Tuesday, February 24, 2015

CUCM <None> CSS and PT

From an old CUCM Sytem Guide:

"Before you configure any partitions or calling search spaces, all directory numbers (DN) reside in a special partition named <None>, and all devices are assigned a calling search space also named <None>. When you create custom partitions and calling search spaces, any calling search space that you create also contains the <None> partition, while the <None> calling search space contains only the <None> partition."

Short story:
  • <None> partition is accessible from everywhere.
  • <None> calling search space can only access the <None> partition.

Thursday, February 05, 2015

Cisco Unity Connection CLID / Calling Number modifications in email notifications or Unified Messaging

Customer asked to have the leading PSTN access code digits removed from the CLID that was shown in email notifications / Unified Messages accessible in Outlook.

When an incoming call was presented to users, they were accustomed to seeing a 9 or a 91 in front of a number in the phone CLID display.  They liked this, as it allowed them to dial from the received calls or missed calls on their Cisco phones.

If a call went to voice mail, users were likely away from their phones and were picking up the messages on their smart phones remotely via an MS Exchange integration.  The problem then was that the phone number couldn't be clicked and dialed from the smartphone with the same leading 9 or 91 used for outgoing calls on their desk phone.

For example...
  • Incoming call from Joe's Pizza at 1(585)555-1212 shows up as 915855551212 on the Cisco phone display.  This is good, as it can be returned from the phone's directories without editting the number.
  • Incoming call from Joe's Pizza at 1(585)555-1212 gets forwarded to Unity Connection, and the message is delivered to your iPhone with the CLID of 915855551212. This is bad because the iPhone doesn't know you use a 9 in your office to make calls and considers it an invalid number.
Note: Need a picture or more detail here

My fix was to set the Calling Party Transformation Mask to XXXXXXXXXX on the voice mail's hunt pilot.  This allows the 10 CLID digit format iPhone's like to be passed to Unity Connection.  Then you also need to check Use Calling Party's External Phone Number Mask in the hunt pilot as well.

Wednesday, February 04, 2015

Cisco CUCM VMware tools install issue

Just ran into a customer running CUCM 9.1.2 where I was tasked with adding another subscriber to the cluster.  Good fun with a new C240 chassis, and all things went as planned until I found I could not install VMware tools on the server.

Given it's version 9, I first tried the simple method to install from the vSphere client. Normally you can right-click the guest server and choose Guest | Install / Upgrade VMware tools.  My experience is this is typically a 30 second process, but after a couple minutes I felt it was failing and cancelled the install from the same menu.

I was able to edit the server properties through the vSphere client and under the Advanced section, checked the Check and upgrade Tools during power cycling option, but I wasn't in the mood to wait for a graceful restart, nor interupt any services.

Instead, I SSH'd to the server and  ran "utils os secure permissive".  This basically stops the CUCM firewall.

I then tried the install via the vSphere client and boom, 30 seconds or so later they are installed an up to date.

Then, for good measure ran "utils os secure enforce" to re-enable the firewall.

Good one.

For your install options per app and version, see: http://docwiki.cisco.com/wiki/VMware_Tools

For a similar thread and my inspiration, see: https://supportforums.cisco.com/discussion/12274396/cucm-105-vmware-tools

Tuesday, December 23, 2014

VCS Certificate Creation and Use Notes

Q1: The "Cisco TelePresence VCS Certificate Creation and Use Deployment Guide Cisco VCS X8.2" indicates when generating the CSR on Expressway Core for MRA, you need to include the FQDNs of all the CUCM phone security profile names.  Given the phone security profiles are typically in the format of  "Cisco 7841 - Standard SIP Non-Secure Profile", what would be the FQDN of this profile?

A1: The answer is actually in the "Unified Communications Mobile and Remote Access via Cisco VCS Deployment Guide Cisco VCS X8.2", not the certificate guide.

“The Phone Security  Profiles in Unified CM  (System  > Security > Phone  Security Profile ) that are configured for TLS and are used for devices  requiring remote access must have a name in the form of an FQDN that includes the enterprise domain, for example jabber.secure.example.com. (This is because those names must be present in the list of Subject Alternate Names in  the VCS Control's server certificate.)”  

So, instead of adding a profile called “Standard Secure EX90 Profile”, you need to add a profile called EX90.secure.example.com and add each of those profile FQDNs to the CSR on Expressway Core.


Q2:  In a working MRA (Mobile Remote Access) environment, you upload new certificates signed by a public CA / certificate authority to both your VCS / Expressway Edge and Core.  The MRA (Mobile Remote Access) Traversal Zone looks good on both VCS / Expressway servers but your remote Jabber clients return a "cannot communicate with the server" message.  Checking the VCS logs, you find errors like this:

portforwarding: Level="ERROR" Detail="Client control socket open failed" forwarding="localhost:8191:localhost:8192" host="expressway-edge1.mydomainname.com" id="59XXXXXX-9XXXX-1XXX-9XXX-0010XXXXXXXX" retcode="255" err="ssh_x509store_cb: subject='OU=Domain Control Validated,OU=COMODO SSL Unified Communications,CN=expressway-edge1.mydomainname.com', error 20 at 0 depth lookup:unable to get local issuer certificate
 ssh_verify_cert: verify error, code=20, msg='unable to get local issuer certificate'
 key_verify failed for server_host_key
 " UTCTime="2014-12-31 17:42:12,345"

A2: The issue is when you receive the new certificate for the server and install it, you should / need to install the entire certificate chain your CA provided.   This includes the trusted CA root certs. As an example, here where we used a certificate signed by Comodo, there were three other root and intermediate certificates supplied by Comodo that need to be installed as well.  They also need to be installed on both the Edge and Core servers.  Do not assume that since you already see your CA name on the VCSs' trusted lists that new certificates issued for the servers will work.


Q3:  You installed a publicly signed certificate on both the Expressway Edge and Core servers but MRA (Mobile Remote Access) users are still being challenged to accept certificates.  What do you look for?

A3:  From the "Cisco Expressway Certificate Creation and Use Deployment Guide" (note: this guide appears to be updated regularly with new information):
For Mobile and remote access deployments, the Expressway-C server certificate needs to include all the Unified CM phone security profile names, and all the IM and Presence chat node aliases. The Expressway-E server certificate needs to include all the Unified CM registrations domains, the XMPP federation domains and the IM and Presence chat node aliases.

Also note, the the Unified CM registrations domains need to be preceded with a "collab-edge".  So... if your CUCM domain is mydomain.com, you need to include an entry in the CSR that loks like collab-edge.mydomain.com.  Since this doesn't seem to make sense, you might try to use the SRV name format of _collab-edge._tls.mydomain.com when generating the CSR.  The current Expressway-E server has an option for this, makes total sense, but you'll likely find your CA doesn't support that name format.  Don't bother.  Use the DNS format with just the collab-edge prefix.

Tuesday, November 04, 2014

Cisco AnyConnect Secure Mobility Client list of networks drop down

Using the Cisco AnyConnect Secure Mobility Client vesion 3.1.04066, I found the first network you connect to is the only network that is automatically retained in the VPN drop down list.  I regularly need to connect to dozens of networks to provide support, so being able to populate that list and refer to it later is very helpful.

The older Cisco VPN Client allowed for a pretty simple method to add or import profiles.  Each network profile was stored in a seperate PCF file.  This would allow you to maintain a list of locations / networks in the client that you could connect to simply by choosing one on a list.

The newer Cisco AnyConnect Secure Mobility Client doesn't use provide the same method to create or maintain a list of networks. There is a drop down list though, so how does a user populate it?

On a Windows 7 machine you will find a single XML file in the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder. The one on my machine is called AnyConnect_Essentials_client_profile.xml.

In that file you will find a section that looks something like:


I found that if you simply add a second HostEntry section, the VPN client drop down list will include the second network you want to connect to.


Choose you entry from the list, click connect and Ta-Da!