVO on each Cisco Dual Mode for iPhone device. See Set Up Dial Via Office for Each Device.
Set Up Unified CM to Support DVO-R
To set up Unified CM to support DVO-R, perform the following procedures:
- Complete one or both of the following procedures.
- Verify Device COP File Version
- If necessary, create application dial rules to allow the system to route calls to the Mobile Identity phone number to the outbound gateway. Ensure that the format of the Mobile Identity phone number matches the application dial rules. For more information, see Dial Rules.
NoteThe DVO-R feature requires:
- Cisco Jabber for iPhone client, Release 9.1(1) and later.
- Unified CM 9.1(1a), which is targeted to release at the end of February, 2013.
Set Up Enterprise Feature Access Number
Use this procedure to set up an Enterprise Feature Access Number for all Cisco Jabber calls that are made using Dial via Office-Reverse.
The Enterprise Feature Access Number is the number that Cisco Unified Communications Manager uses to call the mobile phone and the dialed number unless a different number is set up in Mobility Profile for this purpose.
Before You BeginProcedure
- Reserve a Direct Inward Dial (DID) number to use as the Enterprise Feature Access Number (EFAN). This procedure is optional if you already set up a mobility profile.
- Determine the required format for this number. The exact value you choose depends on the phone number that the gateway passes (for example, 7 digits or 10 digits). The Enterprise Feature Access Number must be a routable number.
Step 1 Sign in to the Unified CM Administration portal. Step 2 Choose . Step 3 Select Add New. Step 4 In the Number field, enter the Enterprise Feature Access number. Enter a DID number that is unique in the system.
To support dialing internationally, you can prepend this number with \+.
Step 5 From the Route Partition drop-down list, choose the partition of the DID that is required for enterprise feature access. This partition is set under , in the Clusterwide Parameters (System - Mobility) section, in the Inbound Calling Search Space for Remote Destination setting. This setting points either to the Inbound Calling Search Space of the Gateway or Trunk, or to the Calling Search Space assigned on the Phone Configuration screen for the device.
If the user sets up the DVO Callback Number with an alternate number, ensure that you set up the trunk Calling Search Space (CSS) to route to destination of the alternate phone number.
Step 6 In the Description field, enter a description of the Mobility Enterprise Feature Access number. Step 7 (Optional) Check the Default Enterprise Feature Access Number check box if you want to make this Enterprise Feature Access number the default for this system. Step 8 Select Save.
Set Up Mobility Profile
ProcedureUse this procedure to set up a mobility profile for Cisco Jabber devices. This procedure is optional if you already set up an Enterprise Feature Access Number.
Mobility profiles allow you to set up the Dial via Office-Reverse settings for a mobile client. After you set up a mobility profile, you can assign it to a user or to a group of users, such as the users in a region or location.
Step 1 Sign in to the Unified CM Administration portal. Step 2 Choose . Step 3 In the Mobility Profile Information section, in the Name field, enter a descriptive name for the mobility profile. Step 4 In the Dial via Office-Reverse Callback section, in the Callback Caller ID field, enter the caller ID for the callback call that the client receives from Unified CM. Step 5 Click Save.
Verify Device COP File Version
ProcedureUse the following procedure to verify that you are using the correct device COP file for this release of Cisco Jabber.
Step 1 Sign in to the Unified CM Administration portal. Step 2 Choose . Step 3 Click Add New. Step 4 From the Phone Type drop-down list, choose Cisco Dual Mode for iPhone. Step 5 Click Next. Step 6 Scroll down to the Product Specific Configuration Layout section, and verify that you can see the Dial via Office drop-down list. If you can see the Dial via Office drop-down list, the COP file is already installed on your system.
If you cannot see the Dial via Office drop-down list, locate and download the correct COP file. For more information, see Required Files.
Set Up Dial Via Office for Each Device
Add Mobility Identity
ProcedureUse this procedure to add a Mobility Identity to specify the GSM number of the mobile device as the destination number. This destination number is used by features such as Dial via Office or Mobile Connect.
You can specify only one number when you add a mobility identity. If you want to specify an alternate number such as a second GSM number for a mobile device, you can set up a remote destination. The Mobility Identity configuration characteristics are identical to those of the Remote Destination configuration.
Step 1 Sign in to the Unified CM Administration portal. Step 2 Navigate to the device page for the Cisco Dual Mode mobile device settings. Step 3 In the Associated Mobility Identity section, select Add a New Mobility Identity. Step 4 Enter the mobile phone number as the Destination Number. This number must be routable to an outbound gateway. Generally, the number is the full E.164 number.
Note If you enable the Dial via Office - Reverse feature for a user, you must enter a destination number for the user's mobility identity.
If you enable Dial via Office - Reverse and leave the destination number empty in the mobility identity:
- The phone service cannot connect if the user selects the Automatically select Jabber calling option while using a 3G network and VPN.
- The phone service cannot connect if the user selects the Always use DVO Jabber calling option on any type of network.
- The logs do not indicate why the phone service cannot connect.
When using Dial via Office - Reverse, the system does not automatically push updated destination numbers for the user's mobility identity to the client after you already entered a destination number. To work around this issue, ask the user to do one of the following:
- In the Cisco Jabber for iPhone Settings, manually update the phone number in the DVO Callback Number field.
- In the Cisco Jabber for iPhone Settings, delete the current number in the DVO Callback Number field, and then exit and restart Cisco Jabber for iPhone
For more information about using the iPhone Settings or the Cisco Jabber for iPhone Settings, see the FAQs.
Step 5 Enter the initial values for call timers. These values ensure that calls are not routed to the mobile service provider voicemail before they ring in the client on the mobile device.
For more information, see the online help in Unified CM.
Example:Step 6 Check the Enable Mobile Connect check box. Step 7 If you are setting up the Dial via Office feature, in the Mobility Profile drop-down list, select one of the following options.
Option Description Leave blank Choose this option if you want users to use the Enterprise Feature Access Number (EFAN).
Mobility Profile Choose the Mobility Profile that you just created if you want users to use a Mobility Profile instead of an EFAN.
Step 8 Set up the schedule for routing calls to the mobile number. Step 9 Select Save.
Enable Dial Via Office on Each Device
Procedure
Step 1 Sign in to the Unified CM Administration portal. Step 2 Navigate to the device page for the user. Step 3 In the Device Information section, check the Enable Cisco Unified Mobile Communicator check box. Step 4 On the device page for the user, in the Product Specific Configuration Layout section, set the Dial via Office drop-down list to Enabled. Important:DVO-R is supported only on Unified CM Release 9.1 and later. Cisco plans to release a service update (SU) in the near future to support Cisco Jabber with DVO-R on Unified CM 8.6. If you enable this setting on an unsupported release of Unified CM, the end user sees the DVO calling options and can attempt to make DVO-R calls, but the calls cannot connect.
Step 5 Select Save. Step 6 Select Apply Config.
What to Do NextTest this feature.
Set Up Voicemail Avoidance
Voicemail avoidance is a feature that prevents calls from being answered by the mobile service provider voice mail. This feature is useful if a user receives a Mobile Connect call from the enterprise on the mobile device. It is also useful when an incoming DVO-R call is placed to the mobile device.
You can set up Voicemail Avoidance in one of two ways:
- Timer-controlled: (Default) With this method, you set timers on the Unified CM to determine if the call is answered by the mobile user or mobile service provider voicemail.
- User-controlled: With this method, you set the Unified CM to require that a user presses any key on the keypad of the device to generate a DTMF tone before the call can proceed.
If you deploy DVO-R, Cisco recommends that you also set user-controlled Voicemail Avoidance. If you set user-controlled Voicemail Avoidance, this feature applies to both DVO-R and Mobile Connect calls.
For more information about voicemail avoidance, see the section called "Confirmed Answer and DVO VM detection" in the Unified CM Features and Services Guide.
Set Up Timer-Controlled Voicemail Avoidance
Timer-controlled voicemail avoidance is supported on Unified CM Release 6.0 and later.
Set up the timer control method by setting the Answer Too Soon Timer and Answer Too Late Timer on either the Mobility Identity or the Remote Destination. For more information, see Add Mobility Identity or Add Remote Destination (Optional).
Set Up User-Controlled Voicemail Avoidance
Important:User-controlled voicemail avoidance is available on Unified CM Release 9.0 and later.
To set up User-Controlled Voicemail Avoidance, perform the following procedures:
- Set Up Unified CM to Support User-Controlled Voicemail Avoidance
- Set up user-controlled voicemail avoidance on the device by performing one of the following procedures:
Important:Cisco does not support user-controlled voicemail avoidance when using DVO-R with alternate numbers that the end user sets up in the client. An alternate number is any phone number that the user enters in the DVO Callback Number field on the client that does not match the phone number that you set up on the user's Mobility Identity.
If you set up this feature with alternate numbers, the Unified CM connects the DVO-R calls even if the callback connects to a wrong number or a voicemail system.
Set Up Unified CM to Support User-Controlled Voicemail Avoidance
Procedure
Step 1 Sign in to the Unified CM. Step 2 In the Navigation field, choose Unified CM Administration. Step 3 Choose . Step 4 In the Server drop-down list, select the active United CM. Step 5 In the Service drop-down list, select the Cisco Call Manager (Active) service. Step 6 Configure the settings in the Clusterwide Parameters (System - Mobility Single Number Reach Voicemail) section.
Note The settings in this section are not specific to Cisco Jabber. For information about how to configure these settings, see "Confirmed Answer and DVO VM detection" section in the Cisco Unified Communication Manager Administrator Guide for your release.
Step 7 Click Save.
Enable User-Controlled Voicemail Avoidance on Mobility Identity
Use this procedure to enable user-controlled voicemail avoidance for the end user's mobility identity.
Before You BeginProcedure
- Set up the annunciator on the Unified CM. For more information, see the "Annunciator setup" section in the Cisco Unified Communication Manager Administrator Guide for your release.
- If you set up a Media Resource Group on the Unified CM, set up the annunciator on the Media Resource Group. For more information, see the "Media resource group setup" section in the Cisco Unified Communication Manager Administrator Guide for your release.
Step 1 Sign in to the Unified CM Administration portal. Step 2 Navigate to the device page for the user. Step 3 In the Associated Mobility Identity section, click the link for the Mobility Identity.
Note To ensure that the Voicemail Avoidance feature works correctly, the DVO Callback Number that the end user enters in the Cisco Jabber client must match the Destination Number that you enter on the Mobility Identity Configuration screen.
Step 4 In the Single Number Reach Voicemail Policy drop-down list, select User control. Step 5 Click Save.
Enable User-Controlled Voicemail Avoidance on Remote Destination
Use this procedure to enable user-controlled voicemail avoidance for the end user's remote destination.
Before You BeginProcedure
- Set up the annunciator on the Unified CM. For more information, see the "Annunciator setup" section in the Cisco Unified Communication Manager Administrator Guide for your release.
- If you set up a Media Resource Group on the Unified CM, set up the annunciator on the Media Resource Group. For more information, see the "Media resource group setup" section in the Cisco Unified Communication Manager Administrator Guide for your release.
Step 1 Sign in to the Unified CM Administration portal. Step 2 Navigate to the device page for the user. Step 3 In the Associated Remote Destinations section, click the link for the associated remote destination. Step 4 In the Single Number Reach Voicemail Policy drop-down list, select User control. Step 5 Click Save.
Set Up Voice Dialing
Voice Dialing allows users to dial a number by speaking a name in the corporate directory.
If Voice Dialing is available on your network, Cisco Jabber users can always dial the Voice Dialing pilot number to access that feature as they do from any phone.
Before You BeginProcedureVoice dialing must be set up and working on your network.
To set up voice dialing for general use, see information about directory handlers in the System Administration Guide and the Reference Guide for Cisco Unity Connection at http://www.cisco.com/en/US/products/ps6509/prod_maintenance_guides_list.html.
Step 1 Sign in to the Unified CM Administration portal. Step 2 Navigate to the device page for the user. Step 3 Enter voice dialing settings.
Setting Description Enable Voice Dialing Motion The Voice Dialing Motion feature activates the motion and proximity sensors that automatically dial the Voice Dialing pilot number when Cisco Jabber is running and users move the device to their ear with the gesture described in the user documentation for Cisco Jabber at http://www.cisco.com/en/US/products/ps11596/products_user_guide_list.html.
This setting specifies whether the voice dialing motion is initially on or off for the user.
Voice Dialing Phone Number The pilot phone number for the voice dialing feature. This number is not unique to Cisco Jabber.
For more information, see the "Routing Calls to a Voice Directory Handler" section in the Cisco Unity Connection Release 7.x documentation.
Add Voice Dialing to Favorites Specify whether or not to automatically add the Voice Dialing phone number to the Cisco Jabber favorites list of the user.
Step 4 Select Save. Step 5 Relaunch Cisco Jabber.
Set Up Visual Voicemail on Unified CM
Before You BeginProcedure
Note
For users that also have the Cisco Mobile application (Cisco Unified Mobile Communicator 7.1) that runs in conjunction with Cisco Unified Mobility Advantage, do not set up Cisco Jabber for voicemail. For the best user experience, we recommend that users of the other Cisco Mobile application access voicemail using Cisco Mobile application, not Cisco Jabber.
- Verify that IMAP is enabled: See "Configuring IMAP Settings" in the System Administration Guide for Cisco Unity Connection at http://www.cisco.com/en/US/products/ps6509/prod_maintenance_guides_list.html.
- Collect the values for the settings that are listed in the table in this procedure.
- Consult your voicemail administrator if you have questions about the values for the settings in this section.
Step 1 Sign in to the Unified CM Administration portal. Step 2 Navigate to the device page for the user. Step 3 In the Product Specific Configuration Layout section, enter voicemail settings.
Setting Description Voicemail Username Unique username for voicemail access for this user. Voicemail Server (include the port) For the voicemail server, enter the hostname or IP address. Use the format Servername.YourCompany.com:portnumber
Voicemail Message Store Username Enter the username for the voicemail message store.
Voicemail Message Store For the voicemail message store, enter the hostname or IP address. This can be the same as the voicemail server. Use the format YourVoiceMessageStoreServer.yourcompany.com:portnumber
Step 4 Select Save. Step 5 Restart Cisco Jabber. If you allowed end-user configuration editing, delete the voicemail account on the client and then set up the account again.
Step 6 Step through the wizard until you see an option to enable or confirm your voice messaging account. Step 7 Select Yes. Step 8 Enter your voice messaging password. Step 9 Select Save. Step 10 Complete the setup wizard.
What to Do Next
Specify Directory Search Settings
Before You BeginProcedure
- Make sure the telephoneNumber attribute in Active Directory (or its equivalent, if you use a different attribute) is indexed.
- Identify attributes in your corporate directory schema that are different from, or additional to, the defaults in the following table. You must map changed attributes later in this procedure.
Note
Directory lookup information is not available through Unified CM.
Use the following table to verify the values for your directory:
- If you use an Active Directory server, review the values in the column called "Default Active Directory Attribute." If your attributes differ from the values in the "Default Active Directory Attribute" column, make a note of your actual attribute value in the column titled "Your Value, if Different."
- If you use an LDAP server that is not an Active Directory server, review the values in the column called "Default Attribute for All Other LDAP Servers." If your attributes differ from the values in the "Default Attribute for All Other LDAP Servers" column, make a note of your actual attribute value in the column titled "Your Value, if Different."
If you have any questions about the values in the following table, consult your directory administrator.
Cisco Jabber for iPhone determines which type of directory server you use by checking whether the defaultNamingContext is defined. If the defaultNamingContext is defined, the app determines that you are using Active Directory. If this value is not defined, the app determines that the system is using another LDAP server.
Note Some default attributes for Active Directory or other LDAP servers are different between Cisco Jabber for iPhone and other Cisco Jabber clients. If you have more than one Cisco Jabber client platform in your environment, you may need to enter different text for the LDAP field mappings for each platform.
Table 2 Directory Elements and AttributesElement
Element Name
Default Active Directory Attribute
Default Attribute for All Other LDAP Servers
Your Value, if Different
Unique identifier
identifier
distinguishedName
distinguishedName
Display name
displayName
displayName
cn
Email address
emailAddress
First name
firstName
givenName
givenName
Last name
lastName
sn
sn
User ID
userid
sAMAccountName
uid
Main phone number
mainPhoneNumber
telephoneNumber
telephoneNumber
Home phone number
homePhoneNumber
homeTelephoneNumber
homeTelephoneNumber
Second home phone number
homePhoneNumber2
homeTelephoneNumber
homeTelephoneNumber
Mobile phone number
mobilePhoneNumber
mobile
mobile
Second mobile phone number
mobilePhoneNumber2
mobile
mobile
Direct to voicemail phone number
voicemailPhoneNumber
voicemail
voicemail
Fax number
faxPhoneNumber
facsimileTelephoneNumber
facsimileTelephoneNumber
Other phone number
otherPhoneNumber
telexNumber
telexNumber
Directory photo
photo
jpegPhoto
jpegPhoto
Jabber ID
jabberID
jabberID
jabberID
Job title
jobTitle
title
title
Employee number
employeeNumber
employeeID
employeeNumber
Manager ID
manageruid
manager
manager
Step 1 Sign in to the Unified CM Administration portal. Step 2 Navigate to the Cisco Dual Mode device page for the user. Step 3 In the Product Specific Configuration Layout section, enter the iPhone country code. This information helps determine the Caller ID. Step 4 Enter LDAP User Authentication settings: Step 5 Enter LDAP username and password: By default, the LDAP username is the userPrincipalName (UPN) and may be in the form of an email address (userid@example.com).
- Enter credentials for a single read-only account that all users use to access Active Directory. These credentials are sent in clear text in the TFTP file. Users need not enter credentials into Cisco Jabber.
- Enter a username with access to the directory and leave the password blank. You must give the password to each user and tell users to enter the password into the settings in Cisco Jabber.
- If authentication is not required, leave these settings blank.
Step 6 Enter LDAP server address. Use the format YourDirectoryServer.YourCompany.com:portnumber. By default, if you enter no port or SSL settings, Cisco Jabber attempts an SSL connection to port 3269.
- Enter the hostname or IP address and port number for your Active Directory server.
- Use port 3269 for secure SSL connections or 3268 for nonsecure connections.
Step 7 Enter the LDAP Search Base using the format: CN=users,DC=corp,DC=yourcompany,DC=com. By default, this application uses the search base that is found in a RootDSE search on the defaultNamingContext attribute. If you need to specify a different search base, enter the Distinguished Name of the root node in your corporate directory that contains user information. Use the lowest node that includes the necessary names. Using a higher node creates a larger search base and thus reduce performance if the directory is very large.
Note To help determine the optimal search base, you can use a utility such as Active Directory Explorer (available from Microsoft) to view your data structure. Step 8 Enter the LDAP field mappings. LDAP field mappings identify the attributes in your directory that hold the information to be searched and displayed for directory searches.
Note The manager ID and employee number entries are required for reporting structure information in directory search results. The default mappings are as follows:
- Active Directory: manageruid=manager; employeeNumber=employeeID.
- Open LDAP: servers are manageruid=manager; employeeNumber=employeeNumber.
If a manager has more than 25 direct reports, Cisco Jabber for iPhone displays only the first 25 reports.
Step 9 Enter the LDAP photo location. For more information, see Integrate Corporate Directory Photos from LDAP server. Step 10 Select Save. Step 11 On the mobile device, restart Cisco Jabber. If you allowed end-user configuration editing, delete the Directory account on the client and then set up the account again.
Step 12 Step through the wizard until you see the option to enable or confirm the corporate directory account settings. Step 13 At the option to enable or confirm the corporate directory account settings, tap Yes. Step 14 Enter the password, if it is not already entered. Step 15 Select Save, even if you make no changes. Step 16 Complete the wizard.
What to Do Next
Test this feature.
Set Up Corporate Directory Photos on Cisco Jabber
Use one of the following procedures to integrate corporate directory photos into Cisco Jabber.
- Integrate Corporate Directory Photos Using a Side URL
- Integrate Corporate Directory Photos from an LDAP Server
Integrate Corporate Directory Photos Using a Side URL
You can configure a parameterized URL string in the Photo field in the LDAP attribute map so that Cisco Jabber can retrieve pictures from a web server instead of from the LDAP server. The URL string must contain an LDAP attribute with a query value containing a piece of data that uniquely identifies the photo of the user. We recommend that you use the User ID attribute. However, you can use any LDAP attribute whose query value contains a piece of data that uniquely identifies the photo of the user.
Before You BeginProcedureThis substitution technique works only if Cisco Jabber can use the results of the query and can insert query results into the template that you specify to construct a working URL that retrieves a JPG photo. If the web server that hosts the photos in a company requires a POST (for example, the name of the user is not in the URL) or uses some other cookie name for the photo instead of the username, this technique does not work.
Step 1 Sign in to Unified CM Administration. Step 2 Go to to search for the device ID. Step 3 Go to the Product Specific Configuration Layout field in the COP file fields. Step 4 Go to the LDAP Photo Location field and enter the URL that stores the photo. We recommend that you use the variable %%LDAP Attribute %% to represent the LDAP attribute.
Example:
- http://mycompany.cisco.com/photo/std/%%uid%%.jpg
- http://mycompany.cisco.com/photo/std/%%sAMAccountName%%.jpg
Note You must include the double percent symbols in this string, and they must enclose the name of the LDAP attribute to substitute.
Cisco Jabber removes the percent symbols and replaces the parameter inside with the results of an LDAP query for the user whose photo it resolves.
Example:If a query result contains the attribute “uid” with a value of “johndoe”, and then a template such as http://mycompany.com/photos/%%uid%%.jpg creates the URL http://mycompany.com/photos/johndoe.jpg. Cisco Jabber attempts to fetch the photo.
What to Do Next
Important:After integrating corporate photos, you must reprovision or reset your device, depending on the setting for “Allow End User Configuration Editing.” For more information, see Add User Device.
Integrate Corporate Directory Photos from an LDAP Server
Use the following procedure to integrate corporate directory photos into Cisco Jabber from an LDAP server.Procedure
NoteIf using Global Catalog, replicate the value in the LDAP photo field “jpegphoto” in Microsoft Active Directory to the Global Catalog. For more information, see the following link, which directs you to a third-party website that is not affiliated with Cisco: How to Modify Attributes That Replicate to the Global Catalog.
Step 1 Sign in to the Unified CM Administration portal. Step 2 Go to to search for the device ID. Step 3 Go to the Product Specific Configuration Layout field in the COP file fields. Step 4 Go to LDAP Field Mappings. The default mapping is photo=jpegPhoto. No additional action is necessary if you do not require a custom mapping.
If you require a custom mapping, you can modify the LDAP Field Mappings. The field mappings have the following format: property=ldapAttribute separated by a semi-colon, (for example, “userid=uid;photo=thumbnailPhoto”).
What to Do Next
Important:After integrating corporate photos, you must reprovision or reset your device, depending on the setting for “Allow End User Configuration Editing.” For more information, see Add User Device.
Set Up SRST Failover
Survivable Remote Site Telephony (SRST) allows you to transfer services from the Unified CM to another Unified CM, a Unified CM Express (Unified CME), or a router running SRST.
Note
- Call Park and Ad-Hoc Conferencing are not supported in SRST mode.
- Unified CME 8.6 is required for SIP SRST transfer functionality on Unified CME.
- Set up the required SRST information on the Unified CM. See http://www.cisco.com/en/US/products/sw/voicesw/ps556/prod_maintenance_guides_list.html. Select the Administration Guide appropriate to version of Cisco Unified Communications Manager in use.
- Set up the failover device using one of the following methods:
- SRST failover to a Unified CME. On Unified CME, you must configure the following parameters: For more information, see http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmead.pdf.
NoteYou cannot have SIP IP phone (“no mode cme”) and SIP SRST provisioned at the same time. By default, SIP SRST is enabled as opposed to SCCP SRST, which you set up using “srst mode auto-provision.”
- SRST failover to a router set up for SRST only. See http://www.cisco.com/en/US/products/sw/voicesw/ps556/prod_maintenance_guides_list.html. Select the Administration Guide appropriate to version of Cisco Unified Communications Manager in use.
NoteWith this configuration, the router is set up for failover only, with no local SCCP or SIP IP phones provisioned.
Set Up Extension Mobility to Allow Users to Sign In and Out
Set up and activate the Cisco Extension Mobility Service to allow users to sign in and out of Cisco Jabber on devices.
NoteThe Extension Mobility feature is not supported with the Dial via Office feature.
Before You Begin
- The Sign In feature using Extension Mobility is disabled by default in Cisco Jabber. To enable it, select Enabled in the “Sign In Feature” drop-down list. For more information about setting up Extension Mobility, see http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/8_6_1/ccmfeat/fsem.html.
NoteExternal number masks are not displayed while Extension Mobility is enabled if the mask is not also configured for the Extension Mobility device profile.
- Extension Mobility is functional only if a single profile is listed in the Controlled Profiles field.
- If you set up Extension Mobility as an Enterprise Subscription service, all Cisco Jabber users are required to sign in and out of Cisco Jabber while Extension Mobility is enabled.
- When using Extension Mobility, choose Disabled for Allow End User Configuration Editing. For more information, see Add User Device.
- After Extension Mobility is set up, Cisco Jabber is functional only if the user is signed in.
Set Timer to Automatically Sign Users Out of Cisco Jabber
ProcedureUse this procedure to set up a timer for all Extension Mobility users in the Unified CM cluster. For more information about timers, see http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/8_6_1/ccmfeat/fsem.html#wp1178338.
NoteIf the user has an active call at the automatic sign-out time, the call is not interrupted.
Step 1 Sign in to the Unified CM. Step 2 In the Navigation field, choose Unified CM Administration. Step 3 Choose . Step 4 In the Server drop-down list, select the active Unified CM. Step 5 In the Service drop-down list, select the “Cisco Extenstion Mobility (Active)” service. Step 6 In the Enforce Intra-cluster Maximum Login Time field, choose True. Step 7 In the Intra-cluster Maximum Login Time field, enter the number of hours after which the user is signed out of Cisco Jabber. Step 8 Click Save.
Cross-Launch Cisco Jabber from Another Application (Optional)
This feature allows developers to launch Cisco Jabber from third-party apps. Enable applications to launch Cisco Jabber by constructing and then opening a URL from within another app.
To cross-launch Cisco Jabber from your application, set up your app to open a URL with the following format:
ciscotel://<phonenumber>Examples
NoteYou can add a URL in ciscotel format to a web page field. When a user taps the URL, Cisco Jabber automatically calls the number contained in the URL. You can add phone numbers in this format to applications that support opening URLs, such as "Notes".
NoteSupport for various phone number formats varies depending on the application that opens the URL.
Set Up SIP Digest Authentication Options
SIP Digest Authentication is a Unified CM security feature that authenticates user devices. For more information, see the Cisco Unified Communications Manager Security Guide and the Cisco Unified Communications Manager Administration Guide, available from the maintenance guides list.
NoteCisco Jabber does not support SIP Digest Authentication feature with the Dial via Office - Reverse feature.
For Cisco Jabber, you have three options:
- Disable SIP Digest Authentication—Disable SIP Digest Authentication if your deployment does not use this feature. See Disable SIP Digest Authentication.
- Enable SIP Digest Authentication with automatic password authentication
See Enable SIP Digest Authentication with Automatic Password Authentication.
- The password is stored and sent in clear text.
- Users do not have to manually enter this password.
- There is less chance of entry error that prevents Cisco Jabber from registering with Unified CM.
- Enable SIP Digest Authentication with manual password authentication See Enable SIP Digest Authentication with Manual Password Authentication.
- Disable SIP Digest Authentication
- Enable SIP Digest Authentication with Automatic Password Authentication
- Enable SIP Digest Authentication with Manual Password Authentication
Disable SIP Digest Authentication
Procedure
Step 1 Sign in to the Unified CM Administration portal. Step 2 Navigate to the device page. Step 3 In the Device Security Profile drop-down list, select “Cisco Dual Mode for iPhone - Standard SIP Non-secure profile.” Step 4 Complete the authentication details in the Product Specific Configuration Layout section. Step 5 If end-user configuration editing is enabled, reset the Phone Services account. Step 6 Restart Cisco Jabber.
Enable SIP Digest Authentication with Automatic Password Authentication
Procedure
Step 1 Create a new phone security profile for Cisco Dual Mode for iPhone under : Step 2 On each End User page, in the User Information section, complete the following tasks: Step 3 On each Cisco Dual Mode for iPhone device page, complete the profile information in the Profile Specific Information section: Step 4 On the same device page, complete the authentication details in the Product Specific Configuration Layout section: Step 5 If end-user configuration editing is enabled, reset the Phone Services account: Step 6 Restart Cisco Jabber.
Enable SIP Digest Authentication with Manual Password Authentication
Procedure
Step 1 Create a new profile for Cisco Dual Mode for iPhone under : Step 2 On each End User page, in the User Information section, complete the following tasks: Make a note of this password. You provide this password to the user later. Step 3 On each Cisco Dual Mode for iPhone device page, enter the new profile information in the Protocol Specific Information section: Step 4 On the same device page, complete the authentication details in the Product Specific Configuration Layout section: Step 5 Restart Cisco Jabber and step through the setup wizard again. Step 6 At the option to confirm the Phone Services settings, tap the SIP Digest Authentication password setting and enter the password you noted earlier. This password is case sensitive.
Step 7 On the Phone Services Settings screen, enter your SIP Digest Authentication credentials. This password is case sensitive.
Step 8 If end-user configuration editing is enabled, reset the Phone Services account:
Set Up Cisco AnyConnect
Cisco AnyConnect Secure Mobility Client is a VPN application that allows Cisco Jabber to securely connect to your corporate network from a remote location using Wi-Fi or mobile data networks.
NoteCisco does not guarantee the voice quality on noncorporate Wi-Fi networks or mobile data networks.
To support the Cisco AnyConnect Secure Mobility Client, you must set up your system using the following procedures.
- Install and set up the Cisco Adaptive Security Appliance (ASA).
- For supported Cisco Adaptive Security Appliance models and other requirements, see the Release Notes.
- For instructions for installing and configuring an ASA, see the Cisco ASA 5500 Series Configuration and Installation Guide list.
- Set up the ASA to support Cisco AnyConnect. Perform the following procedures in order:
- Set up the Unified CM for AnyConnect. See Set Up Automatic VPN Access on the Unified CM.
NoteCisco supports Cisco Jabber for iPhone with Cisco AnyConnect Secure Mobility Client. Although other VPN clients are not officially supported, you may be able to use Cisco Jabber for iPhone with other VPN clients. If you use another VPN client, set up VPN as follows:
- Install and configure the VPN client using the relevant third-party documentation.
- Set up On-Demand VPN using the following procedure: Set Up Automatic VPN Access on the Unified CM.
- Provision Application Profiles
- Automate VPN Connection
- Set Up Certificate-Based Authentication
- Set ASA Session Parameters
- Set Up Tunnel Policies
- Set Up Automatic VPN Access on the Unified CM
Provision Application Profiles
After users download the Cisco AnyConnect client to their device, the ASA must provision a configuration profile to the application.
The configuration profile for the Cisco AnyConnect client includes VPN policy information such as the company ASA VPN gateways, the connection protocol (IPSec or SSL), and on-demand policies.
You can provision application profiles for Cisco Jabber for iPhone in one of the following ways:
- Provision VPN Profiles on ASA
- Provision iOS Devices Using Apple Configuration Profile and iPCU
- Provision iOS Devices Using Apple Configuration Profile and MDM
Provision VPN Profiles on ASA
ProcedureCisco recommends that you use the profile editor on the ASA Device Manager (ASDM) to define the VPN profile for the Cisco AnyConnect client.
When you use this method, the VPN profile is automatically downloaded to the Cisco AnyConnect client after the client establishes the VPN connection for the first time. You can use this method for all devices and OS types, and you can manage the VPN profile centrally on the ASA.
Use the following procedure to define a VPN profile.
Provision iOS Devices Using Apple Configuration Profile and iPCU
ProcedureUse the following procedure to provision iOS devices using an Apple configuration profile that you create with the iPhone Configuration Utility (iPCU). Apple configuration profiles are XML files that contain information such as device security policies, VPN configuration information, and Wi-Fi, mail, and calendar settings.
Step 1 Use iPCU to create an Apple configuration profile. For more information, see the iPCU documentation.
Step 2 Export the XML profile as a .mobileconfig file. Step 3 Email the .mobileconfig file to users. After a user opens the file, it installs the AnyConnect VPN profile and the other profile settings to the client application.
Provision iOS Devices Using Apple Configuration Profile and MDM
ProcedureUse the following procedure to provision iOS devices using an Apple configuration profile that you create with third-party Mobile Device Management (MDM) software. Apple configuration profiles are XML files that contain information such as device security policies, VPN configuration information, and Wi-Fi, mail, and calendar settings.
Automate VPN Connection
When users open Cisco Jabber from outside the corporate Wi-Fi network, Cisco Jabber needs a VPN connection to access the Cisco UC application servers. You can set up the system to allow Cisco AnyConnect Secure Mobility Client to automatically establish a VPN connection in the background, which helps ensure a seamless user experience.
Set Up Connect On-Demand VPN
ProcedureThe Apple iOS Connect On Demand feature enhances the user experience by automating the VPN connection based on the user's domain.
When the user is inside the corporate Wi-Fi network, Cisco Jabber can reach the Cisco UC infrastructure directly. When the user leaves the corporate Wi-Fi network, Cisco AnyConnect automatically detects if it is connected to a domain that you specify in the AnyConnect client profile. If so, the application initiates the VPN to ensure connectivity to the UC infrastructure. All applications on the device including Cisco Jabber can take advantage of this feature.
NoteConnect On Demand supports only certificate-authenticated connections.
The following options are available with this feature:
- Always Connect: Apple iOS always attempts to initiate a VPN connection for domains in this list.
- Connect If Needed: Apple iOS attempts to initiate a VPN connection to the domains in the list only if it cannot resolve the address using DNS.
- Never Connect: Apple iOS never attempts to initiate a VPN connection to domains in this list.
Step 1 Use the ASDM profile editor, iPCU, or MDM software to open the AnyConnect client profile. Step 2 In the AnyConnect client profile, under the Connect if Needed section, enter your list of on-demand domains. The domain list can include wild-card options (for example, cucm.cisco.com, cisco.com, and *.webex.com).
Step 3 In Unified CM, set up the On-Demand VPN URL field in the Cisco Jabber device settings. For detailed steps, see Set Up Automatic VPN Access on the Unified CM.
When Cisco Jabber opens, it initiates a DNS query to the URL (for example, ccm-sjc-111.cisco.com). If this URL matches the On-Demand domain list entry that you defined in this procedure (for example, cisco.com), Cisco Jabber indirectly initiates the AnyConnect VPN connection.
Set Up Certificate-Based Authentication
The Cisco AnyConnect client supports many authentication methods including Microsoft Active Directory/LDAP password, RADIUS-based one-time tokens, and certificates. Of these methods, client certificate authentication provides the most seamless experience.
Set Up ASA for Certificate-Based Authentication
ProcedureASA supports certificates issued by various standard Certificate Authority (CA) servers such as Cisco IOS CA, Microsoft Windows 2003, Windows 2008 R2, Entrust, VeriSign, and RSA Keon.
The following procedure outlines the high-level steps for setting up the ASA for certificate-based authentication. For detailed information, see the "Configuring Digital Certificates" section of the "Configuring Access Control" chapter of the Cisco ASA 5500 Series Configuration Guide using ASDM, 6.4 and 6.6. This document can be found at the following location: http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html.
Step 1 Import a root certificate from the CA to the ASA. Step 2 Generate an identity certificate for the ASA. Step 3 Use the ASA identity certificate for SSL authentication. Step 4 Configure a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP). Step 5 Configure the ASA to request client certificates for authentication.
Distribute Client Certificates
You can issue certificates to Cisco Jabber for iPhone devices using one of the following methods:
Distribute Client Certificate Using SCEP
ProcedureASA supports Simple Certificate Enrollment Protocol (SCEP) to simplify certificate distribution.
The ASA can use SCEP to securely issue and renew a certificate that is used for client authentication. The following is a general overview of this process.
- The first time a remote user opens Cisco AnyConnect, the application authenticates the user with either Active Directory credentials or a one-time token password.
- After the client establishes the VPN, the ASA provides a client profile that includes the SCEP request.
- The Cisco AnyConnect client sends a certificate request and the Certificate Authority (CA) automatically accepts or denies the request.
- If the CA accepts the request:
Distribute Client Certificate Using Mobileconfig File
ProcedureUse this procedure to create an iPhone mobile configuration file that includes a certificate. You can use this file to distribute the certificate to users.
Step 1 Use the iPCU software to create a mobileconfig file and include the certificate (.pfx) file. Step 2 Forward the mobileconfig file to the user. When the user opens the file, the file installs the certificates to the device.
Step 3 Use the Cisco ISE native supplicant provisioning process to distribute user certificates. Step 4 Use the Enterprise MDM software to provision and publish certificates to registered devices.
Set ASA Session Parameters
You can set session parameters on the ASA to define the user experience of Cisco AnyConnect Secure Mobility Client and Cisco Jabber after the VPN connection is established.
ASA session parameters include the following:
- DTLS: DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP. DTLS allows the Cisco AnyConnect client to establish an SSL VPN connection that uses two simultaneous tunnels: an SSL tunnel and a DTLS tunnel. You can use DTLS to avoid latency and bandwidth problems, and to improve the performance of real-time applications such as Cisco Jabber that are sensitive to packet delays. If DTLS is configured and UDP is interrupted, the remote user's connection automatically falls back from DTLS to TLS. DTLS is enabled by default.
- Session Persistence: This parameter allows the VPN session to recover from service disruptions and re-establish the connection. For example, as the user roams from one Wi-Fi network to another Wi-Fi or mobile data network, the Cisco AnyConnect client automatically resumes the VPN session. In addition, you can set up Cisco AnyConnect to re-establish the VPN session after the device resumes from standby, sleep, or hibernation mode.
- Idle Timeout: The Idle Timeout (vpn-idle-timeout) is the time after which if there is no communication activity, the ASA terminates the VPN connection. A very short idle-timeout frequently disrupts the VPN connection and forces the user to re-establish VPN for every call. On the other hand, a large idle-timeout value results in too many concurrent sessions on the ASA. You can set up the Idle Timeout value by group policy.
- Dead-Peer Detection (DPD): This parameter ensures that the ASA gateway or the Cisco AnyConnect client can quickly detect a condition where the peer is not responding and the connection failed. Cisco recommends that you:
Set ASA Session Parameters
Cisco recommends that you set up the ASA session parameters as follows to optimize the end user experience for Cisco AnyConnect Secure Mobility Client.Procedure
Step 1 Set up Cisco AnyConnect to use DTLS. For information about how to set ASA session parameters, see the "Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections" section of the "Configuring AnyConnect Features Using ASDM" chapter of Cisco AnyConnect VPN Client Administrator Guide, Version 2.0. This document can be found at the following location: http://www.cisco.com/en/US/products/ps10884/prod_maintenance_guides_list.html.
Step 2 Set up session persistence (auto-reconnect).
- Use ASDM to open the VPN client profile.
- Set the Auto Reconnect Behavior parameter to Reconnect After Resume.
For detailed information about how to set up session persistence, see the "Configuring Auto Reconnect" section in the "Configuring AnyConnect Features" chapter (Release 2.5) or "Configuring VPN Access" (Releases 3.0 or 3.1) of the Cisco AnyConnect Secure Mobility Client Administrator Guide for your release. The document for your release can be found at the following location: http://www.cisco.com/en/US/products/ps10884/products_installation_and_configuration_guides_list.html.
Step 3 Set the idle timeout value. For detailed information about how to set the idle timeout value, see the "vpn-idle-timeout" section of the Cisco ASA 5580 Adaptive Security Appliance Command Reference for your release. The document for your release can be found at the following location: http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html.
Step 4 Set up Dead Peer Detection (DPD). For detailed information about how to set up DPD, see the "Enabling and Adjusting Dead Peer Detection" subsection of the "Configuring VPN" chapter of the Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6. This document can be found in the following location: http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html.
Set Up Tunnel Policies
Use the following procedure to set up a tunnel policy that specifies how you want to direct traffic in the VPN tunnel.
To set up tunnel policies, you must first determine which type of tunnel policy you want to use. Tunnel policies include the following:
- Full-Tunnel Policy
This is the default tunnel policy. Use this policy if you want the most secure option for Cisco Jabber and Cisco AnyConnect deployments. In case of Full-Tunnel, all the traffic from all the applications on the device is sent over the VPN tunnel to the ASA gateway. Optionally, you can enable the Local LAN Access feature to enable local printing and local network drive mapping.
- Split-Tunnel Policy
Use this policy if you want to direct only Cisco Jabber-specific traffic from your phone to the corporate network. This policy directs traffic based on destination subnets. You can specify which traffic goes over VPN (encrypted) and which traffic goes in the clear (unencrypted).
An associated feature, Split-DNS, defines which DNS traffic to resolve over the VPN tunnel and which DNS traffic to handle with the endpoint DNS resolver.
- Split-Include Policy with Network ACL
Use this policy if you want to:
- Limit the traffic that is sent over the VPN tunnel due to bandwidth concerns.
- Restrict the VPN session to the Cisco Jabber application.
You can use the Split-Include policy on the ASA to specify which traffic goes inside the VPN tunnel based on the destination IP address of the traffic.
You must include the IP subnets of the Cisco Unified CM Cluster, Directory Server, and TFTP Server. Cisco Jabber needs peer-to-peer media connections with any IP phone or computer phone on the corporate Wi-Fi network. Therefore, Cisco recommends that you include the corporate network IP address range in the Split-Include policy. This configuration may not be appropriate for all deployments (for example, if the IP space of your company is not contiguous because of acquisitions and other events).
This policy directs all internal traffic into the tunnel, but can prevent cloud-based services such as Facebook and YouTube from entering the tunnel.
NoteAll application data that is directed to the address range specified in the split-include policy is tunneled, so applications other than Cisco Jabber also have access to the tunnel. To prevent other applications from using the corporate Wi-Fi network, you can apply a VPN filter (Network ACL) that further restricts the available ports.
- Split-Exclude Policy
Use this policy if it is not practical to define the entire subnet required for Split-Include policies. You can use the Split-Exclude policy to prevent any known traffic from the VPN tunnel. For example, if you are concerned about bandwidth, you can add destination subnets for services like NetFlix, Hulu, or YouTube to your split-exclude list.
After you determine which type of tunnel policy you want to use, see the "Configuring Split-Tunneling Attributes" section in the "Configuring Tunnel Groups, Group Policies, and Users" chapter of the Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6. This document can be found at the following location: http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html.
Set Up Automatic VPN Access on the Unified CM
Cisco Jabber can automatically launch VPN if the following requirements are met:
- The corporate network is not directly available when users launch Cisco Jabber.
- The device can connect using VPN.
- You satisfy the requirements and complete the procedure in this topic.
See also information at Apple.com such as:
- Information throughout the iPhone OS Enterprise Deployment Guide at http://support.apple.com/manuals/#iphone
- The iPhone Configuration Utility, available from http://www.apple.com/downloads/macosx/apple/application_updates/iphoneconfigurationutility21forwindows.html
- A list of protocols and authentication methods that are supported on the iPhone at http://support.apple.com/kb/HT1288
- Information about setting up an iPhone to connect to VPN in the iPhone User Guide at http://www.apple.com/support/country/?dest=manuals
- General information at http://www.apple.com/support/iphone/enterprise/
Before You BeginProcedure
- The iPhone must be set up for on-demand access to VPN with certificate-based authentication. For assistance with setting up VPN access, contact the providers of your VPN client and head end.
- Cisco recommends using Cisco AnyConnect Secure Mobility Client for Apple iOS for iPhones running iOS 5.1.1. Requirements for the Cisco AnyConnect VPN solution are as follows:
- Cisco Adaptive Security Appliance Release 8.4 or later
- Cisco AnyConnect Secure Mobility Client Release 2.5 or later For information about setting up Cisco AnyConnect, see http://www.cisco.com/en/US/products/ps8411/prod_maintenance_guides_list.html.
NoteNot all releases of the VPN client are supported with Cisco Jabber. Check the System Requirements in the Release Notes for Cisco Jabber at http://www.cisco.com/en/US/products/ps11596/prod_release_notes_list.html.
- Identify a URL that is set up to launch VPN on demand. Enter the URL in the Cisco AnyConnect client. Cisco Jabber triggers VPN on demand if a DNS query on this domain fails.
Use one of the following methods:
- Configure Unified CM to be accessed through a domain name (not an IP address) and ensure that this domain name is not resolvable outside the firewall. Include this domain in the Connect If Needed list in the Connect On Demand Domain List of the AnyConnect client connection.
- If you cannot use a domain name to access Unified CM or cannot make the DNS lookup of that domain name fail from outside the firewall, set the parameter in the following procedure to a nonexistent domain (that is, a domain that causes a DNS query to fail when the user is inside or outside the firewall). Then add that domain to the “Always Connect” list in the Connect On Demand Domain List of the AnyConnect client connection. The URL must include only the domain name. Do not include a protocol or a path. See the following example for more information:
Step 1 Sign in to the Unified CM Administration portal. Step 2 Navigate to the Cisco Dual Mode for iPhone device page for the user. Step 3 Scroll to the Product Specific Configuration Layout section. Step 4 In the On-Demand VPN URL field, enter the URL that you identified and used in Cisco AnyConnect in the prerequisites for this procedure.
Note The URL must be a domain name only, without a protocol or path.
Step 5 Select Save.
What to Do Next
- If you allowed end-user configuration editing, delete the Phone Services account on the client and then set up the account again. Otherwise, relaunch the client.
- Test this feature.
- Enter this URL into Safari on the iPhone and verify that VPN launches automatically. You should see a VPN icon in the status bar.
- Verify that the iPhone can connect to the corporate network using VPN. For example, access a web page on your corporate intranet. If the iPhone cannot connect, contact the provider of your VPN technology.
- Verify with your IT department that your VPN does not restrict access to certain types of traffic (for example, if the administrator set the system to allow only email and calendaring traffic).
- Verify that you set up Cisco Jabber to connect directly to the corporate network.
