Jabber Design
1 Cisco Jabber
Jabber overview
Cisco Jabber integrates a wide array of communications applications and services into a single desktop
computer application. It provides access to a variety of communications tools, including voice-mail (Cisco
Unity Connection), video (engine based on Cisco Movi Precision video engine), web conferencing (Cisco
Webex), call management (Unified CM), directories (LDAP), and presence (Unified Presence)
information.
Cisco Jabber operates in Desk Phone (CTI control of the user's desk phone for Click to Call) and Soft
Phone (software client operation) modes, and is supported on Apple Macintosh and Microsoft Windows
platforms. There are also mobile clients available on iOS (iPhone, iPad), Android and BlackBerry.
Jabber offers the following key features and benefits for the end-users:
Instant Message/Chat over XMPP including:
o Rich text formatting
o File transfer
o Screen capture
o Group chat
o Emoticons
Desk phone control
Software phone calling
High definition video
Video desktop sharing
Visual voicemail
WebEx Integration
Exchange Calendaring Integration
Microsoft Office integration
Directory integration
Click to Call Functionality support for Microsoft Applications
Cisco Jabber for mobile clients includes:
Instant Message/Chat over XMPP
Software phone calling
Visual voicemail
WebEx Integration
The figure below shows the components that make up the Jabber solution.
Figure 1 Jabber Components
UCM LDAP Directory
The integration is accomplished by means of the following two separate processes:
LDAP synchronization
o Synchronization of Unified CM with a corporate LDAP directory allows reuse of
user data stored in the LDAP directory and allows the corporate LDAP directory
to serve as the central repository for that information. Unified CM has an
integrated database for storing user data and a web interface within Unified CM
Administration for creating and managing user data in that database. When
synchronization is enabled, that local database is still used, but the Unified CM
facility to create user accounts becomes disabled.
LDAP authentication
o This process enables the IMS library to authenticate user credentials against a
corporate LDAP directory. When this feature is enabled, End User passwords are
authenticated against the corporate directory, while Application User passwords
are still authenticated locally against the Cisco Unified
Communications Manager database. Cisco Extension Mobility PINs are also still
authenticated locally.
1.2.1 LDAP System Configuration
Administrators use this window to enable LDAP synchronization and to set up the LDAP server
type and the LDAP attribute name for the user ID.
After an LDAP Directory configuration for the DirSync service gets created or the LDAP user
authentication is enabled, the settings in the LDAP System window become read-only.
The Active Directory sAMAccountName attribute will be used for the User ID synchronization.
This gives users an experience similar to working with their domain login credentials.
Table 1 LDAP System Settings
Parameter Value
Enable Synchronizing from LDAP Server Yes (Checked)
LDAP Server Type Microsoft Active Directory
LDAP Attribute for User ID sAMAccountName
This section will outline the design and implementation of the Cisco Jabber solution and
Collaboration edge Mobile and Remote Access (MRA), including IM/P, Expressway and Cisco
Jabber.
Home Depot's requirements for enrolling Cisco Jabber as a product are on two fronts:
1. Jabber in Phone-only mode
a. Jabber phone-only mode does not rely on or even need the IM/P servers or their services. The
Jabber devices register directly to the UCM and can be used either to control a user's IP
Phone on the desk (deskphone-control mode) or to work as an independent phone
client (softphone mode).
2. Jabber in Full-UC mode
The following table outlines at a high level the major differences in both these modes.
Table 2 Voicemail UC service
Install Mode | Jabber Full UC | Jabber Phone mode
Standards based Instant Messaging and Presence | X |
User managed Contact list with groups | X |
Directory search (Active Directory/LDAP) | X | X
MS Outlook Contact search | X | X
Soft phone Standards based Voice and Video Calling | X | X
Desk Phone Control | X | X
Desk phone Control with video support | X | X
Extend and Connect 3rd party PBX/PSTN phone control | X | X
Video Desktop Sharing (BFCP Standards based) | X | X
Visual Voicemail (Unity Connection) | X | X
Call History | X | X
WebEx Meetings Integration (incl support for Outlook, Notes, Google) | X | X
Admin/User defined custom DHTML Tabs | X | X
Microsoft Office Integration (Office 2007/2010) | X | X
Both of these modes are supported on the Enterprise segment as well as when Jabber clients
register over the MRA architecture. Given that we have UCM v10.5 deployed, the IM/P portion
will be designed on separate servers that are specifically deployed as IM/P nodes and run the
IM/P services. As a client, Jabber will be deployed on Windows/Mac and mobile devices
running the iOS and Android operating systems.
Irrespective of the phone modes mentioned above, the following are the common design criteria:
1. DNS SRV (DNS Service Record) records are used for automatic discovery of the UC servers and
the different services.
2. AD (Active Directory) attribute modification is required to enable Presence in Office applications.
3. The Cisco Jabber client retrieves contact photos from the AD thumbnailPhoto field, which needs to be
pre-loaded into AD. It is Home Depot's responsibility to provide photo standards; employee photos
will be updated by the AD support team.
4. User Search - There are three options: EDI, BDI, and UDS
a. EDI - Enhanced Directory Integration requires no configuration by default. If you install
Cisco Jabber for Windows on a workstation that is registered to an Active Directory
domain, Cisco Jabber for Windows automatically discovers the directory service and
connects to a Global Catalog in the domain.
b. BDI - Basic Directory Integration is an LDAP-based contact source for Android, iPhone,
Mac and iOS integration and will be utilized for these devices.
c. UDS - User Data Service is an interface in Cisco Unified Communications Manager that
makes contact information available to Cisco Jabber for VPN-less connectivity through
the Expressway-Edge server and is the only option available when users connect using the
Cisco MRA solution.
5. Cisco Jabber Integration with Unity Connection
a. Cisco Unity Connection provides Cisco Jabber users with the ability to view, play, sort,
and delete voicemail messages.
6. Cisco recommends that all phone numbers be reformatted in AD to +E.164 format, with the
exception of the Internal Dial Plan phone number (700xxxxyyyyy).
a. Regarding contact number display, Jabber is just the passive receiving end: as long as
those four AD attributes are populated in the expected format, Jabber will display them in
the contact information. Note that any extra formatting (dashes) will automatically be
stripped out when presented in Jabber.
7. Application Dial Rules will be implemented, as Home Depot wants Jabber to be able to dial
10-digit local or 11-digit Long Distance PSTN calls.
Cisco Jabber Voice Architecture
1.3.1 Jabber and CUCM
At initial login, Jabber downloads its configuration profile from the Cisco Presence server via
AXL SOAP. The configuration file contains the primary and backup TFTP addresses of the
CUCM cluster.
When configured as a softphone, Jabber will download its configuration file from CUCM. In
Softphone mode, Jabber is created in the CUCM DB as a SIP CSF device type endpoint.
Similarly to an IP phone, the configuration file downloaded from the CUCM TFTP contains the
list of CUCM primary and failover server addresses and the transport protocol for Jabber to use in
softphone mode to connect to CUCM. This list is based on the Device Pool of the CSF defined
on the CUCM.
The client receives services information via the service profile configured under the end-user
configuration in CUCM, which is downloaded from the CUCM TFTP service. With those UC
services now available from the TFTP download, the Jabber client connects to the CUCM
CTI Managers to take control of its IP phone when using Desk Phone mode.
The Jabber client speaks native QBE with the CUCM CTI Manager, and thus there is no need to
load TSP or JTAPI plugin on the PC.
If the CTI connection to CUCM is lost while Jabber is operating in desk phone mode, the
application tries to re-establish the connection to the primary and then to the backup servers.
Connection attempts continue on a round-robin basis, beginning again with the primary server.
Successive attempts to reconnect to a server occur at intervals of 4, 8, 16, 32, and 60 seconds
(maximum) until a connection is re-established.
1.3.2 Jabber and Cisco Unity Connection Voicemail
Jabber can retrieve, listen to, and delete voicemail stored on the CUC virtual servers via IMAP, or
securely via TLS.
The IP addresses and TLS settings are learned from the user's CUCM Service Profile in 10.x,
which has the voicemail server defined. The Jabber client user can also simply dial voicemail
from the client to interact with the voice messaging system.
Home Depot does use Cisco Unity Connection voicemail and will be using the visual voicemail
feature in the Jabber client.
CUCM Configuration for Jabber Voice
1.4.1 UC Service profiles for Jabber client
All the UC services, such as LDAP, Voicemail and CTI, are now configured on CUCM and assigned
to the end user in CUCM. Under UC Service, configure the following services for the Cisco Jabber
Voicemail feature.
1.4.2 UC Service
The UC services that can be given to a user are as follows:
1. Voicemail
2. Mailstore (not deployed in Home Depot)
3. Conferencing (not deployed in Home Depot)
4. IM and Presence
5. CTI
There will be 2 service profiles created, one for the Phone-only mode deployment and another for Full-UC mode deployment. Typically the only difference in the Service profiles will be the use of IM and Presence services between these 2 deployment methods.
1.4.2.1 Voicemail UC Service
Table 3 Voicemail UC service
Configuration Parameter Value
Product Type Unity Connection
Name VM_SVC
Description Voicemail Service
Hostname/IP Address atl-nsv-cuc01.homedepot.com
Port 443
Protocol HTTPS
Name VM_SVC2
Description Voicemail Service
Hostname/IP Address aus-nsv-cuc01.homedepot.com
Port 443
Protocol HTTPS
1.4.2.2 Mailstore
This service is not designed for or implemented in the Home Depot environment.
1.4.2.3 Conferencing Server
This service is not designed for or implemented in the Home Depot environment.
1.4.2.4 CTI UC Service
For CTI access to devices, users need access to a CTI server. Multiple CTI
servers can be configured for redundancy.
Table 4 CTI UC Service
Configuration Value
Product Type CTI
Name CTI_SVC
Description CTI Service
Hostname/IP Address atl-nsv-cucm-services01.homedepot.com
Port 2748
Protocol TCP
Name CTI_SVC2
Description CTI Service
Hostname/IP Address aus-nsv-cucm-services01.homedepot.com
Port 2748
Protocol TCP
1.4.2.5 Directory UC Service
Table 5 Directory UC Service
Configuration Value
Product Type Directory
Name DIR_SVC
Description Directory Service
Hostname/IP Address atl-nsv-cucm-services01.homedepot.com
Port 389
Protocol TCP
Name DIR_SVC
Description Directory Service
Hostname/IP Address aus-nsv-cucm-services01.homedepot.com
Port 389
Protocol TCP
Name GC-Amer
Description Global Catalog
Hostname/IP Address amer-gc.amer.homedepot.com
Port 3269
Protocol TCP
1.4.2.1 IM and Presence UC service
This UC service is only applicable in Full-UC mode. Phone-only mode users do not have this
service applied through their service profile.
Table 6 IMP Server Service
Configuration Value
Product Type IM and Presence
Name IMP_SVC_Primary
Description CUCM IMP Service
Hostname/IP Address atl-nsv-cups01.homedepot.com
Name IMP_SVC_Secondary
Description CUCM IMP Service
Hostname/IP Address aus-nsv-cups01.homedepot.com
1.4.3 Service Profiles
UC services are assigned to users via service profile. There will be 2 service profiles created,
one for Phone-only mode and another for Full-UC mode. Home Depot will decide and
communicate the assignments for their users and then these profiles will be assigned
accordingly on the End-User page.
1.4.3.1 Phone-Only mode UC Service profile
The following service profile is created for the Phone-only mode deployment of Jabber at
Home Depot. This is set as the default profile in Home Depot, as a large number
of users will need this functionality compared with Full-UC mode.
Table 7 UC Service Profile Phone-Only mode
Configuration Value
Name THD-Service Profile-PhoneMode
Description THD-PhoneMode profile
Make this the default service profile for the system Checked
Voicemail Profile
Primary VM_SVC
Secondary VM_SVC
Tertiary
Credential source for voicemail service Unified CM IM and Presence
Mailstore Profile
Primary
Secondary
Tertiary
Conferencing Profile
Primary
Secondary
Tertiary
Directory Profile
Primary
Secondary
Tertiary
Use UDS for Contact Resolution Unchecked
Use Logged On User Credential Unchecked
Username N/A
Password N/A
Search Base 1 N/A
Search Base 2 N/A
Search Base 3 N/A
Recursive Search on All Search Bases Checked
Search Timeout (seconds) 5
Base Filter (Only used for Advance Directory) N/A
Predictive Search Filter (Only used for Advance Directory) N/A
IM and Presence Profile
Primary
Secondary
Tertiary
CTI Profile
Primary CTI_SVC
Secondary CTI_SVC2
Tertiary
1.4.3.1 Full-UC mode UC Service profile
The following service profile is created for the Full-UC mode deployment of Jabber at Home
Depot and will be applied on a case-by-case basis only to specific users as identified.
Table 8 UC Service Profile Full-UC mode
Configuration Value
Name THD-Service Profile-FullMode
Description THD-FullUC profile
Make this the default service profile for the system Unchecked
Voicemail Profile
Primary VM_SVC
Secondary VM_SVC
Tertiary
Credential source for voicemail service Unified CM IM and Presence
Mailstore Profile
Primary
Secondary
Tertiary
Conferencing Profile
Primary
Secondary
Tertiary
Directory Profile
Primary
Secondary
Tertiary
Use UDS for Contact Resolution Unchecked
Use Logged On User Credential Unchecked
Username N/A
Password N/A
Search Base 1 N/A
Search Base 2 N/A
Search Base 3 N/A
Recursive Search on All Search Bases Checked
Search Timeout (seconds) 5
Base Filter (Only used for Advance Directory) N/A
Predictive Search Filter (Only used for Advance Directory) N/A
IM and Presence Profile
Primary IMP_SVC_Primary
Secondary IMP_SVC_Secondary
Tertiary
CTI Profile
Primary CTI_SVC
Secondary CTI_SVC2
Tertiary
Cisco Jabber Configuration
To enable the Cisco Jabber voice and video features, a Cisco Jabber device must be added to
UCM as a soft phone device. Each Cisco Jabber platform requires a corresponding phone type
and device name; the table below provides the details.
Table 9 Cisco Jabber Platform and associated device name
Cisco Jabber Platform | Phone Type | Device Name
Windows | Cisco Unified Client Services Framework | CSF
MAC | Cisco Unified Client Services Framework | CSF
iPhone | Cisco Dual Mode for iPhone | TCT
iPad | Cisco Jabber for Tablet | TAB
Android | Cisco Dual Mode for Android | BOT
The table below uses Cisco Jabber CSF as the example to demonstrate the parameters
needed to register a Cisco Jabber CSF device.
Table 10 Cisco Jabber Client Configuration
Configuration Data Value
Phone Type Cisco Unified Client Services Framework
Device Name CSF (ex. CSFIOB01)
Description Firstname Lastname CSF
Device Pool DP-
Phone Button Template Standard Client Services Framework
Common Phone Profile Standard Common Phone Profile
Calling Search Space CSS-Device-
Location LOC-
Primary Phone
Owner User ID Select appropriate userid (ex.iob01)
Allow Control of Device from CTI Checked
Presence Group Standard Presence Group
Device Security Profile Cisco Unified Services Framework
Standard SIP
SUBSCRIBE Calling Search Space
SIP Profile Standard SIP Profile for Jabber
Allow Control of Device from CTI Checked
Video Calling Enabled
Line [1] Directory Number Shared Line with HW Phone
Line [1] Route Partition Shared Line with HW Phone
Line [1] Allow Control of Device from CTI Checked
Users Associated with Line (ex. Jdoe)
Table 11 Cisco Jabber Client DN and User to Line Association
Directory Number 700xxxxyyyyy
Users Associated with Line Userid (configure the UserID here)
Associated Devices CSFiob01
Display Name Firstname Lastname
ASCII Display Firstname Lastname
1.5.1 Jabber for iPhone
The table below shows the common parameters needed to register a Jabber for iPhone client as a
softphone.
Table 12 Jabber for iPhone configuration on UCM
Configuration Data Value
Phone Type Cisco Dual Mode for iPhone
Device Name TCT (ex. TCTJDOE)
Device Pool DP-
Phone Button Template Standard Dual Mode for iPhone
Common Phone Profile Standard Common Phone Profile
Calling Search Space CSS-Device-
Location LOC-
Primary Phone
Owner User ID Select appropriate userid (ex.iob01)
Allow Control of Device from CTI Checked
Presence Group Standard Presence Group
Device Security Profile Cisco Dual Mode for iPhone - Standard SIP Non-Secure Profile
SIP Profile Standard SIP Profile for Mobile Device
Line [1] Directory Number XXXXXXXXXX
Line [1] Route Partition XXXXXXXXXX
Line [1] Allow Control of Device from CTI Checked
Line [1] Presence Group Standard Presence Group
Users Associated with Line (ex. Jdoe)
1.5.2 Jabber for iPad
The table below shows the common parameters needed to register a Jabber for iPad client as a
softphone.
Table 13 Jabber for iPad configuration
Configuration Data Value
Phone Type Cisco Jabber for Tablet
Device Name TAB (ex. TABJDOE)
Device Pool DP-
Phone Button Template Standard Jabber for Tablet
Common Phone Profile Standard Common Phone Profile
Calling Search Space CSS-Device-
Location LOC-
Primary Phone
Owner User ID Select appropriate userid (example -iob01)
Allow Control of Device from CTI Checked
Presence Group Standard Presence Group
Device Security Profile Cisco Jabber for Tablet - Standard SIP Non-Secure Profile
SIP Profile Standard SIP Profile
Line [1] Directory Number XXXXXXXXXX
Line [1] Route Partition XXXXXXXXXX
Line [1] Allow Control of Device from CTI Checked
Line [1] Presence Group Standard Presence Group
Users Associated with Line (ex. Jdoe)
1.5.3 Jabber for Android
The table below shows the common parameters needed to register a Jabber for Android client as a
softphone.
Table 14 Jabber for Android configuration
Configuration Data Value
Phone Type Cisco Dual Mode for Android
Device Name BOT (ex. BOTJDOE)
Device Pool XXXXXXXXXX
Phone Button Template Standard Dual Mode for Android
Common Phone Profile Standard Common Phone Profile
Calling Search Space CSS-Device-
Location LOC-
Primary Phone
Owner User ID Select appropriate userid (example -iob01)
Allow Control of Device from CTI Checked
Presence Group Standard Presence Group
Device Security Profile Cisco Dual Mode for Android - Standard SIP Non-Secure Profile
SIP Profile Standard SIP Profile for Mobile Device
Line [1] Directory Number XXXXXXXXXX
Line [1] Route Partition XXXXXXXXXX
Line [1] Allow Control of Device from CTI Checked
Line [1] Presence Group Standard Presence Group
1.5.4 End Users Cisco Jabber related configuration
Update the End-User with the following configurations and associate the user with the service
profile.
Keep all other values as already set, except the ones called out below.
Table 15 Cisco Jabber Clients with Hard phone Associations
Parameter Value
UserID userid
Service Settings
Home Cluster Checked
Enable User for Unified CM IM and Presence (Configure IM and Presence in the associated UC Service Profile) Unchecked
Include meeting information in presence Unchecked
UC Service Profile Use System Default (THD-Service Profile-PhoneMode)
Device Associations SEPAABBCCDDEE01
CSFuserid
TCTuserid
TABuserid
BOTuserid
Primary Extension 700xxxxyyyy
User Groups Standard CCM End Users
Standard CTI Allow Control of Phones supporting Connected Xfer and conf
Standard CTI Enabled
1.5.5 Application Dial Rules
Home Depot has expressed a desire that their users would use 10-digit local calling or 11-digit
LD calling to PSTN from the Jabber clients. This is especially applicable for calling people in
their Personal Contact list in MS Outlook application or from a browser. Application dial rules
are implemented in Home Depot environment to achieve this 10-digit or 11-digit calls to PSTN.
The ipPhone attribute is already in the correct format and will not use the ADRs, because those
numbers in the directory are in a format that can be dialed directly.
Table 16 Application Dial Rules Local Calls
Parameters Value
Name JabberX
Number begins with X
Number of Digits 10
Total Digits to be removed 0
Prefix with Pattern 91
Where X = numbers 2 to 9
Table 17 Application Dial Rules LD Calls
Parameters Value
Name Jabber LD Calls
Number begins with 1
Number of Digits 11
Total Digits to be removed 0
Prefix with Pattern 9
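The two rule tables above, applied to contact numbers as a directory or Outlook contact might store them. This is an added example, not part of the original design document: the sample numbers are constructed, and the matching semantics (first rule whose leading digit and total digit count both match) are an assumption modelled on the table columns.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DialRule:
    name: str
    begins_with: str      # "Number begins with"
    num_digits: int       # "Number of Digits"
    remove: int           # "Total Digits to be removed"
    prefix: str           # "Prefix with Pattern"


# Table 16 expands to one rule per leading digit X = 2..9 (Jabber2 .. Jabber9).
RULES = [DialRule(f"Jabber{d}", str(d), 10, 0, "91") for d in range(2, 10)]
# Table 17 is a single rule for 11-digit long-distance numbers.
RULES.append(DialRule("Jabber LD Calls", "1", 11, 0, "9"))


def strip_formatting(raw: str) -> str:
    """Drop dashes, spaces and brackets; keep a leading '+' if present."""
    raw = raw.strip()
    plus = "+" if raw.startswith("+") else ""
    return plus + re.sub(r"\D", "", raw)


def apply_rules(raw: str, rules=RULES):
    """Return (string sent to UCM, name of the rule that matched or None)."""
    number = strip_formatting(raw)
    for rule in rules:
        if len(number) == rule.num_digits and number.startswith(rule.begins_with):
            return rule.prefix + number[rule.remove:], rule.name
    # No rule matched: the number is passed through unchanged.
    return number, None


def unmatched(numbers, rules=RULES):
    """Numbers that no rule rewrites; worth reviewing before rollout."""
    return [n for n in numbers if apply_rules(n, rules)[1] is None]


if __name__ == "__main__":
    # Constructed sample contacts (555-01xx numbers are reserved for examples).
    samples = [
        "(770) 555-0100",      # 10-digit local
        "1-770-555-0100",      # 11-digit long distance
        "700123456789",        # internal dial plan, 12 digits
        "+1 770 555 0100",     # +E.164 as recommended for AD
        "1705550100",          # 10 digits but starts with 1
    ]
    for s in samples:
        dialed, rule = apply_rules(s)
        print(f"{s:18} -> {dialed:14} ({rule or 'no rule'})")
```

Both the 10-digit and the 11-digit form of the same PSTN number come out as the same dial string, which is the point of using prefix 91 for local calls and prefix 9 for numbers that already start with 1.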
1.5.6 Jabber Video Desktop Sharing Configuration
To configure video desktop sharing in version 9.x of CUCM the BFCP configuration element is
natively installed and does not require the install of a COP file.
Table 18 Enable BFCP Jabber SIP profile
Parameter Value
Name Standard SIP Profile for Jabber
Description SIP profile for CSF devices
Allow Presentation Sharing using BFCP Checked
The Jabber SIP Profile is a copy of the standard SIP profile with the above BFCP parameter checked. All other parameters on this profile will remain as is. Assign this Jabber SIP profile to the SIP Trunk to CUPS and to the CSF devices created for Jabber.
1.5.6.1 Jabber desktop video
There is no separate configuration required to enable video sharing on CSF devices. It is
enabled by default. For this feature to work, Home Depot users need to:
1. be on active calls to use desktop sharing capabilities. Video desktop sharing sessions can be
initiated only from active calls.
2. enable video desktop sharing only on soft phone devices. Video desktop sharing cannot be
enabled on desk phone devices.
1.5.7 Cisco Jabber - Cisco Jabber-config.xml file
Home Depot has requested to disable certain features and functions on the Jabber clients. The
XML file is how Jabber customizes certain configuration elements and features. To achieve
this, certain values in the jabber-config file have been modified. Additionally, to make LDAP
BDI integration work for Mac/iOS/Android devices, certain values have been changed. The
Cisco jabber-config.xml file below will be used to change the default Cisco Jabber behavior.
----------------------------------------------------------------------------------------------------------------------
true
true
false
false
DISABLED
true
false
CTRL+Alt+D
deskphone
false
false
false
false
OFF
0
ldap.amer.homedepot.com
ldap.amer.homedepot.com
389
389
ipphone
ipphone
mail
mail
OU=THD Accounts,DC=amer,DC=homedepot,DC=com
OU=THD Accounts,DC=amer,DC=homedepot,DC=com
true
true
thumbnailPhoto
thumbnailPhoto
homedepot.com
homedepot.com
----------------------------------------------------------------------------------------------------------------------
Current Versions / Devices Supported
The table below details the latest versions of the Jabber clients and the system requirements for
installing them on the respective platforms.
Table 19 Jabber Clients System requirements
Client Current Versions System Requirements
Jabber for Windows 11.0 Operating system
Microsoft Windows 10 (Desktop OS x86)
Medianet MSI and Deskphone Video capabilities are not currently supported on Windows 10.
Microsoft Windows 8.x, 32 and 64 bit
Microsoft Windows 7 SP1 or later, 32 and 64 bit
Minimum CPU speed and type
Mobile AMD Sempron Processor 3600+ 2 GHz
Intel Core2 CPU T7400 at 2.16 GHz
Intel Atom
Installed RAM
2-GB RAM (Windows 7 and Windows 8)
Free physical memory
128 MB
Disk space
256 MB
Graphics Processing
DirectX11 (Windows 7)
I/O ports
When using USB cameras and audio devices, USB 2.0 is required.
Jabber for iPhone and iPad
11.0 iPhone 4s, 5, 5c, 5s, 6, and 6 Plus
iPad 2, iPad with Retina display (3rd and 4th
generation), iPad Air, iPad mini, or iPad mini with
Retina display, iPad Air 2, and iPad mini 3
iPod touch 5th generation
iOS versions:
iOS 8.0 and later (public releases)
Jabber for Android
Device Device Model Operating System
Cisco DX 70 10.2.x version
80 10.2.x version
650 10.2.x version
HTC One M7 Android OS 4.4.2 or later
One M8 Android OS 4.4.2 or later
One Max Android OS 4.4.2 or later
Google Nexus 5 Android OS 4.4 or later
6 Android OS 5.0.2 or later
7 Android OS 4.4 or later
9 Android OS 5.0.2 or later
10 Android OS 4.4 or later
LG G2 Android OS 4.2.2 or later
G3 Android OS 4.4.2 or later
Motorola Moto G Android OS 4.4.2 or later
Samsung Galaxy Note II Android OS 4.2 or later
Note III Android OS 4.3 or later
Note IV Android OS 4.4.4 or later
Note Edge Android OS 4.4.4 or later
Note Pro 12.2 Android OS 4.4.2 or later
Rugby Pro Android OS 4.2.2 or later
SII Android OS 4.1.2 or later
SIII Android OS 4.2.2 or later
S4 Android OS 4.2.2 or later
S4 mini Android OS 4.2.2 or later
S5 Android OS 4.2.2 or later
S5 mini Android OS 4.2.2 or later
Tab 3 8-inch Android OS 4.4 or later
S6 Android OS 5.0.2 or later
S6 Edge Android OS 5.0.2 or later
Tab 4 7-inch, 8-inch, and 10.1-inch Android OS 4.4.2 or later
Tab PRO 8.4-inch and 10.1-inch Android OS 4.4.2 or later
Tab S 8.4-inch & 10.5-inch Android OS 4.4.2 or later
Note 10.1-inch 2014 Edition Android OS 4.4.2 or later
Sony Xperia M2 Android OS 4.3 or later
Z1 Android OS 4.2 or later
Z2 Android OS 4.4.2 or later
Z2 tablet Android OS 4.4.2 or later
Z3 Android OS 4.4.2 or later
ZR/A Android OS 4.1.2 or later
Z3 Tablet Compact Android OS 4.4.4 or later
Huawei Ascend G6 Android OS 4.2.2 or later
Mate 7 Android OS 4.4.x
Sonim XP7 Android OS 4.4.4
Xiaomi 4 Android OS 4.4.x
Jabber and Quality of Service
End-to-end QoS policies and strategic direction around desktop traffic marking need to be
considered for future deployment beyond this pilot deployment of Jabber clients.
1.7.1 QoS Policies in Microsoft Windows
UC clients receive the DSCP marking settings to use for Audio and Audio/Video calls from their
Cisco Unified Communications Manager (CUCM) when they register to the CUCM as a
(soft)phone client.
The client marks traffic with the values specified in Cisco Unified Communications Manager: the Client
Services Framework marks all signalling with a CS3 classification. The media associated with
audio-only calls is marked EF, and video calls are marked with a DSCP value of AF41 for both
audio and video.
This can be configured for following Microsoft OSs:
Windows XP: any user
Windows Vista: Administrator user with User Account Control off
Windows 7: Administrator user with User Account Control off
Windows 8: QoS Group policies can be applied to the workstation. You can create a GPO which specifies the CSF application is allowed to mark traffic in specific port ranges.
Home Depot can configure group policies in Microsoft Windows so that Windows clients
automatically apply Differentiated Services Code Point (DSCP) values to media streams for
Cisco Jabber for Windows. The policies you configure should match the CiscoJabber.exe
application, the UDP protocol, and a source port range. In most cases, you should configure
one policy to apply DSCP values to the audio call port range and another policy to apply DSCP
values to the video call port range.
Personal computer traffic is typically untrusted, and the network will strip DSCP markings made
by an application from the PC unless the above items are implemented.
1.7.2 Port Ranges on Cisco Unified Communications Manager
Cisco Unified Communications Manager lets you define one port range for Cisco Jabber for
Windows. Cisco Jabber for Windows divides this port range equally and uses the lower half for
audio calls and the upper half for video calls. For example, you define a port range of 1000 to
3000 in Cisco Unified Communications Manager. Cisco Jabber for Windows uses a port range
of 1000 to 2000 for audio calls and a port range of 2000 to 3000 for video calls.
1.7.3 Allocation of video and media ports for Jabber
For CSF devices, you can specify a range of numbers available to be used for media ports in
the SIP profile of the device in Cisco Unified Communications Manager. Use the Start Media
Port and Stop Media Port fields to specify this range.
The audio port for SIP devices is allocated randomly in the first half of this range, and the video
port for SIP devices is allocated randomly in the second half of this range.
So, an audio only call will be in range 16384-24576 and if it is a video call it will be in range
24577-32767 for both the video media and audio media. For Home Depot, the Jabber devices
should be treated as a trusted entity from the PC and put in the tier 3 video class of AF41 for
video (video with audio) and EF for the audio only calls; signaling will be marked as CS3. The
CSF SIP Signaling port is TCP/UDP 5060.
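One way to check that the markings described in sections 1.7.1 to 1.7.3 actually reach the wire is to compare flow records from a capture against the expected class for each port range. This is an added example, not part of the original design document: the policy names, the flow records and the choice to match signaling on destination port 5060 are assumptions.

```python
from dataclasses import dataclass

# Standard DSCP code point values for the classes named in this section.
DSCP = {"CS3": 24, "AF41": 34, "EF": 46}

JABBER_EXE = "CiscoJabber.exe"
SIP_PORT = 5060

# The two media policies as this section describes them: match the Jabber
# executable, UDP, and a source port range. Policy names are hypothetical.
POLICIES = [
    {"name": "Jabber Audio", "proto": "udp", "src_ports": (16384, 24576), "class": "EF"},
    {"name": "Jabber Video", "proto": "udp", "src_ports": (24577, 32767), "class": "AF41"},
]


@dataclass(frozen=True)
class Flow:
    app: str        # process that owns the socket
    proto: str      # "udp" or "tcp"
    src_port: int
    dst_port: int
    dscp: int       # DSCP value observed on the wire


def expected_class(flow: Flow):
    """Class the design expects for this flow, or None for best effort."""
    if flow.app != JABBER_EXE:
        return None
    if flow.dst_port == SIP_PORT and flow.proto in ("tcp", "udp"):
        return "CS3"                      # SIP signaling (assumed dst port match)
    for policy in POLICIES:
        low, high = policy["src_ports"]
        if flow.proto == policy["proto"] and low <= flow.src_port <= high:
            return policy["class"]
    return None


def verdict(flow: Flow) -> str:
    want = expected_class(flow)
    if want is None:
        # Traffic the design does not trust should not carry a priority marking.
        return "ok" if flow.dscp == 0 else "unexpected"
    if flow.dscp == DSCP[want]:
        return "ok"
    # DSCP 0 means the policy is missing or the network stripped the marking.
    return "unmarked" if flow.dscp == 0 else "mismarked"


def audit(flows):
    return [verdict(f) for f in flows]


# Constructed flow records, as might be exported from a packet capture.
SAMPLE_FLOWS = [
    Flow(JABBER_EXE, "udp", 17000, 20000, 46),   # audio-only call, EF
    Flow(JABBER_EXE, "udp", 30000, 20002, 34),   # video call, AF41
    Flow(JABBER_EXE, "udp", 24576, 20004, 0),    # top of audio range, unmarked
    Flow(JABBER_EXE, "udp", 24577, 20006, 46),   # bottom of video range, wrong class
    Flow(JABBER_EXE, "tcp", 51000, 5060, 24),    # SIP signaling, CS3
    Flow("other.exe", "udp", 17000, 20008, 46),  # non-Jabber app marking itself EF
]

if __name__ == "__main__":
    for flow, result in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{flow.app:16} {flow.proto} {flow.src_port:>5} dscp={flow.dscp:<2} {result}")
```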
There is no change in how video and audio ports are allocated for the devices used when you
are using your desk phone. Audio is terminated on the desk phone itself, and video always uses
the following ports:
Supported LDAP Directory Services
Cisco Jabber for Windows v11.x supports integration with the following directory services:
1. Active Directory Domain Services for Windows Server 2012 R2
2. Active Directory Domain Services for Windows Server 2008 R2
3. OpenLDAP 2.4 and later
4. Active Directory Lightweight Directory Service (AD LDS) or Active Directory Application Mode
(ADAM)
Microsoft Active Directory 2008 R2 is used by Home Depot.
1.8.1 AD attributes and Cisco Jabber fields
Table 20 AD Phone attributes and Cisco Jabber fields mapping
AD Attribute Cisco Jabber Field
telephoneNumber Work
Mobile Mobile
homePhone Home
otherTelephone Other
ipPhone ipPhone
DNS SRV Records for Cisco Jabber Login
Configure the following Internal and External DNS SRV records for Cisco Jabber login.
Table 21 Internal DNS SRV Records for Cisco Jabber Auto Login
Domain | Service | Protocol | Port | Priority | Weight | TTL | Host
homedepot.com | _cuplogin | _tcp | 8443 | 10 | 10 | 86400 | atl-nsv-cups01.homedepot.com
homedepot.com | _cisco-uds | _tcp | 8443 | 10 | 10 | 86400 | atl-nsv-cucm01.homedepot.com
homedepot.com | _cisco-uds | _tcp | 8443 | 10 | 10 | 86400 | aus-nsv-cucm02.homedepot.com
Table 22 External DNS SRV Records for Cisco Jabber Auto Login
Domain | Service | Protocol | Port | Priority | Weight | TTL | Host
homedepot.com | _collab-edge | _tls | 8443 | 10 | 10 | 86400 | uc-remote.homedepot.com
homedepot.com | _sips | Tcp | 5061 | 10 | 10 | 86400 | uc-remote.homedepot.com
Integration with Microsoft Outlook and Office 2010
Microsoft Exchange integration with the IM and Presence Service allows users to incorporate
their calendar/meeting status from Microsoft Outlook into their availability status on the IM and
Presence Service. The table below shows the reachability mappings, and how the IM and
Presence Service correlates the status of meetings (as shown in Microsoft Outlook calendar) in
the availability status of users on the IM and Presence Service.
Client side integration for Outlook and Office integration allows Home Depot users to perform
Click2Call from these applications.
Cisco Jabber Auto Login Procedure
In an Active Directory integrated environment, the Cisco Jabber client auto login consists of the
following three key steps:
1. The Cisco Jabber client gets a service domain;
2. The Cisco Jabber client discovers available services;
3. The Cisco Jabber client authenticates with AD and applies the Service profile to the Cisco Jabber client.
1.11.1 Cisco Jabber Client gets a service domain.
The user is prompted to enter a Cisco Jabber user account, which is used to determine the
services domain. In the Home Depot scenario, the Cisco Jabber user account format is:
[email protected] or [email protected]
The following steps are an example of how the client gets a services domain after a new
installation
1. John Doe launches Cisco Jabber for the first time.
2. Cisco Jabber prompts Joe to enter his login account.
3. Assuming Joes sAMAccountName is jdoe, Mike enters [email protected].
4. The client extracts service domainhomedepot.com from the above sign-in address.
1.11.2 Cisco Jabber client discovers available service
The client requests the following SRV records:
1. _cisco-uds
2. _cuplogin
3. _collab-edge
If the name server returns _cisco-uds or _cuplogin:
The client detects it is inside the corporate network and connects to one of the following:
Cisco Unified Communications Manager - if the name server returns _cisco-uds.
Cisco IMP - if the name server returns _cuplogin.
If the name server returns _collab-edge:
The client attempts to connect to the internal network through Expressway Mobile and Remote
Access (MRA) and discover services.
If DNS returns no response to the SRV queries, the client prompts users to manually enter setup
and sign-in details.
1.11.3 Cisco Jabber client authenticates with AD and applies Service profile
Based on the discovered service, the Cisco Jabber client takes the following actions:
1. _cisco-uds
The client does the following:
a) Prompts the user for credentials to authenticate with AD.
b) Retrieves the service profile. The service profile provides the client with the authenticator as well
as client and UC service configuration.
2. _cuplogin
The client does the following:
a) Determines that Cisco IMP is the primary source of authentication.
b) Automatically connects to the server.
c) Prompts the user for credentials and authenticates with AD.
d) Retrieves client and service configuration.
3. _collab-edge
If the name server returns the _collab-edge SRV record, the following takes place:
a) The client sends internal SRV requests (_cisco-uds and _cuplogin) to Expressway-E.
b) Expressway-E forwards the request to Expressway-C.
c) Expressway-C looks up the internal SRV records and provides the records to Expressway-E,
which then responds to the client's request.
d) After the client gets the internal SRV records, it retrieves service profiles from CUCM. The service
profiles then provide the client with the user's home cluster, the primary source of authentication.
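The discovery order from sections 1.11.1 to 1.11.3 as a small Python model, added here as an illustration and not taken from Cisco or from the original design. The DNS views are constructed from Tables 21 and 22, the sign-in address used with it (jdoe@homedepot.com) is a constructed sample, and preferring _cisco-uds over _cuplogin when both are returned is an assumption based on the order in which the records are listed. The audit function follows from the rule above that an answer for _cisco-uds or _cuplogin makes the client treat itself as internal, so the external view should not answer those names.

```python
# Added example: models the SRV discovery order described above.
# DNS answers are constructed dictionaries, not live lookups.
SRV_ORDER = ["_cisco-uds", "_cuplogin", "_collab-edge"]
PROTO = {"_cisco-uds": "_tcp", "_cuplogin": "_tcp", "_collab-edge": "_tls"}

# Constructed views from Tables 21 and 22: name -> [(priority, weight, port, host)]
INTERNAL_VIEW = {
    "_cisco-uds._tcp.homedepot.com": [(10, 10, 8443, "atl-nsv-cucm01.homedepot.com"),
                                      (10, 10, 8443, "aus-nsv-cucm02.homedepot.com")],
    "_cuplogin._tcp.homedepot.com": [(10, 10, 8443, "atl-nsv-cups01.homedepot.com")],
}
EXTERNAL_VIEW = {
    "_collab-edge._tls.homedepot.com": [(10, 10, 8443, "uc-remote.homedepot.com")],
    "_sips._tcp.homedepot.com": [(10, 10, 5061, "uc-remote.homedepot.com")],
}

def service_domain(sign_in):
    """Step 1: take the part after '@' as the services domain."""
    user, sep, domain = sign_in.strip().rpartition("@")
    if not sep or not user or not domain:
        raise ValueError("sign-in address must look like user@domain")
    return domain.lower()

def discover(sign_in, dns_view):
    """Steps 2 and 3: query the three SRV names and classify the client."""
    domain = service_domain(sign_in)
    found = {}
    for svc in SRV_ORDER:
        answers = dns_view.get(f"{svc}.{PROTO[svc]}.{domain}", [])
        if answers:
            # Lowest priority value first; ties are broken deterministically
            # here, whereas a real client balances by weight.
            found[svc] = sorted(answers)[0][3]
    if "_cisco-uds" in found:   # assumed preference when both internal records exist
        return ("internal", "Unified CM", found["_cisco-uds"])
    if "_cuplogin" in found:
        return ("internal", "IM and Presence", found["_cuplogin"])
    if "_collab-edge" in found:
        return ("external", "Expressway MRA", found["_collab-edge"])
    return ("manual", None, None)  # no SRV answers: user enters settings by hand

def audit_split_dns(external_view):
    """Flag internal-only SRV names that the external view would answer."""
    return sorted(name for name in external_view
                  if name.startswith(("_cisco-uds.", "_cuplogin."))
                  and external_view[name])
```

Running `audit_split_dns` against an export of the public zone is a quick way to confirm that remote clients will take the _collab-edge path rather than trying to reach internal servers directly.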
Collaboration Edge Design
Collaboration Edge is an umbrella term to describe Cisco's entire collaboration architecture. The
goal of Collaboration Edge Architecture is to help bridge islands to enable any-to-any
collaboration, no matter what size your organization is.
Collaboration Edge Architecture core products include:
1. Cisco Expressway
2. Cisco UCM
3. Cisco Jabber
4. CUBE
5. Gateway
6. SRST
Cisco Mobile and Remote Access (MRA)/VPN-less access for Cisco
Jabber is a core part of the Cisco Collaboration Edge Architecture. It allows endpoints such as
Cisco Jabber to have their registration, call control, provisioning, messaging and presence
services provided by Cisco UCM when the endpoint is not within the enterprise network. The
rest of this chapter focuses on Mobile and Remote Access/VPN-less access for Cisco Jabber.
The overall solution provides:
1. Off-premises access for Cisco Jabber and EX/MX/SX Series clients
2. Secure business-to-business Communications
3. Service: WebEx, Voice messaging, Audio/Video Call
4. Gateway and interoperability services
1.12.1 Mobile and Remote Access (MRA) Overview
Expressway is based on the existing Cisco Telepresence Video Communication Server (VCS).
Both products share the same codebase. The installed option keys (license) decide in which
mode the code operates. A Cisco Expressway solution consists of two entities: Expressway-C
and Expressway-E.
Expressway-C is deployed inside the enterprise network. It serves as a SIP proxy and a
communications gateway for Cisco Unified CM. Expressway-C is configured as a Unified
Communications traversal client to communicate with Expressway-E to allow inbound and
outbound calls to traverse the device. In the Home Depot setup, Expressway-C and
Expressway-E are deployed in a cluster for redundancy and scalability.
The Expressway-E cluster is deployed in the DMZ. It is also a SIP proxy and it is configured as
a Unified Communications traversal server to receive communication from the
Expressway-C. In Home Depot's environment the Expressway-E is configured with two
network interfaces (this requires the Advanced Networking option key to be installed on the
Expressway-E system). One NIC is connected to the internal network and one is connected
to the DMZ network, which faces the internet. The external-facing DMZ NIC has an
externally resolvable name (uc-remote.homedepot.com), which the external/public DNS
servers resolve to a public IP address (207.11.113.60).
Expressway-C initiates traversal connections outbound through the firewall to specific ports on
Expressway-E with secure login credentials. Once the connection has been established,
Expressway-C sends keep-alive packets to Expressway-E to maintain the connection. When
Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C.
Expressway-C then routes the call to CUCM to reach the called user or endpoint, and the
call is then established.
Figure 2 Jabber MRA architecture
1.12.2 Mobile and Remote Access (MRA) Setup
Prior to MRA deployment, make sure you have already completed the basic configuration of
Expressway-C and Expressway-E, such as DNS, NTP, etc.
1.12.3 Communication Protocols and Communication Security
The following TCP/UDP ports need to be opened on the DMZ outside firewall.
Table 23 Inbound from public internet to Expressway-E (DMZ)
CONNECTION TYPE | SOURCE ENVIRONMENT | SOURCE (Session initiation) | PORTS/PROTOCOL | DESTINATION ENVIRONMENT | DESTINATION (Session destination) | PORTS/PROTOCOL | Comments
Internal | Production | 151.140.142.0/23 | TCP/ >=1024 | DMZ | 192.168.52.27 | TCP/ 443 | HTTPS Management of VCS-E [pg. 4]
Internal | Production | 151.140.142.0/23 | TCP/ >=1024 | DMZ | 192.168.52.27 | TCP/ 22 | SSH Management of VCS-E [pg. 4]
Internal | Production | 151.140.130.0/23 | TCP/ >=1024 | DMZ | 192.168.52.27 | TCP/ 443 | HTTPS Management of VCS-E [pg. 4]
Internal | Production | 151.140.130.0/23 | TCP/ >=1024 | DMZ | 192.168.52.27 | TCP/ 22 | SSH Management of VCS-E [pg. 4]
Internal | Production | 151.140.12.80 | TCP/ >=1024 | DMZ | 192.168.52.27 | TCP/ 22 | SSH Management of VCS-E [pg. 4]
Internal | Production | 151.140.12.80 | UDP/ >=1024 | DMZ | 192.168.52.27 | UDP/ 161 | SNMP Management of VCS-E [pg. 4]
Internal | Production | 172.26.50.157 | TCP/ 25000-29999 | DMZ | 192.168.52.27 | TCP/ 7001 | SIP Signaling [pg. 8,28]
Internal | Production | 172.26.50.157 | UDP/ 36002-40999 | DMZ | 192.168.52.27 | UDP/ 36002-40999 | RTP/RTCP [pg. 8,28]
Internal | Production | 172.26.50.157 | TCP/ 30000-35999 | DMZ | 192.168.52.27 | TCP/ 7400 | XMPP (IM and Presence) [pg. 28,33]
Internal | Production | 172.26.50.157 | TCP/ 30000-35999 | DMZ | 192.168.52.27 | TCP/ 2222 | SSH (HTTPS tunnels) [pg. 28]
Internal | DMZ | 192.168.52.27 | UDP/ 123 | Production | 165.130.1.7 | UDP/ 123 | NTP [pg. 5]
Internal | DMZ | 192.168.52.27 | TCP/ 30000-35999 | Production | 165.130.210.127 | TCP/ 636 | LDAPS [pg. 5]
Internal | DMZ | 192.168.52.27 | TCP/ 30000-35999 | Production | 165.130.143.238 | TCP/ 636 | LDAPS [pg. 5]
Internal | DMZ | 192.168.52.27 | UDP/ 30000-35999 | Production | 165.130.1.10 | UDP/ 514 | Splunk [pg. 5]
Internal | DMZ | 192.168.52.27 | UDP/ >=1024 | Production | 165.130.1.9 | UDP/ 53 | DNS [pg. 7]
Internet | DMZ | 192.168.52.19 | TCP/ 25000-29999 | Internet | ANY | TCP/ >=1024 | SIP Signaling [pg. 9]
Internet | DMZ | 192.168.52.19 | UDP/ 36002-40999 | Internet | ANY | UDP/ >=1024 | RTP/RTCP [pg. 9,29]
Internet | Internet | ANY | TCP/ >=1024 | DMZ | 192.168.52.19/207.11.113.60 | TCP/ 5222 | XMPP (IM and Presence) [pg. 29]
Internet | Internet | ANY | TCP/ >=1024 | DMZ | 192.168.52.19/207.11.113.60 | TCP/ 8443 | UDS (phone and provisioning) [pg. 29]
Internet | Internet | ANY | TCP/ >=1024 | DMZ | 192.168.52.19/207.11.113.60 | TCP/ 5061 | SIP Signaling [pg. 9,29]
Internet | Internet | ANY | UDP/ >=1024 | DMZ | 192.168.52.19/207.11.113.60 | UDP/ 36002-40999 | RTP/RTCP [pg. 9,29]
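One way to check a firewall rule export against the Internet-sourced rows of Table 23, added here as an example and not part of the original design. The rule dictionaries, their field names and the sample rules are hypothetical; the allowed ports and the Expressway-E addresses are the ones listed in the table.

```python
# Added example: compares Internet-sourced firewall rules with the Internet
# rows of Table 23. Rule format and field names are hypothetical.
EXPRESSWAY_E = {"192.168.52.19", "207.11.113.60"}

# (protocol, first port, last port) allowed from ANY Internet source, per Table 23.
ALLOWED_INBOUND = [
    ("tcp", 5222, 5222),    # XMPP (IM and Presence)
    ("tcp", 8443, 8443),    # UDS (phone and provisioning)
    ("tcp", 5061, 5061),    # SIP signaling
    ("udp", 36002, 40999),  # RTP/RTCP
]

def parse_ports(spec):
    """Turn '5061' or '36002-40999' into an inclusive (low, high) pair."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return low, high

def is_allowed(proto, low, high):
    """A rule passes only if its whole range sits inside one allowed range."""
    return any(proto == p and a <= low and high <= b for p, a, b in ALLOWED_INBOUND)

def audit(rules):
    """Return findings for Internet-sourced rules that exceed Table 23."""
    findings = []
    for rule in rules:
        if rule["src"].upper() != "ANY" or rule["dst"] not in EXPRESSWAY_E:
            continue  # only Internet -> Expressway-E rules are in scope here
        proto = rule["proto"].lower()
        low, high = parse_ports(rule["ports"])
        if not is_allowed(proto, low, high):
            findings.append(f'{rule["name"]}: {proto}/{rule["ports"]} not in Table 23')
    return findings

# Constructed rule export. "mgmt-https" and "rtp-wide" are deliberate
# misconfigurations; "mgmt-ssh" has an internal source and is out of scope.
FIELDS = ("name", "src", "dst", "proto", "ports")
SAMPLE_RULES = [dict(zip(FIELDS, row)) for row in [
    ("mra-xmpp", "ANY", "207.11.113.60", "TCP", "5222"),
    ("mra-uds", "ANY", "207.11.113.60", "TCP", "8443"),
    ("mra-sip-tls", "ANY", "207.11.113.60", "TCP", "5061"),
    ("mra-media", "ANY", "192.168.52.19", "UDP", "36002-40999"),
    ("mgmt-https", "ANY", "192.168.52.19", "TCP", "443"),
    ("rtp-wide", "any", "207.11.113.60", "UDP", "36000-41999"),
    ("mgmt-ssh", "151.140.12.80", "192.168.52.27", "TCP", "22"),
]]
```

A widened range is reported as a whole because any port outside the table's range is exposure the design did not call for.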
1.12.4 Expressway Security Certificates requirement
Expressway needs certificates for:
HTTPS connectivity
TLS connectivity for SIP signaling, endpoints
Connections to other systems such as CUCM and IMP.
The following certificates are required:
Certificate for Expressway-C server (must include Webserver and Client Authentication extension)
o Private certificates issued by Home Depot CA are deployed. This is the same CA that
issues UCM certificates.
Certificate for Expressway-E server (must include Webserver and Client Authentication extension)
o Private certificates issued by Entrust CA are deployed. This is the external CA for
Expressway-E.
Root Certificate of CA server
1.12.5 Setting up the Expressway-C
To enable Unified Communications for Mobile and Remote Access (MRA) on Expressway-C
navigate to:
Configuration > Unified Communications > Configuration, Select Mobile and remote access
Table 24 Mobile and Remote access
Parameter Value
Unified Communications mode Mobile and remote access
You must configure the domains for which registration, call control, provisioning, messaging and
presence services are to be routed to Unified CM.
Table 25 Expressway Core Domains
Parameter Value
Domain homedepot.com
SIP registrations and provisioning on Unified CM On
IM and Presence services on Unified CM On
XMPP federation Off
To provide provisioning, SIP registration and IMP services Expressway-C needs to be aware of
the deployed IMP and CUCM Servers.
Table 26 Discover CUCM Server
Parameter Value
Unified CM Publisher address atl-nsv-cucm.homedepot.com
Username administrator
Password *******
TLS verify mode Off
To configure the IMP servers used for remote access, on Expressway-C, navigate to:
Configuration > Unified Communications > IM and Presence servers
Click New to add a new IMP server. The table below details the configured values.
Table 27 Discover IMP Server
Parameter Value
IM and Presence publisher address atl-nsv-cups01.homedepot.com
Username administrator
Password *******
TLS verify mode On
Since Home Depot will use CA-signed certificates, the Expressway-C's trusted CA list must
include the root CA of the issuer of the tomcat certificate.
Note: the status of the IMP server will show as Inactive until a valid traversal zone connection
between the Expressway-C and the Expressway-E has been established (this step is detailed in
the following section).
To support the mobile and remote access feature, there must be a secure traversal zone
connection between the Expressway-C and Expressway-E.
To set up a secure traversal zone, configure your Expressway-C as follows:
1. Go to Configuration > Zones > Zones.
2. Click New.
3. Configure the fields as follows:
Table 28 Unified Communications Traversal Zone Parameters
Parameter Value
Name Expressway_Traversal_Zone
Type Unified Communications traversal
Username thdmratzauth
Password *******
H.323 Mode Off
SIP section
Mode On
Port 7001
Accept proxied registrations Allow
ICE Support Off
SIP poison mode Off
Authentication section
Authentication policy Treat as authenticated
Location section
Peer 1 address atl-nsv-vcse01.homedepot.com
1.12.6 Setting up the Expressway-E
To enable Unified Communications for Mobile and Remote Access (MRA) on Expressway-E,
navigate to
Configuration > Unified Communications > Configuration
Select Mobile and remote access
Table 29 Mobile and remote access
Parameter Value
Unified Communications mode Mobile and remote access
To disable TURN services on Expressway-E, navigate to
Configuration>Traversal>TURN
Ensure that TURN services are off
To support the mobile and remote access feature, there must be a secure traversal zone
connection between the Expressway-C and Expressway-E.
To set up a secure traversal zone, configure your Expressway-E as follows:
1. Go to Configuration > Zones > Zones.
2. Click New.
3. Configure the fields as follows:
Table 30 Unified Communications Traversal Zone Parameters
Parameter Value
Name Mobile and Remote Access (MRA) Traversal Zone
Type Unified Communications traversal
Username mra
Password Click Add/Edit local authentication database, then in the popup dialog click New and enter Name (mra) and Password (XXXXX) and click Create Credential.
H.323 Mode Off
SIP section
Mode On
Port 7001
Transport TLS
Unified Communications Services Yes
TLS verify mode On
TLS verify subject name Expressway-C's FQDN
Media encryption mode Force encrypted
Authentication section
Authentication policy Do not check credentials
Location section
Peer 1 address N/A
Peer 2-6 address N/A
1.12.7 Summary of Supported and Unsupported Cisco Jabber Features for Mobile and Remote Access (MRA)
Table 31 Summary of Supported Jabber Features for Mobile and Remote Access (MRA)
Service Supported Unsupported
Directory
UDS directory search X
LDAP directory search X
Directory photo resolution X
* Need Web server
Intradomain federation X
Interdomain federation X
Instant Messaging and Presence
On-premises X
Cloud X
Chat X
Group chat X
High Availability: On-premises deployments X
File transfer: On-premises deployments X
File transfer: Cloud deployments X
Desktop clients, some file transfer features are supported for mobile clients.
Video desktop share - BFCP X (Cisco Jabber for mobile clients only support BFCP receive.)
Audio and Video
Audio and video calls X
* Cisco Unified Communications Manager 9.1(2) and later
Deskphone control mode (CTI) X
Extend and connect X
Dial via Office - Reverse X
Session persistency X
Early media X
SelfCare Portal access X
Voicemail
Visual voicemail X