Webex for Cisco BroadWorks Solution Guide

Deployment Overview

The following diagrams represent the typical order of your deployment tasks for the different user provisioning modes. Many of the tasks are common to all provisioning modes.

Shows the order of tasks required for deploying Webex for BroadWorks with flow-through provisioning and trusted emails — Figure 1. Tasks required for deploying flow-through provisioning

Shows the order of tasks required for deploying Webex for BroadWorks with flow-through provisioning without emails — Figure 2. Tasks required for deploying flowthrough provisioning without trusted emails

Shows the order of tasks required for deploying Webex for BroadWorks with self-activation — Figure 3. Tasks required for deploying user self-provisioning

Partner Onboarding for Webex for Cisco BroadWorks

Each Webex for Cisco BroadWorks Service Provider or Reseller needs a to be setup as a Partner Organization for Webex for Cisco BroadWorks. If you have an existing Webex Partner Organization, this can be used.

In order to complete the necessary onboarding, you must execute your Webex Cisco BroadWorks paperwork and new partners must accept the online Indirect Channel Partner Agreement (ICPA). When these steps are completed, Cisco Compliance will create a new Partner Org in Partner Hub (if needed) and send an email with authentication details to the Admin of Record in your paperwork. At the same time, your Partner Activation and/or Customer Success Program Manager will contact you to start your onboarding.

Configure Services on Your Webex for Cisco BroadWorks XSPs

We require that the NPS application be run on a different XSP. Requirements for that XSP are described in Configure Call Notifications from your Network.

You need the following applications / services on your XSPs.


Service/Application	Authentication required	Service/application purpose
Xsi-Events	TLS (server authenticates itself to clients)	Call control, service notifications
Xsi-Actions	TLS (server authenticates itself to clients)	Call control, actions
Device management	TLS (server authenticates itself to clients)	Calling configuration download
Authentication Service	TLS (server authenticates itself to clients)	User authentication
Computer Telephony Integration	mTLS (client and server authenticate each other)	Telephony presence
Call Settings Webview application	TLS (server authenticates itself to clients)	Exposes user call settings in the selfcare portal within the Webex app

This section describes how to apply the required configurations for TLS and mTLS on these interfaces, but you should reference existing documentation to get the applications installed on your XSPs.

Co-Residency Requirements

Authentication Service must be co-resident with Xsi applications, because those interfaces must accept long-lived tokens for service authorization. The authentication service is required to validate those tokens.
Authentication service and Xsi can run on the same port if required.
You may separate the other services/applications as required for your scale (dedicated device management XSP farm, for example).
You may co-locate the Xsi, CTI, Authentication Service, and DMS applications.
Do not install other applications or services on the XSPs that are used for integrating BroadWorks with Webex.
Do not co-locate the NPS application with any other applications.

Xsi Interfaces

Install and configure the Xsi-Actions and Xsi-Events applications as described in Cisco BroadWorks Xtended Services Interface Configuration Guide.

Configure Authentication Service (with CI Token Validation)

Use this procedure to configure the Authentication Service to use CI Token Validation with TLS. This authentication method is recommended if you are running R22 or higher and your system supports it.

Note

Mutual TLS (mTLS) is also supported as an alternative authentication method for the Auth Service. If you have multiple Webex organizations running off the same XSP server, you must use mTLS authentication because CI Token Validation does not support multiple connections to the same XSP Auth Service.

To configure mTLS authentication for the Auth Service instead of CI Token Validation, refer to the Appendix for Configure Services (with mTLS for the Auth Service).

Note

If you currently use mTLS for the Auth Service, it's not mandatory that you reconfigure to use CI Token Validation with TLS.

Obtaining OAuth credentials for your Webex for Cisco BroadWorks.
Install the following patches on each XSP server. Install the patches that are appropriate to your release:
- For R22:
  
  AP.platform.22.0.1123.ap376508
  
  AP.xsp.22.0.1123.ap376508
  
  AP.xsp.22.0.1123.ap368601
- For R23:
  
  AP.xsp.23.0.1075.ap376509
  
  AP.platform.23.0.1075.ap376509
- For R24—no patch required
Install the AuthenticationService application on each XSP service.
1. Run the following command to activate the AuthenticationService application on the XSP to the /authService context path.
  XSP_CLI/Maintenance/ManagedObjects> activate application AuthenticationService 22.0_1.1123/authService
2. Run this command to deploy the AuthenticationService on the XSP:
  XSP_CLI/Maintenance/ManagedObjects> deploy application /authServiceBroadWorks SW Manager deploying /authService...

Configure the Identity Providers by running the following commands on each XSP server:

XSP_CLI/Applications/AuthenticationService/IdentityProviders/Cisco> get

set clientId client-Id-From-Step1
set enabled true
set clientSecret client-Secret-From-Step1
set ciResponseBodyMaxSizeInBytes 65536
set issuerName <URL>—For the URL, enter the IssuerName URL that applies to your CI Cluster. See following table.
set issuerUrl <URL>—For the URL, enter the IssuerUrl that applies to your CI Cluster. See the following table.
set tokenInfoUrl <IdPProxy URL>—Enter the IdP Proxy URL that applies to your Teams Cluster. See the second table that follows.

Table 1. Set issuerName and issuerURL

If CI Cluster is...

Set issuerName and issuerURL to...

US-A

https://idbroker.webex.com/idb

EU

https://idbroker-eu.webex.com/idb

US-B

https://idbroker-b-us.webex.com/idb

Note

If you don't know your CI Cluster, you can obtain the information from the Customer details in Help Desk view of Control Hub.

If Teams Cluster is...

Set tokenInfoURL to...(IdP Proxy URL)

ACHM

https://broadworks-idp-proxy-a.wbx2.com/broadworks-idp-proxy/api/v1/idp/authenticate

AFRA

https://broadworks-idp-proxy-k.wbx2.com/broadworks-idp-proxy/api/v1/idp/authenticate

AORE

https://broadworks-idp-proxy-r.wbx2.com/broadworks-idp-proxy/api/v1/idp/authenticate

Note

If you don't know your Teams Cluster, you can obtain the information from the Customer details in the Help Desk view of Control Hub.
For testing, you can verify that the tokenInfoURL is valid by replacing the "idp/authenticate" portion of the URL with "ping".

Specify the Webex entitlement that must be present in the user profile in Webex by running the following command:

XSP_CLI/Applications/AuthenticationService/IdentityProviders/Cisco/Scopes> set scope broadworks-connector:user
Configure Identity Providers for Cisco Federation using the following commands on each XSP server:

XSP_CLI/Applications/AuthenticationService/IdentityProviders/Cisco/Federation> get
- set flsUrl https://cifls.webex.com/federation
- set refreshPeriodInMinutes 60
- set refreshToken refresh-Token-From-Step1
Run the following command to validate that your FLS configuration is working. This command will return the list of Identity Providers:

XSP_CLI/Applications/AuthService/IdentityProviders/Cisco/Federation/ClusterMap> Get
Configure Token Management using the following commands on each XSP server:
- XSP_CLI/Applications/AuthenticationService/TokenManagement>
- set tokenIssuer BroadWorks
- set tokenDurationInHours 720

Generate and Share RSA Keys. You must generate keys on one XSP then copy them to all other XSPs. This is due to the following factors:

You must use the same public/private key pairs for token encryption/decryption across all instances of the authentication service.
The key pair is generated by the authentication service when it is first required to issue a token.

Note

If you cycle keys or change the key length, you need to repeat the following configuration and restart all the XSPs.

Select one XSP to use for generating a key pair.
Use a client to request an encrypted token from that XSP, by requesting the following URL from the client’s browser:

https://<XSP-IPAddress>/authService/token?key=BASE64URL(clientPublicKey)

(This generates a private / public key pair on the XSP, if there wasn’t one already)
The key store location is not configurable. Export the keys:

XSP_CLI/Applications/authenticationService/KeyManagement> exportKeys
Copy the exported file /var/broadworks/tmp/authService.keys to the same location on the other XSPs, overwriting an older .keys file if necessary.
Import the keys on each of the other XSPs:

XSP_CLI/Applications/authenticationService/KeyManagement> importKeys /var/broadworks/tmp/authService.keys

Provide the authService URL to the web container. The XSP’s web container needs the authService URL so it can validate tokens. On each of the XSPs:
1. Add the authentication service URL as an external authentication service for the BroadWorks Communications Utility:
  
  XSP_CLI/System/CommunicationUtility/DefaultSettings/ExternalAuthentication/AuthService> set url http://127.0.0.1/authService
2. Add the authentication service URL to the container:
  
  XSP_CLI/Maintenance/ContainerOptions> add tomcat bw.authservice.authServiceUrl http://127.0.0.1/authService
  
  This enables Webex to use the Authentication Service to validate tokens presented as credentials.
3. Check the parameter with get.
4. Restart the XSP.

Remove Client Authentication Requirement for Auth Service (R24 only)

If you have the Authentication Service configured with CI Token validation on R24, you also need to remove the Client Authentication Requirement for the Authentication Service. Run the following CLI command:

ADP_CLI/Interface/Http/SSLCommonSettings/ClientAuthentication/WebApps> set <interfaceIp> <port> AuthenticationService clientAuthReq false

Configuring TLS and Ciphers on the HTTP Interfaces (for XSI and Authentication Service)

The Authentication Service, Xsi-Actions, and Xsi-Events applications use HTTP server interfaces. Levels of TLS configurability for these applications are as follows:

Most general = System > Transport > HTTP > HTTP Server interface = Most specific

The CLI contexts you use to view or modify the different SSL settings are:


Specificity	CLI context
System (global)	`XSP_CLI/System/SSLCommonSettings/JSSE/Ciphers>` `XSP_CLI/System/SSLCommonSettings/JSSE/Protocols>`
Transport protocols for this system	`XSP_CLI/System/SSLCommonSettings/OpenSSL/Ciphers>` `XSP_CLI/System/SSLCommonSettings/OpenSSL/Protocols>`
HTTP on this system	`XSP_CLI/Interface/Http/SSLCommonSettings/Ciphers>` `XSP_CLI/Interface/Http/SSLCommonSettings/Protocols>`
Specific HTTP server interfaces on this system	`XSP_CLI/Interface/Http/HttpServer/SSLSettings/Ciphers>` `XSP_CLI/Interface/Http/HttpServer/SSLSettings/Protocols>`

Reading HTTP Server TLS Interface Configuration on the XSP

Sign in to the XSP and navigate to XSP_CLI/Interface/Http/HttpServer>
Enter the get command and read the results. You should see the interfaces (IP addresses) and, for each, whether they are secure and whether they require client authentication.

Apache tomcat mandates a certificate for each secure interface; the system generates a self-signed certificate if it needs one.

XSP_CLI/Interface/Http/HttpServer> get

Adding TLS 1.2 Protocol to the HTTP Server Interface

The HTTP interface that is interacting with the Webex Cloud must be configured for TLSv1.2. The cloud does not negotiate earlier versions of the TLS protocol.

To configure the TLSv1.2 protocol on the HTTP Server interface:

Sign in to the XSP and navigate to XSP_CLI/Interface/Http/HttpServer/SSLSettings/Protocols>
Enter the command get <interfaceIp> 443 to see which protocols are already used on this interface.
Enter the command add <interfaceIp> 443 TLSv1.2 to ensure that interface can use TLS 1.2 when communicating with the cloud.

Editing TLS Ciphers Configuration on the HTTP Server Interface

To configure the required ciphers:

Sign in to the XSP and navigate to XSP_CLI/Interface/Http/HttpServer/SSLSettings/Ciphers>
Enter the command get <interfaceIp> 443 to see which ciphers are already used on this interface. There must be at least one from the Cisco recommended suites (see XSP Identity and Security Requirements in the Overview section).

Enter the command add <interfaceIp> 443 <cipherName> to add a cipher to the HTTP Server interface.

Note

The XSP CLI requires the IANA standard cipher suite name, not the openSSL cipher suite name. For example, to add the openSSL cipher ECDHE-ECDSA-CHACHA20-POLY1305 to the HTTP server interface, you would use: XSP_CLI/Interface/Http/HttpServer/SSLSettings/Ciphers>add 192.0.2.7 443 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

See https://ciphersuite.info/ to find the suite by either name.

Configure Device Management on XSP, Application Server, and Profile Server

Profile Server and XSP are mandatory for Device Management. They must be configured according to instructions in the BroadWorks Device Management Configuration Guide.

CTI Interface and Related Configuration

The “inmost to outmost” configuration order is listed below. Following this order is not mandatory.

Configure Application Server for CTI Subscriptions
Configure XSPs for mTLS Authenticated CTI Subscriptions
Open Inbound Ports for Secure CTI Interface
Subscribe Your Webex Organization to BroadWorks CTI Events

Configure Application Server for CTI Subscriptions

Update the ClientIdentity on Application Server with the common name (CN) of the Webex for Cisco BroadWorks CTI client certificate.

For each Application Server you are using with Webex, add the certificate identity to the ClientIdentity as follows:

AS_CLI/System/ClientIdentity> add bwcticlient.webex.com

Note

The common name of the Webex for Cisco BroadWorks client certificate is bwcticlient.webex.com.

Configure TLS and Ciphers on the CTI Interface

The levels of configurability for the XSP CTI interface are as follows:

Most general = System > Transport > CTI Interfaces > CTI interface = Most specific

The CLI contexts you use to view or modify the different SSL settings are:


Specificity	CLI Context
System (global) (R22 and later)	XSP_CLI/System/SSLCommonSettings/JSSE/Ciphers> XSP_CLI/System/SSLCommonSettings/JSSE/Protocols>
Transport protocols for this system (R22 and later)	XSP_CLI/System/SSLCommonSettings/OpenSSL/Ciphers> XSP_CLI/System/SSLCommonSettings/OpenSSL/Protocols>
All CTI interfaces on this system (R22 and later)	XSP_CLI/Interface/CTI/SSLCommonSettings/Ciphers> XSP_CLI/Interface/CTI/SSLCommonSettings/Protocols>
A specific CTI interface on this system (R22 and later)	XSP_CLI/Interface/CTI/CTIServer/SSLSettings/Ciphers> XSP_CLI/Interface/CTI/CTIServerSSLSettings/Protocols>

Note

On a fresh install, the following ciphers are installed by default at the system level. If nothing is configured at the interface level (for example, at the CTI interface or HTTP interface), this cipher list applies. Note that this list may change over time:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

Reading CTI TLS Interface Configuration on the XSP

Sign in to the XSP and navigate to XSP_CLI/Interface/CTI/CTIServer>

Enter the get command and read the results. You should see the interfaces (IP addresses) and, for each, whether they require a server certificate and whether they require client authentication.

XSP_CLI/Interface/CTI/CTIServer> get
  Interface IP  Port  Secure  Server Certificate  Client Auth Req
=================================================================
  10.155.6.175  8012    true                true             true

Adding TLS 1.2 Protocol to the CTI Interface

The XSP CTI interface that is interacting with the Webex Cloud must be configured for TLS v1.2. The cloud does not negotiate earlier versions of the TLS protocol.

To configure the TLSv1.2 protocol on the CTI interface:

Sign in to the XSP and navigate to XSP_CLI/Interface/CTI/CTIServer/SSLSettings/Protocols>
Enter the command get <interfaceIp> to see which protocols are already used on this interface.
Enter the command add <interfaceIp> TLSv1.2 to ensure that interface can use TLS 1.2 when communicating with the cloud.

Editing TLS Ciphers Configuration on the CTI Interface

To configure the required ciphers on the CTI interface:

Sign in to the XSP and navigate to XSP_CLI/Interface/CTI/CTIServer/SSLSettings/Ciphers>
Enter the get command to see which ciphers are already used on this interface. There must be at least one from the Cisco recommended suites (see XSP Identity and Security Requirements in the Overview section).

Enter the command add <interfaceIp> <cipherName> to add a cipher to the CTI interface.

Note

The XSP CLI requires the IANA standard cipher suite name, not the openSSL cipher suite name. For example, to add the openSSL cipher ECDHE-ECDSA-CHACHA20-POLY1305 to the CTI interface, you would use: XSP_CLI/Interface/CTI/CTIServer/SSLSettings/Ciphers> add 192.0.2.7 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

See https://ciphersuite.info/ to find the suite by either name.

Update Trust Anchors for CTI Interface (R22 and later)

This procedure assumes the XSPs are either internet-facing or face the internet via pass-through proxy. The certificate configuration is different for a bridging proxy (see TLS Certificate Requirements for TLS-bridge Proxy).

For each XSP in your infrastructure that is publishing CTI events to Webex, do the following:

Sign in to Partner Hub.

Go to Settings > BroadWorks Calling and click Download Webex CA Certificate to get CombinedCertChain.txt on your local computer.

Note

This file contains two certificates. You need to split the file before you upload it to the XSPs.

Split the certificate chain into two certificates:
1. Open combinedcertchain.txt in a text editor.
2. Select and cut the first block of text, including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, and paste the text block into a new file.
3. Save the new file as broadcloudroot.txt.
4. Save the original file as broadcloudissuing.txt.
  
  The original file should now only have one block of text, surrounded by the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Copy both text files to a temporary location on the XSP you are securing, e.g. /tmp/broadcloudroot.txt and /tmp/broadcloudissuing.txt.
Sign in to the XSP and navigate to /XSP_CLI/Interface/CTI/SSLCommonSettings/ClientAuthentication/Trusts>
(Optional) Run help updateTrust to see the parameters and command format.

Upload the certificate files to new trust anchors:

XSP_CLI/Interface/CTI/SSLCommonSettings/ClientAuthentication/Trusts> updateTrust webexroot /tmp/broadcloudroot.txt

XSP_CLI/Interface/CTI/SSLCommonSettings/ClientAuthentication/Trusts> updateTrust webexissuing /tmp/broadcloudissuing.txt

Note

webexroot and webexissuing are example aliases for the trust anchors; you can use your own.

Confirm the anchors are updated:

XSP_CLI/Interface/CTI/SSLCommonSettings/ClientAuthentication/Trusts> get

  Alias   Owner                                   Issuer
=============================================================================
webexissuing    BroadCloud Commercial Issuing CA – DA3     BroadCloud Commercial Trusted Root CA
webexroot       BroadCloud Commercial Trusted Root CA      BroadCloud Commercial Trusted Root CA[self-signed]

Allow clients to authenticate with certificates:

XSP_CLI/System/CommunicationUtility/DefaultSettings/ExternalAuthentication/CertificateAuthentication> set allowClientApp true

Add CTI Interface and Enable mTLS

Add the CTI SSL interface.

The CLI context depends on your BroadWorks version. The command creates a self-signed server certificate on the interface, and forces the interface to require a client certificate.
- On BroadWorks R22 and R23:
  
  XSP_CLI/Interface/CTI/CTIServer> add <Interface IP> 8012 true true true
Replace the server certificate and key on the XSP's CTI interfaces. You need the IP address of the CTI interface for this; you can read it from the following context:
- On BroadWorks R22 and R23:
  
  XSP_CLI/Interface/CTI/CTIServer> get
  
  Then run the following commands to replace the interface’s self-signed certificate with your own certificate and private key:
  
  XSP_CLI/Interface/CTI/CTIServer/SSLSettings/Certificates> sslUpdate <interface IP> keyFile</path/to/certificate key file> certificateFile </path/to/server certificate> chainFile</path/to/chain file>
Restart the XSP.

Enable Access to BroadWorks CTI Events on Webex

You need to add and validate the CTI interface when you configure your clusters in Partner Hub. See Configure Your Partner Organization in Partner Hub for detailed instructions.

Specify the CTI address by which Webex can subscribe to BroadWorks CTI Events.
CTI subscriptions are on a per-subscriber basis and are only established and maintained while that subscriber is provisioned for Webex for Cisco BroadWorks.

Call Settings Webview

Call Settings Webview (CSWV) is an application hosted on XSP (or ADP) to enable users to modify their BroadWorks call settings through a webview that they see in the soft client. See the Cisco BroadWorks Call Settings Webview Solution Guide.

Webex makes use of this feature to provide users with access to common BroadWorks call settings that are not native to the Webex App.

If you want your Webex for Cisco BroadWorks subscribers to access call settings beyond the defaults available in the Webex app, you need to deploy Call Settings Webview feature.

Call Settings Webview has two components:

Call Settings Webview application, hosted on a Cisco BroadWorks XSP (or ADP).
The Webex App, which renders the call settings in a Webview.

User Experience

Windows users: Click Call Settings and then click Open Call Preferences > Advanced Call Settings.
Mac users: Click profile picture, then Preferences > Advanced Call Settings.

Deploy CSWV on BroadWorks

Install Call Settings Webview on XSPs

CSWV application must be on the same XSP(s) that host the Xsi-Actions interface in your environment. It is an unmanaged application on XSP, so you need to install and deploy a web archive file.

Sign in to Xchange and search for "BWCallSettingsWeb" in the software download section.
Find and download the most recent version of the file.

For example, BWCallSettingsWeb_1.8.2_1.war (https://software.cisco.com/download/home/286326302/type/286326345/release/RI.2022.04) was the most recent at the time of writing.
Install, activate, and deploy the web archive according to the Cisco BroadWorks Xtended Service Platform Configuration Guide for your XSP version. (R24 version is https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/broadworks/Design/XSP/BW-XtendedServicesInterfaceConfigGuide.pdf).
1. Copy the .war file to a temporary location on the XSP, such as /tmp/.
2. Navigate to the following CLI context and run the install command:
  
  XSP_CLI/Maintenance/ManagedObjects> install application /tmp/BWCallSettingsWeb_1.7.5_1.war
  
  The BroadWorks software manager validates and installs the file.
3. [Optional] Delete /tmp/BWCallSettingsWeb_1.7.5_1.war (this file is no longer required).
4. Activate the application:
  
  XSP_CLI/Maintenance/ManagedObjects> activate application BWCallSettingsWeb 1.7.5 /callsettings
  
  The name and version are mandatory for any application, but for CSWV you must also provide a contextPath because it is an unmanaged application. You can use any value that is not used by another application, for example, /callsettings.
5. Deploy the Call Settings application on the selected context path:
  
  XSP_CLI/Maintenance/ManagedObjects> deploy application /callsettings
You can now predict the call settings URL that you will specify for clients, as follows:

https://<XSP-FQDN>/callsettings/

Notes:
- You must supply the trailing slash on this URL when you enter it in the client configuration file.
- The XSP-FQDN must match the Xsi-Actions FQDN, because CSWV needs to use Xsi-Actions, and CORS is not supported.
Repeat this procedure for other XSPs in your Webex for Cisco BroadWorks environment (if necessary).

The Call Settings Webview application is now active on the XSPs.

Configure the Webex App to use Call Settings Webview

For more detail on client configuration, see Webex for Cisco BroadWorks Configuration Guide.

There's a custom tag in the Webex app configuration file that you can use to set the CSWV URL. This URL shows the call settings to the users through the application interface.

<config>
    <services>
        <web-call-settings target="%WEB_CALL_SETTINGS_TARGET_WXT%">
            <url>%WEB_CALL_SETTINGS_URL_WXT%</url>
        </web-call-settings>

In the Webex app configuration template on BroadWorks, configure the CSWV URL in the %WEB_CALL_SETTINGS_URL_WXT% tag.

If you don't explicitly specify the URL, the default is empty and the call settings page isn't visible to the users.

Make sure you have the latest configuration templates for the Webex app (see Device Profiles).
Set the Web Call Settings Target to csw:

%WEB_CALL_SETTINGS_TARGET_WXT% csw
Set the Web Call Settings URL for your environment, for example:

%WEB_CALL_SETTINGS_URL_WXT% https://yourxsp.example.com/callsettings/

You derived this value when deploying the CSWV application.

The resulting client configuration file should have an entry as follows:

<web-call-settings target="csw">
    <url>https://yourxsp.example.com/callsettings/</url>
</web-call-settings>

Configure Call Push Notifications in Webex for Cisco BroadWorks

In this document we use the term Call Notifications Push Server (CNPS) to describe an XSP-hosted, or ADP-hosted application that runs in your environment. Your CNPS works with your BroadWorks system to be aware of incoming calls to your users, and pushes notifications of those to the Google Firebase Cloud Messaging (FCM) or Apple Push Notification service (APNs) notification services.

Those services notify the mobile devices of Webex for Cisco BroadWorks subscribers that they have incoming calls on Webex.

For more information about NPS, see the Notification Push Server Feature Description.

A similar mechanism in Webex works with Webex messaging and presence services to push notifications to the Google (FCM) or Apple (APNS) notification services. Those services in turn notify the mobile Webex users of incoming messages or presence changes.

Note

This section describes how to configure NPS for authentication proxy when the NPS does not already support other apps. If you need to migrate a shared NPS to use NPS proxy, see Updating Cisco BroadWorks NPS to Use NPS Proxy https://help.webex.com/nl5rir2/.

NPS Proxy Overview

For compatibility with Webex for Cisco BroadWorks, your CNPS must be patched to support the NPS Proxy feature, Push Server for VoIP in UCaaS.

The feature implements a new design in the Notification Push Server to resolve the security vulnerability of sharing push notification certificate private keys with service providers for mobile clients. Instead of sharing push notification certificates and keys with the service provider, the NPS uses a new API to obtain a short-lived push notification token from Webex for Cisco BroadWorks backend, and uses this token for authentication with the Apple APNs and Google FCM services.

The feature also enhances the capability of the Notification Push Server to push notifications to Android devices through the new Google Firebase Cloud Messaging (FCM) HTTPv1 API.

For more information, see the Push Server for VoIP in UCaaS Feature Description.

The BroadWorks patches for the feature are available on: https://software.cisco.com/download/home/286326302/type/286326345/release/RI.2022.04.

For NPS software and patches, see the section Prepare Your NPS for Webex for Cisco BroadWorks.

Note

Search and download the patch from the software download page.

More information on the ADP server can be found at https://www.cisco.com/c/en/us/support/unified-communications/broadworks-application-delivery-platform/model.html.

APNS Considerations

Apple will no longer support the HTTP/1-based binary protocol on the Apple Push Notification service after March 31, 2021. We recommend that you configure your XSP to use the HTTP/2-based interface for APNs. This update requires that your XSP hosting the NPS be running R22 or later.

Prepare Your NPS for Webex for Cisco BroadWorks

Procedure

Step 1	Install and configure a dedicated XSP (minimum version R22), or Application Delivery Platform (ADP).
Step 2	Install the NPS Authentication Proxy patches: XSP R22 patches: AP.xsp.22.0.1123.ap369607 AP.platform.22.0.1123.ap369607 AP.xsp.22.0.1123.ap374677 AP.xsp.22.0.1123.ap375206 AP.xsp.22.0.1123.ap354313 AP.platform.22.0.1123.ap354313 XSP R23 patches: AP.xsp.23.0.1075.ap369607 AP.platform.23.0.1075.ap369607 AP.xsp.23.0.1075.ap374677 AP.xsp.23.0.1075.ap375206
Step 3	Activate the Notification Push Server application.
Step 4	(For Android notifications) Enable the FCM v1 API on the NPS. `XSP_CLI/Applications/NotificationPushServer/FCM> set V1Enabled true`
Step 5	(For Apple iOS notifications) Enable HTTP/2 on the NPS. `XSP_CLI/Applications/NotificationPushServer/APNS/GeneralSettings> set HTTP2Enabled true`
Step 6	Attach a techsupport from the NPS XSP/ADP.

What to do next

For fresh installs of an NPS, go to Configure NPS to Use Authentication Proxy

To migrate an existing Android deployment to FCMv1, go to Migrate NPS to FCMv1

Configure NPS to Use Authentication Proxy

This task applies to a new installation of NPS, dedicated to Webex for Cisco BroadWorks.

If you want to configure the authentication proxy on an NPS that is shared with other mobile apps, see Updating Cisco BroadWorks NPS to Use NPS Proxy (https://help.webex.com/nl5rir2).

Procedure

Step 1

Obtaining OAuth credentials for your Webex for Cisco BroadWorks.

Step 2

Create the client account on the NPS:

XSP_CLI/Applications/NotificationPushServer/CiscoCI/Client> set clientId client-Id-From-Step1

XSP_CLI/Applications/NotificationPushServer/CiscoCI/Client> set clientSecret
New Password: client-Secret-From-Step1

XSP_CLI/Applications/NotificationPushServer/CiscoCI/Client> set RefreshToken
New Password: Refresh-Token-From-Step1

To verify the values you entered match with what you were given, run XSP_CLI/Applications/NotificationPushServer/CiscoCI/Client> get

Note

The CiscoCI issuerUrl should ALWAYS be US CI cluster irrespective of your location and the default should be:

XSP_CLI/Applications/NotificationPushServer/CiscoCI> get issuerUrl = https://idbroker.webex.com/idb

Step 3

Enter the NPS Proxy URL, and set the token refresh interval (30 minutes recommended):

XSP_CLI/Applications/NotificationPushServer/CloudNPSService> set url https://nps.uc-one.broadsoft.com/nps/

XSP_CLI/Applications/NotificationPushServer/CloudNPSService> set VOIPTokenRefreshInterval 1800

Step 4

(For Android notifications) Add the Android application ID to the FCM applications context on the NPS.

XSP_CLI/Applications/NotificationPushServer/FCM/Applications> add com.cisco.wx2.android

Step 5

(For Apple iOS notifications) Add the application ID to the APNS applications context, making sure to omit the Auth key – set it to empty.

XSP_CLI/Applications/NotificationPushServer/APNS/Production/Tokens> add com.cisco.squared

Step 6

Configure the following NPS URLs:


XSP CLI Context	Parameter	Value
`XSP_CLI/Applications/` `NotificationPushServer/FCM>`	`authURL`	https://www.googleapis.com/oauth2/v4/token
	`pushURL`	https://fcm.googleapis.com/v1/projects/PROJECT-ID/messages:send
	`scope`	https://www.googleapis.com/auth/firebase.messaging
`XSP_CLI/Applications/NotificationPushServer` `/APNS/Production>`	`url`	https://api.push.apple.com/3/device

Step 7

Configure the following NPS connection parameters to the recommended values shown:


XSP CLI Context	Parameter	Value
`XSP_CLI/Applications/` `NotificationPushServer/FCM>`	`tokenTimeToLiveInSeconds`	3600
	`connectionPoolSize`	10
	`connectionTimeoutInMilliseconds`	3600
	`connectionIdleTimeoutInSeconds`	600
`XSP_CLI/Applications/NotificationPushServer/` `APNS/Production>`	`connectionTimeout`	300
	`connectionPoolSize`	2
	`connectionIdleTimeoutInSeconds`	600

Step 8

Check if the Application Server is screening application IDs, because you may need to add the Webex apps to the allow list:

Run AS_CLI/System/PushNotification> get and check the value of enforceAllowedApplicationList. If it is true, you need to complete this sub task. Otherwise, skip the rest of the sub task.
AS_CLI/System/PushNotification/AllowedApplications> add com.cisco.wx2.android “Webex Android”
AS_CLI/System/PushNotification/AllowedApplications> add com.cisco.squared “Webex iOS”

Step 9

Restart the XSP: bwrestart

Step 10

Test call notifications by making calls from a BroadWorks subscriber to two Webex mobile users. Verify that call notification appears on iOS and Android devices.

Migrate NPS to FCMv1

This topic contains optional procedures that you can use in Google FCM Console when you have an existing NPS deployment that you need to migrate to FCMv1. There are three procedures:

Migrate UC-One clients to FCMv1—When you have existing UCaaS clients and need to migrate them to use FCMv1.
Migrate SaaS Clients to FCMv1—When you have existing SaaS clients and need to migrate them to use FCMv1.
Update ADP Server—When you are migrating the NPS to an ADP server.

Migrate UC-One Clients to FCMv1

Use the below steps in Google FCM Console to migrate UC-One clients to Google FCM HTTPv1.

Note

If branding is applied to the client, the client must have the Sender ID. In the FCM Console, see Project Settings > Cloud Messaging. The setting appears in the Project credentials table.

For details, see the Connect Mobile Branding Guide at https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/UC-One/UC-One-Collaborate/Connect/Mobile/IandO/ConnectBrandingGuideMobile-R3_8_3.pdf?. Refer to the gcm_defaultSenderId parameter, which is located in the Branding Kit, Resource folder, branding.xml file with the below syntax:

<string name="gcm_defaultSenderId">xxxxxxxxxxxxx</string>

Log into FCM Admin SDK at http://console.firebase.google.com.
Select the appropriate Android application.
In the General tab, record the project ID
Navigate to the service accounts tab to configure a service account. You can create a new service account or configure an existing one.

To create a new Service Account:
1. Click the blue button for create new service account
2. Click on the blue button to generate a new private key
3. Download key to a secure location
To reuse an existing service account:
1. Click on the blue text to view existing service accounts.
2. Identify the service account to use. Service account needs permission firebaseadmin-sdk.
3. On the very right, click the hamburger menu and create a new private key.
4. Download the json file that contains the key and save to a secure location.
Copy the json file onto the XSP.

Configure the project ID and :

XSP_CLI/Applications/NotificationPushServer/FCM/Projects> add <project id> <path/to/json-key-file>
...Done

XSP_CLI/Applications/NotificationPushServer/FCM/Projects> get
  Project ID  Accountkey
========================
  my_project    ********

Configure the application:

XSP_CLI/Applications/NotificationPushServer/FCM/Applications> add <app id> projectId <project id>
...Done

XSP_CLI/Applications/NotificationPushServer/FCM/Applications> get
  Application ID    Project ID
==============================
          my_app    my_project

Enable FCMv1:

XSP_CLI/Applications/NotificationPushServer/FCM> set V1Enabled true
...Done

Run the bwrestart command to restart the XSP.

Migrate SaaS Clients to FCMv1

Use the below steps on Google FCM Console if you want to migrate SaaS clients to FCMv1.

Note

Make sure that you have already completed the procedure "Configure NPS to Use Authentication Proxy".

Disable FCM:

XSP_CLI/Applications/NotificationPushServer/FCM> set V1Enabled false
...Done

Run the bwrestart command to restart the XSP.

Enable FCM:

XSP_CLI/Applications/NotificationPushServer/FCM> set V1Enabled true
...Done

Run the bwrestart command to restart the XSP.

Update ADP Server

Use the below steps in Google FCM Console if you are migrating the NPS to use an ADP server.

Get the JSON file from the Google Cloud Console:
1. On the Google Cloud Console, go to the Service Accounts page.
2. Click Select a project, choose your project and click Open.
3. Find the row of the service account that you want to create a key for, click the More vertical button, then click Create key.
4. Select a Key type and click Create
  
  The file downloads.
Add FCM to the ADP server:
1. Import the JSON file to the ADP server using the /bw/install command.
2. Login to the ADP CLI and add Project and API key:
  
  ADP_CLI/Applications/NotificationPushServer/FCM/Projects> add connect /bw/install/google JSON :
3. Next, add the Application and key:
  
  ADP_CLI/Applications/NotificationPushServer/FCM/Applications> add com.broadsoft.ucaas.connect projectId connect-ucaas...Done
4. Verify the configuration:
```
ADP_CLI/Applications/NotificationPushServer/FCM/Projects> g
Project ID Accountkey
========================
connect-ucaas ********

ADP_CLI/Applications/NotificationPushServer/FCM/Applications> g
Application ID Project ID
===================================
com.broadsoft.ucaas.connect connect-ucaas
```

Configure Your Partner Organization in Partner Hub

Configure Your BroadWorks Clusters

[once per cluster]

This is done for the following reasons:

To enable Webex cloud to authenticate your users against BroadWorks (via XSP-hosted authentication service).
To enable Webex apps to use Xsi interface for call control.
To enable Webex to listen for CTI events published by BroadWorks (telephony presence and call history).

Note

The cluster wizard automatically validates the interfaces as you add them. You can continue editing the cluster if any of the interfaces do not validate successfully, but you cannot save a cluster if there are invalid entries.

We prevent this because a misconfigured cluster could cause issues that are difficult to solve.

What you need to do:

Sign in to Partner Hub (admin.webex.com) with your partner administrator credentials.
Open Settings page from the side menu, and find BroadWorks Calling settings.
Click Add Cluster.

This launches a wizard where you supply your XSP interfaces (URLs). You can add a port to the interface URL if you are using a non-standard port.
Name this cluster and click Next.

The cluster concept here is simply a collection of interfaces, typically collocated on an XSP server or farm, that enable Webex to read information from your Application Server (AS). You may have one XSP per AS cluster, or multiple XSPs per cluster, or multiple AS clusters per XSP. Scale requirements for your BroadWorks system are out of scope here.
(Optional) Enter a BroadWorks user Account Name and Password that you know is within the BroadWorks system you are connecting to Webex, then click Next.

The validation tests can use this account to validate the connections to the interfaces in the cluster.
Add your XSI Actions and XSI Events URLs.
Optional. Update the DAS URL with the URL of the Device Activation Service.
Optional. Check the Enable direct BroadWorks authentication check box if you want logins to BroadWorks to be direct to BroadWorks. Otherwise, authentication to BroadWorks is proxied through the Webex-hosted IdP proxy service.

This check box affects these login situations:
- User Activation Portal login—Users must enter their BroadWorks credentials when logging in to the portal. The above setting determines if the login is direct to BroadWorks or is through the IdP Proxy.
- Client Login—If BroadWorks Authentication is configured in the Customer Template, the above setting determines if client login to the Webex App is direct to BroadWorks or is proxied through the IdP Proxy.
Click Next.
On the CTI Interface page, do the following:
1. Add the CTI URL and Port for the CTI interface to which you want to connect.
2. Optional. Enable the Call History toggle and then enter your BroadWorks user ID. When this option is selected, BroadWorks call history events get synced to the Webex cloud. Users can view their call history on the Webex App.
3. Optional. Enable the Do not disturb (DND) sync toggle and then enter your BroadWorks user ID. This option syncs DND events between Webex and BroadWorks, ensuring that the feature works the same on both platforms.
4. Click Next.
Add your Authentication Service URL.
Select Auth Service with CI token validation.

This option does not require mTLS to protect the connection from Webex, because the Authentication Service properly validates the user token against the Webex identity service before it issues the long-lived token to the user.
Review your entries on the final screen, and then click Create. You should see a success message.

Partner Hub passes the URLs to various Webex microservices that test the connections to the supplied interfaces.
Click View Clusters and you should see your new cluster, and whether the validation succeeded.
The Create button may be disabled on the final (preview) screen of the wizard. If you cannot save the template, it indicates a problem with one of the integrations you just configured.

We implemented this check to prevent errors in subsequent tasks. You can go back through the wizard as you configure your deployment, which may require modifications to your infrastructure (e.g. XSP, load balancer, or firewall) as documented in this guide, before you can save the template.

Checking the Connections to Your BroadWorks Interfaces

Sign in to Partner Hub (admin.webex.com) with your partner administrator credentials.
Open Settings page from the side menu, and find BroadWorks Calling settings.
Click View Clusters.
Partner Hub initiates connectivity tests from the various microservices towards the interfaces in the clusters.

After the tests complete, the cluster list page shows status message next to each cluster.

You should see green Success messages. If you see a red Error message, click the affected cluster name to see which setting is causing the problem.
Optional. Select a cluster if you want to see existing settings for that cluster, such as XSI-Actions, XSI-Events, DAS URL and the CTI interface settings.

Configure your Customer Templates

Customer templates are the way that you will apply shared configuration to one or more customers as you onboard them via the provisioning methods. You must associate each template with a cluster (that you created in previous section).

You can create as many templates as you need, but only one template can be associated with a customer.

Sign in to Partner Hub (admin.webex.com) with your partner administrator credentials.
Open Settings page from the side menu, and find BroadWorks Calling settings.
Click Add Template.

This launches a wizard where you can supply configuration for customers that will use this template.
Use the Cluster dropdown to choose the cluster you want to use with this template.
Enter a Template Name, then click Next.

Configure your provisioning mode, using these recommended settings:

Table 3. Recommended Provisioning Settings for Different Provisioning Modes
Setting Name	Flowthrough provisioning with trusted emails	Flowthrough provisioning without emails	User self-provisioning
Enable BroadWorks Flow Through Provisioning (include provisioning account credentials if On**)	On Supply the provisioning Account Name and Password as per BroadWorks configuration.	On Supply the provisioning Account Name and Password as per BroadWorks configuration.	Off
Automatically Create New Organizations in Control Hub	On^†	On^†	On^†
Service Provider Email Address	Select an email address from the dropdown (you can type some characters, to find the address if it's a long list). This email address identifies the administrator within your Partner organization who will be granted delegated admin access to any new customer organizations created with the customer template.
Country	Choose which country you use for this template. The country you choose matches customer organizations that are created with this template to a particular region. At present, the region could be (EMEAR) or (North America and rest of world). See the country to region mappings in this spreadsheet.
BroadWorks Enterprise Mode Active	Enable this if the customers you provision with this template are enterprises in BroadWorks. If they are groups, leave this switch off. If you have a mix of enterprises and groups in your BroadWorks, you should create different templates for those different cases.

Notes from the table:

† This switch ensures that a new customer organization is created if a subscriber’s email domain does not match an existing Webex organization.

This should always be on, unless you are using a manual ordering and fulfilment process (via Cisco Commerce Workspace) to create customer organizations in Webex (before you start provisioning users in those organizations). That option is often referred to as the "Hybrid Provisioning" model, and is out of the scope of this document.
** "Provisioning account" refers to the BroadWorks system-level admin account. On BroadWorks, you need an admin account with these attributes: Administrator Type=Provisioning, Read-only=Off.

Select the default services package for customers using this template (see Packages in the Overview section); either Basic, Standard, Premium or Softphone.

You can override this setting for individual users via Partner Hub.
Optional. Check Disable Cisco Webex Free Calling if you want to disable Webex Calls,.
For Meeting Join Configuration, select one of the following options:
- Cisco Call-in Numbers (PSTN)
- Partner-provided Call-in Numbers (BYoPSTN)—If you select this option, refer the Bring Your Own PSTN Solution Guide for Webex for Cisco BroadWorks for detailed information on how to configure this option.
Click Next.

Configure the way users verify their identies to Webex. The settings on this page correspond with your chosen user provisioning mode as shown in the table:

Table 4. Recommended User Verification Settings for Different Provisioning Modes
Setting Name	Flowthrough provisioning with trusted emails	Flowthrough provisioning without emails	User self-provisioning
User Verification	Trust BroadWorks emails	Untrusted Emails	Untrusted Emails
First user provisioned is admin	Recommended*	Recommended*	Not applicable
Allow users to self activate	Not applicable	Not applicable	Required

Notes from the table:
* The first user to whom you assign Integrated IM&P in BroadWorks takes the customer administrator role if a new customer organization is created in Webex. Choose this setting to give you some control over who takes the role. If you uncheck this setting, then the first user to become active in the new organization becomes the customer administrator.

You can modify the customer user roles in Partner Hub after provisioning, if necessary.

Click Next.

Select the default authentication mode (either BroadWorks Authentication or Webex Authentication) for user login to Webex.

Note

This setting has no effect on user login to the User Activation Portal. Users must use their BroadWorks user ID and password when logging in to the portal, irrespective of how the Customer Template is configured.

Note

This setting will be applied to newly created customer organizations only. If partner administrators try to apply a new authentication setting to existing customer organizations, the existing settings apply so that existing users don't lose access. To change the authentication mode for existing customer organizations, you must open a ticket with Cisco TAC.

(See Authentication Mode in the Prepare your Environment section).

Click Next.
For Preferences, configure the following:
1. Choose whether you want to Prefill user email addresses in login page.
  
  You should only use this option if you selected BroadWorks Authentication and have also have put the users’ email addresses in the Alternate ID attribute in BroadWorks. Otherwise, they will need to use their BroadWorks username. The login page gives an option to change user, if necessary, but this may lead to login issues.
2. If you want to enable directory sync, set the Enable phone directory sync for all new customer organizations toggle to On.
  
  This option enables Webex to read BroadWorks contacts into the customer organization, so that users can find and call them from the Webex app.
3. Enter a Partner Admin.
  
  This name is used in the automated email message from Webex, that invites users to validate their email addresses.
4. Make sure the Provisioning Existing Organizations toggle is On (the default setting is On).
5. Click Next.
Review your entries on the final screen. You can click the navigation controls at the top of the wizard to go back and change any details. Click Create.

You should see a success message.
Click View Templates and you should see your new template listed with any other templates.
Click the template name to modify or delete the template, if necessary.

You do not need to re-enter the provisioning account details. The empty password/password confirm fields are there to change the credentials if you need to, but leave them empty to keep the values you gave to the wizard.

Add more templates if you have different shared configurations you want to provide to customers.

Note

Keep the View Templates page open, as you may need template details for a following task.

Configure Application Server with Provisioning Service URL

Note

This task is only required for flow through provisioning.

Patch Application Server (R22 and R23 only)

If you haven't yet done so, apply the ap373197 patch that applies to your release:.

For R22: AP.as.22.0.1123.ap373197
For R23: AP.as.23.0.1075.ap373197

Note

For R24, no specific patch is required to be able to reach the provisioning service URL.

Note

For a complete list of BroadWorks patches that form the requirement for deploying Webex for Cisco BroadWorks, See BroadWorks Software Requirements in the Reference section.

Change to the Maintenance/ContainerOptions context.
Enable the provisioning URL parameter:

/AS_CLI/Maintenance/ContainerOptions> add provisioning bw.imp.useProvisioningUrl true

Get the Provisioning URL(s) from Partner Hub

Refer to the Cisco BroadWorks Application Server Command Line Interface Administration Guide for details (Interface > Messaging and Service > Integrated IM&P) of the AS commands.

Sign in to Partner Hub and go to Settings > BroadWorks Calling.
Click View Templates.
Select the template you’re using to provision this enterprise/group’s subscribers in Webex.

The template details display in a flyout pane on the right. If you haven’t yet created a template, you need to do that before you can get the provisioning URL.
Copy the Provisioning Adapter URL.

Repeat this for other templates if you have more than one.

(Option) Configure System-Wide Provisioning Parameters on Application Server

Note

You may not want to set system-wide provisioning and service domain if you are using UC-One SaaS. See Decision Points in the Prepare your Environment section.

Sign in to the Application Server and configure the messaging interface.
1. AS_CLI/Interface/Messaging> set provisioningUrl provisioningURL
2. AS_CLI/Interface/Messaging> set provisioningUserId provisioning_account_name
3. AS_CLI/Interface/Messaging> set provisioningPassword provisioning_account_password
4. AS_CLI/Interface/Messaging> set enableSynchronization true
Activate the Integrated IMP interface:
1. /AS_CLI/Service/IntegratedIMP> set serviceDomain example.com
2. /AS_CLI/Service/IntegratedIMP/DefaultAttribute> set userAttrIsActive true

Note

You must enter the fully qualified name for the provisioningURL parameter, as it was given in Control Hub. If your Application Server cannot access DNS to resolve the hostname, then you must create the mapping in the /etc/hosts file on the AS.

(Option) Configure Per-Enterprise Provisioning Parameters on Application Server

In BroadWorks UI, open the enterprise you want to configure, and go to Services > Integrated IM&P.
Select Use service domain and enter a dummy value (Webex ignores this parameter. You could use example.com).
Select Use Messaging Server.

In the URL field, paste the provisioning URL you copied from your template in Partner Hub.

Note

You must enter the fully qualified name for the provisioningURL parameter, as it was given in Partner Hub. If your Application Server cannot access DNS to resolve the hostname, then you must create the mapping in the /etc/hosts file on the AS.

In the Username field, enter a name for the provisioning administrator. This must match the value on the template in Partner Hub.
Enter a password for the provisioning administrator. This must match the value on the template in Partner Hub.
For Default User Identity for IM&P ID, select Primary.
Click Apply.
Repeat for other enterprises you want to configure for flow through provisioning.

User Provisioning Data

For information on the user data that gets exchanged between BroadWorks and Webex during user provisioning, see Service Provider User Provisioning.

Partner Pre-Provisioning Check API

The Pre-Provisioning Check API helps administrators and sales teams by checking for errors before you provision a customer or subscriber for a package. Users or Integrations authorised by a User with the Partner Full Administrator role can use this API to ensure that there are no conflicts or errors with package provisioning for a given customer or subscriber.

The API checks to see if there are conflicts between this customer/subscriber and existing customers/subscribers on Webex. For example, the API may throw errors if the subscriber is already provisioned to a different customer or partner, if the email address exists already for another subscriber, or if there are conflicts between the provisioning parameters and what exists already on Webex. This gives you the opportunity to fix those errors before you provision, increasing the likelihood of successful provisioning.

For more information on the API, see: Webex for BroadWorks Developer Guide

To use the API, go to: Precheck a BroadWorks Subscriber Provisioning

Note

To access Precheck a BroadWorks Subscriber Provisioning document you need to log in to https://developer.webex.com/ portal.

Partner SSO

Partner SSO makes it easy for partner administrators to configure SAML SSO for newly created customer organizations. Partners can configure a single pre-defined SSO relationship and apply that configuration to the customer organizations that they manage, as well as to their own employees.

Note

The below Partner SSO steps apply to newly-created customer organizations only. If partner administrators try to add Partner SSO to an existing customer organization, the existing authentication method is retained in order to prevent existing users from losing access. To add Partner SSO to an existing organization, you must open a ticket with Cisco TAC.

Verify that the third-party Identity Provider provider meets the requirements listed in the Requirements for Identity Providers section of Single Sign-On Integration in Control Hub.

Open a Service Request with Cisco TAC. TAC must establish a trust relationship between the third-party identity provider and Cisco Common Identity service. .

Note

If your IdP requires the passEmailInRequest feature to be enabled, make sure to include this requirement in the service request. Check with your IdP if you are unsure of whether this feature is required.

Upload the CI metadata file that TAC provided to your Identity Provider.
Configure a Customer Template. For the Authentication Mode setting, select Partner Authentication. For the IDP Entity ID, enter the EntityID from the SAML metadata XML of the third-party identity provider.
Create a new user in a new customer organization that uses the template.
Very that the user can log in.

Enable Call Correlation Identifier

To run Webex for Cisco BroadWorks, it's required that you enable the Call Correlation Identifier. This setting is required for many calling features, including Call Recording, Group Call Pickup, Executive and Executive-Assistant.

Use the CLI to enable the feature on all AS and XSP interfaces.

Run the following commands on AS interfaces. This will enable the AS to send the X-BroadWorks-Correlation-Info SIP header:

AS_CLI/Interface/SIP> set sendCallCorrelationIDNetwork true

AS_CLI/Interface/SIP> set sendCallCorrelationIDAccess true
Run the following command on XSP interfaces:

XSP_CLI/Applications/Xsi-Actions/GeneralSettings>set enableCallCorrelationID true

For additional information on the Call Correlation Identifier, see Cisco BroadWorks Call Correlation Identifier Feature Description.

Directory Sync

Directory sync ensures that Webex for Cisco BroadWorks users can use the Webex directory to call any calling entity from the BroadWorks server. When this feature is enabled, the full calling directory from the BroadWorks server gets synced to the Webex directory. Users can access the directory from the Webex App and place a call to any calling entity from the BroadWorks server.

To turn Directory Sync on, go to Directory Sync in Webex for Cisco BroadWorks.

Note

Webex for Cisco BroadWorks flowthrough provisioning adds messaging users and associated calling information from the BroadWorks server to the Webex platform. However, phone lists, non-messaging users, and non-user entities are not included (for example, a conference room phone, fax machine or hunt group number). Turning on Directory sync ensures that all calling entities get added to the Webex platform.

Unified Call History

When Unified Call History is enabled, BroadWorks call events get synced to the Webex cloud and become part of the Webex Unified Call and Meetings History that displays on the Webex App. Users can view their own detailed Call history and Meeting history from the Webex App.

Unified Call History can be enabled by partner-level administrators in Partner Hub on a cluster-by-cluster basis. When this feature is turned on, the BroadWorks deployment syncs the following call events to the Webex cloud:

Call History events—these events get used to build a detailed Unified Call History
Hook Status events—Unified Call History includes hook status optimizations that decrease the amount of network bandwidth for Telephony Presence updates

Unified Call History Requirements

Before you can configure Unified Call History, make sure that you have patched your system. This feature is dependent on the following BroadWorks patches being installed:

For R22:

AP.xsp.22.0.1123.ap378585
AP.as.22.0.1123.ap378585—after patch installation, you must activate feature 25433. For example: AS_CLI/System/ActivatableFeature> activate 25433
AP.platform.22.0.1123.ap378585
AP.ps.22.0.1123.ap378585

For R23:

AP.as.23.0.1075.ap378585—after patch installation, you must activate feature 25433. For example: AS_CLI/System/ActivatableFeature> activate 25433
AP.platform.23.0.1075.ap378585
If using XSP—AP.xsp.23.0.1075.ap378585
If using ADP—Xsi-Events-23_2021.05_1.251.bwar

For R24:

AP.as.24.0.944.ap378585—after patch installation, you must activate feature 25433. For example: AS_CLI/System/ActivatableFeature> activate 25433
Xsi-Events-24_2021.05_1.251.bwar

Note

For the full list of BroadWorks patches that you must install as a prerequisite to running Webex for Cisco BroadWorks, See BroadWorks Software Requirements in the Reference section.

In addition to patching your system, the client config file (config-wxt.xml) must have the following tag set: <call-history enable-unified-history=”%ENABLE_UNIFIED_CALL_HISTORY_WXT%”/>

To have Hunt Group, Call Center and other redirection info in Unified Call History, the following Broadworks patches must be installed and active:

For R23:

AP.as.23.0.1075.ap383346
AP.as.23.0.1075.ap383994

For R24:

AP.as.24.0.944.ap383346
AP.as.24.0.944.ap383994

To have Executive-Assistant info in Unified Call History, the following Broadworks patches must be installed and active:

For R24:

AP.as.24.0.944.ap380052
AP.as.24.0.944.ap384239
ADP running Xsi-Events-24_2022.06 or later

In addition to the Broadworks patches, Directory Sync must also be enabled for the Executive-Assistant Unified Call History.

Note

When you enable Call History or DND Sync, Webex will send CTI subscription refresh requests for all users under the cluster. Depending on the number of users, this may last up to a few hours. It is recommended to not perform any Broadworks maintenance activity during the same maintenance window.

Enable Call History (New Cluster)

To enable Call History on a new cluster, see the steps for adding a cluster in Configure Your Partner Organization in Partner Hub.

Enable Call History (Existing Cluster)

To enable Call History on an existing cluster, follow the below steps:

Sign in to Partner Hub at admin.webex.com.
Go to Settings and select an existing cluster.
Verify the cluster connection is good. The right panel should display a green check mark with Connection established.

If this doesn't appear, under Check Connnections (Optional), enter BroadWorks User Id and BroadWorks Password and click Check to verify the connection is good.
Check the Enable call history check box.
Click Save.

Feature Interactions

The following feature interactions exist for Unified Call History:

Unified Call History is not supported for users who are configured in BroadWorks with Route Lists or Direct Routes. When this situation exists, Call History and Hook Status events do not get sent to the Webex App.
Unified Call History is not supported with extension dialing. Calls that are placed using extension dialing may not be reflected correctly in the Call History.

View Call History on Webex App

End users can access and view their Unified Call History from the Webex App. For details, see: Webex | View Call and Meeting History.

Disable Unified Call History

Once you enable Unified Call History on a cluster, you cannot disable the feature on your own. If you need to disable the feature, contact Cisco Technical Assistance Center (TAC).

Caller Identification and Call Redirection

Caller Identification

When the Webex App receives a call, it will attempt to identify who the caller is and display this information in the incoming call notification, the in-call window, and after the call is complete, in the call history and voicemail.

The Webex App will attempt to find the caller ID by matching the incoming phone number with the phone numbers of contacts found in various sources. The Webex App will use the following sources in this order. Once it finds it in one source it will not attempt to search anywhere else.

Note

If it finds multiple instances of a number in one source, it will not try to choose one of them, in this case, it will not display any caller ID.

Webex Common Identity (CI) which contains your organization users.
Personal and Organization Contacts. Personal Contacts are visible under the Contacts tab.
Local Address Book. In Windows - Outlook application, in Mac - Mac Contacts, in iOS - iPhone contacts, in Android - Android contacts.

If there is no match found with the incoming phone number, then the app will use the display name in the SIP FROM header if available. Otherwise, it will use the username part of the SIP URI from the SIP From header as a last resort.

For remote call control (i.e., Deskphone Control Mode) XSI info is used, where BWKS ID or extension is used, extracted from remote-party-info in the XSI event. If remote-party-info is not available, then P-Asserted Identity (PAI) (if configured) will be used.

Call Redirection

In the case where a call has been redirected or forwarded, then the app will attempt to show who the caller is and how it was forwarded in the call notification and call history.

Call Forwarded: Shows number that forwarded the call.
Hunt Group: Shows name of the hunt group that forwarded the call.
Call Center Queue: Shows name of the queue that forwarded the call.
Executive-Assistant: Shows name of Executive the call is coming in for.

Exceptions:

For internal call queue calls, where an agent calls back an internal party, the remote party will not see the name of the call queue but will see the name of the agent calling them.

Call Answered Elsewhere:

For Hunt Groups or Call Queues that are set up with simultaneous routing, agents will see a call answered elsewhere in call history if another agent picks up the call. For Hunt Groups or Call Queues with sequential routing, or in an overflow, calls will show as missed call in call history if answered by another agent.

Shared line appearance

Shared line appearance is the ability to provision other users' lines as shared lines on the end-user device. The shared line configuration for the Webex App is similar to the shared line configuration for desk phones. This specific feature allows you to assign shared line appearances to the end user's Webex App.

This feature benefits the users to handle calls on other user's extension directly from the Webex App.

You can configure shared line appearance only for the desktop version of a Webex App.
You can add a maximum of 10 lines including the primary line to Webex App.
You can't assign workspace line as shared line.
A user cannot be provisioned with Executive-Assistant service at the same time as having Shared Lines.
A user's primary line port should not be changed to a Shared Line.

Requirements

To deploy this feature on Webex for Cisco BroadWorks, you must deploy the following BroadWorks patches:

Patch 1: Owner Flag in Device List to Support Webex Client Shared Lines

R23 without ADP:

AP.as.23.0.1075.ap384179
AP.xsp.23.0.1075.ap384179

R23 with ADP:

AP.as.23.0.1075.ap384179
Xsi-Actions-23_2022.10

R24:

AS: AP.as.24.0.944.ap384179
Xsi-Actions-24_2022.10

R25:

AS: RI release Rel_2022.10_1.310
Xsi-Actions-25_2022.10

Patch 2: Patches for increasing port count on device profile types (in this case for the desktop client: Business Communicator).

RI release Rel_2022.10_1.310

Do Not Disturb (DND) Sync

Do Not Disturb (DND) Sync aligns DND settings between Webex and BroadWorks by synchronizing DND status between the two platforms. For example, if a user turns on DND from the Webex App, that status syncs to BroadWorks calling devices. As a result, the user’s BroadWorks-registered desk phone does not ring when someone attempts to call it. Similarly, if a user sets DND from a desk phone, the status syncs to the Webex App. Without this feature, DND updates from one platform don't get recognized by the other platform.

DND Sync gets applied at the BroadWorks cluster level and can be enabled in Partner Hub by a partner administrator.

Prerequisites

Make sure that the following patches are applied to the AS and XSP/ADP. Apply only the patches for your BroadWorks version.

For Release 22:

AS patch: AP.as.22.0.1123.ap382615, AP.as.22.0.1123.ap382838
XSP patch: AP.xsp.22.0.1123.ap382615, AP.xsp.22.0.1123.ap382838

For Release 23:

AS patch: AP.as.23.0.1075.ap382615, AP.as.23.0.1075.ap382838
XSP patch: AP.xsp.23.0.1075.ap382615, AP.xsp.23.0.1075.ap382838
ADP apps: Xsi-Actions-23_2022.03_1.220.bwar, Xsi-Events-23_2022.03_1.220.bwar

For Release 24:

AS patch: AP.as.24.0.944.ap382615, AP.as.24.0.944.ap382838
ADP apps: Xsi-Actions-24_2022.03_1.220.bwar, Xsi-Events-24_2022.03_1.220.bwar

After you apply the patches, activate feature 25433 on the AS:

AS_CLI/System/ActivatableFeature> activate 25433

Configure Device Feature Key Synchronization on BroadWorks. Make sure that the phone supports SIP SUBSCRIBE/NOTIFY for the “as-feature-event” event package. For details, see Cisco BroadWorks Device Feature Key Synchronization.

Enable DND Sync (Existing cluster)

Sign in to Partner Hub
Click Settings.
Click View Cluster and select the appropriate BroadWorks cluster.
Enable the Do not disturb (DND) sync toggle.
Enter your BroadWorks user ID and click Enable.

The system validates that the BroadWorks cluster has the appropriate patches to support DND Sync. If validation fails, the Save button gets disabled.
If validation succeeds, click Save.

Note

Once DND Sync gets enabled, Webex refreshes all user subscriptions to include the Do not disturb event package. Depending on the number of users, this process may take a few hours to complete.
Enabling DND Sync is a one-way toggle. Once the feature is enabled, you can’t disable it on your own.

Enable DND Sync (New cluster)

You can also enable the feature during cluster creation. For details, see “Configure Your BroadWorks Clusters” in Configure Your Partner Organization in Partner Hub.

Disable DND Sync

You can’t disable DND Sync on your own. To disable the feature, create an engineering BEMS case with the following information:

Family: Spark Service
Product: Calling in Webex (Webex for BroadWorks)
Component: WxBW- Provisioning
The BEMS case must state that Do Not Disturb Sync is to be disabled for a partner. The case must contain partnerId and BroadWorks clusterId.

Use Cases

Figure 4. Setting and Clearing DND in Relation to Work Status

Call Recording

Webex for Cisco BroadWorks supports four modes of call recording.

Table 5. Recording Modes
Recording Modes	Description	Controls/Indicators that display on Webex app
Always	Recording is initiated automatically when the call is established. The user has no ability to start or stop recording.	Visual indicator that recording is in progress
Always with Pause/Resume	Recording is initiated automatically when the call is established. User can pause and resume recording.	Visual indicator that recording is in progress Pause Recording button Resume Recording button
OnDemand	Recording is initiated automatically when call is established, but the recording is deleted unless the user presses Start Recording. If user starts recording, the full recording from call setup is retained. After starting the recording, user can also pause and resume recording	Start Recording button Pause Recording button Resume Recording button
OnDemand with User-Initiated Start	Recording does not initiate unless the user selects the Start Recording option on the Webex app. The user has the option to start and stop recording multiple times during a call.	Start Recording button Stop Recording button Pause Recording button

Requirements

To deploy this feature on Webex for Cisco BroadWorks, you must deploy the following BroadWorks patches:

The Call Correlation Identifier must be turned on. For details, see Enable Call Correlation Identifier.

The following configuration tag must be enabled in order to use this feature: %ENABLE_CALL_RECORDING_WXT%.

This feature requires an integration with a third-party call recording platform.

To configure call recording on BroadWorks, go to the Cisco BroadWorks Call Recording Interface Guide.

Additional Information

For user information on how to use the Recording feature, go to the help.webex.com article Webex | Record Your Calls.

To replay a recording, users or administrators must go to their third-party call recording platform.

Group Call Park and Retrieve

Webex for Cisco BroadWorks supports Group Call Park and Retrieve. This feature provides a way for users within a group to park calls, which can then be retrieved by other users in the group. For example, retail employees in a store setting could use the feature to park a call that can then be picked up by someone in another department.

Feature Operation

Once the feature is configured

While in a call, a user clicks the Park option on their Webex app to park the call at an extension that the system selects automatically. The system displays the extension to the user for a period of 10 seconds.
Another user in the group clicks the Retrieve call option on their Webex app. The user then enters the extension of the parked call in order to continue the call.

Requirements

For this feature to work, make sure of the following:

The client config file must have the following tags set:

<call-park enabled="%ENABLE_CALL_PARK_WXT%"
        timer="%CALL_PARK_AUTO_CLOSE_DIALOG_TIMER_WXT%"/>

The Call Correlation Identifier must be enabled on the AS and XSP. For details, see Enable Call Correlation Identifier.
Your SBC must be configured to pass the ‘x-broadworks-correlation-in' SIP attribute to and from the Application Server.

Configuration

For information on how to configure Group Call Park on BroadWorks, see “Add Call Park Group” in the Cisco BroadWorks Application Server Group Web Interface Administration Guide – Part 2. You must create a group and add users to the group.

For information on how to configure the Call Correlation Identifier on BroadWorks, see Cisco BroadWorks Call Correlation Identifier Feature Description.

Additional Information

For user information on how to use Group Call Park, see Webex | Park and Retrieve Calls.

Call Park/Directed Call Park

Regular or directed call park is not supported in the Webex app UI, but provisioned users can deploy the feature using Feature Access Codes:

Enter *68 to park a call
Enter *88 to retrieve a call

E911 Emergency Calling

Webex for Cisco BroadWorks supports E911 emergency services calling. With this feature, emergency calls get routed to a Public Safety Answering Point (PSAP) who can then direct emergency services to the caller’s location. To use this feature, you must integrate Webex for Cisco BroadWorks with an E911 emergency call provider.

Use the following Webex articles to configure support for E911 emergency calling services:

E911 Emergency Calling in Webex for BroadWorks—Use this article to configure E911 emergency calling in Webex for Cisco BroadWorks using one of the following supported E911 providers:
- Bandwidth
- Intrado
- RedSky
Emergency Call Disclaimer—If you have a location service, you can configure the Emergency Services Disclaimer window on the Webex App to include an option for users to update their location when logging in.

Customize and Provision Clients

Users download and install their generic Webex apps, for desktop or mobile (for download links, see Webex App Platforms). Once the user authenticates, the client registers against theWebex Cloud for messaging and meetings, retrieves its branding info, discovers its BroadWorks service info and downloads its calling configuration from BroadWorks Application Server (via DMS on XSP).

You configure the calling parameters for Webex apps in BroadWorks (as normal). You configure branding, messaging, and meeting parameters for the clients in Control Hub. You do not directly modify a configuration file.

These two sets of configurations can overlap, in which case the Webex configuration supersedes the BroadWorks configuration.

Add Webex Apps Configuration Templates to BroadWorks Application Server

Webex apps are configured with DTAF files. The clients download a configuration XML file from the Application Server, via the Device Management service on the XSP.

Get the required DTAF files (see Device Profiles in the Prepare Your Environment section).
Check that you have the right tag sets in BroadWorks System > Resources > Device Management Tag Sets.

For each client you're provisioning:

Download and extract the DTAF zip file for the particular client.
Import DTAF files to BroadWorks at System > Resources > Identity/Device Profile Types

Open the newly added device profile for editing and:

Enter the XSP farm FQDN and Device Access Protocol.

Check the Support Remote Party Info check box. This support is required for desktop sharing to work.

Note

You can also enable Remote Party support by running the following CLI command on the Application Server: AS_CLI/System/DeviceType/SIP> set <device_profile_type> supportRemotePartyInfo true

Modify the templates according to your environment (see table below).
Save the profile.

Click Files and Authentication and then select the option to rebuild all system files.


Name	Description
Codec Priority	Configure priority order for the audio and video codecs for VoIP calls
TCP, UDP and TLS	Configure the protocols used for SIP signaling and media
RTP Audio and Video Ports	Configure port ranges for RTP audio and video
SIP options	Configure various options related to SIP (SIP INFO, use rport, SIP proxy discovery, refresh intervals for registration and subscription, etc.)

Customize Branding for Webex App

Partner customizations—Partner administrators can apply advanced branding customizations that apply to the partner organization and/or customers that the partner manages. See Configure Advanced Branding Customizations.
Customer customizations—If the partner allows customers to apply their own Branding customizations, customer administrators can follow the procedures at Add Your Company Branding to Webex.

Note

The User Activation Portal uses the same logo that you add for client Branding.

Customize Problem Reporting and Help URLs

To customize these options, administators can follow the procedure "Add Feedback and Help Site URLs", which can be found in both of the above Branding articles.

Configure Your Test Organization for Webex for Cisco BroadWorks

Before you begin

With Flowthrough Provisioning

You must configure all the XSP services, and the partner organization in Control Hub, before you can perform this task.

Procedure

Step 1

Assign Service in BroadWorks:

Create a test enterprise under your service provider enterprise in BroadWorks, or create a test group under your Service Provider (depends on your BroadWorks setup).
Configure the IM&P service for that enterprise, to point to the template you are testing (retrieve the provisioning adapter URL and credentials from Control Hub customer template).
Create test subscribers in that enterprise / group.
Give the users unique email addresses in the email field in BroadWorks. Copy those into the Alternate ID attribute as well.

Assign the Integrated IM&P service to those subscribers.

Note

This triggers the creation of the customer organization and the first users, which takes several minutes. Please wait a little while before trying to sign in with your new users.

Step 2

Verify Customer Organization and Users in Control Hub:

Sign in to Control Hub with your partner administrator account.
Go to Customers and verify that your new customer organization is in the list (name follows the group name or enterprise name, from BroadWorks).
Open the customer organization and verify that the subscribers are users in that organization.
Verify that the first subscriber to whom you assigned the Integrated IM&P service has become the customer administrator of that organization.

User Testing

Procedure

Step 1	Download the Webex app on two different machines.
Step 2	Sign in as your test users on the two machines.
Step 3	Make test calls.

Bias-Free Language

Results

Chapter: Deploy Webex for Cisco BroadWorks

Deploy Webex for Cisco BroadWorks

Deployment Overview

Partner Onboarding for Webex for Cisco BroadWorks

Configure Services on Your Webex for Cisco BroadWorks XSPs

Co-Residency Requirements

Xsi Interfaces

Configure Authentication Service (with CI Token Validation)

Remove Client Authentication Requirement for Auth Service (R24 only)

Configuring TLS and Ciphers on the HTTP Interfaces (for XSI and Authentication Service)

Configure Device Management on XSP, Application Server, and Profile Server

CTI Interface and Related Configuration

Configure Application Server for CTI Subscriptions

Configure TLS and Ciphers on the CTI Interface

Update Trust Anchors for CTI Interface (R22 and later)

Add CTI Interface and Enable mTLS

Enable Access to BroadWorks CTI Events on Webex

Call Settings Webview

User Experience

Deploy CSWV on BroadWorks

Install Call Settings Webview on XSPs

Configure the Webex App to use Call Settings Webview

Configure Call Push Notifications in Webex for Cisco BroadWorks

NPS Proxy Overview

APNS Considerations

Prepare Your NPS for Webex for Cisco BroadWorks

Procedure

What to do next

Configure NPS to Use Authentication Proxy

Procedure

Migrate NPS to FCMv1

Migrate UC-One Clients to FCMv1

Migrate SaaS Clients to FCMv1

Update ADP Server

Configure Your Partner Organization in Partner Hub

Configure Your BroadWorks Clusters

Checking the Connections to Your BroadWorks Interfaces

Configure your Customer Templates

Configure Application Server with Provisioning Service URL

Patch Application Server (R22 and R23 only)

Get the Provisioning URL(s) from Partner Hub

(Option) Configure System-Wide Provisioning Parameters on Application Server

(Option) Configure Per-Enterprise Provisioning Parameters on Application Server

User Provisioning Data

Partner Pre-Provisioning Check API

Partner SSO

Enable Call Correlation Identifier

Directory Sync

Unified Call History

Unified Call History Requirements

Enable Call History (New Cluster)

Enable Call History (Existing Cluster)

Feature Interactions

View Call History on Webex App

Disable Unified Call History

Caller Identification and Call Redirection

Shared line appearance

Do Not Disturb (DND) Sync

Prerequisites

Enable DND Sync (Existing cluster)

Enable DND Sync (New cluster)

Disable DND Sync

Use Cases

Call Recording

Requirements

Additional Information

Group Call Park and Retrieve

Feature Operation

Requirements

Configuration

Additional Information

Call Park/Directed Call Park

E911 Emergency Calling

Customize and Provision Clients

Add Webex Apps Configuration Templates to BroadWorks Application Server

Customize Branding for Webex App

Customize Problem Reporting and Help URLs