Feature I have wanted to do for ages: SSLVPN for Phones!!!

Hi Guys!

I have always always wanted to try the SSL VPN feature for phones, I have always thought what a great idea, So let's start looking at how to make it happen!



Cool new N7k feature

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/itd/configuration/guide/b-Cisco-Nexus-7000-Series-Intelligent-Traffic-Director-Configuration-Guide-Release-6x/b-Cisco-Nexus-7000-Series-Intelligent-Traffic-Director-Configuration-Guide-Release-6x_configuring-itd.html

It's a built in load balancer! Wish I had a 7k to try it on!

Cisco Jabber: Huge Improvements, Part 1 of 6 - Initial Jabber Setup



Hi  Guys!

I am pleased to finally be able to say I would be happy to recommend and deploy Cisco Jabber for customers ahead of Microsoft Lync.

I may bleed Cisco Green/Blue but even I could not defend Cisco Jabber over Microsoft Lync, the list of features were simply too much in Microsoft's Favour.

However with the most recent releases, Cisco have added some major features each of which we will cover in these blog posts.



  • Collaboration Edge, which is basically a repurposed VCS Express that allows external users of jabber to use jabber without having to VPN in first. This is an absolute boon: Although Anyconnect for PC's and mobile devices tried doing some fancy tricks like seeing what local domain name you had and launching VPN's based on this, it would often not work that well. Collaboration edge is a far superior method and we will be covering it later in this 5 part series.
  • Jabber SDK, which allows you to integrate Jabber into your webpages, think of things like live chats on your website that could go straight to your corporate IM platform (perhaps to people who run your cold-call campaigns etc.)
  • A universal directory service, which we will go into in more detail but essentially means there's no need to configure a complicated LDAP setup in order to get good directory support: Directory information can be pulled from outlook and other locations as well as CUCM itself
  • Instant Message logging for compliance purposes, so you can log instant messaging just like you would email which could be important for your organisation.
  • Finally, Jabber integration amongst organisations via XMPP allowing you to federate with other organisations, this is also possible with SIP.
Jabber is worth checking out: you are entitled to it as part of your CUCM installation completely for free so why not!

This first entry will look at Jabber setup and configuration, which is actually very simple and straightforward.

Let's get into it!


In this article I have assumed that you have already got the basics of IM and Presence, FYI incase you have been away from jabber for a long time (like I had been, having almost given up on it since it looked like a windows 3.11 app). Cisco are trying very hard to integrate Jabber into the core product. It is not unreasonable at all to assume that the Cisco IM and Presence server will eventually disappear completely and all tasks will be undertaken within the CUCM app. For now to add presence you simply install the IM and Presence server as another server like you would add a subscriber:


Once this is done, install the CUCM IM & Presence Server (hence forth referred to as  IMP) just like you would a CUCM subscriber. There is very little you have to configure on the IMP server.  


To make a user a jabber user, you just enable it for the user by selecting the service profile and enabling it for the user:



It's really quite straightforward! Technically your user is now 100 percent enabled for Instant messaging, of course without a good directory and some infrastructure setup etc. it won't be a great experience but this could certainly get you off the ground.

Jabber now relies heavily on good certificates and good DNS information. These are two technologies that I find a lot of System Administrators struggling with, How many of you are still using the default self-signed CUCM Certificate? Start getting used to certificates, they are going to be the defacto security method within a very short period of time (for an example of how useful certificates can be, check out my blog post: http://www.ccierants.com/2013/12/ccie-rants-christmas-special-ssh-keys.html which describes securing routers with SSH keys.


OK, so with all of this in mind, let's take the next step, Install the latest jabber client which is actually pretty nice on MAC and try to sign in, you will be presented with the option for manual setup, since we have not setup any DNS we can't have jabber just sign in for us by automatically discovering the server but we will take a look at that later.




When you go to sign into the server, you will be presented with an invalid certificate error like the following:
This can be annoying for your users, so I recommend that you install a proper certificate. 

Assuming you don't ever want to go into this trouble, you can configure a DNS entry for your clients that points straight to your server, this way when the clients initially try and connect they will perform a DNS lookup.

The following document from Cisco: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/9_7/CJAB_BK_C606D8A9_00_cisco-jabber-dns-configuration-guide.pdf is a ridiculously good document describing the DNS implications for Jabber, I won't go into every detail but suffice to say you need to know if your running split DNS or two separate domains (for example, ccierants.local vs ccierants.com) 


The first two SRV DNS records that are looked for and should ONLY be discoverable for your internal domain are: _cisco-uds or _cuplogin, if these are not available jabber assumes that it's not in the internal domain and looks for _collab-edge SRV records.

So you can see with some good DNS setup you would be able to have this automatically sign in.

Your probably asking at this point wait a minute I thought this whole article was about federation: I promise it still is, but before you get into federation you need to be aware of how important DNS is to getting federation working correctly, and this provides a gentle introduction to DNS so you can see the idea's and benefits behind it.

Next, let's take a quick look at how to do your certificates properly so we can avoid those nasty error messages from appearing on end users desktops which I am sure we all want to avoid.

You have three options of dealing with Cert's as per the great cisco document here:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html
Method 1: Users simply click Accept to all certificate popups. This might be the most ideal solution for smaller environments. If you click Accept, certificates are placed into the Enterprise Trust store on the device. After certificates are placed in the Enterprise Trust store, users are no longer prompted when they log into the Jabber Client on that local device.

Method 2: The required certificates (Table 2) are downloaded from the individual servers (by default, these are self-signed certificates) and installed into the Enterprise Trust store of the user device. This might be the ideal solution if your environment does not have access to a Private or Public CA for certificate signing.

Method 3: A Public or Private CA (Table 2) signs all of the required certificates. This is the Cisco recommended method. This method requires that a Certificate Signing Request (CSR) is generated for each of the certificates, is signed, re-uploaded to the server, and then imported to the Trusted Root Certificate Authorities Store on user devices. See the Generate a CSR and the How do I get certificates to user devices certificate stores? sections of this document for more information.


The first method is the least desirable but sometimes the Windows Administrator will not have setup his Certificate Authority correctly or he may not have set one up at all! If he is worth his salt, he will have installed and correctly configured a CA enviroment as they are critically important in most major windows applications these days.

Assuming this is the case, when the user goes to sign into jabber they will be prompted to accept the cert:



If the cert is accepted, it will be added to the enterprise trust store as shown in the screenshot below:




Incidentally, this is where you need to go if you need to delete a certificate from the trust store for some reason for Cisco Jabber.


Method 2 is a bit better as basically you use group policy to automatically install the certificate into the users enterprise trust store so that they do not have to accept the cert, and they will not ever receive the popup box. But this will only work for Windows devices or devices that can accept a group policy update.


The best method is method 3, using a proper CA to present the certificate. You could do this with a private or public CA, Private CA is a good option if you mostly have windows and mac clients as you can get them to trust your root CA, if you have a lot of iphones and Ipad's it can be a bit more troublesome as you will need a method to get the root CA's generated by your private CA onto the devices which can be labour-intensive unless you have good mobile device management. So for those kind of deployments you might consider using a public CA, but be warned this can cost money.

I am going to assume that your going with Method 3, Private CA for the rest of this tutorial.

So, if you decide to go with the Private CA method, you need to login to Jabber and go to OS administration, from here you should go to Security -> Certificate Management


From here you want to click on the generate CSR button:
 Enter 2048 for the encryption but continue to use tomcat as the CSR method



 Once this is done, click "Download CSR" on the previous page.

This is the Certificate Signing request that (hopefully) your Windows System admin will know how to enroll into his CA and with any luck he should send you back a shiney certificate, ask him to export it as BASE64 if possible. Ask him to also export the trusted root CA cert so we can import this into jabber too.

Once this is done, you need to import the certificate, click on "Upload/Download" Certificate.



The first thing you need to do is import the trusted root CA, select tomcat-trust from the dropdown:


Upload the file, once this is done, click upload certificate again but this time select "tomcat" only from the drop down list.

Once you have uploaded this, you will need to restart tomcat:

admin:utils service restart Cisco Tomcat
 Don't press Ctrl-c while the service is getting RESTARTED.If Service has not Restarted Properly, execute the same Command Again
Service Manager is running
Cisco Tomcat[STOPPING]
Cisco Tomcat[STOPPING]
Cisco Tomcat[STOPPING]
Cisco Tomcat[STOPPING]
Cisco Tomcat[STARTING]
Cisco Tomcat[STARTING]
Cisco Tomcat[STARTING]
Cisco Tomcat[STARTING]
Cisco Tomcat[STARTED]


Once this is done, you should be able to test if your certificate has installed correctly and is trusted correctly by simply logging into your CUCM IM & P webpage and ensuring a valid certificate is presented. you will need to ensure you are visting the page via it's DOMAIN NAME as the certificate will be signed against the domain name: Remember: it's important to get used to using DNS from now on, Jabber and IM really relies on it, and once IPv6 is more widely deployed all us network engineers are going to be relying on DNS a lot more!


Once this is done, you should be able to login to Jabber without any error messages or any extra configuration required for users, just login and start enjoying!

It's important to note that if your integrating with CUCM or Webex or Unity Connection, all of these applications will ALSO present certificates to your jabber client, thus you will have to perform the exact same actions with these applications.

I hope you have enjoyed this blog post and look forward to writing the next one for you. Jabber is finally good!



Popular old posts.