Wednesday, November 08, 2017

UiPath Close Application Activity Value does not fall within the expected range.

While working in UiPath on a UCCX related RPA robot I found the Close Application activity was raising an exception

Main has thrown an exception

Source: Close application

Message: Value does not fall within the expected range.

I couldn't find a solid example of how to implement it correctly in the UiPath documentation but did find the UiPath Academy does provide a sample with the answer.  Ultimately you need to populate the Close Application Target.Selector property correctly.  It does not automatically inherit it from an Open Application activity.

Selector not populated
Selector populated (notepad.exe example)

You can find the appropriate value in one of two ways.  Simply using the Indicate on Screen feature of the Close Application activity to point to a running instance of your application will automatically populate the Target.Selector property.

No Screenshot Selected

Notepad selected (with error message)

Alternatively, you can use the UiExplorer on the Studio menu to find your application XML snippet and populate it manually.

I, for one, welcome our new RPA overlords.

Wednesday, October 11, 2017

End to end authentication and encryption in Cisco Collaboration and through MRA

It's 2017.  You want end to end authentication and encryption, outside and in.  You should see padlocks everywhere.

Here's how to get yours.
Ten easy steps (super abridged version):

Look for your padlocks!
  1. Sign your CUCM tomcat and CallManager certificates, IM&P tomcat, cup-xmpp and cup-xmpp-s2s certificates and UCXN tomcat certificate.
  2. Activate and start CAPF on CUCM and restart TFTP.
  3. Install LSCs on devices via CAPF enrollment.
  4. Change CUCM to Mixed Mode and restart TFTP and CallManager.
  5. Create a secure Phone Security Profile and apply to on-premise endpoints.
  6. Sign Expressway C server certificate and include an alternate name to use as a CUCM device security profile name.
  7. Sign Expressway E server certificate and include an alternate name of just domain.
  8. Configure Expressway C and E for MRA.
  9. Configure a secure Device Security Profile called your C alternative name and apply to outside CUCM devices.
  10. Make calls and enjoy the padlocks.
So you want secure audio to Unity Connection too?
  1. Apply a secure profile to the CUCM SIP trunk where the Subject Name is CUC FQDN and transports use TLS and port 5061.
  2. Change your CUC port group to use 5061/TLS, Next Generation Encryption and sRTP.
Extra credit fun notes:
  • If using TLS to secure communication between CUCM and your LDAP server, change the port from the default 389 to 636.

Friday, July 07, 2017

Unity Connection Cobras Export Import Schedule Detail Missing

I recently used the Cobras Export and Import tools found at to perform a physical to virtual migration and upgrade from Unity Connection 8.6 to 11.5.

One issue I found was that schedules with multiple details weren't imported completely.  I don't know if this is an issue with the export or the import process or possibly with the Connection versions but after checking the target 11.5 cluster I found only the first detail in the schedules with multiple details was restored.

It may also be worth noting that all the details in each of the affected schedules were named the same, for example "Detail for All Hours - All Days" used multiple times to describe individual detail for each day.  I don't remember seeing anyone use this technique elsewhere so it may also have been a contributing factor.

Lesson learned: check your schedules after your import is complete.

The Cobras Export for Connection version was 8.0.76 and Import for Connection was 8.0.92.

Friday, June 30, 2017

Failed to mount Cisco Prime Collaboration Deployments export as NFS store to the ESXi host.

Running Cisco PCD 11.5.3 to migrate / upgrade CUCM and IM&P from version 8 to 11, and from physical to new virtual C240 chassis.  After installing PCD on one of the chassis and adding the CUCM cluster to inventory, I had trouble adding the new C240 ESXi hosts to inventory.

After entering the correct ESXi interface address and double checking the root password, I was consistently returned an error that says:

"Failed to mount Cisco Prime Collaboration Deployments export as NFS store to the ESXi Host.  Please look at the exception details in PCD logs and check the ESXi logs for further details of the exceptions reported on PCD."

There were no obvious events in VMware corresponding to trying to add the hosts to inventory in PCD.  The PCD logs did have entries showing Java exceptions but there were no verbose comments to indicate what raised the errors, nor could I find any Cisco documentation regarding deciphering the logs.

There are lots of discussions on the Internet and Cisco's support forums regarding the common causes of this problem.

  1. Your VMware license type may be unsupported.  If you have the Cisco UC Virtualization Hypervisor (appears as "Hypervisor Edition" in vSphere Client) license installed, you can remove it temporarily and use the Evaluation Mode license.  I had no license installed yet and was in Evaluation Mode.
  2. Network issues like firewalls between PCD and the host or poor DNS implementations may cause this.  In my case, PCD was running on the same host I was trying to import with no firewall or ACLs between the PCD and ESXi networks.  DNS resolution worked forward and reverse everywhere.
  3. VMware being in lockdown mode may cause this.  This was easy to confirm from the VMware and ESXi configurations and I went so far as trying to set "utils os secure permissive" in the event something was overly restrictive in PCD's OS.

Ultimately my problem was an issue with an OVERLY COMPLEX PASSWORD on the ESXi root user account.

I didn't want to change the root user password as it was terribly complex and few knew it.  Adding a new user with a password comprised of just alpha characters allowed me to complete the ESXi import almost instantly though.

One challenge is ESXi 6 now enforces complex passwords by default, so this is easier said than done.

To support less complex passwords in ESXi 6 you can modify the security setting string under "Advanced Settings | Security".  The default ESXi 6 string is "retry=3 min=disabled,disabled,disabled,7,7".  From VMware's site: "With this setting, passwords with one or two character classes and pass phrases are not allowed, because the first three items are disabled. Passwords from three- and four-character classes require seven characters."

First I modified that string on the two chassis that would be running the enterprise. The much less restrictive string found in ESXi 5 is "retry=3 min=8,8,8,7,6".

Then I added a new user through my vSphere client that I would use for PCD purposes.  I planned to then delete it when the project was complete.  Here I added the "pcd" user, and because I already modified the ESXi security string I could use a simple password like "MyPassword".
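To see how the two strings quoted above treat a given password, the following added example (not part of the original post, and not VMware's or passwdqc's code) evaluates the min= rule in Python. It assumes the VMware-documented rule that a leading uppercase letter and a trailing digit do not count toward character classes; it ignores the passphrase value and every other passwdqc check, and the sample passwords other than "MyPassword" are constructed.

```python
import string

ESXI6_DEFAULT = "retry=3 min=disabled,disabled,disabled,7,7"  # from the post
ESXI5_STYLE = "retry=3 min=8,8,8,7,6"                          # from the post

def parse_min(setting):
    """Return the five min= thresholds; None means that kind is disabled."""
    for token in setting.split():
        if token.startswith("min="):
            values = token[len("min="):].split(",")
            if len(values) != 5:
                raise ValueError("min= needs five comma-separated values")
            return [None if v == "disabled" else int(v) for v in values]
    raise ValueError("setting has no min= option")

def char_classes(password):
    """Count classes (lower, upper, digit, other), skipping a leading
    uppercase letter and a trailing digit (assumed VMware-documented rule)."""
    counted = password
    if counted and counted[0] in string.ascii_uppercase:
        counted = counted[1:]
    if counted and counted[-1] in string.digits:
        counted = counted[:-1]
    classes = set()
    for ch in counted:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    return len(classes)

def accepts(setting, password):
    """Apply only the length-per-class rule; passphrases (third value) and
    passwdqc's other checks are not modelled."""
    one, two, _passphrase, three, four = parse_min(setting)
    required = {1: one, 2: two, 3: three, 4: four}.get(char_classes(password))
    return required is not None and len(password) >= required

if __name__ == "__main__":
    for pw in ("MyPassword", "Passw0rd1", "xK9#mPq"):  # last two are constructed
        print(pw, char_classes(pw),
              accepts(ESXI6_DEFAULT, pw), accepts(ESXI5_STYLE, pw))
```
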

Then I added the Administrator role to the pcd user so that PCD could actually manage the host.  This provides more privileges than is actually required but I did not want to troubleshoot permissions during the project and would be removing this account later regardless.

Adding the ESXi hosts to PCD inventory then worked instantly using the new "pcd" user and password.

In hindsight the PCD logs did reference:

2017-06-29 15:24:32,863 ERROR [pool-3-thread-14] db.DBEntity.hexStringToByteArray - Exception parsing int
java.lang.NumberFormatException: For input string: "y2"

I imagine if PCD is looking at the ESXi inventory password as a string of hex characters then using extended characters might break the process.  This is just conjecture though.

Monday, May 22, 2017

Cisco Quality Manager 11.5.1 SR6 with Microsoft SQL Server Express 2014

After smashing around in SQL for too long to get the basic QM communication to work (shown below), I found that Andrzej Gołębiowski  documented the same requirements at back in 2014.  He has some additional detail regarding SQL versions, service usage and best practices there. I encourage you to check it out.  My info is limited to the basics required to get QM running on a rainy Tuesday morning.

I was recently tasked with spinning up a Cisco WFO QM / Quality Manager instance for a demo to be run out of our own office.  Given it was only a demo I used a small stand alone OVA for QM (version 11.5(1) currently available here),  a trial version of Windows Server 2012 R2 ( and a  version of MS SQL Express 2014 (

When downloading MS SQL Express, choose the ExpressAndTools 64BIT\SQLEXPRWT_x64_ENU.exe version.  You may have to scroll down a bit on MS's page to find it.  Having the extra administration tools available up front is worth the extra few minutes it takes to download the media.

If you are not typically administering MS SQL servers, you will need to perform some SQL setup that is not documented in the Cisco QM install information.

You will need to enable TCP connections to SQL server.

  • Run Microsoft SQL Server Management Studio.
  • Right Click on your SQL server and choose Properties.
  • Verify Allow remote connections to this server is checked.

  • Run SQL Server Configuration Manager.
  • Expand SQL Server Network Configuration and select Protocols for SQLEXPRESS
  • Right Click TCP/IP and choose Enable.

You will need to set SQL Server to listen on a static port.

  • Still in SQL Server Configuration Manager...
  • Expand SQL Server Network Configuration and select Protocols for SQLEXPRESS
  • Right Click TCP/IP and choose Properties.
  • Choose the IP Addresses tab.
  • Scroll down to the IPAll section.
  • Remove the value in TCP Dynamic Ports.
  • Enter 1433 as the TCP Port

  • Still in SQL Server Configuration Manager...
  • Choose SQL Server Services.
  • Right Click SQL Server (SQLEXPRESS) and choose Restart
  • After the server is restarted, make note of the Process ID.
  • From the Windows CLI, run netstat -ano | find /i "<your process ID>"

The listening port should now be 1433.
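The netstat check above, as an added Python example that is not part of the original post: find /i matches the process ID as a substring anywhere in the line, so this parser compares the PID column exactly and reports only LISTENING TCP sockets. The netstat text and PID 2468 are constructed sample values.

```python
# Constructed sample of `netstat -ano` output (not captured from a real host).
# PID 2468 stands in for the SQL Server (SQLEXPRESS) process ID noted after restart.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:24680          0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2468
  TCP    192.168.10.20:1433     192.168.10.31:50544    ESTABLISHED     2468
  TCP    [::]:1433              [::]:0                 LISTENING       2468
  UDP    0.0.0.0:1434           *:*                                    1904
"""

def listening_tcp_ports(netstat_text, pid):
    """Return the sorted TCP ports on which exactly this PID is listening."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five columns; the header and UDP rows do not.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _proto, local, _foreign, state, owner = fields
        if state != "LISTENING" or owner != str(pid):
            continue
        # rsplit handles both 0.0.0.0:1433 and the IPv6 form [::]:1433.
        ports.add(int(local.rsplit(":", 1)[1]))
    return sorted(ports)

def static_port_ok(netstat_text, pid, expected=1433):
    """True only when the process listens on the expected port and no other."""
    return listening_tcp_ports(netstat_text, pid) == [expected]

if __name__ == "__main__":
    print(listening_tcp_ports(SAMPLE_NETSTAT, 2468))
    print(static_port_ok(SAMPLE_NETSTAT, 2468))
```
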

You will need to turn on the SQL Server Browser Services.

  • Still in SQL Server Configuration Manager
  • Choose SQL Server Services.
  • Right Click SQL Server Browser and choose Properties.
  • On the Service tab,  change the Start Mode to Automatic.
  • On the Log On tab, choose the Start Button.

Assuming you've previously followed the Cisco QM Installation guides, you should now be able to have QM make successful connections to SQL server.