
White Paper

Cisco Hosted Collaboration Solution


Shared Architecture Configuration
Recommended Deployment
Contents
Introduction
Cisco HCS Shared Architecture Overview
Assumptions
Endpoints Support
Prerequisites
Caveats
Software Matrix
Infrastructure Setup
Dedicated Virtual Routing and Forwarding (VRF) for Shared Architecture deployments
VM and Cluster Support
UC Application OVA Specifications
Co-residency Support
Expressway OVA Specifications
Co-residency Support
Recommended Virtual Machine Sizing

Installation
UC Application Installation
Add Prime License Manager to HCM-F
Assign a Cluster to a License Manager in HCM-F
Partitioned Cisco Unity Connection
DNS Records
Public DNS
Local DNS

Configure IM and P

Add LDAP Server and Authentication in Unified CM
Configure Managed File Transfer in Cisco Unified CM IM and Presence
Prerequisites for Managed File Transfer in IM and P
External Database Setup Requirements
External Database Requirements for IM and Presence Service
Set Up External Database Connection
Accessing IM and Presence Service Status Information on an external database
Set Up an External File Server
Prerequisites for External File Server
Set Up a User
Set Up Directories
Obtain the Public Key
Configure an External File Server Instance on IM and Presence Service
Enable Managed File Transfer on IM and Presence Service

Configure Unity Connection

Configure Call Screening

Expressway-C Configuration for Unified Communications

Configure DNS and NTP Settings
Enable Mobile and Remote Access
Configure the Domains to Route to Unified CM
Configure SIP
Configure Unified CM Servers
Configure a Unified Communications Traversal Zone to Expressway-E
Configure Expressway-E for MRA
Tune the Performance of the Expressway Registration Cache
Configure DNS, NTP, and IP Settings
Configure SIP
Create the DNS Zone
Configure a Unified Communications Traversal Zone to Expressway-C
Configure Unified CM for Call Routing
Enable Pre-routed Route Header for SIP REGISTER
Routing Configuration
Pre-search Transforms
Search Rules
Configure Transforms
Configure Local Zone Search Rules
Configure Traversal Zone
Configure Authentication Credentials in Expressway-E
Neighboring Between Expressway Clusters
Neighboring your clusters
Configure Traversal Zone Search Rules
Configure DNS Zone Search Rules
Configure External (Unknown) IP Address Routing
Create Search Rules to Route Calls to IP addresses to the Expressway-E
Create Static Routes Towards the Internal Network
Logging in to MRA
Configuration for Desk Phones and Jabber
Set a Default User Profile for a Site
Configure Self-Provisioning in Cisco Unified CM
Hide the Service Domain for Jabber
Persistent User Credentials for Expressway Sign-In
How to Remotely Upgrade Phones

Third-party UDS Applications for Directory Separation

Add a Third-Party UDS for Directory Searches in Jabber
Add Third-Party UDS for Directory Searches in Desk Phones
Configure Directory Search in CUCM
Configure Directory Search in Jabber
Configure Directory Search in Desk Phones
Configure User Separation with CUCM Native Directory Search
Configure User Separation with Imagicle

Onboarding
Customer Onboarding Process Overview
New User Onboarding Process

Appendix A: Features for HCS Shared Architecture

Appendix B: Shared Architecture for HCS 11.5
Software Matrix
HCM-F Configuration
Add HCM-F to Cisco Unified CDM
Add a Provider to Cisco Unified CDM
Add LDAP Server in Unified CDM and Define the CUCM LDAP Directory Name Procedure
Configure the Unified CM and IM and Presence Server Cluster in Cisco Unified CDM
Expressway-C Configuration for Unified Communications
Customer Configuration in Cisco Unified CDM
Set Up the Hierarchy
Configure Entitlement
Configure a Network Device List
Configure Cisco Unified CM Groups
Configuration for Desk Phones and Jabber
Self-Provisioning Process
Required Configuration in Cisco Unified CDM
Add a Self-Provisioning Line Mask
Add a Self-Provisioning User Profile
Create a Customer Dial Plan
Add a Country Dial Plan to a Dial Plan Before Deploying to a Customer
Add a Site
Add the First Site Dial Plan
Add the E.164 Inventory to Cisco Unified CDM
Add a Directory Number Inventory
Configure Directory Number Routing
Associate a Range of E.164 Numbers to a Range of Directory Numbers
Configure Quick Add Subscriber for Self-Provisioning
Central Breakout SIP Trunk
Configure the Cisco Unified CDM SIP Trunk
Session Border Controller
Enable URI Dialing
Create Customer and Users in OpenLDAP or Active Directory
LDAP Integration in Cisco Unified CDM
Set Up an LDAP Server
Set Up LDAP for User Synchronization
Automatically Move Users to a Site
Synchronize Users from LDAP
Move Users to a Site
Enable LDAP Authentication in Unified CM for Users Synchronized from LDAP to Unified CDM
Enter the Cisco Unified CM Directory Name in the LDAP Server
Configure the NBI Sync Customers Client to Perform CUCDM Sync

References

Introduction
HCS Shared Architecture (SA) configuration enables partners to provide true UC as a Service (UCaaS) for
customers with the best collaboration solution and at a more affordable price. HCS SA also leverages
existing HCS access methods to deploy the Unified Communications (UC) solution securely with Over the
Top (OTT) or private access of service with a managed network.

The HCS SA configuration allows partners to save capital expenditure (capex) investment at the data center
by sharing the UC cluster with multiple tenants. It also paves the way for automating the customer and user
onboarding process, allowing partners to save even more on operating expenses.

OTT access for endpoints lets users easily register their phones and Jabber using the auto-registration
process with only a connection to the public internet. Private access of service using a managed network
(MPLS or VPN) is also possible for users who require higher service quality and reliability.

HCS SA configuration can be a perfect solution for a small customer, mid-market customer, or large
customer with many small sites. HCS SA configuration supports the full suite of HCS collaboration features
from dial tone, video, and mobility to team collaboration.

This white paper provides configuration steps for the SA implementation of HCS. These steps are validated
in Cisco labs to help partners deploy the solution quickly and easily. Please note that the main body of the
white paper describes information that is applicable to the latest release of HCS. There may be additional
considerations for older releases, which will be described in appendices.

For more information, we recommend that partners refer to the following Cisco documents:
• Cisco HCS Solution Reference Network Design (SRND) Guide
• Cisco HCS Capacity Planning Guide
• Cisco HCS End-to-End Planning Guide

Cisco HCS Shared Architecture Overview

Assumptions
• SAN is deployed and configured.
• VMware licenses are purchased and installed.
• The management applications are installed:
  o a domain manager
  o Cisco Hosted Collaboration Mediation Fulfillment (HCM-F)
  o Cisco Prime License Manager
  o Cisco Prime Collaboration Assurance (used only for monitoring the UC cluster and not
    for shared customers).
• A partner-provided IT domain (for example, ciscolabs.com) is used for collaboration. The partner-
  managed domain is shared by other customers.

Endpoints Support
The Cisco HCS SA architecture supports the following endpoints:

• Cisco Jabber Desktop – Windows, MacOS
• Cisco Jabber Mobile – iPhone, Android, and iPad
• Cisco IP Phones 8800 and 7800 series, Cisco DX series, Cisco SX series, and Cisco MX series
  when used with Expressway MRA. For more information, see the Expressway Documentation.
• Other Cisco endpoints are supported with an MPLS or VPN connection and the full list is
  documented on Cisco.com.

Prerequisites
• Software downloads
• Licenses

Caveats
User passwords are managed in the partner’s AD or LDAP.

Software Matrix
Table: Software matrix for HCS 12.5 Shared Architecture

Components                              Software
Cisco Prime Collaboration Assurance*    11.6 or later
Cisco HCM-F                             11.5(2) or later
Cisco Unified CM                        11.5(1)SU3a or later
Cisco IM and Presence Service           11.5(1)SU3a or later
Cisco Unity Connection                  11.5(1)SU3a or later
Cisco Expressway-Core                   X8.10.3 or later
Cisco Expressway-Edge                   X8.10.3 or later
Cisco Jabber                            Latest available version

* Cisco Unified CM and Prime Collaboration Assurance are the included domain manager and
assurance components for HCS SA with the HCS-K9-BUNDLE license. Others are available as
part of the HCS open provisioning architecture (OPA) or subscription licenses.

The HCS SA customer onboarding process (including domain manager, LDAP, AD, Expressway, SBC, and
welcome emails) can be automated with third-party tools that use the APIs in the HCS SA components.
Consult the vendor of your tool for information on integrating with HCS SA to automate customer
onboarding.

Infrastructure Setup
Management components are implemented in an existing Management Virtual Route Forwarding (VRF)
table, using the available IP addresses in this space.

• UC applications are implemented in a new shared VRF, just like any other customer UC application
  in a dedicated instance.
• A Session Border Controller or a 3rd-party tool interface for the shared cluster in the shared VRF
  with the UC applications.
• Shared VRF is extended from the data center PE to the Core Nexus 7000 and Aggregation Nexus
  7000, just like any other tenant (for MPLS).
• Create a context for shared VRF in the firewall, just like any other tenant.
• The per-customer VRF terminates on the data center Provider Edge (for MPLS).

Dedicated Virtual Routing and Forwarding (VRF) for Shared Architecture deployments
• Dedicated VRF in a Shared Architecture deployment is designed to provide security between the
  tenants from the customer premises and Cisco HCS dedicated cluster (DC). The same principles of
  VRF and VPN separation are followed for each tenant, up to the DC facing PE. The different tenant
  VRFs are connected to the shared VRF in the PE, restricting visibility of each other's tenant routes.
• The number of VRFs/VPNs consumed in the MPLS core is one VPN/VRF per tenant, plus a shared
  VRF per cluster. The PE tenant capacity is limited by the total number of VRFs it can support; this is
  outside the scope of Cisco HCS, but within the DC, the VRFs are aggregated into a shared VRF in
  the Aggregation switch.
• As a result, the number of clusters that are supported by the Cisco HCS DC is dependent on the DC
  type (Large PoD or Small PoD), regardless of the Shared Architecture deployment.

VM and Cluster Support
The following versions of VMware vSphere ESXi are recommended as a minimum:
• Cisco HCS 11.5: vSphere ESXi 6.0 Update 3
• Cisco HCS 12.5: vSphere ESXi 6.5 Update 2

UC Application OVA Specifications
Consult the following links for the latest specifications:

Cisco Unified Communication Manager:
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/uc_system/virtualization/virtualization-cisco-unified-communications-manager.html

Cisco Unified Communications Manager IM and Presence:
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/uc_system/virtualization/virtualization-cisco-ucm-im-presence.html

Cisco Unity Connection:
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/uc_system/virtualization/virtualization-cisco-unity-connection.html

Co-residency Support
For information about collaboration virtualization sizing and co-residency support, see
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/uc_system/virtualization/collaboration-virtualization-sizing.html#cores.
For co-residency clarification and troubleshooting resources, see
https://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-system/113520-edcs1153298.html.

Expressway OVA Specifications
Consult the following link for the latest specifications:

https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/uc_system/virtualization/virtualization-cisco-expressway.html

Co-residency Support
Expressway can co-reside with applications (any other VMs occupying the same host), subject to the following
conditions:
• No oversubscription of CPU: 1:1 allocation of vCPU to physical cores must be used.
• No oversubscription of RAM: 1:1 allocation of vRAM to physical memory.
• No oversubscription of NIC: The Expressway handles large volumes of data, much of which is
  for real-time communications, and it needs dedicated access to all the bandwidth specified for its
  interfaces. For example, you should not assume that 4 co-resident, small Expressway VMs can
  handle the expected load if there is only a 1 Gbps physical interface on the host. In this example,
  none of the VMs meets the required minimum specification.
Sharing the disk storage subsystem is supported, subject to correct performance (latency, bandwidth)
characteristics.
For more information about Expressway VM sizing, see the Cisco Expressway on Virtual Machine
Installation Guide (X8.10).

Recommended Virtual Machine Sizing
Cisco HCS SA configuration can use existing HCS Large, Small, or Micro Node deployments for providers
who already offer the HCS solution, assuming the required UCS resources are available. For new HCS
deployments, we recommend the lower-cost Nexus 9000 series and Firepower firewalls. Existing
deployments with Nexus 7K, 5K, and ASA can continue to be used.
The following table shows the guidelines for the HCS data center components. Depending on the POD type,
certain B or C series servers can be deployed. The available choice of UCS servers can be found here:
Collaboration Virtualization Supported Hardware. We recommend selecting the TRC servers to ensure
optimum compatibility and support.

Large PoD              Chassis   FI      Compute    Storage           Security
Nexus 9504 or N7000    5108      6296    B Series   FI, SAN or NAS    Firepower 4100 or ASA 5585-X

Small PoD              Chassis   FI      Compute    Storage           Security
Nexus 9300 or N5600    5108      6332    B Series   FI, SAN or NAS    Firepower 4100 or ASA 5555-X

Micro Node             Chassis   FI      Compute    Storage           Security
Nexus 9300 or N5600    N/A       N/A     C Series   DAS               Firepower 2130 or ASA 5555-X

Each UC cluster can support unique dial plans for up to 590 customers with 1 site. More Cisco Unity
Connection clusters can be added to 1 Cisco Unified CM cluster to provide voicemail services to more
customers. Multiple shared clusters can be combined on the same data center platform to support more
customers.
For more information about VM sizing, see
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/uc_system/virtualization/cisco-collaboration-virtualization.html.
Table: VM Sizing for Different Users

Applications for 5,000 Users with 2 Devices per User | CPU | RAM (GB) | HD (GB) | Cluster Details
Cisco Unified CM – 10,000 Users | 2 Cores | 8 | 1 x 110 | 1 Pub, 2 Sub, 2 TFTP and 1 Media
Cisco Unity Connection – 20,000 Users * | 7 Cores | 8 | 2 x 300 | 2 Nodes
Cisco Unified Presence – 5,000 IM and Presence Users | 2 Cores | 4 | 2 x 80 | 2 Nodes
Expressway Medium OVA - 10,000 registrations and 800 active calls | 2 Cores | 6 | 1 x 132 | 2 Clusters with 6 Exp-C and 6 Exp-E Nodes **

Applications for 10,000 Users with 2 Devices per User | CPU | RAM (GB) | HD (GB) | Cluster Details
Cisco Unified CM – 10,000 Users | 4 Cores | 8 | 1 x 110 | 1 Pub, 4 Sub, 2 TFTP, and 1 Media
Cisco Unity Connection – 20,000 Users * | 7 Cores | 8 | 2 x 300 | 4 Nodes
Cisco Unified Presence – 15,000 IM and Presence Users | 4 Cores | 8 | 2 x 80 | 2 Nodes
Expressway Medium OVA - 10,000 registrations and 800 active calls | 2 Cores | 6 | 1 x 132 | 4 Clusters with 6 Exp-C and 6 Exp-E Nodes **

Applications for 20,000 Users with 2 Devices per User | CPU | RAM (GB) | HD (GB) | Cluster Details
Cisco Unified CM – 10,000 Users | 4 Cores | 8 | 1 x 110 | 1 Pub, 8 Sub, 2 TFTP and 1 Media
Cisco Unity Connection – 20,000 Users * | 7 Cores | 8 | 2 x 300 | 8 Nodes
Cisco Unified Presence – 25,000 IM and Presence Users | 6 Cores | 16 | 2 x 80 | 2 Nodes
Expressway Medium OVA - 10,000 registrations and 800 active calls | 2 Cores | 6 | 1 x 132 | 8 Clusters with 6 Exp-C and 6 Exp-E Nodes **

Applications for 40,000 Users with 2 Devices per User | CPU | RAM (GB) | HD (GB) | Cluster Details
Cisco Unified CM – 10,000 Users with customer limit of 590 | 4 Cores | 8 | 1 x 110 | 1 Pub, 16 Sub, 2 TFTP and 2 Media
Cisco Unity Connection – 20,000 Users * | 7 Cores | 8 | 2 x 300 | 14 Nodes
Cisco Unified Presence – 25,000 IM and Presence Users | 6 Cores | 16 | 2 x 80 | 4 Nodes
Expressway Medium OVA - 10,000 registrations and 800 active calls | 2 Cores | 6 | 1 x 132 | 16 Clusters with 6 Exp-C and 6 Exp-E Nodes **

* To support more customers with Cisco Unity Connection, you can add a larger OVA or more clusters
for more voicemail ports.
** Expressway-C and Expressway-E clusters support a maximum of 6 nodes: 4 active and 2 standbys. Extra
nodes over 4 can be added to each cluster, up to a maximum of 6, for extra redundancy only. No extra
capacity is gained above 4 nodes. More clusters are needed for more capacity.
Procedure
Step 1: Review the installation requirements and record the configuration settings for each server that you
plan to install.
Step 2: For every node in your cluster, create virtual machines using the Virtual Server Template (OVA file)
recommended for your current release.
Different OVA files are available; choose the correct OVA file based on the environment in which you are
deploying.
Step 3: Download OVA templates from the following locations:
• Cisco Unified Communications Manager
• Cisco IM and Presence Service
• Cisco Unity Connection
• Cisco Expressway

The HCS management applications include the domain manager, mediation fulfillment (HCM-F), license
manager (Prime License Manager), assurance (Prime Collaboration Assurance), and user management (AD
and LDAP), which are shared across all unified collaboration clusters (dedicated and shared).

Application | CPU | RAM (GB) | HD (GB) | Cluster Details
HCM-F Application Node | 4 Cores | 16 | 80 | 1 Node
Cisco Prime License Manager (Standalone) | 1 Core | 4 | 50 | 1 Node
Cisco Prime Collaboration Assurance (MSP) | 22 Cores | 36 | 750 | 1 to 2 Nodes


Installation

UC Application Installation
For information about installing UC applications, see the following documents.

• Installation Guide for Cisco Unified Communications Manager and IM and Presence Service
• Install, Upgrade, and Maintenance Guide for Cisco Unity Connection
• Cisco Expressway on Virtual Machine Installation Guide

Add Prime License Manager to HCM-F


We recommend a standalone Prime License Manager for SA customers. If a partner plans to implement a
reseller program, we recommend a standalone Prime License Manager for each reseller to manage the
license properly. A partner can also use an existing Prime License Manager.
Procedure
Step 1 From the side menu, select License Management > License Manager Summary.
Step 2 Click Add New.
Step 3 Enter the licensing details.
Step 4 Click Save.

Assign a Cluster to a License Manager in HCM-F


Procedure

Step 1 From the Infrastructure Manager interface, select License Management > License Manager
Summary.
Step 2 Select the License Manager to which you want to assign a cluster.
Step 3 Expand Clusters Managed by.
Step 4 Click Assign.
Step 5 Select the cluster you want to assign and click Assign.

Partitioned Cisco Unity Connection


To help the Cisco HCS solution scale more customers on the same hardware, you can partition one Cisco
Unity Connection instance to support up to 60 tenants with the 7vCPU OVA cluster. To support more than
60 customers, you can have multiple Cisco Unity Connection clusters associated with one Cisco Unified CM
cluster.
Cisco Unity Connection exposes the configuration and provisioning to support multiple customers by means
of REST APIs. The Cisco HCS service fulfillment layer uses the partitioned Cisco Unity Connection REST
APIs to allow Cisco HCS service providers to configure and provision customers into the partitioned Cisco
Unity Connection.
Cisco HCS continues to support the dedicated Cisco Unity Connection in addition to the new partitioned
instance. Partitioned Cisco Unity Connection is not a new product with a new SKU. The HCS administrator
and domain managers must decide the role of Cisco Unity Connection as either regular or partitioned.
For more information about partitioned Cisco Unity Connection, see the documentation at cisco.com.
Also see the Design Guide for Cisco Unity Connection.

DNS Records
This section summarizes the public (external) and local (internal) DNS requirements. For more information,
see the Cisco Jabber Planning Guide on the Jabber Install and Upgrade Guides page.

Public DNS
The public (external) DNS must be configured with _collab-edge._tls. SRV records so that endpoints can
discover the Expressway-Es to use for Mobile and Remote Access. SIP service records are also required
(for general deployment, not specifically for Mobile and Remote Access). For example, for a cluster of 2
Expressway-E systems:

Domain | Service | Protocol | Priority | Weight | Port | Target host
example.com | collab-edge | tls | 10 | 10 | 8443 | expe1.example.com
example.com | collab-edge | tls | 10 | 10 | 8443 | expe2.example.com
example.com | sips | tcp | 10 | 10 | 5061 | expe1.example.com
example.com | sips | tcp | 10 | 10 | 5061 | expe2.example.com

Local DNS
The local (internal) DNS requires _cisco-uds._tcp. SRV records. For example:

Domain | Service | Protocol | Priority | Weight | Port | Target host
example.com | cisco-uds | tcp | 10 | 10 | 8443 | cucmserver1.example.com
example.com | cisco-uds | tcp | 10 | 10 | 8443 | cucmserver2.example.com

Notes:
• Important: For version X8.8 and later, you must create forward and reverse DNS entries for all
Expressway-E systems, so that systems making TLS connections to them can resolve their
FQDNs and validate their certificates.
• Ensure that the cisco-uds SRV records are NOT resolvable outside of the internal network,
otherwise the Jabber client will not start Mobile and Remote Access negotiation using the
Expressway-E.
You must create internal DNS records, for both forward and reverse lookups, for all Unified
Communications nodes used with Mobile and Remote Access. This allows Expressway-C to
find the nodes when IP addresses or hostnames are used instead of FQDNs.
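One way to check the public and local DNS requirements above, as an added example that is not part of the Cisco document. The function names are hypothetical, the input is the text that `dig +short SRV <name>` prints from an external and an internal resolver, and the sample answers are constructed from the tables above.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): check SRV answers against the
# public and local DNS requirements for Mobile and Remote Access.
# Each answer is the text printed by `dig +short SRV <name>`, one record per
# line in the form "<priority> <weight> <port> <target>."

# Constructed sample answers, modelled on the tables above.
EXT_COLLAB_EDGE='10 10 8443 expe1.example.com.
10 10 8443 expe2.example.com.'
EXT_CISCO_UDS=''    # the external resolver must return nothing for cisco-uds
INT_CISCO_UDS='10 10 8443 cucmserver1.example.com.
10 10 8443 cucmserver2.example.com.'

# srv_targets ANSWER PORT: print targets (trailing dot removed) served on PORT.
srv_targets() {
    printf '%s\n' "$1" | awk -v port="$2" \
        'NF == 4 && $3 == port { sub(/\.$/, "", $4); print $4 }'
}

# missing_targets ANSWER PORT HOST...: print each expected HOST that the
# answer does not list on PORT (for example an unpublished cluster peer).
missing_targets() {
    answer=$1 port=$2; shift 2
    found=$(srv_targets "$answer" "$port")
    for host in "$@"; do
        printf '%s\n' "$found" | grep -qxF "$host" || printf '%s\n' "$host"
    done
}

# check_mra_dns EXT_COLLAB_EDGE EXT_CISCO_UDS INT_CISCO_UDS
# Prints one finding per violated requirement; returns non-zero on any finding.
check_mra_dns() {
    rc=0
    if [ -z "$(srv_targets "$1" 8443)" ]; then
        echo "FAIL: no external _collab-edge._tls SRV record on port 8443"
        rc=1
    fi
    # Any SRV answer for cisco-uds seen from outside is a finding.
    if [ -n "$(printf '%s\n' "$2" | awk 'NF == 4')" ]; then
        echo "FAIL: _cisco-uds._tcp resolves externally; Jabber will not start MRA negotiation"
        rc=1
    fi
    if [ -z "$(srv_targets "$3" 8443)" ]; then
        echo "FAIL: no internal _cisco-uds._tcp SRV record on port 8443"
        rc=1
    fi
    return "$rc"
}

if check_mra_dns "$EXT_COLLAB_EDGE" "$EXT_CISCO_UDS" "$INT_CISCO_UDS"; then
    echo "DNS layout matches the MRA requirements"
fi
```

Run it from a host outside the network and again from inside, feeding each resolver's answers into the matching argument.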
Configure IM and P

Add LDAP Server and Authentication in Unified CM


Use this procedure to enable LDAP Authentication on Cisco Unified CM in the following situation, sometimes
referred to as "top-down" deployment:

• You do not plan to sync those users from LDAP to Cisco Unified CM.
• You plan to push those users from Cisco Unified CDM to Cisco Unified CM.
• You want to use LDAP to authenticate those users' access to Cisco Unified CM.
Procedure
Step 1 On Unified CM, disable dirsync.
a) Log in to Unified CM as an administrator.
b) Navigate to Cisco Unified Serviceability, and click Go.
c) Navigate to Tools > Service Activation.
d) Scroll down to Directory Services and uncheck Cisco DirSync.
e) Click Save.
Step 2 On Cisco Unified CM, enable LDAP.
a) In Unified CM, navigate to Cisco Unified CM Administration, and click Go.
b) Navigate to System > LDAP > LDAP System.
c) Check Enable Synchronizing from LDAP Server.
d) Select the LDAP Server Type.
Note This value must match the LDAP Server Type you choose in Cisco Unified CDM.
e) Select the LDAP Attribute for User ID.
Note This value must match the LDAP attribute you choose in Cisco Unified CDM.
f) Click Save.
Step 3 On Cisco Unified CM, configure LDAP Directory.
a) In Unified CM, navigate to Cisco Unified CM Administration, and click Go.
b) Navigate to System > LDAP > LDAP System.
c) Configure fields in the LDAP Directory Information section:
Field: LDAP Configuration Name
Description: Enter a unique name (up to 40 characters) for the LDAP directory.
Important: You use the LDAP Configuration Name when you configure the LDAP Server in Cisco Unified CDM.

Field: LDAP Manager Distinguished Name
Description: Enter the user ID (up to 128 characters) of the LDAP Manager, who is an administrative user
that has access rights to the LDAP directory.

Field: LDAP Password
Description: Enter a password (up to 128 characters) for the LDAP Manager.

Field: Confirm Password
Description: Re-enter the password that you provided in the LDAP Password field.

Field: LDAP User Search Base
Description: Enter the location (up to 256 characters) where all LDAP users exist. This location acts as a
container or a directory. This information varies depending on your customer setup.

Field: LDAP Custom Filter
Description: Select an LDAP custom filter to filter the results of LDAP searches. LDAP users that match the
filter are imported into the Unified CM database. LDAP users that do not match the filter do not get
imported. The default value is <None>. This value applies a default LDAP filter that is specific to the LDAP
server type. The available default LDAP filters are:
• Microsoft Active Directory (AD):
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
• iPlanet or Sun One LDAP Server: (objectclass=inetOrgPerson)
• OpenLDAP: (objectclass=inetOrgPerson)
• Microsoft Active Directory Application Mode (ADAM):
(&(objectclass=user)(!(objectclass=Computer))(!(msDS-UserAccountDisabled=TRUE)))

d) Configure fields in the LDAP Server Information section:

Field: Hostname or IP Address for Server
Description: Enter the hostname or IP address of the server where the data for this LDAP directory resides.

Field: LDAP Port
Description: Enter the port number on which the corporate directory receives the LDAP requests. You can
access this field only if LDAP authentication for users is enabled.
The default LDAP port for Microsoft Active Directory and for Netscape Directory is 389. The default LDAP
port for Secured Sockets Layer (SSL) is 636.
How your corporate directory is configured determines which port number to enter in this field. For
example, before you configure the LDAP Port field, determine whether your LDAP server acts as a Global
Catalog server and whether your configuration requires LDAP over SSL. Consider entering one of the
following port numbers:
LDAP Port when the LDAP server is not a Global Catalog server:
• 389 – When SSL is not required. (This port number specifies the default that displays in the LDAP Port
field.)
• 636 – When SSL is required. (If you enter this port number, make sure that you check the Use SSL check
box.)
LDAP Port when the LDAP server is a Global Catalog server:
• 3268 – When SSL is not required.
• 3269 – When SSL is required. (If you enter this port number, make sure that you check the Use SSL check
box.)
Tip Your configuration may require that you enter a different port number than the options that are listed
in the preceding bullets. Before you configure the LDAP Port field, contact the administrator of your
directory server to determine the correct port number to enter.

Field: Use SSL
Description: Check this checkbox to use Secured Sockets Layer (SSL) encryption for security purposes.
Note If LDAP over SSL is required, the corporate directory SSL certificate must be loaded into Cisco
Unified CM. The Cisco Unified Communications Operating System Administration Guide documents the
certificate upload procedure in the Security chapter.

Field: Add Another Redundant LDAP Server
Description: Click this button to add another row to provide information about another LDAP server.

e) Click Save.

Step 4 On Cisco Unified CM, configure LDAP Authentication.
a) In Unified CM, navigate to Cisco Unified CM Administration, and click Go.
b) Navigate to System > LDAP > LDAP System.
c) Check Use LDAP Authentication for End Users.
d) Enter the LDAP Manager Distinguished Name of an administrative user that has access rights
to the LDAP directory.
e) Enter the LDAP Password for the user ID in the previous step.
f) Enter the LDAP User Search Base.
Important This value must match the LDAP User Search Base you configured for the LDAP
Directory in Unified CM. It must also match the LDAP Server you configure in Unified CDM.
g) Click Save.
Step 5 Sync the user data to your domain manager and set up LDAP user synchronization.
When users are pushed to Cisco Unified CM, the ldapDirectoryName field in the device/cucm/User is
populated with the CUCM LDAP Directory Name. Cisco Unified CM treats the users as LDAP integrated,
instead of local. The users appear as LDAP Active Users and use LDAP bind for authentication. From now
on, the users are authenticated in Cisco Unified CM against the LDAP directory.

Configure Managed File Transfer in Cisco Unified CM IM and Presence


Managed File Transfer (MFT) is a server-side file transfer solution. It allows an IM and Presence Service
client, such as Cisco Jabber, to transfer files to other users, ad hoc group chats, and persistent chats. It
allows file sharing between users in one-to-one, ad hoc group, and persistent chat. The file repository is on a
customer-provided external file server. Audit logs of all uploads and downloads are kept in the external
database.

Prerequisites for Managed File Transfer in IM and P


• Jabber 10.6
• Unified CM IM & Presence 10.5.2 or above
• PostgreSQL 8.3.x or above
While transferring files between Jabber clients has been a supported feature for quite a while, it was
limited to peer-to-peer transactions until now, which ruled out transferring files in group chats and
chat rooms.

Starting with Jabber 10.6 and Unified CM IM & Presence 10.5.2, a new method to transfer files between
clients has been introduced with the following features:

• Group chat support of file transfer
• Chat room support of file transfer
• Admin can define a file size for Jabber users when transferring files
• File transfer compliance and screen captures are transferred for audit and policy control
• File transfer inline status message
This method is referred to as "Managed File Transfer". While the peer-to-peer option does not involve any
central instance, Managed File Transfer relies on a central database instance.

External Database Setup Requirements


General Requirements
Cisco recommends having a certified PostgreSQL and Oracle or Microsoft SQL Server administrator to
maintain and retrieve information from the external database.
Hardware Requirements
A remote server on which you install the PostgreSQL or Oracle database.
Software Requirements
IM and Presence Service, current release
External Database:

Database | Supported Versions
PostgreSQL | Versions 8.3.x through 9.4.x are supported, and in IM and Presence Service Release 11.0(1), versions 9.1.9, 9.2.6, 9.3.6, and 9.4.1 have been tested. Note You can also use version 8.1.x of the PostgreSQL database, but the configuration of these versions may be different to the PostgreSQL database configuration described in this section. See the PostgreSQL documentation for details on how to configure these PostgreSQL database versions. If you use Version 8.1.x of the PostgreSQL database, the database configuration on IM and Presence Service is the same as described in this section.
Oracle | Versions 9g, 10g, 11g, and 12c are supported, and in IM and Presence Service Release 11.0(1), versions 11.2.0.1.0 and 12.1.0.1.0 have been tested.

External Database Requirements for IM and Presence Service


The external database requirements depend on the features you need to deploy on IM and Presence
Service.

Features | Requirements
Persistent Group Chat feature | A minimum of one unique logical external database instance (tablespace) is required for the entire IM and Presence Service intercluster. A unique logical external database instance for each IM and Presence Service node or redundancy group in an IM and Presence Service cluster provides optimum performance and scalability, but is not mandatory.
High Availability for Persistent Chat feature | You must enable High Availability and Persistent Chat. Make sure that both presence redundancy group nodes are assigned to the same unique logical external database instance. Oracle and PostgreSQL can be used with High Availability for Persistent Chat. However, PostgreSQL poses some significant challenges when you try to make it a High Availability database with automatic redundancy.
Message Archiver (compliance) feature | We recommend that you configure at least one external database for each IM and Presence Service cluster; however, you may require more than one external database for a cluster depending on your database server capacity.
Managed File Transfer feature | You require one unique logical external database instance for each IM and Presence Service node in an IM and Presence Service cluster. Note Database table space can be shared across multiple nodes or clusters provided capacity and performance are not overloaded.

For a configuration example to set up the PostgreSQL Server and database, see Cisco Unified Presence
Server PostgreSQL External Database and Compliance Configuration Example guide available at
https://www.cisco.com/c/en/us/support/unified-communications/unified-presence/products-configuration-examples-list.html.

Set Up External Database Connection


IM and Presence Service does not establish a connection to the external database when you configure an
external database entry. The external database has not created the database schema at this point. It is only
when you assign an external database entry to a node that IM and Presence Service establishes an ODBC
(Open Database Connectivity) connection with the external database. Once IM and Presence Service
establishes a connection, the external database creates the database tables for the IM and Presence
Service features.
Once you assign an external database entry to a node, you can validate the connection using the System
Troubleshooter in the Cisco Unified CM IM and Presence Service Administration user interface.
Note
If your IM and Presence Service node connects to an external database server using IPv6, ensure that the
enterprise parameter is configured for IPv6 and that Eth0 is set for IPv6 on each node in the deployment;
otherwise, the connection to the external database server fails. The Message Archiver and Cisco XCP Text
Conference Manager are unable to connect to the external database and fail. For information about
configuring IPv6 on IM and Presence Service, see Configuration and Administration of IM and Presence
Service on Cisco Unified Communications Manager guide available at
https://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-im-presence-service-version-11-5/model.html.
Before you begin

• Install and configure the external database.
• Obtain the hostname or IP address of the external database.
Procedure
Step 1 Log in to the Cisco Unified CM IM and Presence Administration user interface.
Step 2 Navigate to Messaging > External Server Setup > External Databases.
Step 3 Click Add New.
Step 4 Enter the name of the database that you defined at external database installation, for example,
tcmadb.
Step 5 Choose the database type from the drop-down list, Postgres or Oracle. If you chose Oracle as the
database type, enter the tablespace value.
Step 6 Enter the username for the database user (owner) that you defined at external database installation,
for example, tcuser.
Step 7 Enter and confirm the password for the database user, for example, mypassword.
Step 8 Enter the hostname or IP address for the external database.
Step 9 Enter a port number for the external database.
The default port numbers for Postgres (5432), Oracle (1521), and Oracle with SSL enabled (2484) are
prepopulated in the Port Number field. You can choose to enter a different port number, if required.
Step 10 If you chose Oracle as the Database Type, the Enable SSL checkbox becomes active.
Check the checkbox to enable SSL. The Certificate Name drop-down list becomes active. Choose a
certificate from the drop-down list.
Notes

• When the Enable SSL check box or the Certificate drop-down field is modified, a notification to
restart the corresponding service assigned to the external database is sent. A message concerning
either Cisco XCP Message Archiver or Cisco XCP Text Conference Manager is generated.
• The certificate you need to enable SSL must be uploaded to the cup-xmpp-trust store. You must
upload this certificate before you enable SSL.
• Once the certificate is uploaded to the cup-xmpp-trust store, you must wait 15 minutes for the
certificate to propagate to all the nodes of the IM and Presence Service cluster. If you do not wait,
the SSL connection on nodes where the certificate has not propagated fails.
• If the certificate is missing or has been deleted from the cup-xmpp-trust store, an alarm
XCPExternalDatabaseCertificateNotFound is raised in the Cisco Unified Communications Manager
Real Time Monitoring Tool (RTMT).
Step 11 Click Save.
Step 12 If you make a configuration change in the install_dir/data/pg_hba.conf file or the
install_dir/data/postgresql.conf file after you assign the external database, perform these steps:
a) Unassign and reassign the external database to the IM and Presence Service node.
b) Restart the Cisco XCP Router service. Log in to the Cisco Unified IM and Presence Serviceability
user interface.
c) Navigate to Tools > Control Center - Network Services to restart this service.

Accessing IM and Presence Service Status Information on an external database


IM and Presence Service provides the following status information on an external database:

• Database reachability — Verifies that the IM and Presence Service can ping an external database.
• Database connectivity — Verifies that the IM and Presence Service has successfully established an Open
Database Connectivity (ODBC) connection with the external database.
• Database schema verification — Verifies that the external database schema is valid.
Caution
If your IM and Presence Service node connects to an external database server using IPv6, ensure that the
enterprise parameter is configured for IPv6 and that Eth0 is set for IPv6 on each node in the deployment;
otherwise, the connection to the external database server fails. The message archiver (compliance) and
Cisco XCP Text Conference Manager are unable to connect to the external database and fail. For
information about configuring IPv6 on IM and Presence Service, see Configuration and Administration of IM
and Presence Service on Cisco Unified Communications Manager guide.
Procedure
Step 1 Log in to the Cisco Unified CM IM and Presence Administration user interface.
Step 2 Navigate to Messaging > External Server Setup > External Databases.
Step 3 Click Find.
Step 4 Choose the external database entry that you want to view.
Step 5 Verify that there are check marks beside each of the result entries for the external database in the
External Database Status section.
Step 6 In the Cisco Unified CM IM and Presence Administration user interface, navigate to Diagnostics >
System Troubleshooter.
Step 7 Verify that there are check marks beside the status of each of the external database connection
entries in the External Database Troubleshooter section.

Set Up an External File Server


Before you enable managed file transfer on an IM and Presence Service node, consider these points:
• If you deploy any combination of the persistent group chat, message archiver, or managed file transfer
features on an IM and Presence Service node, you can assign the same physical external database
installation and external file server to all these features. However, you should consider the potential IM
traffic, the number of file transfers, and the file size when you determine the server capacity.
• Ensure that all clients can resolve the full FQDN of the IM and Presence Service node to which they
are assigned. For the managed file transfer feature to work, it is not enough for the clients to resolve
the hostname; they must be able to resolve the FQDN.
• The node public key is invalidated if the node's assignment is removed. If the node is reassigned, a
new node public key is automatically generated and the key must be reconfigured on the external file
server.
• The Cisco XCP File Transfer Manager service must be active on each node where managed file
transfer is enabled.
You can configure one of the following options on the File Transfer window:
• Disabled: file transfer is disabled for the cluster.
• Peer-to-Peer: one-to-one file transfers are allowed, but files are not archived or stored on a server.
Group chat file transfer is not supported.
• Managed File Transfer: one-to-one and group file transfers are allowed. File transfers are logged to a
database and the transferred files are stored on a server. The client must also support managed file
transfer, otherwise no file transfers are allowed.
• Managed and Peer-to-Peer File Transfer: one-to-one and group file transfers are allowed. File transfers
are logged to a database and the transferred files are stored on a server only if the client supports
managed file transfer. If the client does not support managed file transfer, this option is equivalent to
the Peer-to-Peer option.
Note
If managed file transfer is configured on a node and you change the File Transfer Type to Disabled or
Peer-to-Peer, be aware that the mapped settings to the external database and to the external file server for
that node are deleted. The database and file server remain configured but you must reassign them if you
re-enable managed file transfer for the node.

Depending on your pre-upgrade setting, after an upgrade to IM and Presence Service Release 10.5(2) or
later, either Disabled or Peer-to-Peer is selected.

Prerequisites for External File Server


Before you begin
Tasks to complete before you begin to set up an external file server:

• Install and configure an external database, see Database Setup for IM and Presence Service on Cisco
Unified Communications Manager guide at
http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-installation-and-configuration-guides-list.html.
• Configure an External Database Instance on IM and Presence Service.

Before setting up the users, directories, ownership, permissions, and other tasks on the file server, complete
these steps.

Procedure
Step 1 Install a supported version of Linux.
Step 2 Verify the file server supports SSHv2 and OpenSSH 4.9 or later by entering one of the following
commands as root:
# telnet localhost 22
Trying ::1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.3
Or
# ssh -v localhost
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /root/.ssh/config ...
...debug1: Local version string SSH-2.0-OpenSSH_5.3
Step 3 To allow private/public key authentication, make sure that the following fields in the
/etc/ssh/sshd_config file are set to yes.
• Set RSAAuthentication to yes
• Set PubkeyAuthentication to yes
If these are commented out in the file, the setting can be left alone.
Tip To enhance security, you can also disable password login for the file transfer user (for example,
mftuser). This forces logging in only by SSH public/private key authentication.
Step 4 We recommend creating one or more separate partitions that are dedicated to file transfer storage
so that other applications that run on the server do not write to it. All file storage directories must be created
on these partitions.

Set Up a User
Procedure

Step 1 On the file server as root, create a user who owns the file storage directory structure (our example
uses mftuser) and force creation of the home directory (-m).
# useradd -m mftuser
# passwd mftuser
Step 2 Switch to the mftuser.
# su mftuser
Step 3 Create a .ssh directory under the ~mftuser home directory that is used as a key store.
$ mkdir ~mftuser/.ssh/
Step 4 Create an authorized_keys file under the .ssh directory that is used to hold the public key text for
each managed file transfer enabled node.
$ touch ~mftuser/.ssh/authorized_keys
Step 5 Set the correct permissions for passwordless SSH to function.
$ chmod 700 ~mftuser (directory)
$ chmod 700 ~/.ssh (directory)
$ chmod 700 ~/.ssh/authorized_keys (file)
Note Depending on your SSH configuration, these permissions may vary on some Linux systems.

Set Up Directories
Procedure
Step 1 Switch back to the root user.
$ exit
Step 2 Create a top-level directory structure (for example, /opt/mftFileStore/) to hold directories for all the IM
and Presence Service nodes that have managed file transfer enabled.
# mkdir -p /opt/mftFileStore/
Step 3 Provide the mftuser sole ownership of the /opt/mftFileStore/ directory.
# chown mftuser:mftuser /opt/mftFileStore/
Step 4 Provide the mftuser sole permissions to the mftFileStore directory.
# chmod 700 /opt/mftFileStore/
Step 5 Switch to the mftuser.
# su mftuser
Step 6 Create a subdirectory under /opt/mftFileStore/ for each managed file transfer enabled node. (Later,
when you enable managed file transfer, you assign each directory to a node.)
$ mkdir /opt/mftFileStore/{node_1,node_2,node_3}
Note
• These directories and paths are used in the External File Server Directory field that you enter in
the Deploy an External File Server on IM and Presence Service task.
• If you have multiple IM and Presence Service nodes writing to this file server, you must define a
target directory for each node, for example, {node_1, node_2, node_3}.
• Within each node's directory, the transfer type subdirectories (im, groupchat, and persistent) are
automatically created by IM and Presence Service, as are all subsequent directories.
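A way to audit the file server after the user and directory procedures above, as an added example that is not part of the Cisco document. The function names are hypothetical, mftuser and /opt/mftFileStore are the guide's own example values, and the `sshd -T` output shown is constructed.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): audit the managed file transfer
# file server against the settings in the procedures above.

# Constructed samples of `sshd -T -C user=mftuser` output (sshd's extended
# test mode prints the effective configuration with lowercase keywords).
SSHD_T_KEY_ONLY='port 22
pubkeyauthentication yes
passwordauthentication no'
SSHD_T_PASSWORD_ON='port 22
pubkeyauthentication yes
passwordauthentication yes'

# sshd_allows_key_only TEXT
# Succeeds only if public key authentication is on and password login is off,
# which is the state the Tip in Step 3 of the prerequisites recommends.
sshd_allows_key_only() {
    printf '%s\n' "$1" | awk '
        $1 == "pubkeyauthentication"   { pk = $2 }
        $1 == "passwordauthentication" { pw = $2 }
        END { exit !(pk == "yes" && pw == "no") }'
}

# dir_owned_by DIR UID: DIR is a real directory owned by numeric UID.
dir_owned_by() {
    [ -d "$1" ] || return 1
    ls -ldn "$1" | awk -v uid="$2" '{ exit !(substr($1, 1, 1) == "d" && $3 == uid) }'
}

# dir_is_private DIR UID: DIR is owned by UID and has mode 700 (drwx------).
dir_is_private() {
    dir_owned_by "$1" "$2" || return 1
    ls -ldn "$1" | awk '{ exit !(substr($1, 1, 10) == "drwx------") }'
}

# audit_store STORE UID NODE...
# Prints one finding per problem; returns non-zero if anything was found.
# Real use: audit_store /opt/mftFileStore "$(id -u mftuser)" node_1 node_2 node_3
audit_store() {
    store=$1 uid=$2; shift 2
    rc=0
    if ! dir_is_private "$store" "$uid"; then
        echo "FAIL: $store is not a mode 700 directory owned by uid $uid"
        rc=1
    fi
    for node in "$@"; do
        if ! dir_owned_by "$store/$node" "$uid"; then
            echo "FAIL: node directory $store/$node is missing or not owned by uid $uid"
            rc=1
        fi
    done
    return "$rc"
}

if sshd_allows_key_only "$SSHD_T_KEY_ONLY"; then
    echo "sshd: key-only login is in effect"
fi
```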

Obtain the Public Key


Procedure
Step 1 To retrieve the file server's public key, enter:
$ ssh-keyscan -t rsa host
Where host is the hostname, FQDN, or IP address of the file server.
Warning:

• To avoid a man-in-the-middle attack, w here the file server public key is spoofed, you must verify
that the public key value that is returned by the ssh-keyscan -t rsa host command is the real
public key of the file server.

• On the file server, go to the location of the ssh_host_rsa_key.pub file (under /etc/ssh/ ) and confirm
the contents of the public key file, minus the host (the host is absent in the ssh_host_rsa_key.pub
file on the file server), matches the public key value returned by the command ssh-keyscan -t rsa
host.
Step 2 Copy the result of the ssh-keyscan -t rsa host command, not what is in the ssh_host_rsa_key.pub
file. Be sure to copy the entire key value, from the server hostname, FQDN, or IP address to the end.
Note Usually the server key begins with the hostname or FQDN, although it may begin with an IP address.
For example, copy:
hostname ssh-rsa AAAQEAzRevlQCH1KFAnXwhd5UvEFzJs...
...a7y49d+/Am6+ZxkLc4ux5xXZueL3GSGt4rQUy3rp/sdug+/+N9MQ==
(ellipses added).
Step 3 Save the result of the ssh-keyscan -t rsa host command to a .text file. It is needed when you

Step 4 Open the authorized_keys file you created and leave it open. It is used in the Enable Managed File
Transfer on IM and Presence Service procedure.
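
The comparison that the warning in Step 1 asks for, written out as an added shell example (it is not part of the Cisco procedure). The function names and the sample key lines are constructed; on a real system the first argument is the saved ssh-keyscan output and the second is the content of /etc/ssh/ssh_host_rsa_key.pub read on the file server itself.

```shell
#!/bin/sh
# Added example: check that the line returned by `ssh-keyscan -t rsa host`
# carries the same key as ssh_host_rsa_key.pub on the file server.
#   ssh-keyscan line:       host keytype base64key
#   ssh_host_rsa_key.pub:   keytype base64key [comment]

# Host field of the first key line; banner lines starting with '#' are skipped.
scan_host() {
    printf '%s\n' "$1" | awk '!/^#/ && NF >= 3 { print $1; exit }'
}

# "keytype base64key" from the ssh-keyscan output (host field removed).
scan_key_material() {
    printf '%s\n' "$1" | awk '!/^#/ && NF >= 3 { print $2, $3; exit }'
}

# "keytype base64key" from the .pub file contents (trailing comment removed).
pub_key_material() {
    printf '%s\n' "$1" | awk '!/^#/ && NF >= 2 { print $1, $2; exit }'
}

# verify_host_key SCAN_OUTPUT PUB_CONTENTS EXPECTED_HOST
# Returns 0 on a full match, 1 on a key mismatch, 2 on unparsable input,
# 3 when the scanned line does not begin with the expected host.
verify_host_key() {
    vk_scanned=$(scan_key_material "$1")
    vk_local=$(pub_key_material "$2")
    vk_host=$(scan_host "$1")
    if [ -z "$vk_scanned" ] || [ -z "$vk_local" ]; then
        echo "cannot parse key material" >&2
        return 2
    fi
    if [ "$vk_scanned" != "$vk_local" ]; then
        echo "MISMATCH: scanned key differs from the key on the file server" >&2
        return 1
    fi
    if [ "$vk_host" != "$3" ]; then
        echo "key matches, but the line begins with '$vk_host', expected '$3'" >&2
        return 3
    fi
    echo "OK: $vk_host $vk_scanned"
}

# Constructed sample data (not real keys). In practice:
#   first argument  = output of: ssh-keyscan -t rsa host
#   second argument = contents of /etc/ssh/ssh_host_rsa_key.pub, read on the
#                     file server console or over an already trusted channel
SAMPLE_SCAN='# fs01.example.test:22 SSH-2.0-OpenSSH_8.0
fs01.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDSAMPLE=='
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDSAMPLE== root@fs01'
SAMPLE_SPOOFED='fs01.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQSPOOFEDSAMPLE=='

verify_host_key "$SAMPLE_SCAN" "$SAMPLE_PUB" fs01.example.test
verify_host_key "$SAMPLE_SPOOFED" "$SAMPLE_PUB" fs01.example.test \
    || echo "rejected (exit $?)"
```

Only a line that passes this check should be saved and pasted as the file server's public key.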

Configure an External File Server Instance on IM and Presence Service


The procedure describes how to configure an external file server instance on IM and Presence Service. You
must configure one external file server instance for each node in your cluster that has managed file transfer
enabled. The external file server instances do not need to be physical instances of the external file server.
However, for a given hostname, specify a unique external file server directory path for each external file
server instance. You can configure all the external file server instances from the same node.
Before you begin

• Install and configure an external database, see Database Setup for IM and Presence Service on Cisco
Unified Communications Manager available at
http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-installation-and-configuration-guides-list.html.

• Configure an External Database Instance on IM and Presence Service


• Set Up an External File Server
• Obtain the following external file server information:
• Hostname, FQDN, or IP address
• Public key
• Path to the file storage directory
• User name
Procedure
Step 1 Log in to the Cisco Unified CM IM and Presence Administration user interface. Navigate to
Messaging > External Server Setup > External File Servers.
Step 2 Click Add New. The External File Servers window appears.
Step 3 Enter the server details.

Field / Description

Name
  Enter the name of the file server. Ideally the server name should be
  descriptive enough to be instantly recognized.
  Maximum characters: 128. Allowed values are alphanumeric, dash,
  and underscore.

Host/IP Address
  Enter the hostname or IP address of the file server.
  Note
  • The value entered for the Host/IP Address field must match
    the beginning of the key that is entered for the External File Server
    Public Key field (follows).
  • If you change this setting, you must restart the Cisco XCP Router
    service.

External File Server Public Key
  Paste the file server's public key (the key you were instructed to save
  to a text file) into this field.
  If you did not save the key it can be retrieved from the file server by
  running the command:
  $ ssh-keyscan -t rsa host
  on the file server, where host is the IP address, hostname, or FQDN of
  the file server.
  You must copy and paste the entire key text starting with the
  hostname, FQDN, or IP address to the end. For example, copy:
  extFileServer.cisco.com ssh-rsa
  AAAQEAzRevlQCH1KFAnXwhd5UvEFzJs...
  ...a7y49d+/Am6+ZxkLc4ux5xXZueL3GSGt4rQUy3rp/sdug+/+N9MQ==
  (ellipses added).
  Important This value must begin with the hostname, FQDN, or IP
  address that you entered for the Host/IP Address field. For example, if
  extFileServer is used in the Host/IP Address field, then this field must
  begin with extFileServer followed by the entire rsa key.

External File Server Directory
  The path to the top of the file server directory hierarchy. For example,
  /opt/mftFileStore/node_1/

User Name
  The user name of the external file server administrator.

Step 4 Repeat these steps to create an external file server instance for each node in the cluster that has
managed file transfer enabled.
Step 5 Click Save.

Enable Managed File Transfer on IM and Presence Service


Before you begin

• Set up an external database


• Configure an External Database Instance on IM and Presence Service
• Set Up an External File Server
• Configure an External File Server Instance on IM and Presence Service
Procedure
Step 1 Log in to Cisco Unified CM IM and Presence Administration.
Step 2 Navigate to Messaging > File Transfer.
Step 3 In the File Transfer Configuration area of the File Transfer window, choose either Managed
File Transfer or Managed and Peer-to-Peer File Transfer, depending on your deployment.
Step 4 Enter the Maximum File Size. If you enter 0, the maximum size (4GB) applies.
Note You must restart the Cisco XCP Router service for this change to take effect.

Step 5 In the Managed File Transfer Assignment area, assign the external database and the external file
server for each node in the cluster.

1. External Database: From the drop-down list, choose the name of the external database.
2. External File Server: From the drop-down list, choose the name of the external file server.
Step 6 Click Save. After you click Save, a Node Public Key link appears for each assignment.

Step 7 For each node in the cluster that has managed file transfer enabled, you must copy the node's entire
public key to the external file server's authorized_keys file.

a) To display a node's public key, scroll down to the Managed File Transfer Assignment area and click the
Node Public Key link. Copy the entire contents of the dialog box including the node's IP address,
hostname, or FQDN.
ssh-rsa yc2EAAAABIwAAAQEAp2g+S2XDEzptN11S5h5nwVleKBnfG2pdW6KiLfzu/sFLegioIIqA8jBguNY/......5s+tusrtBBuciCkH5gfXwrsFS0O0AlfFvwnfq1xmKmIS9W2rf0Qp+A+G4MVpTxHgaonw== imp@imp_node
(ellipses added).
Note
• If the managed file transfer feature is configured and the File Transfer Type is changed to
either Disabled or Peer-to-Peer, all managed file transfer settings are deleted.

• A node’s keys are invalidated if the node is unassigned from the external database and file server.

b) On the external file server, if it was not left open, open the ~mftuser/.ssh/authorized_keys file that
you created under the mftuser's home directory and (on a new line) append each node's public key.
Note
The authorized_keys file must contain a public key for each managed file transfer enabled IM and
Presence Service node that is assigned to the file server.

c) Save and close the authorized_keys file.


Step 8 Ensure that the Cisco XCP File Transfer Manager service is active on all nodes where managed file
transfer is enabled.

This service only starts if an external database and an external file server have been assigned, and if the
service can connect to the database and mount the file server. Complete the following steps to check that
the Cisco XCP File Transfer Manager service is active on all managed file transfer enabled nodes:

a) On any node in the cluster, log in to the Cisco Unified IM and Presence Serviceability user interface.
b) Navigate to Tools > Service Activation.
c) Choose a server (node) and click Go.
d) Ensure the check box next to Cisco XCP File Transfer Manager is checked and that the
Activation Status is Activated.
Note

If the above conditions are not met, click Refresh. If the Activation Status remains the same after a
Refresh, go to Step 8.

e) Repeat step d on all nodes where managed file transfer is enabled.

Step 9 If you are configuring the managed file transfer feature on a node for the first time, you must
manually start the Cisco XCP File Transfer Manager service, as follows:

a) On any node in the cluster, log in to the Cisco Unified IM and Presence Serviceability user interface.
b) Navigate to Tools > Control Center - Feature Activation.
c) Choose a server (node) and click Go.
d) In the IM and Presence Services area, click the radio button next to Cisco XCP File Transfer
Manager.

e) Click Start.
f) Repeat steps c-e for all nodes where managed file transfer is enabled. This should be the same as
step 6) in step 10 below.
Step 10 Restart the Cisco XCP Router service.

a) On any node in the cluster, log in to the Cisco Unified IM and Presence Serviceability user interface.
b) Navigate to Tools > Control Center - Network Services.
c) Choose a server (node) and click Go.
d) In the IM and Presence Services area, click the radio button next to Cisco XCP Router.
e) Click Restart.
f) Repeat steps c-e for all nodes where managed file transfer is enabled.
Step 11 Verify that there are no problems with the external database setup and with the external file
server setup.

• For the external database:


a) Log in to the node's Cisco Unified CM IM and Presence Administration user interface.
b) Navigate to Messaging > External Server Setup > External Databases.
c) Check the information provided in the External Database Status area.
• On the node where you need to verify that the external file server is assigned:

a) Log in to the node's Cisco Unified CM IM and Presence Administration user interface.
b) Navigate to Messaging > External Server Setup > External File Servers .
c) Check the information provided in the External File Server Status area.

Configure Unity Connection


Step 1 In Expressway-C, navigate to Configuration > Unified Communications > Unity Connection
Servers, and add the entries for the Unity Connection server:

• Enter your username


• Enter password
• Set the TLS verify mode to Off.
Step 2 If the Unified CM Cluster has two or more servers, complete the following manual configuration in
Unity Connection:

a) In Unity Connection, navigate to Telephony Integrations > Port Group, and then go to Edit > Servers.
b) Add the other CUCM Server (SIP Servers) IP Address/Hostname and Port details.
Step 3 If the Unity Connection Cluster has Active-Active publishers, complete the following configuration in
Unity Connection:
When Unified CDM provisions the Voicemail service, the ports are created only for Publisher1 of the Unity
Cluster. You need to manually add the ports for Publisher2.

a) In Unity Connection, navigate to Telephony Integrations > Port Group.


b) Select the desired Port Group
c) For the second publisher, navigate to Related Links > Add Ports
d) Navigate to Devices > Trunks, and add the remaining unity server IP Address and Destination Ports in
the Destination Addresses.
Step 4 Complete the following configuration for Cisco Jabber client to retrieve the voicemail server
information: Cisco Jabber does not read Voicemail UC Service Profile when it is deployed only in the Phone
mode.

a) Update the jabber-config.xml file with the following voicemail parameters.
<Voicemail>
<VoicemailService_UseCredentialsFrom>phone</VoicemailService_UseCredentialsFrom>
<VoicemailPrimaryServer>X.X.X.X</VoicemailPrimaryServer>
</Voicemail>
Where X.X.X.X is the FQDN or Hostname of Unity Connection server.

b) Upload the jabber-config.xml to all the CUCM TFTP servers, and then restart the TFTP service on TFTP
server nodes.

c) Reset the Jabber client.


Step 5 Complete the following configuration for Cisco Jabber client in IM and Presence server:
Jabber client's IM Address is in <UserID>@<DefaultDomain> format which will not be same as the user's
e-mail address. Update the IM Address Scheme configuration to display the proper e-mail address of user.

a) In Unified CM IM and Presence Administration, navigate to Presence > Settings > Advanced
Configuration.

b) Set the IM Address Scheme to Directory URI.


Note

Default Domain or IM Address Scheme cannot be changed until the following services are stopped on all the
nodes. Ensure that HA is disabled before stopping these services.

• Cisco Presence Engine


• Cisco SIP Proxy
• Cisco XCP Router
• Cisco Sync Agent
• Cisco Client Profile Agent
Step 6 Complete the following configuration for Exchange Integration in Unity Connection:

a) In Unity Connection, navigate to Unified Messaging > Unified Messaging Services.
b) Add a service with exchange server details
Step 7 In Unity Connection, navigate to Users > Users, and change the Class of Service from the Default
Class of Service to Customer Specific Class of Service (for example, Voice Mail User COS to Cu7-
C0003vmService_COS_1).
Step 8 In Unity Connection, navigate to Users > Users.

a) Navigate to Edit > Password Settings.
b) Uncheck the User Must Change at Next Sign-In checkbox.
Step 9 In Microsoft Exchange Server, enable Impersonation Account for the User.
Step 10 In Unity Connection, navigate to Users > Users.
a) Navigate to Edit > Unified Messaging Accounts .
b) Add a new account for the user.
c) Click Test to perform a test and check for any issues with User's exchange integration.
Tip
Connection notifier service must be up and running in active Unity Connection node for MWI to work.

Configure Call Screening


Procedure
Step 1 Complete the following steps in Unified CM:

a) Create a DN and then associate the DN to a CTI route point.
b) In the newly created DN, set Call Forward All to Voice mail and associate VM profile to DN.
c) Associate the VM profile to the number that needs to be screened.
d) In the SIP trunk to Voice Mail, check the Redirection header Inbound and outbound checkbox,
select Cux-ISR-CSS, and reset the SIP trunk.
Step 2 Complete the following steps in Unity Connection:

a) Create a call handler (Call Management > System Call Handlers) with a display name. Associate
the right Phone system and partition.
b) Edit Transfer rules and uncheck Alternate and Closed rules.
c) Open Standard rule, and set Transfer calls to Extension or URI to the DN which needs to be
screened.
d) Check Ask Me If I want to Take a Call and Ask for Caller's Name, and save the settings.
e) Navigate to Call Management > Call Routing > Forwarded Routing Rules and create a new rule.
f) Provide the display name of the new rule, and click the radio button Call Handler. Select the call
handler which was created.
g) Click radio button Attempt Transfer.
h) Add a new routing rule condition, with Forwarding station "equals" to the DN which was associated
to CTI route point.

Expressway-C Configuration for Unified Communications

Configure DNS and NTP Settings


Check and configure the basic system settings on Expressway:
Procedure

Step 1 Specify the system host name and domain name at System > DNS.

Step 2 Specify the local DNS servers at System > DNS.

Step 3 Synchronize all Expressway systems to a reliable NTP service at System > Time. Use an
authentication method in accordance with your local policy.

Enable Mobile and Remote Access


1. Go to Configuration > Unified Communications > Configuration.
2. Set mobile and remote access to On.
3. Click Save.

Configure the Domains to Route to Unified CM


Configure the domains for the registration, call control, provisioning, messaging and presence services that
you want to route to Unified CM.
Procedure

Step 1 On Expressway-C, go to Configuration > Domains.

Step 2 Select the domains (or create a new domain, if not already configured) for the services to route to
Unified CM.

Step 3 For each domain, turn On the services for that domain that Expressway is to support.

Configure SIP
Procedure

Step 1 Navigate to Configuration > Protocol > SIP.

Step 2 Configure the SIP settings as follows.

Configure Unified CM Servers


Configure the Unified CM servers used for remote access.
Procedure

Step 1 On Expressway-C, go to Configuration > Unified Communications > Unified CM servers.
The resulting page displays all configured servers.

Step 2 Add the details of a Unified CM publisher:

a. Click New.
b. Enter the Unified CM publisher address and the Username and Password credentials of
an application user account that can access the server. The address can be specified
as an FQDN or as an IP address. The Unified CM user must have the Standard AXL
API Access role.
c. Set TLS Verify Mode to OFF.

The system attempts to contact the publisher and retrieve details of its associated
nodes.
d. Under ‘Related Tasks’ at the bottom of the page, repeat for each additional Unified CM
node, as well as all IM and Presence and Cisco Unity Connection nodes.

Configure a Unified Communications Traversal Zone to Expressway-E


Procedure
Step 1 On the Zones page create a Unified Communications Traversal Zone to VSCE.
a. Configure the SIP settings and authentication as shown in the following image.
b. Ensure the Peer 1 address reflects the FQDN of Expressway-E and it resolves to the
externally reachable IP for a single NIC deployment of Expressway-E or the internally
reachable IP for a dual NIC deployment of Expressway-E.
c. Once added, ensure that the Status of the Zone is Active.

Step 2 Navigate to Configuration > Dial Plan > Search rules.

Verify the default search rules exist for the discovered Unified CM servers.
For more information on creating Secure Traversal Zones, see the Mobile and Remote Access via
Expressway Deployment Guide X8.10 (PDF).

Configure Expressway-E for MRA


Ensure that Expressway-E is publicly accessible and can be reached with a browser by using the domain
address [example: vcse.collabedge-XXX.dc-YY.com]. See DNS Records for more troubleshooting
information.

Tune the Performance of the Expressway Registration Cache

By tuning the SIP Authentication Remote Digest Cache on Cisco Expressway-E, you can reduce the
overhead of registration and digest calculation in the MRA solution. The performance improvement is
approximately 30% peak CPU saving on the processor core that handles SIP processing when compared
with the default settings.
We recommend that you understand the reliability of the connection between the remote phones and soft
clients along with the security implications of increasing the interval between validating credentials.
Software Requirements: Expressway-E version X8.10 or later.
Expressway Registration Caching

In this scenario, SIP is authenticated using a digest-based mechanism by which the credentials are
validated on Expressway-E but stored on (or retrieved from) Expressway-C. Retrieving and validating the digest
authentication is costly, so the credentials are cached on Expressway-E. The cache has the following
parameters.

• Digest Cache ExpireCheckInterval. Controls the timer frequency for checking or removing
expired digest credentials from the cache. The default is 3600 seconds.
• Digest Cache Lifetime. Controls the lifetime of a digest. The default is 600 seconds. Expired
digests in a cache are erased.
Proposed Improvement: Set Digest Cache ExpireCheckInterval and Digest Cache Lifetime
to 7200 seconds. The implication of this change is that the maximum time that a phone or soft
client can remain connected to the Expressway-E is now 7200 seconds or 2 hours. The cache
can maintain the credentials for a maximum of 14400 seconds or 4 hours. Credentials continue
to be additionally validated by the Cisco Unified CM. See the specific documentation for your
version to check the credential revocation policy.

Procedure

1. SSH into Expressway-E as an administrator.


2. Set Digest Cache ExpireCheckInterval to 7200.

3. Verify that Digest Cache ExpireCheckInterval is 7200.

4. In tshell, set Digest Cache Lifetime to 7200.

5. Verify that Digest Cache Lifetime is 7200.

Configure DNS, NTP, and IP Settings


Check and configure the basic system settings on Expressway:
Procedure

Step 1 Specify the system host name and domain name at System > DNS.

Step 2 Specify the public DNS servers at System > DNS.

Step 3 Synchronize all Expressway systems to a reliable NTP service at System > Time. Use an
authentication method in accordance with your local policy.

Step 4 Navigate to System > Network Interfaces > IP and verify the following:
• LAN settings are in IPv4 mode.
• Dual network interfaces are configured properly if needed.
• The IPv4 address, gateway, and subnet mask are correct.
• IPv4 static NAT mode is on for the external LAN.
• The IPv4 static NAT address is the correct public IP.

Configure SIP
Procedure

Step 1 Navigate to Configuration > Protocol > SIP.

Step 2 Configure the SIP settings as follows.

Create the DNS Zone

Create a DNS Zone that allows your Expressway-E to identify and route OTT calls.
Procedure

Step 1 On the Expressway-E, navigate to Configuration > Zones > Zones and click New.

Step 2 Configure zone of type DNS and set TLS Verify Mode to OFF.

Step 3 Click Create Zone.

Configure a Unified Communications Traversal Zone to Expressway-C

Procedure

Step 1 On the Zones page, create a Unified Communications Traversal Zone to Expressway-C.

Step 2 Configure the SIP settings and authentication as shown in the following image.
The connection credentials on the Expressway pair should match.

Step 3 Ensure the TLS verify subject name address reflects the FQDN of Expressway-C and it is reachable.

Step 4 Once added, ensure the Status of the Zone is Active.


For more information on creating Secure Traversal Zones, see the Cisco Expressway Administration Guide (PDF).

Configure Unified CM for Call Routing

Configure Cisco Unified CM to receive calls directly from Expressway-E through Expressway-C and assist
with Mobile Remote Access (MRA).
Procedure

Step 1 Sign in to the Shared Architecture Unified CM.

Step 2 Navigate to System > Enterprise Parameters.

Step 3 Use CTRL+F to search for “fully.” The search takes you to the setting titled Cluster Fully
Qualified Domain Name.

Step 4 Enter the public domain name created for MRA followed by the FQDN of the Shared
architecture Cisco Unified Communications Manager.

For example: collabedge-161.dc-01.com cucm-shared.dcloud.cisco.com.

Step 5 Click Save.

Enable Pre-routed Route Header for SIP REGISTER

By enabling the Pre-routed Route Header (PRRH) flag for the SIP REGISTER message on the Cisco
Expressway-C and E, you can increase the number of registrations on Expressways to a certain extent in
the MRA solution without affecting call capacity.
Expressways on releases X8.11.4 and earlier cannot register more than 2500 endpoints in the MRA
solution. Using the PRRH capability for REGISTER improves the performance of Expressway by allowing
more endpoints to be registered in an MRA deployment. The percentage of CPU consumed is noticeably
improved even with a higher number of registered endpoints.
For better performance results, we recommend that you tune the performance of the registration cache,
along with setting this feature flag.
Software Requirements: Expressway-C and Expressway-E version X12.5 and later
PRRH Flag for the SIP REGISTER Message
At startup, the SIP Proxy – App reads the feature flag to determine whether the SIP requests that have
preloaded route headers can be routed more efficiently to follow the existing proxy-routing logic. This flag is
available only for the SIP REGISTER message as of Expressway release X12.5.
Procedure

1. SSH into Expressway-E as an administrator.

2. Enable the PRRH SIP REGISTER message flag.

3. Verify that the message flag is enabled.

4. Repeat steps 1 to 3 on Expressway-C.

5. Reboot the Expressway nodes.
   • In the UI for each node, click Maintenance > Restart options.
   • Click Reboot.
Note: When you reboot an Expressway node, all active calls on the node are disconnected.

Routing Configuration

Pre-search Transforms
Pre-search transform configuration allows the destination alias (called address) in an incoming search request
to be modified. The Expressway applies the transformation before any searches are sent to external zones.
The pre-search transform configuration described in this document is used to standardize destination aliases
originating from both H.323 and SIP devices. This means that the same call searches work for calls from both
H.323 and SIP endpoints.
For example, if the called address is an H.323 E.164 alias “01234”, the Expressway automatically appends
the configured domain name (in this case example.com) to the called address (that is, 01234@example.com,
making it into a URI), before attempting to set up the call.
Use pre-search transforms with care, because they apply to all signaling messages. If they match, they will
affect the routing of Unified Communications messages, provisioning and presence requests as well as call
requests.
Transformations can also be carried out in search rules. Consider whether it's best to use a pre-search
transform or a search rule to modify the called address to be looked up.

Search Rules
Search rules define how the Expressway routes calls (to destination zones, such as to Unified CM, or another
Expressway, or Meeting Server) in specific call scenarios. When a search rule is matched, the destination
alias can be modified according to the conditions defined in the search rule.

The search rules described in this document are used to ensure that endpoints can dial H.323 devices that
have registered E.164 numbers or H.323 IDs without a domain portion. The search rules first search for
received destination aliases without the domain portion of the URI, and then search with the full URI.
The search rules described here are used to enable the following routing combinations:

Calling party                                Called party
Registered devices (Expressway-C)            Registered devices (Expressway-C)
Registered devices (Expressway-C)            External domains and un-registered
                                             devices (via Expressway-E using DNS zone)
Registered devices (Expressway-C)            Public external IP addresses (via Expressway-E)
External domains and un-registered devices   Registered devices (Expressway-C)

The routing configuration in this document searches for destination aliases that have valid SIP URIs. That is,
using a valid SIP domain, such as id@domain.

You can configure routing which enables calls to unregistered devices on an internal network (routing to the
IP addresses of the devices) by configuring a search rule with a mode of Any IP address with target Local
Zone. However, this is not recommended (and not described in this document). The best practice is to register
all devices and route using destination aliases.

Configure Transforms
The pre-search transform configuration described in this document is used to standardize destination aliases
originating from both H.323 and SIP devices.
The following transform modifies the destination alias of all call attempts made to destination aliases which
do not contain an ‘@’. The old destination alias has @example.com appended to it, thus standardizing all
called destination aliases into a SIP URI format.
Procedure

Step 1 On Expressway-C and Expressway-E, navigate to Configuration > Dial plan > Transforms.

Step 2 Click New.

Step 3 Configure the transform fields as follows:

Field              On Expressway-C or E
Priority           Enter 1
Description        Enter Transform destination aliases to URI format
Pattern type       Regex
Pattern string     Enter ([^@]*)
Pattern behavior   Replace
Replace string     Enter \1@example.com
State              Enabled

Step 4 Click Create transform.

Configure Local Zone Search Rules


Configure the search rules to route calls to the Local Zone (to locally registered endpoint aliases).
Procedure
Step 1 On Expressway-C and Expressway-E, navigate to Configuration > Dial plan > Search rules.
Step 2 First disable the supplied default search rule (LocalZoneMatch), as follows:
Step 3 Click New.
Step 4 Configure the search rule fields as follows:

Fields                          On Expressway-C or E
Rule name                       Enter Local zone – full URI
Description                     Enter Search local zone for SIP devices with a domain
Priority                        Enter 50
Protocol                        Any
Source                          Any
Request must be authenticated   No
Mode                            Alias pattern match
Pattern type                    Regex
Pattern string                  Enter (.+)@example.com.*
Pattern behavior                Leave
On successful match             Continue
Target                          LocalZone
State                           Enabled

Step 5 Click Create search rule.
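
How the pre-search transform pattern ([^@]*) and the Local Zone search rule pattern (.+)@example.com.* behave on sample aliases, as an added shell example (not part of the Cisco document). It assumes the pattern must match the whole alias, so each expression is anchored with ^ and $; the function names, the sample aliases and the stricter comparison pattern are hypothetical.

```shell
#!/bin/sh
# Added example: replay the two regular expressions from the tables above with
# sed/grep in extended-regex mode. Assumption: the pattern is matched against
# the entire alias, which is modelled here by anchoring with ^ and $.

# Pre-search transform: Pattern string ([^@]*), Replace string \1@example.com.
# Aliases that already contain '@' do not match and pass through unchanged.
apply_transform() {
    printf '%s\n' "$1" | sed -E 's/^([^@]*)$/\1@example.com/'
}

# Local Zone search rule exactly as configured: (.+)@example.com.*
# The unescaped '.' matches any character and the trailing '.*' accepts any
# suffix after the domain.
matches_local_rule() {
    printf '%s\n' "$1" | grep -Eq '^(.+)@example.com.*$'
}

# Hypothetical stricter pattern, for comparison only (not a value from the
# document): literal dot, and only a port or URI parameters after the domain.
matches_strict_rule() {
    printf '%s\n' "$1" | grep -Eq '^(.+)@example\.com([:;].*)?$'
}

# route ALIAS: apply the transform, then test the Local Zone rule.
# Pattern behavior is "Leave", so the alias is not modified by the rule.
route() {
    r_alias=$(apply_transform "$1")
    if matches_local_rule "$r_alias"; then
        echo "LocalZone $r_alias"
    else
        echo "no-local-match $r_alias"
    fi
}

# Constructed sample aliases: E.164 number, full URI, empty alias,
# foreign domain, and two aliases that only the broad pattern accepts.
for a in 01234 alice@example.com "" alice@other.test \
         alice@exampleXcom alice@example.com.other.test; do
    if matches_strict_rule "$(apply_transform "$a")"; then s=yes; else s=no; fi
    printf '%-32s -> %-45s strict=%s\n' "'$a'" "$(route "$a")" "$s"
done
```

The empty alias is rewritten to @example.com by the transform and then fails the search rule because (.+) needs at least one character before the @.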

Configure Traversal Zone


The traversal zone configuration defines a connection between the Expressway-C and Expressway-E platforms.
A traversal zone connection allows firewall traversal for signaling and media between the two platforms.
Expressway-C is configured with a traversal client zone. Expressway-E is configured with a traversal server
zone.
Procedure
Step 1 In Expressway-C and Expressway-E, navigate to Configuration > Zones > Zones
Step 2 Click New.

Step 3 Configure the fields as follows:

Fields                               On Expressway-C            On Expressway-E
Name                                 Enter name, for example,   Enter name, for example,
                                     TraversalZone              TraversalZone
Type                                 Traversal client           Traversal client
Username                             Enter exampleauth          Enter exampleauth
Password                             Enter ex4mpl3.c0m          Not Applicable
H.323 Mode                           On                         On
H.323 Protocol                       Assent                     Assent
H.323 Port                           Enter 6001                 Enter 6001
H.323 H.460.19 demultiplexing mode   Not applicable             Off
SIP Mode                             On                         On
SIP Port                             Enter 7001                 Enter 7001
SIP Transport                        TLS                        TLS
SIP TLS verify mode                  Off                        Off
SIP Accept proxied registrations     Allow                      Off
Location Peer 1 address              Enter 192.0.2.2            Not applicable

Step 4 Click Create zone.

Configure Authentication Credentials in Expressway-E


Configure the authentication credentials in the Local authentication database (configured in the Expressway-E
only).
Procedure
Step 1 In Expressway-E, navigate to Configuration > Authentication > Devices > Local database.

Step 2 Click New.

Step 3 Configure the fields as follows:

Fields     On Expressway-C   On Expressway-E
Name       Not applicable    Enter exampleauth
Password   Not applicable    Enter ex4mpl3.c0m

Step 4 Click Create credential.

Neighboring Between Expressway Clusters


You can neighbor your local Expressway (or Expressway cluster) to a remote Expressway cluster; this remote
cluster could be a neighbor, traversal client, or traversal server to your local Expressway. In this case, when
a call is received on your local Expressway and is passed via the relevant zone to the remote cluster, it is
routed to whichever peer in that neighboring cluster has the lowest resource usage. That peer then forwards
the call as appropriate to one of its:

• locally registered endpoints (if the endpoint is registered to that peer)
• peers (if the endpoint is registered to another peer in that cluster)
• external zones (if the endpoint has been located elsewhere)
For Expressway: Lowest resource usage is determined by comparing the number of available media
sessions (maximum - current use) on the peers, and choosing the peer with the highest number. Peers that
are in maintenance mode are not considered.

For VCS: Lowest resource usage is determined by comparing the number of available traversal calls
(maximum - current use) on the peers, and choosing the peer with the highest number. Peers that are in
maintenance mode are not considered.

When configuring a connection to a remote cluster, you create a single zone and configure it with details of
all the peers in the cluster. Adding this information to the zone ensures that the call is passed to that cluster
regardless of the status of the individual peers.
You also need to enter the IP address of all peers in the remote cluster when the connection is via a
neighbor or traversal client zone. You do not do this for traversal server zones, as these connections are not
configured by specifying the remote system's IP address.
Note Systems that are configured as peers must not also be configured as neighbors to each other, and
vice versa.

Neighboring Clusters
To neighbor your local Expressway (or Expressway cluster) to a remote Expressway cluster, you create a
single zone to represent the cluster and configure it with the details of all the peers in that cluster:
Procedure
Step 1 On your local Expressway (or, if the local Expressway is a cluster, on the primary peer), create a
zone of the appropriate type. This zone will represent the connection to the cluster.
Step 2 In the Location section, enter the IP address or FQDN of each peer in the remote cluster in the Peer
1 to Peer 6 address fields.

Note: Ideally you should use FQDNs in these fields. Each FQDN must be different and must resolve to a
single IP address for each peer. With IP addresses, you may not be able to use TLS verification, because
many CAs will not supply certificates to authenticate an IP address.
The order in which the peers in the remote Expressway cluster are listed here does not matter.
Whenever you add an extra Expressway to a cluster (to increase capacity or improve redundancy, for example)
you will need to modify any Expressways which neighbor to that cluster to let them know about the new
cluster peer.

Configure Traversal Zone Search Rules


Create the search rules to route calls via the traversal zone.
Procedure
Step 1 On Expressway-C and Expressway-E, navigate to Configuration > Dial plan > Search rules.
Step 2 Click New.
Step 3 Configure the fields as follows:

Fields                          On Expressway-C                               On Expressway-E
Rule name                       "Traversal zone search rule" for example      "Traversal zone search rule" for example
Description                     "Search traversal zone - EXPe" for example    "Search traversal zone - EXPc" for example
Priority                        100                                           100
Protocol                        Any                                           Any
Source                          Any                                           Any
Request must be authenticated   No                                            No
Mode                            Any alias                                     Any alias *
On successful match             Continue                                      Continue
Target                          Traversal zone                                Traversal zone
State                           Enabled                                       Enabled

This example routes any alias across the traversal zone towards the Expressway-C. You can be more
selective by adding search rules or configuring call policy.
Step 4 Click Create search rule.

Configure DNS Zone Search Rules


The DNS search rule defines when the DNS zone should be searched.
A specific regular expression is configured which prevents searches being made using the DNS zone (that is,
on the public internet) for destination addresses (URIs) using any SIP domains which are configured on the
local network (local domains).
To create the search rules to route via DNS:
Procedure
Step 1 In Expressway-E, navigate to Configuration > Dial plan > Search rules.
Step 2 Click New.
Step 3 Configure the fields as follows:

Fields                          Description
Rule name                       Enter rule name, for example, DNS zone search rule.
Description                     Enter description, for example, Search DNS zone (external calling)
Priority                        Enter 150
Protocol                        Any
Source                          All zones
Request must be authenticated   No
Mode                            Alias pattern match
Pattern type                    Regex
Pattern string                  Enter (?!.*@example\.com.*$).*
Pattern behavior                Leave
On successful match             Continue
Target                          Local Zone
State                           Enabled

Step 4 Click Create search rule.

Note: The regular expression used to prevent local domains being searched via the DNS zone can be
broken down into the following components:
(.*) = match all pattern strings
(?!.*@example\.com.*$).* = do not match any pattern strings ending in @example.com
Calls destined for @cisco.com would be searched via the DNS zone, whereas calls destined for
@example.com would not.
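The pattern string from the DNS zone search rule can be checked offline before it is entered. This is an added example, not part of the Cisco document; it shows that the lookahead rejects any alias that contains @example.com (not only one that ends with it), while an alias in a subdomain such as @sub.example.com still matches. Assumptions: the rule is applied to the whole alias (modelled with re.fullmatch), the sample aliases are constructed, and build_dns_rule_pattern is a hypothetical helper that extends the page's single-domain pattern to several local domains.

```python
import re

# Pattern string exactly as given in the DNS zone search rule on this page.
PAGE_PATTERN = r"(?!.*@example\.com.*$).*"


def build_dns_rule_pattern(local_domains):
    """Hypothetical helper: a pattern of the same shape as the page's,
    excluding several local SIP domains instead of one."""
    if not local_domains:
        raise ValueError("at least one local domain is required")
    alternation = "|".join(re.escape(d) for d in local_domains)
    return rf"(?!.*@({alternation}).*$).*"


def searched_via_dns(alias, pattern=PAGE_PATTERN):
    """Return True when the alias matches the rule, meaning the search
    would continue to the rule's target.

    Assumption: the rule must match the whole alias (re.fullmatch).
    """
    return re.fullmatch(pattern, alias) is not None


# Constructed sample aliases, not taken from any real deployment.
SAMPLE_ALIASES = [
    "alice@cisco.com",                # external domain
    "bob@example.com",                # local domain
    "bob@example.com;transport=tls",  # local domain with URI parameters
    "carol@example.com.partner.net",  # merely contains "@example.com"
    "dave@sub.example.com",           # subdomain of the local domain
]


def classify(aliases, pattern=PAGE_PATTERN):
    """Map each alias to True (rule matches) or False (rule does not match)."""
    return {alias: searched_via_dns(alias, pattern) for alias in aliases}


if __name__ == "__main__":
    for alias, hit in classify(SAMPLE_ALIASES).items():
        print(f"{alias:32} {'matches rule' if hit else 'excluded by lookahead'}")
```

If subdomains of a local domain must also stay off the DNS zone, list them explicitly as additional local domains when building the pattern.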

Configure External (Unknown) IP Address Routing


The following configuration defines how an Expressway routes calls (and other requests) to external (unknown)
IP addresses. An external IP address is an IP address which is not known to the Expressway and therefore
assumed to be a publicly routable address.
Known IP addresses are addresses defined in a subzone (using a subzone membership subnet rule).
All requests destined for external IP addresses, originating at the Expressway-C, are routed to the
Expressway-E using a search rule.
The Expressway-E then attempts to open a connection directly to the IP address.
Procedure
Step 1 In Expressway-C and Expressway-E, navigate to Configuration > Dial plan > Configuration.
Step 2 Complete the following fields:

Field                            Description
Calls to unknown IP addresses    In Expressway-C, set to Indirect.
                                 In Expressway-E, set to Direct.

Step 3 Click Save.

Create Search Rules to Route Calls to IP addresses to the Expressway-E


Before you begin
Ensure you have configured how the Expressway handles calls to unknown IP addresses.
Procedure

Step 1 In Expressway-E, navigate to Configuration > Dial plan > Search rules.
Step 2 Click New.
Step 3 Configure the fields as follows:

Fields                          On Expressway-C                          On Expressway-E
Rule name                       Enter External IP address search rule    Not applicable
Description                     Enter Route external IP address          Not applicable
Priority                        Enter 100                                Not applicable
Protocol                        Any                                      Not applicable
Source                          Any                                      Not applicable
Request must be authenticated   No                                       Not applicable
Mode                            Any IP address                           Not applicable
On successful match             Continue                                 Not applicable
Target                          TraversalZone                            Not applicable
State                           Enabled                                  Not applicable

Step 4 Click Create search rule.

Create Static Routes Towards the Internal Network


With a deployment like Dual Network Interfaces Deployment, you would typically configure the private
address of the external firewall as the default gateway of the Expressway-E. Traffic that has no more specific
route is sent out from either Expressway-E interface to the external firewall.
If the internal firewall (B) is doing NAT for traffic from the internal network (subnet 10.0.30.0 in diagram) to
LAN1 of the Expressway-E (for example traversal client traffic from Expressway-C), that traffic is recognized
as being from the same subnet (10.0.20.0 in diagram) as it reaches LAN1 of the Expressway-E. The
Expressway-E will therefore be able to reply to this traffic through its LAN1 interface.

If the internal firewall (B) is not doing NAT for traffic from the internal network (subnet 10.0.30.0 in
diagram) to LAN1 of the Expressway-E (for example traversal client traffic from Expressway-C), that traffic
still has the originating IP address (for example, 10.0.30.2 for traffic from Expressway-C in the diagram). You
must create a static route towards that source from LAN1 on the Expressway-E, or the return traffic goes to
the default gateway (10.0.10.1). You can do this on the web UI (System > Network interfaces > Static
routes) or using xCommand RouteAdd at the CLI.

If the Expressway-E needs to communicate with other devices behind the internal firewall (e.g., for reaching
network services such as NTP, DNS, LDAP/AD and syslog servers), you also need to add static routes from
Expressway-E LAN1 to those devices/subnets.

In this particular example, we want to tell the Expressway-E that it can reach the 10.0.30.0/24 subnet behind
the 10.0.20.1 firewall (router), which is reachable via the LAN1 interface. This is accomplished using the
following xCommand RouteAdd syntax:
xCommand RouteAdd Address: 10.0.30.0 PrefixLength: 24 Gateway: 10.0.20.1 Interface: LAN1

In this example, the Interface parameter could also be set to Auto as the gateway address (10.0.20.1) is only
reachable via LAN1.
Note: The xCommand RouteAdd command and the equivalent web UI are detailed in the Expressway
help and the Expressway Administrator Guide.
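The return-path problem described above, worked through as an added example that is not part of the Cisco document: a longest-prefix-match lookup over the Expressway-E routes before and after the RouteAdd command. The addresses, the command line and LAN1 come from the page; the LAN2 interface name, the /24 prefix lengths of the two directly connected subnets, and the helper names are assumptions.

```python
import ipaddress
import re
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[str]  # None means the subnet is directly connected
    interface: str


# Command line exactly as shown on this page.
PAGE_COMMAND = ("xCommand RouteAdd Address: 10.0.30.0 PrefixLength: 24 "
                "Gateway: 10.0.20.1 Interface: LAN1")


def parse_route_add(command: str) -> Route:
    """Turn an 'xCommand RouteAdd' line into a Route record."""
    fields = dict(re.findall(r"(\w+):\s*(\S+)", command))
    network = ipaddress.ip_network(f"{fields['Address']}/{fields['PrefixLength']}")
    return Route(network, fields["Gateway"], fields["Interface"])


# Routing table of the Expressway-E before any static route is added.
# Assumptions: both connected subnets are /24 and the external-facing
# interface is called LAN2; the default gateway 10.0.10.1 is from the page.
BASE_ROUTES = [
    Route(ipaddress.ip_network("10.0.20.0/24"), None, "LAN1"),
    Route(ipaddress.ip_network("10.0.10.0/24"), None, "LAN2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.0.10.1", "LAN2"),
]


def next_hop(dest: str, routes) -> Route:
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        raise LookupError(f"no route to {dest}")
    return max(candidates, key=lambda r: r.network.prefixlen)


def reply_path(source: str, arrival_interface: str, routes) -> dict:
    """Where does a reply to 'source' leave, and is that the interface
    the original packet arrived on?"""
    route = next_hop(source, routes)
    return {
        "gateway": route.gateway,
        "interface": route.interface,
        "symmetric": route.interface == arrival_interface,
    }


if __name__ == "__main__":
    static = parse_route_add(PAGE_COMMAND)
    print("no NAT, no static route:", reply_path("10.0.30.2", "LAN1", BASE_ROUTES))
    print("no NAT, static route   :", reply_path("10.0.30.2", "LAN1", BASE_ROUTES + [static]))
    print("NAT on firewall B      :", reply_path("10.0.20.1", "LAN1", BASE_ROUTES))
```

The same lookup can be repeated for each internal NTP, DNS, LDAP/AD or syslog server address to confirm that a static route covers it.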

Procedure
Step 1 In Expressway-E, navigate to System > Network interfaces > Static routes.
Step 2 Complete the following fields to create a static route:

Fields           Description
IP address       Internal network subnet
Prefix length
Address range
Gateway          Firewall (router)
Interface        LAN of the Expressway-E

Logging in to MRA
Prerequisite
Ensure that the Expressway-E is reachable from your desk phone after the network configuration is done. See
the Cisco Expressway Basic Configuration Deployment Guide for detailed information.
• Sync the users with the Top Down approach.
• Create Jabber Config file for each customer for user separation and voice mail.
Configure the following services for the end-users:
• Configure home cluster.
• Add mobility services.
• Add Jabber/iPhone/iPad/Android devices as required.
• Associate the user with the corresponding devices.
• Add owner user id.

Device          Login
Using Jabber    Log in to Windows Jabber as a customer user with username (for example,
                C1L1AutNcUser001@c1sa.com) and password (Hcs@1234).
Using iPhone    Log in to iPhone as a customer user with username (for example,
                C1L1AutNcUser002@c1sa.com) and password (Hcs@1234).
Using iPad      Log in to iPad as a customer user with username (for example,
                C1L1AutNcUser003@c5sa.com) and password (Hcs@1234).
Using Android   Log in to Android phone as a customer user with username (for example,
                C1L1AutNcUser002@c5sa.com) and password (for example, Hcs@1234).

Features
• Start chat with users of same customer.
• Make call (Audio/Video) between users within the customer.
• Share desktop.
• Start group chat.
• Use Call Forward and Call Transfer.

Configuration for Desk Phones and Jabber

Set a Default User Profile for a Site


Set a default user profile for a site, to be used when no user profile is specified when adding a subscriber.
Procedure

Step 1 Sign in to Cisco Unified CM as a provider, reseller, or customer administrator.
Step 2 Select Site Management > Defaults.
Step 3 Click the Defaults to edit.
Step 4 In the Default User Profile (for User Self Provisioning) field, enter the default user profile
for the site.
Step 5 Click Save.

Configure Self-Provisioning in Cisco Unified CM


Perform the following one-time configuration tasks on each cluster in Cisco Unified CM.
Procedure

Step 1 Ensure that the Cisco CallManager, Cisco CTIManager, and Self-Provisioning IVR services
are activated and running: Cisco Unified Serviceability > Tools > Control Center –
Feature Services.

Step 2 Configure auto registration.
a. Go to System > Cisco Unified CM.
b. Select the appropriate Cisco Unified CM.
c. Set the starting and ending directory number range.
d. Select the Universal Device Template and Universal Line Template created for auto
registration.
Note: These templates are created in User Management > User/Phone Add in
Cisco Unified CM.
e. Uncheck Auto-registration Disabled.

Step 3 Create one partition and a unique calling search space (CSS) for self-provisioning.
a. Go to Call Routing > Class of Control > Partition and create a partition.
b. Go to Call Routing > Class of Control > Calling Search Space and create the
CSS.
c. Assign the new partition to the new CSS.

Step 4 Configure a CTI route point, which provides the number that users dial to connect to the IVR.
a. Go to Device > CTI Route Point.
b. Click Add New.
c. Fill in name, device pool, CSS, and any other needed options.
d. Add a new DN in the proper partition (this is the IVR number that users dial).

Step 5 Configure an application user and credentials so the system can connect to the IVR
self-provisioning service.
a. Go to User Management > Application User.
b. Click Add New.
c. Fill in user ID and password.
d. Add to Access Control Group and select the following groups: Standard CTI
Enabled, Standard CTI Secure Connection, Standard CCM End Users, and
Standard CCM Admin Users.
e. Add the CTI route point device to the list of controlled devices.

Step 6 Configure self-provisioning.
a. Go to User Management > Self-Provisioning.
b. Add the new CTI route point.
c. Select the new application user.
d. Click Save.

Hide the Service Domain for Jabber


The service domain can be hidden in the Jabber configuration files to present a better end-user experience.
For Windows applications, modify the Jabber installer with the following information:

• msiexec /i CiscoJabberSetup.msi VOICE_SERVICES_DOMAIN=<service-domain> SERVICES_DOMAIN=<service-domain> CLEAR=1

For Mobile applications, provide the following link to launch Jabber on the first launch:

• ciscojabber://provision?ServicesDomain=<service-domain>

More information can be found in the Cisco documentation here.

Persistent User Credentials for Expressway Sign-In


System administrators can enable the “User Credentials Persistent for Expressway Sign In” setting in the
phone configuration profile so that the device stores the user credentials, which allows Expressway
registrations to persist across a reboot or short power outage. Without this setting enabled, users might
have to re-enter credentials after a reboot or short power outage.

How to Remotely Upgrade Phones


Mobile and Remote Access is supported on 78XX and 88XX phones with firmware version 11.0(1) or later
and DX series endpoints with 10.2.4(99) or later. Once a device is registered over MRA, it receives newer
firmware as specified on Cisco Unified CM.
If you have 78XX/88XX/DX devices on an older load that doesn’t support MRA, then you can go to
upgrade.cisco.com for instructions on how to upgrade the firmware to a version that supports MRA.

UDS Applications for Directory Separation


Directory separation ensures that each customer in a Shared Architecture deployment can access the
correct list of contacts. Partners who want to use HCS SA to provide UCaaS or Managed Services to their
customers can use CUCM-based Native Directory Search or a third-party UDS application to enable
directory separation.

Add a Third-Party UDS for Directory Searches in Jabber


The following steps will make directory searches in Jabber show only the users in their own customer base
instead of all the users in the shared Cisco Unified CM.
Procedure

Step 1 Create an XML file.
Change the UdsServer to the appropriate customer domain from the below template and save it as
jabber-config-customer-name.xml.

<?xml version="1.0" encoding="UTF-8"?>


<config version="1.0">
<Directory>
<DirectoryServerType>UDS</DirectoryServerType>
<UdsServer>uds.provider.com</UdsServer>
</Directory>
</config>

Step 2 Upload the XML file to Cisco Unified CM TFTP.
a. Sign in to Cisco Unified CM.
b. Go to Cisco Unified OS Administration.
c. Go to Software Upgrades and TFTP File Management.
d. Click Upload File.
e. Click Choose File and find the XML file.
f. Click Upload File.

Step 3 Restart the TFTP service.
a. Go to Cisco Unified Serviceability.
b. Go to Tools and Control Center – Feature Services.
c. Select the Cisco Unified CM Server.
d. Select Cisco TFTP.
e. Click Restart.

Step 4 Add the customer entry to the Expressway-C Allow List.
a. Sign in to Expressway-C as an administrator.
b. Go to Configuration and Unified Communications and Configuration.
c. Click the Configure HTTP server allow list.
d. Click New.
e. For Expressway version X8.8 or earlier, enter the customer domain with UDS service in the
name (ex uds.provider.com).
f. For Expressway version X8.9 or later, enter
https://<customer-name>.<uds.provider.com>:8443/cucm-uds/ in the URL field (replace the customer-name
and domain.com with the appropriate entry). Make sure to select Prefix match for the match
type. An HTTPS entry per customer is required. There also needs to be one HTTP entry
shared for all the customers which is http://<customer-name>.<uds.provider.com>/. Make
sure to select Prefix match for the match type, and select Choose methods for allowed
methods and select all the available options.
g. Click Create entry.

Step 5 Fill in the Cisco Support field with the XML config filename.
a. Sign in to Cisco Unified Communications Manager.
b. Find the device configuration page for the associated Jabber device.
c. Fill in the Cisco Support field with configurationfile=jabber-config-customer.xml and replace
the xml file name with the appropriate file name.
d. If you do not see the Cisco Support field for mobile devices, then install the following Cisco
Options Packages for your release of Cisco Unified CM: cmterm-android-install-XXX.cop.sgn,
cmterm-jabbertablet-install-XXX.cop.sgn, and cmterm-iphone-install-XXX.cop.sgn.

Add Third-Party UDS for Directory Searches in Desk Phones


Take the following steps to add customer-specific directory searches in desk phones only.
Procedure

Step 1 Sign in to Cisco Unified CM.
Step 2 Go to Device > Device Settings > Phone Services.
Step 3 Search for Corporate Directory and select.
Step 4 In the Service URL field, enter the UDS URL.
Step 5 Click Save.
Step 6 Reboot any registered phones.

Tip: Another option for some devices is to modify the “Alternate phone book server address” in the device
page with the UDS URL.

Configure Directory Search in CUCM


You can enhance Directory Search for Shared Architecture deployments by configuring the following
parameters. All of them are required fields that are configured through the AXL interface.

Parameter Name: Directory Search Scope
Default Setting: All Users in the System
Description: Allows you to determine whether user data service (UDS) user searches are limited to users
mapped to the same customer, or to all users in the system. When the scope is set to “Only Users within
the Same Customer,” the UDS search requires authentication and UDS will limit search results to users
with the same customer.

Parameter Name: Search Behavior for Users with No Customer Mapping
Default Setting: Only Search within Users with No Customer Mapping
Description: Allows you to determine the behavior for UDS user searches by an end user that is not
mapped to any customer.

Parameter Name: User Customer Map Audit Time
Default Setting: 0000-00-00 00:00
Description: Allows you to schedule a user customer mapping audit. When this parameter is set, the audit
for the user customer mapping between CUCM and the configured LDAP directory will be performed at the
configured time. After the audit is completed, you can generate a report with the Real-Time Monitoring
Tool (RTMT) under the "Cisco DirSync" to view the results.
Important: the value you enter for this parameter must not be in the past.

Note: There is no need to change the Corporate directory and other service URL. CE platform phones may require
that you modify the alternate phone book server address in CUCM's Device page. Use the updatePhone AXL API to
add a query parameter in the alternate phone book server URL to limit the contact search scope to a specific customer
(for example, “?customer=[customerName]”).

Configure Directory Search in Jabber


The procedure in this topic makes directory searches in Jabber only show the users in their own customer
base instead of all the users in the Shared Unified CM.
Procedure

Step 1 Create XML File. Change the UdsServer to the appropriate customer domain from the following template and
save it as jabber-config-<customer-name>.

<?xml version="1.0" encoding="UTF-8"?>


<config version="1.0">
<Directory>
<DirectoryServerType>UDS</DirectoryServerType>
<BDIUseSIPURIToResolveContacts>true</BDIUseSIPURIToResolveContacts>
<UdsPhotoUriWithToken>http://c1.<app name>.dcloud.cisco.com/JabberPhotos/%%uid%%.png
</UdsPhotoUriWithToken>
<BDIUriPrefix>sip:</BDIUriPrefix>
<UdsServer>c1.<app name>.dcloud.cisco.com</UdsServer>
</Directory>
</config>

The line related to photos is optional. It lets you serve a .png image of each user from the third-party
app (used for directory separation), located in the folder C:\inetpub\wwwroot\JabberPhotos\.

Step 2 Upload XML File to Unified CM TFTP.
a) Log in to Unified CM, and navigate to Cisco Unified OS Administration.
b) Navigate to Software Upgrades and TFTP File Management.
c) Click Upload File to select and upload the XML file.

Step 3 Restart the TFTP Service.
a) In Unified CM GUI, navigate to Cisco Unified Serviceability.
b) Navigate to Tools and Control Center – Feature Services.
c) Select Cisco Unified Communications Manager Server.
d) Select Cisco TFTP.
e) Click Restart.

Step 4 Add Customer Entry into Exp-C Allow List.
a) Log in to Expressway-C with admin user.
b) Navigate to Configuration > Unified Communications > Configuration.
c) Click Configure HTTP server allow list.
d) Click New.
1. For Expressway version 8.8 or earlier, enter the customer domain with third-party app in the Name
field (ex c2.<third-party app>.dcloud.cisco.com).
2. For Expressway version 8.9 or later, enter in the URL field
https://<customer-name>.<third-party app name>.<domain.com>:8443/cucm-uds/ while replacing the
customer-name and domain.com with the appropriate entry. Ensure to select Prefix match for the match
type.
An HTTPS entry per customer is required. There also needs to be one HTTP entry shared for all the
customers which is https://<customer-name>.<third-party app name>.<domain.com>:8443/cucm-uds/
while replacing the customer-name with any customer name (the DNS entries all resolve to the same
third-party IP) and the domain.com with the appropriate entry. Ensure to select Prefix match for the
match type, and select Choose methods for allowed methods, and then select all the available options.
e) Click Create entry.

Step 5 Fill in the Cisco Support Field with XML Config file name.
a) In Unified CM, locate the desired device configuration page for the associated Jabber device.
b) Complete the Cisco Support Field with configurationfile=jabber-config-c2.xml and replace the xml file name
with the appropriate file name.
c) If you don't see the Cisco Support Field for mobile devices, then install the following Cisco Options
Packages for your release of Cisco Unified Communications Manager:
• cmterm-android-install-XXX.cop.sgn
• cmterm-jabbertablet-install-XXX.cop.sgn
• cmterm-iphone-install-XXX.cop.sgn
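Both Jabber directory procedures above (third-party UDS and Configure Directory Search in Jabber) depend on every customer's jabber-config file pointing at that customer's own UDS host. The following added example, which is not part of the Cisco document, generates a per-customer file and audits a file before it is uploaded to TFTP, catching a wrong tenant host or a template placeholder that was never replaced. Assumptions: the UDS host is <customer-name>.<base domain> as in the allow list URL, and the function names and sample values are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def build_jabber_config(customer, uds_base_domain, photo_uri=None):
    """Render a jabber-config file with the elements used on this page."""
    config = ET.Element("config", version="1.0")
    directory = ET.SubElement(config, "Directory")
    ET.SubElement(directory, "DirectoryServerType").text = "UDS"
    if photo_uri:
        ET.SubElement(directory, "UdsPhotoUriWithToken").text = photo_uri
    ET.SubElement(directory, "UdsServer").text = f"{customer}.{uds_base_domain}"
    body = ET.tostring(config, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body


def audit_jabber_config(xml_text, customer, uds_base_domain):
    """Return a list of findings; an empty list means the file is consistent
    with the customer it is meant for."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML (unreplaced template placeholder?): {exc}"]

    directory = root.find("Directory")
    if directory is None:
        return ["missing <Directory> element"]

    findings = []
    expected = f"{customer}.{uds_base_domain}".lower()

    server_type = (directory.findtext("DirectoryServerType") or "").strip()
    if server_type != "UDS":
        findings.append(f"DirectoryServerType is '{server_type}', expected 'UDS'")

    server = (directory.findtext("UdsServer") or "").strip().lower()
    if server != expected:
        findings.append(f"UdsServer is '{server}', expected '{expected}'")

    photo = (directory.findtext("UdsPhotoUriWithToken") or "").strip()
    if photo:
        photo_host = (urlsplit(photo).hostname or "").lower()
        if photo_host != expected:
            findings.append(f"photo URI host is '{photo_host}', expected '{expected}'")
    return findings


# Constructed input: the page's template with its placeholder left in place.
UNEDITED_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<config version="1.0">
<Directory>
<DirectoryServerType>UDS</DirectoryServerType>
<UdsServer>c1.<app name>.dcloud.cisco.com</UdsServer>
</Directory>
</config>"""

if __name__ == "__main__":
    good = build_jabber_config("c1", "uds.provider.com")
    print(audit_jabber_config(good, "c1", "uds.provider.com"))   # no findings
    print(audit_jabber_config(good, "c2", "uds.provider.com"))   # wrong tenant host
    print(audit_jabber_config(UNEDITED_TEMPLATE, "c1", "dcloud.cisco.com"))
```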

Configure Directory Search in Desk Phones


The following steps configure directory searches in Desk Phones only.

Before you begin

For the Corporate directories to work on Desk Phones, open the SpeedyPhoneService.config.xml file in
C:\Program Files(x86)\StoneVoiceAS\Apps\Speedy\Settings on the third-party app server and ensure that
you've added the following under <configuration>:
<preference key="Speedy.AuthLevel.ShowLocalContacts" value="2" />
<preference key="Speedy.directories.ShowLocalDirs" value="false" />
<preference key="Speedy.directories.ShowDirectoryType" value="false" />

Procedure

Step 1 Log in to Unified CM, and navigate to Device > Device Settings > Phone Services.
Step 2 Search for Corporate Directory and select the directory.
Step 3 In the Service URL field, enter

http://<IP of app server>/fw/Apps/Speedy/xml/directories/default.aspx?name=#DEVICENAME#

Use any DNS name which resolves to the third-party app server IP.
Step 4 Click Save.
Step 5 Reboot any phones already registered.
Another option for some devices is to modify the Alternate phone book server address in the
device page with https://customer-name.<third-party app>.domain.com:8443/cucm-uds/users.
Be sure to replace customer-name.<third-party app>.domain.com with the DNS
entry, which resolves to the third-party app IP in the HCS SA domain.

Configure User Separation with CUCM Native Directory Search


Follow this process for configuring user separation with Native Directory Search in CUCM:

Step 1 Configure Active Directory:
a) Create a separate OU for each customer. For example, CUST 1 and CUST 2.

Step 2 Configure the domain manager:
a) Set up an LDAP server.
b) Set up LDAP for user synchronization.
c) Synchronize users from LDAP.
d) Move the users to site (which will push them to CUCM).
e) Enter the CUCM LDAP Directory Name field in the LDAP Server on the domain manager.
f) Synchronize users from LDAP.
g) Synchronize Cisco Unified CM data to the domain manager.

Step 3 Configure CUCM:
a) Enable the dirsync service.
b) Enable LDAP (uncheck the Synchronize check box).
c) Configure LDAP Directory.
d) Configure LDAP Authentication.

Step 4 Set the CUCM Enterprise Parameters:
a) Subscribe the Corporate Directory Phone Service to users (go to Enterprise Parameters > Phone URL
Parameters > URL Authentication > Value and set it to <http://hostname or IP Address:8080/ccmcip/authenticate.jsp>).
b) Set the DirectoryPartitionSearch parameter, which will determine whether UDS user searches will be
limited to users mapped to the same customer (when enabled) or to all users (when disabled).
c) Get the Service value with the following AXL API:

d) Get the Service AXL API Service Response:

e) Update the Service AXL API Call to enable the Service Parameter:

After the service is enabled, you can verify the service with the same Get AXL API Call.
f) Set the EnableUserSearchWithCustomer parameter, which determines the behavior for UDS searches by
a User that is not mapped to any Customer:
Enabled: search only within Users with no Customer mapping
Disabled: User searches are not permitted.
Note that the AXL API calls described above also apply to this parameter.
g) Run the following in the command line:
i. utils contactsearchauthentication status
ii. utils contactsearchauthentication disable
iii. utils contactsearchauthentication enable
h) UDS contact search behavior depends on the following settings:

Configure User Separation with Imagicle
Follow this process for configuring user separation with Imagicle:

Step 1 Configure Active Directory:
a) Create a separate OU for each customer. For example, CUST 1 and CUST 2.

Step 2 Configure Imagicle. See their documentation for the latest configuration instructions:
https://www.imagicle.com/kb#/kb/contacts-separation_547.html

Step 3 Configure the domain manager:
a) Set up an LDAP server.
b) Set up LDAP for user synchronization.
c) Synchronize users from LDAP.
d) Move users to site (which will push them to CUCM).
e) Enter the CUCM LDAP Directory Name field in the LDAP Server on the domain manager.
f) Synchronize users from LDAP.
g) Synchronize Cisco Unified CM data to the domain manager.

Step 4 Configure CUCM:
a) Disable dirsync.
b) Enable LDAP.
c) Configure LDAP Directory.
d) Configure LDAP Authentication.
e) Create the XML Directory IP Phone Service for Imagicle Speedy Service.
f) Unsubscribe the Corporate Directory Phone Service to users.
g) Subscribe the Imagicle Speedy Phone Service to users (Go to Enterprise Parameters > Phone URL
Parameters > URL Authentication > Value and set it to <http://Imagicle Hostname> or <IP
Address/fw/authenticate.asp>)

Migrate User Separation from Imagicle to CUCM Native Directory Search


Follow this process for migrating user separation from Imagicle to CUCM Native Directory Search:

Step 1 Configure Active Directory:
a) Create a separate OU for each customer. For example, CUST 1 and CUST 2.

Step 2 Configure the domain manager:
a) Set up an LDAP server.
b) Set up LDAP for user synchronization.
c) Synchronize users from LDAP.
d) Move users to site (which will push them to CUCM).
e) Enter the CUCM LDAP Directory Name field in the LDAP Server on the domain manager.
f) Synchronize users from LDAP.
g) Synchronize Cisco Unified CM data to the domain manager.

Step 3 Configure CUCM:
a) Enable the dirsync service.
b) Enable LDAP and clear the Synchronize check box.
c) Configure LDAP Directory.
d) Configure LDAP Authentication.
e) Unsubscribe the Imagicle Speedy Phone Service to users.
f) Subscribe the Corporate Directory Phone Service to users.
g) Subscribe the Corporate Directory Phone Service to users (go to Enterprise Parameters > Phone URL
Parameters > URL Authentication > Value and set it to <http://hostname or IP Address:8080/ccmcip/authenticate.jsp>).
h) Use AXL Update to enable DirectoryPartitionSearch.
i) Use AXL Update to enable UserSearchWithCustomer.
j) Run the following in the command line:
i. utils contactsearchauthentication status
ii. utils contactsearchauthentication disable
iii. utils contactsearchauthentication enable

Onboarding

Customer Onboarding Process Overview


Step 1 Create the customer and users in Active Directory.

Step 2 Configure the customer in a domain manager.


a. Set up the hierarchy.
b. Configure entitlement.
c. Configure a Network Device List.
d. Configure Cisco Unified Communications Manager Groups.
e. Create a customer dial plan.
f. Add a country dial plan.
g. Add a site.
h. Add the first site dial plan.
i. Add an E.164 inventory.
j. Add DN management.
k. Configure DN routing.
l. Associate a range of E.164 numbers to a range of DNs.

Step 3 Integrate LDAP.


a. Set up an LDAP Server.
b. Set up LDAP for user synchronization.
c. Synchronize users from LDAP.

Step 4 Synchronize and move users to a site.

Step 5 Enable LDAP authentication in Unified CM for users that are synchronized from LDAP to the domain
manager.

Step 6 Configure endpoints for desk phones and Jabber.


a. Add a self-provisioning user profile.
b. Set a default user profile for a site.
c. Add a self-provisioning line mask.
d. Configure self-provisioning in Cisco Unified CM.

Step 7 Add third-party UDS for directory searches in Jabber.

New User Onboarding Process


Step 1 Create users in Active Directory and LDAP.

Step 2 Synchronize users from Active Directory and LDAP.

Step 3 Move users to the site.


Appendix A: Features for HCS Shared Architecture
The following links show the features available for OTT connected users with 78XX or 88XX devices. Some
features may require special configuration changes to the dial plan.

• Cisco IP Phone 7800 Series Administration Guide
• Cisco IP Phone 8800 Series Administration Guide
• Planning Guide for Cisco Jabber

A VPN connection between the customer site and service provider data center can be provided as an
add-on to the base OTT access. Details about VPN options and how to configure VPN can be found on
Cisco.com.
A VPN connection will allow for all Cisco endpoints compatible with the installed Cisco Unified CM version to
be supported with HCS SA. For a detailed list of supported devices, see the documentation on Cisco.com.
For more information on the full list of available features and comparison between HCS standard and HCS
SA with VPN connectivity, see the following sections of Cisco HCS documentation:

• Unified CM Feature Support Table
• Cisco IM and Presence Service Feature Support Table
• Cisco Unity Connection Feature Support Table

Appendix B: Shared Architecture for HCS 11.5
This appendix will provide guidance for partners interested in deploying a shared architecture with Cisco
HCS release 11.5. Note that this appendix will only describe information and procedures that are specific to
HCS release 11.5. For general advice, see the main sections of the document.

Software Matrix
Table: Software matrix for HCS 11.5 Shared Architecture

Components                              Software
Cisco Unified CDM*                      11.5(2) or later
Cisco Prime Collaboration Assurance*    11.6 or later
Cisco HCM-F                             11.5(2) or later
Cisco Unified CM                        11.5(1)SU3a or later
Cisco IM and Presence Service           11.5(1)SU3a or later
Cisco Unity Connection                  11.5(1)SU3a or later
Cisco Expressway-Core                   X8.10.3 or later
Cisco Expressway-Edge                   X8.10.3 or later
Cisco Jabber                            Latest available version

* Cisco Unified CM and Prime Collaboration Assurance are the included domain manager and
assurance components for HCS SA with the HCS-K9-BUNDLE license. Others are available as
part of the HCS open provisioning architecture (OPA) or subscription licenses.

In this appendix, we describe using Cisco Unified CDM as the domain manager. If you use a different
domain manager, consult the documentation for that product.

The HCS SA customer onboarding process (including Cisco Unified CDM, LDAP, AD, Expressway, SBC,
and welcome emails) can be automated with third-party tools that use the APIs in the HCS SA components.
Consult the vendor of your tool for information on integrating with HCS SA to automate customer
on-boarding.

HCM-F Configuration
Customer information on the Cisco Unified CDM server is pushed to the Cisco HCM-F server and does not
require configuration.

Add HCM-F to Cisco Unified CDM

Procedure

Step 1 Sign in as hcsadmin.
Step 2 Go to Device Management > HCMF.
Step 3 Click Add and fill in the hostname, administrator credentials, and version.
Step 4 Click Save.

Add a Provider to Cisco Unified CDM


Procedure
Step 1 Sign in as hcsadmin.

Step 2 Go to Provider Management > Providers.

Step 3 Click Add and fill in the name, domain name, and administrator credentials.

Step 4 Click Save.

Add LDAP Server in Unified CDM and Define the CUCM LDAP Directory Name
Procedure
Step 1 In Unified CDM, navigate to LDAP Management > LDAP Server, and select the appropriate LDAP
server.

Step 2 Fill in the AD Sync Mode with the LDAP Directory name from Unified CM (LDAP > LDAP
Directory), and click Save.
Step 3 Add/update users in Unified CM.
Step 4 In Unified CDM, select the site in hierarchy and navigate to User Management > Manage users.
Step 5 Select Add or update users to CUCM from the Action drop-down list.
Step 6 Select a Network Device List that contains the target Unified CM server.
Step 7 Click Select All.
Step 8 Click Save to move the selected users to Unified CM.
Step 9 Repeat for other sites.

Configure the Unified CM and IM and Presence Server Cluster in Cisco Unified CDM
Procedure
Step 1 Sign in as the appropriate hierarchy administrator.
Only a provider administrator can create a shared architecture.

Step 2 Set the hierarchy path to the top level. Create a shared architecture node at the provider
level. Optionally, partners can create a reseller node.
The UC cluster server should be placed at either the shared architecture provider node or the
reseller node (exclusive shared architecture cluster for the reseller).

Step 3 Click Device Management > Cisco Unified Communications Manager > Servers.

Step 4 Click Add.

Step 5 Enter the Unified CM or IM and Presence server name in the Server Name field.

Note: A Unified CM server that has been configured in HCM-F and synchronized to Cisco
Unified CDM can exist at the sys.hcs hierarchy. If the server name you enter matches this
server, the Migrate from HCM-F to Unified CDM check box is displayed. Click Save to
migrate this server to the current hierarchy level. The fields are populated with the values
that were configured in HCM-F. If you do not want to migrate the server, enter a different
server name.

Step 6 Select Voice_Video in the Server Type field for Cisco Unified CM or IM&P for IM and
Presence.

Step 7 To configure a publisher node, check Publisher.


On the Publisher tab, specify the following information for Unified CDM:

Field: Description

Prime Collaboration: Select the Prime Collaboration management application monitoring this
cluster. To disassociate Prime Collaboration for this cluster, select None.

Call Processing ID: The Call Processing ID of this cluster.

Cluster ID: The Cluster ID of this cluster.

Multi-Tenant: Read-only field. If creating at provider level, this field is set to
Shared. If creating at customer level, this field is set to Dedicated.

Version: Select the version of the Unified CM Servers in this cluster. The
available versions depend on the version of the HCM-F device that
has been configured.

Port: The port on the Unified CM server to connect to. Default is 8443.

User Move Mode: Set to Automatic to automatically move synchronized users to sites,
based on the filters and filter order defined in User Management >
Manage Filters. Set to Manual if you want an administrator to manually
move synchronized users to a site.

User Entitlement Profile: Select the profile that specifies the devices and services to which
users who are synchronized from this Unified CM are entitled.
Note: A violation of the Entitlement Profile does not prevent a user
from being synchronized to Unified CDM from Unified CM. However,
subsequent updates to the user fail until the user’s configuration
satisfies the restrictions in the Entitlement Profile.

Step 8 For a Unified CM or IM and Presence publisher node, fill in the Cluster Name field with the name
you want for this cluster. A new cluster is created with this name. This field is required. For Unified CM or IM
and Presence subscriber nodes, select the Unified CM or IM and Presence cluster from the Cluster Name
field.
Step 9 Expand network addresses.

a. Select SERVICE_PROVIDER_SPACE.
b. The Hostname field is automatically populated with the Unified CM
Server Name. Edit it if necessary.
c. Enter the IP address of the Cisco Unified CM or IM and Presence Server in the
IPv4 Address field.
Note: Either the hostname or the IP address is required. Ensure that the hostname or IP
address does not contain a trailing blank space. Unified CDM cannot validate an entry that
contains a blank space at the end of the hostname or IP address.
d. Fill in the domain of the Unified CM or IM and Presence application.
e. Provide an optional description for the network address.
f. If NAT is used, configure an APPLICATION_SPACE network address.
Step 10 Expand Credentials.
a. Add credentials for PLATFORM, ADMIN, HTTP, and SNMP_Vx
credential types. Click + to add more credentials.
b. Fill in the user ID and password that you configured when you installed
the Unified CM or IM and Presence Service.
c. Select RO (Read-only) or RW (Read or Write) for the Access Type. The
default is RO.
d. Provide an optional description for the credential.
ADMIN, HTTP, PLATFORM, and SNMP are required for Prime Collaboration Assurance
to manage Unified CM. PLATFORM and ADMIN are also required for Service Inventory
to generate reports for UC applications.
Note: Expiration of the ADMIN account results in failed data synchronization between
Unified CM or IM and Presence and Unified CDM.

Step 11 On the Field Mappings tab, complete field mappings as necessary. Hard-coded mappings
appear in grey and cannot be modified.

Step 12 Click Save. A Unified CM or IM and Presence network device is created in Unified CDM. A
cluster and Unified CM or IM and Presence are created in the SDR.
Step 13 Test the connection between Unified CM or IM and Presence and Unified CDM.
a. Select Device Management > Advanced > Cisco Unified Communications
Manager Network Device.
b. Click the Unified CM or IM and Presence Server you just added.
c. Select Action > Test Connection.
If the test fails, and you used a hostname, ensure that Unified CDM has the correct DNS
and Domain set.
a. Sign in to the platform CLI.
b. Query the current DNS setting: network dns.
c. Set the DNS if needed: network dns <dns_server_ip_address>.
d. Query the current domain setting: network domain.
e. Set the domain if needed: network domain <domain>.

Note: Use the Cisco Unified CM Network Device page only for testing the
connection. Do not edit Unified CM from this page. To change any configuration of
the Unified CM, edit it from the Device Management > Cisco Unified
Communications Manager > Servers page in Unified CDM.
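The checks in Steps 9 and 10 (no trailing blank in the hostname or IP address, a hostname or IP address present, all four credential families supplied, RO as the default access type) can be run against a server record before it is entered. The following is an added example, not Cisco code: the record layout, function names, and the "review" finding for RW access are assumptions of this sketch, and the sample record is constructed.

```python
import ipaddress
import re

REQUIRED_CREDENTIALS = ("PLATFORM", "ADMIN", "HTTP", "SNMP")
ACCESS_TYPES = ("RO", "RW")
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # one DNS label


def credential_family(cred_type):
    """Treat SNMP_V1, SNMP_V2, ... as the SNMP family (assumed naming)."""
    upper = cred_type.upper()
    return "SNMP" if upper.startswith("SNMP") else upper


def lint_address(addr):
    """Check one network address entry (Step 9)."""
    findings = []
    space = addr.get("space", "?")
    hostname, ipv4 = addr.get("hostname", ""), addr.get("ipv4", "")
    if not hostname.strip() and not ipv4.strip():
        findings.append(("error", f"{space}: hostname or IPv4 address is required"))
    for field, value in (("hostname", hostname), ("ipv4", ipv4)):
        if value != value.strip():
            findings.append(("error", f"{space}: {field} {value!r} has leading or trailing whitespace"))
    if ipv4.strip():
        try:
            ipaddress.IPv4Address(ipv4.strip())
        except ipaddress.AddressValueError:
            findings.append(("error", f"{space}: {ipv4.strip()!r} is not an IPv4 address"))
    if hostname.strip():
        if not all(LABEL.fullmatch(label) for label in hostname.strip().split(".")):
            findings.append(("error", f"{space}: {hostname.strip()!r} is not a valid hostname"))
    return findings


def lint_credentials(creds):
    """Check the credential list (Step 10)."""
    findings = []
    present = {credential_family(c.get("type", "")) for c in creds}
    for required in REQUIRED_CREDENTIALS:
        if required not in present:
            findings.append(("error", f"missing {required} credential"))
    for cred in creds:
        ctype = cred.get("type", "?")
        access = cred.get("access", "RO")  # the form defaults to RO
        if access not in ACCESS_TYPES:
            findings.append(("error", f"{ctype}: access type {access!r} is not RO or RW"))
        elif access == "RW":
            # Policy of this example, not of the product: surface every RW grant.
            findings.append(("review", f"{ctype}: RW requested; confirm write access is needed"))
        if not cred.get("user") or not cred.get("password"):
            findings.append(("error", f"{ctype}: user ID and password are required"))
    return findings


def lint_server(record):
    """Return a list of (severity, message) findings for one server record."""
    findings = []
    addresses = record.get("network_addresses", [])
    if not any(a.get("space") == "SERVICE_PROVIDER_SPACE" for a in addresses):
        findings.append(("error", "no SERVICE_PROVIDER_SPACE network address"))
    for addr in addresses:
        findings.extend(lint_address(addr))
    findings.extend(lint_credentials(record.get("credentials", [])))
    return findings


# Constructed sample: trailing blank in the hostname, no SNMP credential, ADMIN set to RW.
SAMPLE_RECORD = {
    "server_name": "cucm-pub-01",
    "network_addresses": [
        {"space": "SERVICE_PROVIDER_SPACE", "hostname": "cucm-pub-01 ",
         "ipv4": "10.0.0.10", "domain": "example.com"},
    ],
    "credentials": [
        {"type": "PLATFORM", "user": "platadmin", "password": "placeholder", "access": "RO"},
        {"type": "ADMIN", "user": "ccmadmin", "password": "placeholder", "access": "RW"},
        {"type": "HTTP", "user": "ccmadmin", "password": "placeholder"},
    ],
}

if __name__ == "__main__":
    for severity, message in lint_server(SAMPLE_RECORD):
        print(f"{severity:6} {message}")
```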

Expressway-C Configuration for Unified Communications

Customer Configuration in Cisco Unified CDM

Set Up the Hierarchy


Sign in to the server as the provider or reseller administrator, depending on which organization manages the
customer.
Procedure

Step 1 Create a customer.


a. Go to Customer Management and Customers.
b. Click Add.
c. Fill in the customer name and administrator password, and any other optional details.
d. Click Shared UC Applications.
e. Click Save.

Step 2 Create an intermediate node.


a. Go to Hierarchy Management and Hierarchy.
b. Select the new customer in the top menu.
c. Click Add.
d. Fill in the name and optional description.
e. Click Save.

Step 3 Review the hierarchy.

Step 4 (Optional) Manage local administrators.

Configure Entitlement
Entitlement represents the set of services and devices (and their number) available for particular
subscribers.
Example:

1. Customer A specifies a user has voice service, an IP device, an analog set, and nothing else.
2. Customer B specifies users have both voice and voicemail services on 10 devices, and nothing else.

Procedure

Step 1 (Optional) Define more device types.

Step 2 Create device groups to define sets of device types that users may be entitled to.

Step 3 Create entitlement catalogs to define limits on devices and services that entitlement profiles may
entitle users to.

Step 4 Create entitlement profiles to define the devices and services users are entitled to.

Step 5 Identify the entitlement profile for users that are synchronized from Cisco Unified CM.

Step 6 Identify the entitlement profile for users that are synchronized from LDAP.

Step 7 Assign entitlement profiles to existing users in Cisco Unified CDM.

Configure a Network Device List


Procedure
Step 1 Sign in to Unified CDM as a provider or reseller administrator.

Step 2 Click Customer Management > Network Device Lists. Select a customer on the hierarchy tree
where the NDL is to be created.

Step 3 Click Add.

Step 4 Enter a name for the NDL and optionally a description.

Step 5 Expand Cisco Unified CM and select the Cisco Unified CM instance.

Step 6 Expand Cisco Unity Connection and select the Cisco Unity Connection instance.

Step 7 (Optional) Add Cisco WebEx instances to the NDL.

Step 8 Click Save.

Configure Cisco Unified CM Groups


Procedure
Step 1 Sign in as the provider, reseller, or customer administrator.
Step 2 For a new instance, ensure the hierarchy path is set to the target node of the new instance.

Step 3 Sign in as the provider or reseller administrator and select Device Management > Cisco Unified
Communications Manager > Unified CM Groups.
Step 4 Perform one of the following:

• To add a new Cisco Unified CM group, click Add, then go to step 5.

• To edit an existing Cisco Unified CM group, click on the line item in the list of
existing instances. Go to step 5.
Step 5 Modify the following fields as required.

Option: Description

Name (Mandatory): Enter the name of the new group.

Auto-registration Cisco Unified Communications Manager Group: Check the Auto-registration Cisco
Unified Communications Manager Group check box if you want this group to be the default Cisco Unified
CM group when auto-registration is enabled.
Leave this check box unchecked if you do not want devices to auto-register with this Cisco Unified CM
group.
Tip: Each Cisco Unified CM cluster can have only one default auto-registration group. If you choose a
different group as the default auto-registration group, that is, you check the Auto-registration Cisco Unified
Communications Manager Group box for a different Cisco Unified CM group, the previously chosen
auto-registration group no longer serves as the default for the cluster. The Auto-registration Cisco Unified
Communications Manager check box displays for the previously chosen group (the original default), and
the check box gets disabled for the group that now serves as the default.

Unified CM Group Items (Mandatory): Click Add (+) to select a Cisco Unified CM to add to the group.
Repeat as necessary to add multiple Cisco Unified CMs to the group.
Click Remove (-) to remove a Cisco Unified CM from the group.
Click the up and down arrows to change the order of the Cisco Unified CMs in the group.

Priority (Mandatory): Enter the priority number for this Cisco Unified CM in the group. The
smaller the integer, the higher the priority.

Selected Cisco Unified Communications Managers: This field displays the Cisco Unified CMs that are in
the group.

Step 6 Click Save.


The group appears in the CallManager Groups list. When you click on the name of the Cisco Unified CM
group in the list, the group's characteristics are displayed.

• To modify any of these characteristics, make your changes and click Save.
• To delete a group, check the box to the left of the Name column in the group list, and click Delete.

Configuration for Desk Phones and Jabber

Self-Provisioning Process
The Cisco Unified CDM Self-Provisioning feature allows a user or administrator to add an un-provisioned
phone to a Cisco Unified CM system with minimal administrative effort. A phone can be added by plugging it
into the network and following a few prompts to identify the user.
The following process is used to self-provision a phone.

Step 1 The user or administrator connects the phone to the network.

Step 2 The user or administrator enters the server domain for the Expressway (for example,
collabedge-161.dc-01.com) and user credentials.

Step 3 The phone connects to the Expressway and auto-registers.

Step 4 The user or administrator dials the IVR application and satisfies the prompts (self-service ID
and PIN provided by the administrator).

Step 5 The IVR application deletes the auto-registered phone and adds it back using templates that
are associated with the user by their user profile.

Required Configuration in Cisco Unified CDM


The following components in Unified CDM must be configured before proceeding.

• Hierarchy Management, configured at Provider > Customer > IntermediateNode > Site.
• Site dial plan, configured at Dial Plan Management > Site > Dial Plan.
• Site defaults, configured at Site Management > Defaults.
• Directory number inventory, configured at Dial Plan Management > Number
Management > Add Directory Number Inventory.
• Dial plan verification. Dial plans must match the user numbers in Active Directory.

Add a Self-Provisioning Line Mask


Procedure
Step 1 Sign in to Cisco Unified CDM as a provider, reseller, or customer administrator.

Step 2 Set the hierarchy path to the site node where you want to configure self-provisioning.

Step 3 Select User Management > Self-Provisioning > Line Mask.

Step 4 Click Add.

Step 5 Provide the following information:

a. Description.
b. Mask (for example, XXXX).

Step 6 Click Save.

Add a Self-Provisioning User Profile


Procedure

Step 1 Sign in to Cisco Unified CDM as a provider, reseller, or customer administrator.

Step 2 Set the hierarchy path to the site node where you want to configure self-provisioning.

Step 3 Select User Management > Self-Provisioning > User Profile.

Step 4 Click Add.

Step 5 Perform the following on the Device Template Desk Phone tab.
a. Click the plus sign to add a new template.
b. Under Device Security Profile, select Model-independent Security Profile by Null
String 1024.
c. Select the SIP Profile.
d. Check Allow Control of Device From CTI.
e. Under Calling Search Space, select the appropriate option (for example,
Cu2Si4-InternalOnly-CSS).

Step 6 Perform the following on the Line Template tab.

a. Click the plus sign to add a new template.
b. Under Partition, select the appropriate option (for example, Cu2-DirNum-PT).
c. Under Calling Search Space, select the appropriate option (for example,
Cu2Si4-InternalOnly-CSS).
d. Under Voice Mail Profile, select the appropriate option or Default.

Step 7 Click Save.

Step 8 Enter other optional settings, if applicable.


Create a Customer Dial Plan
Configure a type 4 dial plan.
Procedure

Step 1 Sign in as the provider or customer administrator.

Step 2 Select Dial Plan Management > Customer > Dial Plan.

Step 3 Click Add.

Note: A Site Location Code is NOT required for this customer, so do not click the Site-Location
Code (SLC) based dial plan box. Only type 4 dial plan (which does not include SLC) has been
tested by Cisco for the HCS SA configuration.

Step 4 Check Enable CSS filtering to filter the calling search spaces available when configuring a
subscriber, phone, or line, to site level Class of Service calling search spaces. Filtering is disabled
by default, which results in all available Cisco Unified CM calling search spaces being available
when configuring a subscriber, phone, or line.

Step 5 Click Save.

Note: The Customer ID is a unique, auto-generated, read-only number allocated to the customer.
The Customer ID is particularly useful in shared deployments (where a cluster may be shared
across multiple customers) to correlate specific elements to a customer. It appears in Cisco Unified
CM as a prefix to elements (for example Cu2Si7 identifies Customer 2, Site 7).

Add a Country Dial Plan to a Dial Plan Before Deploying to a Customer


Perform this procedure only when a custom dial plan is required.
Procedure

Step 1 Sign in as hcsadmin or provider administrator.

Step 2 Select Dial Plan Management > Advanced Configuration > Dial Plan Schema Group.

Step 3 Choose a dial plan schema group to clone, or create a new dial plan schema group.
If you choose an existing dial plan schema group, select Action > Clone. Update the Dial Plan
Schema Group Name on the General tab. For example, clone Cisco Type 4 Schema Group and
give it the name "Cisco Type 4 Schema Group with France."

Step 4 Click the Country Schemas tab.

Step 5 Add the two schemas associated with the country dial plan to the dial plan schema group.
• HcsGenericCustomer<Country>DP-V<version>-SCH: The schema template used to
deploy the customer-level country dial plan elements for the target country.
• HcsGenericSite<Country>DP-V<version>-SCH: The schema template used to deploy the
site-level country dial plan elements for the target country.
Provide the following mandatory information for the two schemas:

Field: Description

Dial Plan Schema Usage: Select Add Site for both schemas.

Country Name: Select the target country.

Dial Plan Schema Scope: Select Customer for the customer schema. Select Site for the site
schema.

Dial Plan Schema Name: Select HcsGenericCustomer<Country>DP-V<version>-SCH for the
customer schema.
Select HcsGenericSite<Country>DP-V<version>-SCH for the site
schema.

Step 6 Add more country dial plan schemas as necessary.

Step 7 Click Save.
Step 8 Deploy the customized schema group to the customer.
1. Select Dial Plan Management > Advanced Configuration > Associate Custom Dial Plan Schema
Group.

a. Set the hierarchy path to the customer hierarchy node.
b. Click Add.
c. From the Dial Plan Schema Group field, select the customized dial plan
schema group with your added country or countries.
d. Click Save.

Add a Site
Procedure
Step 1 Sign in to the server as a provider, reseller, or customer administrator.
Step 2 Set the hierarchy to the intermediate node for the customer for whom you are creating the site.
Step 3 Click Site Management > Sites.
Step 4 Click Add.
Step 5 Complete the following fields:

Option: Description

Site Name: The name of the site. This field is mandatory.
Spaces in the site name are converted to underscores in the site
local administrator name and email, if Create Local Admin is
checked.
Note: A customer location that has been configured in HCM-F
and synchronized to Cisco Unified CDM may exist at the sys.hcs
hierarchy. If the site name you enter matches this customer
location, the Migrate from HCM-F to Unified CDM check box is
displayed. Click Save to migrate this customer location to a site at
the current hierarchy level.
The fields are populated with the values that were configured in
HCM-F. If you do not want to migrate the customer location, enter
a different site name.
You cannot migrate a customer location to a site if the customer
for the site is different than the customer associated with the
customer location.
When migrating a customer location to a site, an NDL is not
selected for the site. You can set the NDL for the site later.

Description: A description for the site.

Extended Name: External clients can use the extended name of the site if needed.
This field is not used by other components in Cisco HCS.
Note: This field exists in the Customer Location record in SDR.
When the customer is managed by Cisco Unified CM 10.x, the
extended name is synchronized from Cisco Unified CM 10.x to the
Customer Location record in SDR.

External ID: External clients can use the external ID of the site if needed. This
field is not used by other components in Cisco HCS.

Create Local Admin: Controls whether a default local administrator is created for the
site.

Cloned Admin Role: The customer role used to create a new role prefixed with the site
name. The created site role, shown in Default Admin Role field,
is assigned to the default local administrator user. This field
appears only if Create Local Admin is checked.

Default Admin Role: The created site role that is assigned to the default local
administrator. This field is read only and appears only if Create
Local Admin is checked.

Default Admin Password: The password to assign to the default local administrator. This
field appears only if Create Local Admin is checked.

Repeat Default Admin Password: Confirm the default local administrator password. This field
appears only if Create Local Admin is checked.

Country: The country is used to determine which dial plan to download to
the site when the dial plan is configured on the site. This field is
mandatory.

Network Device List: Choose the NDL containing the UC applications and WebEx to be
used by the site. Once an NDL has been set for the site, it cannot
be removed from the site, nor can the NDL be changed to another
NDL.

Auto Push Users to Cisco Unified Communications Manager: If enabled, users are automatically
pushed to the Cisco Unified CM that is associated with the NDL. The default is disabled.
You can edit the site later, and enable this check box for one of
the following reasons:
• To automatically push users at the site to the Cisco Unified CM
• To perform an Auto User Push when an NDL is added to the site
• To perform an Auto User Push when a Cisco Unified CM is associated with an NDL

Step 6 Click Save.

Once saved, the following occurs:

• A Site hierarchy node is created.
• A Location is created.
• A Customer Location in the SDR is created.
• Optionally, a default site administrator is created.
• If the Auto Push Users to Cisco Unified Communications Manager box is
checked, all users associated with the NDL are pushed to the Cisco Unified CM
associated with the NDL.

Add the First Site Dial Plan
Procedure

Step 1 Sign in as the customer or provider administrator.

Step 2 Set the hierarchy path to the site for which you want to create a site dial plan. If the hierarchy
path is not set to a site, you are prompted to select a site.

Step 3 Select Dial Plan Management > Site > Dial Plan.

Step 4 Click Add.

Step 5 Modify the External Breakout Number, if necessary. The External Breakout Number is the
PSTN prefix that is used when deploying a country dial plan. For Cisco HCS Type 1 to 4 dial
plan schemas, you deploy country dial plans at the customer level. The country dial plan is
not pushed to Unified CM until the first site associated with a given country is deployed. For
example, if a site is associated with the United States, and it is the first site dial plan being
created for the USA, the US country dial plan is deployed as part of creating the site's dial
plan. The default is 9. The External Breakout Number is one digit in length.
Note: We support only one External Breakout Number for each country. For example, all
sites in the USA have the same External Breakout number as the first site in the USA.

Step 6 Enter the Extension Length. Values can be 1 to 30. The default is 4; for example, 2000.
Note: The extension length for DNs is not enforced. Therefore, the administrator must be
conscious of extension length when adding DNs for a particular site; otherwise DNs may not
be dialable.

Step 7 Perform one of the following for sites without Inter-Site Prefixes (ISPs). This field appears if
your Customer Dial Plan does not use ISPs; for example, HCS Type 3 dial plans (SLC, no
ISP, DN=SLC+EXT).
• Check Use extension prefix if your customer dial plan has an extension prefix
defined and you want this site to use the extension prefix.
• If an Extension prefix is not defined in the customer dial plan for this site, go to the
next step.

Step 8 Enter the Area Code. Enter 0 or more valid local area codes for the site. Specify the length of
the subscriber part of the PSTN number for each area code. The area code is used to
generate the PSTN local route patterns for the site. For example, in the USA, if area codes
are added for Dallas, Texas, the area codes could be specified for local dialing as 214, 469,
and 972 with a subscriber length of 7.

Step 9 Enter the Local Number Length, which is the length for the subscriber section of the entire
E.164 number.

Step 10 Check Area Code used for Local Dialing if the area code is needed for local dialing from
this site. In the US, this setting determines whether you use 7-digit or 10-digit local dialing.

Step 11 Select the Published number from the list of available E.164 inventory numbers, or enter a
custom number.
The site published number is the default E.164 mask when a line is associated to a phone at
a particular site.
Step 12 Select the Emergency Call Back Number for the site from the list of available E.164
inventory numbers, or enter a custom number.
The site emergency call-back number is the calling number when initiating an outgoing
emergency call. It can be used when you use Extension Mobility and make an emergency
call from a site other than your own. It can be used when the emergency call goes out to the
PSTN network, when the system includes the site emergency number so that the origin of the
call is known. The system adds this calling party transformation to the DN2DDI4Emer-PT
partition.
Notes:

• The emergency number is not the number to dial for an emergency. Instead, it is the
number used to identify the calling party for emergency calls originating from a
particular site.
• Under the Emergency Number field, there is the Site ID read-only field. The Site ID
is a unique, auto generated, read-only number for each customer site which is
prefixed to elements as an identifier (for example, Cu4Si2 indicates Customer 4,
Site 2).

Step 13 Click Save to add the Site Dial Plan you defined. The site information is loaded on the Unified
CM, and is identifiable by its customer ID, and site ID prefix.

Add the E.164 Inventory to Cisco Unified CDM


Use this procedure to define an inventory of E.164 numbers available to users.

Important: Each addition to the E.164 Inventory must contain a unique set of numbers. That is, you cannot
assign the same number more than once (globally).
Procedure
Step 1 Sign in as a provider, reseller, or customer administrator.
Step 2 Set the hierarchy path to point to the customer for whom you are adding the E.164 inventory.
Step 3 Select Dial Plan Management > Number Management > Add E164 Inventory.
Step 4 Provide the following information:

Field: Description

Site: For a site-specific E.164 inventory, select the customer site. For a customer-wide
E.164 inventory, leave this field unset.

Country: Select the country associated with the E.164 inventory. If a site was specified, this field is
automatically populated with the country associated with the site. This field is mandatory.

Country Code: The country code for the selected country. Refer to this read-only field when specifying the
Starting Number and Ending Number fields which must contain a valid country code.

Starting Number: Enter the starting number of the range of E.164 numbers. The field is populated with + followed
by the country code for the selected country. Append the rest of the starting number after the
country code. This field is mandatory.

Ending Number: Enter the ending number of the range of E.164 numbers. The format is the same as the
Starting Number. This field is optional. If not provided, the single E.164 Number specified in the
Starting Number is added. If provided, the range of E.164 Numbers is added: Starting Number
– Ending Number, inclusive. A maximum of 1000 numbers can be added at a time.

Step 5 Click Save.

Add a Directory Number Inventory


Use this procedure to add a single directory number (DN) or range of DNs for your customer. The DNs
(extensions) you specify are validated against the Dial Plan type (Type 1 to 4). The extension length
assigned to the site is enforced for site location code (SLC)-based dial plans. The maximum number of
directory numbers you can add at a time is 1,000.
If you are a customer with multiple sites using a Type 4 dial plan, ensure that the directory numbers you
specify are unique across sites.
Notes:

• This procedure creates the DN inventory only in Cisco Unified CDM. The numbers are not
passed on to Cisco Unified CM.
• Directory numbers can only be added or deleted. You cannot edit the directory numbers once
they are added. The usage and availability property for each DN is associated with a line or
taken into use by a service.

Step 1 Sign in as the provider, reseller, or customer administrator.

Step 2 Select an available customer from the hierarchy node at the top of the interface.

Step 3 Select Dial Plan Management > Number Management > Add Directory Number Inventory.

Step 4 From the Site field, select the site for which you are adding directory numbers. Leave this field empty to
add customer level directory numbers.
Note: Customer level directory numbers can only be created for dial plans that do not use site location
codes (flat dial plans). Attempting to create customer level directory numbers for site location code-
based dial plans results in an error instructing you to specify a site when adding new DN inventory.

Step 5 Using the Extension Length, Site Location Code, and ISP read-only fields as guides for the site, enter
the first number for the DN range in the Starting Extension field.
Note: For a Type 4 dial plan (no SLCs), the Starting and Ending Extension fields must contain no more
than 16 digits each, including the + sign before the DN number, if used. For Types 1 to 3 dial plans, the
Starting and Ending Extension fields must be less than or equal to the site Extension Length. If the
Starting or Ending Extension field length is less than the site Extension Length, the DN number is
padded with zeroes until its length equals that of the site Extension Length.
For a Type 4 dial plan (no SLCs), the Starting and Ending Extension fields may contain a * prefix
(asterisk) before the 15-digit directory number. The * prefix denotes DNs that are used with hunt groups,
assistant lines, Contact Center lines, and so on. This type of directory number cannot be reached from
an outside line and cannot be associated with E.164 numbers. Typically, a DN with the * prefix is not
called from another line (user), but is tied to a service feature such as call pickup, hunt groups, or
Contact Center.
Example: If the Extension Length field shows four digits for a Type 3 Dial Plan, ensure that you enter
a number containing four digits or less in the Starting Extension field. For example, DN 1234. If you
enter DN 123, the extension number is created as DN 0123.

Step 6 (Optional). Using the Extension Length, Site Location Code, and ISP read-only fields as guides for
the site, enter the last number for the DN range in the Ending Extension field. If you are adding a
single DN, the ending number is the same as the starting number.
Note: The maximum number of directory numbers you can add is 1,000 at a time. If you need more than
1,000 directory numbers, repeat this procedure as required to add ranges.

Step 7 Click Save.
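The range rules in this procedure (zero padding for Types 1 to 3, the 16-character limit and + or * prefix for Type 4, site required for SLC-based plans, 1,000 DNs per request) can be checked before a range is submitted. This is an added example, not part of the Cisco document or product: the function names are hypothetical, and it assumes that + and * prefixes apply only to Type 4 and that the start and end of a Type 4 range have the same number of digits.

```python
import re

MAX_PER_REQUEST = 1000  # directory numbers that can be added at a time
TYPE4_MAX_CHARS = 16    # Type 4 field limit, counting a leading + or *


class DnRangeError(ValueError):
    """Raised when a range breaks one of the inventory rules described above."""


def normalize(ext, dial_plan_type, extension_length=None):
    """Return (prefix, digits) for one Starting or Ending Extension value."""
    match = re.fullmatch(r"([+*]?)(\d+)", ext)
    if not match:
        raise DnRangeError(f"{ext!r}: digits with an optional + or * prefix expected")
    prefix, digits = match.groups()
    if dial_plan_type == 4:
        if len(ext) > TYPE4_MAX_CHARS:
            raise DnRangeError(f"{ext!r}: longer than {TYPE4_MAX_CHARS} characters")
        return prefix, digits
    if prefix:  # assumption of this example: prefixes are handled for Type 4 only
        raise DnRangeError(f"{ext!r}: + and * prefixes are handled only for Type 4 here")
    if extension_length is None:
        raise DnRangeError("site Extension Length is needed for Type 1 to 3 dial plans")
    if len(digits) > extension_length:
        raise DnRangeError(f"{ext!r}: longer than site Extension Length {extension_length}")
    return prefix, digits.zfill(extension_length)  # 123 becomes 0123 for length 4


def expand(start, end=None, *, dial_plan_type, extension_length=None, site=None):
    """Return every DN in the inclusive range, in the form it would be stored."""
    if site is None and dial_plan_type != 4:
        raise DnRangeError("customer-level DNs need a flat (Type 4) dial plan; specify a site")
    prefix, first = normalize(start, dial_plan_type, extension_length)
    end_prefix, last = normalize(start if end is None else end, dial_plan_type, extension_length)
    if prefix != end_prefix or len(first) != len(last):
        raise DnRangeError("Starting and Ending Extension must share prefix and length")
    count = int(last) - int(first) + 1
    if count < 1:
        raise DnRangeError("Ending Extension is lower than Starting Extension")
    if count > MAX_PER_REQUEST:
        raise DnRangeError(f"{count} DNs requested; limit is {MAX_PER_REQUEST} per request")
    width = len(first)
    return [prefix + str(n).zfill(width) for n in range(int(first), int(last) + 1)]


def split_requests(start, end, *, dial_plan_type, extension_length=None):
    """Split a large range into consecutive (start, end) pairs of at most 1,000 DNs."""
    prefix, first = normalize(start, dial_plan_type, extension_length)
    _, last = normalize(end, dial_plan_type, extension_length)
    width, low, pairs = len(first), int(first), []
    while low <= int(last):
        high = min(low + MAX_PER_REQUEST - 1, int(last))
        pairs.append((prefix + str(low).zfill(width), prefix + str(high).zfill(width)))
        low = high + 1
    return pairs


if __name__ == "__main__":
    # Constructed inputs; "SiteA" is a placeholder site name.
    print(expand("123", dial_plan_type=3, extension_length=4, site="SiteA"))
    print(expand("*8000", "*8002", dial_plan_type=4))
    print(split_requests("1000", "3499", dial_plan_type=4))
```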

Configure Directory Number Routing


Directory Number Routing is a translation pattern that is put into the PreISR and ISR partitions to route
intrasite and intersite calls to extensions (directory numbers). This is similar to the w ay site location codes
(SLCs) are used as short codes for Type 1, 2, and 3 customer dial plans.

Typically, Directory Number Routing is used for Type 4 (flat dial plans) so that from a customer and site
perspective, you can see w hich patterns are directory numbers because there are no SLCs available.
Procedure
Step 1 Sign in as the provider, reseller, customer, or site administrator.
Step 2 Select a valid site under your customer in the hierarchy node at the top of the view. If you attempt to add
Directory Number Routing at any other node in the hierarchy, you will receive an error indicating that you
must be at a site.

Step 3 Select Dial Plan Management > Site > Directory Number Routing.

Step 4 Click Add.

Step 5 Enter a prefix in the Directory Number Routing Prefix field using up to 30 characters.
Example: Enter 234.

Step 6 Enter a DN mask length in the Directory Number Mask Length field.
Example: Enter 4. For this example, the Directory Number Routing would be 234XXXX,
where XXXX is the mask.

Step 7 Click Save to add the Directory Number Routing that you defined. The new Directory Number
Routing appears in the table.

Associate a Range of E.164 Numbers to a Range of Directory Numbers


Use this procedure to associate a range of E.164 numbers with a range of directory numbers (DN) at a
customer or site. These associations create Direct Dial Inward (DDI) associations so that incoming PSTN
numbers are routed to directory numbers.

If you create the association at a site, you can mix customer-level DNs and E.164 numbers with site-level
DNs and E.164 numbers.
Procedure
Step 1 Sign in as provider, reseller, customer, or site administrator.
Step 2 Set the hierarchy path to point to the customer or site where you want to associate E.164 numbers
with directory numbers.
Step 3 Select Dial Plan Management > Number Management > E164 Associations (N to N DN).
Step 4 Click Add.
Step 5 Provide the following information:

Field: Description

Range: Select one of the following ranges:
• 1 - To list all E.164 numbers and DNs
• 10 - To list all E.164 numbers and DNs that end in one zero (0)
• 100 - To list all E.164 numbers and DNs that end in two zeros (00)
• 1000 - To list all E.164 numbers and DNs that end in three zeros (000)
Note: The range values you select map to the mask value when the association
translation pattern is created. For example, when 10 is selected, all E.164 numbers
and directory numbers that end in 0 are listed. The mask affects all digits 0 to 9, so
you can't start the mask on a nonzero number. Likewise, when 100 is selected, the
E.164 number and DN end in two zeros. This pattern results in a mask of XX.
This field is mandatory and affects what appears in the fields that follow.

E164 Number: Select the starting number of the range of E.164 numbers from the list. For a
customer-level association, only customer-level E.164 numbers are available. For a
site-level configuration, both customer-level and site-level E.164 numbers are
available.

DN Number: Select the starting extension number from the list. This field is mandatory.
Note: You cannot associate extension numbers that begin with an asterisk (*).

Step 6 Click Save.

Configure Quick Add Subscriber for Self-Provisioning


Procedure

Step 1 Synchronize users from LDAP to Unified CDM or create users in Unified CDM.

Step 2 Verify whether subscribers have a primary extension and self-service configured in
Subscriber Management > Subscribers.
a. If they do not, then go to Subscriber Management > Quick Add Subscriber.
b. Select the proper username.
c. Enter a PIN.
d. Click Set Self Service Id at the bottom of the page.
e. Add the proper lines info for the subscriber.
f. Add Jabber device details if applicable.
g. Fill in any other details as necessary.
h. Click Save.

Step 3 Synchronize users from Unified CDM to Cisco Unified CM if not configured to automatically
synchronize.
a. In Unified CDM, go to User Management > Manage Users.
b. Select Add or update users to Cisco Unified CM.
c. Select the appropriate Network Device List.
d. Select the appropriate users.
e. Click Save.

Step 4 Verify that the primary extension and the self-service User ID are auto-generated for users in
Cisco Unified CM.

Step 5 Provide the following information to the user for registering endpoints:
• Collab-edge address (the service domain)
• User ID
• User password
• User self-service ID (only for desk phones)
• User PIN (only for desk phones)
• IVR number (only for desk phones)
• (Optional) QR code for video-enabled phones. The QR code needs to contain the
service domain and user ID with a comma separating the fields (for example,
“collab-edge.dc-01.com,userone”).
Note: With the information from step 5, users can self-provision their desk phones, using the
following steps.
1. Plug their phone into the network.
2. Enter the Expressway domain as the service domain.
3. Enter their user ID and password, and then wait for the phone to automatically
register and reboot.
4. Dial the IVR number.
5. Enter the user self-service ID.
Note: With the information from step 5, users can provision Jabber, using the following steps.
1. Download the Jabber installation file from cisco.com.
2. Open Jabber.
3. Enter the user ID with the collab-edge domain (for example, user1@collab-edge-161.dc-01.com).
4. Enter the user password and sign in.
Users may need to restart Jabber (2-3 times) for directory search to work in case
they have logged into Jabber with a different profile in the past. This forces Jabber
to download the new configuration file.

Central Breakout SIP Trunk


For HCS SA, the customer references for creating a SIP Trunk for Central Breakout refer to the single
customer that represents all of the customers in the SA cluster. Create only 1 trunk for Central Breakout.

Configure the Cisco Unified CDM SIP Trunk


Procedure
Step 1 Sign in as the provider, reseller, or customer administrator.

Step 2 Set the hierarchy path to the node where the Cisco Unified CM is configured.

Step 3 Perform one of the following:
• If you logged in as the provider or reseller administrator, select Device
Management > Cisco Unified Communications Manager > SIP Trunks.
• If you logged in as the customer administrator, select Device Management >
Advanced > SIP Trunks.

Step 4 Perform one of the following:
• To add a new SIP trunk, click Add, then go to Step 4.
• To edit an existing SIP trunk, choose the SIP trunk to be updated by clicking on its
box in the leftmost column, then click Modify to edit the selected SIP trunk. Go to
Step 5.

Step 5 From the Cisco Unified Communications Manager field, select the hostname, domain
name, or IP address of the Unified CM to which you want to add the SIP trunk.
This field appears only when a SIP trunk is added. It doesn’t appear when you edit a SIP
trunk.
Important:
The Cisco Unified Communications Manager field shows, in addition to the Unified CM
located at the node, ALL Unified CM nodes in the hierarchies above the node where you are adding
the SIP trunk. To provision a Unified CM server, see Installation Guide for Cisco Unified
Communications Manager and IM and Presence Service.
Step 6 In the Device Name field, enter a unique name for the new SIP trunk or change the existing
name if necessary.

Step 7 Complete the fields on each tab as appropriate. The following fields on each tab are required:
• Device Information tab
o Device Name
o Trunk Service Type
o Call Classification
o Location
o Use Trusted Relay Point

Step 8 To save a new SIP trunk, click Save. To save an updated SIP trunk, click Update.
The SIP trunk appears in the SIP trunk list. You can view the SIP trunk and its characteristics
by logging in to the Unified CM where the SIP trunk was added, selecting Device > Trunk,
and performing the Find operation. When you click on the name of the SIP trunk in the list,
the trunk characteristics are displayed.
Note: The SIP trunk is automatically reset on the Unified CM as soon as it is added. To reset
the SIP trunk at any other time, perform Reset SIP Trunks. For more information on
configuring SIP trunks, see the Installing and Upgrading Guide for Cisco Hosted
Collaboration Solution for Contact Center.

Session Border Controller


With the Open Architecture, partners are free to choose alternative options to the Cisco Unified Border
Element (ENT Edition). This option has been open to partners since HCS 10.0.1.
For more information, see the “Data Center Provisioning and Aggregation” chapter in the Cisco
Hosted Collaboration Solution, Release Customer Onboarding Guide.

Enable URI Dialing


The following steps show one way to enable URI dialing in HCS SA. For more information, see the Cisco
Unified Communications Manager System Guide.

Procedure
Step 1 – Sign in to Cisco Unified CM Administration.
Step 2 – Create one common partition to use for URI with all the customers by going to Call
Routing > Class of Control > Partition > Add New.
Step 3 – Add the new partition to the appropriate CSS for each customer or site by going to Call
Routing > Class of Control > Calling Search Space to select the CSS (for example,
Cu1Si1-InternalOnly-CSS) and then add the partition created in the first step.
Step 4 – Add the new partition created in the first step to the Directory URI Alias Partition in the
Enterprise Parameters under the System menu.

Create Customer and Users in OpenLDAP or Active Directory


User management can be performed with OpenLDAP solutions that provide LDAP services to integrate with
Cisco Unified CDM and Cisco Unified CM.
The following steps show one way to add a customer and users into a Microsoft AD.
Procedure

Step 1 Open the Active Directory Users and Computers application.

Step 2 Create the appropriate OU structure under the main domain.


Step 3 Create a new user in the new OU.
a. Fill in the First name, Last name, and User logon name fields, then click Next.
b. Fill in the password and any other optional check boxes, then click Next.
c. Click Finish.

Step 4 Double-click the user to open the properties.


a. In the General tab, fill in the Telephone number and E-mail fields.
b. In the Telephones tab, fill in the IP phone number field.

Step 5 Fill in any other optional data as needed.


Step 6 Save the user.

LDAP Integration in Cisco Unified CDM

Set Up an LDAP Server


Use this procedure to set up an LDAP server for integration with Cisco Unified CDM.
Procedure

Step 1 Sign in to Cisco Unified CDM as a provider, reseller, or customer administrator.

Step 2 Set the hierarchy node to the node where you want the users to be synchronized (we recommend the
intermediate node).

Step 3 Navigate to LDAP Management > LDAP Server.

Step 4 Click Add.

Step 5 Complete the fields:

Field: Description

Description: Defaults to the current hierarchy level.

Hostname: Hostname or IP address of the LDAP server. This field is required.

Port: Port number for LDAP traffic. Defaults to 389.

User DN: The User Distinguished Name of an administrative user who has access rights
to the Base DN on the LDAP server. This field is required.
Examples:
• Administrator@stb.com
• OU=LDAP0,DC=stb,DC=com
• uid=admin,ou=system
• cn=admin,dc=shared,dc=com

Admin Password: Administrator password associated with the user. This field is required.

Search Base DN: Base Distinguished Name for LDAP search. This should be a container or
directory on the LDAP server where the LDAP users exist, such as an
Organization Unit or OU.
As an example, to search within an Organizational Unit called CUS01 under a
domain called GCLAB.COM, the Search Base DN would be
OU=CUS01,DC=GCLAB,DC=COM.
For Shared Architecture the OU will be unique for each customer.
The domain will be the same for all customers.
This field is required.

Search Filter: An RFC 2254 conformant string used to restrict the results returned by list
operations on the LDAP server.
Filter examples:
• (telephoneNumber=919*): all telephone numbers starting with 919
• (&(OfficeLocations=RTP)(|(department=Engineering)(department=Marketing))): office is
located in RTP and department is either Engineering or Marketing
• (&(MemberOf=cn=Admin,ou=users,dc=foo,dc=com)(!(c=US))): all
Admins except those in the U.S.

Server Type: LDAP server type – select either Open LDAP or Microsoft Active Directory.

AD Sync Mode: Defaults to Direct.

Cisco Unified Communications Manager LDAP Directory Name: The LDAP Directory configured on
Cisco Unified CM that users are considered synchronized from. Required for users that are
synchronized from this LDAP server to use SSO or LDAP authentication to sign in to Cisco Unified CM.

Encryption Method: Choose between No Encryption, Use SSL Encryption (ldaps://), or Use
StartTLS Extension.

Server Root Certificate: If Trust All is not checked, the LDAP server's SSL certificate is validated
against this root certificate. If no Server Root Certificate is specified, validation
is done against any existing trusted CA certificates. Use this option for custom
root certificates in .pem format. See SSO Certificate Management for more
information.

Trust All: Check to disable certificate validation.

Step 6 Click Save.
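
The Search Filter field accepts any RFC 2254 string, and that string decides which directory entries are synchronized under the Search Base DN. The following Python parser and evaluator is an added example, not part of the Cisco procedure or of Unified CDM: it checks a filter's syntax and shows which entries it selects. The directory entries, the malformed variant, and the case-insensitive comparison are assumptions constructed for illustration.

```python
import re

# attr[:dn][:matchingrule], an RFC 2254 operator, then the value
ITEM = re.compile(r"^(?P<attr>[A-Za-z0-9;.:-]+?)(?P<op>~=|>=|<=|:=|=)(?P<value>.*)$", re.S)
BAD_ESCAPE = re.compile(r"\\(?![0-9A-Fa-f]{2})")  # backslash must precede two hex digits

class FilterSyntaxError(ValueError):
    """The string is not a well-formed filter."""

def _filter(s, i):
    # Parse one parenthesised filter at s[i]; return (node, next_index).
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _filter(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise FilterSyntaxError(f"'{op}' has the wrong number of sub-filters")
        node = (op, children)
    else:
        end = i
        while end < len(s) and s[end] not in "()":
            end += 1
        m = ITEM.match(s[i:end])
        if not m or BAD_ESCAPE.search(m["value"]):
            raise FilterSyntaxError(f"bad item {s[i:end]!r} at offset {i}")
        node, i = ("item", m["attr"], m["op"], m["value"]), end
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"missing ')' at offset {i}")
    return node, i + 1

def parse(text):
    """Parse a whole filter string into nested tuples, or raise FilterSyntaxError."""
    s = text.strip()
    node, pos = _filter(s, 0)
    if pos != len(s):
        raise FilterSyntaxError(f"unexpected text at offset {pos}: {s[pos:]!r}")
    return node

def is_valid(text):
    try:
        return bool(parse(text))
    except FilterSyntaxError:
        return False

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute name -> list of values)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, op, value = node
    if op != "=":
        raise NotImplementedError(f"{op!r} is parsed but not evaluated in this example")
    # Assumption: attribute names and values compare case-insensitively.
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":
        return bool(values)  # presence test
    parts = [re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m[1], 16)), p)
             for p in value.split("*")]
    pattern = ".*".join(re.escape(p.lower()) for p in parts)
    return any(re.fullmatch(pattern, v, re.S) for v in values)

def select(filter_text, entries):
    tree = parse(filter_text)
    return [e["uid"][0] for e in entries if matches(tree, e)]

ADMINS = "cn=Admin,ou=users,dc=foo,dc=com"
ENTRIES = [  # constructed directory entries, not real users
    {"uid": ["aking"], "telephoneNumber": ["9195550101"], "OfficeLocations": ["RTP"],
     "department": ["Engineering"], "c": ["US"], "MemberOf": [ADMINS]},
    {"uid": ["blee"], "telephoneNumber": ["4085550102"], "OfficeLocations": ["SJC"],
     "department": ["Marketing"], "c": ["US"]},
    {"uid": ["cdiaz"], "telephoneNumber": ["9195550103"], "OfficeLocations": ["RTP"],
     "department": ["Sales"], "c": ["MX"], "MemberOf": [ADMINS]},
]
PAGE_FILTERS = [  # the filter examples given for the Search Filter field
    "(telephoneNumber=919*)",
    "(&(OfficeLocations=RTP)(|(department=Engineering)(department=Marketing)))",
    "(&(MemberOf=cn=Admin,ou=users,dc=foo,dc=com)(!(c=US)))",
]

if __name__ == "__main__":
    # The last input is a constructed malformed variant with one extra "(".
    for f in PAGE_FILTERS + ["(" + PAGE_FILTERS[1]]:
        print(f, "->", select(f, ENTRIES) if is_valid(f) else "rejected: syntax error")
```

Running a candidate filter against a handful of representative entries before saving it shows whether it would pull in users outside the intended customer OU or silently match nobody.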

Set Up LDAP for User Synchronization


Follow these steps to set up an LDAP for user synchronization. This process synchronizes users from the
configured LDAP directory into Cisco Unified CDM. The users then appear at the hierarchy node at which
the LDAP User Sync object exists. You can manage the users through User Management menu options (for
example, move users to other hierarchies, or push to Cisco Unified CM).
Procedure
Step 1 Sign in as a provider, reseller, or customer administrator.
Step 2 Set the hierarchy path to the node of the LDAP server you want to synchronize users from.
Step 3 Select LDAP Management > LDAP User Sync.
Step 4 Click Add.
Step 5 On the Base tab, provide the following information:

Field: Description

LDAP Server: This read-only field displays the LDAP Server you are synchronizing users
from.

LDAP Authentication Only: Important: Leave unchecked to synchronize users from LDAP.
The default is unchecked. When unchecked, users are synchronized from the
configured LDAP directory and their passwords are authenticated against the
configured LDAP directory. When checked, users are not synchronized from
the configured LDAP directory, but their passwords are authenticated against
the LDAP directory. When checked, you can manually add users from the GUI
or API, bulk load them, or synchronize them from Cisco Unified CM.

User Model Type: The User Model Type identifies which LDAP object, defined in the configured
LDAP server, is used to import and authenticate users.
If the LDAP server is OpenLDAP, the default is device/ldap/inetOrgPerson. If
the LDAP server is Active Directory, the default is device/ldap/user.
To identify a non-default User Model Type to use, contact the LDAP
administrator for the LDAP server from which you are synchronizing users.

User Entitlement Profile: Select the profile that specifies the devices and services to which users
synchronized from the LDAP server are entitled.
The selected profile is assigned to each synchronized user. It is checked
during user provisioning to ensure the user's configuration does not exceed
the allowed services and devices specified in the entitlement profile.

User Role: Select the role to be assigned to all synchronized users. This value can be
changed manually for individual users after synchronization. This field is
mandatory.

User Move Mode: Indicates whether users are automatically moved to sites based on the filters
and filter order defined in User Management > Manage Filters.

User Delete Mode: Indicates whether users are automatically deleted from Cisco Unified CDM if
they are deleted from the LDAP directory. If set to automatic, all subscriber
resources associated with the user, such as a phone, are also deleted.

User Purge Mode: Indicates whether users are automatically deleted from Cisco Unified CDM
when they are purged from the LDAP device model. An administrator can
remove the LDAP user from the device layer even if the user has not been
removed from the LDAP directory.

Step 6 On the Field Mappings tab, enter the following required mappings:
• LDAP Username (for example, sAMAccountName)
• Surname

Step 7 (Optional) Complete other field mappings as needed, for other operations such as pushing users to
Cisco Unified CM or creating move filters.
Step 8 Click Save.

Automatically Move Users to a Site


Procedure

Step 1 Select the customer intermediate node in the hierarchy.

Step 2 Go to User Management > Manage Filters > Define Filters.

Step 3 Fill in name, appropriate hierarchy, and role (we recommend self service).

Step 4 Decide which condition determines the site.

Synchronize Users from LDAP


For Cisco Unified CDM, you can synchronize users from LDAP by activating a scheduled synchronization, or
by performing a manual synchronization.
Procedure
Step 1 To activate a scheduled LDAP synchronization:

a. Navigate to LDAP Management > LDAP Schedule.


b. Click an LDAP Schedule.
c. Check the Active check box.
d. Click Save.
Step 2 To perform a manual LDAP synchronization:
a. Set the hierarchy path to the hierarchy node where the LDAP server is.
b. Click User Management > Sync & Purge > LDAP Users.
c. Complete the following fields:

Field: Description

Remove Log Messages: Select if you want to remove user management logs before
synchronizing or purging.

Remove Log Direction: Select Local to remove logs at the hierarchy of the LDAP
server. Select Down to remove logs at and below the hierarchy
of the LDAP server. This field appears only if Remove Log
Messages is checked.

Action: Select synchronize or purge. This field is mandatory.
d. Click Save to start the action you selected.

Cisco Unified CDM attempts to synchronize users from the LDAP server. It may take a few minutes for the
users to show up in Cisco Unified CDM.

Move Users to a Site


Perform this procedure if it was not done automatically in Automatically Move Users to Site.
Procedure

Step 1 Sign in to Cisco Unified CDM as a provider, reseller, or customer administrator.

Step 2 Go to User Management and Move Users.

Step 3 Select Move user by username.

Step 4 Select User.

Step 5 Select the correct site for the Move To Hierarchy option.

Step 6 Select SiteSelfService for the Move To Role option.

Step 7 Click Save.

Enable LDAP Authentication in Unified CM for Users Synchronized from LDAP to Unified CDM


Use this procedure to enable LDAP authentication on Cisco Unified CM in the following situation, sometimes
referred to as "top-down" deployment:

• You plan to synchronize users from LDAP to Cisco Unified CDM.

• You do not plan to synchronize those users from LDAP to Cisco Unified CM.

• You plan to push those users from Cisco Unified CDM to Cisco Unified CM.

• You want to use LDAP to authenticate those users' access to Cisco Unified CM.

Procedure
Step 1 On Cisco Unified CM, disable dirsync.
a. Sign in as an administrator.
b. In the Navigation menu, select Cisco Unified Serviceability and click Go.
c. Select Tools > Service Activation.
d. Scroll down to Directory Services and uncheck Cisco DirSync.
e. Click Save.
Step 2 On Cisco Unified CM, enable LDAP.
a. In the Navigation menu, select Cisco Unified CM Administration and click Go.
b. Select System > LDAP > LDAP System.
c. Check Enable Synchronizing from LDAP Server.
d. Select the LDAP Server Type. Important: This value must match the LDAP Server Type you
choose in Cisco Unified CDM.
e. Select the LDAP Attribute for User ID. Important: This value must match the LDAP attribute you
choose in Cisco Unified CDM.
f. Click Save.
Step 3 In Cisco Unified CM, configure LDAP Directory.
a. In the Navigation menu, select Cisco Unified CM Administration and click Go.
b. Select System > LDAP > LDAP Directory.
c. Configure fields in the LDAP Directory Information section.
Field: Description

LDAP Configuration Name: Enter a unique name (up to 40 characters) for the LDAP directory. Important: You
use the LDAP Configuration Name when you configure the LDAP Server in Cisco
Unified CDM.

LDAP Manager Distinguished Name: Enter the user ID (up to 128 characters) of the LDAP Manager who is an
administrative user that has access rights to the LDAP directory.

LDAP Password: Enter a password (up to 128 characters) for the LDAP Manager.

Confirm Password: Re-enter the password that you provided in the LDAP Password field.

LDAP User Search Base: Enter the location (up to 256 characters) where all LDAP users exist. This location acts
as a container or a directory. This information varies depending on your customer
setup.

LDAP Custom Filter: Select an LDAP custom filter to filter the results of LDAP searches. LDAP users that
match the filter are imported into the Unified CM database. LDAP users that do not
match the filter do not get imported. The default value is <None>. This value applies
a default LDAP filter that is specific to the LDAP server type. The available default
LDAP filters are:
• Microsoft Active Directory (AD): (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
• iPlanet or Sun One LDAP Server: (objectclass=inetOrgPerson)
• OpenLDAP: (objectclass=inetOrgPerson)
• Microsoft Active Directory Application Mode (ADAM): (&(objectclass=user)(!(objectclass=Computer))(!(msDS-UserAccountDisabled=TRUE)))

d. Configure fields in the LDAP Server Information section.

Field: Description

Hostname or IP Address for Server: Enter the hostname or IP address of the server where the data for
this LDAP directory resides.

LDAP Port: Enter the port number on which the corporate directory receives the LDAP requests.
You can access this field only if LDAP authentication for users is enabled.
The default LDAP port for Microsoft Active Directory and for Netscape Directory
is 389. The default LDAP port for Secured Sockets Layer (SSL) is 636.
How your corporate directory is configured determines which port number to enter in this
field. For example, before you configure the LDAP Port field, determine whether your
LDAP server acts as a Global Catalog server and whether your configuration requires
LDAP over SSL. Consider entering one of the following port numbers:
LDAP Port when the LDAP server is not a Global Catalog server:
• 389 – When SSL is not required. (This port number specifies the default that
displays in the LDAP Port field.)
• 636 – When SSL is required. (If you enter this port number, make sure that
you check the Use SSL check box.)
LDAP Port when the LDAP server is a Global Catalog server:
• 3268 – When SSL is not required.
• 3269 – When SSL is required. (If you enter this port number, make sure that
you check the Use SSL check box.)
Tip: Your configuration may require that you enter a different port number than the
options that are listed in the preceding bullets. Before you configure the LDAP Port
field, contact the administrator of your directory server to determine the correct port
number to enter.

Use SSL: Check this check box to use Secured Sockets Layer (SSL) encryption for security
purposes.
Note: If LDAP over SSL is required, the corporate directory SSL certificate must
be loaded into Cisco Unified CM. The Cisco Unified Communications Operating
System Administration Guide documents the certificate upload procedure in the
Security chapter.

Add Another Redundant LDAP Server: Click this button to add another row to provide information about
another LDAP server.
e. Click Save.
Step 4 On Cisco Unified CM, configure LDAP authentication.
a. In the Navigation menu, select Cisco Unified CM Administration and click Go.
b. Select System > LDAP > LDAP Authentication.
c. Check Use LDAP Authentication for End Users.
d. Enter the LDAP Manager Distinguished Name, which is an administrative user that has access
rights to the LDAP directory.
e. Enter the LDAP Password for the user ID in previous step.
f. Enter the LDAP User Search Base.
Important: This value must match the LDAP User Search Base you configured for the LDAP
Directory in Unified CM. It must also match the LDAP Server you configure in Unified CDM.
g. Enter the hostname or IP of the LDAP server.
Important: This value must match the LDAP server hostname you configured for the LDAP
Directory in Unified CM. It must also match the LDAP Server hostname you configure in Unified
CDM.
h. Click Save.

Step 5 Synchronize Cisco Unified CM data to Cisco Unified CDM.


a. Sign in to Cisco Unified CDM as a customer administrator.
b. Select Device Management > Advanced > Perform Publisher Actions.
c. Select Action > Import.
d. For the App Type, select Cisco Unified Communications Manager Device.

e. Select an available Cisco Unified CM device to be synchronized.


f. Click Save.

Step 6 On Cisco Unified CDM, set up the LDAP server.


Important: Set Cisco Unified Communications Manager LDAP Directory Name to the LDAP
Configuration Name you used to configure the LDAP Directory on Cisco Unified CM.

Step 7 On Cisco Unified CDM, set up LDAP for user synchronization.

Step 8 On Cisco Unified CDM, synchronize users from LDAP to Cisco Unified CDM.

Step 9 On Cisco Unified CDM, push users to Cisco Unified CM, either by User Management or by Subscriber
Management.

When users are pushed to Cisco Unified CM, the ldapDirectoryName field in the device/cucm/User is
populated with the Cisco Unified CM LDAP Directory Name. Cisco Unified CM treats the users as LDAP
integrated, instead of local. The users appear as LDAP Active Users and use LDAP bind for authentication.
From now on, the users are authenticated in Cisco Unified CM against the LDAP directory.
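
The procedure above requires several values to be identical on Unified CM and Unified CDM and pairs each SSL port with the Use SSL check box. The following Python check is an added example, not Cisco code: it audits a hand-made export of those settings against the constraints stated in this procedure and in Set Up an LDAP Server. The dictionary keys, sample values, and finding codes are hypothetical, and treating the CDM LDAP Username mapping as the attribute that must match the Unified CM LDAP Attribute for User ID is an assumption.

```python
SSL_PORTS = {636, 3269}  # ports the procedure pairs with the Use SSL check box


def _dn(value):
    # Simplified DN comparison key: lower-cased, spaces around commas dropped.
    return ",".join(part.strip().lower() for part in value.split(","))


def audit(cdm, cucm_directory, cucm_auth):
    """Return (code, message) findings; an empty list means every check passed."""
    findings = []

    # Transport protection of the Unified CDM LDAP Server entry.
    if cdm["encryption_method"] == "No Encryption":
        findings.append(("CDM_NO_ENCRYPTION", "bind password and user data are sent unencrypted"))
    if cdm["trust_all"]:
        findings.append(("CDM_TRUST_ALL", "Trust All disables certificate validation"))

    # Port and Use SSL pairing of the Unified CM LDAP Directory entry.
    port, use_ssl = cucm_directory["port"], cucm_directory["use_ssl"]
    if port in SSL_PORTS and not use_ssl:
        findings.append(("CUCM_SSL_PORT_WITHOUT_SSL", f"port {port} needs Use SSL checked"))
    elif not use_ssl:
        findings.append(("CUCM_NO_SSL", f"port {port} carries LDAP binds without SSL"))

    # Values the procedure says must match between the two systems.
    def squash(text):
        return text.replace(" ", "").lower()

    pairs = [
        ("MISMATCH_SERVER_TYPE",
         {squash(cdm["server_type"]), squash(cucm_directory["server_type"])}),
        ("MISMATCH_USER_ID_ATTRIBUTE",  # assumed to be the CDM LDAP Username mapping
         {cdm["username_attribute"].lower(), cucm_directory["user_id_attribute"].lower()}),
        ("MISMATCH_SEARCH_BASE",
         {_dn(cdm["search_base_dn"]), _dn(cucm_directory["user_search_base"]),
          _dn(cucm_auth["user_search_base"])}),
        ("MISMATCH_HOSTNAME",
         {cdm["hostname"].lower(), cucm_directory["hostname"].lower(),
          cucm_auth["hostname"].lower()}),
        ("MISMATCH_DIRECTORY_NAME",
         {cdm["cucm_ldap_directory_name"], cucm_directory["configuration_name"]}),
    ]
    for code, distinct in pairs:
        if len(distinct) > 1:
            findings.append((code, "values differ: " + " | ".join(sorted(distinct))))
    return findings


def codes(findings):
    return [code for code, _ in findings]


# Constructed sample export with deliberate mistakes (hypothetical hosts and names).
CDM = {"hostname": "ldap01.example.com", "port": 389, "encryption_method": "No Encryption",
       "trust_all": True, "server_type": "Microsoft Active Directory",
       "search_base_dn": "OU=CUS01,DC=example,DC=com", "username_attribute": "sAMAccountName",
       "cucm_ldap_directory_name": "CUS01-LDAP"}
CUCM_DIRECTORY = {"configuration_name": "CUS01-AD", "server_type": "Microsoft Active Directory",
                  "user_id_attribute": "sAMAccountName", "hostname": "LDAP01.example.com",
                  "user_search_base": "ou=CUS01, dc=example, dc=com", "port": 636, "use_ssl": False}
CUCM_AUTH = {"hostname": "ldap01.example.com", "user_search_base": "OU=CUS02,DC=example,DC=com"}

if __name__ == "__main__":
    for code, message in audit(CDM, CUCM_DIRECTORY, CUCM_AUTH):
        print(f"{code}: {message}")
```

In a Shared Architecture cluster the search-base mismatch is the finding to look at first, because the OU is the only thing separating one customer's users from another's in the shared domain.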

Enter the Cisco Unified CM Directory Name in the LDAP Server


Procedure
Step 1 Go to LDAP Management > LDAP Server.

Step 2 Select the appropriate server.

Step 3 Fill in the Cisco Unified Communications Manager LDAP Directory Name with the LDAP
directory name and click Save.
The LDAP directory name is configured in Cisco Unified CM at Cisco Unified
Communications Manager System > LDAP > LDAP Directory.
Step 4 Add or update users in Cisco Unified CM.

Step 5 Select the site in hierarchy and User Management > Manage users.

Step 6 Select Add or update users to Cisco Unified CM.

Step 7 Select the Network Device List, select all users, and click Save.

Step 8 Repeat for other sites.

Configure the NBI Sync Customers Client to Perform CUCDM Sync


For Shared Architecture, use the NBI Sync Customers client to trigger syncs on customers that are specified
in an external file. You may have multiple customer files, and run multiple syncs at any time.
Procedure
Step 1 Download the NBI Sync customer client jar file.
Step 2 Create the customer file(s), one line per customer name.

customername1
customername2
customername3
Restriction: There is a maximum of 50 customers per customer file.
Step 3 Add this command to your cron job to run automatically hourly, daily, weekly, or monthly:
java -jar /auto/hcs-sync_customers_from_file.jar -f <filename> -u <username> -p <password> -h <hostname>
Parameter: Description
<filename>: The file path for the customer file.
<username>: The admin user name for the HCM-F server.
<password>: The password for the HCM-F username.
<hostname>: The address of the HCM-F server.

Step 4 Verify that the sync was successful, in the HCM-F interface, Administration > Jobs.
References
• Cisco Hosted Collaboration Solution Documents
• Cisco Hosted Collaboration Solution, Solution Reference Network Design Guide
• Cisco Hosted Collaboration Solution, Customer Onboarding Guide
• Cisco Hosted Collaboration Solution, Installation Guide
• Cisco Expressway on Virtual Machine Guides
• Guides for Cisco Unified Communications Manager
• Guides for Cisco Unified Communications Manager and IM and Presence Service
• Guides for Cisco Unity Connection
