Labccie 3022

CCIE Collaboration -
Troubleshooting Jabber Login

Devasayee Gopalan
Ishan Sambhi
LABCCIE-3022
Agenda
• Accessing the Lab
• MRA Solution Overview
• Deployment Scenarios
• MRA Solution Configuration (This section is already completed in this lab)
• Getting ready
• VCS Expressway Configuration
• VCS Control Configuration
• Unified CM Configuration
• IM&P Server Configuration
• Firewall Configuration
• Troubleshooting Jabber Login

Accessing the Lab
• VPN Details
 Open Cisco Any Connect VPN client
 Enter the Server IP address “72.163.218.175”
LABCCIE-3200 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Accessing the Lab
• Go to Settings ; Uncheck the “Block Connections to untrusted servers”
• Check the “Allow local (LAN) access when using VPN (if configured)”
Accessing the Lab
• Click on “Connect”. When it prompts for username & password login with the
following credentials
• Username : ciscolive1
• Password : ciscolive1
Accessing the Lab
• Once connected , you can access the below Servers :

• Windows PC RDP : 192.168.X.14
• VCS-C : 192.168.X.10
• VCSE : 192.168.X.11
• IM&P : 192.168.X.22
• CUCM : 192.168.X.23
• All servers Username / password : admin / ciscolive
• Windows PC login : administrator / Cisco,123
• The X in the 3rd octet would be the VLAN number of your POD and will be provided to you
by the proctor
Accessing the Lab
• When accessing servers from each other for example when the CUCM
has to reach out to the VCS . Please use the below IP addresses :
• VCSC - 192.168.105.10
• VCSE - 192.168.105.11
• Int PC : 192.168.105.15
• Ext PC : 192.168.105.14
• CUCM : 192.168.105.23
• IMP : 192.168.105.22
• Note : Do not use the IP’s in the previous slide when accessing the
servers from each other
MRA Solution Overview
Mobile and Remote Access
 The mobile and remote access solution supports a hybrid on-premise and cloud-based
service model, providing a consistent experience inside and outside the enterprise. It
provides a secure connection for Jabber application traffic without having to connect to
the corporate network over a VPN.
AnyConnect VPN
Unified CM
&
applications
Expressway
Firewall Traversal
 It is a device and operating system agnostic solution for Cisco Unified Client Services
Framework clients on Windows, Mac, iOS and Android platforms
• Session-based firewall traversal
• Allows access to collaboration applications ONLY
 It allows Jabber clients that are outside the enterprise to:
• use instant messaging and presence services
• make voice and video calls
• search the corporate directory
• share content
• launch a web conference
• access visual voicemail
 HTTPS proxy for secure provisioning of endpoints
 SIP/TLS, RTP/SRTP for audio/video media
 XCP router in the Edge for IM&P for Jabber
 Visual Voicemail (REST/HTTPS) supported with HTTPS Directory Access (8.6.2
UDS/HTTPS) supported with HTTPS
Requirement
 Support Version
Software Version Status
VCS X8.1 or later version
Unified CM 9.1.2 or later version
• Unified IM&P 9.1.1 or later version
9.7 or later version (* 9.6 support it as experimental but require additional

Jabber for Windows
configuration, refer to slide 123 for more detail)
| 9.6.1 or later version with minimum iOS6.1

Jabber for iPad/iPhone
(* iPhone4 only support audio call)
• Jabber for MAC 9.7.2
EX/MX series Endpoint TC7.1.0 or later version
Deployment Scenarios
Single network elements
 In this scenario there are single (non-clustered) Unified CM, IM & Presence, VCS
Control and VCS Expressway servers (or combination of Expressway-C and
Expressway-E)
Single clustered network elements
 In this scenario each network element is clustered Unified CM, IM & Presence, VCS
Control and VCS Expressway servers (or combination of Expressway-C and
Expressway-E)
Multiple clustered network elements
 In this scenario there are multiple clusters of each network element of Unified CM,
IM & Presence, VCS Control and VCS Expressway servers (or combination of
Expressway-C and Expressway-E)
Hybrid deployment
 In this scenario, IM and Presence services for Jabber clients are provided via the
WebEx cloud and registered on Unified CM via VCS Control and VCS Expressway
servers (or combination of Expressway-C and Expressway-E)
MRA Solution Configuration
Deployment Scenario
• In this lab we are going to use single network element deployment model.
• Single SIP domain deployment
• Simple deployment with single UDS and IMP server
Jabber Client External DNS VCS Expressway VCS Control Internal DNS CUCM Home UDS IM＆P Server
VCS Expressway VCS Control Single-Node CUCM Single-Node IMP

expressway.ciscolive.com SRV Record: cucm.ciscolive.com cups.ciscolive.com
control.ciscolive.com
* FQDN & IP Address listed above are just sample for configuration reference
External DNS Configuration
Note : This step has been already completed for this lab

SRV Record: cucm.ciscolive.com cups.ciscolive.com
expressway.ciscolive.com
Note : This step has been * FQDN & IP Address listed above are just sample for configuration reference
already completed for this lab
Configure SRV record – External DNS
Service Protocol Port Record Definition/Host
_collab-edge TLS 8443 expressway.ciscolive.com
 External DNS Record (for general deployment not specifically Mobile and Remote
Access service)
 Configure A/AAAA record as needed

_sips TCP 5061 expressway.ciscolive.com
_sip TCP 5060 expressway.ciscolive.com
Note : This step has been

Internal DNS Configuration
Cluster VCS Expressway Cluster VCS Control Single-Node CUCM Single-Node IMP
Note : This step has been already

completed for this lab
Configure SRV record – Internal DNS
_cuplogin TCP 8443 cups.ciscolive.com
_cisco-uds TCP 8443 cucm.ciscolive.com
_sips TCP 5061 cucm.ciscolive.com
_sip TCP 5060 cucm.ciscolive.com
_sip UDP 5060 cucm.ciscolive.com
 Configure A/AAAA record as needed

IMPORTANT: Make sure _cuplogin SRV/FQDN record is NOT resolvable outside of
internal network otherwise Jabber client won’t start Mobile and Remote Access
negotiation via VCS Expressway (or Expressway-E).
Note : This step has been * FQDN & IP Address listed above are just sample for configuration reference
• Getting Ready – Integrating IM&P and CUCM
Changing CUCM Hostname to IP
On the IM&P Server - Integrating IM&P with CUCM
Integrating IM&P with CUCM

Password : ciscolive

CUCM Security Password : ciscolive
Changing IM&P Hostname to IP
Configuring
TFTP
Server on
IM&P
Login to the IM&P Server

using putty to restart the
server
Restart the
IM&P Server
Login to the IM&P

server and go to
the Serviceability
tab
Ensure that all services on the IM&P are activated
MRA Solution Configuration Go back to the
Administration
page on the
• Getting Ready – Integrating IM&P and CUCM IM&P Server
Go to System -> Cluster and see

if things are green , ignore the
Cisco XCP Message Archiver
service
VCS Expressway Configuration

VCS Expressway Cluster VCS Control Single-Node CUCM Single-Node IMP

• System host name and domain name
 Ensure host name and domain name are specified for every VCS
 Ensure that VCS is Synchronized on every VCS . If NTP is not synchronized over
traversal it may lead to a lot of problems
• Server Certificate
 Install appropriate serve certificates and trusted CA certificates for TLS traversal session
between VCS Control
• This deployment requires secure communication between VCS Control

already completed for this
lab
• Mobile and Remote Access
 Enable Mobile and remote access feature from
Configuration > Unified Communications > Configuration
• Traversal Zone
 Create TLS verify enable Unified Communications traversal zone between VCS
Control and enable Mobile and remote access
• Traversal Zone
Control and enable Mobile and remote access – Create a new User for Traversal
Authentication
VCS Expressway
Configuration
• Traversal Zone
 Create TLS verify enable
Unified Communications
traversal zone between
VCS Control and enable
Mobile and remote access
– Create a new User for
Traversal Authentication
• Traversal Zone
Control and enable Mobile and remote access – Create a new User for Traversal
Authentication
User the Password - ciscolive
• Traversal Zone
 Create TLS verify enable traversal zone between VCS Control and enable Mobile and
remote access
 Use the below setting on the Traversal Server Configuration
Please verify this step at the end of all
VCS Expressway Configuration the configuration – This wont be active
unless the configuration on the VCSC is
• Unified Communications Status completed
 After all configurations, Unified Communication status should shows…
• Unified Communications mode: Enabled
• Unified Communication service: Active
• Zone (Sip status): Active
VCS Control Configuration
• Solution Configuration - Deployment Scenarios

• System host name and domain name
 Ensure host name and domain name are specified for every VCS
• DNS Server on the VCS control
 Ensure the DNS server is the 192.168.X.15 DNS sever , if not configured please
configure and Flush DNS cache
 Ensure that VCS is Synchronized on every VCS . If NTP is not synchronized over
traversal it may lead to a lot of problems
• Server Certificate
 Install appropriate serve certificates and trusted CA certificates for TLS traversal session between
VCS Expressway
• This deployment requires secure communication between VCS Control and Expressway
• For detail of certificate creation and deployment, please refer to “Cisco VCS Certificate Creation
and Use Deployment Guide”

• Mobile and Remote Access
 Enable Mobile and remote access feature from Configuration > Unified Communications
> Configuration
• Configure Unified CM servers
 Add Unified Communication server used for remote access from Configuration >
Unified Communications > Unified CM servers
 Step 1: Click “New”
 Step 2: Entre Unified CM publisher address, AXL Web service username and password,
then click “Add address”
 VCS automatically negotiate SIP link between Unified CM
• Depending on Unified CM configuration, link establishes with TCP or TLS
• Neighbor zone between Unified CM
 Non-configurable neighbor zone “CEtcp-<UCMName>” or/and “CEtls-<UCMName>”
automatically created after configure Unified CM servers
• Search rule pointing to Unified CM
 Non-configurable search rule “CEtcp-<UCMName>” or/and “CEtls-<UCMName>” automatically
created after configure Unified CM servers
• Configure IM and Presence server
 Add IM and Presence used for remote access from
Configuration > Unified Communications > IM and Presence servers
 Step 1: Click “New”
 Step 2: Add publisher FQDN, AXL Web service username and password, then click
“Add address”
 Configured IM and Presence server will add on VCS and status shows as “Active”
• Traversal Zone
 Create TLS verify enable Unified Communication traversal zone between VCS
Expressway and enable Mobile and remote access
• Traversal Zone
 Create TLS verify enable traversal zone between VCS Expressway and enable
Username : traversal
Password : ciscolive
• Traversal Zone
 Create TLS verify enable traversal zone between VCS Expressway and enable
• Enable Mobile and remote access: “Yes”

• Entire FQDN of each VCS Expressway
• SIP domain to route to Unified CM
 Configure the domains for registration, call control, provisioning, messaging and
presence services are to be routed to Unified CM from Configuration > Domains
(select target domain and click “View/Edit”)
 Enable feature to route to Unified CM
• Zone Status
 After all configurations, traversal zone status should shows “Active”
(require to complete VCS Expressway configuration before zone status become
active)
• Unified Communications Status
 After all configurations, Unified Communication status should shows…
• Unified Communications mode: Enabled
• Unified Communication service: Active
• Zone (Sip status): Active
Unified CM Configuration

• Maximum Session Bit Rate
 Ensure that the Maximum Session Bit Rate for Video Calls and Audio Bit Rate
between and within region is set to a suitable upper limit (i.e. 6000kbps and
Wideband) System > Region
• End User Configuration
 Enable user for Unified CM IM and Presence service with appropriate profile – In this
lab you can use the “Non” UC Service Profile”
Unified CM Configuration You may need to associate the device(CSF) after
creating it on the CUCM
 Associated user with appropriate Controlled Devices
 Make sure “Standard CCM End Users” and “Standard CTI Enabled” add as Access
Control Group
• Phone Configuration
 Add Phone with appropriate profile and DN
 Device owner user ID must be mapped on the device to link the service profile
 If owner user ID is not specified, user will use the default service profile
 Add owner user ID in “Associate End Users” under Directory Number Configuration
IM&P Server Configuration

IM&P Server Configuration
• User Profile sync status
 Check user profile created on Unified CM properly sync
System > Cluster Topology
Firewall Configuration
• Solution Configuration- Deployment Scenario
Cluster VCS Expressway Cluster VCS Control Single-Node CUCM Single-Node IMP
• Port usage: VCS Control to VCS Expressway
DMZ
Internet
IM&P
CUCM-UDS VCS Control VCS Expressway
VCS Control VCS Expressway
Source Port Listening Port
TLSA = Configurable TCP Outbound ports range
Management Control Inbound and outbound calls
Open Firewall Private to DMZ

TLSB = Configurable traversal port for traversal link between Control
and Expressway (i.e. 7001, 7002, etc.)
IP address of IP address of
IP Address
- VCS Control - VCS Expressway
Ue = Configurable TCP ephemeral port range
TCP Ue
XMPP (IM and Presence) TCP 7400
30000 to 35999 *
YC = Configurable traversal media ports range (on Control/C)
SSH TCP Ue
TCP 2222
(HTTP/S tunnels) 30000 to 35999 *
YE = Configurable traversal media ports range (on Expressway/E)
TCP & TLSA TCP & TLSB
IP Ports
SIP signaling
25000 to 29999 7001
* Default ephemeral ports range (X8.1) for is 30000 – 35999 which
SIP media
UDP YC UDP YE configurable
30002 to 35999 ** 36000 to 36001**
TURN server control UDP source port UDP 3478 *** ** Default media ports range (X8.1) is 36000 – 59999 which
configurable
Note : This step has been *** Default TURN request listening port. For large scale deployment,
default port range is 3478-3483
already completed for this lab LABCCIE-3200 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
• Port usage: VCS Expressway to/from Public Internet
DMZ
Internet
IM&P
VCS Expressway Internet SIP UA
Source Port Listening Port
N = VCS wait unit it receives media, then it sends its media to the IP
Management Control Outbound to SIP UA in the Internet port from which media was received (egress port of the media from
Open Firewall DMZ to Internet the far end non SIP-aware firewall)
IP address of IP address of S = Source port, typically >=1024

IP Address
- VCS Expressway - Any (or specific IP)
XMPP (IM and Presence) N/A N/A YE = Configurable traversal media ports range (on Expressway/E)
UDS
N/A N/A
(Provisioning and Phonebook) ** Default media ports range (X8.1) is 36000 – 59999 which
TURN Server Control N/A N/A
configurable
TLS TLS S
IP Ports
SIP signaling
25000 to 29999 >= 1024
UDP YE UDP N
Media
36000 to 59999 ** >= 1024

• Port usage: VCS Expressway to/from Public Internet
DMZ
Internet
IM&P
VCS Expressway Internet SIP UA
Listening Port Source Port
N = VCS wait unit it receives media, then it sends its media to the IP
Management Control Inbound from SIP UA in the Internet
port from which media was received (egress port of the media from
Open Firewall Internet to DMZ the far end non SIP-aware firewall)
IP address of IP address of
IP Address
- VCS Expressway - Any (or specific IP) S = Source port, typically >=1024
TCP S
XMPP (IM and Presence) TCP 5222
>= 1024 YE = Configurable traversal media ports range (on Expressway/E)
UDS TCP S
(Provisioning and Phonebook)
TCP 8443
>= 1024 ** Default media ports range (X8.1) is 36000 – 59999 which
UDP S
configurable
TURN Server Control UDP 3478 ***
>= 1024
IP Ports
*** Default TURN request listening port. For large scale deployment,
TLS S
SIP signaling TLS 5061 default port range is 3478-3483
>= 1024
UDP YE UDP N
Media
36002 to 59999 ** >= 1024

Internal port usage
• Port usage: VCS Control to Unified CM and IM&P
DMZ
IM&P
Internet
Management System VCS Control

Listening Port Source Port Ue = Configurable TCP ephemeral port range
Management Control Private Network
* Default ephemeral ports range (X8.1) for is 30000 – 35999 which
Open Firewall N/A
configurable
IP address of
IP address of
- VCS Control
IP Address - Unified CM
- IM & Presence Server
TCP 7400 TCP Ue

XMPP (IM and Presence)
(IM&P Server) 30000 to 35999 *
UDS TCP 8443 TCP Ue

(Provisioning and Phonebook) (CUCM Server) 30000 to 35999 *
IP Ports
TCP 6970 TCP Ue

TFTP
(TFTP Server) 30000 to 35999 *
TCP 443 TCP Ue

CUC (Voicemail)
(CUC server) 30000 to 35999 *

completed for this lab LABCCIE-3200 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Jabber for Windows
• IMP base deployment
Phone service is not yet ready
Entre IMP user ID and password Client attempting logon over MRA Logon…, attempting UCM registration
Registration Status
• Jabber for Windows registered on Home-UDS
Jabber Client External VCS VCS Internal

“liveuser” CUCM TFTP IM＆P
DNS Expressway Control DNS Home Server Server
UDS
Phone registered on CUCM and ready for phone service
Registration Status
• Jabber for Windows registered on Home-UDS
Jabber Client Internal CUCM IM＆P

External VCS VCS DNS TFTP Server
“liveuser” DNS Expressway Control Home Server
UDS
Phone registered on CUCM and ready for phone service

Detail status available from Help > Show connection status
Step 1
 If Jabber Displays “Cannot Communicate with Server “ , try clearing Jabber Cache from the
Local PC
 To Clear Jabber Cache : Go to Start -> Run and go to %APPDATA%
 Go into both Local and Roaming folders and within Cisco folder delete Unified Communications
folder
 Path :C:\Users\administrator\AppData\Local\Cisco\Unified Communications

 C:\Users\administrator\AppData\Roaming\Cisco\Unified Communications
Step 2 :
 Verify DNS SRV records on the external PC and the VCS-C
 From the external PC try using nslookup , set type=srv and perform an SRV lookup for
_collab-edge._tls.ciscolive.com – this should resolve to expressway.ciscolive.com
 On the VCS-C use the DNS Lookup tool to check for _cuplogin._tcp.ciscolive.com ,_cisco-
uds._tcp.cisco.com and for expressway.ciscolive.com
 DNS Lookup Utility on the VCS
Step 2 : (Continued)
 Result
Step 2 : ( Continued )
 Ifyou do not get the above results , make sure the right DNS Server is
configured on the VCS-C , under System -> DNS
Step 3 :
 Make sure that IMP Server is active and reachable
Step 3 : (Continued)
 If you see the below error Output
 Restart XCP Router Service on the IMP Server and refresh the IMP Servers
from the VCS-C
Step 4:
 IfNTP is not synchronised and the traversal is created - it may cause issues and
you see an X-Auth token expired error in the Jabber PRT
 To resolve this issue :
 Synchronise NTP on the C and E to preferably the same source at the same
stratum ( preferably Stratum 3 and lower ) and recreate the traversal server /
traversal client zones
Step 5:
 IfLogin is still failing , collect Diagnostic logs from the VCS-C and VCS-E for a
failed Jabber Login attempt and work with the proctor to review them
 To capture logs:
 Go to Maintenance -> Diagnostics -> Diagnostic Logging
Step 5:
 Click on Start New Log
 Recreate the issue & Click Stop Logging
Step 5: (Continued)
 Click on Download Log and Save
Complete Your Online Session Evaluation
• Please complete your Online
Session Evaluations after each
session
• Complete 4 Session Evaluations &
the Overall Conference Evaluation
(available from Thursday) to receive
your Cisco Live T-shirt
• All surveys can be completed via
the Cisco Live Mobile App or the
Don’t forget: Cisco Live sessions will be available
Communication Stations for viewing on-demand after the event at
CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank You

Labccie 3022

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Labccie 3022

Încărcat de

Drepturi de autor:

Formate disponibile

CCIE Collaboration -

Troubleshooting Jabber Login

• Troubleshooting Jabber Login

• Once connected , you can access the below Servers :

9.7 or later version (* 9.6 support it as experimental but require additional

| 9.6.1 or later version with minimum iOS6.1

VCS Expressway VCS Control Single-Node CUCM Single-Node IMP

VCS Expressway VCS Control Single-Node CUCM Single-Node IMP

Service Protocol Port Record Definition/Host

Note : This step has been

Note : This step has been already

 Configure A/AAAA record as needed

Changing CUCM Hostname to IP

Changing CUCM Hostname to IP

Changing CUCM Hostname to IP

Integrating IM&P with CUCM

Integrating IM&P with CUCM

Integrating IM&P with CUCM

Changing IM&P Hostname to IP

Changing IM&P Hostname to IP

Changing IM&P Hostname to IP

Login to the IM&P Server

Login to the IM&P

Ensure that all services on the IM&P are activated

Go to System -> Cluster and see

• Single SIP domain deployment

VCS Expressway Cluster VCS Control Single-Node CUCM Single-Node IMP

Note : This step has been

User the Password - ciscolive

VCS Expressway VCS Control Single-Node CUCM Single-Node IMP

Note : This step has been

• Enable Mobile and remote access: “Yes”

VCS Expressway VCS Control Single-Node CUCM Single-Node IMP

VCS Expressway VCS Control Single-Node CUCM Single-Node IMP

Open Firewall Private to DMZ

IP address of IP address of S = Source port, typically >=1024

Note : This step has been already

Note : This step has been already

Management System VCS Control

TCP 7400 TCP Ue

UDS TCP 8443 TCP Ue

TCP 6970 TCP Ue

TCP 443 TCP Ue

Note : This step has been already

Phone service is not yet ready

Jabber Client External VCS VCS Internal

Phone registered on CUCM and ready for phone service

Jabber Client Internal CUCM IM＆P

Phone registered on CUCM and ready for phone service

 Path :C:\Users\administrator\AppData\Local\Cisco\Unified Communications

 Recreate the issue & Click Stop Logging

S-ar putea să vă placă și