Set Up Shared Architecture

Prerequisites

Review the Cisco HCS Solution Reference Networking Design guide for the Shared Architecture design, the VM and cluster OVA specifications for the required applications, the security options for Shared Architecture data center deployments, and other prerequisites.

Review Cisco HCS End to End Planning guide for the Shared Architecture deployment planning consideration.

Review Cisco HCS License Management guide for the Shared Architecture deployment license consideration.

Install Third-Party Apps for Directory Separation

For the detailed steps, refer to the third-party website.

Configure Management Application

Configure Unified CDM

Create the HCM-F Device

After you create the HCM-F device, data synchronization begins if there is a network connection and the NBI REST service is running on the HCM-F server.

Before you begin
  • Install and configure HCM-F. For more information, see the Cisco Hosted Collaboration Mediation Fulfillment Install and Configure Guide.
  • Verify that the NBI REST SDR Web Service is running:
    1. Sign in to the HCM-F CLI as the administrator user.

    2. Run the utils service list command. Verify that the Cisco HCS NBI REST SDR Web Service is running.

    3. If not running, start it with the utils service start Cisco HCS NBI REST SDR Web Service command.

Procedure

Step 1

Sign in to Cisco Unified Communications Domain Manager (Unified CDM) as hcsadmin@sys.hcs.

Step 2

Create a new HCM-F instance:

  1. Select Device Management > HCM-F and click Add.

  2. Enter the HCM-F hostname.

  3. Enter the HCM-F administrator Username.

  4. Enter the HCM-F administrator Password.

  5. Select the HCM-F Version from the drop-down list.

    Note 
    Once the HCM-F Version is set to a new version, it cannot be changed to an older one.
  6. Click Save.

Step 3

If the previous step fails:

  • Verify that HCM-F Hostname is correct
  • Verify that HCM-F administrator Username and administrator Password are correct
  • Verify that HCM-F Version is correct
  • Verify that the domain is set correctly using the Unified CDM CLI:
    1. ssh platform@<cucdm hostname>
    2. network domain
Step 4

After a couple of minutes, verify that the initial synchronization between Unified CDM and HCM-F is successful:

  1. Select Provider Management > Advanced > SDR Service Provider.

  2. The sync is successful if the default entry, "Service Provider Name", appears.


What to do next

If the initial sync is not working after following the previous steps, verify that the HCM-F REST API is working by browsing to http://<hcmf_app_node_host>/sdr/rest/<hcmf_version>/entity/ServiceProvider. This request returns the JSON representation of the predefined service provider instance in the HCM-F Shared Data Repository (SDR). If you get an error, log in to the HCM-F app node CLI as administrator and verify that the REST service is running:

To display the services, run the command: utils service list.

In the output, you see Cisco HCS NBI REST SDR Web Service[STARTED].

If this service is not started, start it with the command: utils service start Cisco HCS NBI REST SDR Web Service.

For data sync failures, try importing the new HCM-F:
  1. Select Device Management > HCM-F and click the HCM-F device.

  2. Update the Hostname and click Save.

  3. Import the new HCM-F:

    1. Select Device Management > Advanced > Perform Actions.

    2. In the Action field, select Import.

    3. In the Device field, select the HCM-F server.

    4. Click Save and wait a few minutes.

  4. Check the provider under Provider Management > Advanced > SDR Service Provider.
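The REST check described above, scripted, as an added example that is not part of the original page or of Cisco's tooling: it builds the SDR URL from the HCM-F host and version, fetches it, and maps each failure mode back to the cause this section lists (service not started, wrong credentials, wrong version, empty SDR). The JSON layout of the ServiceProvider response is an assumption (a list of entity objects, or an object wrapping such a list, each with a name field), as is plain http taken from the URL shown; if your HCM-F node requires authentication or TLS, supply your own fetch callable.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

Fetch = Callable[[str], Tuple[int, str]]


def sdr_service_provider_url(host: str, version: str, scheme: str = "http") -> str:
    """URL from the page: <scheme>://<host>/sdr/rest/<version>/entity/ServiceProvider."""
    return f"{scheme}://{host}/sdr/rest/{version}/entity/ServiceProvider"


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Default fetcher: (HTTP status, body). A refused or unresolved connection becomes status 0."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def extract_service_providers(data) -> List[str]:
    """Assumed response shape: a list of entity objects, or an object wrapping such a
    list; the provider name is read from each object's 'name' field."""
    if isinstance(data, list):
        items = data
    elif isinstance(data, dict):
        items = next((v for v in data.values() if isinstance(v, list)), [data])
    else:
        items = []
    return [i["name"] for i in items if isinstance(i, dict) and i.get("name")]


def check_sdr_sync(host: str, version: str, fetch: Fetch = http_fetch) -> Tuple[bool, str]:
    """Return (ok, diagnosis) for the prerequisites of the initial Unified CDM <-> HCM-F sync."""
    status, body = fetch(sdr_service_provider_url(host, version))
    if status == 0:
        return False, ("no connection: check the hostname/DNS and that "
                       "'Cisco HCS NBI REST SDR Web Service' shows [STARTED] in utils service list")
    if status in (401, 403):
        return False, (f"HTTP {status}: the REST service is up but rejected the request; "
                       "check the HCM-F administrator username/password entered in Unified CDM")
    if status == 404:
        return False, "HTTP 404: most often the <hcmf_version> in the URL does not match the HCM-F release"
    if status != 200:
        return False, f"HTTP {status}: unexpected response from the REST service"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False, "HTTP 200 but the body is not JSON; a proxy or login page may sit in the path"
    providers = extract_service_providers(data)
    if not providers:
        return False, "REST service works but SDR returned no ServiceProvider entity; re-run the Import action"
    return True, "ServiceProvider present in SDR: " + ", ".join(providers)


if __name__ == "__main__":
    import sys
    ok, why = check_sdr_sync(sys.argv[1], sys.argv[2])
    print(("OK" if ok else "FAIL") + ": " + why)
```

Run it as python check_sdr.py <hcmf_app_node_host> <hcmf_version>; the diagnosis string tells you which of the checks in this section to perform next.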

Configure LDAP
LDAP Integration
Procedure

Step 1

Top-Down LDAP Management

See Top-Down User Management

Step 2

Sync and Authentication Options for LDAP

See Sync and Authentication Options for LDAP and SSO in Dedicated Cisco Unified Communications Manager

Step 3

Set up LDAP Servers

See Set Up an LDAP Server

Step 4

Set up LDAP for User Sync

See Set up LDAP for User Synchronization

Step 5

Sync Users

See Synchronize Users from LDAP

Step 6

Set up LDAP for Authentication Only

See Set Up LDAP for Authentication Only

Step 7

View LDAP Authentication Users

See View and Update LDAP Authentication Users

Step 8

Enable LDAP Authentication for Cisco Unified CM Users Synced from LDAP to Cisco Unified CDM

See Enable LDAP Authentication in Unified CM for Users Synced from LDAP to Cisco Unified CDM


Configure CUCM LDAP Directory Name in the LDAP Server on Unified CDM
Procedure

Step 1

In Unified CDM, navigate to LDAP Management > LDAP Server.

Step 2

Select the appropriate server.

Step 3

Update the AD Sync Mode field with the LDAP Directory name from Unified CM (System > LDAP > LDAP Directory), and click Save.

Step 4

Add/update users in Unified CM.

Step 5

In Unified CDM, select the site hierarchy, and navigate to User Management > Manage Users.

Step 6

Select Add or update users to CUCM from the Action drop-down list.

Step 7

Select the Network Device List, select all users, and click Save.

Step 8

Repeat this procedure for other sites.


Configure HCM-F

Configure Prime Collaboration Assurance

Review Service Assurance Configuration chapter in the Cisco Hosted Collaboration Solution Onboarding Guide for the Prime Collaboration Assurance configuration details.


Note

In Shared Architecture deployment, only devices are pushed to PCA. Access to PCA is limited to provider and reseller level.


Configure UC Application

Configure Unified CM

Set Up Cisco Unified Communications Manager Servers

Use this procedure to configure Cisco Unified Communications Manager servers within a Unified CM cluster.

Procedure

Step 1

Log in as the appropriate hierarchy administrator.

Only a provider or reseller administrator can create a shared architecture deployment. A customer, provider, or reseller administrator can create a dedicated instance.

Step 2

Set the hierarchy path to the correct level. Create a shared architecture at the provider or reseller level. Create a dedicated instance at the customer level.

Step 3

Click Device Management > CUCM > Servers.

Step 4

Click Add.

Step 5

Enter the Unified CM server name in the CUCM Server Name field.

Note 
A Unified CM server that has been configured in HCM-F and synced into Cisco Unified Communications Domain Manager may exist at the sys.hcs hierarchy. If the server name you enter matches this server, the Migrate from HCM-F to CUCDM check box is displayed. Click Save to migrate this server to the current hierarchy level. The fields are populated with the values that were configured in HCM-F. If you do not want to migrate the server, enter a different server name.
Step 6

Select Voice/Video in the Server Type field.

Step 7

To configure a publisher node, check Publisher.

On the Publisher tab, you can specify the following information:

Field

Description
Prime Collaboration

Select the Prime Collaboration management application monitoring this cluster.

To unassociate Prime Collaboration for this cluster, select None.

Call Processing ID

The Call Processing ID of this cluster

Cluster ID

The Cluster ID of this cluster.

Multi-Tenant

Read-only field. If creating at provider or reseller level, this field is set to Shared. If creating at customer level, this field is set to Dedicated.

Version

Select the version of the Unified CM Servers in this cluster. The available versions depend on the version of the HCM-F device that has been configured.

Port

The port on the Unified CM server to connect to. Default is 8443.

User Move Mode

Set to Automatic to automatically move synced-in users to sites, based on the filters and filter order defined in User Management > Manage Filters. Set to Manual if you want an administrator to move synced-in users to a site by hand.

User Entitlement Profile
Select the Entitlement Profile that specifies which devices and services users synced from this Unified CM are entitled to.
Note 

A violation of the Entitlement Profile does not prevent a user from being synced to Unified CDM from Unified CM. However, subsequent updates to the user fail until the user's configuration satisfies the restrictions set in the Entitlement Profile.

Enable Change Notification Sync

Check this checkbox to enable Change Notification. By enabling this, a Change Notification data sync and corresponding Schedule are created. The Schedule is initially created as Disabled and needs to be manually enabled from the Scheduling menu. The Change Notification Sync interval is set to 14 days, by default.

See the Change Notification Sync in Unified CDM section in Cisco Unified Communications Manager Configuration in Cisco Unified CDM for detailed information.

Step 8

For a Unified CM Publisher node, fill in the Cluster Name field with the name you want for this cluster. A new cluster is created with this name. This field is required.

For Unified CM Subscribers, select the Unified CM cluster from the Cluster Name drop down menu.
Step 9

Expand Network Addresses.

  1. Select the SERVICE_PROVIDER_SPACE address space.

  2. The Hostname field is automatically populated with the Unified CM Server Name. Edit it if necessary.

  3. Enter the IP address of the Cisco Unified Communications Manager Server in the IPv4 Address field.

    Note 
    Either the hostname or the IP address is required. Ensure that the hostname or IP address does not contain a trailing blank space. Unified CDM cannot validate an entry that contains a blank space at the end of the hostname or IP address.
  4. Fill in the domain of the Unified CM application.

  5. Provide an optional description for the network address.

If NAT is used, also configure an APPLICATION_SPACE network address.

Step 10

Expand Credentials.

  1. Add credentials for PLATFORM, ADMIN, HTTP, and SNMP_Vx credential types. Click + to add more credentials.

  2. Fill in the user ID and password that you configured when you installed the Unified CM.

  3. Select RO (Read-only) or RW (Read/Write) for the Access Type. The default is RO.

  4. Provide an optional description for the credential.

ADMIN, HTTP, PLATFORM, and SNMP are required for PCA to manage Unified CM. PLATFORM and ADMIN are also required for Service Inventory to generate reports for UC applications.
Note 

Expiration of the ADMIN account results in failed data syncs between Unified CM and Unified CDM.

Step 11

On the Field Mappings tab, complete field mappings as desired. Hard-coded mappings appear in gray and cannot be modified.

Step 12

Click Save.

A Unified CM network device is created in Unified CDM. A cluster and Unified CM are created in the SDR.
Step 13

Test the connection between Unified CM and Unified CDM.

  1. Select Device Management > Advanced > CUCM Network Device.

  2. Click the Unified CM you just added.

  3. Select Action > Test Connection.

If the test fails, and you used a hostname, make sure Unified CDM has the correct DNS and Domain set.
  1. Log in to the platform CLI.

  2. Query the current DNS setting: network dns

  3. Set the DNS if needed: network dns <dns_server_ip_address>

  4. Query the current domain setting: network domain

  5. Set the domain if needed: network domain <domain>

Note 

Use the CUCM Network Device page only for testing the connection. Do not edit Unified CM from this page. To change any configuration of the Unified CM, edit it from the Device Management > CUCM > Servers page in Unified CDM.
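A pre-flight check for the server entry built in Steps 5 through 12, as an added example that is not part of the original page or of Unified CDM: it catches the problems the procedure warns about before you click Save, namely a hostname or IP address with a trailing blank (which Unified CDM cannot validate), neither hostname nor IP supplied, a malformed IPv4 address, NAT without an APPLICATION_SPACE address, and a missing PLATFORM, ADMIN, HTTP or SNMP_Vx credential. The dict keys are an assumption that mirrors the form fields, not a Unified CDM schema.

```python
import ipaddress
import re
from typing import Any, Dict, List

DEFAULT_PORT = 8443
# Credential types the procedure requires for PCA and Service Inventory; SNMP is matched
# by prefix so SNMP_V2 and SNMP_V3 both count.
REQUIRED_CREDENTIAL_TYPES = ("PLATFORM", "ADMIN", "HTTP", "SNMP")
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_problems(hostname: str) -> List[str]:
    """RFC 1123 host-name check; leading/trailing blanks are reported explicitly
    because Unified CDM cannot validate an entry that carries them."""
    problems = []
    if hostname != hostname.strip():
        problems.append("hostname has leading or trailing whitespace")
    name = hostname.strip()
    if not name:
        return problems
    if len(name) > 253:
        problems.append("hostname longer than 253 characters")
    for label in name.rstrip(".").split("."):
        if not HOSTNAME_LABEL.match(label):
            problems.append(f"invalid hostname label {label!r}")
    return problems


def ipv4_problems(address: str) -> List[str]:
    problems = []
    if address != address.strip():
        problems.append("IPv4 address has leading or trailing whitespace")
    try:
        ipaddress.IPv4Address(address.strip())
    except ipaddress.AddressValueError:
        problems.append(f"not a valid IPv4 address: {address.strip()!r}")
    return problems


def validate_cucm_server_entry(entry: Dict[str, Any]) -> List[str]:
    """Return the problems found in a server entry; an empty list means it is safe to Save.
    Assumed keys: server_name, hostname, ipv4, port, nat, app_space_address, credentials
    (a list of {"type", "user", "password"} dicts)."""
    problems: List[str] = []
    hostname = entry.get("hostname") or ""
    ipv4 = entry.get("ipv4") or ""
    if not hostname.strip() and not ipv4.strip():
        problems.append("either the hostname or the IPv4 address is required")
    if hostname:
        problems += hostname_problems(hostname)
    if ipv4:
        problems += ipv4_problems(ipv4)
    port = entry.get("port", DEFAULT_PORT)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"port {port!r} is not a valid TCP port")
    if entry.get("nat") and not entry.get("app_space_address"):
        problems.append("NAT is used but no APPLICATION_SPACE network address is configured")
    creds = entry.get("credentials", [])
    present = {str(c.get("type", "")).upper() for c in creds}
    for required in REQUIRED_CREDENTIAL_TYPES:
        if not any(t == required or t.startswith(required + "_") for t in present):
            problems.append(f"missing {required} credential (needed by PCA and Service Inventory)")
    for c in creds:
        if not c.get("user") or not c.get("password"):
            problems.append(f"credential {c.get('type')!r} has an empty user ID or password")
    return problems
```

Run it over the values you intend to type into the form; every returned string corresponds to a Save that would otherwise fail or a Test Connection that would otherwise be misleading.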


Configure Unified CM for Call Routing
Configure Unified CM to receive calls directly from Expressway-E through Expressway-C and assist with Mobile Remote Access (MRA).
Procedure

Step 1

Log in to the Shared Architecture Unified CM.

Step 2

Navigate to System > Enterprise Parameters.

Step 3

Search (Ctrl+F) for "fully" to find the Cluster Fully Qualified Domain Name setting.

Step 4

Enter the public domain name created for MRA, followed by the FQDN of the Shared Architecture Unified CM, and click Save.

[Example: collabedge-161.dc-01.com cucm-shared@dcloud.cisco.com]

Step 5

Create a SIP Profile.

Step 6

Toward the bottom of the page, in the Trunk Specific Configuration section, set Early Offer support for voice and video calls to Best Effort (no MTP inserted).

Step 7

Create a Non Secure SIP Trunk Security Profile.

Step 8

Add a new SIP trunk. Set the following parameters:

  • Calling and Connected Party Info Format (Outbound Calls section) to Deliver URI and DN in connected party, if available.

  • Destination Address (SIP Information section) to IP Address of Expressway-C used for B2B/MRA.

Step 9

Choose the newly created SIP Trunk Security Profile and SIP Profile.

Step 10

Add a new SIP route pattern that matches the cloud URI (IPv4 pattern) and routes it out through the new SIP trunk to the Expressway-C.


Configure Directory Search

There are two options for directory search in Cisco HCS:

  1. Use the CUCM native contact search, with the configuration described in Configure Directory Search for Shared Architecture.
  2. Continue to use a third party vendor for directory search. Configure according to the following sections:
Configure Directory Search for Shared Architecture

You can enhance directory search for Shared Architecture deployments by configuring the following parameters. All of them are required fields and are configured through the AXL interface.

Directory Search Scope

Default: All Users in the System

Determines whether User Data Service (UDS) user searches are limited to users mapped to the same customer or include all users in the system. With the default scope, directory searches return users of every customer hosted on the shared cluster. When the scope is set to "Only Users within the Same Customer", the UDS search requires authentication and UDS limits the results to users mapped to the same customer as the authenticated user.

Search Behavior for Users with No Customer Mapping

Default: Only Search within Users with No Customer Mapping

Determines the behavior of UDS user searches made by an end user that is not mapped to any customer.

User Customer Map Audit Time

Default: 0000-00-00 00:00

Schedules a user-customer mapping audit. When this parameter is set, the audit of the user-customer mapping between CUCM and the configured LDAP directory runs at the configured time. After the audit completes, generate a report with the Real-Time Monitoring Tool (RTMT) under "Cisco DirSync" to view the results.

Important

The value you enter for this parameter must not be in the past.


Note

There is no need to change the Corporate directory and other service URL.

CE platform phones may require that you modify the alternate phone book server address on the device page in CUCM. Use the updatePhone AXL API to add a query parameter to the alternate phone book server URL that limits the contact search scope to a specific customer (for example, "?customer=[customerName]").
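The updatePhone call mentioned above, as an added example that is not part of the original page or of Cisco's AXL samples: it appends the customer query parameter to the alternate phone book URL with proper URL encoding and builds the SOAP request with ElementTree so the URL and device name are XML-escaped rather than string-formatted into place. The customer name is validated against a conservative pattern because it is spliced into both a query string and an XML body, and a value like "acme&customer=other" would otherwise widen the search scope. The AXL envelope layout (updatePhone with name and vendorConfig) follows the AXL schema; the element name used inside vendorConfig for the phone book address is an assumption of this example and must be confirmed against the vendorConfig schema for your device model and release.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXL_NS_TEMPLATE = "http://www.cisco.com/AXL/API/{version}"
# Customer names end up in a URL query string and a SOAP body; accept only a plain token.
CUSTOMER_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")
# Assumed element name inside <vendorConfig>; check the AXL vendorConfig schema for your release.
PHONE_BOOK_ELEMENT = "alternatePhonebookServerAddress"


def scoped_phone_book_url(base_url: str, customer: str, param: str = "customer") -> str:
    """Append ?customer=<name> (URL-encoded) to the UDS phone book URL, keeping any
    existing query parameters and refusing names that could inject extra parameters."""
    if not CUSTOMER_NAME.match(customer):
        raise ValueError(f"customer name not allowed: {customer!r}")
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("the phone book URL in this deployment uses https")
    query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query[param] = customer
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def update_phone_request(device_name: str, phone_book_url: str, axl_version: str = "11.5") -> str:
    """Serialize an AXL updatePhone SOAP request that sets the phone book address.
    Building the tree with ElementTree guarantees XML escaping of every value."""
    axl_ns = AXL_NS_TEMPLATE.format(version=axl_version)
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("ns", axl_ns)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(envelope, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    update = ET.SubElement(body, f"{{{axl_ns}}}updatePhone")
    ET.SubElement(update, "name").text = device_name          # AXL child elements are unqualified
    vendor = ET.SubElement(update, "vendorConfig")
    ET.SubElement(vendor, PHONE_BOOK_ELEMENT).text = phone_book_url
    return ET.tostring(envelope, encoding="unicode")


def phone_book_url_from_request(xml_text: str) -> str:
    """Read the URL back out of a serialized request, to assert what will be sent."""
    root = ET.fromstring(xml_text)
    return root.find(f".//vendorConfig/{PHONE_BOOK_ELEMENT}").text
```

POST the returned string to https://<cucm>:8443/axl/ with the HTTP credential configured for the cluster and a SOAPAction header for updatePhone; the read-back helper is there so a change script can verify the exact URL before sending it.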


Configure Directory Search in Jabber
This procedure makes directory searches in Jabber return only the users in the customer's own user base instead of all the users in the shared Unified CM.
Procedure

Step 1

Create the XML file. Starting from the following template, change UdsServer to the appropriate customer domain and save the file as jabber-config-<customer-name>.xml.

  <?xml version="1.0" encoding="UTF-8"?>
  <config version="1.0">
    <Directory>
      <DirectoryServerType>UDS</DirectoryServerType>
      <BDIUseSIPURIToResolveContacts>true</BDIUseSIPURIToResolveContacts>
      <UdsPhotoUriWithToken>http://c1.<app name>.dcloud.cisco.com/JabberPhotos/%%uid%%.png</UdsPhotoUriWithToken>
      <BDIUriPrefix>sip:</BDIUriPrefix>
      <UdsServer>c1.<app name>.dcloud.cisco.com</UdsServer>
    </Directory>
  </config>

The line related to photos is optional. It lets you serve a .png image of each user from the third-party app (the one used for directory separation), from the folder C:\inetpub\wwwroot\JabberPhotos\.

Step 2

Upload XML File to Unified CM TFTP.

  1. Log in to Unified CM, and navigate to Cisco Unified OS Administration.

  2. Navigate to Software Upgrades and TFTP File Management.

  3. Click Upload File to select and upload the XML file.

Step 3

Restart the TFTP Service.

  1. In Unified CM GUI, navigate to Cisco Unified Serviceability.

  2. Navigate to Tools and Control Center – Feature Services.

  3. Select Cisco Unified Communications Manager Server.

  4. Select Cisco TFTP.

  5. Click Restart.

Step 4

Add Customer Entry into Exp-C Allow List.

  1. Log in to Expressway-C with admin user.

  2. Navigate to Configuration > Unified Communications > Configuration.

  3. Click Configure HTTP server allow list.

  4. Click New.

    1. For Expressway version 8.8 or earlier, enter the customer domain with the third-party app in the Name field (for example, c2.<third-party app>.dcloud.cisco.com).

    2. For Expressway version 8.9 or later, enter https://<customer-name>.<third-party app name>.<domain.com>:8443/cucm-uds/ in the URL field, replacing customer-name and domain.com with the appropriate values. Select Prefix match as the match type.

      One HTTPS entry per customer is required. In addition, one allow-list entry shared by all customers is needed: https://<customer-name>.<third-party app name>.<domain.com>:8443/cucm-uds/, with customer-name replaced by any customer name (all the customer DNS entries resolve to the same third-party IP) and domain.com replaced with the appropriate value. Select Prefix match as the match type, select Choose methods for the allowed methods, and then select all the available methods.

  5. Click Create entry.

Step 5

Fill in the Cisco Support Field with XML Config file name.

  1. In Unified CM, locate the desired device configuration page for the associated Jabber device.

  2. Complete the Cisco Support Field with configurationfile=jabber-config-c2.xml, replacing the XML file name with the name of the file you uploaded.

  3. If you don't see the Cisco Support Field for mobile devices, then install the following Cisco Options Packages for your release of Cisco Unified Communications Manager:

    • cmterm-android-install-XXX.cop.sgn

    • cmterm-jabbertablet-install-XXX.cop.sgn

    • cmterm-iphone-install-XXX.cop.sgn
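A generator for the per-customer artifacts that Steps 1, 4 and 5 above require to agree with each other, as an added example that is not part of the original page or of Cisco's tooling: from one validated customer name it renders jabber-config-<customer>.xml from the Step 1 template, the Cisco Support Field value, and the Expressway-C allow-list URL for 8.9 or later. Customer and app names become DNS labels in c1.<app name>.<domain>, so they are restricted to RFC 1123 label syntax, which also keeps them safe inside the XML. The names dirsep and example.com in the usage are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Customer and app names are DNS labels in <customer>.<app name>.<domain>.
DNS_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def uds_host(customer: str, app_name: str, domain: str) -> str:
    """Host name that Jabber (UdsServer) and Expressway-C (allow list) must both use."""
    for label in (customer, app_name):
        if not DNS_LABEL.match(label):
            raise ValueError(f"not a valid DNS label: {label!r}")
    return f"{customer}.{app_name}.{domain}"


def jabber_config_xml(customer: str, app_name: str, domain: str, photos: bool = True) -> str:
    """Render jabber-config-<customer>.xml from the Step 1 template; the photo line is optional."""
    host = uds_host(customer, app_name, domain)
    config = ET.Element("config", version="1.0")
    directory = ET.SubElement(config, "Directory")
    ET.SubElement(directory, "DirectoryServerType").text = "UDS"
    ET.SubElement(directory, "BDIUseSIPURIToResolveContacts").text = "true"
    if photos:
        ET.SubElement(directory, "UdsPhotoUriWithToken").text = f"http://{host}/JabberPhotos/%%uid%%.png"
    ET.SubElement(directory, "BDIUriPrefix").text = "sip:"
    ET.SubElement(directory, "UdsServer").text = host
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(config, encoding="unicode")


def jabber_config_filename(customer: str) -> str:
    return f"jabber-config-{customer}.xml"


def cisco_support_field(customer: str) -> str:
    """Value for the device's Cisco Support Field (Step 5)."""
    return f"configurationfile={jabber_config_filename(customer)}"


def expressway_allow_list_url(customer: str, app_name: str, domain: str, port: int = 8443) -> str:
    """Prefix-match URL for the Expressway-C HTTP server allow list (Step 4, 8.9 or later)."""
    return f"https://{uds_host(customer, app_name, domain)}:{port}/cucm-uds/"


def uds_server_from_config(xml_text: str) -> str:
    """Read UdsServer back from a rendered file, to confirm the upload matches the allow list."""
    return ET.fromstring(xml_text).find("Directory/UdsServer").text


def customer_artifacts(customer: str, app_name: str, domain: str) -> dict:
    """Everything that has to agree for one customer, produced from one validated name."""
    return {
        "filename": jabber_config_filename(customer),
        "xml": jabber_config_xml(customer, app_name, domain),
        "support_field": cisco_support_field(customer),
        "allow_list_url": expressway_allow_list_url(customer, app_name, domain),
    }


if __name__ == "__main__":
    for key, value in customer_artifacts("c2", "dirsep", "example.com").items():
        print(f"{key}:\n{value}\n")
```

Write the xml value to the filename, upload it in Step 2, paste support_field into the Cisco Support Field in Step 5, and use allow_list_url for the Expressway-C entry; because all three come from the same validated name, a typo cannot leave a customer with a config that points at a host the allow list does not cover.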


Configure Directory Search in Desk Phones
The following steps make directory searches on desk phones return only the users in the phone's own customer.
Before you begin
For corporate directories to work on desk phones, ensure that you have added the following under <configuration> in the SpeedyPhoneService.config.xml file, located in C:\Program Files (x86)\StoneVoiceAS\Apps\Speedy\Settings on the third-party app server:
  <preference key="Speedy.AuthLevel.ShowLocalContacts" value="2" />
  <preference key="Speedy.directories.ShowLocalDirs" value="false" />
  <preference key="Speedy.directories.ShowDirectoryType" value="false" />
Procedure

Step 1

Log in to Unified CM, and navigate to Device > Device Settings > Phone Services.

Step 2

Search for Corporate Directory and select the directory.

Step 3

In the Service URL field, enter http://1.1.1.1/fw/Apps/Speedy/xml/directories/default.aspx?name=#DEVICENAME#, replacing 1.1.1.1 with the IP address of the <third-party app> server.

Alternatively, use any DNS name that resolves to the third-party app server IP address.

Step 4

Click Save.

Step 5

Reboot any phones already registered.

Note 

Another option for some devices is to set the Alternate phone book server address on the device page to https://customer-name.<third-party app>.domain.com:8443/cucm-uds/users. Replace customer-name.<third-party app>.domain.com with the DNS entry that resolves to the third-party app IP in the HCS SA domain.


Configure IM and P

Add LDAP Server and Authentication in Unified CM
Use this procedure to enable LDAP Authentication on Cisco Unified CM in the following situation, sometimes referred to as "top-down" deployment:
  • You plan to sync users from LDAP to Cisco Unified CDM.

  • You do not plan to sync those users from LDAP to Cisco Unified CM.

  • You plan to push those users from Cisco Unified CDM to Cisco Unified CM.

  • You want to use LDAP to authenticate those users' access to Cisco Unified CM.

Procedure

Step 1

On Unified CM, disable DirSync.

  1. Log in to Unified CM as an administrator.

  2. Navigate to Cisco Unified Serviceability, and click Go.

  3. Navigate to Tools > Service Activation.

  4. Scroll down to Directory Services and uncheck Cisco DirSync.

  5. Click Save.

Step 2

On Cisco Unified CM, enable LDAP.

  1. In Unified CM, navigate to Cisco Unified CM Administration, and click Go.

  2. Navigate to System > LDAP > LDAP System.

  3. Check Enable Synchronizing from LDAP Server.

  4. Select the LDAP Server Type.

    Note 

    This value must match the LDAP Server Type you choose in Cisco Unified CDM.

  5. Select the LDAP Attribute for User ID.

    Note 

    This value must match the LDAP attribute you choose in Cisco Unified CDM.

  6. Click Save.

Step 3

On Cisco Unified CM, configure LDAP Directory.

  1. In Unified CM, navigate to Cisco Unified CM Administration, and click Go.

  2. Navigate to System > LDAP > LDAP Directory.

  3. Configure fields in the LDAP Directory Information section:

    Field

    Description

    LDAP Configuration Name

    Enter a unique name (up to 40 characters) for the LDAP directory. Important: You use the LDAP Configuration Name when you configure the LDAP Server in Cisco Unified CDM.

    LDAP Manager Distinguished Name

    Enter the distinguished name (up to 128 characters) of the LDAP Manager, the account that Unified CM binds with to read the LDAP directory. A read-only directory account is sufficient for synchronization; do not use a domain administrator account.

    LDAP Password

    Enter a password (up to 128 characters) for the LDAP Manager.

    Confirm Password

    Re-enter the password that you provided in the LDAP Password field.

    LDAP User Search Base

    Enter the location (up to 256 characters) where all LDAP users exist. This location acts as a container or a directory. This information varies depending on your customer setup.

    LDAP Custom Filter

    Select an LDAP custom filter to filter the results of LDAP searches. LDAP users that match the filter are imported into the Unified CM database. LDAP users that do not match the filter do not get imported. The default value is <None>. This value applies a default LDAP filter that is specific to the LDAP server type. The available default LDAP filters are:
    • Microsoft Active Directory (AD): (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

    • iPlanet or Sun One LDAP Server: (objectclass=inetOrgPerson)

    • OpenLDAP: (objectclass=inetOrgPerson)

    • Microsoft Active Directory Application Mode (ADAM): (&(objectclass=user)(!(objectclass=Computer))(!(msDS-UserAccountDisabled=TRUE)))

  4. Configure fields in the LDAP Server Information section:

    Field

    Description

    Hostname or IP Address for Server

    Enter the hostname or IP address of the server where the data for this LDAP directory resides.

    LDAP Port

    Enter the port number on which the corporate directory receives the LDAP requests. You can access this field only if LDAP authentication for users is enabled.

    The default LDAP port for Microsoft Active Directory and for Netscape Directory is 389. The default LDAP port for Secure Sockets Layer (SSL) is 636.

    How your corporate directory is configured determines which port number to enter in this field. For example, before you configure the LDAP Port field, determine whether your LDAP server acts as a Global Catalog server and whether your configuration requires LDAP over SSL. Consider entering one of the following port numbers:

    LDAP Port when the LDAP server is not a Global Catalog server:
    • 389 – When SSL is not required. (This port number specifies the default that displays in the LDAP Port field.)

    • 636 – When SSL is required. (If you enter this port number, make sure that you check the Use SSL check box.)

    LDAP Port when the LDAP server Is a Global Catalog server:
    • 3268 – When SSL is not required.

    • 3269 – When SSL is required. (If you enter this port number, make sure that you check the Use SSL check box.)

    Tip 
    Your configuration may require that you enter a different port number than the options that are listed in the preceding bullets. Before you configure the LDAP Port field, contact the administrator of your directory server to determine the correct port number to enter.

    Use SSL

    Check this check box to use Secure Sockets Layer (SSL) encryption for the LDAP connection. Without it, the LDAP Manager bind password and the synchronized user data cross the network in cleartext.

    Note 
    If LDAP over SSL is required, the corporate directory SSL certificate must be loaded into Cisco Unified CM. The Cisco Unified Communications Operating System Administration Guide documents the certificate upload procedure in the Security chapter.

    Add Another Redundant LDAP Server

    Click this button to add another row to provide information about another LDAP server.

  5. Click Save.
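A local check for the LDAP Custom Filter and LDAP Port fields above, as an added example that is not part of the original page or of Unified CM: it evaluates each default filter from the table against a directory entry so you can predict which accounts DirSync will import (the AD filter's matching rule 1.2.840.113556.1.4.803 is a bitwise AND against userAccountControl, and bit 0x2 is ACCOUNTDISABLE), builds a narrowed custom filter with RFC 4515 escaping so a crafted value cannot widen the import, and flags port, Use SSL and Global Catalog combinations that contradict the table. The sample entries in the usage are constructed.

```python
import re
from typing import Dict, List

# Default import filters from the table above, keyed by LDAP Server Type.
DEFAULT_FILTERS: Dict[str, str] = {
    "Microsoft Active Directory":
        "(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))",
    "iPlanet or Sun One LDAP Server": "(objectclass=inetOrgPerson)",
    "OpenLDAP": "(objectclass=inetOrgPerson)",
    "Microsoft Active Directory Application Mode (ADAM)":
        "(&(objectclass=user)(!(objectclass=Computer))(!(msDS-UserAccountDisabled=TRUE)))",
}
ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by the bitwise-AND matching rule
STANDARD_PORTS = (389, 636, 3268, 3269)


def default_filter_matches(server_type: str, entry: Dict) -> bool:
    """Evaluate the default filter for server_type against one entry (attributes as a
    dict, objectClass as a list) without contacting the directory."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if server_type == "Microsoft Active Directory":
        uac = int(entry.get("userAccountControl", 0))
        return "user" in classes and "computer" not in classes and not (uac & ACCOUNTDISABLE)
    if server_type in ("iPlanet or Sun One LDAP Server", "OpenLDAP"):
        return "inetorgperson" in classes
    if server_type == "Microsoft Active Directory Application Mode (ADAM)":
        disabled = str(entry.get("msDS-UserAccountDisabled", "FALSE")).upper() == "TRUE"
        return "user" in classes and "computer" not in classes and not disabled
    raise ValueError(f"unknown LDAP Server Type: {server_type}")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter: backslash, *, (, ) and NUL become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def scoped_custom_filter(server_type: str, attribute: str, value: str) -> str:
    """AND the default filter with one extra clause (for example one OU or one customer);
    the value is escaped so it cannot close the clause and add its own."""
    if not re.match(r"^[A-Za-z][A-Za-z0-9-]*$", attribute):
        raise ValueError(f"bad attribute name: {attribute!r}")
    return f"(&{DEFAULT_FILTERS[server_type]}({attribute}={escape_filter_value(value)}))"


def ldap_port_problems(port: int, use_ssl: bool, global_catalog: bool) -> List[str]:
    """Check the LDAP Port / Use SSL / Global Catalog combination against the table above."""
    problems = []
    if port in (636, 3269) and not use_ssl:
        problems.append(f"port {port} is an SSL port but Use SSL is not checked")
    if port in (389, 3268) and use_ssl:
        problems.append(f"Use SSL is checked but port {port} is a cleartext port")
    if port in (3268, 3269) and not global_catalog:
        problems.append(f"port {port} is a Global Catalog port but the server is not a Global Catalog")
    if port in (389, 636) and global_catalog:
        problems.append(f"the server is a Global Catalog but port {port} is not a Global Catalog port")
    if port not in STANDARD_PORTS:
        problems.append(f"port {port} is not a standard LDAP port; confirm it with the directory administrator")
    return problems
```

Feed default_filter_matches the attributes of a few real accounts exported from the directory (an enabled user, a disabled user, a computer object) before the first sync; if the result differs from what you expect, the LDAP Custom Filter field is where to fix it, not the user list afterwards.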

Step 4

On Cisco Unified CM, configure LDAP Authentication.

  1. In Unified CM, navigate to Cisco Unified CM Administration, and click Go.

  2. Navigate to System > LDAP > LDAP Authentication.

  3. Check Use LDAP Authentication for End Users.

  4. Enter the LDAP Manager Distinguished Name, the administrative account with read access to the LDAP directory.

  5. Enter the LDAP Password for the user ID in previous step.

  6. Enter the LDAP User Search Base.

    Important 

    This value must match the LDAP User Search Base you configured for the LDAP Directory in Unified CM. It must also match the LDAP Server you configure in Unified CDM.

  7. Click Save.

Step 5

On Cisco Unified CDM, sync Cisco Unified CM data to Cisco Unified CDM.

  1. Log in to Unified CDM as a customer admin, and navigate to Device Management > Advanced > Perform Publisher Actions.

  2. Select Action > Import.

  3. Select the App Type and CUCM Device.

  4. Select an Available CUCM device to be synced.

  5. Click Save.

Step 6

On Cisco Unified CDM, configure the LDAP Server.

Note 
Be sure to set CUCM LDAP Directory Name to the LDAP Configuration Name you used to configure LDAP Directory on Cisco Unified CM.
Step 7

On Cisco Unified CDM, set up LDAP for user synchronization.

Step 8

On Cisco Unified CDM, sync users from LDAP to Cisco Unified CDM.

Step 9

On Cisco Unified CDM, push users to Cisco Unified CM, either by Manage Users or by Subscriber Management.

When users are pushed to Cisco Unified CM, the ldapDirectoryName field in the device/cucm/User is populated with the CUCM LDAP Directory Name. Cisco Unified CM treats the users as LDAP integrated, instead of local. The users appear as LDAP Active Users and use LDAP bind for authentication. From now on, the users are authenticated in Cisco Unified CM against the LDAP directory.


Add LDAP Server in Unified CDM and Define the CUCM LDAP Directory Name
Procedure

Step 1

In Unified CDM, navigate to LDAP Management > LDAP Server, and select the appropriate LDAP server.

Step 2

Fill in the AD Sync Mode field with the LDAP Directory name from Unified CM (System > LDAP > LDAP Directory), and click Save.

Step 3

Add/update users in Unified CM.

Step 4

In Unified CDM, select the site in hierarchy and navigate to User Management > Manage users.

Step 5

Select Add or update users to CUCM from the Action drop-down list.

Step 6

Select a Network Device List that contains the target Unified CM server.

Step 7

Click Select All.

Step 8

Click Save to move the selected users to Unified CM.

Step 9

Repeat for other sites.


Configure Managed File Transfer in Cisco Unified CM IM and Presence

Managed File Transfer (MFT) is a server-side file transfer solution. It allows an IM and Presence Service client, such as Cisco Jabber, to transfer files to other users in one-to-one chats, ad hoc group chats, and persistent chats. The file repository is on a customer-provided external file server, and all uploads and downloads are audit-logged in an external database.

This topic covers the procedure for configuring Managed File Transfer in Cisco Unified CM IM and Presence.

Prerequisites for Managed File Transfer in IM and P
  • Jabber 10.6

  • Unified CM IM & Presence 10.5.2 or above

  • PostgreSQL 8.3.x or above

Transferring files between Jabber clients has been supported for some time, but it was limited to peer-to-peer transfers, which ruled out transferring files in group chats and chat rooms.

Starting with Jabber 10.6 and Unified CM IM & Presence 10.5.2, a new method to transfer files between clients has been introduced with the following features:

  • Group chat support of File transfer

  • Chat room support of File transfer

  • Admin can define a file size for Jabber users when transferring files

  • File transfer compliance and screen captures are transferred for audit and policy control

  • File transfer inline status message

This is known as Managed File Transfer. While the peer-to-peer option does not involve any central instance, Managed File Transfer relies on a central database instance.

External Database Setup Requirements
General Requirements

Cisco recommends having a certified PostgreSQL, Oracle, or Microsoft SQL Server administrator to maintain and retrieve information from the external database.

Hardware Requirements

A remote server on which you install the PostgreSQL or Oracle database.

Software Requirements
  • IM and Presence Service, current release

  • External Database:

    Database

    Supported Versions

    PostgreSQL

    Versions 8.3.x through 9.4.x are supported; for IM and Presence Service Release 11.0(1), versions 9.1.9, 9.2.6, 9.3.6, and 9.4.1 have been tested.

    Note 

    You can also use version 8.1.x of the PostgreSQL database, but the configuration of these versions may be different from the PostgreSQL database configuration described in this section. See the PostgreSQL documentation for details on how to configure these PostgreSQL database versions. If you use version 8.1.x of the PostgreSQL database, the database configuration on IM and Presence Service is the same as described in this section.

    Oracle

    Versions 9g, 10g, 11g, and 12c are supported; for IM and Presence Service Release 11.0(1), versions 11.2.0.1.0 and 12.1.0.1.0 have been tested.

External Database Requirements for IM and Presence Service

The external database requirements depend on the features you need to deploy on IM and Presence Service.

Features

Requirements

Persistent Group Chat feature

A minimum of one unique logical external database instance (tablespace) is required for the entire IM and Presence Service intercluster. A unique logical external database instance for each IM and Presence Service node or redundancy group in an IM and Presence Service cluster provides optimum performance and scalability, but is not mandatory.

High Availability for Persistent Chat feature

You must enable High Availability and Persistent Chat. Make sure that both presence redundancy group nodes are assigned to the same unique logical external database instance.

Oracle and PostgreSQL can be used with High Availability for Persistent Chat. However, PostgreSQL presents significant challenges when you try to make it a highly available database with automatic redundancy.

Message Archiver (compliance) feature

We recommend that you configure at least one external database for each IM and Presence Service cluster; however, you may require more than one external database for a cluster depending on your database server capacity.

Managed File Transfer feature

You require one unique logical external database instance for each IM and Presence Service node in an IM and Presence Service cluster.

Note 

Database table space can be shared across multiple nodes or clusters provided capacity and performance isn't overloaded.

Set Up External Database Connection

IM and Presence Service does not establish a connection to the external database when you configure an external database entry. The external database has not created the database schema at this point. It is only when you assign an external database entry to a node that IM and Presence Service establishes an ODBC (Open Database Connectivity) connection with the external database. Once IM and Presence Service establishes a connection, the external database creates the database tables for the IM and Presence Service features.

Once you assign an external database entry to a node, you can validate the connection using the System Troubleshooter in the Cisco Unified CM IM and Presence Service Administration user interface.


Note

If your IM and Presence Service node connects to an external database server using IPv6, ensure that the enterprise parameter is configured for IPv6 and that Eth0 is set for IPv6 on each node in the deployment; otherwise, the connection to the external database server fails. The Message Archiver and Cisco XCP Text Conference Manager are unable to connect to the external database and fail. For information about configuring IPv6 on IM and Presence Service, see Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager guide available at https://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-im-presence-service-version-11-5/model.html.


Before you begin
  • Install and configure the external database.

  • Obtain the hostname or IP address of the external database.

Procedure

Step 1

Log in to the Cisco Unified CM IM and Presence Administration user interface.

Step 2

Navigate to Messaging > External Server Setup > External Databases.

Step 3

Click Add New.

Step 4

Enter the name of the database that you defined at external database installation, for example, tcmadb.

Step 5

Choose the database type from the drop-down list, Postgres or Oracle.

If you chose Oracle as the database type, enter the tablespace value.

Step 6

Enter the username for the database user (owner) that you defined at external database installation, for example, tcuser.

Step 7

Enter and confirm the password for the database user, for example, mypassword.

Step 8

Enter the hostname or IP address for the external database.

Step 9

Enter a port number for the external database.

The default port numbers for Postgres (5432), Oracle (1521), and Oracle with SSL enabled (2484) are prepopulated in the Port Number field. You can choose to enter a different port number, if required.

Step 10

If you chose Oracle as the Database Type, the Enable SSL checkbox becomes active. Check the checkbox to enable SSL. The Certificate Name drop-down list becomes active. Choose a certificate from the drop-down list.

Note 
  • When the Enable SSL check box or the Certificate drop-down field is modified, a notification to restart the corresponding service assigned to the external database is sent. A message concerning either Cisco XCP Message Archiver or Cisco XCP Text Conference Manager is generated.

  • The certificate you need to enable SSL must be uploaded to the cup-xmpp-trust store. You must upload this certificate before you enable SSL.

  • Once the certificate is uploaded to the cup-xmpp-trust store, you must wait 15 minutes for the certificate to propagate to all the nodes of the IM and Presence Service cluster. If you do not wait, the SSL connection on nodes where the certificate has not propagated fails.

  • If the certificate is missing or has been deleted from the cup-xmpp-trust store, an alarm XCPExternalDatabaseCertificateNotFound is raised in the Cisco Unified Communications Manager Real Time Monitoring Tool (RTMT).

Step 11

Click Save.

Step 12

If you make a configuration change in the install_dir/data/pg_hba.conf file or the install_dir/data/postgresql.conf file after you assign the external database, perform these steps:

  1. Unassign and reassign the external database to the IM and Presence Service node.

  2. Log in to the Cisco Unified IM and Presence Serviceability user interface.

  3. Navigate to Tools > Control Center - Network Services and restart the Cisco XCP Router service.


Accessing IM and Presence Service Status Information on an external database
IM and Presence Service provides the following status information on an external database:
  • Database reachability — Verifies that the IM and Presence Service can ping an external database.

  • Database connectivity — Verifies that the IM and Presence Service has successfully established an Open Database Connectivity (ODBC) connection with the external database.

  • Database schema verification — Verifies that the external database schema is valid.


Caution

If your IM and Presence Service node connects to an external database server using IPv6, ensure that the enterprise parameter is configured for IPv6 and that Eth0 is set for IPv6 on each node in the deployment; otherwise, the connection to the external database server fails. The message archiver (compliance) and Cisco XCP Text Conference Manager are unable to connect to the external database and fail. For information about configuring IPv6 on IM and Presence Service, see Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager guide available at https://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-im-presence-service-version-11-5/model.html.


Procedure

Step 1

Log in to the Cisco Unified CM IM and Presence Administration user interface.

Step 2

Navigate to Messaging > External Server Setup > External Databases.

Step 3

Click Find.

Step 4

Choose the external database entry that you want to view.

Step 5

Verify that there are check marks beside each of the result entries for the external database in the External Database Status section.

Step 6

In the Cisco Unified CM IM and Presence Administration user interface, navigate to Diagnostics > System Troubleshooter.

Step 7

Verify that there are check marks beside the status of each of the external database connection entries in the External Database Troubleshooter section.


Set Up an External File Server
Before you enable managed file transfer on an IM and Presence Service node, consider these points:
  • If you deploy any combination of the persistent group chat, message archiver, or managed file transfer features on an IM and Presence Service node, you can assign the same physical external database installation and external file server to all these features. However, you should consider the potential IM traffic, the number of file transfers, and the file size when you determine the server capacity.

  • Ensure that all clients can resolve the full FQDN of the IM and Presence Service node to which they are assigned. For the managed file transfer feature to work, it is not enough for the clients to resolve the hostname; they must be able to resolve the FQDN.

  • The node public key is invalidated if the node's assignment is removed. If the node is reassigned, a new node public key is automatically generated and the key must be reconfigured on the external file server.

  • The Cisco XCP File Transfer Manager service must be active on each node where managed file transfer is enabled.

You can configure one of the following options on the File Transfer window:
  • Disabled: file transfer is disabled for the cluster.

  • Peer-to-Peer: one-to-one file transfers are allowed, but files are not archived or stored on a server. Group chat file transfer is not supported.

  • Managed File Transfer: one-to-one and group file transfers are allowed. File transfers are logged to a database and the transferred files are stored on a server. The client must also support managed file transfer, otherwise no file transfers are allowed.

  • Managed and Peer-to-Peer File Transfer: one-to-one and group file transfers are allowed. File transfers are logged to a database and the transferred files are stored on a server only if the client supports managed file transfer. If the client does not support managed file transfer, this option is equivalent to the Peer-to-Peer option.


Note

If managed file transfer is configured on a node and you change the File Transfer Type to Disabled or Peer-to-Peer, be aware that the mapped settings to the external database and to the external file server for that node are deleted. The database and file server remain configured but you must reassign them if you re-enable managed file transfer for the node.


Depending on your pre-upgrade setting, after an upgrade to IM and Presence Service Release 10.5(2) or later, either Disabled or Peer-to-Peer is selected.

Prerequisites for External File Server
Before you begin
Complete the following steps before you set up the users, directories, ownership, and permissions on the file server.

Procedure

Step 1

Install a supported version of Linux.

Step 2

Verify that the file server supports SSHv2 and OpenSSH 4.9 or later by entering one of the following commands as root:

# telnet localhost 22
Trying ::1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.3
Or
# ssh -v localhost
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /root/.ssh/config ...
...debug1: Local version string SSH-2.0-OpenSSH_5.3
...
Step 3

To allow private/public key authentication, make sure that the following fields in the /etc/ssh/sshd_config file are set to yes:

  • Set RSAAuthentication to yes

  • Set PubkeyAuthentication to yes

If these lines are commented out in the file, they can be left alone.

Tip 

To enhance security, you can also disable password login for the file transfer user (for example, mftuser). This forces logging in only by SSH public/private key authentication.

Step 4

We recommend creating one or more separate partitions that are dedicated to file transfer storage so that other applications that run on the server do not write to it. All file storage directories must be created on these partitions.
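Offline checks for Step 2 and Step 3 above, added here as an example that is not part of the Cisco documentation. The sshd_config fragment and the mftuser name are constructed samples; the checks assume the OpenSSH banner format shown in Step 2 and the built-in sshd defaults (yes for both Step 3 keys).

```shell
#!/bin/sh
# Added example, not from the Cisco documentation: offline checks for the
# file-server prerequisites in Step 2 and Step 3 above. The sshd_config sample
# at the bottom is constructed.

# ssh_version_ok BANNER
# BANNER is the version string the server sends on port 22, for example
# "SSH-2.0-OpenSSH_5.3" or "SSH-2.0-OpenSSH_7.4p1 Debian-10". Succeeds only
# for SSH protocol 2 with OpenSSH 4.9 or later, the requirement in Step 2.
ssh_version_ok() {
    banner=$1
    case "$banner" in
        SSH-2.0-OpenSSH_[0-9]*) ;;      # protocol 2 and OpenSSH are both required
        *) return 1 ;;
    esac
    ver=${banner#SSH-2.0-OpenSSH_}      # "5.3", "7.4p1 Debian-10", ...
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}              # drop the "p1 ..." suffix
    [ -n "$minor" ] || minor=0
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 9 ]; }
}

# sshd_effective FILE OPTION DEFAULT
# Prints the value sshd uses for OPTION in an sshd_config-style FILE. Comment
# lines are skipped, so a commented-out "#PubkeyAuthentication yes" yields
# DEFAULT; the built-in default for both Step 3 keys is yes, which is why the
# procedure says such lines can be left alone. sshd honours the first
# occurrence of a keyword, and anything inside a Match block is conditional,
# so the scan stops at the first Match line.
sshd_effective() {
    value=$(awk -v opt="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        tolower($1) == "match"               { exit }   # conditional section begins
        tolower($1) == tolower(opt)          { print $2; exit }
    ' "$1")
    printf '%s\n' "${value:-$3}"
}

# sshd_match_user FILE USER OPTION
# Prints OPTION as set inside a "Match User USER" block, or nothing if that
# block does not set it. Only the single-criterion form "Match User name" is
# handled. This is how the Tip above (no password login for mftuser) is checked.
sshd_match_user() {
    awk -v user="$2" -v opt="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { inblk = (tolower($2) == "user" && $3 == user); next }
        inblk && tolower($1) == tolower(opt) { print $2; exit }
    ' "$1"
}

# mft_sshd_ok FILE USER
# Applies the Step 3 checks (both keys effectively yes) and the Tip (password
# authentication off for USER). RSAAuthentication only ever applied to the
# legacy protocol 1 and recent OpenSSH releases ignore it; the setting that
# governs the nodes' key-based logins is PubkeyAuthentication.
mft_sshd_ok() {
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ] || return 1
    [ "$(sshd_effective "$1" RSAAuthentication yes)" = yes ]    || return 1
    [ "$(sshd_match_user "$1" "$2" PasswordAuthentication)" = no ]
}

# write_sample_sshd_config PATH
# Writes a constructed sshd_config fragment (not taken from any real server):
# both Step 3 keys are commented out so the defaults apply, and a Match block
# disables password login for mftuser as the Tip recommends.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
#RSAAuthentication yes
#PubkeyAuthentication yes
PasswordAuthentication yes
Match User mftuser
    PasswordAuthentication no
EOF
}
```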


Set Up a User
Procedure

Step 1

On the file server as root, create a user who owns the file storage directory structure (our example uses mftuser) and force creation of the home directory (-m).

# useradd -m mftuser
# passwd mftuser
Step 2

Switch to the mftuser.

# su mftuser
Step 3

Create a .ssh directory under the ~mftuser home directory that is used as a key store.

$ mkdir ~mftuser/.ssh/
Step 4

Create an authorized_keys file under the .ssh directory that is used to hold the public key text for each managed file transfer enabled node.

$ touch ~mftuser/.ssh/authorized_keys
Step 5

Set the correct permissions for passwordless SSH to function.

$ chmod 700 ~mftuser (directory)
$ chmod 700 ~/.ssh (directory)
$ chmod 700 ~/.ssh/authorized_keys (file)
Note 

Depending on your SSH configuration, these permissions may vary on some Linux systems.


Set Up Directories
Procedure

Step 1

Switch back to the root user.

$ exit
Step 2

Create a top-level directory structure (for example, /opt/mftFileStore/) to hold directories for all the IM and Presence Service nodes that have managed file transfer enabled.

# mkdir -p /opt/mftFileStore/
Step 3

Provide the mftuser sole ownership of the /opt/mftFileStore/ directory.

# chown mftuser:mftuser /opt/mftFileStore/
Step 4

Provide the mftuser sole permissions to the mftFileStore directory.

# chmod 700 /opt/mftFileStore/
Step 5

Switch to the mftuser.

# su mftuser
Step 6

Create a subdirectory under /opt/mftFileStore/ for each managed file transfer enabled node (Later, when you enable managed file transfer, you assign each directory to a node).

$ mkdir /opt/mftFileStore/{node_1,node_2,node_3}
Note 
  • These directories and paths are used in the External File Server Directory field that you enter in the Deploy an External File Server on IM and Presence Service task.

  • If you have multiple IM and Presence Service nodes writing to this file server, you must define a target directory for each node, for example, {node_1, node_2, node_3}.

  • Within each node's directory, the transfer type subdirectories (im, groupchat, and persistent) are automatically created by IM and Presence Service, as are all directories below them.


Obtain the Public Key
Procedure

Step 1

To retrieve the file server's public key, enter:

$ ssh-keyscan -t rsa host

Where host is the hostname, FQDN, or IP address of the file server.

Warning 
  • To avoid a man-in-the-middle attack, where the file server public key is spoofed, you must verify that the public key value that is returned by the ssh-keyscan -t rsa host command is the real public key of the file server.

  • On the file server, go to the location of the ssh_host_rsa_key.pub file (under /etc/ssh/) and confirm that the contents of the public key file, minus the host (the host is absent in the ssh_host_rsa_key.pub file on the file server), match the public key value returned by the ssh-keyscan -t rsa host command.

Step 2

Copy the result of the ssh-keyscan -t rsa host command, not what is in the ssh_host_rsa_key.pub file. Be sure to copy the entire key value, from the server hostname, FQDN, or IP address to the end.

Note 
Usually the server key begins with the hostname or FQDN, although it may begin with an IP address. For example, copy:
hostname ssh-rsa AAAQEAzRevlQCH1KFAnXwhd5UvEFzJs...
...a7y49d+/Am6+ZxkLc4ux5xXZueL3GSGt4rQUy3rp/sdug+/+N9MQ==
(ellipses added).
Step 3

Save the result of the ssh-keyscan -t rsa host command to a text file. It is needed when you configure the file server during the Deploy an External File Server on IM and Presence Service procedure.

Step 4

Open the authorized_keys file you created and leave it open. It is used in the Enable Managed File Transfer on IM and Presence Service procedure.


Configure an External File Server Instance on IM and Presence Service
The procedure describes how to configure an external file server instance on IM and Presence Service. You must configure one external file server instance for each node in your cluster that has managed file transfer enabled. The external file server instances do not need to be physical instances of the external file server. However, for a given hostname, specify a unique external file server directory path for each external file server instance. You can configure all the external file server instances from the same node.
Procedure

Step 1

Log in to the Cisco Unified CM IM and Presence Administration user interface. Navigate to Messaging > External Server Setup > External File Servers.

Step 2

Click Add New. The External File Servers window appears.

Step 3

Enter the server details.

  • Name: Enter the name of the file server. Ideally, the server name should be descriptive enough to be instantly recognized. Maximum characters: 128. Allowed values are alphanumeric, dash, and underscore.

  • Host/IP Address: Enter the hostname or IP address of the file server.

    Note 
    • The value entered for the Host/IP Address field must match the beginning of the key that is entered for the External File Server Public Key field (follows).

    • If you change this setting, you must restart the Cisco XCP Router service.

  • External File Server Public Key: Paste the file server's public key (the key you were instructed to save to a text file) into this field.

    If you did not save the key, it can be retrieved by running the following command on the file server, where host is the IP address, hostname, or FQDN of the file server:

    $ ssh-keyscan -t rsa host

    You must copy and paste the entire key text, from the hostname, FQDN, or IP address to the end. For example, copy:
    extFileServer.cisco.com ssh-rsa AAAQEAzRevlQCH1KFAnXwhd5UvEFzJs...
    ...a7y49d+/Am6+ZxkLc4ux5xXZueL3GSGt4rQUy3rp/sdug+/+N9MQ==
    (ellipses added).

    Important 

    This value must begin with the hostname, FQDN, or IP address that you entered for the Host/IP Address field. For example, if extFileServer is used in the Host/IP Address field, then this field must begin with extFileServer followed by the entire RSA key.

  • External File Server Directory: The path to the top of the file server directory hierarchy, for example, /opt/mftFileStore/node_1/.

  • User Name: The user name of the external file server administrator.

Step 4

Repeat these steps to create an external file server instance for each node in the cluster that has managed file transfer enabled.

Step 5

Click Save.
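The two checks that the Warning in Obtain the Public Key and the Important note for the External File Server Public Key field ask you to make by eye, as an added shell example that is not part of the Cisco documentation. The hostname and key body in the sample function are constructed and far shorter than a real RSA key.

```shell
#!/bin/sh
# Added example, not from the Cisco documentation: the spoofing check from
# Obtain the Public Key and the field-consistency check from the External File
# Server Public Key field, as functions. Sample key material is constructed.

# keyscan_matches_hostkey KEYSCAN_LINE PUBKEY_FILE
# KEYSCAN_LINE is one output line of "ssh-keyscan -t rsa host":
#   "host ssh-rsa AAAA..."
# PUBKEY_FILE is the server's own /etc/ssh/ssh_host_rsa_key.pub:
#   "ssh-rsa AAAA... comment"
# Succeeds only when key type and key body are identical, i.e. the key seen
# over the network is the one the file server holds and nothing sat in between.
keyscan_matches_hostkey() {
    scanned=$(printf '%s\n' "$1" | awk 'NF >= 3 { print $2, $3 }')
    local_key=$(awk 'NF >= 2 { print $1, $2; exit }' "$2")
    [ -n "$scanned" ] && [ "$scanned" = "$local_key" ]
}

# public_key_field_ok HOST KEYTEXT
# HOST is the value typed into Host/IP Address; KEYTEXT is what will be pasted
# into External File Server Public Key. Succeeds only if KEYTEXT begins with
# exactly HOST, then "ssh-rsa", then a base64 key body, so the two fields agree.
public_key_field_ok() {
    host=$1
    set -- $2                           # split the pasted text on whitespace
    [ "$#" -ge 3 ] || return 1
    [ "$1" = "$host" ] || return 1
    [ "$2" = "ssh-rsa" ] || return 1
    case "$3" in
        *[!A-Za-z0-9+/=]*) return 1 ;;  # key body must be base64 characters only
    esac
    return 0
}

# sample_file_server_key
# Prints a constructed "ssh-keyscan -t rsa extFileServer.cisco.com" line. The
# body is not a real key; it exists only so the checks can be run offline.
sample_file_server_key() {
    printf '%s\n' "extFileServer.cisco.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCexampleKEYbody0123456789+/abcdefEXAMPLE=="
}
```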


Enable Managed File Transfer on IM and Presence Service
Before you begin
  • Set up an external database

  • Configure an External Database Instance on IM and Presence Service

  • Set Up an External File Server

  • Configure an External File Server Instance on IM and Presence Service

Procedure

Step 1

Log in to Cisco Unified CM IM and Presence Administration.

Step 2

Navigate to Messaging > File Transfer.

Step 3

In the File Transfer Configuration area of the File Transfer window, choose either Managed File Transfer or Managed and Peer-to-Peer File Transfer, depending on your deployment.

Step 4

Enter the Maximum File Size. If you enter 0, the maximum size (4GB) applies.

Note 

You must restart the Cisco XCP Router service for this change to take effect.

Step 5

In the Managed File Transfer Assignment area, assign the external database and the external file server for each node in the cluster.

  1. External Database: From the drop-down list, choose the name of the external database.

  2. External File Server: From the drop-down list, choose the name of the external file server.

Step 6

Click Save. After you click Save, a Node Public Key link appears for each assignment.

Step 7

For each node in the cluster that has managed file transfer enabled, you must copy the node's entire public key to the external file server's authorized_keys file.

  1. To display a node's public key, scroll down to the Managed File Transfer Assignment area and click the Node Public Key link. Copy the entire contents of the dialog box including the node's IP address, hostname, or FQDN.

    ssh-rsa yc2EAAAABIwAAAQEAp2g+S2XDEzptN11S5h5nwVleKBnfG2pdW6KiLfzu/sFLegioIIqA8jBguNY/...
    ...5s+tusrtBBuciCkH5gfXwrsFS0O0AlfFvwnfq1xmKmIS9W2rf0Qp+A+G4MVpTxHgaonw== imp@imp_node
    (ellipses added).
    Note 
    • If the managed file transfer feature is configured and the File Transfer Type is changed to either Disabled or Peer-to-Peer, all managed file transfer settings are deleted.

    • A node’s keys are invalidated if the node is unassigned from the external database and file server.

  2. On the external file server, if it was not left open, open the ~mftuser/.ssh/authorized_keys file that you created under the mftuser's home directory and (on a new line) append each node's public key.

    Note 
    The authorized_keys file must contain a public key for each managed file transfer enabled IM and Presence Service node that is assigned to the file server.
  3. Save and close the authorized_keys file.

Step 8

Ensure that the Cisco XCP File Transfer Manager service is active on all nodes where managed file transfer is enabled.

This service only starts if an external database and an external file server have been assigned, and if the service can connect to the database and mount the file server. Complete the following steps to check that the Cisco XCP File Transfer Manager service is active on all managed file transfer enabled nodes:

  1. On any node in the cluster, log in to the Cisco Unified IM and Presence Serviceability user interface.

  2. Navigate to Tools > Service Activation.

  3. Choose a server (node) and click Go.

  4. Ensure the check box next to Cisco XCP File Transfer Manager is checked and that the Activation Status is Activated.

    Note 

    If the above conditions are not met, click Refresh. If the Activation Status remains the same after a Refresh, go to Step 8.

  5. Repeat step d on all nodes where managed file transfer is enabled.

Step 9

If you are configuring the managed file transfer feature on a node for the first time, you must manually start the Cisco XCP File Transfer Manager service, as follows:

  1. On any node in the cluster, log in to the Cisco Unified IM and Presence Serviceability user interface.

  2. Navigate to Tools > Control Center - Feature Activation.

  3. Choose a server (node) and click Go.

  4. In the IM and Presence Services area, click the radio button next to Cisco XCP File Transfer Manager.

  5. Click Start.

  6. Repeat steps c-e for all nodes where managed file transfer is enabled. This is the same as substep 6 of Step 10 below.

Step 10

Restart the Cisco XCP Router service.

  1. On any node in the cluster, log in to the Cisco Unified IM and Presence Serviceability user interface.

  2. Navigate to Tools > Control Center - Network Services.

  3. Choose a server (node) and click Go.

  4. In the IM and Presence Services area, click the radio button next to Cisco XCP Router.

  5. Click Restart.

  6. Repeat steps c-e for all nodes where managed file transfer is enabled.

Step 11

Verify that there are no problems with the external database setup and with the external file server setup.

  • For the external database:

  1. Log in to the node's Cisco Unified CM IM and Presence Administration user interface.

  2. Navigate to Messaging > External Server Setup > External Databases.

  3. Check the information provided in the External Database Status area.

  • On the node where you need to verify that the external file server is assigned:

  1. Log in to the node's Cisco Unified CM IM and Presence Administration user interface.

  2. Navigate to Messaging > External Server Setup > External File Servers.

  3. Check the information provided in the External File Server Status area.
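The file-server side of Set Up a User, Set Up Directories, and Step 7 of the procedure above, as an added shell example that is not part of the Cisco documentation. It runs as the file transfer user against any home and store paths you pass in (useradd and the chown of the store still need root), and the node key lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Cisco documentation: the file-server steps of
# Set Up a User, Set Up Directories and Step 7 of Enable Managed File Transfer
# as shell functions, plus a verifier for the ownership and modes they require.
# Run as the file transfer user (our example: mftuser) against paths you pass
# in; useradd and the chown of the store (Steps 1 and 3 above) still need root.

# mode_of PATH   prints the octal permission bits of PATH (GNU stat, then BSD)
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# owned_by_me PATH   succeeds if PATH belongs to the current user
owned_by_me() {
    [ -n "$(find "$1" -prune -user "$(id -un)" -print)" ]
}

# setup_key_store HOME
# Creates HOME/.ssh and authorized_keys with the modes from Set Up a User,
# Step 5. sshd (StrictModes) refuses the key file when HOME, .ssh or the file
# is writable by anyone but the owner, so 700 on the directories is exactly
# what is needed; the file gets 600 here, which passes the same test as the
# procedure's 700 and needs no execute bit.
setup_key_store() {
    home=$1
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 700 "$home" "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# setup_file_store BASE NODE...
# Creates BASE with mode 700 (Set Up Directories, Step 4) and one subdirectory
# per managed file transfer node (Step 6), for example
#   setup_file_store /opt/mftFileStore node_1 node_2 node_3
setup_file_store() {
    base=$1; shift
    mkdir -p "$base"
    chmod 700 "$base"
    for node in "$@"; do
        mkdir -p "$base/$node"
    done
}

# add_node_key AUTHORIZED_KEYS KEYLINE
# Appends one node's public key (the text behind the Node Public Key link,
# "ssh-rsa <base64> imp@imp_node") on a line of its own, as Step 7 requires.
# Rejects malformed lines and a key body that is already present, so running
# it again after a node is reassigned cannot leave duplicate entries.
add_node_key() {
    keys=$1; line=$2
    set -- $line                               # split the key line into fields
    [ "$#" -ge 2 ] && [ "$1" = ssh-rsa ] || return 1
    case "$2" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    if awk -v b="$2" '$2 == b { f = 1 } END { exit !f }' "$keys" 2>/dev/null; then
        return 1                               # same key body already listed
    fi
    if [ -s "$keys" ] && [ -n "$(tail -c 1 "$keys")" ]; then
        printf '\n' >> "$keys"                 # previous entry lacked a newline
    fi
    printf '%s\n' "$line" >> "$keys"
}

# verify_mft_layout HOME BASE
# Re-checks what the procedures leave behind: HOME, HOME/.ssh and BASE are
# mode 700 and owned by this user, authorized_keys is writable by nobody else,
# and every node directory under BASE belongs to this user as well.
verify_mft_layout() {
    home=$1; base=$2
    for d in "$home" "$home/.ssh" "$base"; do
        [ "$(mode_of "$d")" = 700 ] && owned_by_me "$d" || return 1
    done
    case "$(mode_of "$home/.ssh/authorized_keys")" in
        ?[0145][0145]) ;;                      # no group or other write bit
        *) return 1 ;;
    esac
    for d in "$base"/*/; do
        owned_by_me "$d" || return 1
    done
}
```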


Configure Unity Connection

Configure Voice Mail in Unified CDM

For a detailed procedure on configuring voice mail, see Cisco Unified Communications Domain Manager Maintain and Operate Guide.

Manual Set Up: Cisco Unity Connection
Procedure

Step 1

In Expressway-C, navigate to Configuration > Unified Communications > Unity Connection Servers, and add the entries for the Unity Connection server:

  • Enter your username

  • Enter password

  • Set the TLS verify mode to Off.

Step 2

If the Unified CM Cluster has two or more servers, complete the following manual configuration in Unity Connection:

  1. In Unity Connection, navigate to Telephony Integrations > Port Group, and then go to Edit > Servers.

  2. Add the other CUCM Server (SIP Servers) IP Address/Hostname and Port details.

Step 3

If the Unity Connection cluster has Active-Active publishers, complete the following configuration in Unity Connection:

When Unified CDM provisions the voicemail service, the ports are created only for Publisher1 of the Unity Connection cluster. You must manually add the ports for Publisher2.

  1. In Unity Connection, navigate to Telephony Integrations > Port Group.

  2. Select the desired Port Group.

  3. For the second publisher, navigate to Related Links > Add Ports.

  4. Navigate to Devices > Trunks, and add the remaining Unity Connection server IP address and destination ports in the Destination Addresses.

Step 4

Complete the following configuration so that the Cisco Jabber client can retrieve the voicemail server information:

Cisco Jabber does not read the Voicemail UC Service Profile when it is deployed only in Phone mode.

  1. Update the jabber-config.xml file with the following voicemail parameters.

    <Voicemail>
    <VoicemailService_UseCredentialsFrom>phone</VoicemailService_UseCredentialsFrom>
    <VoicemailPrimaryServer>X.X.X.X</VoicemailPrimaryServer>
    </Voicemail>

    Where X.X.X.X is the FQDN or Hostname of Unity Connection server.

  2. Upload the jabber-config.xml to all the CUCM TFTP servers, and then restart the TFTP service on TFTP server nodes.

  3. Reset the Jabber client.

Step 5

Complete the following configuration for the Cisco Jabber client on the IM and Presence server:

The Jabber client's IM address is in <UserID>@<DefaultDomain> format, which is not the same as the user's e-mail address. Update the IM Address Scheme configuration so that the user's proper e-mail address is displayed.

  1. In Unified CM IM and Presence Administration, navigate to Presence > Settings > Advanced Configuration.

  2. Set the IM Address Scheme to Directory URI.

    Note 
    Default Domain or IM Address Scheme cannot be changed until the following services are stopped on all the nodes. Ensure that HA is disabled before stopping these services.
    • Cisco Presence Engine

    • Cisco SIP Proxy

    • Cisco XCP Router

    • Cisco Sync Agent

    • Cisco Client Profile Agent

Step 6

Complete the following configuration for Exchange Integration in Unity Connection:

  1. In Unity Connection, navigate to Unified Messaging > Unified Messaging Services.

  2. Add a service with the Exchange server details.

Step 7

In Unity Connection, navigate to Users > Users, and change the Class of Service from the Default Class of Service to Customer Specific Class of Service (for example, Voice Mail User COS to Cu7-C0003vmService_COS_1).

Step 8

In Unity Connection, navigate to Users > Users.

  1. Navigate to Edit > Password Settings.

  2. Uncheck the User Must Change at Next Sign-In check box.

Step 9

In Microsoft Exchange Server, enable Impersonation Account for the User.

Step 10

In Unity Connection, navigate to Users > Users.

  1. Navigate to Edit > Unified Messaging Accounts.

  2. Add a new account for the user.

  3. Click Test to run a test and check for any issues with the user's Exchange integration.

    Tip 

    The Connection Notifier service must be running on the active Unity Connection node for MWI (message waiting indication) to work.


Configure Call Screening
Procedure

Step 1

Complete the following steps in Unified CM:

  1. Create a DN and then associate the DN to a CTI route point.

  2. In the newly created DN, set Call Forward All to Voice mail and associate VM profile to DN.

  3. Associate the VM profile to the number that needs to be screened.

  4. In the SIP trunk to Voice Mail, check the Redirection header Inbound and Outbound check boxes, select Cux-ISR-CSS, and reset the SIP trunk.

Step 2

Complete the following steps in Unity Connection:

  1. Create a call handler (Call Management > System Call Handlers) with a display name. Associate the right Phone system and partition.

  2. Edit Transfer rules and uncheck Alternate and Closed rules.

  3. Open Standard rule, and set Transfer calls to Extension or URI to the DN which needs to be screened.

  4. Check Ask Me If I want to Take a Call and Ask for Caller's Name, and save the settings.

  5. Navigate to Call Management > Call Routing > Forwarded Routing Rules and create a new rule.

  6. Provide the display name of the new rule, and click the radio button Call Handler. Select the call handler which was created.

  7. Click radio button Attempt Transfer.

  8. Add a new routing rule condition, with Forwarding station "equals" to the DN which was associated to CTI route point.


Configure Cisco Expressway

Configure Expressway-C for Unified Communications

Discover Unified CM Servers
Procedure

Step 1

On Expressway-C, navigate to Configuration > Unified Communications > Unified CM servers.

The page lists any Unified CM nodes that have already been discovered.

Step 2

Add the details of a Unified CM publisher node:

  1. Click New.

  2. Enter the Unified CM publisher address.

    Note 

    You must enter an FQDN when TLS verify mode is On.

  3. Enter the Username and Password of an account that can access this server.

    Note 

    These credentials are stored permanently in the Expressway database. The corresponding Unified CM user must have the Standard AXL API Access role.

  4. [Recommended] Leave TLS verify mode switched On to ensure Expressway verifies the node's certificates.

    The Unified CM node presents its tomcat certificate for AXL and UDS queries, and its CallManager certificate for subsequent SIP traffic. If the Unified CM server is using self-signed certificates, the Expressway-C's trusted CA list must include a copy of the tomcat certificate and the CallManager certificate from every Unified CM server.

  5. [Optional] Select which deployment this node or cluster belongs to.

    The Deployment field does not show if you have not created multiple deployments. All nodes belong to the default deployment if you choose not to use multiple deployments.

  6. Click Addresses.

    If you enabled TLS verify mode, then the Expressway tests whether a secure connection can be established. It does this so you can find any TLS configuration errors before it continues the discovery process.

    If the secure connection test was successful, or if you did not enable TLS verify mode, then the system attempts to contact the publisher and retrieve details of its associated nodes.

Step 3

Repeat the discovery procedure for other Unified CM nodes/clusters, if required.

Step 4

Click Refresh servers to refresh all the node details after configuring multiple publisher addresses.


Edit the HTTP Allow List on Expressway-C
Procedure

Step 1

On Expressway-C, navigate to Configuration > Unified Communications > HTTP allow list > Editable inbound rules.

The page has two areas: one for controlling the default HTTP methods, and the other showing the editable rules.

Step 2

[Optional] Use the checkboxes to modify the set of default HTTP methods, then click Save.

You can override the defaults while you're editing individual rules. If you want to be as secure as possible, clear all methods from the default set and specify methods on a per rule basis.

Note 

When you change the default methods, all rules that you previously created with the default methods use the new defaults.

Step 3

[Recommended] Delete any rules you don't need by checking the boxes in the left column, then clicking Delete.

Step 4

Click New to create a rule.

Step 5

Complete the fields to create the rule to your requirements:

  • Description: Enter a meaningful description for this rule, to help you recognize its purpose.

  • Url: Specify a URL that MRA clients are allowed to access. For example, to allow access to https://www.example.com:8080/resource/path, type it in exactly like that.

    1. The protocol the clients use to access the host must be http:// or https://.

    2. Specify a port when using a non-default port, for example, :8080 (the default ports are 80 for http and 443 for https).

    3. Specify the path to limit the rule scope (more secure), for example, /resource/path.

      If you select Prefix match for this rule, you can use a partial path or omit the path. This could be a security risk if the target resources are not resilient to malformed URLs.

  • Allowed methods: Select Use defaults or Choose methods. If you choose specific HTTP methods for this rule, they override the defaults you chose for all rules.

  • Match type: Select Exact match or Prefix match. Your decision here depends on your environment. It is more secure to use exact matches, but you may need more rules. It is more convenient to use prefix matches, but there is some risk of unintentionally exposing server resources.

  • Deployment: If you are using multiple deployments for your MRA environment, you also need to choose which deployment uses the new rule. You won't see this field unless you have more than one deployment.

Step 6

Click Create Entry to save the rule and return to the editable allow list.

Step 7

[Optional] Click View/Edit to change the rule.
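The following Python script is an added example, not Expressway code or Cisco tooling. It models the Exact match and Prefix match behaviour described in Step 5 and shows the risk the Url field note warns about: a request whose path contains ".." segments passes a plain prefix comparison on the raw path but falls outside the rule once the path is normalized, so a target that resolves dot segments itself would serve a resource the rule never named. The rule URLs, request URLs, method sets and the segment-aware prefix comparison are assumptions of the model, not documented Expressway behaviour.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit

# Added example, not Expressway code: a model of the HTTP allow list's Exact and
# Prefix match types. Rule URLs and request URLs below are constructed.

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Rule:
    url: str              # as typed into the Url field, e.g. https://www.example.com:8080/resource/path
    match: str            # "exact" or "prefix"
    methods: frozenset    # HTTP methods allowed by this rule


def split_url(url, normalize_path):
    """Return (scheme, host, port, path) or None if the scheme is not http/https.
    Default ports are made explicit so https://h/ and https://h:443/ compare equal.
    With normalize_path, dot segments are resolved so '/a/../b' compares as '/b'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS[scheme]
    path = parts.path or "/"
    if normalize_path:
        norm = posixpath.normpath(path)
        if path.endswith("/") and norm != "/":
            norm += "/"          # keep a trailing slash; normpath strips it
        path = norm
    return scheme, host, port, path


def prefix_matches(rule_path, req_path):
    """Prefix match on whole path segments: /api/ covers /api and /api/users
    but not /apix, which a plain startswith() would accept (assumed semantics)."""
    base = rule_path.rstrip("/")
    return req_path in (rule_path, base) or req_path.startswith(base + "/")


def is_allowed(rules, method, request_url, normalize_path=True):
    """True if some rule permits this method and URL. normalize_path=False models a
    target that treats '..' literally, so a prefix rule can be escaped."""
    req = split_url(request_url, normalize_path)
    if req is None:
        return False
    for rule in rules:
        if method.upper() not in rule.methods:
            continue
        r = split_url(rule.url, normalize_path=True)
        if r is None or r[:3] != req[:3]:
            continue                      # scheme, host or port differs
        if rule.match == "exact" and req[3] == r[3]:
            return True
        if rule.match == "prefix" and prefix_matches(r[3], req[3]):
            return True
    return False


def demo_rules():
    """Two constructed rules: the page's exact-match example and a prefix rule."""
    return [
        Rule("https://www.example.com:8080/resource/path", "exact", frozenset({"GET"})),
        Rule("https://www.example.com/api/", "prefix", frozenset({"GET", "POST"})),
    ]


if __name__ == "__main__":
    rules = demo_rules()
    for method, url in [("GET", "https://www.example.com:8080/resource/path"),
                        ("POST", "https://www.example.com:8080/resource/path"),
                        ("GET", "https://www.example.com/api/../admin/users")]:
        print(method, url, "->", is_allowed(rules, method, url),
              "(raw prefix check:", is_allowed(rules, method, url, normalize_path=False), ")")
```

The third request in the demo is the case to keep in mind when you pick Prefix match: it is allowed by the raw comparison and refused after normalization. Whether the real target normalizes before or after authorization is what decides whether a prefix rule is safe for it.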


What to do next
Upload Rules to the HTTP Allow List. For detailed information, see Mobile and Remote Access Through Cisco Expressway.
Configure Domains to Route to Unified CM
You must configure the domains for which registration, call control, provisioning, messaging and presence services are to be routed to Unified CM.
Procedure

Step 1

On Expressway-C, navigate to Configuration > Domains.

Step 2

Select the domains (or create a new domain, if not already configured) for which services are to be routed to Unified CM.

Step 3

For each domain, turn On the services (for example, Unified CM registration, IM and Presence Service, XMPP Federation) that Expressway is to support.


Enabling Shared Line / Multiple Lines for MRA Endpoints

If you want MRA endpoints to be able to register multiple lines, or to share lines with other endpoints, then you must enable SIP Path headers on the Expressway-C.

The default behavior is for the Expressway-C to rewrite the Contact header in REGISTER messages. When you turn SIP Path headers on, the Expressway-C does not rewrite the Contact header, but adds its address into the Path header instead.

Before you begin
Requires Unified CM 11.5(1)SU2 or later.
Procedure

Step 1

On Expressway-C, navigate to Configuration > Unified Communications > Configuration.

Step 2

Change SIP Path headers to On.

Step 3

Click Save.

The Expressway-C puts its address in the Path headers of registrations from now on, and preserves the Contact header.

Step 4

Refresh your Unified CM servers (Configuration > Unified Communications > Unified CM server, click Refresh servers).

Note 
This feature is disabled by default, because it impacts some features on earlier versions of Unified CM.
If you are using a Unified CM version before 11.5(1)SU2, and you enable SIP Path headers on Expressway-C, the following Unified CM features will report the MRA devices' IP addresses instead of the Expressway's IP address:
  • Device Mobility

  • Real-Time Monitoring Tool (RTMT)

  • Cisco Emergency Responder (CER)

Other features may also be affected by this change. The devices' IP addresses are not useful for determining their location, as they are typically from reserved private ranges and could overlap with your organization's internal range.
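The following Python script is an added example, not Expressway code. It models the two REGISTER-forwarding behaviours described above: with SIP Path headers Off, the Contact URI is rewritten to point at the Expressway-C; with SIP Path headers On, the Contact header is left as the client sent it and the Expressway-C's own URI is added as a Path header value. The Expressway-C URI and the REGISTER message are constructed, and the check that the client declared Supported: path (from RFC 3327, which defines the Path header) is this example's addition; the page does not describe how Expressway handles a client that omits it.

```python
import re

# Added example, not Expressway code: a model of the two REGISTER-forwarding
# behaviours (rewrite Contact, or keep Contact and add Path). The Expressway-C
# URI and the REGISTER below are constructed.
EXPRESSWAY_C_URI = "sip:expc.internal-domain.net:5061;transport=tls;lr"   # assumed address

REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.10.1.20:51234;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.10.1.20\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@10.10.1.20:51234;transport=tls>;expires=3600\r\n"
    "Supported: path\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse(msg):
    """Split a SIP message into (start line, [(name, value)], body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def build(start, headers, body):
    return start + "\r\n" + "".join("%s: %s\r\n" % h for h in headers) + "\r\n" + body


def values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


def forward_register(msg, sip_path_headers, own_uri=EXPRESSWAY_C_URI):
    """Return the REGISTER as the Expressway-C would forward it to Unified CM."""
    start, headers, body = parse(msg)
    if not sip_path_headers:
        # Default behaviour: point the Contact URI at the Expressway-C itself so that
        # Unified CM sends requests for this registration back through the Expressway-C.
        own_hostport = own_uri.split(";")[0].split(":", 1)[1]
        rewritten = [(n, re.sub(r"@[^;>]+", "@" + own_hostport, v, count=1) if n.lower() == "contact" else v)
                     for n, v in headers]
        return build(start, rewritten, body)
    # SIP Path headers On: Contact is preserved and our URI goes into Path.
    # RFC 3327 only lets a proxy add Path when the client declared "Supported: path";
    # otherwise it has to reject with 421 Extension Required rather than guess.
    supported = {t.strip().lower() for v in values(headers, "Supported") for t in v.split(",")}
    if "path" not in supported:
        raise ValueError("REGISTER lacks 'Supported: path'; respond 421 Extension Required")
    path_value = "<%s>" % own_uri
    out, inserted = [], False
    for n, v in headers:
        if n.lower() == "path" and not inserted:
            out.append(("Path", path_value))        # topmost value, as with Record-Route
            inserted = True
        out.append((n, v))
    if not inserted:
        out.insert(len(out) - 1, ("Path", path_value))   # before Content-Length
    return build(start, out, body)


if __name__ == "__main__":
    print(forward_register(REGISTER, sip_path_headers=False))
    print(forward_register(REGISTER, sip_path_headers=True))
```

Running the script prints both forms of the same registration; the difference between them is exactly the one Unified CM sees when you flip the SIP Path headers setting, which is why the Unified CM version requirement above matters.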


Configure SIP
Procedure

Step 1

On Expressway-C, navigate to Configuration > Protocol > SIP.

Step 2

Complete the SIP configuration:

Field                             Setting

SIP mode                          Set to On
UDP mode                          Set to Off
UDP port
TCP mode                          Set to On
TCP port
TLS mode
TLS port
Mutual TLS mode                   Set to Off
Mutual TLS port
TCP outbound port start
TCP outbound port end
TLS handshake timeout (seconds)


Configure SIP Domains
The Expressway acts as a SIP Registrar for configured SIP domains, accepting registration requests for any SIP endpoints attempting to register with an alias that includes these domains.
  • Registration restriction (Allow or Deny) rules can be configured to limit acceptable registrations. See Configure Registration Restriction Policy (Optional).

    If authentication is enabled, only devices that can properly authenticate themselves will be allowed to register.

Procedure

Step 1

On Expressway-C and Expressway-E, navigate to Configuration > Domains.

Step 2

Click New.

Step 3

Enter the domain name into the Name field (on both Expressway-C and Expressway-E):

Step 4

Click Create domain.

The Domains page displays all configured SIP domain names.


Configure Registration Restriction Policy (Optional)
You can limit the aliases that endpoints can register, using either an Allow list or a Deny list. This is an example of how to configure Allow list registration restrictions:
Procedure

Step 1

On Expressway-C, navigate to Configuration > Registration > Allow List.

Step 2

Click New.

Step 3

Create an allow pattern by configuring the following fields. This example limits registrations to endpoints which register with an identity that contains “@example.com”.

Field            Setting

Description      Enter Only allow registrations containing "@example.com"
Pattern type     Regex
Pattern string   Enter .*@example\.com

Step 4

Click Add Allow List pattern.


What to do next
Activate the registration restriction. For the detail configuration, see Cisco Expressway-E and Expressway-C - Basic Configuration.
Configure Unified CM Servers on Expressway-C
Procedure

Step 1

On Expressway-C, navigate to Configuration > Unified Communications > Unified CM servers. The page displays any existing servers that have been configured.

Step 2

Add the details of a Unified CM publisher.

  1. Click New.

  2. Enter the Unified CM publisher address, and the Username and Password credentials of an application user account that can access the server. The address can be specified as an FQDN or as an IP address. The Unified CM user must have the Standard AXL API Access role.

  3. Set the TLS Verify Mode to OFF. The system then attempts to contact the publisher and retrieve details of its associated nodes.

     With TLS verify mode Off, the Expressway-C does not check the certificate that the Unified CM node presents. Treat this as an initial setting: once the Unified CM nodes have certificates signed by a CA that the Expressway-C trusts, and the address you entered is an FQDN that matches a name in the certificate, set TLS verify mode to On and refresh the servers.

  4. Repeat for every Unified CM cluster.


Configure Unified Communications Traversal Zone to Expressway-C

Procedure

Step 1

Log in to Cisco Expressway-E.

Step 2

Navigate to Configuration > Zones > Zones.

Step 3

Complete the fields to create a Unified Communications traversal zone to the Expressway-C.

Step 4

Configure the SIP Settings.

Field                            Setting

Port                             Enter the port number.
TLS verify subject name          Select Allow from the drop-down.
Accept proxied registrations     Select Allow from the drop-down.
ICE support                      Select Off from the drop-down.
SIP poison mode                  Select Off from the drop-down.
Preloaded SIP routes support     Select Off from the drop-down.
SIP parameter preservation       Select Off from the drop-down.

Step 5

Configure the Authentication Settings.

  • Select Do not check credentials from the Authentication policy drop-down list.

Note 
  • Ensure that the connection credentials on the Expressway pair match.

  • Ensure that the Peer 1 address reflects the FQDN of Expressway-E and it is reachable.

  • Once added, ensure that the Status of the Zone is Active.

Step 6

Navigate to Configuration > Dial Plan > Search rules and click New.

Step 7

Create Search rules to route traffic from Expressway-E to Unified CM and from Unified CM to Expressway-E.

For more information on creating Secure Traversal Zones, refer to the Cisco Expressway Administrator guide.


Configure Expressway-E for MRA

Ensure that Expressway-E is publicly accessible and can be reached via a browser by using the domain address [example: vcse.collabedge-XXX.dc-YY.com]. For additional troubleshooting requirement, see DNS Records.

Configure DNS, NTP, and IP Settings
Procedure

Step 1

Log in to Expressway-E.

Step 2

Navigate to System > DNS.

  1. Ensure that the System host name and Domain name are specified.

  2. Ensure that the Public DNS servers are specified.

Step 3

Navigate to System > Time.

  1. Ensure that all Expressway systems are synchronized to a reliable NTP service.

    Note 
    Use an Authentication method in accordance with your local policy.
Step 4

Navigate to System > Network interfaces > IP, and ensure the following settings:

  • The LAN settings are in IPv4 mode.

  • The dual network interfaces are configured properly if needed.

  • The IPv4 address/gateway/subnet mask is correct.

  • The IPv4 static NAT mode is on for the external LAN.

  • The IPv4 static NAT address is the correct public IP.


Enable Mobile and Remote Access
Procedure

Step 1

On Expressway-C, navigate to Configuration > Unified Communications > Configuration.

Step 2

Set Mobile and remote access to ON.

Step 3

Click Save.


Configure SIP
Procedure

Step 1

On Expressway-E, navigate to Configuration > Protocol > SIP.

Step 2

Complete the SIP configuration:

Field                             Setting

SIP mode                          Set to On
UDP mode                          Set to Off
UDP port
TCP mode                          Set to On
TCP port
TLS mode
TLS port
Mutual TLS mode                   Set to Off
Mutual TLS port
TCP outbound port start
TCP outbound port end
TLS handshake timeout (seconds)


Configure DNS Zone
The DNS zone is used to search for externally hosted systems (such as for business to business calling). Destination aliases are searched for by a name using a DNS lookup. Configure a new DNS Zone that allows your Expressway-E to identify and route OTT calls.
Procedure

Step 1

On the Expressway-E, navigate to Configuration > Zones > Zones.

Step 2

Click New.

Step 3

Configure the fields as follows:

Field                         Setting

Name                          Enter a name, for example, DNSZone.
Type                          DNS
H.323 Mode                    On
SIP Mode                      On
Fallback transport protocol   TCP
Include address record        Off
TLS Verify Mode               Off

Step 4

Click Create Zone.


DNS Records

This section summarizes the public (external) and local (internal) DNS requirements. For more information, see the Cisco Jabber Planning Guide on the Jabber Install and Upgrade Guides page.

DNS Configuration on Host Server
The following records are required in the external DNS which hosts the externally routable domain (example.com). This allows:
  • External endpoints registration messages to be routed to the Expressway-E.

  • Calls from non-registered endpoints (or other infrastructure devices) to be routed to the Expressway-E.

Host DNS A Record

Host                 Host IP address
expe.example.com     192.0.2.2

DNS SRV Records

Name           Service       Protocol   Priority   Weight   Port     Target host
example.com.   h323cs        tcp        10         10       1720     expe.example.com.
example.com.   h323ls        udp        10         10       1719     expe.example.com.
example.com.   sip           tcp        10         10       5060     expe.example.com.
example.com.   sip           udp*       10         10       5060     expe.example.com.
example.com.   sips          tcp        10         10       5061     expe.example.com.
example.com.   turn          udp        10         10       3478**   expe.example.com.
example.com.   collab-edge   tls        10         10       8443     expe1.example.com
example.com.   collab-edge   tls        10         10       8443     expe2.example.com
example.com.   sips          tcp        10         10       5061     expe1.example.com
example.com.   sips          tcp        10         10       5061     expe2.example.com

* SIP UDP is disabled on Expressway by default.

** On Large Expressway deployments you should configure multiple records for the range 3478 – 3483.


Note

The public (external) DNS must be configured with _collab-edge._tls SRV records so that endpoints can discover the Expressway-Es to use for Mobile and Remote Access. SIP service records are also required (for general deployment, not specifically for Mobile and Remote Access). The last four rows of the table above show these records for a cluster of two Expressway-E systems (expe1 and expe2).


For example, the DNS records would be:
_h323cs._tcp.example.com.   86400 IN SRV 10 10 1720 expe.example.com.
_h323ls._udp.example.com.   86400 IN SRV 10 10 1719 expe.example.com.
_sip._tcp.example.com.      86400 IN SRV 10 10 5060 expe.example.com.
_sip._udp.example.com.      86400 IN SRV 10 10 5060 expe.example.com.
_sips._tcp.example.com.     86400 IN SRV 10 10 5061 expe.example.com.
_turn._udp.example.com.     86400 IN SRV 10 10 3478 expe.example.com.
expe.example.com.           86400 IN A   192.0.2.2

If you have a cluster of Expressway-Es, you must set up DNS A and SRV records for each peer/host in the cluster. See Expressway Cluster Creation and Maintenance Deployment Guide for more information.

DNS Configuration (internal DNS server)

The following records are required in the local DNS which hosts the internally routable domain (internal-domain.net), to allow internal messages to be routed to the Expressway-C.

Local DNS A Record

Host                        Host IP address
expc.internal-domain.net    10.0.0.2

Local DNS SRV Records

Name                   Service     Protocol   Priority   Weight   Port   Target host
internal-domain.net.   h323cs      tcp        10         10       1720   expc.internal-domain.net.
internal-domain.net.   h323ls      udp        10         10       1719   expc.internal-domain.net.
internal-domain.net.   h323rs      udp        10         10       1719   expc.internal-domain.net.
internal-domain.net.   sip         tcp        10         10       5060   expc.internal-domain.net.
internal-domain.net.   sip         udp*       10         10       5060   expc.internal-domain.net.
internal-domain.net.   sips        tcp        10         10       5061   expc.internal-domain.net.
example.com            cisco-uds   tcp        10         10       8443   cucmserver1.example.com
example.com            cisco-uds   tcp        10         10       8443   cucmserver2.example.com

* SIP UDP is disabled on Expressway by default.

For example, the DNS records would be:
_h323cs._tcp.internal-domain.net.   86400 IN SRV 10 10 1720 expc.internal-domain.net.
_h323ls._udp.internal-domain.net.   86400 IN SRV 10 10 1719 expc.internal-domain.net.
_h323rs._udp.internal-domain.net.   86400 IN SRV 10 10 1719 expc.internal-domain.net.
_sip._tcp.internal-domain.net.      86400 IN SRV 10 10 5060 expc.internal-domain.net.
_sip._udp.internal-domain.net.      86400 IN SRV 10 10 5060 expc.internal-domain.net.
_sips._tcp.internal-domain.net.     86400 IN SRV 10 10 5061 expc.internal-domain.net.
expc.internal-domain.net.           86400 IN A   10.0.0.2

If you have a cluster of Expressway-Cs, you must set up DNS A and SRV records for each peer/host in the cluster. See Expressway Cluster Creation and Maintenance Deployment Guide for more information.


Note

  • From version X8.8 onward, you must create forward and reverse DNS entries for all Expressway-E systems, so that systems making TLS connections to them can resolve their FQDNs and validate their certificates.

  • Ensure that the cisco-uds SRV records are NOT resolvable outside of the internal network, otherwise the Jabber client will not start Mobile and Remote Access negotiation via the Expressway-E.

  • You must create internal DNS records, for both forward and reverse lookups, for all Unified Communications nodes used with Mobile and Remote Access. This allows Expressway-C to find the nodes when IP addresses or hostnames are used instead of FQDNs.
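The following Python script is an added example, not Cisco tooling. It parses zone-file lines in the format used on this page and checks the split-horizon requirements stated in the notes above: the public view must carry the _collab-edge._tls SRV record and must not carry _cisco-uds._tcp, the internal view must carry _cisco-uds._tcp, and every SRV target needs an A record in the same view. The zone data is constructed from the records on this page, reduced to the SIP, TURN and MRA rows; the _collab-edge target and the cucmserver1 address are assumptions.

```python
from collections import namedtuple

# Added example, not Cisco tooling: a checker for the split-horizon DNS requirements.
# Zone data is constructed from this page; expe as _collab-edge target and the
# cucmserver1 address (10.0.0.10) are assumptions.

SRV = namedtuple("SRV", "service proto domain priority weight port target")

EXTERNAL_ZONE = """
_sip._tcp.example.com.          86400 IN SRV 10 10 5060 expe.example.com.
_sips._tcp.example.com.         86400 IN SRV 10 10 5061 expe.example.com.
_turn._udp.example.com.         86400 IN SRV 10 10 3478 expe.example.com.
_collab-edge._tls.example.com.  86400 IN SRV 10 10 8443 expe.example.com.
expe.example.com.               86400 IN A   192.0.2.2
"""

# The record that must NOT exist in public DNS: if Jabber resolves it from outside,
# it tries to reach Unified CM directly and never starts MRA via the Expressway-E.
LEAKED_UDS = "_cisco-uds._tcp.example.com. 86400 IN SRV 10 10 8443 cucmserver1.example.com.\n"

INTERNAL_ZONE = """
_sip._tcp.internal-domain.net.   86400 IN SRV 10 10 5060 expc.internal-domain.net.
_sips._tcp.internal-domain.net.  86400 IN SRV 10 10 5061 expc.internal-domain.net.
_cisco-uds._tcp.example.com.     86400 IN SRV 10 10 8443 cucmserver1.example.com.
expc.internal-domain.net.        86400 IN A   10.0.0.2
cucmserver1.example.com.         86400 IN A   10.0.0.10
"""


def parse_zone(text):
    """Parse zone-file style A and SRV lines into ({owner: [address]}, [SRV])."""
    a_records, srv_records = {}, []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner = fields[0].lower().rstrip(".")
        i = fields.index("IN")                 # owner [TTL] IN TYPE RDATA...
        rtype, rdata = fields[i + 1].upper(), fields[i + 2:]
        if rtype == "A":
            a_records.setdefault(owner, []).append(rdata[0])
        elif rtype == "SRV":
            service, proto, domain = owner.split(".", 2)
            srv_records.append(SRV(service.lstrip("_"), proto.lstrip("_"), domain,
                                   int(rdata[0]), int(rdata[1]), int(rdata[2]),
                                   rdata[3].lower().rstrip(".")))
        else:
            raise ValueError("unsupported record type in: " + raw)
    return a_records, srv_records


def check_targets(a_records, srv_records):
    return ["SRV %s/%s target %s has no A record" % (r.service, r.proto, r.target)
            for r in srv_records if r.target not in a_records]


def check_external(a_records, srv_records):
    """Problems in the public view: MRA discovery record present, UDS record absent."""
    services = {(r.service, r.proto) for r in srv_records}
    problems = check_targets(a_records, srv_records)
    if ("collab-edge", "tls") not in services:
        problems.append("missing _collab-edge._tls SRV: clients cannot discover the Expressway-E")
    if ("cisco-uds", "tcp") in services:
        problems.append("_cisco-uds._tcp is resolvable externally: Jabber will skip MRA negotiation")
    return problems


def check_internal(a_records, srv_records):
    """Problems in the internal view: UDS record present so Jabber finds Unified CM."""
    services = {(r.service, r.proto) for r in srv_records}
    problems = check_targets(a_records, srv_records)
    if ("cisco-uds", "tcp") not in services:
        problems.append("missing _cisco-uds._tcp SRV: internal Jabber clients cannot locate Unified CM")
    return problems


if __name__ == "__main__":
    print("external:", check_external(*parse_zone(EXTERNAL_ZONE)) or "ok")
    print("external with leak:", check_external(*parse_zone(EXTERNAL_ZONE + LEAKED_UDS)))
    print("internal:", check_internal(*parse_zone(INTERNAL_ZONE)) or "ok")
```

To run the same checks against a live deployment, feed the script the output of an SRV and A query made from outside the network (for the external view) and from inside it (for the internal view), rather than the constructed zones; the point of keeping the two views separate is exactly the difference the second print line reports.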


Routing Configuration

Pre-search Transforms

Pre-search transform configuration allows the destination alias (called address) in an incoming search request to be modified. The Expressway applies the transformation before any searches are sent to external zones.

The pre-search transform configuration described in this document is used to standardize destination aliases originating from both H.323 and SIP devices. This means that the same call searches work for calls from both H.323 and SIP endpoints.

For example, if the called address is an H.323 E.164 alias “01234”, the Expressway automatically appends the configured domain name (in this case example.com) to the called address (that is, 01234@example.com making it into a URI), before attempting to set up the call.

  • Use pre-search transforms with care, because they apply to all signaling messages. If they match, they will affect the routing of Unified Communications messages, provisioning and presence requests as well as call requests.

  • Transformations can also be carried out in search rules. Consider whether it's best to use a pre-search transform or a search rule to modify the called address to be looked up.

Search Rules

Search rules define how the Expressway routes calls (to destination zones, such as to Unified CM, or another Expressway, or Meeting Server) in specific call scenarios. When a search rule is matched, the destination alias can be modified according to the conditions defined in the search rule.

The search rules described in this document are used to ensure that endpoints can dial H.323 devices that have registered E.164 numbers or H.323 IDs without a domain portion. The search rules first search for received destination aliases without the domain portion of the URI, and then search with the full URI.

The search rules described here are used to enable the following routing combinations:

Calling party                                Called party

Registered devices (Expressway-C)            Registered devices (Expressway-C)
Registered devices (Expressway-C)            External domains and un-registered devices (via Expressway-E using DNS zone)
Registered devices (Expressway-C)            Public external IP addresses (via Expressway-E)
External domains and un-registered devices   Registered devices (Expressway-C)

The routing configuration in this document searches for destination aliases that have valid SIP URIs. That is, using a valid SIP domain, such as id@domain.

You can configure routing that enables calls to unregistered devices on an internal network (routing to the IP addresses of the devices) by configuring a search rule with a mode of Any IP address and a target of Local Zone. However, this is not recommended (and not described in this document). The best practice is to register all devices and route using destination aliases.

Configure Transforms
The pre-search transform configuration described in this document is used to standardize destination aliases originating from both H.323 and SIP devices.

The following transform modifies the destination alias of all call attempts made to destination aliases which do not contain an ‘@’. The old destination alias has @example.com appended to it, thus standardizing all called destination aliases into a SIP URI format.

Procedure

Step 1

On Expressway-C and Expressway-E, navigate to Configuration > Dial plan > Transforms.

Step 2

Click New.

Step 3

Configure the transform fields as follows:

Field              On Expressway-C                                       On Expressway-E

Priority           Enter 1                                               Same as Expressway-C
Description        Enter Transform destination aliases to URI format     Same as Expressway-C
Pattern type       Regex                                                 Same as Expressway-C
Pattern string     Enter ([^@]*)                                         Same as Expressway-C
Pattern behavior   Replace                                               Same as Expressway-C
Replace string     Enter \1@example.com                                  Same as Expressway-C
State              Enabled                                               Same as Expressway-C

Step 4

Click Create transform.


Configure Local Zone Search Rules
Configure the search rules to route calls to the Local Zone (to locally registered endpoint aliases).
Procedure

Step 1

On Expressway-C and Expressway-E, navigate to Configuration > Dial plan > Search rules.

Step 2

First disable the supplied default search rule (LocalZoneMatch), then create the replacement rule in the following steps.

Step 3

Click New.

Step 4

Configure the search rule fields as follows:

Field                           On Expressway-C                                        On Expressway-E

Rule name                       Enter Local zone – full URI                            Same as Expressway-C
Description                     Enter Search local zone for SIP devices with a domain  Same as Expressway-C
Priority                        Enter 50                                               Same as Expressway-C
Protocol                        Any                                                    Same as Expressway-C
Source                          Any                                                    Same as Expressway-C
Request must be authenticated   No                                                     Same as Expressway-C
Mode                            Alias pattern match                                    Same as Expressway-C
Pattern type                    Regex                                                  Same as Expressway-C
Pattern string                  Enter (.+)@example\.com.*                              Same as Expressway-C
Pattern behavior                Leave                                                  Same as Expressway-C
On successful match             Continue                                               Same as Expressway-C
Target                          LocalZone                                              Same as Expressway-C
State                           Enabled                                                Same as Expressway-C

Step 5

Click Create search rule.


Configure Traversal Zone
The traversal zone configuration defines a connection between the Expressway-C and Expressway-E platforms. A traversal zone connection allows firewall traversal for signaling and media between the two platforms. Expressway-C is configured with a traversal client zone. Expressway-E is configured with a traversal server zone.
Procedure

Step 1

In Expressway-C and Expressway-E, navigate to Configuration > Zones > Zones

Step 2

Click New.

Step 3

Configure the fields as follows:

Field                                On Expressway-C                            On Expressway-E

Name                                 Enter a name, for example, TraversalZone   Enter a name, for example, TraversalZone
Type                                 Traversal client                           Traversal server
Username                             Enter exampleauth                          Enter exampleauth
Password                             Enter ex4mpl3.c0m                          Not applicable
H.323 Mode                           On                                         On
H.323 Protocol                       Assent                                     Assent
H.323 Port                           Enter 6001                                 Enter 6001
H.323 H.460.19 demultiplexing mode   Not applicable                             Off
SIP Mode                             On                                         On
SIP Port                             Enter 7001                                 Enter 7001
SIP Transport                        TLS                                        TLS
SIP TLS verify mode                  Off                                        Off
SIP Accept proxied registrations     Allow                                      Off
Location Peer 1 address              Enter 192.0.2.2                            Not applicable

Step 4

Click Create zone.


What to do next
Configure authentication credentials in Expressway-E.
Configure Authentication Credentials in Expressway-E

Configure the authentication credentials in the Local authentication database (configured in the Expressway-E only).

Procedure

Step 1

In Expressway-E, navigate to Configuration > Authentication > Devices > Local database.

Step 2

Click New.

Step 3

Configure the fields as follows:

Field      On Expressway-C   On Expressway-E

Name       Not applicable    Enter exampleauth
Password   Not applicable    Enter ex4mpl3.c0m

Step 4

Click Create credential.


Neighboring Between Expressway Clusters
You can neighbor your local Expressway (or Expressway cluster) to a remote Expressway cluster; this remote cluster could be a neighbor, traversal client, or traversal server to your local Expressway. In this case, when a call is received on your local Expressway and is passed via the relevant zone to the remote cluster, it is routed to whichever peer in that neighboring cluster has the lowest resource usage. That peer then forwards the call as appropriate to one of its:
  • locally registered endpoints (if the endpoint is registered to that peer)

  • peers (if the endpoint is registered to another peer in that cluster)

  • external zones (if the endpoint has been located elsewhere)

For Expressway: Lowest resource usage is determined by comparing the number of available media sessions (maximum - current use) on the peers, and choosing the peer with the highest number. Peers that are in maintenance mode are not considered.

For VCS: Lowest resource usage is determined by comparing the number of available traversal calls (maximum - current use) on the peers, and choosing the peer with the highest number. Peers that are in maintenance mode are not considered.

When configuring a connection to a remote cluster, you create a single zone and configure it with details of all the peers in the cluster. Adding this information to the zone ensures that the call is passed to that cluster regardless of the status of the individual peers.

You also need to enter the IP address of all peers in the remote cluster when the connection is via a neighbor or traversal client zone. You do not do this for traversal server zones, as these connections are not configured by specifying the remote system's IP address.


Note

Systems that are configured as peers must not also be configured as neighbors to each other, and vice versa.


Neighboring your clusters

To neighbor your local Expressway (or Expressway cluster) to a remote Expressway cluster, you create a single zone to represent the cluster and configure it with the details of all the peers in that cluster:

Procedure

Step 1

On your local Expressway (or, if the local Expressway is a cluster, on the primary peer), create a zone of the appropriate type. This zone will represent the connection to the cluster.

Step 2

In the Location section, enter the IP address or FQDN of each peer in the remote cluster in the Peer 1 to Peer 6 address fields.

Note 
  • Ideally you should use FQDNs in these fields. Each FQDN must be different and must resolve to a single IP address for each peer. With IP addresses, you may not be able to use TLS verification, because many CAs will not supply certificates to authenticate an IP address.

  • The order in which the peers in the remote Expressway cluster are listed here does not matter.

  • Whenever you add an extra Expressway to a cluster (to increase capacity or improve redundancy, for example) you will need to modify any Expressways which neighbor to that cluster to let them know about the new cluster peer.


Configure Traversal Zone Search Rules
Create the search rules to route calls via the traversal zone.
Procedure

Step 1

On Expressway-C and Expressway-E, navigate to Configuration > Dial plan > Search rules.

Step 2

Click New.

Step 3

Configure the fields as follows:

Field                           On Expressway-C                              On Expressway-E

Rule name                       "Traversal zone search rule" for example     "Traversal zone search rule" for example
Description                     "Search traversal zone - EXPe" for example   "Search traversal zone - EXPc" for example
Priority                        100                                          100
Protocol                        Any                                          Any
Source                          Any                                          Any
Request must be authenticated   No                                           No
Mode                            Any alias                                    Any alias*
On successful match             Continue                                     Continue
Target                          Traversal zone                               Traversal zone
State                           Enabled                                      Enabled

This example routes any alias across the traversal zone towards the Expressway-C. You can be more selective by adding search rules or configuring call policy.
Step 4

Click Create search rule.


Configure DNS Zone Search Rules

The DNS search rule defines when the DNS zone should be searched.

A specific regular expression is configured which prevents searches being made via the DNS zone (that is, on the public internet) for destination addresses (URIs) that use SIP domains configured on the local network (local domains).

To create the search rules to route via DNS:

Procedure

Step 1

In Expressway-E, navigate to Configuration > Dial plan > Search rules

Step 2

Click New.

Step 3

Configure the fields as follows:

Field                           Setting

Rule name                       Enter a rule name, for example, DNS zone search rule.
Description                     Enter a description, for example, Search DNS zone (external calling).
Priority                        Enter 150
Protocol                        Any
Source                          All zones
Request must be authenticated   No
Mode                            Alias pattern match
Pattern type                    Regex
Pattern string                  Enter (?!.*@example\.com.*$).*
Pattern behavior                Leave
On successful match             Continue
Target                          The DNS zone created in Configure DNS Zone (for example, DNSZone)
State                           Enabled

Step 4

Click Create search rule.

Note 
The regular expression used to prevent local domains being searched via the DNS zone can be broken down into the following components:
  • (.*) = match all pattern strings

  • (?!.*@example\.com.*$).* = do not match any pattern strings ending in @example.com

  • Calls destined for @cisco.com would be searched via the DNS zone, whereas calls destined for @example.com would not.
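The following Python script is an added example, not Expressway code. It models the dial plan built in the sections above (Configure Transforms, Configure Local Zone Search Rules, Configure Traversal Zone Search Rules and Configure DNS Zone Search Rules) together with the registration Allow List pattern from Configure Registration Restriction Policy, so that you can see which zones a dialled alias is searched in and in what order. The patterns are the ones on this page, with the dot in example.com escaped; matching the regex against the whole alias (re.fullmatch) reflects how Expressway applies patterns, and the Expressway-E rule set, priorities and "continue" behaviour are taken from the tables above. Anything else (the sample aliases, the data structures) is this example's own.

```python
import re

# Added example, not Expressway code: a model of the pre-search transform, the
# Expressway-E search rules and the registration Allow List pattern from this page.
# Regexes are matched against the whole alias, as Expressway does.

TRANSFORM = (r"([^@]*)", r"\1@example.com")      # Pattern string, Replace string

RULES_E = [
    # name, priority, mode, pattern, target, on successful match
    ("Local zone - full URI",      50,  "alias", r"(.+)@example\.com.*",        "LocalZone",     "continue"),
    ("Traversal zone search rule", 100, "any",   None,                           "TraversalZone", "continue"),
    ("DNS zone search rule",       150, "alias", r"(?!.*@example\.com.*$).*",   "DNSZone",       "continue"),
]

REGISTRATION_ALLOW = r".*@example\.com"


def transform(alias, rule=TRANSFORM):
    """Pre-search transform with Pattern behavior Replace; aliases already containing
    an '@' do not match ([^@]*) and pass through untouched."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, alias)
    return m.expand(replacement) if m else alias


def search(alias, rules=RULES_E):
    """Return the zones searched for a dialled alias, in priority order, with the
    alias as sent to each zone (Pattern behavior Leave keeps it unchanged)."""
    alias = transform(alias)
    searched = []
    for name, priority, mode, pattern, target, on_match in sorted(rules, key=lambda r: r[1]):
        if mode == "alias" and not re.fullmatch(pattern, alias):
            continue
        searched.append((target, alias))
        if on_match == "stop":
            break
    return searched


def zones(alias, rules=RULES_E):
    return [zone for zone, _ in search(alias, rules)]


def registration_allowed(alias):
    """Allow List check: the whole alias must match .*@example\\.com."""
    return re.fullmatch(REGISTRATION_ALLOW, alias) is not None


if __name__ == "__main__":
    for dialled in ["01234", "alice@example.com;transport=tls", "bob@cisco.com", "x@example.com.evil.net"]:
        print("%-32s -> %s" % (dialled, search(dialled)))
    print(registration_allowed("alice@example.com"), registration_allowed("alice@example.com.evil.net"))
```

Two things the output makes visible that the tables do not. First, the order of targets is the priority order, so a dialled extension such as 01234 is searched in the Local Zone before the traversal zone, and never sent to the DNS zone because the transform has already stamped @example.com onto it. Second, the trailing .* in the local zone pattern is there to tolerate URI parameters such as ;transport=tls, but it also accepts any alias whose domain merely begins with example.com (x@example.com.evil.net is searched locally and withheld from DNS); if that is not what you want, a pattern such as (.+)@example\.com(;.*)? limits the match to parameters.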


Configure External (Unknown) IP Address Routing

The following configuration defines how an Expressway routes calls (and other requests) to external (unknown) IP addresses. An external IP address is an IP address which is not known to the Expressway and therefore assumed to be a publicly routable address.

Known IP addresses are addresses defined in a subzone (using a subzone membership subnet rule).

  • All requests destined for external IP addresses, originating at the Expressway-C are routed to the Expressway-E using a search rule.

  • The Expressway-E then attempts to open a connection directly to the IP address.

Procedure

Step 1

In Expressway-C and Expressway-E, navigate to Configuration > Dial plan > Configuration.

Step 2

Complete the following fields:

Field

Description

Calls to unknown IP addresses

  1. In Expressway-C, set to Indirect.

  2. In Expressway-E, set to Direct.

Step 3

Click Save.


What to do next
Create the search rules to route calls to IP addresses to the Expressway-E.
Create Search Rules to Route Calls to IP addresses to the Expressway-E
Before you begin
Ensure you've configured how the Expressway handles calls to unknown IP addresses. For detail configuration, see Configure External (Unknown) IP Address Routing.
Procedure

Step 1

In Expressway-C, navigate to Configuration > Dial plan > Search rules.

Step 2

Click New.

Step 3

Configure the fields as follows:

Field                           On Expressway-C                         On Expressway-E

Rule name                       Enter External IP address search rule   Not applicable
Description                     Enter Route external IP address         Not applicable
Priority                        Enter 100                               Not applicable
Protocol                        Any                                     Not applicable
Source                          Any                                     Not applicable
Request must be authenticated   No                                      Not applicable
Mode                            Any IP address                          Not applicable
On successful match             Continue                                Not applicable
Target                          TraversalZone                           Not applicable
State                           Enabled                                 Not applicable

Step 4

Click Create search rule.


Create Static Routes Towards the Internal Network

With a deployment like Dual Network Interfaces Deployment, you would typically configure the private address of the external firewall as the default gateway of the Expressway-E. Traffic that has no more specific route is sent out from either Expressway-E interface to the external firewall.
  • If the internal firewall (B) is doing NAT for traffic from the internal network (subnet 10.0.30.0 in diagram) to LAN1 of the Expressway-E (for example traversal client traffic from Expressway-C), that traffic is recognized as being from the same subnet (10.0.20.0 in diagram) as it reaches LAN1 of the Expressway-E. The Expressway-E will therefore be able to reply to this traffic through its LAN1 interface.

  • If the internal firewall (B) is not doing NAT for traffic from the internal network (subnet 10.0.30.0 in diagram) to LAN1 of the Expressway-E (for example traversal client traffic from Expressway-C), that traffic still has the originating IP address (for example, 10.0.30.2 for traffic from Expressway-C in the diagram). You must create a static route towards that source from LAN1 on the Expressway-E, or the return traffic goes to the default gateway (10.0.10.1). You can do this on the web UI (System > Network interfaces > Static routes) or using xCommand RouteAdd at the CLI.

    If the Expressway-E needs to communicate with other devices behind the internal firewall (e.g., for reaching network services such as NTP, DNS, LDAP/AD and syslog servers), you also need to add static routes from Expressway-E LAN1 to those devices/subnets.

In this particular example, we want to tell the Expressway-E that it can reach the 10.0.30.0/24 subnet behind the 10.0.20.1 firewall (router), which is reachable via the LAN1 interface. This is accomplished using the following xCommand RouteAdd syntax:
xCommand RouteAdd Address: 10.0.30.0 PrefixLength: 24 Gateway: 10.0.20.1 Interface: LAN1
In this example, the Interface parameter could also be set to Auto as the gateway address (10.0.20.1) is only reachable via LAN1.

Note

The xCommand RouteAdd command and the equivalent web UI, are detailed in the Expressway help and the Expressway Administrator Guide.


Procedure

Step 1

In Expressway-E, navigate to System > Network interfaces > Static routes.

Step 2

Complete the following fields to create a static route:

Field           Description

IP address      Internal network subnet
Prefix length   Address range
Gateway         Firewall (router)
Interface       LAN of the Expressway-E


Logging in to MRA

Prerequisite
  • Ensure that the Expressway-E is reachable from your desk phone after the network configuration is done. See the Cisco Expressway Basic Configuration Deployment Guide for detailed information.

  • Sync the users with the Top Down approach.

  • Create Jabber Config file for each customer for user separation and voice mail.

    For more information, see Manage User Separation and Manual Set Up: Cisco Unity Connection.

  • Configure the following services for the end-users:

    • Configure home cluster.

    • Add mobility services.

    • Add jabber/Iphone/Ipad/Android devices as required.

    • Associate the user with the corresponding devices.

    • Add owner user id.

Table 1. MRA login using devices

Using Jabber

  Login: Log in to Windows Jabber as a customer user with username (for example, C1L1AutNcUser001@c1sa.com) and password (for example, Hcs@1234).

  Features:

  • Start chat with users of the same customer.

  • Make audio or video calls between users within the customer.

  • Share desktop.

  • Start group chat.

  • Use Call Forward and Call Transfer.

Using iPhone

  Login: Log in to iPhone as a customer user with username (for example, C1L1AutNcUser002@c1sa.com) and password (for example, Hcs@1234).

Using iPad

  Login: Log in to iPad as a customer user with username (for example, C1L1AutNcUser003@c5sa.com) and password (for example, Hcs@1234).

Using Android

  Login: Log in to an Android phone as a customer user with username (for example, C1L1AutNcUser002@c5sa.com) and password (for example, Hcs@1234).

Manage User Separation

Before you begin
Ensure that you have configured the third-party app for user separation.
Procedure

Step 1

Log in to Unified CDM. In the Service Provider Active Directory, add users with Telephone Number, Email Address, and Department.

Step 2

Log in to the third-party app and complete the steps to configure user/contact separation.

Step 3

Create a Jabber configuration file for each customer. The file is uploaded to Unified CM in Step 6; the directory and photo hosts it names are the per-customer hosts that Step 4 publishes in DNS and Step 5 allows through Expressway-C.

Jabber configuration file example for Customer 1 (the Directory block sits inside the config root element of the file):
<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Directory>
    <!-- Use the UDS directory type; UdsServer names this customer's directory host -->
    <DirectoryServerType>UDS</DirectoryServerType>
    <BDIUseSIPURIToResolveContacts>true</BDIUseSIPURIToResolveContacts>
    <!-- Jabber replaces the uid token with the user ID when it fetches the photo -->
    <UdsPhotoUriWithToken>http://c1sa.hcssa.com/JabberPhotos/uid.png</UdsPhotoUriWithToken>
    <BDIUriPrefix>sip:</BDIUriPrefix>
    <UdsServer>c1sa.hcssa.com</UdsServer>
  </Directory>
</config>
Note 

For details on how to hide service domain for Jabber, see Hide Service Domain for Jabber.

Step 4

Log in to Unified CDM. In the Service Provider DNS, add DNS entries for each customer that point to the third-party app server used for user separation.

Step 5

Log in to Expressway-C, and complete the following steps to configure an HTTP allow list rule for each customer, so that that customer's MRA clients can reach its directory and photo server:

  1. Navigate to Configuration > Unified Communications > HTTP allow list > Editable inbound rules.

  2. Click New.

  3. Complete the fields to configure the rule to your requirements.

    Field: Description

    Description: Enter a description for the rule.

    URL: Specify a URL that MRA clients are allowed to access. For example, to allow access to https://www.example.com:8080/resource/path, enter that URL exactly as shown.
    1. The protocol the clients use to reach the host must be http:// or https://.

    2. Specify a port only when it is not the default for the protocol, for example :8080 (the defaults are 80 for http and 443 for https).

    3. Specify the path to limit the scope of the rule (more secure), for example /resource/path.

      If you select Prefix match for this rule, you can use a partial path or omit the path. This is a security risk if the target resources are not resilient to malformed URLs, because every request whose URL starts with the prefix is passed through to the server.

    Allowed methods: Select Use defaults or Choose methods. If you choose specific HTTP methods for this rule, they override the defaults you set for all rules. Allow only the methods the resource needs; a directory lookup or photo fetch needs only GET.

    Match type: Select Exact match or Prefix match. Your decision here depends on your environment. It is more secure to use exact matches, but you may need more rules. It is more convenient to use prefix matches, but there is some risk of unintentionally exposing server resources.

    Deployment: If you are using multiple deployments for your MRA environment, you also need to choose which deployment uses the new rule. You won't see this field unless you have more than one deployment.

  4. Click Create Entry to save the rule and return to the editable allow list.

Step 6

Log in to Unified CM, and complete the following steps:

  1. Upload the Jabber configuration files to TFTP Management on all servers in the cluster.

  2. Restart the Cisco TFTP service on all servers in the cluster.

  3. On each customer's devices, set the Cisco Support Field to the name of that customer's Jabber configuration file (for example, configurationfile=<filename>.xml), so that the device downloads the customer-specific file instead of the default jabber-config.xml.

  4. Create a new phone service, or update the existing Corporate Directory phone service, with the URL http://c1sa.hcssa.com/fw/Apps/Speedy/xml/directories/default.aspx?name=#DEVICENAME.
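Steps 3, 5 and 6 hang together: the hosts named in a customer's Jabber configuration file and Corporate Directory phone service are exactly the URLs that customer's Expressway-C allow list rules must permit, and the Exact/Prefix choice decides how much of that server is exposed. The following is an added example, not code from the Cisco guide or from Expressway. It parses the Customer 1 configuration file from Step 3, derives the allow list rules it needs, and evaluates constructed client requests against them using the Step 5 semantics. The GET-only restriction, the dot-segment normalisation, the DEFAULT_METHODS set, the c2sa.hcssa.com neighbour host and the sample requests are this example's assumptions; the guide does not state how Expressway treats query strings, so the matcher ignores them.

```python
"""Offline model of Expressway-C HTTP allow-list rules for one MRA customer.

Added example, not code from the Cisco guide or from Expressway. It parses the
guide's Customer 1 jabber-config.xml, derives the allow-list rules those values
need, and checks constructed client requests against them with the Exact/Prefix
match and method semantics of Step 5. The GET-only hardening, the dot-segment
normalisation and DEFAULT_METHODS are this example's assumptions; query strings
are ignored because the guide does not say how Expressway treats them.
"""
import posixpath
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample: the guide's Customer 1 Directory block inside a <config> root.
JABBER_CONFIG_C1 = """<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Directory>
    <DirectoryServerType>UDS</DirectoryServerType>
    <BDIUseSIPURIToResolveContacts>true</BDIUseSIPURIToResolveContacts>
    <UdsPhotoUriWithToken>http://c1sa.hcssa.com/JabberPhotos/uid.png</UdsPhotoUriWithToken>
    <BDIUriPrefix>sip:</BDIUriPrefix>
    <UdsServer>c1sa.hcssa.com</UdsServer>
  </Directory>
</config>"""
# Corporate Directory phone-service URL from Step 6, without its query string.
DIRECTORY_SERVICE_URL = "http://c1sa.hcssa.com/fw/Apps/Speedy/xml/directories/default.aspx"
# Assumed global default methods (what "Use defaults" selects in the rule form).
DEFAULT_METHODS = frozenset({"GET", "POST", "PUT", "DELETE", "OPTIONS"})


@dataclass(frozen=True)
class Rule:
    description: str
    url: str                             # scheme://host[:port][/path]
    match: str = "Exact"                 # "Exact" or "Prefix"
    methods: Optional[frozenset] = None  # None means "Use defaults"


def split_url(url: str):
    """(scheme, host, port, path) with the default port filled in."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"allow-list URLs must start with http:// or https://: {url}")
    return p.scheme, p.hostname.lower(), p.port or (443 if p.scheme == "https" else 80), p.path or "/"


def collapse_dots(path: str) -> str:
    """Resolve ./ and ../ segments the way the target web server will."""
    collapsed = posixpath.normpath(path)
    return collapsed + "/" if path.endswith("/") and not collapsed.endswith("/") else collapsed


def rule_allows(rule: Rule, method: str, url: str, normalize_dots: bool = True) -> bool:
    """Does this rule permit the request?"""
    r_scheme, r_host, r_port, r_path = split_url(rule.url)
    q_scheme, q_host, q_port, q_path = split_url(url)
    if (r_scheme, r_host, r_port) != (q_scheme, q_host, q_port):
        return False
    if method.upper() not in (rule.methods if rule.methods is not None else DEFAULT_METHODS):
        return False
    if normalize_dots:
        r_path, q_path = collapse_dots(r_path), collapse_dots(q_path)
    if rule.match == "Exact":
        return q_path == r_path
    if rule.match == "Prefix":
        # The textual prefix test is what makes Prefix rules risky: without
        # dot-segment normalisation, /JabberPhotos/../fw/admin/ still "starts
        # with" /JabberPhotos/ yet reaches a different resource on the server.
        return q_path.startswith(r_path)
    raise ValueError(f"unknown match type {rule.match!r}")


def first_matching_rule(rules: List[Rule], method: str, url: str,
                        normalize_dots: bool = True) -> Optional[str]:
    """Description of the first rule that allows the request, else None (denied)."""
    return next((r.description for r in rules if rule_allows(r, method, url, normalize_dots)), None)


def rules_from_jabber_config(xml_text: str, directory_service_url: str) -> List[Rule]:
    """Derive the Expressway-C rules a customer's jabber-config.xml relies on."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    uds_host = root.findtext("Directory/UdsServer")
    photo_uri = root.findtext("Directory/UdsPhotoUriWithToken")
    if not uds_host or not photo_uri or "uid" not in photo_uri:
        raise ValueError("UdsServer and a UdsPhotoUriWithToken containing the uid token are required")
    # Jabber substitutes each user's ID for "uid", so an Exact rule can never
    # match a photo request: use a Prefix rule scoped to the photo directory
    # and restricted to GET, the only method a photo fetch needs.
    photo_dir = photo_uri[: photo_uri.rfind("/") + 1]
    return [
        Rule(f"{uds_host} Jabber photos", photo_dir, "Prefix", frozenset({"GET"})),
        Rule(f"{uds_host} corporate directory", directory_service_url, "Exact", frozenset({"GET"})),
    ]


if __name__ == "__main__":
    rules = rules_from_jabber_config(JABBER_CONFIG_C1, DIRECTORY_SERVICE_URL)
    for method, url in [  # constructed requests from Customer 1 clients and a neighbour
        ("GET", "http://c1sa.hcssa.com/JabberPhotos/alice.png"),
        ("POST", "http://c1sa.hcssa.com/JabberPhotos/alice.png"),
        ("GET", "http://c2sa.hcssa.com/JabberPhotos/alice.png"),
        ("GET", "http://c1sa.hcssa.com/JabberPhotos/../fw/admin/"),
    ]:
        print(f"{method:<4} {url:<55} -> {first_matching_rule(rules, method, url) or 'DENIED'}")
```

The last sample request is the case the Prefix match warning describes: with normalize_dots=False the rule scoped to /JabberPhotos/ still passes it, and whether the directory server then serves /fw/admin/ depends entirely on how it handles the dot segments. Treat this as a reason to keep Prefix rules as narrow as the uid token allows and to restrict their methods, not as a statement of how the real Expressway parses URLs.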


Hide Service Domain for Jabber

The service domain can be hidden in the Jabber configuration so that users do not have to type it, which gives a better end-user experience.

For Windows, pass the service domain to the Jabber installer:

  • msiexec /i CiscoJabberSetup.msi VOICE_SERVICES_DOMAIN=<service-domain> SERVICES_DOMAIN=<service-domain> CLEAR=1

For mobile clients, give users the following link to open when they first launch Cisco Jabber:

  • ciscojabber://provision?ServicesDomain=<service-domain>


Note

For more information, see Deployment and Installation Guide for Cisco Jabber available at https://www.cisco.com/c/en/us/support/unified-communications/jabber-windows/products-installation-guides-list.html.