Advanced Configuration
This chapter describes advanced configuration procedures for modifying application parameters after the initial installation and configuration process described in the “” section. That earlier chapter includes commands not described in this chapter.
The advanced configuration procedures include:
- Configuring the Hostname
- Configuring the DNS Server
- Configuring NTP Servers
- Configuring a Syslog Server
- Configuring the Clock Time Zone
- Configuring Password and PIN Parameters
- Cisco Unified CME Password Synchronization in Configuring Password and PIN Parameters
- PINless Voicemail in Configuring Password and PIN Parameters and in Displaying Password and PIN System Settings.
- Scheduling CLI Commands
Configuring the Hostname
During the software postinstallation process, the hostname was configured. Use this procedure to change the hostname.

Note For release 10.2.1, after you change the hostname, perform a reload to view the updated Product Instance Name in License Summary.
SUMMARY STEPS
DETAILED STEPS
Examples
The following commands configure the hostname:
The output from the show hosts command might look similar to the following:
Configuring the DNS Server
During the software postinstallation process, the DNS server and IP addresses may have been configured. Use this procedure to change the server name and IP addresses.
SUMMARY STEPS
2. ip domain-name dns-server-name
3. ip name-server ip-address [ ip-address ] [ ip-address ] [ ip-address ]
DETAILED STEPS
Examples
The following commands configure the DNS server:
The output from the show hosts command might look similar to the following:
Configuring NTP Servers
During the software postinstallation process, the Network Time Protocol (NTP) server may have been configured. Cisco Unity Express accepts a maximum of three NTP servers. Use this procedure to add or delete NTP servers.
Adding NTP Servers
You can designate an NTP server using its IP address or its hostname.
Cisco Unity Express uses the DNS server to resolve the hostname to an IP address and stores the IP address as an NTP server. If DNS resolves the hostname to more than one IP address, Cisco Unity Express randomly chooses one of the IP addresses that is not already designated as an NTP server.
To configure an NTP server with multiple IP addresses for a hostname, repeat the configuration steps using the same hostname. Each iteration assigns the NTP server to its remaining IP addresses.
SUMMARY STEPS
DETAILED STEPS
Examples
The following commands configure the NTP server:
The following shows sample output from the show ntp status command:
The following shows sample output from the show ntp servers command:
The following shows sample output from the show ntp source command:
The following shows sample output from the show ntp association command:
The following example configures an NTP server with a hostname that points to two IP addresses 172.16.10.1 and 172.16.10.2:
The following shows sample output from the show ntp status command:
Removing an NTP Server
SUMMARY STEPS
DETAILED STEPS
Displaying NTP Server Information
The following commands are available to display NTP server configuration information and status:
The following is sample output for the show ntp associations command:
The following is sample output for the show ntp servers command:
The following is sample output for the show ntp source command:
The following is sample output for the show ntp status command:
Configuring a Syslog Server
Cisco Unity Express captures messages that describe activities in the system. These messages are collected and directed to a messages.log file on the Cisco Unity Express module hard disk, the console, or an external system log (syslog) server. The messages.log file is the default destination.
This section describes the procedure for configuring an external server to collect the messages. To view the messages, see the “Viewing System Activity Messages” section.
Required Data for This Procedure
You need the hostname or IP address of the designated log server.
SUMMARY STEPS
DETAILED STEPS
Examples
The output from the show running-config command might look similar to the following:
Configuring the Clock Time Zone
During the software postinstallation process, the time zone of the local Cisco Unity Express module was configured. Use this procedure to change the module’s time zone.
Cisco Unity Express automatically updates the clock for daylight saving time on the basis of the selected time zone.
SUMMARY STEPS
DETAILED STEPS
Examples
The following commands configure the clock time zone:
The output from the show clock detail command might look similar to the following:
Configuring Password and PIN Parameters
Cisco Unity Express supports the configuration of the password and personal identification number (PIN) parameters described in the following sections:
- Configuring Password and PIN Length and Expiry Time
- Configuring Enhanced PIN Validation
- Configuring Password and PIN Protection Lockout Modes
- Configuring PIN and Password History
- Encrypting PINs in Backup Files
- Displaying Password and PIN System Settings

Note If you change a Cisco Unified CME user’s password on Cisco Unity Express with Configure --> Users, the password for that user is updated on Cisco Unified CME. However, the reverse is not true: a user password changed on Cisco Unified CME will not be updated to Cisco Unity Express.

Note For instructions on configuring PINless voicemail, see the “Configuring PINless Mailbox Access” section.
Configuring Password and PIN Length and Expiry Time
Cisco Unity Express supports configuring the following two attributes of password and PIN:
To support enhanced security procedures, Cisco Unity Express has made the password and PIN length configurable. In releases prior to Cisco Unity Express 10.2, the administrator can configure the length to a value greater than or equal to 3 alphanumeric characters. From Cisco Unity Express Release 10.2 onwards, the administrator can configure the minimum length ranging from 8 through 64 characters. There is no limit on the maximum length. This is a system-wide value, so that all subscribers must have passwords and PINs of at least that many characters. Use the GUI Defaults > User option or the procedure described below to configure this length.
The password length does not have to be equal to the PIN length. The default password length is 8 alphanumeric characters. The maximum PIN length is 16 alphanumeric characters.
To set the password or PIN length to the system default values, use the no or default form of the commands.

Note If the minimum PIN length is increased, existing PINs that do not conform to the new limit will automatically expire. The subscriber must reset the PIN at the next log in to the TUI.

Note The change in the minimum password length range is applicable only when a new user is created or the password of an existing user is updated. It does not apply to passwords that are already in use.
Cisco Unity Express permits the administrator to configure the password and PIN expiry time on a system-wide basis. The expiry time is the time, in days, for which the password and PIN are valid. When this time is reached, the subscriber must enter a new password or PIN.
If this option is not configured, passwords and PINs do not expire.
Use the GUI Defaults > User option or the procedure described below to configure this time.
The password expiry time does not have to equal the PIN expiry time.
The valid range is 3 to 365 days.
To set the password or PIN expiry time to the system default values, use the no or default form of the commands.
SUMMARY STEPS
DETAILED STEPS
Examples
The following example sets the password length to 6 characters, the PIN length to 5 characters, the password expiry time to 60 days, and the PIN expiry time to 45 days.
Configuring Enhanced PIN Validation
Starting in release 8.6.4, you can configure an enhanced PIN validation feature, using the security pin trivialcheck command.
This feature enforces additional validations for a new PIN requested by a user. When the feature is not enabled, a smaller set of validations is enforced.
Prerequisites
Required Data for This Procedure
SUMMARY STEPS
DETAILED STEPS
security password lockout enable
Configuring Password and PIN Protection Lockout Modes
Starting in release 3.0, you can use both temporary and permanent lockout for passwords and PINs to help prevent security breaches.
For permanent lockout mode, the user’s account is permanently locked after a specified number of incorrect passwords or PINs are entered. After the account is locked, only the administrator can unlock it and reset the password.
For temporary lockout mode, the user’s account is temporarily locked after a specified number of initial incorrect passwords or PINs are entered. This lockout lasts for a specified amount of time. If the maximum number of incorrect passwords or PINs is exceeded for a second time, the account is locked for twice the specified amount of time. The lockout time continues to increase for each set of incorrect passwords or PINs until the total number of failed login attempts equals the number specified to lock the account permanently. To prevent denial-of-service attacks, the retry count is not incremented if a user tries to log in during the lockout period. If the user enters the correct password or PIN and logs in successfully, the lockout time is reset to zero. After the account is permanently locked, only the administrator can unlock it and reset the password. When the administrator unlocks the account, the retry count and disable time are also reset to zero.
To configure the behavior for permanent lockouts, specify:
- Lockout mode (set to permanent)
- Maximum number of failed login attempts allowed before the account is locked
To configure the behavior for temporary lockouts, specify:
- Lockout mode (set to temporary)
- Number of failed attempts that trigger the initial temporary lockout
- Duration of initial temporary lockout
- Number of failed attempts that will lock the account permanently
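The temporary lockout behavior described above, modeled as a small state machine so that chosen values can be checked before they are applied (an added example, not Cisco's code). The class, field names and time units are hypothetical, and it assumes that the lockout duration doubles with each successive lockout and that a successful login also clears the failure count; the text only states the first doubling and the reset of the lockout time.

```python
from dataclasses import dataclass

@dataclass
class TempLockAccount:
    init_attempts: int   # failures that trigger each temporary lockout
    init_lock: int       # length of the first lockout, in abstract time units
    max_attempts: int    # total failures that lock the account permanently
    failures: int = 0
    lockouts: int = 0
    locked_until: int = 0
    permanent: bool = False

    def attempt(self, now: int, correct: bool) -> str:
        if self.permanent:
            return "perm-locked"
        if now < self.locked_until:
            # Attempts during a lockout are rejected without touching the
            # retry count, so a third party cannot push the account to a
            # permanent lock by hammering it while it is already locked.
            return "temp-locked"
        if correct:
            self.failures = self.lockouts = self.locked_until = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.permanent = True
            return "perm-locked"
        if self.failures % self.init_attempts == 0:
            # Assumption: duration doubles per lockout (1x, 2x, 4x, ...).
            self.locked_until = now + self.init_lock * 2 ** self.lockouts
            self.lockouts += 1
            return "temp-locked"
        return "failed"

    def admin_unlock(self) -> None:
        # Administrator unlock resets the retry count and the disable time.
        self.failures = self.lockouts = self.locked_until = 0
        self.permanent = False

def replay(acct, events):
    """Feed (time, correct?) pairs to the account and collect the outcomes."""
    return [acct.attempt(t, ok) for t, ok in events]

# Constructed sample: 3 initial attempts, first lockout 5 units, permanent at 9.
SAMPLE = [(0, False), (1, False), (2, False), (3, False), (4, True),
          (7, False), (8, False), (9, False), (18, True), (19, False),
          (20, False), (21, False), (22, True)]

if __name__ == "__main__":
    print(replay(TempLockAccount(3, 5, 9), SAMPLE))
```

In the sample, the failed attempt at time 3 falls inside the first lockout and is not counted, so permanent lockout is reached on the ninth counted failure rather than the tenth attempt.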
You have the following four options when using password and PIN protect:
The corresponding procedures are documented in the following sections:
Configuring Password Protection with Permanent Lockout
Prerequisites
Required Data for This Procedure
SUMMARY STEPS
2. security password lockout enable
3. security password lockout policy perm-lock
4. security password perm-lock max-attempts no_of_max_attempts
DETAILED STEPS
Configuring PIN Protection with Permanent Lockout
Prerequisites
Required Data for This Procedure
SUMMARY STEPS
2. security pin lockout enable
3. security pin lockout policy perm-lock
DETAILED STEPS
Configuring Password Protection with Temporary Lockout
Prerequisites
Required Data for This Procedure
SUMMARY STEPS
2. security password lockout enable
3. security password lockout policy temp-lock
4. security password temp-lock max-attempts no_of_max_attempts
5. security password temp-lock init-attempts no_of_init_attempts
DETAILED STEPS
Configuring PIN Protection with Temporary Lockout
Prerequisites
Required Data for This Procedure
SUMMARY STEPS
2. security pin lockout enable
3. security pin lockout policy temp-lock
4. security pin temp-lock max-attempts no_of_max_attempts
5. security pin temp-lock init-attempts no_of_init_attempts
DETAILED STEPS
Configuring PIN and Password History
Starting in release 3.0, this feature enables the system to track previous PINs and passwords for all users and prevent users from reusing old PINs or passwords. You can configure the depth of the PIN or the password history using either the GUI or CLI.
Configuring the Password History Depth
Prerequisites
Required Data for This Procedure
SUMMARY STEPS
DETAILED STEPS
Configuring the PIN History Depth
Prerequisites
Required Data for This Procedure
SUMMARY STEPS
DETAILED STEPS
security pin history depth depth
Forces all users to choose a PIN that is not in their password history list.
Displaying Password and PIN System Settings
Use the following Cisco Unity Express EXEC mode command to display the password and PIN settings:
The command output can look similar to the following:
The following example shows the values when password expiration and the PIN length are reset to the system default values:
To display PINless voicemail settings, use the following Cisco Unity Express EXEC mode command:
show voicemail detail mailbox [ owner ]
This command will produce output similar to the following, showing one of the three options displayed below:
Encrypting PINs in Backup Files
Before release 3.0, PINs were stored as clear text in LDAP and were therefore visible in the backup file. This is because user PINs are stored in LDAP, which is backed up in LDIF format. This feature applies SHA-1 hash encryption to PINs before storing them in the LDAP database. As a result, when a user logs in to voice mail, the PIN they submit is hashed and compared to the PIN attribute retrieved from the LDAP directory.
To migrate from an earlier version, you must convert from a clear PIN to a hashed PIN in the LDAP directory. Typically, you do this immediately after a system upgrade from an earlier version or after a restore operation from an old backup. At this point, the clear PIN is removed from the database and replaced with the encrypted PIN.
Because encryption using SHA-1 is not reversible, after the conversion is complete, you cannot disable or turn off this feature to restore the encrypted PIN to its clear form.

Note This feature does not require any configuration using the GUI or CLI.
Scheduling CLI Commands
Beginning in Cisco Unity Express 8.0, you can schedule the execution of a block of CLI commands. Blocks of commands are entered interactively, using a symbol delimiter character to start and stop the execution. The execution of the block of commands begins in EXEC mode, but mode-changing commands are allowed in the command block.
The following limitations apply in Cisco Unity Express 8.0:
- The maximum size of the block of commands is 1024 characters, including new lines.
- Commands in the block cannot use the comma “,” character or the delimiter character. For example, if the delimiter character is configured to be “#”, then that character cannot be used in the command blocks.
- Only system administrators can schedule the execution of blocks of commands.
- CLI commands are executed under system super-user privileges.
- Notification for the execution of these command blocks is not available. Error messages and results are available in log files only.


Prerequisites
Required Data for This Procedure
SUMMARY STEPS
3. repeat every { number days at time | number weeks on day | number months on day date | number years on month month } at time

Note Instead of the repeat every command, you can optionally use one of the following commands:
- repeat once at time
- repeat daily at time
- repeat monthly on day date at time
- repeat weekly on day at time
- repeat yearly on month month at time
DETAILED STEPS
Examples
The following is sample output from the show kron schedules command:
The following is sample output from the show kron schedule detail job command: