Monday, September 28, 2015

CUCM using SIP phones as PLAR or ring down lines

A customer using Cisco 8841 and 8851 phones wanted to use a particular button on several phones as ring down or PLAR lines. The basic idea is that after accessing a DN, rather than being returned dial tone, you automatically call another number. This is common in elevators, emergency phones, common areas, etc.

The steps below are found in various CUCM documents, but step 5 needs a bit of clarification.  Since the phones I was testing with are SIP based running sip88xx.10-3-1-20, you do indeed need to apply SIP dial rules to the phone devices, but configuring the rule takes one more bit of information. See my italics and pictures.  This technique that includes defining the button used as the PLAR seems to be required for multiple button Cisco 7800 and 8800 series phones.

Note: if you are using Cisco 3905 phones as ring down / PLAR devices, you do not and should not define the button in the SIP dial pattern. 

I've modified some of the other steps to hopefully help avoid confusion as well.

How to Configure Cisco multiple line SIP phones as PLAR / ring down phones

Step 1:
Create a partition, for example, P1, and a calling search space, for example, CSS1, so that CSS1 contains P1. (In Cisco Unified Communications Manager Administration, choose Call Routing > Class of Control > Partition or Calling Search Space.)

Step 2:
Create a null (blank) translation pattern, for example, TP1, in partition P1. In this null (blank) pattern, make sure that you enter the directory number for the PLAR destination in the Called Party Transformation Mask field and that the translation pattern uses a CSS that has access to that destination. (In Cisco Unified Communications Manager Administration, choose Call Routing > Translation Pattern.)

Step 3:
Assign the calling search space, CSS1, to either a device or line on a phone that will be dialing automatically. (In Cisco Unified Communications Manager Administration, choose Device > Phone.) 

Step 4:
For phones that are running SIP, create a SIP dial rule. (In Cisco Unified Communications Manager Administration, choose Call Routing > Dial Rules > SIP Dial Rules. Choose 7940_7960_OTHER. Enter a name for the pattern; for example, PLAR1. Click Save; then, click Add Plar. Click Save.) 

Here's the missing piece:  after you click Add Plar you must define what button number on the phone has the DN that is acting as the PLAR.  Leaving the PLAR default will show you a line with a blank pattern.  While this seems correct as it is similar to the blank translation pattern you created earlier, it will not work.

Here's a working SIP Dial rule:

The device where this will be applied will automatically dial when the fourth DN / button is accessed.
In addition, if you mistakenly choose Add Pattern rather than Add PLAR and make it look just like the above rule, your PLAR will still not work.

Here's a great looking SIP Dial rule that doesn't work:

Looks good, works badly.

Step 5:
For phones that are running SIP, assign the SIP dial rule configuration that you created for PLAR to the phones. (In Cisco Unified Communications Manager Administration, choose Device > Phone. Choose the SIP dial rule configuration from the SIP Dial Rules drop-down list box.)

FYI... here's another post of mine from years ago reiterating the first several steps suitable for SCCP devices

Sunday, September 20, 2015

Cisco CUCM weak ephemeral Diffie-Hellman public key

At the time of this writing, one or more SSL vulnerabilities discovered in CUCM’s web server may suddenly prevent you from accessing the administrative interface. This is the result of various Internet browser upgrades attempting to protect you from these vulnerabilities but, in the process, preventing access to the CUCM web pages. The good news is that because your CUCM servers are typically not exposed to remote users, the only threat would be from malicious users inside your network, and then only malicious users extremely knowledgeable in these vulnerabilities and possible exploits, and then only those literate in Cisco CUCM or other UC applications. While compromises to your CUCM server's security may be unlikely, keeping up to date with software patches / upgrades is prudent.

Your new browser looking out for your best interests.
For your reference, Cisco publishes information re: security advisories here:

Google has decided to be rather unforgiving (maybe call it condescending?) and not even provide an interactive way for a Chrome user to opt out of their security measures.

The real fix is to upgrade / patch your systems to versions that rectify the vulnerabilities.

In the interim, there are workarounds for most browsers if you care to suggest your users go that route.

For Firefox (the one I use):
Navigate to about:config in the address bar.
Choose “I’ll be careful”
Search for security.ssl3.dhe_rsa_aes
Double click security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha to change them to false.
Restart Firefox.

For Chrome (I haven’t tried this personally but it is the commonly referenced workaround):
In MS Windows, right click on desktop and choose New | Shortcut
In the location field, enter the following, including the double quotation marks: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0039,0x0033
Choose Next and enter a name like “CUCM Chrome” and Finish.
You should be able to use that shortcut to start a version of Chrome that can access the CUCM interface.
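
To confirm which servers still offer a weak ephemeral Diffie-Hellman key, and that an upgrade actually removed it, you can classify the "Server Temp Key" line that openssl s_client prints. This is an added example, not part of the original post: the function names, the placeholder hostname, the 1024-bit default floor and the sample outputs are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample outputs are constructed.
MIN_DH_BITS="${MIN_DH_BITS:-1024}"   # assumed policy floor; use 2048 to be stricter

# Read `openssl s_client` output on stdin and print one verdict line.
classify_temp_key() {
  # Relevant line: "Server Temp Key: DH, 768 bits" or
  # "Server Temp Key: ECDH, P-256, 256 bits"
  line=$(sed -n 's/^Server Temp Key: *//p' | head -n 1)
  if [ -z "$line" ]; then
    # Static-RSA key exchange, or the handshake failed before completing
    echo "NO_TEMP_KEY"
    return 0
  fi
  kind=${line%%,*}
  bits=$(printf '%s\n' "$line" | sed -n 's/.*[ ,]\([0-9][0-9]*\) bits.*/\1/p')
  bits=${bits:-0}
  if [ "$kind" = "DH" ] && [ "$bits" -lt "$MIN_DH_BITS" ]; then
    echo "WEAK_DHE $bits"
  elif [ "$kind" = "DH" ]; then
    echo "OK_DHE $bits"
  else
    echo "NOT_DHE $kind"
  fi
}

# Live check: offer only DHE suites so the server has to show its DH group size.
# Usage: probe_host cucm-pub.example.internal 443   (placeholder hostname)
probe_host() {
  openssl s_client -connect "$1:${2:-443}" -cipher 'DHE' </dev/null 2>/dev/null |
    classify_temp_key
}

# Constructed s_client excerpts standing in for an unpatched and a patched server.
sample_unpatched() {
  printf '%s\n' 'No client certificate CA names sent' \
    'Server Temp Key: DH, 768 bits' '---' 'SSL handshake has read 2241 bytes'
}
sample_patched() {
  printf '%s\n' 'No client certificate CA names sent' \
    'Server Temp Key: ECDH, P-256, 256 bits' '---'
}

echo "unpatched sample: $(sample_unpatched | classify_temp_key)"
echo "patched sample:   $(sample_patched | classify_temp_key)"
```

A NO_TEMP_KEY verdict from probe_host can also mean your local OpenSSL refused the handshake, so rerun the openssl command without the stderr redirect to see the error before treating the server as clean.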