BRKCOL-2239 Jabber Deployment Revisited Part 1: Deployment and Provisioning
Bryan Morris, Technical Marketing Engineer, Cisco Jabber Team
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKCOL-2239

PART ONE: Jabber Modes, Enabling Users for Jabber, Connecting Jabber to Services, Jabber User Authentication, Users & Contacts, Installing Jabber Clients
PART TWO: Jabber IM & Presence, Voice/Video Calling, Conferencing Options, Desktop Share, Application Integration, Jabber Diagnostics

This presentation assumes
1. Jabber On-Premise
2. Jabber Client 11.9+
3. UC Manager 11.5SU3a+

JABBER MODES EXPLAINED

Jabber Operating Modes
• Jabber provides multiple operating modes to meet different customer requirements:
  IM Only Mode
  Desk phone Control*
  Extend & Connect*
  Full UC Mode
  Soft Phone Mode
  Soft Phone Mode (with Contact list)
  Soft Phone for VDI mode*
• Mix different Cisco Jabber modes to create your end user experience
* Not available on all platforms

Infrastructure Services for Jabber
• Required UC Manager Services: User Management, Config/Profile Management, Call Control (SIP), CTI Control, Contact resolution (UDS)
• IM & Presence Services (NEW in Jabber 12.0: no longer required for every mode): Contact List Storage, Presence Service, Instant Messaging

Infrastructure Services for Jabber, per mode (build-up slides; the highlighted services are not recoverable from the slide text)
• IM ONLY MODE
• SOFT PHONE Client ONLY
• SOFT PHONE + Contact List (NEW in Jabber 12.0): Enable/Display IM&Presence in Messaging/Presence Settings
• FULL Unified Communications Mode
• Jabber 12.0 gives more flexibility to use services
• Other Services: Visual Voicemail, Conference Bridge, Mobile & Remote Access, WebEx/Spark Services, Contact resolution (LDAP)

Building Clusters
UC CLUSTER
• Single Node: 25,000 Users
• Single Cluster: Up to 6 Nodes per cluster deployed in pairs for HA, 75,000 Users
• Single or Multi-domain configuration

Building Clusters – Scale solution with more clusters
• UC CLUSTER + UC CLUSTER, each with a Single or Multi-domain configuration

Building Clusters – Voice/IM&P Clusters
• VOICE/VIDEO CLUSTER 1 and VOICE/VIDEO CLUSTER 2 (Home Cluster located via UDS Discovery)
• CENTRALISED IM&P CLUSTER (No Telephone Services), single node for User management
• UDS Discovery: NEW in 12.0 (11.5SU4)
• Note: No SIP publish trunk required for centralised IM&P Model (client based)
CREATING JABBER USERS

Jabber User Structure
• Example for Full UC deployment; modify to change operating mode
• UC Manager End User: UserID synced from LDAP (or locally created); Base Config; IM&P enabled; Home Cluster; Group Membership; CTI Group Membership
• UserID Address Scheme: cholland@example.com
• Service Profile: Directory, VisualVM, Conf (WebEx); *(IM&P profile not used)
• Associated Devices: Soft (CSF), Desk/CTI (SEP), Mobile (BOT/TCT) AND/OR CTI (DeskPh)
• Directory Number and SIP URI: DN/URI Associations to User and DN/URI Associations to Device
• IM & Presence Service: DEFAULT Presence Domain (XMPP); Jabber XML
• Voice/Video Services

Creating Jabber Users – User Creation using LDAP Sync/Feature Template
• SYNC Users via LDAP + Feature template: Creates the User, Sets Home cluster, Assigns Service profile, Enables for IM&P, Assigns groups, Creates DN, Creates SIP URI
• Quick User/Phone Add: Creates Device, Associates to Line, Associates to User, Associates for presence

Creating a Service Profile on UC Manager
• Service profile is a collection of UC service definitions
• Create voicemail if using Cisco Unity Connection; Mail store is not required as Jabber uses VMREST API
• Create Conference; profile is using WebEx Meetings
• Set Directory Profile. Uncheck UDS if using LDAP
• Define profiles if not using auto-discovery
• IM&P profile: technically only required for Centralized IM&P deployments but good practice to set
• CTI profile: only required if deploying desk phone control mode. Alternatively <useCUCMGroupForCti>true</useCUCMGroupForCti>

Create User Profile on UC Manager
• Go to User Management>User Settings>User Profile
• Associate universal templates to User Profile
Create Universal Device & Line Templates on UC Manager
• Universal Device and Line Templates are associated to users via User Profile
• Go to User Management>User/Phone Add>…

Create Feature Group Template on UC Manager
Go to User Management>User/Phone Add>Feature Group Template
• Check Home Cluster
• Enable IM as required
• Select service profile
• Select user profile
• Enable CTI if using desk phone control mode

LDAP: UC Manager UserID
• This is the UserID we will use to login to Jabber
• In a single domain the recommendation is sAMAccountName
• In a multi-domain forest the recommendation is userPrincipalName

Communication Addresses – XMPP (Jabber ID)
• Administrator can decide what schema to use for XMPP address format
Option 1 (Default JID mode): JID is created based on UC manager ID + admin defined presence domain
  Why choose this method:
  • Default IM&P server configuration
  • Presence ID = UC manager user ID
  • Doesn’t require additional directory config
Option 2 (flexible JID mode): JID is created based on email or MS SIP address
  Why choose this method:
  • UC Manager user ID <> Email ID
  • Aligns Email and IM&P Address
  • Supports Multi-domain configuration
  Note: requires contact source configuration in jabber-config.xml file
LDAP: Sync
• Define Sync settings: Account, Search base, Attributes
• Remember: this is used for UDS contact source
• If using Flexible JID set Directory URI

Communication Addresses – Flexible JID mode
• Flexible JID mode needs to be configured on presence server
• On presence server go to Presence>Settings>Advanced Configuration and change the IM Address Scheme to Directory URI
• NOTE: LDAP config in UC manager must also be mapped (we will see this later)

LDAP: Sync Group Settings
• Group settings allow us to apply the Feature Group template and define a mask to import directory numbers from AD/LDAP

User Creation process – Running Sync imports users
• SYNC Users via LDAP + Feature template: Creates the User, Sets Home cluster, Assigns Service profile, Enables for IM&P, Assigns groups, Creates DN, Creates SIP URI
• Quick User/Phone Add: Creates Device, Associates to Line, Associates to User, Associates for presence

Add Device to LDAP Sync'd User
• Go to User Management>User/Phone Add>Quick User/Phone Add

The End Result……
• Device Created
The End Result……
• Directory number associated to new device
• Directory URI populated
• User associated with Line for presence

Summary of User Creation
1: We took the User from the directory with directory number and URI (+14085551234, faskew@example.com)
2: We sync'd the user including group membership and service profile
3: We enabled IM&P and other settings with a feature template
4: We auto created directory number with URI based on email
5: We created device and associated line and user with quick phone add

HOW JABBER CONNECTS TO UC SERVICES

Understanding Jabber Configuration Store
• Jabber Clients maintain a local configuration store
• Store contains service profile, jabber-config and buddy list configuration data
• Store is AES-256-CBC with self-generated encryption keys
• Keys are stored in keychain, keystore, profile depending on platform
• FAST Login: 1 to 5 minutes*; on next login config & contacts restored from local storage for fast login experience
* Config then refreshed for persistent connection every 7~9 hours

Jabber Day Zero Login and Regular Login
• Day 0 Login: On Day 0 client retrieves config and contacts; Contact List and client config are encrypted and saved locally
• FAST Login: 1 to 5 minutes*; on next login config & contacts restored from local storage for fast login experience
* Config then refreshed for persistent connection every 7~9 hours

DAY 0 LOGIN – Day Zero Service Discovery
• Day 0 Login: Jabber needs to find its services…. On-Premise Deployment or Cloud Deployment?
• On Day 0 client retrieves config and contacts
• Locate Home Cluster: Jabber finds services using Service Discovery
• Seed = Service Domain “example.com”
• DNS & REST requests used to locate service
• UDS (REST) used to identify home cluster
• Configuration Store can then be populated

DAY 0 LOGIN – How to find the Service Domain
• The service domain may be identified using the client….
  Ask the User
  Automatic (Client knew Service domain)
  Manual - AVOID!!! (Don’t discover, I’ll tell you)

DAY 0 LOGIN – Service Domain - Automatic Discovery Methods
• If logged into windows domain then environment variables show UPN (override with UPN_DISCOVERY_ENABLED)
• EMM can push configuration for mobile clients (iOS/android)
• MSI install switches or package management (SCCM/GP): msiexec /i CiscoJabberSetup.msi SERVICES_DOMAIN=example.com
• URL Provisioning: ciscojabber://provision?ServicesDomain=example.com

DAY 0 LOGIN – Cloud Discovery (WebEx Messenger)
• Jabber will also check if the Jabber domain is enabled for WebEx Messenger
• Client sends REST request to Cisco WebEx service to check domain: http://loginp.webexconnect.com/cas/FederatedSSO?org=example.com
• If response from cloud indicates the domain is enabled for WebEx Messenger then client will automatically switch to cloud mode.
• If your organisation is using on-premise mode please contact WebEx support to disable cloud.

DAY 0 LOGIN – On Premise Discovery
• Jabber will send a DNS request to try and locate a UC manager cluster to register to.
• Admin must create DNS SRV record(s) pointing to a UC manager node in a cluster
• Discovery can also support multiple clusters with cluster discovery (discussed later)
• Jabber Client (Corporate Network) → DNS Server: DNS SRV Request for _cisco-uds._tcp.servicedomain.com → UC Manager

DAY 0 LOGIN – Service Discovery – Cluster discovery
• Once Jabber has a Cisco-UDS server address from DNS SRV it will connect to UDS server
• Firstly, it will check the version of UC Manager: https://host:8443/cucm-uds/version
• Secondly it will confirm if this is the “home cluster” for the jabber user (Where is my home cluster?): https://host:8443/cucm-uds/clusterUser?username=asmith
• If the user is provisioned on the cluster the server will respond with local server address

DAY 0 LOGIN – Service Discovery – Cluster discovery (multi-cluster)
• In a multi-cluster deployment, if the user doesn’t exist on the queried server a cluster discovery is performed to known clusters.
• The UDS server will query other clusters defined in cluster ILS configuration. (UDS REST is used)
• Users home cluster is defined in end user configuration
• Cluster 1 sends a UDS Request to Cluster 2 and Cluster 3; the cluster holding the user answers: Home Sweet Home!!!
DAY 0 LOGIN – Service Discovery – Home Cluster
• Jabber will request a list of all UDS nodes in the cluster, randomize the list and connect to a UDS node in home cluster: https://host:8443/cucm-uds/servers
• Jabber will now proceed to download configuration info from UDS and TFTP services on UC Manager/IM&P: User Profile, Service Profile, Jabber-config <XML>, Device List, Device Config, Contact List
• Configuration downloaded to local config store
• Jabber Diagnostics will show you all the UDS REST and TFTP requests the Jabber client made during service discovery

FAST LOGIN – Day Zero Login is complete…….
• Day 0 Login: On first login client retrieves config and contacts; Config and contacts refreshed from server after login; Contact List and client config are encrypted and saved locally
• FAST Login: 1 to 5 minutes*; on next login config & contacts restored from local storage for fast login experience; User can force early refresh using “Refresh configuration” if required
* Config then refreshed every 7~9 hours

FAST LOGIN – Edge Discovery – Always performed
• Jabber also performs “Edge” discovery with a 2nd SRV request: Am I inside the corporate network?
• Corporate Network (DNS Server internal, UC Manager): DNS SRV Request for _cisco-uds._tcp.servicedomain.com
• Internet (DNS Server external, Expressway): DNS SRV Request for _collab-edge._tcp.servicedomain.com
• Different servers: the _collab-edge DNS record ONLY exists on external DNS server

Secure Communication - Cert Requirements
• Jabber uses secure communications to connect to UC services
• CA signed Certificates must be in place
• Default self-signed certs will generate a certificate error message in the client (shown on the slide)
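The service-discovery slides above describe a fixed sequence: both SRV lookups, then the three UDS REST calls on the discovered node. The planner below is an added example (not Cisco code) that reproduces that sequence offline from constructed SRV answers; the SRV names and /cucm-uds endpoints are the ones on the slides, the record ordering follows RFC 2782, and the dict layout and "location" labels are this example's own.

```python
"""Plan the Jabber day-zero service discovery sequence described on the slides."""
import random
from typing import Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)

# Constructed answers: what an inside resolver and an outside resolver might return.
SAMPLE_INTERNAL_DNS: Dict[str, List[SrvRecord]] = {
    "_cisco-uds._tcp.example.com": [
        (10, 50, 8443, "cucm-pub.example.com"),
        (10, 50, 8443, "cucm-sub1.example.com"),
        (20, 0, 8443, "cucm-sub2.example.com"),   # lower-preference backup node
    ],
}
SAMPLE_EXTERNAL_DNS: Dict[str, List[SrvRecord]] = {
    "_collab-edge._tcp.example.com": [(10, 10, 8443, "expe.example.com")],
}


def order_srv_targets(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order SRV records RFC 2782 style: lowest priority first, weighted-random within a priority."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            weights = [r[1] for r in pool]
            if sum(weights) == 0:            # all-zero weights: pick uniformly
                weights = [1] * len(pool)
            pick = rng.choices(pool, weights=weights, k=1)[0]
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def uds_request_sequence(host: str, port: int, username: str) -> List[str]:
    """The three UDS REST calls the slides list, in the order the client makes them."""
    base = f"https://{host}:{port}/cucm-uds"
    return [
        f"{base}/version",                           # 1. UC Manager version check
        f"{base}/clusterUser?username={username}",   # 2. is this the user's home cluster?
        f"{base}/servers",                           # 3. all UDS nodes of the home cluster
    ]


def plan_discovery(domain: str, username: str, dns: Dict[str, List[SrvRecord]], seed: int = 0) -> dict:
    """Return the discovery steps for a service domain, given the SRV answers the resolver gives."""
    rng = random.Random(seed)
    uds_name = f"_cisco-uds._tcp.{domain}"
    edge_name = f"_collab-edge._tcp.{domain}"
    plan = {
        # WebEx Messenger cloud check shown on the slide (an enabled domain switches the client to cloud mode)
        "cloud_check": f"http://loginp.webexconnect.com/cas/FederatedSSO?org={domain}",
        # both SRV lookups are always made ("Edge Discovery - Always performed")
        "srv_queries": [uds_name, edge_name],
        "uds_requests": [],
    }
    uds = order_srv_targets(dns.get(uds_name, []), rng)
    edge = order_srv_targets(dns.get(edge_name, []), rng)
    if uds:
        plan["location"] = "inside"
        _, _, port, host = uds[0]
        plan["uds_requests"] = uds_request_sequence(host, port, username)
    elif edge:
        plan["location"] = "outside"   # MRA: UDS is reached through Expressway, not modelled here
        plan["edge_host"] = edge[0][3]
    else:
        plan["location"] = "undiscoverable"  # only manual server settings would work; the slides say to avoid them
    return plan


def pick_home_cluster_node(servers: List[str], seed: int = 0) -> str:
    """Home-cluster step: randomize the /cucm-uds/servers list and connect to the first node."""
    nodes = list(servers)
    random.Random(seed).shuffle(nodes)
    return nodes[0]
```

Feeding the planner the answers from an internal and an external resolver side by side is a quick way to confirm that _collab-edge really is absent from internal DNS and that the UDS SRV points at the intended 8443 nodes.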
Certificate Signing Request
• Certificate management is performed in OS admin
• “tomcat” certificate is required for UC manager TFTP/UDS services
• “cup-xmpp” certificate is required for XMPP on IM&P
• If using multi-domain then all domains must be in SAN
• Jabber will check certificate revocation (both internally and externally)

Cisco Collaboration Cloud On-boarding – Push Notifications
• If using Jabber iOS clients you also need to connect your UC Manager cluster to the Cisco Collaboration Cloud.
• Flow: Call/Chat event for Jabber User → UC Manager → Cisco Cloud → Apple Notification → Jabber iOS
• Cisco Cloud: fos-a.wbx2.com, push.webexconnect.com, idbroker.webex.com, 443/TCP through the Corporate Firewall (alternative routes via Proxy or Expressway)
• Apple iCloud notification: 17.0.0.0/8, 443/TCP and 5223/TCP

Cisco Collaboration Cloud On-boarding – Push Notifications
• Advanced Features > Cisco Cloud Onboarding
• New configuration screen in UC manager from 11.5SU3
• Process creates machine account based on UC manager license. Customer doesn’t require Spark org.
• Process can also install required Certificates for connection to cloud.

HOW JABBER AUTHORISATION WORKS

Service Authorisation and Authentication
• Jabber must authenticate to services like UDS, XMPP, Unity and Expressway
• Jabber will query UC manager to identify the authorisation method deployed.
• SSO Discovery: https://cucm:8443/ssosp/ws/public/singleSignOn
• SSO Discovery will return one of 4 responses…..

SSO Discovery Responses
• If running UC Manager 9.x, 10.x, 11.0 (11.5, 12.x optional):
  1. Username/password, no refresh token (UC or LDAP Authentication)
  2. SAML-SSO, no refresh token (IDP Authentication)
• If running UC Manager 12.0 (incl. 11.5 SU3+):
  3. OAuth 2.0 with refresh token (UC or LDAP Authentication)
  4. OAuth 2.0 with SAML-SSO and refresh token (IDP Authentication)
• When using remote access Expressway can be hardcoded to single authentication method or can query cluster on users behalf

How do you know you’re using OAuth?
• Once OAuth is enabled Jabber login screen will change.
• Login screen will not be presented as webpage from UC manager

How does OAuth 2.0 with refresh work…..
Components in the flow: IDP User / LDAP User / CUCM User; Jabber 11.9 Client; UC Manager Authentication; UC Manager Authorisation; services for Authorised Users Only (Token required): IM&P Chat Service, Unity Connection Voicemail, UC Manager UDS Service
• Jabber discovers New Authorisation flow is being used. Authorisation Service redirects client to Authentication Service before authorisation can take place.
• Jabber will authenticate with Authentication service. Authentication method is dependent on UC Manager configuration.
• Authentication service refers Jabber back to Authorisation service. Access and Refresh tokens issued.
• Once issued, Access token used for service access. All CUCM services and IM&P services trust token. Unity Connection can also trust CUCM token.
• Before access token life expires (60 Mins) Jabber will use Refresh token to request new Access token from OAuth server. No need to go back to Authentication.
• When Refresh token expires (60 Days) full authentication required again.

Jabber 11.9 OAuth User Experience
• On first login client requires full authentication
• If access or refresh token still valid, token is used for authorisation
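To make the lifetimes on the OAuth slides concrete, here is an added example (not Cisco code) that simulates which step each Jabber login needs, for the "no refresh token" responses (1 and 2) and the "OAuth 2.0 with refresh token" responses (3 and 4). The 60-minute and 60-day lifetimes are from the slides; the 5-minute renewal margin, the step names and the login schedule are constructed assumptions.

```python
"""Simulate the Jabber 11.9 / UC Manager 12.0 OAuth 2.0 token lifecycle from the slides."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

ACCESS_TOKEN_LIFETIME = timedelta(minutes=60)   # "60 Mins" on the slide
REFRESH_TOKEN_LIFETIME = timedelta(days=60)     # "60 Days" on the slide
REFRESH_MARGIN = timedelta(minutes=5)           # assumption: renew shortly before access expiry

# Constructed login schedule: day-zero login, two same-day logins, next day, and after 61 days.
DAY0 = datetime(2018, 6, 1, 9, 0)
SAMPLE_LOGINS = [
    DAY0,
    DAY0 + timedelta(minutes=30),
    DAY0 + timedelta(minutes=90),
    DAY0 + timedelta(days=1),
    DAY0 + timedelta(days=61),
]


@dataclass
class TokenSet:
    access_issued: datetime
    refresh_issued: Optional[datetime]   # None for SSO-discovery responses 1 and 2 (no refresh token)

    def access_valid(self, now: datetime, margin: timedelta = timedelta(0)) -> bool:
        return now < self.access_issued + ACCESS_TOKEN_LIFETIME - margin

    def refresh_valid(self, now: datetime) -> bool:
        return (self.refresh_issued is not None
                and now < self.refresh_issued + REFRESH_TOKEN_LIFETIME)


def next_step(tokens: Optional[TokenSet], now: datetime) -> str:
    """What the client must do at this login: use_access, refresh, or full_auth."""
    if tokens is None:
        return "full_auth"                 # first login: full authentication
    if tokens.access_valid(now, REFRESH_MARGIN):
        return "use_access"                # access token still trusted by CUCM, IM&P and Unity
    if tokens.refresh_valid(now):
        return "refresh"                   # refresh token -> new access token, no trip to authentication
    return "full_auth"                     # refresh token expired (or never issued): authenticate again


def authorisation_server(tokens: Optional[TokenSet], now: datetime, step: str,
                         refresh_enabled: bool) -> TokenSet:
    """Model of the UC Manager authorisation service issuing tokens for the requested step."""
    if step == "full_auth":
        return TokenSet(access_issued=now, refresh_issued=now if refresh_enabled else None)
    if step == "refresh":
        assert tokens is not None
        return TokenSet(access_issued=now, refresh_issued=tokens.refresh_issued)  # refresh token unchanged
    assert tokens is not None
    return tokens


def simulate(login_times: List[datetime], refresh_enabled: bool) -> List[str]:
    """Walk a login schedule and return the step taken at each login."""
    tokens: Optional[TokenSet] = None
    steps: List[str] = []
    for now in login_times:
        step = next_step(tokens, now)
        tokens = authorisation_server(tokens, now, step, refresh_enabled)
        steps.append(step)
    return steps


def full_auth_count(login_times: List[datetime], refresh_enabled: bool) -> int:
    """How many times the user (or IdP) is hit for a full authentication on this schedule."""
    return simulate(login_times, refresh_enabled).count("full_auth")
```

Running the same schedule with `refresh_enabled=False` shows every login after the first hour going back to the IdP, which is the user-experience difference the slides are describing.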
Turning on OAuth 2.0 with Refresh token
• OAuth with Refresh Tokens must be enabled on UC manager/IM&P
• On Unity the admin must configure Authz server and then enable in enterprise parameters
• OAuth must also be enabled on Expressway if using MRA.

UNDERSTANDING USERS & CONTACTS

Communication Addresses
• The user will have a UC manager userID: cholland (typically AD userid)
• The user will have communication addresses:
  XMPP Address – Chat / Presence
  E.164 Address – Voice/Video Calling
  SIP Address – Voice/Video Calling
• Jabber internally operates on communication addresses
• NOTE: If deploying phone mode with contacts you still need to plan XMPP address as contact list is stored on presence server

Jabber must be able to resolve Communication addresses!!!
• Jabber must have a contact resolution service (WebEx, LDAP, UDS)
• Contact service populates JIDs with:
  Display Name (Eyeball friendly information)
  Communications Addresses (addresses to call)
  Photos / Avatar (enhances User experience)
  Other attributes (Job, Address etc.)

Contact Source Summary
• Network Contact Sources: WebEx, LDAP, UDS
• Platform Contact Sources: Outlook, Notes, Custom Device
• Cache (Local): Cache entry expires after 1 day + random delta
• Jabber will automatically connect to contact sources
• Admin can configure sources
• Jabber maintains local cache
• Jabber manages duplicate contacts across multiple sources
On Premise Contact Sources
UDS Mode (LDAP SYNC to UC Manager, client uses UDS)
• Default Configuration
• Simple configuration
• UC manager based
• 80,000 contacts max
• No Search scope (apart from LDAP sync)
• On Premise + MRA support
• No Address attributes
• Web server required for photo support
• Reduced MS office integration
UDS LDAP Proxy mode (client uses UDS, UC Manager proxies to LDAP)
• New in UC Manager 11.5
• Uses UDS REST API
• Proxy to LDAP server
• No 80,000 limit
• On Premise + MRA
• No Address attributes
• Web server required for photo support
• Per service profile scope
• Reduced MS office integration
LDAP Mode (client connects directly to LDAP)
• Direct LDAP v3 connection
• Most scalable
• LDAP/GC DNS SRV discovery
• Most customizable method (Attributes map/Authentication)
• Not supported for MRA (auto fall back to UDS source)
• Richest Attribute set
• Global Search scopes
• Full MS Office support
• Native photo support

UDS Contact Source – Local Database
• LDAP Sync to UC Manager; UDS enabled in Service profile: User Management>User Setting>Service Profile
• Server is randomly selected node in cluster (Avoid using UdsServer setting in Jabber-config.xml as this can overload single UC Manager node)
• Limited Attribute mapping configured in System>LDAP>LDAP Directory

UDS Contact Source - LDAP Proxy
• Client is enabled using service profile as with regular UDS mode
• UDS Proxy is enabled in System>LDAP>LDAP Search
• Phone and Directory URI can be remapped
• LDAP hosts are defined as UC services (up to 3)
UDS Photo source
• UDS doesn’t support photo objects
• Photos must be loaded from web server (unauthenticated)
• Photos can be JPG, PNG or BMP with a recommended size of 128x128 pixels
• Jabber will resize/crop photos to fit client interface
• Admin must add following line to jabber-config.xml for UDS photo operation:
  <UdsPhotoUriWithToken>http://www.photo/url/path/%%uid%%.jpg</UdsPhotoUriWithToken>

LDAP Contact Source
• Jabber 11.8+ uses LDAP integration called Cisco Directory Integration (CDI)
• Configuration is by Service Profile & Jabber-config.xml (if required)
• CDI supports server auto-discovery
• CDI supports full directory attribute mapping
• CDI supports a number of authentication methods: SASL-KERBEROS, SASL-EXTERNAL, Basic BIND and anonymous
• Basic BIND supports admin or user defined credentials for access
• CDI provides optimizations for Active Directory (ANR and Server discovery)

Server Connection: Server Auto discovery
• For Zero Configuration Jabber will try to detect LDAP servers.
• Jabber will query DNS domain for LDAP server based on Windows Environment, Admin defined domain, or service domain (LdapUserDomain parameter used for admin defined domain)
• Uses standard DNS SRV Records for automatic discovery: _gc._tcp.domain.com (1st choice), _ldap._tcp.domain.com (2nd choice)
• Jabber will query directory type (AD/OpenLDAP) to set base attribute mapping
• Jabber will query defaultNamingContext to use if search base not defined by admin (Jabber 11.8(1))
• Allows LDAP load distribution!!!

Server Connection: Administrator defined Server
• Admin can define LDAP server address in service profile or config file.
• NOTE: Do not define server to use auto discovery
• Service profile allows alignment to groups of users!!!
• Admin defined FQDN or IP Address in Service profile

Search: Where to Search?
• Jabber will try to read the RootDSE of the directory to automatically identify search base for Zero Configuration.
• Admin can also define search bases in service profile… Service profile accepts up to 3 search bases:
  cn=users1,dc=example,dc=com
  cn=users2,dc=example,dc=com
  cn=users3,dc=example,dc=com
• Jabber-config.xml file can accept 5 if required: <SearchBase1> … <SearchBase5>
• If using phone mode also add <PresenceDomain> to jabber-config.xml

LDAP CDI Authentication
SASL: Simple Authentication and Security Layer; GSSAPI: Generic Security Services Application Program Interface
• GSSAPI/SASL Methods: Kerberos GSSAPI (WIN/MAC), External (WIN/MAC)
• SIMPLE BIND Methods: Admin Shared Credentials, Jabber UserID Credentials (Not OAUTH), User Entered
• Anonymous BIND: Anon
• Method order defined by <LdapSupportedMechanisms>GSSAPI EXTERNAL PLAIN</LdapSupportedMechanisms>
• GSSAPI/SASL methods are default for Windows and Mac and managed in jabber-config.xml. SASL falls back to SIMPLE if no SASL method available
• SIMPLE BIND is managed using service profiles
• Anonymous BIND is managed using Jabber-config.xml
LDAP CDI Authentication – GSSAPI
GSSAPI allows Jabber to use Kerberos authentication (AD directory).
• If a Kerberos key is available for the LDAP server, Jabber will attempt SASL/Kerberos authentication to the server.
• The workstation must be logged into the Active Directory domain.
Note: SASL EXTERNAL is the alternative to GSSAPI, typically used with physical card authentication.
• GSSAPI/EXTERNAL config can be managed using jabber-config.xml; the admin can define which authentication methods to use:
  <LdapSupportedMechanisms>GSSAPI EXTERNAL PLAIN</LdapSupportedMechanisms>

Admin Quick TIP – LDAP CDI Authentication – GSSAPI
• The "klist.exe" command displays the keys / tickets available.
• Jabber can use Kerberos if a ticket exists for the LDAP server domain.

LDAP CDI Authentication – SIMPLE BIND
• Service profile settings for each method:
  Jabber UserID credentials (not OAuth): check "Use Logged on User Credentials".
  Admin shared credentials: enter on the service profile. NOT currently available in UC Manager 12 (workaround: set in jabber-config.xml).
  User enters LDAP credentials in the client: leave all fields empty.

LDAP CDI Authentication – Anonymous BIND
• Not commonly used, for security reasons.
• Anonymous BIND config can be managed using jabber-config.xml:
  <UseAnonymousBinding>TRUE</UseAnonymousBinding>

Server Optimization Tips
• Tips for LDAP service optimization:
  1) DO use a Global Catalog rather than a Domain Controller (ports 3268 / 3269).
  2) DO index ALL Jabber key fields, i.e. telephone numbers.
  3) DO distribute load across LDAP servers with DNS SRV records.
  4) DO use service profiles to create group/location-based server connections.

LDAP Photo Objects
• Jabber CDI can retrieve photos directly from the LDAP server.
• Photos can be JPG, PNG or BMP with a recommended size of 128x128 pixels.
• Jabber will resize/crop photos to fit the client interface.

LDAP Alternative Photo Source
• If your LDAP server doesn't hold photos, they can be loaded from a web server (unauthenticated).
• Photos can be JPG, PNG or BMP with a recommended size of 128x128 pixels.
• Jabber will resize/crop photos to fit the client interface.
• The admin must add the following lines to jabber-config.xml for UDS photo operation:
  <PhotoUriSubstitutionEnabled>True</PhotoUriSubstitutionEnabled>
  <PhotoUriSubstitutionToken>sAMAccountName</PhotoUriSubstitutionToken>
  <PhotoUriWithToken>http://example.com/photo/sAMAccountName.jpg</PhotoUriWithToken>

NOW WE INSTALL JABBER CLIENTS

Getting the Jabber Client Software
Windows:
  Cisco Jabber for Windows Install
  Cisco Jabber for Windows Admin (COP files, custom MST, AD proxy address tool)
  Cisco Jabber – JAWS Scripts
  DeskPhone Video Services Interface
Mac:
  Cisco Jabber for Mac Installer
  Cisco Jabber for Mac App (manual)
Mobile apps are only distributed on app stores.

Installing on Windows
• Jabber for Windows is installed from an MSI client.
• The MSI can be pushed using a management app (GP/SCCP).
• The MSI can be deployed with switches.
• The MSI can be modified with an MST.
  msiexec /i CiscoJabberSetup.msi parameter=value
Installer properties, grouped on the slide under Useful Settings, Settings to avoid! and Settings to be aware of:
  UPN_DISCOVERY_ENABLED=
  CLICK2X=
  CLEAR=1
  SERVICES_DOMAIN=
  CUP_ADDRESS=
  VOICE_SERVICE_DOMAIN=
  CCMCIP=
  EXCLUDED_SERVICES=
  TFTP=
  LANGUAGE=
  CTI=
  PRODUCT_MODE=

Installing on Mobile Devices (iOS/Android)
• Jabber mobile apps are only published on app stores.
• NOT available on cisco.com.
• Can be downloaded by the end user.
• Can be pushed onto the device from the public app store.
• If the application is pushed onto the device, an AppConfig-compliant MDM can be used to push parameters to the client (http://appconfig.org; AirWatch example shown on the slide).

Keeping Jabber Up to Date
• A major Jabber release ships approximately every 6 months (an MR every 8 weeks).
• Jabber provides a built-in feature for pushing updates: add an entry to jabber-config.xml pointing at a second XML file.
  <UpdateUrl>http://s1.example.com/Jabber.xml</UpdateUrl>
• The update file should contain the following…. For Mac, add a duplicate block with "JabberMac". Force update option.

JABBER BASIC DEPLOYMENT COMPLETE
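The photo URI substitution from the "LDAP Alternative Photo Source" slide and the <UpdateUrl> entry from "Keeping Jabber Up to Date", worked as an added example (not Cisco code and not from the deck). It performs the substitution the photo slide describes, replacing the attribute name named in <PhotoUriSubstitutionToken> inside <PhotoUriWithToken> with each user's attribute value, and then audits both configured URLs for plain http, since the slide notes the photo fetch is unauthenticated and the update file location is what the client trusts for new installers. The config and directory records are constructed; placing <UpdateUrl> under a <Client> element, and the attribute-value filter, are assumptions of this example rather than documented client behaviour.

```python
"""Photo URL substitution and cleartext-URL audit for jabber-config.xml.

Added example, not Cisco code. Config and user records are constructed;
the <Client> placement of <UpdateUrl> and the SAFE_VALUE filter are
assumptions of this example.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Client>
    <UpdateUrl>http://s1.example.com/Jabber.xml</UpdateUrl>
  </Client>
  <Directory>
    <PhotoUriSubstitutionEnabled>True</PhotoUriSubstitutionEnabled>
    <PhotoUriSubstitutionToken>sAMAccountName</PhotoUriSubstitutionToken>
    <PhotoUriWithToken>http://example.com/photo/sAMAccountName.jpg</PhotoUriWithToken>
  </Directory>
</config>
"""

# Constructed directory records, not real accounts.
SAMPLE_USERS = [
    {"sAMAccountName": "bmorris"},
    {"sAMAccountName": "j.doe"},
]

# Attribute values allowed into the URL path (example's own filter): a value
# containing '/' or '..' would point the client at a different path.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._-]+$")
URL_KEYS = ("UpdateUrl", "PhotoUriWithToken")


def parse_photo_settings(xml_text):
    """Read the three photo substitution keys wherever they sit in the file."""
    root = ET.fromstring(xml_text)
    text = lambda tag: (root.findtext(f".//{tag}") or "").strip()
    return {
        "enabled": text("PhotoUriSubstitutionEnabled").lower() == "true",
        "token": text("PhotoUriSubstitutionToken"),
        "template": text("PhotoUriWithToken"),
    }


def photo_url(settings, user):
    """URL the client would fetch for this user, or None if substitution does not apply."""
    if not settings["enabled"] or settings["token"] not in settings["template"]:
        return None
    value = user.get(settings["token"], "")
    if not SAFE_VALUE.match(value):
        return None
    # Only the token string is replaced; the rest of the template is literal.
    return settings["template"].replace(settings["token"], quote(value, safe=""))


def audit_urls(xml_text):
    """Flag every configured URL that is not https, with the key it came from."""
    root = ET.fromstring(xml_text)
    findings = []
    for key in URL_KEYS:
        for element in root.iter(key):
            url = (element.text or "").strip()
            if urlsplit(url).scheme != "https":
                findings.append(f"{key}: {url} is not https (fetched unauthenticated in cleartext)")
    return findings


if __name__ == "__main__":
    settings = parse_photo_settings(SAMPLE_CONFIG)
    for user in SAMPLE_USERS:
        print(photo_url(settings, user))
    for finding in audit_urls(SAMPLE_CONFIG):
        print(finding)
```

Run against the deck's own example values, the audit reports both the photo server and the update file URL, because both use http://; the fix on the server side is the same in each case (serve them over https with a certificate the clients trust), and the update file deserves it first, since it tells every client where to download its next installer.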