Friday, April 22, 2016

CUCM Authentication URL format

When testing authentication against CUCM v10 using the Authentication URL, here is the format:

http://10.10.20.20:8080/ccmcip/authenticate.jsp?UserID=testusername&Password=testpassword&devicename=SEPAAAABBBBCCCC


Thursday, April 21, 2016

Singlwire Informacast Resiliency feature

Somewhere around version 9 Singlewire introduced a "resiliency" feature where you no longer had to depend on a single server to provide paging, alerting, bells, etc. to your masses.  You can now deploy multiple backup servers (much like CUCM, called subscribers) that would perform all the paging functions in the event the publisher or higher order subscribers failed.  Now that they are on version 11 and I haven't deployed one since about version 8, here are few tips to get you over the resiliency feature deployment that I bumped into today.

1. Send Commands to Phones by JTAPI

If you are familiar with the single server deployment model or audio paging solutions from other vendors, you may be familiar with the suggestion they all make to modify the CUCM cluster's Authentication URL.  The Singlewire documentation still addresses this in multiple places, which is good as it is a common point of failure in these types of deployments.  Singlewire and others will strongly recommend you change the default CUCM Authentication URL to a custom URL pointing to your fancy new paging server instead.  The idea here is to have all the phones authenticate to the paging server when they are sent a page request rather than potentially overloading the CUCM Publisher with those same authentication requests.  You don't want thousands of phones smashing on CUCM's Tomcat door just because your receptionist wants to announce she found a pair of sunglasses at the front desk. 

The challenge is now that if you have redundant paging servers, what do you use for the new Authentication URL?  Normally you would use a URL that points to the Singlewire server.  But now you have two (or three or whatever). If your first paging server fails and the second takes over all the paging functions, your phones are still going to look for the first paging server to authenticate against and nothing will work even if subscribers are up and healthy because there is no paging server to authenticate the page requests.

What do you do?

You use JTAPI instead of HTML requests.  HTML sounds way simpler to me and it's been how things were done for some time now.  Why not stick with it?  Quietly you will find the Singlwire subscriber servers use JTAPI regardless of how you've chosen to authenticate requests from the Singlewire publisher.  This solves the problem of what URL to change the CUCM Authentication URL to as you can now set the one and only option to your one and only paging server using HTML requests, the Singlewire publisher.  But since the subscribers use JTAPI rather than HTML, why not use JTAPI on the publisher as well?  Just do it.  When you buy another administration bolt on tool and it wants you to change the Authentication URL to itself as well you'll thank me.  How many daisy chained authentication server requests do you need?

On the publisher you will find the single checkbox option under Admin | Broadcast Parameters.



2. Unified Communications Application User

Having installed you subscriber and it looking healthy you decide to shutdown the publisher and actually test the resiliency function.  You dial a CUCM route pattern that was working perfectly when the publisher was up but now hear something like "We're sorry. No devices could be activated. Your broadcast will not be completed."  You know your SNMP and AXL settings are correct since your pages worked through the publisher and you know it's not a HTML authentication issue since you are using JTAPI now so what is the problem?

Although most of the configuration information in a resilient Singlewire solution is replicated from the publisher to the subscribers, the CUCM Application User settings are not. Why? Don't know.  They just aren't.

Log into your subscriber server HTML interface where you typically are prevented from really doing anything and set your CUCM Application User credentials there.  Go to Admin | Telephony | Cisco Unified Communications Manager Cluster | Edit Telephony Configuration and enter the user name and password there.




3. Stop / Restart the singlewireInformaCast service

How do you replicate a server failure to test resiliency?  You could shut down the whole server, maybe use a fancy network ACL, maybe just pull an Ethernet cable, whatever, because you just can't find a tool in the administrative interface to stop or restart services. 

From the main administration page, choose the Webadmin option.  This wil take you to another log in and adminstrative interface.  From there choose System | Bootup and Shutdown.  That's right.  You can simply stop and start services manually from the option labelled Bootup and Shutdown.  This is not terribly intuitive as far as I'm concerned but it works.  Scroll down the service list and click singlewireInformaCast.  You can Stop Now or Start Now on the Publisher server to simulate a server outage.

Here's what it looks like if you're in the right place:



Tuesday, March 29, 2016

Using Cisco UCCX CUIC as a wallboard and CSCun28885 Tomcat inactivity timeouts

A co-worker of mine was involved in a new Cisco UCCX roll-out where the client was looking to use a CUIC report on a large LED flat screen as a wallboard solution.  After creating the report, running it via a permalink and adjusting screen resolution and Internet Explorer zooming to make the report readable, the client found the result to be satisfactory.  They unfortunately realized that because Cisco Tomcat has a maximum inactivity timeout of 14400 seconds, their new wallboard would break overnight if there was no activity in the call center and CUIC would need to be shutdown and restarted every AM.

You can find some background here:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCun28885
https://supportforums.cisco.com/discussion/12538621/uccx-cuic-dashboard-timeout
https://supportforums.cisco.com/discussion/12934891/uccx-tomcat-session-timeout-values-can-not-be-updated-cscun28885

From some email exchanges it looked like every 4 hours or AM someone would need to:
  1. Kill Internet Explorer
  2. Start Internet Explorer back up.
  3. Navigate to the CUIC dashboard permalink.
  4. Login to the CUIC dashboard.
Being pressed for time he asked for help and here's the solution, as dirty as it may be, I came up with.

Powershell script to stop IE, start IE, navigate to a web page and log in:

#====================
# Script closes instances of IE,
# opens a new visible instance,
# navigates to a URL
# and logs into CUIC
# NOTE: user name and password stored here in clear text
#
# WebMaxtor
# 03/28/2016
#====================

# Edit this $Url to be the URL or IP address of the site to launch
# This could be the CUIC logon page or a dashboard permalink
# This assumes there will be no challenge to accept certificates
# Typical CUIC logon page URL below as example
$Url = 'https://uccx01.demo-domain.com:8444/cuic/Login.htmx'
# Edit this to be the username
$Username='rmaslanka3'
# Edit this to the corresponding password
$Password='12345'

# Close IE to eliminate timed out reports
#
# option 1:
# Get-Process iexplore | Foreach-Object { $_.CloseMainWindow() }
#
# option 2:
#(New-Object -COM "Shell.Application").Windows() |
#  ? { $_.Name -like "*Internet Explorer*" } |
#  % { $_.Quit() }
#
# option 3:
Get-Process iexplore | Stop-Process

# Wait a few seconds to be safe for processes stop if need be
while ($IE.Busy -eq $true)
{
Start-Sleep -Milliseconds 2000;
}

# Start a visible Internet Explorer instance
$IE = New-Object -com internetexplorer.application;
$IE.visible = $true;
$IE.navigate($url);

# Wait a few seconds and then log on
while ($IE.Busy -eq $true)
{
Start-Sleep -Milliseconds 2000;
}

# fill in the form and click submit button
$IE.Document.getElementById('j_username').value = $Username
$IE.Document.getElementByID('j_password').value=$Password
$IE.Document.getElementById('cuesLoginSubmitButton').Click()


Windows Batch file to make running powershell script easier:

@ECHO OFF
PowerShell.exe -NoProfile -Command "& {Start-Process PowerShell.exe -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""%~dpn0.ps1""' -Verb RunAs}"


The beauty of the batch file is if the powershell script and the batch file are named the same except for the file extension (i.e. MyFile.bat and MyFile.ps1) and reside in the same folder, you can just click the BAT file and you are off and running.

There are multiple methods to close IE via powershell and I can't be sure what will work best in your environment so be sure to test the three options or come up with your own.

The final step was then calling the BAT file from Window's Scheduled Tasks on a regular basis to ensure the report was not effected by the Tomcat inactivity timer.


Monday, March 14, 2016

VMware Workstation bridged network ping guest host

For years I've run Cisco UC servers on my laptop via VMware Player or VMware Workstation for testing interesting scenarios outside of production.  My latest laptop sports an Intel i5 with 8 GBs of RAM which is more than enough horsepower to run at least a couple small OVA servers in VMware Workstation 11.

The last time I tried to boot up a CUCM 10.5 server I was surprised to find I couldn't even ping between the host and guest.  The networking was set up pretty simply, used the default bridged VMware adapter and I was certain I used this server before.

The fix was ultimately to disable the DNE LightWeight Filter on the physical adapter on my laptop.  It seems to have been installed recently when I was forced to use Citrix to connect to a clients network remotely.

Below is a screenshot of the ping failures, the DNE Lightweight Filter correctly unchecked.  You hit OK at this point, the adapter resets and you might be in business again.



Good luck. Hope this helps.

Tuesday, February 23, 2016

Cisco Unity Connection and Office 365 Unified Messaging Integration

Helped a cohort out troubleshooting a new Unity Connection 11 and Office 365 Unified Messaging integration today.  A couple quick notes to help you out:
  • It's recommended to use Search for Hosted Exchange Servers.   
  • The Active Directory DNS Domain Name has been outlook .office365.com at the last few sites I've dealt with or deployed.
  • The username to access Exchange must be in the username@domain.com format.
  • As usual, Unity Connection errors can be misleading.  Here we were being returned a "Searching the network Failed to locate a Domain Controller via DNS." error.  Despite looking to be a network access or name resolution problem, it's actually a symptom of a bad password on the Exchange access account. 
Good job, Cisco.