Planet Collab


Upgrading Unity Connection 9.1.2SU2 to 11.5.1SU2

By amyengineer
Prologue: This post is intended as an informative prep document for those planning to upgrade Unity Connection (in an HA setup) from 9.1.2SU2 to 11.5.1SU2 using the OS platform upgrade and not PCD (because reasons…) – your upgrade mileage may vary and likely will. These are notes from my upgrade experience and while many of …

UCCX 11.5 Tomcat and Tomcat-ECDSA certificates for Cisco Finesse CUIC and the Admin Pages

By Andres Sarmiento

I keep hearing about many engineers out there with issues related to the UCCX certificates and the ECDSA certificate used by a few services on UCCX. I wanted to create this quick post to help others and document the procedure.

The certificates Overview

I will go back a bit to give you a quick overview of the UCCX certificates, but not too far back. UCCX uses self-signed certificates out of the box for secure connectivity using your browser (nothing new here). However, since UCCX 11.5 there is a new Tomcat Certificate called Elliptic Curve Digital Signature Algorithm, ECDSA for short. If you want to find out more about this type of certificate, feel free to visit this webpage.

Here is an Image with the Certificate store
NewImage

In other words, this type of certificate, the ECDSA, was not present before, and now it is (the UCCX team thought it was cool to add them somehow).

The alternative if you don’t want to keep going down the road

So in case you either don’t want to keep reading, or just too cool for Signed Certificates, use the COP file for the ECDSA
The Defect is well documented under the BugID: CSCvb46250

Also go to this page to get a full explanation on the ECDSA – Check this Article

The Scenario or the Issue (Challenge… my own words)

You are a happy engineer, and you are planning a UCCX upgrade to 11.5, that is all cool and nice but you discover about these certificates. At this point you know how the story goes:

Find the closest CA available in your Environment
Go to Certificate Authority under Administrative Tools – Go under the Templates and Select it, Right click and Go to Manage

At this point the Certificate Templates will show up
Right click the Web Server Template and select Duplicate

*** Note that once you select this option, Windows will ask you if you want the Windows Server 2003 or the Windows Server 2008 versions… To save you some time, here is a little hint.
2003 version is what you use to publish the template under http://CA-SERVER/certsrv (Web Enrollment) when requesting an Advanced Certificate **This is the one you use to sign the certificate for your regular Tomcat Certificate
2008 version does not let you publish the certificate template over Web Enrollment **This is what you use to sign your Tomcat-ECDSA certificate

Select 2008, name your Template and go to the Cryptography TAB

At this point, and before you move forward, go to UCCX OS Administration and record all the requirements needed for the Tomcat-ECDSA certificate… in other words, this is what you will use to generate the certificate request. UCCX OS Administration –> Security –> Certificate Management

Click on the Generate CSR –> Select Tomcat-ECDSA and record the following:
NewImage

***Make sure you Generate and Download the CSR, we will use it soon…

We will use this information to create our template, so go back to your Windows server and under the Cryptography TAB select the following:
NewImage

Now under the Extensions TAB, make sure that under the Application Policies you have the following:
NewImage

Click apply and go back to the Certification Authority window –> Right click the Certificate Templates and New –> Certificate Template to Issue

This operation does not add the certificate template to the Web enrollment page, but that is fine, because we are going to use the following method

Open Powershell with Admin rights (Right Click “Run as Administrator”) and enter the following:
C:\Users\admin\Desktop>certreq.exe -submit -attrib "certificateTemplate:ECDSACiscoServers" ecdsa.csr signed-ecdsa.cer

That line assumes that you saved the CSR with the .csr extension (if not, do it). It also assumes that you saved the .csr file to your Desktop and you are logged in as the administrator (if not, make sure you change the PATH). It also assumes that the certificate will be saved to the Desktop (if not, do it, just to make your life easier).

Go to UCCX and upload the ROOT certificate, not sure where to find it? Go to http://CA-SERVER/Certsrv

Make sure this one gets uploaded to the tomcat-trust option

The certificate is now ready to be uploaded to the Certificate Store into UCCX ** Make sure you select Tomcat-ECDSA
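
Before uploading, the issued file can be checked on the same Windows machine. The PowerShell below is an added example, not part of the original post: it confirms that signed-ecdsa.cer carries an EC key on the expected curve, is inside its validity period, and chains to the root certificate you are about to load as trust. The root.cer file name and the P-384 value are assumptions; substitute the root you downloaded from certsrv and the curve you recorded from the Generate CSR page.

```powershell
# Added example (not from the original post). root.cer and the -ExpectedCurve
# value are assumptions: use your own file name and the curve you recorded
# from the Generate CSR dialog.
function Test-TomcatEcdsaCert {
    param(
        [Parameter(Mandatory = $true)] [string] $CertPath,  # file written by certreq -submit
        [Parameter(Mandatory = $true)] [string] $RootPath,  # root CA cert saved from /certsrv
        [string] $ExpectedCurve                             # 'P-256', 'P-384' or 'P-521'
    )
    $ns   = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$ns.X509Certificate2" -ArgumentList (Resolve-Path $CertPath).Path
    $root = New-Object "$ns.X509Certificate2" -ArgumentList (Resolve-Path $RootPath).Path
    $problems = @()

    # 1. The subject key must be an EC key (id-ecPublicKey), not RSA.
    $curve = $null
    if ($cert.PublicKey.Oid.Value -ne '1.2.840.10045.2.1') {
        $problems += "Public key is $($cert.PublicKey.Oid.FriendlyName), not EC"
    } else {
        # The key parameters hold the DER-encoded named-curve OID.
        $der = [BitConverter]::ToString($cert.PublicKey.EncodedParameters.RawData)
        $curve = switch ($der) {
            '06-08-2A-86-48-CE-3D-03-01-07' { 'P-256' }
            '06-05-2B-81-04-00-22'          { 'P-384' }
            '06-05-2B-81-04-00-23'          { 'P-521' }
            default                         { "unrecognised ($der)" }
        }
        if ($ExpectedCurve -and $curve -ne $ExpectedCurve) {
            $problems += "Curve is $curve, expected $ExpectedCurve"
        }
    }

    # 2. Validity window.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # 3. The root you will upload as trust must be self-signed and must be
    #    the top of the chain built for the issued certificate.
    if ($root.Subject -ne $root.Issuer) { $problems += 'RootPath is not a self-signed root' }
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # structure only, no CRL fetch
    [void] $chain.ChainPolicy.ExtraStore.Add($root)
    [void] $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -ne $root.Thumbprint) {
        $problems += "Chain ends at '$($top.Subject)', not at the supplied root"
    }

    # 4. Extensions to compare by eye with what the template should issue.
    $show = {
        param($oid)
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { $ext.Format($false) } else { '(absent)' }
    }
    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        Curve              = $curve
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        EnhancedKeyUsage   = & $show '2.5.29.37'
        SubjectAltName     = & $show '2.5.29.17'
        NotAfter           = $cert.NotAfter
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Problems           = $problems
    }
}

# Run from the folder that holds both files (the Desktop in the post).
# 'P-384' is a placeholder for the curve recorded from the CSR page.
Test-TomcatEcdsaCert -CertPath .\signed-ecdsa.cer -RootPath .\root.cer -ExpectedCurve 'P-384' |
    Format-List
```

An empty Problems list means the key type, curve, dates and chain root all matched; the EnhancedKeyUsage and SubjectAltName lines are printed so they can be compared with the template's Application Policies and the CSR values.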

Now what?

If you already did the Tomcat certificate you are good to go (if not, watch this Post/Video), but keep reading, because if you only restart the Tomcat and the Finesse Tomcat services, the CUIC and other services will not work properly.

Restart the UCCX server or Servers for the changes to work properly

Now you are ready to enjoy a Secure session with no browsers giving you issues
NewImage

Finesse
NewImage

CUIC
NewImage

What to look forward to?

I hope you have enjoyed the post and that it was helpful, if you have issues with this, please feel free to send me a quick message and I will do my best to get back with an answer

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 13 years of experience, Andres is specialized in the Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.

You can follow Andres using Twitter, LinkedIn or Facebook


Video – Setting up a Cisco Collaboration Lab – SIP Trunk from UC520 to CUCM 11.5

By Andres Sarmiento

Quick video warming up, ready to finish the UCCX series video on 10.6 – so I needed a way to test calling from my home phone to my lab

The Video

The Content

Just basic troubleshooting of a call from UC520 to CUCM using SIP protocol

What to look forward to?

Not much really on this one, just getting ready for additional videos and testing – enjoy!



A Collaboration Cloud Lab vs a Collaboration Home Lab

By Andres Sarmiento

So, the question is, what is a better choice to get started with a Lab, and begin creating your own configurations? – Here is a list of the benefits from a Cloud Vs Home Lab

The difference between a Cloud lab and a Home lab

Cloud Lab (dCloud and DevNet)

dcloudphoto

If you are one of those weird people that don’t want to run CUCM, UNITY Connection, IM & Presence, Jabber and other UC apps in your house, you are in luck. Cisco dCloud + Devnet Sandboxes are what you are in the business for.

What are the benefits of using Devnet and dCloud Options?

  • Spin up a full-scale Lab with many UC and Collaboration Labs from dCloud
  • Break and fix that infrastructure. Can’t fix what you just broke? No problem, you can go back to 0 by just resetting your POD
  • There is no pressure, you are the customer and all you do is up to you
  • All Servers are already installed and configured with all the basics
  • Connectivity is not an issue
  • Save your configurations and keep them for future reference

Home Lab (Equipment Required)

This is my preferred option,  I like to build my things from the ground up, there is nothing like learning from trial and error, sometimes you discover new things and stuff that you can really do in real world. Now, let’s move to the benefits.

What are the benefits of running a home lab?

  • Build all your applications from ZERO
  • Build as you go, there is still no pressure, but there will be pressure 🙂
  • Run your home phone with an FXO Line or with a SIP trunk directly to different SIP providers, for cheap
  • Once your phone is operational, mess around with it, and install a phone in the kitchen, in your office or anywhere else.
  • When stuff breaks the pressure is tremendous, your family can be a very difficult client (Not different from some environments out there)
  • Need to run an upgrade for a client? need to know what to expect? spin it up in your lab, and then take the VMX, VMDK files and be a winner. (More on this one in another post)
  • Need to start a fresh installation for a client? do it from the comfort of your lab, then install the server or servers at your customer location.



Licensing your UC and Collaboration Lab

By Andres Sarmiento

Building a Collaboration lab is a big decision and cost could be keeping you from getting started. Recently I received a request from a friend on FB about how to get started.

Well, there are many options and many questions, one of the questions is the licensing piece. Cisco licensing is expensive if you plan to go crazy (like me) and have your home using all the goodies you already use at work.

Let’s get to the licensing Please!

The good thing about this is that there are options, and I’m going to list them from least preferred to my personal preference.

Buy Licenses on Ebay

By just searching CUCM Licensing, you will be presented with different options. I’m not a fan of buying licensing on Ebay, but the option is there. The range will be from $100 to $300, depending on the license. More about CUCM Licensing

Buy License on a store like CDW

I’m just listing it for the pure reason that is the other place I was able to find the licenses with the SKU’s. I have never bought from them in the past but I think it will be worth giving it a shot.

Cisco Store

Here is the link to the Cisco Store. The store has these things called NFR kits. Initially I thought they were limited to only Cisco Partners; later, after reading a bit on the offering, I found out that this is the list of people that can get it:

The following partners can order the Collaboration 11.0 Partner Bundle:

  • Cisco Advanced Collaboration Architecture Specialized Partners (ACAS)
  • Master Unified Communications Specialization Partners (MSICP)
  • Cisco Express Collaboration Specialized Partners (ECS)
  • Cisco DevNet Members
  • Cisco Learning Partners

devnet

Notice I highlighted the Cisco DevNet members because this is indeed the easiest and fastest route to get the licensing needed. Registering with DevNet and creating an account with them is easy and FREE; the only thing you will pay for will be the actual NFR license, which is $315.



Auto Registration CUCM 11.5 (Video)

By asarmiento85

This is a video I created, showing how auto registration works in CUCM 11.5

Not too much really, but I think I will get better as I start working more in my editing skills and being a bit less nervous

Enjoy



Directory lookup not working – Unified Attendant Console Standard V11.0.2.

By asarmiento85

In some cases when you complete the installation of the Attendant Console Standard, you may notice that the Directory lookup is not working. You may ask yourself, what could be the issue.

The issue

Plain and simple, the Attendant console is not able to return any information from the Directory

The Solution

At the installation stage you will be asked to provide the IP address of the CUCM server and the User name and password of the Console User:

cuacs_intall_1

Right after this, and you have to believe me on this one, you will receive a Certificate warning, saying YES or NO, it will also give you the option to see the details of the Certificate. Please select YES to ensure that you accept the certificate.

This happens when the server is running on self-signed certificates that are not trusted by your PC.

Further information to avoid unexpected issues

It is very important and I’m going to say this once, RTFM… I know that I’m one of the worst offenders here and I’m guilty of this charge. Now moving forward, I’m leaving you the link for the Installation guide from Cisco:

Find Your Version:
http://www.cisco.com/c/en/us/support/unified-communications/unified-attendant-consoles/products-maintenance-guides-list.html

Feeling lazy and want to get to the 11.5 Version guide:
http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cucmac/cuacs/11_0_1/install_admin_guide/CUACS110101GUIDE.pdf

In case you really don’t want to scroll down more, I’m giving you few pointers:

Network Requirements

This image shows you the light:
ports

Basically what this is saying is that you may need to take a look at your firewall restrictions, in case you have a very restrictive FW. In this case, the connection is generated from the PC, so unless your FW is set to freak level, you will not find any issues.

Antivirus Requirements

Pretty straightforward: just trust the installation files related to the Attendant Console Standard and you will not get any weird message from your AV about not trusting the application.
virus_exclusions

Further information

In the case that you are still having issues with this configuration, feel free to reach out in the comments box, I will do my best to give you any pointers to look at


Cisco CSR 11.5.1 Feature Highlights

By ben

Corporate Directory Search for MRA Clients

Cisco Mobile Remote Access (MRA) clients are now able to search the Corporate Directory Servers for contacts. Pre v11.5, MRA clients were only able to search the UDS Contact database. The UDS service within CUCM now acts as a proxy between the MRA client and the Corporate Directory server. So no configuration necessary on the Expressway Devices.

To allow this feature, the below needs to be configured on the CUCM.

- Enable ‘user search to Enterprise Directory’ under System -> LDAP -> LDAP Search.
- Complete the required details and attribute mappings under System -> LDAP ->LDAP Search
- Configure a ‘Directory’ UC Service.
- Assign the above configured Directory UC Service under System -> LDAP -> LDAP Search

CLI Privilege Levels

The OS Administrator can now configure additional Administrators via the CLI and give the newly created Administrators either Read-Only access or Read & Write access privileges.

Read Only access is assigned to level 0 privilege
Read and Write access is assigned to level 1 privilege

Cisco Spark Remote Device

With the growth of Cisco Spark collaboration client, CUCM v11.5 has introduced a new Device Type for the Cisco Spark Client. The device type is called ‘Cisco Spark Remote Device’.

Configuring the Spark Device does consume an Enhanced license unless the Owner already has ownership over other devices; in that case a device count will be added to a CUWL or Enhanced Plus license for the user.

This device type is for the Cloud client to register to the CUCM via the Collaboration Edge architecture (v8.8+) and allow the ability to route calls out the local corporate voice gateways. Hence creating a Spark Hybrid environment.

The Spark hybrid environment does have some costs involved. Please refer to the Product information sheet for Spark Hybrid.

Deprecated Endpoints

Cisco has announced the below devices will no longer be supported moving forward in version 11.5 and beyond.

• Cisco IP Phone 12 SP+ and related models
• Cisco IP Phone 30 VIP and related models
• Cisco Unified IP Phone 7902
• Cisco Unified IP Phone 7905
• Cisco Unified IP Phone 7910
• Cisco Unified IP Phone 7910SW
• Cisco Unified IP Phone 7912
• Cisco Unified Wireless IP Phone 7920
• Cisco Unified IP Conference Station 7935

Phone Documents in Cisco Unified Communications Manager Self Care Portal

Cisco does a great job with documentation via the Help Menu in CUCM and related products; this simply extends to the Self Care Portal now. It allows users to gain easy access to guides and references regarding devices and user-related features and processes.

Addition of AXL Read Access Role to a User

In addition to the CLI Read Only Administrators, Cisco has also created a Read Only access role for the AXL API. This Read Only access role can be safely given to developers knowing their applications cannot adversely impact the CUCM configuration.

The new role is called ‘Standard AXL Read Only API Access’.

*Additional 11.5 features can be referenced from the below document.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/11_5_1/cucm_b_release-notes-cucm-imp-1151/cucm_b_release-notes-cucm-imp-1151_chapter_010.html#CUCM_TK_C2C6FCAD_00

Deprecated Phone Models

I guess it had to happen eventually! The CUCM 11.5 release notes state that the following phones are no longer supported & thus won't work:

  • Cisco IP Phone 12 S
  • Cisco IP Phone 12 SP
  • Cisco IP Phone 12 SP+
  • Cisco IP Phone 30 SP+
  • Cisco IP Phone 30 VIP
  • Cisco Unified IP Phone 7902G
  • Cisco Unified IP Phone 7905G
  • Cisco Unified IP Phone 7906G
  • Cisco Unified IP Phone 7910
  • Cisco Unified IP Phone 7910G
  • Cisco Unified IP Phone 7910+SW
  • Cisco Unified IP Phone 7910G+SW
  • Cisco Unified IP Phone 7912G
  • Cisco Unified Wireless IP Phone 7920
  • Cisco Unified IP Conference Station 7935

Another thing to bear in mind is that CUCM 11.5 also won't allow the installation of patches that haven't been signed with the v3 keys (i.e.  ".k3." isn't in the filename).

    Follow up - LDAP search features on UCM 11.5

    By Anonymous
    In the previous post, I've tested the new LDAP search (LDAP-UDS proxy) features on UCM 11.5:

    http://pandaeatsbamboo.blogspot.com/2016/06/new-ldap-search-function-in-ucm-115.html

    In my test, this new feature only works for video endpoints such as DX, but not for IP phones such as the 8861, 7975 and 9971 that were hooked up to my lab UCM.  It was confirmed that the devices that support the UDS API search will support this feature; in the case of IP phones such as the 8861, it is using CCMCIP and not UDS, and that's why it doesn't work.  So to summarize:

    Devices that support the UDS API such as DX:
    - when I do an user search, it will use the UCM as an UDS proxy to query the LDAP servers, and will return the results from the LDAP servers.  No UCM local users will be searched.

    Devices that do not support the UDS API, and using CCMCIP, such as 8861 IP phones
    - when I do a corporate directory search, it will return the UCM local database, it could be a mix of LDAP synchronized users and UCM local users depends on the actual environment.  UCM will return the result instead of proxy the requests to the LDAP server at the backend.

    Expressway 8.8 - Video Endpoint registration

    By Anonymous
    This is something that catches my attention in the release notes.  In the previous release, one of the major difference between VCS and Expressway is the ability to register video endpoints.  While VCS allows endpoint registrations, Expressway works together with UCM and all the endpoints are registered to UCM as single call control.  For UCM centric customers with 3rd party video endpoints, they will need to deploy a pair of VCS just for 3rd party video endpoints registration.

    Now with Expressway 8.8, it allows endpoint registrations, which means you can have your DX, SX and MX endpoints register directly to Expressway.  It also allows 3rd party endpoint registration, however for this release, only SIP endpoints are supported.  H323 will be supported in future releases.

    The licensing model for Expressway registrations will follow the UCM UCL / CUWL / Telepresence room systems licensing, instead of the VCS way.  It allows you to starts small with relatively less investment.  It also makes it easier for existing UCM customers to understand this new licensing model on Expressway.

    Can you run Expressway alone without UCM for video centric deployment?  Technically you can, however you will lose advance UCM capability such as Jabber, Extension Mobility, SNR, Shared Line, Multiline, VM/UM, etc.  If you want to have these capabilities in your environment, registering these endpoints to the UCM is suggested, with Expressway as your collaboration edge for B2B, MRA, CMR Cloud, etc.

    Release notes:
    http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/release_note/Cisco-Expressway-Release-Note-X8-8.pdf

    Page 22:


    Page 70:


    Related post:
    Collaboration Edge - Step-by-Step integration guide with UCM:
    http://pandaeatsbamboo.blogspot.com/2014/06/collaboration-edge-expressway-step-by.html

    Read-only AXL in UCM 11.5

    By Mr & Mrs Wong
    One of the improvements in UCM 11.5 is that it has a new standard user role that restricts users to read-only AXL access.  It provides better security and reduces the chance of human error in accessing the UCM database.

    User management > User settings > Role






    Old phones will not be supported in UCM 11.5

    By Mr & Mrs Wong
    This is something that caught my attention.  Unlike the previous release, in UCM 11.5 it is going to remove some of the old phones support.

    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/11_5_1/cucm_b_release-notes-cucm-imp-1151/cucm_b_release-notes-cucm-imp-1151_chapter_010.html

    Deprecated Endpoints
    As of Cisco Unified Communications Manager Firmware Release 11.5, the following phones are not supported:


    • Cisco IP Phone 12 SP+ and related models
    • Cisco IP Phone 30 VIP and related models
    • Cisco Unified IP Phone 7902
    • Cisco Unified IP Phone 7905
    • Cisco Unified IP Phone 7910
    • Cisco Unified IP Phone 7910SW
    • Cisco Unified IP Phone 7912
    • Cisco Unified Wireless IP Phone 7920
    • Cisco Unified IP Conference Station 7935

    If you use any of these phone models on an older release of Cisco Unified Communications Manager and you upgrade to Release 11.5, the phone will not work after the upgrade completes.

    New LDAP search function in UCM 11.5

    By Mr & Mrs Wong
    There is a new LDAP search function available in UCM 11.5.  In the previous version, you can only search against UDS, the UCM user database.  Although with LDAP integration that means you can still search the LDAP users after they are imported to UCM, it will return the local UCM users as well.  In this release it is allowed for the endpoint to search against the LDAP through UCM.

    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/11_5_1/sysConfig/CUCM_BK_SE5DAF88_00_cucm-system-configuration-guide-1151/CUCM_BK_SE5DAF88_00_cucm-system-configuration-guide-1151_chapter_0100101.html






    In my lab the DXs are working fine.  However the 8861 corporate directory is still searching against UDS.  Still finding out the reason, will update this post once I know why is that.


    Enhanced Line Mode on the 8800 series phone

    By Mr & Mrs Wong
    Just upgraded my lab UCM to 11.5.1.10000-6 and am trying out some new features.  One of them is the new Enhanced Line Mode on the 8800 series phone.  Previously you could only use the 5 keys on the left as programmable line keys, and the 5 keys on the right were session keys and not programmable.  With Enhanced Line Mode, you can convert the 5 session keys into programmable line keys as well.

    Firmware version in my lab:


    This is the device specific configuration under my 8861 phone.  The list configuration item is the new Line Mode feature.



    There is a warning for you that certain features will be missing if you configured your phones in ELM.



    After that you will see all 10 keys are now programmable!



    Just to randomly configure some features there...



    And this is how the phone looks like:

    CUCM 11.5 is here and with it, deprecated phones announcement

    By asarmiento85

    Looking for more information on this one? It is always a good idea to look at the field notices on CCO.

    In a nutshell here is a list of the phones that will no longer be supported by CUCM on version 11.5

    Problem Description

    The following phone models are deprecated and are not supported by Cisco Unified Communications Manager Release 11.5(x). If you are using any of these phone models and you upgrade to release 11.5(x), you will be unable to use the phone after the upgrade. After you switch over to the new release, registration on the phone will be blocked.

    Cisco IP Phone 12 S
    Cisco IP Phone 12 SP
    Cisco IP Phone 12 SP+
    Cisco IP Phone 30 SP+
    Cisco IP Phone 30 VIP
    Cisco Unified IP Phone 7902G
    Cisco Unified IP Phone 7905G
    Cisco Unified IP Phone 7910
    Cisco Unified IP Phone 7910G
    Cisco Unified IP Phone 7910+SW
    Cisco Unified IP Phone 7910G+SW
    Cisco Unified IP Phone 7912G
    Cisco Unified Wireless IP Phone 7920
    Cisco Unified IP Conference Station 7935

    Background

    The legacy phone models are deprecated for the following reasons:

    • Security—since legacy phone models are not updated with critical software fixes, we have limited ability to protect customers when security issues arise.
    • New feature implementation—legacy phone usage slows down implementation of newer features.
    • Sustaining—no development support or regression testing is currently being done for these older phones.

     

    Products Affected Version
    Cisco Unified Communications Manager 11.5(x)
    Cisco Business Edition 6000 11.5(x)
    Cisco Business Edition 7000 11.5(x)

    To learn more about this Field Notice, look under CCO and hover over the downloadable ISO image and click on Field Notices.

    If Laziness is your thing, no worries, this post has all the information you need to know about this one, but if you are curious check the following link:
