Saturday, November 22, 2014

Binding SIP on a per dial-peer basis:

Hi Guys!

Very cool, and I had no idea you could do this. I am sure you're all familiar with binding SIP signalling and media to an interface globally:

voice service voip
 sip
  bind all source-interface Loopback0

What I just found out, and wish I had known sooner, is that you can override this binding on a per dial-peer basis. The dial-peer setting takes precedence over the global one for calls matching that dial-peer, which is handy when one peer (an ITSP trunk, say) should see a different source address than everything else:

dial-peer voice 100 voip
 ! session target was left blank in the original post; fill in the peer address
 session target
 session protocol sipv2
 voice-class sip bind control source-interface Loopback0
 voice-class sip bind media source-interface Loopback0


Pretty cool hey?

Thursday, November 6, 2014

How to troubleshoot call recording with AQM

Quick note: this blog post shouldn't be considered "finished" at this point; right now it's just a collection of useful tidbits I found when configuring Advanced Quality Manager (AQM) on Cisco. I found there was not a lot of good documentation, so this is my attempt to capture some good information.
AQM can be very tricky. It's the second way of doing call recording: I have already spoken in a previous blog post about some of the native call recording options you have, but AQM provides some more advanced methods.

There are several recording methods, the two most common:

Server-based recording:
Uses a SPAN port that you point towards the server, with desktop recording as a backup.

Network-based recording
This uses the built-in bridge on the phone to fork the audio and send it to a SIP trunk of your choosing. Screen recording is done in a very clever way: the server sends a message to the phone, which in turn sends a message to the PC behind it, which tells the screen recording client on the PC to start recording. I found the whole process quite interesting.

Here are some hints to troubleshoot. First of all, the AQM user you specify when configuring your CTI JTAPI user under System Configuration -> Telephony Groups needs to be a user who has control of all the phones to be recorded (since AQM uses JTAPI to tell the built-in bridge to dial a certain number), and it must also have a few extra CTI permissions enabled; the screenshot below illustrates this:
Second of all, the log directory contains lots of useful files to help you troubleshoot. I tend to look for the ones that have been modified recently, but the most helpful one is the CTI Service log, which you can use to tell whether calls are actually being recorded:

2014-11-06 19:11:45,349 DEBUG  [PipelineThread-1|SipStackLogger#logMessage:55] SIP: IN|ACK sip:recording@172.1X.X.X5060;transport=tcp SIP/2.0|2396e9d4|172.16X.X.X57810->172.16X.X.X:5060|Call-ID: c55bac80-45c10cc6-13-70510ac@|From: "Temp" X>X>X;x-farend;x-refci=23795895;x-nearendclusterid=StandAloneCluster;x-nearenddevice=SEPAAAAFEA34743;x-nearendaddr=2606;x-farendrefci=23795896;x-farendclusterid=StandAloneCluster;x-farenddevice=CiscoUM2-VI1;x-farendaddr=2100>;tag=22~a1a6a549-e138-4c78-bd07-3a3cd137f07d-23795903|To: ;tag=c8af6c20|null|Content-Type: application/sdp|

You can see here that the recorded call is a call to voicemail.

Here is where the system tries to send a message to the client application running on the user's PC to tell it to start recording:

2014-11-06 19:11:44,956 DEBUG  [(P1-1X.X.X.X) EventThread|BasicSocketProtocolClient#sendMessage:59] MSG: Sent to X:49276]>: Head[48,292,1]AgentId=247;MAC=SEPAAAEA34743;RecordingIP=172.16.X.X;Type=NETWORK_RECORDING;State=RECORDING_SCREEN_FAILURE;Cause=recording_no_connected_client;<

In this case I didn't have the client installed on that PC. But for this message to get from the phone to the PC, you need to enable the phone to pass that traffic on:
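To make those two log formats easier to read in bulk, here is a small parser, added as an example and not part of the original post or of the Cisco product. The two sample lines are constructed, modelled on the excerpts above with made-up addresses, MAC and identifiers. It pulls the x-nearend/x-farend URI parameters out of the SIP From header to show which device and extension is being recorded and who the far end is, and flags any client message whose State is RECORDING_SCREEN_FAILURE along with its Cause:

```python
import re

# Constructed sample lines, modelled on the two CTI Service log excerpts above.
# Addresses (RFC 5737 ranges), MAC and identifiers are made up, not from a real system.
SAMPLE_SIP_LINE = (
    "2014-11-06 19:11:45,349 DEBUG  [PipelineThread-1|SipStackLogger#logMessage:55] "
    "SIP: IN|ACK sip:recording@192.0.2.10:5060;transport=tcp SIP/2.0|2396e9d4|"
    "192.0.2.20:57810->192.0.2.10:5060|Call-ID: c55bac80-45c10cc6-13-70510ac@|"
    'From: "Temp" <sip:2606@192.0.2.20;x-farend;x-refci=23795895;'
    "x-nearendclusterid=StandAloneCluster;x-nearenddevice=SEP000000000001;"
    "x-nearendaddr=2606;x-farendrefci=23795896;x-farendclusterid=StandAloneCluster;"
    "x-farenddevice=CiscoUM2-VI1;x-farendaddr=2100>;tag=22~a1a6a549-23795903|"
    "To: <sip:recording@192.0.2.10>;tag=c8af6c20|null|Content-Type: application/sdp|"
)
SAMPLE_CLIENT_LINE = (
    "2014-11-06 19:11:44,956 DEBUG  [(P1-192.0.2.10) EventThread|"
    "BasicSocketProtocolClient#sendMessage:59] MSG: Sent to 192.0.2.30:49276]>: "
    "Head[48,292,1]AgentId=247;MAC=SEP000000000001;RecordingIP=192.0.2.10;"
    "Type=NETWORK_RECORDING;State=RECORDING_SCREEN_FAILURE;"
    "Cause=recording_no_connected_client;<"
)

FROM_URI = re.compile(r'From:\s*(?:"[^"]*"\s*)?<([^>]*)>')
CLIENT_BODY = re.compile(r"Head\[[^\]]*\](.*)$")


def parse_recording_uri_params(line):
    """Return the x-... URI parameters CUCM puts in the From header of a recording
    INVITE/ACK: recorded device and extension, far end, and which leg
    (x-nearend / x-farend) this stream carries. None if the line has no From header."""
    m = FROM_URI.search(line)
    if not m:
        return None
    params = {}
    for part in m.group(1).split(";")[1:]:  # drop the sip:user@host part
        key, sep, value = part.partition("=")
        params[key] = value if sep else True  # bare flags such as x-farend -> True
    return params


def summarize_recording(line):
    """Human-readable summary of who is being recorded, built from the URI parameters."""
    p = parse_recording_uri_params(line)
    if not p or "x-nearenddevice" not in p:
        return None
    return {
        "recorded_device": p.get("x-nearenddevice"),
        "recorded_extension": p.get("x-nearendaddr"),
        "far_end_device": p.get("x-farenddevice"),
        "far_end_extension": p.get("x-farendaddr"),
        "stream_leg": "far-end" if p.get("x-farend") else "near-end",
    }


def parse_client_message(line):
    """Parse the key=value body the server sends to the desktop recording client."""
    m = CLIENT_BODY.search(line)
    if not m:
        return {}
    body = m.group(1).strip("<;")
    return dict(kv.split("=", 1) for kv in body.split(";") if "=" in kv)


def screen_recording_failures(lines):
    """(MAC, cause) for every client message that reports a screen-recording failure."""
    failures = []
    for line in lines:
        if "BasicSocketProtocolClient" not in line:
            continue
        fields = parse_client_message(line)
        if fields.get("State") == "RECORDING_SCREEN_FAILURE":
            failures.append((fields.get("MAC"), fields.get("Cause")))
    return failures


if __name__ == "__main__":
    print(summarize_recording(SAMPLE_SIP_LINE))
    print(screen_recording_failures([SAMPLE_SIP_LINE, SAMPLE_CLIENT_LINE]))
```

Running this over the whole CTI Service log directory is a quicker way to spot phones that are recording audio but failing screen capture than scrolling through the log by hand.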

More Help Troubleshooting AQM
You can get some more helpful info troubleshooting AQM by enabling event-viewer notifications like this one:
This will put useful messages in your event viewer so you know when you have misconfigured something:

More helpful troubleshooting steps:
You can always see what is going on, and whether your screen is actually being recorded, by checking the encoding directories. These store the actual screen recordings; on my machine they are configured as:

C:\Program Files (x86)\Common Files\QM\recordings

You can also find them on your server (both the encoding and the recording directory) in the postinstall.exe tool (which, incidentally, is another great way to troubleshoot and configure AQM).

When it comes to screen recording, you might notice messages about screen success in your JTAPI log file, but you can also find them in your client log files:
C:\Program Files (x86)\Cisco\WFO_QM\log\DesktopRecordServer0001


Note however that your lovely screen capture won't actually be uploaded until the network is not busy, OR you set the workflow to immediate upload (see screenshot below).

Live monitoring is pretty damn sick: you can watch an agent's screen live and see what they are up to. Check out a screenshot below:

The desktop view (the little picture of an eye) is quite impressive:

It's important to check your workflows to make sure you are actually going to record the event, and then match it with an appropriate workflow rule (such as record all calls from user XYZ). It is far too easy to miss calls because you don't have the right workflow rules.

Useful URLs:

These two are decent overviews:

Wednesday, October 29, 2014

COBRAS for importing Unity Connection/exporting unity connection

 Hey Guys

I found a better way to do Unity Connection upgrades. It's called COBRAS; the link below has a great tutorial on how to use it:

The page below is the help file, with lots of useful info. "Briefcase mode" is most likely going to be the way you and I do our upgrades. It also covers what to do when your version is unrestricted.

Thursday, October 23, 2014

A great command from ethereal mind

Finally! An etherealmind blog post not about flying unicorn SDNs!

Great command!

Wednesday, September 24, 2014

How to navigate around the CUCM Database using run sql, show tech systables and more tips

Hi Guys

So you may already know about the run sql command, but when it comes to finding what you need... sometimes it's tricky to work out the structure of a table, or even which table you might want to look at.

Here is how to see a list of tables:

admin:show tech systables
------------------------Show tech system tables-----------------------


Here is how to see all the entries for that table:

admin:show tech table srst
------------------------ Show tech table -------------------

Output is in /cm/trace/dbl/srst_table1411574818655.out
Use "file view activelog /cm/trace/dbl/srst_table1411574818655.out" command to see output

admin:file view activelog /cm/trace/dbl/srst_table1411574818655.out
2014-09-24 12:07:21,271 INFO  [ClassExecutionThread] cli.CliSettings - VMware = false

pkid                                 name                ipaddr1       port1 ipaddr2 port2 ipaddr3 port3 usermodifiable tksrstoption certificate issecure certificateproviderport sipipaddr1 sipipaddr2 sipipaddr3 sipport1 sipport2 sipport3 resettoggle tkreset
==================================== =================== ============= ===== ======= ===== ======= ===== ============== ============ =========== ======== ======================= ========== ========== ========== ======== ======== ======== =========== =======
c80cafe0-af65-43d6-a1f1-435ad998bd26 Use Default Gateway               2000          2000          2000  f              2                        f        2445                                                     5060     5060     5060     f           2

So now I know what the columns are, I can run sql queries:

admin:run sql select pkid, ipaddr1, name from SRST
pkid                                 ipaddr1       name
==================================== ============= ===================
c80cafe0-af65-43d6-a1f1-435ad998bd26               Use Default Gateway
cd241e11-4a58-4d3d-9661-f06c912a18a3               Disable
3bc40e86-e06f-4e4a-9679-a6ef5d7f6d05 MIKE_SRST
65cd53b4-3c1a-413f-acc9-c92f0eff9a52  DAVE_SRST
f5ad268e-7a37-8d6e-9783-f415ca3c9629 PETE SRST

Full shout out to ucguerrilla for this (How to get a list of fast dials and speed dials using SQL)

Hi Guys!

First of all, full props to ucguerrilla for what I am about to post. His website:

is AWESOME for UC engineers and has some great, great stuff.

Anyway, he has two entries about extracting fast dials and speed dials from CUCM using SQL queries that I found very useful. Here is the SQL query to extract fast dials (the CUCM CLI wants it on a single line; it is wrapped here for readability):

select uid.userid,
       fd.personalfastdialindex,
       fd.phonenumber as fastdialdest,
       pab.firstname as AddressBookFirstName,
       pab.lastname as AddressBookLastName
from personalphonebook as fd
  inner join enduser as uid on fd.fkenduser = uid.pkid
  inner join typepersonalphonenumber as tppn on fd.tkpersonalphonenumber = tppn.enum
  left outer join personaladdressbook as pab on fd.fkpersonaladdressbook = pab.pkid
order by uid.userid, fd.personalfastdialindex

Here are his relevant blog posts:


Tuesday, September 9, 2014

vSwitch Updates


vMotion support for networks with less than 100ms RTT, vMotion between "Data Centers" (not literal data centres, just the VMware construct called "Datacenter"), and "official" support for vMotion over routed networks (which has been working for a while but was never officially supported).

Monday, August 18, 2014

Cisco CUCM - Self Provisioning, Feature Groups, User Device Templates, User Profiles - What it all means and how to use it to get zero-touch deployment! - Part 2

CUCM Self Provisioning

Hi Guys

In part 1 of CUCM provisioning we talked about the new features available in CUCM 9 to make life easier when adding users. Continuing this theme, we are going to look at self-provisioning, which allows users to provision their own phones. LDAP is used to provide the user information.

The feature is available in CUCM 10 and is quite nifty.

If you have not read part 1 of this blog, I strongly recommend you do so before continuing.


The basic premise of this feature is very similar to a technology many of you will already be familiar with: Cisco TAPS. TAPS allowed you to bulk insert phones and then, using a UCCX script, have users phone a number in order to self-provision their phones. Self-provisioning is like TAPS but with a few important differences:

- You don't need UCCX
- You don't bulk insert the phones.


The first thing you will need to do (other than setting up the universal device template and universal line template that I already outlined in blog post 1) is configure a CTI route point and assign it a number. This CTI route point doesn't have to be anything special, but you should assign it a DN that is reachable by phones configured for auto-registration.

Second, enable auto-registration with a CSS that can reach the number you assigned to your CTI route point.

Next, you must create an application user, ensure it is a member of the "Standard CTI Enabled" access control group, and also ensure that it controls the CTI route point you just created.

Once this is done, go to the self-provisioning section under User Management -> Self-Provisioning

Once this is done, you will be prompted to restart the service, which is obviously a good idea.

The final step is to configure our LDAP directory:

Go to your LDAP Directory page after configuring your LDAP System and specify a search base containing the users. Note that you could use filters here to control which users, from which part of your business, are imported from LDAP. For example, if you had users in NJ who should receive a CSS that is allowed to call internationally, you would create a separate LDAP directory entry for that group using a custom LDAP filter that looks for membership of a particular Windows group. Or you could place them in a separate OU. The point is that you will need to create multiple LDAP directories, one per set of users that should get different settings.
In the example below I have just pointed to the default AD users container (CN=Users) for simplicity.

Next, you assign the "Feature Group Template" that controls which universal device template and universal line template are assigned to users contained in this LDAP directory.

It's important to also select "Apply mask to synced telephone numbers to create a new line for inserted users", and enter the mask as you want it to appear, based on the imported telephone number field.

Once this is done, sync the directory. What should happen is that every entry in your LDAP directory with a phone number assigned in LDAP now gets a DN in CUCM that has not yet been associated with a phone:

When a user first plugs in a phone and dials the CTI route point number (in our case, 9999), they will be prompted to enter the extension of the phone they wish to provision. Once this is done, the phone is created based on the settings in the line and device templates!!

See below an example:

There you have it!!! Now all you have to do to create a user is create it in LDAP, grab a phone, dial 9999 and enter the extension. You could even have the users do this themselves, and the phone will be provisioned!

Finally LDAP integration worth configuring!!

I hope this helps someone out there

Cisco CUCM - Self Provisioning, Feature Groups, User Device Templates, User Profiles - What it all means and how to use it to get zero-touch deployment!

How to enable self-provisioning for CUCM 10.5

The problem

A customer once asked me to enable LDAP integration for their CUCM deployment.

"How long will it take?" they asked. "Maybe an hour max," I replied. The customer was surprised it was so easy, and I found it funny they thought it would take a while!

I enabled it for them, and the disconnect quickly became apparent: they thought enabling LDAP sync would mean their phone info was automatically pulled from LDAP! Back then this was not the case.

CUCM 10.0 finally gives us this ability, in combination with a feature that has been available since CUCM 9 that allows you to add phones and lines from a template. That feature can still be useful for those of you not using LDAP integration.

Building Blocks

Let's look at the parts involved so we can work out what all these new options are and what they do for us. When you create these "building blocks" you would basically create one set for each discrete group of users. In my example I live in New Jersey, so I have created a collection of these building blocks to represent the settings of the New Jersey site users.

Universal Line Template
The universal line template is where we configure the settings for the line, such as partition, call forward settings etc. You can access this via User Management -> User/Phone Add -> Universal Line Template. The settings are shown below.

As you can see, you can edit the call forward settings, calling search spaces etc. You will also notice #FirstName# and #LastName#; these are called tags and allow these fields to be filled in with information pulled down about the user from LDAP, or entered by you manually when you create the user in the Quick User/Phone Add page (if you don't use LDAP). I personally feel not enough tags exist; for example there is no DirectoryNumber tag, which would be useful since I like to put the directory number into the description of each device and each line.

Once you have saved this, it's onto the next building block

 Universal Device Template
Here is where you configure the device's own CSS, MRGL, device pool etc. These settings can be customised for the KIND of device you're adding (for example, you would have separate universal device templates for soft phones and for remote destination profiles).

These settings can be found under:
 User Management -> User/Phone Add -> Universal Device Template

User Profile
The user profile can be found under User Management -> User Settings -> User Profile. This links together the device and line templates, as well as controlling whether the user is allowed to self-provision or not. As you will see in the screenshot below, you can specify a separate device template for each type of device.
Feature Group Template
Finally, a feature group template is used to set some restrictions for the user and to tie the user profile to them.

Non-LDAP Users Quick Phone/User add

Let's assume for a minute that you're either not using LDAP, not interested in self-provisioning, OR you're stuck on CUCM 9. All the settings you just configured were not in vain; you can still get great use out of the templates you just created.

You can either create a new user with a new username and details:

Or click on either a non-LDAP integrated user or an LDAP integrated user (as per the screenshot below)
Once you have clicked on an existing user and/or created a new user, you can assign that user an extension

Once an extension is assigned you can then click "manage devices" and either move an existing phone over to them (cool! Great for changes) or add a new phone:

Part 2 of the blog will cover how to integrate this with LDAP 

Sources: I got some really good information from the following blog Entry

Wednesday, August 13, 2014

Cisco Unity Connection Call back feature

Hi Guys!

This was a feature a customer of mine wanted quite a bit, but I could not find it anywhere!

The main reason is that it's not always called "call back". In fact the feature called "call back" on Unity Connection is a crazy feature where, if you hang up before a message is finished and ring back within a certain timeframe, it automatically resumes playback from where you left off. I think that's a solution looking for a problem.

Anyway, let's talk about traditional callback. What I specifically mean here is: a user gets a voicemail left for them, and they want to call back the caller who left the message by pressing a button on the phone.

The button they need to press is:


This is NOT an option presented to you unless you select "more options" for the message. It's not a default option, so it was a PITA to find out this option exists.

Here is the user guide showing all the options users can press during a call

OK, a few things you might want to check if this does not work. First of all, the user must have the ability to "reply" enabled in their Class of Service:

If you still get a voicemail greeting instead of being transferred to the person who left you the message, and they are an internal user, check that user's transfer rules:

If it's an external caller, think about how the number is being presented to Cisco Unity Connection: are you dropping the leading 0 or leading 9 for an outside line before sending it to Unity? If so, you will need to prefix it back on when Unity sends the call out to CUCM, using any method of your choosing.

It can also be the restriction table within Unity itself. The table used is the Default Transfer restriction table, so be sure to look at that and make sure the number is allowed to be dialled:

Tuesday, July 29, 2014

How to configure Call monitoring for UCCX

Hi Guys!

UCCX is a great contact centre. The supervisor desktop, which I always dismissed as not being that good, actually has some great new features that we will cover later. For now I am going to talk about how to configure UCCX call monitoring.

Call monitoring allows you to listen in on an agent's conversation; it plays through your PC speakers. The call does NOT have to be an ACD call, because it basically works via SPAN.

The way it works is that the agent desktop software sends the RTP stream to the supervisor's PC. It can do this because the phone has the "Span to PC Port" option enabled, so the PC behind the phone sees the phone's voice traffic.

This is found under the phone itself:

Next, you simply select a recording server for the user. This is found under the Desktop Administration drop-down in the top right-hand corner of UCCX.

On the side menu, expand out multiline, monitoring and recording and select VoIP monitoring device

We are done! Setup is ready to go. You will need to log the agent and supervisor back in, and don't forget to reset the phone.

From here you simply go to the supervisor desktop, highlight the user and click "voice monitor"
That's it! Easy as that

Friday, July 25, 2014

Retrieve MOH files

  1. Connect (using SSH) to the CUCM node that has the MoH audio server role, or the publisher node.
  2. To list the music files, use the command: file list activelog mohprep
  3. You will see a list of MoH files in various formats (ulaw, alaw, g729, etc.). Identify the file(s) you would like to download.
  4. Retrieve the file using the command: file get activelog mohprep/
     - You can use a specific filename: e.g. mohprep/mymohfile.ulaw.wav
     - You can use a mask: e.g. mohprep/*.ulaw.wav

Thursday, July 24, 2014

Disabling specific log messages on the ASA to help troubleshoot

ASA logging gives you lots of great info, but it tends to have loads of it coming up all at once. I tend to do a trick where, since I know the IP address I am looking for, I constantly type:

show log | inc

then I try to generate the traffic and catch the entry in the log.

However, someone else has a great way to disable specific log messages instead:

Great stuff!

Wednesday, July 16, 2014

Good looking CDR reporting tool for CUCM

Hi Guys

I just saw this CDR reporting tool for CUCM and it actually looks really good:

Also, please find below a really good Erlang B calculator for working out trunk sizes:

Sunday, July 13, 2014

Mini UCS is finally here

Mini UCS is finally here. It has been long rumoured but has finally arrived; the data sheet does a better job of explaining it than I can:

Tuesday, July 8, 2014

JTAPI Testing

Hi Guys

A super useful app is available from Cisco to test JTAPI and make sure that your JTAPI setup (username/password etc.) is 100 percent correct. It's available here:

Monday, July 7, 2014

Random collection of bugs I uncovered during an upgrade from 8.5 to 10.5

- WORKFLOW does not get copied over with a DRS restore (no reason codes etc.)
- Bug with headsets and 79XX handsets means transfers will not work correctly
- ITL will have issues (show itl in the console)
- Watch out for JTAPI IPv6 issues causing problems with RMCM logging in
- There is an issue when doing a UCCX switch version from 8.5 to 10.5 (shared memory on UCS servers; look for the bug that mentions it)
- CUIC login fails
- Database sync failed when going from SU3 to SU4 on 8.5

Cisco Workflow for Cisco Agent Desktop (CAD) does not get copied during DRS restore or upgrade with UCCX

Hi Guys

As per the post title, Cisco Workflow information does not get copied across with a DRS restore or a UCCX upgrade. Totally crap, so be careful when you're doing a UCCX upgrade.

Hit this bug during a UCCX upgrade from 8.5 to 10.5

Basically you need to be sure, when using JTAPI, that your phones' Common Device Configuration does not have IPv6 addressing enabled, otherwise JTAPI will try to use IPv6 by default. This can cause error messages such as:

"Login failed due to a configuration error. Please ask your system administrator to associate your phone with the RM JTAPI Provider user ID according to the instructions in the administrators guide"

Another thing that can cause this issue is Extension Mobility, so if you're sure your phone is associated with the user etc., check your Common Device Configuration for the IPv6 addressing mode, as well as checking for Extension Mobility.

Full shoutout to Amy Engineer Blog

Great Blog!

Tuesday, June 24, 2014

Deny TCP (no connection)

Hi Guys

If you ever see the error message Deny TCP (No connection), it's the ASA's way of saying that a flow attempting to go through it doesn't seem to be following the correct TCP session flow (SYN, SYN/ACK etc.).

This is 99 percent of the time caused by asymmetric routing. Consider this example (note: this is a terrible topology, and deliberately so; that's what causes the problem, bad topology and bad design):

Ok lets just quickly go over things, Server1 has an ip address, FW is and the router in this subnet is

Server1 needs to talk to which is a device hanging off the router, we can see it in our diagram.

If the server is incorrectly configured to point to the firewall as its default gateway in this instance, something bad will happen:

The server will send the frame to its default gateway, the firewall. The firewall will see this packet and forward it to the router, and the router will then forward it to , so far so good, right? will then reply via the router; the router is directly connected to Server1's subnet, so it sends the reply packet straight to Server1, bypassing the firewall.

Server1 then sends the next packet in the TCP session. The packet arrives at the firewall, and the firewall says "Wait a minute!!! I never saw the reply packet come back! This is an invalid TCP session!"

You will then see the message

"Deny TCP (No Connection)"

Hopefully that clears up this error in your ASA and what (normally) causes it. Having two exit points on a network that a server sits on is often a bad design. Note that things like ICMP redirects, or the ASA's TCP state bypass feature (which switches off exactly the stateful checking that protects you), could be used to mitigate this, but ultimately if you have your server on a subnet with multiple exits out of that subnet (and not in some sort of redundancy configuration, i.e. two routers with HSRP), you should ask yourself if there is a better way.
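Here is the scenario above as a toy stateful inspector, added as an example and not taken from the post or from Cisco's code. It is a deliberately simplified model (the states and the log text mirror the post's description, not the ASA's real state machine), with made-up addresses standing in for the ones in the diagram. It shows why seeing only one direction of the handshake leaves the firewall with nothing to match the third packet against:

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges) standing in for those in the diagram.
SERVER1 = "192.0.2.10"   # on the firewall's inside subnet, default gateway pointed at the firewall
REMOTE = "203.0.113.50"  # the host hanging off the router


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


class StatefulFirewall:
    """Simplified model of a stateful TCP inspector (not the ASA's real implementation):
    a connection only advances if the firewall itself sees each handshake step."""

    def __init__(self):
        self.conns = {}  # (client, cport, server, sport) -> handshake state
        self.log = []

    @staticmethod
    def _fwd(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.dst, p.dport, p.src, p.sport)

    def inspect(self, p, iface="inside"):
        """Return True if the packet is forwarded, False if it is dropped and logged."""
        fwd, rev = self._fwd(p), self._rev(p)
        if p.flags == "S":
            self.conns[fwd] = "SYN_SENT"  # embryonic connection created
            return True
        if p.flags == "SA" and self.conns.get(rev) == "SYN_SENT":
            self.conns[rev] = "SYN_RECEIVED"  # reply seen, handshake can complete
            return True
        if p.flags == "A" and self.conns.get(fwd) == "SYN_RECEIVED":
            self.conns[fwd] = "ESTABLISHED"
            return True
        if "ESTABLISHED" in (self.conns.get(fwd), self.conns.get(rev)):
            return True  # mid-connection traffic in either direction
        # No connection in a state that explains this packet: drop it and log it.
        self.log.append(
            f"Deny TCP (no connection) from {p.src}/{p.sport} to {p.dst}/{p.dport} "
            f"flags {p.flags} on interface {iface}"
        )
        return False


def symmetric_handshake():
    """Both directions traverse the firewall: all three packets pass."""
    fw = StatefulFirewall()
    results = [
        fw.inspect(Packet(SERVER1, 40000, REMOTE, 80, "S")),
        fw.inspect(Packet(REMOTE, 80, SERVER1, 40000, "SA"), iface="outside"),
        fw.inspect(Packet(SERVER1, 40000, REMOTE, 80, "A")),
    ]
    return results, fw.log


def asymmetric_handshake():
    """Server1 sends via the firewall, but the router hands the SYN/ACK straight back to
    Server1, so the firewall never sees it and the ACK has nothing to match."""
    fw = StatefulFirewall()
    results = [
        fw.inspect(Packet(SERVER1, 40000, REMOTE, 80, "S")),
        # SYN/ACK bypasses the firewall: no inspect() call for it
        fw.inspect(Packet(SERVER1, 40000, REMOTE, 80, "A")),
    ]
    return results, fw.log


if __name__ == "__main__":
    print(symmetric_handshake())
    print(asymmetric_handshake())
```

The fix is topological, not a firewall setting: put the server's default gateway on the router, or route the return traffic back through the firewall, so that the inspector sees both halves of every exchange.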

Thursday, May 8, 2014

Cool new N7k feature

It's a built in load balancer! Wish I had a 7k to try it on!

Monday, May 5, 2014

Cisco Jabber: Huge Improvements, Part 1 of 6 - Initial Jabber Setup

Hi  Guys!

I am pleased to finally be able to say I would be happy to recommend and deploy Cisco Jabber for customers ahead of Microsoft Lync.

I may bleed Cisco green/blue, but even I could not defend Cisco Jabber over Microsoft Lync; the list of features was simply too much in Microsoft's favour.

However, with the most recent releases Cisco have added some major features, each of which we will cover in these blog posts.

  • Collaboration Edge, which is basically a repurposed VCS Expressway that allows external Jabber users to use Jabber without having to VPN in first. This is an absolute boon: although AnyConnect for PCs and mobile devices tried doing some fancy tricks, like checking what local domain name you had and launching a VPN based on that, it often did not work that well. Collaboration Edge is a far superior method, and we will be covering it later in this series.
  • Jabber SDK, which allows you to integrate Jabber into your web pages. Think of things like live chats on your website that could go straight to your corporate IM platform (perhaps to the people who run your cold-call campaigns etc.).
  • The CUCM User Data Service (UDS) as a contact source, which we will go into in more detail, but which essentially means there's no need to configure a complicated LDAP setup on the client in order to get good directory support: directory information can be pulled from CUCM itself, and Jabber can also pull local contacts from Outlook.
  • Instant message logging for compliance purposes, so you can log instant messaging just like you would email, which could be important for your organisation.
  • Finally, Jabber federation amongst organisations via XMPP, allowing you to federate with other organisations; this is also possible with SIP.
Jabber is worth checking out: you are entitled to it as part of your CUCM licensing at no extra cost, so why not!

This first entry will look at Jabber setup and configuration, which is actually very simple and straightforward.

Let's get into it!

In this article I have assumed that you have already got the basics of IM and Presence installed. FYI, in case you have been away from Jabber for a long time (like I had been, having almost given up on it since it looked like a Windows 3.11 app): Cisco are trying very hard to integrate Jabber into the core product. It is not unreasonable to assume that the Cisco IM and Presence server will eventually disappear completely and all its tasks will be undertaken within the CUCM app. For now, to add presence you simply add the IM and Presence server as another server, like you would add a subscriber:

Once this is done, install the CUCM IM & Presence server (henceforth referred to as IMP) just like you would a CUCM subscriber. There is very little you have to configure on the IMP server.

To make a user a Jabber user, you select a service profile for the user and enable them for IM and Presence:

It's really quite straightforward! Technically your user is now 100 percent enabled for instant messaging. Of course, without a good directory and some infrastructure setup it won't be a great experience, but this will certainly get you off the ground.

Jabber now relies heavily on good certificates and good DNS information. These are two technologies that I find a lot of system administrators struggling with. How many of you are still using the default self-signed CUCM certificate? Start getting used to certificates; they are going to be the de facto security method within a very short period of time (for an example of how useful certificates and keys can be, check out my blog post: which describes securing routers with SSH keys).

OK, so with all of this in mind, let's take the next step. Install the latest Jabber client (which is actually pretty nice on Mac) and try to sign in. You will be presented with the option for manual setup: since we have not set up any DNS records, Jabber can't sign in for us by automatically discovering the server, but we will take a look at that later.

When you go to sign in to the server, you will be presented with an invalid certificate error like the following:
This can be annoying for your users, so I recommend that you install a proper certificate.

Assuming you don't ever want to go to this trouble manually, you can configure DNS entries for your clients that point straight to your server; that way, when the clients initially try to connect they will perform a DNS lookup and find it.

The following document from Cisco: is a ridiculously good document describing the DNS implications for Jabber. I won't go into every detail, but suffice to say you need to know whether you're running split DNS or two separate domains (for example, ccierants.local vs

The first two SRV records Jabber looks for, which should ONLY be resolvable from your internal domain, are _cisco-uds._tcp and _cuplogin._tcp. If these are not available, Jabber assumes it's not on the internal network and looks for the _collab-edge._tls SRV record instead.

So you can see that with some good DNS setup you would be able to have this sign in automatically.
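The discovery order above, as an added example that is not from the post or from the Jabber client's code. A real client would issue DNS SRV queries; here a dict stands in for each DNS view so it runs offline, and the zone data and hostnames are made up. It also orders the results per RFC 2782 (priority, then weight) and includes a check for the mistake the paragraph warns about: internal discovery records that are resolvable from the outside view.

```python
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Jabber's discovery order on login: internal records first; if none resolve,
# assume we are outside the network and look for the Collaboration Edge record.
INTERNAL_SERVICES = ("_cisco-uds._tcp", "_cuplogin._tcp")
EDGE_SERVICES = ("_collab-edge._tls",)


def order_srv(records, rng=None):
    """Order SRV records per RFC 2782: lowest priority first, weighted-random within a priority."""
    rng = rng or random.Random(0)  # fixed seed so the ordering is reproducible here
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def discover(domain, resolve):
    """Return ("internal", targets), ("edge", targets) or (None, []).
    `resolve(name)` returns the SRV records for a name, or [] if it does not exist."""
    for svc in INTERNAL_SERVICES:
        recs = resolve(f"{svc}.{domain}")
        if recs:
            return "internal", [f"{r.target}:{r.port}" for r in order_srv(recs)]
    for svc in EDGE_SERVICES:
        recs = resolve(f"{svc}.{domain}")
        if recs:
            return "edge", [f"{r.target}:{r.port}" for r in order_srv(recs)]
    return None, []


def check_exposure(external_zone):
    """Internal discovery records that leak into the external DNS view. If any are
    present, outside clients try (and fail) to reach internal servers instead of the edge."""
    return sorted(n for n in external_zone if n.startswith(INTERNAL_SERVICES))


# Constructed zone data for the two views of one domain (split DNS). Hostnames are made up.
INTERNAL_VIEW = {
    "_cisco-uds._tcp.example.com": [
        SRV(10, 50, 8443, "cucm1.example.com"),
        SRV(10, 50, 8443, "cucm2.example.com"),
        SRV(20, 0, 8443, "cucm3.example.com"),
    ],
    "_cuplogin._tcp.example.com": [SRV(10, 0, 8443, "imp1.example.com")],
}
EXTERNAL_VIEW = {
    "_collab-edge._tls.example.com": [SRV(10, 0, 8443, "expressway-e.example.com")],
}


def make_resolver(zone):
    """Stand-in for a DNS resolver: look the name up in a static zone."""
    return lambda name: zone.get(name, [])


if __name__ == "__main__":
    print(discover("example.com", make_resolver(INTERNAL_VIEW)))
    print(discover("example.com", make_resolver(EXTERNAL_VIEW)))
    print(check_exposure(EXTERNAL_VIEW))
```

The check_exposure result is the list you want to be empty: if _cisco-uds or _cuplogin resolve externally, outside clients will try the internal servers directly and never fall back to _collab-edge.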

You're probably asking at this point, wait a minute, I thought this whole article was about federation? I promise it still is, but before you get into federation you need to be aware of how important DNS is to getting federation working correctly, and this provides a gentle introduction to DNS so you can see the ideas and benefits behind it.

Next, let's take a quick look at how to do your certificates properly so we can avoid those nasty error messages appearing on end users' desktops, which I am sure we all want to avoid.

You have three options for dealing with certificates, as per the great Cisco document here:
Method 1: Users simply click Accept to all certificate popups. This might be the most ideal solution for smaller environments. If you click Accept, certificates are placed into the Enterprise Trust store on the device. After certificates are placed in the Enterprise Trust store, users are no longer prompted when they log into the Jabber Client on that local device.

Method 2: The required certificates (Table 2) are downloaded from the individual servers (by default, these are self-signed certificates) and installed into the Enterprise Trust store of the user device. This might be the ideal solution if your environment does not have access to a Private or Public CA for certificate signing.

Method 3: A Public or Private CA (Table 2) signs all of the required certificates. This is the Cisco recommended method. This method requires that a Certificate Signing Request (CSR) is generated for each of the certificates, is signed, re-uploaded to the server, and then imported to the Trusted Root Certificate Authorities Store on user devices. See the Generate a CSR and the How do I get certificates to user devices certificate stores? sections of this document for more information.

The first method is the least desirable, but sometimes the Windows administrator will not have set up his Certificate Authority correctly, or he may not have set one up at all! If he is worth his salt he will have installed and correctly configured a CA environment, as they are critically important to most major Windows applications these days.

Assuming this is the case, when the user goes to sign into Jabber they will be prompted to accept the cert:

If the cert is accepted, it will be added to the enterprise trust store as shown in the screenshot below:

Incidentally, this is also where you need to go if you ever need to delete a certificate from the trust store for Cisco Jabber.

Method 2 is a bit better: you use Group Policy to install the certificate into the users' Enterprise Trust store automatically, so they never have to accept the cert and never see the popup. But this only works for Windows devices, or devices that can accept a Group Policy update, and because you are distributing each server's self-signed certificate rather than a CA, you have to redistribute it every time a server certificate is regenerated.

The best method is Method 3, using a proper CA to issue the certificate. You could do this with a private or a public CA. A private CA is a good option if you mostly have Windows and Mac clients, as you can get them to trust your root CA; if you have a lot of iPhones and iPads it can be more troublesome, as you need a way to get your private root CA onto the devices, which is labour-intensive unless you have good mobile device management. For those kinds of deployments you might consider using a public CA, but be warned: this can cost money.

I am going to assume that you're going with Method 3 with a private CA for the rest of this tutorial.

So, if you decide to go with the private CA method, log in to the Cisco Unified OS Administration page of your IM & Presence server, and from there go to Security -> Certificate Management.

From here you want to click on the Generate CSR button:
 Select a 2048-bit key length, but keep tomcat selected as the certificate the CSR is for. Make sure the name in the CSR is the fully qualified domain name your users will actually resolve, because that is the name the certificate will be checked against.

 Once this is done, click "Download CSR" on the previous page.

This is the Certificate Signing Request that (hopefully) your Windows sysadmin will know how to enroll into his CA, and with any luck he will send you back a shiny certificate; ask him to export it as Base64 if possible. Ask him to also export the trusted root CA cert so we can import it into the IM & Presence server too.

Once this is done, you need to import the certificates: click on "Upload/Download Certificate".

The first thing you need to do is import the trusted root CA; select tomcat-trust from the dropdown. If your CSR was signed by an intermediate (issuing) CA rather than the root itself, upload the intermediate certificate to tomcat-trust as well, because the server will reject the signed tomcat certificate if it cannot build the chain back to a trusted root:

Upload the file. Once this is done, click Upload Certificate again, but this time select "tomcat" from the dropdown list.

Once you have uploaded this, you will need to restart Tomcat:

admin:utils service restart Cisco Tomcat
 Don't press Ctrl-c while the service is getting RESTARTED.If Service has not Restarted Properly, execute the same Command Again
Service Manager is running
Cisco Tomcat[STOPPING]
Cisco Tomcat[STOPPING]
Cisco Tomcat[STOPPING]
Cisco Tomcat[STOPPING]
Cisco Tomcat[STARTING]
Cisco Tomcat[STARTING]
Cisco Tomcat[STARTING]
Cisco Tomcat[STARTING]
Cisco Tomcat[STARTED]

Once this is done, you can test whether your certificate has been installed and is trusted correctly by simply browsing to your CUCM IM & P web page and checking that a valid certificate is presented. You need to visit the page via its DOMAIN NAME, as the certificate is issued for the domain name and not the IP address. Remember: it's important to get used to using DNS from now on; Jabber and IM really rely on it, and once IPv6 is more widely deployed all of us network engineers are going to be relying on DNS a lot more!
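The browser check above can be scripted so it catches the three things that produce the popup: a name that is not in the certificate, a self-signed certificate still in place, and an expiry creeping up. This is an added example, not code from the original post; it uses only the Python standard library. The node FQDN, port 8443 and the CA file path are assumptions, and the two sample certificate dicts are constructed in the shape `SSLSocket.getpeercert()` returns.

```python
"""Audit the certificate an IM&P (or CUCM) node presents to browsers and Jabber.

Added example, not from the original post. Standard library only. The node
FQDN, port 8443 and the CA file path are assumptions; the sample cert dicts
are constructed in the shape SSLSocket.getpeercert() returns.
"""

import socket
import ssl
import time


def hostname_matches(pattern, hostname):
    """Match a DNS SAN entry against the FQDN: exact, or one leftmost '*' label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def audit_peercert(cert, expected_fqdn, now=None, min_days_left=30):
    """Return a list of findings for a getpeercert() dict; empty means OK."""
    now = time.time() if now is None else now
    findings = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        findings.append("no DNS subjectAltName (modern clients match the name against SAN, not CN)")
    elif not any(hostname_matches(san, expected_fqdn) for san in sans):
        findings.append(f"{expected_fqdn} not in SAN {sans}")
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed (subject equals issuer): the CA-signed tomcat cert is not in use")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        findings.append("expired")
    elif days_left < min_days_left:
        findings.append(f"expires in {days_left:.0f} days")
    return findings


def audit_live(fqdn, port=8443, cafile=None, timeout=5):
    """Connect the way a browser does and audit the presented certificate.

    cafile is the root CA you uploaded to tomcat-trust. If the chain does not
    validate, wrap_socket raises SSLCertVerificationError, which is exactly the
    condition behind the end-user popup.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return audit_peercert(tls.getpeercert(), fqdn)


# Constructed sample: CA-signed cert for the IM&P node, in getpeercert() form.
GOOD_CERT = {
    "subject": ((("commonName", "imp1.example.com"),),),
    "issuer": ((("commonName", "Example Corp Issuing CA"),),),
    "subjectAltName": (("DNS", "imp1.example.com"),),
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}
# Constructed sample: a self-signed cert for the short hostname, no SAN, expired.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "imp1"),),),
    "issuer": ((("commonName", "imp1"),),),
    "notAfter": "Dec 31 23:59:59 2019 GMT",
}

if __name__ == "__main__":
    print(audit_peercert(GOOD_CERT, "imp1.example.com"))
    print(audit_peercert(SELF_SIGNED_CERT, "imp1.example.com"))
```

Call `audit_live("imp1.example.com", cafile="root-ca.pem")` after the Tomcat restart: an exception means the chain is wrong (root or intermediate missing from tomcat-trust, or the old cert still being served), and a non-empty list tells you which of the other checks a user's browser would trip over.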

Once this is done, you should be able to log in to Jabber without any error messages and with no extra configuration required for users: just log in and start enjoying!

It's important to note that if you're integrating with CUCM, WebEx or Unity Connection, all of these applications will ALSO present certificates to your Jabber client, so you will have to perform the exact same steps on each of them.

I hope you have enjoyed this blog post and look forward to writing the next one for you. Jabber is finally good!

Monday, April 28, 2014

How to configure ASA SSL VPN + IPhone

Hi Guys

I had the chance to configure a feature I have always wanted to try out but never got the chance to: Cisco IP Phone VPN. This allows you to configure a phone to VPN over SSL VPN back to its home CUCM if you take it out to a foreign network. Designed so you can take a phone out to an exec's site or something (of course, they will need PoE).

Few things to note:

- Only certain phone models are supported, so keep that in mind; the full list is in the URL I will give below.

- You have to enable it BEFORE you take the phone out. The way it works is that when the phone registers to CUCM it downloads a config file that tells it where to find the VPN settings; the user doesn't just enter them himself.

- I was lazy and did it using a username and password which the user had to enter into the phone, but this sucks because 1. the user has to enter an alphanumeric username/password on a phone keypad, 2. these users are pulled from your SSL VPN users and NOT your CUCM users, so you had best be syncing from an LDAP source, and 3. it's one more step to worry about. So don't do in production what I am doing here in a lab environment: use certificates to authenticate. If there is enough demand I will do a blog on how to auth via cert.

- Works on both ASA and SSLVPN on a router as far as I can tell.

OK, so first of all, here is the great tutorial from Cisco, but they are doing it on an ASA; we will be doing it on an ISR.

So the first thing is, of course, a working SSL VPN config; mine looks something like this:

crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.05160-k9.pkg sequence 1
!
webvpn gateway SSLVPN
 ip interface Dialer1 port 443
 ! Self-signed trustpoint: this is the certificate the phones must find in
 ! Phone-VPN-trust on CUCM (covered below), otherwise they will not connect
 ssl trustpoint TP-self-signed-4216080960
!
! Leftover context from an earlier attempt: it is "no inservice" and its name
! differs from the live one only in case (IOS keeps them as two separate contexts)
webvpn context SSL_Gateway
 ssl authenticate verify all
 no inservice
!
! The context the phones actually use. The address-pool netmask and the
! split-include networks were cut from the original paste; fill in your own
webvpn context SSL_gateway
 gateway SSLVPN
 ssl authenticate verify all
 policy group default
   functions svc-enabled
   svc address-pool "VPN" netmask
   svc keep-client-installed
   svc split include
   svc split include
 default-group-policy default
 ! not in the paste, but the context must be in service to accept connections
 inservice

This is not a tutorial on setting up SSL VPN; there are plenty of tutorials out there on the web for that, and this part does not really change just because we are using phones. In fact, before you even begin to configure the SSL VPN on the phone I recommend you test it as a normal user in Windows and check:

1. The user/pass you intend to use for the phone is able to log in
2. The SSL VPN actually works
3. You can ping the CUCM server once you're on the VPN

Once you're sure of all that, and you have tested thoroughly to ensure the SSL VPN is working fine, it's time to configure the phone.

Now the key to all of this is that you MUST provision the phone BEFORE you hand it to the user: if you give the user the phone before you configure all of these settings, it will be too late. The phone has to register on the corporate network at least once to download this config before you can take it to a remote location and have it register from there.

The second thing is that you MUST install your SSL VPN certificate into the trust store on CUCM, which we will cover.

Log in to your CUCM and navigate to the OS Administration page, then to Security -> Certificate Management. Click on Upload Certificate, select "Phone-VPN-trust" from the dropdown as shown below, and upload your SSL VPN gateway's certificate. The easiest way to get a copy is to visit your SSL VPN in your web browser of choice and download the certificate from there. Before you upload it, compare its fingerprint with the certificate on the router itself: whatever goes into Phone-VPN-trust is what every phone will accept as its gateway.
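The browser download step can also be done from a script, which makes the fingerprint comparison less error-prone. This is an added example, not code from the original post; it uses only the Python standard library, and the gateway name and port are assumptions. The certificate is fetched without validation on purpose (it is the router's self-signed cert, so there is nothing to validate it against yet), which is why the fingerprint is printed for you to check against what the router reports for its trustpoint (show crypto pki certificates verbose) before anything is uploaded.

```python
"""Grab the SSL VPN gateway's certificate for the Phone-VPN-trust upload.

Added example, not from the original post. Standard library only; the gateway
name and port are assumptions. The certificate is fetched WITHOUT validation
(it is the router's self-signed cert), so the safety check is comparing the
fingerprint with what the router reports before uploading: whatever lands in
Phone-VPN-trust is what the phones will accept as their gateway.
"""

import hashlib
import ssl


def fingerprint(der_bytes, algo="sha256"):
    """Colon-separated upper-case fingerprint, the form IOS and browsers display."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_to_der(pem):
    """PEM text (what a browser export gives you) to the DER bytes that get hashed."""
    return ssl.PEM_cert_to_DER_cert(pem)


def fetch_gateway_cert(host, port=443):
    """Return (pem, sha1_fp, sha256_fp) for the certificate the gateway presents."""
    pem = ssl.get_server_certificate((host, port))
    der = pem_to_der(pem)
    return pem, fingerprint(der, "sha1"), fingerprint(der, "sha256")


def save_for_upload(pem, path):
    """Write the PEM file to hand to CUCM OS Administration (Phone-VPN-trust)."""
    with open(path, "w") as fh:
        fh.write(pem)
    return path


# Constructed sample: a few DER-looking bytes in PEM framing, NOT a real
# certificate, so the PEM/DER plumbing and fingerprint format can be checked offline.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    import sys
    gateway = sys.argv[1] if len(sys.argv) > 1 else "sslvpn.example.com"
    pem, sha1_fp, sha256_fp = fetch_gateway_cert(gateway)
    print("SHA1  :", sha1_fp)
    print("SHA256:", sha256_fp)
    print("saved :", save_for_upload(pem, f"{gateway}.pem"))
```

Run it from a machine on the same network path the phones will use; if the fingerprint does not match the router's, you are looking at something in between (a proxy or a captive portal), and uploading that certificate would teach every phone to trust it.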

Once this is done, go back to the CUCM Administration page and go to Advanced Features -> VPN -> VPN Gateway. Here we can add a gateway, and if we have done everything right the SSL certificate we uploaded previously should be listed in the dropdown.

For the URL, enter whatever URL your users use for their normal SSL VPN connection.

Next, configure the VPN group under Advanced Features -> VPN -> VPN Group. This is relatively straightforward; here you could specify multiple SSL VPN gateways if you were lucky enough to have more than one.

The next stage is to specify the VPN profile, which is done under Advanced Features -> VPN -> VPN Profile.

You can see this is also where we specify the authentication method; in my example I am using user/pass since that is the easiest, but later we will do one with certificates.

OK, almost there! The last step is to associate this VPN profile with a common phone profile. A common phone profile groups together settings common to a particular set of devices; there is a default one, "Standard Common Phone Profile", which you could just edit so that EVERY phone gets the VPN configuration, and therefore anyone could take their phone home if they wanted. That is what I elected to do. Common phone profile configuration is found under:

Device -> Device Settings -> Common Phone Profile

As you can see I have selected the VPN Profile and VPN Group at the bottom.

Once this is done, reset your phone. We can now do quite a bit to verify whether the VPN settings have actually taken effect. Below are some screenshots.

On a 79XX series phone, go to Settings -> Security Configuration and scroll down to VPN Configuration; there you can obtain a lot of information about whether the VPN profile has successfully been applied to the phone.

Once we plugged this phone into an external network, when the phone first booted I got the username/password prompt. After that was entered, the phone successfully registered!

I hope this helps someone out there.

Tuesday, April 15, 2014

Useful URL Filtering command

Hi Guys

Learnt something new today: there is an option to easily filter URLs with Cisco + Websense. You can point a Cisco router at a Websense server and the router will use Websense to decide which URLs are allowed and which are not!

This does a better job of explaining it than I can.

Saturday, April 12, 2014

New Cisco 2700 Access Points

Hi Guys!

Been ages since I have done a blog, but after finishing CCIE DC and moving to New Jersey, USA, I have been super busy.

Anyway, I found something I really wanted to blog about: the new Cisco 2700 access points. I love wireless; I find it super interesting.

The NSA Show (a great podcast that you should listen to) does a great job of going over the benefits of the new Cisco 2700 access point, which has First Customer Ship (FCS) in May.

Let's start with the basics.

The Cisco 2700 AP is the latest access point supporting 802.11ac. It is a 3x4 MIMO design with three spatial streams and very good receive sensitivity. It is available in external- and internal-antenna versions, as you would expect.

Obviously 802.11ac has its own advantages, but this new AP has several extra advantages over the 2600.

First of all, this AP does support Cisco CleanAir; all the CleanAir functionality available in the Cisco 3700 AP is available in this device.

This AP also comes with two Ethernet ports, but NOT to meet speed requirements for 802.11ac, because, as discussed by people much smarter than me, there is no need for more than a 1 Gbps link from the AP: the physical data rate is 1.3 Gbps, but the actual throughput 802.11ac can push is much less. The second Ethernet port is there so that devices such as printers can easily be bridged onto the wired network.

By far my favorite new feature of this AP is a single, unified software image. No more will you have to remember to order the correct image (autonomous, controller-based or mesh); instead you order one part, which comes controller-based by default, and if you need to move it to autonomous you simply plug into the console port and issue a single command. I am sure you could also change it to autonomous via the CLI once it has actually booted, if you wanted.

Cisco are offering a trade-in program: 12 percent of list price as credit for replacing existing Cisco access points (REGARDLESS of how old they are! Even 1140s!) and 18 percent of list price as credit for replacing competitor access points.

All in all, this is the CHEAPEST 802.11ac access point with three spatial streams out there. Go out and buy, my friends!