HCS SA Recommended Deployment White Paper
Installation
    UC Application Installation
    Add Prime License Manager to HCM-F
    Assign a Cluster to a License Manager in HCM-F
    Partitioned Cisco Unity Connection
    DNS Records
    Public DNS
    Local DNS
Onboarding
    Customer Onboarding Process Overview
    New User Onboarding Process
References
Introduction
HCS Shared Architecture (SA) configuration enables partners to provide true UC as a Service (UCaaS) for customers with the best collaboration solution and at a more affordable price. HCS SA also leverages existing HCS access methods to deploy the Unified Communications (UC) solution securely with Over the Top (OTT) access or with private access of service over a managed network.
The HCS SA configuration allows partners to save capital expenditure (capex) investment at the data center by sharing the UC cluster with multiple tenants. It also paves the way for automating the customer and user onboarding process, allowing partners to save even more on operating expenses.
OTT access for endpoints lets users easily register their phones and Jabber using the auto-registration process with only a connection to the public internet. Private access of service using a managed network (MPLS or VPN) is also possible for users who require higher service quality and reliability.
HCS SA configuration can be a perfect solution for a small customer, mid-market customer, or large customer with many small sites. HCS SA configuration supports the full suite of HCS collaboration features, from dial tone, video, and mobility to team collaboration.
This white paper provides configuration steps for the SA implementation of HCS. These steps are validated in Cisco labs to help partners deploy the solution quickly and easily. Please note that the main body of the white paper describes information that is applicable to the latest release of HCS. There may be additional considerations for older releases, which will be described in appendices.
For more information, we recommend that partners refer to the following Cisco documents:
Cisco HCS Solution Reference Network Design (SRND) Guide
Cisco HCS Capacity Planning Guide
Cisco HCS End-to-End Planning Guide
Cisco HCS Shared Architecture Overview
Assumptions
SAN is deployed and configured.
VMware licenses are purchased and installed.
The management applications are installed:
    o a domain manager
    o Cisco Hosted Collaboration Mediation Fulfillment (HCM-F)
    o Cisco Prime License Manager
    o Cisco Prime Collaboration Assurance (used only for monitoring the UC cluster and not for shared customers).
A partner-provided IT domain (for example, ciscolabs.com) is used for collaboration. The partner-managed domain is shared by other customers.
Endpoints Support
The Cisco HCS SA architecture supports the following endpoints:
Other Cisco endpoints are supported with an MPLS or VPN connection; the full list is documented on Cisco.com.
Prerequisites
Software downloads
Licenses
Caveats
User passwords are managed in the partner's AD or LDAP.
Software Matrix
Table: Software matrix for HCS 12.5 Shared Architecture
Component                             Software
Cisco Prime Collaboration Assurance*  11.6 or later
Cisco HCM-F                           11.5(2) or later
Cisco Unified CM                      11.5(1)SU3a or later
Cisco IM and Presence Service         11.5(1)SU3a or later
Cisco Unity Connection                11.5(1)SU3a or later
Cisco Expressway-Core                 X8.10.3 or later
Cisco Expressway-Edge                 X8.10.3 or later
Cisco Jabber                          Latest available version
* Cisco Unified CM and Prime Collaboration Assurance are the included domain manager and assurance components for HCS SA with the HCS-K9-BUNDLE license. Others are available as part of the HCS open provisioning architecture (OPA) or subscription licenses.
The HCS SA customer onboarding process (including domain manager, LDAP, AD, Expressway, SBC, and welcome emails) can be automated with third-party tools that use the APIs in the HCS SA components. Consult the vendor of your tool for information on integrating with HCS SA to automate customer onboarding.
Infrastructure Setup
Management components are implemented in an existing Management Virtual Route Forwarding (VRF) table, using the available IP addresses in this space.
UC applications are implemented in a new shared VRF, just like any other customer UC application in a dedicated instance.
A Session Border Controller or a 3rd-party tool interfaces with the shared cluster in the shared VRF with the UC applications.
The shared VRF is extended from the data center PE to the Core Nexus 7000 and Aggregation Nexus 7000, just like any other tenant (for MPLS).
Create a context for the shared VRF in the firewall, just like any other tenant.
The per-customer VRF terminates on the data center Provider Edge (for MPLS).
The number of VRFs/VPNs consumed in the MPLS core is one VPN/VRF per tenant, plus a shared VRF per cluster. The PE tenant capacity is limited by the total number of VRFs it can support; this is outside the scope of Cisco HCS, but within the DC, the VRFs are aggregated into a shared VRF in the Aggregation switch.
As a result, the number of clusters that are supported by the Cisco HCS DC is dependent on the DC type (Large PoD or Small PoD), regardless of the Shared Architecture deployment.
VM and Cluster Support
The following versions of VMware vSphere ESXi are recommended as a minimum:
Cisco HCS 11.5: vSphere ESXi 6.0 Update 3
Cisco HCS 12.5: vSphere ESXi 6.5 Update 2
Cisco Unified CM and IM and Presence Service:
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/uc_system/virtualization/virtualization-cisco-ucm-im-presence.html
Cisco Unity Connection:
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/uc_system/virtualization/virtualization-cisco-unity-connection.html
Co-residency Support
For information about collaboration virtualization sizing and co-residency support, see
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/uc_system/virtualization/collaboration-virtualization-sizing.html#cores.
For co-residency clarification and troubleshooting resources, see
https://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-system/113520-edcs1153298.html.
Expressway OVA Specifications
Consult the following links for the latest specifications:
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/uc_system/virtualization/virtualization-cisco-expressway.html
Co-residency Support
Expressway can co-reside with applications (any other VMs occupying the same host), subject to the following conditions:
No oversubscription of CPU: 1:1 allocation of vCPU to physical cores must be used.
No oversubscription of RAM: 1:1 allocation of vRAM to physical memory.
No oversubscription of NIC: The Expressway handles large volumes of data, much of which is for real-time communications, and it needs dedicated access to all the bandwidth specified for its interfaces. For example, you should not assume that 4 co-resident, small Expressway VMs can handle the expected load if there is only a 1 Gbps physical interface on the host. In this example, none of the VMs meets the required minimum specification.
Sharing the disk storage subsystem is supported, subject to correct performance (latency, bandwidth) characteristics.
For more information about Expressway VM sizing, see Cisco Expressway on Virtual Machine Installation Guide (X8.10).
Each UC cluster can support unique dial plans for up to 590 customers with 1 site. More Cisco Unity Connection clusters can be added to 1 Cisco Unified CM cluster to provide voicemail services to more customers. Multiple shared clusters can be combined on the same data center platform to support more customers.
For more information about VM sizing, see
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/uc_system/virtualization/cisco-collaboration-virtualization.html.
Table: VM Sizing for Different Users
Sizing tables are provided for applications serving 5,000, 10,000, 20,000, and 40,000 users with 2 devices per user, with the columns CPU, RAM (GB), HD (GB), and Cluster Details.
Application                                                  CPU      RAM (GB)  HD (GB)  Cluster Details
Cisco Unified CM – 10,000 Users with customer limit of 590   4 Cores  8         1 x 110  1 Pub, 16 Sub, 2 TFTP and 2 Media
* To support more customers with Cisco Unity Connection, you can add a larger OVA or more clusters for more voicemail ports.
** Expressway-C and Expressway-E clusters support a maximum of 6 nodes: 4 active and 2 standbys. Extra nodes over 4 can be added to each cluster, up to a maximum of 6, for extra redundancy only. No extra capacity is gained above 4 nodes. More clusters are needed for more capacity.
Procedure
Step 1: Review the installation requirements and record the configuration settings for each server that you plan to install.
Step 2: For every node in your cluster, create virtual machines using the Virtual Server Template (OVA file) recommended for your current release.
Different OVA files are available; choose the correct OVA file based on the environment in which you are deploying.
Step 3: Download OVA templates from the following locations:
The HCS management applications include the domain manager, mediation fulfillment (HCM-F), license manager (Prime License Manager), assurance (Prime Collaboration Assurance), and user management (AD and LDAP), which are shared across all unified collaboration clusters (dedicated and shared).
UC Application Installation
For information about installing UC applications, see the following documents.
Installation Guide for Cisco Unified Communications Manager and IM and Presence Service
Install, Upgrade, and Maintenance Guide for Cisco Unity Connection
Cisco Expressway on Virtual Machine Installation Guide
Step 1 From the side menu, select License Management > License Manager Summary.
Step 1 From the Infrastructure Manager interface, select License Management > License Manager Summary.
Step 2 Select the License Manager to which you want to assign a cluster.
Step 5 Select the cluster you want to assign and click Assign.
DNS Records
This section summarizes the public (external) and local (internal) DNS requirements. For more information, see the Cisco Jabber Planning Guide on the Jabber Install and Upgrade Guides page.
Public DNS
The public (external) DNS must be configured with _collab-edge._tls. SRV records so that endpoints can discover the Expressway-Es to use for Mobile and Remote Access. SIP service records are also required (for general deployment, not specifically for Mobile and Remote Access). For example, for a cluster of 2 Expressway-E systems:
Local DNS
The local (internal) DNS requires _cisco-uds._tcp. SRV records. For example:
Notes:
Important: For version X8.8 and later, you must create forward and reverse DNS entries for all Expressway-E systems, so that systems making TLS connections to them can resolve their FQDNs and validate their certificates.
Ensure that the cisco-uds SRV records are NOT resolvable outside of the internal network; otherwise the Jabber client will not start Mobile and Remote Access negotiation using the Expressway-E.
You must create internal DNS records, for both forward and reverse lookups, for all Unified Communications nodes used with Mobile and Remote Access. This allows Expressway-C to find the nodes when IP addresses or hostnames are used instead of FQDNs.
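The split-horizon rules above (public _collab-edge._tls SRV with forward and reverse entries for every Expressway-E, internal-only _cisco-uds._tcp, forward and reverse entries for the UC nodes) can be checked against a zone plan before it goes live. The checker below is an added example, not part of the white paper; the two record sets are constructed zone-file style views for a placeholder domain example-partner.com with placeholder hosts and addresses.

```python
import ipaddress

# Constructed public view (what internet clients resolve); names and addresses are placeholders.
PUBLIC_VIEW = """
_collab-edge._tls.example-partner.com. 3600 IN SRV 10 10 8443 expe1.example-partner.com.
_collab-edge._tls.example-partner.com. 3600 IN SRV 10 10 8443 expe2.example-partner.com.
_sips._tcp.example-partner.com.        3600 IN SRV 10 10 5061 expe1.example-partner.com.
expe1.example-partner.com.             3600 IN A   203.0.113.10
expe2.example-partner.com.             3600 IN A   203.0.113.11
10.113.0.203.in-addr.arpa.             3600 IN PTR expe1.example-partner.com.
11.113.0.203.in-addr.arpa.             3600 IN PTR expe2.example-partner.com.
"""

# Constructed internal view: _cisco-uds lives here and must never appear in the public view.
INTERNAL_VIEW = """
_cisco-uds._tcp.example-partner.com.   3600 IN SRV 10 10 8443 cucm1.example-partner.com.
_cisco-uds._tcp.example-partner.com.   3600 IN SRV 10 10 8443 cucm2.example-partner.com.
cucm1.example-partner.com.             3600 IN A   10.10.1.10
cucm2.example-partner.com.             3600 IN A   10.10.1.11
10.1.10.10.in-addr.arpa.               3600 IN PTR cucm1.example-partner.com.
11.1.10.10.in-addr.arpa.               3600 IN PTR cucm2.example-partner.com.
"""


def _norm(name):
    """Lower-case a DNS name and drop the trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


def parse_zone(text):
    """Parse '<owner> <ttl> IN <type> <rdata...>' lines into (owner, type, rdata) tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 5 or tokens[2].upper() != "IN":
            raise ValueError(f"unparseable record: {raw!r}")
        records.append((_norm(tokens[0]), tokens[3].upper(), tokens[4:]))
    return records


def srv_targets(records, owner):
    """Target hosts of every SRV record at 'owner' (rdata is priority weight port target)."""
    return [_norm(r[3]) for n, t, r in records if t == "SRV" and n == _norm(owner)]


def forward_reverse_ok(records, host):
    """Return (has A record, every A address has a PTR that names 'host')."""
    addrs = [r[0] for n, t, r in records if t == "A" and n == _norm(host)]
    if not addrs:
        return False, False
    for addr in addrs:
        rev = _norm(ipaddress.ip_address(addr).reverse_pointer)
        ptrs = [_norm(r[0]) for n, t, r in records if t == "PTR" and n == rev]
        if _norm(host) not in ptrs:
            return True, False
    return True, True


def check_mra_dns(public_zone, internal_zone, domain):
    """Return findings as strings; an empty list means the plan meets the requirements above."""
    public, internal = parse_zone(public_zone), parse_zone(internal_zone)
    findings = []

    # Public: _collab-edge._tls SRV must exist and name Expressway-Es with forward and reverse entries.
    edges = srv_targets(public, f"_collab-edge._tls.{domain}")
    if not edges:
        findings.append("public: no _collab-edge._tls SRV record; MRA discovery fails")
    for host in edges:
        has_a, has_ptr = forward_reverse_ok(public, host)
        if not has_a:
            findings.append(f"public: Expressway-E {host} has no A record")
        elif not has_ptr:
            findings.append(f"public: Expressway-E {host} has no matching PTR record")

    # Public: _cisco-uds must not leak, otherwise Jabber never starts MRA negotiation.
    if srv_targets(public, f"_cisco-uds._tcp.{domain}"):
        findings.append("public: _cisco-uds._tcp is resolvable externally; Jabber will not use MRA")

    # Internal: _cisco-uds SRV must exist and name UC nodes with forward and reverse entries.
    nodes = srv_targets(internal, f"_cisco-uds._tcp.{domain}")
    if not nodes:
        findings.append("internal: no _cisco-uds._tcp SRV record for on-premises discovery")
    for host in nodes:
        has_a, has_ptr = forward_reverse_ok(internal, host)
        if not has_a:
            findings.append(f"internal: UC node {host} has no A record")
        elif not has_ptr:
            findings.append(f"internal: UC node {host} has no PTR record; Expressway-C may not find it")
    return findings


if __name__ == "__main__":
    print("\n".join(check_mra_dns(PUBLIC_VIEW, INTERNAL_VIEW, "example-partner.com") or ["OK"]))
```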
Configure IM and P
• You do not plan to sync those users from LDAP to Cisco Unified CM.
• You plan to push those users from Cisco Unified CDM to Cisco Unified CM.
• You want to use LDAP to authenticate those users' access to Cisco Unified CM.
Procedure
Step 1 On Unified CM, disable dirsync.
f) Click Save.
Step 3 On Cisco Unified CM, configure LDAP Directory.
LDAP Configuration Name: Enter a unique name (up to 40 characters) for the LDAP directory. Important: You use the LDAP Configuration Name when you configure the LDAP Server in Cisco Unified CDM.
LDAP Manager Distinguished Name: Enter the user ID (up to 128 characters) of the LDAP Manager, an administrative user that has access rights to the LDAP directory.
LDAP Password: Enter a password (up to 128 characters) for the LDAP Manager.
Confirm Password: Re-enter the password that you provided in the LDAP Password field.
LDAP User Search Base: Enter the location (up to 256 characters) where all LDAP users exist. This location acts as a container or a directory. This information varies depending on your customer setup.
LDAP Custom Filter: Select an LDAP custom filter to filter the results of LDAP searches. LDAP users that match the filter are imported into the Unified CM database. LDAP users that do not match the filter do not get imported. The default value is <None>. This value applies a default LDAP filter that is specific to the LDAP server type. The available default LDAP filters are:
• Microsoft Active Directory (AD): (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Hostname or IP Address for Server: Enter the hostname or IP address of the server where the data for this LDAP directory resides.
LDAP Port: Enter the port number on which the corporate directory receives the LDAP requests. You can access this field only if LDAP authentication for users is enabled.
The default LDAP port for Microsoft Active Directory and for Netscape Directory is 389. The default LDAP port for Secure Sockets Layer (SSL) is 636.
How your corporate directory is configured determines which port number to enter in this field. For example, before you configure the LDAP Port field, determine whether your LDAP server acts as a Global Catalog server and whether your configuration requires LDAP over SSL. Consider entering one of the following port numbers:
LDAP Port when the LDAP server is not a Global Catalog server:
• 389 – When SSL is not required. (This port number is the default that displays in the LDAP Port field.)
• 636 – When SSL is required. (If you enter this port number, make sure that you check the Use SSL check box.)
LDAP Port when the LDAP server is a Global Catalog server:
Add Another Redundant LDAP Server: Click this button to add another row to provide information about another LDAP server.
e) Click Save.
e) Enter the LDAP Password for the user ID in the previous step.
f) Enter the LDAP User Search Base.
Important: This value must match the LDAP User Search Base you configured for the LDAP Directory in Unified CM. It must also match the LDAP Server you configure in Unified CDM.
g) Click Save.
Step 5 Sync the user data to your domain manager and set up LDAP user synchronization.
When users are pushed to Cisco Unified CM, the ldapDirectoryName field in device/cucm/User is populated with the CUCM LDAP Directory Name. Cisco Unified CM treats the users as LDAP integrated, instead of local. The users appear as LDAP Active Users and use LDAP bind for authentication. From now on, the users are authenticated in Cisco Unified CM against the LDAP directory.
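The default Active Directory filter quoted in the LDAP Custom Filter field decides which accounts Unified CM imports: user objects that are not computers and do not have the account-disabled bit (value 2) set in UserAccountControl, tested with the bitwise-AND matching rule 1.2.840.113556.1.4.803. The evaluator below is an added example, not code from the white paper or from Unified CM; it parses that filter and runs it over a handful of constructed placeholder entries to show which ones would be imported.

```python
# Default AD filter from the LDAP Custom Filter field, verbatim.
AD_DEFAULT_FILTER = ("(&(objectclass=user)(!(objectclass=Computer))"
                     "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # the OID used in the filter above

# Constructed AD entries (placeholder DNs); attribute values are lists, as LDAP returns them.
ENTRIES = {
    "CN=Alice,OU=Users,DC=example,DC=com":
        {"objectclass": ["top", "person", "user"], "useraccountcontrol": [512]},      # enabled user
    "CN=Bob,OU=Users,DC=example,DC=com":
        {"objectclass": ["top", "person", "user"], "useraccountcontrol": [514]},      # 512 + ACCOUNTDISABLE
    "CN=PC01,OU=Computers,DC=example,DC=com":
        {"objectclass": ["top", "person", "user", "computer"], "useraccountcontrol": [4096]},  # workstation
    "CN=Svc,OU=Users,DC=example,DC=com":
        {"objectclass": ["top", "person", "user"], "useraccountcontrol": [66048]},    # 65536 + 512, enabled
}


def parse_filter(text):
    """Parse an RFC 4515 filter (subset: &, |, !, attr=value, attr:oid:=value) into a tuple tree.

    Values are taken literally; RFC 4515 escapes such as \\29 for ')' are not decoded here.
    """
    def _close(i):
        if text[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return i + 1

    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at {i}")
        i += 1
        op = text[i]
        if op in "&|":
            kids, i = [], i + 1
            while text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), _close(i)
        if op == "!":
            node, i = parse(i + 1)
            return ("!", [node]), _close(i)
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")
        if attr.endswith(":"):                       # extensible match: attr:oid:=value
            attr, _, rule = attr[:-1].partition(":")
            return ("ext", attr.lower(), rule, value), end + 1
        return ("eq", attr.lower(), value), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lower-cased attribute -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "eq":
        _, attr, value = node
        return any(str(v).lower() == value.lower() for v in entry.get(attr, []))
    if kind == "ext":
        _, attr, rule, value = node
        if rule != LDAP_MATCHING_RULE_BIT_AND:
            raise ValueError(f"unsupported matching rule {rule}")
        mask = int(value)                        # bit-AND rule: every bit in mask must be set
        return any(int(v) & mask == mask for v in entry.get(attr, []))
    raise ValueError(f"unknown node {kind}")


def imported_users(filter_text, entries):
    """DNs that Unified CM would import with this filter, in sorted order."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))


if __name__ == "__main__":
    for dn in imported_users(AD_DEFAULT_FILTER, ENTRIES):
        print("import:", dn)
```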
Starting with Jabber 10.6 and Unified CM IM & Presence 10.5.2, a new method to transfer files between clients has been introduced with the following features:
Cisco recommends having a certified PostgreSQL and Oracle or Microsoft SQL Server administrator to maintain and retrieve information from the external database.
Hardware Requirements
A remote server on which you install the PostgreSQL or Oracle database.
Software Requirements
IM and Presence Service, current release
External Database:
Database: Supported Versions
Oracle: Versions 9g, 10g, 11g, and 12c are supported; in IM and Presence Service Release 11.0(1), versions 11.2.0.1.0 and 12.1.0.1.0 have been tested.
High Availability for Persistent Chat feature: You must enable High Availability and Persistent Chat. Make sure that both presence redundancy group nodes are assigned to the same unique logical external database instance.
Oracle and PostgreSQL can be used with High Availability for Persistent Chat. However, PostgreSQL has some significant challenges in trying to make it a High Availability database with automatic redundancy.
For a configuration example to set up the PostgreSQL Server and database, see the Cisco Unified Presence Server PostgreSQL External Database and Compliance Configuration Example guide available at https://www.cisco.com/c/en/us/support/unified-communications/unified-presence/products-configuration-examples-list.html.
Step 5 Choose the database type from the drop-down list, Postgres or Oracle. If you chose Oracle as the database type, enter the tablespace value.
Step 6 Enter the username for the database user (owner) that you defined at external database installation, for example, tcuser.
Step 7 Enter and confirm the password for the database user, for example, mypassword.
Step 8 Enter the hostname or IP address for the external database.
Step 9 Enter a port number for the external database.
The default port numbers for Postgres (5432), Oracle (1521), and Oracle with SSL enabled (2484) are prepopulated in the Port Number field. You can choose to enter a different port number, if required.
Step 10 If you chose Oracle as the Database Type, the Enable SSL checkbox becomes active.
Check the checkbox to enable SSL. The Certificate Name drop-down list becomes active. Choose a certificate from the drop-down list.
Notes
• When the Enable SSL check box or the Certificate drop-down field is modified, a notification to restart the corresponding service assigned to the external database is sent. A message concerning either Cisco XCP Message Archiver or Cisco XCP Text Conference Manager is generated.
• The certificate you need to enable SSL must be uploaded to the cup-xmpp-trust store. You must upload this certificate before you enable SSL.
• Once the certificate is uploaded to the cup-xmpp-trust store, you must wait 15 minutes for the certificate to propagate to all the nodes of the IM and Presence Service cluster. If you do not wait, the SSL connection on nodes where the certificate has not propagated fails.
• If the certificate is missing or has been deleted from the cup-xmpp-trust store, an alarm XCPExternalDatabaseCertificateNotFound is raised in the Cisco Unified Communications Manager Real Time Monitoring Tool (RTMT).
Step 11 Click Save.
Step 12 If you make a configuration change in the install_dir/data/pg_hba.conf file or the install_dir/data/postgresql.conf file after you assign the external database, perform these steps:
a) Unassign and reassign the external database to the IM and Presence Service node.
b) Restart the Cisco XCP Router service. Log in to the Cisco Unified IM and Presence Serviceability user interface.
c) Navigate to Tools > Control Center - Network Services to restart this service.
• Database reachability — Verifies that the IM and Presence Service can ping an external database.
• Database connectivity — Verifies that the IM and Presence Service has successfully established an Open Database Connectivity (ODBC) connection with the external database.
• Database schema verification — Verifies that the external database schema is valid.
Caution
If your IM and Presence Service node connects to an external database server using IPv6, ensure that the enterprise parameter is configured for IPv6 and that Eth0 is set for IPv6 on each node in the deployment; otherwise, the connection to the external database server fails. The message archiver (compliance) and Cisco XCP Text Conference Manager are unable to connect to the external database and fail. For information about configuring IPv6 on IM and Presence Service, see the Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager guide.
Procedure
Step 1 Log in to the Cisco Unified CM IM and Presence Administration user interface.
Step 2 Navigate to Messaging > External Server Setup > External Databases.
Step 3 Click Find.
Step 4 Choose the external database entry that you want to view.
Step 5 Verify that there are check marks beside each of the result entries for the external database in the External Database Status section.
Step 6 In the Cisco Unified CM IM and Presence Administration user interface, navigate to Diagnostics > System Troubleshooter.
Step 7 Verify that there are check marks beside the status of each of the external database connection entries in the External Database Troubleshooter section.
• The node public key is invalidated if the node's assignment is removed. If the node is reassigned, a new node public key is automatically generated and the key must be reconfigured on the external file server.
• The Cisco XCP File Transfer Manager service must be active on each node where managed file transfer is enabled.
You can configure one of the following options on the File Transfer window:
• Disabled: file transfer is disabled for the cluster.
• Peer-to-Peer: one-to-one file transfers are allowed, but files are not archived or stored on a server. Group chat file transfer is not supported.
• Managed File Transfer: one-to-one and group file transfers are allowed. File transfers are logged to a database and the transferred files are stored on a server. The client must also support managed file transfer; otherwise no file transfers are allowed.
• Managed and Peer-to-Peer File Transfer: one-to-one and group file transfers are allowed. File transfers are logged to a database and the transferred files are stored on a server only if the client supports managed file transfer. If the client does not support managed file transfer, this option is equivalent to the Peer-to-Peer option.
Note
If managed file transfer is configured on a node and you change the File Transfer Type to Disabled or Peer-to-Peer, be aware that the mapped settings to the external database and to the external file server for that node are deleted. The database and file server remain configured, but you must reassign them if you re-enable managed file transfer for the node.
Depending on your pre-upgrade setting, after an upgrade to IM and Presence Service Release 10.5(2) or later, either Disabled or Peer-to-Peer is selected.
• Install and configure an external database; see the Database Setup for IM and Presence Service on Cisco Unified Communications Manager guide at http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-installation-and-configuration-guides-list.html.
Procedure
Step 1 Install a supported version of Linux.
Step 2 Verify the file server supports SSHv2 and OpenSSH 4.9 or later by entering one of the following commands as root:
# telnet localhost 22
Trying ::1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.3
Or
# ssh -v localhost
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /root/.ssh/config ...
...debug1: Local version string SSH-2.0-OpenSSH_5.3
Step 3 To allow private/public key authentication, make sure that you have the following fields in the /etc/ssh/sshd_config file set to yes.
• Set RSAAuthentication to yes
• Set PubkeyAuthentication to yes
If these are commented out in the file, the setting can be left alone.
Tip To enhance security, you can also disable password login for the file transfer user (for example, mftuser). This forces logging in only by SSH public/private key authentication.
Step 4 We recommend creating one or more separate partitions that are dedicated to file transfer storage so that other applications that run on the server do not write to it. All file storage directories must be created on these partitions.
Set Up a User
Procedure
Step 1 On the file server as root, create a user who owns the file storage directory structure (our example uses mftuser) and force creation of the home directory (-m).
# useradd -m mftuser
# passwd mftuser
Step 2 Switch to the mftuser.
# su mftuser
Step 3 Create a .ssh directory under the ~mftuser home directory that is used as a key store.
$ mkdir ~mftuser/.ssh/
Step 4 Create an authorized_keys file under the .ssh directory that is used to hold the public key text for each managed file transfer enabled node.
$ touch ~mftuser/.ssh/authorized_keys
Step 5 Set the correct permissions for passwordless SSH to function.
$ chmod 700 ~mftuser (directory)
$ chmod 700 ~/.ssh (directory)
$ chmod 700 ~/.ssh/authorized_keys (file)
Note Depending on your SSH configuration, these permissions may vary on some Linux systems.
Set Up Directories
Procedure
Step 1 Switch back to the root user.
$ exit
Step 2 Create a top-level directory structure (for example, /opt/mftFileStore/) to hold directories for all the IM and Presence Service nodes that have managed file transfer enabled.
# mkdir -p /opt/mftFileStore/
Step 3 Provide the mftuser sole ownership of the /opt/mftFileStore/ directory.
# chown mftuser:mftuser /opt/mftFileStore/
Step 4 Provide the mftuser sole permissions to the mftFileStore directory.
# chmod 700 /opt/mftFileStore/
Step 5 Switch to the mftuser.
# su mftuser
Step 6 Create a subdirectory under /opt/mftFileStore/ for each managed file transfer enabled node (later, when you enable managed file transfer, you assign each directory to a node).
$ mkdir /opt/mftFileStore/{node_1,node_2,node_3}
Note
• These directories and paths are used in the External File Server Directory field that you enter in the Deploy an External File Server on IM and Presence Service task.
• If you have multiple IM and Presence Service nodes writing to this file server, you must define a target directory for each node, for example, {node_1, node_2, node_3}.
• Within each node's directory, the transfer type subdirectories (im, groupchat, and persistent) are automatically created by IM and Presence Service, as are all subsequent directories.
• To avoid a man-in-the-middle attack, where the file server public key is spoofed, you must verify that the public key value that is returned by the ssh-keyscan -t rsa host command is the real public key of the file server.
• On the file server, go to the location of the ssh_host_rsa_key.pub file (under /etc/ssh/) and confirm that the contents of the public key file, minus the host (the host is absent in the ssh_host_rsa_key.pub file on the file server), match the public key value returned by the command ssh-keyscan -t rsa host.
Step 2 Copy the result of the ssh-keyscan -t rsa host command, not what is in the ssh_host_rsa_key.pub file. Ensure that you copy the entire key value, from the server hostname, FQDN, or IP address to the end.
Note Usually the server key begins with the hostname or FQDN, although it may begin with an IP address.
For example, copy:
hostname ssh-rsa AAAQEAzRevlQCH1KFAnXwhd5UvEFzJs...
...a7y49d+/Am6+ZxkLc4ux5xXZueL3GSGt4rQUy3rp/sdug+/+N9MQ==
(ellipses added).
Step 3 Save the result of the ssh-keyscan -t rsa host command to a .text file. It is needed when you
Step 4 Open the authorized_keys file you created and leave it open. It is used in the Enable Managed File Transfer on IM and Presence Service procedure.
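The comparison the note above asks for, the ssh-keyscan output against the server's own ssh_host_rsa_key.pub, can be done exactly rather than by eye: both lines carry the same RFC 4253 key blob, only with the host in front in the keyscan form and a comment at the end in the file form. The script below is an added example, not code from the white paper or from IM and Presence Service; the host key it uses is built in code from an arbitrary modulus (a placeholder, not a real RSA key), and the hostname extfileserver.example.net is a placeholder.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """SSH wire-format mpint: big-endian, with a leading 0x00 byte when the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")   # +8 leaves room for the sign byte
    return _ssh_string(raw)


def rsa_blob(e, n):
    """Public key blob exactly as ssh-keyscan and ssh_host_rsa_key.pub encode it: "ssh-rsa", e, n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_pubkey_line(line):
    """Accept 'host ssh-rsa <b64>' (keyscan form) or 'ssh-rsa <b64> [comment]' (host file form).

    Returns (host or None, key type, decoded blob). The blob must announce the same key type as
    the text prefix; a mismatch means the line was edited or mistyped.
    """
    fields = line.split()
    if len(fields) >= 3 and fields[1].startswith("ssh-"):
        host, keytype, b64 = fields[0], fields[1], fields[2]
    elif len(fields) >= 2 and fields[0].startswith("ssh-"):
        host, keytype, b64 = None, fields[0], fields[1]
    else:
        raise ValueError(f"not a public key line: {line!r}")
    blob = base64.b64decode(b64, validate=True)
    length = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + length] != keytype.encode():
        raise ValueError("key type inside the blob does not match the text prefix")
    return host, keytype, blob


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint (unpadded base64), as ssh-keygen -lf prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def keyscan_matches_host_file(keyscan_line, host_file_line):
    """True only if the key seen over the network is byte-for-byte the server's own host key."""
    _, scan_type, scan_blob = parse_pubkey_line(keyscan_line)
    _, file_type, file_blob = parse_pubkey_line(host_file_line)
    return scan_type == file_type and scan_blob == file_blob


# Constructed placeholder keys: the moduli are arbitrary odd numbers, not real RSA keys.
GENUINE_BLOB = rsa_blob(65537, (1 << 511) | 0x2B3D5F71)
SPOOFED_BLOB = rsa_blob(65537, (1 << 511) | 0x7A1C9E33)
HOST_FILE_LINE = "ssh-rsa " + base64.b64encode(GENUINE_BLOB).decode() + " root@extfileserver"
KEYSCAN_LINE = "extfileserver.example.net ssh-rsa " + base64.b64encode(GENUINE_BLOB).decode()
SPOOFED_KEYSCAN_LINE = "extfileserver.example.net ssh-rsa " + base64.b64encode(SPOOFED_BLOB).decode()

if __name__ == "__main__":
    for label, line in (("genuine", KEYSCAN_LINE), ("spoofed", SPOOFED_KEYSCAN_LINE)):
        ok = keyscan_matches_host_file(line, HOST_FILE_LINE)
        print(f"{label}: match={ok} {fingerprint(parse_pubkey_line(line)[2])}")
```

On a real file server the two inputs are the line printed by ssh-keyscan -t rsa host and the contents of /etc/ssh/ssh_host_rsa_key.pub; only when the function returns True should the keyscan line be pasted into the External File Server Public Key field.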
• Install and configure an external database; see Database Setup for IM and Presence Service on Cisco Unified Communications Manager, available at http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-installation-and-configuration-guides-list.html.
Field: Description
Name: Enter the name of the file server. Ideally the server name should be descriptive enough to be instantly recognized. Maximum characters: 128. Allowed values are alphanumeric, dash, and underscore.
• If you change this setting, you must restart the Cisco XCP Router service.
External File Server Public Key: Paste the file server's public key (the key you were instructed to save to a text file) into this field.
If you did not save the key, it can be retrieved from the file server by running the command
$ ssh-keyscan -t rsa host
on the file server, where host is the IP address, hostname, or FQDN of the file server.
You must copy and paste the entire key text starting with the hostname, FQDN, or IP address to the end. For example, copy:
extFileServer.cisco.com ssh-rsa AAAQEAzRevlQCH1KFAnXwhd5UvEFzJs...
...a7y49d+/Am6+ZxkLc4ux5xXZueL3GSGt4rQUy3rp/sdug+/+N9MQ==
(ellipses added).
External File Server Directory: The path to the top of the file server directory hierarchy. For example, /opt/mftFileStore/node_1/
User Name: The user name of the external file server administrator.
Step 4 Repeat these steps to create an external file server instance for each node in the cluster that has
managed file transfer enabled.
Step 5 Click Save.
Step 5 In the Managed File Transfer Assignment area, assign the external database and the external file
server for each node in the cluster.
1. External Database : From the drop-dow n list, choose the name of the external database.
2. External File Server: From the drop-dow n list, choose the name of the external file server.
Step 6 Click Save. After clicking Save a Node Public Key link, for each assignment, appears.
Step 7 For each node in the cluster that has managed file transfer enabled, you must copy the node's entire
public key to the external file server's authorized_keys file.
a) To display a node's public key, scroll dow n to the Managed File Transfer Assignment area and click the
Node Public Key link. Copy the entire contents of the dialog box including the node's IP address,
hostname, or FQDN.
ssh-rsa
yc2EAAAABIw AAAQEAp2g+S2XDEzptN11S5h5nw VleKBnfG2pdW6KiLfzu/sFLegioIIqA8jBguNY/......5s+tus
rtBBuciCkH5gfXw rsFS0O0AlfFvw nfq1xmKmIS9W2rf0Qp+A+G4MVpTx Hgaonw == imp@imp_node (ellipses
added).
Note
• If the managed file transfer feature is configured and the File Transfer Type is changed to
either Disabled or Peer-to-Peer, all managed file transfer settings are deleted.
• A node's keys are invalidated if the node is unassigned from the external database and file server.
b) On the external file server, if it was not left open, open the ~mftuser/.ssh/authorized_keys file that
you created under the mftuser's home directory and (on a new line) append each node's public key.
Note
The authorized_keys file must contain a public key for each managed file transfer enabled IM and
Presence Service node that is assigned to the file server.
This service only starts if an external database and an external file server have been assigned, and if the
service can connect to the database and mount the file server. Complete the following steps to check that
the Cisco XCP File Transfer Manager service is active on all managed file transfer enabled nodes:
a) On any node in the cluster, log in to the Cisco Unified IM and Presence Serviceability user interface.
b) Navigate to Tools > Service Activation.
c) Choose a server (node) and click Go.
d) Ensure the check box next to Cisco XCP File Transfer Manager is checked and that the
Activation Status is Activated.
Note
If the above conditions are not met, click Refresh. If the Activation Status remains the same after a
Refresh, go to Step 8.
a) On any node in the cluster, log in to the Cisco Unified IM and Presence Serviceability user interface.
b) Navigate to Tools > Control Center - Feature Activation.
c) Choose a server (node) and click Go.
d) In the IM and Presence Services area, click the radio button next to Cisco XCP File Transfer
Manager.
e) Click Start.
f) Repeat steps c-e for all nodes where managed file transfer is enabled. This should be the same as
step 6) in step 10 below.
Step 10 Restart the Cisco XCP Router service.
a) On any node in the cluster, log in to the Cisco Unified IM and Presence Serviceability user interface.
b) Navigate to Tools > Control Center - Network Services.
c) Choose a server (node) and click Go.
d) In the IM and Presence Services area, click the radio button next to Cisco XCP Router.
e) Click Restart.
f) Repeat steps c-e for all nodes where managed file transfer is enabled.
Step 11 Verify that there are no problems with the external database setup and with the external file
server setup.
a) Log in to the node's Cisco Unified CM IM and Presence Administration user interface.
b) Navigate to Messaging > External Server Setup > External File Servers .
c) Check the information provided in the External File Server Status area.
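For Step 7 of the procedure above, an added example (not from this white paper) of appending node public keys to the mftuser authorized_keys file from a shell on the external file server, rejecting truncated or malformed keys and skipping entries already present. The file path and the sample keys are assumed placeholders, not keys from any real node.

```shell
#!/bin/sh
# Added example (not from the Cisco document): append an IM and Presence node's
# public key to the mftuser authorized_keys file as Step 7 describes, rejecting
# malformed lines and skipping keys that are already present.
# Assumption: AUTH_KEYS points at the mftuser's authorized_keys file; the sample
# keys below are constructed placeholders, not keys from any real node.

AUTH_KEYS="${AUTH_KEYS:-$HOME/.ssh/authorized_keys}"

# Return 0 if the line is a complete OpenSSH public key: "<type> <base64> [comment]".
valid_pubkey_line() {
  set -- $1
  case "${1:-}" in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) return 1 ;;
  esac
  blob=${2:-}
  [ -n "$blob" ] || return 1
  # The key body must be base64 text whose length is a multiple of 4; a truncated
  # paste (like the "..." in the document's sample) fails this check.
  printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
  [ $(( ${#blob} % 4 )) -eq 0 ]
}

# Append one node key unless an identical key body is already on file.
# Returns 0 when appended, 2 when skipped as a duplicate, 1 when rejected.
add_node_key() {
  key=$1
  valid_pubkey_line "$key" || { echo "rejected malformed key" >&2; return 1; }
  blob=$(printf '%s\n' "$key" | awk '{print $2}')
  mkdir -p "$(dirname "$AUTH_KEYS")"
  touch "$AUTH_KEYS"
  chmod 600 "$AUTH_KEYS"
  if awk -v b="$blob" '$2 == b {found=1} END {exit !found}' "$AUTH_KEYS"; then
    echo "key already present, skipping" >&2
    return 2
  fi
  # The document requires each key on a new line: terminate the last line if needed.
  [ ! -s "$AUTH_KEYS" ] || [ "$(tail -c 1 "$AUTH_KEYS")" = "" ] || printf '\n' >>"$AUTH_KEYS"
  printf '%s\n' "$key" >>"$AUTH_KEYS"
}

# Count the valid keys on file (one per managed-file-transfer-enabled node expected).
count_keys() {
  n=0
  while IFS= read -r l || [ -n "$l" ]; do
    case "$l" in ''|'#'*) continue ;; esac
    valid_pubkey_line "$l" && n=$((n + 1))
  done <"$AUTH_KEYS"
  echo "$n"
}

# Constructed sample keys (placeholders with the document's imp@imp_node comment style).
NODE1_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDExampleKeyNot imp@imp_node1"
NODE2_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDAnotherKeyOne imp@imp_node2"
BAD_KEY="ssh-rsa AAAQEAzRevlQCH1KFAnXw imp@imp_node3"   # truncated body

if [ "${1:-}" = "--demo" ]; then
  AUTH_KEYS=$(mktemp)
  add_node_key "$NODE1_KEY"
  add_node_key "$NODE2_KEY"
  add_node_key "$NODE1_KEY" || echo "duplicate handled (status $?)"
  add_node_key "$BAD_KEY" || echo "malformed handled (status $?)"
  echo "keys on file: $(count_keys)"
  rm -f "$AUTH_KEYS"
fi
```

Run it with `--demo` to exercise the checks against a temporary file; in production point AUTH_KEYS at ~mftuser/.ssh/authorized_keys.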
a) In Unity Connection, navigate to Telephony Integrations > Port Group, and then go to Edit > Servers.
b) Add the other CUCM Server (SIP Servers) IP Address/Hostname and Port details.
Step 3 If the Unity Connection Cluster has Active-Active publishers, complete the following configuration
in Unity Connection:
When Unified CDM provisions the Voicemail service, the ports are created only for Publisher1 of the Unity
cluster. You need to manually add the ports for Publisher2.
a) Update the jabber-config.xml file with the following voicemail parameters.
<Voicemail>
  <VoicemailService_UseCredentialsFrom>phone</VoicemailService_UseCredentialsFrom>
  <VoicemailPrimaryServer>X.X.X.X</VoicemailPrimaryServer>
</Voicemail>
Where X.X.X.X is the FQDN or hostname of the Unity Connection server.
b) Upload the jabber-config.xml to all the CUCM TFTP servers, and then restart the TFTP service on the TFTP
server nodes.
a) In Unified CM IM and Presence Administration, navigate to Presence > Settings > Advanced
Configuration.
Default Domain or IM Address Scheme cannot be changed until the following services are stopped on all the
nodes. Ensure that HA is disabled before stopping these services.
a) Create a call handler (Call Management > System Call Handlers) with a display name. Associate
the right Phone system and partition.
d) Check Ask Me If I Want to Take a Call and Ask for Caller's Name, and save the settings.
e) Navigate to Call Management > Call Routing > Forwarded Routing Rules and create a new rule.
f) Provide the display name of the new rule, and click the radio button Call Handler. Select the call
handler which was created.
Step 1 Specify the system host name and domain name at System > DNS.
Step 3 Synchronize all Expressway systems to a reliable NTP service at System > Time. Use an
authentication method in accordance with your local policy.
Step 2 Select the domains (or create a new domain, if not already configured) for the services to route to
Unified CM.
Step 3 For each domain, turn On the services for that domain that Expressway is to support.
Configure SIP
Procedure
Step 1 On Expressway-C, go to Configuration > Unified Communications > Unified CM servers.
The resulting page displays all configured servers.
The system attempts to contact the publisher and retrieve details of its associated
nodes.
d. Under 'Related Tasks' at the bottom of the page, repeat for each additional Unified CM
node, as well as all IM and Presence and Cisco Unity Connection nodes.
In this scenario, SIP is authenticated using a digest-based mechanism by which the credentials are
validated on Expressway-E but stored on (or retrieved from) Expressway-C. Retrieving and validating the digest
authentication is costly, so the credentials are cached on Expressway-E. The cache has the following
parameters.
Digest Cache ExpireCheckInterval. Controls the timer frequency for checking for and removing
expired digest credentials from the cache. The default is 3600 seconds.
Digest Cache Lifetime. Controls the lifetime of a digest. The default is 600 seconds. Expired
digests in a cache are erased.
Proposed Improvement: Set Digest Cache ExpireCheckInterval and Digest Cache Lifetime
to 7200 seconds. The implication of this change is that the maximum time that a phone or soft
client can remain connected to the Expressway-E is now 7200 seconds or 2 hours. The cache
can maintain the credentials for a maximum of 14400 seconds or 4 hours. Credentials continue
to be additionally validated by the Cisco Unified CM. See the specific documentation for your
version to check the credential revocation policy.
Procedure
Step 1 Specify the system host name and domain name at System > DNS.
Step 3 Synchronize all Expressway systems to a reliable NTP service at System > Time. Use an
authentication method in accordance with your local policy.
Step 4 Navigate to System > Network Interfaces > IP and verify the following:
LAN settings are in IPv4 mode.
Dual network interfaces are configured properly if needed.
The IPv4 address, gateway, and subnet mask are correct.
IPv4 static NAT mode is on for the external LAN.
The IPv4 static NAT address is the correct public IP.
Configure SIP
Procedure
Step 1 On the Expressway-E, navigate to Configuration > Zones > Zones and click New.
Step 2 Configure a zone of type DNS and set TLS Verify Mode to Off.
Step 1 On the Zones page, create a Unified Communications Traversal Zone to Expressway-C.
Step 2 Configure the SIP settings and authentication as shown in the following image.
The connection credentials on the Expressway pair should match.
Step 3 Ensure the TLS verify subject name reflects the FQDN of Expressway-C and that it is reachable.
Configure Cisco Unified CM to receive calls directly from Expressway-E through Expressway-C and assist
with Mobile Remote Access (MRA).
Procedure
Step 3 Use CTRL+F to search for "fully." The search takes you to the setting titled Cluster Fully
Qualified Domain Name.
Step 4 Enter the public domain name created for MRA followed by the FQDN of the Shared
Architecture Cisco Unified Communications Manager.
Routing Configuration
Pre-search Transforms
Pre-search transform configuration allows the destination alias (called address) in an incoming search request
to be modified. The Expressway applies the transformation before any searches are sent to external zones.
The pre-search transform configuration described in this document is used to standardize destination aliases
originating from both H.323 and SIP devices. This means that the same call searches work for calls from both
H.323 and SIP endpoints.
For example, if the called address is an H.323 E.164 alias "01234", the Expressway automatically appends
the configured domain name (in this case example.com) to the called address (that is, 01234@example.com,
making it into a URI), before attempting to set up the call.
Use pre-search transforms with care, because they apply to all signaling messages. If they match, they will
affect the routing of Unified Communications messages, provisioning and presence requests as well as call
requests.
Transformations can also be carried out in search rules. Consider whether it's best to use a pre-search
transform or a search rule to modify the called address to be looked up.
Search Rules
Search rules define how the Expressway routes calls (to destination zones, such as to Unified CM, or another
Expressway, or Meeting Server) in specific call scenarios. When a search rule is matched, the destination
alias can be modified according to the conditions defined in the search rule.
The search rules described in this document are used to ensure that endpoints can dial H.323 devices that
have registered E.164 numbers or H.323 IDs without a domain portion. The search rules first search for
received destination aliases without the domain portion of the URI, and then search with the full URI.
The search rules described here are used to enable the following routing combinations:
Calling party Called party
The routing configuration in this document searches for destination aliases that have valid SIP URIs. That is,
using a valid SIP domain, such as id@domain.
You can configure routing which enables calls to unregistered devices on an internal network (routing to the
IP addresses of the devices) by configuring a search rule with a mode of Any IP address with target Local
Zone. However, this is not recommended (and not described in this document). The best practice is to register
all devices and route using destination aliases.
Configure Transforms
The pre-search transform configuration described in this document is used to standardize destination aliases
originating from both H.323 and SIP devices.
The following transform modifies the destination alias of all call attempts made to destination aliases which
do not contain an '@'. The old destination alias has @example.com appended to it, thus standardizing all
called destination aliases into a SIP URI format.
Procedure
Step 1 On Expressway-C and Expressway-E, navigate to Configuration > Dial plan > Transforms.
Priority: Enter 1
State: Enabled
Priority: Enter 50
Protocol: Any
Source: Any
Request must be authenticated: No
Target: Local Zone
State: Enabled
H.323 Mode: On / On
For VCS: Lowest resource usage is determined by comparing the number of available traversal calls
(maximum minus current use) on the peers, and choosing the peer with the highest number. Peers that are in
maintenance mode are not considered.
When configuring a connection to a remote cluster, you create a single zone and configure it with details of
all the peers in the cluster. Adding this information to the zone ensures that the call is passed to that cluster
regardless of the status of the individual peers.
You also need to enter the IP address of all peers in the remote cluster when the connection is via a
neighbor or traversal client zone. You do not do this for traversal server zones, as these connections are not
configured by specifying the remote system's IP address.
Note Systems that are configured as peers must not also be configured as neighbors to each other, and
vice versa.
Neighboring Clusters
To neighbor your local Expressway (or Expressway cluster) to a remote Expressway cluster, you create a
single zone to represent the cluster and configure it with the details of all the peers in that cluster:
Procedure
Step 1 On your local Expressway (or, if the local Expressway is a cluster, on the primary peer), create a
zone of the appropriate type. This zone will represent the connection to the cluster.
Step 2 In the Location section, enter the IP address or FQDN of each peer in the remote cluster in the Peer
1 to Peer 6 address fields.
Note: Ideally you should use FQDNs in these fields. Each FQDN must be different and must resolve to a
single IP address for each peer. With IP addresses, you may not be able to use TLS verification, because
many CAs will not supply certificates to authenticate an IP address.
The order in which the peers in the remote Expressway cluster are listed here does not matter.
Whenever you add an extra Expressway to a cluster (to increase capacity or improve redundancy, for example)
you will need to modify any Expressways which neighbor to that cluster to let them know about the new
cluster peer.
Request must be authenticated: No / No
This example routes any alias across the traversal zone towards the Expressway-C. You can be more
selective by adding search rules or configuring call policy.
Step 4 Click Create search rule.
Rule name: Enter a rule name, for example, DNS zone search rule.
Description: Enter a description, for example, Search DNS zone (external calling).
Protocol: Any
Request must be authenticated: No
Mode: Alias pattern match
State: Enabled
Calls to unknown IP addresses: In Expressway-C, set to Indirect. In Expressway-E, set to Direct.
Step 1 In Expressway-E, navigate to Configuration > Dial plan > Search rules.
Step 2 Click New.
Step 3 Configure the fields as follows:
If the internal firewall (B) is not doing NAT for traffic from the internal network (subnet 10.0.30.0 in the
diagram) to LAN1 of the Expressway-E (for example, traversal client traffic from Expressway-C), that traffic
still has the originating IP address (for example, 10.0.30.2 for traffic from Expressway-C in the diagram). You
must create a static route towards that source from LAN1 on the Expressway-E, or the return traffic goes to
the default gateway (10.0.10.1). You can do this on the web UI (System > Network interfaces > Static
routes) or using xCommand RouteAdd at the CLI.
If the Expressway-E needs to communicate with other devices behind the internal firewall (e.g., for reaching
network services such as NTP, DNS, LDAP/AD and syslog servers), you also need to add static routes from
Expressway-E LAN1 to those devices/subnets.
In this particular example, we want to tell the Expressway-E that it can reach the 10.0.30.0/24 subnet behind
the 10.0.20.1 firewall (router), which is reachable via the LAN1 interface. This is accomplished using the
following xCommand RouteAdd syntax:
xCommand RouteAdd Address: 10.0.30.0 PrefixLength: 24 Gateway: 10.0.20.1 Interface: LAN1
In this example, the Interface parameter could also be set to Auto as the gateway address (10.0.20.1) is only
reachable via LAN1.
Note: The xCommand RouteAdd command and the equivalent web UI are detailed in the Expressway
help and the Expressway Administrator Guide.
Procedure
Step 1 In Expressway-E, navigate to System > Network interfaces > Static routes.
Step 2 Complete the following fields to create a static route:
Fields Description
Prefix length
Address range
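An added example (not from this white paper) that checks the static-route parameters from the section above before they are issued with xCommand RouteAdd: the prefix length must be valid, the destination must be a network address, and the gateway must sit on LAN1's own subnet, since otherwise the return traffic still goes to the default gateway. The LAN1 address 10.0.20.2/24 is an assumption made for this example; 10.0.30.0/24 and 10.0.20.1 are the document's values.

```shell
#!/bin/sh
# Added example (not from the Cisco document): sanity-check the parameters for
# the static route described above before running xCommand RouteAdd on the
# Expressway-E. Assumed (constructed) value: LAN1 of the Expressway-E is
# 10.0.20.2/24. The 10.0.30.0/24 subnet and the 10.0.20.1 gateway are the
# document's own figures.
LAN1_ADDR="${LAN1_ADDR:-10.0.20.2}"
LAN1_PREFIX="${LAN1_PREFIX:-24}"

# Dotted-quad IPv4 address to an unsigned integer.
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Network mask (as an integer) for a prefix length 0-32.
prefix_mask() {
  echo $(( 4294967295 & ~((1 << (32 - $1)) - 1) ))
}

# Return 0 when both addresses fall in the same /$3 network.
same_subnet() {
  m=$(prefix_mask "$3")
  [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# Print the RouteAdd command for destination network $1/$2 via gateway $3 on
# interface $4 (default LAN1). Return 1 when the prefix length is out of range,
# the destination has host bits set, or the gateway is not on LAN1's subnet
# (such a route would not take effect and return traffic would still use the
# default gateway).
route_add_cmd() {
  dest=$1; plen=$2; gw=$3; iface=${4:-LAN1}
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  m=$(prefix_mask "$plen")
  [ $(( $(ip_to_int "$dest") & m )) -eq "$(ip_to_int "$dest")" ] || return 1
  same_subnet "$gw" "$LAN1_ADDR" "$LAN1_PREFIX" || return 1
  echo "xCommand RouteAdd Address: $dest PrefixLength: $plen Gateway: $gw Interface: $iface"
}

# Demonstration with the document's values: the first route is accepted, the
# second is rejected because 10.0.10.1 (the default gateway) is not on LAN1.
if [ "${1:-}" = "--demo" ]; then
  route_add_cmd 10.0.30.0 24 10.0.20.1 || echo "route rejected"
  route_add_cmd 10.0.30.0 24 10.0.10.1 || echo "gateway 10.0.10.1 is not on LAN1: route rejected"
fi
```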
Logging in to MRA
Prerequisite
Ensure that the Expressway-E is reachable from your desk phone after the network configuration is done. See
the Cisco Expressway Basic Configuration Deployment Guide for detailed information.
Sync the users with the Top Down approach.
Create a Jabber Config file for each customer for user separation and voice mail.
Configure the following services for the end users:
Configure home cluster.
Add mobility services.
Add Jabber/iPhone/iPad/Android devices as required.
Step 4 In the Default User Profile (for User Self Provisioning) field, enter the default user profile
for the site.
Step 1 Ensure that the Cisco CallManager, Cisco CTIManager, and Self-Provisioning IVR services
are activated and running: Cisco Unified Serviceability > Tools > Control Center –
Feature Services.
c. Fill in name, device pool, CSS, and any other needed options.
d. Add a new DN in the proper partition (this is the IVR number that users dial).
Step 5 Configure an application user and credentials so the system can connect to the IVR self-
provisioning service.
a. Go to User Management > Application User.
b. Click Add New.
c. Fill in user ID and password.
d. Add to Access Control Group and select the following groups: Standard CTI
Enabled, Standard CTI Secure Connection, Standard CCM End Users, and
Standard CCM Admin Users.
e. Add the CTI route point device to the list of controlled devices.
ciscojabber://provision?ServicesDomain=<service-domain>
More information can be found in the Cisco documentation here.
Step 4 Add the customer entry to the Expressway-C Allow List.
a. Sign in to Expressway-C as an administrator.
b. Go to Configuration > Unified Communications > Configuration.
c. Click Configure HTTP server allow list.
d. Click New.
e. For Expressway version X8.8 or earlier, enter the customer domain with UDS service in the
name (for example, uds.provider.com).
Directory Search Scope (default: All Users in the System): Allows you to determine whether user data service (UDS)
user searches are limited to users mapped to the same customer, or to all users in the system. When the scope is
set to "Only Users within the Same Customer," the UDS search requires authentication and UDS will limit search
results to users with the same customer.
Search Behavior for Users with No Customer Mapping (default: Only Search within Users with No Customer Mapping):
Allows you to determine the behavior for UDS user searches by an end user that is not mapped to any customer.
User Customer Map Audit Time (default: 0000-00-00 00:00): Allows you to schedule a user customer mapping audit.
When this parameter is set, the audit for the user customer mapping between CUCM and the configured LDAP directory
will be performed at the configured time. After the audit is completed, you can generate a report with the Real-Time
Monitoring Tool (RTMT) under "Cisco DirSync" to view the results.
Important: the value you enter for this parameter must not be in the past.
Note: There is no need to change the Corporate directory and other service URLs. CE platform phones may require
that you modify the alternate phone book server address in CUCM's Device page. Use the updatePhone AXL API to
add a query parameter to the alternate phone book server URL to limit the contact search scope to a specific customer
(for example, "?customer=[customerName]").
Step 1 Create the XML file. Change the UdsServer to the appropriate customer domain in the following template and
save it as jabber-config-<customer-name>.
The line related to photos is optional. It gives you the possibility to serve a .png image of each user from the third-party
app (used for directory separation), located in the folder C:\inetpub\wwwroot\JabberPhotos\.
Step 5 Fill in the Cisco Support Field with the XML config file name.
a) In Unified CM, locate the desired device configuration page for the associated Jabber device.
b) Complete the Cisco Support Field with configurationfile=jabber-config-c2.xml, replacing the xml file name
with the appropriate file name.
c) If you don't see the Cisco Support Field for mobile devices, then install the following Cisco Options
Packages for your release of Cisco Unified Communications Manager:
• cmterm-android-install-XXX.cop.sgn
• mterm-jabbertablet-install-XXX.cop.sgn
• cmterm-iphone-install-XXX.cop.sgn
Procedure
Step 1 Log in to Unified CM, and navigate to Device > Device Settings > Phone Services.
Step 2 Search for Corporate Directory and select the directory.
Step 3 In the Service URL field, enter
Use any DNS name which resolves to the third-party app server IP.
Step 4 Click Save.
Step 5 Reboot any phones already registered.
Another option for some devices is to modify the Alternate phone book server address in the
device page with https://customer-name.<third-party app>.domain.com:8443/cucm-uds/users. Be sure
to replace customer-name.<third-party app>.domain.com with the DNS entry which resolves to the
third-party app IP in the HCS SA domain.
a) Subscribe the Corporate Directory Phone Service to users (go to Enterprise Parameters > Phone URL
Parameters > URL Authentication > Value and set it to <http://hostname or IP Address:8080
/ccmcip/authenticate.jsp>).
b) Set the DirectoryPartitionSearch parameter, which determines whether UDS user searches are
limited to users mapped to the same customer (when enabled) or to all users (when disabled).
c) Get the Service value with the following AXL API:
e) Update the Service AXL API call to enable the Service Parameter:
After the service is enabled, you can verify the service with the same Get AXL API call.
f) Set the EnableUserSearchWithCustomer parameter, which determines the behavior for UDS searches by
a user that is not mapped to any customer:
Enabled: search only within users with no customer mapping.
Disabled: user searches are not permitted.
Note that the AXL API calls described above also apply to this parameter.
g) Run the following in the command line:
i. utils contactsearchauthentication status
ii. utils contactsearchauthentication disable
iii. utils contactsearchauthentication enable
h) UDS contact search behavior depends on the following settings:
Configure User Separation with Imagicle
Follow this process for configuring user separation with Imagicle:
Step 2 Configure Imagicle. See their documentation for the latest configuration instructions:
https://www.imagicle.com/kb#/kb/contacts-separation_547.html
Onboarding
Step 5 Enable LDAP authentication in Unified CM for users that are synchronized from LDAP to the domain
manager.
Software Matrix
Table: Software matrix for HCS 11.5 Shared Architecture
* Cisco Unified CM and Prime Collaboration Assurance are the included domain manager and
assurance components for HCS SA with the HCS-K9-BUNDLE license. Others are available as
part of the HCS open provisioning architecture (OPA) or subscription licenses.
In this appendix, we describe using Cisco Unified CDM as the domain manager. If you use a different
domain manager, consult the documentation for that product.
The HCS SA customer onboarding process (including Cisco Unified CDM, LDAP, AD, Expressway, SBC,
and welcome emails) can be automated with third-party tools that use the APIs in the HCS SA components.
Consult the vendor of your tool for information on integrating with HCS SA to automate customer onboarding.
HCM-F Configuration
Customer information on the Cisco Unified CDM server is pushed to the Cisco HCM-F server and does not
require configuration.
Step 3 Click Add and fill in the hostname, administrator credentials, and version.
Step 3 Click Add and fill in the name, domain name, and administrator credentials
Add LDAP Server in Unified CDM and Define the CUCM LDAP Directory Name
Procedure
Step 1 In Unified CDM, navigate to LDAP Management > LDAP Server, and select the appropriate LDAP
server.
Step 2 Fill in the AD Sync Mode with the LDAP Directory name from Unified CM (LDAP > LDAP
Directory), and click Save.
Step 3 Add/update users in Unified CM.
Step 4 In Unified CDM, select the site in the hierarchy and navigate to User Management > Manage users.
Step 5 Select Add or update users to CUCM from the Action drop-down list.
Step 6 Select a Network Device List that contains the target Unified CM server.
Step 7 Click Select All.
Step 8 Click Save to move the selected users to Unified CM.
Step 9 Repeat for other sites.
Configure the Unified CM and IM and Presence Server Cluster in Cisco Unified
CDM
Procedure
Step 1 Sign in as the appropriate hierarchy administrator.
Only a provider administrator can create a shared architecture.
Step 2 Set the hierarchy path to the top level. Create a shared architecture node at the provider
level. Optionally, partners can create a reseller node.
The UC cluster server should be placed either at the shared architecture provider node or the
reseller node (exclusive shared architecture cluster for the reseller).
Step 3 Click Device Management > Cisco Unified Communications Manager > Servers.
Step 5 Enter the Unified CM or IM and Presence server name in the Server Name field.
Note: A Unified CM server that has been configured in HCM-F and synchronized to Cisco
Unified CDM can exist at the sys.hcs hierarchy. If the server name you enter matches this
server, the Migrate from HCM-F to Unified CDM check box is displayed. Click Save to
migrate this server to the current hierarchy level. The fields are populated with the values
that were configured in HCM-F. If you do not want to migrate the server, enter a different
server name.
Step 6 Select Voice_Video in the Server Type field for Cisco Unified CM or IM&P for IM and
Presence.
Port: The port on the Unified CM server to connect to. Default is 8443.
User Move Mode: Set to Automatic to automatically move synchronized users to sites,
based on the filters and filter order defined in User Management >
Manage Filters. Set to Manual if you want an administrator to manually
move synchronized users to a site.
User Entitlement Profile: Select the profile that specifies the devices and services to which
users who are synchronized from this Unified CM are entitled.
Note: A violation of the Entitlement Profile does not prevent a user
from being synchronized to Unified CDM from Unified CM. However,
subsequent updates to the user fail until the user's configuration
satisfies the restrictions in the Entitlement Profile.
Step 8 For a Unified CM or IM and Presence publisher node, fill in the Cluster Name field with the name
you want for this cluster. A new cluster is created with this name. This field is required. For Unified CM or IM
and Presence subscriber nodes, select the Unified CM or IM and Presence cluster from the Cluster Name
field.
Step 9 Expand network addresses.
a. Select SERVICE_PROVIDER_SPACE.
b. The Hostname field is automatically populated with the Unified CM
Server Name. Edit it if necessary.
c. Enter the IP address of the Cisco Unified CM or IM and Presence Server in the
IPv4 Address field.
Note: Enter either the hostname or the IP address as required. Ensure that the hostname or IP
address does not contain a trailing blank space. Unified CDM cannot validate an entry that
contains a blank space at the end of the hostname or IP address.
Step 11 On the Field Mappings tab, complete field mappings as necessary. Hard-coded mappings
appear in grey and cannot be modified.
Step 12 Click Save. A Unified CM or IM and Presence network device is created in Unified CDM. A
cluster and Unified CM or IM and Presence are created in the SDR.
Step 13 Test the connection between Unified CM or IM and Presence and Unified CDM.
a. Select Device Management > Advanced > Cisco Unified Communications
Manager Network Device.
b. Click the Unified CM or IM and Presence Server you just added.
c. Select Action > Test Connection.
If the test fails, and you used a hostname, ensure that Unified CDM has the correct DNS
and Domain set.
a. Sign in to the platform CLI.
b. Query the current DNS setting: network dns.
c. Set the DNS if needed: network dns <dns_server_ip_address>.
d. Query the current domain setting: network domain.
e. Set the domain if needed: network domain <domain>.
Note: Use the Cisco Unified CM Network Device page only for testing the
connection. Do not edit Unified CM from this page. To change any configuration of
the Unified CM, edit it from the Device Management > Cisco Unified
Communications Manager > Servers page in Unified CDM.
Configure Entitlement
Entitlement represents the set of services and devices (and their number) available for particular
subscribers.
Example:
1. Customer A specifies a user has voice service, an IP device, an analog set, and nothing else.
2. Customer B specifies users have both voice and voicemail services on 10 devices, and nothing else.
Procedure
Step 2 Create device groups to define sets of device types that users may be entitled to.
Step 3 Create entitlement catalogs to define limits on devices and services that entitlement profiles may
entitle users to.
Step 4 Create entitlement profiles to define the devices and services users are entitled to.
Step 5 Identify the entitlement profile for users that are synchronized from Cisco Unified CM.
Step 6 Identify the entitlement profile for users that are synchronized from LDAP.
Step 2 Click Customer Management > Network Device Lists. Select a customer on the hierarchy tree
where the NDL is to be created.
Step 5 Expand Cisco Unified CM and select the Cisco Unified CM instance.
Step 6 Expand Cisco Unity Connection and select the Cisco Unity Connection instance.
Step 3 Sign in as the provider or reseller administrator and select Device Management > Cisco Unified
Communications Manager > Unified CM Groups.
Step 4 Perform one of the following:
To edit an existing Cisco Unified CM group, click on the line item in the list of
existing instances. Go to step 5.
Step 5 Modify the following fields as required.
Tip: Each Cisco Unified CM cluster can have only one default auto-registration group. If you choose
a different group as the default auto-registration group, that is, you check the Auto-registration
Cisco Unified Communications Manager Group box for a different Cisco Unified CM group, the
previously chosen auto-registration group no longer serves as the default for the cluster. The
Auto-registration Cisco Unified Communications Manager check box displays for the previously
chosen group (the original default), and the check box gets disabled for the group that now serves
as the default.
Unified CM Group Items (Mandatory): Click Add (+) to select a Cisco Unified CM to add to the group.
Repeat as necessary to add multiple Cisco Unified CMs to the group. Click Remove (-) to remove a
Cisco Unified CM from the group. Click the up and down arrows to change the order of the Cisco
Unified CMs in the group.
Priority (Mandatory): Enter the priority number for this Cisco Unified CM in the group. The smaller
the integer, the higher the priority.
Selected Cisco Unified Communications Managers: This field displays the Cisco Unified CMs that are
in the group.
To modify any of these characteristics, make your changes and click Save.
To delete a group, check the box to the left of the Name column in the group list, and click Delete.
Self-Provisioning Process
The Cisco Unified CDM Self-Provisioning feature allows a user or administrator to add an un-provisioned
phone to a Cisco Unified CM system with minimal administrative effort. A phone can be added by plugging it
into the network and following a few prompts to identify the user.
The following process is used to self-provision a phone.
Step 1 The user or administrator connects the phone to the network.
Step 2 The user or administrator enters the server domain for the Expressway (for example, collabedge-
161.dc-01.com) and user credentials.
Step 4 The user or administrator dials the IVR application and satisfies the prompts (self-service ID
and PIN provided by the administrator).
Step 5 The IVR application deletes the auto-registered phone and adds it back using templates that
are associated with the user by their user profile.
Hierarchy Management, configured at Provider > Customer > IntermediateNode > Site.
Site dial plan, configured at Dial Plan Management > Site > Dial Plan.
Site defaults, configured at Site Management > Defaults.
Directory number inventory, configured at Dial Plan Management > Number
Management > Add Directory Number Inventory.
Dial plan verification. Dial plans must match the user numbers in Active Directory.
Step 2 Set the hierarchy path to the site node where you want to configure self-provisioning.
Step 3 Select User Management > Self-Provisioning > Line Mask.
Step 2 Set the hierarchy path to the site node where you want to configure self-provisioning.
Step 3 Select User Management > Self-Provisioning > User Profile.
Step 5 Perform the following on the Device Template Desk Phone tab.
a. Click the plus sign to add a new template.
b. Under Device Security Profile, select Model-independent Security Profile by Null
String 1024.
c. Select the SIP Profile.
d. Check Allow Control of Device From CTI.
e. Under Calling Search Space, select the appropriate option (for example, Cu2Si4-InternalOnly-
CSS).
Step 2 Select Dial Plan Management > Customer > Dial Plan.
Step 4 Check Enable CSS filtering to filter the calling search spaces available when configuring a
subscriber, phone, or line, to site level Class of Service calling search spaces. Filtering is disabled
by default, which results in all available Cisco Unified CM calling search spaces being available
when configuring a subscriber, phone, or line.
Step 2 Select Dial Plan Management > Advanced Configuration > Dial Plan Schema Group.
Step 3 Choose a dial plan schema group to clone, or create a new dial plan schema group.
If you choose an existing dial plan schema group, select Action > Clone. Update the Dial Plan Schema Group Name on the General tab. For example, clone Cisco Type 4 Schema Group and give it the name "Cisco Type 4 Schema Group with France."
Step 5 Add the two schemas associated with the country dial plan to the dial plan schema group.
HcsGenericCustomer<Country>DP-V<version>-SCH: The schema template used to deploy the customer-level country dial plan elements for the target country.
HcsGenericSite<Country>DP-V<version>-SCH: The schema template used to deploy the site-level country dial plan elements for the target country.
Provide the following mandatory information for the two schemas:
Field Description
Dial Plan Schema Usage Select Add Site for both schemas.
Dial Plan Schema Scope Select Customer for the customer schema. Select Site for the site schema.
Dial Plan Schema Name Select HcsGenericCustomer<Country>DP-V<version>-SCH for the customer schema. Select HcsGenericSite<Country>DP-V<version>-SCH for the site schema.
Add a Site
Procedure
Step 1 Sign in to the server as a provider, reseller, or customer administrator.
Step 2 Set the hierarchy to the intermediate node for the customer for whom you are creating the site.
Step 3 Click Site Management > Sites.
Step 4 Click Add.
Step 5 Complete the following fields:
Option Description
The fields are populated with the values that were configured in HCM-F. If you do not want to migrate the customer location, enter a different site name.
External ID External clients can use the external ID of the site if needed. This field is not used by other components in Cisco HCS.
Create Local Admin Controls whether a default local administrator is created for the site.
Cloned Admin Role The customer role used to create a new role prefixed with the site name. The created site role, shown in the Default Admin Role field, is assigned to the default local administrator user. This field appears only if Create Local Admin is checked.
Default Admin Role The created site role that is assigned to the default local administrator. This field is read only and appears only if Create Local Admin is checked.
Default Admin Password The password to assign to the default local administrator. This field appears only if Create Local Admin is checked.
Repeat Default Admin Password Confirm the default local administrator password. This field appears only if Create Local Admin is checked.
Country The country is used to determine which dial plan to download to the site when the dial plan is configured on the site. This field is mandatory.
Network Device List Choose the NDL containing the UC applications and WebEx to be used by the site. Once an NDL has been set for the site, it cannot be removed from the site, nor can the NDL be changed to another NDL.
Auto Push Users to Cisco Unified Communications Manager If enabled, users are automatically pushed to the Cisco Unified CM that is associated with the NDL. The default is disabled.
You can edit the site later, and enable this check box for one of the following reasons:
To automatically push users at the site to the Cisco Unified CM
Step 2 Set the hierarchy path to the site for which you want to create a site dial plan. If the hierarchy path is not set to a site, you are prompted to select a site.
Step 3 Select Dial Plan Management > Site > Dial Plan.
Step 5 Modify the External Breakout Number, if necessary. The External Breakout Number is the PSTN prefix that is used when deploying a country dial plan. For Cisco HCS Type 1 to 4 dial plan schemas, you deploy country dial plans at the customer level. The country dial plan is not pushed to Unified CM until the first site associated with a given country is deployed. For example, if a site is associated with the United States, and it is the first site dial plan being created for the USA, the US country dial plan is deployed as part of creating the site's dial plan. The default is 9. The External Breakout Number is one digit in length.
Note: We support only one External Breakout Number for each country. For example, all sites in the USA have the same External Breakout Number as the first site in the USA.
Step 6 Enter the Extension Length. Values can be 1 to 30. The default is 4; for example, 2000.
Note: The extension length for DNs is not enforced. Therefore, the administrator must be conscious of extension length when adding DNs for a particular site; otherwise DNs may not be dialable.
Step 7 Perform one of the following for sites without Inter-Site Prefixes (ISPs). This field appears if your Customer Dial Plan does not use ISPs; for example, HCS Type 3 dial plans (SLC, no ISP, DN=SLC+EXT).
Check Use extension prefix if your customer dial plan has an extension prefix defined and you want this site to use the extension prefix.
If an Extension prefix is not defined in the customer dial plan for this site, go to the next step.
Step 8 Enter the Area Code. Enter 0 or more valid local area codes for the site. Specify the length of the subscriber part of the PSTN number for each area code. The area code is used to generate the PSTN local route patterns for the site. For example, in the USA, if area codes are added for Dallas, Texas, the area codes could be specified for local dialing as 214, 469, and 972 with a subscriber length of 7.
Step 9 Enter the Local Number Length, which is the length for the subscriber section of the entire E.164 number.
Step 10 Check Area Code used for Local Dialing if the area code is needed for local dialing from this site. In the US, this setting determines whether you use 7-digit or 10-digit local dialing.
Step 11 Select the Published number from the list of available E.164 inventory numbers, or enter a custom number.
The site published number is the default E.164 mask when a line is associated to a phone at a particular site.
Step 12 Select the Emergency Call Back Number for the site from the list of available E.164 inventory numbers, or enter a custom number.
The site emergency call-back number is the calling number when initiating an outgoing emergency call. It can be used when you use Extension Mobility and make an emergency call from a site other than your own. It can be used when the emergency call goes out to the PSTN network, when the system includes the site emergency number so that the origin of the call is known. The system adds this calling party transformation to the DN2DDI4Emer-PT partition.
Notes:
The emergency number is not the number to dial for an emergency. Instead, it is the number used to identify the calling party for emergency calls originating from a particular site.
Under the Emergency Number field, there is the Site ID read-only field. The Site ID is a unique, auto-generated, read-only number for each customer site which is prefixed to elements as an identifier (for example, Cu4Si2 indicates Customer 4, Site 2).
Step 13 Click Save to add the Site Dial Plan you defined. The site information is loaded on the Unified CM, and is identifiable by its customer ID and site ID prefix.
Important: Each addition to the E.164 Inventory must contain a unique set of numbers. That is, you cannot assign the same number more than once (globally).
Procedure
Step 1 Sign in as a provider, reseller, or customer administrator.
Step 2 Set the hierarchy path to point to the customer for whom you are adding the E.164 inventory.
Step 3 Select Dial Plan Management > Number Management > Add E164 Inventory.
Step 4 Provide the following information:
Field Description
Site For a site-specific E.164 inventory, select the customer site. For a customer-wide E.164 inventory, leave this field unset.
Country Select the country associated with the E.164 inventory. If a site was specified, this field is automatically populated with the country associated with the site. This field is mandatory.
Country Code The country code for the selected country. Refer to this read-only field when specifying the Starting Number and Ending Number fields, which must contain a valid country code.
Starting Number Enter the starting number of the range of E.164 numbers. The field is populated with + followed by the country code for the selected country. Append the rest of the starting number after the country code. This field is mandatory.
Ending Number Enter the ending number of the range of E.164 numbers. The format is the same as the Starting Number. This field is optional. If not provided, the single E.164 number specified in the Starting Number is added. If provided, the range of E.164 numbers is added: Starting Number to Ending Number, inclusive. A maximum of 1000 numbers can be added at a time.
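The rules in the table above (the +country-code prefix, the optional inclusive Ending Number, the 1000-number cap and the global uniqueness requirement) are easy to get wrong when inventories are scripted. The following is an added example, not Unified CDM code: it expands one Add E164 Inventory request into the numbers it would create and rejects requests the form would refuse. The helper names and the COUNTRY_CODES sample are this example's own assumptions.

```python
"""Expand an Add E164 Inventory request the way the table above describes it.
Added example, not Unified CDM code: the helper names and the COUNTRY_CODES
sample are this example's own assumptions."""
from typing import List, Optional, Set

MAX_NUMBERS_PER_REQUEST = 1000  # limit stated in the Ending Number description
E164_MAX_DIGITS = 15            # E.164 numbers carry at most 15 digits

# Constructed sample of the read-only Country Code field for a few countries.
COUNTRY_CODES = {"United States": "1", "France": "33", "United Kingdom": "44"}


def parse_e164(number: str, country_code: str) -> str:
    """Return the digits of number after checking its '+<country code>' prefix."""
    if not number.startswith("+"):
        raise ValueError(f"{number!r} must start with '+'")
    digits = number[1:]
    if not digits.isdigit():
        raise ValueError(f"{number!r} may contain only digits after '+'")
    if not digits.startswith(country_code):
        raise ValueError(f"{number!r} must start with +{country_code}")
    if len(digits) > E164_MAX_DIGITS:
        raise ValueError(f"{number!r} exceeds {E164_MAX_DIGITS} digits")
    return digits


def expand_e164_inventory(country: str, starting: str,
                          ending: Optional[str] = None) -> List[str]:
    """Return every E.164 number the request adds: the single Starting Number,
    or the inclusive Starting..Ending range, capped at 1000 per request."""
    code = COUNTRY_CODES[country]
    start_digits = parse_e164(starting, code)
    if ending is None:
        return ["+" + start_digits]
    end_digits = parse_e164(ending, code)
    if len(end_digits) != len(start_digits):
        raise ValueError("Starting Number and Ending Number must have the same length")
    start, end = int(start_digits), int(end_digits)
    if end < start:
        raise ValueError("Ending Number is lower than Starting Number")
    count = end - start + 1
    if count > MAX_NUMBERS_PER_REQUEST:
        raise ValueError(f"{count} numbers exceed the limit of {MAX_NUMBERS_PER_REQUEST} per request")
    width = len(start_digits)
    return [f"+{n:0{width}d}" for n in range(start, end + 1)]


def already_in_inventory(existing: Set[str], new_numbers: List[str]) -> List[str]:
    """Numbers that would break the global uniqueness rule (must be empty to proceed)."""
    return [n for n in new_numbers if n in existing]


def e164_request_is_valid(country: str, starting: str, ending: Optional[str] = None) -> bool:
    """True when the request would be accepted, False when the form would reject it."""
    try:
        expand_e164_inventory(country, starting, ending)
    except (ValueError, KeyError):
        return False
    return True
```

Because the inventory is created only in Unified CDM, a pre-check like already_in_inventory against the numbers already held is the place to catch a duplicate before the request is submitted.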
This procedure creates the DN inventory only in Cisco Unified CDM. The numbers are not passed on to Cisco Unified CM.
Directory numbers can only be added or deleted. You cannot edit the directory numbers once they are added. The usage and availability property for each DN is associated with a line or taken into use by a service.
Step 2 Select an available customer from the hierarchy node at the top of the interface.
Step 3 Select Dial Plan Management > Number Management > Add Directory Number Inventory.
Step 4 From the Site field, select the site for which you are adding directory numbers. Leave this field empty to add customer level directory numbers.
Note: Customer level directory numbers can only be created for dial plans that do not use site location codes (flat dial plans). Attempting to create customer level directory numbers for site location code-based dial plans results in an error instructing you to specify a site when adding new DN inventory.
Step 5 Using the Extension Length, Site Location Code, and ISP read-only fields as guides for the site, enter the first number for the DN range in the Starting Extension field.
Note: For a Type 4 dial plan (no SLCs), the Starting and Ending Extension fields must contain no more than 16 digits each, including the + sign before the DN number, if used. For Types 1 to 3 dial plans, the Starting and Ending Extension fields must be less than or equal to the site Extension Length. If the Starting or Ending Extension field length is less than the site Extension Length, the DN number is padded with zeroes until its length equals that of the site Extension Length.
For a Type 4 dial plan (no SLCs), the Starting and Ending Extension fields may contain a * prefix (asterisk) before the 15-digit directory number. The * prefix denotes DNs that are used with hunt groups, assistant lines, Contact Center lines, and so on. This type of directory number cannot be reached from an outside line and cannot be associated with E.164 numbers. Typically, a DN with the * prefix is not called from another line (user), but is tied to a service feature such as call pickup, hunt groups, or Contact Center.
Example: If the Extension Length field shows four digits for a Type 3 Dial Plan, ensure that you enter a number containing four digits or less in the Starting Extension field. For example, DN 1234. If you enter DN 123, the extension number is created as DN 0123.
Step 6 (Optional) Using the Extension Length, Site Location Code, and ISP read-only fields as guides for the site, enter the last number for the DN range in the Ending Extension field. If you are adding a single DN, the ending number is the same as the starting number.
Note: The maximum number of directory numbers you can add is 1,000 at a time. If you need more than 1,000 directory numbers, repeat this procedure as required to add ranges.
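Steps 4 to 6 above state several rules that interact (a site is required unless the dial plan is flat, Type 4 fields are limited to 16 characters with an optional + or * prefix, Types 1 to 3 are zero-padded to the site Extension Length, and at most 1,000 DNs go in one request). The following added example, which is not Unified CDM code, applies those rules to a request and produces the DNs it would create; the helper names are this example's own assumptions.

```python
"""Validate and expand an Add Directory Number Inventory request following the
rules in Steps 4 to 6 above.  Added example, not Unified CDM code; the helper
names are this example's own assumptions."""
from typing import List, Optional

MAX_DNS_PER_REQUEST = 1000
TYPE4_MAX_FIELD_LEN = 16  # digits plus an optional leading + or * (Type 4 only)


def normalize_extension(ext: str, dial_plan_type: int, extension_length: int) -> str:
    """Apply the field rules to one Starting/Ending Extension value."""
    if dial_plan_type == 4:  # flat dial plan, no site location codes
        prefix, body = (ext[0], ext[1:]) if ext[:1] in ("+", "*") else ("", ext)
        if not body.isdigit():
            raise ValueError(f"{ext!r}: only digits may follow the optional + or * prefix")
        if len(ext) > TYPE4_MAX_FIELD_LEN:
            raise ValueError(f"{ext!r}: at most {TYPE4_MAX_FIELD_LEN} characters including the prefix")
        return ext
    if not ext.isdigit():
        raise ValueError(f"{ext!r}: extension must be numeric")
    if len(ext) > extension_length:
        raise ValueError(f"{ext!r}: longer than the site Extension Length of {extension_length}")
    # Shorter values are left-padded with zeroes, e.g. 123 becomes 0123 at length 4
    return ext.zfill(extension_length)


def expand_dn_inventory(site: Optional[str], dial_plan_type: int, extension_length: int,
                        starting: str, ending: Optional[str] = None) -> List[str]:
    """Return the DNs the request would create, or raise ValueError."""
    if site is None and dial_plan_type != 4:
        raise ValueError("specify a site: customer-level DNs exist only for flat (Type 4) dial plans")
    start = normalize_extension(starting, dial_plan_type, extension_length)
    end = normalize_extension(ending, dial_plan_type, extension_length) if ending else start
    start_prefix = start[0] if start[:1] in ("+", "*") else ""
    end_prefix = end[0] if end[:1] in ("+", "*") else ""
    if start_prefix != end_prefix:
        raise ValueError("Starting and Ending Extension must use the same prefix")
    start_body, end_body = start[len(start_prefix):], end[len(end_prefix):]
    if len(start_body) != len(end_body):
        raise ValueError("Starting and Ending Extension must have the same length")
    first, last = int(start_body), int(end_body)
    if last < first:
        raise ValueError("Ending Extension is lower than Starting Extension")
    if last - first + 1 > MAX_DNS_PER_REQUEST:
        raise ValueError(f"at most {MAX_DNS_PER_REQUEST} DNs per request; add further ranges separately")
    width = len(start_body)
    return [f"{start_prefix}{n:0{width}d}" for n in range(first, last + 1)]


def can_associate_e164(dn: str) -> bool:
    """DNs with the * service prefix cannot be associated with E.164 numbers."""
    return not dn.startswith("*")


def dn_request_is_valid(site: Optional[str], dial_plan_type: int, extension_length: int,
                        starting: str, ending: Optional[str] = None) -> bool:
    """True when the request would be accepted, False when the form would reject it."""
    try:
        expand_dn_inventory(site, dial_plan_type, extension_length, starting, ending)
    except ValueError:
        return False
    return True
```

The padding branch is the one to watch: because the extension length is not enforced on DNs themselves (see the note under Step 6 of the site dial plan), a DN of 123 silently becomes 0123 here, and that is the number users will have to dial.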
Typically, Directory Number Routing is used for Type 4 (flat dial plans) so that from a customer and site perspective, you can see which patterns are directory numbers because there are no SLCs available.
Procedure
Step 1 Sign in as the provider, reseller, customer, or site administrator.
Step 2 Select a valid site under your customer in the hierarchy node at the top of the view. If you attempt to add Directory Number Routing at any other node in the hierarchy, you will receive an error indicating that you must be at a site.
Step 3 Select Dial Plan Management > Site > Directory Number Routing.
Step 5 Enter a prefix in the Directory Number Routing Prefix field using up to 30 characters.
Example: Enter 234.
Step 6 Enter a DN mask length in the Directory Number Mask Length field.
Example: Enter 4. For this example, the Directory Number Routing would be 234XXXX, where XXXX is the mask.
Step 7 Click Save to add the Directory Number Routing that you defined. The new Directory Number Routing appears in the table.
If you create the association at a site, you can mix customer-level DNs and E.164 numbers with site-level DNs and E.164 numbers.
Procedure
Step 1 Sign in as provider, reseller, customer, or site administrator.
Step 2 Set the hierarchy path to point to the customer or site where you want to associate E.164 numbers with directory numbers.
Step 3 Select Dial Plan Management > Number Management > E164 Associations (N to N DN).
Step 4 Click Add.
Step 5 Provide the following information:
Field Description
Note: The range values you select map to the mask value when the association translation pattern is created. For example, when 10 is selected, all E.164 numbers and directory numbers that end in 0 are listed. The mask affects all digits 0 to 9, so you can't start the mask on a nonzero number. Likewise, when 100 is selected, the E.164 number and DN end in two zeros. This pattern results in a mask of XX. This field is mandatory and affects what appears in the fields that follow.
E164 Number Select the starting number of the range of E.164 numbers from the list. For a customer-level association, only customer-level E.164 numbers are available. For a site-level configuration, both customer-level and site-level E.164 numbers are available.
DN Number Select the starting extension number from the list. This field is mandatory.
Note: You cannot associate extension numbers that begin with an asterisk (*).
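Both the Directory Number Routing procedure (prefix 234 with mask length 4 giving 234XXXX) and the E164 Association range rule above (a range of 10 gives a mask of X and both numbers must end in 0, a range of 100 gives XX) are pattern constructions. The following is an added example, not Unified CDM code, that builds those patterns and lists the E.164-to-DN pairs an association covers; the helper names are this example's own assumptions.

```python
"""Build the patterns that Directory Number Routing (prefix + mask) and an
E164 Association (range-driven mask) produce, following the two procedures
above.  Added example, not Unified CDM code; the helper names are this
example's own assumptions."""
from typing import Dict

MAX_ROUTING_PREFIX_LEN = 30  # limit given in Step 5 of Directory Number Routing


def directory_number_routing_pattern(prefix: str, mask_length: int) -> str:
    """Prefix 234 with mask length 4 gives 234XXXX, where XXXX is the mask."""
    if not prefix or len(prefix) > MAX_ROUTING_PREFIX_LEN:
        raise ValueError(f"prefix must be 1 to {MAX_ROUTING_PREFIX_LEN} characters")
    if mask_length < 1:
        raise ValueError("mask length must be at least 1")
    return prefix + "X" * mask_length


def _mask_width(range_size: int) -> int:
    """Range 1 -> 0 X digits, 10 -> 1, 100 -> 2, and so on."""
    if range_size < 1 or str(range_size) != "1" + "0" * (len(str(range_size)) - 1):
        raise ValueError("range must be a power of ten (1, 10, 100, ...)")
    return len(str(range_size)) - 1


def e164_association(range_size: int, e164_start: str, dn_start: str) -> Dict[str, str]:
    """Describe the association translation pattern: both starting numbers
    must end in as many zeros as the mask has X digits."""
    if dn_start.startswith("*"):
        raise ValueError("extension numbers that begin with an asterisk cannot be associated")
    width = _mask_width(range_size)
    for label, number in (("E.164 number", e164_start), ("DN", dn_start)):
        if width and not number.endswith("0" * width):
            raise ValueError(f"{label} {number} must end in {width} zero(s) for a range of {range_size}")
    mask = "X" * width
    return {
        "mask": mask,
        "e164_pattern": e164_start[: len(e164_start) - width] + mask,
        "dn_mask": dn_start[: len(dn_start) - width] + mask,
    }


def expand_association(range_size: int, e164_start: str, dn_start: str) -> Dict[str, str]:
    """Every E.164 -> DN pair the association covers, one per masked value."""
    info = e164_association(range_size, e164_start, dn_start)
    width = len(info["mask"])
    e164_fixed = info["e164_pattern"][: len(info["e164_pattern"]) - width]
    dn_fixed = info["dn_mask"][: len(info["dn_mask"]) - width]
    pairs = {}
    for n in range(range_size):
        suffix = f"{n:0{width}d}" if width else ""
        pairs[e164_fixed + suffix] = dn_fixed + suffix
    return pairs


def association_is_valid(range_size: int, e164_start: str, dn_start: str) -> bool:
    """True when the form would accept the range and starting numbers."""
    try:
        e164_association(range_size, e164_start, dn_start)
    except ValueError:
        return False
    return True
```

Listing the pairs with expand_association before saving is a cheap way to confirm that a range of 100 really covers the block of DNs you intend, rather than the block ten DNs away that a mistyped starting number would select.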
Step 1 Synchronize users from LDAP to Unified CDM or create users in Unified CDM.
Step 2 Verify whether subscribers have a primary extension and self-service configured in Subscriber Management > Subscribers.
a. If they do not, then go to Subscriber Management > Quick Add Subscriber.
b. Select the proper username.
c. Enter a PIN.
d. Click Set Self Service Id at the bottom of the page.
e. Add the proper lines info for the subscriber.
f. Add Jabber device details if applicable.
g. Fill in any other details as necessary.
h. Click Save.
Step 3 Synchronize users from Unified CDM to Cisco Unified CM if not configured to automatically synchronize.
a. In Unified CDM, go to User Management > Manage Users.
b. Select Add or update users to Cisco Unified CM.
c. Select the appropriate Network Device List.
d. Select the appropriate users.
e. Click Save.
Step 4 Verify that the primary extension and the self-service User ID are auto-generated for users in Cisco Unified CM.
Step 5 Provide the following information to the user for registering endpoints:
Collab-edge address (the service domain)
User ID
User password
User self-service ID (only for desk phones)
User PIN (only for desk phones)
IVR number (only for desk phones)
(Optional) QR code for video-enabled phones. The QR code needs to contain the service domain and user ID with a comma separating the fields (for example, "collab-edge.dc-01.com,userone").
Note: With the information from step 5, users can self-provision their desk phones, using the following steps.
1. Plug their phone into the network.
2. Enter the Expressway domain as the service domain.
3. Enter their user ID and password, and then wait for the phone to automatically register and reboot.
4. Dial the IVR number.
5. Enter the user self-service ID.
Note: With the information from step 5, users can provision Jabber, using the following steps.
1. Download the Jabber installation file from cisco.com.
2. Open Jabber.
3. Enter the user ID with the collab-edge domain (example: user1@collab-edge-161.dc-01.com).
4. Enter the user password and sign in.
Users may need to restart Jabber (2-3 times) for directory search to work in case they have logged into Jabber with a different profile in the past. This forces Jabber to download the new configuration file.
Step 2 Set the hierarchy path to the node where the Cisco Unified CM is configured.
If you logged in as the customer administrator, select Device Management > Advanced > SIP Trunks.
To edit an existing SIP trunk, choose the SIP trunk to be updated by clicking on its box in the leftmost column, then click Modify to edit the selected SIP trunk. Go to Step 5.
Step 5 From the Cisco Unified Communications Manager field, select the hostname, domain name, or IP address of the Unified CM to which you want to add the SIP trunk.
This field appears only when a SIP trunk is added. It doesn't appear when you edit a SIP trunk.
Important:
The Cisco Unified Communications Manager field shows, in addition to the Unified CM located at the node, ALL Unified CM nodes in the hierarchies above the node where you are adding the SIP trunk. To provision a Unified CM server, see Installation Guide for Cisco Unified Communications Manager and IM and Presence Service.
Step 6 In the Device Name field, enter a unique name for the new SIP trunk or change the existing name if necessary.
Step 7 Complete the fields on each tab as appropriate. The following fields on each tab are required:
Step 8 To save a new SIP trunk, click Save. To save an updated SIP trunk, click Update.
The SIP trunk appears in the SIP trunk list. You can view the SIP trunk and its characteristics by logging in to the Unified CM where the SIP trunk was added, selecting Device > Trunk, and performing the Find operation. When you click on the name of the SIP trunk in the list, the trunk characteristics are displayed.
Note: The SIP trunk is automatically reset on the Unified CM as soon as it is added. To reset the SIP trunk at any other time, perform Reset SIP Trunks. For more information on configuring SIP trunks, see the Installing and Upgrading Guide for Cisco Hosted
Procedure
Step 1 – Sign in to Cisco Unified CM Administration.
Step 2 – Create one common partition to use for URI with all the customers by going to Call Routing > Class of Control > Partition > Add New.
Step 3 – Add the new partition to the appropriate CSS for each customer or site by going to Call Routing > Class of Control > Calling Search Space to select the CSS (for example, Cu1Si1-InternalOnly-CSS) and then add the partition created in the first step.
Step 4 – Add the new partition created in the first step to the Directory URI Alias Partition in the Enterprise Parameters under the System menu.
Step 2 Set the hierarchy node to the node where you want the users to be synchronized (we recommend the intermediate node).
Field Description
Administrator@stb.com
OU=LDAP0,DC=stb,DC=com
uid=admin,ou=system
cn=admin,dc=shared,dc=com
Admin Password Administrator password associated with the user. This field is required.
Search Base DN Base Distinguished Name for LDAP search. This should be a container or directory on the LDAP server where the LDAP users exist, such as an Organization Unit or OU.
As an example, to search within an Organizational Unit called CUS01 under a domain called GCLAB.COM, the Search Base DN would be OU=CUS01,DC=GCLAB,DC=COM.
For Shared Architecture the OU will be unique for each customer. The domain will be the same for all customers.
((&(OfficeLocations=RTP)(|(department=Engineering)(department=Marketing))): office is located in RTP and department is either Engineering or Marketing
(&(MemberOf=cn=Admin,ou=users,dc=foo,dc=com)(!(c=US))): all Admins except those in the U.S.
Server Type LDAP server type – select either Open LDAP or Microsoft Active Directory.
AD Sync Mode Defaults to Direct.
Cisco Unified Communications Manager LDAP Directory Name The LDAP Directory configured on Cisco Unified CM that users are considered synchronized from. Required for users that are synchronized from this LDAP server to use SSO or LDAP authentication to sign in to Cisco Unified CM.
Encryption Method Choose between No Encryption, Use SSL Encryption (ldaps://), or Use StartTLS Extension.
Server Root Certificate If Trust All is not checked, the LDAP server's SSL certificate is validated against this root certificate. If no Server Root Certificate is specified, validation is done against any existing trusted CA certificates. Use this option for custom root certificates in .pem format. See SSO Certificate Management for more information.
Trust All Check to disable certificate validation.
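The three connection settings in the table above (Encryption Method, Server Root Certificate and Trust All) decide whether the admin DN and password in the bind travel encrypted and whether the directory server's identity is checked at all. The following added example, which is not Unified CDM code, maps those field values onto a Python ssl.SSLContext so the effect of each combination is explicit; the function names are this example's own assumptions and the field values are quoted from the table.

```python
"""Map the Unified CDM LDAP Server connection fields (Encryption Method,
Server Root Certificate, Trust All) onto a Python ssl.SSLContext so the
effect of each setting is visible.  Added example, not Unified CDM code;
the function names are this example's own assumptions."""
import ssl
from typing import Optional, Tuple

LDAP_PORT = 389   # default LDAP port quoted later on this page
LDAPS_PORT = 636  # default port for LDAP over SSL quoted later on this page

ENCRYPTION_METHODS = ("No Encryption", "Use SSL Encryption (ldaps://)", "Use StartTLS Extension")


def ldap_endpoint(host: str, encryption_method: str) -> Tuple[str, int, bool]:
    """Return (url, port, starttls) for the chosen Encryption Method."""
    if encryption_method == "Use SSL Encryption (ldaps://)":
        return f"ldaps://{host}:{LDAPS_PORT}", LDAPS_PORT, False
    if encryption_method == "Use StartTLS Extension":
        # StartTLS opens in the clear on 389 and upgrades to TLS before the bind
        return f"ldap://{host}:{LDAP_PORT}", LDAP_PORT, True
    if encryption_method == "No Encryption":
        return f"ldap://{host}:{LDAP_PORT}", LDAP_PORT, False
    raise ValueError(f"unknown Encryption Method {encryption_method!r}")


def ldap_tls_context(encryption_method: str, server_root_cert_pem: Optional[str] = None,
                     trust_all: bool = False) -> Optional[ssl.SSLContext]:
    """Build the certificate policy the LDAP client would apply.
    Returns None for No Encryption: the bind DN and password are sent in the clear."""
    if encryption_method not in ENCRYPTION_METHODS:
        raise ValueError(f"unknown Encryption Method {encryption_method!r}")
    if encryption_method == "No Encryption":
        return None
    if server_root_cert_pem and not trust_all:
        # Server Root Certificate given: start from an empty trust store and
        # accept only chains that end at this custom root (.pem text)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cadata=server_root_cert_pem)
    else:
        # No root given: validate against the existing trusted CA certificates
        ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if trust_all:
        # Trust All: chain validation and the hostname check are both switched
        # off, so any certificate, including a forged one, is accepted
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validates_server_certificate(ctx: Optional[ssl.SSLContext]) -> bool:
    """True only when the server's chain and hostname will actually be checked."""
    return ctx is not None and ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
```

The value of laying it out this way is the last function: with Trust All checked, or with No Encryption selected, validates_server_certificate returns False, which is the state a sync job should refuse to run in outside a lab.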
Field Description
LDAP Server This read-only field displays the LDAP Server you are synchronizing users from.
User Role Select the role to be assigned to all synchronized users. This value can be changed manually for individual users after synchronization. This field is mandatory.
User Move Mode Indicates whether users are automatically moved to sites based on the filters and filter order defined in User Management > Manage Filters.
User Delete Mode Indicates whether users are automatically deleted from Cisco Unified CDM if they are deleted from the LDAP directory. If set to automatic, all subscriber resources associated with the user, such as a phone, are also deleted.
User Purge Mode Indicates whether users are automatically deleted from Cisco Unified CDM when they are purged from the LDAP device model. An administrator can remove the LDAP user from the device layer even if the user has not been removed from the LDAP directory.
Step 6 On the Field Mappings tab, enter the following required mappings:
Surname
Step 7 (Optional) Complete other field mappings as needed, for other operations such as pushing users to Cisco Unified CM or creating move filters.
Step 2 Go to User Management > Manage Filters > Define Filters.
Step 3 Fill in name, appropriate hierarchy, and role (we recommend self service).
Field Description
Remove Log Messages Select if you want to remove user management logs before synchronizing or purging.
Remove Log Direction Select Local to remove logs at the hierarchy of the LDAP server. Select Down to remove logs at and below the hierarchy of the LDAP server. This field appears only if Remove Log Messages is checked.
Action Select synchronize or purge. This field is mandatory.
d. Click Save to start the action you selected.
Cisco Unified CDM attempts to synchronize users from the LDAP server. It may take a few minutes for the users to show up in Cisco Unified CDM.
Step 1 Sign in to Cisco Unified CDM as a provider, reseller, or customer administrator.
Step 5 Select the correct site for the Move To Hierarchy option.
You do not plan to synchronize those users from LDAP to Cisco Unified CM.
You plan to push those users from Cisco Unified CDM to Cisco Unified CM.
You want to use LDAP to authenticate those users' access to Cisco Unified CM.
Procedure
Step 1 On Cisco Unified CM, disable dirsync.
a. Sign in as an administrator.
b. In the Navigation menu, select Cisco Unified Serviceability and click Go.
c. Select Tools > Service Activation.
d. Scroll down to Directory Services and uncheck Cisco DirSync.
e. Click Save.
Step 2 On Cisco Unified CM, enable LDAP.
a. In the Navigation menu, select Cisco Unified CM Administration and click Go.
b. Select System > LDAP > LDAP System.
c. Check Enable Synchronizing from LDAP Server.
d. Select the LDAP Server Type. Important: This value must match the LDAP Server Type you choose in Cisco Unified CDM.
e. Select the LDAP Attribute for User ID. Important: This value must match the LDAP attribute you choose in Cisco Unified CDM.
f. Click Save.
Step 3 In Cisco Unified CM, configure LDAP Directory.
a. In the Navigation menu, select Cisco Unified CM Administration and click Go.
b. Select System > LDAP > LDAP Directory.
c. Configure fields in the LDAP Directory Information section.
Field Description
LDAP Configuration Name Enter a unique name (up to 40 characters) for the LDAP directory. Important: You use the LDAP Configuration Name when you configure the LDAP Server in Cisco Unified CDM.
LDAP Manager Distinguished Name Enter the user ID (up to 128 characters) of the LDAP Manager, who is an administrative user that has access rights to the LDAP directory.
LDAP Password Enter a password (up to 128 characters) for the LDAP Manager.
Confirm Password Re-enter the password that you provided in the LDAP Password field.
LDAP User Search Base Enter the location (up to 256 characters) where all LDAP users exist. This location acts as a container or a directory. This information varies depending on your customer setup.
LDAP Custom Filter Select an LDAP custom filter to filter the results of LDAP searches. LDAP users that match the filter are imported into the Unified CM database. LDAP users that do not match the filter do not get imported. The default value is <None>. This value applies a default LDAP filter that is specific to the LDAP server type. The available default LDAP filters are:
Microsoft Active Directory (AD): (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
iPlanet or Sun One LDAP Server: (objectclass=inetOrgPerson)
OpenLDAP: (objectclass=inetOrgPerson)
Microsoft Active Directory Application Mode (ADAM): (&(objectclass=user)(!(objectclass=Computer))(!(msDS-UserAccountDisabled=TRUE)))
Field Description
Hostname or IP Address for Server Enter the hostname or IP address of the server where the data for this LDAP directory resides.
LDAP Port Enter the port number on which the corporate directory receives the LDAP requests. You can access this field only if LDAP authentication for users is enabled.
The default LDAP port for Microsoft Active Directory and for Netscape Directory specifies 389. The default LDAP port for Secured Sockets Layer (SSL) specifies 636.
How your corporate directory is configured determines which port number to enter in this field. For example, before you configure the LDAP Port field, determine whether your LDAP server acts as a Global Catalog server and whether your configuration requires LDAP over SSL. Consider entering one of the following port numbers:
LDAP Port when the LDAP server is not a Global Catalog server:
389 – When SSL is not required. (This port number specifies the default that displays in the LDAP Port field.)
636 – When SSL is required. (If you enter this port number, make sure that you check the Use SSL check box.)
LDAP Port when the LDAP server is a Global Catalog server:
Use SSL Check this check box to use Secured Sockets Layer (SSL) encryption for security purposes.
Note: If LDAP over SSL is required, the corporate directory SSL certificate must be loaded into Cisco Unified CM. The Cisco Unified Communications Operating System Administration Guide documents the certificate upload procedure in the Security chapter.
Add Another Redundant LDAP Server Click this button to add another row to provide information about another LDAP server.
e. Click Save.
Step 4 On Cisco Unified CM, configure LDAP authentication.
a. In the Navigation menu, select Cisco Unified CM Administration and click Go.
b. Select System > LDAP > LDAP Authentication.
c. Check Use LDAP Authentication for End Users.
d. Enter the LDAP Manager Distinguished Name, which is an administrative user that has access rights to the LDAP directory.
e. Enter the LDAP Password for the user ID in the previous step.
f. Enter the LDAP User Search Base.
Important: This value must match the LDAP User Search Base you configured for the LDAP Directory in Unified CM. It must also match the LDAP Server you configure in Unified CDM.
g. Enter the hostname or IP of the LDAP server.
Important: This value must match the LDAP server hostname you configured for the LDAP Directory in Unified CM. It must also match the LDAP Server hostname you configure in Unified CDM.
h. Click Save.
Step 8 On Cisco Unified CDM, synchronize users from LDAP to Cisco Unified CDM.
Step 9 On Cisco Unified CDM, push users to Cisco Unified CM, either by User Management or by Subscriber Management.
When users are pushed to Cisco Unified CM, the ldapDirectoryName field in the device/cucm/User is populated with the Cisco Unified CM LDAP Directory Name. Cisco Unified CM treats the users as LDAP integrated, instead of local. The users appear as LDAP Active Users and use LDAP bind for authentication. From now on, the users are authenticated in Cisco Unified CM against the LDAP directory.
Step 3 Fill in the Cisco Unified Communications Manager LDAP Directory Name with the LDAP directory name and click Save.
The LDAP directory name is configured in Cisco Unified CM at Cisco Unified Communications Manager System > LDAP > LDAP Directory.
Step 4 Add or update users in Cisco Unified CM.
Step 5 Select the site in hierarchy and User Management > Manage users.
Step 7 Select the Network Device List, select all users, and click Save.
customername1
customername2
customername3
Restriction: There is a maximum of 50 customers per customer file.
Step 3 Add this command to your cron job to run automatically hourly, daily, weekly, or monthly:
java -jar /auto/hcs-sync_customers_from_file.jar -f <filename> -u <username> -p <password> -h <hostname>
Parameter Description
<filename> The file path for the customer file.
<username> The admin user name for the HCM-F server.
<password> The password for the HCM-F username.
<hostname> The address of the HCM-F server.
Step 4 Verify that the sync was successful, in the HCM-F interface, Administration > Jobs.
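The cron command above takes the HCM-F admin password as a plain -p argument, so written directly into a crontab it ends up in the crontab file and in cron's logging. The following added example, which is not part of the HCM-F tooling, is a small wrapper that reads the password from a file readable only by its owner, checks the customer file against the 50-customer restriction, builds the exact argv the page documents and produces a redacted form for logging. The jar path and the -f/-u/-p/-h parameters are the page's; the helper names and the customer-file checks are this example's own assumptions.

```python
"""Wrapper helpers for the hcs-sync_customers_from_file.jar cron job described
above.  Added example, not HCM-F code; the helper names are this example's own
assumptions.  The password comes from a mode-0600 file instead of the crontab
line."""
import os
import shlex
import stat
from typing import List

MAX_CUSTOMERS_PER_FILE = 50  # restriction stated on the page
JAR_PATH = "/auto/hcs-sync_customers_from_file.jar"  # path quoted from the page


def parse_customer_file(text: str) -> List[str]:
    """Return the customer names in a customer file, one per non-blank line."""
    names = [line.strip() for line in text.splitlines() if line.strip()]
    if not names:
        raise ValueError("customer file is empty")
    if len(names) > MAX_CUSTOMERS_PER_FILE:
        raise ValueError(f"{len(names)} customers exceed the limit of {MAX_CUSTOMERS_PER_FILE} per file")
    duplicates = sorted({n for n in names if names.count(n) > 1})
    if duplicates:
        raise ValueError(f"duplicate customer names: {duplicates}")
    return names


def customer_file_is_valid(text: str) -> bool:
    try:
        parse_customer_file(text)
    except ValueError:
        return False
    return True


def secret_file_is_private(mode: int) -> bool:
    """True when the permission bits grant nothing to group or others (e.g. 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_password(path: str) -> str:
    """Read the HCM-F password from a file that only its owner can read."""
    st = os.stat(path)
    if not secret_file_is_private(st.st_mode):
        raise PermissionError(f"{path} must not be readable by group or others (chmod 600)")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def build_sync_command(filename: str, username: str, password: str, hostname: str) -> List[str]:
    """argv for the jar with exactly the parameters the page lists."""
    return ["java", "-jar", JAR_PATH, "-f", filename, "-u", username, "-p", password, "-h", hostname]


def redacted_command(argv: List[str]) -> str:
    """Render argv for a log line with the value after -p masked."""
    out = list(argv)
    if "-p" in out and out.index("-p") + 1 < len(out):
        out[out.index("-p") + 1] = "********"
    return shlex.join(out)


if __name__ == "__main__":
    import subprocess
    import sys
    # Usage (constructed): sync_wrapper.py <customer file> <username> <password file> <hostname>
    customer_file, username, password_file, hostname = sys.argv[1:5]
    with open(customer_file, encoding="utf-8") as fh:
        parse_customer_file(fh.read())  # fail early on an over-long or empty file
    argv = build_sync_command(customer_file, username, load_password(password_file), hostname)
    print("running:", redacted_command(argv))
    sys.exit(subprocess.call(argv))
```

The crontab entry then names the wrapper and the password file rather than the password itself. The -p value is still visible in the process list for the duration of the jar's run, because that is the interface the jar offers; what the wrapper removes is the copy that would otherwise persist in the crontab and in cron's own logs.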
References
Cisco Hosted Collaboration Solution Documents
Cisco Hosted Collaboration Solution, Solution Reference Network Design Guide
Cisco Hosted Collaboration Solution, Customer Onboarding Guide
Cisco Hosted Collaboration Solution, Installation Guide
Cisco Expressway on Virtual Machine Guides
Guides for Cisco Unified Communications Manager
Guides for Cisco Unified Communications Manager and IM and Presence Service
Guides for Cisco Unity Connection