Re: [cisco-voip] setting up firewall security for jabber and/of IP Communicator
No multi-line support or extension mobility on Jabber which means most people can't use it for UCCX yet. You can use it as long as you don't need EM or multiple lines for your agents.

Are you opening it up for people connecting remotely without VPN? If so, you'll want to use a Collab Edge architecture as it's not safe to open up CUCM/IMP directly. If it's just for internal users, you should be good to go with the ACLs.

You shouldn't need to worry about any multicast for Jabber/CIPC outside of MMOH which you mentioned.

On Thu, May 14, 2015 at 2:30 PM, Lelio Fulgenzi le...@uoguelph.ca wrote:

> I'm about to set up firewall security so Jabber clients (and IP Communicator) can access the telephony servers (CUCM, Connection, IMP, UCCx, etc) and I was hoping to get some ideas as to what others have done and if I'm missing anything obvious here.
>
> I'm using the CUCM/IMP port list as well as the Jabber deployment guide to get the Jabber port list.
>
> For the firewall, we are using an ASA appliance pair, v 9.1(3). Typically we build the ACL statements with the source address object group coupled with destination address object group and the destination port object group. I don't think there is a need to build the ACL with a source port object group at this time.
>
> I've also been told that we might have some multicast limitations with the firewall, basically, multicast traffic can't pass through our firewall.
>
> Any comments would be helpful. But I'm wondering, specifically:
>
> - Are people deploying IP Communicator still? For all the benefits of Jabber, I don't see it as a replacement for a softphone with access to all the buttons and apps that are available, like services, directories, conference/join, etc. Does UCCx work with Jabber for example?
> - What have others done for firewall ACL building? Is there a firewall feature set I'm not aware of that will simplify my life?
> - Are there any multicast requirements when deploying Jabber and IPCommunicator? Aside from MoH?
>
> Thanks in advance for any help!
>
> Lelio
>
> ---
> Lelio Fulgenzi, B.A.
> Senior Analyst, Network Infrastructure
> Computing and Communications Services (CCS)
> University of Guelph
> 519‐824‐4120 Ext 56354
> le...@uoguelph.ca
> www.uoguelph.ca/ccs
> Room 037, Animal Science and Nutrition Building
> Guelph, Ontario, N1G 2W1

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
[cisco-voip] setting up firewall security for jabber and/of IP Communicator
I'm about to set up firewall security so Jabber clients (and IP Communicator) can access the telephony servers (CUCM, Connection, IMP, UCCx, etc) and I was hoping to get some ideas as to what others have done and if I'm missing anything obvious here.

I'm using the CUCM/IMP port list as well as the Jabber deployment guide to get the Jabber port list.

For the firewall, we are using an ASA appliance pair, v 9.1(3). Typically we build the ACL statements with the source address object group coupled with destination address object group and the destination port object group. I don't think there is a need to build the ACL with a source port object group at this time.

I've also been told that we might have some multicast limitations with the firewall, basically, multicast traffic can't pass through our firewall.

Any comments would be helpful. But I'm wondering, specifically:

* Are people deploying IP Communicator still? For all the benefits of Jabber, I don't see it as a replacement for a softphone with access to all the buttons and apps that are available, like services, directories, conference/join, etc. Does UCCx work with Jabber for example?
* What have others done for firewall ACL building? Is there a firewall feature set I'm not aware of that will simplify my life?
* Are there any multicast requirements when deploying Jabber and IPCommunicator? Aside from MoH?

Thanks in advance for any help!

Lelio

---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph
519‐824‐4120 Ext 56354
le...@uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1
Re: [cisco-voip] setting up firewall security for jabber and/of IP Communicator
Thanks Brian.

Right now, it's going to be for on-campus users only. We are re-evaluating our NAC solution, so for now, it's going to be limited to a few hard coded subnets that we will be trusting (eeek). I'm hoping that our NAC solution will have some sort of way to ensure that only certain groups of users will be allowed through, but that's for another day.

What do you mean by Collab Edge architecture though? Do you mean ExpressWay C/E? If so, yes, we're going to be looking at that as well as part of the phased approach. Although without a split DNS deployment, we might have some issues. :(

I'm hoping that through some ingenious configuration, we might actually be able to use the EW on-campus for some devices that can't negotiate voice VLANs properly.

Do you see IPCommunicator living a long life? Or has it seen the last of days?

---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph
519‐824‐4120 Ext 56354
le...@uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1

----- Original Message -----
From: Brian Meade bmead...@vt.edu
To: Lelio Fulgenzi le...@uoguelph.ca
Cc: cisco-voip voyp list cisco-voip@puck.nether.net
Sent: Thursday, May 14, 2015 2:47:20 PM
Subject: Re: [cisco-voip] setting up firewall security for jabber and/of IP Communicator

> No multi-line support or extension mobility on Jabber which means most people can't use it for UCCX yet. You can use it as long as you don't need EM or multiple lines for your agents.
>
> Are you opening it up for people connecting remotely without VPN? If so, you'll want to use a Collab Edge architecture as it's not safe to open up CUCM/IMP directly. If it's just for internal users, you should be good to go with the ACLs.
>
> You shouldn't need to worry about any multicast for Jabber/CIPC outside of MMOH which you mentioned.
[cisco-voip] CUCM - MOH Silence
All,

So, I'm a bit rusty this year on trace analysis and I need a second opinion.

From the below screenshot snippets out of TranslatorX, it would appear as though the MOH_3 gets selected, then an AuConnectRequest gets issued, and not but a few seconds later, I see an AuDisconnectRequest.

The caller experience is simply silence on the line while the call is connected (or not connected) to MOH.

If there was another key piece of information I could look for to help myself understand why it disconnected so quickly, what should I look for?

Thanks.

[image: Inline image 1]
Re: [cisco-voip] CUCM - MOH Silence
Not sure about the trace but I would start with basic config check/troubleshooting.

Are you running unicast or multicast MOH?
Is the IP Voice Media Streaming App running on all nodes? (If yes try restarting the service)
Is the MOH resource in the MRG/MRGL?
Are all devices using that MRGL?
Is MOH selected for your codec? (System, Service Parameters, server, IP Voice Media Streaming App)
Have you uploaded a new MOH file? If so try with the default.

I would start there, or try basic ip-phone to ip-phone calls, exclude voice gateways etc and work my way forward.

On Thu, May 14, 2015 at 10:50 PM, Anthony Holloway avholloway+cisco-v...@gmail.com wrote:

> All,
>
> So, I'm a bit rusty this year on trace analysis and I need a second opinion.
>
> From the below screenshot snippets out of TranslatorX, it would appear as though the MOH_3 gets selected, then an AuConnectRequest gets issued, and not but a few seconds later, I see an AuDisconnectRequest.
>
> The caller experience is simply silence on the line while the call is connected (or not connected) to MOH.
>
> If there was another key piece of information I could look for to help myself understand why it disconnected so quickly, what should I look for?
>
> Thanks.
>
> [image: Inline image 1]
[cisco-voip] CUCM Immersive Video Device List
Below is a list of all the devices on CUCM 10.5(2)SU1 that are configured to use the Immersive Video region bandwidth setting.

Does anyone know if there is a way to modify this list? I would like to add the new DX series into the list. Seems like an oversight since the EX are in the list.

Product | Protocol | Feature | Parameters
Cisco TelePresence | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence 1000 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence 1100 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence 1300-47 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence 1300-65 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence 200 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence 3000 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence 3200 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence 400 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence 500-32 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence 500-37 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence Codec C40 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence Codec C60 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence Codec C90 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence EX60 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence EX90 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence IX5000 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence MX200 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence MX200 G2 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence MX300 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence MX300 G2 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence MX700 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence MX800 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence Profile 42 (C20) | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence Profile 42 (C40) | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence Profile 42 (C60) | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence Profile 52 (C40) | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence Profile 52 (C60) | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence Profile 52 Dual (C60) | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence Profile 65 (C60) | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence Profile 65 Dual (C90) | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence Quick Set C20 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence SX10 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence SX20 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence SX80 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence TX1310-65 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence TX9000 | SIP | Immersive Video Support for TelePresence Devices |
Cisco TelePresence TX9200 | SIP | Immersive Video Support for TelePresence Devices |
Generic Multiple Screen Room System | SIP | Immersive Video Support for TelePresence Devices |
Generic Single Screen Room System | SIP | Immersive Video Support for TelePresence Devices |
Re: [cisco-voip] CUCM - MOH Silence
Another common source of this is codec mismatch. So if your ingress region isn't related to the region that MoH is in with the G.711/G.722 bandwidth profile, you'll get this issue. If you get tone-on-hold then it is usually partition/css/tftp related but dead silence is usually codec related.

Thanks,
-r

Date: Thu, 14 May 2015 23:13:40 +0200
From: roger.wikl...@gmail.com
To: avholloway+cisco-v...@gmail.com
Subject: Re: [cisco-voip] CUCM - MOH Silence
CC: cisco-voip@puck.nether.net

> Not sure about the trace but I would start with basic config check/troubleshooting.
>
> Are you running unicast or multicast MOH?
> Is the IP Voice Media Streaming App running on all nodes? (If yes try restarting the service)
> Is the MOH resource in the MRG/MRGL?
> Are all devices using that MRGL?
> Is MOH selected for your codec? (System, Service Parameters, server, IP Voice Media Streaming App)
> Have you uploaded a new MOH file? If so try with the default.
>
> I would start there, or try basic ip-phone to ip-phone calls, exclude voice gateways etc and work my way forward.
>
> On Thu, May 14, 2015 at 10:50 PM, Anthony Holloway avholloway+cisco-v...@gmail.com wrote:
>
> > All,
> >
> > So, I'm a bit rusty this year on trace analysis and I need a second opinion.
> >
> > From the below screenshot snippets out of TranslatorX, it would appear as though the MOH_3 gets selected, then an AuConnectRequest gets issued, and not but a few seconds later, I see an AuDisconnectRequest.
> >
> > The caller experience is simply silence on the line while the call is connected (or not connected) to MOH.
> >
> > If there was another key piece of information I could look for to help myself understand why it disconnected so quickly, what should I look for?
> >
> > Thanks.
Re: [cisco-voip] Sip Trunk - CUCM and Third-party PBX
Typically you can disable SIP INVITE AUTHENTICATION on PBX’s. What kind of PBX is it?

On May 14, 2015, at 1:44 AM, Tim Smith tim.sm...@enject.com.au wrote:

> Hi Claiton,
>
> I don’t think this has changed recently. You can’t do a SIP REGISTER from CUCM directly on a trunk. You need to have something in between, such as a CUBE / Acme, or some other SBC.
>
> I would be pushing the PBX guys to see whether they can do without the registration requirement and just go via IP’s. Or is it temporary? Maybe you can do H323 instead.
>
> Cheers,
> Tim
>
> From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Claiton Campos
> Sent: Monday, 11 May 2015 11:33 PM
> To: cisco-voip@puck.nether.net
> Subject: [cisco-voip] Sip Trunk - CUCM and Third-party PBX
>
> > I have a scenario where I need to create a SIP trunk between a CUCM 10.5 and a third-party PBX. The problem is that the third-party PBX prompts the trunk sip is authenticated through username and password should I register on the CUCM.
> >
> > Has anyone had an experience with this type of configuration on a SIP Trunk?
> >
> > Tks,
[cisco-voip] changing vCPU count in cluster
5 node 10.5.2 ccm cluster, each node based on the 2,500 user OVA.

The OVA deploys with one vCPU, however, the docwiki (http://docwiki.cisco.com/wiki/Virtualization_for_Cisco_Unified_Communications_Manager_(CUCM)#Notes_on_2500_user_VM_configurations) shows that it may be advisable to deploy with 2 vCPU on the VM.

So my question is that in my running 5 node cluster; what would be the best way to do that? Power off one VM at a time, add the vCPU and then power back on? Should I do the pub first etc?

Thanks,
Ryan
Re: [cisco-voip] Sip Trunk - CUCM and Third-party PBX
Username and password does not necessarily mean REGISTER unless they specifically said so of course.

Proxy authentication is another way to authenticate with username/password. That you can configure under User Management - SIP Realm.

When you place an outbound call to the third-party PBX they will respond with 407 (Proxy Authentication Required) and include a SIP Realm. CUCM will match that with configured SIP Realm and create a new INVITE with configured credentials.

On Mon, May 11, 2015 at 3:33 PM, Claiton Campos claitoncam...@gmail.com wrote:

> I have a scenario where I need to create a SIP trunk between a CUCM 10.5 and a third-party PBX. The problem is that the third-party PBX prompts the trunk sip is authenticated through username and password should I register on the CUCM.
>
> Has anyone had an experience with this type of configuration on a SIP Trunk?
>
> Tks,
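
The 407 challenge and re-sent INVITE described in the reply above, worked through as an added example that is not part of the original message and is not CUCM's own code. It assumes the PBX uses RFC 2617 MD5 digest authentication; the sample 407, the realm table `SIP_REALMS`, the credentials and all function names are constructed for illustration.

```python
import hashlib
import re

# Constructed 407 from a hypothetical third-party PBX (not captured traffic).
SAMPLE_407 = (
    "SIP/2.0 407 Proxy Authentication Required\r\n"
    "CSeq: 101 INVITE\r\n"
    'Proxy-Authenticate: Digest realm="pbx.example.net", '
    'nonce="5f2a9c0e7b41", algorithm=MD5, qop="auth"\r\n'
    "Content-Length: 0\r\n\r\n"
)
# Stand-in for a realm -> (user, password) table; values are constructed.
SIP_REALMS = {"pbx.example.net": ("cucm-trunk", "constructed-secret")}


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_challenge(message):
    """Return the Digest parameters of the Proxy-Authenticate header."""
    m = re.search(r"^Proxy-Authenticate:\s*Digest\s+(.*)$", message, re.I | re.M)
    if not m:
        raise ValueError("no Digest challenge in message")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', m.group(1))
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}


def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 MD5 digest; with qop=auth the nc and cnonce are mixed in."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def proxy_authorization(message, method, uri, realms, cnonce, nc="00000001"):
    """Build the header for the re-sent request, or refuse to answer."""
    ch = parse_challenge(message)
    if ch.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("unsupported digest algorithm")
    if ch["realm"] not in realms:
        # Unknown realm: send no credentials rather than guess.
        raise LookupError(f"no credentials configured for {ch['realm']}")
    user, password = realms[ch["realm"]]
    offered = [q.strip() for q in ch.get("qop", "").split(",")]
    qop = "auth" if "auth" in offered else None
    resp = digest_response(user, ch["realm"], password, method, uri,
                           ch["nonce"], qop, nc, cnonce)
    header = (f'Proxy-Authorization: Digest username="{user}", '
              f'realm="{ch["realm"]}", nonce="{ch["nonce"]}", uri="{uri}", '
              f'response="{resp}", algorithm=MD5')
    if qop:
        header += f', qop={qop}, nc={nc}, cnonce="{cnonce}"'
    return header


if __name__ == "__main__":
    import secrets
    print(proxy_authorization(SAMPLE_407, "INVITE", "sip:2000@pbx.example.net",
                              SIP_REALMS, secrets.token_hex(8)))
```

The password never crosses the wire, only the MD5 response bound to the PBX's nonce; the realm in the challenge is what selects which credentials are used, so a challenge for an unconfigured realm gets no answer.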