Re: [cisco-voip] Cube Recording Configuration

2016-04-01 Thread Daniel Ohnesorge via cisco-voip
Hi All,

I think the config looks correct;

- Dial-peer 1 is the dial-peer you want to record so you apply media-class 30
- Media-class 30 is associated with recorder 400
- Recorder 400 is associated with media-recording 3 (in other words dial-peer 3)
- Dial-peer 3 is the 'SIP Trunk' towards MediaSense

On MediaSense you would need to make sure 450123 is configured to record but 
I'm sure you've configured that already.

I've had some really weird issues with MediaSense in the past where CUCM was 
sending TCP SYN on port 5060 but MediaSense never responded. A cluster reboot 
of MediaSense solved that issue. Perhaps take an IP Traffic Export on the 
router to see if it is sending TCP SYN and if MediaSense is responding.

Sent from my iPhone

> On 2 Apr 2016, at 02:02, Anthony Holloway  
> wrote:
> 
> First of all, be careful doing this in production:
> 
> voice service voip
>  ip address trusted list
>   ipv4 0.0.0.0 0.0.0.0
> 
> That is just reducing the security of your application and opening you up to 
> abuse.  It's fine for troubleshooting and eliminating it as root cause, but 
> then remove it and add addresses/subnets in there to lock down from where you 
> will accept control traffic from.
> 
> One last thing on this topic, since your dial-peers 2 and 3 already point to 
> IP addresses of SIP peers, you don't need to even do anything more.  That 
> simple fact already permits those IP addresses to send you control traffic.
> 
> Ok, on to the recording bit.  I have not done this task myself, but looking 
> quickly through the following document:
> 
> http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/voi-ntwk-based.html
> 
> ...it looks like you might have at least one error in your configuration.
> 
> The one error I think you have:  Your "media-class 30" dial-peer command 
> should be on dial-peer 3, not dial-peer 1.
> 
>> On Fri, Apr 1, 2016 at 3:56 AM, daniele visaggio 
>>  wrote:
>> Good morning,
>> 
>> I'm trying to record calls via CUBE. It doesn't work. This means that on the 
>> recording server I can't see any SIP invite incoming from CUBE.
>> 
>> Scenario:
>> 
>> Phone --- CUCM --- SIP --- CUBE  ITSP  PSTN
>>   |
>>   |
>> Recording Server
>> 
>> 
>> Let's say I want to record all calls going to the PSTN.
>> 
>> This is my config:
>> 
>> #
>> !
>> voice service voip
>>  ip address trusted list
>>   ipv4 0.0.0.0 0.0.0.0
>>  allow-connections sip to sip
>> !
>> media profile recorder 400
>> media-recording 3
>> !
>> media class 30
>> recorder profile 400
>> !
>> !
>> dial-peer voice 1 voip
>> description :: Incoming calls from CUCM ::
>> session protocol sipv2
>> incoming called-number .
>> media-class 30
>> codec g711ulaw
>> !
>> dial-peer voice 2 voip
>> description :: To ITSP/PSTN ::
>> destination-pattern 0T
>> session protocol sipv2
>> session target ipv4:10.128.179.12
>> codec g711ulaw
>> !
>> dial-peer voice 3 voip
>> description :: To Recorder Server ::
>> destination-pattern 450123
>> session protocol sipv2
>> session target ipv4:10.130.221.218
>> codec g711ulaw
>> !
>> 
>> 
>> I double checked the configuration and it seems correct to me.  
>> 
>> Is there something else I need to do? Can someone spot an error? 
>> 
>> 
>> Thank you,
>> 
>> Daniele
>> 
>> 
>> ___
>> cisco-voip mailing list
>> cisco-voip@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
> 
> 

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
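
The two points made in this message, as an added example (not code from any poster in the thread or from Cisco): a Python check that parses the posted configuration, flags the catch-all trusted-list entry Anthony warns about, and resolves the media-class, recorder profile and dial-peer chain Daniel lists. It reads only the commands that appear in this thread, takes Anthony's statement that dial-peer session targets are already permitted as given, and uses 192.0.2.10 as a placeholder for the CUCM address, which the thread does not give.

```python
import ipaddress
import re

# Constructed from the configuration posted in the thread; only the lines this
# check reads are kept, unindented as they were pasted.
THREAD_CONFIG = """\
voice service voip
 ip address trusted list
  ipv4 0.0.0.0 0.0.0.0
 allow-connections sip to sip
!
media profile recorder 400
media-recording 3
!
media class 30
recorder profile 400
!
dial-peer voice 1 voip
media-class 30
!
dial-peer voice 2 voip
session target ipv4:10.128.179.12
!
dial-peer voice 3 voip
session target ipv4:10.130.221.218
"""

HEADERS = [("voice", re.compile(r"voice service voip$")),
           ("recorder", re.compile(r"media profile recorder (\d+)$")),
           ("class", re.compile(r"media class (\d+)$")),
           ("peer", re.compile(r"dial-peer voice (\d+) voip$"))]

def parse_cube_config(text):
    """Extract the trusted list, recorder profiles, media classes and dial-peers."""
    cfg = {"trusted": [], "recorders": {}, "classes": {}, "peers": {}}
    section, key, in_trusted = None, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("", "!"):
            section = None if line == "!" else section  # "!" closes a section
            continue
        hit = next(((n, rx.match(line)) for n, rx in HEADERS if rx.match(line)), None)
        if hit:
            section, in_trusted = hit[0], False
            key = int(hit[1].group(1)) if hit[1].groups() else None
            if section == "peer":
                cfg["peers"][key] = {"media_class": None, "target": None}
        elif section == "voice":
            m = re.match(r"ipv4 (\S+)(?: (\S+))?$", line)
            if line == "ip address trusted list":
                in_trusted = True
            elif in_trusted and m:  # an entry without a mask is a single host
                net = f"{m.group(1)}/{m.group(2) or '255.255.255.255'}"
                cfg["trusted"].append(ipaddress.ip_network(net, strict=False))
            else:
                in_trusted = False
        elif section == "recorder" and line.startswith("media-recording "):
            cfg["recorders"][key] = [int(t) for t in line.split()[1:]]
        elif section == "class" and (m := re.match(r"recorder profile (\d+)$", line)):
            cfg["classes"][key] = int(m.group(1))
        elif section == "peer":
            if m := re.match(r"media-class (\d+)$", line):
                cfg["peers"][key]["media_class"] = int(m.group(1))
            elif m := re.match(r"session target ipv4:([\d.]+)", line):
                cfg["peers"][key]["target"] = ipaddress.ip_address(m.group(1))
    return cfg

def open_trusted_entries(cfg):
    """Trusted-list entries that match every source (the 0.0.0.0 0.0.0.0 case)."""
    return [net for net in cfg["trusted"] if net.prefixlen == 0]

def recording_chain(cfg, tag):
    """Follow dial-peer -> media class -> recorder profile -> recording dial-peer(s)."""
    peer = cfg["peers"].get(tag)
    if not peer or peer["media_class"] is None:
        return None
    profile = cfg["classes"].get(peer["media_class"])
    rec_peers = cfg["recorders"].get(profile, [])
    targets = [cfg["peers"][t]["target"] for t in rec_peers if t in cfg["peers"]]
    return {"profile": profile, "recording_peers": rec_peers, "targets": targets}

def locked_down_trusted_list(cfg, inbound_only):
    """Trusted list with explicit entries only for sources no dial-peer targets."""
    covered = {p["target"] for p in cfg["peers"].values()}
    lines = ["voice service voip", " ip address trusted list"]
    for src in inbound_only:
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen == 32 and net.network_address in covered:
            continue  # already permitted as a session target, per the thread
        mask = "" if net.prefixlen == 32 else f" {net.netmask}"
        lines.append(f"  ipv4 {net.network_address}{mask}")
    return lines

if __name__ == "__main__":
    cfg = parse_cube_config(THREAD_CONFIG)
    print("catch-all trusted entries:", open_trusted_entries(cfg))
    print("recording chain for dial-peer 1:", recording_chain(cfg, 1))
    # 192.0.2.10 is a placeholder for the CUCM address, which the thread omits.
    print("\n".join(locked_down_trusted_list(cfg, ["192.0.2.10"])))
```

Dial-peer 1 in the posted configuration has no session target, so a source that only sends calls inbound on it is the kind of address that needs its own trusted-list entry once the catch-all is removed.
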


Re: [cisco-voip] bandwidth restrictions for MRA clients - necessary or not?

2016-04-04 Thread Daniel Ohnesorge via cisco-voip
You can set up Device Mobility for the Expressway-C /32 address which means if 
anything is registered in CUCM with the -C IP, it will be placed in a Device 
Pool of your choosing. We have implemented this and it works great.

Sent from my iPhone

> On 4 Apr 2016, at 23:39, Lelio Fulgenzi  wrote:
> 
> 
> quick question... how are people restricting the video/audio bandwidth for 
> Jabber MRA clients or physical phone MRA clients for that matter?
> 
> we have not had to use locations or enabled mobility (i think that's the IP 
> Address based feature) since we have high speed, low latency WAN links to our 
> locations.
> 
> is it even a problem that I need to consider?
> 
> i'd like to make sure we have the best video quality while on-campus 
> (including those connected via high speed WAN links), so i've set the default 
> bw to 10mbps.
> 
> i'm wondering how that will impact MRA clients.
> 
> ---
> Lelio Fulgenzi, B.A.
> Senior Analyst, Network Infrastructure
> Computing and Communications Services (CCS)
> University of Guelph
> 
> 519‐824‐4120 Ext 56354
> le...@uoguelph.ca
> www.uoguelph.ca/ccs
> Room 037, Animal Science and Nutrition Building
> Guelph, Ontario, N1G 2W1
> 
> 


Re: [cisco-voip] Cube Recording Configuration

2016-04-04 Thread Daniel Ohnesorge via cisco-voip
I'll test it in the lab some time this week but I'm not sure what the problem 
could be.

Sent from my iPhone

> On 4 Apr 2016, at 23:27, daniele visaggio  wrote:
> 
> Thank you for all of your responses.
> 
> Sadly i'm still not able to get this working. 
> 
> @daniel
> 
> for the time being I have no mediasense server. It's just a microsip client + 
> wireshark (this is to simulate the recorder and look up the signaling). The 
> problem is that I can't see any signaling whatsoever reaching my fake 
> recorder. dial-peer on cube are all using udp, so in wireshark/microsip I 
> expect to see at least an incoming invite.
> 
> Btw I tried with tcp too and even then I couldn't spot any incoming SYN 
> packet. 
> 
> It seems the dial-peer pointing the fake recorder simply doesn't get matched 
> (so no signaling).
> 
> 2016-04-01 21:59 GMT+02:00 :
>> Hi All,
>> 
>> I think the config looks correct;
>> 
>> - Dial-peer 1 is the dial-peer you want to record so you apply media-class 30
>> - Media-class 30 is associated with recorder 400
>> - Recorder 400 is associated with media-recording 3 (in other words 
>> dial-peer 3)
>> - Dial-peer 3 is the 'SIP Trunk' towards MediaSense
>> 
>> On MediaSense you would need to make sure 450123 is configured to record but 
>> I'm sure you've configured that already.
>> 
>> I've had some really weird issues with MediaSense in the past where CUCM was 
>> sending TCP SYN on port 5060 but MediaSense never responded. A cluster 
>> reboot of MediaSense solved that issue. Perhaps take an IP Traffic Export on 
>> the router to see if it is sending TCP SYN and if MediaSense is responding.
>> 
>> Sent from my iPhone
>> 
>>> On 2 Apr 2016, at 02:02, Anthony Holloway  
>>> wrote:
>>> 
>> 
>>> First of all, be careful doing this in production:
>>> 
>>> voice service voip
>>>  ip address trusted list
>>>   ipv4 0.0.0.0 0.0.0.0
>>> 
>>> That is just reducing the security of your application and opening you up 
>>> to abuse.  It's fine for troubleshooting and eliminating it as root cause, 
>>> but then remove it and add addresses/subnets in there to lock down from 
>>> where you will accept control traffic from.
>>> 
>>> One last thing on this topic, since your dial-peers 2 and 3 already point 
>>> to IP addresses of SIP peers, you don't need to even do anything more.  
>>> That simple fact already permits those IP addresses to send you control 
>>> traffic.
>>> 
>>> Ok, on to the recording bit.  I have not done this task myself, but looking 
>>> quickly through the following document:
>>> 
>>> http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/voi-ntwk-based.html
>>> 
>>> ...it looks like you might have at least one error in your configuration.
>>> 
>>> The one error I think you have:  Your "media-class 30" dial-peer command 
>>> should be on dial-peer 3, not dial-peer 1.
>>> 
>>>> On Fri, Apr 1, 2016 at 3:56 AM, daniele visaggio 
>>>>  wrote:
>>>> Good morning,
>>>>
>>>> I'm trying to record calls via CUBE. It doesn't work. This means that on 
>>>> the recording server I can't see any SIP invite incoming from CUBE.
>>>>
>>>> Scenario:
>>>>
>>>> Phone --- CUCM --- SIP --- CUBE  ITSP  PSTN
>>>>   |
>>>>   |
>>>> Recording Server
>>>>
>>>>
>>>> Let's say I want to record all calls going to the PSTN.
>>>>
>>>> This is my config:
>>>>
>>>> #
>>>> !
>>>> voice service voip
>>>>  ip address trusted list
>>>>   ipv4 0.0.0.0 0.0.0.0
>>>>  allow-connections sip to sip
>>>> !
>>>> media profile recorder 400
>>>> media-recording 3
>>>> !
>>>> media class 30
>>>> recorder profile 400
>>>> !
>>>> !
>>>> dial-peer voice 1 voip
>>>> description :: Incoming calls from CUCM ::
>>>> session protocol sipv2
>>>> incoming called-number .
>>>> media-class 30
>>>> codec g711ulaw
>>>> !
>>>> dial-peer voice 2 voip
>>>> description :: To ITSP/PSTN ::
>>>> destination-pattern 0T
>>>> session protocol sipv2
>>>> session target ipv4:10.128.179.12
>>>> codec g711ulaw
>>>> !
>>>> dial-peer voice 3 voip
>>>> description :: To Recorder Server ::
>>>> destination-pattern 450123
>>>> session protocol sipv2
>>>> session target ipv4:10.130.221.218
>>>> codec g711ulaw
>>>> !
>>>>
>>>>
>>>> I double checked the configuration and it seems correct to me.
>>>>
>>>> Is there something else I need to do? Can someone spot an error?
>>>>
>>>>
>>>> Thank you,
>>>>
>>>> Daniele
>>>>
>>>>
>>> 
> 


Re: [cisco-voip] Cisco UCM with Skype for Business

2016-04-06 Thread Daniel Ohnesorge via cisco-voip
You have a few options but none will suit your needs:

- Partitioned Intra-Domain Federation from CUPS to Lync will provide 
IM/Presence 
- Direct SIP Trunk to Lync Mediation Server will provide the ability to call 
Enterprise Voice enabled Lync clients (no video)
- VCS/Expressway to Lync Mediation Server with/without Media Bypass will 
provide voice and video to Enterprise Voice enabled Lync clients
- RCC (with Enterprise Voice disabled) will give you deskphone control of your 
Cisco phones from Lync client
- CUCILync (with Enterprise Voice disabled) will give you voice/video softphone 
as well as deskphone control

All of the above solutions cater to different needs but you are limited with 
mobile support. You can run Jabber on mobile devices in Phone-only mode and 
then have separate Lync client for IM but that would be a bad user experience.

Unless there is a specific reason to use Lync/SFB, if you already have a CUCM 
you may want to go Jabber and choose one of the above options.

This is always a good read: 
https://social.technet.microsoft.com/Forums/office/en-US/cef0dd13-1092-46ec-9d1c-6679511d2206/lync-cisco-cucm-rcc?forum=ocsvoice

and: http://www.justin-morris.net/cuci-lync-and-why-you-should-think-twice/

and finally: 
https://supportforums.cisco.com/discussion/11500646/cupsjabberlynccucilynciphoneandriod-head-spinning

Sent from my iPhone

> On 6 Apr 2016, at 17:06, Ki Wi  wrote:
> 
> Hi Group,
> anyone have experience integrating ?
> 
> The objective is to use Skype for business client for IM & voice/video call.
> 
> It seems like the legacy approach is to use CUCILYNC. However, that's for 
> windows desktop. If we use Skype for mobile clients, there's no such plug in.
> 
> Is there a way to achieve presence synchronization between UCM and Skype 
> presence service?
> Assuming they are using the same URI ?
> +
> Able to leverage on UCM to receive and initial calls.
> 
> Regards,
> Ki Wi
> 



Re: [cisco-voip] bandwidth restrictions for MRA clients - necessary or not?

2016-04-06 Thread Daniel Ohnesorge via cisco-voip
 

Lelio, 

Jabber has been using something called CPVE for a while; Cisco Precision
Video Engine. CPVE comes from the Tandberg acquisition and was mainly
used in Tandberg Movi (later Jabber Video). CPVE indeed starts at a low
quality bitrate and then assesses the network using RTCP and other
technologies to up-scale and down-scale as needed. 

You stated your requirement in your initial email - "i'd like to make
sure we have the best video quality while on-campus". While it's fine to
assume that over 3G/4G video may be disabled or perhaps a low bandwidth,
what about MRA clients using home or cafe WiFi? If said WiFi has a fast
bandwidth e.g. 50 Mbps and your Jabber MRA device calls an on-prem video
device, you have no control over the bandwidth. 

The idea behind Device Mobility is quite simple, for your case you could
do it like this; 

- Create a Device Pool named Internet_DP
- Create Internet_RG region and assign Internet_RG to Internet_DP
(Internet_RG has region relationships to your on-campus regions limiting
the bandwidth e.g. 512 Kbps max video)
- Create a Physical Location Internet_PL and Device Mobility Group
Internet_DMG and assign both to Internet_DP
- Create a Device Mobility Info (basically a subnet) called Internet_DMI
and give it the IP of your Expressway-C with subnet mask of 32 e.g.
10.10.10.100/32
- Associate Internet_DP with the Internet_DMI
- Enable Device Mobility from CallManager Service Parameters (enabled
Device Mobility for all phones) or enable on a per-phone basis via BAT
or individually

What happens now is that anytime a BOT/TCT/TAB/CSF/78XX/88XX phone
registers via Expressway, its registration IP will always be the IP of
Expressway-C. CUCM realizes this and essentially changes the DP to
Internet_DP where you have defined your lower bandwidth region
relationships. Once that device comes back to the corporate network it
will no longer have a registration IP of the Expressway-C, rather a
normal DHCP IP and will of course use the normal Device Pool which you
configured which may have a maximum BW of 10 Mbps. 

Hope this helps!

On 2016-04-07 00:05, Lelio Fulgenzi wrote: 

> I honestly don't know. 
> 
> I'm new to the whole Jabber world, as well as to video codecs and bit rates.  
> 
> I could be worrying about something that I don't need to be, i.e. a 10 minute 
> Jabber video call will never use more than X megabytes of data. 
> 
> Then again, it's only a matter of time until clients will want to use the 
> quality that comes with a mobile phone front facing camera to have a HD video 
> call from anywhere. 
> 
> ---
> Lelio Fulgenzi, B.A.
> Senior Analyst, Network Infrastructure
> Computing and Communications Services (CCS)
> University of Guelph
> 
> 519‐824‐4120 Ext 56354
> le...@uoguelph.ca
> www.uoguelph.ca/ccs
> Room 037, Animal Science and Nutrition Building
> Guelph, Ontario, N1G 2W1 
> 
> -
> 
> FROM: "Dennis Heim" 
> TO: "Lelio Fulgenzi" , cisco-voip@puck.nether.net
> SENT: Wednesday, April 6, 2016 10:00:11 AM
> SUBJECT: RE: [cisco-voip] bandwidth restrictions for MRA clients - necessary 
> or not?
> 
> Can many mobile jabber devices with cellular connectivity do more than 360p? 
> 
> FROM: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] ON BEHALF OF 
> Lelio Fulgenzi
> SENT: Wednesday, April 06, 2016 9:53 AM
> TO: cisco-voip@puck.nether.net
> SUBJECT: Re: [cisco-voip] bandwidth restrictions for MRA clients - necessary 
> or not? 
> 
> Thanks Eric. 
> 
> I had a similar discussion with a Cisco engineer. Basically, let Jabber 
> figure things out. Which is all fine and dandy, until you read that Canada 
> pays some of the highest fees for mobile data in the world. lol. 
> 
> There are not many unlimited data plans available, and a simple 10 minute 
> video call at 10mbps (using 5mbps for calc) could probably use up 3gb of data 
> traffic. 
> 
> But then, I don't want to impact quality for Jabber clients on wifi 
> connections. 
> 
> I'm guessing that I might go with leaving device mobility out of the picture 
> for now and ensuring video calling is disabled while on mobile networks. 
> 
> -
> 
> FROM: "Eric Pedersen" 
> TO: "Lelio Fulgenzi" , cisco-voip@puck.nether.net
> SENT: Monday, April 4, 2016 11:00:36 AM
> SUBJECT: RE: [cisco-voip] bandwidth restrictions for MRA clients - necessary 
> or not? 
> 
> Jabber apparently monitors packet loss and sets the video rate accordingly, 
> which is why the quality starts out really low and then improves with the 
> call. I don't think any of the phones do that, but I believe the 8845 maximum 
> bandwidth is 2mbps. 
> 
> FROM: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] ON BEHALF OF 
> Lelio Fulgenzi
> SENT: 04 April 2016 7:40 AM
> TO: cisco-voip@puck.nether.net
> SUBJECT: [cisco-voip] bandwidth restrictions for MRA clients - necessary or 
> not? 
> 
> quick question... how are people restricting the video/audio bandwidth for 
> Jabber MRA clients or ph

Re: [cisco-voip] Cisco UCM with Skype for Business

2016-04-06 Thread Daniel Ohnesorge via cisco-voip
 

No Worries KiWi 

Regarding Presence, Partitioned Intra-Domain Federation supports two-way
IM and Presence so you should be covered there. Regarding your security
concerns, this can also be done. For example, you can achieve
Multi-Factor Authentication out of the box using SAML SSO products (ADFS
3.0 and OpenAM both support MFA) which is supported over Expressway. If
using Client Certificates for said authentication, you could have an MDM
solution like Mobile Iron be the only way to distribute the certificates
using SCEP. DDoS protection can always be achieved by ASA or 3rd Party
Firewall. 

On 2016-04-07 13:08, Ki Wi wrote: 

> Hi Matt, Alastair & Daniel, 
> thanks! 
> 
> Looks like the deployment choices don't change much since OCS days except 
> the addition of VCS option now only. 
> For presence, seems like there's this product but I'm not sure it is 1 way or 
> 2 way sync. Seems like UCM to Lync only. 
> 
> http://www.bridgeoc.com/products/licc/licc.htm [1] 
> 
> Jabber is a fantastic application which client is using now. However, when it 
> comes to Jabber on mobile via expressway. It is lacking of security measures 
> in place. 
> 
> The client I have is very concerned about identity theft for higher management. 
> Therefore, single factor authentication is not sufficient. They wanted every 
> client authenticating via expressway to be MDM managed. This is not available 
> today and SFB apparently have a lot of 3rd party applications doing this. One 
> of them is skypeshield which I found online. 
> 
> Jabber for everyone users are able to use expressway for free right? I saw on 
> other threads here. Someone answered yes. 
> 
> Regards,
> Ki Wi 
> 
> On Wed, Apr 6, 2016 at 9:15 PM, Matt Slaga (AM) 
>  wrote:
> 
> Another option, although not perfect, is using a hardware device like a 
> Kuandobox. 
> 
> http://www.plenom.com/products/kuandobox/ 
> 
> Works well in cube environments, but not so well in offices, or places where 
> users use speakerphone often. 
> 
> FROM: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] ON BEHALF OF 
> Alastair Watts
> SENT: Wednesday, April 6, 2016 8:28 AM
> TO: kiwi.vo...@gmail.com; dan...@ohnesorge.me
> CC: cisco-voip@puck.nether.net
> SUBJECT: Re: [cisco-voip] Cisco UCM with Skype for Business 
> 
> I echo Daniel's comments below regarding the Lync/SfB integration, and 
> recommend that you look at the reasons why you're choosing to integrate SfB - 
> particularly with voice/video or with SfB mobile clients. 
> 
> In the last few months, Cisco acquired Acano, whose portfolio of products can 
> assist with bridging SfB and CUCM when joining the two is required. 
> 
> I strongly recommend reviewing the Cisco Live talk that was presented earlier 
> this year in Melbourne (available at 
> https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89886 
> [2]) , which goes into integration options between Lync/SfB and Cisco, 
> including limitations, and includes the Acano product set and how it can 
> assist with the integration. 
> 
> Al 
> 
> On 6 Apr 2016, at 17:10, Daniel Ohnesorge via cisco-voip 
>  wrote: 
> 
> You have a few options but none will suit your needs: 
> 
> - Partitioned Intra-Domain Federation from CUPS to Lync will provide 
> IM/Presence  
> 
> - Direct SIP Trunk to Lync Mediation Server will provide the ability to call 
> Enterprise Voice enabled Lync clients (no video) 
> 
> - VCS/Expressway to Lync Mediation Server with/without Media Bypass will 
> provide voice and video to Enterprise Voice enabled Lync clients 
> 
> - RCC (with Enterprise Voice disabled) will give you deskphone control of 
> your Cisco phones from Lync client 
> 
> - CUCILync (with Enterprise Voice disabled) will give you voice/video 
> softphone as well as deskphone control 
> 
> All of the above solutions cater to different needs but you are limited with 
> mobile support. You can run Jabber on mobile devices in Phone-only mode and 
> then have separate Lync client for IM but that would be a bad user 
> experience. 
> 
> Unless there is a specific reason to use Lync/SFB, if you already have a CUCM 
> you may want to go Jabber and choose one of the above options. 
> 
> This is always a good read: 
> https://social.technet.microsoft.com/Forums/office/en-US/cef0dd13-1092-46ec-9d1c-6679511d2206/lync-cisco-cucm-rcc?forum=ocsvoice
>  
> 
> and: http://www.justin-morris.net/cuci-lync-and-why-you-should-think-twice/ 
> 
> and finally: 
> https://supportforums.cisco.com/discussion/11500646/cupsjabberlynccucilynciphoneandriod-head-spinning
>  
> 
> Sent from my iPhone 
> 
> On 6 Apr 2016, at 17:06, Ki Wi  wrote: 
> 
>

Re: [cisco-voip] Cisco UCM with Skype for Business

2016-04-06 Thread Daniel Ohnesorge via cisco-voip
 

Hi KiWi, 

Intra-domain federation definitely covers the scenario where some users
are on 1 system while others are on another. In fact it was designed
more as a migration tool to eventually migrate everyone to Cisco. If
user kiwi is IM enabled on SfB/Lync, he/she must not be IM enabled on
Cisco IM/Presence. If the hard phone is controlled by CUCI-Lync, then
CUCI-Lync can instruct Lync to change the status to Orange/Busy but that
is coming from Lync and nothing to do with CUPS. 

MFA on ADFS 3.0 works really well as does OpenAM - you could have 1st
factor as username/password, 2nd factor as TOTP time based token code
(like Google Authenticator). With regards to Client Certificates, they
themselves should be treated as a 2nd factor as if you were to logon to
another device that did not have the cert, login would fail. But more
traditional 2FA would use TOTP which can be integrated with both ADFS
and OpenAM. 

On 2016-04-07 15:48, Ki Wi wrote: 

> Daniel, 
> for 2 ways intra-domain federation. I suppose it covers scenario whereby some 
> users are on Jabber and some users are on SfB as documented. 
> 
> For example user "Ki Wi, k...@mycompany.com" uses SfB clients and uses cisco 
> hardphone. I answered on my hardphone. Will IM&P update SfB that Ki Wi is 
> busy/on the phone? 
> 
> If everyone is using SfB clients only then it will be fine but most of the 
> time, the client already have a lot of hard phones deployed or they simply 
> prefers hardphone. 
> 
> Multi-factor authentication via ADFS 3.0 . Anyone tried it? What is chosen? 
> I believe on mobile client, it might be a challenge to present additional 
> "factor" such as client certificate. 
> 
> Regards, 
> Ki Wi 
> 
> On Thu, Apr 7, 2016 at 12:01 PM,  wrote:
> 
> No Worries KiWi 
> 
> Regarding Presence, Partitioned Intra-Domain Federation supports two-way IM 
> and Presence so you should be covered there. Regarding your security 
> concerns, this can also be done. For example, you can achieve Multi-Factor 
> Authentication out of the box using SAML SSO products (ADFS 3.0 and OpenAM 
> both support MFA) which is supported over Expressway. If using Client 
> Certificates for said authentication, you could have an MDM solution like 
> Mobile Iron be the only way to distribute the certificates using SCEP. DDoS 
> protection can always be achieved by ASA or 3rd Party Firewall. 
> 
> On 2016-04-07 13:08, Ki Wi wrote: 
> 
> Hi Matt, Alastair & Daniel, 
> thanks! 
> 
> Looks like the deployment choices don't change much since OCS days except 
> the addition of VCS option now only. 
> For presence, seems like there's this product but I'm not sure it is 1 way or 
> 2 way sync. Seems like UCM to Lync only. 
> 
> http://www.bridgeoc.com/products/licc/licc.htm [1] 
> 
> Jabber is a fantastic application which client is using now. However, when it 
> comes to Jabber on mobile via expressway. It is lacking of security measures 
> in place. 
> 
> The client I have is very concerned about identity theft for higher management. 
> Therefore, single factor authentication is not sufficient. They wanted every 
> client authenticating via expressway to be MDM managed. This is not available 
> today and SFB apparently have a lot of 3rd party applications doing this. One 
> of them is skypeshield which I found online. 
> 
> Jabber for everyone users are able to use expressway for free right? I saw on 
> other threads here. Someone answered yes. 
> 
> Regards,
> Ki Wi 
> 
> On Wed, Apr 6, 2016 at 9:15 PM, Matt Slaga (AM) 
>  wrote:
> 
> Another option, although not perfect, is using a hardware device like a 
> Kuandobox. 
> 
> http://www.plenom.com/products/kuandobox/ 
> 
> Works well in cube environments, but not so well in offices, or places where 
> users use speakerphone often. 
> 
> FROM: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] ON BEHALF OF 
> Alastair Watts
> SENT: Wednesday, April 6, 2016 8:28 AM
> TO: kiwi.vo...@gmail.com; dan...@ohnesorge.me
> CC: cisco-voip@puck.nether.net
> SUBJECT: Re: [cisco-voip] Cisco UCM with Skype for Business 
> 
> I echo Daniel's comments below regarding the Lync/SfB integration, and 
> recommend that you look at the reasons why you're choosing to integrate SfB - 
> particularly with voice/video or with SfB mobile clients. 
> 
> In the last few months, Cisco acquired Acano, whose portfolio of products can 
> assist with bridging SfB and CUCM when joining the two is required. 
> 
> I strongly recommend reviewing the Cisco Live talk that was presented earlier 
> this year in Melbourne (available at 
> https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89886 
> [2]) , which goes into inte

Re: [cisco-voip] cisco prime collaboration provisioning

2016-04-07 Thread Daniel Ohnesorge via cisco-voip
Greenfield deployment? It's awesome, will use it every time. Brownfield 
deployment? Nowhere near production ready. 

TAC typically escalate every case to the BU if anything goes wrong and most 
cases end up with you, TAC and developers on a WebEx.

I see a lot of potential with the product and at Live they market it as the new 
interface for everything which is fine but it still needs to mature and needs 
more development attention.

Sent from my iPhone

> On 8 Apr 2016, at 05:53, Scott Voll  wrote:
> 
> Anybody using it?  worth my time?  personal opinions?
> 
> Scott
> 


Re: [cisco-voip] Digicert Wildcard cert

2016-04-07 Thread Daniel Ohnesorge via cisco-voip
Jose,

A few things to know; most wildcard certs from Verisign, GoDaddy etc. generate 
a key pair (private and public key) for you and send you a passphrase protected 
.pfx or .p12 file which can then be imported to IIS, Apache or any application 
(even Expressway for that matter). CUCM however does not allow private key 
import as it sees it as a security risk and mandates that keys must be generated 
on CUCM via CSR. 

The next thing to know is how CUCM deals with changes between its CSR and the 
certificate. The rule is that the Common Name of the CSR doesn't have to match 
but the SAN entries must match. So if you generate a Multi-SAN certificate CSR, 
CUCM will automatically put all CUCM/CUPS nodes in the list and you/the CA are 
expected to ensure those entries match. Theoretically, the CA could change the 
Common Name to *.domain.com during signing and you could actually import it in 
to CUCM. The challenge here is a) finding a CA which allows distinct individual 
keys/certs for the same wildcard Common Name and b) finding a CA that allows 
multiple SAN entries although the Common Name is a wildcard.

You would be better off to work with the CA to refund the Wildcard certificate 
and swap it with a Multi-SAN product.

Sent from my iPhone

> On 8 Apr 2016, at 07:34, Ryan Huff  wrote:
> 
> As far as I am aware, true wildcard certificates (*.domain.tld) are not 
> supported with UCOS (despite whether they work or not).
> 
> Thanks,
> 
> Ryan
> 
> On Apr 7, 2016, at 5:30 PM, Jose Colon II  wrote:
> 
>> After reading the numerous posts saying that the wildcard certs would work I 
>> purchased the wild card cert. Just wondering how people got them to work. 
>> 
>> Thanks
>> 
>>> On Thu, Apr 7, 2016 at 4:24 PM, Ryan Huff  wrote:
>>> Jose,
>>> 
>>> I believe what you want are multi server (SAN) certificates for tomcat. You 
>>> specify the distribution when generating the CSR.
>>> 
>>> Thanks,
>>> 
>>> Ryan
>>> 
>>> > On Apr 7, 2016, at 5:21 PM, Jose Colon II  wrote:
>>> >
>>> > I have read a lot on forums that the digicert wildcard certs work great 
>>> > for UC apps as long as I am on 10.5 which I am.
>>> >
>>> > Can someone lay out the process of uploading these certs as I am having a 
>>> > hard time with them. What format do I need them. What cert goes where etc.
>>> >
>>> > Thanks in advance.
>>> >
>>> > Jose
> 



Re: [cisco-voip] Cisco inbound Calls to Lync EV User Call shows as "Anonymous"

2016-04-13 Thread Daniel Ohnesorge via cisco-voip
Hi Joel

A good start would be to run a PCAP on CUCM:

utils network capture eth0 size all count 10 file lync

While that's running, make the test call. Once completed press CTRL+C and 
collect the PCAP via CLI (file get activelog platform/cli/lync.cap) or RTMT 
choosing 'Packet Capture Logs'. 

From there you can use wireshark to filter for the IP address of your Lync and 
SIP port (ip.addr==1.2.3.4&&tcp.port==5060). Check the SIP headers from there 
to see if there are any references to Anonymous or if you can see a name/number.

Other things to check would be the SIP Profile associated with the trunk and if 
there are any SIP Normalization Scripts applied.

Thanks,
Daniel

Sent from my iPhone

> On 14 Apr 2016, at 10:30, joel  wrote:
> 
> So running into a strange issue, inbound calls from a Cisco IP phone to a 
> pure Lync 2013 EV user show the caller id as “Anonymous”. Running SIP trunks 
> from CUCM 10.5.2 to the Lync mediation servers to route those calls over to 
> that environment. If a call comes in from the PSTN the caller ID shows, but 
> if it is an internal call from a Cisco phone there is no CLID. Looked at the 
> Lync client log and I can see the SIP invite come across from 
> anonym...@domain.com for those calls in question. Anyone ever experience this 
> or have any suggestions, I did follow the Cisco integration guide on how to 
> build out the SIP trunk profiles and parameters that needed to be configured 
> for this integration.
> 
> 
> -- 
> Joel Davila
> 321.246.7704
> 
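
As an added illustration of the header check suggested above (not part of the original thread): the script below parses a SIP INVITE and reports which headers carry the caller identity and which ones mark it anonymous. Both INVITEs are constructed samples; the addresses, names and function names are assumptions, and the set of headers inspected (From, P-Asserted-Identity, P-Preferred-Identity, Remote-Party-ID, Privacy) goes beyond what the thread lists.

```python
import re

# Headers that can carry the calling identity; SIP also allows compact names.
IDENTITY_HEADERS = ("from", "p-asserted-identity", "p-preferred-identity",
                    "remote-party-id")
COMPACT = {"f": "from", "t": "to", "i": "call-id", "v": "via", "m": "contact"}

NAME_ADDR = re.compile(
    r'^\s*(?:"(?P<q>[^"]*)"|(?P<d>[^<"]*?))\s*'
    r'<sips?:(?:(?P<user>[^@>;]+)@)?(?P<host>[^>;]+)[^>]*>(?P<params>.*)$')

# Constructed sample messages (not captured traffic).
SAMPLE_ANON = "\r\n".join([
    "INVITE sip:5551000@lync-med.example.com:5060 SIP/2.0",
    "Via: SIP/2.0/TCP 10.0.0.10:5060;branch=z9hG4bK1",
    'From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=1',
    "To: <sip:5551000@lync-med.example.com>",
    'Remote-Party-ID: "Alice" <sip:2001@10.0.0.10>;party=calling;',
    "  screen=yes;privacy=full",                 # folded continuation line
    "Privacy: id",
    "Content-Length: 0", "", ""])
SAMPLE_NAMED = "\r\n".join([
    "INVITE sip:5551000@lync-med.example.com:5060 SIP/2.0",
    'f: "Alice" <sip:2001@10.0.0.10>;tag=2',     # compact form of From
    'P-Asserted-Identity: "Alice" <sip:2001@10.0.0.10>',
    "Content-Length: 0", "", ""])


def parse_headers(message):
    """Return {lowercase header name: [values]} for one SIP message."""
    lines = []
    for line in message.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        if line[:1] in (" ", "\t") and lines:    # unfold continuation lines
            lines[-1] += line.strip()
        elif line:
            lines.append(line)
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return headers


def parse_identity(value):
    """Split a name-addr value into display name, user, host and parameters."""
    m = NAME_ADDR.match(value)
    if not m:
        return None
    params = {}
    for p in m.group("params").split(";"):
        if p.strip():
            key, _, val = p.strip().partition("=")
            params[key.lower()] = val.lower()
    return {"display": (m.group("q") or m.group("d") or "").strip(),
            "user": m.group("user") or "", "host": m.group("host"),
            "params": params}


def caller_identity_report(message):
    """List the identities found and every reason the caller looks anonymous."""
    headers = parse_headers(message)
    identities, reasons = {}, []
    for name in IDENTITY_HEADERS:
        found = [parse_identity(v) for v in headers.get(name, [])]
        if any(found):
            identities[name] = [i for i in found if i]
    for ident in identities.get("from", []):
        if ("anonymous" in (ident["display"].lower(), ident["user"].lower())
                or ident["host"].lower().endswith("anonymous.invalid")):
            reasons.append("From is anonymized")
    for value in headers.get("privacy", []):
        tokens = {t.strip().lower() for t in value.split(";") if t.strip()}
        if tokens - {"none"}:
            reasons.append("Privacy: " + ";".join(sorted(tokens)))
    for ident in identities.get("remote-party-id", []):
        if ident["params"].get("privacy", "off") != "off":
            reasons.append("Remote-Party-ID privacy=" + ident["params"]["privacy"])
    return {"identities": identities, "reasons": reasons}


if __name__ == "__main__":
    for label, msg in (("anonymous", SAMPLE_ANON), ("named", SAMPLE_NAMED)):
        report = caller_identity_report(msg)
        print(label, report["reasons"] or "caller identity presented")
```
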


Re: [cisco-voip] Constantly having db replication issues

2016-04-20 Thread Daniel Ohnesorge via cisco-voip
 

Hi Nick, 

At the time of failure, I like to tail the dbl logs to see what's
happening. First, run this command to see which log is the latest:

file list activelog cm/trace/dbl/sdi date detail

That output will list the last written log file at the bottom, for
example log16.log. Then you can tail the file using this command:

file tail activelog cm/trace/dbl/sdi/log16.log

This will give you some idea of what is happening at that time. 

On 2016-04-21 07:20, Nick Barnett wrote: 

> Thanks James 
> Ok, yes, there's a lot in rhosts. They are all identical, and each of them 
> has forward and reverse lookups. 
> 
> On Wed, Apr 20, 2016 at 12:39 PM, James Buchanan  
> wrote:
> 
> Hello,
> 
> Even though you are not using DNS, do you have DNS servers and a domain name 
> configured? If so, you should have forward and reverse entries configured for 
> all servers. When you look in Unified Reporting, do you see anything about 
> the rhosts under Database Status?
> 
> Thanks,
> 
> James 
> 
> On Wed, Apr 20, 2016 at 1:07 PM, Nick Barnett  wrote:
> 
> Thanks Ryan. 
> 
> We have 3 CCM and 1 TFTP node in each of our two data centers. The main data 
> center is here, and that is where our DRS sftp server (and publisher) is 
> located. Nothing is using DNS right now, all of the servers are entered into 
> CUCM as IP addresses... this cluster has been around for years. It was 
> upgraded from 7.BeforeMyTime to 8.6 to 10.0. 
> 
> On Wed, Apr 20, 2016 at 11:54 AM, Ryan Huff  wrote:
> 
> Hi Nick. 
> 
> Let me ask you a few things; 
> 
> - How is the cluster laid out (how many nodes in the cluster and what nodes 
> are in which DC)? 
> 
> - Are you using DNS and if so, where is the DNS server located and do you 
> have redundant DNS in both DCs? 
> 
> - Where is your DRS server in relation to the cluster publisher (same DC or 
> no)?
> 
> Thanks, 
> 
> Ryan 
> 
> On Apr 20, 2016, at 11:09 AM, Nick Barnett  wrote:
> 
> I'm wondering how many others have had as many issues with db replication? It 
> seems that any time we lose a connection to our 2nd data center (even a 2 
> minute MPLS planned maintenance outage causes the issue), our database 
> synchronization has errors.  After a WAN blip, within an hour or so, I get a 
> message from RTMT about a subscriber being in "blocked" state: 
> 
> %[AppID=Cisco Database Layer 
> Monitor][ClusterID=ProdVoiceCluster][NodeID=XXX1]: A change notification 
> client is busy (blocked). If the change notification client continues to be 
> blocked for 10 minutes, the system automatically clears the block and change 
> notification should resume successfully." 
> 
> After that, if I run utils dbreplication status, it will have errors... so 
> then I run the "repair all" option and it fixes it. Then I'm good for a few 
> weeks until something else happens that starts the whole cycle over. 
> 
> Something else that happens after a WAN blip is that DRS begins to fail, so 
> we have to restart the master DRS and the subsequent DRS services on the 
> subs. Am I doing something wrong? Is this normal? 
> 
> I'm on CUCM 10.0.1.12900-2.   
> 
> Thanks,
> Nick 


[cisco-voip] Jabber Directory Groups over port 3268

2016-04-20 Thread Daniel Ohnesorge via cisco-voip
 

Hi Guys, 

Just as a quick FYI, Jabber 11.0 - 11.5 doesn't seem to be able to
search for Directory Groups over port 389. CUCM>System>LDAP>Directory is
currently synced with port 389 and all User Groups (distribution groups
from AD) sync over fine. However when searching in Jabber using EDI over
port 389, the Groups don't show up. This is what we see in the logs; 

2016-04-21 13:00:52,505 DEBUG [0x2358] [rdsource\ADPersonRecordSourceLog.cpp(50)] [csf.person.adsource] [WriteLogMessage] - ConnectionManager::ExecuteQueryOnGroupSearchers - Succeeded - Query string: [(&(objectCategory=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648))(sAMAccountName=test group*))], Attributes: [sAMAccountName]
2016-04-21 13:00:52,505 DEBUG [0x2358] [rdsource\ADPersonRecordSourceLog.cpp(50)] [csf.person.adsource] [WriteLogMessage] - QueryManager::ExecuteQuery - Query executed - about to convert the results
2016-04-21 13:00:52,505 DEBUG [0x2358] [rdsource\ADPersonRecordSourceLog.cpp(50)] [csf.person.adsource] [WriteLogMessage] - QueryResultsConverter::ConvertResultSet - processing handle [162896744]
2016-04-21 13:00:52,521 WARN [0x2358] [rdsource\ADPersonRecordSourceLog.cpp(42)] [csf.person.adsource] [WriteLogMessage] - QueryResultsConverter::ConvertResultSet - Query Results Failed - COMException [0x80072030]

0x80072030 means 'There is no such object on the server'. However, if I
use any LDAP Explorer and use the filter
(&(objectCategory=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648))(sAMAccountName=test group*))
the result comes up fine. 

Based on some research, I think the relevant Bug IDs are CSCuu47641,
CSCuu48043 and CSCuu48329, with the last 2 being internal bugs. All bugs
have little to no useful information. The workaround is to use port 3268
and the Groups show up straight away. 


Re: [cisco-voip] Admin for this email address?

2016-04-21 Thread Daniel Ohnesorge via cisco-voip
Hi Jamin,

ja...@puck.nether.net or svoll.v...@gmail.com

Cheers,
Daniel

Sent from my iPhone

> On 22 Apr 2016, at 08:11, Horton, Jamin  wrote:
> 
> Gentlemen,
>  
> Who is the Admin for this address and how can I get in touch with him/her? 
> Thanks!
>  
>  
> Jamin Horton – Collaboration Practice Manager
> CCIE Collaboration #39988
> Direct:  303-734-4048
> Cell:  720-401-8340
> Email:  jamin.hor...@oneneck.com
>  


Re: [cisco-voip] IM&P, Jabber, Presence Redundancy Groups, Assigned Presence Server

2016-04-25 Thread Daniel Ohnesorge via cisco-voip
Hi Anthony,

I dare say that the CUPS BU did not give user assignment much thought with 
regards to geographical regions. 

What I would do in this instance (and may or may not be possible for you to 
re-design) is to have separate clusters for your East Coast and West Coast. 
This would be achieved by changing the LDAP to point 1 cluster to a more 
specific geographical OU. 

For CUCM you can easily set up ILS/GDPR to exchange your extensions between 
clusters, and EMCC (Extension Mobility Cross Cluster) is fairly trivial. This 
setup would also support centralised TFTP for phone registration and 
centralised Jabber login. Now when it comes to CUPS, you will of course be 
using Inter-cluster Peering. The downside to this, for both CUCM and CUPS, is 
that there is no redundancy between East Coast and West Coast (between your 
DCs), but this can still be achieved with subscribers in each DC.

Sent from my iPhone

> On 26 Apr 2016, at 04:51, Anthony Holloway  
> wrote:
> 
> All,
> 
> My specific environment is
> CUCM 11.0(1a)SU1
> IM&P 11.0(1)
> Jabber for Windows 11.5(2)
> 
> Clustering over the WAN with local failover
> 2x CUCM nodes and 2x IM&P nodes in DC1 (east coast)
> 2x CUCM nodes and 2x IM&P nodes in DC2 (west coast)
> 
> The Challenge
> I need to *easily* assign users to the proper Presence Redundancy Group, 
> based on geographic region of the user.
> 
> My Thoughts
> First off, I needed to change the CUCM > Enterprise Parameters > User 
> Assignment Mode for Presence Server setting to None, so that if someone 
> clicks the CUCM > User Management > Assign Presence Users > Rebalance Users 
> button, it doesn't destroy the geographic assignments I'll have worked so 
> hard to maintain.
> 
> Second, I know that the CUCM > User Management > Assign Presence Users 
> setting takes precedence over the CUCM > User Management > User Settings > 
> Service Profile > IM and Presence Profile.  Otherwise, I'd just assign users 
> to Service Profiles by way of Feature Group Templates assigned to different 
> LDAP Directory sync agreements.
> 
> Third, BAT > Users > Update Users > Query has very few fields to filter 
> on.  How hard would it be to add a few more fields in here Cisco?  There's 
> just no way this is useful.  BAT > Users > Update Users > Custom File has 
> promise, but because of its mandatory User Template usage, it'll need some 
> careful testing with the Ignore Fields option.  I'm not excited about that 
> method, unless one of you calms my fears.
> 
> What I would like to ask the group is, how are you doing this, or how would 
> you suggest doing this?  I.e., Your process to assign users, both existing in 
> the system today, and newly synced from LDAP, to their geographic IM&P nodes 
> and therefore Presence Redundancy Groups?  I'm not quite looking for a SQL 
> query method, or an AXL method, something an operations person could manage 
> through the GUI.
> 
> Thanks.


Re: [cisco-voip] Add CPU on UC infrastructure

2016-05-27 Thread Daniel Ohnesorge via cisco-voip
Conveniently the DE's are stating that the minimum size for the CUCM database 
after v10.5 is 110GB yet the smaller size templates in even the latest version 
of the OVA is 80GB. So the OVA's are not perfect that's for sure.

Sent from my iPhone

> On 28 May 2016, at 00:01, Ryan Ratliff (rratliff)  wrote:
> 
> CUCM and IMP won’t have an issue and will pick up the new vCPUs during boot, 
> though you really shouldn’t have any performance issues if you are sized 
> appropriately and honoring what the OVA configures.
> 
> From what I recall CUC sets the number of CPUs during install and won’t use 
> any additional ones added afterwards. 
> 
> -Ryan
> 
> On May 26, 2016, at 5:56 PM, Alessandro Bertacco 
>  wrote:
> 
> Because After Upgrade to V11 from V10.5, and moving Virtual Machine to ESXi5 
> to ESX6, during boot and during service start up CPU are always 100%, and 
> booting Up are Slow as Old Snail!!
>  
> Note that Virtual Machine now Run on SSD Disk Storage!!
>  
> AB
>  
> From: Ryan Huff [mailto:ryanh...@outlook.com] 
> Sent: Thursday, 26 May 2016 23:44
> To: Alessandro Bertacco 
> Cc: cisco-voip@puck.nether.net
> Subject: Re: [cisco-voip] Add CPU on UC infrastructure
>  
> I would first answer your question, with a question of my own. Why do you 
> need to add additional CPUs to your UC virtual?
>  
> Thanks,
>  
> Ryan
>  
>> On May 26, 2016, at 4:33 PM, Alessandro Bertacco 
>>  wrote:
>> 
>> Hi Guys,
>>I need to give more CPU resource to my CUCM, CUC, and IM&presence version 
>> 11.
>>  
>> Which will be the impact of modifying virtual hardware of the Machine?
>>  
>> Thank you
>> Regards
>>  
>> Alessandro Bertacco


Re: [cisco-voip] need help in configuring TP conductor and TP server

2016-06-02 Thread Daniel Ohnesorge via cisco-voip
 

Hi Muneeb, 

Jason Murray from Cisco recorded this excellent YouTube video back in
2014, the foundations are still very much the same, with a few
differences if you are deploying the latest versions. 

https://www.youtube.com/watch?v=jGzNLqDVs60 

Thanks,
Daniel 

On 2016-06-03 15:19, Muneeb khan wrote: 

> Hi, 
> 
> Can any one help me configuring TP conductor and TP server, and how it will 
> reflect cucm connectivity?  
> 
> Please guide me on it.  
> 
> Regards 
> Muhammad Muneeb Khan 
> 


Re: [cisco-voip] Unity Connection vs Exchange UM

2016-07-11 Thread Daniel Ohnesorge via cisco-voip
Hi George,

When Unified Messaging (Single Inbox) is enabled on Unity Connection, the 
features are pretty much the same across both platforms. Right now I could call 
in to my external unity connection voicemail IVR and listen to my 
appointments and emails. The same could be done with Exchange UM. Go Unity :)

Sent from my iPhone

> On 12 Jul 2016, at 00:55,   
> wrote:
> 
> Guys,
>  
>   I have searched for a recent comparison of Unity Connection and MS Exchange 
> UM.  Does anyone have info on this?  I personally prefer to keep VOICE in 
> VOICE and not depend on MS, but also would like to see a recent side by side 
> comparison of these solutions.
>  
>  
> Thanks,
> Bill
>  


[cisco-voip] Serious 11.5 installation defect

2016-08-21 Thread Daniel Ohnesorge via cisco-voip

Hi All,

Just wanted to make you all aware of a serious installation defect with 
11.5 that the Cisco DE's are currently investigating and will soon be 
raising a new defect against.


Basically, the CUCM Publisher installation goes ahead fine but once you 
try to install any subscriber (including the CUPS DB PUB), the 
installation will fail after all Network and Connectivity checks passed. 
It has taken TAC, BU and DE's 2 weeks to figure out what was going 
wrong, it turns out that the password used for the Application User is 
too long (even though it is within documentation guidelines). The 
password I used was 1 Uppercase, 14 lowercase, 1 number and 1 special 
character (underscore). DE's have been able to replicate the issue in 
the lab using the same complexity. When using a password such as 
ipcbu123 the installation is successful. This affects CUCM, CUPS and 
CUC.


Thanks,
Daniel


Re: [cisco-voip] Serious 11.5 installation defect

2016-08-21 Thread Daniel Ohnesorge via cisco-voip
In this case, the customer has a strict password policy and the password 
was generated via an internal web app. Normally I would also not use one 
that long!


On 2016-08-22 13:57, Anthony Holloway wrote:

Wow, good to know, but I cannot say that I have ever seen a password 
that long on a server before.  That's a first for me.  I tend to still 
use 8 character length.  Old habit, I'm sure.


Are you consistently deploying 16+ character passwords nowadays?

On Sun, Aug 21, 2016 at 5:54 PM, Daniel Ohnesorge via cisco-voip 
 wrote:



Hi All,

Just wanted to make you all aware of a serious installation defect 
with 11.5 that the Cisco DE's are currently investigating and will 
soon be raising a new defect against.


Basically, the CUCM Publisher installation goes ahead fine but once 
you try to install any subscriber (including the CUPS DB PUB), the 
installation will fail after all Network and Connectivity checks 
passed. It has taken TAC, BU and DE's 2 weeks to figure out what was 
going wrong, it turns out that the password used for the Application 
User is too long (even though it is within documentation guidelines). 
The password I used was 1 Uppercase, 14 lowercase, 1 number and 1 
special character (underscore). DE's have been able to replicate the 
issue in the lab using the same complexity. When using a password such 
as ipcbu123 the installation is successful. This affects CUCM, CUPS 
and CUC.


Thanks,
Daniel


Re: [cisco-voip] Serious 11.5 installation defect

2016-08-22 Thread Daniel Ohnesorge via cisco-voip
This is going to cause problems for US Government customers that are 
wanting to deploy FedRAMP mode...


From 
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_5_1/secugd/CUCM_BK_SEE2CFE1_00_cucm-security-guide-1151/CUCM_BK_SEE2CFE1_00_cucm-security-guide-1151_chapter_011010.html


"Credential Policy

When FedRAMP mode is enabled, the following credential policy takes 
effect automatically for new passwords and password changes. After 
FedRAMP mode is enabled, administrators can use the set password *** 
series of CLI commands to modify any of these requirements:


Password Length should be between 14 to 127 characters.
Password should have at least 1 lowercase, 1 uppercase, 1 digit and 1 
special character.

Any of the previous 24 passwords cannot be reused.
Minimum age of the password is 1 day and Maximum age of the password is 
60 days.
Any newly generated password's character sequence will need to differ by 
at least 4 characters from the old password's character sequence."



On 2016-08-23 00:33, Scott Voll wrote:

Sounds like one we had with Cisco Security Manager.  It would send a 
password under 15 characters correctly because it encrypted the whole 
password.  But after 15 characters it would encrypt the 15 characters 
and add padding to the additional characters after the encryption, rather 
than sending the password with padding then encrypting it.


Reminder that if it's Cisco to make sure your password is less than 16 
characters ;-)


Scott

On Sun, Aug 21, 2016 at 10:43 PM, Daniel Ohnesorge via cisco-voip 
 wrote:
In this case, the customer has a strict password policy and the 
password was generated via an internal web app. Normally I would also 
not use one that long!


On 2016-08-22 13:57, Anthony Holloway wrote:

Wow, good to know, but I cannot say that I have ever seen a password 
that long on a server before.  That's a first for me.  I tend to still 
use 8 character length.  Old habit, I'm sure.


Are you consistently deploying 16+ character passwords nowadays?

On Sun, Aug 21, 2016 at 5:54 PM, Daniel Ohnesorge via cisco-voip 
 wrote:


Hi All,

Just wanted to make you all aware of a serious installation defect with 
11.5 that the Cisco DE's are currently investigating and will soon be 
raising a new defect against.


Basically, the CUCM Publisher installation goes ahead fine but once you 
try to install any subscriber (including the CUPS DB PUB), the 
installation will fail after all Network and Connectivity checks 
passed. It has taken TAC, BU and DE's 2 weeks to figure out what was 
going wrong, it turns out that the password used for the Application 
User is too long (even though it is within documentation guidelines). 
The password I used was 1 Uppercase, 14 lowercase, 1 number and 1 
special character (underscore). DE's have been able to replicate the 
issue in the lab using the same complexity. When using a password such 
as ipcbu123 the installation is successful. This affects CUCM, CUPS and 
CUC.


Thanks,
Daniel


Re: [cisco-voip] Are there any gotchas to watch out for switching to FQDN server names from IP address server names?

2016-08-31 Thread Daniel Ohnesorge via cisco-voip
One of the most important points that people tend to forget when changing the 
processnode (System>Server) entries is that MGCP and SCCP gateways will 
download a config file (like a phone) and will need to resolve these entries. 
For whatever reason I've seen so many customers not add any ip name server to 
their routers so this one can bite you in the ass.

Now with regards to actually changing the entries, I have done this way too 
many times. What you REALLY need to do is change the entry one by one, then 
restart all the nodes in the cluster one by one. Then change the next entry and 
repeat! I know this sounds totally unnecessary but the processnode has the 
ability to stuff up your dbreplication to the point where TAC will suggest a 
rebuild.

Thanks,
Daniel

Sent from my iPhone

> On 1 Sep 2016, at 06:39, Ryan Huff  wrote:
> 
> Nick,
> 
> 
> If the UC servers already have DNS entries (means they already have a domain 
> name too); then the servers are already using FQDNs, at least for internal 
> referencing. If you're saying that you want to change the processNode names 
> (the CM Server references) then as long as the FQDNs are resolvable in the 
> forward and reverse direction, it should be fine.
> 
> 
> If you need to change the hostname or domain names of the servers to 
> something more palatable (a crossroads often encountered when dealing with 
> Jabber and end users and UC servers that were IP addresses first); that is a 
> horse of a much different color; please carefully consult 
> http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/install/10_0_1/ipchange/CUCM_BK_C3782AAB_00_change-ipaddress-hostname-100/CUCM_BK_C3782AAB_00_change-ipaddress-hostname-100_chapter_0100.html
>  (especially in the case of IM & Presence HA) 
> 
> If you are also talking about changing the IP Phone URL references under 
> Enterprise Parameters (from IP address to FQDN); your phone networks will 
> need DNS capabilities to resolve those FQDNs as well. As a matter of 
> practice, I always ensure IP phone networks have DNS capabilities, but it can 
> be uncommonly found out in the wild.
> 
> 
> Beyond that, if you are simply just changing the processNode references for 
> IP addresses to FQDNs (presumably, so CUCM requests come from an FQDN and not 
> an IP address) and everything is already resolving correctly, you should be 
> g2g.
> 
> Thanks,
> 
> = Ryan =
> 
> 
> 
> From: cisco-voip  on behalf of Nick 
> Barnett 
> Sent: Wednesday, August 31, 2016 4:13 PM
> To: Cisco VoIP Group
> Subject: [cisco-voip] Are there any gotchas to watch out for switching to 
> FQDN server names from IP address server names?
>  
> We are on 10.0 and this cluster has been upgraded over the years from 8.0 to 
> 8.6 to 10.0.  I know it used to be common practice to rip the host name out 
> of a new node and put in the IP address. That's how we are set up... but now 
> that I need to do some work with certs so that jabber and cucilync work 
> properly, it's time to fix this.
> 
> Is there anything I should watch out for? Anything that may bite me in rare 
> cases? We have CER, CVP, CUC, UCCE and a rarely used IMP.
> 
> I checked that each node has DNS enabled by looking at "show network eth0" on 
> each sub. I also then looked up each FQDN from each node and they all resolve 
> properly. As far as I know, that's about it.
> 
> Thanks in advance!
> 
> nick


[cisco-voip] MRCP TTS Provide still showing in list after deleting from Provider Page

2017-01-09 Thread Daniel Ohnesorge via cisco-voip
 

Hi All, 

Running UCCX 11.0.1.1-75. When adding a new MRCP TTS Provider e.g.
"MRCP Test 1" and then deleting it, upon adding a new Provider again,
"MRCP Test 1" is showing from the Provider Name list (alongside IBM,
Nuance and Scansoft). Is there any way of deleting the custom entries
from the list after the actual Provider has been deleted? 

Thanks, 

Daniel 


[cisco-voip] Fax topology with ITSP/CUBE and VG310

2017-02-14 Thread Daniel Ohnesorge via cisco-voip

Hi All,

Just wanted to confirm my understanding with regards to which Fax 
topology to choose. Some key points:


- The ITSP network to the customer is over a dedicated WAN link with QoS 
enabled

- The ITSP does not support any kind of Fax Relay
- The ITSP uses G711 ulaw for all calls

Topology: 
ITSP---SIP---CUBE---SIP---CUCM---SCCP---VG310---FXS---FAX_Machine


So the goal here is to ensure reliable fax messaging between CUBE and 
VG310. From my understanding, VG310 can only support NSE-based Modem 
Passthrough, NSE-based T.38 relay and Cisco Fax Relay hence I would need 
to enable the same on CUBE. What would be the best topology to choose in 
this scenario?


Appreciate any feedback.

Thanks,
Daniel


Re: [cisco-voip] Fax topology with ITSP/CUBE and VG310

2017-02-14 Thread Daniel Ohnesorge via cisco-voip
Sorry I should specify I meant "VG310 in SCCP mode can only support 
NSE-based Modem Passthrough, NSE-based T.38 relay and Cisco Fax Relay".


On 2017-02-15 10:25, dan...@ohnesorge.me wrote:


Hi All,

Just wanted to confirm my understanding with regards to which Fax 
topology to choose. Some key points:


- The ITSP network to the customer is over a dedicated WAN link with 
QoS enabled

- The ITSP does not support any kind of Fax Relay
- The ITSP uses G711 ulaw for all calls

Topology: 
ITSP---SIP---CUBE---SIP---CUCM---SCCP---VG310---FXS---FAX_Machine


So the goal here is to ensure reliable fax messaging between CUBE and 
VG310. From my understanding, VG310 can only support NSE-based Modem 
Passthrough, NSE-based T.38 relay and Cisco Fax Relay hence I would 
need to enable the same on CUBE. What would be the best topology to 
choose in this scenario?


Appreciate any feedback.

Thanks,
Daniel



Re: [cisco-voip] srtp packets

2017-02-15 Thread Daniel Ohnesorge via cisco-voip

Section 3.1 of RFC3711 states:

   The "Encrypted Portion" of an SRTP packet consists of the encryption
   of the RTP payload (including RTP padding when present) of the
   equivalent RTP packet.  The Encrypted Portion MAY be the exact size
   of the plaintext or MAY be larger.  Figure 1 shows the RTP payload
   including any possible padding for RTP [RFC3550].

   None of the pre-defined encryption transforms uses any padding; for
   these, the RTP and SRTP payload sizes match exactly.  New transforms
   added to SRTP (following Section 6) may require padding, and may
   hence produce larger payloads.  RTP provides its own padding format
   (as seen in Fig. 1), which due to the padding indicator in the RTP
   header has merits in terms of compactness relative to paddings using
   prefix-free codes.  This RTP padding SHALL be the default method for
   transforms requiring padding.  Transforms MAY specify other padding
   methods, and MUST then specify the amount, format, and processing of
   their padding.  It is important to note that encryption transforms
   that use padding are vulnerable to subtle attacks, especially when
   message authentication is not used [V02].  Each specification for a
   new encryption transform needs to carefully consider and describe the
   security implications of the padding that it uses.  Message
   authentication codes define their own padding, so this default does
   not apply to authentication transforms.

Hope that helps.

On 2017-02-16 14:58, cisco.voip wrote:

All, can somebody tell me the typical srtp packet size and format vs 
rtp packet size and format of a g711 encoded call.

I cannot find these number anywhere.
Thanks
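
As an added illustration of the RFC 3711 text quoted above (not part of the original thread): the sketch below builds a G.711 RTP packet and its SRTP form using the RFC's NULL cipher with HMAC-SHA1 authentication, so the payload keeps its size, as it does with the pre-defined encryption transforms, and only the authentication tag adds bytes. The 20 ms packetization, key, SSRC and function names are assumptions; real SRTP derives the session key from a master key, which is omitted here.

```python
import hashlib
import hmac
import struct

# Constructed values for the example (not from the thread).
AUTH_KEY = bytes(range(20))      # stand-in 160-bit session auth key; real SRTP
                                 # derives it from the master key (RFC 3711 4.3)
SSRC = 0x1234ABCD
G711_20MS = b"\xff" * 160        # 20 ms of G.711 u-law: 8000 bytes/s * 0.020 s


def build_rtp(seq, timestamp, payload, payload_type=0, ssrc=SSRC):
    """Minimal RTP packet: V=2, no padding, no extension, no CSRC (12-byte header)."""
    header = struct.pack("!BBHII", 0x80, payload_type & 0x7F, seq, timestamp, ssrc)
    return header + payload


def srtp_protect(rtp, auth_key, roc=0, tag_len=10, mki=b""):
    """NULL-cipher SRTP: the payload is carried unchanged, then MKI and tag follow.

    The tag is the leftmost tag_len bytes of HMAC-SHA1 over the RTP header and
    payload followed by the 32-bit rollover counter (ROC); the MKI is not covered.
    """
    mac = hmac.new(auth_key, rtp + struct.pack("!I", roc), hashlib.sha1).digest()
    return rtp + mki + mac[:tag_len]


def srtp_unprotect(srtp, auth_key, roc=0, tag_len=10, mki_len=0):
    """Check the tag and return the RTP packet; raise ValueError on mismatch."""
    if len(srtp) < 12 + mki_len + tag_len:
        raise ValueError("packet too short")
    body = srtp[:len(srtp) - tag_len - mki_len]
    tag = srtp[len(srtp) - tag_len:]
    mac = hmac.new(auth_key, body + struct.pack("!I", roc), hashlib.sha1).digest()
    if not hmac.compare_digest(mac[:tag_len], tag):
        raise ValueError("authentication tag mismatch")
    return body


def layout(packet, tag_len=0, mki_len=0):
    """Byte counts of each region; tag_len=0 and mki_len=0 describe plain RTP."""
    first = packet[0]
    header = 12 + 4 * (first & 0x0F)             # fixed header + CSRC list
    if first & 0x10:                             # X bit: header extension present
        (ext_words,) = struct.unpack_from("!H", packet, header + 2)
        header += 4 + 4 * ext_words
    payload = len(packet) - header - mki_len - tag_len
    if payload < 0:
        raise ValueError("lengths do not fit the packet")
    return {"header": header, "payload": payload, "mki": mki_len,
            "auth_tag": tag_len, "total": len(packet)}


if __name__ == "__main__":
    rtp = build_rtp(seq=1, timestamp=160, payload=G711_20MS)
    print("RTP            ", layout(rtp))
    print("SRTP 80-bit tag", layout(srtp_protect(rtp, AUTH_KEY), tag_len=10))
    print("SRTP 32-bit tag", layout(srtp_protect(rtp, AUTH_KEY, tag_len=4), tag_len=4))
```

The sizes are RTP-layer only; UDP and IP headers are the same for both and are not counted.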


Re: [cisco-voip] Home Cluster in User management

2017-05-23 Thread Daniel Ohnesorge via cisco-voip
Hi Scott,

On the LDAP Directory page you can specify a Feature Group Template.
This applies only to new users and does not affect existing already
imported users. Within the Feature Group Template (User
Management>User/Phone Add) you specify the 'Home Cluster' tick box as
well as IM&P, Service Profile and User Profile. 

Thanks, 

Daniel 

On 2017-05-24 08:31, Scott Voll wrote:

> Is there a way to tick the check mark on Home Cluster automatically with each 
> new user?  we are running 11.5. 
> 
> TIA 
> 
> Scott 
> 