Wednesday, December 20, 2017

Blocking Calls Based on Calling Party ID

There are several good write-ups on how to block incoming calls on CUCM according to the CLID of the caller.  The feature basically revolves around the ability to "Route next hop by CNGID".  To save reading another version, here's a link to one of the oldest and my favorite:

Here's an image that summarizes it all:

A big caveat I recently ran into is how calls arriving at CUCM over a SIP trunk are presented.  In my case, if a caller was hiding their caller ID, the From: field in the SIP header contained the word "anonymous" rather than being blank or containing zeros or the like.  The issue is that once you ask CUCM to route by calling ID, and the calling ID is a word rather than digits, CUCM can't natively handle a request to route the call to a word.  The call is rejected with a 404 error.

The link above includes references to a Lua script that might be applied to the SIP trunk in question.  It also later references a change to the same Lua script.

I'm frankly not terribly comfortable depending on these scripts since I didn't craft them myself, so I am effectively either relearning what they do on the fly or just blindly putting my faith in them.

The alternative I just used was this config on the CUBE routers in question:

voice class sip-profiles 10
 request ANY sip-header From modify "<sip:anonymous@" "<sip:0000000000@"
!
voice service voip
 sip
  ! inbound profile support and the profile itself live under the sip sub-mode
  sip-profiles inbound
  sip-profiles 10 inbound

It's a more aggressive version of the suggestion found here, which uses a SIP profile that modifies only INVITEs:

The idea is the same regardless.  Replace the useless caller ID (i.e., the word "anonymous") with something CUCM understands (i.e., 0000000000).
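As an added illustration (my own Python, not code from the post or from Cisco), here is a model of what that profile does to an inbound From: header and why the original value can't be routed by calling ID.  The INVITE sample, addresses and numbers are constructed; the invite_only switch mirrors the narrower INVITE-only profile mentioned above.

```python
import re

# Constructed sample: an inbound INVITE whose caller suppressed their CLID.
SAMPLE_INVITE = (
    "INVITE sip:5551234@cucm.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bK776\r\n"
    'From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=1928\r\n'
    "To: <sip:5551234@cucm.example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Privacy: id\r\n"
    "Content-Length: 0\r\n\r\n"
)
PLACEHOLDER_CLID = "0000000000"  # the digit string the profile substitutes


def from_user(sip_msg):
    """Return the user part of the From: URI, or None if there is none."""
    m = re.search(r"^[Ff]rom:.*?<sip:([^@>]+)@", sip_msg, re.M)
    return m.group(1) if m else None


def is_routable_clid(user):
    """Route-by-calling-party needs a digit string; 'anonymous' is not one."""
    return user is not None and user.isdigit()


def rewrite_anonymous_from(sip_msg, placeholder=PLACEHOLDER_CLID, invite_only=False):
    """Model of: request ANY sip-header From modify "<sip:anonymous@" "<sip:0000000000@".

    Only the From: header line is touched, and only the literal lower-case
    "<sip:anonymous@", just as the IOS rule matches it.  invite_only=True behaves
    like the narrower profile that modifies INVITEs only: other requests pass
    through unchanged, so their From: would still carry "anonymous".
    """
    method = sip_msg.split(" ", 1)[0]
    if invite_only and method != "INVITE":
        return sip_msg
    return re.sub(r"^([Ff]rom:.*?)<sip:anonymous@", rf"\1<sip:{placeholder}@",
                  sip_msg, flags=re.M)


def normalize_for_cucm(sip_msg):
    """Return the message CUCM would see plus whether its CLID is now routable."""
    fixed = rewrite_anonymous_from(sip_msg)
    return fixed, is_routable_clid(from_user(fixed))
```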

If you have been blocking calls like this and finding you and yours moving to SIP trunks, be forewarned and address it now.

Wednesday, November 08, 2017

UiPath Close Application Activity Value does not fall within the expected range.

While working in UiPath on a UCCX-related RPA robot, I found the Close Application activity was raising an exception:

Main has thrown an exception

Source: Close application

Message: Value does not fall within the expected range.

I couldn't find a solid example of how to implement it correctly in the UiPath documentation, but did find that the UiPath Academy provides a sample with the answer.  Ultimately you need to populate the Close Application activity's Target.Selector property correctly.  It does not automatically inherit it from an Open Application activity.

Selector not populated
Selector populated (notepad.exe example)

You can find the appropriate value in one of two ways.  Simply using the Indicate on Screen feature of the Close Application activity to point at a running instance of your application will automatically populate the Target.Selector property.

No Screenshot Selected

Notepad selected (with error message)

Alternatively, you can use UiExplorer from the Studio menu to find your application's XML selector snippet and populate the property manually.

I, for one, welcome our new RPA overlords.

Wednesday, October 11, 2017

End to end authentication and encryption in Cisco Collaboration and through MRA

It's 2017.  You want end to end authentication and encryption, outside and in.  You should see padlocks everywhere.

Here's how to get yours.
Ten easy steps (super abridged version):

Look for your padlocks!
  1. Sign your CUCM tomcat and CallManager certificates, your IM&P tomcat, cup-xmpp and cup-xmpp-s2s certificates, and your UCXN tomcat certificate.
  2. Activate and start CAPF on CUCM and restart TFTP.
  3. Install LSCs on devices via CAPF enrollment.
  4. Change CUCM to Mixed Mode and restart TFTP and CallManager.
  5. Create a secure Phone Security Profile and apply to on-premise endpoints.
  6. Sign Expressway C server certificate and include an alternate name to use as a CUCM device security profile name.
  7. Sign Expressway E server certificate and include an alternate name of just domain.
  8. Configure Expressway C and E for MRA.
  9. Configure a secure Device Security Profile named after your Expressway C alternate name and apply it to the CUCM devices that register from outside.
  10. Make calls and enjoy the padlocks.
So you want secure audio to Unity Connection too?
  1. Apply a secure profile to the CUCM SIP trunk to Unity Connection, with the Subject Name set to the CUC FQDN and the transport set to TLS on port 5061.
  2. Change your CUC port group to use 5061/TLS, Next Generation Encryption and SRTP.
Extra credit fun notes:
  • If using TLS to secure communication between CUCM and your LDAP server, change the port from the default 389 to 636.
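Steps 6, 7 and 9 only work when the certificate names line up with what CUCM and the endpoints expect, so here is an added Python check (mine, not Cisco's) that reads the DNS SAN entries out of an openssl certificate dump and reports which expected names are missing.  The certificate text and host names are constructed, and fetch_cert_text assumes the openssl binary is on the path.

```python
import re
import subprocess

# Constructed sample of `openssl x509 -noout -text` output for an Expressway C cert.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Subject: CN=expc.example.com, O=Example
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:expc.example.com, DNS:secure-mra-profile.example.com
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""


def san_dns_names(cert_text):
    """Return the DNS entries of the Subject Alternative Name (empty if none)."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", cert_text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e.split(":", 1)[1] for e in entries if e.startswith("DNS:")]


def missing_names(cert_text, required):
    """Names from `required` that the certificate does not carry as a DNS SAN.

    For Expressway C that list is the server FQDN plus the device security
    profile name; for Expressway E it is the server FQDN plus the bare domain.
    """
    present = {n.lower() for n in san_dns_names(cert_text)}
    return [n for n in required if n.lower() not in present]


def fetch_cert_text(host, port=5061, servername=None):
    """Live check: pull the leaf certificate with openssl s_client, dump as text."""
    sni = servername or host
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", sni],
        input=b"", capture_output=True, timeout=15)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=s_client.stdout, capture_output=True)
    return x509.stdout.decode()
```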

Friday, July 07, 2017

Unity Connection Cobras Export Import Schedule Detail Missing

I recently used the Cobras Export and Import tools found at to perform a physical to virtual migration and upgrade from Unity Connection 8.6 to 11.5.

One issue I found was that schedules with multiple details weren't imported completely.  I don't know if this is an issue with the export or the import process, or possibly with the Connection versions, but after checking the target 11.5 cluster I found that only the first detail in each schedule with multiple details was restored.

It may also be worth noting that all the details in each of the affected schedules were named the same, for example "Detail for All Hours - All Days" used multiple times to describe the individual detail for each day.  I don't remember seeing anyone use this technique elsewhere, so it may also have been a contributing factor.

Lesson learned: check your schedules after your import is complete.

The Cobras Export for Connection version was 8.0.76 and Import for Connection was 8.0.92.

Friday, June 30, 2017

Failed to mount Cisco Prime Collaboration Deployments export as NFS store to the ESXi host.

Running Cisco PCD 11.5.3 to migrate/upgrade CUCM and IM&P from version 8 to 11, and from physical servers to new virtual C240 chassis.  After installing PCD on one of the chassis and adding the CUCM cluster to inventory, I had trouble adding the new C240 ESXi hosts to inventory.

After entering the correct ESXi interface address and double checking the root password, I was consistently returned an error that said:

"Failed to mount Cisco Prime Collaboration Deployments export as NFS store to the ESXi Host.  Please look at the exception details in PCD logs and check the ESXi logs for further details of the exceptions reported on PCD."

There were no obvious events in VMware corresponding to trying to add the hosts to inventory in PCD.  The PCD logs did have entries showing Java exceptions, but there were no verbose comments to indicate what raised the errors, nor could I find any Cisco documentation on deciphering the logs.

There are lots of discussions on the Internet and Cisco's support forums regarding the common causes of this problem:

  1. Your VMware license type may be unsupported.  If you have the Cisco UC Virtualization Hypervisor license (appears as "Hypervisor Edition" in vSphere Client) installed, you can remove it temporarily and use the Evaluation Mode license.  I had no license installed yet and was in Evaluation Mode.
  2. Network issues like firewalls between PCD and the host, or poor DNS implementations, may cause this.  In my case, PCD was running on the same host I was trying to import, with no firewall or ACLs between the PCD and ESXi networks.  DNS resolution worked forward and reverse everywhere.
  3. VMware being in lockdown mode may cause this.  This was easy to confirm from the VMware and ESXi configurations, and I went so far as trying to set "utils os secure permissive" in the event something was overly restrictive in PCD's OS.

Ultimately my problem was an issue with an OVERLY COMPLEX PASSWORD on the ESXi root user account.

I didn't want to change the root user password as it was terribly complex and few knew it.  Adding a new user with a password composed of only alphabetic characters allowed me to complete the ESXi import almost instantly though.

One challenge is that ESXi 6 now enforces complex passwords by default, so this is easier said than done.

To support less complex passwords in ESXi 6 you can modify the security setting string under "Advanced Settings | Security".  The default ESXi 6 string is "retry=3 min=disabled,disabled,disabled,7,7".  From VMware's site: "With this setting, passwords with one or two character classes and pass phrases are not allowed, because the first three items are disabled. Passwords from three- and four-character classes require seven characters."

First I modified that string on the two chassis that would be running the enterprise.  The much less restrictive string used in ESXi 5 is "retry=3 min=8,8,8,7,6".
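To make the two strings comparable, here is an added Python model (mine, not VMware's or pam_passwdqc's code) of the character-class part of that min= policy.  It covers the five comma-separated slots and the passwdqc rule that a leading upper-case letter and a trailing digit are not counted as classes; it ignores the passphrase slot and the retry= option, and the sample passwords are constructed.

```python
import re

ESXI6_DEFAULT = "retry=3 min=disabled,disabled,disabled,7,7"
ESXI5_LEGACY = "retry=3 min=8,8,8,7,6"


def parse_min_policy(policy):
    """Return the five min= slots as ints, with None where a slot is 'disabled'.

    Slot order (passwdqc): 1 class, 2 classes, passphrase, 3 classes, 4 classes.
    """
    m = re.search(r"min=(\S+)", policy)
    if not m:
        raise ValueError("policy string has no min= option")
    slots = m.group(1).split(",")
    if len(slots) != 5:
        raise ValueError("min= needs exactly five comma-separated values")
    return [None if s == "disabled" else int(s) for s in slots]


def count_classes(password):
    """Count character classes the way passwdqc does: one upper-case letter at
    the start and one digit at the end are discounted, since they are the
    usual ways of padding a weak password."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "other": 0}
    for ch in password:
        if ch.islower():
            counts["lower"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["other"] += 1
    if password[:1].isupper():
        counts["upper"] -= 1
    if password[-1:].isdigit():
        counts["digit"] -= 1
    return sum(1 for n in counts.values() if n > 0)


def password_allowed(password, policy):
    """Return (allowed, reason) for the character-class rules of `policy`."""
    mins = parse_min_policy(policy)
    n = count_classes(password)
    if n == 0:
        return False, "no counted character classes"
    required = mins[{1: 0, 2: 1, 3: 3, 4: 4}[n]]  # slot 2 is the passphrase slot
    if required is None:
        return False, f"{n}-class passwords are disabled by this policy"
    if len(password) < required:
        return False, f"{n}-class passwords need {required} characters, got {len(password)}"
    return True, f"{n} classes and {len(password)} characters meet the minimum of {required}"
```

Under the ESXi 6 default a two-class password such as the "MyPassword" example is rejected outright, while under the ESXi 5 string it only needs eight characters.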

Then I added a new user through my vSphere client that I would use for PCD purposes.  I planned to then delete it when the project was complete.  Here I added the "pcd" user, and because I already modified the ESXi security string I could use a simple password like "MyPassword".

Then I added the Administrator role to the pcd user so that PCD could actually manage the host.  This provides more privileges than are actually required, but I did not want to troubleshoot permissions during the project and would be removing this account later regardless.

Adding the ESXi hosts to PCD inventory then worked instantly using the new "pcd" user and password.

In hindsight, the PCD logs did reference:

2017-06-29 15:24:32,863 ERROR [pool-3-thread-14] db.DBEntity.hexStringToByteArray - Exception parsing int
java.lang.NumberFormatException: For input string: "y2"

I imagine if PCD is looking at the ESXi inventory password as a string of hex characters then using extended characters might break the process.  This is just conjecture though.