Deployment guide for Serviceability Connector

March 21, 2024 | 337 view(s) | 0 people thought this was helpful

In this article

Change history

Serviceability Connector Overview

Use in Service Request Cases

Deployment Architecture for TAC Case

Use in Cloud-Connected UC Deployments

Deployment Architecture for Cloud-Connected UC

Serviceability Connector Limitations

People and Roles

Accounts Required for Serviceability Service

People and Roles

Accounts and Scope Required for Each

Data Movement

Data Transfer Summary

Security

Serviceability Connections

Serviceability Connector Ports

Prepare Your Environment

Requirements for Serviceability Connector

Complete Managed Device Prerequisites

Complete the ECP Connector Host Prerequisites

Create a VM for the ECP Connector Host

Complete the Expressway Connector Host Prerequisites

Deploy Serviceability Connector

Serviceability Connector Deployment Task Flow

Configure the Serviceability Connector on ECP

Configure the Serviceability Connector on Expressway

(Optional) Import Devices from Hosted Collaboration Mediation Fulfillment

Create Accounts on Managed Devices

(Optional) Configure an ECP Connector Host with Locally Managed Unified CMs

(Optional) Configure Serviceability Connector with Locally Managed Devices

(Optional) Configure an ECP Connector Host with Locally Managed Unified CM Clusters

(Optional) Configure Serviceability Connector with Locally Managed Clusters

(Optional) Configure local logging and problem report collection

Configure Upload Settings

Configure remote collections on this Connector

Start the Serviceability Connector

Validate the Serviceability Connector Configuration

Manage Serviceability Service

Access the Serviceability Connector web interface

Access the Serviceability application on the host node

Manage local logs

Collect problem reports

Deployment guide for Serviceability Connector

In this article

Change history

Table 1. Changes made to this document
Date	Change	Section
March 2024	Added topics to help you access the web interface of the host node or application.	In Manage Serviceability Service: New task Access the Serviceability Connector web interface New task Access the Serviceability application on the host node
September 2023	Added local logging and problem report collection.	New deployment task (Optional) Configure local logging and problem report collection. Added new chapter Manage Serviceability Service. New task Manage local logs. New task Collect problem reports.
April 2022	Changed the way that you add Unified publishers and subscribers on an ECP connector host.	(Optional) Configure an ECP Connector Host with Locally Managed Unified CMs (Optional) Configure an ECP Connector Host with Locally Managed Unified CM Clusters
November 2021	You can now use the Serviceability Connector to collect logs from your Cloud-Connected UC deployment. This capability enables you, rather than TAC, to gather logs for your Unified CM clusters.	Throughout
September 2021	Removed mentions of the deprecated Customer Service Central upload option.	Configure Upload Settings
March 2021	You can now collect logs from Broadworks XSP nodes.	Throughout
December 2020	Added information on using an ECP node for the Serviceability Connector.	Throughout
December 2020	Clarified connectivity requirements for registering Expressway connector host.	Register the Expressway Connector Host to Cisco Webex
September 2020	Use of Cisco account with Serviceability Connector deprecated. Only CXD supported now.	Throughout
November 2017	Initial Publication

Serviceability Connector Overview

You can ease the collection of logs with the Webex Serviceability service. The service automates the tasks of finding, retrieving, and storing diagnostic logs and information.

This capability uses the Serviceability Connector deployed on your premises. Serviceability Connector runs on a dedicated host in your network ('connector host'). You can install the connector on either of these components:

Enterprise Compute Platform (ECP)—Recommended

ECP uses Docker containers to isolate, secure, and manage its services. The host and the Serviceability Connector application install from the cloud. You don’t need to manually upgrade them to stay current and secure.

We recommend use of ECP. Our future development will focus on this platform. Some new features won't be available if you install the Serviceability Connector on an Expressway.

Cisco Expressway

You can use the Servicability Connector for these purposes:

Automated log and system information retrieval for service requests
Log collection of your Unified CM clusters in a Cloud-Connected UC deployment

You can use the same Serviceability Connector for both use cases.

Use in Service Request Cases

You can use the Webex Serviceability service to aid Cisco technical assistance staff in diagnosing issues with your infrastructure. The service automates the tasks of finding, retrieving, and storing diagnostic logs and information into an SR case. The service also triggers analysis against diagnostic signatures so that TAC can identify problems and resolve cases faster.

When you open a case with TAC, TAC engineers can retrieve relevant logs as they perform the diagnosis of the problem. We can collect the needed logs without coming back to you each time. The engineer sends requests to the Serviceability Connector. The connector collects the information and securely transfers it to the Customer eXperience Drive (CXD). The sytem then appends the information to your SR.

When we have the information, we can use the Collaboration Solution Analyzer and its database of diagnostic signatures. The system automatically analyses logs, identifies known issues, and recommends known fixes or workarounds.

You deploy and manage Serviceability Connectors through Control Hub like other Hybrid Services, such as Hybrid Calendar Service and Hybrid Call Service. You can use it along with other Hybrid Services, but they aren't required.

If you already have your organization configured in Control Hub, you can enable the service through your existing organization administrator account.

In this deployment, the Serviceability Connector is always available, so that TAC can collect data when necessary. But, it doesn’t have a steady load over time. The TAC engineers manually initiate data collection. They negotiate an appropriate time for the collection to minimize the impact on other services provided by the same infrastructure.

How it works

You work with Cisco TAC to deploy the Serviceability service. See Deployment Architecture for TAC Case.
You open a case to alert TAC to a problem with one of your Cisco devices.
TAC representative uses the Collaborations Solution Analyzer (CSA) web interface to request Serviceability Connector to collect data from relevant devices.
Your Serviceability Connector translates the request into API commands to collect the requested data from the managed devices.
Your Serviceability Connector collects, encrypts, and uploads that data over an encrypted link to Customer eXperience Drive (CXD). CXD then associates the data with your Service Request.
The system analyes the data against the TAC database of more than 1000 diagnostic signatures.
The TAC representative reviews the results, checking the original logs if necessary.

Deployment Architecture for TAC Case

***Deployment with Service Connector on Expressway***

Element	Description
Managed devices	Includes any devices that you want to supply logs from to Serviceability Service. You can add up to 150 locally managed devices with one Serviceability connector. You can import information from HCM-F (Hosted Collaboration Mediation Fulfillment) about HCS customers' managed devices and clusters (with larger numbers of devices, see https://help.webex.com/en-us/142g9e/Limits-and-Bounds-of-Serviceability-Service). The service currently works with the following devices: Hosted Collaboration Mediation Fulfillment (HCM-F) Cisco Unified Communications Manager Cisco Unified CM IM and Presence Service Cisco Expressway Series Cisco TelePresence Video Communication Server (VCS) Cisco Unified Contact Center Express (UCCX) Cisco Unified Border Element (CUBE) Cisco BroadWorks Application Server (AS) Cisco BroadWorks Profile Server (PS) Cisco BroadWorks Messaging Server (UMS) Cisco BroadWorks Execution Server (XS) Cisco Broadworks Xtended Services Platform (XSP)
Your administrator	Uses Control Hub to register a connector host and enable Serviceability Service. The URL is https://admin.webex.com and you need your “organization administrator” credentials.
Connector host	An Enterprise Compute Platform (ECP) or Expressway that hosts the Management connector and the Serviceability Connector. Management Connector (on ECP or Expressway) and the corresponding Management Service (in Webex) manage your registration. They persist the connection, update connectors when required, and report status and alarms. Serviceability Connector—A small application that the connector host (ECP or Expressway) downloads from Webex after you enable your organization for Serviceability service.
Proxy	(Optional) If you change the proxy configuration after starting Serviceability Connector, then also restart the Serviceability Connector.
Webex cloud	Hosts Webex, Webex calling, Webex meetings, and Webex Hybrid Services.
Technical Assistance Center	Contains: TAC representative using CSA to communicate with your Serviceability Connectors through Webex cloud. TAC case management system with your case and associated logs that Serviceability Connector collected and uploaded to Customer eXperience Drive.

Use in Cloud-Connected UC Deployments

You can use the Serviceability service through Control Hub to monitor your Unified CM clusters in a Cloud-Connected UC deployment.

How it works

You deploy a Serviceability Connector instance for your Unified CM clusters.
To troubleshoot a Unified CM call signalling issue, you trigger a data collection request in Control Hub.
Your Serviceability Connector translates the request into API commands to collect the requested data from the managed devices.
Your Serviceability Connector collects, encrypts, and uploads that data over an encrypted link to Customer eXperience Drive (CXD).

Deployment Architecture for Cloud-Connected UC

Element	Description
Managed devices	Includes any devices from which you want to supply logs to Serviceability Service. You can add up to 150 locally managed devices with one Serviceability connector. You can import information from HCM-F (Hosted Collaboration Mediation Fulfillment) about HCS customers' managed devices and clusters (with larger numbers of devices, see https://help.webex.com/en-us/142g9e/Limits-and-Bounds-of-Serviceability-Service). With Cloud-Connected UC, the service works with the following devices: Cisco Unified Communications Manager
Your administrator	Uses Control Hub to register a connector host and enable Serviceability Service. The URL is https://admin.webex.com and you need your “organization administrator” credentials.
Connector host	An Enterprise Compute Platform (ECP) or Expressway that hosts the Management connector and the Serviceability Connector. Management Connector (on ECP or Expressway) and the corresponding Management Service (in Webex) manage your registration. They persist the connection, update connectors when required, and report status and alarms. Serviceability Connector—A small application that the connector host (ECP or Expressway) downloads from Webex after you enable your organization for Serviceability service.
Proxy	(Optional) If you change the proxy configuration after starting Serviceability Connector, then also restart the Serviceability Connector.
Webex cloud	Hosts Webex, Webex calling, Webex meetings, and Webex Hybrid Services.

Serviceability Connector Limitations

For a current list of limitations, see the Known Issues with Serviceability Service article.

People and Roles

***Accounts Required for Serviceability Service***

The diagram shows the required accounts to deliver Serviceability Service. Many of these accounts aren’t for users. The Serviceability Connector needs permission to retrieve data from several devices.

The following tables lists people and accounts, and their roles in deploying and using the service:

Table 1. People and Roles
Person / Device	Roles in delivering Serviceability Service
Your network administrator	(Once) Configure HTTP proxy if required (Once) Open required firewall ports to allow HTTPS access from the connector host (ECP or Expressway) to Customer eXperience Drive.
Cisco Technical Assistance Center representatives	Only for the TAC use case. (Ongoing) Initiate requests, when necessary, for data from the managed devices (Ongoing) Analysis of log data, when necessary, towards case resolution (outside scope of this document)
Your administrator of managed devices, such as Unified CM, IM & Presence Service, and BW Application Server	(Once) Create accounts on all monitored devices, so that the service can securely connect to them and retrieve data.
Your Connector host administrator	(Once) Prepare ECP or Expressway for Hybrid Services (Periodically) Configure Serviceability Connector with managed device addresses and credentials (Once) Start the connector and authorize it to collect data.
“Organization administrator” This account could be your Connector host administrator or network admin, or a Cisco partner. That person uses this account to sign in to Control Hub and manage your organization’s cloud configuration.	(Once) Create your organization and account in Cisco Webex (if not done already) (Once) Register your Connector host to Cisco Collaboration Cloud (Once) Onboard the Serviceability connector to the Connector host
Serviceability Connector	Access-managed devices using pre-configured API or SSH accounts Access CXD to save diagnostic data to the associated service request (no credentials required on Connector host)

Table 2. Accounts and Scope Required for Each
Account type	Scope / specific privileges	Notes
Cisco Connector Host Administrator	Access level = Read-write API access = Yes (Expressway only) Web access = Yes (Expressway only)	This account on the Connector Host reads the Serviceability Connector configuration.
Managed device API and SSH accounts (all of the following rows)	Send API calls to, or perform SSH commands on, the managed device. For example, to collect logs.	These accounts reside on the managed devices. You enter their credentials in the Serviceability Connector configuration on the Connector host.
API account for HCM-F API	Read	This account authenticates the connector when it polls HCM-F for information about customers, their clusters and devices, and credentials to access them.
Application User for Voice Operating System (VOS) Products	Standard AXL API Access Standard CCM Admin Users Standard CCMADMIN Read Only Standard Serviceability	VOS products include Unified CM, IM and Presence, and UCCX. If the SSH account is different to the Application User account, enter credentials for both accounts in the Serviceability Connector UI.
SSH user for Voice Operating System (VOS) Products		If the Application User account is different to the SSH account, enter credentials for both accounts in the Serviceability Connector UI.
Cisco Expressway or VCS Administrator	Access level = Read-write API access = Yes Web access = Yes	Only for TAC use case. This account for the managed VCS or Expressway, rather than for the connector host.
CUBE SSH user account	Privilege Level 15	Only for TAC use case.
BroadWorks CLI user account		Only for TAC use case. Ensure that the CLI account has privileges to run commands on the managed BroadWorks device; that is, Xtended Services Platform, Application Server, Profile Server, Execution Server, or Messaging Server.

Data Movement

Table 3. Data Transfer Summary
Data Operation	Transport Mechanism	Account Used
Read data from managed devices	HTTPS	API access or SSH account on the managed device
Write to case management system	HTTPS	Service Request number and associated unique token

When a command is entered, Webex sends the request to the Serviceability Connector, which acts on it to collect the required data.

This request has no directly identifiable data about the managed device. It has a device ID or cluster ID, so it knows from which devices to get the data. The Serviceability Connector translates this device/cluster ID. The ID can't by itself identify your infrastructure. Also, the connection between the cloud and the connector uses HTTPS transport.

The Serviceability Connector translates the request as follows:

It finds the devices for the device/cluster ID in its list of managed devices and clusters and obtains the addresses.
It recreates the request and parameters as API or SSH calls to the addresses, using the appropriate API or command for the devices.
To authorize the commands, the connector uses the pre-configured device credentials for the target devices.

The connector temporarily stores the resulting data files on the connector host (Expressway or ECP).

The connector chunks the temporary file, encrypts the chunks, and transmits them over HTTPS to the Customer eXperience Drive. If the request came from TAC, the TAC case file store reassembles the log data and stores it against your Service Request.

Serviceability Connector writes the following data about the transaction to the command history on the Connector host:

Unique identifiers for the command issued and the issuer of the command. You can trace the ID of the issuer back to the person who issued the command, but not on the connector host.
The issued command and parameters (not the resulting data).
The connector-generated alias of the devices to which the command was issued (not the address or hostname).
The status of the requested command (success/failure).

TAC case

TAC representatives use their own accounts to access Collaboration Solutions Analyzer (CSA), a web application that interacts with Cisco Webex to communicate requests to Serviceability Connector.

In CSA, the TAC person selects a particular Serviceability Connector from those that are in your organization, and then scopes the command with the following:

The ID of the TAC case in which to store the logs(service request number).
The target device (known by an alias that Serviceability Connector created when the device was first added as a managed device) or a cluster of devices.
A data collection command and any necessary parameters.

CSA determines the type of device from the Serviceability Connector and is aware of the capabilities of each type of managed device. For example, it knows that to collect service logs from Unified CM, the TAC user should provide start and end date/times.

Cloud-Connected UC case

In LogAdvisor, your administrator selects a particular Serviceability Connector from those that are in your organization, and then scopes the command with the following:

The target device (known by an alias that Serviceability Connector created when the device was first added as a managed device) or a cluster of devices.
A data collection command and any necessary parameters.

LogAdvisor prompts for the appropriate parameters.

Security

Managed devices:

You keep the data at rest on your managed devices secure by using the measures available on those devices and your own policies.
You create and maintain the API or SSH access accounts on those devices. You enter the credentials on the connector host; Cisco personnel and third parties don't need to and can't access those credentials.
The accounts might not need full administrative privileges, but do need authorization for typical logging APIs (See People and Roles). The Serviceability Service uses the minimum permissions required to retrieve log information.

Connector host:

Management Connector creates a TLS connection with Webex when you first register the Connector host (ECP or Expressway). To do this, the Management Connector needs to trust the certificates that Webex presents. You can opt to manage the host trust list yourself, or allow the host to download and install the required root CA list from Cisco.
The Management Connector maintains a connection to Webex, for reporting and alarms. The Serviceability Connector uses a similar persistent connection for receiving serviceability requests.
Only your administrators need to access the host to configure the Serviceability Connector. Cisco personnel don't need to access the host.

Serviceability Connector (on connector host):

Makes HTTPS or SSH connections to your managed devices, to execute API commands.
You can configure the Serviceability Connector to request and verify server certificates from the managed devices.
Makes outbound HTTPS connections to the Cisco TAC case management system storage.

Doesn't log any of your personally identifiable information (PII).

The connector itself doesn't log any PII. However, the connector doesn't inspect or clean the data that it transfers from the managed devices.

Doesn't permanently store any of your diagnostic data.
Keeps a record of the transactions that it makes in the connector’s command history (Applications > Hybrid Services > Serviceability > Command History). The records don't directly identify any of your devices.
Only stores the addresses of devices and the credentials to their API accounts in the Connector configuration store.
Encrypts data for transfer to the Customer eXprerience Drive using a dynamically generated 128-bit AES key.

Proxy:

If you use a proxy to go out to the internet, the Serviceability Connector needs credentials to use the proxy. The Connector host supports basic authentication.
If you deploy a TLS inspecting device, then it must present a certificate that the Connector host trusts. You may need to add a CA certificate to the host trust list.

Firewalls:

Open TCP port 443 outbound from the connector host to a number of Cisco service URLs. See External Connections Made by the Serviceability Connector ( https://help.webex.com/article/xbcr37/).
Open the required ports into protected networks that contain the managed devices. See Serviceability Connector Ports which lists ports required by the managed devices. For example, open TCP 443 into your DMZ to collect logs through an Expressway-E's inward facing address.
Don't open any additional ports inbound to the connector host.

Webex:

Doesn't make unsolicited inbound calls to your on-premises equipment. The Management Connector on the connector host persists the TLS connection.
All traffic between your connector host and Webex is HTTPS or secure web sockets.

Technical Assistance Center:

When you enable the Serviceability Service for the TAC use case:

Has developed comprehensive and secure data storage tools and protocols to safeguard customer device data.
Employees are bound by Code of Business Conduct not to share customer data unnecessarily.
Stores diagnostic data in encrypted form in the TAC case management system.
Only the personnel who are working on the resolution of your case may access that data.
You can access your own cases and see what data was collected.

Serviceability Connections

Serviceability Connector Ports

This table includes the ports that are used between the Serviceability Connector and managed devices. If there are firewalls protecting your managed devices, open the listed ports towards those devices. Internal firewalls aren’t required for successful deployment and aren’t shown in the preceding diagram.

Purpose	Src. IP	Src. Ports	Protocol	Dst. IP	Dst. Ports
Persistent HTTPS registration	VMware host	30000-35999	TLS	Webex hosts See External Connections made by the Serviceability Connector ( https://help.webex.com/article/xbcr37)	443
Log data upload	VMware host	30000-35999	TLS	Cisco TAC SR datastore See External Connections made by the Serviceability Connector ( https://help.webex.com/article/xbcr37)	443
API requests to HCM-F	VMware host	30000-35999	TLS	HCM-F Northbound interface (NBI)	8443
AXL (Administrative XML Layer) for log collection	VMware host	30000-35999	TLS	VOS devices (Unified CM, IM and Presence, UCCX)	8443
SSH access	VMware host	30000-35999	TCP	VOS devices (Unified CM, IM and Presence, UCCX)	22
SSH access, log collection	VMware host	30000-35999	TCP	CUBE	22
SSH access, log collection	VMware host	30000-35999	TCP	BroadWorks Servers (AS, PS, UMS, XS, XSP)	22
Log collection	VMware host	30000-35999	TLS	ECP or Expressway or VCS	443
Log collection	VMware host	30000-35999	TLS	DMZ Expressway-E (or VCS Expressway)	443

Prepare Your Environment

Requirements for Serviceability Connector

Table 1. Supported Product Integrations
On-Premises Servers	Version
Cisco Hosted Collaboration Media Fulfillment (HCM-F)	HCM-F 10.6(3) and later
Cisco Unified Communications Manager	10.x and later
Cisco Unified Communications Manager IM and Presence Service	10.x and later
Cisco Unified Border Element	15.x and later
Cisco TelePresence Video Communication Server or Cisco Expressway Series	X8.9 and later
Cisco Unified Contact Center Express (UCCX)	10.x and later
Cisco BroadWorks Application Server (AS)	Latest release and the two earlier major versions. For example, R23 is current at the time of writing, so we support managed devices running R21 and later.
Cisco BroadWorks Profile Server (PS)	Latest release and the two earlier major versions. For example, R23 is current at the time of writing, so we support managed devices running R21 and later.
Cisco BroadWorks Messaging Server (UMS)	Latest release and the two earlier major versions. For example, R23 is current at the time of writing, so we support managed devices running R21 and later.
Cisco BroadWorks Execution Server (XS)	Latest release and the two earlier major versions. For example, R23 is current at the time of writing, so we support managed devices running R21 and later.
Cisco BroadWorks Xtended Services Platform (XSP)	Latest release and the two earlier major versions. For example, R23 is current at the time of writing, so we support managed devices running R21 and later.

Unified CM is the only server that you can monitor in the Cloud-Connected UC case.

Table 2. Connector Host Details

Requirements

Version

Enterprise Compute Platform (ECP)

Use VMware vSphere client 6.0 or later to host the ECP VM.

Deploy ECP on a dedicated virtual machine of either specification:

4 CPU, 8GB RAM, 20GB HDD
2 CPU, 4GB RAM, 20GB HDD

You can download the software image from https://binaries.webex.com/serabecpaws/serab_ecp.ova. If you don't install and configure the VM first, the registration wizard prompts you to do so.

Always download a fresh copy of the OVA to install or reinstall the Serviceability Connector VM. An outdated OVA can lead to problems.

We recommend use of ECP. Our future development will focus on this platform. Some new features won't be available if you install the Serviceability Connector on an Expressway.

Cisco Expressway Connector Host

If you host the Connector on Expressway, use a virtual Expressway. Provide the virtual machine with enough resources to support at least the Medium Expressway. Don't use a Small Expressway. See the Cisco Expressway on Virtual Machine Installation Guide at https://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-guides-list.html.

You can download the software image from https://software.cisco.com/download/home/286255326/type/280886992 at no charge.

We recommend the latest released version of Expressway for connector host purposes. See Expressway Connector Host Support for Cisco Webex Hybrid Services for more information.

For Cloud-Connect UC, you can deploy the Serviceability Connector on an Expressway. But, you can't monitor the Expressway through the connector.

Complete Managed Device Prerequisites

The devices listed here are not prerequisites for the Serviceability Service. These configuration steps are only required if you want Serviceability Connector to manage these devices.

Ensure that these services are running to enable the connector to manage Voice Operating System (VOS) products like Unified CM, IM and Presence Service, and UCCX:

SOAP - Log Collection APIs
SOAP - Performance Monitoring APIs
SOAP - Real-Time Service APIs
SOAP - Diagnostic Portal Database Service
Cisco AXL Web Service

These services are enabled by default. If you stopped any of them, restart the services by using Cisco Unified Serviceability.

Make these configurations to enable Serviceability Connector to manage CUBE:

You don't need to do this for the Cloud-Connected UC case.

Enable Secure Shell (SSH) to provide a secure remote access connection for network devices, as covered in Configuring Secure Shell on Routers and Switches Running Cisco IOS.
Enable Secure Copy (SCP) to provide a secure and authenticated method for copying router configuration or router image files, as covered in Secure Shell Configuration Guide.
Enable Smart Call Home (call-home reporting contact-email-addr <email addr>). You can find instructions in either the Integrated Services Router guide or the Cloud Services Router guide.

(You must enable Smart Call Home if you want to enable Diagnostic Signatures on CUBE.)

Complete the ECP Connector Host Prerequisites

Complete these tasks before you deploy the Serviceability service:

Before you begin

If you choose to use ECP for the Connector host, we require that you deploy the Serviceability Connector on a dedicated ECP.

We recommend use of ECP. Our future development will focus on this platform. Some new features won't be available if you install the Serviceability Connector on an Expressway.

As an administrator of hybrid services, you retain control over the software running on your on-premises equipment. You’re responsible for all necessary security measures to protect your servers from physical and electronic attacks.

Obtain full organization administrator rights to access the customer view in Control Hub ( https://admin.webex.com).

Create a VM for the new ECP node. See Create a VM for the ECP Connector Host.

Open the required ports on your firewall. See Serviceability Connections and Serviceability Connector Ports.

The Serviceability Connector on ECP uses port 8443 outbound to the Cisco Webex cloud. See https://help.webex.com/article/WBX000028782/ for details of the cloud domains that ECP requests. The Serviceability Connector also makes the outbound connections listed in https://help.webex.com/article/xbcr37/.

If your deployment uses a proxy to access the internet, get the address and port for the proxy. If the proxy uses basic authentication, you also need those credentials.

If your organization uses a TLS proxy, the ECP node must trust the TLS proxy. The proxy's CA root certificate must be in the trust store of the node. You can check if you need to add it at Maintenance > Security > Trusted CA certificate .

Review these points about certificate trust. You can choose the type of secure connection when you begin the main setup steps.

Hybrid Services requires a secure connection between the connector host and Webex.

You can let Webex manage the root CA certificates for you. If you choose to manage them yourself, be aware of certificate authorities and trust chains. You must have authorization to change to the trust list.

Create a VM for the ECP Connector Host

Create a VM for the ECP node.

When you first sign in to a new ECP node, use the default credentials. The username is "admin" and the password is "cisco". Change the credentials after signing on for the first time.

Download the OVA from https://binaries.webex.com/serabecpaws/serab_ecp.ova to your local computer.

Choose Actions > Deploy OVF Template in the VMware vCenter.

On the Select template page, choose Local File, select your serab_ecp.ova, and click Next.

On the Select name and location page, enter a name for your VM, such as, Webex-Serviceability-Connector-1.

Select the datacenter or folder to host the VM and click Next.

(Optional) You might need to select a resource, such as a host, that the VM can use and click Next.

The VM installer runs a validation check and displays the template details.

Review the template details and make any necessary changes, then click Next.

Choose which configuration to use for the VM and click Next.

We recommend the larger option with 4 CPU, 8GB RAM, and 20GB HDD. If you have limited resources, you can choose the smaller option.

On the Select storage page, choose these settings:

VM Property	Value
Select virtual disk format	Thick provision lazy zeroed
VM storage policy	Datastore default

On the Select networks page, choose the target network for the VM and click Next.

The connector needs to make outbound connections to Webex. For these connections, the VM requires a static IPv4 address.

On the Customize template page, edit the network properties for the VM, as follows:

VM Property	Recommendation
Hostname	Enter the FQDN (hostname and domain) or a single word hostname for the node. Don't use capitals in the hostname or FQDN. FQDN is 64 characters maximum.
Domain	Required. Must be valid and resolvable. Don't use capitals.
IP Address	A static IPv4 address. DHCP isn’t supported.
Mask	Use dot-decimal notation, for example, `255.255.255.0`
Gateway	The IP address of the network gateway for this VM.
DNS Servers	Comma-separated list of up to four DNS servers, accessible from this network.
NTP Servers	Comma-separated list of NTP servers, accessible from this network. The Serviceability Connector must be time synchronized.

Click Next.

The Ready to Complete page displays the details of the OVF template.

Review the configuration and click Finish.

The VM installs and then appears in your list of VMs.

Power on your new VM.

The ECP software installs as a guest on the VM host. Expect a delay of a few minutes while the containers start on the node.

What to do next

If your site proxies outbound traffic, integrate the ECP node with the proxy.

After you configure the network settings and you can reach the node, you can access it through secure shell (SSH).

(Optional) Configure ECP Node for Proxy Integration

If your deployment proxies outbound traffic, use this procedure to specify the type of proxy to integrate with your ECP node. For a transparent inspecting proxy or an explicit proxy, you can use the node interface to do the following:

Upload and install the root certificate.
Check the proxy connection.
Troubleshoot issues.

Go to the web interface of your Serviceability Connector at https://<IP or FQDN>:443/setup and sign in.

Go to Trust Store & Proxy, and then choose an option:

No Proxy—The default option before you integrate a proxy. Requires no certificate update.
Transparent Non-Inspecting Proxy—ECP nodes don't use a specific proxy server address and don't require any changes to work with a non-inspecting proxy. This option requires no certificate update.
Transparent Inspecting Proxy—ECP nodes don't use a specific proxy server address. No http(s) configuration changes are necessary on ECP. However, the ECP nodes need a root certificate to trust the proxy. Typically, IT uses inspecting proxies to enforce policies on allowing visits to websites and permitting types of content. This type of proxy decrypts all your traffic (even https).

Explicit Proxy—With explicit proxy, you tell the client (ECP nodes) which proxy server to use. This option supports several authentication types. After you choose this option, enter the following information:

Proxy IP/FQDN—Address to reach the proxy machine.
Proxy Port—A port number that the proxy uses to listen for proxied traffic.
Proxy Protocol—Choose http (ECP tunnels its https traffic through the http proxy) or https (traffic from the ECP node to the proxy uses the https protocol). Choose an option based on what your proxy server supports.

Choose from among the following authentication types, depending on your proxy environment:

Option	Usage

None	Choose for HTTP or HTTPS explicit proxies where there's no authentication method.
Basic	Available for HTTP or HTTPS explicit proxies Used for an HTTP user agent to provide a username and password when making a request, and uses Base64 encoding.
Digest	Available for HTTPS explicit proxies only Used to confirm the account before sending sensitive information. This type applies a hash function on the user name and password before sending it over the network.

For a transparent inspecting or explicit proxy, click Upload a Root Certificate or End Entity Certificate. Then, choose the root certificate for the explicit or transparent inspecting proxy.

The client uploads the certificate but doesn't install it yet. The node installs the certificate after its next reboot. Click the arrow by the certificate issuer name to get more details. Click Delete if you want to reupload the file.

For a transparent inspecting or explicit proxy, click Check Proxy Connection to test the network connectivity between the ECP node and the proxy.

If the connection test fails, you see an error message with the reason and how to correct the issue.

For an explicit proxy, after the connection test passes, select Route all port 443/444 https requests from this node through the explicit proxy. This setting requires 15 seconds to take effect.

Click Install All Certificates Into the Trust Store (appears whenever the proxy setup adds a root certificate) or Reboot (appears if the setup doesn't add a root certificate). Read the prompt and then click Install if you're ready.

The node reboots within a few minutes.

After the node reboots, sign in again if needed and open the Overview page. Review the connectivity checks to ensure that they are all in green status.

The proxy connection check only tests a subdomain of webex.com. If there are connectivity problems, a common issue is that the proxy blocks some of the cloud domains listed in the install instructions.

Complete the Expressway Connector Host Prerequisites

Use this checklist to prepare an Expressway for hosting connectors, before you register it to the Webex.

Before you begin

If you choose to use Expressway to host the Serviceability Connector, we require that you use a dedicated Expressway for the host.

We recommend use of ECP. Our future development will focus on this platform. Some new features won't be available if you install the Serviceability Connector on an Expressway.

Obtain full organization administrator rights before you register any Expressways, and use these credentials when you access the customer view in Control Hub ( https://admin.webex.com).

Follow these requirements for the Expressway-C connector host.

Install the minimum supported Expressway software version. See the version support statement for more information.

Install the virtual Expressway OVA file according to the Cisco Expressway Virtual Machine Installation Guide. You can then access the user interface by browsing to its IP address.

The Expressway install wizard asks you to change the default root and admin passwords. Use different, strong passwords for these accounts.
The serial number of a virtual Expressway is based on the MAC address of the VM. We use the serial number to identify Expressways that are registered to the Cisco Webex cloud. Don’t change the MAC address of the Expressway VM when using VMware tools, or you risk losing service.

You don’t require a release key, or an Expressway series key, or any other license, to use the virtual Expressway-C for Hybrid Services. You may see an alarm about the release key. You can acknowledge it to remove it from the interface.
Although most Expressway applications require SIP or H.232, you don’t need to enable SIP or H.323 services on this Expressway. They are disabled by default on new installs. Leave them disabled. If you see an alarm warning you about misconfiguration, you can safely clear it.

If this is your first time running Expressway, you get a first-time setup wizard to help you configure it for Hybrid Services. If you previously skipped the wizard, you can run it from the Status > Overview page.

Select Expressway series.
Select Expressway-C.
Select Cisco Webex Hybrid Services.

Selecting this service ensures that you don't require a release key.

Don’t select any other services. The Serviceability Connector requires a dedicated Expressway.
Click Continue.

The wizard doesn’t show the licensing page, as for other Expressway deployment types. This Expressway doesn't need any keys or licenses for hosting connectors. (The wizard skips to the configuration review page).
Review the Expressway configuration (IP, DNS, NTP) and reconfigure if necessary.

You would have entered these details, and changed the relevant passwords, when you installed the virtual Expressway.
Click Finish.

If you haven’t checked already, check the following configuration of the Expressway-C connector host. You normally check during installation. You can also confirm the configuration when you use Service Setup wizard.

Basic IP configuration (System > Network interfaces > IP)
System name (System > Administration settings)
DNS settings (System > DNS) especially the System host name and the Domain, as these properties form the FQDN that you need to register the Expressway to Cisco Webex.
NTP settings (System > Time)

Synchronize the Expressway with an NTP server. Use the same NTP server as the VM's host.
Desired password for admin account (Users > Administrator accounts, click Admin user then Change password link)
Desired password for root account, which should be different to the Admin account password. (Log on to CLI as root and run the passwd command.)

Expressway-C connector hosts don’t support dual NIC deployments.

Your Expressway is now ready to register to Cisco Webex. The remaining steps in this task are about the network conditions and items to be aware of before you attempt to register the Expressway.

If you haven’t already done so, open required ports on your firewall.

All traffic between Expressway and the Webex cloud is HTTPS or secure web sockets.
TCP port 443 must be open outbound from the Expressway-C. See https://help.webex.com/article/WBX000028782/ for details of the cloud domains that are requested by the Expressway-C.
The Serviceability Connector also makes the outbound connections listed in https://help.webex.com/article/xbcr37/.

Get the details of your HTTP proxy (address, port) if your organization uses one to access the internet. You also need a username and password for the proxy if it requires basic authentication. The Expressway can’t use other methods to authenticate with the proxy.

If your organization uses a TLS proxy, the Expressway-C must trust the TLS proxy. The proxy's CA root certificate must be in the trust store of the Expressway. You can check if you need to add it at Maintenance > Security > Trusted CA certificate .

Review these points about certificate trust. You can choose the type of secure connection when you begin the main setup steps.

Hybrid Services requires a secure connection between the connector host Expressway and Webex.

You can let Webex manage the root CA certificates for you. If you choose to manage them yourself, be aware of certificate authorities and trust chains. You must also be authorized to make changes to the Expressway-C trust list.

Deploy Serviceability Connector

Serviceability Connector Deployment Task Flow

(Recommended) If you deploy the Serviceability Connector on ECP, Register the ECP Connector Host to Cisco Webex.

After you complete the registration steps, the connector software automatically deploys on your on-premises connector host.

(Alternate) If you deploy the Serviceability Connector on Expressway, Register the Expressway Connector Host to Cisco Webex.

After you complete the registration steps, the connector software automatically deploys on your on-premises connector host.

Configure the Serviceability Connector on ECP or Configure the Serviceability Connector on Expressway, as appropriate.

Name your Serviceability Connector.

Create Accounts on Managed Devices

Configure accounts on each product that the Connector can manage. The connector uses these accounts to authenticate data requests to the managed devices.

If you import all your managed devices and clusters from HCM-F, you don't need to do this task. You must do it if the Connector manages devices that aren't in the HCM-F database.

(Optional) Configure an ECP Connector Host with Locally Managed Unified CMs or (Optional) Configure Serviceability Connector with Locally Managed Devices

If you import all your managed devices and clusters from HCM-F, you don't need to do this task. You must do it if the Connector manages devices that aren't in the HCM-F database.

If your connector host is an Expressway, we strongly recommend that you configure the connector host as a locally managed device for the TAC use case. But, an ECP connector host has no logs that TAC would request through the Serviceability Service.

(Optional) Configure an ECP Connector Host with Locally Managed Unified CM Clusters or (Optional) Configure Serviceability Connector with Locally Managed Clusters

You can associate locally managed devices of the same type as a managed cluster on the Connector configuration. Clusters enable data collection from multiple devices with one request.

(Optional) Import Devices from Hosted Collaboration Mediation Fulfillment

We recommend importing from the Connector to automatically maintain a list of customer devices and clusters from HCM-F. You could manually add the devices, but integrating with HCM-F saves you time.

Configure Upload Settings.

This task is only needed for the TAC case.

Customer eXperience Drive (CXD) is the default and only option.

Start the Serviceability Connector

Expressway only task

Validate the Serviceability Connector Configuration

Expressway only task. Use this procedure to test the data collection and transfer to your service request.

Register the ECP Connector Host to Cisco Webex

Hybrid Services use software connectors to securely connect your organization's environment to Webex. Use this procedure to register your ECP connector host.

After you complete the registration steps, the connector software automatically deploys on your on-premises connector host.

Before you begin

You must be on the enterprise network where you installed the Serviceability Connector node when you run the registration wizard. That network requires access to the Connector and to the admin.webex.com cloud. (See Prepare Your Environment for links to the relevant addresses and ports). You're opening browser windows to both sides to establish a more permanent connection between them.
If your deployment proxies outbound traffic, enter the details of your proxy. See (Optional) Configure ECP Node for Proxy Integration.
If the registration process times out or fails for some reason, you can restart registration in Control Hub.

In Control Hub ( https://admin.webex.com), select Customers > My Organization.

Choose Services > Hybrid.

Click View All on the Serviceability Service card.

If you haven't deployed a Serviceability Connector before, scroll to the bottom of the page to find the card. Click Set Up to launch the wizard.

Click Add Resource.

Select Enterprise Compute Platform and click Next.

The wizard shows the Register Serviceability Service on ECP Node page.

If you haven’t installed and configured the VM, you can download the software from this page. You must install and configure the ECP VM before continuing with this wizard. (See Create a VM for the ECP Connector Host.)

Enter a cluster name (arbitrary, and only used by Webex) and the FQDN or IP Address of the ECP node, then click Next.

If you use an FQDN, enter a domain that the DNS can resolve. To be useable, an FQDN must resolve directly to the IP address. We validate the FQDN to rule out any typo or configuration mismatch.
If you use an IP address, enter the same internal IP address that you configured for the Serviceability Connector from the console.

Define an upgrade schedule.

When we release an upgrade to the Serviceability Connector software, your node waits until the defined time before it upgrades. To avoid interrupting TAC’s work on your issues, choose a day and time when TAC is unlikely to use the connector. When an upgrade is available, you can intervene to Upgrade Now or Postpone (defers until the next scheduled time).

Select a release channel and click Next.

Choose the stable release channel unless you’re working with the Cisco trials team.

Review the node details and click Go to Node to register the node to the Cisco Webex cloud.

Your browser tries to open the node in a new tab; add the IP address for the node to your organization’s allow list.

Review the notice about allowing access to this node.

Check the box that allows Webex to access this node, then click Continue.

The Registration Complete window appears when the node finishes registering.

Go back to the Control Hub window.

Click View All on the Serviceability Services page.

You should see your new cluster in the list of Enterprise Compute Platform Clusters. The Service Status is "Not Operational" because the node needs to upgrade itself.

Click Open nodes list.

You should see the available upgrade for your node.

Click Install now....

Review the release notes and click Upgrade Now.

The upgrade can take a few minutes. The cluster status switches to operational after the upgrade completes.

Register the Expressway Connector Host to Cisco Webex

Hybrid Services use software connectors to securely connect your organization's environment to Webex. Use this procedure to register your connector host Expressway.

After you complete the registration steps, the connector software automatically deploys on your on-premises Expressway connector host.

Before you begin

Sign out of any other connections to this Expressway.
If your on-premises environment proxies the outbound traffic, enter the details of the proxy server on Applications > Hybrid Services > Connector Proxy before completing this procedure. For a TLS proxy, add the root CA certificate that is signed by the proxy server certificate to the CA trust store on the Expressway. Doing so is necessary for successful registration.
Webex rejects any attempt at registration from the Expressway web interface. Register your Expressway through Control Hub.
If the registration process times out or fails for some reason, you can restart registration in Control Hub.

In Control Hub ( https://admin.webex.com), select Customers > My Organization.

Choose Services > Hybrid.

Click View All on the Serviceability Service card.

If you haven't deployed a Serviceability Connector before, scroll to the bottom of the page to find the card. Click Set Up to launch the wizard.

For new registrations, choose the first radio button and click Next.

Enter your connector host's IP address or FQDN.

Webex creates a record of that Expressway and establishes trust.

Enter a meaningful display name for the connector host and click Next.

Click the link to open your Expressway web interface.

This link uses the FQDN from Control Hub. Make sure that the PC that you use for the registration can access the Expressway interface using that FQDN.

Decide how you want to update the Expressway trust list:

Check the box if you want Webex to add the required CA certificates to the Expressway trust list.

When you register, the root certificates for the authorities that signed the Webex certificates are installed automatically on the Expressway. This method means that the Expressway should automatically trust the certificates and can set up the secure connection.

If you change your mind, you can use the Connector Management window to remove the Webex CA root certificates and manually install root certificates.

Uncheck the box if you want to update the Expressway trust list manually. See the Expressway online help for the procedure.

Click Register.

Control Hub launches. Read the on-screen text to verify that Webex identified the correct Expressway.

Click Allow to register the Expressway for Hybrid Services.

After the Expressway registers successfully, the Hybrid Services window on the Expressway shows the connectors downloading and installing. If there’s a newer version available, the management connector automatically upgrades. It then installs any other connectors that you selected for this Expressway connector host.
The connectors install their interface pages on the Expressway connector host. Use these new pages to configure and activate the connectors. The new pages are in the Applications > Hybrid Services menu on your Expressway connector host.

If registration fails and your on-premises environment proxies the outbound traffic, review the prerequisites of this procedure.

Configure the Serviceability Connector on ECP

Before you begin

You must register the ECP node to Cisco Webex before you can configure the Serviceability Connector.

When you first sign in to a new ECP node, use the default credentials. The username is "admin" and the password is "cisco". Change the credentials after signing on for the first time.

1	Sign in to the connector host and go to Config Settings.
2	Enter a name for this connector. Choose a meaningful name for the connector that helps you discuss it.
3	Click Save.

Configure the Serviceability Connector on Expressway

Before you begin

You must register the Expressway to Cisco Webex before you can configure the Serviceability Connector.

1	Sign in to the Expressway connector host and go to Applications > Hybrid Services > Connector Management.
2	Check that Serviceability Connector is listed, it should not be running. Do not start it yet.
3	Go to Applications > Hybrid Services > Serviceability > Serviceability Configuration.
4	Enter a name for this connector. Choose a name that is meaningful to you and represents the Expressway's purpose.
5	Click Save.

(Optional) Import Devices from Hosted Collaboration Mediation Fulfillment

If you use the Serviceability Service with Cisco Hosted Collaboration Solution (HCS), we recommend importing the devices from HCM-F. Then, you can avoid manually adding all those customers, clusters, and devices from the HCM-F inventory.

If your deployment isn't an HCS environment, you can ignore this task.

Integrate each Serviceability Connector with one HCM-F inventory. If you have multiple inventories, you need multiple connectors.

Before you begin

Create an administrative account on Hosted Collaboration Mediation Fulfillment (HCM-F) to use with Serviceability Service. You need the address of HCM-F and it must be reachable from the Serviceability host.

1	Sign into your connector host and go to Managed Devices, as follows: On an ECP connector host, go to the web interface of your Serviceability Connector at `https://<FQDN or IP address>:8443/home`. Sign in and click Managed Devices. On an Expressway connector host, sign in and go to Applications > Hybrid Services > Serviceability > Managed Devices.
2	Click New.
3	Select Hosted Collaboration Mediation Fulfillment from the Type dropdown. The interface generates a unique Device Name, based on the selected Type.
4	Edit the Device Name. The default name identifies the device type and gives it a unique number. Modify the name to make it meaningful during conversations about this device.
5	Enter the Address, FQDN or IP address, of the HCM-F northbound API interface (NBI).
6	Enter the Username and Password of the HCM-F administrative account.
7	Choose a Polling Frequency, between 1 hour and 24 hours. This setting governs how often the service checks your inventory for changes to the imported devices. We recommend one day unless you make frequent changes to your inventory. You can choose Never to disable the import from HCM-F. The setting takes effect when you save the page. This setting removes from the serviceability connector the data that was previously imported from HCM-F.
8	Click Verify to test that the account can authenticate itself with HCM-F.
9	Click Add to save your changes.

The Serviceability connector connects to HCM-F, and populates the Customers, Managed Devices, and Managed Clusters pages with read-only copies of that information.

You can click Update Now to force an immediate refresh of the data from HCM-F.

What to do next

The Customers page is always visible in the connector UI, even in non-HCM-F deployments. The page is empty unless you import data from HCM-F.

Create Accounts on Managed Devices

Configure an account on each device so that Serviceability Connector can authenticate itself to the devices when requesting data.

1	For Cisco Unified Communications Manager, IM and Presence Service, UCCX, and other VOS (Voice Operating System) products: From Cisco Unified CM Administration on your publisher node, go to User Managment > User Settings > Access Control Group, click Add New, enter a name (for example, Serviceability Connector Group), and then click Save. From the Related Links, click Assign Role to Access Control Group, and then click Go. Click Assign Role to Group, choose the following roles, and then click Add Selected: Standard AXL API Access Standard CCM Admin Users Standard CCMADMIN Read Only Standard ServiceAbility Configure an application user by going to User Management > Application User and then clicking Add New. Enter a username and password for the new account. Click Add to Access Control Group, choose your new Access Control Group, click Add Selected, and then click Save.
2	For Cisco TelePresence Video Communication Server, or Cisco Expressway Series: Go to Users > Administrator Accounts, and then click New. In the Configuration section, configure these settings: Name—Enter a name for the account. Emergency Account—Set to No. Access Level—Set to Read-write. Enter a Password and re-enter it in Confirm password. Web Access—Set to Yes. API Access—Set to Yes. Force password reset—Set to No. State—Set to Enabled. Under Authorize, enter Your current password (of the account that you used to access the Expressway interface) to authorize creation of this account. Click Save.
3	For Cisco Unified Border Element: From the CUBE CLI, configure a user with privilege level 15: `username <myuser> privilege 15 secret 0 <mypassword>`
4	For Cisco BroadWorks Application Server, Profile Server, Messaging Server, Xtended Services Platform, and Execution Server: Use the system administrator account that you created when you installed the server.

(Optional) Configure an ECP Connector Host with Locally Managed Unified CMs

If your connector host is an Expressway, you add each Unified CM publisher and subscriber separately. But, the ECP connector host automates adding the subscribers for each Unified CM publisher.

Remember to enable appropriate logging on all devices. The Serviceability Connector only collects logs, it doesn't enable the actual logging.

Before you begin

This task doesn't apply if you:

Run the connector host on an Expressway.
Use the HCM-F inventory to add devices to an ECP connector host.

On an ECP connector host, go to the web interface of your Serviceability Connector at https://<FQDN or IP address>:8443/home. Sign in and click Managed Devices.

After you install the Serviceability Connector, it prompts you to change your password when you first sign in. Change the default password, cisco, to a secure value.

Click New.

Select the Unified CM Type.

You can only add a Unified CM publisher.

The interface generates a unique Device Name using the selected type.

Edit the Device Name.

The default name identifies the device type and gives it a unique number. Modify the name to make it meaningful during conversations about this device.

Enter the following information for the Unified CM publisher:

Property	Value
Address	The FQDN or IP address of the publisher
Role	(Optional) Roles help you differentiate devices from each other when viewing the list or arranging a cluster.
TLS verify mode	If you leave this mode On (default), then the connector requires a valid certificate from this managed device. The certificate must contain the address that you entered earlier as subject alternative name (SAN). The certificate must be valid and trusted by this connector host. If you’re using self-signed certificates on the managed devices, copy them to the connector host CA trust store.
Username	For the Unified CM account
Password	For the Unified CM account
Do SSH Credentials differ from those of Application User	If your managed device has a separate account for SSH access, change the value to Yes, and then enter the SSH account credentials.

Click Verify to test that the account can authenticate itself to the managed device.

Click Add.

Repeat this task to add other Unified CM publishers to the Serviceability Connector configuration.

You can now create a managed cluster for the publisher. That cluster automatically populates with the subscribers for the publisher. You can then add any of the subscribers from the cluster.

If you previously configured Unified CM subscribers on the connector, the Managed Devices page still lists them. But, the Alarms displays an alarm for each subscriber. Delete the old subscriber entries and then add the subscribers back through the managed cluster.

What to do next

(Optional) Configure Serviceability Connector with Locally Managed Devices
(Optional) Configure an ECP Connector Host with Locally Managed Unified CM Clusters

(Optional) Configure Serviceability Connector with Locally Managed Devices

To get logs from your managed devices, you first specify the devices in the Serviceability Connector.

If your connector host is an Expressway, we strongly recommend that you configure the connector host as a locally managed device in the TAC use case. Then, TAC can help if your Serviceability Connector isn’t working as expected. But, an ECP connector host has no logs that TAC would request through the Serviceability Service.

When you add devices, include both the publisher and all subscribers for each Unified CM cluster.

Remember to enable appropriate logging on all devices. The Serviceability Connector only collects logs, it doesn't enable the actual logging.

Sign into your connector host and go to Managed Devices, as follows:

On an ECP connector host, go to the web interface of your Serviceability Connector at https://<FQDN or IP address>:8443/home. Sign in and click Managed Devices.
On an Expressway connector host, sign in and go to Applications > Hybrid Services > Serviceability > Managed Devices.

After you install the Serviceability Connector, it prompts you to change your password when you first sign in. Change the default password, cisco, to a secure value.

Click New.

Select the device Type.

The interface generates a unique Device Name, based on the selected Type.

Edit the Device Name.

The default name identifies the device type and gives it a unique number. Modify the name to make it meaningful during conversations about this device.

Enter the Address, FQDN or IP address, of the managed device.

The remaining fields on the configuration page change depending on the type of device. Skip to the step that is relevant for your device, as follows:

Cisco Unified Communications Manager ( Step 6)
Cisco Unified CM IM and Presence ( Step 6)
Cisco Unified Contact Center Express ( Step 6)
Cisco Expressway or VCS ( Step 8)
Cisco Unified Border Element ( Step 9)
Cisco BroadWorks server types ( Step 10)

[VOS devices] Enter the details of the VOS device:

Select a Role for this device.

The roles depend on the Type. Roles help you differentiate devices from each other when viewing the list or arranging a cluster. For example, you could select the Publisher role for a particular IM and Presence Service node.
Change the TLS verify mode if necessary.

If you leave this mode On (default), then the connector requires a valid certificate from this managed device.

The certificate must contain the address that you entered above as subject alternative name (SAN). The certificate must be valid and trusted by this connector host.

If you’re using self-signed certificates on the managed devices, copy them to the connector host CA trust store.
Enter the Username and Password of the application account for this device.
If your managed device has a separate account for SSH access, change Do SSH Credentials differ from those of Application User to Yes, and then enter the SSH account credentials.
Go to Step 11.

[Expressway/VCS] Enter the details of an Expressway or VCS:

Select a Role for this Expressway, either C (Expressway-C) or E (Expressway-E).
Change the TLS verify mode if necessary.

If you leave this mode On (default), then the connector requires a valid certificate from this managed device.

The certificate must contain the address that you entered above as subject alternative name (SAN). The certificate must be valid and trusted by this connector host.
Enter the Username and Password of the account for this device.
Go to Step 11.

[CUBE] Enter the details of a CUBE:

Select a Role for this CUBE, either Active or Standby.
Enter the Username and Password of the SSH account for the CUBE.
Go to Step 11.

[BroadWorks] Enter the details of a BroadWorks Server:

Enter the Username and Password of the BWCLI account for the BroadWorks server.
Go to Step 11.

Click Verify to test that the account can authenticate itself to the managed device.

Click Add.

Repeat this task to add other devices to the Serviceability Connector configuration.

What to do next

(Optional) Configure Serviceability Connector with Locally Managed Clusters.
Configure Upload Settings.

(Optional) Configure an ECP Connector Host with Locally Managed Unified CM Clusters

Locally managed clusters in the connector configuration are groups of locally managed devices of the same type. When you configure a cluster on the Serviceability Connector, it doesn't create connections between the devices. The clusters only aid in sending a single command to a group of similar devices.

If your connector host is an Expressway, you create a cluster and add each Unified CM publisher and subscriber to it separately. But, the ECP connector host automates adding the subscribers to the cluster for each Unified CM publisher.

Remember to enable appropriate logging on all devices. The Serviceability Connector only collects logs, it doesn't enable the actual logging.

Before you begin

This task doesn't apply if you:

Run the connector host on an Expressway.
Use the HCM-F inventory to add devices to an ECP connector host.

On an ECP connector host, go to the web interface of your Serviceability Connector at https://<FQDN or IP address>:8443/home. Sign in and click Managed Clusters.

Create a cluster for each Unified CM publisher:

Click New.
Enter a cluster Name.

Use a name that distinguishes this cluster from other clusters. You can change the name later, if necessary.
Choose the Unified CM Product type, and then click Add.
Choose the publisher.
Click Save.

The connector polls the publisher and populates a list of its subscribers in the cluster.

Toggle the check box for each subscriber to add or remove it in the Managed Devices.

For security reasons, the connector can't retrieve the sign-in credentials for the subscribers when it polls the publisher. When it creates the record for each subscriber, it defaults to the username and password for the publisher instead. If your subscribers have different sign-in credentials from your publisher, you must update the subscriber records.

Unchecking the subscriber in the cluster automatically removes its record from the Managed Devices page.

If necessary, change the default username and password for each subscriber on the Managed Devices page.

Repeat this procedure for each managed cluster that you want to add.

(Optional) Configure Serviceability Connector with Locally Managed Clusters

You don't need to arrange locally managed devices into clusters.

If you’re importing clusters from HCM-F, the Clusters page shows read-only information about those clusters.

Before you begin

(Optional) Configure Serviceability Connector with Locally Managed Devices

Sign into your connector host and go to Managed Clusters, as follows:

On an ECP connector host, go to the web interface of your Serviceability Connector at https://<FQDN or IP address>:8443/home. Sign in and click Managed Clusters.
On an Expressway connector host, sign in and go to Applications > Hybrid Services > Serviceability > Managed Clusters.

For each cluster of managed devices:

Click New.
Enter a cluster Name.

Use a name that distinguishes this cluster from other clusters. You can change the name later, if necessary.
Choose a Product type, and then click Add.
Choose the managed devices to include in this cluster.
Click Save.

The page shows the list of clusters, including your new cluster.

Repeat this procedure for each managed cluster that you want to add.

(Optional) Configure local logging and problem report collection

This is how you enable local logging and problem report collection. When these settings are on, the data is kept locally on the service connector host. You can read about managing this data in Manage local logs and Collect problem reports.

1	Sign in to the Serviceability node and click Config Settings.
2	(Optional) Set Keep a copy of collected logs locally to Allow and select the number of files to save. This allows the node to keep local copies of the logs that were remotely collected through it.
3	(Optional) Change Enable endpoint prt log collection to Allow and select the number of files to save.
4	(Optional) Change Restrict prt log collection from configured subnets to True if you want to restrict the networks this connector can see for collecting problem reports. You must enter the subnets you want to use. Use commas to separate multiple ranges.
5	Click Save.

Configure Upload Settings

To upload files to a case, use "Customer eXperience Drive" (CXD). This setting is the default when you configure Upload Settings for the first time.

If you need further assistance, call the Cisco Technical Assistance Center.

This task is only for the TAC use case.

In Cloud-Connected UC, the destination is preset. See the Cisco TAC Delivery Services Privacy Data Sheet for information on where this feature processes and stores data.

Sign into your connector host and go to Upload Settings, as follows:

On an ECP connector host, go to the web interface of your Serviceability Connector at https://<FQDN or IP address>:8443/home. Sign in and click Upload Settings.
On an Expressway connector host, sign in and go to Applications > Hybrid Services > Serviceability > Upload Settings.

For the TAC use case, check that the connector's Upload authentication method is Customer eXperience Drive. This setting is the default selection for new installations.

Click Save.

Configure remote collections on this Connector

The Service Connector allows remote collections by default. You can check to ensure that TAC has your permission to collect logs from your managed devices:

1	Sign into your connector host and go to Configuration, as follows: On an ECP connector host, go to the web interface of your Serviceability Connector at `https://<FQDN or IP address>:8443/home`. Sign in and click Configuration. On an Expressway connector host, sign in and go to Applications > Hybrid Services > Serviceability > Configuration.
2	For the TAC use case, change Collect data to store with Service Requests to Allow. This switch is set to Allow by default. If you change it to Deny, then you no longer receive the benefits of the Serviceability Connector.
3	For the Cloud-Connected UC use case, ensure that Collect data for CCUC troubleshooting is Allow (the default).
4	Click Save.

What to do next

Start the Serviceability Connector

If your Connector Host is an Expressway, this task turns on the Serviceability Connector to enable sending log collection requests to your managed devices. You should only need to do this task once, then the Serviceability Connector is active and waiting for a request.

Before you begin

(Optional) Configure Serviceability Connector with Locally Managed Devices
Configure Upload Settings

1	On an Expressway connector host, sign in and go to Applications > Hybrid Services > Connector Management and click Serviceability.
2	Click Serviceability Connector.
3	Change the Active field to Enabled.
4	Click Save. The connector starts and the status changes to Running on the Connector Management page.

What to do next

Validate the Serviceability Connector Configuration

Validate the Serviceability Connector Configuration

If your Connector Host is an Expressway, this task validates the configuration of your connector.

On an Expressway connector host, sign in and go to Applications > Hybrid Services > Connector Management and click Serviceability.

Check that Serviceability Connector is Running with No alarms.

Check that managed device accounts can connect:

Go to the Managed Devices page.
For each of the devices listed, click View/Edit.
On the device configuration page, click Verify to test the account against the device. You should see a Success banner.

Manage Serviceability Service

Access the Serviceability Connector web interface

To access the web interface of your Serviceability Connector host, then you need one of:

A full administrator account for your organization in Control Hub
The address of the host node and the administrator account on that node

1	Sign in to your organization in Control Hub. If you are a partner administrator, you'll see Partner Hub instead. Open the customer's organization.
2	Go to Services > Hybrid and find the Serviceability Service card.
3	Under Resources, click View all.
4	Select the host node and click Go to node. The browser opens the interface of the Serviceability Connector host.

What to do next

If you can't use Control Hub to manage the node, then browse to https://<host node address>/setup and sign in with the admin credentials for that node.

Access the Serviceability application on the host node

You need the address of the Serviceability Connector host.

Browse to http://<host IP address>:8443

The browser opens the web interface of the Serviceability application.

Manage local logs

This page lists logs that have been collected by this serviceability node. The list shows where the log came from (which managed device or cluster), the date and time it was collected, and the service that requested the log.

(Optional) Sort or filter the logs using the controls in the column headers.

Select the log that interests you and choose:

Delete removes the local copy of this log. This does not affect the copy that was collected by the upstream service.
Download puts a copy of the collected log (.zip file) on your local computer.
Analyse opens the Collaboration Solutions Analyzer, where you can upload and analyze your copy of the log.

What to do next

When you are finished analyzing or archiving your logs, you should delete them from the Serviceability node. This reduces the local disk usage, so there is enough storage to collect future logs.

We added a disk usage monitor to protect the Serviceability node from becoming too full. The monitor raises an alarm when a log is collected but the disk does not have enough space to keep a copy. The monitor is configured to raise the alarm if utilization reaches 80%.

When this threshold is reached, the monitor also deletes all previously collected logs, to ensure there is enough capacity to store the next log collected by this node.

Collect problem reports

This page lists problem reports previously collected by this node. The list shows the device name and the date of the problem report. You can search, sort, and filter the reports.

Click Generate to collect a report from a specific device. Supply the device name or MAC address, then click Generate.

The device name must match the value as registered on the Unified CM. The serviceability connector queries its list of Unified CM nodes for the given device name.

The dialog box shows progress and then a success message. The new problem report appears in the list.

Select the report and choose:

Delete removes the local copy of this problem report.
Download puts a copy of the problem report (.zip file) on your local computer.
Analyse opens the Collaboration Solutions Analyzer, where you can upload and analyze the problem report.