jabber design

Upload: goutham-baratam

Post on 09-Jan-2016


  • 1 Cisco Jabber

    Jabber overview

    Cisco Jabber integrates a wide array of communications applications and services into a single desktop

    computer application. It provides access to a variety of communications tools, including voice-mail (Cisco

    Unity Connection), video (engine based on Cisco Movi Precision video engine), web conferencing (Cisco

    Webex), call management (Unified CM), directories (LDAP), and presence (Unified Presence)

    information.

    Cisco Jabber operates in Desk Phone (CTI control of the user's desk phone for Click to Call) and Soft
    Phone (software client operation) modes, and is supported on Apple Macintosh and Microsoft Windows
    platforms. There are also mobile clients available on iOS (iPhone, iPad), Android and BlackBerry.

    Jabber offers the following key features and benefits for the end-users:

    Instant Message/Chat over XMPP including:

    o Rich text formatting

    o File transfer

    o Screen capture

    o Group chat

    o Emoticons

    Desk phone control

    Software phone calling

    High definition video

    Video desktop sharing

    Visual voicemail

    WebEx Integration

    Exchange Calendaring Integration

    Microsoft Office integration

    Directory integration

    Click to Call Functionality support for Microsoft Applications

    Cisco Jabber for mobile clients includes:

    Instant Message/Chat over XMPP

    Software phone calling

    Visual voicemail

    WebEx Integration

    Figure below shows the components that make up the Jabber solution.

  • Figure 1 Jabber Components

    UCM LDAP Directory

    The integration is accomplished by means of the following two separate processes:

    LDAP synchronization

    o Synchronization of Unified CM with a corporate LDAP directory allows reuse of

    user data stored in the LDAP directory and allows the corporate LDAP directory

    to serve as the central repository for that information. Unified CM has an

    integrated database for storing user data and a web interface within Unified CM

    Administration for creating and managing user data in that database. When

    synchronization is enabled, that local database is still used, but the Unified CM

    facility to create user accounts becomes disabled

    LDAP authentication

    o This process enables the IMS library to authenticate user credentials against a

    corporate LDAP directory. When this feature is enabled, End User passwords are

    authenticated against the corporate directory, while Application User passwords

    are still authenticated locally against the Cisco Unified
    Communications Manager database. Cisco Extension Mobility PINs are also still

    authenticated locally.

  • 1.2.1 LDAP System Configuration

    Administrators use this window to enable LDAP synchronization and to set up the LDAP server

    type and the LDAP attribute name for the user ID.

    After an LDAP Directory configuration for the DirSync service gets created or the LDAP user

    authentication is enabled, the settings in the LDAP System window become read-only.

    The Active Directory sAMAccountName attribute will be used for the User ID synchronization.

    This gives users an experience similar to working with their domain login credentials.

    Table 1 LDAP System Settings

    Parameter Value

    Enable Synchronizing from LDAP Server Yes (Checked)

    LDAP Server Type Microsoft Active Directory

    LDAP Attribute for User ID sAMAccountName

    This section will outline the design and implementation of the Cisco Jabber solution and

    Collaboration edge Mobile and Remote Access (MRA), including IM/P, Expressway and Cisco

    Jabber.

    Home Depot requirements around enrolling Cisco Jabber as a product are on 2 fronts

    1. Jabber in Phone-only mode

    a. Jabber phone-only mode does not rely on or even need the IM/P servers or their services. The
    Jabber devices register directly to the UCM and can be used either to control a user's IP
    phone on the desk (deskphone-control mode) or to work as an independent phone
    client (softphone mode).

    2. Jabber in Full-UC mode

    The following table outlines at a high level the major differences in both these modes

    Table 2 Voicemail UC service

    Install Mode Jabber Full UC Jabber Phone mode

    Standards based Instant Messaging and Presence X

    User managed Contact list with groups X

    Directory search (Active Directory/LDAP) X X

    MS Outlook Contact search X X

    Soft phone Standards based Voice and Video Calling X X


    Desk Phone Control X X

    Desk phone Control with video support X X

    Extend and Connect 3rd party PBX/PSTN phone control X X

    Video Desktop Sharing (BFCP Standards based) X X

    Visual Voicemail (Unity Connection) X X

    Call History X X

    WebEx Meetings Integration X X

    (incl support for Outlook, Notes, Google) X X

    Admin/User defined custom DHTML Tabs X X

    Microsoft Office Integration (Office 2007/2010) X X

    Both of these modes are supported on the Enterprise segment as well as when Jabber clients

    register over the MRA architecture. Given that we have UCM v10.5 deployed, the IM/P portion

    will be designed on separate servers that are specifically deployed as IM/P nodes and run the

    IM/P services. As a client, Jabber will be deployed on Windows/Mac and mobile devices
    running the iOS and Android operating systems.

    Irrespective of the phone modes mentioned above, the following are the common design criteria:

    1. DNS SRV (DNS Service Record) records are used for automatic discovery of the UC servers and

    the different services.

    2. AD (Active Directory) attribute modification is required to enable Presence in Office applications

    3. The Cisco Jabber client retrieves contact photos from the AD thumbnailPhoto field, which needs to be
    pre-loaded into AD. It is Home Depot's responsibility to provide photo standards; employee photos
    will be updated by the AD support team.

    4. User Search - There are three options: EDI, BDI, and UDS

    a. EDI: Enhanced Directory Integration requires no configuration by default. If you install
    Cisco Jabber for Windows on a workstation that is registered to an Active Directory
    domain, Cisco Jabber for Windows automatically discovers the directory service and
    connects to a Global Catalog in the domain.

    b. BDI: Basic Directory Integration is an LDAP-based contact source for Android, iPhone,
    Mac, and iOS integration and will be utilized for these devices.

    c. UDS: User Data Service is an interface in Cisco Unified Communications Manager that
    makes contact information available to Cisco Jabber for VPN-less connectivity through
    the Expressway-Edge server and is the only option available when users connect using the
    Cisco MRA solution.

    5. Cisco Jabber Integration with Unity Connection

  • a. Cisco Unity Connection provides Cisco Jabber users with the ability to view, play, sort,

    and delete voicemail messages.

    6. Cisco recommends that all phone numbers in AD be reformatted to +E.164 format, with the
    exception of the Internal Dial Plan phone number (700xxxxyyyyy).

    a. Regarding contact number display, Jabber is just the passive receiving end: as long as
    those four AD attributes are populated in the expected format, Jabber will display them in
    contact information. Note that any extra formatting (dashes) will automatically be
    stripped out when presented in Jabber.

    7. Application Dial Rules will be implemented as Home Depot desires Jabber to be able to dial 10-

    digit local or 11-digit Long Distance PSTN calls.

    Cisco Jabber Voice Architecture

    1.3.1 Jabber and CUCM

    At initial login, Jabber downloads its configuration profile from the Cisco Presence server via

    AXL SOAP. The configuration file contains the primary and backup TFTP addresses of the

    CUCM cluster.

    When configured as Softphone, Jabber will download its configuration file from CUCM. In

    Softphone mode, the Jabber client is created in the CUCM DB as a SIP CSF device type endpoint.
    As with an IP phone, the configuration file downloaded from the CUCM TFTP contains the
    list of CUCM primary and failover server addresses and the transport protocol for Jabber to use in

    softphone mode to connect to CUCM. This list is based on the Device Pool of the CSF defined

    on the CUCM.

    The client receives services information via the service profile configured under the end user
    configuration in CUCM, which is downloaded from the CUCM TFTP service. With those UC
    services now available from the TFTP download, the Jabber client connects to the CUCM
    CTI Managers to take control of its IP phone when using desk phone mode.

    The Jabber client speaks native QBE with the CUCM CTI Manager, and thus there is no need to

    load TSP or JTAPI plugin on the PC.

    If the CTI connection to CUCM is lost while Jabber is operating in desk phone mode, the

    application tries to re-establish the connection to the primary and then to the backup servers.

    Connection attempts continue on a round-robin basis, beginning again with the primary server.

    Successive attempts to reconnect to a server occur at intervals of 4, 8, 16, 32, and 60 seconds

    (maximum) until a connection is re-established.

  • 1.3.2 Jabber and Cisco Unity Connection Voicemail

    Jabber can retrieve, listen to, and delete voicemail stored on the CUC virtual servers via IMAP, or
    securely via TLS.

    The IP addresses and TLS settings are learned from the user's CUCM Service Profile in 10.x,
    which has the voicemail server defined. The Jabber client user can also simply dial voicemail
    from the client to interact with the voice messaging system.

    Home Depot does use Cisco Unity Connection voicemail and will be using the visual voicemail

    feature in the Jabber client.

    CUCM Configuration for Jabber Voice

    1.4.1 UC Service profiles for Jabber client

    All the UC services like LDAP, Voicemail, CTI, etc are now configured on CUCM and assigned

    to the end user in CUCM. Under UC Service, configure the following services for Cisco Jabber

    Voicemail feature.

    1.4.2 UC Service

    The UC services that can be given to a user are as follows:

    1. Voicemail

    2. Mailstore (not deployed in Home Depot)

    3. Conferencing (not deployed in Home Depot)

    4. IM and Presence

    5. CTI

    There will be 2 service profiles created, one for the Phone-only mode deployment and another for Full-UC mode deployment. Typically the only difference in the Service profiles will be the use of IM and Presence services between these 2 deployment methods.

  • 1.4.2.1 Voicemail UC Service

    Table 3 Voicemail UC service

    Configuration Parameter Value

    Product Type Unity Connection

    Name VM_SVC

    Description Voicemail Service

    Hostname/IP Address atl-nsv-cuc01.homedepot.com

    Port 443

    Protocol HTTPS

    Name VM_SVC2

    Description Voicemail Service

    Hostname/IP Address aus-nsv-cuc01.homedepot.com

    Port 443

    Protocol HTTPS

    1.4.2.2 Mailstore

    This service is not designed for or implemented in Home Depot environment.

    1.4.2.3 Conferencing Server

    This service is not designed for or implemented in Home Depot environment.

    1.4.2.4 CTI UC Service

    For CTI access to devices users need access to a CTI server. We can configure multiple CTI

    servers for redundancy.

    Table 4 CTI UC Service

  • Configuration Value

    Product Type CTI

    Name CTI_SVC

    Description CTI Service

    Hostname/IP Address atl-nsv-cucm-services01.homedepot.com

    Port 2748

    Protocol TCP

    Name CTI_SVC2

    Description CTI Service

    Hostname/IP Address aus-nsv-cucm-services01.homedepot.com

    Port 2748

    Protocol TCP

    1.4.2.5 Directory UC Service

    Table 5 Directory UC Service

    Configuration Value

    Product Type Directory

    Name DIR_SVC

    Description Directory Service

    Hostname/IP Address atl-nsv-cucm-services01.homedepot.com

    Port 389

    Protocol TCP

    Name DIR_SVC

    Description Directory Service

    Hostname/IP Address aus-nsv-cucm-services01.homedepot.com

    Port 389

    Protocol TCP

    Name GC-Amer

    Description Global Catalog

    Hostname/IP Address amer-gc.amer.homedepot.com

    Port 3269

    Protocol TCP

    1.4.2.1 IM and Presence UC service

    This UC service is only applicable in Full-UC mode. Phone-only Mode users do not have this

    service applied through their service profile

  • Table 6 IMP Server Service

    Configuration Value

    Product Type IM and Presence

    Name IMP_SVC_Primary

    Description CUCM IMP Service

    Hostname/IP Address atl-nsv-cups01.homedepot.com

    Name IMP_SVC_Secondary

    Description CUCM IMP Service

    Hostname/IP Address aus-nsv-cups01.homedepot.com

    1.4.3 Service Profiles

    UC services are assigned to users via service profile. There will be 2 service profiles created,

    one for Phone-only mode and another for Full-UC mode. Home Depot will decide and

    communicate the assignments for their users and then these profiles will be assigned

    accordingly on the End-User page.

    1.4.3.1 Phone-Only mode UC Service profile

    Following Service profile is created for the Phone-only mode deployment of Jabber at

    Home Depot. This is set as the default profile in Home Depot as there will be large number

    of users who would need this functionality as compared against Full UC mode.

    Table 7 UC Service Profile Phone-Only mode

  • Configuration Value

    Name THD-Service Profile-PhoneMode

    Description THD-PhoneMode profile

    Make this the default service profile for the system

    Checked

    Voicemail Profile

    Primary VM_SVC

    Secondary VM_SVC

    Tertiary

    Credential source for voicemail service Unified CM IM and Presence

    Mailstore Profile

    Primary

    Secondary

    Tertiary

    Conferencing Profile

    Primary

    Secondary

    Tertiary

    Directory Profile

    Primary

    Secondary

    Tertiary

    Use UDS for Contact Resolution Unchecked

    Use Logged On User Credential Unchecked

    Username N/A

    Password N/A

    Search Base 1 N/A

    Search Base 2 N/A

    Search Base 3 N/A

    Recursive Search on All Search Bases Checked

    Search Timeout (seconds)Required Field 5

    Base Filter (Only used for Advance Directory)

    N/A

    Predictive Search Filter (Only used for Advance Directory)

    N/A

    IM and Presence Profile

    Primary

    Secondary

    Tertiary

    CTI Profile

    Primary CTI_SVC

    Secondary CTI_SVC2


    Tertiary

    1.4.3.1 Full-UC mode UC Service profile

    Following Service profile is created for the Full-UC mode deployment of Jabber at Home

    Depot and will be applied on a case-case basis only to specific users as identified.

    Table 8 UC Service Profile Full-UC mode

  • Configuration Value

    Name THD-Service Profile-FullMode

    Description THD-FullUC profile

    Make this the default service profile for the system

    Unchecked

    Voicemail Profile

    Primary VM_SVC

    Secondary VM_SVC

    Tertiary

    Credential source for voicemail service Unified CM IM and Presence

    Mailstore Profile

    Primary

    Secondary

    Tertiary

    Conferencing Profile

    Primary

    Secondary

    Tertiary

    Directory Profile

    Primary

    Secondary

    Tertiary

    Use UDS for Contact Resolution Unchecked

    Use Logged On User Credential Unchecked

    Username N/A

    Password N/A

    Search Base 1 N/A

    Search Base 2 N/A

    Search Base 3 N/A

    Recursive Search on All Search Bases Checked

    Search Timeout (seconds)Required Field 5

    Base Filter (Only used for Advance Directory)

    N/A

    Predictive Search Filter (Only used for Advance Directory)

    N/A

    IM and Presence Profile

    Primary IMP_SVC_Primary

    Secondary IMP_SVC_Secondary

    Tertiary

    CTI Profile

    Primary CTI_SVC

    Secondary CTI_SVC2


    Tertiary

    Cisco Jabber Configuration

    To enable the Cisco Jabber voice and video features, the Cisco Jabber device must be added to
    UCM as a soft phone device. Each Cisco Jabber platform requires a corresponding phone type
    and device name; the table below provides the details.

    Table 9 Cisco Jabber Platform and associated device name

    Cisco Jabber Platform Phone Type Device Name

    Windows Cisco Unified Client Services Framework

    CSF

    MAC Cisco Unified Client Services Framework

    CSF

    iPhone Cisco Dual Mode for iPhone TCT

    iPad Cisco Jabber for Tablet TAB

    Android Cisco Dual Mode for Android BOT

    The below table will use Cisco Jabber CSF as the example to demonstrate the parameters

    needed to register a Cisco Jabber CSF device.

    Table 10 Cisco Jabber Client Configuration

    Configuration Data Value

    Phone Type Cisco Unified Client Services Framework

    Device Name CSF (ex. CSFIOB01)

    Description Firstname Lastname CSF

    Device Pool DP-

    Phone Button Template Standard Client Services Framework

    Common Phone Profile Standard Common Phone Profile

    Calling Search Space CSS-Device-

    Location LOC-

    Primary Phone

    Owner User ID Select appropriate userid (ex.iob01)

    Allow Control of Device from CTI Checked

    Presence Group Standard Presence Group

    Device Security Profile Cisco Unified Services Framework


    Standard SIP

    SUBSCRIBE Calling Search Space

    SIP Profile Standard SIP Profile for Jabber

    Allow Control of Device from CTI Checked

    Video Calling Enabled

    Line [1] Directory Number Shared Line with HW Phone

    Line [1] Route Partition Shared Line with HW Phone

    Line [1] Allow Control of Device from CTI

    Checked

    Users Associated with Line (ex. Jdoe)

    Table 11 Cisco Jabber Client DN and User to Line Association

    Directory Number 700xxxxyyyyy

    Users Associated with Line Userid (configure the UserID here)

    Associated Devices CSFiob01

    Display Name Firstname Lastname

    ASCII Display Firstname Lastname

    1.5.1 Jabber for iPhone

    Table below shows the common parameters needed to register a Jabber for iPhone client as a

    softphone.

    Table 12 Jabber for iPhone configuration on UCM

    Configuration Data Value

    Phone Type Cisco Dual Mode for iPhone

    Device Name TCT (ex. TCTJDOE)

    Device Pool DP-

    Phone Button Template Standard Dual Mode for iPhone

    Common Phone Profile Standard Common Phone Profile

    Calling Search Space CSS-Device-

    Location LOC-

    Primary Phone

    Owner User ID Select appropriate userid (ex.iob01)

    Allow Control of Device from CTI Checked


    Presence Group Standard Presence Group

    Device Security Profile Cisco Dual Mode for iPhone - Standard SIP Non-Secure Profile

    SIP Profile Standard SIP Profile for Mobile Device

    Line [1] Directory Number XXXXXXXXXX

    Line [1] Route Partition XXXXXXXXXX

    Line [1] Allow Control of Device from CTI

    Checked

    Line [1] Presence Group Standard Presence Group

    Users Associated with Line (ex. Jdoe)

    1.5.2 Jabber for iPad

    Table below shows the common parameters needed to register a Jabber for iPad client as a

    softphone.

    Table 13 Jabber for iPad configuration

    Configuration Data Value

    Phone Type Cisco Jabber for Tablet

    Device Name TAB (ex. TABJDOE)

    Device Pool DP-

    Phone Button Template Standard Jabber for Tablet

    Common Phone Profile Standard Common Phone Profile

    Calling Search Space CSS-Device-

    Location LOC-

    Primary Phone

    Owner User ID Select appropriate userid (example -iob01)

    Allow Control of Device from CTI

    Checked

    Presence Group Standard Presence Group

    Device Security Profile Cisco Jabber for Tablet - Standard SIP Non-Secure Profile

    SIP Profile Standard SIP Profile


    Line [1] Directory Number XXXXXXXXXX

    Line [1] Route Partition XXXXXXXXXX

    Line [1] Allow Control of Device from CTI

    Checked

    Line [1] Presence Group Standard Presence Group

    Users Associated with Line (ex. Jdoe)

    1.5.3 Jabber for Android

    Table below shows the common parameters needed to register a Jabber for Android client as a

    softphone.

    Table 14 Jabber for Android configuration

    Configuration Data Value

    Phone Type Cisco Dual Mode for Android

    Device Name BOT (ex. BOTJDOE)

    Device Pool XXXXXXXXXX

    Phone Button Template Standard Dual Mode for Android

    Common Phone Profile Standard Common Phone Profile

    Calling Search Space CSS-Device-

    Location LOC-

    Primary Phone

    Owner User ID Select appropriate userid (example -iob01)

    Allow Control of Device from CTI Checked

    Presence Group Standard Presence Group

    Device Security Profile Cisco Dual Mode for Android - Standard SIP Non-Secure Profile

    SIP Profile Standard SIP Profile for Mobile Device

    Line [1] Directory Number XXXXXXXXXX

    Line [1] Route Partition XXXXXXXXXX

    Line [1] Allow Control of Device from CTI

    Checked

    Line [1] Presence Group Standard Presence Group

  • 1.5.4 End Users Cisco Jabber related configuration

    Update the End-User with the following configurations and associate a user with the service

    profile.

    Keep all other values as what have already been set except the ones called out below.

    Table 15 Cisco Jabber Clients with Hard phone Associations

    Parameter Value

    UserID userid

    Service Settings

    Home Cluster Checked

    Enable User for Unified CM IM and Presence (Configure IM and Presence in the associated UC Service Profile)

    Unchecked

    Include meeting information in presence Unchecked

    UC Service Profile Use System Default (THD-Service Profile-PhoneMode)

    Device Associations SEPAABBCCDDEE01

    CSFuserid

    TCTuserid

    TABuserid

    BOTuserid

    Primary Extension 700xxxxyyyy

    User Groups Standard CCM End Users

    Standard CTI Allow Control of Phones supporting Connected Xfer and conf

    Standard CTI Enabled

    1.5.5 Application Dial Rules

    Home Depot has expressed a desire that their users would use 10-digit local calling or 11-digit

    LD calling to PSTN from the Jabber clients. This is especially applicable for calling people in

    their Personal Contact list in MS Outlook application or from a browser. Application dial rules

    are implemented in Home Depot environment to achieve this 10-digit or 11-digit calls to PSTN.

    The ipPhone attribute is in the correct format and will not use the ADRs, as the numbers in the
    directory are in a format that can be directly dialed.

  • Table 16 Application Dial Rules Local Calls

    Parameters Value

    Name JabberX

    Number begins with X

    Number of Digits 10

    Total Digits to be removed 0

    Prefix with Pattern 91

    Where X = numbers 2 to 9

    Table 17 Application Dial Rules LD Calls

    Parameters Value

    Name Jabber LD Calls

    Number begins with 1

    Number of Digits 11

    Total Digits to be removed 0

    Prefix with Pattern 9
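The two rule sets in Tables 16 and 17, worked through as an added example (not part of the original design document or of CUCM itself). It assumes that a number matching no rule is dialed unchanged and that display formatting is stripped before matching; the sample numbers are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DialRule:
    name: str
    begins_with: str   # "Number begins with"
    num_digits: int    # "Number of Digits": exact length of the dialed string
    remove: int        # "Total Digits to be removed", counted from the front
    prefix: str        # "Prefix with Pattern"

    def apply(self, number: str) -> Optional[str]:
        """Return the transformed dial string, or None if the rule does not match."""
        if len(number) != self.num_digits:
            return None
        if not number.startswith(self.begins_with):
            return None
        return self.prefix + number[self.remove:]


# Table 16: one "JabberX" rule per leading digit X = 2..9 (10-digit local calls).
RULES: List[DialRule] = [
    DialRule(f"Jabber{d}", str(d), 10, 0, "91") for d in range(2, 10)
]
# Table 17: 11-digit long-distance calls that already start with 1.
RULES.append(DialRule("Jabber LD Calls", "1", 11, 0, "9"))


def normalize(raw: str) -> str:
    """Drop dashes, spaces, dots and parentheses; keep a leading '+' if present."""
    raw = raw.strip()
    plus = "+" if raw.startswith("+") else ""
    return plus + re.sub(r"\D", "", raw)


def translate(raw: str, rules: List[DialRule] = RULES) -> Tuple[str, Optional[str]]:
    """Return (dial string, name of the rule that fired or None)."""
    number = normalize(raw)
    for rule in rules:
        out = rule.apply(number)
        if out is not None:
            return out, rule.name
    # Assumption: with no matching rule the number is sent as entered.
    return number, None


if __name__ == "__main__":
    # Constructed sample numbers, not taken from the design document.
    for sample in ("404-555-0123", "1 (404) 555-0123", "700123456789",
                   "+14045550123", "1045550123"):
        print(f"{sample!r:22} -> {translate(sample)}")
```

Both the 10-digit and the 11-digit form of the same PSTN number come out as the same dial string, while the 12-digit internal number and the +E.164 form fall through both rule sets because neither the length nor the leading character matches.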

    1.5.6 Jabber Video Desktop Sharing Configuration

    To configure video desktop sharing in version 9.x of CUCM the BFCP configuration element is

    natively installed and does not require the install of a COP file.

    Table 18 Enable BFCP Jabber SIP profile

    Parameter Value

    Name Standard SIP Profile for Jabber

    Description SIP profile for CSF devices

    Allow Presentation Sharing using BFCP Checked

    The Jabber SIP Profile is a copy of the standard SIP profile with the above BFCP parameter checked. All other parameters on this profile will remain as is. Assign this Jabber SIP profile to SIP Trunk to CUPS and CSF devices created for Jabber

    1.5.6.1 Jabber desktop video

    There is no separate configuration required to enable video sharing on CSF devices. It is

    enabled by default. For this feature to work, Home Depot users need to:

    1. be on active calls to use desktop sharing capabilities. Video desktop sharing sessions can be
    initiated only from active calls.

    2. enable video desktop sharing only on soft phone devices. Video desktop sharing cannot be
    enabled on desk phone devices.

    1.5.7 Cisco Jabber - Cisco Jabber-config.xml file

    Home Depot has requested to disable certain features and functions on the Jabber clients. The

    XML File is how Jabber customizes certain configuration elements and features. To achieve

    this, certain values in the jabber-config file have been modified. Additionally, for LDAP
    BDI integration to work on Mac/iOS/Android devices, certain values have been changed. The
    Cisco Jabber-config.xml file below will be used to change the default Cisco Jabber behavior.

    ----------------------------------------------------------------------------------------------------------------------

    true

    true

    false

    false

    DISABLED

    true

    false

    CTRL+Alt+D

    deskphone

    false

    false

    false

  • false

    OFF

    0

    ldap.amer.homedepot.com

    ldap.amer.homedepot.com

    389

    389

    ipphone

    ipphone

    mail

    mail

    OU=THD Accounts,DC=amer,DC=homedepot,DC=com

    OU=THD Accounts,DC=amer,DC=homedepot,DC=com

    true

    true

    thumbnailPhoto

    thumbnailPhoto

    homedepot.com

    homedepot.com

    ----------------------------------------------------------------------------------------------------------------------

    Current Versions / Devices Supported

    The below table details the latest versions of the Jabber clients and the system requirements for

    installing them on the respective platforms.

  • Table 19 Jabber Clients System requirements

    Client Current Versions System Requirements

    Jabber for Windows 11.0 Operating system

    Microsoft Windows 10 (Desktop OS x86)

    Medianet MSI and Deskphone Video capabilities are not currently supported on Windows 10.

    Microsoft Windows 8.x, 32 and 64 bit

    Microsoft Windows 7 SP1 or later, 32 and 64 bit

    Minimum CPU speed and type

    Mobile AMD Sempron Processor 3600+ 2 GHz

    Intel Core2 CPU T7400 at 2.16 GHz

    Intel Atom

    Installed RAM

    2-GB RAM (Windows 7 and Windows 8)

    Free physical memory

    128 MB

    Disk space

    256 MB

    Graphics Processing

    DirectX11 (Windows 7)

    I/O ports

    When using USB cameras and audio devices, USB 2.0 is required.

    Jabber for iPhone and iPad

    11.0 iPhone 4s, 5, 5c, 5s, 6, and 6 Plus

    iPad 2, iPad with Retina display (3rd and 4th

    generation), iPad Air, iPad mini, or iPad mini with

    Retina display, iPad Air 2, and iPad mini 3

    iPod touch 5th generation

    iOS versions:

    iOS 8.0 and later (public releases)

    Jabber for Android

    Device Device Model Operating System

    Cisco DX 70 10.2.x version

    80 10.2.x version


    650 10.2.x version

    HTC One M7 Android OS 4.4.2 or later

    One M8 Android OS 4.4.2 or later

    One Max Android OS 4.4.2 or later

    Google Nexus 5 Android OS 4.4 or later

    6 Android OS 5.0.2 or later

    7 Android OS 4.4 or later

    9 Android OS 5.0.2 or later

    10 Android OS 4.4 or later

    LG G2 Android OS 4.2.2 or later

    G3 Android OS 4.4.2 or later

    Motorola Moto G Android OS 4.4.2 or later

    Samsung Galaxy Note II Android OS 4.2 or later

    Note III Android OS 4.3 or later

    Note IV Android OS 4.4.4 or later

    Note Edge Android OS 4.4.4 or later

    Note Pro 12.2 Android OS 4.4.2 or later

    Rugby Pro Android OS 4.2.2 or later

    SII Android OS 4.1.2 or later

    SIII Android OS 4.2.2 or later

    S4 Android OS 4.2.2 or later

    S4 mini Android OS 4.2.2 or later

    S5 Android OS 4.2.2 or later

    S5 mini Android OS 4.2.2 or later

    Tab 3 8-inch Android OS 4.4 or later

    S6 Android OS 5.0.2 or later

    S6 Edge Android OS 5.0.2 or later

    Tab 4 7-inch, 8-inch, and 10.1-inch

    Android OS 4.4.2 or later

    Tab PRO 8.4-inch and 10.1-inch

    Android OS 4.4.2 or later

    Tab S 8.4-inch & 10.5-inch

    Android OS 4.4.2 or later

    Note 10.1-inch 2014 Edition

    Android OS 4.4.2 or later

    Sony Xperia M2 Android OS 4.3 or later

    Z1 Android OS 4.2 or later

    Z2 Android OS 4.4.2 or later

    Z2 tablet Android OS 4.4.2 or later

    Z3 Android OS 4.4.2 or later

    ZR/A Android OS 4.1.2 or later

    Z3 Tablet Compact

    Android OS 4.4.4 or later

    Huawei Ascend G6 Android OS 4.2.2 or later

    Mate 7 Android OS 4.4.x

    Sonim XP7 Android OS 4.4.4

    Xiaomi 4 Android OS 4.4.x

  • Jabber and Quality of Service

    End-to-end QoS policies and the strategic direction around desktop traffic marking need to be
    considered for future deployment beyond this pilot deployment of Jabber clients.

    1.7.1 QoS Policies in Microsoft Windows

    UC clients receive the DSCP marking settings to use for Audio and Audio/Video calls from their

    Cisco Unified Communication Manager (CUCM) when they register to the CUCM as a

    (soft)phone client.

    It marks with the values specified in Cisco Unified Communication Manager: The Client

    Services Framework marks all signalling with a CS3 classification. The media associated with

    audio-only calls is marked EF, and video calls are marked with a DSCP value of AF41 for both

    audio and video.

    This can be configured for following Microsoft OSs:

    Windows XP: any user

    Windows Vista: Administrator user with User Account Control off

    Windows 7: Administrator user with User Account Control off

    Windows 8: QoS Group policies can be applied to the workstation. You can create a GPO which specifies the CSF application is allowed to mark traffic in specific port ranges.

    Home Depot can configure group policies in Microsoft Windows so that Windows clients

    automatically apply Differentiated Services Code Point (DSCP) values to media streams for

    Cisco Jabber for Windows. The policies you configure should match the CiscoJabber.exe

    application, the UDP protocol, and a source port range. In most cases, you should configure

    one policy to apply DSCP values to the audio call port range and another policy to apply DSCP

    values to the video call port range.

    Personal computer traffic is typically untrusted, and the network will strip DSCP markings made

    by an application from the PC unless the above items are implemented.

    1.7.2 Port Ranges on Cisco Unified Communications Manager

    Cisco Unified Communications Manager lets you define one port range for Cisco Jabber for

    Windows. Cisco Jabber for Windows divides this port range equally and uses the lower half for

    audio calls and the upper half for video calls. For example, you define a port range of 1000 to

    3000 in Cisco Unified Communications Manager. Cisco Jabber for Windows uses a port range

    of 1000 to 2000 for audio calls and a port range of 2000 to 3000 for video calls.

  • 1.7.3 Allocation of video and media ports for Jabber

    For CSF devices, you can specify a range of numbers available to be used for media ports in

    the SIP profile of the device in Cisco Unified Communications Manager. Use the Start Media

    Port and Stop Media Port fields to specify this range.

    The audio port for SIP devices is allocated randomly in the first half of this range, and the video

    port for SIP devices is allocated randomly in the second half of this range.

    So, an audio only call will be in range 16384-24576 and if it is a video call it will be in range

    24577-32767 for both the video media and audio media. For Home Depot, the Jabber devices

    should be treated as a trusted entity from the PC and put in the tier 3 video class of AF41 for

    video (video with audio) and EF for the audio only calls; signaling will be marked as CS3. The

    CSF SIP Signaling port is TCP/UDP 5060.
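    The marking plan above can be checked against observed traffic at the trust boundary. The following is an added example, not part of the original design document: the flow record layout and the sample flows are constructed, and a DSCP of 0 is assumed to mean "unmarked".

```python
from dataclasses import dataclass

# DSCP code points named in this section (standard decimal values).
DSCP = {"CS3": 24, "AF41": 34, "EF": 46}
DSCP_NAME = {value: name for name, value in DSCP.items()}

# Ranges quoted in section 1.7.3 for the SIP profile.
AUDIO_ONLY_PORTS = range(16384, 24576 + 1)   # audio-only calls -> EF
VIDEO_CALL_PORTS = range(24577, 32767 + 1)   # audio and video of video calls -> AF41
SIP_SIGNALING_PORT = 5060                    # CSF signalling -> CS3


@dataclass(frozen=True)
class Flow:
    """One observed flow from a Jabber PC (hypothetical record layout)."""
    proto: str      # "udp" or "tcp"
    src_port: int
    dst_port: int
    dscp: int       # decimal DSCP seen at the access switch


def expected_dscp(flow):
    """Return the DSCP the plan calls for, or None if the flow is outside the plan."""
    if flow.dst_port == SIP_SIGNALING_PORT:
        return DSCP["CS3"]
    if flow.proto == "udp" and flow.src_port in AUDIO_ONLY_PORTS:
        return DSCP["EF"]
    if flow.proto == "udp" and flow.src_port in VIDEO_CALL_PORTS:
        return DSCP["AF41"]
    return None


def audit(flows):
    """Return (flow, finding) for every flow whose marking breaks the plan."""
    findings = []
    for flow in flows:
        want = expected_dscp(flow)
        if want is None and flow.dscp != 0:
            findings.append((flow, "priority marking on traffic outside the Jabber plan"))
        elif want is not None and flow.dscp == 0:
            findings.append((flow, "marking stripped or never applied"))
        elif want is not None and flow.dscp != want:
            findings.append((flow, f"expected {DSCP_NAME[want]}, saw DSCP {flow.dscp}"))
    return findings


# Constructed sample flows (not captured from a real network).
SAMPLE_FLOWS = [
    Flow("udp", 17000, 20000, 46),   # audio-only call marked EF
    Flow("udp", 25000, 30000, 34),   # video call media marked AF41
    Flow("tcp", 50000, 5060, 24),    # SIP signalling marked CS3
    Flow("udp", 18000, 20000, 0),    # audio port range but unmarked
    Flow("udp", 26000, 30000, 46),   # video-call port range marked EF
    Flow("udp", 40000, 9999, 46),    # other application claiming EF
]

if __name__ == "__main__":
    for flow, finding in audit(SAMPLE_FLOWS):
        print(flow, "->", finding)
```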

    There is no change in how video and audio ports are allocated for the devices used when you

    are using your desk phone. Audio is terminated on the desk phone itself, and video always uses

    the following ports:

    Supported LDAP Directory Services

    Cisco Jabber for Windows v11.x supports integration with the following directory services:

    1. Active Directory Domain Services for Windows Server 2012 R2

    2. Active Directory Domain Services for Windows Server 2008 R2

    3. OpenLDAP 2.4 and later

    4. Active Directory Lightweight Directory Service (AD LDS) or Active Directory Application Mode (ADAM)

    Microsoft Active Directory 2008 R2 is used by Home Depot.

    1.8.1 AD attributes and Cisco Jabber fields

    Table 20 AD Phone attributes and Cisco Jabber fields mapping

    AD Attribute | Cisco Jabber Field
    telephoneNumber | Work
    Mobile | Mobile
    homePhone | Home
    otherTelephone | Other
    ipPhone | ipPhone

  • DNS SRV Records for Cisco Jabber Login

    Configure the following Internal and External DNS SRV records for Cisco Jabber login.

    Table 21 Internal DNS SRV Records for Cisco Jabber Auto Login

    Domain | Service | Protocol | Port | Priority | Weight | TTL | Host
    homedepot.com | _cuplogin | _tcp | 8443 | 10 | 10 | 86400 | atl-nsv-cups01.homedepot.com
    homedepot.com | _cisco-uds | _tcp | 8443 | 10 | 10 | 86400 | atl-nsv-cucm01.homedepot.com
    homedepot.com | _cisco-uds | _tcp | 8443 | 10 | 10 | 86400 | aus-nsv-cucm02.homedepot.com

    Table 22 External DNS SRV Records for Cisco Jabber Auto Login

    Domain | Service | Protocol | Port | Priority | Weight | TTL | Host
    homedepot.com | _collab-edge | _tls | 8443 | 10 | 10 | 86400 | uc-remote.homedepot.com
    homedepot.com | _sips | Tcp | 5061 | 10 | 10 | 86400 | uc-remote.homedepot.com

    Integration with Microsoft Outlook and Office 2010

    Microsoft Exchange integration with the IM and Presence Service allows users to incorporate

    their calendar/meeting status from Microsoft Outlook into their availability status on the IM and

    Presence Service. The table below shows the reachability mappings, and how the IM and

    Presence Service correlates the status of meetings (as shown in Microsoft Outlook calendar) in

    the availability status of users on the IM and Presence Service.

    Client side integration for Outlook and Office integration allows Home Depot users to perform

    Click2Call from these applications.

    Cisco Jabber Auto Login Procedure

    In an Active Directory integrated environment, the Cisco Jabber client auto login consists of the

    following three key steps:

    1. The Cisco Jabber client gets a service domain.

    2. The Cisco Jabber client discovers the available service.

    3. The Cisco Jabber client authenticates with AD and applies the service profile.

  • 1.11.1 Cisco Jabber Client gets a service domain.

    The user is prompted to enter a Cisco Jabber user account, which is used to determine the services domain. In the Home Depot scenario, the Cisco Jabber user account format is:

    [email protected] or [email protected]

    The following steps are an example of how the client gets a services domain after a new installation:

    1. John Doe launches Cisco Jabber for the first time.

    2. Cisco Jabber prompts John to enter his login account.

    3. Assuming John's sAMAccountName is jdoe, John enters [email protected].

    4. The client extracts the service domain homedepot.com from the above sign-in address.

    1.11.2 Cisco Jabber client discovers available service

    The client requests the following SRV records:

    1. _cisco-uds

    2. _cuplogin

    3. _collab-edge

    If the name server returns _cisco-uds or _cuplogin, the client detects that it is inside the corporate network and connects to one of the following:

    Cisco Unified Communications Manager - if the name server returns _cisco-uds.

    Cisco IMP - if the name server returns _cuplogin.

    If the name server returns _collab-edge, the client attempts to connect to the internal network through Expressway Mobile and Remote Access (MRA) and discover services.

    If DNS returns no response to the SRV queries, the client prompts the user to manually enter setup and sign-in details.

    1.11.3 Cisco Jabber client authenticates with AD and applies Service profile

    Based on the discovered service, the Cisco Jabber client takes the following actions:

    1. _cisco-uds

    The client does the following:

    a) Prompt the user for credentials to authenticate with AD.

    b) Retrieve the service profile. The service profile provides the client with the authenticator as well

    as client and UC service configuration.

    2. _cuplogin

    The client does the following:

    a) Determine that Cisco IMP is the primary source of authentication.

    b) Automatically connect to the server.

    c) Prompt the user for credentials and authenticate with AD.

    d) Retrieve client and service configuration.

    3. _collab-edge

    If the name server returns the _collab-edge SRV record, the client does the following:

    a) Send the internal SRV requests (_cisco-uds and _cuplogin) to Expressway-E.

    b) Expressway-E forwards the request to Expressway-C.

    c) Expressway-C looks up the internal SRV records and provides them to Expressway-E, which then responds to the client's request.

    d) After the client gets the internal SRV records, it retrieves service profiles from CUCM. The service profiles then provide the client with the user's home cluster, the primary source of authentication.
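    The discovery decision in sections 1.11.1 to 1.11.3 depends entirely on which SRV records each DNS view returns, so record placement is worth auditing. The following is an added example, not code from the original document or from Cisco: the DNS views are constructed from Tables 21 and 22, the sign-in address jdoe@homedepot.com is a constructed sample, the preference order is assumed to follow the list in 1.11.2, and the weight ordering is a deterministic simplification of RFC 2782.

```python
# Constructed DNS views: record name -> list of (priority, weight, port, host).
INTERNAL_VIEW = {
    "_cisco-uds._tcp.homedepot.com": [(10, 10, 8443, "atl-nsv-cucm01.homedepot.com"),
                                      (10, 10, 8443, "aus-nsv-cucm02.homedepot.com")],
    "_cuplogin._tcp.homedepot.com": [(10, 10, 8443, "atl-nsv-cups01.homedepot.com")],
}
EXTERNAL_VIEW = {
    "_collab-edge._tls.homedepot.com": [(10, 10, 8443, "uc-remote.homedepot.com")],
}

# Query order follows the list in section 1.11.2 (assumed to be the preference order).
SERVICES = [("_cisco-uds", "_tcp", "internal: Unified CM (UDS)"),
            ("_cuplogin", "_tcp", "internal: IM and Presence"),
            ("_collab-edge", "_tls", "external: Expressway MRA")]
INTERNAL_ONLY = {"_cisco-uds", "_cuplogin"}


def service_domain(sign_in):
    """Step 1: take the services domain from a user@domain sign-in address."""
    user, sep, domain = sign_in.strip().rpartition("@")
    if not sep or not user or not domain or "@" in user:
        raise ValueError(f"not a user@domain address: {sign_in!r}")
    return domain.lower().rstrip(".")


def discover(sign_in, view):
    """Steps 2-3: return (mode, [(host, port), ...]) for the first service found."""
    domain = service_domain(sign_in)
    for service, proto, mode in SERVICES:
        records = view.get(f"{service}.{proto}.{domain}", [])
        if records:
            # Lowest priority value first, then highest weight (simplified RFC 2782).
            ordered = sorted(records, key=lambda r: (r[0], -r[1]))
            return mode, [(host, port) for _, _, port, host in ordered]
    return "manual: prompt for setup and sign-in details", []


def audit_external_view(external):
    """Flag internal-only SRV records that resolve from outside the network.

    A client that receives _cisco-uds or _cuplogin concludes it is inside the
    corporate network, so a leaked record keeps remote clients off the MRA path.
    """
    return [f"{name} is resolvable externally"
            for name in sorted(external)
            if name.split(".")[0] in INTERNAL_ONLY]


if __name__ == "__main__":
    for label, view in (("internal", INTERNAL_VIEW), ("external", EXTERNAL_VIEW), ("no SRV", {})):
        print(label, "->", discover("jdoe@homedepot.com", view))
    print(audit_external_view(EXTERNAL_VIEW))
```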

    Collaboration Edge Design

    Collaboration Edge is an umbrella term to describe Cisco's entire collaboration architecture. The goal of Collaboration Edge Architecture is to help bridge islands to enable any-to-any collaboration, no matter what size your organization is.

    Collaboration Edge Architecture core products include:

    1. Cisco Expressway

    2. Cisco UCM

    3. Cisco Jabber

    4. CUBE

    5. Gateway

    6. SRST

    Cisco Mobile and Remote Access (MRA), or VPN-less access, for Cisco Jabber is a core part of the Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning, messaging and presence services provided by Cisco UCM when the endpoint is not within the enterprise network. The rest of this chapter focuses on MRA/VPN-less access for Cisco Jabber.

    The overall solution provides:

    1. Off-premises access for Cisco Jabber and EX/MX/SX Series clients

    2. Secure business-to-business Communications

    3. Service: WebEx, Voice messaging, Audio/Video Call

    4. Gateway and interoperability services

    1.12.1 Mobile and Remote Access (MRA) Overview

    Expressway is based on the existing Cisco Telepresence Video Communication Server (VCS).

    Both products share the same codebase. The installed option keys (license) decide in which

    mode the code operates. A Cisco Expressway solution consists of two entities: Expressway-C

    and Expressway-E.

    Expressway-C is deployed inside the enterprise network. It serves as a SIP proxy and a communications gateway for Cisco Unified CM. Expressway-C is configured as a Unified Communications traversal client to communicate with Expressway-E to allow inbound and outbound calls to traverse the device. In the Home Depot setup, Expressway-C and Expressway-E are deployed in a cluster for redundancy and scalability.

    The Expressway-E cluster is deployed in the DMZ. It is also a SIP proxy, and it is configured as a Unified Communications traversal server to receive communication from the Expressway-C. In Home Depot's environment the Expressway-E is configured with two network interfaces, which requires the Advanced Networking option key to be installed on the Expressway-E system. One NIC is connected to the internal network and one is connected to the DMZ network, which faces the internet. The external-facing (DMZ) NIC has an externally resolvable name (uc-remote.homedepot.com), which the external/public DNS servers resolve to a public IP address (207.11.113.60).

    Expressway-C initiates traversal connections outbound through the firewall to specific ports on

    Expressway-E with secure login credentials. Once the connection has been established,

    Expressway-C sends keep-alive packets to Expressway-E to maintain the connection. When

    Expressway-E receives an incoming call, it issues an incoming call request to Expressway-C.

    Expressway-C then routes the call to CUCM to reach the called user or endpoint and then the

    call will be established.

  • Figure 2 Jabber MRA architecture

    1.12.2 Mobile and Remote Access (MRA) Setup

    Prior to MRA deployment, make sure you have already completed the basic configuration of Expressway-C and Expressway-E, such as DNS and NTP.

    1.12.3 Communication Protocols and Communication Security

    Accordingly, the following TCP/UDP ports need to be opened on the DMZ outside firewall.

    Table 23 Inbound from public internet to Expressway-E (DMZ)

    CONNECTION TYPE | SOURCE ENVIRONMENT | SOURCE (Session initiation) | PORTS/PROTOCOL | DESTINATION ENVIRONMENT | DESTINATION (Session destination) | PORTS/PROTOCOL | Comments
    Internal | Production | 151.140.142.0/23 | TCP/ >=1024 | DMZ | 192.168.52.27 | TCP/ 443 | HTTPS Management of VCS-E [pg. 4]
    Internal | Production | 151.140.142.0/23 | TCP/ >=1024 | DMZ | 192.168.52.27 | TCP/ 22 | SSH Management of VCS-E [pg. 4]
    Internal | Production | 151.140.130.0/23 | TCP/ >=1024 | DMZ | 192.168.52.27 | TCP/ 443 | HTTPS Management of VCS-E [pg. 4]
    Internal | Production | 151.140.130.0/23 | TCP/ >=1024 | DMZ | 192.168.52.27 | TCP/ 22 | SSH Management of VCS-E [pg. 4]
    Internal | Production | 151.140.12.80 | TCP/ >=1024 | DMZ | 192.168.52.27 | TCP/ 22 | SSH Management of VCS-E [pg. 4]
    Internal | Production | 151.140.12.80 | UDP/ >=1024 | DMZ | 192.168.52.27 | UDP/ 161 | SNMP Management of VCS-E [pg. 4]
    Internal | Production | 172.26.50.157 | TCP/ 25000-29999 | DMZ | 192.168.52.27 | TCP/ 7001 | SIP Signaling [pg. 8,28]
    Internal | Production | 172.26.50.157 | UDP/ 36002-40999 | DMZ | 192.168.52.27 | UDP/ 36002-40999 | RTP/RTCP [pg. 8,28]
    Internal | Production | 172.26.50.157 | TCP/ 30000-35999 | DMZ | 192.168.52.27 | TCP/ 7400 | XMPP (IM and Presence) [pg. 28,33]
    Internal | Production | 172.26.50.157 | TCP/ 30000-35999 | DMZ | 192.168.52.27 | TCP/ 2222 | SSH (HTTPS tunnels) [pg. 28]
    Internal | DMZ | 192.168.52.27 | UDP/ 123 | Production | 165.130.1.7 | UDP/ 123 | NTP [pg. 5]
    Internal | DMZ | 192.168.52.27 | TCP/ 30000-35999 | Production | 165.130.210.127 | TCP/ 636 | LDAPS [pg. 5]
    Internal | DMZ | 192.168.52.27 | TCP/ 30000-35999 | Production | 165.130.143.238 | TCP/ 636 | LDAPS [pg. 5]
    Internal | DMZ | 192.168.52.27 | UDP/ 30000-35999 | Production | 165.130.1.10 | UDP/ 514 | Splunk [pg. 5]
    Internal | DMZ | 192.168.52.27 | UDP/ >=1024 | Production | 165.130.1.9 | UDP/ 53 | DNS [pg. 7]
    Internet | DMZ | 192.168.52.19 | TCP/ 25000-29999 | Internet | ANY | TCP/ >=1024 | SIP Signaling [pg. 9]
    Internet | DMZ | 192.168.52.19 | UDP/ 36002-40999 | Internet | ANY | UDP/ >=1024 | RTP/RTCP [pg. 9,29]
    Internet | Internet | ANY | TCP/ >=1024 | DMZ | 192.168.52.19/207.11.113.60 | TCP/ 5222 | XMPP (IM and Presence) [pg. 29]
    Internet | Internet | ANY | TCP/ >=1024 | DMZ | 192.168.52.19/207.11.113.60 | TCP/ 8443 | UDS (phone and provisioning) [pg. 29]
    Internet | Internet | ANY | TCP/ >=1024 | DMZ | 192.168.52.19/207.11.113.60 | TCP/ 5061 | SIP Signaling [pg. 9,29]
    Internet | Internet | ANY | UDP/ >=1024 | DMZ | 192.168.52.19/207.11.113.60 | UDP/ 36002-40999 | RTP/RTCP [pg. 9,29]
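    Table 23 can serve as a baseline for detecting firewall drift: only the four MRA services should be reachable from the internet, and nothing in the DMZ should initiate a session to Expressway-C, since traversal connections are opened outbound from Expressway-C. The following is an added example, not part of the original document: the rules are transcribed from Table 23, 172.26.50.157 is assumed to be Expressway-C because it is the source of the port 7001 traversal rule, and the two drift rules are constructed.

```python
# Each rule: (src_env, src, dst_env, dst, proto, dst_ports, comment)
EXPE_A, EXPE_B = "192.168.52.27", "192.168.52.19"   # Expressway-E addresses as listed in Table 23
EXPRESSWAY_C = "172.26.50.157"   # assumption: source of the port 7001 traversal rule

RULES = [
    ("Production", "151.140.142.0/23", "DMZ", EXPE_A, "tcp", "443", "HTTPS management"),
    ("Production", "151.140.142.0/23", "DMZ", EXPE_A, "tcp", "22", "SSH management"),
    ("Production", "151.140.130.0/23", "DMZ", EXPE_A, "tcp", "443", "HTTPS management"),
    ("Production", "151.140.130.0/23", "DMZ", EXPE_A, "tcp", "22", "SSH management"),
    ("Production", "151.140.12.80", "DMZ", EXPE_A, "tcp", "22", "SSH management"),
    ("Production", "151.140.12.80", "DMZ", EXPE_A, "udp", "161", "SNMP management"),
    ("Production", EXPRESSWAY_C, "DMZ", EXPE_A, "tcp", "7001", "SIP signaling"),
    ("Production", EXPRESSWAY_C, "DMZ", EXPE_A, "udp", "36002-40999", "RTP/RTCP"),
    ("Production", EXPRESSWAY_C, "DMZ", EXPE_A, "tcp", "7400", "XMPP"),
    ("Production", EXPRESSWAY_C, "DMZ", EXPE_A, "tcp", "2222", "SSH (HTTPS tunnels)"),
    ("DMZ", EXPE_A, "Production", "165.130.1.7", "udp", "123", "NTP"),
    ("DMZ", EXPE_A, "Production", "165.130.210.127", "tcp", "636", "LDAPS"),
    ("DMZ", EXPE_A, "Production", "165.130.143.238", "tcp", "636", "LDAPS"),
    ("DMZ", EXPE_A, "Production", "165.130.1.10", "udp", "514", "Splunk"),
    ("DMZ", EXPE_A, "Production", "165.130.1.9", "udp", "53", "DNS"),
    ("DMZ", EXPE_B, "Internet", "ANY", "tcp", ">=1024", "SIP signaling"),
    ("DMZ", EXPE_B, "Internet", "ANY", "udp", ">=1024", "RTP/RTCP"),
    ("Internet", "ANY", "DMZ", EXPE_B, "tcp", "5222", "XMPP"),
    ("Internet", "ANY", "DMZ", EXPE_B, "tcp", "8443", "UDS"),
    ("Internet", "ANY", "DMZ", EXPE_B, "tcp", "5061", "SIP signaling"),
    ("Internet", "ANY", "DMZ", EXPE_B, "udp", "36002-40999", "RTP/RTCP"),
]

# Baseline taken from Table 23 itself.
INTERNET_TO_DMZ_OK = {("tcp", "5222"), ("tcp", "8443"), ("tcp", "5061"), ("udp", "36002-40999")}
DMZ_TO_PROD_OK = {("udp", "123"), ("tcp", "636"), ("udp", "514"), ("udp", "53")}


def audit_rules(rules):
    """Return findings for rules that widen exposure beyond the Table 23 baseline."""
    findings = []
    for src_env, src, dst_env, dst, proto, ports, comment in rules:
        service = (proto, ports)
        if src_env == "Internet" and dst_env == "DMZ" and service not in INTERNET_TO_DMZ_OK:
            findings.append(f"internet can reach {proto}/{ports} on {dst} ({comment})")
        if src_env == "DMZ" and dst_env == "Production":
            if dst == EXPRESSWAY_C:
                findings.append(f"DMZ host {src} may initiate to Expressway-C on {proto}/{ports}")
            elif service not in DMZ_TO_PROD_OK:
                findings.append(f"unexpected DMZ-initiated flow to {dst} on {proto}/{ports} ({comment})")
    return findings


# Constructed drift rules, not from the page, to show what the audit reports.
DRIFT = [
    ("Internet", "ANY", "DMZ", EXPE_B, "tcp", "22", "SSH"),
    ("DMZ", EXPE_A, "Production", EXPRESSWAY_C, "tcp", "7001", "reverse traversal"),
]

if __name__ == "__main__":
    print(audit_rules(RULES))
    print(audit_rules(RULES + DRIFT))
```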

    1.12.4 Expressway Security Certificates requirement

    Expressway needs certificates for:

    HTTPS Connectivity

    TLS connectivity for SIP signaling, endpoints

    Connections to other systems such as CUCM and IMP.

    The following certificates are required:

    Certificate for Expressway-C server (must include Webserver and Client Authentication extension)

    o Private certificates issued by Home Depot CA are deployed. This is the same CA that issues UCM certificates

    Certificate for Expressway-E server (must include Webserver and Client Authentication extension)

    o Private certificates issued by Entrust CA are deployed. This is the external CA for Expressway-E

    Root Certificate of CA server

    1.12.5 Setting up the Expressway-C

    To enable Unified Communications for Mobile and Remote Access (MRA) on Expressway-C

    navigate to:

    Configuration > Unified Communications > Configuration, Select Mobile and remote access

    Table 24 Mobile and Remote access

    Parameter | Value
    Unified Communications mode | Mobile and remote access

    You must configure the domains for which registration, call control, provisioning, messaging and presence services are to be routed to Unified CM.

    Table 25 Expressway Core Domains

    Parameter | Value
    Domain | homedepot.com
    SIP registrations and provisioning on Unified CM | On
    IM and Presence services on Unified CM | On
    XMPP federation | Off

    To provide provisioning, SIP registration and IMP services Expressway-C needs to be aware of

    the deployed IMP and CUCM Servers.

    Table 26 Discover CUCM Server

    Parameter | Value
    Unified CM Publisher address | atl-nsv-cucm.homedepot.com
    Username | administrator
    Password | *******
    TLS verify mode | Off

  • To configure the IMP servers used for remote access, on Expressway-C, navigate to:

    Configuration > Unified Communications > IM and Presence servers

    Click the New button to add a new IMP server. The table below details the configured values.

    Table 27 Discover IMP Server

    Parameter | Value
    IM and Presence publisher address | atl-nsv-cups01.homedepot.com
    Username | administrator
    Password | *******
    TLS verify mode | On

    Since Home Depot will use CA-signed certificates, the Expressway-C's trusted CA list must include the root CA of the issuer of the tomcat certificate.

    Note: the status of the IMP server will show as Inactive until a valid traversal zone connection between the Expressway-C and the Expressway-E has been established (this step is detailed in the following section).

    To support mobile and remote access feature, there must be a secure traversal zone

    connection between the Expressway-C and Expressway-E.

    To set up a secure traversal zone, configure your Expressway-C as follows:

    1. Go to Configuration > Zones > Zones.

    2. Click New.

    3. Configure the fields as follows:

    Table 28 Unified Communications Traversal Zone Parameters

    Parameter | Value
    Name | Expressway_Traversal_Zone
    Type | Unified Communications traversal
    Username | thdmratzauth
    Password | *******
    H.323 Mode | Off
    SIP section
    Mode | On
    Port | 7001
    Accept proxied registrations | Allow
    ICE Support | Off
    SIP poison mode | Off
    Authentication section
    Authentication policy | Treat as authenticated
    Location section
    Peer 1 address | atl-nsv-vcse01.homedepot.com

    1.12.6 Setting up the Expressway-E

    To enable Unified Communications for Mobile and Remote Access (MRA) on Expressway-E,

    navigate to

    Configuration > Unified Communications > Configuration

    Select Mobile and remote access

    Table 29 Mobile and remote access

    Parameter Value

    Unified Communications mode Mobile and remote access

    To disable TURN services on Expressway-E, navigate to

    Configuration>Traversal>TURN

    Ensure that TURN services are off

    To support mobile and remote access feature, there must be a secure traversal zone

    connection between the Expressway-C and Expressway-E.

    To set up a secure traversal zone, configure your Expressway-E as follows:

    1. Go to Configuration > Zones > Zones.

    2. Click New.

    3. Configure the fields as follows:

    Table 30 Unified Communications Traversal Zone Parameters

    Parameter | Value
    Name | Mobile and Remote Access (MRA) Traversal Zone
    Type | Unified Communications traversal
    Username | mra
    Password | Click Add/Edit local authentication database, then in the popup dialog click New and enter Name (mra) and Password (XXXXX) and click Create Credential.
    H.323 Mode | Off
    SIP section
    Mode | On
    Port | 7001
    Transport | TLS
    Unified Communications Services | Yes
    TLS verify mode | On
    TLS verify subject name | Expressway-C's FQDN
    Media encryption mode | Force encrypted
    Authentication section
    Authentication policy | Do not check credentials
    Location section
    Peer 1 address | N/A
    Peer 2-6 address | N/A

    1.12.7 Summary of supported and Unsupported Cisco Jabber feature for Mobile and Remote Access (MRA)

    Table 31 Summary of Supported Jabber feature for Mobile and Remote Access (MRA)

    Service Supported Unsupported

    Directory

    UDS directory search X

    LDAP directory search X

    Directory photo resolution X

    * Need Web server

    Intradomain federation X

    Interdomain federation X

    Instant Messaging and Presence

    On-premises X

    Cloud X

    Chat X

    Group chat X

    High Availability: On-premises deployments X

    File transfer: On-premises deployments X

    File transfer: Cloud deployments X

    Desktop clients, some file transfer features are supported for mobile clients.


    Video desktop share - BFCP X (Cisco Jabber for mobile clients only support BFCP receive.)

    Audio and Video

    Audio and video calls X

    * Cisco Unified Communications Manager 9.1(2) and later

    Deskphone control mode (CTI) X

    Extend and connect X

    Dial via Office - Reverse X

    Session persistency X

    Early media X

    SelfCare Portal access X

    Voicemail

    Visual voicemail X