Understanding how to make the most of your Cisco Jabber Deployment

Shane Long, Technical Marketing Engineer

Agenda

• What is Service Discovery
• Directory Integration
• Jabber Architectural Enhancements
• Jabber in VDI

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

What is Service Discovery

• Jabber utilises Service Discovery to determine
  • Operating mode - on premise, cloud OR hybrid
  • inside OR outside corporate network
  • service location
  • configuration retrieval
  • service subscription

Jabber sends HTTP and DNS Queries

• Jabber sends all requests (HTTP request & DNS queries) simultaneously
• The record returned with the highest priority will be used for connection to service
• Jabber also evaluates returned responses to determine if it is inside or outside the organization (Edge Detection)

HTTP Request to CAS* (WebEx Messenger): http://loginp.webexconnect.com/cas/FederatedSSO?org=[DOMAIN]
DNS SRV Lookups: DNS queries to DNS (internal or external)

Priority   Service              HTTP Request / DNS SRV
1          WebEx Messenger      HTTP CAS lookup
2          Unified CM 9.x       _cisco-uds._tcp.
3          Cisco Presence 8.x   _cuplogin._tcp.
4          Cisco Expressway     _collab-edge._tls.

* CAS: Connect Authentication Service

Edge Detection

• Edge Detection determines whether Jabber is inside or outside the organization
• If Jabber is inside the organization (_cisco-uds record in DNS) it will send traffic directly to UC Manager
• If Jabber is outside the organization (_collab-edge record in DNS), it will transform all traffic and send via Expressway (MRA)
• NOTE: If in cloud mode, Jabber will always send WebEx Messenger traffic directly to the cloud
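The priority table and Edge Detection rules above can be checked offline against the answers a given DNS view returns. This is an added example, not Cisco's code: the hybrid/cloud classification, treating `_cuplogin` as an internal record, and all host names are assumptions, and the sample answers are constructed.

```python
from dataclasses import dataclass, field

# Priority table from the slide (1 = highest). "cas" stands for the HTTP CAS lookup.
PRIORITY = (
    (1, "WebEx Messenger", "cas"),
    (2, "Unified CM 9.x", "_cisco-uds._tcp"),
    (3, "Cisco Presence 8.x", "_cuplogin._tcp"),
    (4, "Cisco Expressway", "_collab-edge._tls"),
)
# Assumption: both on-premise records count as "inside" evidence.
INTERNAL_RECORDS = {"_cisco-uds._tcp", "_cuplogin._tcp"}
EDGE_RECORD = "_collab-edge._tls"


@dataclass
class Outcome:
    service: str    # highest-priority service that answered
    location: str   # "inside", "outside" or "unknown"
    mode: str       # "cloud", "on-premise", "hybrid" or "none"
    uc_path: str    # how UC traffic is sent
    warnings: list = field(default_factory=list)


def evaluate(cas_org_found, srv_answers, resolver_view):
    """Classify one discovery round.

    cas_org_found -- True if the CAS lookup recognised the domain
    srv_answers   -- record name -> list of (target, port); empty list = no answer
    resolver_view -- "internal" or "external": which DNS view produced the answers
    """
    answered = {name for name, targets in srv_answers.items() if targets}
    if cas_org_found:
        answered.add("cas")

    ranked = sorted((prio, svc) for prio, svc, key in PRIORITY if key in answered)
    service = ranked[0][1] if ranked else "none (manual configuration)"

    # Edge Detection: an internal record means inside, only the edge record means outside.
    if answered & INTERNAL_RECORDS:
        location, uc_path = "inside", "direct to UC Manager"
    elif EDGE_RECORD in answered:
        location, uc_path = "outside", "via Expressway (MRA)"
    else:
        location, uc_path = "unknown", "no UC service located"

    has_uc = bool(answered & (INTERNAL_RECORDS | {EDGE_RECORD}))
    if cas_org_found:
        mode = "hybrid" if has_uc else "cloud"   # assumption, see lead-in
    else:
        mode = "on-premise" if has_uc else "none"

    warnings = []
    if resolver_view == "external" and answered & INTERNAL_RECORDS:
        # Consequence of the rules above: an outside client that can resolve an
        # internal record is classified as inside and bypasses Expressway.
        warnings.append("internal SRV record resolvable from external DNS")
    return Outcome(service, location, mode, uc_path, warnings)


# Constructed sample answers (host names are placeholders).
INSIDE = {"_cisco-uds._tcp": [("cucm1.example.com", 8443)],
          "_cuplogin._tcp": [], "_collab-edge._tls": []}
OUTSIDE = {"_cisco-uds._tcp": [], "_cuplogin._tcp": [],
           "_collab-edge._tls": [("expe.example.com", 8443)]}
LEAKY = {"_cisco-uds._tcp": [("cucm1.example.com", 8443)],
         "_cuplogin._tcp": [],
         "_collab-edge._tls": [("expe.example.com", 8443)]}

if __name__ == "__main__":
    cases = [("inside", False, INSIDE, "internal"),
             ("outside", False, OUTSIDE, "external"),
             ("hybrid outside", True, OUTSIDE, "external"),
             ("leaky external zone", False, LEAKY, "external")]
    for label, cas, answers, view in cases:
        print(f"{label:20} {evaluate(cas, answers, view)}")
```

Run against the records each DNS view really returns, the last case is the one to look for: an external zone that also publishes `_cisco-uds`.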

BRKCOL-201 3

UPN Discovery

• Jabber for Windows will not prompt user to enter login credentials until the Windows machine is connected to a network
• Once a network connection becomes available Jabber will initiate service discovery
• Jabber for Windows will use domain User Principal Name (UPN) for service discovery e.g. smiller@example.com
  • example.com is used as the Discovery Domain (_cisco-uds._tcp.example.com etc)
  • “smiller” is used for home cluster discovery
• UPN discovery can be disabled (fall back to manual)
  • UPN_DISCOVERY_ENABLED=false

Service Discovery Domain

• Jabber needs a domain to send WebEx Messenger and DNS SRV requests
• Jabber has a number of methods of retrieving this domain dependent on platform

[Table: discovery domain methods by platform. Columns: UPN, Manual, MSI Transformation, URL Configuration, MAM Preconfiguration, jabber-config.xml. Rows: Windows, Mac, Android, iOS. The cell values and the “Default” marker are not preserved.]

Jabber Phone Mode

• Jabber can be configured to run in
  • Full UC Mode
  • IM only mode
  • Phone only mode
• Jabber phone only mode can provide all of the Jabber full UC mode functionality excluding IM & Presence based services
• To run Jabber in phone only mode, ensure that the UC Manager user is not enabled for IM & Presence services
  • Uncheck “Enable User for Unified CM IM and Presence…” to run Jabber in phone mode
  • Users can be enabled for full UC mode by checking the tick box “Enable User for Unified CM IM and Presence….”

Assigning Users to Home Cluster

• UC Manager users need to be assigned a Home Cluster
• This is the cluster the user “belongs to”
• Used by ILS service to locate home cluster
• Home Cluster can be assigned manually, using LDAP sync agreement or using BAT
• Ensure users are only assigned to a single Home Cluster!!!

• Different behaviour in UC Manager 9.x/10.x/11.x

Home Cluster Discovery

[Diagram: DNS, Cluster 1, Cluster 2, Cluster 3 and the ILS Service, with steps numbered 1 to 4; cholland’s homecluster is Cluster 2]

– DNS SRV returns a node in Cluster 1
– Jabber connects to node in Cluster 1 and asks for homecluster of “cholland”
– Cluster 1 queries other clusters for “cholland” home cluster via ILS Service and returns Cluster 2 to Jabber
– Jabber connects to Cluster 2 for service

Jabber Home Cluster Request

• Jabber will be returned a UC Manager node to connect to
• This can be any UC Manager in any cluster in the deployment as long as the ILS service is configured and running for all clusters
• Jabber sends a request to the UC Manager node with UC Manager UID to locate the user's Home Cluster

https://ccm-sjcvtg-091.cisco.com:8443/cucm-uds/clusterUser?username=shalong

• The following XML document is returned to Jabber with Home Cluster information

Jabber Servers Request

• Jabber sends a “servers” request to the returned Home Cluster node to retrieve list of nodes in the cluster

https://ccm-gwyvtg-021.cisco.com:8443/cucm-uds/servers

• The following XML document is returned to Jabber with cluster servers information

• Jabber will select one of these nodes at random and use that node for device discovery and UDS (including UDS directory integration if enabled)

TFTP and UC Manager Group

• Jabber will retrieve TFTP server information from a UDS API and will connect to one of the TFTP nodes at random
  • Jabber will choose from one of 3 TFTP servers in the cluster
• Jabber will register to a node in the cluster based on UC Manager groups
  • CSF device assigned to Device Pool
  • Device Pool assigned a UC Manager Group
  • The UC Manager group contains the available nodes for CSF registration

Jabber Start-up URLs & Search Queries

• UDS Version: https://CUCM_ADDRESS:8443/cucm-uds/version
• ClusterUser (HomeCluster): https://CUCM_ADDRESS:8443/cucm-uds/clusterUser?username=USERID
• UDS Servers: https://CUCM_ADDRESS:8443/cucm-uds/servers
• UDS User Profile: https://CUCM_ADDRESS:8443/cucm-uds/user/USERID
• TFTP Service Profile: http://CUCM_ADDRESS:6970/SPDefault.cnf.xml
• TFTP Jabber-Config: http://CUCM_ADDRESS:6970/jabber-config.xml
• UDS User Devices: https://CUCM_ADDRESS:8443/cucm-uds/user/USERID/devices
• TFTP Device Profile: http://CUCM_ADDRESS:6970/CSF_USERID.cnf.xml
• UDS Search User: https://CUCM_ADDRESS:8443/cucm-uds/users?name=pa
• UDS Number User: https://CUCM_ADDRESS:8443/cucm-uds/users?numberlast=7803
• UDS userID User: https://CUCM_ADDRESS:8443/cucm-uds/users?username=shalong
• UDS email User: https://CUCM_ADDRESS:8443/cucm-uds/[email protected]

Jabber Configuration

Jabber Configuration – User Configuration

[Diagram: End User configuration relationships. Labels: Service Profile assigned to User (IM&P UC Service, CTI UC Service, Voicemail UC Service, Conference UC Service, Directory UC Service, XML File); Home Cluster; IM&P enabled; SIP URI (URI association to User, User to SIP URI association); Directory Number (Line association, Device association to line, User association to line); Devices (Mobile, Softphone, Desk Phone; User association to devices); Group Membership (membership of End User Group, membership of CTI Group)]

Jabber User Configuration – Service Profiles

• Jabber will pull most of its UC Service configuration from service profiles
• Service profiles can be used to deliver different feature sets
  • CTI Mode
  • Voicemail
  • Directory
• Directory Service supports basic settings – for advanced settings such as attribute mapping, jabber-config.xml can be used inclusive of service profile
• Your goals should be to make the config file minimal – do as much in the service profiles as possible. “OVER CONFIGURATION” MAY LEAD TO ERRORS

[Diagram: Service Profile assigned to User, containing IM&P UC Service, CTI UC Service, Voicemail UC Service, Conference UC Service, Directory UC Service and XML File; User is IM&P enabled]

Jabber User Configuration

Service profiles require three configuration steps

[Screenshot labels: UC Service; Service Profile. Callouts: “Define server address to match cert CN”; “Define default templates before you users”]

Jabber User Configuration

• Service profiles don’t provide access to all settings; the client will download the Jabber configuration file

[jabber-config.xml sample: the element tags are not preserved; surviving values are http://myserver/Jabber/update.xml, http://photos/photo/%%uid%%.jpg and True]

• Keep your XML file simple!!!
• Only specify the settings you need
• Don’t specify default values
• Test your XML file using a browser

Tip: You can view the current jabber-config.xml file at: http://{cucm}:6970/jabber-config.xml
Port 6972 can be used for secure download

Jabber Configuration – Configuration Sources

• During start-up Jabber clients will take configuration from multiple sources
• Jabber builds a local configuration which is populated from different sources
• Configuration sources have different priorities
• Operating configuration can be made up from different configuration sources
• Configuration can be created at parameter level, e.g.
  • LDAP Host from Jabber-config.xml
  • LDAP user ID from Service profile
  • LDAP password from Service profile

[Diagram: configuration sources in priority order: Bootstrap/Local, Service Profiles, IM & P Config, Jabber-config.xml; together they form the Operating Config]

Directory Integration

A Contact source resolves JIDs to Contacts

• Jabber must have a contact resolution service (WebEx, LDAP, UDS)
• Contact service populates JIDs with
  • Display Name (Eyeball friendly information)
  • Communications Addresses (addresses to call)
  • Photos / Avatar (enhances User experience)
  • Other attributes (Job, Address etc.)

Contact Source Summary

Network Contact Sources: WebEx Messenger, LDAP on Premise, UDS used by Expressway
Platform Contact Sources: Outlook, Notes, Custom, Device

• Jabber will automatically connect to contacts sources
• Admin can configure sources
• Jabber maintains local cache
• Jabber manages duplicate contacts across multiple sources

Cache (Local): Cache entry expires after 1 day + random delta

How do I configure LDAP contact source

• Jabber 11.8 introduced an LDAP directory integration
• Cisco Directory integration works across all Jabber platforms (don’t need two anymore)
• Configuration can mostly be performed in service profiles (group based config)
• Schema information goes in jabber-config.xml file

BRKCOL-201 3 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 27 Considerations for LDAP contact Source

Server Type/Schema Server Connection Authentication (AD, OpenLDAP) Information Method

Search/Query LDAP Server Parameters Optimization

BRKCOL-201 3 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 28 Server: LDAP Types

• Jabber supports LDAPv3 as a on premise LDAP contact source…

• Examples include (but not limited too)

Microsoft Active Directory Microsoft AD LDS OpenLDAP 2008, 2012, 2016 2008, 2012, 2016 Jabber will attempt to identity AD and Open LDAP servers

BRKCOL-201 3 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 29 Getting the right query for your scheme… • Jabber must be aligned to directory Schema

• Jabber will default to AD schema sAMAccountName = username

• Jabber LDAP settings can be customized for custom directories

(&(objectCategory=person)(objectClass=user)(sAMAccountName=cholland))

BRKCOL-201 3 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 30 Jabber Contact source query examples…

• Predictive Search (Performed by Users) ANR Token Non ANR

• Contact resolution Domain FlexJID

• Telephone Search TIP: Check phonemask setting if you have irregular length numbers Phone #

• Cache refresh Object

• Photo Lookup Photo

BRKCOL-201 3 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 31 What is ambiguous name resolution (ANR)

ANR is a function supported by Microsoft Directory Servers Provides an efficient method to search multiple attributes AD has a default set of ANR attributes but admin can extend selection OpenLDAP doesn’t support ANR. Jabber will try to detect a directory that doesn’t use ANR (&(objectCategory=person)(objectClass=user)(ANR=smith*))

Admin can use ANR settings and Predictive search filter to disable ANR, NEVER DISABLE FOR AD!!!!

Server Connection: LDAP Server Discovery

• Jabber will by default try to auto-detect the LDAP server.
• Alternatively the admin can define the server address in a service profile or jabber config file. Service profile is recommended

[Diagram: automatic discovery using DNS SRV records; admin defined FQDN or IP Address in Service profile]

Server Connection: Server Auto discovery

• For Zero Configuration Jabber will try to detect LDAP servers.
• Jabber will query DNS domain for LDAP server based on
  • Windows Environment, Admin defined domain, service domain (LdapUserDomain parameter used by admin defined domain)
• Uses standard DNS SRV Records
  • _gc._tcp.domain.com (1st choice)
  • _ldap._tcp.domain.com (2nd choice)
• Jabber will query directory type (AD/OpenLDAP) to set base attribute mapping
• Jabber will query defaultNamingContext to use if search base not defined by admin (Jabber 11.8(1))
• Allows LDAP load distribution!!!

[Diagram: automatic discovery using DNS SRV records]

Server Connection: Administrator defined Server

Admin can define LDAP server address in service profile or config file. Service profile allows alignment to groups of users!!!

[Diagram: admin defined FQDN or IP Address in Service profile]

Search: Where to Search?

• Jabber will try to read the RootDSE of the directory to automatically identify search base for Zero Configuration.
• Admin can also define search bases in service profile…

Service profile accepts up to 3 search bases
  cn=users1,dc=example,dc=com
  cn=users2,dc=example,dc=com
  cn=users3,dc=example,dc=com
Jabber-config.xml file can accept 5 if required

Authentication Settings, what to set…..

• Service Profile….
• Jabber Configuration File (if needed!!)
  • Used to define which authentication methods to use. Options are “GSSAPI EXTERNAL PLAIN”
  • Which logged on user credentials to use. Normally CUCM but can be other credentials, for example Unity
  • Alternative domain used for discovery / to add to userID when using Jabber credentials
  • Enable anonymous BIND.

Server Optimization Tips

• Tips for LDAP service optimization

1) DO Use Global Catalog rather than Domain controller
2) DO Index ALL Jabber key fields. i.e. telephone numbers
3) DO Distribute load across LDAP servers with DNS/SRV records
4) DO use service profiles to create group/location based server connections

UDS Proxy Contact Source

• Classic UDS Operation
  • Jabber uses UDS for directory when connected via Cisco Expressway (MRA)
  • Search performed against CUCM end user database
  • Maximum contacts possible 160,000
• UDS Proxy Operation
  • Search forwarded to AD / LDAP v3
  • Can search beyond 160,000 limit
  • Provides same attributes as classic UDS operation

[Diagram labels: HTTPS (both modes), LDAP Server, LDAP]

UDS Proxy Mode Configuration

• New menu LDAP> LDAP Search
• Directory type and Username attribute taken from LDAP sync directory
• Server address defined as UC service as used by service profiles
• DirectoryURI mappable for flexibleJID/Multi-domain

Enhanced Diagnostics Tool

• Enhanced Diagnostics tool now provides support for contact sources testing
• Ctrl-Shift-D Show Diagnostics tool
• Ctrl-Shift-C Show Contacts

Jabber Architectural Enhancements

Jabber 11.9 delivers Enhanced Architecture

Features: Push Notification, OAuth, Off-Line Login, Fast Login

These features work together to enhance user experience which provides

• Improved Login flow
• Better Service offline handling
• Enhanced Authorisation
• Optimized for Mobile Devices

Push Notification Headline…..

• Jabber for iPhone and iPad is migrating to Apple Push Notification service for Chat and Call notifications during 2017
• You need to take action now….
  • Jabber 11.9 will deliver this
  • This change requires upgrades to the UC infrastructure supporting Jabber iOS clients.
  • This migration is to support changes Apple are planning in a future release of iOS.
  • Current method of operation is expected to be deprecated by Apple in 2018

How Jabber for iOS works today…

Jabber without APNS Enablement

[Diagram: two panels, JABBER in FOREGROUND and JABBER in BACKGROUND. In each, the Jabber process connects to the UC Manager Node (SIP) and the IM&P / Messenger Platform (XMPP), with Keep Alive traffic]

Optimized for Mobile: Apple iOS Push Notifications

• Jabber 11.9 delivers on the Phase 2 of APNS support
• Delivered in combination with UC Manager release 11.5SU3
• Provides Push notification for incoming voice calls when Jabber in background/not running.
• Complements IM/Chat Push notifications delivered in Jabber 11.8

Jabber iOS customers should plan to migrate to push model before June 2018

Push Notifications: iOS Push Notification Flows

[Diagram: two panels, JABBER in FOREGROUND and JABBER in BACKGROUND. Labels: UC Manager Node (SIP), IM&P / Messenger Platform (XMPP), HTTPS to Cisco Collaboration cloud, Apple APNs, Keep Alive, Incoming Chat Notification / Jabber call, Jabber process]

under the hood… Some Answers for common questions…

• Servers will tell Jabber on start-up if PUSH has been enabled
• Jabber will be suspended and terminated when put in background
• An APNs notification will wake OR start Jabber running. (Jabber will then login to UC Service)
• Chat messages carried in APNs payload are encrypted

What I will need to do for my customer

1. Jabber will require upgrading to 11.9+
2. CUCM, IM&P will require upgrades to 11.5.SU3
3. CUCM Cluster will require registration to Cisco collaboration cloud (direct / proxy / expressway)
4. Firewall ACLs may require modification
5. Expressway will require an upgrade if using Mobile Remote Access (MRA).
6. Recommended to enable oAuth to enhance the login experience

Communication with the cloud: UC Manager connection to Cloud

Connection options to the Cisco cloud:
• Direct (via firewall)
• Via Proxy server (with auth)
• Via Expressway

CUCM must be able to connect to
• These hosts: fos-a.wbx2.com, push.webexconnect.com, idbroker.webex.com
• On this port: TCP/443

Registration creates a token which is distributed to all nodes in cluster
This token allows all nodes to send APNs request to Cisco cloud.

How to configure UC Manager Registration

Advanced Features> Cisco Cloud Onboarding

• New configuration screen in UC manager from 11.5SU2
• Process creates machine account based on UC manager license. (Customer domain registration not a requirement for APNs)
• Process can also install required Certificates for connection to cloud.

Firewall Considerations: Getting Notifications to iOS devices

• iPhone / iPad will need to be able to connect to Apple Cloud / APN service
• Devices on corporate network may require ACL
• iOS devices connect to 17.0.0.0/8 using port 5223/TCP
• On Wi-Fi they can fallback to 17.0.0.0/8 using port 443/TCP
• iOS devices on Internet/Expressway connect directly
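The connectivity requirements from the two slides above (iOS devices to 17.0.0.0/8 on 5223/TCP with 443/TCP fallback, and CUCM to the three cloud hosts on TCP/443) can be checked against a firewall rule export before rollout. This is an added example, not a Cisco tool: the rule format, the Wi-Fi subnet, the proxy allowlist and the definition of "ready" are assumptions, and the sample rules are constructed.

```python
import ipaddress
from fnmatch import fnmatchcase

# Requirements taken from the slides.
APNS_NET = "17.0.0.0/8"
DEVICE_PORTS = (5223, 443)          # primary port, Wi-Fi fallback
CLOUD_HOSTS = ("fos-a.wbx2.com", "push.webexconnect.com", "idbroker.webex.com")


def acl_verdict(acl, src, dst, proto, port):
    """First-match ACL evaluation with implicit deny.

    Returns "permit" or "deny" when the first overlapping rule covers the whole
    src -> dst flow, and "partial" when it covers only part of it, which means
    the flow is not decided uniformly and the rule set needs review.
    """
    src_net = ipaddress.ip_network(src)
    dst_net = ipaddress.ip_network(dst)
    for rule in acl:
        if rule["proto"] != proto or port not in rule["ports"]:
            continue
        r_src = ipaddress.ip_network(rule["src"])
        r_dst = ipaddress.ip_network(rule["dst"])
        if not (src_net.overlaps(r_src) and dst_net.overlaps(r_dst)):
            continue
        if src_net.subnet_of(r_src) and dst_net.subnet_of(r_dst):
            return rule["action"]
        return "partial"
    return "deny"


def check_apns_readiness(acl, device_net, proxy_allowlist):
    """Report device -> APNs reachability and CUCM -> cloud host allowlisting."""
    report = {
        f"tcp/{port}": acl_verdict(acl, device_net, APNS_NET, "tcp", port)
        for port in DEVICE_PORTS
    }
    patterns = [p.lower() for p in proxy_allowlist]
    report["cloud_hosts_blocked"] = [
        host for host in CLOUD_HOSTS
        if not any(fnmatchcase(host, pattern) for pattern in patterns)
    ]
    # Assumption: "ready" means the primary APNs port is fully permitted and
    # every cloud host is allowlisted; the 443 fallback is reported separately.
    report["ready"] = (report["tcp/5223"] == "permit"
                       and not report["cloud_hosts_blocked"])
    return report


# Constructed sample: corporate Wi-Fi egress rules, evaluated top to bottom.
SAMPLE_ACL = [
    {"action": "permit", "proto": "tcp", "src": "10.20.0.0/16",
     "dst": "17.0.0.0/8", "ports": {5223}},
    # Too narrow: covers only part of the APNs range for the 443 fallback.
    {"action": "permit", "proto": "tcp", "src": "10.20.0.0/16",
     "dst": "17.0.0.0/16", "ports": {443}},
    {"action": "deny", "proto": "tcp", "src": "0.0.0.0/0",
     "dst": "0.0.0.0/0", "ports": range(1, 65536)},
]
# Constructed sample: FQDN patterns the outbound proxy lets CUCM reach on TCP/443.
SAMPLE_PROXY_ALLOWLIST = ["*.wbx2.com", "idbroker.webex.com"]

if __name__ == "__main__":
    result = check_apns_readiness(SAMPLE_ACL, "10.20.30.0/24", SAMPLE_PROXY_ALLOWLIST)
    for key, value in result.items():
        print(f"{key:20} {value}")
```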

Make sure you’re ready – don’t delay!!

Call to Action

• Jabber iOS customers should plan to migrate to push model before June 2018 to continue receiving chat and call notifications on Jabber iPhone/iPad; take action now.
• It is recommended to begin UC infrastructure upgrades ASAP
• If your customer doesn’t take action then Jabber will NOT…..
  • be notified for incoming chat messages!
  • be notified of incoming voice/video calls!
  when Jabber is sent to background.

Enhanced Login flow with Jabber 11.9 Fast Login

• Enhanced Login flow now connects to services in parallel
• New cached configuration enables faster login process
• New background config refresh used to update cache
• Force Cache update available on client help menu

[Diagram labels: Config Refresh, Cached Settings]

Jabber 11.9 Fast Login: Login Example

• On first login client retrieves config and contacts
• Contact List and client config are encrypted and saved locally
• On next login config & contacts restored from local storage for fast login experience
• Config and contacts refreshed from server after login (1 to 5 minutes*)
• For troubleshooting user can force early refresh using “Refresh configuration” if required

* Config then refreshed for persistent connection every 7~9 hours

Offline service bypass with Off-Line Login

• Prior to 11.9 Jabber was dependent on its primary authenticator..
  • Example: WebEx Messenger
• Jabber now connects to available services, disabling features not available.
• Example:
  • No internet access to WebEx Messenger would not stop the use of voice/video services from UC Manager

Note: Services must be available for first time login

Jabber 11.9 delivers Enhanced Authorisation

• OAuth v2 (Open Authorisation) is an open standard for token based authentication and authorisation

• UC Manager 11.5SU3+ provides OAuth support with REFRESH tokens

• Once authenticated Jabber is issued with access tokens which it uses to access services.

• Token based authorisation provides faster reconnect to services

Jabber 11.9 OAuth: Updated Jabber Authorisation flow…

Jabber uses a discovery request to identify if OAuth flow is available.

Possible outcomes are
• UC Manager 9.x, 10.x, 11.0 (11.5, 12.x optional)
  • Username/password no refresh token
  • SAML-SSO no refresh token
• UC Manager 12.0 (incl. 11.5 SU3+)
  • OAuth 2.0 with refresh token
  • OAuth 2.0 with SAML-SSO and refresh token

IMPORTANT: CUCM, IM&P, UnityC and Expressway versions must be aligned to support new flow.

Enable feature using following Service parameter

[Diagram: Jabber 11.9 Client asking “Do I need to get a token”; IM&P Chat Service, Unity Connection Voicemail, UC Manager UDS Service; flow may be via expressway]

Jabber 11.9 OAuth: Updated Jabber Authorisation flow…

• Jabber discovers New Authorisation flow is being used.
• Authorisation Service redirects client to authentication Service before authorisation can take place.

[Diagram: IDP User, LDAP User, CUCM User; UC Manager Authentication; UC Manager Authorisation; Jabber 11.9 Client; IM&P Chat Service, Unity Connection Voicemail and UC Manager UDS Service marked “Authorised Users Only (Token required)”]

Jabber 11.9 OAuth: Updated Jabber Authorisation flow…

• Jabber will authenticate with Authentication service.
• Authentication method is dependent on UC Manager configuration

[Diagram: IDP User, LDAP User, CUCM User; UC Manager Authentication; UC Manager Authorisation; Jabber 11.9 Client; IM&P Chat Service, Unity Connection Voicemail and UC Manager UDS Service marked “Authorised Users Only (Token required)”]

Jabber 11.9 OAuth: Updated Jabber Authorisation flow…

• Authentication service refers Jabber back to Authorisation service
• Access and Refresh tokens issued

[Diagram: IDP User, LDAP User, CUCM User; UC Manager Authorisation; Jabber 11.9 Client; IM&P Chat Service, Unity Connection Voicemail and UC Manager UDS Service marked “Authorised Users Only (Token required)”]

Jabber 11.9 OAuth: Updated Jabber Authorisation flow…

• Once issued Access token used for service access
• All CUCM services, IM&P services trust token
• Unity Connection can also trust CUCM token

[Diagram: IDP User, LDAP User, CUCM User; UC Manager Authentication; UC Manager Authorisation; Jabber 11.9 Client; IM&P Chat Service, Unity Connection Voicemail, UC Manager UDS Service]

Jabber 11.9 OAuth: Updated Jabber Authorisation flow…

• Before access token life expires Jabber will use Refresh token to request new Access token from OAuth server.

No need to go back to User Authentication

[Diagram: IDP User, LDAP User, CUCM User; UC Manager Authentication; UC Manager Authorisation; Jabber 11.9 Client; IM&P Chat Service, Unity Connection Voicemail, UC Manager UDS Service; timer label “60 Mins”]

Jabber 11.9 OAuth: Updated Jabber Authorisation flow…

• When Refresh token expires full authentication required again

[Diagram: IDP User, LDAP User, CUCM User; UC Manager Authentication; UC Manager Authorisation; Jabber 11.9 Client; IM&P Chat Service, Unity Connection Voicemail and UC Manager UDS Service marked “Authorised Users Only (Token required)”; timer label “60 Days”]

Jabber 11.9 architecture: Putting it all together…

Call/Chat delivered to users clients

• Push Notification alerts Jabber of incoming chat/call
• Fast Login: Client uses cached config for quick service reconnect
• Off-line Login allows the client to by-pass unavailable services
• OAuth allows Jabber to quickly access authorised UC services
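The token lifetimes shown in the authorisation flow slides above (60-minute access token, 60-day refresh token) determine how often a user has to authenticate interactively. The following added example, which is not Cisco's implementation, models the client-side decision and replays it over time; the 15-minute refresh margin, the 30-minute polling interval, the fixed (non-sliding) refresh-token lifetime and the start date are assumptions.

```python
from datetime import datetime, timedelta

ACCESS_LIFETIME = timedelta(minutes=60)    # "60 Mins" on the slide
REFRESH_LIFETIME = timedelta(days=60)      # "60 Days" on the slide
REFRESH_MARGIN = timedelta(minutes=15)     # assumption: refresh this long before expiry


class TokenState:
    """Tokens held by the client after one full (interactive) authentication."""

    def __init__(self, authenticated_at):
        self.access_expires = authenticated_at + ACCESS_LIFETIME
        # Assumption: the refresh token lifetime is fixed from the moment of
        # authentication and is not extended by later refreshes.
        self.refresh_expires = authenticated_at + REFRESH_LIFETIME

    def next_action(self, now):
        """What the client must do before its next service request."""
        if now >= self.refresh_expires:
            return "FULL_AUTHENTICATION"     # refresh token expired
        if now >= self.access_expires - REFRESH_MARGIN:
            return "REFRESH_ACCESS_TOKEN"    # no user interaction needed
        return "USE_ACCESS_TOKEN"

    def refresh(self, now):
        """Exchange the refresh token for a new access token."""
        if now >= self.refresh_expires:
            raise PermissionError("refresh token expired, full authentication required")
        self.access_expires = now + ACCESS_LIFETIME


def simulate(days, step=timedelta(minutes=30)):
    """Replay a continuously running client; return (full_auths, refreshes)."""
    start = datetime(2017, 1, 1)             # constructed start time
    state = TokenState(start)
    full_auths, refreshes = 1, 0             # the initial login counts as one
    now, end = start + step, start + timedelta(days=days)
    while now <= end:
        action = state.next_action(now)
        if action == "FULL_AUTHENTICATION":
            state = TokenState(now)
            full_auths += 1
        elif action == "REFRESH_ACCESS_TOKEN":
            state.refresh(now)
            refreshes += 1
        now += step
    return full_auths, refreshes


if __name__ == "__main__":
    for period in (1, 60, 150):
        logins, refreshes = simulate(period)
        print(f"{period:3} days: {logins} interactive logins, {refreshes} silent refreshes")
```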

Deploying Jabber in a Virtual Environment

Cisco Jabber: Consistent User Experience Across Broad Range of Platforms and Devices

Desktop, Virtualized, Mobile, Web

Summary of Supported VDI Environments (11.9)

Vendor   Application    Version       VDI Operating System
Citrix   XenDesktop     7.5 -> 7.13   Windows 7, 8, 8.1, 10
Citrix   XenApp         7.5 -> 7.13   Windows Server 2012 R2, 2012, 2008 R2
VMware   Horizon View   6.0 -> 7.0    Windows 7, 8, 8.1, 10

For Citrix XenApp Published Application environments, VXME is only supported on Windows based endpoints

Deskphone Control Mode (CTI)

• Cisco Jabber in a virtual environment supports CTI functionality
  • Deskphone Control Mode
  • Extend and Connect
• Configuration remains the same as deploying on a standard desktop
  • Configure CTI profile for Deskphone Control Mode
  • Configure RD device type for Extend and Connect
• Jabber in virtual environments does not support deskphone video mode (CUVA mode)

[Diagram labels: DATACENTER, VDI]

Softphone: VDI Challenge

• Voice and Video embedded inside the display protocol
• Media terminated on VDI
• Expensive encode and decode
• Heavy processing on virtual desktop in data center
• Media flow via datacenter (hairpinning)
• Bandwidth Explosion
• Non encoded media sent inside display protocol
• Latency and Jitter

[Diagram: Data Center with Virtual Desktops and Cisco Unified CM; Thin Clients; flows labelled Display Protocol, Media Flow and Signalling]

Softphone: Convergence of VDI, Voice and Video

• Cisco Virtualization Experience Media Edition (VXME)
• Installed on VDI endpoint
• Bundles SIP stack and media engine
• Integrates with Citrix Receiver/VMware View Client
• Terminates media
• Removes hairpinning effect
• QoS support
• Seamless experience
• Cisco VXME enables Jabber softphone capabilities in virtual environments

[Diagram: Data Center with Virtual Desktops and Cisco Unified CM; Thin Clients with VXME; flows labelled Display Protocol, Signalling and Media]

Cisco VXME: Registration

[Diagram labels: Data Centre; Endpoint - User 1; Device Manager; HVD – User 1; VDI Agent; VXME Agent; Virtual Channel; VDI Client; SIP; Broker (Citrix or VMware); Cisco Jabber; Device Selector; VXME Plugin; Virtualization Experience Media Engine; IM&P (Optional); Unified CM with CTI Manager, SIP Line and UDS. Legend: XMPP Signalling, CTI Signalling, SIP Signaling, Display Protocol, API / Virtual Channel, Jabber Login \ Config (HTTPS)]

Cisco VXME: Making a Call

[Diagram labels: as for registration, with Endpoint User 1 and Endpoint User 2. Legend: XMPP Signalling, CTI Signalling, SIP Signaling, RTP Media (Voice, Video), Display Protocol, API / Virtual Channel]

Citrix XenDesktop with Jabber and VXME

[Diagram: DATACENTER running Jabber for Windows and VXME Agent; ICA/HDX to the VXME Client]

Citrix XenApp Published Desktop with Jabber and VXME

[Diagram: DATACENTER running Jabber for Windows and VXME Agent; ICA/HDX to the VXME Client]

VMware Horizon View with Cisco Jabber and VXME

[Diagram: DATACENTER running Jabber for Windows and VXME Agent; PCoIP to the VXME Client]

VXME: Supported Platforms

• VXME can be deployed on various OSes
  • Windows and WES
  • Certain Linux distributions
• Hardware specifications requirements are defined in product docs
• Video capabilities/quality is dependent on hardware specifications

Operating System                                   Device
Windows 7, 8, 8.1, 10 (32/64 bit)                  Hardware specifications based
Windows Embedded 7 (32/64 bit), 8 (64 bit)         Hardware specifications based
Windows ThinPC 32 bit, Windows 10 IOT              Hardware specifications based
Dell/Wyse SUSE Linux                               D50D, Z50D, D50Q, Z50Q, Z50QQ
Unicon eLux                                        Hardware specifications based
HP Thin Pro                                        Specific Platforms
Ubuntu 14.04 32bt LTS                              Hardware specifications based

Review

• Service Discovery is essential to providing the login user experience for your end users
• Jabber can connect to your corporate directory with minimal configuration
• Ensure your environment is ready for APNS!
• OAuth greatly enhances the user experience
• Jabber can be deployed in VDI. VXME is required for softphone mode in VDI

Thank you