Deploying Cisco Jabber on Premise · Aleksander Kocelj

www.ciscoday.com 31. 3. 2016. Hotel Crowne Plaza Beograd, Srbija Cisco dan


Page 1: Deploying Cisco Jabber on Premise Aleksander Kocelj · Trusted Root Cert distributed to Client, can be via policy ... • PostgreSQL or Oracle Database • Linux Host with SSH v2

www.ciscoday.com

31. 3. 2016.

Hotel Crowne Plaza

Beograd, Srbija

Cisco dan


• Aleksander Kocelj

System engineer

• 31.3.2016

Cisco Jabber design overview


Instant Messaging

Persistent Chat Rooms

Application Integration

Video Conferencing

Remote Access

Secure Communication

Voice & Video

File Transfer

Desktop Sharing

Voice Messaging

Schedule Integration

Desk phone Control

Contact Search

Presence

Single Sign-On

WebEx Meetings

Cisco Jabber for Windows, iOS, Mac and Android platforms


Agenda

• Preparing the Server Infrastructure

• Service Discovery

• Certificates

• Contact Sources

• Group working

• Application Integration

• Summary


• Jabber deployment should focus on delivering the correct user experience

• Jabber deployment success should be measured not in technical completeness but in end-user adoption

• User adoption will be poor on a badly deployed system

• We’re going to focus on deployment practices to MAXIMIZE USER ADOPTION

The REAL agenda

Your GOAL is User Experience & Adoption

Introducing the Cisco Jabber Deployment Report Card


Preparing backend Infrastructure


Preparing backend Infrastructure

Jabber Architecture

[Architecture diagram. Labels: Unified CM, Expressway-E, Expressway-C, IM & Presence Server, LDAP, AD, Conductor, TelePresence Server, Unity Connection, Exchange Server, WebEx Meetings, Jabber Clients (Corporate Network), DNS, CertAuth, Internet, Home Office, Coffee Shop, Cisco Web Conferencing, B2B Federated Organizations, Telepresence, Core Infrastructure Services, Cisco Collaboration Endpoint, Mobile and Remote Access, Internet Services, Federation.]


Preparing backend Infrastructure

Jabber Core Services (UC manager 9.x+)

UC Manager IM&P AD/LDAP

• Authentication

• Configuration

• Call Control

• IM/Chat

• Presence

• Contact Lookup (Contact source)


Preparing backend Infrastructure

Jabber Core Services – LDAP Sync

• Recommended approach for creating users is to sync with UC Manager.

UC Manager IM&P AD/LDAP

LDAP SYNC

LDAP AUTHENTICATION

UC Manager

DB SYNC

• Jabber also provides options to use Single Sign-On using a SAML 2.0 IDP (Example: MS ADFS 2.0, Ping Identity)


Preparing backend Infrastructure

Jabber Core Services – LDAP Sync

• Recommended approach for creating users is to sync with UC Manager.

UC Manager IM&P AD/LDAP

[email protected] Jabber ID or “JID”

“Jabber” Domain Cluster UserID

LDAP SYNC DB SYNC


Preparing backend Infrastructure

Jabber User Configuration

[Diagram labels: User, Devices (Mobile, Softphone, Desk Phone), Directory Number, SIP URI, IM&P enabled, Home Cluster, Group Membership, End User Group, CTI Group, Service Profile, IM&P UC Service, CTI UC Service, Voicemail UC Service, Conference UC Service, Directory UC Service, XML File. Associations shown: user to line, user to devices, device to line, line to SIP URI, URI to user, user assigned membership of group.]


Service discovery


Users should never be prompted to enter information they don’t understand

Jabber “Service Discovery” is designed to require a user to just identify themselves…

Service discovery will detect infrastructure and configuration


What is Service Discovery

• Service Discovery allows Jabber clients to……

Jabber Operating Mode (Cloud/On Premise or IM/Voice/Full UC)

Identify Operating Domain(s) (Presence/DNS)

Network Location (Inside/Outside)

Service Registration (UC service)


Deploying Jabber Service Discovery

Name and Domain…..

• Jabber will try to establish the operating domain for the presence environment. It can do this in several ways:

– Prompt the user asking for their userID (email address)

– Obtain the UPN from Active Directory (on Windows domain only)

– Installer pre-population: the admin can pre-populate the installer or provide installer parameters (Windows only)

– Population using URL configuration (Mac, iOS & Android)

– Application Wrapper (iOS & Android)

[email protected] Jabber ID or “JID”


Deploying Jabber Service Discovery

Jabber Operating Mode

• Jabber can operate in a number of different configurations

Jabber can also operate in IM/Voice/Video or Full UC modes, but this is defined later in the configuration process.

WebEx Messenger & Hybrid Mode

On Premise (CUP) UCM / IM&P 8.x

On Premise (UDS) UCM / IM&P 9.x (Recommended for On Premise)


Deploying Jabber Service Discovery

Lookup the Domain

• Jabber needs to establish the operating mode for the presence domain

WebEx Messenger & Hybrid Mode

On Premise (CUP) UCM / IM&P 8.x

On Premise (UDS) UCM / IM&P 9.x

Jabber will by default query all service types

• For WebEx it will issue an HTTP request (CAS): http://loginp.webexconnect.com/cas/FederatedSSO?org=example.com

• For UDS mode it will issue a DNS SRV request: _cisco-uds._tcp.example.com

• For CUP mode it will issue a DNS SRV request: _cuplogin._tcp.<domain_name>

Jabber will also query to locate an Expressway remote access service

• Remote Access (MRA) DNS SRV request: _collab-edge._tcp.<domain_name>

Mobile Remote Access


Deploying Jabber Service Discovery

The results are in…..!

• Jabber will stack rank the results it gets and select the top response for login.

• Jabber will now CACHE the operating mode until a login change.

• The login screen will indicate which service you are connected to

1. WebEx Messenger

2. Mobile Remote Access

3. UDS On Premise

4. CUP On Premise


Deploying Jabber Service Discovery

Service Discovery Flow – On-Premises Deployment

[Flow diagram with steps numbered 1 to 8 for the user cpaige@corp.example.com. Participants: Internal DNS, Messenger, Central UCM (UDS), Home UCM Cluster, UCM IM/P, UCM Call Control, Unity Connection, WebEx Meetings Server. Step labels: DNS SRV lookup (_cisco-uds); Central UCM UDS address; HTTP Request to CAS URL for corp.example.com; corp.example.com is not WebEx domain; Look for home UCM cluster; Home UCM cluster address; Service Profile & jabber-config from TFTP; User log in (7); Connect/Register (8).]


Deploying Jabber Service Discovery

The LAST resort

• This really is your last resort (you just lost all the marks for Service Discovery on the report card)

• Should ONLY be used for testing and Lab deployments

• Consider Install customization BEFORE using advanced settings for end users

• Use only for Lab testing


Certificates


Jabber uses certificates to validate connections to infrastructure services

With an incorrectly configured environment Jabber will prompt users to accept certificates

+10%


Certificate Management – Self Signed Option

When Jabber is presented with a new certificate it will prompt the user to accept each certificate (based on admin policy)

If the user is allowed to accept the certificate it will be added to the user's device cert store (based on OS).

On Windows, self signed certs will be added to the Enterprise Trust Store

UC Manager IM&P UCxn CWMS


Certificate Management – Private/Public CA Option

• RECOMMENDED CONFIG

• Having CA issued certificates in place means users are not prompted to accept certificates

UC Manager IM&P UCxn CWMS Private or Public Cert Authority

Trusted Root Cert distributed to Client, can be via policy

Trusted CA issued certificates installed on each server in cluster

• UC Manager: Tomcat Cert

• IM & P: Tomcat and XMPP Cert

• Unity Connection: Tomcat Cert

• WebEx Meeting Server: Tomcat Cert

CAPF functionality uses CTL files so not affected by this change

iPhone


Contact sources


Contact Sources provide Jabber with the ability to resolve contact details.

Incorrect implementation of contact sources can affect the ability to initiate communications, i.e. voice/video


Contact Sources

• Good contact data is required for a successful Jabber deployment.

• Poor or incorrectly configured contact sources will impact user experience

• Examples of incorrect configuration:

– Contact displaying in email style, [email protected]

– Unable to search for contacts

– Incoming calls not resolved to contact

– Unable to start voice/video calls

– UC manager unable to dial numbers


Understanding Jabber Contact Sources

Contact Source Types

• LDAP based contact source (EDI or BDI mode): must be used for on premise deployments

• HTTP/REST based contact source: CUCM contact source

• MS Outlook Contacts: search local contacts from Jabber

• Custom Contacts (Jabber Win 9.7+): non directory based contacts stored on IM&P server


Understanding Jabber Contact Sources

Contact Lookup by Jabber ID – Account Name

(&(objectCategory=person)(objectClass=user)(sAMAccountName=cholland))


Understanding Jabber Contact Sources

Contact Lookup using Predictive Search

(&(objectCategory=person)(objectClass=user)(ANR=smith*))

ANR Example


Understanding Jabber Contact Sources

Contact Lookup by Telephone Number

(&(objectCategory=person)(objectClass=user)(telephoneNumber=+1 (408) 555 6666))

(&(objectCategory=person)(objectClass=user)(|(|(|(mobile=+14085555555))(homePhone= 14085555555))(otherTelephone= 14085555555)))
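The three lookups above (account name, predictive ANR search, telephone number) take their values from what a user types or from caller ID, and the telephone filter as printed carries raw parentheses inside the value. The following is an added example, not code from the slides or from Jabber: it builds the same filters with RFC 4515 escaping and includes a small structural checker; the function names are hypothetical, and the multi-attribute phone search is written as one flat OR rather than the nested form shown.

```python
"""Added example: the three slide lookups built with RFC 4515 value escaping."""

# Characters that must be hex-escaped inside a filter value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_PERSON = "(&(objectCategory=person)(objectClass=user){})"

# The telephone filter exactly as printed on the slide (raw parentheses in the value).
SLIDE_PHONE_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                      "(telephoneNumber=+1 (408) 555 6666))")


def escape_value(value):
    """Escape one assertion value so it cannot change the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def by_account(account):
    return _PERSON.format(f"(sAMAccountName={escape_value(account)})")


def by_predictive(typed):
    # The trailing * is the builder's own wildcard; any * the user typed is escaped.
    return _PERSON.format(f"(ANR={escape_value(typed)}*)")


def by_phone(number, attrs=("telephoneNumber",)):
    terms = "".join(f"({a}={escape_value(number)})" for a in attrs)
    return _PERSON.format(terms if len(attrs) == 1 else f"(|{terms})")


def _parse(f, i):
    """Return the index just past one filter starting at i, or -1 if malformed."""
    if i >= len(f) or f[i] != "(":
        return -1
    i += 1
    if i < len(f) and f[i] in "&|":          # AND / OR: one or more sub-filters
        i += 1
        seen = 0
        while i < len(f) and f[i] == "(":
            i = _parse(f, i)
            if i < 0:
                return -1
            seen += 1
        if seen == 0:
            return -1
    elif i < len(f) and f[i] == "!":         # NOT: exactly one sub-filter
        i = _parse(f, i + 1)
        if i < 0:
            return -1
    else:                                    # item: attr=value up to the next ')'
        end = f.find(")", i)
        if end < 0 or "=" not in f[i:end] or "(" in f[i:end]:
            return -1
        i = end
    return i + 1 if i < len(f) and f[i] == ")" else -1


def is_valid_filter(f):
    """Structural check only: balanced nesting and no raw '(' or ')' in values."""
    return _parse(f, 0) == len(f)


if __name__ == "__main__":
    for flt in (SLIDE_PHONE_FILTER, by_phone("+1 (408) 555 6666"),
                by_predictive("Smith (Sales"), by_account("cholland")):
        print(is_valid_filter(flt), flt)
```

The checker rejects the printed telephone filter and accepts the escaped one, which is the form a script reproducing these lookups against the directory should send.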


Understanding Jabber Contact Sources

LDAP Contact Sources

• Jabber supports LDAPv3 servers

• Attributes default to the Microsoft AD schema

• Configuration is highly customizable

• Jabber expects attributes to be indexed correctly and will use optimized ANR queries by default

• Jabber has two LDAP configuration models

– Basic Directory Integration (BDI), Mac, Android & iOS

– Enhanced Directory Integration (EDI), Windows

• Windows EDI mode uses Microsoft ADSI, which provides Directory auto discovery and Windows integrated authentication


Group working


Jabber provides a number of features enabling group collaboration

Implementing group chat, file transfer and conferencing extends the user experience


Jabber Group Working

What are Persistent Chat Rooms

• A Jabber chat room is an XMPP persistent text chat function provided by the Cisco Unified IM & Presence server

• Rooms have a discussion subject i.e. “Currency trading”

• Members gather and have text conversations inside the room

• Rooms can be public or restricted (closed).

• Rooms may require a password for access.

• Rooms can be created by Admins or Users (based on policy)

• Persistent Chat rooms are supported by Windows and Mac (Mac 11.0)

"eventplanning358951823618236@conference-2-standalonecluster764bb.tme-example.com"


Jabber Group Working

Jabber Hub View – Chat Room Tab

• Chat rooms can be enabled for clients running in On Premise mode.

• The required backend infrastructure must be in place (Database servers)

• The administrator enables the chat room feature in the Jabber clients via the XML configuration file

• The Chat rooms icon will appear on Jabber hub view.

• A Badge indicates Chat Room activity

Chat Icon with badge


All Rooms: Catalogue of all rooms defined in deployment

My Rooms: Rooms that I am a member of.

Filters: User defined filtered chat/room views.

Jabber Group Working

Jabber Hub View – Chat Room Tabs


Jabber Group Working

Chat Room Features


Jabber Group Working

What do I need to enable Chat Rooms

• IM&P Server 10.0+ (10.5.2+ recommended)

• PostgreSQL or Oracle Database

• Linux Host with SSH v2 (for file transfer)

• Jabber for Windows 9.7+ (10.5+ recommended)

• End Users that Persistently Chat….


Jabber Group Working

Infrastructure

[Diagram labels: Unified Communications Manager, Cisco IM & Presence, Database Server, ODBC, External File Server (optional), SSH, Jabber for Windows Clients.]


Jabber 11.0 provides new Group Chat Escalation Features

Jabber Group Working

Conference Experience Enhancements

Cloud CMR Escalation Cloud CMR Support for Video(SIP) and WebEx

IM Desktop Share (Windows only) enhancement 10 parties in share

Audio/Video Bridge Conferencing Escalate call to bridge DN/URI destination

WebEx Personal Room Escalation support for WebEx Personal Rooms


Application integration


Jabber provides integration options for desktop environments

Microsoft Office integration allows users to access Jabber functions directly from applications like Outlook


Application Integration

Microsoft Office Integration

• Cisco Jabber for Windows integrates with Outlook 2010, 2013 and 2016


Application Integration

Save my Chat to Outlook / File (Jabber 10.6+)

• Jabber for Windows now provides the option to save Chat / IM conversations to Microsoft Outlook.

• IM messages saved via Exchange server

• Feature can be enabled/disabled by the Jabber administrator as required (disabled by default)

• Alternatively Jabber can save chats to a folder on a local drive for use by the Windows search function


Application Integration

Save to Outlook Configuration

• Administrator must enable save to Outlook, disabled by default for compliance

• Enabled using EnableSaveChatHistoryToExchange in jabber-config.xml file

• Jabber will discover Exchange server using auto discovery by default

• Admin options to manually specify servers and authentication method

• User also has advanced options to specify server if required


Application Integration

Web Directory Integration

• Jabber provides URI handlers that can be incorporated into web pages

• Using simple HTML / JavaScript a page can support

• XMPP: - Chat Messages

• TEL: - Voice/Video Calls


Application Integration

What about other applications….?

• Jabber provides a global hot key which can be used to call the contents of the clipboard

• Admin can enable/disable and change key combination. (disabled by default)

• jabber-config.xml:

<MakeCallHotKey>True</MakeCallHotKey>

<MakeCallHotKey>CTRL+SHIFT+B</MakeCallHotKey>
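The slides name two jabber-config.xml settings that are off unless an administrator turns them on: EnableSaveChatHistoryToExchange (disabled by default for compliance) and MakeCallHotKey. The following is an added example, not part of the original deck or of any Cisco tooling: it audits a config file for those two parameters and for the two mistakes that are easy to make by hand (an unclosed tag and the same parameter given twice); the sample files are constructed, the `<config>/<Options>` wrapper is an assumption, and so is the rule that any value other than empty or "false" counts as enabling.

```python
"""Added example: audit a jabber-config.xml for the two settings named on the slides."""
import xml.etree.ElementTree as ET

# Parameter names from the slides; both features are described there as disabled by default.
WATCHED = ("EnableSaveChatHistoryToExchange", "MakeCallHotKey")

# Constructed sample files. The <config>/<Options> wrapper is an assumption.
SAMPLE_OK = """<config version="1.0"><Options>
  <EnableSaveChatHistoryToExchange>True</EnableSaveChatHistoryToExchange>
  <MakeCallHotKey>CTRL+SHIFT+B</MakeCallHotKey>
</Options></config>"""

SAMPLE_DUPLICATE = """<config version="1.0"><Options>
  <MakeCallHotKey>false</MakeCallHotKey>
  <MakeCallHotKey>CTRL+SHIFT+B</MakeCallHotKey>
</Options></config>"""

# Closing tag written without its slash: the file is no longer well-formed XML.
SAMPLE_BROKEN = """<config version="1.0"><Options>
  <MakeCallHotKey>True<MakeCallHotKey>
</Options></config>"""


def audit(xml_text):
    """Return a dict with 'error', 'enabled' and 'ambiguous' keys."""
    report = {"error": None, "enabled": {}, "ambiguous": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        report["error"] = f"not well-formed XML: {exc}"
        return report
    values = {}
    for element in root.iter():          # document order, any nesting depth
        if element.tag in WATCHED:
            values.setdefault(element.tag, []).append((element.text or "").strip())
    for name, seen in values.items():
        if len(seen) > 1:                # same parameter twice: intent is unclear
            report["ambiguous"].append(name)
        # Assumption: any value other than empty or "false" asks for the feature.
        on = [v for v in seen if v and v.lower() != "false"]
        if on:
            report["enabled"][name] = on
    return report


if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("duplicate", SAMPLE_DUPLICATE),
                        ("broken", SAMPLE_BROKEN)):
        print(label, audit(text))
```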



Closing Thoughts


What did your last Jabber deployment score?

Did you get 100%?

GOOD USER EXPERIENCE

PLANNED DEPLOYMENT

= SUCCESS
