The Ultimate Cisco Jabber Specialist 2 Lab Guide_Part1

The Ultimate Cisco Jabber Specialist 2 Lab PART 01

The Ultimate Cisco Jabber Specialist 2 Lab Table of Contents Section 1: About The Lab.................................................................................................................... 3 What is Cisco Jabber ................................................................................................................................. 4 Related Links ............................................................................................................................................. 7 Lab Overview ....................................................................................................................................... 8 Jabber Specialist I 2013 Edition Video Walk Through............................................................................. 13 Task 1: Accessing the Lab Equipment ......................................................................................... 14 Task 2: Connecting to Remote Workstations & Servers ....................................................... 16 Section 2: System Preparation ....................................................................................................... 20 Sys Prep: CUCM Server Name to FQDN .................................................................................. 21 Section 3: Jabber Specialist Features .......................................................................................... 22 JST Features Task 1: Service Discovery Configuration ..................................................... 23 JST Features Task 2: Jabber Client Win Install WS01 ....................................................... 27 JST Features Task 3: Certificate Management ..................................................................... 33 JST Features Task 4: Jabber Client Win Install WS02 ....................................................... 64 JST Features Task 5: MRA with Cisco ExpressWay ............................................................. 68 Short Video on Cisco ExpressWay Virtual Machine Deployment ........................................................... 68 JST Features Task 6: Adding User Photos to Web Server.............................................. 141 Section 4: Appendix......................................................................................................................... 150 Appendix A: ExpressWay Options Keys for JSTII Lab ..................................................... 151 Appendix B: CUCM Server Name change to FQDN ........................................................... 152 Appendix C: Bootstrap Jabber for Windows Install........................................................... 154 End Of Lab ............................................................................................................................................ 166

Lab Guide Version 3.5

Presented by The Solutions Readiness Engineers

Page 2 of 166

The Ultimate Cisco Jabber Specialist 2 Lab

Section 1: About the Lab

Welcome To The Jabber Specialist II Lab



Page 3 of 166

The Ultimate Cisco Jabber Specialist 2 Lab What is Cisco Jabber Cisco Jabber™ is a unified communications application that enables you to be more productive from anywhere on any device. Find the right people, see if and how they are available, and collaborate using your preferred method. Today’s global, distributed work environment has resulted in significant challenges for workers, making it harder to connect with the right people and significantly increasing the quantity and modes of communications. Organizations of all sizes are striving to improve communications in order to retain customers, compete for new business, control costs, and grow their business globally. Cisco Jabber for Windows streamlines communications and enhances productivity by unifying presence, instant messaging, video, voice, voice messaging, desktop sharing, and conferencing capabilities securely into one client on your desktop. Cisco Jabber for Windows delivers highly secure, clear, and reliable communications. It offers flexible deployment models, is built on open standards, and integrates with commonly used desktop applications. You can communicate and collaborate effectively from anywhere you have an Internet connection (Figure 1). Figure 1. Cisco Jabber for Windows



Page 4 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Features and Benefits ● Reduce communication delays with presence and contact information: The Cisco Jabber application enables you to see the availability of co-workers and colleagues within and outside your organization. You can immediately see who is offline, available, busy, on the phone, in a meeting, presenting, or in a do-not-disturb state. You can create customized availability states such as “Gone to lunch. Back at 1 p.m.” to provide added context. These capabilities help reduce communication delays and result in faster decision making and enhanced productivity. ● Quickly communicate with borderless enterprise-class instant messaging: Instant messaging is an important communication option that lets you efficiently interact in today’s multitasking business environment. The Cisco Jabber application delivers enterprise-class instant messaging capabilities that are based on the Extensible Messaging and Presence Protocol (XMPP). The solution provides personal and group chat so you can quickly connect with your business colleagues. Chat history and server-based logging capabilities allow you to view the content of prior chats and to store messages for convenience, compliance, and regulatory purposes. Instant messaging is integrated with other communication capabilities so you can simply move between chats, audio conversations, and web conferences. You can even share presence and send instant messages to people outside your organization who may not be using Cisco Jabber. The enterprise-class instant messaging capabilities of this application provide more efficient, highly secure, flexible, and borderless collaboration. ● Bring business-class IP telephony and video to the desktop: Cisco Jabber delivers business-quality voice and video to your desktop. Powered by the market-leading Cisco® Unified Communications Manager call-control solution, Cisco Jabber is a soft phone with wideband and high-fidelity audio, standards-based high-definition video (720p), and desk phone control features. These features mean that high-quality and high-availability voice and video telephony is available at all locations and to your desk phones, soft clients, and mobile devices. Cisco Jabber for Windows makes voice communications simple, clear, and reliable (Figure2). Figure 2. High-Definition Video with Integrated Audio Controls



Page 5 of 166

The Ultimate Cisco Jabber Specialist 2 Lab ● Accelerate team performance with multiparty conferencing and collaboration: The Cisco Jabber application provides for smooth escalation to desktop sharing or Cisco’s marketleading collaboration solution, Cisco WebEx® conferencing. You can instantly share documents and expand chats and conversations to multiparty voice, video, and web conferencing. ● Collaborate from common business applications: You can access the capabilities of the Cisco Jabber application from common desktop applications such as Microsoft Outlook, including lighting up presence and click-to-communicate (instant message and audio and video calling) capabilities. For Microsoft Outlook 2010, you can use the Microsoft contact card click-to-communicate icons directly from within the application to save time and streamline workflows because you can view user availability and initiate communications such as personal and group voice, video, and chat sessions without having to switch between applications.



Page 6 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Related Links Expressway 

Expressway Basic Configuration (Expressway-C with Expressway-E) Deployment Guide



Expressway Cluster Creation and Maintenance Deployment Guide



Certificate Creation and Use With Expressway Deployment Guide



Expressway Administrator Guide



Deployment Guide for IM and Presence Service on Cisco Unified Communications Manager Communications Manager



Cisco Collaboration Edge Architecture



Cisco Expressway Series



Cisco Expressway Series Data Sheet

Jabber Clients 

Cisco Jabber for Windows



Cisco Jabber for iPad



Cisco Jabber Android



Cisco Jabber MAC

Certificate Management 

Security configuration on IM and Presence



Security Certificate management on CUCM



Security Certificate management on VCS/Expressway

Persistent Chat 

External Database Setup for IM and Presence Service



PostgreSQL Database Software Download

Jabber Guest 

Cisco Jabber Guest



Page 7 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Lab Overview Audience and Prerequisites This document is intended to assist solution architects, sales engineers, field engineers, and consultants in learning many of the features of Cisco Unified Communications 10.x System, and Cisco Jabber. This document assumes the reader has an architectural and administrative understanding of the CUCM and has reviewed the latest CUCM SRND. Basic knowledge of how to install and administer CUCM and IM&P is recommended however not necessary. This is a complex lab with many servers and devices interacting with each other. It is strongly recommended that a dedicated and undisturbed six hour window be committed to when completing this lab.

About The Lab The Ultimate Cisco Jabber Specialist Lab 2014 Edition is completely self-paced and virtualized. Although great lengths are taken to make all labs as true to real world as possible, this lab is a virtual lab where pods are cloned, unconventional techniques are utilized that would not typically be done in a production environment. In the lab, we will be using Remote Desktop Protocol (RDP), Jabber softphones as well as other software applications. The goal of the lab is for the attendee to become familiar with the setup, implementation and usage of CUCM/IMP and Jabber. This lab was upgraded from a previous UC 9.x Jabber lab and many of the old host names have not been changed to save on development time. All CUCM/IM&P/CUC servers have been upgraded to 10.x but many of the host names have remained the same, so the student will see for example SiteA-CUCM911 host name but the server is really running 10.0.1 code.

Disclaimer This lab is primarily intended to be a learning tool. In order to convey specific information, the lab may not necessarily follow best practice recommendation at all times. This exercise is intended to demonstrate one way to configure the network, servers and applications to meet specified requirements for the lab environment. There are various ways that this can be accomplished, depending on the situation and the customer’s goals/requirements. Please ensure that you consult all current official Cisco documentation before proceeding with a production/lab design or installation. By enrolling in this class or having access to this document you acknowledge you are aware of this disclaimer and its implications. Lab Guide Version 3.5


Page 8 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Lab Guide Key The following is a description of the conventions, colors, and notation used through this document: Sections with this background color and this icon touch on the business benefits of the step or task with items and talking points highlighting a value proposition of a Solution. Sections with this background color and this icon cover the technical description of the step or task, with items and talking points of interest to technical audiences. Sections with this background color and this icon provide a lab tip for the step or task. Sections with this background color and this icon are for scenario description: Provides background information for performing a step or task. Sections with this background color and this icon represent a warning: read this section for special instructions and considerations.

Pods There are 20 pods in this lab environment; each pod contains the following server configurations:  CUCM 10.5.1.10000-7 Server – Providing local device registration and call control  Cisco Unified CM IM & Presence Server 10.5.1.10000-9 – Providing Presence and Instant Messaging  Cisco Unity Connection 10.5.1.10000-7 – Providing Unified Messaging & Voice Mail  Two Windows 7 Workstations – Student pod access and call clients  Expressway Version Collab-Edge – 8.1.1  Expressway Version Jabber Guest – 8.2.0  Jabber Guest Server – Drop9 10.0.1.216



Page 9 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Lab Topology In this lab topology each device is a virtual machine (VM). This lab is operating on Unified Computer System (UCS) B-Series or C-Series systems. VMware ESXi 5.1 is the operating system and hypervisor running on each lab host computer. The lab UCS host computers are oversubscribed and are not following Cisco’s best practices for UC on UCS. Please follow the best practices outlined on the uc-virtualized web site, this web site can be found here. http://cisco.com/go/uc-virtualized

This topology shows one pod of equipment (Not all parts in this TOPO will be used in this class since there are two parts to this class)



Page 10 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Lab Addressing Tables – Internal and External Addresses  Domain  SiteB.com  Subnet Masks  /24

 X  pod number  50 total pods

 Cisc0123 (C – i – s –c – zero – 1 – 2 - 3) in most cases is the password used in this lab for all workstations and systems  C1sc0123 (C – 1 – s – c – zero – 1 – 2 – 3) is used for SiteB-CUCM02, SiteB-IMP02 platform/OS web page and CLI Host Name SiteB SiteB-CUCM911 SiteB-CUCM02 OS Admin & CLI SiteB-IMP911 SiteB-IMP02 OS Admin & CLI SiteB-CUC911 SiteB-AD SiteB-WS01 StieB-WS02 SiteB-ExpC01 SiteB-ExpC02 Mock Internet Mock-Inet-DNS SiteB-ExpE01 SiteB-ExpE02 SiteB-WS01 StieB-WS02

IP Address External

IP Address Internal (Use from Student WS)

172.19.X.110

10.1.2.110 10.1.2.111

172.19.X.112

10.1.2.112 10.1.2.113

172.19.X.115 172.19.X.120 172.19.X.201 172.19.X.202 172.19.X.142 172.19.X.143

172.19.X.220 172.19.X.242 172.19.X.243 172.19.X.240 172.19.X.241

Domain\User

Password

10.1.2.115 10.1.2.120 10.1.2.201 10.1.2.202 10.1.2.142 10.1.2.143

Administrator Administrator Administrator Administrator Administrator Administrator Administrator Administrator SiteB\aace SiteB\bbad admin admin

Cisc0123 Cisc0123 C1sc0123 Cisc0123 Cisc0123 C1sc0123 Cisc0123 Cisc0123 Cisc0123 Cisc0123 Cisc0123 Cisc0123

10.1.3.20 10.1.3.142 10.1.3.143 10.1.3.101 10.1.3.102

Administrator admin admin SiteB\aace SiteB\bbad

Cisc0123 Cisc0123 Cisc0123 Cisc0123 Cisc0123

If you use the VM Workstations to access the UC Servers web admin you will need to use the INTERNAL addresses to gain access to the servers. If you use your local computers browsers to access the UC servers web admin you will need to use the NAT addresses



Page 11 of 166

The Ultimate Cisco Jabber Specialist 2 Lab System Version Table Description Cisco Unified Communication Manager Cisco Unified CM IM & Presence Cisco Unity Connection Student Remote Work Stations MS Active Directory Server Jabber for Windows ExpressWay Collab Edge

Version 10.5.1.10000-7 10.5.1.10000-9 10.5.1.10000-7 Windows 7 Windows 2008 R2 64 10.5.0 Build 33957 8.1.1

Connectivity to the Lab Environment Detailed instructions will be given at the beginning of Task 1, on how to access the lab. Connectivity to the lab will be achieved through a VPN connection via Cisco AnyConnect and thereafter Remote Desktop Procedure (RDP) to the workstations.

Lab Pre-configuration There are many parts of the lab that are prebuilt and preconfigured before the start of class. Namely:        

CUCM/IM&P/CUC/Expressway/Windows Server & Workstation VM Installations Basic Dial Plan User, Passwords, & PINs in Active Directory Voice Mail Configuration CIPC devices added to CUCM database 2 Windows 7 workstations per site, two sites per pod with CIPC running at startup and registered to CUCM Microsoft Windows 2008 & 2012 R2 server with AD, DNS, DHCP, NTP, FTP installed in the central HQ. All users and DNS entries configured in advance Site B is completely pre-configured except for Cisco Expressway



Page 12 of 166

The Ultimate Cisco Jabber Specialist 2 Lab This lab is a follow along to last year’s wildly successful Jabber Specialist 2013 Edition. In the 2013 edition lab the student performed a full Cisco CUCM/Presence/CUC/Jabber deployment based on UC version 9.1.1 and Jabber Windows 9.2. This video is a walkthrough of the 2013 edition of the Jabber Specialist Lab.

Jabber Specialist I 2013 Edition Video Walk Through Watch this video in HD here - http://youtu.be/S6eoeQsH9ds The lab guide for this lab can be found at - https://db.tt/TMSpQ4g3



Page 13 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Task 1: Accessing the Lab Equipment This section of the lab walks the student through the process of setting up a VPN connection to the Solutions Readiness Engineer’s (SRE) lab Activity Objective In this activity, you will learn the methods to access the lab equipment remotely. Required Resources Student PC connected to the internet.

This section is for students that have Cisco AnyConnect installed on their computer.

Cisco AnyConnect Pre-Installed

This section is for students that DO NOT have Cisco AnyConnect installed on their computer.

Install and Connect with Cisco AnyConnect SSL VPN Client

The ASA might require an upgrade of the AnyConnect client on the student computer if an older version is in use Step 1 Launch the Cisco AnyConnect VPN client

Step 1 Open a web browser and connect to http://tinyurl.com/CiscoAC31

Step 2 Enter uctraining.cisco.com/jabber

Step 2 Download and install Cisco AnyConnect

Step 3 Click Connect

Step 3 Continue to left side of this table and use the Cisco AnyConnect PreInstalled steps to VPN into the SRE Lab after you have installed AnyConnect on your computer



Page 14 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 4 Enter the lab Username & Password (username = stu5xy (xy=pod#), for example stu501 for pod01, and stu522 for pod22). The password will be assigned by the instructor at the start of the lab

Step 5 Click OK to login Step 6 Click Accept on the connection banner

Step 7 Continue to Task 2



Page 15 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Task 2: Connecting to Remote Workstations & Servers Each pod will connect to 4 RDP connections in this section of the lab Step 8

Click Start  All Programs  Accessories  Remote Desktop Connection, from the student’s personal computer

Step 9

Click Options

Step 10

Select Local Resource Tab

Step 11

Click Settings, under remote audio

Step 12

Select Play on this computer & Do Not Record

Step 13

Click OK



Page 16 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 14

Select the General tab and fill in the next two steps in the chart X = you pod number (for example pod 5 = 172.19.5.220) 1nd RDP Session

2nd RDP Session

3rd RDP Session

4th RDP Session

Step 15

172.19.x.220

172.19.x.120

172.19.x.201

172.19.x.202

Step 16

siteb\Administrator

siteb\Administrator

siteb\aace

siteb\bbad

The 172.19 addresses in the chart below are for students to access their pods various Web Admin pages from their own computers browser, while a VPN connection is established to the lab. Pod # Users Pod 01 Pod 02 Pod 03 Pod 04 Pod 05 Pod 06 Pod 07 Pod 08 Pod 09 Pod 10 Pod 11 Pod 12 Pod 13 Pod 14 Pod 15 Pod 16 Pod 17 Pod 18 Pod 19 Pod 20 Pod 21 Pod 22 Pod 23 Pod 24 Pod 25 Pod 26 Pod 27 Pod 28 Pod 29 Pod 30

SiteB-InetDns siteb\Administrator 172.19.1.220 172.19.2.220 172.19.3.220 172.19.4.220 172.19.5.220 172.19.6.220 172.19.7.220 172.19.8.220 172.19.9.220 172.19.10.220 172.19.11.220 172.19.12.220 172.19.13.220 172.19.14.220 172.19.15.220 172.19.16.220 172.19.17.220 172.19.18.220 172.19.19.220 172.19.20.220 172.19.21.220 172.19.22.220 172.19.23.220 172.19.24.220 172.19.25.220 172.19.26.220 172.19.27.220 172.19.28.220 172.19.29.220 172.19.30.220


SiteB-AD siteb\Administrator 172.19.1.120 172.19.2.120 172.19.3.120 172.19.4.120 172.19.5.120 172.19.6.120 172.19.7.120 172.19.8.120 172.19.9.120 172.19.10.120 172.19.11.120 172.19.12.120 172.19.13.120 172.19.14.120 172.19.15.120 172.19.19.120 172.19.17.120 172.19.18.120 172.19.19.120 172.19.20.120 172.19.21.120 172.19.22.120 172.19.23.120 172.19.24.120 172.19.25.120 172.19.26.120 172.19.27.120 172.19.28.120 172.19.29.120 172.19.30.120

SiteB-WS01 siteb\aace 172.19.1.201 172.19.2.201 172.19.3.201 172.19.4.201 172.19.5.201 172.19.6.201 172.19.7.201 172.19.8.201 172.19.9.201 172.19.10.201 172.19.11.201 172.19.12.201 172.19.13.201 172.19.14.201 172.19.15.201 172.19.19.201 172.19.17.201 172.19.18.201 172.19.19.201 172.19.20.201 172.19.21.201 172.19.22.201 172.19.23.201 172.19.24.201 172.19.25.201 172.19.26.201 172.19.27.201 172.19.28.201 172.19.29.201 172.19.30.201


SiteB-WS02 siteb\bbad 172.19.1.202 172.19.2.202 172.19.3.202 172.19.4.202 172.19.5.202 172.19.6.202 172.19.7.202 172.19.8.202 172.19.9.202 172.19.10.202 172.19.11.202 172.19.12.202 172.19.13.202 172.19.14.202 172.19.15.202 172.19.19.202 172.19.17.202 172.19.18.202 172.19.19.202 172.19.20.202 172.19.21.202 172.19.22.202 172.19.23.202 172.19.24.202 172.19.25.202 172.19.26.202 172.19.27.202 172.19.28.202 172.19.29.202 172.19.30.202

Page 17 of 166


Enter IP Address for your pod in the computer field

Step 18

Enter Domain\User Name, in the User Name field (see chart above)

Step 19

Click Connect

Step 20

Enter Cisc0123 in the password field

Step 21

Click OK

Step 22

Click Yes for the remote verification warning



Page 18 of 166


Your Remote Desktop should look something like this

Step 24

Repeat steps 8 - 23 three more times to open the all four RDP sessions

If you accidentally close CIPC during this lab or it was closed when you started the workstation you will get a “No compatible sound devices: error if you try to open it. The workstation must be rebooted to start CIPC again. Do the following to reboot the workstation Double click on the WorkStation Reboot icon on the desktop of the affected workstation.

Wait for 2 minutes and RDP back into the rebooted workstation.



Page 19 of 166


Section 2: System Preparation



Page 20 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Sys Prep: CUCM Server Name to FQDN In this section the student will explore changes that are necessary on Cisco Unified Communications Manager (CUCM). During the installation of Cisco Unified Communications Manager the server name is configured with host-name. The hostname format needs to be changed to the Fully Qualified Domain Name (FQDN) format. The reason for changing the CUCM server names from hostname or IP address to FQDN, is so they can be resolved by the different services on the UC network. Also during the certificate validation process for Jabber Windows the FQDN is usually called out in the CA signed certs. The use of alternate names could be used in creating the certificates but is not supported by Cisco. Activity Objective In this activity, you will learn the methods to:  Exploration only as this task has already been done for the student Required Resources 

None

Changing the CUCM Server Name The lab network has already been changed for the student due to certificate issues that would arise later in the lab. The steps to change the CUCM server name have been posted to the appendix of this lab guide. Please CLICK HERE to review the steps. Observe below in the first screen shot on the left that the server names are only host names, and on the screen shot on the right they have been changed to the FQDN. All UC Servers in this lab are upgraded from 9.1.1 to version 10.5. Due to time constraints the server hostnames and DNS entries have been left as 9.11



Page 21 of 166


Section 3: Jabber Specialist Features



Page 22 of 166

The Ultimate Cisco Jabber Specialist 2 Lab JST Features Task 1: Service Discovery Configuration Service discovery enables clients to automatically detect and locate services on your enterprise network. Clients query domain name servers (DNS) to retrieve service (SRV) records that provide the location of servers. The primary benefits to using service discovery are: • Speeds time to deployment. • Allows you to centrally manage server locations. Activity Objective In this activity, you will learn the methods to: 

Access Microsoft DNS Administrator



Configure DNS Service Records on a Microsoft Windows 2008 R2 server



Use NSLookUp to confirm the accuracy and operation of configured SRV records

Required Resources To complete this section of the lab the student will need a computer that is connected to the lab via VPN and an RDP connection to your pod’s SiteB-AD (172.19.X.120).

Configure DNS Service Records Creating DNS SRV records for Presence server discovery allows the Administrator to streamline the user experience when first logging into Jabber. If the Jabber client is configured for “On Premise” operation the client will automatically connect to the Presence server infrastructure within an organization without prompting the user for server information. This can even be configured to work in a multi-cluster environment where servers will redirect Jabber clients to their correct home cluster.

Cisco would recommend this method of configuration a best practice.



Page 23 of 166


Switch to SiteB-AD (172.19.X.120) RDP session opened earlier

Step 26

Click Start  Administrative Tools  DNS to open the DNS Manager tool

Step 27

Click the + (plus sign) next to SITEB-AD  Forward Lookup Zone  siteb.com

Step 28

Select siteb.com to highlight it

Step 29

Right click siteb.com

Step 30

Select Other New Records, from the pop-up menu

Step 31

Scroll down and select Service Location (SRV) from the resource record types pop up window

Due to time constraints during the development of this lab the upgraded CUCM and IMP server did not get renamed with a new host name, therefore both the CUCM and IMP publishers have 911 in their name. These server have been upgraded to 10.5.1 although their name remains the same.

Step 32

Click Create Record

Step 33

Fill in the following information: a. Domain  siteb.com (pre-filled-in) b. Service  _cisco-uds (underscore cisco) c. Protocol  _tcp (underscore tcp) d. Priority  0 (default) e. Weight  0 (default) f.

Port Number  8443

g. Host offering this service = siteb-cucm911.siteb.com Step 34

Click OK



Page 24 of 166


Click Create Record (again)

Step 36

Fill in the following information: h. Domain  siteb.com (pre-filled-in) i.

Service  _cisco-uds (underscore cisco)

j.

Protocol  _tcp (underscore tcp)

k. Priority  0 (default) l.

Weight  0 (default)

m. Port Number  8443 n. Host offering this service = siteb-cucm02.siteb.com Step 37

Click OK

Step 38

Click Done

Step 39

Select _tcp, under siteb.com in the DNS Manager

Jabber will query DNS for SRV records based on user domain in parallel The highest priority returned record will be used for service Priority

Service

HTTPRequest/DNS SRV

1

WebEx Messenger

HTTP CAS lookup

2

UC Manager 9.x/10.x

_cisco-uds._tcp.example.com

3

Cisco Presence 8.x

_cuplogin._tcp.example.com

4

Collaboration Edge

_collab-edge._tls.example.com

Step 40

Observe that both _cisco-uds and _cuplogin are both present in the _tcp section of siteb.com DNS records. The _cuplogin was left over from a previous install of Jabber version 9.2, _cisco-uds takes priority

Step 41

Close DNS Manager



Page 25 of 166

The Ultimate Cisco Jabber Specialist 2 Lab FYI – The reason the sitea-cucm911.sitea.com FQDN has 911 in it is because this lab was upgraded from a CUCM 9.11 to CUCM 10.5 but the host names have not been changed. Sorry for the confusion, this will be changed in the future with time permitting.

Verify _cisco-uds DNS Service Records Step 42

Switch to SiteB-WS01 (172.19.X.201 Alex Ace RDP Session)

Step 43

Click Yes to the Revocation Security Alert (if presented)

Step 44

Click the Command Prompt icon on the task bar

Step 45

Type nslookup

Step 46

Press Enter to enter into nslookup mode

Step 47

Type set type=srv (in all lower case)

Step 48

Type _cisco-uds._tcp.siteb.com

Step 49

Press Enter

Note the output displays the appropriate information for the _cisco-uds SRV record that was built in the previous section.

If an error such as the one pictured below is returned check the command entered in above or confirm your _cisco-uds service record has been configured properly on SiteB’s AD. Do not continue until a positive result is obtained.

Step 50

Close the Command Prompt window

Step 51

Do not close the RDP sessions



Page 26 of 166

The Ultimate Cisco Jabber Specialist 2 Lab JST Features Task 2: Jabber Client Win Install WS01 In this section the students will do install Jabber client for Windows. Activity Objective In this activity the student will install the Cisco Jabber Client for Windows. 

two standard installs

Required Resources A personal computer VPN’ed into the lab environment and a RDP session into the lab’s workstations.

Logging into Student Remote Workstations If you have not logged into the student workstations please return to the logging into the student remote workstations section to login to the student workstations

Checking Windows Certificate Manager Later in this lab guide the student will work with certificate management to conceal the invalid certificate messages from the end users. This section is to start becoming familiar with certificate interaction. Observe that before the Windows Jabber Client is installed there are no Jabber related certificates in the certificate manager on windows.

Step 52

Open the Command Prompt window form the task bar on SiteB-WS01

Step 53

Enter certmgr

Step 54

Press Enter

Step 55

Select Enterprise Trust  Certificates (there might not be a certificate subfolder for enterprise trust if there are no certificates)

Step 56

Observe that there are no trusted certificates in the right panel of Certificate manager

Step 57

Do not close Certificate Manager This is how it will look if no Enterprise Certs have been entered. This is the default for the lab workstations.



Page 27 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Installing Jabber on Remote SiteB-WS01 In this section Jabber will be installed on the SiteB-WS01. Jabber for Windows ships as a MSI installer files. Cisco provides a single MSI file for both on premise and cloud configurations.

Step 58

Switch to Siteb-WS01 (172.19.x.201 – Alex Ace) RDP Session (if not already there)

Step 59

Launch the Firefox browser, on SiteB-WS01

DO NOT use any of the FireFox favorites on the tool bar to install this version of Jabber, otherwise you will install an old version of Jabber. Step 60

Browse to the following URL from SiteB-WS01 Firefox app to download Jabber  http://tinyurl.com/JST2JabInst

Step 61

Click OK, on warning (if any)

Step 62

Click Download Jabber from the Dropbox web site

Step 63

Click Save File

Step 64

Click CiscoJabberSetup.msi in the Downloads window or folder (wait for it, kind of slow to start install)

Step 65

Click Run



Page 28 of 166


Click Accept and Install

Step 67

Click Yes, when asked to allow changes to be made to this computer (wait For it)

Step 68

Keep Launch Cisco Jabber checked

Step 69

Click Finish



Page 29 of 166


Click Accept to verify the non-valid CUCM certificate (The certificates might come up in a different order depending on the SRV Record round robin state)

Step 71

Click Accept to verify the non-valid CUCM certificate again for the 2nd server

In Jabber 10.5 the Windows client is collecting the Username of the person logged into the workstation from Windows and the domain name and automatically adding those to the login so the user only has to put in the user password at initial login. Step 72

Enter Cisc0123 for the users password

Step 73

Select Sign me in when Cisco Jabber Starts

Step 74

Click Sign In



Page 30 of 166


Click Accept to verify the non-valid IMP certificate (one of the certificates but just show up as SiteB instead of a host name that is OK)

Step 76

Click Accept to verify the non-valid IMP certificate again for the 2nd server

Step 77

Click Accept to verify the non-valid CUC certificate

Step 78

Close all Firefox windows

Step 79

Observe Alex Ace is logged in to her Windows Jabber Client



Page 31 of 166

The Ultimate Cisco Jabber Specialist 2 Lab If the Cisco Jabber client fails to discover the network service, this is most likely an issue with the SRV record created in the first section of this lab guide. Use NSLOOKUP in the command prompt from this workstation to troubleshoot this issue. CLICK HERE to return to the DNS configuration section.

Checking Certificates After signing into Cisco Jabber Client for Windows observe the certificate that was added to the certificate manager. During the certificate management section of this lab, the student will learn how to avoid invalid certificate warning messages to be presented to the end user the first time they login to Cisco Jabber Client for Windows.

Step 80

Open the Command Prompt window form the task bar on SiteB-WS01 (if not already open)

Step 81

Enter certmgr

Step 82

Press Enter

Step 83

Select Enterprise Trust  Certificates (there might not be a certificate subfolder for enterprise trust if there are no certificates)

Step 84

Observe that there are no trusted certificates in the right panel of Certificate manager (Sometimes F5 needs to be pressed to get screen to update)

Before Jabber Client Login Step 85

Close Certificate Manager

Step 86

Close DOS Box


After Cisco Jabber Client Login


Page 32 of 166

The Ultimate Cisco Jabber Specialist 2 Lab JST Features Task 3: Certificate Management In this section of the lab the self-signed certificates that are on the UC servers at the time of install will be replaced by Certificate Authority (CA) signed certificates. Cisco Jabber uses certificate validation to establish secure connections with servers. When attempting to establish secure connections, servers present Cisco Jabber with certificates. Cisco Jabber validates those certificates against certificates in the Microsoft Windows certificate store. If the client cannot validate a certificate, it prompts the user to confirm if they want to accept the certificate.

Activity Objective In this activity, you will learn the methods to: 

Access Microsoft Certificate Manager



Create CA signed certificates using Microsoft Certificate Authority (CA)



Deploy CA signed certificates to CUCM/IM&P/CUC

Required Resources To complete this section of the lab the student will need a computer that is connected to the lab via VPN, and an RDP connection to your pod’s SiteB-AD (172.19.X.120).



Page 33 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Installing Certificate Authority Role on Windows 2008 R2 Server Although installing MS Certificate Authority (CA) Role is not part of the Cisco Unified Communication solution, it is necessary to have access to a 3rd party CA server to create signed certificates. For simplicity, the MS CA Role was chosen for this lab since an MS Windows 2008 R2 (Win2K8R2) server running as the Active Directory and Exchange server already exists. This quick video will show the steps completed to prepare the Win2K8R2 server to be a CA.

Short Video on Installing Microsoft Certificate Authority Role on Win2K8R2 Watch this video in HD here - http://youtu.be/pr-mJrJSfV8

Download CA Root Certificate from CA Server In this section the Certificate Authority (CA) Root Certificate will be downloaded from the CA server, and uploaded to SiteB-CUCM911 tomcat-trust. As part of the building of this lab the developers already uploaded the CA Root Certificate to the publishers, and subsequently replicated to the rest of the servers in the cluster. Although the CA Root certificate has been uploaded the student is going to do it again to learn the process.

Step 87

Switch to the SiteB-AD (172.19.X.120 – x=pod#) RDP session

Step 88

Launch Firefox by clicking the icon on the task bar at the bottom of the desktop

Step 89

Click Certificate Services on Firefox’s favorite bar

Step 90

a:

Log in to Certificate Services with:Username  Administrator

b:

Password  Cisc0123

Click Download a CA certificate, certificate



Page 34 of 166

The Ultimate Cisco Jabber Specialist 2 Lab chain, or CRL

Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. Why 64? Because you can generally rely on the same 64 characters being present in many character sets, and you can be reasonably confident that your data's going to end up on the other side of the wire uncorrupted. Step 91

Select Base 64 under Encoding Method

Step 92

Click Download CA Certificate

Step 93

Click Save File (should be the default)

Step 94

Click OK to save the CA certificate

Step 95

Click the Firefox Download Arrow in the upper left corner



Page 35 of 166


Click the File Folder next to certnew.cer

Step 97

Right click certnew.cer in the Explorer window

Step 98

Click Rename from the pop-up menu

During the course of this lab the student will create many certificates, it is much easier to track which certificates are which by but renaming each one as you create them. Step 99

Rename the file to CARootCert.cer

Step 100 Close File Explorer window



Page 36 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Upload CA Root Certificate to CUCM In this section the CA root certificate will be uploaded to SiteB-CUCM911 (publisher) and it will be replicated to the other three servers in the clusters (SiteB-CUCM02, SiteB-IMP911, and SiteB-IMP02). Step 101 Return to the Firefox browser on SiteB-AD (172.19.X.120 – x=pod#) RDP Session Step 102 Click + to open another browser tab

Step 103 Click SiteB-CUCM911 favorite in the SiteB-UC Favorite folder

Step 104 Click Cisco Unified Communications Manager

Step 105 Click I Understand the Risks on the untrusted connection warning (If presented) Step 106 Click Add Exception on the untrusted connection warning (If presented) Step 107 Click Confirm Security Exception on the add security exception pop-up (If presented) Step 108 Select Cisco Unified OS Administration from the top left Navigation dropdown menu Step 109 Click Go



Page 37 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 110 Log in using the following credentials: a. Username  Administrator (Case Sensitive) b. Password  Cisc0123 (Case Sensitive) c. Click Login Step 111 Click Security  Certificate Management

Step 112 Click Find Step 113 Observe the self-signed certificates that exist on CUCM by default at install The CA Root Certificate was uploaded to the Tomcat-trust of the publisher during lab development, and has been replicated to the subscribers in the cluster. Observe the tomcat-trust has a certificate from siteb-SITEB-AD-CA.pem, that is the root certificate that was replicated from the publisher to this subscriber. Previous to the upload of the CA Root Cert the tomcat-trust on the publisher and this subscriber was the self-signed certificate generated by the CUCM server installer during the server install. In this section the student will upload the CA Root to SiteB-CUCM911 (publisher) so the student understands what was done to the publisher, although this step could be skipped due to the fact that it was done prior to the start of the lab.



Page 38 of 166


Step 114 Click Upload Certificate/Certificate Chain Step 115 Select tomcat-trust, (careful here) Step 116 Click Browse… Step 117 Click Downloads, on the left side navigation pane Step 118 Click and Select CARootCert.cer from the list of files and folders Step 119 Click Open

Step 120 Click Upload File, on the upload pop-up window Step 121 Verify the file uploaded successfully

Step 122 Click Close, to close the file upload pop-up window Step 123 Click Find, to refresh the certificate list



Page 39 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 124 Observe that the SiteB-AD CA Root Certificate is now listed (notice no real change due to the CA Root Cert being replicated form the publisher, also in some cases the description will not change that is a version issue and has not effect on the operation)

Generate and Download Certificate Signing Request (CSR) In this section the student will generate a Certificate Signing Request which in turn will be used on the MS CA to generate a self-signed certificate for each service on each server. In CUCM 10.0 and lower a certificate would have been generated by the CA root for each node in the cluster, and uploaded to each of the servers in the cluster. This would have been repeated in the IMP clusters and the CUC clusters. In 10.5 CUCM and IMP are in the same cluster so only one CA root certificate and one CA signed certificate needs to be created and uploaded to the CUCM publisher and both the root and the CA signed certificate will be replicated to all servers in the CUCM and IMP cluster. Step 125 Click Generate CSR form the OS Administrator web page

Step 126 Fill in the following information in the Generate Certificate Signing Request pop-up windows: a. b. c. d. e.

Certificate Name  tomcat Distribution  Multi-Server(San) Key Length  2048 Hash Algorithm  SHA256 Click Generate

After the Generate button is clicked a few moments later a pop-up screen will appear and ask for the Admin Username and Password for both of the subscribers since they both have different passwords than the publishers. f. g. h. i. j. k.


Enter UserName  Administrator (twice) Enter Password  C1sc0123 (twice) Click  Login Click  Never Remember Password For This Site (firefox pop-up) Observe Success message Click  Close to close the CSR pop-up window


Page 40 of 166


Step 127 Verify Success of CSR generation

Step 128 Click Close, on the Generate CSR pop-up window Step 129 Click Download CSR

Step 130 Confirm tomcat, is selected Step 131 Click Download CSR Lab Guide Version 3.5


Page 41 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 132 Select Save File Step 133 Click OK to save the CSR

Step 134 Click Close on the Download Certificate Signing Request pop-up window Step 135 Click the Download Arrow in the upper right corner of Firefox Step 136 Click the File Folder

Step 137 Right click tomcat.csr in Explorer window Step 138 Click Rename from the pop-up menu

It is good practice to rename each certificate file as you download them to your local computer, so the certificates do not get mixed up. Step 139 Rename the file to SiteB-CUCM911_tomcat.csr (2nd time use SiteBIMP02_tomcate.csr) Step 140 Double click SiteB-CUCM911_tomcat.csr, in Windows File Explorer



Page 42 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 141 Pick Select a program from a list of installed programs Step 142 Click OK Step 143 Select Notepad Step 144 Click OK Step 145 Select Format  Word Wrap, from the Notepad menus Step 146 Press CTRL-A, to highlight everything in the CSR file Step 147 Press CTRL-C, to copy highlighted data into the computer buffer Be careful to not change anything in this test file, this is also a difficult troubleshoot.

Step 148 Close NotePad Step 149 Close the Windows File Explorer window

Submit and Download SiteB-CUCM02 Tomcat Signed CA Certificate Step 150 Return to Firefox on SiteA-AD RDP session Step 151 Switch back to the MS AD Certificate Services Web Page tab



Page 43 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 152 Click Certificate Services favorite link to return to the CA Services home page

Step 153 Click Request A Certificate

Step 154 Click Advanced Certificate Request

Step 155 Click in the Saved Request field to make it active Step 156 Press CTRL-V to past the data saved to the computer buffer Step 157 Select Web Server for the Certificate Template Step 158 Click Submit Step 159 Select Base 64 encoded Step 160 Click Download Certificate (careful here)



Page 44 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 161 Select Save File (default) Step 162 Click OK to save the certificate Step 163 Click the Download Arrow in the upper right corner of Firefox Step 164 Click the File Folder

Step 165 Right click certnew.cer in Explorer window Step 166 Click Rename on the pop-up menu Step 167 Enter SiteB-CUCM911_CASignedTomCat.cer to rename the file Step 168 Close the File Explorer window

Upload SiteB-CUCM02 CA Signed Tomcat Certificate to CUCM Step 169 Click the 2nd Firefox tab to switch to SiteB-CUCM911 Cisco Unified Operating System Administration web page Step 170 Login a: b: c:

with the following information if the previous session logged out Username  Administrator Password  Cisc0123 Click Login

Step 171 Click Security  Certificate Management (if not all ready there) Step 172 Click Upload Certificate/Certificate Chain Step 173 Select a: b: c: d: e: f: g:

h: i:


the following Certificate upload information Certificate Name  tomcat Description  Self-signed Certificate (default) Upload File  Click Browse Upload file  Downloads\SiteB-CUCM911_CASignedTomCat.cer Click Open Click Upload file Enter the 02 server credentials a. Enter UserName  Administrator (twice) b. Enter Password  C1sc0123 (twice) Click  Login Click  Never Remember Password For This Site (if presented)


Page 45 of 166


Notice that unlike previous version of UC products where you had to generate a CSR for each node in the cluster, create a CA signed certificate for each node in the cluster, and upload a CA signed certificate for each node in the cluster, in UC 10.5 software you only have only to generate one CSR per cluster (CUCM/IMP considered in same cluster now), create one CA signed certificate per cluster and upload one CA signed certificate per cluster. In previous versions of UC software the following was the method of configuring certificates  Upload root certificate to the publisher of the CUCM Cluster  Upload root certificate to the publisher of the IMP Cluster  Upload root certificate to the publisher of the CUC Cluster  Generate CSRs for each node in the CUCM cluster  Generate CSRs for each node in the IMP cluster  Generate CSRs for each node in the CUC cluster  Create CA signed certificates for each node in the CUCM Cluster  Create CA signed certificates for each node in the IMP Cluster  Create CA signed certificates for each node in the CUC Cluster  Upload CA signed certificates for each node in the CUCM Cluster  Upload CA signed certificates for each node in the IMP Cluster  Upload CA signed certificates for each node in the CUC Cluster Assuming three servers in each of the three clusters listed above, the following would be true  Generate 27 CSRs (3 CUCM + 3 IMPs + 3 CUC) x 3 = 27 Servers  Create 27 CA signed certificates  Upload 27 CS signed certificates



Page 46 of 166

The Ultimate Cisco Jabber Specialist 2 Lab In UC        

10.5 software the following is the new method of configuring certificates Upload root certificate to the publisher of the CUCM/IMP Cluster Upload root certificate to the publisher of the CUC Cluster Generate one CSRs for the whole CUCM/IMP cluster Generate one CSRs for the whole CUC cluster Create one CA signed certificates for the whole CUCM/IMP Cluster Create one CA signed certificates for the whole CUC Cluster Upload one CA signed certificates for the whole CUCM/IMP Cluster Upload one CA signed certificates for the whole CUC Cluster

Assuming three servers in each of the three clusters listed above, the following would be true  Generate 2 CSRs (1 for CUCM/IMP + 1 for CUC)  Create 2 CA signed certificates  Upload 2 CS signed certificates And as you can see with the 10.5 upgrades to certificates there is much less work! Step 174 Verify Successful certificate upload

Step 175 Click Close, to close the certificate upload pop-up window Step 176 Click Find, to update the Certificate List Step 177 Observe the updated tomcat and tomcat-trust certificates. Tomcat-trust has a siteb-SITEB-AD-CA.pem file, and tomcat has a siteb-SITEB-AD-CA in the description field

Step 178 Click the PuTTy icon on the task bar at the bottom of the SiteB-AD RDP session Step 25

Select SiteB-CUCM911 (repeat 3 more times so all 4 listed UC servers have had their Tom Cat service restarted), from the saved sessions

SiteBCUCM01 Cisc0123

SiteBCUCM02 C1sc0123

SiteBIMP911 Cisc0123

SiteB-IMP02 C1sc0123

To open more than one PuTTy session at a time do the following Lab Guide Version 3.5


Page 47 of 166

The Ultimate Cisco Jabber Specialist 2 Lab  

Right click the PuTTy icon on the bottom task bar of SiteB-AD Select SSH, Telnet and Rlogin client

Step 26

Click Open

Step 27

Login With a:

Login as  Administrator (Case Sensitive)

b:

Password  Cisc0123 (Case Sensitive) See password chart above for each server

Step 28

Enter utils service restart Cisco Tomcat, (Case Sensitive)

Step 29

Observe and wait for the Tomcat service to fully stop and restart (takes about 1 minute – You can leave PuTTy open and repeat this section 3 more times for SiteB-CUCM02, SiteB-IMP911, and SiteB-IMP02

Step 30

Repeat steps 178 – 184, three more time – Go ahead and do the repeat while the service restarts

Step 31

Close all PuTTy windows once the Tomcat service has restarted on each servers

Step 32

Click OK to confirm PuTTy window close



Page 48 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Adding CA Signed XMPP Certificate to SiteB-IMP02 In this section the student will upload the CA signed XMPP certificate to SiteB-IMP02 server. The CA Root Certificate was uploaded to the CUCM911 publisher server during the previous section of the lab. Here the CA Root certificate will be uploaded for the cup-xmpp-trust. A cup-xmpp CSR will be generated and certificate created from this CSR. Step 33

Switch to SiteB-AD (172.19.X.120) RDP Session (if not already there)

Step 34

Click + to open a 3rd Firefox tab

Step 35

Click SiteB-UC from the favorites tool bar

Step 36

Select SiteB-IMP911 from the SiteB-UC favorites drop down menu

Step 37

Click Cisco Unified Communications Manager IM andpresence

Step 38

Click I understand the Risks

Step 39

Click Add Exception

Step 40

Click Confirm Security Exception

Step 41

Select Cisco Unified IM and Presence OS Administrator from the Navigation drop down menu in the upper right hand corner of the IM&P administration web page

Step 42

Click Go to navigate to the OS Administrator

Step 43

Log in using the following credentials: a. Username  Administrator (Case Sensitive) b. Password  Cisc0123 (Case Sensitive) c. Click Login



Page 49 of 166


Click Security  Certificate Management

Step 45

Click Find

Step 46

Click Upload Certificate/Certificate Chain

Step 47

Select a. b. c. d.

Step 48

Observe the Successful Upload

Step 49

Click Close to close the file upload pop-up window

Step 50

Click Find to refresh the certificate list

Step 51

Observe that the SiteB-AD CA Root Certificate is now listed for cup-xmpptrust


the following Certificate upload information Certificate Name  cup-xmpp-trust Upload File Click Browse  Downloads\CARootCert.cer Click  Open Click  Upload File


Page 50 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Generate and Download Certificate Signing Request (CSR) In this section the student will generate and download the CSR for the xmpp service on SiteB-IMP02. Step 52 Click Generate CSR Step 53

Fill in the following in the Generate Certificate Signing Request pop-up windows: a. b. c. d. e.

Step 54

information

Certificate Name  cup-xmpp Distribution  Multi-Server(SAN) Key Length  2048 (Default) Hash Algorithm  SHA256 (Default) Click Generate CSR

Enter the following credentials for SiteB-IMP02 a. Username  Administrator b. Password  C1sc0123 c. Click  Login d. Click  Never Remember Password for this site (on Firefox popup)



Page 51 of 166


Verify Success of CSR generation

Step 56

Click Close on the Generate CSR pop-up window

Step 57

Click Download CSR

Step 58

Select cup-xmpp, from the Certificate name filed

Step 59

Click Download CSR

Step 60

Select Save File

Step 61

Click OK to save the CSR

Step 62

Click Close on the Download Certificate Signing Request pop-up window

Step 63

Click the Download Arrow in the upper right corner of Firefox

Step 64

Click the File Folder

Step 65

Right click cup-xmpp.csr in File Explorer window

Step 66

Click Rename from the pop-up menu



Page 52 of 166

The Ultimate Cisco Jabber Specialist 2 Lab It is good practice to rename the certificates as you download them to your local computer so they do not get mixed up or overwritten with the same name form a different server.

Step 67

Rename the file to SiteB-IMP911_XMPP.csr

Step 68

Double click the newly renamed file SiteB-IMP911_XMPP.csr

Step 69

Choose Select a program from a list of installed programs (skip step if not presented)

Step 70

Click OK (skip step if not presented)

Step 71

Select Notepad (skip step if not presented)

Step 72

Click OK (skip step if not presented)

Step 73

Select Format  Word Wrap from the Notepad menus (skip step if already done)

Step 74

Press CTRL-A to highlight everything in the CSR file

Step 75

Press CTRL-C to copy highlighted data into the computer buffer

Step 76

Close Notepad

Step 77

Close the File Explorer window



Page 53 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Submit and Download Signed CA Certificate Step 78

Return to Firefox, on SiteA-AD RDP session

Step 79

Switch back to the first Firefox Tab, with MS AD Certificate Services Web Page

Step 80

Click Certificate Services, favorite in Firefox to return to the CA Services home page

Step 81

Click Request A Certificate

Step 82

Click Advanced Certificate Request

Step 83

Click Saved Request field to make it active

Step 84

Press CTRL-V to past the data saved to the computer buffer

Step 85

Select Web Server for the Certificate Template

Step 86

Click Submit



Page 54 of 166


Select Base 64 encoded

Step 88

Click Download Certificate (careful here)

Step 89

Select Save File (default)

Step 90

Click OK to save the certificate

Step 91

Click the Download Arrow in the upper right corner of Firefox

Step 92

Click the File Folder

Step 93

Right click certnew.cer in Windows File Explorer

Step 94

Click Rename on the pop-up menu

Step 95

Enter SiteB-IMP911_CASignedXMPP.cer to rename the file

Step 96

Close the File Explorer window

Upload CA Signed Certificate to IMP02 Step 97

Click 3rd Firefox Tab, to switch to SiteB-IMP911 Operating System Console web page

Step 98

Login with the following information if the previous session logged out a. Username  Administrator b. Password  C1sc0123 c. Click Login

Step 99

Click Security  Certificate Management (if not all ready there)

Step 100 Click Upload Certificate/Certificate Chain Lab Guide Version 3.5


Page 55 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 101 Select the following Certificate upload information a.

Certificate Purpose  cup-xmpp

b.

Description  Self-signed Certificate (default)

c.

Upload File  Click Browse

d.

Upload file  Downloads\SiteB-IMP911_CASignedXMPP.cer

e.

Click  Open

f.

Click  Upload file

g.

Username  Administrator (pop-up window)

h.

Password  C1sc0123

i.

Click  Login

j.

Click  OK, service restart (if presented)

Step 102 Verify the Successful certificate upload

Step 103 Click Close, to close the certificate upload pop-up window Step 104 Click Find, to update the Certificate List Step 105 Observe the updated cup-xmpp and cup-xmpp-trust



Page 56 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 106 Click PuTTy icon on the task bar at the bottom of the SiteB-AD RDP session Step 107 Select SiteB-IMP911 (repeat Step 108 Click Open Step 109 Enter Administrator login as name Step 110 Enter Cisc0123 as the password Step 111 Enter utils service restart Cisco XCP Router, (Case Sensitive) Step 112 Observe and wait for the XCP RouterAd service to fully stop and restart (takes about 2 to 5 minutes – You can leave PuTTy open and continue on to next step, to restart XCP router on SiteB-IMP02)

Step 113 Right click the PuTTy icon Step 114 Click SSH, Telnet and Rlogin client from the pop-up window to open another instance of PuTTy Step 115 Select SiteB-IMP02 Step 116 Click Open Step 117 Enter Administrator login as name Step 118 Enter C1sc0123 as the

password

Step 119 Enter utils service restart Cisco XCP Router, (Case Sensitive) Step 120 Observe and wait for the XCP RouterAd service to fully stop and restart (takes about 2 to 5 minutes Step 121 Close both PuTTy windows Step 122 Click OK to confirm closing the PuTTy window



Page 57 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Accept new certificates for Pidgin In this section the new CUP-XMPP certificates will be accepted for Pidgin to light up the mock user’s presence indicators. In this lab a third party IM client called Pidgin is used to light up all the mock users presence indicators when looking at the Jabber clients on the virtual workstations. This is purely cosmetic and is only to help make the lab more fun. When the CUP-XMPP certificate was upgraded in the previous section the certificates that Pidgin was using became invalid and need to be updated to continue to light up the presence indicators for our mock users in Jabber. Step 123 Switch to SiteB-AD (172.19.X.120 RDP Session) if not all ready there Step 124 Minimize Firefox Step 125 Observe there are multiple SSL Certificate Verification messages

Step 126 Click Accept on all the Pidgin SSL Certificate Verification messages Step 127 Switch to SiteB-WS01 (172.19.X.201 RDP Session) Step 128 Accept any and all In-Valid certificates for Jabber (if presented) Step 129 Click Gear  File  Exit to close the Jabber client on SiteB-WS01 Step 130 Double click the Jabber Client icon on the desktop to open jabber on SiteBWS01 Step 131 Click Accept the invalid certification (if any)

Step 132 Enter Cisc0123 in the password field of the Jabber client Lab Guide Version 3.5


Page 58 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 133 Click Sign In Step 134 Accept any In-Valid certificates Step 135 Observe Alex Ace’s Jabber client becomes active again

When you are done with this section you will have done certificate management on 2 of the 5 UC servers in the SiteB pod. SiteB-CUCM01, SiteB-IMP911, witch in turn the Root certificate and CA signed certificates where automatically propagated to the rest of the servers in the clusters. The SiteB-CUC911 server certificates were configured by the lab developer. In the next section the CA Root Certificate will be installed on the workstation before the install of the Jabber client and the end user will not have to accept any certificates.



Page 59 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Adding the CA Root Certificate to SiteB-WS02 In this section the CA Root Certificate will be manually installed to the SiteB-WS02. The CA Signed Root Certificate can be manually installed on to the workstation or can be pushed down to the workstations using the group polices on the Active Directory server.

Step 136 Switch to SiteB-WS02 (172.19.X.202 Blake Bad) RDP session Step 137 Click Command icon on the bottom task bar Step 138 Enter certmgr

Step 139 Press Enter Step 140 Click the Arrow next to Trusted Root Certification Authority Step 141 Click and highlight Certificates Step 142 Observe there is no SiteB-AD certifications in the Trusted Root CAs Step 143 Launch Firefox on SiteB-WS02 Step 144 Click Certificate Services on the Firefox favorites bar

Step 145 Login with: a. Username  Administrator b. Password  Cisc0123 Step 146 Click login Step 147 Click Download a CA certificate, certificate chain, or CRL Step 148 Select Base 64



Page 60 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 149 Click Download CA Certificate

Step 150 Select Save File Step 151 Click OK Step 152 Click the Download Arrow in the upper right corner Step 153 Click the File Folder, next to the latest downloaded file Step 154 Right Click certnew.cer Step 155 Click Rename Step 156 Rename the file CARootCert.cer Step 157 Double click CARootCert.cer Step 158 Observe that the certificate is from the sitebSiteB-AD-CA Step 159 Click Install Certificate Step 160 Click Next, on the certificate import wizard welcome screen Step 161 Select Place all certificates in the following store



Page 61 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 162 Click Browse

Step 163 Select Trusted Root Certification Authorities, from the select certificate store Step 164 Click OK

Step 165 Click Next on the certificate import wizard Step 166 Click Finish Step 167 Click Yes on the security warning Step 168 Click OK on the import was successful message Step 169 Click OK to close the certificate window Step 170 Close the File Explorer windows Step 171 Return to Certificate Manager Step 172 Select Trusted Root Certification Authorities (if not all ready there) Step 173 Press F5 to refresh the list of issued trusts



Page 62 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 174 Observe there is now a siteb-SITEB-AD-CA certificate in the trusted root certs (sometimes CertMgr needs to be closed and reopened to see the CA Cert)

Step 175 Close Certificate Manager



Page 63 of 166

The Ultimate Cisco Jabber Specialist 2 Lab JST Features Task 4: Jabber Client Win Install WS02 In this section the students will install the Jabber client for Windows on SiteA-WS02, after certificate management has been performed on the UC servers. This will eliminate the invalid certificate errors the end user saw during the initial login of Cisco Jabber Client for Windows, in section 2 of the lab. Activity Objective In this activity the student will install the Cisco Jabber Client for Windows. 

standard installs

Required Resources A personal computer VPN’ed into the lab environment and a RDP session into the lab’s workstations.

Logging into Student Remote Workstations If you have not logged into the student workstations please return to the logging into the student remote workstations section to login to the student workstations

Checking Windows Certificate Manager Later in this lab guide the student will work with certificate management to conceal the invalid certificate messages from the end users. This section is to start becoming familiar with certificate interaction. Observe that before the Windows Jabber Client is installed there are no Jabber related certificates in the certificate manager on windows.

Installing Jabber on Remote SiteB-WS02 In this section Jabber will be installed on the SiteB-WS02 Jabber for Windows ships as a MSI installer files. Cisco provides a single MSI file for both on premise and cloud configurations.

Step 176 Switch to Siteb-WS02 (172.19.x.202 – Black Bad) RDP Session (if not already there)



Page 64 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 177 Launch the Firefox browser, on SiteB-WS02 (if not all ready open) DO NOT use any of the FireFox favorites on the tool bar to install this version of Jabber, otherwise you will install an old version of Jabber. Step 178 Browse to the following URL from SiteB-WS02 Firefox app to download Jabber  http://tinyurl.com/JST2JabInst Step 179 Click OK, on warning (if any) Step 180 Click Download Jabber from the Dropbox web site Step 181 Click Save File

Step 182 Click CiscoJabberSetup.msi in the Downloads window or folder Step 183 Click Run (wait for it this will take 10 to 15 seconds for the pop-up window to appear) Step 184 Click Accept and Install

Step 185 Click Yes, when asked to allow changes to be made to this computer (wait For it) Step 186 Keep Launch Cisco Jabber checked



Page 65 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 187 Click Finish

Observe that NO invalid certificate warning messages popped up before the log in screen. This is because the CA signed certificates were uploaded to the UC servers and the CA root certificate was deployed to the workstation. The root certificate can be distributed to the workstations using group policies.

Step 188 Observe the username bbad is already filled in. Jabber 10.5 gathers the username from the domain login of the workstation Step 189 Enter Cisc0123 for the users password Step 190 Select Sign me in when Cisco Jabber Starts Step 191 Click Sign In



Page 66 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 192 Observe the jabber client for Blake Bad logins in with no user intervention for invalid certificates

If the Cisco Jabber client fails to discover the network service, this is most likely an issue with the SRV record created in the first section of this lab guide. Use NSLOOKUP in the command prompt from this workstation to troubleshoot this issue. CLICK HERE to return to the DNS configuration section.



Page 67 of 166

The Ultimate Cisco Jabber Specialist 2 Lab JST Features Task 5: MRA with Cisco ExpressWay In this section the students will configure a Cisco Expressway E and C cluster as well as test access from a remote workstation traversing the Expressway pair using the Mobile Remote Access feature (MRA) of expressway. This lab consists of two Expressway Es and two Expressway Cs that have already been deployed for the student to save time. Also with each deployment of an Expressway server the serial number is different, which would pose issues with applying option keys in the lab. The following video will demonstrate how the Expressways were deployed on the ESXi hosts in the lab.

Short Video on Cisco ExpressWay Virtual Machine Deployment Watch this video in HD here - http://youtu.be/Uoi3hosvygs

Activity Objective In this activity, you will learn the methods to:  Configure Service Records (SRV) on public and internal DNS Servers  Performing the initial configuration of the Expressway E and C Initial Config as well as configure Traversal zones, Domains, and Certificate Management

Required Resources To complete this section of the lab the student will need a computer that is connected to the lab via VPN, a compatible browser on the student’s computer, and RDP sessions to the five devices in the lab.

About the Cisco Expressway Cisco Expressway is designed specifically for comprehensive collaboration services provided through Cisco Unified Communications Manager. It features established firewall-traversal technology and helps redefine traditional enterprise collaboration boundaries, supporting our vision of any-to-any collaboration. As its primary features and benefits, Cisco Expressway:  Offers proven and highly secure firewall-traversal technology to extend your organizational reach.  Helps enable business-to-business, business-to-consumer, and business-to-cloudservice-provider connections.  Provides session-based access to comprehensive collaboration for remote workers, without the need for a separate VPN client. Lab Guide Version 3.5


Page 68 of 166

The Ultimate Cisco Jabber Specialist 2 Lab  

Supports a wide range of devices with Cisco Jabber for smartphones, tablets, and desktops. Complements bring-your-own-device (BYOD) strategies and policies for remote and mobile workers.

The Expressway is deployed as a pair: an Expressway-C with a trunk and line-side connection to Unified CM, and an Expressway-E deployed in the DMZ and configured with a traversal zone to an Expressway-C.

The Expressway runs on VMware on a range of Cisco UCS servers. See Expressway on Virtual Machine Installation

Expressway-C Expressway-C delivers any-to-any enterprise wide conference and session management and interworking capabilities. It extends the reach of Telepresence conferences by enabling interworking between Session Initiation Protocol (SIP)- and H.323-compliant endpoints, interworking with third-party endpoints; it integrates with Unified CM and supports thirdparty IP private branch exchange (IP PBX) solutions. Expressway-C implements the tools required for creative session management, including definition of aspects such as routing, dial plans, and bandwidth usage, while allowing organizations to define call-management applications, customized to their requirements.

Expressway-E The Expressway-E deployed with the Expressway-C enables smooth video communications easily and securely outside the enterprise. It enables business-to-business video collaboration, improves the productivity of remote and home-based workers, and enables service providers to provide video communications to customers. The application performs securely through standards-based and secure firewall traversal for all SIP and H.323 devices. As a result, organizations benefit from increased employee productivity and enhanced communication with partners and customers. It uses an intelligent framework that allows endpoints behind firewalls to discover paths through which they can pass media, verify peer-to-peer connectivity through each of Lab Guide Version 3.5


Page 69 of 166

The Ultimate Cisco Jabber Specialist 2 Lab these paths, and then select the optimum media connection path, eliminating the need to reconfigure enterprise firewalls. The Expressway-E is built for high reliability and scalability, supporting multivendor firewalls, and it can traverse any number of firewalls regardless of SIP or H.323 protocol.

Standard features The primary purpose of the Expressway is to provide secure firewall traversal and sessionbased access to Cisco Unified Communications Manager for remote workers, without the need for a separate VPN client. Rich media session features The following features are available when rich media session licenses are installed on the Expressway:                   

SIP Proxy SIP / H.323 interworking IPv4 and IPv6 support, including IPv4 / IPv6 interworking QoS tagging Bandwidth management on both a per-call and a total usage basis Automatic downspeeding option for calls that exceed the available bandwidth URI and ENUM dialing via DNS, enabling global connectivity Up to 100 rich media sessions on Small/Medium VM server deployments and 500 rich media sessions on Large VM server deployments 1000 external zones with up to 2000 matches Flexible zone configuration with prefix, suffix and regex support Can be neighbored with other systems such as a Cisco VCS or other gatekeepers and SIP proxies n+1 redundancy, can be part of a cluster of up to 6 Expressways for increased capacity and redundancy Intelligent Route Director for single number dialing and network failover facilities Call Policy (also known as Administrator Policy) including support for CPL Support for external policy servers AD authentication for administrators of the Expressway Embedded setup wizard using a serial port for initial configuration System administration using a web interface or RS-232, SSH, and HTTPS Intrusion protection

Mobile and remote access Cisco Unified Communications mobile and remote access is a core part of the Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning, messaging and presence services provided by Cisco Unified Communications Manager when the endpoint is not within the enterprise network. The Expressway provides secure firewall traversal and line-side support for Unified CM registrations. The overall solution provides:  Off-premises access: a consistent experience outside the network for Jabber and EX/MX/SX Series clients  Security: secure business-to-business communications  Cloud services: enterprise grade flexibility and scalable solutions providing rich WebEx integration and Service Provider offerings. Lab Guide Version 3.5


Page 70 of 166

The Ultimate Cisco Jabber Specialist 2 Lab 

Gateway and interoperability services: media and signaling normalization, and support for non-standard endpoints

Figure 1: Unified Communications: mobile and remote access

Figure 2: Typical call flow: signaling and media paths

  

Unified CM provides call control for both mobile and on-premises endpoints. Signaling traverses the Expressway solution between the mobile endpoint and Unified CM. Media traverses the Expressway solution and is relayed between endpoints directly; all media is encrypted between the Expressway-C and the mobile endpoint.

Jabber client connectivity without VPN The mobile and remote access solution supports a hybrid on-premises and cloud-based service model, providing a consistent experience inside and outside the enterprise. It provides a secure connection for Jabber application traffic without having to connect to the corporate network over a VPN. It is a device and operating system agnostic solution for Cisco Unified Client Services Framework clients on Windows, Mac, iOS and Android platforms. It allows Jabber clients that are outside the enterprise to:  use instant messaging and presence services  make voice and video calls  search the corporate directory  share content  launch a web conference  access visual voicemail



Page 71 of 166




Page 72 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Public & Local DNS Requirements for Expressway The local internal DNS has been configured for SRV records in previous sections of this lab, in the next section the student will enter needed SRV records into the public DNS, as well as needed A type DNS records in both the public and local DNS. Public DNS The public (external) DNS must be configured with _collab-edge._tls. SRV records so that endpoints can discover the Expressway-Es to use for mobile and remote access. SIP service records are also required. That Is for general deployment and not specifically for mobile and remote access. For example, for a cluster of 2 Expressway-E systems:

Local DNS The local (internal) DNS requires _cisco-uds._tcp., cuplogin._tcp., _cisco-phone-http. and standard SIP service SRV records. For example:

Ensure that the cisco-uds, _cuplogin and cisco-phone-http SRV records are NOT resolvable outside of the internal network, otherwise the Jabber client will not start mobile and remote access negotiation via the Expressway-E.



Page 73 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Entering Local DNS A Records For Expressway Step 193 Return to the SiteB-AD (172.19.X.120) RDP session opened earlier Step 194 Click Start  Administrative Tools  DNS to open the DNS Manager tool Step 195 Click the + (plus sign’s) next to SITEB-AD  Forward Lookup Zone siteb.com Step 196 Select siteb.com to highlight it Step 197 Right click siteb.com Step 198 Select New Host (A or AAAA)… from the popup menu Step 199 Enter the following in the New Host pop-up window: a.

Name  siteb-expc01

b.

IP Address  10.1.2.142

c.

Check  Create associated pointer (PTR) record

d.

Click Add Host

e.

Click OK on the success message

Step 200 Repeat step 352 seven more times. In total eight entries should be created.

Name (Expressway-C) siteb-expc02

IP Address

IP Address

10.1.2.143

Name (Expressway-E) siteb-expe01

10.1.3.142

siteb-expc-cluster01

10.1.2.142

siteb-expe02

10.1.3.143


10.1.2.143

siteb-expe-cluster01

10.1.3.142


10.1.3.143

Step 201 Click Done on the New Host pop-up windows after entering the last New Host



Page 74 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 202 Review the DNS entries to make sure all eight new entries are correct Step 203 Close the DNS Manager

An Expressway can be part of a cluster of up to six Expressways. Each Expressway in the cluster is a peer of every other Expressway in the cluster. When creating a cluster, you define a cluster name and nominate one peer as the master from which all relevant configurations is replicated to the other peers in the cluster. Clusters are used to:  

Increase the capacity of your Expressway deployment compared with a single Expressway. Provide redundancy in the rare case that an Expressway becomes inaccessible (for example, due to a network or power outage) or while it is in maintenance mode (for example, during a software upgrade).

Entering Public DNS A & SRV Records for Expressway In this section working in the Mock Internet DNS server, the student will add the necessary A records and SRV records to allow clients to find the Expressway E device from the Internet (or in this lab case the Mock Internet). Step 204 Switch to the SiteB-InetDNS (172.19.X.220 – x=pod#) RDP session Step 205 Login in with the following credentials if not already logged in: a.

Username  Administrator

b.


Step 206 Click the DNS Manager icon on the bottom task bar



Page 75 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 207 Click the Arrow next to SITEB-INETDNS  Forward Lookup Zone siteb.com Step 208 Select siteb.com to highlight it Step 209 Right click siteb.com Step 210 Select New Host (A or AAAA)… from the pop-up menu Step 211 Enter the following in the New Host pop-up window a. Name  siteb-expc01 b. IP Address  10.1.2.142 c. Check Marked  Create associated pointer (PTR) record d. Click Add Host e. Click OK on the success message

Step 212 Repeat step 396 to add the following entries. In total there should be eight entries created Name (Expressway-C) siteb-expc02

IP Address

IP Address

10.1.2.143

Name (Expressway-E) siteb-expe01

10.1.3.142


10.1.2.142

siteb-expe02

10.1.3.143


10.1.2.143


10.1.3.142


10.1.3.143



Page 76 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 213 Click Done on the new host pop-up windows Step 214 Review the DNS entries to make sure all eight are correct Step 215 Right click SiteB.com in DNS Manager on SiteB-InetDNS Step 216 Select Other New Records from the popup menu

Step 217 Scroll down and select Service Location (SRV) from the Resource Record Type pop up window

Step 218 Click Create Record Step 219 Create the following record: a.

Domain  siteb.com (pre-filled-in)

b.

Service  _collab-edge (underscore collab)

c.

Protocol  _tls (underscore tls)

d.

Priority  0 (default)

e.


f.


g.

Host Offering This Service =

h.

siteb-expe01.siteb.com

Step 220 Click OK Lab Guide Version 3.5


Page 77 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 221 Click Create Record (again) Step 222 Create the following record: a.

Domain  siteb.com (pre-filled-in)

b.

Service  _collab-edge (underscore collab)

c.

Protocol  _tls (underscore tls)

d.

Priority  0 (default)

e.


f.


g.

Host Offering This Service =

h.

siteb-expe02.siteb.com

Step 223 Click OK Step 224 Click Done Step 225 Select _tls, under siteb.com in the DNS Manager Step 226 Observe that both _collab-edge are in the _tls folder and have the correct addresses

Step 227 Close DNS Manager



Page 78 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Initial Expressway Configuration for Expressway C and E These Expressways have been deployed and locked down for this lab. No initial administration was done on these devices. The student will make all configuration changes to the Expressways.

There are 4 Expressways in this lab for Collab Edge, two Cs and two Es. The student will configure the first C and the first E of a two clustered pairs. SiteBExpC02 and SiteB-ExpE02 have already had this configure done before class started. The following Video shows the deployment of an Cisco Expressway Watch this video in HD here - http://youtu.be/Uoi3hosvygs

Step 228 Switch to the SiteB-AD (172.19.X.120 – x=pod#) RDP Session Step 229 Launch Firefox from the task bar at the bottom of the desktop (if not already open) Step 230 Click + sign to open a new tab if Firefox was already open This section will be done twice, once for Siteb-ExpC01 and once for SiteB-ExpE01 Follow from here down and when you get to a table take the left side the first time through for SiteB-ExpC01, and take the right side when doing the second pass for SiteB-ExpE01



Page 79 of 166

The Ultimate Cisco Jabber Specialist 2 Lab SiteB-Expressway C 01

SiteB-Expressway E 01

Use Left Column First Pass of Section

Do this step when repeating

Step 231 Click Expressway  SiteBExpC01 from the Firefox favorite bar

Open a new tab in Firefox and browse to Expressway  SiteB-ExpE01 from the Firefox favorite bar

Step 232 Click I Understand the Risks (if presented) Step 233 Click Add Exception (if presented) Step 234 Click Confirm Security Exception (if presented) Step 235 Login in with the following credentials a.

Username  admin (all lower case)

b.

Password  TANDBERG (all upper case)

c.

Click Login

Step 236 Observe the Expressway/VSC Web Administration page Step 237 Click the Red Box that indicates “This system has 5 alarms”



Page 80 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 238 Review the five system alarms listed

Step 239 Click the time link on the first alarm under the Action heading. Alternatively, Click System  Time Step 240 Observe that the first three NTP servers have place holders in the address field

Step 241 Delete and clear all the default entries in the address fields

Step 242 Enter 128.107.212.175 in the first NTP Server Address space Step 243 Select US/Pacific for the time Zone



Page 81 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 245 Click Save

Step 246 Observe the bottom of the time page for a minute or so. Eventually the status will go from Starting, to Rejected, to Synchronized. (There is no need to manually refresh as it will do so automatically).

Step 247 Click the Red Alarms box again in the upper right corner. Notice the number of alarms has changed from five to three. If not enough time has passed clicking on the red box again should update it to reflect the new number of alarms. Step 248 Click Change the admin password link under Action on the alarm page. Alternatively click Users  Administrator Accounts Step 249 Click admin to open the admin configuration page Step 250 Enter Cisc0123 in the password field Step 251 Enter Cisc0123 in the confirm password field Step 252 Click Save



Page 82 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 253 Click the Red Alarms box again in the upper right corner. Notice it has dropped from 5 alarms to 2 alarms.

Step 254 Click View Instruction on changing the root password under the Action column heading Step 255 Review the Using the Root Account Help page pop-up Step 256 Close the Help Page when finished reading it Step 257 Click the PuTTy icon on the bottom tool bar SiteB-Expressway C 01



Do this section when repeating

Step 258 Click SiteB-ExpC01 from the saved sessions list in PuTTy

Click SiteB-ExpE01 from the saved session list in PuTTy

Step 259 Click Open Step 260 Click Yes on PuTTy Security Alert (if presented) Step 261 Login as  root (all lower case) Step 262 Enter the password TANDBERG (all uppercase) Step 263 Type the UNIX command passwd at the # prompt Step 264 Press Enter Step 265 Type in  Cisc0123 as the new UNIX password (It will not look like you are typing.) Step 266 Press Enter Step 267 Retype  Cisc0123 to confirm the new password Step 268 Press Enter Step 269 Close the PuTTy window Step 270 Click OK to confirm closing PuTTy



Page 83 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 271 Click the Red Alarms box again in the upper right corner. Notice it has dropped from three alarms to one alarm.

Option keys are used to add additional features to the Expressway. Option keys can either be valid for a fixed time period or have an unlimited duration. Your Expressway may have been shipped with one or more optional features preinstalled. To purchase further options, contact your Cisco representative. The Option keys page (Maintenance  Option keys) lists all the existing options currently installed on the Expressway, and allows you to add new options. The System information section summarizes the existing features installed on the Expressway and displays the Validity period of each installed key. The options that you may see here include:       



Traversal Server: enables the Expressway to work as a firewall traversal server. H.323 to SIP Interworking gateway: enables H.323 calls to be translated to SIP and vice versa. Advanced Networking: enables static NAT functionality and the LAN 2 port on an Expressway-E. Rich media sessions: determines the number of non-Unified Communications calls allowed on the Expressway (or Expressway cluster) at any one time. See the Call types and licensing [p.264] section for more information. TURN Relays: the number of concurrent TURN relays that can be allocated by this Expressway (or Expressway cluster). See About ICE and TURN services [p.49] for more information. Encryption: indicates that AES (and DES) encryption is supported by this software build. Microsoft Interoperability: enables encrypted calls to and from Microsoft Lync 2010 Server (for both native SIP calls and calls interworked from H.323). It is also required by the Lync B2BUA when establishing ICE calls to Lync 2010 clients. It is required for all types of communication with Lync 2013. Expressway Series: identifies and configures the product for Expressway Series system functionality.

Step 272 Click Add a Release Key under the Action heading Alternatively click Maintenance  Option Keys



Page 84 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 273 Observe the Option Keys admin page and take note of the active options

Notice the Serial Number (S/N) in the lower right hand corner of the admin page. This is the serial number that is used to generate licenses and options keys

The Release Keys and Options keys have already been installed into SiteB-ExpC02 and SiteB-ExpE02 (the cluster pair of expressway servers) Step 274 Observe the server model name at the top of the admin page, this will change once all the option keys are installed Step 275 Observe the Active Options This key is the Service Contract Release Key: SiteB-Expressway C 01 Use Left Column First Pass of Section Step 276

Copy and Paste this license number into the Release Key field


Do this section when repeating Copy and Paste this license number into the Release key field

4360497995181665

7176023658098439

into the Release Key field Careful to make sure you have the Release Key field and not the Software Option key field. This key validates the service contract on the server.

into the Release Key field

Ignore the two new alarms that appear for an invalid key, these will clear after a restart that will be performed later in this section.



Page 85 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 277 Click Set Release Key

Step 278 Observe the Yellow message at the top of the screen (Do not restart as that will be completed in a later step)

This Software option key is the Expressway Series key: SiteB-Expressway C 01 SiteB-Expressway E 01 Use Left Column First Pass of Section Step 279


Copy and Paste this license number (Must Be All Caps)


116341E00-1-096C2A6F

116341E00-1-745E2397

into the Software Option Field

into the Software Option Field Notice that although this will ultimately be an Expressway-E server, at this point it is an Expressway-C server. This role will change when a later option key is installed.

Step 280 Click Add Option

Step 281 Observe the server model name at the top has change to Expressway-C. This will change to Expressway-E later in this section.



Page 86 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 282 Observe the Yellow message at the top of the screen. Do not restart as this will be done later in this section.

This Software option key is the H323 SIP – Interworking key: SiteB-Expressway C 01 SiteB-ExpressWay E 01 Use Left Column First Pass of Section


Step 283 Copy and Paste this license number (Must Be All Caps)


116341G00-1-87EACCFB

116341G00-1-A7FB3D03



Step 284 Click Add Option

Step 285 Observe the Interworking Active Options has been added



Page 87 of 166

The Ultimate Cisco Jabber Specialist 2 Lab SiteB-Expressway C 01

SiteB-ExpressWay E 01



No configuration required here for the Expressway-C Move on to the next step below if this is the first pass through this section of the lab

Step 286 Copy and Paste this license number (Must Be All Caps)

116341I1800-1-8F82AD62 into the Software Option Field (this option key is for the E expressway only). This option key is the Turn Relay 1800 Step 287 Click Add Option Step 288 Copy and Paste this license number (Must Be All Caps)

116341T00-1-F768D3DC into the Software Option Field (this option key is for the E expressway only). This option key is the Traversal Service for E option key Step 289 Click Add Options Step 290 Observe the updated model name at the top of the page change from C to E

Step 291 Observe the options added to the Expressway-E



Page 88 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 292 Click System  DNS, in the Expressway web admin Step 293 Enter the following information for each Expressways: SiteB-Expressway C 01 SiteB-ExpressWay E 01 Use Left Column First Pass of Section a. b. c. d.

System Host Name  siteb-expc01 Domain Name  siteb.com Address 1  10.1.2.120 Click Save

Do this section when repeating a. b. c. d.

System Host Name  siteb-expe01 Domain Name  siteb.com Address 1  10.1.3.20 Click Save

Step 294 Scroll down and click DNS Lookup Utility Step 295 Enter siteb-expc02.siteb.com (use same address for ping on both servers) Step 296 Click Lookup

Step 297 Observe the successful DNS Lookup. (Keep going the restart will take place later in the lab)



Page 89 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Configuring the Expressway Cluster

About clusters An Expressway can be part of a cluster of up to six Expressways. Each Expressway in the cluster is a peer of every other Expressway in the cluster. When creating a cluster, you define a cluster name and nominate one peer as the master from which all relevant configurations is replicated to the other peers in the cluster. Clusters are used to:  

Increase the capacity of your Expressway deployment compared with a single Expressway. Provide redundancy in the rare case that an Expressway becomes inaccessible (for example, due to a network or power outage) or while it is in maintenance mode (for example, during a software upgrade).

About the configuration master All peers in a cluster must have identical configuration for subzones, zones, links, pipes, authentication, bandwidth control and Call Policy. To achieve this, you define a cluster name and nominate one peer as the configuration master. Any configuration changes made to the master peer are then automatically replicated across all the other peers in the cluster. You should only make configuration changes on the master Expressway. Any changes made on other peers are not reflected across the cluster, and will be overwritten the next time the master’s configuration is replicated across the peers. The only exceptions to this are some peer-specific configuration items. You may need to wait up to one minute before changes are updated across all peers in the cluster.



Page 90 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Click System  Clustering on the Expressway Admin web page SiteB-Expressway C 01

SiteB-ExpressWay E 01



Step 298 Enter the following a: Cluster Name FQDN  siteb-expc-cluster01.siteb.com b: Configuration Master  1 c: Cluster pre-shared key  Cisc0123 d: Peer 1 IP Address  10.1.2.142 e: Peer 1 IP Address  10.1.2.143 f: Click Save

Enter the following: a: Cluster Name FQDN  siteb-expe-cluster01.siteb.com b: Configuration Master  1 c: Cluster pre-shared key  Cisc0123 d: Peer 1 IP Address  10.1.3.142 e: Peer 1 IP Address  10.1.3.143 f: Click Save

After the restart it might take a few min to sync up the databases. Ignore the errors as they should clear after a few min. However, DO NOT restart now! They will be restarted later in this section.) The clustering page should look something like this once in sync:

Step 299 Click Maintenance  Restart Options Step 300 Click Restart (Be careful to not click shutdown!)



Page 91 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 301 Click OK to restart the system Step 302 Observe the system restarting

Step 303 Repeat Steps 386 – 460 for SiteB-EXPE01 while siteb-expc01 is restarting STOP - make sure to go back and do SiteB-ExpE01! Step 304 Switch to the Firefox tab with SiteB-expC01 Web admin in it

Step 305 Log in with: a. Username  admin (all lower case) b. Password  Cisc0123 (case sensitive) Step 306 Click Login Step 307 Click System  Clustering Step 308 Observe that clustering is now active



Page 92 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Configuring the Expressway-E Unified Communications This section sets the SiteB-ExpE01 Mobile and Remote Access to ON. This will automatically turn this option on for the SiteB-ExpE02 Expressway since it is clustered with SiteB-ExpE01. Cisco Unified Communications mobile and remote access is a core part of the Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning, messaging and presence services provided by Cisco Unified Communications Manager (Unified CM) when the endpoint is not within the enterprise network. The Expressway provides secure firewall traversal and line-side support for Unified CM registrations. The overall solution provides:  Off-premise access: a consistent experience outside the network for Jabber and EX/MX/SX Series clients  Security: secure business-to-business communications  Cloud services: enterprise grade flexibility and scalable solutions providing rich WebEx integration and Service Provider offerings.  Gateway and interoperability services: media and signaling normalization, and support for non-standard endpoints Unified Communications: mobile and remote access

Jabber client connectivity without VPN The mobile and remote access solution supports a hybrid on-premise and cloud-based service model, providing a consistent experience inside and outside the enterprise. It provides a secure connection for Jabber application traffic without having to connect to the corporate network over a VPN. It is a device and operating system agnostic solution for Cisco Unified Client Services Framework clients on Windows, Mac, iOS and Android platforms. It allows Jabber clients that are outside the enterprise to:  Use instant messaging and presence services  Make voice and video calls  Search the corporate directory  Share content  Launch a web conference  Access visual voicemail



Page 93 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 309 Switch to the Firefox tab connected to SiteB-expE01 web admin Step 310 Wait for the SiteB-ExpE01 to restart if not already restarted (about 1 to 3 minutes)

Step 311 Login with: a.

Username  admin (all lower case)

b.


Step 312 Click Login Step 313 Click Configuration  Unified Communications  Configuration Step 314 Select Mobile and Remote Access from the Unified Communications mode drop down menu Step 315 Click Save

Step 316 Click System  Clustering Step 317 Observe that clustering is active on the Expressway-E servers.



Page 94 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Configuring the Expressway-C for Unified Communications In this section the student will configure the Expressway-C to communicate with CUCM and IM&P servers Caution! This section is only for Expressway-C

Step 318 Switch to the Firefox Tab with SiteB-ExpC01 web admin web page Step 319 Login with the following credentials (if Logged out): a:

Username  admin (lower case)

b:

Password  Cisc0123 (CaSe SeNsAtIvE)

c:

Click  Login

Step 320 Click Configuration  Unified Communications  Configuration Step 321 Select Mobile and Remote Access from the Unified Communications Mode drop down menu Step 322 Click Save



Page 95 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Configuring the domains to route to Unified CM You must configure the domains for which registration, call control, provisioning, messaging, and presence services are to be routed to Unified CM for. 

SIP registrations and provisioning on Unified CM: endpoint registration, call control and provisioning for this SIP domain is serviced by Unified CM. The Expressway acts as a Unified Communications gateway to provide secure firewall traversal and line-side support for Unified CM registrations.



IM and Presence services on Unified CM: instant messaging and presence services for this SIP domain are provided by the Unified CM IM and Presence service.

Step 323 Click Configuration  Domains Step 324 Click New Step 325 Enter siteb.com in the Domain Name field Step 326 Set On for the SIP registration and provisioning on Unified CM Step 327 Set On for the IM and Presence services on Unified CM Step 328 Click Create Domain Step 329 Observe that the domain was created



Page 96 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Discovering IM&P and Unified CM servers The Expressway-C must be configured with the address details of the IM&P servers and Unified CM servers that are to provide registration call control, provisioning, messaging and presence services. To have TLS verify mode set to On (the default and recommended setting) when discovering the IM&P and Unified CM servers, the Expressway-C must be configured to trust the tomcat certificate presented by those IM&P and Unified CM servers. Determine the relevant CA certificates to upload: 

If the servers are using self-signed certificates, the Expressway-C's trusted CA list must include a copy of the tomcat certificate from every IM&P / Unified CM server.



If the servers are using CA-signed certificates, the Expressway-C's trusted CA list must include the root CA of the issuer of the tomcat certificates.



TLS verify mode set to On if the Unified CM discovery had TLS verify mode enabled. This means that the Expressway-C will verify the CallManager certificate for subsequent SIP communications. Note that secure profiles are downgraded to use TCP if Unified CM is not in mixed mode.

Step 330 Click Configuration  Unified Communications  IM and Presence Servers Step 331 Click New Step 332 Enter the following IM&P information a:

IM&P Publisher Address  siteb-imp911.siteb.com

b:

Username  AXLuserCUP

c:


d:

TLS Verify Mode  Off

e:

Click  Add Address



Page 97 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 333 Observe the IM&P Server Discovery was successful

Step 334 Click Configuration  Unified Communications  Unified CM Server Step 335 Click New Step 336 Enter the following CUCM information a:

CUCM Publisher Address  siteb-CUCM911.siteb.com

b:

Username  AXLuserCUP

c:


d:

TLS Verify Mode  Off

e:

Click  Add Address

Step 337 Observe the successful discovery message for the CUCM servers.



Page 98 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Uploading CA Root Certification to Expressway Just like all other PKI certificate security based systems the CA Root Certificate must be downloaded from the CA and uploaded to the Expressways. In this section the student will obtain the CA Root certificate from the CA and upload it to two of the Expressways. Step 338 Open a new Firefox Tab

Step 339 Click Certificate Services, on the Firefox favorites bar

Step 340 If requested to, login with: a.

Username  Administrator

b.


Step 341 Click Login (if login pop-up is presented) Step 342 Click Download a CA certificate, certificate chain, or CRL



Page 99 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 343 Select Base 64, Encoding Method

Step 344 Click Download CA Certificate Step 345 Click OK to save the file to the students computer Step 346 Click the Download Arrow in the upper left corner of Firefox Step 347 Click the Folder next to certnew.cer file to browse the folder where the new CA Root Certificate was downloaded to

In the Certificate Management section in this lab, a CA Root Certificate was already downloaded to the SiteB-AD server. The original CA Root Certificate that was previously downloaded may be used for this section of the lab as well. The reason the CA is being downloaded again is in the event a student wishes to only perform the Expressway section of the lab. Step 348 Rename the file to CARoot2Cert.cer

Step 349 Close the File Explorer window Step 350 Return to the Firefox tab for the SitebB-ExpC01 Expressway Web Admin Lab Guide Version 3.5


Page 100 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 351 Click Maintenance  Security Certificates  Trusted CA Certificates Step 352 Click Browse Step 353 Click Downloads on the left side navigation pane Step 354 Select the CARoot2Cert.cer file Step 355 Click Open on the file upload screen Step 356 Click Append CA Certificate Step 357 Observe at the top of the page that the certificate was uploaded



Page 101 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Add Client Server Template to MS CA Server In this section the student will make the necessary changes to the Microsoft Certificate Authority server, to prepare it to create CA Signed certificates for Expressway. This next section although not part of the Cisco UC solution and is not a function of the Microsoft CA server. This section was included because it is mandatory to create a new CA template in MS CA server to create server certificates for Expressway. This template only needs to be created once on the MS CA server and can be reused each time you need to create CA Signed certificates for the Expressway servers. The new Client Server Template will be used again later in this lab for the Jabber Guest Expressways Step 358 Click Start  All Programs  Administrative Tools  Certification Authority on the SiteB-AD RDP session (Should already be on this server) Step 359 Click the + (plus sign) next to siteb-SITEB-AD-CA to open the sub-folders Step 360 Click and highlight Certificate Templates Step 361 Right click certificate templates and select Manage from the pop-up menu

Step 362 Click and highlight Web Server from the Certificate Templates Console Step 363 Right click Web Server



Page 102 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 364 Click Duplicate Templates from the pop-up menu

Step 365 Select Windows Server 2003 Enterprise. It must be 2003 or this new template, that is being created, will not show up when requesting a certificate. Step 366 Click OK Step 367 Enter ClientServer in the Template Display Name field



Page 103 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 525 Click the Request Handling, Tab Step 526 Select Allow private key to be exported Step 527 Click the Extensions tab Step 528 Select Application Policies Step 529 Click Edit

Step 530 Click Add on the Edit Application Policies Extension pop-up window

Step 531 Click Client Authentication Step 532 Click OK



Page 104 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 533 Click OK to confirm the addition of Client Authentication

Step 534 Click Apply Step 535 Click OK to close the properties of New Template Step 536 Close the Certificate Templates Console Step 537 Right Click Certificate Templates in the Certification Authority console Step 538 Click New Step 539 Click Certificate Template to Issue Step 540 Select ClientServer from the list of Certificate Templates Step 541 Click OK

Step 542 Close the Certification Authority console



Page 105 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Configuration of Certificates to prepare for Implementing Traversal Zones In this section the student will generate and upload the appropriate certificates on the Expressways and create a Traversal Zone between the E’s and C’s so they can communicate with each other. Configuring traversal server zones An Expressway-E can act as a traversal server, providing firewall traversal on behalf of traversal clients (such as an Expressway-C). To act as a traversal server, the Expressway-E must have a special type of twoway relationship with each traversal client. To create this connection, you create a traversal server zone on your local Expressway-E and configure it with the details of the corresponding zone on the traversal client. (The client must also be configured with details of the Expressway-E.) After you have neighbored with the traversal client you can:  Provide firewall traversal services to the traversal client  Query the traversal client about its endpoints  Apply transforms to any queries before they are sent to the traversal client  Control the bandwidth used for calls between your local Expressway and the traversal client Note: traversal client-server zone relationships must be two-way. For firewall traversal to work, the traversal server and the traversal client must each be configured with the other’s details. The client and server will then be able to communicate over the firewall and query each other. CLICK HERE to find the Expressway documentation on Cisco.com Step 543 Open FireFox on SiteB-AD (if not already open Step 544 Switch to the first Tab on Firefox, to return to the MS Certificate Server Web Page Step 545 Click Certificate Services, on the IE Favorite bar

Step 546 Enter Administrator in the Field of the pop-up login window (if presented) Step 547 Enter Cisc0123 in the Password field of the pop-up login window (if presented) Lab Guide Version 3.5


Page 106 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 548 Click OK (if presented) Step 549 Click Download a CA Certificate, Certificate chain, or CRL Step 550 Click Yes if presented with a Web Access Warning Step 551 Select Base 64 Step 552 Click Download Latest Base CRL

Step 553 Click Save in the pop-up window at the bottom of the IE Screen Step 554 Click the Download Arrow in the upper left corner of Firefox Step 555 Click the Folder next to certnew.cer file to browse the folder where the new CA Root Certificate was downloaded to

Step 556 Right click certcrl.crl Step 557 Click Rename on the pop-up menu Step 558 Enter CARootCRL.crl to rename the file



Page 107 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 559 Close Windows File Explorer Step 560 Switch to the SiteB-ExpC01 web admin Firefox tab Step 561 Login a. b. c.

in to SiteB-ExpC01 with the following credentials (if needed) Username  admin (lower case) Password  Cisc0123 (case sensitive) Click Login

Step 562 Click Maintenance  Security Certificates  CRL Management Step 563 Click Browse in the Manual CRL Update section Step 564 Click Downloads in the left navigation pane Step 565 Select CARootCRL.crl Step 566 Click Open Step 567 Click Upload CRL File Step 568 Confirm the successful upload of CRL

Step 569 Click Maintenance  Security Certificates  Server Certificate Step 570 Click Generate CSR



Page 108 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 571 Enter the following information a. Common Name  FQDN of Expressway b. Subject Alternative Names  FQDN of Expressway Cluster Plus FQDNs of all peers in the cluster c. IM and Presence chat note aliases  delete entry d. Key Length (in bits)  2048 e. Country  US f. Sate or province  CA g. Locality (town name)  San Jose h. Organization (company name)  Cisco i. Organizational Unit  Cisco j. Click Generate CSR

Step 572 Click Download to download CSR file

Step 573 Select Open Step 574 Click OK to open the CSR in a notepad Step 575 Click Format  Word Wrap in Notepad to see the whole file (might already be done) Step 576 Click CTRL-A to highlight the whole text in notepad Step 577 Click CTRL-C to copy the text into your computer buffer



Page 109 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Be careful not to change anything in this certificate while you have it open in Notepad. It is not easy to troubleshoot if something changes in this file.

Step 578 Close Notepad Step 579 Switch to the MS Certificate Server web admin page tab in Firefox Step 580 Click on the Favorite link Certificate Service to bring the CA server web admin to the home page



Page 110 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 581 Click Request a Certificate

Step 582 Click Advanced Certificate Request

Step 583 Click inside the Saved Request field Step 584 Press CTRL-V to paste the CRS test into the saved request field Step 585 Select ClientServer from the Certificate Template field (this is the template crated in the previous section) Step 586 Click Submit Step 587 Select Base 64 Encode Step 588 Click Download Certificate



Page 111 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 589 Select Save File Step 590 Click OK

Step 591 Click the Download Arrow in the upper right corner or Firefox Step 592 Click the File Folder

Step 593 Right Click certnew.cer Step 594 Select Rename from the pop-up windows Step 595 Rename the file to SiteB-ExpC01Cert.cer Step 596 Click Yes to confirm name extension change

Step 597 Close the File Explorer window Step 598 Switch to the SiteB-ExpC01 tab in the Firefox browser on SiteB-AD RDP session Step 599 Click Browse at the bottom of the server certificate screen to upload a new certificate Step 600 Click Downloads in the left navigation pane Step 601 Find and select the SiteB-ExpC01Cert.cer from the downloads directory Step 602 Click Open Lab Guide Version 3.5


Page 112 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 603 Click Upload Server Certificate Data

The browser will reinitialize and ask to accept the certificate again. Step 604 Click I Understand The Risk Step 605 Click Add Exception Step 606 Click Confirm Security Exception Step 607 Observe the certificate was uploaded but the system needs a restart Step 608 Click Restart from the yellow warning message at the top of the Server Certificate page

Step 609 Click Restart again on the Restart Options window Step 610 Click OK to confirm the restart

Add CA Signed Certificate on SiteB-ExpE01 Step 611 Switch to the SiteB-ExpE01 web admin tab in Firefox Step 612 Login a. b. c. d.

with the following credentials (if logged out) Click Home Username  admin Password  Cisc0123 Click Login

Step 613 Click Maintenance  Security Certificates  Trusted CA Certificate Step 614 Click Browse Step 615 Click Downloads in the left side navigation pane Step 616 Select CARoot2Cert.cer Step 617 Click Open Lab Guide Version 3.5


Page 113 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 618 Click Append CA Certificate Step 619 Observe and confirm that CA Root Certificate has been uploaded

Step 620 Click Maintenance  Security Certificates  CRL Management Step 621 Click Browse Step 622 Click Downloads in the left side navigation pane Step 623 Select CARootCRL.crl Step 624 Click Open Step 625 Click Upload CRL File Step 626 Observe and confirm the CRL was uploaded successfully

Step 627 Click Maintenance  Security Certificates  Server Certificate Step 628 Click Generate CSR



Page 114 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 629 Enter the following information a. Common Name  FQDN of Expressway b. Subject Alternative Names  FQDN of Expressway Cluster Plus FQDNs of all peers in the cluster c. IM and Presence chat note aliases  delete entry (if any) d. Key Length (in bits)  2048 e. Country  US f. Sate or province  CA g. Locality (town name)  San Jose h. Organization (company name)  Cisco i. Organizational Unit  Cisco j. Click Generate CSR



Page 115 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 630 Click Download, to download CSR file

Step 631 Select Open Step 632 Click OK to open the CSR in a Notepad

Step 633 Click Format  Word Wrap in Notepad to see the whole file (if needed) Step 634 Click CTRL-A to highlight the whole text in Notepad Step 635 Click CTRL-C to copy the text into your computer buffer

Step 636 Close Notepad Step 637 Switch to the MS CA Server web admin tab in Firefox Step 638 Click Certificate Services on the Firefox favorite bar to return to the CA home page Step 639 Click Request a Certificate



Page 116 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 640 Click Advanced Certificate Request

Step 641 Select and make active the Saved Request field Step 642 Select ClientServer from the Certificate Template field Step 643 Click Submit Step 644 Select Base 64 Encode Step 645 Click Download Certificate

Step 646 Select Save File Step 647 Click OK

Step 648 Click the Download Arrow in the upper right corner or Firefox



Page 117 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 649 Click the File Folder

Step 650 Right Click certnew.cer Step 651 Select Rename from the pop-up windows Step 652 Rename the file to SiteB-ExpE01Cert.cer Step 653 Click Yes to confirm name extension change

Step 654 Close File Explorer window Step 655 Switch to the SiteB-ExpE01 tab in the Firefox browser on SiteB-AD RDP session Step 656 Click Browse at the bottom of the server certificate screen to upload a new certificate Step 657 Find and select the SiteB-ExpE01Cert.cer file from the Downloads directory Step 658 Click Open Step 659 Click Upload Server Certificate Data

The browser will reinitialize and ask to accept the certificate again Step 660 Click I Understand the Risks Step 661 Click Add Exception Step 662 Click Confirm Security Exception Step 663 Observe the certificate has been uploaded but the system needs a restart



Page 118 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 664 Click Restart from the yellow warning message at the top of the Server Certificate page

Step 665 Click Restart again on the Restart Options window Step 666 Click OK to confirm the restart

Configuring Traversal Zones In this section the student will configure the Traversal zones between the E’s and C’s so they can communicate across the firewalls. Step 667 Switch to the SiteB-ExpE01 web admin Firefox tab (if not all ready there) on the SiteB-AD RDP session Step 668 Wait for SiteB-ExpE01 to finish restarting Step 669 Login a. b. c.

as Username  admin (lower case) Password  Cisc0123 Click Login

Step 670 Click Configuration  Zones  Zones Step 671 Click New Step 672 Enter the following information a. Name  TraversalZoneSiteB b. Type  Traversal Server

Step 673 Click Add/Edit Local Authentication Database Step 674 Click New Step 675 Enter TraversalAdmin in the Name field Lab Guide Version 3.5


Page 119 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 676 Enter Cisc0123 in the password field Step 677 Click Create Credential

Step 678 Close the Local Authentication Database pop-up window Step 679 Fill in the following information (leaveing all un-mentioned fields at default): a. Username  TraversalAdmin b. H323 Mode  Off c. Unified Communications Service  Yes d. TLS Verify Mode  On e. TLS Verify Subject Name  SiteB-ExpC-Cluster01.siteb.com f. Media Encryption Mode  Forced Encrypted g. Authentication Policy  Treat As Authenticated h. Click Create Zone



Page 120 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 680 Switch to SiteB-ExpC01 tab in Firefox on SiteB-AD RDP Session Step 681 Login a. b. c.

as: Username  admin (lower case) Password  Cisc0123 Click Login

Step 682 Click configuration  Zones  Zones Step 683 Click New Step 684 Enter the following information: a. Name  TraversalZoneSiteB b. Type  Traversal Client



Page 121 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 685 Fill in the following information: a. Username  TraversalAdmin b. Password  Cisc0123 c. H323 Mode  Off d. Port  7001 e. Unified Communications Service  Yes f. TLS Verify Mode  On g. Media Encryption Mode  Forced Encrypted h. Authentication Policy  Treat As Authenticated i. Peer 1 Address  siteb-expe01.siteb.com j. Peer 2 Address  siteb-expe02.siteb.com k. Click Create Zone



Page 122 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Observe that SiteB-ExpC01 show active traversal zone Step 686 Click Configuration  Zones  Zones Step 687 Click TraversalZoneSiteB Step 688 Scroll to the bottom and observe that the State status is Active If there is a warning or a connection has failed, wait a min and try to go back in again. Sometimes it takes a minute or so to update and connect.

Observe that the SiteB-ExpE01 show active traversal zone Step 689 Switch to SiteB-ExpE01, Firefox tab admin web page Step 690 Click Configuration  Zones  Zones Step 691 Click TraversalZoneSiteB Step 692 Scroll to the bottom and observe that SIP Reachable and the State status is Active



Page 123 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Validate Internal and External Jabber Client Usage In this section the Cisco Jabber client on the workstations well be logged into both the Internal and External UC services. By connecting to the Expressway-E while on the Internet the Cisco Jabber client is able to register with CUCM without having to create a VPN connection first. Both SiteB-WS01 and SiteB-WS02 have Cisco IP Communicator (CIPC) install, open, and registered with CUCM. Although you will not have CIPC and Jabber running on the same computer in a production network, the CIPC phone serves a purpose in the lab environment. The CIPC is there to represent the users physical desk phone, so the student can see what changes would be happening on the desk phone as the Cisco Jabber client is being used.

During this simulated internet, the CIPC client will remain connected while on the Mock internet but in real life it would not connect without VPN from the internet. Jabber Client Internal Validation Test In this section the student will test the preconfigured system with the Jabber Clients connected to the local internal network. Step 693 Switch to SiteB-WS01 (172.19.X.201 Alex Ace) RDP Session Step 694 Open Cisco Jabber if not already open Step 695 Use the following login credentials (if login is needed) a. Username  aace b. Password  Cisc0123 c. Click Login Step 696 Click Line One, on the CIPC phone



Page 124 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 697 Observe when the CIPC (desk phone) goes off hook the Jabber Presence changes to “On a call” Step 698 Click EndCall on CIPC

Step 699 Set Alex Ace’s presence to away

Step 700 Click Away to set a custom presence Step 701 Type Gone To The Beach Step 702 Press Enter Step 703 Switch to SiteB-WS02 (172.19.X.202 Blake Bad) RDP Session Step 704 Observe that Alex Ace, in the contacts list, has a presence indicator of amber that reads “Gone To The Beach” Step 705 Hover your mouse over Alex Ace in Blake’s contact list. The Icon of a phone handset on the right side of Alex’s name appears. Step 706 Click the Call Icon Step 707 Click Alex’s Work Number, to call Alex

Step 708 Quickly switch to SiteB-WS01 (172.19.X.201 Alex Ace) RDP session Step 709 Click Answer on the Incoming Call pop-up window in the lower right hand corner of Alex’s desktop



Page 125 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 710 Observe on Alex’s Jabber Client that the status is still “Gone to the beach”. This is because she manually set it. On Blake Bad’s Jabber client, however, it indicates “On A Call”. Step 711 Click the Red Hand Set on the Blake Bad’s conversation window to disconnect the call

Observe this call came up as a video call, Both workstations are virtual machines in our lab, and there for do not have a video camera attached to the workstation. e2eSoft VCam virtual video driver has been installed on both workstations. Although video was not needed for this lab, A video driver was required for the Jabber Guest part of this calls.



Page 126 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Jabber Client Internal Voice Mail Validation Test In this section the student will validate that both workstations are connected to Unity Connection voice mail Step 712 Switch to SiteB-WS01 (172.19.X.201 Alex Ace) RDP Session Step 713 Switch Alex’s presence indicator back to Available Step 714 Click the Voice Mail tab on Alex Ace’s Jabber client Step 715 Observe that it indicates that she does not have any VM at this time, but is connected to voicemail Step 716 Click Help  Show Connection Status, on Alex’s Jabber client Step 717 Observe that the Jabber client is connected to the following services (the server names might be different during your lab) a. Softphone  SiteB-CUCM02.siteb.com (CCMCIP) b. VoiceMail  Siteb-cuc911.siteb.com c. Presence  SiteB-IMP911.siteb.com d. Outlook  Yes e. Directory  LDAP f. Close Connection Status, when done observing

Step 718 Switch to SiteB-WS02 (172.19.X.201 Blake Bad) RDP Session Step 719 Click Help  Show Connection Status, on Blake’s Jabber client



Page 127 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 720 Observe Blake’s Jabber Connection status

Step 721 Close Connection Status, on Blake’s desktop when done observing Step 722 Click the Voice Mail tab on Blake’s Jabber client Step 723 Observe that it indicates that he has voice mail



Page 128 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Moving SiteB-WS02 From The Internal To The External (internet) Network In previous sections of the lab the SiteB-WS01 & SiteB-WS02 workstations have been connected to the internal corporate network. In this section SiteBWS02 workstations will be moved out of the corporate office and connect Jabber to the CUCM via the Expressways without a VPN connection. To demonstrate the Expressway functions workstations02 will be moved from the internal corporate network, out on to the public internet. For this lab we have create a MOCK INTERNET by using two vlans. The 5xx series vlans are for the internal network, and the 6xx vlans are the DMZ or our external MOCK internet. The workstations have two network cards in them. To simulate moving the computer from internal to external, the student will turn off the internal network card and turn on the external network card. The following series of lab steps will not only switch the network cards but prove to the student that the workstation is now on a different network.

Step 724 Switch to siteB-WS02 (172.19.X.202 Blake Bad) RDP Session (if not already there) Step 725 Click the DOS Prompt icon on the task bar at the bottom of the desktop Step 726 Enter ipconfig Lab Guide Version 3.5


Page 129 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 727 Observe that the workstation is on the .2 network (3rd Octet), the .2 network is the internal corporate network

Step 728 Type nslookup and press Enter to enter into nslookup mode Step 729 Type set type=srv (in all lower case) Step 730 Type _cisco-uds._tcp.siteb.com Step 731 Press Enter Step 732 Type _collab-edge._tls.siteb.com As a reminder don’t forget two DNS servers were previously configured:  Internal with _cisco-uds SRV records for the Jabber Clients to find the CUCM  External with _collab-edge SRV records for the Jabber Client to find the Expressway E while it is outside on the Internet.

Step 733 Observe that the _cisco-uds is able to be resolved and that _collab-edge was not able to be resolved since we are still internal

Step 734 Close the DOS Prompt Step 735 Navigate to 172.19.X.110 (x=pod#) in a browser from the students computer Step 736 Click Cisco Unified Communications Manager Lab Guide Version 3.5


Page 130 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 737 Login in with the following credentials a. Username  Administrator b. Password  Cisc0123 c. Click Login Step 738 Click Device  Phone Step 739 Click Find Step 740 Observe the IPv4 Address of the two CFS (disregard the Dyslexic lab developer, CFS should be CSF). Notice that both CSF devices are registered on the .2 network

Step 741 Switch to SiteB-WS02 (172.19.X.202 Blake Bad) RDP Session Step 742 Click File  Exit on SiteB-WS02 Jabber Client to exit the app The External Network On bat file turns off the internal network card and turns on the external network card. The Internal Network On bat file does the oppsit it turns off the external network card and turns on the internal network card. The two bat files move the SiteB workstations between the internal network and the mock lab internet. Step 743 Right Click External Network ON icon on SiteB-WS02’s desktop



Page 131 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 744 Click Run as Administrator from the pop-up menu

Step 745 Click Yes to allow the application to make changes to the computer When you click YES in the previous step, the RDP session will drop. In the following steps an RDP connection will be created to the new workstation address Step 746 Click Start  All Programs  Accessories  Remote Desktop Connection, from the student’s personal computer Step 747 Enter 172.19.X.241, (x=pod#) in the Computer filed (workstations outside address) Step 748 Click Connect If the new RDP connection to .241 does not connect at first wait 30 seconds and try again. It takes a little time for the network to converge.

Step 749 Click Use Another Account Step 750 Enter siteb\bbad Step 751 Password Cisc0123 Step 752 Click OK Step 753 Click Yes to the invalid certificate warning Lab Guide Version 3.5


Page 132 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 754 Click Accept on the SiteB-ExpE01.siteb.com invalid certificate (If jabber is open it will reconnect and an invalid certificate will be presented.) Step 755 Click Accept on the SiteB-ExpE02.siteb.com invalid certificate (If jabber is open it will reconnect and an invalid certificate will be presented.)

Validate SiteB-WS02 Is Connected To The External Network The student should now be RDP’ed to SiteB-WS02 via the external address. This section will validate that connection. Step 756 Click the Command Prompt icon on the task bar at the bottom of the desktop Step 757 Enter ipconfig Step 758 Observe that the workstation is on the .3 network (3rd Octet), the .3 network in our lab is the MOCK internet which confirms the network change

Step 759 Type nslookup and press Enter to enter into nslookup mode Step 760 Type set type=srv (in all lower case) Step 761 Enter _cisco-uds._tcp.siteb.com Step 762 Press Enter Step 763 Enter _collab-edge._tls.siteb.com



Page 133 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 764 Observe that the _cisco-uds is NOT able to be resolved and that _collab-edge IS able to be resolved, which is opposite form the previous section

Step 765 Close the Command Prompt Step 766 Navigate to 172.19.X.110 (x=pod#) in a browser from the students computer Step 767 Click Cisco Unified Communications Manager Step 768 Login in with the following credentials a. Username  Administrator b. Password  Cisc0123 c. Click Login Step 769 Click Device  Phone Step 770 Click Find Step 771 Observe the IPv4 Address of the two CFS (disregard the Dyslexic lab developer, CFS should be CSF). Notice that one CSF devices is registered on the .201 which is SiteB-WS01 and is still connected to the internal network. But the CFSUSER02 is connected to .143 which is the address of ExpresswayC

Step 772 Switch back to SiteB-WS02 (172.19.X.241 Blake Bad) RDP Session Step 773 Double click the Jabber Icon on the desktop to open Jabber (If not all ready open) Lab Guide Version 3.5


Page 134 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 774 Accept any and all Invalid Certificates Step 775 Click Help  Show Connection Status, on the Jabber client Step 776 Observe that softphone is connected to Expressway, also notice that the Voicemail is not connected. If Directory is not connect try search for a user with at least 3 charters in the search and it should connect

Step 777 Click the VoiceMail tab on the Jabber Client Step 778 Observe that voice mail is not connected



Page 135 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Creating a White List entry for VoiceMail on Expressway-C In this section the student will create a white list entry for the voicemail server that will allow the Jabber clients to access voicemail services. Jabber client endpoints may need to access additional web services inside the enterprise. This requires an "allow list" of servers to be configured to which the Expressway will grant access for HTTP traffic originating from outside the enterprise. The features and services that may be required, and would need whitelisting, include:  Visual Voicemail  Jabber Update Server  Custom HTML tabs / icons  Directory Photo Host The IP addresses of all discovered Unified CM nodes (that are running the CallManager or TFTP service) and IM&P nodes are added automatically to the allow list and cannot be deleted . Note, however, that they are not displayed on the HTTP server allow list page. Step 779 Switch to SiteB-Ad (172.19.X.120 Administrator) RDP Session Step 780 Open Firefox, if not already open Step 781 Click Expressway  SiteB-ExpC01, or switch to the tab that already has SiteB-ExpC01 open in it Step 782 Enter the following credentials to login in a. Username  admin (lower case) b. Password  Cisc0123 (case sensitive) c. Click Login Step 783 Click Configurations  Unified Communications  Configuration Step 784 Click Configure HTTP Server Allow List

Step 785 Click New Step 786 Enter siteb-cuc911.siteb.com, in the Server Hostname Step 787 Enter Visual VoiceMail White List, in the description field



Page 136 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 788 Click Create Entry

Step 789 Switch to SiteB-WS02 (172.19.X.241 Blake Bad) RDP Session Step 790 Click Gear  File  Exit, to exit Jabber

Step 791 Double click the Jabber icon Step 792 Enter Cisc0123 in the password field (if prompted) Step 793 Click Sign In (if prompted) Step 794 Click the VoiceMail tab on the Jabber Client Step 795 Observe that voice mail is now connected



Page 137 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 796 Press the Triangle Play button on some of the VMs to test if they play. The audio if any will be garbbled due to lab issues, but you should see the play status bar moving across the VM if you can’t hear it.

Step 797 Click the Contact tab in the Jabber client Step 798 Hover the mouse over Alex Ace, in Blake’s contact list Step 799 Click the Call button Step 800 Select Alex’s Work (+14085552001) number Step 801 Switch to SiteB-WS01 (172.19.X.201 Alex Ace) RDP session Step 802 Click Answer, on the Incoming Call pop-up window in the lower left corner The call that is active right now is a call between Blake Bad (SiteB-WS02) external and connected via the Expressway, and Alex Ace (SiteB-WS01) connected on the internal network.

Step 803 Switch to SiteB-Ad (172.19.X.120 Administrator) RDP Session Step 804 Open Firefox, if not already open Step 805 Click Expressway  SiteB-ExpC01, or open Firefox tab with SiteB-ExpC01 already open in it Lab Guide Version 3.5


Page 138 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 806 Enter the following credentials to login in a. Username  admin (lower case) b. Password  Cisc0123 (case sensitive) c. Click Login Step 807 Observe that on the main Status  Overview status page there is one current call. At this time the Expressway-C shows this as a video call

Step 808 Click Status  Calls  Calls Step 809 Observe there is one call active Step 810 Click the Start Time link for this call

Step 811 Observe the call information

Step 812 Click Status  Calls  History Step 813 Observe the call history log (there might not be any calls here till you end the first call)

Step 814 Switch to SiteB-WS02 (172.19.X.241 Blake Bad) RDP Session



Page 139 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Step 815 Click the Red Phone Handset, to disconnect the call



Page 140 of 166

The Ultimate Cisco Jabber Specialist 2 Lab JST Features Task 6: Adding User Photos to Web Server In this section the student will configure the jabber-config.xml file to point to our network web server for the Jabber Clients to obtain the user photos at login. In previous sections of the lab the Jabber Clients used EDI to obtain the photos from the Active Directory.

Activity Objective In this activity, you will learn the methods to: 

Configure jabber-config.xml to allow for web based photos



Configure Expressway C to white list the photo web server

Required Resources To complete this section of the lab the student will need a computer that is connected to the lab via VPN, and an RDP connection to your pod’s SiteB-AD (172.19.X.120).

Contact Photo Retrieval with UDS UDS dynamically builds a URL for contact photos with a directory attribute and a URL template. To resolve contact photos with UDS, you specify the format of the contact photo URL as the value of the UdsPhotoUriWithToken parameter. You also include a %%uid%% token to replace the contact username in the URL, for example, http://server_name/%%uid%%.jpg UDS substitutes the %%uid%% token with the value of the userName attribute in UDS. For example, a user named Mary Smith exists in your directory. The value of the userName attribute for Mary Smith is msmith. To resolve the contact photo for Mary Smith, Cisco Jabber takes the value of the userName attribute and replaces the %%uid%% token to build the following URL: http://staffphoto.example.com/msmith.jpg



Page 141 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Configure jabber-config.xml The photos for our lab are stored on the external/DNS/webserver at C:\inetpub\wwwroot\userphotos directory. Step 816

Switch to SiteB-AD, (172.19.X.120) RDP Session

Step 817

Double click the Jabber Config folder on the desktop

Step 818

Double click the 03_Video_Case_Num_CFg folder

Step 819

Right click Jabber-config.xml

Step 820

Click Edit from the pop-up menu

Step 821

Add the following line of code in the directory section of the jabberconfig.xml. You should be able to copy and paste the line below

http://10.1.3.20/userphotos/%%uid%%.jpg

The whole file should look like this when the one line is added just in the directory section:



Page 142 of 166


Click File  Save on notepad

Step 824

Click File  Exit to close notepad

Step 825

Open Firefox, on SiteB-AD (172.19.X.120) RDP session, or create a new tab in the session of Firefox that is already open

Step 826

Click SiteB-UC  SiteB-CUCM911 from the Firefox favorite bar

Step 827

Click Cisco Unified Communications Manager

Step 828

Select Cisco Unified OS Administrator, from the navigation drop-down in the upper right corner of the login page

Step 829

Click I Understand The risk (if presented)

Step 830

Click Add Exception (if presented)

Step 831

Click Confirm Security Exception (if presented)

Step 832

Select Cisco Unified OS Administration, from the navigation drop-down menu

Step 833

Click Go

Step 834

Login with the following credentials a. Username  Administrator b. Password  Cisc0123 c. Click Login

Step 835

Click Software Upgrades  TFTP File Management

Step 836

Click Upload file

Step 837

Click Browse



Page 143 of 166


Select Desktop from the left side navigation pane

Step 839

Double click the Jabber Config file folder

Step 840

Double click 03_Video_Case_Num_CFG

Step 841

Select jabber-config.xml

Step 842

Click Open

Step 843

Click Upload File

Step 844

Verify File Uploaded Successfully, at the top of the upload pop-up window

Step 845

Click Close, to close the upload pop-up window

Step 846

Select Cisco Unified Serviceability, form the Navigation drop-down window

Step 847

Click GO

Step 848

Login with the following credentials a. Username  Administrator (Case Sensitive) b. Password  Cisc0123 (Case Sensitive) c. Click Login

Step 849

Click Tools  Control Center – Feature Services

Step 850

Select SiteB-CUCM911.siteb.come—CUCM Voice/Video, from the Select Server drop-down menu

Step 851

Click Go

Step 852

Select Cisco Tftp

Step 853

Click Restart

Step 854

Click OK, on the page refresh warning



Page 144 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Testing jabber-config.xml In this section the student will point a browser to the URL below and it should retrieve the jabber-config.xml from the CUCM TFTP server. All changes should be reflected in the output. Step 855

Open Firefox, on SiteB-AD (if not already open), or open a new tab in Firefox

Step 856

Navigate to http://10.1.2.110:6970/jabber-config.xml

The browser should present the output that is shown below, with the edit that was made to the Directory section



Page 145 of 166

The Ultimate Cisco Jabber Specialist 2 Lab White List Web Server The student will add the web server with the photos on to the allow list on expressway, so the Jabber client is permitted to access the web server. Step 857

Switch to SiteB-AD (172.19.X.120) RDP session

Step 858

Open Firefox, if not already open

Step 859

Click Expressway  SiteB-ExpC01, on the Firefox favorites bar Or switch to the tab that already has SiteB-ExpC01 already open in it Login with the following credentials (if not already logged in) a.  admin (lower case) b. Password  Cisc0123 (case sensitive)

Step 860

Click Configuration  Unified Communications  Configuration, in the SiteB-ExpC01 administration web page

Step 861

Click Configure HTTP Server Allow List

Step 862

Click New

Step 863

Enter 10.1.3.20, in the Server hostname field

Step 864

Description Internet Web Server

Step 865

Click Create Entry

Step 866

Switch to SiteB-WS02, (172.19.X.241 Blake Bad) this workstation should still be connected to the external network from a previous section



Page 146 of 166

The Ultimate Cisco Jabber Specialist 2 Lab If you are not sure if the workstation is connected to the external network confirm that SiteB-WS02 is connected to the external network do the following    

Click Help  Show Connection Status Observe that the Address in the first section says (CCMCIP – Expressway) Close the Jabber Connection status screen If it does say Expressway move on to the next step (outside of this aqua box)

If the system does not say Expressway do the follow to switch SiteB-WS02 to the external network. 

Right Click External Network On icon on the desktop of SiteB-WS02



Click Run As Administrator, from the pop-up menu



Click Yes to the warning, at this point you will loose connectivity to the RDP session. Close the RDP window Open a new RDP window and login to the following Computer = 172.19.X.241 Username = siteb\bbad Password = Cisc0123 Click Help  Show Connection Status Observe that the Address in the first section says (CCMCIP – Expressway) Close the Jabber Connection status screen

      

Step 867


Click the Contacts tab on the left side of Cisco Jabber


Page 147 of 166


Observe that the Cisco Jabber contacts for Blake Bad do not have any pictures (due to lab variations sometimes the pictures are still showing form AD, this is OK keep going)

Step 869

Click Gear  File  Exit, on the Cisco Jabber client to close it on SiteBWS02

Due to issues in the lab, the two Jabber directories on the workstation will need to be erase so they will be recreated when Jabber Client is turned on again. The issue is that if the Jabber Client has pictures already in the local photo directory the ones on the new web server will not overwrite the photos previously downloaded from the internal AD server. In a product network one or the other type of photo source will exist not both as we demonstrated in the lab. The bat file erases the Jabber directory and all sub directories below it in two location on the local workstation. C:\Users\bbad\AppData\Roaming\Cisco\Unified Communications C:\Users\bbad\AppData\Local\Cisco\Unified Communications

Step 870

Right Click EraseJabber_WS02.bat, bat file on the SiteB-WS02 desktop

Step 871

Click Run as Administrator, from the pop-up menu



Page 148 of 166


Click Yes to allow the app to change the computer

Step 873

Double click the Jabber Client icon to open Jabber

Step 874

Enter the following credentials to login to the Jabber client a. Email Address  [email protected] b. Click  Continue c. Username  [email protected] (pre-filled in) d. password  Cisc0123 e. Sign me in when Cisco Jabber start  Checked f. Click Sign In

Step 875

Accept any invalid certificates (if needed)

In the next step when the Jabber client obtains the user photos from the Mock Internet Web server, notice that the pictures look WEIRD. They have intentionally changed with a special effect so they look different then the pictures in the internal Active Directory to help the student very quickly realize this is a different set of pictures. In most production network there will usually only be one source for the photo’s unlike the experience we have just stepped through in the lab. The altered user photos were copied into a directory (C:\inetpub\wwwroot\userphotos) on the Mock Internet Web Server before the class started. Also the IIS role has been installed and started on this server, to enable it to be a web server.

Step 876

Observe that the Jabber Client now has pictures that were retrieved from the web server (notice the pictures have been made to look weird to prove the difference in source of the photos)

This Concludes the official lab Guide steps, please feel free to continue to explore the lab



Page 149 of 166


Section 4: Appendix



Page 150 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Appendix A: ExpressWay Options Keys for JSTII Lab The option keys in this lab only apply to the server deployed in this lab due to the automatically generated serial number on each Expressway at the time of deployment. Collab Edge Lab Option Keys SiteB-ExpC01 – Serial Number - 049491D5 Valid Software contract - Release Key: 4360497995181665 H323 SIP – Interworking Gateway Key: 116341G00-1-87EACCFB Expressway Series Key: 116341E00-1-096C2A6F SiteB-ExpC02 – Serial Number – 06126E24 Valid Software contract – Release Key: 1194266643158189 H323 SIP – Interworking Gateway Key: 116341G00-1-C3DE9277 Expressway Series Key: 116341E00-1-B57F3034 SiteB-ExpE01 – Serial Number – 03118224 Valid Software contract – Release Key: 7176023658098439 H323 SIP – Interworking Gateway Key: 116341G00-1-A7FB3D03 Expressway Series Key: 116341E00-1-745E2397 Traversal service for E – VSC (T) Boarder Controller Key: 116341T00-1-F768D3DC Turn Relay 1800 Turns Key: 116341I1800-1-8F82AD62 SiteB-ExpE02 – Serial Number - 023393F5 Valid Software contract – Release Key: 6917141609111101 H323 SIP – Interworking Gateway Key: 116341G00-1-CF24D548 Expressway Series Key: 116341E00-1-1D400744 Traversal service for E – VSC (T) Boarder Controller Key: 116341T00-1-AF35A121 Turn Relay 1800 Turns Key: 116341I1800-1-A7C4DC9D

Options keys for JSTII Jabber Guest on 8.2.0 SiteB-JabGstC01 - Serial Number - 0280C83C Valid Software contract - Release Key:4871176275042305 Expressway Series Key:116341E00-1-8AD9AE82

Rich Media Sessions - VCS:(W) +100 Traversal Calls:116341W100-1-6D415BF0 SiteB-JabGstE01 - Serial Number - 0912E2FD Valid Software contract - Release Key:4288141040879898 Expressway Series Key:116341E00-1-A14E7789 Turn Relay 1800 Turns Key:116341I1800-1-EC92C886 Traversal service for E – VSC (T) Boarder Controller Key:116341T00-1-DE3F1423

Rich Media Sessions - VCS:(W) +100 Traversal Calls:116341W100-1-5B0DD1B0



Page 151 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Appendix B: CUCM Server Name change to FQDN

Changing the CUCM Server Name Open a browser on your desktop and navigate to 172.19.X.110, where X = your pod number (for example 172.19.22.110 = pod 22) Step 1

Browse to SiteB-CUCM911 (172.19.X.110 – X=pod#) from the students desktop

Step 2

Click Continue to Website

Step 3

Click Yes or accept to any security warnings, if any

Step 4

Log in using the following credentials:  Username  Administrator  Password  Cisc0123

Step 5

Click System  Server

Step 6

Click Find

Step 7

Observe that the CUCM and IMP servers are only entered into the database as hostnames, this is the default install configuration

All UC Servers in this lab are upgraded from 9.1.1 to version 10.0.1. Due to time constraints the server hostnames and DNS entries have been left as 9.11

Step 8

Select SiteB-CUCM911 (2nd pass SiteB-CUCM02, 3rd pass SiteBIMP911, 4th pass SiteB-IMP02)

Step 9

Enter SiteB-CUCM911.siteb.com, in the hostname/IP address field

Step 10

Click Save

Step 11

Click OK, on the certificate regeneration warning



Page 152 of 166


Click Go, on related links to go back to Find/List

Step 13

Click SiteB-IMP911

Step 14

Enter SiteB-IMP911.siteB.com, in the hostname/IP address field

Step 15

Click Save

Step 16

Click OK, on the certificate regeneration warning

Step 17

Click Go, on related links to go back to Find/List

Step 18

Repeat steps 6 – 18 for SiteB-CUCM02, SiteB-IMP911 & SiteB-IMP02

Step 19

Observe that four servers are listed as FQDN format



Page 153 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Appendix C: Bootstrap Jabber for Windows Install The CiscoJabberProperties.mst is used to modify the CiscoJabberSetup.msi to create custom installers. When installing the custom Jabber Install MSI file, edited by Orca, it is now referred to as a Bootstrap install. The CiscoJabber-Admin-ffr.9-6 will be downloaded to the SiteB-AD server for use with this lab. There are only a few entries that are different between the 9.6 and the 9.7 Admin file, and the additional settings are not needed for this lab. (The 9.7 admin file was not ready for the we released of this lab) The Microsoft Orca program from the Microsoft Windows SDK has been installed on the SiteB-AD server for use with this lab. The Jabber admin might need to edit the Cisco JabberSetup.msi Installer package (.msi) files directly to customize the installer for their particular deployment needs. The Orca database editor is a table-editing tool available in the Windows Installer SDK and can be used to edit your .msi files. This lab discusses how to use the Orca editor to modify the lab .msi files. Warning Editing an MSI file can cause serious problems that may leave your system in an unstable state. Cisco Systems cannot guarantee that problems resulting from the incorrect use of the MSI file editor can be solved. Modifications of the MSI file of a shipping product should only be attempted under direct instruction from the product's vendor. Always make a copy of the file(s) being modified. An Administrator can create a customized Jabber installer for their organization. In this section a customized Jabber installer will be built using the Microsoft Orca tool. The Orca tool allows an Administrator to apply an MST transformation file to an MSI. Cisco provides an MST file in the Jabber admin pack downloadable on cisco.com In this section we are going to edit a Jabber MSI install file which is hardcoded to install with additional parameters to make the end user first login experience shorter and less frustrating. This configuration also means the Jabber client will look for a CUCM server by default using the _cisco-uds SRV Record created earlier in the lab.

Activity Objective In this activity the student will edit and repackage the CiscoJabberSetup.msi with the Microsoft Orca app as well as perform a bootstrap install, configure, and operate the Cisco Jabber Client for Windows.



Page 154 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Required Resources A personal computer VPN’ed into the lab environment and two RDP sessions into the lab. On to the SiteB workstations and the second to the SiteB-AD server.

Logging into the Student Remote Workstations If you have not logged into the student workstations please return to the logging into the student remote workstations section to login to the student workstations

Editing and Repackaging the CiscoJabberSetup.msi install file In this section the student is going to download TWO files from Dropbox, one MSI and one MST file. These two files will be downloaded to Siteb-AD, and used to create a Jabber Client Bootstrap install. Step 1

Return to or Open SiteB-AD server (172.19.X.120), RDP session

Step 2

Launch Firefox on SiteB-AD

Step 3

Browse to the following URL  http://tinyurl.com/CiscoJabberSetup to download the Jabber MSI Install file

Or use the Favorite in the Jabber Install folder

Step 4

Click Download

Step 5

Click Save File



Page 155 of 166


Browse to the following URL http://tinyurl.com/CiscoJabberMST to download the CiscoJabber MST Properties file

Or use the quick link on the Bookmarks Toolbar under Jabber Install

Step 7

Click Download

Step 8

Select to Save File and Click OK

Step 9

Close all Firefox browser windows

Step 10

Start Microsoft Orca by clicking the Killer Whale icon on the task bar on of the SiteA-AD server (172.19.x.120)

Step 11

Click File  Open

Step 12

Browse to C:\Users\Administrator\Downloads

Step 13

Select CiscoJabberSetup.msi

Step 14

Click Open

Step 15

Click View  Summary Information

Step 16

Locate the Languages field

Step 17

Remove all language codes except for 1033

Step 18

Click OK

Step 19

Click Transform  Apply Transform



Page 156 of 166


Browse to C:\Users\Administrator\Downloads (should already be here)

Step 21

Select Installer Transforms (*.MST) for the files of type

Step 22

Select CiscoJabberProperties.mst

Step 23

Click Open (Wait for it – it’s a little slow to open)

Step 24

Scroll down in the list of Tables in the left pane

Step 25

Select the Property table

Step 26

In the Property window scroll down to the green outlined properties (right pane)



Page 157 of 166

The Ultimate Cisco Jabber Specialist 2 Lab There are many different customizable fields in the MSI file. In this lab we will change two: Service_Domain and Clear. By setting Clear to 1 you enable Jabber directories to be deleted during upgrade or uninstall. To see more about the different fields Click Here

SERVICES_DOMAIN

Domain

Sets the value of the domain where the DNS SRV records for Service Discovery reside. This argument can be set to a domain where no DNS SRV records reside if you want the client to use installer settings or manual configuration for this information. If this argument is not specified and Service Discovery fails, the user will be prompted for services domain information.

Step 27

Enter siteb.com in the Value for the SERVICE DOMAIN property field

Step 28

Enter 1 (number one) in the CLEAR property field

Step 29

Now select and highlight USE FT GATEWAY, 3rd from the top of the green bordered list

Step 30

Hold the SHIFT key

Step 31

Select EXCLUDE SERVICES, while holding shift key it should highlight all the fields except the two that were edited



Page 158 of 166


Click Table  Drop Rows from the Orca menus. Only two green outlined rows should remain as seen below Caution! Do not to click Drop Table

Step 33

Click OK to confirm the dropped rows

Step 34

Click Tools  Options

Step 35

Select the Database Tab

Step 36

Select Copy embedded streams during ‘Save As’

Step 37

Click Apply

Step 38

Click OK

Step 39

Click File  Save Transformed As

Step 40

Browse to C:\Users\Public\Jabber

Step 41

Type SiteBJabberInstall in the name field



Page 159 of 166


Click Save

Step 43

Click OK to the Orca copy error message, if one pops up

Step 44

Close Orca

Step 45

Click NO on the save changes to CiscoJabberSetup.msi pop-up warning



Page 160 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Bootstrap Jabber Install on Remote SiteB-WS02 Using the Custom MSI File Default Configuration In most environments, Cisco Jabber for Windows does not require any configuration to connect to the CUCM server and perform directory queries. In on-premises deployments, Cisco Jabber for Windows uses the _cisco-uds SRV record to automatically discover Cisco Unified Communications Manager. If you add a DNS SRV record for the _cisco-uds service name in the DNS server on the CUCM server domain, Cisco Jabber for Windows can automatically connect to that CUCM server. For directory integration in on-premises deployments, Cisco Jabber for Windows uses Enhanced Directory Integration by default. If you install Cisco Jabber for Windows on a workstation that is registered to an Active Directory domain, Cisco Jabber for Windows automatically discovers the directory service and connects to a Global Catalog in the domain. In cloud-based deployments, Cisco WebEx Messenger provides Cisco Jabber for Windows with presence capabilities and contact resolution. You perform all configurations for Cisco Jabber for Windows using the Cisco WebEx Administration Tool. However, you can configure Cisco Jabber for Windows in hybrid cloud-based deployments with additional options. Custom Configuration You should configure Cisco Jabber for Windows if: 

You do not install Cisco Jabber for Windows on a workstation that is registered to an Active Directory domain.



You plan to connect to Cisco Unified Communications Manager User Data Service or another supported LDAP directory instead of EDI.



You need to specify custom settings so that Cisco Jabber for Windows can correctly use your directory service. Custom directory settings include the following:



o

Attribute mappings

o

Connection settings

o

Contact photo retrieval settings

o

Directory search settings

o

Intradomain federation settings

You plan to deploy with custom content such as the following: o

Scripts that allow users to submit problem reports

o

Files that enable automatic updates

o

Custom embedded tabs for displaying HTML content

o

URLs that enable users to reset or retrieve forgotten passwords



Page 161 of 166

The Ultimate Cisco Jabber Specialist 2 Lab 



You plan to deploy with custom policy configuration such as the following: o

Disabling screen captures

o

Disabling file transfers

o

Disabling video calls

You plan to specify a credentials configuration in your deployment. In the previous section we used Microsoft ORCA to customize the MSI file, in this section of the lab we are going to use the newly created MSI file to install our second student workstation with Jabber. The end result is the end user will skip the email section of sign-in and go right to logging in. The same result could be achieved by using the command line install that follows, from the directory that the MSI directory exists in.

Bootstrap Jabber Install for Jabber for Windows Step 46

Switch to SiteB-WS02 (172.19.X.202 Black Bad) RDP session

Step 47

Click the button formally known as Start

Step 48

Type \\10.1.2.120\Users\Public\Jabber in the Run field just above the Start button Press Enter. An Explorer window should open to the mapped drive

Step 49

Double Click SiteBJabberInstall to start the Jabber installation (wait for it)

Step 50

Click Run on the security warning (if any). Be patient as this takes some time



Page 162 of 166


Click Accept and Install

Step 52

Click Yes, to allow the following program to make changes to this computer (This window takes a min to pop up)

Step 53

Keep Launch Cisco Jabber Checked

Step 54

Click Finish

Step 55

Minimize the windows Explorer window



Page 163 of 166


If the remote desktop screen is minimized (not full screen) Jabber will most likely open to the far right on the screen. If this happens scroll to the right to see Jabber on the screen.

In the previous section the student did a standard install with no customization to the CiscoJabberSetup.msi file. When Jabber started for the first time the student was presented with a login screen that asked for the users email address. In this second Jabber install the student installed the customized CiscoJabberSetup.msi file that was edited with the MS Orca tool. The follow two parameters were added to the MSI file.

When Jabber starts for the first time with the customized install Jabber should skip the email address screen and go directly to the user name and password screen. Jabber uses the _cisco-uds service record in DNS to locate the Cisco Unified Communications Manager to login using TCP on port 8334. Another way to see if the bootstrap values made it to the computer running Jabber is to look at the Jabber bootstrap file on the workstation. The file exist on the workstation that Jabber Client is installed. Located in the C:\ProgramData\Cisco Systems\Cisco Jabber - In the case of our lab it is on SiteB-WS02. ProgramData is a hidden folder so it will need to be un-hidden, or programdata can be typed in manually at the top of the file explorer even when it is hidden. Notice in the screen shot the entries that were added to the MSI install file are in the jabber-bootstrap file Lab Guide Version 3.5


Page 164 of 166


DO NOT login to SiteB-WS02’s Jabber client at this time

In a previous section of this lab the student installed Cisco Jabber default MSI install file on SiteB-WS01. After the install the student logged in the Jabber client as Alex Ace. During the login process the Jabber client presented five invalid certificates.

The next task focuses on Certificate Management. At the end of the task SiteB-WS02 Jabber client we be logged in as Blake Bad and the Jabber client should NOT present any invalid certificates.



Page 165 of 166

The Ultimate Cisco Jabber Specialist 2 Lab End Of Lab This concludes the lab. On behalf of the Americas Partners Organization – Solutions Readiness Engineers we thank you for taking the time to complete this lab. We hope that this lab surpassed your goals and expectation and was a very useful and positive learning experience for increasing your knowledge of Cisco’s Collaboration products. Please don’t forget to complete your survey for today’s session. The Solutions Readiness Engineers have a YouTube channel that has step-by-step videos for each of our lab offerings. You can find our YouTube Channel here: Http://tinyurl.com/CollabVideos Thank you for taking our lab and as always thank you for using Cisco products.



Page 166 of 166

The Ultimate Cisco Jabber Specialist 2 Lab Guide_Part1

Recommend Documents