BRKCOL-2239 jabber LDAP

BRKCOL-2239
Jabber Deployment Revisited
Part 1: Deployment and Provisioning
Bryan Morris, Technical Marketing Engineer, Cisco Jabber Team
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKCOL-2239
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
PART ONE: Jabber Modes; Enabling Users for Jabber; Connecting Jabber to Services; Jabber User Authentication; Users & Contacts; Installing Jabber Clients
PART TWO: Jabber IM & Presence; Voice/Video Calling; Conferencing Options; Desktop Share; Application Integration; Jabber Diagnostics
This presentation assumes:
1. Jabber On-Premise
2. Jabber Client 11.9+
3. UC Manager 11.5SU3a+
JABBER MODES EXPLAINED

Jabber Operating Modes
• Jabber provides multiple operating modes to meet different customer requirements: IM Only Mode, Soft Phone Mode, Soft Phone Mode (with Contact list), Soft Phone for VDI mode*, Desk phone Control*, Extend & Connect*, Full UC Mode
• Mix different Cisco Jabber modes to create your end user experience
* Not available on all platforms
Infrastructure Services for Jabber
UC Manager Services (Required):
• User Management
• Config/Profile Management
• Call Control (SIP)
• CTI Control
• Contact resolution (UDS)
IM & Presence Services:
• Contact List Storage
• Presence Service
• Instant Messaging
Other Services:
• Visual Voicemail
• Conference Bridge
• Mobile & Remote Access
• WebEx/Spark Services
• Contact resolution (LDAP)
The diagram is repeated for each operating mode, highlighting the services that mode uses: IM ONLY MODE; SOFT PHONE Client ONLY; SOFT PHONE + Contact List (NEW in Jabber 12.0: enable/display IM&Presence in Messaging/Presence Settings); FULL Unified Communications Mode.
Jabber 12.0 gives more flexibility to use services.
Building Clusters
UC CLUSTER
• Single Node: 25,000 Users
• Single Cluster: up to 6 Nodes per cluster, deployed in pairs for HA: 75,000 Users
• Single or Multi-domain configuration

Building Clusters – Scale solution with more clusters
• Add further UC clusters; each cluster can be in a single or multi-domain configuration
Building Clusters – Voice/IM&P Clusters
• Voice/Video clusters (1, 2, ...) with a CENTRALISED IM&P CLUSTER (No Telephone Services)
• The user's Home Cluster is located by UDS Discovery (NEW in 12.0 (11.5SU4))
• Single node for User management
• Note: No SIP publish trunk required for centralised IM&P Model (client based)
CREATING JABBER USERS

Jabber User Structure
• Example for Full UC deployment
• Modify to change operating mode
UC Manager End User (UserID synced from LDAP, or locally created): Base Config, IM&P enabled, Home Cluster, Group Membership (including CTI Group Membership), DN/URI Associations to User, Service Profile (Directory, VisualVM, Conf (WebEx), Jabber XML; *IM&P profile not used), Associated Devices.
IM & Presence Service: UserID plus Address Scheme and DEFAULT Presence Domain (XMPP), e.g. [email protected].
Voice/Video Services: devices Soft (CSF), Desk/CTI (SEP) and Mobile (BOT/TCT), CTI (DeskPh), DN/URI Associations to Device, Directory Number and SIP URI.
Creating Jabber Users
User Creation using LDAP Sync/Feature Template
SYNC Users via LDAP + Feature template:
• Creates the User
• Sets Home cluster
• Assigns Service profile
• Enables for IM&P
• Assigns groups
• Creates DN
• Creates SIP URI
Quick User/Phone Add:
• Creates Device
• Associates to Line
• Associates to User
• Associates for presence
Creating a Service Profile on UC Manager
• Service profile is a collection of UC service definitions
• Create a voicemail profile if using Cisco Unity Connection; a mail store is not required as Jabber uses the VMREST API
• Create a conference profile if using WebEx Meetings
• Set the Directory Profile; uncheck UDS if using LDAP
• Define the IM&P profile if not using auto-discovery; technically only required for Centralized IM&P deployments but good practice to set
• CTI profile only required if deploying desk phone control mode; alternatively <useCUCMGroupForCti>true</useCUCMGroupForCti>
Create User Profile on UC Manager
• Go to User Management>User Settings>User Profile
• Associate universal templates to the User Profile

Create Universal Device & Line Templates on UC Manager
• Universal Device and Line Templates are associated to users via the User Profile
• Go to User Management>User/Phone Add>…
Create Feature Group Template on UC Manager
Go to User Management>User/Phone Add>Feature Group Template
• Check Home Cluster
• Enable IM as required
• Select service profile
• Select user profile
• Enable CTI if using desk phone control mode
LDAP: UC Manager UserID
• This is the UserID we will use to login to Jabber
• In a single domain the recommendation is sAMAccountName
• In a multi-domain forest the recommendation is userPrincipalName
Communication Addresses – XMPP (Jabber ID)
• Administrator can decide what schema to use for the XMPP address format
Option 1 (Default JID mode): JID is created based on UC manager ID + admin defined presence domain
Why choose this method:
• Default IM&P server configuration
• Presence ID = UC manager user ID
• Doesn’t require additional directory config
Option 2 (flexible JID mode): JID is created based on email or MS SIP address
Why choose this method:
• UC Manager user ID <> Email ID
• Aligns Email and IM&P Address
• Supports Multi-domain configuration
Note: requires contact source configuration in jabber-config.xml file
LDAP: Sync
• Define Sync settings: Account, Search base, Attributes
• Remember: this is used for the UDS contact source
• If using Flexible JID set Directory URI
Communication Addresses – Flexible JID mode
• Flexible JID mode needs to be configured on the presence server
• On the presence server go to Presence>Settings>Advanced Configuration and change the IM Address Scheme to Directory URI
• NOTE: LDAP config in UC manager must also be mapped (we will see this later)
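As an added example (not from the slides), the following Python derives the UC Manager user ID and the JID each LDAP user would receive under Option 1 (userID@presence domain) and Option 2 (Directory URI), and flags entries that would not sync cleanly. The LdapUser class, the plan_jids function and the three sample directory entries are constructed for this example; stripping the sip: prefix from msRTCSIP-PrimaryUserAddress is an assumption.

```python
# Added example: pre-sync check of UC Manager user IDs and XMPP JIDs.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LdapUser:
    sAMAccountName: str
    userPrincipalName: str
    mail: Optional[str] = None
    msRTCSIP_PrimaryUserAddress: Optional[str] = None  # the slide's "MS SIP address"


def uc_manager_user_id(user: LdapUser, multi_domain_forest: bool) -> str:
    """Slide recommendation: sAMAccountName in a single domain,
    userPrincipalName in a multi-domain forest."""
    return user.userPrincipalName if multi_domain_forest else user.sAMAccountName


def directory_uri(user: LdapUser, attribute: str) -> Optional[str]:
    """Directory URI attribute selected on the UC Manager LDAP sync page."""
    if attribute == "mail":
        return user.mail
    if attribute == "msRTCSIP-PrimaryUserAddress":
        value = user.msRTCSIP_PrimaryUserAddress
        # Assumption: the sip: prefix is dropped when used as a Directory URI.
        return value[4:] if value and value.lower().startswith("sip:") else value
    raise ValueError(f"unsupported Directory URI attribute: {attribute}")


def jabber_id(user: LdapUser, scheme: str, presence_domain: str,
              multi_domain_forest: bool, uri_attribute: str = "mail") -> Optional[str]:
    """scheme 'default'       -> Option 1: userID@presence_domain
       scheme 'directory_uri' -> Option 2: the Directory URI value"""
    if scheme == "default":
        return f"{uc_manager_user_id(user, multi_domain_forest)}@{presence_domain}"
    if scheme == "directory_uri":
        return directory_uri(user, uri_attribute)
    raise ValueError(f"unknown IM address scheme: {scheme}")


def plan_jids(users: List[LdapUser], scheme: str, presence_domain: str,
              multi_domain_forest: bool, uri_attribute: str = "mail") -> Tuple[Dict[str, str], List[str]]:
    """Return ({uc_user_id: jid}, [issues]) for a batch of directory entries.
    Users with an issue are left out of the plan so they can be fixed first."""
    plan: Dict[str, str] = {}
    issues: List[str] = []
    seen_ids: Dict[str, str] = {}
    seen_jids: Dict[str, str] = {}
    for u in users:
        uid = uc_manager_user_id(u, multi_domain_forest)
        if uid in seen_ids:
            issues.append(f"duplicate UC Manager user ID {uid!r} ({seen_ids[uid]} and "
                          f"{u.userPrincipalName}); use userPrincipalName")
            continue
        seen_ids[uid] = u.userPrincipalName
        jid = jabber_id(u, scheme, presence_domain, multi_domain_forest, uri_attribute)
        if not jid:
            issues.append(f"{uid}: no {uri_attribute} value, so no JID under the Directory URI scheme")
            continue
        if jid.count("@") != 1:
            # A UPN-style user ID under Option 1 yields user@domain@presence_domain.
            issues.append(f"{uid}: JID {jid!r} must contain exactly one '@'; use the Directory URI scheme")
            continue
        if jid.lower() in seen_jids:
            issues.append(f"{uid}: JID {jid!r} already used by {seen_jids[jid.lower()]}")
            continue
        seen_jids[jid.lower()] = uid
        plan[uid] = jid
    return plan, issues


# Constructed sample directory: one forest with two child domains, the same
# sAMAccountName in both, and one user with no mail attribute.
SAMPLE_USERS = [
    LdapUser("cholland", "cholland@example.com", "cholland@example.com"),
    LdapUser("asmith", "asmith@emea.example.com", "asmith@example.com"),
    LdapUser("asmith", "asmith@apac.example.com", None, "sip:asmith.apac@example.com"),
]

if __name__ == "__main__":
    for scheme, multi in (("default", False), ("default", True), ("directory_uri", True)):
        plan, issues = plan_jids(SAMPLE_USERS, scheme, "example.com", multi)
        print(scheme, "multi-domain" if multi else "single-domain", plan, issues)
```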
LDAP: Sync Group Settings
• Group settings allow us to apply the Feature Group template and define a mask to import directory numbers from AD/LDAP
User Creation process – Running Sync imports users
• SYNC Users via LDAP + Feature template: creates the User, sets Home cluster, assigns Service profile, enables for IM&P, assigns groups, creates DN, creates SIP URI
• Quick User/Phone Add: creates Device, associates to Line, associates to User, associates for presence
Add Device to LDAP Sync'd User
• Go to User Management>User/Phone Add>Quick User/Phone Add
The End Result……
• Device Created
• Directory number associated to new device
• Directory URI populated
• User associated with Line for presence
Summary of User Creation
1: We took the User from the directory with directory number and URI (+14085551234, [email protected])
2: We sync'd the user including group membership and service profile
3: We enabled IM&P and other settings with a feature template
4: We auto created directory number with URI based on email
5: We created device and associated line and user with quick phone add
HOW JABBER CONNECTS TO UC SERVICES

Understanding Jabber Configuration Store
• Jabber Clients maintain a local configuration store
• Store contains service profile, jabber-config and buddy list configuration data
• Store is AES-256-CBC encrypted with self-generated encryption keys
• Keys are stored in keychain, keystore or profile depending on platform
• FAST Login: on next login config & contacts are restored from local storage for a fast login experience, then refreshed from the server after 1 to 5 minutes*
* Config then refreshed for persistent connection every 7~9 hours
Jabber Day Zero Login and Regular Login
• Day 0 Login: on Day 0 the client retrieves config and contacts
• Contact List and client config are encrypted and saved locally
• FAST Login: on next login config & contacts are restored from local storage for a fast login experience, then refreshed from the server after 1 to 5 minutes*
* Config then refreshed for persistent connection every 7~9 hours
DAY 0 LOGIN

Day Zero Service Discovery
• On Day 0 the client retrieves config and contacts
• Jabber needs to find its services…. On-Premise Deployment or Cloud Deployment? Locate Home Cluster
• Jabber finds services using Service Discovery:
• Seed = Service Domain “example.com”
• DNS & REST requests used to locate services
• UDS (REST) used to identify home cluster
• Configuration Store can then be populated
How to find the Service Domain
• The service domain may be identified using the client….
• Automatic (Client knew Service domain)
• Ask the User
• Manual - AVOID!!! (Don’t discover, I’ll tell you)
Service Domain - Automatic Discovery Methods
• If logged into a Windows domain then environment variables show the UPN (override with UPN_DISCOVERY_ENABLED)
• EMM can push configuration for mobile clients (iOS/android)
• MSI install switches or package management (SCCM/GP):
msiexec /i CiscoJabberSetup.msi SERVICES_DOMAIN=example.com
• URL Provisioning:
ciscojabber://provision?ServicesDomain=example.com
Cloud Discovery (WebEx Messenger)
• Jabber will also check if the Jabber domain is enabled for WebEx Messenger
• Client sends REST request to Cisco WebEx service to check domain:
http://loginp.webexconnect.com/cas/FederatedSSO?org=example.com
• If response from cloud indicates the domain is enabled for WebEx Messenger then client will automatically switch to cloud mode.
• If your organisation is using on-premise mode please contact WebEx support to disable cloud.
On Premise Discovery
• Jabber will send a DNS request to try and locate a UC manager cluster to register to: DNS SRV Request for _cisco-uds._tcp.servicedomain.com (corporate network DNS server)
• Admin must create DNS SRV record(s) pointing to a UC manager node in a cluster
• Discovery can also support multiple clusters with cluster discovery (discussed later)
Service Discovery – Cluster discovery
• Once Jabber has a Cisco-UDS server address from DNS SRV it will connect to the UDS server
• Firstly, it will check the version of UC Manager:
https://host:8443/cucm-uds/version
• Secondly it will confirm if this is the “home cluster” for the Jabber user (Where is my home cluster?):
https://host:8443/cucm-uds/clusterUser?username=asmith
• If the user is provisioned on the cluster the server will respond with local server address
Service Discovery – Cluster discovery
• In a multi-cluster deployment, if the user doesn’t exist on the queried server a cluster discovery is performed to known clusters (Cluster 1, Cluster 2, Cluster 3).
• The UDS server will query other clusters defined in cluster ILS configuration (UDS REST is used)
• The user's home cluster is defined in end user configuration (Home Sweet Home!!!)
Service Discovery – Home Cluster
• Jabber will request a list of all UDS nodes in the cluster, randomize the list and connect to a UDS node in the home cluster:
https://host:8443/cucm-uds/servers
• Jabber will now proceed to download configuration info from UDS and TFTP services on UC Manager/IM&P: User Profile, Service Profile, Jabber-config <XML>, Device List, Device Config, Contact List
• Configuration downloaded to local config store
Jabber Diagnostics will show you all the UDS REST and TFTP requests the Jabber client made during service discovery.

FAST LOGIN

Day Zero Login is complete…….
• Day 0 Login: on first login client retrieves config and contacts
• Contact List and client config are encrypted and saved locally
• FAST Login: on next login config & contacts restored from local storage for fast login experience; config and contacts refreshed from server after login (1 to 5 minutes*)
• User can force early refresh using “Refresh configuration” if required
* Config then refreshed every 7~9 hours
Edge Discovery – Always performed
• Jabber also performs “Edge” discovery with a 2nd SRV request (Am I inside the corporate network?)
• Internal DNS server (corporate network): DNS SRV Request for _cisco-uds._tcp.servicedomain.com, answered with UC Manager
• External DNS server (Internet): DNS SRV Request for _collab-edge._tcp.servicedomain.com, answered with Expressway; different servers
• This DNS record ONLY exists on the external DNS server
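As an added example (not from the slides), the Python below runs the Day 0 decisions from the preceding slides offline: both SRV lookups for edge discovery, the /cucm-uds/version check, the clusterUser query with ILS-style fallback to other known clusters, and the randomised /cucm-uds/servers pick. The DNS answers, hostnames, version string and the XML reply layouts are constructed stand-ins for this example, not the documented cucm-uds schema.

```python
# Added example: Day 0 edge and cluster discovery against constructed data.
import random
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


UDS_SRV = "_cisco-uds._tcp"
# The slide writes _collab-edge._tcp; Cisco publishes the MRA record as
# _collab-edge._tls, which is what a real resolver is asked for.
EDGE_SRV = "_collab-edge._tls"

# Constructed split-horizon DNS: the edge record exists only in the external view.
INTERNAL_DNS: Dict[str, List[Srv]] = {
    f"{UDS_SRV}.example.com": [Srv(10, 50, 8443, "cucm1.example.com"),
                               Srv(10, 50, 8443, "cucm2.example.com")],
}
EXTERNAL_DNS: Dict[str, List[Srv]] = {
    f"{EDGE_SRV}.example.com": [Srv(10, 10, 8443, "expe.example.com")],
}


def by_preference(records: List[Srv]) -> List[Srv]:
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def edge_discovery(domain: str, dns: Dict[str, List[Srv]]) -> Tuple[str, List[Srv]]:
    """Both SRV lookups are always made. _cisco-uds answering means the client is
    inside the corporate network; only _collab-edge answering means Expressway."""
    uds = dns.get(f"{UDS_SRV}.{domain}", [])
    edge = dns.get(f"{EDGE_SRV}.{domain}", [])
    if uds:
        return "internal", by_preference(uds)
    if edge:
        return "edge", by_preference(edge)
    return "none", []


# Constructed UDS replies keyed by (host, path); a real client fetches these over
# HTTPS on 8443. cucm9 is a separate cluster known through ILS.
UDS_REPLIES: Dict[Tuple[str, str], str] = {
    ("cucm1.example.com", "/cucm-uds/version"): "<version>11.5.1</version>",
    ("cucm1.example.com", "/cucm-uds/clusterUser?username=asmith"):
        '<clusterUser><result found="false"/></clusterUser>',
    ("cucm1.example.com", "/cucm-uds/clusterUser?username=cholland"):
        '<clusterUser><result found="true"><servers><server>cucm1.example.com</server>'
        '<server>cucm2.example.com</server></servers></result></clusterUser>',
    ("cucm1.example.com", "/cucm-uds/servers"):
        "<servers><server>cucm1.example.com</server><server>cucm2.example.com</server></servers>",
    ("cucm9.example.com", "/cucm-uds/clusterUser?username=asmith"):
        '<clusterUser><result found="true"><servers><server>cucm9.example.com</server>'
        '</servers></result></clusterUser>',
    ("cucm9.example.com", "/cucm-uds/servers"):
        "<servers><server>cucm9.example.com</server></servers>",
}


def uds_get(host: str, path: str) -> str:
    """Stand-in for GET https://host:8443{path}; KeyError means no answer."""
    return UDS_REPLIES[(host, path)]


def version_ok(xml_text: str, minimum: Tuple[int, int] = (11, 5)) -> bool:
    """First step on every UDS node: reject anything older than the deck's 11.5 baseline."""
    parts = ET.fromstring(xml_text).text.strip().split(".")
    return tuple(int(p) for p in parts[:2]) >= minimum


def home_servers(xml_text: str) -> List[str]:
    """Servers named in a clusterUser reply, or [] when the user is not provisioned there."""
    result = ET.fromstring(xml_text).find("result")
    if result is None or result.get("found") != "true":
        return []
    return [s.text for s in result.iter("server")]


def find_home_cluster(username: str, seed_host: str, ils_peers: Tuple[str, ...]) -> List[str]:
    """Ask the SRV-discovered node first, then the ILS-known clusters."""
    for host in (seed_host, *ils_peers):
        try:
            servers = home_servers(uds_get(host, f"/cucm-uds/clusterUser?username={username}"))
        except KeyError:
            continue  # node unreachable or no answer: try the next cluster
        if servers:
            return servers
    return []


def choose_uds_node(servers: List[str], rng=random) -> str:
    """Slide: fetch all UDS nodes in the home cluster, randomise, connect to one."""
    nodes = list(servers)
    rng.shuffle(nodes)
    return nodes[0]


def day_zero(domain: str, username: str, dns: Dict[str, List[Srv]],
             ils_peers: Tuple[str, ...] = ("cucm9.example.com",), rng=random) -> dict:
    location, records = edge_discovery(domain, dns)
    if location != "internal":
        return {"location": location, "home": [], "uds_node": None}  # MRA path not modelled
    seed = records[0].target
    if not version_ok(uds_get(seed, "/cucm-uds/version")):
        raise RuntimeError("UC Manager older than the assumed 11.5 baseline")
    home = find_home_cluster(username, seed, ils_peers)
    node = None
    if home:
        all_nodes = [s.text for s in ET.fromstring(uds_get(home[0], "/cucm-uds/servers")).iter("server")]
        node = choose_uds_node(all_nodes, rng)
    return {"location": location, "seed": seed, "home": home, "uds_node": node}
```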
Secure Communication - Cert Requirements
• Jabber uses secure communications to connect to UC services
• CA signed Certificates must be in place
• Default self-signed certs will generate the following error message (shown in the slide screenshot)
Certificate Signing Request
• Certificate management is performed in OS admin
• “tomcat” certificate is required for UC manager TFTP/UDS services
• “cup-xmpp” certificate is required for XMPP on IM&P
• If using multi-domain then all domains must be in the SAN
• Jabber will check certificate revocation (both internally and externally)
Cisco Collaboration Cloud On-boarding – Push Notifications
• If using Jabber iOS clients you also need to connect your UC Manager cluster to the Cisco Collaboration Cloud.
• Call/Chat event for Jabber User: UC Manager connects through the corporate firewall to the Cisco Cloud (fos-a.wbx2.com, push.webexconnect.com, idbroker.webex.com on 443/TCP); alternative routes via Proxy or Expressway
• Apple Notification to Jabber iOS from Apple iCloud: 17.0.0.0/8 5223/TCP, 17.0.0.0/8 443/TCP
Cisco Collaboration Cloud On-boarding – Push Notifications
• Advanced Features> Cisco Cloud Onboarding: new configuration screen in UC manager from 11.5SU3
• Process creates a machine account based on the UC manager license. Customer doesn’t require a Spark org.
• Process can also install the required Certificates for connection to the cloud.
HOW JABBER AUTHORISATION WORKS

Service Authorisation and Authentication
• Jabber must authenticate to services like UDS, XMPP, Unity and Expressway
• Jabber will query UC manager to identify the authorisation method deployed.
• SSO Discovery: https://cucm:8443/ssosp/ws/public/singleSignOn
• SSO Discovery will return one of 4 responses…..
SSO Discovery Responses
• If running UC Manager 9.x, 10.x, 11.0 (11.5, 12.x optional):
1. Username/password, no refresh token (UC or LDAP Authentication)
2. SAML-SSO, no refresh token (IDP Authentication)
• If running UC Manager 12.0 (incl. 11.5 SU3+):
3. OAuth 2.0 with refresh token (UC or LDAP Authentication)
4. OAuth 2.0 with SAML-SSO and refresh token (IDP Authentication)
• When using remote access, Expressway can be hardcoded to a single authentication method or can query the cluster on the user's behalf
How do you know you're using OAuth?
• Once OAuth is enabled the Jabber login screen will change.
• Login screen will not be presented as a webpage from UC manager
How does OAuth 2.0 with refresh work…..
Actors: Jabber 11.9 Client; UC Manager Authentication (CUCM User, LDAP User or IDP User); UC Manager Authorisation; IM&P Chat Service, Unity Connection Voicemail and UC Manager UDS Service (Authorised Users Only, token required).
1. Jabber discovers the new Authorisation flow is being used. The Authorisation Service redirects the client to the Authentication Service before authorisation can take place.
2. Jabber authenticates with the Authentication service. The authentication method is dependent on UC Manager configuration (CUCM, LDAP or IDP user).
3. The Authentication service refers Jabber back to the Authorisation service. Access and Refresh tokens are issued.
4. Once issued, the Access token is used for service access. All CUCM services and IM&P services trust the token; Unity Connection can also trust the CUCM token.
5. Before the Access token life (60 Mins) expires Jabber will use the Refresh token to request a new Access token from the OAuth server. No need to go back to Authentication.
6. When the Refresh token expires (60 Days) full authentication is required again.
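As an added example (not from the slides), the following Python models the token lifecycle in steps 4 to 6 so the effect of the two lifetimes can be checked: the lifetimes are the slide's 60 minutes and 60 days; the 5-minute refresh-ahead window, the non-sliding refresh-token expiry and the JabberOAuthSession class are assumptions made for this example.

```python
# Added example: which path the client takes before each service request.
from typing import Dict, List, Optional, Tuple

ACCESS_TOKEN_LIFETIME = 60 * 60           # 60 mins (slide)
REFRESH_TOKEN_LIFETIME = 60 * 24 * 3600   # 60 days (slide)
REFRESH_AHEAD = 5 * 60                    # assumed: refresh shortly before expiry


class JabberOAuthSession:
    """Tracks what the client must do before calling UDS, IM&P or Unity."""

    def __init__(self) -> None:
        self.access_expires_at: Optional[float] = None
        self.refresh_expires_at: Optional[float] = None
        self.log: List[Tuple[float, str]] = []  # (time, action) history

    def full_authentication(self, now: float) -> None:
        # Steps 1-3: redirect to Authentication, authenticate, receive both tokens.
        # Assumption: the refresh token's expiry is fixed at issue, not extended by use.
        self.access_expires_at = now + ACCESS_TOKEN_LIFETIME
        self.refresh_expires_at = now + REFRESH_TOKEN_LIFETIME

    def authorise(self, now: float) -> str:
        """Return 'token' (step 4), 'refresh' (step 5) or 'full_auth' (step 6 / first login)."""
        if self.access_expires_at is not None and now + REFRESH_AHEAD < self.access_expires_at:
            action = "token"
        elif self.refresh_expires_at is not None and now < self.refresh_expires_at:
            # Step 5: new access token from the OAuth server, no re-authentication.
            self.access_expires_at = now + ACCESS_TOKEN_LIFETIME
            action = "refresh"
        else:
            # Step 6 (or first login): the user must authenticate again.
            self.full_authentication(now)
            action = "full_auth"
        self.log.append((now, action))
        return action


def simulate_daily_logins(days: int, calls_per_login: int = 2) -> Dict[str, int]:
    """One login per day with `calls_per_login` service requests a few seconds apart.
    Shows that only the day-0 login and the one after the refresh token's 60 days
    need full authentication; every other day is a silent refresh."""
    session = JabberOAuthSession()
    counts = {"full_auth": 0, "refresh": 0, "token": 0}
    for day in range(days):
        t0 = day * 86400
        for i in range(calls_per_login):
            counts[session.authorise(t0 + 10 * i)] += 1
    return counts


if __name__ == "__main__":
    print(simulate_daily_logins(70))
```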
Jabber 11.9 OAuth User Experience
• On first login client requires full authentication
• If access or refresh token still valid, the token is used for authorisation
Turning on OAuth 2.0 with Refresh token
• OAuth with Refresh Tokens must be enabled on UC manager/IM&P
• On Unity the admin must configure the Authz server and then enable it in enterprise parameters
• OAuth must also be enabled on Expressway if using MRA.
UNDERSTANDING USERS & CONTACTS

Communication Addresses
• The user will have a UC manager userID: cholland (typically AD userid)
• The user will have communication addresses:
XMPP Address – Chat / Presence
E.164 Address – Voice/Video Calling
SIP Address – Voice/Video Calling
• Jabber internally operates on communication addresses
NOTE: If deploying phone mode with contacts you still need to plan the XMPP address as the contact list is stored on the presence server
Jabber must be able to resolve Communication addresses!!!
• Jabber must have a contact resolution service (WebEx, LDAP, UDS)
• Contact service populates JIDs with:
Display Name (eyeball friendly information)
Communications Addresses (addresses to call)
Photos / Avatar (enhances User experience)
Other attributes (Job, Address etc.)
Contact Source Summary
Network Contact Sources: WebEx, LDAP, UDS
Platform Contact Sources: Outlook, Notes, Custom, Device
Cache (Local): cache entry expires after 1 day + random delta
• Jabber will automatically connect to contact sources
• Admin can configure sources
• Jabber maintains local cache
• Jabber manages duplicate contacts across multiple sources
On Premise Contact Sources
UDS Mode (UC Manager database SYNCed from LDAP):
• Default Configuration
• Simple configuration
• UC manager based
• 80,000 contacts max
• No Search scope (apart from LDAP sync)
• On Premise + MRA support
• No Address attributes
• Web server required for photo support
• Reduced MS office integration
UDS LDAP Proxy mode (UC Manager proxies to LDAP):
• New in UC Manager 11.5
• Uses UDS REST API
• Proxy to LDAP server
• No 80,000 limit
• On Premise + MRA
• No Address attributes
• Web server required for photo support
• Per service profile scope
• Reduced MS office integration
LDAP Mode (client connects to LDAP):
• Direct LDAP v3 connection
• Most scalable
• LDAP/GC DNS SRV discovery
• Most customizable method (Attributes map/Authentication)
• Not supported for MRA (auto fall back to UDS source)
• Richest Attribute set
• Global Search scopes
• Full MS Office support
• Native photo support
UDS Contact Source – Local Database
• Enabled in Service profile: User Management>User Setting>Service Profile
• Server is a randomly selected node in the cluster (avoid using the UdsServer setting in jabber-config.xml as this can overload a single UC Manager node)
• Limited Attribute mapping configured in System>LDAP>LDAP Directory
UDS Contact Source - LDAP Proxy
• Client is enabled using service profile as with regular UDS mode
• UDS Proxy is enabled in System>LDAP>LDAP Search
• Phone and Directory URI can be remapped
• LDAP hosts are defined as UC services (up to 3)
UDS Photo source
• UDS doesn’t support photo objects
• Photos must be loaded from a web server
• Photos can be JPG, PNG or BMP with a recommended size of 128x128 pixels
• Jabber will resize/crop photos to fit client interface
• Admin must add the following line to jabber-config.xml for UDS photo operation (unauthenticated):
<UdsPhotoUriWithToken>http://www.photo/url/path/%%uid%%.jpg</UdsPhotoUriWithToken>
LDAP Contact Source
• Jabber 11.8+ uses an LDAP integration called Cisco Directory Integration (CDI)
• Configuration is by Service Profile & jabber-config.xml (if required)
• CDI supports server auto-discovery
• CDI supports full directory attribute mapping
• CDI supports a number of authentication methods: SASL-KERBEROS, SASL-EXTERNAL, Basic BIND and anonymous
• Basic BIND supports admin or user defined credentials for access
• CDI provides optimizations for Active Directory (ANR and Server discovery)
Server Connection: Server Auto discovery
• For Zero Configuration Jabber will try to detect LDAP servers.
• Jabber will query the DNS domain for LDAP servers based on: Windows Environment, Admin defined domain, service domain (the LdapUserDomain parameter is used for the admin defined domain)
• Uses standard DNS SRV records for automatic discovery:
_gc._tcp.domain.com (1st choice)
_ldap._tcp.domain.com (2nd choice)
• Jabber will query the directory type (AD/OpenLDAP) to set base attribute mapping
• Jabber will query defaultNamingContext to use if the search base is not defined by admin (Jabber 11.8(1))
• Allows LDAP load distribution!!!
Server Connection: Administrator defined Server
• Admin can define the LDAP server address (FQDN or IP Address) in the service profile or config file.
• NOTE: Do not define a server if you want to use auto discovery
• Service profile allows alignment to groups of users!!!
Search: Where to Search?
• Jabber will try to read the RootDSE of the directory to automatically identify the search base for Zero Configuration.
• Admin can also define search bases in the service profile… Service profile accepts up to 3 search bases, e.g.
cn=users1,dc=example,dc=com
cn=users2,dc=example,dc=com
cn=users3,dc=example,dc=com
• jabber-config.xml file can accept 5 if required: <SearchBase1> … <SearchBase5>
• If using phone mode also add <PresenceDomain> to jabber-config.xml
LDAP CDI Authentication
SASL: Simple Authentication and Security Layer
GSSAPI: Generic Security Services Application Program Interface
GSSAPI/SASL Methods: Kerberos GSSAPI (WIN/MAC), External (WIN/MAC); order defined by
<LdapSupportedMechanisms>GSSAPI EXTERNAL PLAIN</LdapSupportedMechanisms>
SIMPLE BIND Methods: Admin Shared Credentials; Jabber UserID Credentials (Not OAUTH); Jabber User Entered
Anon Method: Anonymous BIND
• GSSAPI/SASL methods are default for Windows and Mac and managed in jabber-config.xml. SASL falls back to SIMPLE if no SASL method is available
• SIMPLE BIND is managed using service profiles
• Anonymous BIND is managed using jabber-config.xml
LDAP CDI Authentication – GSSAPI
• GSSAPI allows Jabber to use Kerberos authentication (AD Directory)
• If a Kerberos key is available for the LDAP server then Jabber will attempt a SASL/Kerberos authentication to the server
• Workstation must be logged into the Active Directory Domain
• Note: SASL EXTERNAL is the alternative to GSSAPI, typically used with physical card authentication
• GSSAPI/EXTERNAL config can be managed using jabber-config.xml; the admin can define which authentication methods to use:
<LdapSupportedMechanisms>GSSAPI EXTERNAL PLAIN</LdapSupportedMechanisms>
Admin Quick TIP: LDAP CDI Authentication – GSSAPI
• The “klist.exe” command displays keys / tickets available
• Jabber can use Kerberos if a ticket exists for the LDAP server domain
LDAP CDI Authentication – SIMPLE BIND
• Service Profile….
Jabber UserID (Not OAUTH): check “Use Logged on User Credentials”
Admin Shared Credentials: enter on service profile. NOT currently available in UC Manager 12 (workaround: set in jabber-config.xml)
User enters LDAP credentials in client: leave all fields empty
LDAP CDI Authentication – Anonymous BIND
• Not commonly used, for security reasons.
• Anonymous BIND config can be managed using jabber-config.xml:
<UseAnonymousBinding>TRUE</UseAnonymousBinding>
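The mechanism order and the fall-through from SASL to SIMPLE BIND and then anonymous BIND described on these LDAP CDI authentication slides, as an added example that is not from the deck or from Cisco: a small Python model that reads the two jabber-config.xml keys discussed here, reports which bind Jabber would end up with, and flags what an admin should review. The negotiation rules, the credential names (`kerberos_ticket`, `client_cert`, `password`) and the sample config are assumptions, not Cisco client code.

```python
import xml.etree.ElementTree as ET

# Constructed sample jabber-config.xml (not from the deck) holding the two keys discussed.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Directory>
    <LdapSupportedMechanisms>GSSAPI EXTERNAL PLAIN</LdapSupportedMechanisms>
    <UseAnonymousBinding>TRUE</UseAnonymousBinding>
  </Directory>
</config>"""

SASL_METHODS = ("GSSAPI", "EXTERNAL")            # SASL mechanisms named on the slides
DEFAULT_ORDER = ["GSSAPI", "EXTERNAL", "PLAIN"]  # order used when the key is absent
NEEDS = {"GSSAPI": "kerberos_ticket", "EXTERNAL": "client_cert"}  # assumed client credential per SASL mechanism

def read_ldap_auth_settings(xml_text):
    """Return (mechanism order, anonymous-bind enabled) from jabber-config.xml text."""
    root = ET.fromstring(xml_text)
    mechs = root.findtext(".//Directory/LdapSupportedMechanisms")
    anon = root.findtext(".//Directory/UseAnonymousBinding", default="FALSE")
    order = mechs.split() if mechs else list(DEFAULT_ORDER)
    return order, anon.strip().upper() == "TRUE"

def select_bind_method(order, server_sasl, client_creds, anonymous_allowed):
    """Walk the configured order: a SASL mechanism is usable only if the server advertises
    it (rootDSE supportedSASLMechanisms) and the client holds the matching credential;
    PLAIN means SIMPLE BIND with a password; anonymous BIND is the last resort, if enabled."""
    for mech in order:
        if mech in SASL_METHODS:
            if mech in server_sasl and NEEDS[mech] in client_creds:
                return "SASL/" + mech
        elif mech == "PLAIN" and "password" in client_creds:
            return "SIMPLE"
    return "ANONYMOUS" if anonymous_allowed else None

def audit(xml_text):
    """Findings a defender wants from the config: anonymous bind on, PLAIN in the order."""
    order, anon = read_ldap_auth_settings(xml_text)
    findings = []
    if anon:
        findings.append("UseAnonymousBinding=TRUE: directory readable without credentials")
    if "PLAIN" in order:
        findings.append("PLAIN listed: SIMPLE BIND sends the password, so require TLS (636 / GC 3269)")
    return findings

if __name__ == "__main__":
    order, anon = read_ldap_auth_settings(SAMPLE_CONFIG)
    # Domain-joined workstation holding a ticket (see klist.exe) vs. a machine with no credential.
    print(select_bind_method(order, {"GSSAPI", "EXTERNAL"}, {"kerberos_ticket"}, anon))
    print(select_bind_method(order, {"GSSAPI"}, set(), anon), audit(SAMPLE_CONFIG))
```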
Server Optimization Tips
• Tips for LDAP service optimization
1) DO use the Global Catalog rather than a Domain Controller (3268 / 3269)
2) DO index ALL Jabber key fields, e.g. telephone numbers
3) DO distribute load across LDAP servers with DNS/SRV records
4) DO use service profiles to create group/location-based server connections
LDAP Photo Objects
• Jabber CDI can retrieve photos directly from the LDAP server.
• Photos can be JPG, PNG or BMP with a recommended size of 128x128 pixels.
• Jabber will resize/crop photos to fit the client interface.
LDAP alternative photo source
• If your LDAP server doesn’t hold photos, they can be loaded from a web server (unauthenticated).
• Photos can be JPG, PNG or BMP with a recommended size of 128x128 pixels.
• Jabber will resize/crop photos to fit the client interface.
• The admin must add the following lines to jabber-config.xml for UDS photo operation:
<PhotoUriSubstitutionEnabled>True</PhotoUriSubstitutionEnabled>
<PhotoUriSubstitutionToken>sAMAccountName</PhotoUriSubstitutionToken>
<PhotoUriWithToken>http://example.com/photo/sAMAccountName.jpg</PhotoUriWithToken>
NOW WE INSTALL JABBER CLIENTS
Getting the Jabber Client Software
Windows:
Cisco Jabber for Windows Install
Cisco Jabber for Windows Admin (COP files, custom MST, AD proxy address tool)
Cisco Jabber – JAWS Scripts
DeskPhone Video Services Interface
Mac:
Cisco Jabber for Mac Installer
Cisco Jabber for Mac App (manual)
Mobile Apps only distributed on App Stores
Installing on Windows
• Jabber for Windows is installed from the MSI client.
• The MSI can be pushed using a management app (GP/SCCM).
• The MSI can be deployed with switches.
• The MSI can be modified with an MST.
msiexec /i CiscoJabberSetup.msi parameter=value
Useful Settings
Settings to avoid!
UPN_DISCOVERY_ENABLED=
Settings to be aware of
CLICK2X=
CLEAR=1
SERVICES_DOMAIN=
CUP_ADDRESS=
VOICE_SERVICE_DOMAIN=
CCMCIP=
EXCLUDED_SERVICES=
TFTP=
LANGUAGE=
CTI=
PRODUCT_MODE=
Installing on Mobile devices (iOS/Android)
• Jabber Mobile Apps are only published on App Stores.
• NOT available on cisco.com.
• Can be downloaded by the end user.
• Can be pushed onto the device from the public App Store.
If the application is pushed onto the device, then an AppConfig-compliant MDM can be used to push parameters to the client.
http://appconfig.org
Airwatch Example
Keeping Jabber up to date
• Major Jabber release every 6 months approximately (MR every 8 weeks).
• Jabber provides a built-in feature for pushing updates.
Add an entry to jabber-config.xml pointing at a second XML file:
<UpdateUrl>http://s1.example.com/Jabber.xml</UpdateUrl>
Update file should contain following….
For Mac, add a duplicate block with “JabberMac”.
Force update option
JABBER BASIC DEPLOYMENT COMPLETE
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session.
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you