deploying cisco jabber on premise aleksander kocelj · trusted root cert distributed to client, can...
TRANSCRIPT
www.ciscoday.com
31. 3. 2016.
Hotel Crowne Plaza
Beograd, Srbija
Cisco dan
• Aleksander Kocelj
System engineer
• 31.3.2016
Cisco Jabber design overview
Instant Messaging
Persistent Chat Rooms
Application Integration
Video Conferencing
Remote Access
Secure Communication
Voice & Video
File Transfer
Desktop Sharing
Voice Messaging
Schedule Integration
Desk phone Control
Contact Search Presence
Single Sign-On WebEx
Meetings
Cisco
Jabber For Windows, iOS, Mac and Android platforms
Agenda
• Preparing the Server Infrastructure
• Service Discovery
• Certificates
• Contact Sources
• Group working
• Application Integration
• Summary
• Jabber deployment should focus on delivering the correct user experience
• Jabber deployment success should not be measured by technical completeness but by end-user adoption
• User adoption will be poor on a badly deployed system
• We’re going to focus on deployment practices to MAXIMIZE USER ADOPTION
The REAL agenda
Your GOAL is User Experience & Adoption
Introducing the Cisco Jabber Deployment Report Card
Preparing backend Infrastructure
Jabber Architecture
Unified CM
Expressway-E Expressway-C
IM & Presence Server
LDAP AD
Conductor TelePresence Server
Unity Connection
Exchange Server
WebEx Meetings
Jabber Clients (Corporate Network)
DNS CertAuth
Internet
Home Office
Coffee Shop
Cisco Web Conferencing
B2B Federated Organizations
Telepresence
Core Infrastructure Services
Cisco Collaboration Endpoint Mobile and Remote Access
Internet Services
Federation
Preparing backend Infrastructure
Jabber Core Services (UC manager 9.x+)
UC Manager IM&P AD/LDAP
• Authentication
• Configuration
• Call Control
• IM/Chat
• Presence
• Contact Lookup (Contact source)
Preparing backend Infrastructure
Jabber Core Services – LDAP Sync
• Recommended approach for creating users is to sync with UC Manager.
UC Manager IM&P AD/LDAP
LDAP SYNC
LDAP AUTHENTICATION
UC Manager
DB SYNC
• Jabber also provides options to use Single Sign-On using a SAML 2.0 IDP (Example: MS ADFS 2.0, Ping Identity)
Preparing backend Infrastructure
Jabber Core Services – LDAP Sync
• Recommended approach for creating users is to sync with UC Manager.
UC Manager IM&P AD/LDAP
[email protected] Jabber ID or “JID”
“Jabber” Domain Cluster UserID
LDAP SYNC DB SYNC
Preparing backend Infrastructure
Jabber User Configuration
SIP URI
End User Group
CTI Group
IM&P UC Service
CTI UC Service
Voicemail UC Service
Conference UC Service
Directory UC Service XML File
IM&P enabled
Directory Number
Devices
User
Service Profile
Group Membership
User association to line
User association
to devices
Device association to line
Line association to SIP URI
URI association to User assigned
membership of group
membership of group
Mobile
Softphone
Desk Phone
Home Cluster
Service discovery
Users should never be prompted to enter information they don’t
understand
Jabber “Service Discovery” is designed to require a user to
just identify themselves…
Service discovery will detect
infrastructure and configuration
What is Service Discovery
• Service Discovery allows Jabber clients to……
Jabber Operating Mode (Cloud/On Premise or IM/Voice/Full UC)
Identify Operating Domain(s) (Presence/DNS)
Network Location (Inside/Outside)
Service Registration (UC service)
Deploying Jabber Service Discovery
Name and Domain…..
• Jabber will try to establish the operating domain for the presence environment. It can do this in several ways:
– Prompt the user asking for their userID (email address)
– Obtain the UPN from active directory (on Windows domain only)
– Installer pre-population, Admin can pre-populate installer or provide installer parameters (Windows only)
– Population using URL configuration (Mac,iOS & Android)
– Application Wrapper (iOS & Android)
[email protected] Jabber ID or “JID”
Deploying Jabber Service Discovery
Jabber Operating Mode
• Jabber can operate in a number of different configurations
Jabber can also operate in IM/Voice/Video or Full UC modes but this is defined later in configuration process.
WebEx Messenger
& Hybrid Mode
On Premise (CUP) UCM / IM&P 8.x
On Premise (UDS) UCM / IM&P 9.x
(Recommended for On Premise)
Deploying Jabber Service Discovery
Lookup the Domain
• Jabber needs to establish the operating mode for presence domain
WebEx Messenger
& Hybrid Mode
On Premise (CUP) UCM / IM&P 8.x
On Premise (UDS) UCM / IM&P 9.x
Jabber will by default query all service types
• For WebEx it will issue an HTTP request (CAS) http://loginp.webexconnect.com/cas/FederatedSSO?org=example.com
• For UDS mode it will issue a DNS SRV request DNS SRV : _cisco-uds._tcp.example.com
• For CUP mode it will issue a DNS SRV request DNS SRV: _cuplogin._tcp.<domain_name>
Jabber will also query to locate an ExpressWay Remote access service
• Remote Access (MRA) DNS SRV request DNS SRV: _collab-edge._tcp.<domain_name>
Mobile Remote Access
Deploying Jabber Service Discovery
The results are in…..!
• Jabber will stack rank the results it
gets and select the top response for
login.
• Jabber will now CACHE the
operating mode until a login change.
• The login screen will indicate which
service you are connected to
1. WebEx Messenger
2. Mobile Remote Access
3. UDS On Premise
4. CUP On Premise
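The lookup and ranking steps described above, as an added example (not Cisco's code and not part of the original slides). The function names, the sample SRV answers and the simplified priority/weight ordering are assumptions made for illustration; an administrator can use the same logic to check which service a client would pick for a given set of DNS records.

```python
from urllib.parse import quote

# Stack rank from the slide: the first service that answers wins.
RANK = ["webex", "_collab-edge", "_cisco-uds", "_cuplogin"]
MODE = {"webex": "WebEx Messenger", "_collab-edge": "Mobile Remote Access",
        "_cisco-uds": "UDS On Premise", "_cuplogin": "CUP On Premise"}

def discovery_queries(user_id):
    """Return the lookups issued for the domain part of user@domain."""
    local, sep, domain = user_id.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("expected user@domain")
    domain = domain.lower().rstrip(".")
    queries = {"webex": "http://loginp.webexconnect.com/cas/FederatedSSO?org="
                        + quote(domain, safe="")}
    for svc in RANK[1:]:
        queries[svc] = f"{svc}._tcp.{domain}"
    return queries

def select_service(answers):
    """answers maps a service key to a list of SRV tuples
    (priority, weight, port, target), or to True/False for the WebEx CAS
    check. Returns (operating mode, ordered targets)."""
    for svc in RANK:
        result = answers.get(svc)
        if not result:
            continue
        if svc == "webex":
            return MODE[svc], []
        # Lowest priority value first; within a priority, higher weight first
        # (a simplification of RFC 2782's weighted random selection).
        ordered = sorted(result, key=lambda r: (r[0], -r[1]))
        return MODE[svc], [f"{t.rstrip('.')}:{p}" for _, _, p, t in ordered]
    return None, []

# Constructed sample answers for corp.example.com (not real records).
SAMPLE = {
    "webex": False,
    "_cisco-uds": [(20, 10, 8443, "cucm2.corp.example.com."),
                   (10, 10, 8443, "cucm1.corp.example.com.")],
    "_cuplogin": [(10, 10, 8443, "imp1.corp.example.com.")],
}

if __name__ == "__main__":
    print(discovery_queries("cpaige@corp.example.com"))
    print(select_service(SAMPLE))
```

Because the result is cached until a login change, a record that answers higher in the rank than intended decides where every client in that domain logs in.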
Deploying Jabber Service Discovery
Service Discovery Flow – On-Premises Deployment
[Diagram. Components shown: user cpaige@corp.example.com, Internal DNS, Messenger, Central UCM (UDS), Home UCM Cluster, UCM IM/P, Unity Connection, WebEx Meetings Server, UCM Call Control]
Labels on the numbered flow arrows:
• DNS SRV lookup
• HTTP Request to CAS URL for corp.example.com
• corp.example.com is not WebEx domain
• _cisco-uds
• Central UCM UDS address
• Look for home UCM cluster
• Home UCM cluster address
• Service Profile & jabber-config from TFTP
• 7 User log in
• 8 Connect/Register
Deploying Jabber Service Discovery
The LAST resort
• This really is your last resort (you just lost all
the marks for Service Discovery on report
card)
• Should ONLY be used for testing and Lab
deployments
• Consider Install customization BEFORE
using advanced settings for end users
• Use only for Lab testing
Certificates
Jabber uses certificates to validate connections to infrastructure services
With an incorrectly configured environment Jabber will prompt
users to accept certificates
+10%
Certificate Management – Self Signed Option
When Jabber is presented with a
new certificate it will prompt the
user to accept each certificate
(based on admin policy)
If the user is allowed to accept
the certificate it will be added to
the users device cert store
(based on OS).
On Windows, self signed certs
will be added to the Enterprise
Trust Store
UC Manager IM&P UCxn CWMS
Certificate Management – Private/Public
CA Option
• RECOMMENDED CONFIG
• With CA-issued certificates in place, users are not prompted to accept certificates
UC Manager IM&P UCxn CWMS Private or Public Cert Authority
Trusted Root Cert distributed to Client, can be via policy
Trusted CA issued certificates installed on each server in cluster
UC Manager
Tomcat Cert
IM & P
Tomcat and XMPP Cert
Unity Connection
Tomcat Cert
WebEx Meeting Server
Tomcat Cert
CAPF functionality uses CTL files so not affected by this change
iPhone
Contact sources
Contact Sources provide jabber with the ability to resolve contact
details.
Incorrect implementation of contact sources can affect the ability to
initiate communications, i.e. voice/video
Contact Sources
• Good contact data is required for a successful Jabber deployment.
• Poor or incorrectly configured contact sources will impact User
experience
• Example of incorrect configuration:
– Contact displaying in email style, [email protected]
– Unable to search for contacts
– Incoming calls not resolved to contact
– Unable to start voice/video calls
– UC manager unable to dial numbers
Understanding Jabber Contact Sources
Contact Source Types
LDAP based contact Source (EDI or BDI mode) Must be used for on premise deployments
HTTP/REST based contact Source CUCM contact source
MS Outlook Contacts Search local contacts from Jabber
Custom Contacts (Jabber Win 9.7 +) Non directory based contacts stored on IM&P server
Understanding Jabber Contact Sources
Contact Lookup by Jabber ID – Account Name
(&(objectCategory=person)(objectClass=user)(sAMAccountName=cholland))
Understanding Jabber Contact Sources
Contact Lookup using Predictive Search
(&(objectCategory=person)(objectClass=user)(ANR=smith*))
ANR Example
Understanding Jabber Contact Sources
Contact Lookup by Telephone Number
(&(objectCategory=person)(objectClass=user)(telephoneNumber=+1 (408) 555 6666))
(&(objectCategory=person)(objectClass=user)(|(|(|(mobile=+14085555555))(homePhone= 14085555555))(otherTelephone= 14085555555)))
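The three lookup filters shown on these slides, built from untrusted input with RFC 4515 escaping, as an added example (not Cisco's code and not part of the original slides). A number such as the slide's +1 (408) 555 6666 contains parentheses, which RFC 4515 requires to be escaped inside a filter value; the function names are assumptions made for illustration.

```python
# RFC 4515 section 3: these characters must be written as \XX inside an
# assertion value, otherwise they alter the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Common prefix used by every filter on the slides.
PERSON = "(objectCategory=person)(objectClass=user)"

# Attributes searched in the slides' telephone-number lookups.
NUMBER_ATTRS = ("telephoneNumber", "mobile", "homePhone", "otherTelephone")

def escape_value(value):
    """Escape one assertion value so it cannot add clauses or wildcards."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def by_account(name):
    """Contact lookup by Jabber ID / account name."""
    return f"(&{PERSON}(sAMAccountName={escape_value(name)}))"

def by_predictive(prefix):
    """Predictive (ANR) search. The trailing * is the filter's own wildcard;
    a * typed by the user is escaped and matched literally."""
    return f"(&{PERSON}(ANR={escape_value(prefix)}*))"

def by_number(number, attrs=NUMBER_ATTRS):
    """Contact lookup by telephone number across several attributes."""
    value = escape_value(number)
    alternatives = "".join(f"({attr}={value})" for attr in attrs)
    return f"(&{PERSON}(|{alternatives}))"

if __name__ == "__main__":
    # Values taken from the slides.
    print(by_account("cholland"))
    print(by_predictive("smith"))
    print(by_number("+1 (408) 555 6666"))
```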
Understanding Jabber Contact Sources
LDAP Contact Sources
• Jabber supports LDAPv3 servers
• Attributes default to the Microsoft AD schema
• Configuration is highly customizable
• Jabber expects attributes to be indexed correctly and will use optimized ANR queries by default
• Jabber has two LDAP configuration models
– Basic Directory Integration (BDI), Mac, Android & iOS
– Enhanced Directory Integration (EDI), Windows
• Windows EDI mode uses Microsoft ADSI, which provides directory auto-discovery and Windows integrated authentication
Group working
Jabber provides a number of features enabling group collaboration
Implementing group chat, file transfer and conferencing extends the user
experience
Jabber Group Working
What are Persistent Chat Rooms
• A Jabber Chat room is an XMPP persistent text chat function provided by the Cisco Unified IM & Presence server
• Rooms have a discussion subject i.e. “Currency trading”
• Members gather and have text conversations inside the room
• Rooms can be public or restricted (closed).
• Rooms may require a password for access.
• Rooms can be created by Admins or Users (based on policy)
• Persistent Chat rooms are supported by Windows and Mac (Mac 11.0)
"eventplanning358951823618236@conference-2-standalonecluster764bb.tme-example.com"
Jabber Group Working
Jabber Hub View – Chat Room Tab
• Chat rooms can be enabled for clients
running in On Premise mode.
• The required backend infrastructure must
be in place (Database servers)
• The administrator enables the chat room
feature in the Jabber clients via the XML
configuration file
• The Chat rooms Icon will appear on
Jabber hub view.
• A Badge indicates Chat Room activity
Chat Icon with badge
All Rooms: Catalogue of all rooms defined in deployment
My Rooms: Rooms that I am a member of.
Filters: User defined filtered chat/room views.
Jabber Group Working
Jabber Hub View – Chat Room Tabs
Jabber Group Working
Chat Room Features
Jabber Group Working
What do I need to enable Chat Rooms
• IM&P Server 10.0+ (10.5.2+ recommended)
• PostgreSQL or Oracle Database
• Linux Host with SSH v2 (for file transfer)
• Jabber for Windows 9.7+ (10.5+ recommended)
• End Users that Persistently Chat….
Jabber Group Working
Infrastructure
Unified Communications Manager
Cisco IM & Presence
Database Server
External File Server (optional)
SSH
Jabber for Windows Client
ODBC
Jabber for Windows Client
Jabber for Windows Client
Jabber 11.0 provides new Group Chat Escalation Features
Jabber Group Working
Conference Experience Enhancements
Cloud CMR Escalation Cloud CMR Support for Video(SIP) and WebEx
IM Desktop Share (Windows only) enhancement 10 parties in share
Audio/Video Bridge Conferencing Escalate call to bridge DN/URI destination
WebEx Personal Room Escalation support for WebEx Personal Rooms
Application integration
Jabber provides integration options for desktop environments
Microsoft Office integration allows users to access Jabber function directly
from applications like Outlook
Application Integration
Microsoft Office Integration
• Cisco Jabber for Windows integrates with Outlook 2010, 2013 and 2016
Application Integration
Save my Chat to Outlook / File ( Jabber 10.6+)
• Jabber for Windows now provides the option to save Chat / IM conversations to Microsoft Outlook.
• IM messages saved via Exchange server
• Feature can be enabled/disable by Jabber administrator as required (disabled by default)
• Alternatively, Jabber can save chats to a folder on a local drive for use by the Windows search function
Application Integration
Save to Outlook Configuration
• Administrator must enable save to Outlook, disabled by default for compliance
• Enabled using EnableSaveChatHistoryToExchange in jabber-config.xml file
• Jabber will discover Exchange server
using auto discovery by default
• Admin options to manually specify
servers and authentication method
• User also has advanced options to
specify server if required
Application Integration
Web Directory Integration
• Jabber provides URI
handlers that can be
incorporated into web
pages
• Using Simple HTML /
JavaScript a page can
support
• XMPP: - Chat Messages
• TEL: - Voice/Video Calls
Application Integration
What about other applications….?
• Jabber provides a global Hot
key which can be used to call
the contents of the clipboard
• Admin can enable/disable
and change key combination.
(disabled by default)
• Jabber-config.xml +
<MakeCallHotKey>True</MakeCallHotKey>
<MakeCallHotKey>CTRL+SHIFT+B</MakeCallHotKey>
Closing Thoughts
What did your last Jabber
deployment score?
Did you get 100%?
GOOD USER EXPERIENCE
PLANNED DEPLOYMENT
= SUCCESS
• Detailed design video, please look at Cisco live https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=83763&backBtn=true