Re: [cisco-voip] UCCx 10.5 custom stored procedure for reporting

2016-04-07 Thread Justin Steinberg 
i haven't experienced this issue before.Care to share your stored
procedure ?

On Thu, Apr 7, 2016 at 6:06 PM, Bill Talley  wrote:

> Hi all,
>
> Has anyone imported custom stored procedures into the db_cra for use in
> CUIC?  I'm having an issue getting a new stored proc loaded using either
> RazorSQL or AGS Server Studio.  From what I've read, I need to execute the
> stored proc; however, when I do that I get an error that uccxhruser doesn't
> have permission to execute the stored proc.  It seems I can't apply
> permissions to the uccxhruser account on the stored proc until the stored
> proc is loaded.   Would anyone have any tips on how I can go about getting
> the stored proc loaded to the database?
>
> Hopefully this makes sense to someone ;-)
>
> TIA,
> Bill
>
> ___
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

[cisco-voip] H323 call rejection using Translation Profile not working

2016-04-07 Thread Jeffrey Girard 
All –
Playing around with call blocking using an H.323 gateway.

Gateway has an FXO port and it is configured as an H323 GW to a 
CUCM.

Here is the code

voice translation-rule 1
rule 1 reject /1000/
exit

voice translation-profile call_block
translate calling 1
exit

dial-peer voice 100 pots
answer-address 1000
translation-profile incoming call_block
call-block translation-profile incoming call_block
call-block disconnect-cause call-reject

If I do a test of the translation profile using
Test voice translation-rule 1 /1000/
I get
/1000/ blocked on rule 1

However, when I have debug voice dialpeer enabled, I see that the incoming call 
matches on the correct dial peer (dial peer 100) and then continues to process 
and searches for an outbound dial peer.

I have tried several variations.  I have taken out the “translation-profile 
incoming call_block” command from the dial peer.  I have tried adding the 
command “translation-profile incoming call_block” directly to the voice port.

In all instances, the correct incoming dial peer matches, but then it seems 
like the translation profile does not get called.

Any thoughts?

Jeff
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Re: [cisco-voip] Digicert Wildcard cert

2016-04-07 Thread Norton, Mike 
I use Digicert wildcard certs a lot for totally unrelated uses. Just did one 
yesterday. I have never seen them want to generate the private key for me. That 
would be silly. If anyone other than me had the private key, then it wouldn’t 
be very private, would it? Maybe there is a way to have them generate the 
private key, but I can confirm it certainly isn’t mandatory.

After submitting the CSR, before signing, they do allow you to change the CN to 
wildcard on their site.

They do allow you to get multiple certs with the same wildcard CN using 
different keypairs. They call it “Get a duplicate” and it doesn’t cost anything 
extra.

The only piece I’m not sure about is if they allow multiple SANs on a wildcard 
cert. Other than possibly that, I know the rest is doable.

Like I said, I am using them for non-UC stuff. If Cisco says they don’t support 
it then I’d be hesitant to do it even if it is doable.

-mn


From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of 
Daniel Ohnesorge via cisco-voip
Sent: April-07-16 4:18 PM
To: ryanh...@outlook.com; jcolon...@gmail.com; Cisco VOIP 

Cc: Cisco VOIP 
Subject: Re: [cisco-voip] Digicert Wildcard cert

Jose,

A few things to know; most wildcard certs from Verisign, GoDaddy etc. generate 
a key pair (private and public key) for you and send you a passphrase protected 
.pfx or .p12 file which can then be imported to IIS, Apache or any application 
(even Expressway for that matter). CUCM however does not allow private key 
import as it sees it a security risk and mandates that keys must be generated 
on CUCM via CSR.

The next thing to know is how CUCM deals with changes between its CSR and the 
certificate. The rule is that the Common Name of the CSR doesn't have to match 
but the SAN entries must match. So if you generate a Multi-SAN certificate CSR, 
CUCM will automatically put all CUCM/CUPS nodes in the list and you/the CA are 
expected to ensure those entries match. Theoretically, the CA could change the 
Common Name to *.domain.com during signing and you could 
actually import it in to CUCM. The challenge here is a) finding a CA which 
allows distinct individual keys/certs for the same wildcard Common Name and b) 
finding a CA that allows multiple SAN entries although the Common Name is a 
wildcard.

You would be better off to work with the CA to refund the Wildcard certificate 
and swap it with a Multi-SAN product.

Sent from my iPhone

On 8 Apr 2016, at 07:34, Ryan Huff 
> wrote:
As far as I am aware, true wildcard certificates (*.domain.tld) are not 
supported with UCOS (despite whether they work or not).

Thanks,

Ryan

On Apr 7, 2016, at 5:30 PM, Jose Colon II 
> wrote:
After reading the numerous posts saying that the wildcard certs would work I 
purchased the wild card cert. Just wondering how people got them to work.

Thanks

On Thu, Apr 7, 2016 at 4:24 PM, Ryan Huff 
> wrote:
Jose,

I believe what you want are multi server (SAN) certificates for tomcat. You 
specify the distribution when generating the CSR.

Thanks,

Ryan

> On Apr 7, 2016, at 5:21 PM, Jose Colon II 
> > wrote:
>
> I have read a lot on forums that the digicert wildcard certs work great for 
> UC apps as long as I am on 10.5 which I am.
>
> Can someone lay out the process of uploading these certs as I am having a 
> hard time with them. What format do I need them. What cert goes where etc.
>
> Thanks in advance.
>
> Jose
> ___
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Re: [cisco-voip] Digicert Wildcard cert

2016-04-07 Thread Daniel Ohnesorge via cisco-voip 
Jose,

A few things to know; most wildcard certs from Verisign, GoDaddy etc. generate 
a key pair (private and public key) for you and send you a passphrase protected 
.pfx or .p12 file which can then be imported to IIS, Apache or any application 
(even Expressway for that matter). CUCM however does not allow private key 
import as it sees it a security risk and mandates that keys must be generated 
on CUCM via CSR. 

The next thing to know is how CUCM deals with changes between its CSR and the 
certificate. The rule is that the Common Name of the CSR doesn't have to match 
but the SAN entries must match. So if you generate a Multi-SAN certificate CSR, 
CUCM will automatically put all CUCM/CUPS nodes in the list and you/the CA are 
expected to ensure those entries match. Theoretically, the CA could change the 
Common Name to *.domain.com during signing and you could actually import it in 
to CUCM. The challenge here is a) finding a CA which allows distinct individual 
keys/certs for the same wildcard Common Name and b) finding a CA that allows 
multiple SAN entries although the Common Name is a wildcard.

You would be better off to work with the CA to refund the Wildcard certificate 
and swap it with a Multi-SAN product.

Sent from my iPhone

> On 8 Apr 2016, at 07:34, Ryan Huff  wrote:
> 
> As far as I am aware, true wildcard certificates (*.domain.tld) are not 
> supported with UCOS (despite whether they work or not).
> 
> Thanks,
> 
> Ryan
> 
> On Apr 7, 2016, at 5:30 PM, Jose Colon II  wrote:
> 
>> After reading the numerous posts saying that the wildcard certs would work I 
>> purchased the wild card cert. Just wondering how people got them to work. 
>> 
>> Thanks
>> 
>>> On Thu, Apr 7, 2016 at 4:24 PM, Ryan Huff  wrote:
>>> Jose,
>>> 
>>> I believe what you want are multi server (SAN) certificates for tomcat. You 
>>> specify the distribution when generating the CSR.
>>> 
>>> Thanks,
>>> 
>>> Ryan
>>> 
>>> > On Apr 7, 2016, at 5:21 PM, Jose Colon II  wrote:
>>> >
>>> > I have read a lot on forums that the digicert wildcard certs work great 
>>> > for UC apps as long as I am on 10.5 which I am.
>>> >
>>> > Can someone lay out the process of uploading these certs as I am having a 
>>> > hard time with them. What format do I need them. What cert goes where etc.
>>> >
>>> > Thanks in advance.
>>> >
>>> > Jose
>>> > ___
>>> > cisco-voip mailing list
>>> > cisco-voip@puck.nether.net
>>> > https://puck.nether.net/mailman/listinfo/cisco-voip
> ___
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
> 

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

[cisco-voip] UCCx 10.5 custom stored procedure for reporting

2016-04-07 Thread Bill Talley 
Hi all,

Has anyone imported custom stored procedures into the db_cra for use in
CUIC?  I'm having an issue getting a new stored proc loaded using either
RazorSQL or AGS Server Studio.  From what I've read, I need to execute the
stored proc; however, when I do that I get an error that uccxhruser doesn't
have permission to execute the stored proc.  It seems I can't apply
permissions to the uccxhruser account on the stored proc until the stored
proc is loaded.   Would anyone have any tips on how I can go about getting
the stored proc loaded to the database?

Hopefully this makes sense to someone ;-)

TIA,
Bill
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Re: [cisco-voip] Digicert Wildcard cert

2016-04-07 Thread Ryan Huff 
As far as I am aware, true wildcard certificates (*.domain.tld) are not 
supported with UCOS (despite whether they work or not).

Thanks,

Ryan

On Apr 7, 2016, at 5:30 PM, Jose Colon II 
> wrote:

After reading the numerous posts saying that the wildcard certs would work I 
purchased the wild card cert. Just wondering how people got them to work.

Thanks

On Thu, Apr 7, 2016 at 4:24 PM, Ryan Huff 
> wrote:
Jose,

I believe what you want are multi server (SAN) certificates for tomcat. You 
specify the distribution when generating the CSR.

Thanks,

Ryan

> On Apr 7, 2016, at 5:21 PM, Jose Colon II 
> > wrote:
>
> I have read a lot on forums that the digicert wildcard certs work great for 
> UC apps as long as I am on 10.5 which I am.
>
> Can someone lay out the process of uploading these certs as I am having a 
> hard time with them. What format do I need them. What cert goes where etc.
>
> Thanks in advance.
>
> Jose
> ___
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Re: [cisco-voip] Digicert Wildcard cert

2016-04-07 Thread Jose Colon II 
After reading the numerous posts saying that the wildcard certs would work
I purchased the wild card cert. Just wondering how people got them to work.

Thanks

On Thu, Apr 7, 2016 at 4:24 PM, Ryan Huff  wrote:

> Jose,
>
> I believe what you want are multi server (SAN) certificates for tomcat.
> You specify the distribution when generating the CSR.
>
> Thanks,
>
> Ryan
>
> > On Apr 7, 2016, at 5:21 PM, Jose Colon II  wrote:
> >
> > I have read a lot on forums that the digicert wildcard certs work great
> for UC apps as long as I am on 10.5 which I am.
> >
> > Can someone lay out the process of uploading these certs as I am having
> a hard time with them. What format do I need them. What cert goes where etc.
> >
> > Thanks in advance.
> >
> > Jose
> > ___
> > cisco-voip mailing list
> > cisco-voip@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-voip
>
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Re: [cisco-voip] Digicert Wildcard cert

2016-04-07 Thread Ryan Huff 
Jose,

I believe what you want are multi server (SAN) certificates for tomcat. You 
specify the distribution when generating the CSR.

Thanks,

Ryan

> On Apr 7, 2016, at 5:21 PM, Jose Colon II  wrote:
> 
> I have read a lot on forums that the digicert wildcard certs work great for 
> UC apps as long as I am on 10.5 which I am.
> 
> Can someone lay out the process of uploading these certs as I am having a 
> hard time with them. What format do I need them. What cert goes where etc. 
> 
> Thanks in advance.
> 
> Jose
> ___
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

[cisco-voip] Digicert Wildcard cert

2016-04-07 Thread Jose Colon II 
I have read a lot on forums that the digicert wildcard certs work great for
UC apps as long as I am on 10.5 which I am.

Can someone lay out the process of uploading these certs as I am having a
hard time with them. What format do I need them. What cert goes where etc.

Thanks in advance.

Jose
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Re: [cisco-voip] cisco prime collaboration provisioning

2016-04-07 Thread Daniel Ohnesorge via cisco-voip 
Greenfield deployment? It's awesome, will use it every time. Brownfield 
deployment? No where near production ready. 

TAC typically escalate every case to the BU if anything goes wrong and most 
cases end up with you, TAC and developers on a WebEx.

I see a lot of potential with the product and at Live they market it as the new 
interface for everything which is fine but it still needs to mature and needs 
more development attention.

Sent from my iPhone

> On 8 Apr 2016, at 05:53, Scott Voll  wrote:
> 
> Anybody using it?  worth my time?  personal opinions?
> 
> Scott
> ___
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
> 
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Re: [cisco-voip] static.....7961 / plantronics savi?????

2016-04-07 Thread Scott Voll 
I will have to look at Jitter.  the static happens as soon as you have dial
tone.

Firmware version is 9.4.2sr1-1s

everything runs G711 both WAN and LAN.

 Brian -- We are doing BIB call recording but it happens with simple dial
tone so I don't think your bug is what I'm up against and my firmware is
newer.

Scott




On Thu, Apr 7, 2016 at 9:23 AM, Ryan Huff  wrote:

> Does the average/max jitter change for the phone significantly when the
> static is present (versus when it is not)?
>
> Which codec (I assume g.711) and what 41/61 load are you using?
>
> Thanks,
>
> Ryan
>
> > On Apr 7, 2016, at 12:12 PM, Scott Voll  wrote:
> >
> > I'm running CM 10.5.  Everyone is Extension Mobility
> >
> > I have a 7961 phone.
> >
> > we have plantronic savi 74x series headsets.
> >
> > I have a headset that the user is complaining about static on the
> headset.
> >
> > So in normal fashion we have:
> >
> > 1. replaced headset
> > 2. replaced the base unit for the headset
> > 3. replaced the cables to and from the base unit
> > 4. replaced the 7961
> >
> > So interesting after replacing the 7961 the static went away.
> >
> > next day the static is back
> >
> > so further troubleshooting the next day unplug each cable from the
> device of the base and the cable that runs to the phone is unplugged and
> the static goes away. plug it back in and the static is there.
> >
> > So reboot the phone.  soon as the phone reboots the static is gone.
> hours later the static comes back.  reset the phone and static is gone.
> >
> > Anyone have a clue as to what the root issue maybe?  Everything has been
> replaced once.
> >
> > other ideas?
> >
> > TIA
> >
> > Scott
> > ___
> > cisco-voip mailing list
> > cisco-voip@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-voip
>
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Re: [cisco-voip] static.....7961 / plantronics savi?????

2016-04-07 Thread Brian Meade 
Are you doing call recording via BIB?

If so, maybe this bug?
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsx19401

On Thu, Apr 7, 2016 at 12:11 PM, Scott Voll  wrote:

> I'm running CM 10.5.  Everyone is Extension Mobility
>
> I have a 7961 phone.
>
> we have plantronic savi 74x series headsets.
>
> I have a headset that the user is complaining about static on the headset.
>
> So in normal fashion we have:
>
> 1. replaced headset
> 2. replaced the base unit for the headset
> 3. replaced the cables to and from the base unit
> 4. replaced the 7961
>
> So interesting after replacing the 7961 the static went away.
>
> next day the static is back
>
> so further troubleshooting the next day unplug each cable from the device
> of the base and the cable that runs to the phone is unplugged and the
> static goes away. plug it back in and the static is there.
>
> So reboot the phone.  soon as the phone reboots the static is gone.  hours
> later the static comes back.  reset the phone and static is gone.
>
> Anyone have a clue as to what the root issue maybe?  Everything has been
> replaced once.
>
> other ideas?
>
> TIA
>
> Scott
>
> ___
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Re: [cisco-voip] Cisco UCM with Skype for Business

2016-04-07 Thread Ki Wi 
Hi Daniel,
I guess the intra-domain federation is not the way to go as long as the
"jabber for everyone" work for field staffs who doesn't need telephony
function. Simple IM function fits their requirement.

Thanks for the tips on MFA. I will explore more on this.

Regards,
Kin Wai

On Thu, Apr 7, 2016 at 2:07 PM,  wrote:

> Hi KiWi,
>
> Intra-domain federation definitely covers the scenario where some users
> are on 1 system while others are on another. In-fact it was designed more
> as a migration tool to eventually migrate everyone to Cisco. If user kiwi
> is IM enabled on SfB/Lync, he/she must not be IM enabled on Cisco
> IM/Presence. If the hard phone is controlled by CUCI-Lync, then CUCI-Lync
> can instruct Lync to change to status to Orange/Busy but that is coming
> from Lync and nothing to do with CUPS.
>
> MFA on ADFS 3.0 works really well as does OpenAM - you could have 1st
> factor as username/password, 2nd factor as TOTP time based token code (like
> Google Authenticator). With regards to Client Certificates, they themselves
> should be treated as a 2nd factor as if you were to logon to another device
> that did not have the cert, login would fail. But more traditional 2FA
> would use TOTP which can be integrated with both ADFS and OpenAM.
>
>
>
> On 2016-04-07 15:48, Ki Wi wrote:
>
> Daniel,
> for 2 ways intra-domain federation. I suppose if covers scenario whereby
> some users are on Jabber and some users are on SfB as documented.
>
> For example user "Ki Wi, k...@mycompany.com" uses SfB clients and uses
> cisco hardphone. I answered on my hardphone. Will IM update SfB that Ki
> Wi is busy/on the phone?
>
> If everyone is using SfB clients only then it will be fine but most of the
> time, the client already have a lot of hard phones deployed or they simply
> prefers hardphone.
>
> Multi-factor authentication via ADFS 3.0 . Anyone tried it? What is
> choosen?
> I believe on mobile client, it might be a challenge to present additional
> "factor" such as client certificate.
>
> Regards,
> Ki Wi
>
> On Thu, Apr 7, 2016 at 12:01 PM,  wrote:
>
>> No Worries KiWi
>>
>> Regarding Presence, Partitioned Intra-Domain Federation supports two-way
>> IM and Presence so you should be covered there. Regarding your security
>> concerns, this can also be done. For example, you can achieve Multi-Factor
>> Authentication out of the box using SAML SSO products (ADFS 3.0 and OpenAM
>> both support MFA) which is supported over Expressway. If using Client
>> Certificates for said authentication, you could have an MDM solution like
>> Mobile Iron be the only way to distribute the certificates using SCEP. DDoS
>> protection can always be achieved by ASA or 3rd Party Firewall.
>>
>> On 2016-04-07 13:08, Ki Wi wrote:
>>
>> Hi Matt, Alastair & Daniel,
>> thanks!
>>
>> Looks like the deployment choices doesn't change much since OCS days
>> except the additional of VCS option now only.
>> For presence, seems like there's this product but I'm not sure it is 1
>> way or 2 way sync. Seems like UCM to Lync only.
>>
>> http://www.bridgeoc.com/products/licc/licc.htm
>>
>> Jabber is a fantastic application which client is using now. However,
>> when it comes to Jabber on mobile via expressway. It is lacking of security
>> measures in place.
>>
>> The client I have is very concern about identify theft for higher
>> management. Therefore, single factor authentication is not sufficient. They
>> wanted every client authenticating via expressway to be MDM managed. This
>> is not available today and SFB apparently have a lot of 3rd party
>> applications doing this. One of them is skypeshield which I found online.
>>
>> Jabber for everyone users are able to use expressway for free right? I
>> saw on other threads here. Someone answered yes.
>>
>> Regards,
>> Ki Wi
>>
>> On Wed, Apr 6, 2016 at 9:15 PM, Matt Slaga (AM) <
>> matt.sl...@dimensiondata.com> wrote:
>>
>>> Another option, although not perfect, is using a hardware device like a
>>> Kuandobox.
>>>
>>>
>>>
>>> http://www.plenom.com/products/kuandobox/
>>>
>>>
>>>
>>> Works well in cube environments, but not so well in offices, or places
>>> where users use speakerphone often.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *From:* cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] *On
>>> Behalf Of *Alastair Watts
>>> *Sent:* Wednesday, April 6, 2016 8:28 AM
>>> *To:* kiwi.vo...@gmail.com; dan...@ohnesorge.me
>>> *Cc:* cisco-voip@puck.nether.net
>>> *Subject:* Re: [cisco-voip] Cisco UCM with Skype for Business
>>>
>>>
>>>
>>>
>>>
>>> I echo Daniel's comments below regarding the Lync/SfB integration, and
>>> recommend that you look at the reasons why you're choosing to integrate SfB
>>> - particularly with voice/video or with SfB mobile clients.
>>>
>>>
>>>
>>> In the last few months, Cisco acquired Acano, whose portfolio of
>>> products can assist with bridging SfB and CUCM when joining the two is
>>> required.
>>>
>>>
>>>
>>> I strongly recommend

Re: [cisco-voip] Cisco UCM with Skype for Business

2016-04-07 Thread Daniel Ohnesorge via cisco-voip 
 

Hi KiWi, 

Intra-domain federation definitely covers the scenario where some users
are on 1 system while others are on another. In-fact it was designed
more as a migration tool to eventually migrate everyone to Cisco. If
user kiwi is IM enabled on SfB/Lync, he/she must not be IM enabled on
Cisco IM/Presence. If the hard phone is controlled by CUCI-Lync, then
CUCI-Lync can instruct Lync to change to status to Orange/Busy but that
is coming from Lync and nothing to do with CUPS. 

MFA on ADFS 3.0 works really well as does OpenAM - you could have 1st
factor as username/password, 2nd factor as TOTP time based token code
(like Google Authenticator). With regards to Client Certificates, they
themselves should be treated as a 2nd factor as if you were to logon to
another device that did not have the cert, login would fail. But more
traditional 2FA would use TOTP which can be integrated with both ADFS
and OpenAM. 

On 2016-04-07 15:48, Ki Wi wrote: 

> Daniel, 
> for 2 ways intra-domain federation. I suppose if covers scenario whereby some 
> users are on Jabber and some users are on SfB as documented. 
> 
> For example user "Ki Wi, k...@mycompany.com" uses SfB clients and uses cisco 
> hardphone. I answered on my hardphone. Will IM update SfB that Ki Wi is 
> busy/on the phone? 
> 
> If everyone is using SfB clients only then it will be fine but most of the 
> time, the client already have a lot of hard phones deployed or they simply 
> prefers hardphone. 
> 
> Multi-factor authentication via ADFS 3.0 . Anyone tried it? What is choosen? 
> I believe on mobile client, it might be a challenge to present additional 
> "factor" such as client certificate. 
> 
> Regards, 
> Ki Wi 
> 
> On Thu, Apr 7, 2016 at 12:01 PM,  wrote:
> 
> No Worries KiWi 
> 
> Regarding Presence, Partitioned Intra-Domain Federation supports two-way IM 
> and Presence so you should be covered there. Regarding your security 
> concerns, this can also be done. For example, you can achieve Multi-Factor 
> Authentication out of the box using SAML SSO products (ADFS 3.0 and OpenAM 
> both support MFA) which is supported over Expressway. If using Client 
> Certificates for said authentication, you could have an MDM solution like 
> Mobile Iron be the only way to distribute the certificates using SCEP. DDoS 
> protection can always be achieved by ASA or 3rd Party Firewall. 
> 
> On 2016-04-07 13:08, Ki Wi wrote: 
> 
> Hi Matt, Alastair & Daniel, 
> thanks! 
> 
> Looks like the deployment choices doesn't change much since OCS days except 
> the additional of VCS option now only. 
> For presence, seems like there's this product but I'm not sure it is 1 way or 
> 2 way sync. Seems like UCM to Lync only. 
> 
> http://www.bridgeoc.com/products/licc/licc.htm [1] 
> 
> Jabber is a fantastic application which client is using now. However, when it 
> comes to Jabber on mobile via expressway. It is lacking of security measures 
> in place. 
> 
> The client I have is very concern about identify theft for higher management. 
> Therefore, single factor authentication is not sufficient. They wanted every 
> client authenticating via expressway to be MDM managed. This is not available 
> today and SFB apparently have a lot of 3rd party applications doing this. One 
> of them is skypeshield which I found online. 
> 
> Jabber for everyone users are able to use expressway for free right? I saw on 
> other threads here. Someone answered yes. 
> 
> Regards,
> Ki Wi 
> 
> On Wed, Apr 6, 2016 at 9:15 PM, Matt Slaga (AM) 
>  wrote:
> 
> Another option, although not perfect, is using a hardware device like a 
> Kuandobox. 
> 
> http://www.plenom.com/products/kuandobox/ 
> 
> Works well in cube environments, but not so well in offices, or places where 
> users use speakerphone often. 
> 
> FROM: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] ON BEHALF OF 
> Alastair Watts
> SENT: Wednesday, April 6, 2016 8:28 AM
> TO: kiwi.vo...@gmail.com; dan...@ohnesorge.me
> CC: cisco-voip@puck.nether.net
> SUBJECT: Re: [cisco-voip] Cisco UCM with Skype for Business 
> 
> I echo Daniel's comments below regarding the Lync/SfB integration, and 
> recommend that you look at the reasons why you're choosing to integrate SfB - 
> particularly with voice/video or with SfB mobile clients. 
> 
> In the last few months, Cisco acquired Acano, whose portfolio of products can 
> assist with bridging SfB and CUCM when joining the two is required. 
> 
> I strongly recommend reviewing the Cisco Live talk that was presented earlier 
> this year in Melbourne (available at 
> https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89886 
> [2]) , which goes into integration options between Lync/SfB and Cisco, 
> including limitations, and includes the Acano product set and how it can 
> assist with the integration. 
> 
> Al 
> 
> On 6 Apr 2016, at 17:10, Daniel Ohnesorge via cisco-voip 
>  wrote: 
> 
>