The Ultimate Cisco Jabber Specialist 2 Lab Guide - NoVideo

The Ultimate Cisco Jabber Specialist 2 Lab
2014 Edition


Lab Guide Version 2.8 Presented by The Solutions Readiness Engineers Page 2 of 274

Table of Contents
Section 1: About The Lab .................................................................................................................. 3
What is Cisco Jabber ................................................................................................................................. 4
Related Links ............................................................................................................................................. 7
Lab Overview ....................................................................................................................................... 8
Jabber Specialist I 2013 Edition Video Walk Through ............................................................................. 13
Task 1: Accessing the Lab Equipment ......................................................................................... 14
Task 2: Connecting to Remote Workstations & Servers ....................................................... 16
Section 2: System Preparation ...................................................................................................... 20
Sys Prep: CUCM Server Name to FQDN .................................................................................. 21
Section 3: Jabber Specialist Features ......................................................................................... 22
JST Features Task 1: Service Discovery Configuration ..................................................... 23
JST Features Task 2: Jabber Client Win Standard Install ................................................ 27
JST Features Task 3: Bootstrap Jabber for Windows Install ........................................... 32
JST Features Task 4: Certificate Management ..................................................................... 43
JST Features Task 5: Collab Edge with Cisco ExpressWay .............................................. 68
Short Video on Cisco ExpressWay Virtual Machine Deployment ........................................................... 68
JST Features Task 6: Adding User Photos to Web Server .............................................. 139
JST Features Task 7: URI Dialing ............................................................................................ 148
JST Features Task 8: Persistent Chat .................................................................................... 164
Short video on PostresSQL database install ......................................................................................... 165
JST Features Task 9: Jabber Guest ......................................................................................... 202
Short Video on deploying the Expressway Virtual Machines ............................................................... 205
Short video on deploying Jabber Guest Server Virtual Machine .......................................................... 205
Section 4: Appendix ......................................................................................................................... 270
Appendix A: ExpressWay Options Keys for JSTII Lab ..................................................... 271
Appendix B: CUCM Server Name change to FQDN ........................................................... 272
End Of Lab ............................................................................................................................................ 274



Section 1: About The Lab

Welcome To The
Jabber Specialist II Lab


What is Cisco Jabber
Cisco Jabber is a unified communications application that enables you to be more
productive from anywhere on any device. Find the right people, see if and how they are
available, and collaborate using your preferred method.
Todays global, distributed work environment has resulted in significant challenges for
workers, making it harder to connect with the right people and significantly increasing the
quantity and modes of communications. Organizations of all sizes are striving to improve
communications in order to retain customers, compete for new business, control costs, and
grow their business globally.
Cisco Jabber for Windows streamlines communications and enhances productivity by
unifying presence, instant messaging, video, voice, voice messaging, desktop sharing, and
conferencing capabilities securely into one client on your desktop. Cisco Jabber for Windows
delivers highly secure, clear, and reliable communications. It offers flexible deployment
models, is built on open standards, and integrates with commonly used desktop
applications. You can communicate and collaborate effectively from anywhere you have an
Internet connection (Figure 1).
Figure 1. Cisco Jabber for Windows



Features and Benefits
Reduce communication delays with presence and contact information: The Cisco Jabber
application enables you to see the availability of co-workers and colleagues within and
outside your organization. You can immediately see who is offline, available, busy, on the
phone, in a meeting, presenting, or in a do-not-disturb state. You can create customized
availability states such as Gone to lunch. Back at 1 p.m. to provide added context. These
capabilities help reduce communication delays and result in faster decision making and
enhanced productivity.
Quickly communicate with borderless enterprise-class instant messaging: Instant
messaging is an important communication option that lets you efficiently interact in todays
multitasking business environment. The Cisco Jabber application delivers enterprise-class
instant messaging capabilities that are based on the Extensible Messaging and Presence
Protocol (XMPP). The solution provides personal and group chat so you can quickly connect
with your business colleagues. Chat history and server-based logging capabilities allow you
to view the content of prior chats and to store messages for convenience, compliance, and
regulatory purposes. Instant messaging is integrated with other communication capabilities
so you can simply move between chats, audio conversations, and web conferences. You can
even share presence and send instant messages to people outside your organization who
may not be using Cisco Jabber. The enterprise-class instant messaging capabilities of this
application provide more efficient, highly secure, flexible, and borderless collaboration.
Bring business-class IP telephony and video to the desktop: Cisco Jabber delivers
business-quality voice and video to your desktop. Powered by the market-leading Cisco
Unified Communications Manager call-control solution, Cisco Jabber is a soft phone with
wideband and high-fidelity audio, standards-based high-definition video (720p), and desk
phone control features. These features mean that high-quality and high-availability voice
and video telephony is available at all locations and to your desk phones, soft clients, and
mobile devices. Cisco Jabber for Windows makes voice communications simple, clear, and
reliable (Figure2).
Figure 2. High-Definition Video with Integrated Audio Controls



Accelerate team performance with multiparty conferencing and collaboration: The Cisco
Jabber application provides for smooth escalation to desktop sharing or Ciscos market-
leading collaboration solution, Cisco WebEx conferencing. You can instantly share
documents and expand chats and conversations to multiparty voice, video, and web
conferencing.
Collaborate from common business applications: You can access the capabilities of the
Cisco Jabber application from common desktop applications such as Microsoft Outlook,
including lighting up presence and click-to-communicate (instant message and audio and
video calling) capabilities. For Microsoft Outlook 2010, you can use the Microsoft contact
card click-to-communicate icons directly from within the application to save time and
streamline workflows because you can view user availability and initiate communications
such as personal and group voice, video, and chat sessions without having to switch
between applications.



Related Links

Expressway
Expressway Basic Configuration (Expressway-C with Expressway-E) Deployment
Guide

Expressway Cluster Creation and Maintenance Deployment Guide

Certificate Creation and Use With Expressway Deployment Guide

Expressway Administrator Guide

Deployment Guide for IM and Presence Service on Cisco Unified Communications
Manager Communications Manager

Cisco Collaboration Edge Architecture

Cisco Expressway Series

Cisco Expressway Series Data Sheet

Jabber Clients
Cisco Jabber for Windows

Cisco Jabber for iPad

Cisco Jabber Android

Cisco Jabber MAC

Certificate Management
Security configuration on IM and Presence

Security Certificate management on CUCM

Security Certificate management on VCS/Expressway

Persistent Chat
External Database Setup for IM and Presence Service

PostgreSQL Database Software Download

Jabber Guest
Cisco Jabber Guest


Lab Overview

Audience and Prerequisites
This document is intended to assist solution architects, sales engineers, field engineers, and
consultants in learning many of the features of Cisco Unified Communications 10.x System,
and Cisco Jabber. This document assumes the reader has an architectural and
administrative understanding of the CUCM and has reviewed the latest CUCM SRND.
Basic knowledge of how to install and administer CUCM and IM&P is recommended however
not necessary.

This is a complex lab with many servers and devices interacting with each
other. It is strongly recommended that a dedicated and undisturbed six
hour window be committed to when completing this lab.

About The Lab
The Ultimate Cisco Jabber Specialist Lab 2014 Edition is completely self-paced and
virtualized. Although great lengths are taken to make all labs as true to real world as
possible, this lab is a virtual lab where pods are cloned, unconventional techniques are
utilized that would not typically be done in a production environment.
In the lab, we will be using Remote Desktop Protocol (RDP), Jabber softphones as well as
other software applications. The goal of the lab is for the attendee to become familiar with
the setup, implementation and usage of CUCM/IMP and Jabber.
This lab was upgraded from a previous UC 9.x Jabber lab and many of the old host names
have not been changed to save on development time. All CUCM/IM&P/CUC servers have
been upgraded to 10.x but many of the host names have remained the same, so the
student will see for example SiteA-CUCM911 host name but the server is really running
10.0.1 code.

Disclaimer
This lab is primarily intended to be a learning tool. In order to convey specific information,
the lab may not necessarily follow best practice recommendation at all times. This exercise
is intended to demonstrate one way to configure the network, servers and applications to
meet specified requirements for the lab environment. There are various ways that this can
be accomplished, depending on the situation and the customers goals/requirements. Please
ensure that you consult all current official Cisco documentation before proceeding with a
production/lab design or installation. By enrolling in this class or having access to this
document you acknowledge you are aware of this disclaimer and its implications.


Lab Guide Key
The following is a description of the conventions, colors, and notation used through this
document:

Sections with this background color and this icon cover the technical description of the
step or task, with items and talking points of interest to technical audiences.

Sections with this background color and this icon provide a lab tip for the step or task.

Sections with this background color and this icon are for scenario description: Provides
background information for performing a step or task.

Sections with this background color and this icon represent a warning: read this section for
special instructions and considerations.

Pods
There are 50 pods in this lab environment; each pod contains the following server
configurations:
CUCM 10.0.1.10000-24 Server Providing local device registration and call
control
Cisco Unified CM IM & Presence Server 10.0.1.10000-24 Providing
Presence and Instant Messaging
Cisco Unity Connection 10.0.1.10000-26 Providing Unified Messaging &
Voice Mail
Two Windows 7 Workstations Student pod access and call clients
Expressway Version Collab-Edge 8.1.1
Expressway Version Jabber Guest 8.2.0
Jabber Guest Server Drop9 10.0.1.216

Sections with this background color and this icon touch on the business benefits of the
step or task with items and talking points highlighting a value proposition of a Solution.


Lab Topology
In this lab topology each device is a virtual machine (VM). This lab is operating on Unified
Computer System (UCS) B-Series or C-Series systems. VMware ESXi 5.1 is the operating
system and hypervisor running on each lab host computer.

The lab UCS host computers are oversubscribed and are not following
Ciscos best practices for UC on UCS. Please follow the best practices
outlined on the uc-virtualized web site, this web site can be found here.
http://cisco.com/go/uc-virtualized

This topology shows one pod of equipment



Lab Addressing Tables Internal and External Addresses
Domain SiteB.com X pod number
Subnet Masks /24 50 total pods

Cisc0123 (C i s c zero 1 2 - 3) in most cases is the password used
in this lab for all workstations and systems
C1sc0123 (C 1 s c zero 1 2 3) is used for SiteB-CUCM02,
SiteB-IMP02 platform/OS web page and CLI

Host
Name
IP Address
External
IP Address Internal
(Use from Student
WS)
Domain\User Password

SiteB
SiteB-CUCM911 172.19.X.110 10.1.2.110 Administrator Cisc0123
SiteB-CUCM02 10.1.2.111 Administrator Cisc0123
OS Admin & CLI Administrator C1sc0123
SiteB-IMP911 172.19.X.112 10.1.2.112 Administrator Cisc0123
SiteB-IMP02 10.1.2.113 Administrator Cisc0123
OS Admin & CLI Administrator C1sc0123
SiteB-CUC911 172.19.X.115 10.1.2.115 Administrator Cisc0123
SiteB-AD 172.19.X.120 10.1.2.120 Administrator Cisc0123
SiteB-WS01 172.19.X.201 10.1.2.201 SiteB\aace Cisc0123
StieB-WS02 172.19.X.202 10.1.2.202 SiteB\bbad Cisc0123
SiteB-ExpC01 172.19.X.142 10.1.2.142 admin Cisc0123
SiteB-ExpC02 172.19.X.143 10.1.2.143 admin Cisc0123
SiteB-JabGstC01 172.19.X.42 10.1.2.42 admin Cisc0123
SiteB-JabGstSrv01 172.19.X.43 10.1.2.43 admin Cisc0123

Mock Internet
Mock-Inet-DNS 172.19.X.220 10.1.3.20 Administrator Cisc0123
SiteB-ExpE01 172.19.X.242 10.1.3.142 admin Cisc0123
SiteB-ExpE02 172.19.X.243 10.1.3.143 admin Cisc0123
SiteB-JabGstE01 172.19.X.225 10.1.3.42 admin Cisc0123
SiteB-WS01 172.19.X.240 10.1.3.101 SiteB\aace Cisc0123
StieB-WS02 172.19.X.241 10.1.3.102 SiteB\bbad Cisc0123

If you use the VM Workstations to access the UC Servers web
admin you will need to use the INTERNAL addresses to gain
access to the servers.

If you use your local computers browsers to access the UC
servers web admin you will need to use the NAT addresses



System Version Table
Description Version
Cisco Unified Communication Manager 10.0.1.10000-24
Cisco Unified CM IM & Presence 10.0.1.10000-24
Cisco Unity Connection 10.0.1.10000-26
Student Remote Work Stations Windows 7
MS Active Directory Server Windows 2008 R2 64
Jabber for Windows Version 9.7.0.18474
ExpressWay Collab Edge 8.1.1
ExpressWay Jabber Guest 8.2.0
Jabber Guest Server Drop 9 10.0.1.216

Connectivity to the Lab Environment
Detailed instructions will be given at the beginning of Task 1, on how to access the lab.
Connectivity to the lab will be achieved through a VPN connection via Cisco AnyConnect and
thereafter Remote Desktop Procedure (RDP) to the workstations.

Lab Pre-configuration
There are many parts of the lab that are prebuilt and preconfigured before the start of class.
Namely:
CUCM/IM&P/CUC/Expressway/Windows Server & Workstation VM Installations
Basic Dial Plan
User, Passwords, & PINs in Active Directory
Voice Mail Configuration
CIPC devices added to CUCM database
2 Windows 7 workstations per site, two sites per pod with CIPC running at startup
and registered to CUCM
Microsoft Windows 2008 & 2012 R2 server with AD, DNS, DHCP, NTP, FTP installed in
the central HQ. All users and DNS entries configured in advance
Site B is completely pre-configured except for Cisco Expressway



This lab is a follow along to last years wildly successful Jabber Specialist 2013 Edition. In
the 2013 edition lab the student performed a full Cisco CUCM/Presence/CUC/Jabber
deployment based on UC version 9.1.1 and Jabber Windows 9.2. This video is a walkthrough
of the 2013 edition of the Jabber Specialist Lab.

Jabber Specialist I 2013 Edition Video Walk Through
Watch this video in HD here - http://youtu.be/S6eoeQsH9ds
The lab guide for this lab can be found at - https://db.tt/TMSpQ4g3


Task 1: Accessing the Lab Equipment
This section of the lab walks the student through the process of setting up a VPN connection
to the Solutions Readiness Engineers (SRE) lab

Activity Objective
In this activity, you will learn the methods to access the lab equipment remotely.

Required Resources
Student PC connected to the internet.

Cisco AnyConnect Pre-Installed Install and Connect with Cisco
AnyConnect SSL VPN Client

The ASA might require an upgrade of
the AnyConnect client on the student
computer if an older version is in use

Step 1 Launch the Cisco AnyConnect VPN client

Step 2 Enter uctraining.cisco.com/jabber
Step 3 Click Connect

Step 1 Open a web browser and connect to
http://tinyurl.com/CiscoAC31

Step 2 Download and install Cisco AnyConnect

Step 3 Continue to left side of
this table and use the
Cisco AnyConnect Pre-
Installed steps to VPN
into the SRE Lab after
you have installed AnyConnect on your
computer

This section is for students
that have Cisco AnyConnect
installed on their computer.
This section is for students that
DO NOT have Cisco AnyConnect
installed on their computer.


Step 4 Enter the lab Username & Password
(username = stu5xy (xy=pod#), for
example stu501 for pod01, and stu522 for
pod22).
The password will be assigned by the
instructor at the start of the lab

Step 5 Click OK to login
Step 6 Click Accept on the connection banner

Step 7 Continue to Task 2



Task 2: Connecting to Remote Workstations & Servers
Each pod will connect to 4 RDP connections in this section of the lab

Step 8 Click Start All Programs Accessories Remote Desktop
Connection, from the students personal computer
Step 9 Click Options
Step 10 Select Local Resource Tab
Step 11 Click Settings, under remote audio

Step 12 Select Play on this computer & Do Not Record
Step 13 Click OK



Step 14 Select the General tab and fill in the next two steps in the chart
X = you pod number (for example pod 5 = 172.19.5.220)
1
nd
RDP Session 2
nd
RDP Session 3
rd
RDP
Session
4
th
RDP
Session
Step 15 172.19.x.220 172.19.x.120 172.19.x.201 172.19.x.202
Step 16 siteb\Administrator siteb\Administrator siteb\aace siteb\bbad

The 172.19 addresses in the chart below are for students to access their pods various Web
Admin pages from their own computers browser, while a VPN connection is established to
the lab.
Pod # SiteB-InetDns SiteB-AD SiteB-WS01 SiteB-WS02
Users siteb\Administrator siteb\Administrator siteb\aace siteb\bbad
Pod 01 172.19.1.220 172.19.1.120 172.19.1.201 172.19.1.202
Pod 02 172.19.2.220 172.19.2.120 172.19.2.201 172.19.2.202
Pod 03 172.19.3.220 172.19.3.120 172.19.3.201 172.19.3.202
Pod 04 172.19.4.220 172.19.4.120 172.19.4.201 172.19.4.202
Pod 05 172.19.5.220 172.19.5.120 172.19.5.201 172.19.5.202
Pod 06 172.19.6.220 172.19.6.120 172.19.6.201 172.19.6.202
Pod 07 172.19.7.220 172.19.7.120 172.19.7.201 172.19.7.202
Pod 08 172.19.8.220 172.19.8.120 172.19.8.201 172.19.8.202
Pod 09 172.19.9.220 172.19.9.120 172.19.9.201 172.19.9.202
Pod 10 172.19.10.220 172.19.10.120 172.19.10.201 172.19.10.202
Pod 11 172.19.11.220 172.19.11.120 172.19.11.201 172.19.11.202
Pod 12 172.19.12.220 172.19.12.120 172.19.12.201 172.19.12.202
Pod 13 172.19.13.220 172.19.13.120 172.19.13.201 172.19.13.202
Pod 14 172.19.14.220 172.19.14.120 172.19.14.201 172.19.14.202
Pod 15 172.19.15.220 172.19.15.120 172.19.15.201 172.19.15.202
Pod 16 172.19.16.220 172.19.19.120 172.19.19.201 172.19.19.202
Pod 17 172.19.17.220 172.19.17.120 172.19.17.201 172.19.17.202
Pod 18 172.19.18.220 172.19.18.120 172.19.18.201 172.19.18.202
Pod 19 172.19.19.220 172.19.19.120 172.19.19.201 172.19.19.202
Pod 20 172.19.20.220 172.19.20.120 172.19.20.201 172.19.20.202
Pod 21 172.19.21.220 172.19.21.120 172.19.21.201 172.19.21.202
Pod 22 172.19.22.220 172.19.22.120 172.19.22.201 172.19.22.202
Pod 23 172.19.23.220 172.19.23.120 172.19.23.201 172.19.23.202
Pod 24 172.19.24.220 172.19.24.120 172.19.24.201 172.19.24.202
Pod 25 172.19.25.220 172.19.25.120 172.19.25.201 172.19.25.202
Pod 26 172.19.26.220 172.19.26.120 172.19.26.201 172.19.26.202
Pod 27 172.19.27.220 172.19.27.120 172.19.27.201 172.19.27.202
Pod 28 172.19.28.220 172.19.28.120 172.19.28.201 172.19.28.202
Pod 29 172.19.29.220 172.19.29.120 172.19.29.201 172.19.29.202
Pod 30 172.19.30.220 172.19.30.120 172.19.30.201 172.19.30.202



Step 17 Enter IP Address for your pod in the computer field
Step 18 Enter Domain\User Name, in the User Name field (see chart above)
Step 20 Enter Cisc0123 in the password field
Step 21 Click OK
Step 22 Click Yes for the remote verification warning



Step 23 Your Remote Desktop should look something
like this

Step 24 Repeat steps 8 - 23 three more times to
open the all four RDP sessions

If you accidentally close CIPC during this lab or it was closed
when you started the workstation you will get a No
compatible sound devices: error if you try to open it. The
workstation must be rebooted to start CIPC again. Do the
following to reboot the workstation

Double click on the WorkStation Reboot icon on the desktop of the
affected workstation.

Wait for 2 minutes and RDP back into the rebooted workstation.



Section 2: System Preparation



Sys Prep: CUCM Server Name to FQDN
In this section the student will explore changes that are necessary on Cisco Unified
Communications Manager (CUCM). During the installation of Cisco Unified Communications
Manager the server name is configured with host-name. The hostname format needs to be
changed to the Fully Qualified Domain Name (FQDN) format.

The reason for changing the CUCM server names from hostname or IP address
to FQDN, is so they can be resolved by the different services on the UC network.
Also during the certificate validation process for Jabber Windows the FQDN is
usually called out in the CA signed certs.

The use of alternate names could be used in creating the certificates but is not
supported by Cisco.

Activity Objective
In this activity, you will learn the methods to:
Exploration only as this task has already been done for the student
Required Resources
None
Changing the CUCM Server Name
The lab network has already been changed for the student due to certificate issues that
would arise later in the lab. The steps to change the CUCM server name have been posted
to the appendix of this lab guide. Please CLICK HERE to review the steps.

Observe below in the first screen shot on the left that the server names are only host
names, and on the screen shot on the right they have been changed to the FQDN.

All UC Servers in this lab are upgraded from 9.1.1 to version 10.0.1. Due to time
constraints the server hostnames and DNS entries have been left as 9.11



Section 3: Jabber Specialist Features



JST Features Task 1: Service Discovery Configuration
Service discovery enables clients to automatically detect and locate services on your
enterprise network. Clients query domain name servers (DNS) to retrieve service (SRV)
records that provide the location of servers.

The primary benefits to using service discovery are:
Speeds time to deployment.
Allows you to centrally manage server locations.

Activity Objective
Access Microsoft DNS Administrator
Configure DNS Service Records on a Microsoft Windows 2008 R2 server
Use NSLookUp to confirm the accuracy and operation of configured SRV records

Required Resources
To complete this section of the lab the student will need a computer that is connected to the
lab via VPN and an RDP connection to your pods SiteB-AD (172.19.X.120).

Configure DNS Service Records

Creating DNS SRV records for Presence server discovery allows the
Administrator to streamline the user experience when first logging into
Jabber. If the Jabber client is configured for On Premise operation
the client will automatically connect to the Presence server
infrastructure within an organization without prompting the user for
server information. This can even be configured to work in a multi-
cluster environment where servers will redirect Jabber clients to their
correct home cluster.

Cisco would recommend this method of configuration a best practice.


Step 25 Switch to SiteB-AD (172.19.X.120) RDP session
opened earlier
Step 26 Click Start Administrative Tools DNS to open
the DNS Manager tool
Step 27 Click the + (plus sign) next to SITEB-AD
Forward Lookup Zone siteb.com
Step 28 Select siteb.com to highlight it
Step 29 Right click siteb.com
Step 30 Select Other New Records, from the pop-up menu
Step 31 Scroll down and select Service Location (SRV)
from the resource record types pop up window

Due to time constraints during the
development of this lab the upgraded CUCM
and IMP server did not get renamed with a
new host name, therefore both the CUCM
and IMP publishers have 911 in their name.
These server have been upgraded to 10.0.1
although their name remains the same.

Step 32 Click Create Record
Step 33 Fill in the following information:
a. Domain siteb.com (pre-filled-in)
b. Service _cisco-uds (underscore cisco)
c. Protocol _tcp (underscore tcp)
d. Priority 0 (default)
e. Weight 0 (default)
f. Port Number 8443
g. Host offering this service =
siteb-cucm911.siteb.com
Step 34 Click OK



Step 35 Click Create Record (again)
h. Domain siteb.com (pre-filled-in)
i. Service _cisco-uds (underscore cisco)
j. Protocol _tcp (underscore tcp)
k. Priority 0 (default)
l. Weight 0 (default)
m. Port Number 8443
n. Host offering this service =
siteb-cucm02.siteb.com
Step 37 Click OK
Step 38 Click Done
Step 39 Select _tcp, under siteb.com in the DNS Manager

Jabber will query DNS for SRV records based on user domain in parallel
The highest priority returned record will be used for service

Priority Service HTTPRequest/DNS SRV
1 WebEx Messenger HTTP CAS lookup
2 UC Manager 9.x/10.x _cisco-uds._tcp.example.com
3 Cisco Presence 8.x _cuplogin._tcp.example.com
4 Collaboration Edge _collab-edge._tls.example.com

Step 40 Observe that both _cisco-uds and _cuplogin are both present in the _tcp
section of siteb.com DNS records. The _cuplogin was left over from a
previous install of Jabber version 9.2, _cisco-uds takes priority

Step 41 Close DNS Manager


FYI The reason the sitea-cucm911.sitea.com FQDN has 911 in it is because this
lab was upgraded from a CUCM 9.11 to CUCM 10.0.1 but the host names have not
been changed. Sorry for the confusion, this will be changed in the future with time
permitting.

Verify _cisco-uds DNS Service Records
Step 42 Switch to SiteB-WS01 (172.19.X.201 Alex Ace RDP Session)
Step 43 Click the Command Prompt icon on the task bar
Step 44 Type nslookup
Step 45 Press Enter to enter into nslookup mode
Step 46 Type set type=srv (in all lower case)
Step 47 Type _cisco-uds._tcp.siteb.com
Step 48 Press Enter
Note the output displays the appropriate
information for the _cisco-uds SRV record
that was built in the previous section.

If an error such as the one pictured below is returned check the command entered in above
or confirm your _cisco-uds service record has been configured properly on SiteBs AD.
Do not continue until a positive result is obtained.
Step 49 Close the Command Prompt window
Step 50 Do not close the RDP sessions



JST Features Task 2: Jabber Client Win Standard Install
In this section the students will do two different types of installations of the Jabber client for
Windows. The first will be a standard install from the Jabber Windows MSI file. The second
install will use the Jabber Windows MST file. To complete the second install of Jabber a
Microsoft App called Orca will be used to edit the Jabber Windows MSI install file. The use of
the modified MSI file is called a BootStrap install.

Activity Objective
In this activity the student will install the Cisco Jabber Client for Windows.
One standard install
One bootstrap install
Required Resources
A personal computer VPNed into the lab environment and a RDP session into the labs
workstations.

Logging into Student Remote Workstations
If you have not logged into the student workstations please return to the logging into the
student remote workstations section to login to the student workstations

Installing Jabber on Remote SiteB-WS01
In this section Jabber will be installed on the SiteB-WS01 without any changes to the MSI
file. In the next section the MSI file will be edited.

Jabber for Windows ships as a MSI installer files. Cisco provides a single
MSI file for both on premise and cloud configurations. In its default mode
the MSI will prompt the user for configuration data. Later in the lab you
will see how this file can be customized to avoid asking an end user for this
information.

Step 51 Switch to Siteb-WS01 (172.19.x.201 Alex Ace) RDP Session (if not already
there)
Step 52 Launch the Firefox browser, on SiteB-WS01
Step 53 Browse to the following URL from SiteB-WS01 Firefox
app to download Jabber
http://tinyurl.com/CiscoJabberSetup

Or use the Firefox Favorites Bar on SiteB-WS01, in the
Jabber Install folder
Step 54 Click OK, on warning (if any)


Step 55 Click Download Jabber from the Dropbox web site
Step 56 Click Save File

Step 57 Click CiscoJabberSetup.msi in the
Downloads window or folder
Step 58 Click Run
Step 59 Click Accept and Install

Step 60 Click Yes, when asked to allow changes to be
made to this computer (wait For it)
Step 61 Keep Launch Cisco Jabber checked
Step 62 Click Finish

Step 63 Close all Firefox windows



Step 64 If the remote desktop screen is minimized (not full screen) Jabber will most
likely open to the far right on the screen. If this happens scroll to the right
to see Jabber on the screen
Step 65 Login to Cisco Jabber will occur in a later section

Checking Certificates
Later in this lab guide the student will work with certificate management. This section is to
start becoming familiar with certificate interaction.
Step 66 Open the Command
Prompt window form the
task bar on SiteB-WS01
Step 67 Enter certmgr
Step 68 Press Enter
Step 69 Select Enterprise Trust Certificates (there might not be a certificate
subfolder for enterprise trust if there are no certificates)
Step 70 Observe there are no trusted certificates in the right panel of Certificate
manager
Step 71 Do not close Certificate Manager



This is how it will look if no Enterprise Certs have been entered. This is the
default for the lab workstations.

Step 72 Log in to Jabber with on SiteB-WS01:
a. Username aace@siteb.com
b. Click Continue

If the Cisco Jabber client fails to discover the
network service, this is most likely an issue with the
SRV record created in the first section of this lab
guide. Use NSLOOKUP in the command prompt from
this workstation to troubleshoot this issue. CLICK
HERE to return to the DNS configuration section.



c. Click Manual setup and sign-in
d. Observe Automatic, is the default install
account type
e. Click Cancel
f. Password Cisc0123
g. Select Sign me in when Cisco Jabber
Starts
h. Click Sign In

Step 73 Observe Certificate Manager with each
certificate you accept, Press F5, to refresh the certificate manager after each
accepted certificate or wait until all certificates and only press F5 once

The certificates presented here are the self-signed certificates that are installed
with CUCM/CUP/CUC

Step 74 Click Accept, to all warning messages to
accept the certificates that are not valid.
(There will be four or five certificate
warnings, sometimes it takes a few minutes
for timers to pop to get all 5)

Step 75 Notice, once logged in, that Alice Adams has a User Photo.
Photos were added to Active Directory during the building
of this lab
Step 76 Close Certificate Manager
Step 77 Close DOS Box


JST Features Task 3: Bootstrap Jabber for Windows Install
The CiscoJabberProperties.mst is used to modify the CiscoJabberSetup.msi to create
custom installers. When installing the custom Jabber Install MSI file, edited by Orca, it is
now referred to as a Bootstrap install.
The CiscoJabber-Admin-ffr.9-6 will be downloaded to the SiteB-AD server for use with
this lab. There are only a few entries that are different between the 9.6 and the 9.7 Admin
file, and the additional settings are not needed for this lab. (The 9.7 admin file was not
ready for the we released of this lab)
The Microsoft Orca program from the Microsoft Windows SDK has been installed on the
SiteB-AD server for use with this lab. The Jabber admin might need to edit the Cisco
JabberSetup.msi Installer package (.msi) files directly to customize the installer for their
particular deployment needs. The Orca database editor is a table-editing tool available in
the Windows Installer SDK and can be used to edit your .msi files. This lab discusses how to
use the Orca editor to modify the lab .msi files.

Warning Editing an MSI file can cause serious problems that may leave your
system in an unstable state. Cisco Systems cannot guarantee that problems
resulting from the incorrect use of the MSI file editor can be solved. Modifications
of the MSI file of a shipping product should only be attempted under direct
instruction from the product's vendor. Always make a copy of the file(s) being
modified.

An Administrator can create a customized Jabber installer for their
organization.

In this section a customized Jabber installer will be built using the
Microsoft Orca tool. The Orca tool allows an Administrator to apply an
MST transformation file to an MSI. Cisco provides an MST file in the
Jabber admin pack downloadable on cisco.com

In this section we are going to edit a Jabber MSI install file which is hardcoded to
install with additional parameters to make the end user first login experience
shorter and less frustrating.

This configuration also means the Jabber client will look for a CUCM server by
default using the _cisco-uds SRV Record created earlier in the lab.

Activity Objective
In this activity the student will edit and repackage the CiscoJabberSetup.msi with the
Microsoft Orca app as well as perform a bootstrap install, configure, and operate the Cisco
Jabber Client for Windows.



Required Resources
A personal computer VPNed into the lab environment and two RDP sessions into the lab.
On to the SiteB workstations and the second to the SiteB-AD server.
Logging into the Student Remote Workstations
If you have not logged into the student workstations please return to the logging into the
student remote workstations section to login to the student workstations
Editing and Repackaging the CiscoJabberSetup.msi install file
In this section the student is going to download TWO files from Dropbox, one MSI and one
MST file. These two files will be downloaded to Siteb-AD, and used to create a Jabber Client
Bootstrap install.
Step 78 Return to or Open SiteB-AD server (172.19.X.120), RDP session
Step 79 Launch Firefox on SiteB-AD
Step 80 Browse to the following URL http://tinyurl.com/CiscoJabberSetup to
download the Jabber MSI Install file

Or use the Favorite in the Jabber Install folder

Step 81 Click Download



Step 83 Browse to the following URL http://tinyurl.com/CiscoJabberMST to
download the CiscoJabber MST Properties file

Or use the quick link on the Bookmarks Toolbar under
Jabber Install

Step 84 Click Download
Step 85 Select to Save File and Click OK

Step 86 Close all Firefox browser windows
Step 87 Start Microsoft Orca by clicking the Killer Whale icon on the task bar on of
the SiteA-AD server (172.19.x.120)

Step 88 Click File Open
Step 89 Browse to C:\Users\Administrator\Downloads
Step 90 Select CiscoJabberSetup.msi
Step 91 Click Open
Step 92 Click View Summary Information
Step 93 Locate the Languages field
Step 94 Remove all language codes except for 1033

Step 95 Click OK
Step 96 Click Transform Apply Transform


Step 97 Browse to C:\Users\Administrator\Downloads (should already be here)
Step 98 Select Installer Transforms (*.MST) for the files of type
Step 99 Select CiscoJabberProperties.mst

Step 100 Click Open (Wait for it its a little slow to open)
Step 101 Scroll down in the list of Tables in the left pane
Step 102 Select the Property table
Step 103 In the Property window scroll down to the green outlined properties (right
pane)



Step 104 Enter siteb.com in the Value for the SERVICE DOMAIN property field
Step 105 Enter 1 (number one) in the CLEAR property field

Step 106 Now select and highlight USE FT GATEWAY, 3
rd
from the top of the green
bordered list
Step 107 Hold the SHIFT key
Step 108 Select EXCLUDE SERVICES, while holding shift key it should highlight all the
fields except the two that were edited

There are many different customizable fields in the MSI file. In this lab we
will change two: Service_Domain and Clear. By setting Clear to 1 you
enable Jabber directories to be deleted during upgrade or uninstall. To see
more about the different fields Click Here

SERVICES_DOMAIN Domain Sets the value of the domain where the
DNS SRV records for Service
Discovery reside.
This argument can be set to a domain
where no DNS SRV records reside if
you want the client to use installer
settings or manual configuration for this
information. If this argument is not
specified and Service Discovery fails,
the user will be prompted for services
domain information.



Step 109 Click Table Drop Rows from the Orca menus. Only two green outlined
rows should remain as seen below
Caution! Do not to click Drop Table
Step 110 Click OK to confirm the dropped rows

Step 111 Click Tools Options
Step 112 Select the Database Tab
Step 113 Select Copy embedded streams
during Save As
Step 114 Click Apply
Step 115 Click OK
Step 116 Click File Save Transformed As
Step 117 Browse to C:\Users\Public\Jabber
Step 118 Type SiteBJabberInstall in the name
field



Step 119 Click Save
Step 120 Click OK to the Orca copy error message, if
one pops up
Step 121 Close Orca
Step 122 Click NO on the save changes to CiscoJabberSetup.msi pop-up warning

Bootstrap Jabber Install on Remote SiteB-WS02 Using the Custom MSI File
Default Configuration
In most environments, Cisco Jabber for Windows does not require any configuration to
connect to the CUCM server and perform directory queries.
In on-premises deployments, Cisco Jabber for Windows uses the _cisco-uds SRV record to
automatically discover Cisco Unified Communications Manager. If you add a DNS SRV record
for the _cisco-uds service name in the DNS server on the CUCM server domain, Cisco
Jabber for Windows can automatically connect to that CUCM server.
For directory integration in on-premises deployments, Cisco Jabber for Windows uses
Enhanced Directory Integration by default. If you install Cisco Jabber for Windows on a
workstation that is registered to an Active Directory domain, Cisco Jabber for Windows
automatically discovers the directory service and connects to a Global Catalog in the
domain.
In cloud-based deployments, Cisco WebEx Messenger provides Cisco Jabber for Windows
with presence capabilities and contact resolution. You perform all configurations for Cisco
Jabber for Windows using the Cisco WebEx Administration Tool. However, you can configure
Cisco Jabber for Windows in hybrid cloud-based deployments with additional options.
Custom Configuration
You should configure Cisco Jabber for Windows if:
You do not install Cisco Jabber for Windows on a workstation that is registered to an
Active Directory domain.
You plan to connect to Cisco Unified Communications Manager User Data Service or
another supported LDAP directory instead of EDI.
You need to specify custom settings so that Cisco Jabber for Windows can correctly
use your directory service. Custom directory settings include the following:


o Attribute mappings
o Connection settings
o Contact photo retrieval settings
o Directory search settings
o Intradomain federation settings
You plan to deploy with custom content such as the following:
o Scripts that allow users to submit problem reports
o Files that enable automatic updates
o Custom embedded tabs for displaying HTML content
o URLs that enable users to reset or retrieve forgotten passwords
You plan to deploy with custom policy configuration such as the following:
o Disabling screen captures
o Disabling file transfers
o Disabling video calls
You plan to specify a credentials configuration in your deployment.

In the previous section we used Microsoft ORCA to customize the MSI file, in this
section of the lab we are going to use the newly created MSI file to install our
second student workstation with Jabber. The end result is the end user will skip
the email section of sign-in and go right to logging in.
The same result could be achieved by using the command line install that follows,
from the directory that the MSI directory exists in.

Bootstrap Jabber Install for Jabber for Windows
Step 123 Switch to SiteB-WS02 (172.19.X.202 Black Bad) RDP session
Step 124 Click the button formally known as Start
Step 125 Type \\10.1.2.120\Users\Public\Jabber in the Run
field just above the Start button
Press Enter. An Explorer window should open to the
mapped drive



Step 127 Double Click SiteBJabberInstall to start the Jabber installation (wait for it)

Step 128 Click Run on the security warning (if any). Be
patient as this takes some time
Step 129 Click Accept and Install

Step 130 Click Yes, to allow the following program to make changes to this computer
(This window takes a min to pop up)

Step 131 Keep Launch Cisco Jabber Checked
Step 133 Minimize the windows Explorer window



Step 134 If the remote desktop screen is minimized (not full screen) Jabber will most
likely open to the far right on the screen. If this happens scroll to the right
to see Jabber on the screen.

In the previous section the student did a standard install with no
customization to the CiscoJabberSetup.msi file. When Jabber started
for the first time the student was presented with a login screen that
asked for the users email address.

In this second Jabber install the student installed
the customized CiscoJabberSetup.msi file that
was edited with the MS Orca tool. The follow two
parameters were added to the MSI file.

When Jabber starts for the first
time with the customized install Jabber should skip the
email address screen and go directly to the user name
and password screen. Jabber uses the _cisco-uds
service record in DNS to locate the Cisco Unified Communications Manager to login using TCP
on port 8334.

Another way to see if the bootstrap values made it to the computer
running Jabber is to look at the Jabber bootstrap file on the
workstation.

The file exist on the workstation that Jabber Client is installed.
Located in the C:\ProgramData\Cisco Systems\Cisco Jabber - In the
case of our lab it is on SiteB-WS02. ProgramData is a hidden folder
so it will need to be un-hidden, or programdata can be typed in
manually at the top of the file explorer even when it is hidden.

Notice in the screen shot the entries that were added to the MSI
install file are in the jabber-bootstrap file



Step 135 DO NOT login to SiteB-WS02s Jabber client at this time

In a previous section of this lab the student installed Cisco Jabber default MSI
install file on SiteB-WS01. After the install the student logged in the Jabber client
as Alex Ace. During the login process the Jabber client presented five invalid
certificates.

The next task focuses on Certificate Management. At the end of the task
SiteB-WS02 Jabber client we be logged in as Blake Bad and the Jabber
client should NOT present any invalid certificates.



JST Features Task 4: Certificate Management
In this section of the lab the self-signed certificates that are on the UC servers at the time
of install will be replaced by Certificate Authority (CA) signed certificates.

The certificates for SiteB-CUCM911, SiteB-CUC911 & SiteB-IMP911 have already been
uploaded with CA signed certificates. The student will replace the self-signed certificates on
SiteB-CUCM02 and SiteB-IMP02 with CA signed certificates.

Cisco Jabber uses certificate validation to establish secure connections with servers.
When attempting to establish secure connections, servers present Cisco Jabber with
certificates. Cisco Jabber validates those certificates against certificates in the
Microsoft Windows certificate store. If the client cannot validate a certificate, it
prompts the user to confirm if they want to accept the certificate.

Activity Objective
Access Microsoft Certificate Manager
Create CA signed certificates using Microsoft Certificate Authority (CA)
Deploy CA signed certificates to CUCM/IM&P/CUC
Required Resources
To complete this section of the lab the student will need a computer that is connected to
the lab via VPN, and an RDP connection to your pods SiteB-AD (172.19.X.120).
Installing Certificate Authority Role on Windows 2008 R2 Server
Although installing MS Certificate Authority (CA) Role is not part of the Cisco Unified
Communication solution, it is necessary to have access to a 3
rd
party CA server to create
signed certificates. For simplicity, the MS CA Role was chosen for this lab since an MS
Windows 2008 R2 (Win2K8R2) server running as the Active Directory and Exchange server
already exists. This quick video will show the steps completed to prepare the Win2K8R2
server to be a CA.

Short Video on Installing Microsoft Certificate Authority Role on Win2K8R2
Watch this video in HD here - http://youtu.be/pr-mJrJSfV8



Download CA Root Certificate from CA Server
In this section the Certificate Authority (CA) Root Certificate will be downloaded from the CA
server, and uploaded to SiteB-CUCM02, and SiteB-IMP02 tomcat-trust.

As part of the building of this lab the developers already uploaded
the CA Root Certificate to the publishers, or SiteB-CUCM911, and
SiteB-IMP911 servers. This section does not need to be done in the
lab due to the fact that the CS Root Cert will be replicated from the
publisher to all servers in the cluster. You will notice when you look
at the subscribers in the lab the CA Root Cert will already be on the
servers. We are going to go ahead and add the CA Root Cert to the
subscribers so the student understands what process was taken on
the publishers to add the CA Root cert to the UC Servers.

Step 136 Switch to the SiteB-AD (172.19.X.120 x=pod#) RDP session

Step 137 Launch Firefox by clicking the icon on the task bar at the bottom of the
desktop

Step 138 Click Certificate Services on Firefoxs favorite bar

a: Log in to Certificate Services
with:Username Administrator
b: Password Cisc0123
Step 139 Click Download a CA certificate, certificate
chain, or CRL

Step 140 Select Base 64 under Encoding Method



Step 141 Click Save File (should be the default)

Step 142 Click Download CA Certificate
Step 143 Click OK to save the CA certificate
Step 144 Click the Firefox Download Arrow in the
upper left corner
Step 145 Click the File Folder next to certnew.cer
Step 146 Click Download CA certificate

Step 147 Right click certnew.cer in the Explorer window

Step 148 Click Rename from the pop-up menu

During the course of this lab the student will create many certificates, it is much
easier to track which certificates are which but renaming each one as you create
them.

Step 149 Rename the file to CARootCert.cer

Step 150 Close File Explorer window



Upload CA Root Certificate to CUCM
This section is going to be repeated two times, to gain an understanding of certificate
management. Notice that the first part of certificate management is not being repeated
because the same CA Root certificate download file can be reused on all devices that need a
copy of the CA Root certificate.

Step 151 Return to the Firefox browser on SiteB-AD (172.19.X.120 x=pod#) RDP
Session

Step 152 Click + to open another browser
tab

This section of the lab will be done two times so that the certificates for 2 UC
servers will get their CA signed certificates. The server OS passwords are different,
notice the i is really a 1 (one) on these servers. (this section will repeat at step 253)

SiteB-CUCM02 SiteB-IMP02
OS Pass = C1sc0123 OS Pass = C1sc0123

SiteB-CUCM02
First Pass
SiteB-IMP02
Second Pass
Step 153 Click SiteB-CUCM02 favorite
in the SiteB-UC Favorite folder
Click SiteB-IMP02 favorite in the SiteB-UC
Firefox Favorite folder

Step 154 Click Cisco Unified Communications Manager (2
nd
time click Cisco
Unified Communications Manager IM and Presence)

Step 155 Click I Understand the Risks on the untrusted connection warning (If
presented)

Step 156 Click Add Exception on the untrusted connection warning (If presented)

Step 157 Click Confirm Security Exception on the add security exception pop-up (If
presented)


Step 158 Select Cisco Unified OS Administration from the top left Navigation drop-
down menu (IM and Presence OS Administrator on the 2
nd
pass)
Step 159 Click Go

Step 160 Log in using the following credentials:
a. Username Administrator (Case Sensitive)
b. Password C1sc0123 (Case Sensitive)
c. Click Login
Step 161 Click Security Certificate Management

Step 162 Click Find
Step 163 Observe the self-signed certificates that exist on CUCM by default at install

The CA Root Certificate was uploaded to the Tomcat-trust of the publisher during
lab development, and has been replicated to the subscribers in the cluster.

Observe the tomcat-trust has a certificate from siteb-STITEB-AD-CA.pem, that is
the root certificate that was replicated from the publisher to this subscriber.
Previous to the upload of the CA Root Cert the tomcat-trust on the publisher and
this subscriber was the self-signed certificate generated by the CUCM server
installer during the server install.

In this section the student will upload the CA Root to the subscriber so the student
understands what was done to the publisher, although this step could be skipped
due to the replication of the CA Root Certificate form the publisher to the
Subscribers.



Step 164 Click Upload Certificate/Certificate Chain

Step 165 Select tomcat-trust, (careful here)

Step 166 Enter SiteB-AD CA Root Certificate, in the description

Step 167 Click Browse

Step 168 Click Downloads, on the left side navigation pane

Step 169 Click and Select CARootCert.cer from the list of files and folders

Step 170 Click Open

Step 171 Click Upload File, on the upload pop-up
window

Step 172 Verify the file uploaded successfully

Step 173 Click Close, to close the file upload pop-up window

Step 174 Click Find, to refresh the certificate list


Step 175 Observe that the SiteB-AD CA Root Certificate is now listed (notice no real
change due to the CA Root Cert being replicated form the publisher, also in
some cases the description will not change that is a version issue and has not
effect on the operation)

Generate and Download Certificate Signing Request (CSR)
In this section the student will generate a Certificate Signing Request which in turn will be
used on the MS CA to generate a self-signed certificate for each service on each server.

The following Certificate Management sections will always be done to all of the
servers in the cluster. Each server will have its own CA signed certificate.

Step 176 Click Generate CSR form the OS Administrator web page

Step 177 Fill in the following information in the Generate Certificate Signing Request
pop-up windows:

a. Certificate Name tomcat
b. Key Length 2048
c. Hash Algorithm SHA1
d. Click Generate CSR (will warn you of overwrite and will proceed)

Step 178 Verify Success of CSR generation

Step 179 Click Close, on the Generate CSR pop-up window

Step 180 Click Download CSR

Step 181 Confirm tomcat, is selected



Step 183 Select Save File
Step 184 Click OK to save the CSR

Step 185 Click Close on the Download Certificate Signing Request pop-up window

Step 186 Click the Download Arrow in the upper right corner of Firefox

Step 187 Click the File Folder

Step 188 Right click tomcat.csr in Explorer window


It is good practice to rename each certificate file as you download them to your
local computer, so the certificates do not get mixed up.

Step 190 Rename the file to SiteB-CUCM02_tomcat.csr (2
nd
time use SiteB-
IMP02_tomcate.csr)
The following are the file names for each server you create a cert for (remember this
section is repeated for SiteB-IMP02)
SiteB-CUCM02_tomcat.csr SiteB-IMP02_tomcat.csr


Step 191 Double click SiteB-CUCM02_tomcat.csr, in Windows File Explorer (2
nd
pass
SiteB-IMP02_tomcat.csr)

Step 192 Pick Select a program from a list of installed programs (by passed the
2
nd
time)

Step 193 Click OK (bypassed the 2
nd
time)
Step 194 Select Notepad

Step 195 Click OK

Step 196 Select Format Word Wrap, from the
Notepad menus

Step 197 Press CTRL-A, to highlight everything in the CSR file

Step 198 Press CTRL-C, to copy highlighted data into the computer buffer

Be careful to not change anything in this test file, this is also a difficult
troubleshoot.

Step 199 Close NotePad

Step 200 Close the Windows File Explorer window

Submit and Download SiteB-CUCM02 Tomcat Signed CA Certificate

Step 201 Return to Firefox on SiteA-AD RDP session

Step 202 Switch back to the MS AD Certificate Services Web Page tab



Step 203 Click Certificate Services favorite link to return to the CA Services home
page

Step 204 Click Request A Certificate

Step 205 Click Advanced Certificate Request

Step 206 Click in the Saved Request field to make it
active

Step 207 Press CTRL-V to past the data saved to the
computer buffer

Step 208 Select Web Server for the Certificate
Template

Step 209 Click Submit

Step 210 Select Base 64 encoded

Step 211 Click Download Certificate (careful here)



Step 212 Select Save File (default)

Step 213 Click OK to save the certificate



Step 216 Right click certnew.cer in Explorer window

Step 217 Click Rename on the pop-up menu

Step 218 Enter SiteB-CUCM02_CAtomcat.cer to rename the file (2
nd
pass SiteB-
IMP02_CAtomcat.cer)

SiteB-CUCM02_CAtomcat.cer SiteB-IMP02_CAtomcat.cer

Step 219 Close the File Explorer window

Upload SiteB-CUCM02 CA Signed Tomcat Certificate to CUCM
Step 220 Click the 2
nd
Firefox tab to switch to SiteB-CUCM02 Cisco Unified Operating
System Administration web page (2
nd
pass select the 3
rd
Firefox tab for
SiteB-IMP02)

Step 221 Login with the following information if the previous session logged out
a: Username Administrator
b: Password Cisc0123
c: Click Login

Step 222 Click Security Certificate Management (if not all ready there)




Step 224 Select the following Certificate upload information
a: Certificate Name tomcat
b: Description Self-signed Certificate (default)
c: Upload File Click Browse
d: Upload file Downloads\SiteB-CUCM02_CAtomcat.cer
2nd pass = SiteB-IMP02_CAtomcat.cer

SiteB-CUCM02_CAtomcat.cer SiteB-IMP02_CAtomcat.cer

e: Click Open
f: Click Upload file
g: Click OK, to acknowledge that the Tomcat service needs to be
restarted (if presented with a pop-up box)

Step 225 Verify Successful certificate upload

Step 226 Click Close, to close the certificate upload pop-up window

Step 227 Click Find, to update the Certificate List

Step 228 Observe the updated tomcat and tomcat-trust certificates. Tomcat-trust has a
siteb-SITEB-AD-CA.pem file, and tomcat has a siteb-SITEB-AD-CA in the
description field



Step 229 Click the PuTTy icon on the task bar at the bottom of the SiteB- AD
RDP session

Step 230 Select SiteB-CUCM02 (2
nd
pass select SiteB-
IMP02), from the saved sessions

To open two PuTTy session at a time do the following

Right click the PuTTy icon on the bottom task bar of SiteB-AD
Select SSH, Telnet and Rlogin client

Step 231 Click Open
Step 232 Login With
a: Login as
Administrator (Case
Sensitive)
b: Password C1sc0123
(Case Sensitive)
Step 233 Enter utils service restart
Cisco Tomcat, (Case
Sensitive)
Step 234 Observe and wait for the
Tomcat service to fully stop
and restart (takes about 1
minute You can leave PuTTy open and repeat this section for SiteB-IMP02,
while you wait for SiteB-CUCM02 Tomcat service to restart)
Step 235 Repeat steps 152 235, one more time for SiteB-IMP02 Go ahead and do
the repeat while the service restarts, Close both PuTTy screens when you are
done with both servers
Step 236 Close both PuTTy windows once the Tomcat service has restarted on both
servers
Step 237 Click OK to confirm PuTTy window close



Adding CA Signed XMPP Certificate to SiteB-IMP02
In this section the student will upload the CA signed XMPP certificate to SiteB-IMP02 server.

The CA Root Certificate was uploaded to the publisher IMP server during the
development of this lab, and was replicated to the subscribers. The students are
simply doing this section to ensure their understanding of uploaded the CA Root
Cert to the Tomcat-trust before you generate a CSR form each server.

Step 238 Switch to SiteB-AD (172.19.X.120) RDP Session (if not already there)

Step 239 Switch to the 3
rd
Firefox tab pointing to SiteB-IMP02 OS Administration Web
Page

Step 240 Click Security Certificate Management Do this step even if you are
already there. Force the new certificate to be accepted by Firefox.

Step 241 Accept the invalid certificates

a. Username Administrator
b. Password C1sc0123
c. Click Login


a. Certificate Name cup-xmpp-trust
b. Description SiteB-AD CA Root Cert
c. Upload File Click Browse Downloads\CARootCert.cer
d. Click Upload File

Step 245 Observe the Successful Upload

Step 246 Click Close to close the file upload pop-up
window
Step 247 Click Find to refresh the certificate list
Step 248 Observe that the SiteB-AD CA Root Certificate is now listed for cup-xmpp-
trust



Generate and Download Certificate Signing Request (CSR)
In this section the student will generate and download the CSR for the xmpp service on
SiteB-IMP02.
Step 249 Click Generate CSR

Step 250 Fill in the following information
in the Generate Certificate Signing Request pop-up windows:

a. Certificate Name cup-xmpp
b. Key Length 2048
c. Hash Algorithm SHA1
d. Click Generate CSR (will warn you of
overwrite and will proceed)

Step 251 Verify Success of CSR generation

Step 252 Click Close on the Generate CSR pop-up window


Step 254 Select cup-xmpp, from the Certificate name filed



Step 257 Click OK to save the CSR

Step 258 Click Close on the Download Certificate Signing Request pop-up window





Step 261 Right click cup-xmpp.csr in File Explorer window


It is good practice to rename the certificates as you download them to your local
computer so they do not get mixed up or overwritten with the same name form a
different server.

Step 263 Rename the file to SiteB-IMP02_XMPP.csr
Step 264 Double click the newly renamed file SiteB-IMP02_XMPP.csr
Step 265 Choose Select a program from a list of installed
programs (bypassed the 2
nd
time)
Step 266 Click OK (bypassed the 2
nd
time)
Step 268 Click OK
Step 269 Select Format Word Wrap from the Notepad
menus
Step 270 Press CTRL-A to highlight everything in the CSR file
Step 271 Press CTRL-C to copy highlighted data into the computer buffer

Step 272 Close Notepad




Submit and Download Signed CA Certificate

Step 274 Return to Firefox, on SiteA-AD RDP session

Step 275 Switch back to the first Firefox Tab, with MS AD Certificate Services Web Page

Step 276 Click Certificate Services, favorite in Firefox to return to the CA Services
home page

Step 277 Click Request A Certificate


Step 279 Click Saved Request field to make it active

Step 280 Press CTRL-V to past the data saved to the
computer buffer

Step 281 Select Web Server for the Certificate
Template




Step 284 Click Download Certificate (careful here)


Step 286 Click OK to save the certificate



Step 289 Right click certnew.cer in Windows File Explorer


Step 291 Enter SiteB-IMP02_CAxmpp.cer to rename the file


Upload CA Signed Certificate to IMP02

Step 293 Click 3
rd
Firefox Tab, to switch to SiteB-IMP02 Operating System Console
web page

b. Password C1sc0123
c. Click Login

Step 295 Click Security Certificate Management (if not all ready there)




a. Certificate Name cup-xmpp
b. Description Self-signed Certificate (default)
c. Upload File Click Browse
d. Upload file Downloads\SiteB-IMP02_CAxmpp.cer
e. Click Open
f. Click Upload file
g. Click OK, service restart (if presented)

Step 298 Verify the Successful certificate upload

Step 299 Click Close, to close the certificate upload pop-up window

Step 300 Click Find, to update the Certificate List

Step 301 Observe the updated cup-xmpp and cup-xmpp-trust

Step 302 Click PuTTy icon on the task bar at the bottom of the SiteB-AD
RDP session

Step 303 Select SiteB-IMP02

Step 304 Click Open

Step 305 Enter Administrator login as name

Step 306 Enter C1sc0123 as the password


Step 307 Enter utils service restart Cisco XCP Router, (Case Sensitive)

Step 308 Observe and wait for the Tomcat service to fully stop and restart (takes about
2 to 5 minutes You can leave PuTTy open and continue on and come back in
a few min to finish this section

Step 309 Close the PuTTy window

Step 310 Click OK to confirm closing the PuTTy window

When you are done with this section you will have done certificate management on
2 of the 5 UC servers in the SiteB pod. The other 3 servers certifications were
deployed during lab development.

SiteB-CUCM02
SiteB-IMP02



Adding the CA Root Certificate to SiteB-WS02
In this section the CA Root Certificate will be manually installed to the SiteB-WS02.

The CA Signed Root Certificate can be manually installed on to the workstation or
can be pushed down to the workstations using the group polices on the Active
Directory server.

Step 311 Switch to SiteB-WS02 (172.19.X.202 Blake Bad) RDP session
Step 312 Click Command icon on the bottom task bar

Step 313 Enter certmgr

Step 314 Press Enter

Step 315 Click the Arrow next to Trusted Root Certification
Authority

Step 316 Click and highlight Certificates

Step 317 Observe there is no SiteB-AD certifications in the
Trusted Root CAs

Step 318 Launch Firefox on SiteB-WS02

Step 319 Click Certificate Services on the Firefox favorites bar

Step 320 Login with:
b. Password Cisc0123

Step 321 Click login
Step 322 Click Download a CA certificate, certificate chain, or CRL

Step 323 Select Base 64





Step 326 Click OK

Step 327 Click the Download Arrow in the upper right
corner

Step 328 Click the File Folder, next to the latest
downloaded file

Step 329 Right Click certnew.cer

Step 330 Click Rename

Step 331 Rename the file CARootCert.cer

Step 332 Double click CARootCert.cer
Step 333 Observe that the certificate is from the siteb-
SiteB-AD-CA

Step 334 Click Install Certificate

Step 335 Click Next, on the certificate import wizard welcome screen

Step 336 Select Place all certificates in the following store




Step 338 Select Trusted Root Certification Authorities, from the select certificate
store

Step 339 Click OK

Step 340 Click Next on the certificate import wizard


Step 342 Click Yes on the security warning

Step 343 Click OK on the import was successful message

Step 344 Click OK to close the certificate window

Step 345 Close the File Explorer windows

Step 346 Close Firefox

Step 347 Return to Certificate Manager

Step 348 Select Trusted Root Certification
Authorities (if not all ready there)

Step 349 Press F5 to refresh the list of issued trusts



Step 350 Observe there is now a siteb-SITEB-AD-CA certificate in the trusted root certs
(sometimes CertMgr needs to be closed and reopened to see the CA Cert)

Step 351 Keep Certificate Manager open it will be used in the next section

Testing the CA Signed Certificates

Step 352 Switch to SiteB-WS02 (172.19.X.202) RDP session (if
not already there)

Step 353 Double click Cisco Jabber, if Jabber is not open (Jabber
was left at login screen after the Jabber Bootstrap install)

Step 354 Enter bbad, in the username field

Step 355 Enter Cisc0123, in the password field

Step 356 Click Sign me in when Cisco Jabber Starts

Step 357 Click Sign In

Step 358 Observe that the Jabber client Opens with no prompts to
accept invalid certificates

On the previous section the student had to login to SiteB-
WS01 and five invalid certificates had to be accepted


If for some reason you have to accept one or two invalid certificate but
not all five that means something went wrong with the certificate
uploads on the service in question. If an invalid certificate warning
message appears, note the name of the service that is issuing the
invalid certificate and return to that server and check the certificates.

For example during this certificate management session one certificate
did not get placed on the SiteB-IMP911.siteb.com server

If you go back to fix the certificate on the server, you will need to delete the
accepted certificate on the workstation in the certificate manager, under Enterprise
Certificates.

Step 359 If a certificate gets missed and the invalid certificate has to be accepted to
login. You can troubleshoot the issue, or move on to the next section. Invalid
certificates will not impede progress going forward in this lab



JST Features Task 5: Collab Edge with Cisco ExpressWay
In this section the students will configure a Cisco Expressway E and C cluster as well as test
access from a remote workstation traversing the Expressway pair.

This lab consists of two Expressway Es and two Expressway Cs that have
already been deployed for the student to save time. Also with each deployment
of an Expressway server the serial number is different, which would pose
issues with applying option keys in the lab.

The following video will demonstrate how the Expressways were deployed on
the ESXi hosts in the lab.
Short Video on Cisco ExpressWay Virtual Machine Deployment
Watch this video in HD here - http://youtu.be/Uoi3hosvygs

Activity Objective
Configure Service Records (SRV) on public and internal DNS Servers
Performing the initial configuration of the Expressway E and C Initial Config as well
as configure Traversal zones, Domains, and Certificate Management

Required Resources
lab via VPN, a compatible browser on the students computer, and RDP sessions to the five
devices in the lab.


About the Cisco Expressway
Cisco Expressway is designed specifically for comprehensive collaboration
services provided through Cisco Unified Communications Manager. It features
established firewall-traversal technology and helps redefine traditional enterprise
collaboration boundaries, supporting our vision of any-to-any collaboration.

As its primary features and benefits, Cisco Expressway:
Offers proven and highly secure firewall-traversal technology to extend your
organizational reach.
Helps enable business-to-business, business-to-consumer, and business-to-cloud-
service-provider connections.
Provides session-based access to comprehensive collaboration for remote workers,
without the need for a separate VPN client.
Supports a wide range of devices with Cisco Jabber for smartphones, tablets, and
desktops.
Complements bring-your-own-device (BYOD) strategies and policies for remote and
mobile workers.

The Expressway is deployed as a pair: an Expressway-C with a trunk and line-side
connection to Unified CM, and an Expressway-E deployed in the DMZ and configured with a
traversal zone to an Expressway-C.

The Expressway runs on VMware on a range of Cisco UCS servers. See Expressway on
Virtual Machine Installation

Expressway-C
Expressway-C delivers any-to-any enterprise wide conference and session management and
interworking capabilities. It extends the reach of Telepresence conferences by enabling
interworking between Session Initiation Protocol (SIP)- and H.323-compliant endpoints,
interworking with third-party endpoints; it integrates with Unified CM and supports third-
party IP private branch exchange (IP PBX) solutions. Expressway-C implements the tools
required for creative session management, including definition of aspects such as routing,
dial plans, and bandwidth usage, while allowing organizations to define call-management


applications, customized to their requirements.

Expressway-E
The Expressway-E deployed with the Expressway-C enables smooth video communications
easily and securely outside the enterprise. It enables business-to-business video
collaboration, improves the productivity of remote and home-based workers, and
enables service providers to provide video communications to customers. The
application performs securely through standards-based and secure firewall
traversal for all SIP and H.323 devices. As a result, organizations benefit from
increased employee productivity and enhanced communication with partners and
customers.
It uses an intelligent framework that allows endpoints behind firewalls to discover
paths through which they can pass media, verify peer-to-peer connectivity through each of
these paths, and then select the optimum media connection path, eliminating the need to
reconfigure enterprise firewalls.
The Expressway-E is built for high reliability and scalability, supporting multivendor firewalls,
and it can traverse any number of firewalls regardless of SIP or H.323 protocol.

Standard features
The primary purpose of the Expressway is to provide secure firewall traversal and session-
based access to Cisco Unified Communications Manager for remote workers, without the
need for a separate VPN client.

Rich media session features
The following features are available when rich media session licenses are installed on the
Expressway:

SIP Proxy
SIP / H.323 interworking
IPv4 and IPv6 support, including IPv4 / IPv6 interworking
QoS tagging
Bandwidth management on both a per-call and a total usage basis
Automatic downspeeding option for calls that exceed the available bandwidth
URI and ENUM dialing via DNS, enabling global connectivity
Up to 100 rich media sessions on Small/Medium VM server deployments and 500 rich
media sessions on Large VM server deployments
1000 external zones with up to 2000 matches
Flexible zone configuration with prefix, suffix and regex support
Can be neighbored with other systems such as a Cisco VCS or other gatekeepers and
SIP proxies
n+1 redundancy, can be part of a cluster of up to 6 Expressways for increased
capacity and redundancy
Intelligent Route Director for single number dialing and network failover facilities
Call Policy (also known as Administrator Policy) including support for CPL
Support for external policy servers
AD authentication for administrators of the Expressway
Embedded setup wizard using a serial port for initial configuration
System administration using a web interface or RS-232, SSH, and HTTPS
Intrusion protection



Mobile and remote access
Cisco Unified Communications mobile and remote access is a core part of the Cisco
Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their
registration, call control, provisioning, messaging and presence services provided by Cisco
Unified Communications Manager when the endpoint is not within the enterprise network.
The Expressway provides secure firewall traversal and line-side support for Unified CM
registrations.

The overall solution provides:
Off-premises access: a consistent experience outside the network
for Jabber and EX/MX/SX Series clients
Security: secure business-to-business communications
Cloud services: enterprise grade flexibility and scalable solutions
providing rich WebEx integration and Service Provider offerings.
Gateway and interoperability services: media and signaling
normalization, and support for non-standard endpoints

Figure 1: Unified Communications: mobile and remote access

Figure 2: Typical call flow: signaling and media paths

Unified CM provides call control for both mobile and on-premises endpoints.
Signaling traverses the Expressway solution between the mobile endpoint and Unified
CM.
Media traverses the Expressway solution and is relayed between endpoints directly;
all media is encrypted between the Expressway-C and the mobile endpoint.



Jabber client connectivity without VPN
The mobile and remote access solution supports a hybrid on-premises and cloud-based
service model, providing a consistent experience inside and outside the enterprise. It
provides a secure connection for Jabber application traffic without having to connect to the
corporate network over a VPN. It is a device and operating system agnostic solution for Cisco
Unified Client Services Framework clients on Windows, Mac, iOS and Android platforms.

It allows Jabber clients that are outside the enterprise to:
use instant messaging and presence services
make voice and video calls
search the corporate directory
share content
launch a web conference
access visual voicemail



Public & Local DNS Requirements for Expressway
The local internal DNS has been configured for SRV records in previous sections of this lab,
in the next section the student will enter needed SRV records into the public DNS, as well as
needed A type DNS records in both the public and local DNS.

Public DNS
The public (external) DNS must be configured with _collab-edge._tls.<domain> SRV records
so that endpoints can discover the Expressway-Es to use for mobile and remote access. SIP
service records are also required. That Is for general deployment and not specifically for mobile
and remote access. For example, for a cluster of 2 Expressway-E systems:

Local DNS
The local (internal) DNS requires _cisco-uds._tcp.<domain>,
cuplogin._tcp.<domain>, _cisco-phone-http.<domain> and standard SIP service SRV
records. For example:

Ensure that the cisco-uds, _cuplogin and cisco-phone-http SRV records are NOT resolvable outside
of the internal network, otherwise the Jabber client will not start mobile and remote access negotiation via the
Expressway-E.



Entering Local DNS A Records For Expressway
Step 360 Return to the SiteB-AD (172.19.X.120) RDP session
opened earlier
Step 361 Click Start Administrative Tools DNS to open the
DNS Manager tool
Step 362 Click the + (plus signs) next to SITEB-AD Forward
Lookup Zone siteb.com
Step 365 Select New Host (A or AAAA) from the pop-
up menu
Step 366 Enter the following in the New Host pop-up
window:
a. Name siteb-expc01
b. IP Address 10.1.2.142
c. Check Create associated pointer
(PTR) record
d. Click Add Host
e. Click OK on the success message

Step 367 Repeat step 384 seven more times. In total eight entries should be created.

Step 368 Click Done on the New Host pop-up windows after entering the last New Host

Name
(Expressway-C)
IP Address Name
(Expressway-E)
IP Address
siteb-expc02 10.1.2.143 siteb-expe01 10.1.3.142
siteb-expc-cluster01 10.1.2.142 siteb-expe02 10.1.3.143
siteb-expc-cluster01 10.1.2.143 siteb-expe-cluster01 10.1.3.142
siteb-expe-cluster01 10.1.3.143


Step 369 Review the DNS entries to make sure all eight new entries are correct
Step 370 Close the DNS Manager

An Expressway can be part of a cluster of up to six Expressways. Each
Expressway in the cluster is a peer of every other Expressway in the cluster.
When creating a cluster, you define a cluster name and nominate one peer as
the master from which all relevant configurations is replicated to the other peers
in the cluster. Clusters are used to:

Increase the capacity of your Expressway deployment compared with a
single Expressway.
Provide redundancy in the rare case that an Expressway becomes inaccessible (for
example, due to a network or power outage) or while it is in maintenance mode (for
example, during a software upgrade).

Entering Public DNS A & SRV Records for Expressway
In this section working in the Mock Internet DNS server, the student will add the necessary
A records and SRV records to allow clients to find the Expressway E device from the
Internet (or in this lab case the Mock Internet).

Step 371 Switch to the SiteB-InetDNS (172.19.X.220 x=pod#) RDP session
Step 372 Login in with the following credentials if not already logged in:
Step 373 Click the DNS Manager icon on the bottom task bar
Step 374 Click the Arrow next to SITEB-INETDNS Forward Lookup Zone
siteb.com


Step 377 Select New Host (A or AAAA) from the pop-up menu
Step 378 Enter the following in the New Host pop-up window
a. Name siteb-expc01
b. IP Address 10.1.2.142
c. Check Marked Create associated pointer (PTR) record
d. Click Add Host
e. Click OK on the success message

Step 379 Repeat step 396 to add the following entries. In total there should be eight
entries created
Name
(Expressway-C)
IP Address Name
(Expressway-E)
IP Address
siteb-expc02 10.1.2.143 siteb-expe01 10.1.3.142
siteb-expc-cluster01 10.1.2.142 siteb-expe02 10.1.3.143
siteb-expc-cluster01 10.1.2.143 siteb-expe-cluster01 10.1.3.142
siteb-expe-cluster01 10.1.3.143



Step 380 Click Done on the new host pop-up windows
Step 381 Review the DNS entries
to make sure all eight
are correct
Step 382 Right click SiteB.com
in DNS Manager on
SiteB-InetDNS

Step 383 Select Other New
Records from the pop-
up menu

For SRV record type lookups, multiple DNS queries are performed. An SRV query
is made for each of the following _service._protocol combinations:
_h323ls._udp.<domain>
_h323rs._udp.<domain>
_h323cs._tcp.<domain>
_sips._tcp.<domain>
_sip._tcp.<domain>
_sip._udp.<domain>
_collab-edge._tls
_collab-edge._tcp
_cuplogin._tcp
_cisco-uds._tcp
_cisco-phone-http._tcp
_xmpp-client._tcp
_turn._udp.<domain>

Step 384 Scroll down and select Service Location (SRV) from the Resource Record
Type pop up window

Step 385 Click Create Record
Step 386 Create the following record:


b. Service _collab-edge (underscore
collab)
c. Protocol _tls (underscore tls)
f. Port Number 8443
g. Host Offering This Service =
h. siteb-expe01.siteb.com
Step 387 Click OK
Step 388 Click Create Record (again)
Step 389 Create the following record:
b. Service _collab-edge (underscore
collab)
c. Protocol _tls (underscore tls)
f. Port Number 8443
g. Host Offering This Service =
h. siteb-expe02.siteb.com
Step 390 Click OK
Step 391 Click Done
Step 392 Select _tls, under siteb.com in the DNS Manager
Step 393 Observe that both _collab-edge are in the _tls folder and have the correct
addresses

Step 394 Close DNS Manager



Initial Expressway Configuration for Expressway C and E
These Expressways have been deployed and locked down for this lab. No initial
administration was done on these devices. The student will make all configuration changes
to the Expressways.

There are 4 Expressways in this lab for Collab Edge, two Cs and two Es. The
student will configure the first C and the first E of a two clustered pairs. SiteB-
ExpC02 and SiteB-ExpE02 have already had this configure done before class
started.

The following Video shows the deployment of an Cisco Expressway

Step 395 Switch to the SiteB-AD (172.19.X.120 x=pod#) RDP Session
Step 396 Launch Firefox from the task bar at the bottom of the desktop (if not already
open)

This section will be done twice, once for Siteb-ExpC01 and once for SiteB-ExpE01
Follow from here down and when you get to a table take the left side the first time
through for SiteB-ExpC01, and take the right side when doing the second pass for
SiteB-ExpE01



SiteB-Expressway C 01
Use Left Column First Pass of Section
SiteB-Expressway E 01
Do this step when repeating
Step 397 Click Expressway SiteB-
ExpC01 from the Firefox
favorite bar

Open a new tab in Firefox and browse to
Expressway SiteB-ExpE01 from the Firefox
favorite bar

Step 398 Click I Understand the Risks (if presented)

Step 399 Click Add Exception (if presented)

Step 400 Click Confirm Security Exception (if presented)

Step 401 Login in with the following credentials
a. Username admin (all lower case)
b. Password TANDBERG (all upper case)
c. Click Login

Step 402 Observe the Expressway/VSC Web Administration page
Step 403 Click the Red Box that indicates This system has 5 alarms



Step 404 Review the five system alarms listed

Step 405 Click the time link on the first alarm under the Action heading. Alternatively,
Click System Time

Step 406 Observe that the first three NTP servers have place holders in the address
field

Step 407 Delete and clear all the default entries in the address fields

Step 408 Enter 128.107.212.175 in the first NTP Server Address space

Step 409 Select US/Pacific for the time Zone



Step 411 Click Save

Step 412 Observe the bottom of the time page for a minute or so. Eventually the status
will go from Starting, to Rejected, to Synchronized. (There is no need to
manually refresh as it will do so automatically).

Step 413 Click the Red Alarms box again in the upper right corner.
Notice the number of alarms has changed from five to
three. If not enough time has passed clicking on the red
box again should update it to reflect the new number of
alarms.
Step 414 Click Change the admin password link under Action on the alarm page.
Alternatively click Users Administrator Accounts

Step 415 Click admin to open the admin
configuration page

Step 416 Enter Cisc0123 in the password
field

Step 417 Enter Cisc0123 in the confirm
password field

Step 418 Click Save



Step 419 Click the Red Alarms box again in the upper right corner. Notice it has
dropped from 5 alarms to 2 alarms.

Step 420 Click View Instruction on changing the root password under the Action
column heading

Step 421 Review the Using the Root Account Help page pop-up

Step 422 Close the Help Page when finished reading it
Step 423 Click the PuTTy icon on the bottom tool bar

Do this section when repeating
Step 424 Click SiteB-ExpC01 from the
saved sessions list in PuTTy

Click SiteB-ExpE01 from the saved session
list in PuTTy

Step 425 Click Open

Step 426 Click Yes on PuTTy Security Alert (if presented)

Step 427 Login as root (all lower case)

Step 428 Enter the password TANDBERG (all uppercase)

Step 429 Type the UNIX command passwd at the # prompt


Step 431 Type in Cisc0123 as the new
UNIX password (It will not look
like you are typing.)

Step 433 Retype Cisc0123 to confirm
the new password


Step 436 Click OK to confirm closing PuTTy



dropped from three alarms to one alarm.

Option keys are used to add additional features to the Expressway. Option keys
can either be valid for a fixed time period or have an unlimited duration. Your
Expressway may have been shipped with one or more optional features pre-
installed. To purchase further options, contact your Cisco representative.

The Option keys page (Maintenance Option keys) lists all the existing
options currently installed on the Expressway, and allows you to add new
options.

The System information section summarizes the existing features installed on the
Expressway and displays the Validity period of each installed key. The options that you
may see here include:

Traversal Server: enables the Expressway to work as a firewall traversal server.
H.323 to SIP Interworking gateway: enables H.323 calls to be translated to SIP
and vice versa.
Advanced Networking: enables static NAT functionality and the LAN 2 port on an
Expressway-E.
Rich media sessions: determines the number of non-Unified Communications calls
allowed on the Expressway (or Expressway cluster) at any one time. See the Call
types and licensing [p.264] section for more information.
TURN Relays: the number of concurrent TURN relays that can be allocated by this
Expressway (or Expressway cluster). See About ICE and TURN services [p.49] for
more information.
Encryption: indicates that AES (and DES) encryption is supported by this software
build.
Microsoft Interoperability: enables encrypted calls to and from Microsoft Lync
2010 Server (for both native SIP calls and calls interworked from H.323). It is also
required by the Lync B2BUA when establishing ICE calls to Lync 2010 clients. It is
required for all types of communication with Lync 2013.
Expressway Series: identifies and configures the product for Expressway Series
system functionality.

Step 438 Click Add a Release Key under the Action heading

Alternatively click Maintenance Option Keys



Step 439 Observe the Option Keys admin page and take note of the active options

Notice the Serial Number (S/N) in the lower right hand corner of the admin page.
This is the serial number that is used to generate licenses and options keys

The Release Keys and Options keys have already been installed
into SiteB-ExpC02 and SiteB-ExpE02 (the cluster pair of
expressway servers)

Step 440 Observe the server model name at the
top of the admin page, this will change
once all the option keys are installed

Step 441 Observe the Active Options

This key is the Service Contract Release Key:
Step 442 Copy and Paste this license number into
the Release Key field

4360497995181665

into the Release Key field
Careful to make sure you have the Release Key
field and not the Software Option key field. This
key validates the service contract on the server.
Ignore the two new alarms that appear for an
invalid key, these will clear after a restart that
will be performed later in this section.
Copy and Paste this license number into
the Release key field

7176023658098439

into the Release Key field



Step 443 Click Set Release Key

Step 444 Observe the Yellow message at the top of the screen (Do not restart as
that will be completed in a later step)

This Software option key is the Expressway Series key:
Step 445 Copy and Paste this license
number (Must Be All Caps)

116341E00-1-096C2A6F

into the Software Option Field

Copy and Paste this license number (Must Be
All Caps)

116341E00-1-745E2397


Notice that although this will ultimately be
an Expressway-E server, at this point it is an
Expressway-C server. This role will change
when a later option key is installed.
Step 446 Click Add Option

Step 447 Observe the server model name at the top has change to Expressway-C. This
will change to Expressway-E later in this section.



Step 448 Observe the Yellow message at the top of the screen. Do not restart as
this will be done later in this section.

This Software option key is the H323 SIP Interworking key:
SiteB-ExpressWay E 01
Step 449 Copy and Paste this license

116341G00-1-87EACCFB


Copy and Paste this license number (Must Be
All Caps)

116341G00-1-A7FB3D03



Step 451 Observe the Interworking Active Options has been added



Use Left Column First
Pass of Section
No configuration required
here for the Expressway-C

Move on to the next step
below if this is the first pass
through this section of the
lab
Step 452 Copy and Paste this license number (Must Be All
Caps)

116341I1800-1-8F82AD62

into the Software Option Field (this option key is for the
E expressway only). This option key is the Turn Relay 1800


Step 454 Copy and Paste this license number (Must Be All
Caps)

116341T00-1-F768D3DC

into the Software Option Field (this option key is for the E
expressway only). This option key is the Traversal Service for E
option key

Step 455 Click Add Options

Step 456 Observe the updated model name at the top of
the page change from C to E

Step 457 Observe the options added to the Expressway-E



Step 458 Click System DNS, in the Expressway web admin

Step 459 Enter the following information for each Expressways:
a. System Host Name siteb-expc01
b. Domain Name siteb.com
c. Address 1 10.1.2.120
d. Click Save

a. System Host Name siteb-expe01
b. Domain Name siteb.com
c. Address 1 10.1.3.20
d. Click Save

Step 460 Scroll down and click DNS Lookup Utility

Step 461 Enter siteb-expc02.siteb.com

Step 462 Click Lookup

Step 463 Observe the successful DNS Lookup. (Keep going the restart will take place
later in the lab)



Configuring the Expressway Cluster

About clusters
An Expressway can be part of a cluster of up to six Expressways. Each
Expressway in the cluster is a peer of every other Expressway in the cluster.
When creating a cluster, you define a cluster name and nominate one peer as
the master from which all relevant configurations is replicated to the other peers
in the cluster. Clusters are used to:

Increase the capacity of your Expressway deployment compared with a single
Expressway.
Provide redundancy in the rare case that an Expressway becomes inaccessible (for
example, due to a network or power outage) or while it is in maintenance mode (for
example, during a software upgrade).

About the configuration master
All peers in a cluster must have identical configuration for subzones, zones, links, pipes,
authentication, bandwidth control and Call Policy. To achieve this, you define a cluster name
and nominate one peer as the configuration master. Any configuration changes made to the
master peer are then automatically replicated across all the other peers in the cluster.

You should only make configuration changes on the master Expressway. Any
changes made on other peers are not reflected across the cluster, and will be
overwritten the next time the masters configuration is replicated across the peers.

The only exceptions to this are some peer-specific configuration items.

You may need to wait up to one minute before changes are updated across all peers in the
cluster.



Step 464 Click System Clustering on the Expressway Admin web page

Step 465 Enter the following
a: Cluster Name FQDN
siteb-expc-cluster01.siteb.com
b: Configuration Master 1
c: Cluster pre-shared key
Cisc0123
d: Peer 1 IP Address 10.1.2.142
e: Peer 1 IP Address 10.1.2.143
f: Click Save

After the restart it might take a few min to
sync up the databases. Ignore the errors
as they should clear after a few min.
However, DO NOT restart now! They
will be restarted later in this section.)

The clustering page should look something
like this once in sync:

Enter the following:
a: Cluster Name FQDN
siteb-expe-cluster01.siteb.com
b: Configuration Master 1
c: Cluster pre-shared key Cisc0123
d: Peer 1 IP Address 10.1.3.142
e: Peer 1 IP Address 10.1.3.143
f: Click Save

Step 466 Click Maintenance Restart Options

Step 467 Click Restart (Be careful to not click shutdown!)



Step 468 Click OK to restart the system

Step 469 Observe the system restarting

Step 470 Repeat Steps 397 469 for SiteB-EXPE01 while siteb-expc01 is restarting
STOP - make sure to go back and do SiteB-ExpE01!

Step 471 Switch to the Firefox tab with SiteB-expC01 Web admin in it

Step 472 Log in with:
(case sensitive)

Step 473 Click Login

Step 474 Click System Clustering

Step 475 Observe that clustering is
now active



Configuring the Expressway-E Unified Communications
This section sets the SiteB-ExpE01 Mobile and Remote Access to ON. This will automatically
turn this option on for the SiteB-ExpE02 Expressway since it is clustered with SiteB-ExpE01.

Cisco Unified Communications mobile and remote access is a core part of the
Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber
to have their registration, call control, provisioning, messaging and presence
services provided by Cisco Unified Communications Manager (Unified CM) when
the endpoint is not within the enterprise network. The Expressway provides
secure firewall traversal and line-side support for Unified CM registrations.

The overall solution provides:
Off-premise access: a consistent experience outside the network for Jabber and
EX/MX/SX Series clients
Security: secure business-to-business communications
Cloud services: enterprise grade flexibility and scalable solutions providing rich
WebEx integration and Service Provider offerings.
Gateway and interoperability services: media and signaling normalization, and
support for non-standard endpoints

Unified Communications: mobile and remote access

Jabber client connectivity without VPN
The mobile and remote access solution supports a hybrid on-premise and cloud-based
service model, providing a consistent experience inside and outside the enterprise. It
provides a secure connection for Jabber application traffic without having to connect to the
corporate network over a VPN. It is a device and operating system agnostic solution for Cisco
Unified Client Services Framework clients on Windows, Mac, iOS and Android platforms.

It allows Jabber clients that are outside the enterprise to:
Use instant messaging and presence services
Make voice and video calls
Search the corporate directory
Share content
Launch a web conference
Access visual voicemail



Step 476 Switch to the Firefox tab connected to SiteB-expE01 web admin

Step 477 Wait for the SiteB-ExpE01 to restart if not already restarted (about 1 to 3
minutes)

Step 478 Login with:

Step 480 Click Configuration Unified Communications Configuration

Step 481 Select Mobile and Remote Access from the Unified Communications mode
drop down menu

Step 482 Click Save

Step 483 Click System Clustering

Step 484 Observe that clustering is active on the Expressway-E servers.



Configuring the Expressway-C for Unified Communications
In this section the student will configure the Expressway-C to communicate with CUCM and
IM&P servers

Caution! This section is only for Expressway-C

Step 485 Switch to the Firefox Tab with SiteB-ExpC01 web admin web page

Step 486 Login with the following credentials (if Logged out):
a: Username admin (lower case)
b: Password Cisc0123 (CaSe SeNsAtIvE)

Step 489 Select Mobile and Remote Access from the Unified Communications Mode
drop down menu

Step 490 Click Save



Configuring the domains to route to Unified CM
You must configure the domains for which registration, call control, provisioning,
messaging, and presence services are to be routed to Unified CM for.

SIP registrations and provisioning on Unified CM: endpoint
registration, call control and provisioning for this SIP domain is serviced by
Unified CM. The Expressway acts as a Unified Communications gateway to provide
secure firewall traversal and line-side support for Unified CM registrations.

IM and Presence services on Unified CM: instant messaging and presence
services for this SIP domain are provided by the Unified CM IM and Presence service.

Step 491 Click Configuration Domains

Step 492 Click New

Step 493 Enter siteb.com in the Domain
Name field
Step 494 Set On for the SIP registration and
provisioning on Unified CM
Step 495 Set On for the IM and Presence
services on Unified CM

Step 496 Click Create Domain

Step 497 Observe that the domain was created

Discovering IM&P and Unified CM servers
The Expressway-C must be configured with the address details of the IM&P
servers and Unified CM servers that are to provide registration, call control,
provisioning, messaging and presence services.

To have TLS verify mode set to On (the default and recommended setting) when
discovering the IM&P and Unified CM servers, the Expressway-C must be configured to trust
the tomcat certificate presented by those IM&P and Unified CM servers.

Determine the relevant CA certificates to upload:

If the servers are using self-signed certificates, the Expressway-C's trusted CA list must include a
copy of the tomcat certificate from every IM&P / Unified CM server.

If the servers are using CA-signed certificates, the Expressway-C's trusted CA list must include
the root CA of the issuer of the tomcat certificates.


Step 498 Click Configuration Unified Communications IM and Presence
Servers

Step 499 Click New

Step 500 Enter the following IM&P information
a: IM&P Publisher Address siteb-imp911.siteb.com
b: Username AXLuserCUP
c: Password Cisc0123
d: TLS Verify Mode ON
Step 501 Click Add Address
Step 502 Observe the IM&P Server Discovery failed due to TLS Certificate

Uploading CA Root Certification to Expressway
Just like all other PKI certificate security based systems the CA Root Certificate must be
downloaded from the CA and uploaded to the Expressways. In this section the student will
obtain the CA Root certificate from the CA and upload it to two of the Expressways.

Step 503 Open a new Firefox Tab

Step 504 Click Certificate Services, on the Firefox favorites bar

Step 505 If requested to, login with:
Step 506 Click Login (if login pop-up is presented)




Step 508 Select Base 64, Encoding Method


Step 510 Click OK to save the file to the students computer

Step 511 Click the Download Arrow in the upper left corner of Firefox

Step 512 Click the Folder next to certnew.cer file to browse the folder where the new
CA Root Certificate was downloaded to



In the Certificate Management section in this lab, a CA Root
Certificate was already downloaded to the SiteB-AD server. The
original CA Root Certificate that was previously downloaded may be
used for this section of the lab as well.

The reason the CA is being downloaded again is in the event a student
wishes to only perform the Expressway section of the lab.

Step 513 Rename the file to SiteB-CARoot2Cert.cer


Step 515 Return to the Firefox tab for the SitebB-ExpC01 Expressway Web Admin

Step 516 Click Maintenance Security Certificates Trusted CA Certificates


Step 518 Click Downloads on the left side
navigation pane

Step 519 Select the SiteB-CARoot2Cert.cer
file

Step 520 Click Open on the file upload screen

Step 521 Click Append CA Certificate

Step 522 Observe at the top of the page that the certificate was uploaded

Step 523 Click Configuration Unified Communications IM and Presence
Servers

Step 524 Click New



Step 526 Enter the following IM&P information
a: IM&P Publisher Address siteb-imp911.siteb.com

Step 527 Click Save

Step 528 Observe the IM&P Server Discoverys successful discovery. (Notice that it
found both SiteB-IMP911 and SiteB-IMP02.) Remember that without the Root
CA Certificate and TLS verify mode set to ON the system would not connect to
IM&P server.

Step 529 Click Configuration Unified Communications Unified CM Server

Step 530 Click New

Step 531 Enter the following CUCM information
a: CUCM Publisher Address siteb-CUCM911.siteb.com



Step 533 Click Add Address
Step 534 Observe the successful discovery message for the CUCM servers.

Add Client Server Template to MS CA Server
In this section the student will make the necessary changes to the Microsoft Certificate
Authority server, to prepare it to create CA Signed certificates for Expressway.

This next section although not part of the Cisco UC solution and is not a function
of the Microsoft CA server. This section was included because it is mandatory to
create a new CA template in MS CA server to create server certificates for
Expressway.

This template only needs to be created once on the MS CA server and can be reused each
time you need to create CA Signed certificates for the Expressway servers.

The new Client Server Template will be used again later in this lab for the Jabber Guest
Expressways
Step 535 Click Start All Programs Administrative Tools Certification
Authority on the SiteB-AD RDP session (Should already be on this server)
Step 536 Click the + (plus sign) next to siteb-SITEB-AD-CA to open the sub-folders
Step 537 Click and highlight Certificate Templates



Step 538 Right click certificate templates and select Manage from the pop-up menu

Step 539 Click and highlight Web Server from the Certificate Templates Console
Step 540 Right click Web Server
Step 541 Click Duplicate Templates from the pop-up menu

Step 542 Select Windows Server 2003 Enterprise. It
must be 2003 or this new template, that is
being created, will not show up when
requesting a certificate.
Step 543 Click OK



Step 544 Enter ClientServer in the Template Display Name field



Step 546 Click the Request Handling, Tab

Step 547 Select Allow private key to be
exported

Step 548 Click the Extensions tab

Step 549 Select Application Policies

Step 550 Click Edit

Step 551 Click Add on the Edit Application Policies Extension pop-up window

Step 552 Click Client Authentication

Step 553 Click OK



Step 554 Click OK to confirm the addition of Client Authentication

Step 555 Click Apply

Step 556 Click OK to close the properties of
New Template

Step 557 Close the Certificate Templates
Console
Step 558 Right Click Certificate Templates in
the Certification Authority console
Step 559 Click New

Step 560 Click Certificate Template to Issue

Step 561 Select ClientServer from the list of
Certificate Templates

Step 562 Click OK

Step 563 Close the Certification Authority console



Configuration of Certificates to prepare for Implementing Traversal Zones
In this section the student will generate and upload the appropriate certificates on the
Expressways and create a Traversal Zone between the Es and Cs so they can communicate
with each other.

Configuring traversal server zones
An Expressway-E can act as a traversal server, providing firewall traversal on
behalf of traversal clients (such as an Expressway-C).
To act as a traversal server, the Expressway-E must have a special type of two-
way relationship with each traversal client. To create this connection, you create
a traversal server zone on your local Expressway-E and configure it with the
details of the corresponding zone on the traversal client. (The client must also be
configured with details of the Expressway-E.)

After you have neighbored with the traversal client you can:
Provide firewall traversal services to the traversal client
Query the traversal client about its endpoints
Apply transforms to any queries before they are sent to the traversal client
Control the bandwidth used for calls between your local Expressway and the traversal
client

Note: traversal client-server zone relationships must be two-way. For firewall traversal to
work, the traversal server and the traversal client must each be configured with the others
details. The client and server will then be able to communicate over the firewall and query
each other.

CLICK HERE to find the Expressway documentation on Cisco.com

Step 564 Open Internet Explorer on SiteB-AD. This one server certificate will only
download from IE and not in Firefox

Step 565 In IE browse to http://siteb-ad.siteb.com/certsrv/
or click Certificate Services, on the IE Favorite bar

Step 566 Enter Administrator in the Field of the pop-up login window

Step 567 Enter Cisc0123 in the Password field of the pop-up login window

Step 568 Click OK

Step 569 Click Download a CA Certificate, Certificate chain, or CRL

Step 570 Click Yes if presented with a Web Access Warning

Step 571 Select Base 64



Step 572 Click Download Latest Base CRL

Step 573 Click Save in the pop-up window at the bottom of the IE Screen

Step 574 Click Open Folder

Step 575 Right click certcrl.crl


Step 577 Enter CARootCRL.crl to rename the file

Step 578 Close Windows File Explorer

Step 579 Close Internet Explorer (IE)

Step 580 Switch to the SiteB-ExpC01 web admin Firefox tab



Step 582 Login in to SiteB-ExpC01 with the following credentials (if needed)
a. Username admin (lower case)
b. Password Cisc0123 (case sensitive)
c. Click Login

Step 583 Click Maintenance Security Certificates CRL Management
Step 584 Click Browse in the Manual CRL Update section

Step 585 Click Downloads in the left
navigation pane

Step 586 Select CARootCRL.crl

Step 587 Click Open

Step 588 Click Upload CRL File

Step 589 Confirm the successful upload of CRL

Step 590 Click Maintenance Security Certificates Server Certificate




Step 593 Enter the following information
a. Common Name FQDN of Expressway
b. Subject Alternative Names FQDN of Expressway Cluster Plus
FQDNs of all peers in the cluster
c. IM and Presence chat note aliases delete entry
d. Key Length (in bits) 2048
e. Country US
f. Sate or province CA
g. Locality (town name) San Jose
h. Organization (company name) Cisco
i. Organizational Unit Cisco
j. Click Generate CSR

Step 594 Click Download to download CSR file

Step 595 Select Open

Step 596 Click OK to open the CSR in a notepad
Step 597 Click Format Word Wrap in Notepad to see the
whole file (might already be done)

Step 598 Click CTRL-A to highlight the whole text in notepad

Step 599 Click CTRL-C to copy the text into your computer buffer


Be careful not to change anything in this certificate while you have it open in
Notepad. It is not easy to troubleshoot if something changes in this file.


Step 601 Switch to the MS Certificate Server web admin page tab in Firefox

Step 602 Click on the Favorite link Certificate Service to bring the CA server web
admin to the home page

Step 603 Click Request a Certificate




Step 606 Click inside the Saved Request field

Step 607 Press CTRL-V to paste the CRS test into the
saved request field

Step 608 Select ClientServer from the Certificate
Template field (this is the template crated in
the previous section)


Step 610 Select Base 64 Encode

Step 611 Click Download Certificate


Step 613 Click OK

Step 614 Click the Download Arrow in the upper right corner or Firefox





Step 617 Select Rename from the pop-up windows

Step 618 Rename the file to SiteB-ExpC01Cert.pem (Caution! Make sure to change
the extension to PEM when renaming the file.)

Step 619 Click Yes to confirm name extension change


Step 621 Switch to the SiteB-ExpC01 tab in the Firefox browser on SiteB-AD RDP
session

Step 622 Click Browse at the bottom of the server certificate screen to upload a new
certificate

Step 623 Click Downloads in the left navigation pane

Step 624 Find and select the SiteB-ExpC01Cert.pem from the downloads directory

Step 625 Click Open

Step 626 Click Upload Server Certificate Data

The browser will reinitialize and ask to accept the certificate again.

Step 627 Click I Understand The Risk

Step 628 Click Add Exception

Step 629 Click Confirm Security Exception



Step 630 Observe the certificate was uploaded but the system needs a restart

Step 631 Click Restart from the yellow warning message at the top of the Server
Certificate page

Step 632 Click Restart again on the Restart Options window

Step 633 Click OK to confirm the restart

Add CA Signed Certificate on SiteB-ExpE01

Step 634 Switch to the SiteB-ExpE01 web admin tab in Firefox

Step 635 Login with the following credentials (if logged out)
a. Click Home
b. Username admin
c. Password Cisc0123
d. Click Login

Step 636 Click Maintenance Security
Certificates Trusted CA Certificate


Step 638 Click Downloads in the left side
navigation pane

Step 639 Select SiteB_CARoot2Cert.cer

Step 640 Click Open


Step 642 Observe and confirm that CA Root Certificate has
been uploaded





Step 645 Click Downloads in
the left side
navigation pane

Step 646 Select CARootCRL.crl

Step 647 Click Open


Step 649 Observe and confirm the CRL was uploaded successfully



a. Common Name FQDN of Expressway
b. Subject Alternative Names FQDN of Expressway Cluster Plus
FQDNs of all peers in the cluster
c. IM and Presence chat note aliases delete entry (if any)
d. Key Length (in bits) 2048
e. Country US
f. Sate or province CA
g. Locality (town name)
San Jose
h. Organization (company
name) Cisco
i. Organizational Unit
Cisco
j. Click Generate CSR



Step 653 Click Download, to download CSR file


Step 655 Click OK to open the CSR in a Notepad

Step 656 Click Format Word Wrap in Notepad to see the whole file (if needed)

Step 657 Click CTRL-A to highlight the whole text in Notepad

Step 658 Click CTRL-C to copy the text into your computer buffer


Step 660 Switch to the MS CA Server web admin tab in
Firefox

Step 661 Click Certificate Services on the Firefox favorite
bar to return to the CA home page




Step 664 Select and make active the Saved
Request field

Step 665 Select ClientServer from the Certificate
Template field







Step 670 Click OK

Step 671 Click the Download Arrow in the upper right corner or Firefox



Step 674 Select Rename from the pop-up windows

Step 675 Rename the file to SiteB-ExpE01Cert.pem

Step 676 Click Yes to confirm name extension change




Step 678 Switch to the SiteB-ExpE01 tab in the Firefox browser on SiteB-AD RDP
session

Step 679 Click Browse at the bottom of the server certificate screen to upload a new
certificate

Step 680 Find and select the SiteB-ExpE01Cert.pem file from the Downloads
directory

Step 681 Click Open


The browser will reinitialize and ask to accept the certificate again

Step 683 Click I Understand the Risks



Step 686 Observe the certificate has been uploaded but the system needs a restart

Step 687 Click Restart from the yellow warning message at the top of the Server
Certificate page

Step 688 Click Restart again on the Restart Options window

Step 689 Click OK to confirm the restart



Configuring Traversal Zones
In this section the student will configure the Traversal zones between the Es and Cs so
they can communicate across the firewalls.

Step 690 Switch to the SiteB-ExpE01 web admin Firefox tab (if not all ready there) on
the SiteB-AD RDP session

Step 691 Wait for SiteB-ExpE01 to finish restarting

Step 692 Login as
c. Click Login

Step 693 Click Configuration Zones Zones

Step 694 Click New

a. Name TraversalZoneSiteB
b. Type Traversal Server

Step 696 Click Add/Edit Local Authentication Database

Step 697 Click New

Step 698 Enter TraversalAdmin in the Name field


Step 700 Click Create Credential



Step 701 Close the Local Authentication Database pop-up window

Step 702 Fill in the following information (leaveing all un-mentioned fields at default):
a. Username TraversalAdmin
b. H323 Mode Off
c. Unified Communications Service Yes
d. TLS Verify Mode On
e. TLS Verify Subject Name SiteB-ExpC-Cluster01.siteb.com
f. Media Encryption Mode Forced Encrypted
g. Authentication Policy Treat As Authenticated
h. Click Create Zone

Step 703 Switch to SiteB-ExpC01 tab in Firefox on SiteB-AD RDP Session

Step 704 Login as:
c. Click Login

Step 705 Click configuration Zones Zones

Step 706 Click New


Step 707 Enter the following information:
b. Type Traversal Client

a. Username TraversalAdmin
c. H323 Mode Off
d. Port 7001
e. Unified Communications Service Yes
f. TLS Verify Mode On
g. Media Encryption Mode Forced Encrypted
h. Authentication Policy Treat As Authenticated
i. Peer 1 Address siteb-expe01.siteb.com
j. Peer 2 Address siteb-expe02.siteb.com
k. Click Create Zone



Observe that SiteB-ExpC01 show active traversal zone
Step 710 Click TraversalZoneSiteB
Step 711 Scroll to the bottom and observe that the State status is Active

If there is a warning or a connection has failed, wait a min and try to go back
in again. Sometimes it takes a minute or so to update and connect.



Observe that the SiteB-ExpE01 show active traversal zone
Step 712 Switch to SiteB-ExpE01, Firefox tab admin web page
Step 714 Click TraversalZoneSiteB
Step 715 Scroll to the bottom and observe that SIP Reachable and the State status is
Active

Validate Internal and External Jabber Client Usage
In this section the Cisco Jabber client on the workstations well be logged into both the
Internal and External UC services. By connecting to the Expressway-E while on the Internet
the Cisco Jabber client is able to register with CUCM without having to create a VPN
connection first.

Both SiteB-WS01 and SiteB-WS02 have Cisco IP Communicator
(CIPC) install, open, and registered with CUCM. Although you will
not have CIPC and Jabber running on the same computer in a
production network, the CIPC phone serves a purpose in the lab
environment. The CIPC is there to represent the users physical desk
phone, so the student can see what changes would be happening on
the desk phone as the Cisco Jabber client is being used.

CIPC is an EOL Cisco Product and should not be used in production.

Jabber Client Internal Validation Test
In this section the student will test the preconfigured system with the Jabber Clients
connected to the local internal network.

Step 716 Switch to SiteB-WS01 (172.19.X.201 Alex Ace) RDP Session

Step 717 Open Cisco Jabber if not already open

Step 718 Use the following login credentials (if login is needed)
a. Username aace
c. Click Login



Step 719 Click Line One, on the CIPC phone

Step 720 Observe when the CIPC (desk phone) goes off hook
the Jabber Presence changes to On a call

Step 721 Click EndCall on CIPC

Step 722 Set Alex Aces presence to away

Step 723 Click Away to set a custom presence

Step 724 Type Gone To The Beach


Step 726 Switch to SiteB-WS02 (172.19.X.202 Blake Bad)
RDP Session

Step 727 Observe that Alex Ace, in the contacts list, has a
presence indicator of amber that reads Gone To
The Beach

Step 728 Hover your mouse over Alex Ace in Blakes contact list. The Icon of a phone
handset on the right side of Alexs name appears.
Step 729 Click the Call Icon


Step 730 Click Alexs Work Number, to call Alex

Step 731 Quickly switch to SiteB-WS01 (172.19.X.201 Alex Ace)
RDP session
Step 732 Click Answer on the Incoming Call pop-up window in the lower right hand
corner of Alexs desktop
Step 733 Observe on Alexs Jabber Client that the status is still Gone
to the beach. This is because she manually set it. On
Blake Bads Jabber client, however, it indicates On A Call.
Step 734 Click the Red Hand Set on the Blake Bads conversation
window to disconnect the call

Observe this call came up as a video call, and both users have the world
VCAM as their video feed in place of where their video should be.

Both workstations are virtual machines in our lab, and there for do not have
a video camera attached to the workstation. e2eSoft VCam virtual video
driver has been installed on both workstations.

Although video was not needed for this lab, A video driver was required for
the Jabber Guest part of this calls.



Jabber Client Internal Voice Mail Validation Test
In this section the student will validate that both workstations are connected to Unity
Connection voice mail


Step 736 Switch Alexs presence indicator back to
Available

Step 737 Click the Voice Mail tab on Alex Aces
Jabber client

Step 738 Observe that it indicates that she does not
have any VM at this time, but is connected
to voicemail

Step 739 Click Help Show Connection Status,
on Alexs Jabber client

Step 740 Observe that the Jabber client is connected to the following services (the
server names might be different during your lab)
a. Softphone SiteB-CUCM02.siteb.com (CCMCIP)
b. VoiceMail Siteb-cuc911.siteb.com
c. Presence SiteB-IMP911.siteb.com
d. Outlook Yes
e. Directory LDAP
f. Close Connection Status, when done observing

Step 741 Switch to SiteB-WS02 (172.19.X.201 Blake Bad) RDP Session

Step 742 Click Help Show Connection Status, on Blakes Jabber client



Step 743 Observe Blakes Jabber Connection status

Step 744 Close Connection Status, on Blakes desktop when done observing

Step 745 Click the Voice Mail tab on Blakes Jabber client

Step 746 Observe that it indicates that he has voice mail



Moving SiteB-WS02 From The Internal To The External (internet) Network
In previous sections of the lab the SiteB-WS01 & SiteB-WS02 workstations have been
connected to the internal corporate network. In this section SiteBWS02 workstations will be
moved out of the corporate office and connect Jabber to the CUCM via the Expressways
without a VPN connection.

To demonstrate the Expressway functions the two workstations will
be moved from the internal corporate network, out on to the public
internet. For this lab we have create a MOCK INTERNET by using two
vlans. The 5xx series vlans are for the internal network, and the 6xx
vlans are the DMZ or our external MOCK internet.

The workstations have two network cards in them. To simulate
moving the computer from internal to external, the student will turn off the
internal network card and turn on the external network card. The following series
of lab steps will not only switch the network cards but prove to the student that
the workstation is now on a different network.

Step 747 Switch to siteB-WS02 (172.19.X.202 Blake Bad) RDP Session (if not already
there)

Step 748 Click the DOS Prompt icon on the task bar at the bottom of the desktop

Step 749 Enter ipconfig



Step 750 Observe that the workstation is on the .2 network (3
rd
Octet), the .2 network
is the internal corporate network

Step 751 Type nslookup and press Enter to enter into nslookup mode
Step 753 Type _cisco-uds._tcp.siteb.com
Step 755 Type _collab-edge._tls.siteb.com

As a reminder dont forget two DNS servers were previously configured:
Internal with _cisco-uds SRV records for the Jabber Clients to find the CUCM
External with _collab-edge SRV records for the Jabber Client to find the
Expressway E while it is outside on the Internet.

Step 756 Observe that the _cisco-uds is able to be resolved and that _collab-edge was
not able to be resolved

Step 757 Close the DOS Prompt

Step 758 Navigate to 172.19.X.110 (x=pod#) in a browser from the students
computer

Step 759 Click Cisco Unified Communications Manager


c. Click Login

Step 761 Click Device Phone

Step 762 Click Find

Step 763 Observe the IPv4 Address of the two CFS (disregard the Dyslexic lab
developer, CFS should be CSF). Notice that both CSF devices are registered
on the .2 network

Step 765 Click File Exit on SiteB-WS02 Jabber Client to exit the app

The External Network On bat file turns off the internal network card
and turns on the external network card.

The Internal Network On bat file does the oppsit it turns off the
external network card and turns on the internal network card.

The two bat files move the SiteB workstations between the internal
network and the mock lab internet.

Step 766 Right Click External Network ON icon on SiteB-WS02s desktop



Step 768 Click Run as Administrator from the pop-up menu

Step 769 Click Yes to allow the application to make changes to the computer

When you click YES in the previous step, the RDP session will drop. In the
following steps an RDP connection will be created to the new workstation address

Step 770 Click Start All Programs Accessories Remote Desktop
Connection, from the students personal computer
Step 771 Enter 172.19.X.241, (x=pod#) in the Computer filed


If the new RDP connection to .241 does not connect at first wait 30 seconds and
try again. Due to lab issues it takes a little time for the network to converge.

Step 773 Click Use Another Account

Step 774 Enter siteb\bbad

Step 775 Password Cisc0123

Step 776 Click OK

Step 777 Click Yes to the invalid certificate warning



Step 778 Click Accept on the SiteB-ExpE01.siteb.com invalid certificate (If jabber is
open it will reconnect and an invalid certificate will be presented.)

Step 779 Click Accept on the SiteB-ExpE02.siteb.com invalid certificate (If jabber is
open it will reconnect and an invalid certificate will be presented.)

Validate SiteB-WS02 Is Connected To The External Network
The student should now be RDPed to SiteB-WS02 via the external address. This section will
validate that connection.

Step 780 Click the Command Prompt icon on the task bar at the bottom of the
desktop

Step 781 Enter ipconfig

Step 782 Observe that the workstation is on the .3 network (3
rd
Octet), the .3 network
in our lab is the MOCK internet which confirms the network change

Step 783 Type nslookup and press Enter to enter into nslookup mode
Step 785 Enter _cisco-uds._tcp.siteb.com
Step 787 Enter _collab-edge._tls.siteb.com



Step 788 Observe that the _cisco-uds is NOT able to be resolved and that _collab-edge
IS able to be resolved, which is opposite form the previous section

Step 789 Close the Command Prompt

Step 790 Navigate to 172.19.X.110 (x=pod#) in a browser from the students
computer


c. Click Login


Step 794 Click Find

Step 795 Observe the IPv4 Address of the two CFS (disregard the Dyslexic lab
developer, CFS should be CSF). Notice that one CSF devices is registered on
the .201 which is SiteB-WS01 and is still connected to the internal network.
But the CFSUSER02 is connected to .143 which is the address of
Expressway-C

Step 796 Switch back to SiteB-WS02 (172.19.X.241 Blake Bad) RDP Session

Step 797 Double click the Jabber Icon on the desktop to open Jabber



Step 798 Accept any and all Invalid Certificates

Step 799 Click Help Show Connection Status, on the Jabber client

Step 800 Observe that softphone is connected to Expressway, also notice that the
Voicemail is not connected

Step 801 Click the VoiceMail tab on the Jabber Client

Step 802 Observe that voice mail is not connected



Creating a White List entry for VoiceMail on Expressway-C
In this section the student will create a white list entry for the voicemail server that will
allow the Jabber clients to access voicemail services.

Jabber client endpoints may need to access additional web services inside the
enterprise. This requires an "allow list" of servers to be configured to which the
Expressway will grant access for HTTP traffic originating from outside the
enterprise.

The features and services that may be required, and would need whitelisting,
include:
Visual Voicemail
Jabber Update Server
Custom HTML tabs / icons
Directory Photo Host

The IP addresses of all discovered Unified CM nodes (that are running the CallManager or
TFTP service) and IM&P nodes are added automatically to the allow list and cannot be
deleted . Note, however, that they are not displayed on the HTTP server allow list page.

Step 803 Switch to SiteB-Ad (172.19.X.120 Administrator) RDP Session

Step 804 Open Firefox, if not already open

Step 805 Click Expressway SiteB-ExpC01, or switch to the tab that already has
SiteB-ExpC01 open in it

Step 806 Enter the following credentials to login in
c. Click Login

Step 807 Click Configurations Unified Communications Configuration

Step 808 Click Configure HTTP Server Allow List

Step 809 Click New

Step 810 Enter siteb-cuc911.siteb.com, in the Server Hostname

Step 811 Enter Visual VoiceMail White List, in the description field



Step 812 Click Create Entry

Step 813 Switch to SiteB-WS02 (172.19.X.241 Blake Bad)
RDP Session

Step 814 Click File Exit, to exit Jabber

Step 815 Double click the Jabber icon

Step 816 Click the VoiceMail tab on the Jabber Client

Step 817 Observe that voice mail is now connected

Step 818 Press the Triangle Play button on some of the
VMs to test if they play. The audio if any will be
garbbled due to lab issues, but you should see the play status bar moving
across the VM if you cant hear it.

Step 819 Click the Contact tab in the Jabber client

Step 820 Hover the mouse over Alex Ace, in Blakes contact list

Step 821 Click the Call button

Step 822 Select Alexs Work
(+14085552001) number

Step 823 Switch to SiteB-WS01 (172.19.X.201 Alex Ace) RDP session



Step 824 Click Answer, on the Incoming Call pop-up window in the lower left corner

The call that is active right now is a call between Blake Bad (SiteB-WS02) external
and connected via the Expressway, and Alex Ace (SiteB-WS01) connected on the
internal network.

Step 825 Switch to SiteB-Ad (172.19.X.120 Administrator) RDP Session


Step 827 Click Expressway SiteB-ExpC01, or open Firefox tab with SiteB-ExpC01
already open in it

Step 828 Enter the following credentials to login in
c. Click Login

Step 829 Observe that on the main Status Overview status page there is one
current call. At this time the Expressway-C shows this as a video call

Step 830 Click Status Calls Calls

Step 831 Observe there is one call active

Step 832 Click the Start Time link for this call



Step 833 Observe the call information

Step 834 Click Status Calls History

Step 835 Observe the call history log (there might not be any calls here till you end the
first call)


Step 837 Click the Red Phone Handset, to disconnect the call



JST Features Task 6: Adding User Photos to Web Server
In this section the student will configure the jabber-config.xml file to point to our network
web server for the Jabber Clients to obtain the user photos at login. In previous sections of
the lab the Jabber Clients used EDI to obtain the photos from the Active Directory.

Activity Objective
Configure jabber-config.xml to allow for web based photos
Configure Expressway C to white list the photo web server

Required Resources
lab via VPN, and an RDP connection to your pods SiteB-AD (172.19.X.120).

Contact Photo Retrieval with UDS
UDS dynamically builds a URL for contact photos with a directory attribute and a
URL template.

To resolve contact photos with UDS, you specify the format of the contact photo
URL as the value of the
UdsPhotoUriWithToken parameter. You also include a %%uid%% token to
replace the contact username in
the URL, for example,
<UdsPhotoUriWithToken>http://server_name/%%uid%%.jpg</UdsPhotoUriWithToken>

UDS substitutes the %%uid%% token with the value of the userName attribute in UDS. For
example, a user
named Mary Smith exists in your directory. The value of the userName attribute for Mary
Smith is msmith.

To resolve the contact photo for Mary Smith, Cisco Jabber takes the value of the userName
attribute and
replaces the %%uid%% token to build the following URL:
http://staffphoto.example.com/msmith.jpg



Configure jabber-config.xml
The photos for our lab are stored on the external/DNS/webserver at
C:\inetpub\wwwroot\userphotos directory.

Step 838 Switch to SiteB-AD, (172.19.X.120) RDP Session

Step 839 Double click the Jabber Config folder on the desktop

Step 840 Double click the 03_Video_Case_Num_CFg folder

Step 841 Right click Jabber-config.xml

Step 842 Click Edit from the pop-up menu

Step 843 Add the following line of code in the directory section of the jabber-
config.xml. You should be able to copy and paste the line below

<UDSPhotoURIWithToken>http://10.1.3.20/userphotos/%%uid%%.jpg</UDSPhotoURIWithToken>

The whole file should look like this when the one line is added just in
the directory section:



Step 845 Click File Save on notepad

Step 846 Click File Exit to close notepad

Step 847 Open Firefox, on SiteB-AD (172.19.X.120) RDP session, or create a new
tab in the session of Firefox that is already open

Step 848 Click SiteB-UC SiteB-CUCM911 from the Firefox favorite bar

Step 849 Click Cisco Unified Communications
Manager

Step 850 Select Cisco Unified OS Administrator, from the navigation drop-down in
the upper right corner of the login page

Step 851 Click I Understand The risk



Step 854 Select Cisco Unified OS Administration, from the navigation drop-down
menu

Step 855 Click Go

Step 856 Login with the following credentials
c. Click Login

Step 857 Click Software Upgrades TFTP File Management

Step 858 Click Upload file




Step 860 Select Desktop from the left side navigation pane

Step 861 Double click the Jabber Config file folder

Step 862 Double click 03_Video_Case_Num_CFG

Step 863 Select jabber-config.xml

Step 864 Click Open

Step 865 Click Upload File

Step 866 Verify File Uploaded Successfully, at
the top of the upload pop-up window

Step 867 Click Close, to close the upload pop-up
window

Step 868 Select Cisco Unified Serviceability, form the Navigation drop-down
window

Step 869 Click GO

a. Username Administrator (Case Sensitive)
b. Password Cisc0123 (Case Sensitive)
c. Click Login

Step 871 Click Tools Control Center Feature Services

Step 872 Select SiteB-CUCM911.siteb.comeCUCM Voice/Video, from the Select
Server drop-down menu

Step 873 Click Go

Step 874 Select Cisco Tftp

Step 875 Click Restart

Step 876 Click OK, on the page refresh warning



Testing jabber-config.xml
In this section the student will point a browser to the URL below and it should retrieve the
jabber-config.xml from the CUCM TFTP server. All changes should be reflected in the output.

Step 877 Open Firefox, on SiteB-AD (if not already open), or open a new tab in
Firefox

Step 878 Navigate to http://10.1.2.110:6970/jabber-config.xml

The browser should present the output that is shown below, with the edit
that was made to the Directory section



White List Web Server
The student will add the web server with the photos on to the allow list on expressway, so
the Jabber client is permitted to access the web server.

Step 879 Switch to SiteB-AD (172.19.X.120) RDP
session


Step 881 Click Expressway SiteB-ExpC01, on
the Firefox favorites bar
Or switch to the tab that already has
SiteB-ExpC01 already open in it

Login with the following credentials (if not
already logged in)
a. admin (lower case)

Step 882 Click Configuration Unified Communications Configuration, in the
SiteB-ExpC01 administration web page

Step 883 Click Configure HTTP Server Allow List

Step 884 Click New

Step 885 Enter 10.1.3.20, in the Server hostname field

Step 886 Description Internet Web Server

Step 887 Click Create Entry

Step 888 Switch to SiteB-WS02, (172.19.X.241 Blake Bad) this workstation should
still be connected to the external network from a previous section


If you are not sure if the workstation is connected to the external
network confirm that SiteB-WS02 is connected to the external
network do the following

Click Help Show Connection Status
Observe that the Address in the first section says (CCMCIP
Expressway)
Close the Jabber Connection status screen
If it does say Expressway move on to the next step (outside
of this aqua box)

If the system does not say Expressway do the follow to switch SiteB-WS02 to the
external network.

Right Click External Network On icon on the desktop of
SiteB-WS02

Click Run As Administrator, from the pop-up menu

Click Yes to the warning, at this point you will loose
connectivity to the RDP session. Close the RDP window
Open a new RDP window and login to the following
Computer = 172.19.X.241
Username = siteb\bbad
Password = Cisc0123
Click Help Show Connection Status
Observe that the Address in the first section says
(CCMCIP Expressway)
Close the Jabber Connection status screen

Step 889 Click the Contacts tab on the left side of Cisco Jabber



Step 890 Observe that the Cisco Jabber contacts for Blake Bad do not have any
pictures (due to lab variations sometimes the pictures are still showing form
AD, this is OK keep going)

Step 891 Click File Exit, on the Cisco Jabber client to close it on SiteB-WS02

Due to issues in the lab, the two Jabber directories on the
workstation will need to be erase so they will be recreated when
Jabber Client is turned on again. The issue is that if the Jabber Client
has pictures already in the local photo directory the ones on the new
web server will not overwrite the photos previously downloaded from
the internal AD server. In a product network one or the other type of
photo source will exist not both as we demonstrated in the lab.

The bat file erases the Jabber directory and all sub directories below it in two
location on the local workstation.

C:\Users\bbad\AppData\Roaming\Cisco\Unified Communications
C:\Users\bbad\AppData\Local\Cisco\Unified Communications

Step 892 Right Click EraseJabber_02.bat, bat file on the SiteB-WS02 desktop

Step 893 Click Run as Administrator, from the pop-up menu

Step 894 Click Yes to allow the app to change the computer


Step 895 Double click the Jabber Client icon to open Jabber

Step 896 Enter the following credentials to login to the Jabber client
a. Username bbad
b. password Cisc0123
c. Sign me in when Cisco Jabber start Checked
d. Click Sign In

Step 897 Accept any invalid certificates (if needed)

In the next step when the Jabber client obtains the user photos
from the Mock Internet Web server, notice that the pictures look
WEIRD. They have intentionally changed with a special effect so
they look different then the pictures in the internal Active
Directory to help the student very quickly realize this is a
different set of pictures.

In most production network there will usually only be one source
for the photos unlike the experience we have just stepped through in the lab.

The altered user photos were copied into a directory
(C:\inetpub\wwwroot\userphotos) on the Mock Internet Web Server before the
class started. Also the IIS role has been installed and started on this server, to
enable it to be a web server.

Step 898 Observe that the Jabber Client now has pictures that were
retrieved from the web server (notice the pictures have been
made to look weird to prove the difference in source of the
photos)



JST Features Task 7: URI Dialing
In this section the students will configure CUCM to allow the Jabber Client to dial via URI.

Activity Objective
Configure CUCM to allow for URI dialing on the Jabber Clients
Configure jabber-config.xml and push to the TFTP server

Required Resources

Confirm URI Dialing Is Not Configured Form the Jabber Clients


Step 900 Click Blake Bad from Alexs contact list

Step 901 Click the Calling Hand Set Icon

Step 902 Observe the list of phone numbers available to call Blake with, notice none of
them are a Directory URI



LDAP Sync Directory URI

Step 903 Navigate to 172.19.X.110 (x=pod#), from the students computer browser

Step 904 Accept any invalid certificate warnings


c. Click Login

Step 907 Click User Management End User

Step 908 Click Find

Step 909 Click aace (Alex Ace), to open and edit her
user profile

Step 910 Observe that Directory URI is not filled in,
but mail ID is filled in via LDAP sync



Step 911 Click System LDAP LDAP Directory

Step 912 Click Find

Step 913 Click cucmLDAP

When you synchronize your LDAP directory server with Cisco Unified
Communications Manager, you can populate the end user configuration tables in
both the Cisco Unified Communications Manager and the Cisco Unified
Communications Manager IM and Presence databases with attributes that
contain values for the following:

User ID
You must specify a value for the user ID on Cisco Unified Communications
Manager. This value is required for the default IM address scheme and for users to log in.
The default value is sAMAccountName.

Directory URI
You should specify a value for the directory URI if you plan to:
Enable URI dialing in Cisco Jabber.
Use the directory URI address scheme on Cisco Unified Communications Manager IM and
Presence version 10 and higher.

When Cisco Unified Communications Manager synchronizes with the directory source, it
retrieves the values for the directory URI and user ID and populates them in the end user
configuration table in the Cisco Unified Communications Manager database.
The Cisco Unified Communications Manager database then synchronizes with the Cisco
Unified Communications Manager IM and Presence database. As a result, the values for the
directory URI and user ID are populated in the end user configuration table in the Cisco
Unified Communications Manager IM and Presence database.



The following two pictures show the changes made to the LDAP Directory sync on CUCM, to
allow the Directory URI field to be populated on the CUCM.

Step 914 Set Directory URI to Mail

Step 915 Click Save

Step 916 Verify a successful result at the top of the page



Step 917 Click Perform Full sync Now, at the top of the page

Step 918 Click OK, on the LDAP sync warning message


Step 920 Click Find

Step 921 Click aace (Alex Ace), to open and edit her user profile

Step 922 Observe that Directory URI is filled in, by the mail ID via LDAP sync

Creating Partition and Calling Search Space for URI Dialing
In this section Calling Search Spaces and Partitions will be configured for use with URI
dialing configuration.

Step 923 Click Call Routing Class of Control Partitions

Step 924 Click Add New

Step 925 Type URIDialing-PRT, in the name field

Step 926 Click Save

Step 927 Click Call Routing Class of Control
Calling Search Space


Step 929 Enter Unlimited-CSS

Step 930 Type URI Dialing Testing, in the description field


Step 931 Select ALL Available Partitions, by using the shift key

Step 932 Select the Down Arrow, to move all partitions to the Selected partitions

Step 933 Click Save

Setting Directory URI Alias Partition

Step 934 Click System Enterprise Parameters

Step 935 Press CTRL-F, to bring up the browser search field

Step 936 Enter Directory URI (case sensitive) in the browser search field

Step 937 Select URIDialing-PRT

Step 938 Click Save

Setting SIP Profile Configuration

Step 939 Click Device Device Settings Sip Profile

Step 940 Click find



Step 941 Select Standard SIP Profile (a new SIP profile is best practice for this, but
since we are in the lab lets just use the default SIP profile)

Step 942 Confirm Phone number consists of characters 0-9, *, #, and + (others
treated as URI addresses), is selected for Dial String Interpretation

Step 943 Check Use Fully qualified Domain Name in SIP Request

Step 944 Select Allow Presentation Sharing using BFCP is checked at the bottom of
the page

Step 945 Select Allow iX Application Media, is checked at the bottom of the page

Step 946 Click Apply Config

Step 947 Click OK

Configure Partition and Calling Search on CSF Device
In this section the CSF Phone devices will be associated with the new CSS and Partition
created previously.

Step 948 Click Bulk Administrator Phones Add Update Lines Update Lines

Step 949 Click Find


Step 950 Click Next, (disregard the Dyslexic lab developer, CFS should be CSF)

Step 951 Click and check Route Partition

Step 952 Select URIDialing-PRT as the Route Partition

Step 953 Click and check Calling Search Space

Step 954 Select Unlimited_CSS as the Calling Search Space

Step 955 Click and select Run Immediately, at the bottom of
the screen (scroll to bottom)


Step 957 Click Bulk Administration Job Scheduler

Step 958 Click Find

Step 959 Click the latest Job to view its status

Step 960 Observe that 4 records have been successfully updated



Setting End User Primary Extension


Step 962 Click Find

Step 963 Click aace (Alex Ace), to open and edit her user profile

Step 964 Select \+14085552001 in URIDialing-PRT (might already be set)

Step 965 Click Save

Step 966 Click Go, next to related links

Step 967 Select bbad, to edit Blake Bads user profile

Step 968 Select \+14085552002 in URIDialing-PRT (might already be set)

Step 969 Click Save


Step 971 Click Find

Step 972 Click CFSUSER01, (disregard the Dyslexic lab developer, CFS should be CSF)



Step 974 Click Line [1] on the left side association panel

Step 975 Observe that the Directory URI synced up from LDAP is now one of the lines
Directory URIs

Edit and Upload the Jabber-Config.xml to Activate URI Dialing
In this section the jabber-config.xml will be updated to enable the Jabber client to use URI
dialing.

Step 976 Switch to SiteB-AD, (172.19.X.120) RDP Session

Step 977 Double click the Jabber Config folder on the desktop

Step 978 Double click the 03_Video_Case_Num_CFg folder

Step 979 Right click Jabber-config.xml


Step 981 Add the following 3 lines of code just above the </config> line at the bottom.
The text below can be copy and pasted for ease of use

<Policies>
<EnableSIPURIDialling>True</EnableSIPURIDialling>
</Policies>



The whole file should look like this when the three lines are added
just above </config> at the bottom of the file

Step 982 Click File Save on notepad

Step 983 Click File Exit to close notepad

Step 984 Open Firefox on SiteB-Ad (172.19.X.120) RDP session (if not already open)

Step 985 Click SiteB-UC SiteB-CUCM911 from the Firefox favorite bar, or open
the tab that already has SiteB-CUCM911 already open in it

Step 986 Click Cisco Unified Communications
Manager

Step 987 Select Cisco Unified OS Administrator from the navigation drop-down in
the upper right corner of the login page

Step 988 Click Go



c. Click Login

Step 990 Click Software Upgrades TFTP File
Management

Step 991 Click Upload file


Step 993 Select Desktop from the left side navigation pane

Step 994 Double click the Jabber Config file folder

Step 995 Double click 03_Video_Case_Num_CFG

Step 996 Select jabber-config.xml

Step 997 Click Open


Step 999 Verify File Uploaded Successfully at the top of the upload pop-up window

Step 1000 Click Close, to close the upload pop-up window

Step 1001 Select Cisco Unified Serviceability form the Navigation drop-down
window

Step 1002 Click GO

c. Click Login


Step 1004 Click Tools Control Center Feature Services

Step 1005 Select SiteB-CUCM911.siteb.comeCUCM Voice/Video from the Select
Server drop-down menu

Step 1006 Click Go



Step 1009 Click OK on the page refresh warning

Testing URI Dialing


Step 1011 Open Windows File Explorer, by clicking the icon on the
task bar at the bottom of SiteB-WS01s desktop

Step 1012 Browse to (AppData is hidden you have to type it in or unhide hidden
directories)

C:\Users\aace\AppData\Roaming\Cisco\Unified Communications\Jabber\CSF\Config

Step 1013 Right click jabber-config




In the following step the EnableSIPURIDialling (2 Ls is due to British spelling,
and Jabber is developed across the pond) is not included in the SiteB-WS01 local
copy of jabber-config.xml. Although in the previous steps the student edited the
jabber-config.xml and uploaded it to the CUCM TFTP server, the Jabber client
only gets a fresh copy of the jabber-config.xml at startup time.

In subsequent steps the Jabber client will be restarted and will download the new
version of jabber-config.xml, which will enable URI dialing.

Step 1015 Observe that the following text is not included in this version of the jabber-
config.xml

<Policies>
<EnableSIPURIDialling>True</EnableSIPURIDialling>
</Policies>

Step 1016 Click File Exit to close the jabber-config.xml file in notepad

Step 1017 Click File Exit to close the Jabber Client

Due to issues in the lab, the two Jabber directories on the workstation will need to
be erased, they will be recreated when Jabber Client is turned on again. The issue
is the jabber-config.xml is not being downloaded while one already exist in the
workstations.

The bat file erases the Jabber directory and all sub directories below it in two
location on the local workstation.

C:\Users\bbad\AppData\Roaming\Cisco\Unified Communications
C:\Users\bbad\AppData\Local\Cisco\Unified Communications

Step 1018 Right Click EraseJabber_ws01.bat bat file on the SiteB-WS01 desktop

Step 1019 Click Run as Administrator from the pop-up menu

Step 1020 Click Yes, to allow the app to change the computer

Step 1021 Double click the Jabber Client icon on the SiteB-WS01 desktop

Step 1022 Enter aace@siteb.com in the email field

Step 1023 Click Continue



Step 1025 Click and Check sign me in when Cisco Jabber Starts

Step 1026 Click Sign in

Step 1027 Accept any Invalid Certificates, that might pop up
Step 1028 Open Windows File Explorer, by clicking the icon on the task bar at the
bottom of SiteB-WS01s desktop

Step 1029 Browse to (AppData is hidden you have to type it in or unhide hidden
directories)

C:\Users\aace\AppData\Roaming\Cisco\Unified Communications\Jabber\CSF\Config

Step 1030 Right click jabber-config

Step 1031 Click Edit, from the pop-up menu

Step 1032 Observe now the URIDialling Enable is now included in this version of the
jabber-config.xml, proving the new jabber-config file was downloaded at
startup of the Jabber Client

Step 1033 Click File Exit, to close the jabber-config.xml file in notepad

Step 1034 Close Window File Explorer

Step 1035 Click and Highlight Blake Bad, in Alexs contact list

Step 1036 Click the Call Handset

Step 1037 Observe the new URI entry in the list of numbers pop-up window

Step 1038 Select bbad@siteb.com, to call Blake via URI dialing



Step 1039 Switch to SiteB-WS02 (172.19.X.202 or .241)
RDP Session depending on if WS 2 is internal or
external

Step 1040 Click Answer on the incoming call pop-up
window in the lower right hand corner

Step 1041 Click Red Hand Set on either workstations conversation window to end the
call



JST Features Task 8: Persistent Chat
In this section persistent chat rooms will be enabled on the Jabber client

Activity Objective
PostgreSQL Database configuration
Configure the IM & P server to connect to the PostgreSQL external databse
Persistent Chat end user usage

Required Resources

Enterprise Instant Messaging
Feature-rich enterprise IM is an important real-time communications medium for
customers; it introduces another mode of communication among users,
customers, and suppliers.
Instant messaging is an important communication option that lets you efficiently
interact in today's multitasking business environment. Cisco Unified Presence
provides personal chat, group chat, and persistent chat capabilities so you can quickly
connect with individuals and groups and conduct ongoing conversations.
Group chat allows you to create a temporary IM enterprise chat room and invite internal
and external colleagues to the chat room to join an IM conference.
Persistent chat is a permanent chat room that offers your ongoing access to a discussion
thread. It is available even if no one is currently in the chat and remains available until
explicitly removed from the system. It allows workers in different locations, countries, and
time zones to participate with fellow team members, customers, partners, and suppliers to
communicate, quickly gain context to ongoing conversations, and easily collaborate in real
time.

Database Setup for IM and Presence Service on Cisco Unified Communications Manager,
Release 10.0(1)
Click Here



Configuring the PostgreSQL Database

For sake of time and ease of use the PostgreSQL database has already been
installed for the students on the Mock Internet DNS/Web server
Short video on PostresSQL database install
Watch this video in HD here - http://youtu.be/VIFrOeNbRWE

Step 1042 Switch to Mock Internet DNS (172.19.X.220 x=pod#) RDP Session

Step 1043 Click Start All Programs PostgreSQL 9.1 pgAdmin III, in the
lower right corner

Step 1044 Double Click PostgreSQL 9.1 (localhost:5432), from the left hand
navigation pane in pgAdmin III

Step 1045 Enter Cisc0123, for the
PostgreSQL password

Step 1046 Click and Mark Store Password

Step 1047 Click OK

Step 1048 Click OK, for the save password
warning. This is not recommended
in a production network since the
password is saved in clear text



Step 1049 Right Click Login Roles, from the left hand side object browser

Step 1050 Click New Login Role, from the pop-up role

Step 1051 Enter tcuser, in the Role Name on the properties tab

Step 1052 Click Role Privileges tab

Step 1053 Select Inherits rights from parent roles (on by default)

Step 1054 Select Superuser

Step 1055 Select Can Create Database Objects

Step 1056 Select Can Modify Catalog Directly (auto check when Superuser is
checked)

Step 1057 Click OK, to finish creating role

Step 1058 Click and Highlight Databases (1), in the object browser navigation pane
on the left side of pgAdmin



Step 1059 Click the Create a New Object, blue arrow Icon on the pgAmin tool bar to
create a new database

Step 1060 Enter tcmadb, in the Name field of the new database pop-up window

Step 1061 Select tcuser, form in the Owner field drop down menu

Step 1062 Click Definition tab

Step 1063 Select SQL_ASCII, from the Encoding drop down menu

Step 1064 Select Template0, from the template drop down menu

Step 1065 Click OK, to finish creating the new database

Step 1066 Click Command Prompt, icon on the task bar at the bottom of the desktop

Step 1067 Enter cd C:\Program Files\PostgreSQL\9.1\bin, at the DOS prompt



Step 1068 Enter psql.exe tcmadb postgres, at the DOS prompt

Step 1069 Copy and paste the following commands in the DOS prompt, one at a time
if you get an error that one of these items already exists move on to the
next item

CREATE FUNCTION plpgsql_call_handler () RETURNS LANGUAGE_HANDLER AS '$libdir/plpgsql'LANGUAGE C;

CREATE TRUSTED PROCEDURAL LANGUAGE plpgsql HANDLER plpgsql_call_handler;

ALTER ROLE tcuser WITH PASSWORD 'Cisc0123';

ALTER ROLE tcuser WITH SUPERUSER;

\q (to end session)

Step 1070 Close the Command Prompt

Step 1071 Click Tools Server Configuration postgresql.conf, from the
pgAdmin III tool menu

Step 1072 Double click Escape_string_Warning, (to find it just type es and the
backend config editor should scroll right to the setting)

Step 1073 Click and check enabled


Step 1074 Type off, in the value field

Step 1075 Click OK

Step 1076 Observe the escape_string_warning is now checked and value = off

Step 1077 Double click Standard_conforming_strings, (to find it just type stand
and the backend config editor should scroll right to the setting)

Step 1078 Click and check enabled

Step 1079 Type off, in the value field

Step 1080 Click OK

Step 1081 Click Save, (blue disk in tool bar) on the Backend
Config Editor

Step 1082 Click Yes, to confirm the save
Step 1083 Click Reload, (green right facing arrow) on the
Backend Config Editor
Step 1084 Click Yes, to confirm reload
Step 1085 Close Backend Configuration Editor



Step 1086 Click Tools Server Configuration
pg_hba.conf

Step 1087 Double click the Blank Line at the bottom of the
Backend Access Config Editor

Step 1088 Click and check Enabled (default)

Step 1089 Select Host, from the type drop-down menu

Step 1090 Select tcmadb, form the database drop-
down menu

Step 1091 Select tcuser, form the user drop-down
menu

Step 1092 Enter 10.0.0.0/8 in the IP Address field

Step 1093 Select Password, form the method

Step 1094 Click OK

Step 1095 Observe the Backend Access Config Editor
should look something like this. The entry just created is like a access list
for who is allow to access the database and from what network

Step 1096 Click Save, (blue disk in tool bar) on the Backend Config Editor

Step 1097 Click Yes, to confirm the save
Step 1098 Click Reload, (green right facing arrow) on the Backend Config Editor
Step 1099 Click Yes, to confirm reload

Step 1100 Close the Backend Access Config Editor

Step 1101 Open File Explorer window by clicking the Folder icon on the
bottom tool bar

Step 1102 Navigate to C:\Program Files\PostgreSQL\9.1\data, in Windows File
Explorer



Step 1103 Double click pg_hba.conf

Step 1104 Click Select a program from a list of installed programs

Step 1105 Click OK


Step 1107 Click OK

Step 1108 Scroll to the bottom of the pg_hba.conf file

Step 1109 Remove the bottom line that says
host tcmadb tcuser 10.0.0.0/8 crypt

Step 1110 Copy and paste the following two lines to the bottom of the pg_hba.conf file
in Notepad

host all tcuser 10.0.0.0/8 password
host tcmadb all 0.0.0.0 0.0.0.0 password

Step 1111 Click File Save, in Notepad to save the pg_hba.conf file


Step 1113 Click and Highlight PostgreSQL 9.1 (localhost:5432), in the pgAmin III

Step 1114 Right click PostgreSQL 9.1 (localhost:5432)



Step 1115 Click Stop Service, from the pop-up menu

Step 1116 Click Yes, to confirm shutdown

Step 1117 Right click PostgreSQL 9.1 (localhost:5432)

Step 1118 Click Start Service, from the pop-up menu

Step 1119 Double click PostgreSQL 9.1 (localhost:5432) to login

Configuring the IM&P Sever
In this section the IM&P server will be configured to communicate with the external
PostgreSQL server.

Step 1120 Navigate to 172.19.X.112 (x=pod#), from the students computer browser

Step 1121 Click Cisco Unified Communications Manager IM and Presences

Step 1122 Accept any and all invalid certificates if any

Step 1123 Enter the following credentials to login in to IM&P
c. Click Login

Step 1124 Click Messaging External Server Setup External Databases




Step 1126 Enter tcmadb, in the Database Name field

Step 1127 Select Postgres, from the Database Type drop-down field
(default)

Step 1128 Enter Persistent Chat DB, in the Description field

Step 1129 Enter tcuser, in the User Name field

Step 1130 Enter Cisc0123, in the Password field

Step 1131 Enter Cisco123, in the Confirm Password field

Step 1132 Enter 10.1.3.20, in the Hostname field

Step 1133 Enter 5432, in the Port Number field (default)

Step 1134 Click Save

Step 1135 Observe that after the Database information is saved the status at the
bottom of the page should look like this

Step 1136 Click Messaging Group Chat and Persistent Chat

Step 1137 Click and check Enable Persistent Chat



Step 1138 Select tomadb (10.1.3.20), for the node of SiteB-IMP911.siteB.com (only
use one node the system will only let one node be connected to the external
database)

Step 1139 Scroll down and click and check Users can add themselves to rooms
and as members


Step 1141 Select Cisco Unified IM and Presence Serviceability, form the
Navigation drop-down menu in the upper right corner of the IM&P web
admin

Step 1142 Click Go

Step 1143 Click Tools Control Center Network Services

Step 1144 Select SiteB-IMP911.siteb.com-CUCM IM and Presence, from the
server drop-down menu



Step 1145 Click GO

Step 1146 Scroll down and select Cisco XCP Router

Step 1147 Click Restart (this will take a minute or so, please be patient)

Step 1148 Click OK, to confirm the restart

Step 1149 Wait for the loading pop-up to go away and the screen to refresh

Step 1150 Select Cisco Unified CM IM and Presence Administration, from the
navigation drop-down menu

Step 1151 Click Go

Step 1152 Click Messaging External Server Setup External Databases

Step 1153 Click Find

Step 1154 Click tcmadb, to open and edit the database connection

Step 1155 Observe the status of the external database

Update jabber-config.xml
In this section the jabber-config.xml will be updated to include turning on Persistent Chat

Step 1156 Switch to SiteB-Ad (172.19.X.120) RDP Session

Step 1157 Double Click Jabber Config, folder on the desktop of SiteB-AD

Step 1158 Double Click 03_Video_Case_Num_Cfg, folder



Step 1159 Right click jabber-config.xml

Step 1160 Click Edit, from the pop-up menu

Step 1161 Add the following line to the policies section of the Jabber-config.xml

<Persistent_Chat_Enabled>true</Persistent_Chat_Enabled>

The whole jabber-config.xml file should look like the following at
this point in the lab

Step 1162 Click File Save, to save the jabber-config.xml

Step 1163 Click File Exit, to close the notepad

Step 1164 Open or switch to Firefox, on the SiteB-AD RDP session, or bring to focus
the Firefox that is already open

Step 1165 Click SiteB-UC SiteB-CUCM911, or open tab with SiteB-CUCM911
admin already open
Step 1166 Click Cisco Unified Communications Manager (if requested)

Step 1167 Select Cisco Unified OS Administration, form the Navigation drop-down

Step 1168 Click Go

c. Click Login


Step 1170 Click Software Upgrades TFTP File Management



Step 1173 Click Desktop, in the left side navigation pane

Step 1174 Double Click Jabber Config, file folder

Step 1175 Double Click 03_Video_Case_Num_CFG

Step 1176 Select Jabber-config.xml

Step 1177 Click Open


Step 1179 Verify a Successful Upload

Step 1180 Click Close

Step 1181 Select Cisco Unified Serviceability, from the navigation drop-down menu



Step 1182 Click Go

c. Click Login

Step 1184 Click Tools Control Center Features Services

Step 1185 Select SiteB-CUCM911.siteb.comCUCM Voice/Video, from the select
server drop-down menu

Step 1186 Click Go




Step 1190 Wait for the Loading pop-up windows goes away and the page refreshes

Step 1191 Open a new tab in Firefox, or to the tab that was used to test the jabber-
config.xml previously if it is still open

Step 1192 Navigate to http://10.1.2.110:6970/jabber-config.xml



Step 1193 Observe and confirm that the new jabber-config.xml is active on the TFTP
server, with the persistent chat enabled in it



Configuring Persistent Chat (P Chat) Conference Rooms
In this section the students will create, manage, administer and destroy conference room
for Persistent Chat

What are Conference Rooms?
Conference rooms enable you to chat with a number of people within a
conference room. People typically set up conference rooms to gather a specific
group together, or to talk about a specific subject. Once you enter a conference
room, you can see the presence of everyone in the conference room and can
participate in the ongoing conversation.

The different type of conference rooms
Room Type Description
Permanent
Rooms
If the purpose of a conference room is long-standing (for example, a meeting
place for discussing an ongoing project), it is usually created as a permanent
room. That is, the conference room continues to exist, even when all members
have left. Members come and go, as they want. Depending on the configuration
of your environment, you may not have the option to create permanent rooms.
The server can be configured so that only occupants with administrator's rights
have this capability.
Temporary
Rooms
If the purpose of a conference room is short-term (for example, a quick decision
on where to go for lunch), it is usually created as a Temporary room. When
everyone leaves the conference room, it ceases to exist. That is, the conference
room exists only for as long as there are people in it.
Moderated
Rooms
Moderators manage the moderated room. If you are not a member of a
moderated room, you enter the moderated room without the ability to speak in
the conference room until the moderator grants you voice.
Open Rooms
This is a conference room that anyone can join without being on the members
list.
Members Only
Rooms
The owner or administrator adds you to the members list in order for you to join
the conference room.
Anonymous
Rooms
In Anonymous rooms, the occupant's ID is hidden to everyone. You can send
private chats to occupants in an Anonymous room.
Non-
Anonymous
Rooms
In Non-Anonymous rooms, the occupant's ID is shown to everyone in the
conference room. You can send one-to-one chats to occupants in Non-
Anonymous room.
Password
Protected
Rooms
A password is required in order to join a password protected conference room.



Roles within a conference room
Your role within a conference room is temporary, and does not persist
once you leave the conference room, unless you have an affiliation with
that conference room. Also, a role within a conference room depends on
whether a conference room is moderated or non-moderated.
In moderated rooms, unaffiliated occupants do not have voice
initially. Moderators can grant or revoke voice to occupants of that
conference room. If the occupant was granted voice and then the occupant leaves the
conference room, the next time the occupant joins the conference room, the unaffiliated
occupant will not have voice.
In non-moderated rooms, occupants have voice within that conference room. However,
Owner or Administrator can revoke voice to occupants of that conference room. If the
occupant's voice was revoked and then the occupant leaves the conference room, the next
time the occupant joins the conference room, the occupant has voice.
The following table describes the roles within a conference room.
Role Description
Observers
Observers in moderated rooms are not able to speak (voice) within the moderated
room unless the Moderator grants them voice. For example, you might want to set
up a conference room for a debate between three individuals. While many people
would be able to view the debate, only the three visitors will be granted voice
within that moderated room and can enter messages.
Participants Participants are able to speak (voice) within the conference room.
Moderators
If room moderation has been enabled for a conference room, the conference room's
owners and administrators can grant moderator privileges. In addition to basic
conference room activities, such as chatting, inviting, and changing the subject,
moderators can grant and revoke voice, which is the ability for a conference room
occupant to send messages within the conference room (voice). If a conference
room occupant has no voice, he or she cannot chat in the conference room.

Affiliations within a conference room
Affiliations have a permanent association with a conference room. Affiliation
includes owner, administrator, member, unaffiliated, and banned. The following
table describes the conference room affiliations:
Affiliation Description
Owner
These occupants can modify conference room options, grant and revoke
administrator privileges, grant and revoke voice, add and remove membership,
grant and revoke moderator privileges, remove and ban occupants, and delete


conference rooms. When you create a conference room, you are the owner of the
conference room and a moderator in a moderated or non-moderated room. You
may also become the owner of a conference room if the current owner grants you
ownership.
Administrator
These occupants can grant and revoke voice, add and remove membership, grant
and revoke moderator privileges, and remove and ban occupants. In addition to
being administrator in a conference room, an administrator is also a moderator in
a moderated or non-moderated room.
Member
These occupants are members of an open conference room or members-only
room.
Unaffiliated
These occupants can join open conference rooms, but they do not have an
affiliation within the conference room.
Banned These occupants are banned from joining the conference room.

Configuring Conference Rooms with MomentIM
In this section the students will configure MomentIM to connect with Cisco IM&P server, and
administer conference rooms

Due to feature limitation, that should be available in future releases of Cisco Jabber
Client, the lab will use MomentIM a 3
rd
party client to administer conference rooms

Step 1194 Switch to Internet_DNS_Srv, (172.19.X.220 x=pod#) RDP Session

Step 1195 Click on the MomentIM icon on the bottom task bar

Step 1196 Click Yes, to remove plug-in list warning

Step 1197 Click Create a new Profile, at the bottom of the main
screen

Step 1198 Enter Alex Ace, in the
New Profile name pop-up
window

Step 1199 Click OK



Step 1200 Enter the following information on the Account Details page
a. Username aace
b. server siteb.com
c. password Cisc0123
d. Save password Checked
e. This is a new account Un-Checked
f. Click Connection on the left hand side

Step 1201 Enter the following on the Connection page
a. Select Specify host and port:
b. Enter 10.1.2.113
c. Port 5222 (default)
d. Secure connection Encrypt the connection whenever possible
(default)
e. Click OK

Step 1202 Click Alex Ace, on the main screen to connect

Step 1203 Select Always allow this SSL certificate (if presented)



Step 1204 Click OK

Step 1205 Observe that Alex logs in and has all her contacts as she does on her Cisco
Jabber client on WorkStation 01

Step 1206 Click the Join a conference, button (Brown Door Icon) on the top tool bar

Step 1207 Select Join or Create the following
conference room

Step 1208 Select conference-X-
standalonecluster from the drop
down conference room name

Step 1209 Enter Alex Ace Tech Talk - Persistent


Step 1211 Click and check Make the room persistent



Step 1212 Click OK

Step 1213 Observe the main MomentIM conversation window




Step 1215 Observe what tabs are on the Jabber client before exit and restart

Step 1216 Click File Exit, on the Jabber client to close the client

Step 1217 Right click Erase Jabber.bat, on the desktop of SiteB-WS01

Step 1218 Click Run as administrator, from the pop up menu

Step 1219 Click on Yes, to allow the bat file to make changes to the computer

Step 1220 Double Click the Jabber Client icon to open Jabber

Step 1221 Enter aace@siteb.com in the email address field



Step 1224 Click and check Sign me in when Cisco Jabber Starts




Step 1226 Click the new P-Chat Tab

Step 1227 Click the All Rooms Tab

Step 1228 Click Refresh, if the Alex Ace tech talk room does not show up

Step 1229 Switch to SiteB-WS02 (172.19.X.202 Black Bad) RDP Session

Step 1230 Click File Exit, on the Jabber client to close the client

Step 1231 Right click Erase Jabber.bat, on the desktop of SiteB-WS01



Step 1232 Click Run as administrator, from the pop up menu

Step 1233 Click on Yes, to allow the bat file to make changes to the computer

Step 1234 Double Click the Jabber Client icon to open Jabber

Step 1235 Enter bbad@siteb.com in the email address field



Step 1238 Click and check Sign me in when Cisco Jabber Starts


Step 1240 Click the new P-Chat Tab

Step 1241 Click the All Rooms Tab



Step 1242 Click Refresh, if the Alex Ace tech talk room does not show up

Step 1243 Click Join, on Blake Bads Jabber Client

Step 1244 Observe the Check Mark, that is replace for the green join button
indicating Black has just joined this room

Step 1245 Observe the new conversation window that just opened with the persistant
chat room in it

Step 1246 Enter Hello Alex, do you have time for a question
Step 1247 Press Enter to submit the text to the chat room


Step 1249 Click the Green Join, button from the All Rooms tab on Alexs Jabber client



Step 1250 Observe that Alex can see the past messages to her in the text area

Configuring Conference Rooms Filters

Step 1251 Click the Filters tab on Alexs Jabber client

Step 1252 Click Create Filter at the bottom of the Jabber Client

Step 1253 Enter the following in the Create Filter
pop-up window
a. Filter Label Jabber Talk
b. keywords 1 XMPP
c. Keyword 2 Presence
d. Keyword 3 Jabber
e. Click Create
Step 1254 Click Create Filter (again)


Step 1255 Enter the following in the Create Filter pop-
up window
a. Filter Label Alex is Paranoid
b. keywords 1 Alex
c. Keyword 2 Ace
d. Keyword 3 Your Fired
e. Click Create

Step 1256 Observe Alexs new filters


Step 1258 Type Alex my question is in regards to XMPP in Jabber, please
contact me when you have a chance, in the Alex Ace Tech Talk chat
room. There are two word Alex is filtering on XMPP and Jabber in this text

Step 1259 Close the Conversation Window, so Blake is not active in the conversation



Step 1260 Observe that Blake is still a member of the conversation by looking in the
All rooms tab of the Jabber Client


Step 1262 Click Filters Tab, in Alexs Jabber Client

Step 1263 Observe there are 2 Filtered items waiting, and it shows in two places the
left navigation tab and the upper filter tab

Step 1264 Double click the Alex is P filter

Step 1265 Double click the Jabber T. filter

Step 1266 Observe the filter indicators clear on the Jabber client



Step 1267 Observe the two filter conversation in the conversation window

Step 1268 Click on Alex Ace Tech Talk, chat room

Step 1269 enter @bl in the enter text section, observe it brings up a contact search

Step 1270 Select Blake Bad

Step 1271 Enter I will get back to you this
afternoon


Step 1273 Switch to SiteB-WS02 (172.19.X.202 Blake
Bad) RDP Session

Step 1274 Click the P-Chat navigation tab is not all
ready selected

Step 1275 Click the Filters tab at the top of the p-chat
window



Step 1277 Observe there is a filter indicator

Step 1278 Double click the My Ment

Step 1279 Observe the mentioned conversation

Step 1280 Switch to Internet-DNS-Srv (172.19.x.220) RDP Session

Step 1281 Click the Join Room brown door icon on the MomentIM upper tool bar

Step 1282 Enter the following in the Join Room
pop-up window
a. Join or Create the following
conference rooms Selected
b. Conference Room server
conference-2-
standalonecluster
c. conference Room Name IT
Team Chat Persistent
d. Click Finish

Step 1283 Click and check make the room
Persistent

Step 1284 Click OK

Step 1285 Click the Join Room brown door icon on the MomentIM upper tool bar



Step 1286 Enter the following in the Join Room pop-up window
a. Join or Create the following conference rooms Selected
b. Conference Room server conference-2-standalonecluster
c. conference Room Name Brown Bag Lunch Tech Talk
Persistent
d. Click Finish

Step 1287 Click and check Make the room Persistent

Step 1288 Click OK

Step 1289 Click the Disconnect switch icon on the MomentIM upper tool bar

Step 1290 Click Create a New Profile, on the bottom of the MomentIM client

Step 1291 Enter Nancy Fox, in the new profile
pop-up window

Step 1292 Click OK, to create the profile

Step 1293 Enter the following in the account
details
a. Username nfox
b. Server siteb.com
c. password Cisc0123
d. Save Password Checked
e. This is a new account
UNChecked



Step 1294 Click Connection, on the left side navigation pane

Step 1295 Enter the following information into the connection window
a. Specify host and port Selected
b. Host 10.1.2.112
c. Port 5222
d. Secure connection Encrypt the connection whenever possible
e. Click OK, to create the profile

Step 1296 Click Nancy Fox, profile to connect as nancy

Step 1297 Click the Add Contact, button on the MomentIM upper tool bar

Step 1298 Click Add Contact, from the pop-up menu

Step 1299 Enter the following in the add contact pop-up window
a. Contact Type Jabber
b. Contact ID aace
c. NickName Alex Ace
d. Group Unified
e. Click OK

Step 1300 Add another contact for Black Bad (bbad)



Step 1301 Observe the two contacts have been added to MomentIM contacts for Nancy
fox

Step 1302 Click Join Room, brown door icon

Step 1303 Enter the following information in the Join Room pop-up window
a. Join or Create the following conference room Checked
b. Conference Room Server Conference-2-standalone-cluster
c. Conference Room Name Nancy Fox Tech Talk Persistent
d. Click Finish

Step 1304 Click and Check Make the room persistent

Step 1305 Click and check Enable room
moderation

Step 1306 Click OK



Step 1307 Click and Drag Blake Bad, form Nancys MomentIM contact list to the
Nancy Fox Tech Talk Chat room conversation window. This will send a invite
to Blake for this chat room

Step 1308 Click OK, to invite Blake to the conference

Step 1310 Select P-Chat tab in Alexs Jabber Client
Step 1311 Click All Rooms
Step 1312 Click Refresh

Step 1313 Click Join, to join Nancy Foxs Tech Talk



Step 1314 Observe the conversation window


Step 1316 Observe the chat room notification, in the lower right corner of Blakes
desktop.

Step 1317 Click Enter

Step 1318 Observe the conversation window, also notice Blake and Ace did not have
permission to send message because it is a moderated chat room



Deleting Chat Rooms

Step 1319 Switch to Internet-DNS-Server (172.19.X.220) RDP Session

Step 1320 Right Click the Conversation window, for the chat room Nancy Fox Tech
Talk. MomentIM calls this Destroying the Conference Room

Step 1321 Select Admin Destroy Conference Room, from the pop-up menu

Step 1322 Click Yes, to confirm the destroy of the room

Step 1323 Click OK, to confirm the Destroy Reason. The reason can be edited if wished



Step 1324 Click OK, on the room destroy conformation


Step 1326 Click OK, and clear the broadcast message about the room being destroyed

Step 1327 Observe that Nancys room has been removed from Alexs All Rooms tab in
her Jabber Client


Step 1329 Click OK, and clear the broadcast message about the room being destroyed



JST Features Task 9: Jabber Guest
In this section one Expressway E and one Expressway C will be configured to perform the
task of Jabber guest.

In this activity, you will learn the methods to

Configure Expressway E
Configure Expressway C
Configure Jabber Guest Server

Required Resources
To complete this section of the lab you will need a computer that is connected to the lab via
VPN.

Jabber Guest server software runs as a virtual machine, deployed with the Cisco
Expressway Series gateway alongside your existing Cisco Unified
Communications installation. A Second Expressway Series edge server in the
demilitarized zone between your firewall and the Internet gives your business
or organization secure access to Jabber Guest features. And when visitors to
your website or mobile application click the Jabber Guest link, their
communications are secure, too-their video calls, the information they research,
and the information they give your agents.
Figure 1 shows you how Jabber Guest looks to your customer.

Simple, straightforward, and welcoming.



And Figure 2 shows you how Jabber Guest looks to your IT department.

Also simple and straightforward.
Jabber Guest is designed to be easy:
It's easy to develop the parts of your website that use it: We've built in a developer quick-
start approach with software development kits (SDKs), documentation, sample codes, and
other provisions.
It's easy to deploy: Access to your site is through URLs, and URLs are also the pathway by
which the links in your portal are made with your contact center, business office, or other
places in your organization. You can create these links in a number of ways, including
through a RESTful API that can be integrated into your application.
It's easy to access: Your guest just clicks on a link on your website or mobile application.
The user experience is simple.
Jabber Guest relies on the Cisco Unified Communications Manager (UCM). It offers two
features from the Cisco UCM portfolio that we've been discussing as especially valuable for
satisfying your customers: instant-on voice and video; and the ability to display information
such as flash videos, images, and URLs to the customer.
You see video of your customer captured by a camera on his or her computer, tablet, or
smartphone.
As guests, your visitors have a great deal of choice:
Point-to-point video
Point-to-many video (videoconference)
The ability to see themselves before going live on video
In-call control through a keypad
The ability to mute video, audio, or both
The ability to see themselves as well as your employee(s)
The choice of camera and audio device
The choice of clicking on your website from a tablet or PC or clicking on an app from a
mobile device


As developers, your IT personnel can:
Use an SDK to create desktop web applications: We provide sample HTML and JavaScript
with which they can set up video widgets and an event handler
Use SDKs to set up mobile native applications for iOS devices
Embed Jabber Guest functions easily into any web-based or mobile application
In addition, Jabber Guest call control is designed to be compatible with upcoming WebRTC
standards.
We make life easier for your other employees, too. They can:
Bring videos and other content into a conversation with a guest
Bring in an expert at another location - even halfway around the world
Focus on the business at hand, rather than the technology
Even relax and enjoy the interaction

Jabber Guest Deployment

Configuring Expressway for Jabber Guest Functionality
In this section two Expressways, a C and an E, will be configured These two Expressways
are two completely different set of Expressways from what was used in the previous Collab-
Edge section of this lab. Future releases of Expressway will support both Collab-Edge and
Jabber Guest on the same set of Expressways.



Both Expressways and the Jabber Guest VMs have been deployed in the lab for
the student.

Short Video on deploying the Expressway Virtual Machines

Short video on deploying Jabber Guest Server Virtual Machine
Watch this video in HD here - http://youtu.be/hsT5Jejx9Ow



Step 1330 Switch to SiteB-AD (172.19.X.120) RDP Session

Step 1331 Click Firefox, from the task bar at the bottom of the desktop

This section will be done twice, once for Siteb-JabGstC01 and once for
SiteB-JabGstE01 Follow from here down and when you get to a table
take the left side the first time through for SiteB-JabGstC01, and take
the right side when doing the second pass for SiteB-JabGstE01

In this first section of Jabber Guest Expressway configuration, many of
the same initial steps will be performed on the Expressways in the Collab-edge
section done earlier in this lab.

SiteB-Jabber Guest C 01
SiteB-Jabber Guest E 01
Step 1332 Click Jabber Guest SiteB-
JabGstC01, from the Firefox
favorite bar

Step 1332 Open a new tab in Firefox
Step 1333 Click Jabber Guest SiteB-
JabGstE01 from the Firefox
favorite bar

Step 1334 Click I Understand the Risks, (if presented)

Step 1335 Click Add Exception, (if presented)

Step 1336 Click Confirm Security Exception, (if presented)

admin (all lower case)
Password TANDBERG (all upper case)
Click Login

Step 1338 Observe the Expressway/VSC web administrator



Step 1339 Click the Red Box, that says this system has five alarms

Step 1340 Observe the five system alarms

Step 1341 Click Time, under on the first alarm under the Action heading

Alternatively Click System Time

Step 1342 Observe that the first three NTP servers have place holders in the address
field



Step 1343 Delete and clear all the default entries in the address fields

Step 1344 Enter 128.107.212.175, in the first NTP Server Address

Step 1345 Select US/Pacific, for the time Zone


Step 1347 Observe the bottom of the time page for a minute or so, eventually the
status will go from Rejected to Starting to Synchronized

dropped from five alarms to three alarms (you might have to click on the
red alarm box to get it to change from five to three if you dont give it
enough time)



Step 1349 Click Change the admin password link under action on the alarm page

Or Click Users Administrator Accounts

Step 1350 Click admin, to open the admin
configuration page

Step 1351 Enter Cisc0123, in the
password field

Step 1352 Enter Cisc0123, in the confirm
password field


dropped from five alarms to two alarms

Step 1355 Click View Instruction on changing the root password, under actions

Step 1356 Observe the Using the Root Account, help page pop-up

Step 1357 Close the Help Page, when finished reading it
Step 1358 Click the PuTTy, icon on the bottom tool bar

Step 1359 Click SiteB-JabGstC01, from
the saved sessions list in PuTTy

Click SiteB-JabGstE01, from the saved
session list in PuTTy


Step 1361 Click Yes on the PuTTy security warning

Step 1362 Enter root, to login as (all lower case)

Step 1363 Enter TANDBERG, FOR Password (all uppercase)

Step 1364 Enter passwd, at the prompt




Step 1366 Enter Cisc0123, for new UNIX password (it will not look like you are
typing)


Step 1368 Enter Cisc0123, to
retype the new UNIX
password


Step 1370 Close the PuTTy
window

Step 1371 Click OK, to confirm
closing PuTTy

dropped from two alarms to one alarms

Options are used to add additional features to the Expressway. Option keys can
either be valid for a fixed time period or have an unlimited duration. Your
Expressway may have been shipped with one or more optional features pre-
installed. To purchase further options, contact your Cisco representative.

The Option keys page (Maintenance > Option keys) lists all the existing
options currently installed on the Expressway, and allows you to add new
options.

The System information section summarizes the existing features installed on the
Expressway and displays the Validity period of each installed key. The options that you
may see here include:

Traversal Server: enables the Expressway to work as a firewall traversal server.
H.323 to SIP Interworking gateway: enables H.323 calls to be translated to SIP
and vice versa.
Advanced Networking: enables static NAT functionality and the LAN 2 port on an
Expressway-E.
Rich media sessions: determines the number of non-Unified Communications calls
allowed on the Expressway (or Expressway cluster) at any one time. See the Call
types and licensing [p.264] section for more information.
TURN Relays: the number of concurrent TURN relays that can be allocated by this
Expressway (or Expressway cluster). See About ICE and TURN services [p.49] for
more information.
Encryption: indicates that AES (and DES) encryption is supported by this software
build.


Microsoft Interoperability: enables encrypted calls to and from Microsoft Lync
2010 Server (for both native SIP calls and calls interworked from H.323). It is also
required by the Lync B2BUA when establishing ICE calls to Lync 2010 clients. It is
required for all types of communication with Lync 2013.
Expressway Series: identifies and configures the product for Expressway Series
system functionality.

Step 1373 Click Add a Release Key, under action

Or Click Maintenance Option Keys

Step 1374 Observe the Option Keys admin page, take note of the active options

Notice the Serial Number (S/N), in the lower right hand corner of the
admin page. This is the serial number that is used to generate licenses
and options keys

The Release Keys and Options keys have already been installed into SiteB-ExpC02
and SiteB-ExpE02 (the cluster pair of expressway servers)

Step 1375 Observe the server model name at the top of the admin page, this will
change once all the option keys are installed




This key is the Service Contract Release key
Step 1377 Copy and Paste the license number

4871176275042305

in the Release Key Field

Careful to make sure you have the release key
field and not the option key field. This key
validates the service contract on the server

Ignore the two new alarms that appear for a
invalid key, this will clear itself after a restart,
later in the section

Step 1359 Copy and Paste the license
number

4288141040879898

in the Release Key Field

Step 1378 Click Set Release Key

Step 1379 Observe the Yellow message at the top of the screen (do not restart we
will do that later)

This option key is the Expressway series key

116341E00-1-8AD9AE82

in the Software Option Field


116341E00-1-A14E7789

in the Software Option Field

Notice the although this is ultimately going
to be an Expressway-E server at this point
it is an Expressway-C, but will change roles
when a later option key is installed




Step 1364 Observe the server model name at the top has change (The E expressway
will also say C for now, we will change the E to a E later in the section)

Step 1365 Observe the Yellow message at the top of the screen (do not restart we
will do that later)

This option key is the Rich Media Key

116341W100-1-6D415BF0

in the software Option Field


116341W100-1-5B0DD1B0

in the software Option Field





Use Left Column First
Pass of Section
Nothing Here

This is an Expressway-E
Only section

Move on to next step below
continue setting up SiteB-
JabGstC01 if this is your
first pass of this section of
the lab
Step 1369 Copy and Paste the license number (Must Be All
Caps)

116341I1800-1-EC92C886

in the Software Option Field (this option key is for the E
expressway only). This option key is the Turn Relay 1800


Step 1370 Copy and Paste the license number (Must Be All
Caps)

116341T00-1-DE3F1423

in the Software Option Field (this option key is for the E
expressway only). This option key is the Traversal Service for
E option key

Step 1369 Click Add Options

Step 1370 Observe the model name at the top of the page
changed from C to E

Step 1371 Observe the options added to the Expressway-E



Step 1372 Click System DNS, in the Expressway web admin

Step 1373 Enter the following information for each Exprssway
System Host Name siteb-jabgstc01
Domain Name siteb.com
Address 1 10.1.2.120
Click Save

System Host Name siteb-jabgste01
Domain Name siteb.com
Address 1 10.1.3.20
Click Save

Step 1374 Scroll down and click DNS Lookup Utility

Step 1375 Enter siteb-jabgstc01.siteb.com (the domain name is not needed)

Step 1376 Click Lookup

Step 1377 Observe the successful DNS Lookup

Step 1378 Click Maintenance Restart Options

Step 1379 Click Restart, (careful to not click shutdown)



Step 1380 Click OK, to restart the system

Step 1381 Observe the system is restarting

Step 1382 Repeat Steps 1332 1382 for SiteB-JABGSTE01, while siteb-jabgstc01 is
restarting

Configuring the Expressway-E Unified Communications
This section sets the SiteB-ExpE01 Mobile and Remote Access and H.323 SIP Interworking
mode configuration.

Step 1385 Switch to the Firefox tab with SiteB-jabgstE01 web admin in it

Step 1386 Wait for the SiteB-jabgstE01 to restart if not already restarted (about 1 to
3 minutes)

Step 1387 Enter admin, (all lower case)

Step 1388 Enter Cisc0123


Step 1390 Click the Red Alarm alert message

Step 1391 Click Reconfigure Interworking Mode, in the action column

Step 1392 Select Off, for H.323 SIP interworking Mode




Step 1394 Confirm successful save


Step 1396 Select Jabber Guest Services,
Unified Communications Mode



Configuring the Expressway-C for Unified Communications
In this section the student will configure the Expressway-C

Careful this section is only for Expressway-C

Step 1400 Switch to the Firefox Tab with SiteB-JabGstC01 web admin web page

Step 1401 Use the following credentials to login to SiteB-ExpC01 (if Logged out)
b. Password Cisc0123 (CaSe SeNsAtIvE)
c. Click Login



Step 1402 Click the Red Alarm alert message

Step 1403 Click Reconfigure Interworking Mode, in the action column

Step 1404 Select Off, for H.323 SIP interworking Mode




Step 1408 Select Jabber Guest Services, in the
Unified Communications Mode field





Configuring the domains to route to Unified CM
You must configure the domains for which registration, call control;
provisioning, messaging and presence services are to be routed to Unified CM.

SIP registrations and provisioning on Unified CM: endpoint
registration, call control and provisioning for this SIP domain is serviced
by Unified CM. The Expressway acts as a Unified Communications
gateway to provide secure firewall traversal and line-side support for Unified CM
registrations.

IM and Presence services on Unified CM: instant messaging and presence
services for this SIP domain are provided by the Unified CM IM and Presence service.

Step 1411 Click Configuration Domains

Step 1412 Click New

Step 1413 Enter siteb.com, in the Domain Name field

Step 1414 Set On, Jabber Guest

Step 1415 Click Create Domain

Step 1416 Observe that the domain was created



Configuring the Expressway-C for Root CA Certificate

Step 1420 Open a new Firefox Tab

Step 1421 Click Certificate Services, on the Firefox favorites bar

Step 1422 Enter Administrator, in the username field (if login pop-up is presented)

Step 1423 Enter Cisc0123, in the password field (if login pop-up is presented)

Step 1424 Click Login (if login pop-up is presented)




Step 1426 Select Base 64, Encoding Method


Step 1428 Click OK, to save the file to the students computer

Step 1429 Click the Firefox Download Arrow

Step 1430 Click the File Folder, to open in containing folder

In the Certificate Management section in this lab, a CA Root Certificate was already
downloaded to the SiteB-AD server. That original CA Root Certificated that was
previously downloaded can be used for this section of the lab as well.

The reason the CA is being downloaded again is for the possible use case where a
student only wants to only perform the Jabber Guest section of the lab.



Step 1431 Rename the file to SiteB-CARoot3.cer

Step 1432 Close the Windows File Explorer

Step 1433 Switch back to the Firefox tab with SitebB-JabGstC01
with Expressway web page administrator

Step 1434 Click Maintenance Security Certificates Trusted CA Certificates


Step 1436 Click downloads, on the left side navigation pane

Step 1437 Select CARootCert3, from the folder it was downloaded to on the students
computer

Step 1438 Click Open, on the file upload screen


Step 1440 Observe the certificate upload at the top of the page



Add Client Server Template to MS CA Server
In this section the Microsoft Certificate Authority server will be customized to add a new
template. This function is not part of the UC solution but is a necessary action that needs to
be performed to use the MS CA to generation CA signed certificates for Expressway.

Adding a new Client Server Certificate Template to the CA server was
performed in the Collab-Edge Section of this lab. If you are only doing
the Jabber Guest section of the lab ONLY you will need to go back and
perform the Adding Client Server Template to MS CA Server from the
Collab-Edge section of the lab. CLICK HERE to go back and add the
Client Server template to the MS CA server. Search on RRR to return
back to here after you are done.

If you have done the Collab-Edge section of this lab, continue on with the next section.

Configuration of Certificates to prepare for Implementing Traversal Zones

Step 1420 Switch back to the Firefox tab with MS Active Directory Certificate
Server with web administrator

Step 1421 Confirm Base 64 under Encoding Method is
selected

Step 1441 Click Download latest base CRL

Step 1442 Select Save

Step 1443 Click OK





Step 1446 Right click certcrl.crl

Step 1447 Click Rename, on the pop-up menu

Step 1448 Enter CARootCRL2.crl, to rename the file. The CARootCRL.crl from the
Collab-Edge is the same file and can be used, but for the lab we are
creating a 2
nd
file in the instance that a student only wants to perform the
Jabber Guest section of the lab


Step 1450 Switch to the Firefox Tab with SiteB-ExpC01 web admin open in it

Step 1451 Login in to SiteB-JabGstC01 with the following credentials (if needed)
d. Username admin (lower case)
e. Password Cisc0123 (case sensitive)
f. Click Login


Step 1453 Click Browse, in the Manual CRL Update section

Step 1454 Click Downloads, in the left navigation pane

Step 1455 Select CARootCRL2.crl





Step 1458 Confirm successful upload of CRL



a. Key Length (in bits) 2048
b. Country US
c. Sate or province CA
d. Locality (town name) San Jose
e. Organization (company name) Cisco
f. Organizational Unit Cisco
g. Click Generate CSR





Step 1464 Click OK, to open the CSR in a notepad

Step 1465 Click Format Word Wrap, in notepad to see the whole file (might
already be done)

Step 1466 Click CTRL-A, to highlight the whole text in notepad

Step 1467 Click CTRL-C, to copy the text into your computer buffer


Step 1469 Switch to the Firefox tab with MS Certificate Server web admin page open

Step 1470 Click Certificate Service, Firefox favorite to bring the CA server web admin
to the home page





Step 1473 Click inside the Saved Request field

Step 1474 Press CTRL-V, to paste the CRS test into the saved request field

Step 1475 Select ClientServer, from the Certificate Template field (this is the
template crated in the previous section)







Step 1480 Click OK

Step 1481 Click the Firefox Download Arrow, in the upper right corner



Step 1484 Select Rename, from the pop-up windows

Step 1485 Rename the file to SiteB-JabGstC01_CASigned.cer


Step 1487 Switch to the SiteB-JabGstC01, tab in the Firefox browser on SiteB-AD
RDP session

Step 1488 Click Browse, to upload a new certificate, at the bottom of the server
certificate screen

Step 1489 Click Downloads, in the left navigation pane



Step 1490 Find and select the SiteB-JabGstC01_CASigned.pem, from the
downloads directory




Step 1493 Click I Understand The Risk




Step 1497 Click Restart, from the yellow warning message at the top of the Server
Certificate page

Step 1498 Click Restart, again on the Restart Options window




Add CA Signed Certificate on SiteB-JabGstE01

Step 1500 Switch to the Firefox Tab, with SiteB-JabGstE01 web admin open in it

Step 1501 Login with the following credentials (if logged out)
a. Click Home
b. UserName admin
d. Click Login

Step 1502 Click Maintenance Security Certificates Trusted CA Certificate


Step 1504 Click Downloads, in the left side navigation pane (Might already be here)

Step 1505 Select CARootCert3.cer



Step 1508 Observe and confirm that CA Root Certificate has been uploaded



Step 1511 Click Downloads, in the left
side navigation pane

Step 1512 Select CARootCRL2.crl




Step 1515 Observe and confirm the CRL was uploaded successfully



a. Key Length (in bits) 2048
b. Country US
c. Sate or province CA
d. Locality (town name) San Jose
e. Organization (company name) Cisco
f. Organizational Unit Cisco
g. Click Generate CSR





Step 1521 Click OK, to open the CSR in a notepad

Step 1522 Click Format Word Wrap, in notepad to see the whole file (if needed)

Step 1523 Click CTRL-A, to highlight the whole text in notepad

Step 1524 Click CTRL-C, to copy the text into your computer buffer


Step 1526 Switch to the Firefox Tab with MS CA Server web admin open

Step 1527 Click Certificate Services, on the Firefox favorite bar





Step 1530 Select and make active the Saved Request field

Step 1531 Select ClientServer, from the Certificate Template field







Step 1536 Click OK

Step 1537 Click the Firefox Download Arrow, in the upper right corner



Step 1540 Select Rename, from the pop-up windows

Step 1541 Rename the file to SiteB-JabGstE01_CASigned.pem

Step 1542 Click Yes, to confirm name extension change


Step 1544 Switch to the SiteB-JabGstE01, tab in the Firefox browser on SiteB-AD
RDP session


Step 1545 Click Browse, to upload a new certificate, at the bottom of the server
certificate screen

Step 1546 Find and select the SiteB-ExpE01Cert.pem, from the downloads directory




Step 1549 Click I Understand the Risks




Step 1553 Click Restart, from the yellow warning message at the top of the Server
Certificate page

Step 1554 Click Restart, again on the Restart Options window




Configuring Traversal Zones

Configuring traversal server zones
An Expressway-E can act as a traversal server, providing firewall traversal on
behalf of traversal clients (an Expressway-C).

To act as a traversal server, the Expressway-E must have a special type of two-
way relationship with each traversal client. To create this connection, you create
a traversal server zone on your local Expressway-E and configure it with the
details of the corresponding zone on the traversal client. (The client must also be
configured with details of the Expressway-E.)

After you have neighbored with the traversal client you can:
provide firewall traversal services to the traversal client
query the traversal client about its endpoints
apply transforms to any queries before they are sent to the traversal client
control the bandwidth used for calls between your local Expressway and the traversal
client

Note: traversal client-server zone relationships must be two-way. For firewall traversal to
work, the traversal server and the traversal client must each be configured with the others
details. The client and server will then be able to communicate over the firewall and query
each other.

CLICK HERE to find the Expressway documentation on Cisco.com

Step 1556 Switch to SiteB-JabGstE01 web admin Firefox tab (if not all ready there)
on the SiteB-AD RDP session

Step 1557 Wait for SiteB-JabGstE01, to finish restarting

Step 1558 Login as
c. Click Login


Step 1560 Click New

b. Type Unified Communications Traversal



Step 1562 Click Add/Edit Local Authentication Database

Step 1563 Click New

Step 1564 Enter TraversalAdmin, in the Name field



Step 1567 Close the Local Authentication Database, pop-up window

Step 1568 Fill in the following information (change only what is listed below leave all
other fields at default)
a. UserName TraversalAdmin
b. TLS Verify Subject Name SiteB-jabgstC01.siteb.com
c. Media Encryption Mode Forced Encrypted
d. Authentication Policy Treat As Authenticated
e. Click Create Zone



Step 1569 Switch to SiteB-JabGstC01, tab in Firefox on SiteB-AD RDP Session

Step 1570 Login as (if needed)
c. Click Login


Step 1572 Click New

Step 1580 Enter the following information (change only what is listed below leave all
other fields at default)
b. Type Unified Communications Traversal
c. UserName TraversalAdmin
d. Password Cisc0123
e. Port 7001
f. Authentication Policy Treat As Authenticated
g. Peer 1 Address siteb-jabgste01.siteb.com
h. Click Create Zone



Step 1582 Observe that SiteB-JabGstC01 show active traversal zone
a. Click Configuration Zones Zones
b. Click TraversalZoneSiteB
c. Scroll to the bottom and observe that status is Active

Step 1583 Observe that SiteB-JabGstE01 show active traversal zone
a. Switch to SiteB-JabGstE01, Firefox tab admin web page
b. Click Configuration Zones Zones
c. Click TraversalZoneSiteB
d. Scroll to the bottom and observe that SIP Reachable & status is
Active



Configuration of Turns on JabGstE01
In this section Turns will be configured on the Expressways.

Step 1584 Switch to SiteB-JabGstE01, tab in Firefox on SiteB-AD RDP Session (if not
already there

a. UserName admin (lower case)
c. Click Login

Step 1586 Click configuration Traversal Turns

Step 1587 Click Configure TURN client credentials on local database, hyperlink

Step 1588 Click New

Step 1589 Enter TurnAdmin, in the Name field



Step 1592 Close the Local Authentication Database, pop-up window



Step 1593 Select ON, for Turn Services

Step 1594 Enter TurnAdmin, in the Authentication realm field


Configure Cisco Jabber Guest Server List - JabGstC01
In this section the Jabber guest server will be added to the Expressway C configuration.

Step 1596 Switch to SiteB-JabGstC01, tab in Firefox on SiteB-AD RDP Session (if not
already there

a. Click Home, if on the logout screen
b. UserName admin (lower case)
d. Click Login

Step 1598 Click configuration Unified Communications Configuration



Step 1599 Click Configure Jabber guest Servers, from the advanced section

Step 1600 Click New

When more than one server is added, the priority can be used to control how HTTP
traffic is load balanced between the Cisco Jabber Guest servers in a cluster. Lower
numbers have higher priority. Two servers can have the same priority.

Step 1601 Enter the following in the Jabber Guest Server window
a. Domain siteb.com
b. Server Hostname siteb-jabgstsrv01.siteb.com (must be FQDN
even though it says Hostname)
c. Priority 1
d. Click Create Entry



Configure Neighbor Zone to Jabber Guest Server on the JabGstC01
In this section a neighbor zone (sip trunk) will be created to access the Jabber Guest server
from the Expressway C server.

Step 1602 Click Configuration Zones Zones on SiteB-JabGstC01

Step 1603 Click New

Step 1604 Enter the following Information (leave unmentioned fields as default)
a. Name siteb-jabgstsrv01
b. Type Neighbor
c. H.323 Mode Off
d. ICE Support On
e. Authentication Policy Treat as authenticated
f. Location Peer 1 Address siteb-jabgstsrv01.siteb.com
g. Click Create Zone

Configure Neighbor Zone to CUCM on the JabGstC01
In this section a neighbor zone (sip trunk) will be created to access the CUCM server from
the Expressway C server.


Step 1606 Click New



a. Name siteb-cucm911
b. Type Neighbor
c. H.323 Mode Off
d. Port 5060
e. SIP Transport TCP
f. Authentication Policy Treat as authenticated
g. Location Peer 1 Address siteb-cucm911.siteb.com
h. Location Peer 2 Address siteb-cucm02.siteb.com
i. Advance Zone Profile Custom
j. Call signaling Routed Mode Always
k. Click Create Zone

Configure Search rules on the JabGstC01
In this section a search rule (kind of like a dial peer) will be created to match on so the call
can be routed.

The Search rules page (Configuration > Dial plan > Search rules) is used to
configure how the Expressway routes incoming search requests to the appropriate
target zones (including the Local Zone) or policy services.

Step 1608 Click configuration Dial Plan Search Rules

Step 1609 Click New



a. Rule Name Call Manager Route
b. Description Call Search Pattern to CUCM 911
c. Mode Alias Pattern Match
d. Pattern Type Regex (regular expression)
e. Pattern String (.*)@siteb.com(.*) - (copy paste this)
f. Replace String \1@siteb.com\2 - (copy paste this)
g. On successful Match Stop
h. Target Siteb-cucm911
i. State Enabled
j. Click Create Search Rule

Configure B2BUA Turn Servers on the JabGstC01
In this section the B2BUA turns server will be configured.

Step 1611 Click Applications B2BUA B2BUA Turn Servers

Step 1612 Click New



a. Turn server Address 10.1.3.42
b. Turn Server Port 3478 (default)
c. Description SiteB-JabGstE01
d. Turn Services Username TurnAdmin
e. Turn Services Password Cisc0123
f. Click Add Address

Configure SIP Trunk on CUCM to SiteB-JabGstC01 (Expressway C)
In this section a SIP trunk will be created on the CUCM pointing to the Expressway C server.


Step 1615 Open Firefox, or open new Tab in Firefox if already open

Step 1616 Click SiteB-UC, Firefox favorite

Step 1617 Click SiteB-CUCM911


c. Click Login

Step 1620 Click Device Trunk



Step 1622 Select SIP Trunk, from the Trunk Type field

Step 1623 Click Next

Step 1624 Enter the following information (any fields not mentioned are left at default)
a. Device Name SiteB-JabGstC01
b. Description SIP trunk to EXP C01 Jabber Guest
c. Device Pool Default
d. Call Classification OnNet
e. Click and Check SRTP Allowed
f. Click and Check Run On All Active Unified CM Nodes
g. Inbound Calls Calling Search Space Unlimited-CSS
h. Click and Check Redirecting Diversion Header Delivery
Inbound
i. Destination Address 10.1.2.42
j. Destination Port 5060
k. SIP Trunk Security Profile Non secure SIP Trunk Profile
l. SIP Profile Standard SIP profile for Cisco VCS
m. DTMF Signaling Method RFC 2833
n. Normalization Script vcs-interop
o. Click Save
p. Click OK, on the reset warning
q. Click Reset
r. Click Reset, again on pop-up window
s. Click Close, to close the reset pop-up window



Configure Jabber Guest Server
In this section the Jabber Guest server will be configured.


Step 1626 Open Firefox, or a new tab in Firefox if already open

Step 1627 Navigate to https://10.1.2.43/admin
Or click Jabber Guest SiteB-JabGstSrv01, from the Firefox favorite bar

Step 1628 Click I Understand The Risk, for the Firefox invalid certificate (if
presented)





Step 1631 Enter the following credentials to login to the Jabber Guest Server
a. Alias admin
b. Password jabbercserver
c. Click Sign In

Step 1632 Enter Cisc0123, new password

Step 1633 Enter Cisc0123, confirm New Password

Step 1634 Click Sign In



Configure Jabber Guest Server Settings - Links

Step 1635 Click Settings Links

Step 1636 Domain Used For Links siteb-jabgste01.siteb.com

Step 1637 Click and Check Allow Adhoc Links

Step 1638 Click Update

Configure Jabber Guest Server Settings Secure SIP Trust Cert

Step 1639 Click Secure SIP Trust Certificate, from the left side navigation menu

Step 1640 Click Choose File

Step 1641 Click Downloads, from the file upload pop-up window left side navigation
menu

Step 1642 Select CARootCert3.cer, from the list of files. This is the CA Root
Certificate that was downloaded earlier in this section of the lab


Step 1644 Click Upload, to upload the CA Root Cert to the Jabber Guest Server


Step 1645 Observe the Tomcat restart message, and the CA Root Cert presented at
the lower section of the page



Configure Jabber Guest Server Restart TomCat Service

Step 1646 Click the PuTTy icon on the task bar on the bottom of the SiteB-AD desktop

Step 1647 Double Click SiteB-JabGstSrv01, form the list of sessions

Step 1648 Click Yes, on any PuTTy Security Warnings

Step 1649 Enter the following credentials to login to the console of Jabber Guest
Server
a. Enter root for the login as name (lower case)
b. Enter jabbercserver for the Password (lower case)
c. Enter jabbercserver for the current password
d. Enter C1sc0123, for new password
e. Enter C1sc0123, for the repeat new password

Step 1650 Enter service tomcat-as-standalone.sh restart

Step 1651 Wait for the tomcat service to restart


Step 1653 Click OK, to confirm the exit of PuTTy



Configure Jabber Guest Server Local SSL Certificate

Step 1654 Click Local SSL Certificate, from the left side navigation menu

Step 1655 Click Create a new certificate signing request

Step 1656 Click Download a certificate signing request

Step 1657 Select Open with





Step 1660 Click OK

Step 1661 Click OK, to open in notepad

Step 1662 Click CTRL-A, to highlight the whole certificate in notepad

Step 1663 Click CTRL-C, to put the content into the paste buffer


Step 1665 Switch Tabs, in Firefox to the MS Certificate Services tab, or open a new
tab

Step 1666 Click the Certificate Services on the favorite bar in Firefox



Step 1667 Click Request a certificate


Step 1669 Click and make focus Saved Request Field

Step 1670 Press CTRL-V, to paste the saved certificate into the field

Step 1671 Select ClientServer, in the certificate Template







Step 1676 Click OK



Step 1679 Rename to SiteB-JabGstSrv01_CASigned


Step 1681 Switch back to Firefox

Step 1682 Switch to the Tab with Cisco Jabber Guest Admin in it



Step 1683 Click Choose File

Step 1684 Click Downloads, on the left side of the File Upload pop-up window

Step 1685 Select SiteB-JabGstSrv01_CASigned, file from the File Upload pop-up
window


Step 1687 Click Install a certificate authority signed certificate



Step 1688 Observe the message that the server has a certificate authority signed
certificate

Configure Jabber Guest Server Call Control and Media

Step 1689 Click Call Control and Media

Step 1690 Enter the following in the SIP section
a. Route Calls Using Cisco Expressway Selected
b. Enable SIP over TLS Checked
c. Enable SRTP Checked
d. SIP Port 5061
e. SIP Domain Siteb.com
f. SIP Server siteb-jabgstC01.siteb.com
g. Send SIP Traffic To Expressway-C server that proxied the
HTTP request from Jabber Guest client



Step 1691 Scroll down and Enter the following in the Cisco Expressway C and E
Sections
a. Expressway-C (IP Address or DNS Name) siteb-
jabgstC01.siteb.com
b. Select Expressway-C server specified above
c. HTTP Port 443
d. Domain siteb.com
e. Username admin
f. Password Cisc0123
g. Expressway-E Turn Server (IP Address or DNS Name) siteb-
jabgstE01.siteb.com
h. Turn Port 3478
i. Click Update

Step 1692 Observe a successful update at the top of the screen

Step 1693 Click Call control and Media (Local), from the left side navigation pane

Step 1694 Enter SiteB-JabGstSrv01.siteb.com




Configure Jabber Guest Server Making a Call
In this section the student will make a call from a workstation via the Jabber Guest server

Step 1696 Switch to SiteB-WS02 (172.19.X.202) RDP Session

Step 1697 Open Firefox

Step 1698 Navigate to the following in Firefox
https://siteb-jabgste01.siteb.com:9443/call/aace@siteb.com
Or
Click Jabber Guest Call JG Call AAce on the Firefox favorite bar

Step 1699 Click Install, to install the Jabber Guest Plug-In


Step 1701 Click The Green Download Arrow, in the upper right corner of Firefox


Step 1702 Double click the jabberGuest-Browswer_Plug.., in the download
windows

Step 1703 Click Run (Wait for it)

Step 1704 Click Always Allow, on the plug-in pop-up windows

Step 1705 Click Call (the green call button)




Step 1707 Click Answer, on the incoming call pop-up in the lower left corner of the
SiteB-WS01s desktop

Step 1708 Observe there is now a call between the Jabber Guest and Jabber Windows
on Aaces desktop

Step 1709 Click the Red Handset to disconnect the call



Call History on SiteB-JabGstC01

On Expressway-C go to - Status Search History

The call history gives you a long of the call flow, it is good to get familiar with a few good
calls to learn how to read the output.

Step 1710 Experiment with more Jabber Guest calls and move on to the next section



Configure Jabber Guest Server Non ADHock Call
In this section the ADHock calls will be turned off and specific links will be created so only
certain numbers can be called via Jabber Guest.

Call links
A Cisco Jabber Guest call link allows anyone to click-to-call an endpoint in the enterprise
without creating an account, setting a password or otherwise authenticating.
The Cisco Jabber Guest web client launches when a link is clicked. This process greatly
simplifies how a user places a call; they simply click on the provided link. This allows the
user to easily place a video call to the destination associated with the link.

The Cisco Jabber Guest server checks to see if the link exists in the database when a call is
placed using it. The following operational parameters for the call are taken from the
database if the link exists:
destination endpoint
caller ID
called ID
time

The server checks the Ad Hoc link setting if the link is not listed in the database. If Ad hoc
links are enabled, the server sends the call to VCS or Cisco UCM using the string to the right
of /call/ as the route string. If the setting is disabled, the call is not routed unless the link
exists in the database. Ad hoc links are enabled from Cisco Jabber Guest Administration.
Calls can be made to any Cisco Unified Communications Manager endpoint by dialing the
directory number (DN). Calls can also be placed using a URI if URI dialing has been enabled.
Call links are constructed in the following format:
https://example-jabberc/call/DN or UserID@example.com
The following table provides some examples of how links are constructed.

Call links are classified as either in database or as ad hoc. When a Cisco Jabber Guest client
tries to place a call to a link, the Cisco Jabber Guest server first checks to see if the link
exists in the database. If so, the operational parameters (destination endpoint, caller ID,
called ID, and time the link is valid) are taken from the database. If the link is not listed in
the database, the server next checks the Ad Hoc link setting. If that is enabled, the server
sends the call to Cisco TelePresence Video Communication Server or Cisco Unified
Communications Manager using the string to the right of /call/ as the route string. If the
setting is disabled, the call will not route unless the link exists in the database. Ad hoc links
must be enabled before calls can be placed with them.


Step 1712 Open Firefox, and click Jabber Guest SiteB-JabGstSrv01 Or switch to
the tab in Firefox that has Jabber Guest Admin already open

Step 1713 Enter the following credentials to login in to Jabber Guest Admin (if needed)
Alias admin (lower case)
Password Cisc0123 (case sensitive)
Click Login In



Step 1714 Click Links, from the top menu

Step 1715 Click New

Step 1716 Enter the following Link information
Select Custom String from the Request Path Drop-down menu
Request Path TechSupport
Destination aace@siteb.com
Display Name Site B Tech Support
Caller Name Support Customer
Click Create



Step 1717 Observe a successful create and the link address

Ad hoc links are disabled by default and are enabled from Cisco Jabber Guest
Administration.
A call link is either an entry in the Cisco Jabber Guest Server database, or an ad
hoc link that is not in the database.

With AD Hoc turned on or enabled, any number on the system can be dialed.
Creating links only allows users to dial numbers on the system you wish them to
dail.

Step 1718 Click Settings Links



Step 1719 Click and Unselect Allow Adhoc Links


Step 1722 Navigate to
https://siteb-jabgste01.siteb.com:9443/call/aace@siteb.com

Step 1723 Observe that the previous call that was successful can no longer be
completed because Ad-Hoc calls are no longer allowed on the system

Step 1724 Navigate to
https://siteb-jabgste01.siteb.com:9443/call/TechSupport in Firefox



Step 1725 Observe the ready to call = Site B Tech Support

Step 1726 Click Call


Step 1728 Observe the caller ID on the incoming call pop-up in the lower left of SiteB-
WS01 desktop

Step 1729 Click Answer Call

Step 1730 Observe the call is connected




Step 1732 Observe connected Call

Step 1733 Click End Call

Step 1734 Continue to explore Jabber Guest, and revisit any other sections of this lab
guide that you wish to explore

This Concludes the official lab Guide steps, please feel free to
continue to explore the lab


Section 4: Appendix



Appendix A: ExpressWay Options Keys for JSTII Lab
The option keys in this lab only apply to the server deployed in this lab due to the
automatically generated serial number on each Expressway at the time of deployment.

Collab Edge Lab Option Keys
SiteB-ExpC01 Serial Number - 049491D5
Valid Software contract - Release Key: 4360497995181665
H323 SIP Interworking Gateway Key: 116341G00-1-87EACCFB
Expressway Series Key: 116341E00-1-096C2A6F

SiteB-ExpC02 Serial Number 06126E24
Valid Software contract Release Key: 1194266643158189
H323 SIP Interworking Gateway Key: 116341G00-1-C3DE9277
Expressway Series Key: 116341E00-1-B57F3034

SiteB-ExpE01 Serial Number 03118224
H323 SIP Interworking Gateway Key: 116341G00-1-A7FB3D03
Expressway Series Key: 116341E00-1-745E2397
Traversal service for E VSC (T) Boarder Controller Key: 116341T00-1-F768D3DC
Turn Relay 1800 Turns Key: 116341I1800-1-8F82AD62

SiteB-ExpE02 Serial Number - 023393F5
H323 SIP Interworking Gateway Key: 116341G00-1-CF24D548
Expressway Series Key: 116341E00-1-1D400744
Traversal service for E VSC (T) Boarder Controller Key: 116341T00-1-AF35A121
Turn Relay 1800 Turns Key: 116341I1800-1-A7C4DC9D

Options keys for JSTII Jabber Guest on 8.2.0

SiteB-JabGstC01 - Serial Number - 0280C83C
Valid Software contract - Release Key:4871176275042305
Expressway Series Key:116341E00-1-8AD9AE82
Rich Media Sessions - VCS:(W) +100 Traversal Calls:116341W100-1-6D415BF0

SiteB-JabGstE01 - Serial Number - 0912E2FD
Valid Software contract - Release Key:4288141040879898 -
Expressway Series Key:116341E00-1-A14E7789
Turn Relay 1800 Turns Key:116341I1800-1-EC92C886
Traversal service for E VSC (T) Boarder Controller Key:116341T00-1-DE3F1423
Rich Media Sessions - VCS:(W) +100 Traversal Calls:116341W100-1-5B0DD1B0



Appendix B: CUCM Server Name change to FQDN

Changing the CUCM Server Name
Open a browser on your desktop and navigate to 172.19.X.110, where X = your pod
number (for example 172.19.22.110 = pod 22)

Step 1 Browse to SiteB-CUCM911 (172.19.X.110
X=pod#) from the students desktop
Step 2 Click Continue to Website
Step 3 Click Yes or accept to any security warnings, if any
Step 4 Log in using the following credentials:
Username Administrator
Password Cisc0123

Step 5 Click System Server

Step 6 Click Find

Step 7 Observe that the CUCM and IMP servers are only entered into the database as
hostnames, this is the default install configuration

All UC Servers in this lab are upgraded from 9.1.1 to version 10.0.1. Due to time
constraints the server hostnames and DNS entries have been left as 9.11

Step 8 Select SiteB-CUCM911 (2
nd
pass
SiteB-CUCM02, 3
rd
pass SiteB-
IMP911, 4
th
pass SiteB-IMP02)

Step 9 Enter SiteB-CUCM911.siteb.com, in the hostname/IP address field

Step 10 Click Save

Step 11 Click OK, on the certificate regeneration warning



Step 12 Click Go, on related links to go back to Find/List

Step 13 Click SiteB-IMP911

Step 14 Enter SiteB-IMP911.siteB.com, in the hostname/IP address field

Step 15 Click Save

Step 16 Click OK, on the certificate regeneration warning

Step 17 Click Go, on related links to go back to Find/List

Step 18 Repeat steps 32 41 for SiteB-CUCM02, SiteB-IMP911 & SiteB-IMP02

Step 19 Observe that four servers are listed as FQDN format



End Of Lab
This concludes the lab. On behalf of the Americas Partners Organization Solutions
Readiness Engineers we thank you for taking the time to complete this lab. We hope that
this lab surpassed your goals and expectation and was a very useful and positive learning
experience for increasing your knowledge of Ciscos Collaboration products.

Please dont forget to complete your survey for todays session.

The Solutions Readiness Engineers have a YouTube channel that has
step-by-step videos for each of our lab offerings. You can find our
YouTube Channel here: http://youtube.com/CiscoFieldTrainers

Thank you for taking our lab and as always thank you for using Cisco
products.

The Ultimate Cisco Jabber Specialist 2 Lab Guide - NoVideo

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

The Ultimate Cisco Jabber Specialist 2 Lab Guide - NoVideo

Uploaded by

Copyright:

Available Formats

The Ultimate Cisco Jabber Specialist 2 Lab

You might also like