Re: [cisco-voip] UCCX 11 Finesse HAoW Island Mode

2016-02-05 Thread Justin Steinberg
This isn't the full answer you're looking for, but I'll still throw it out
there...

I know LDAP enabled agents can login to Finesse when the UCM publisher is
down as that happened to me last week.  The UCM LDAP auth component doesn't
rely on the Dirsync service, so the UCM LDAP auth runs on all UCM nodes.

I had a UCS blade failure that took down the UCM pub, but the UCCX pub and
all the primary AD servers were still online for the UCM subs to
authenticate.

On Fri, Feb 5, 2016 at 4:17 PM, Anthony Holloway <
avholloway+cisco-v...@gmail.com> wrote:

> UCCXers,
>
> I'm trying to avoid spinning up an entire lab to answer a simple question
> that the SRND is glossing over.  "Can Agents login to Finesse on the Island
> Mode side opposite the CUCM Publisher if using LDAP Authentication?"
>
> What the SRND has to say about failover and Island Mode:
>
>
> http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_W5EB2ACC_00
>
> A little further down in the SRND it talks about Finesse in Island Mode,
> and it states that Agents can work on both sides, but it does not state, if
> that is: A) for only already logged in Agents, or B) for CUCM local
> authentication or LDAP authentication or otherwise.
>
>
> http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_F3A11E07_00
>
> This is a very shallow description on what I consider to be a very deep
> topic, so I'm asking here for real world experience.
>
> Assume that we have two Data Centers: DC-A and DC-B.
>
> *DC-A Contains:*
>
>    - LDAP Server A
>    - CUCM Publisher
>    - UCCX Publisher (Currently Engine Master)
>    - Agents
>
>
> *DC-B Contains*
>
>    - LDAP Server B
>    - CUCM Subscriber
>    - UCCX Subscriber (Currently Engine Slave)
>    - Agents
>
>
> *Assumed Config*
>
>    - Call flows are internal, no voice gateways to worry about
>    - CUCM LDAP Auth config is pointing at LDAP Server A first and LDAP
>    Server B second
>    - UCCX Publisher AXL/JTAPI config is pointing at CUCM Pub first and
>    CUCM Sub second
>    - UCCX Subscriber AXL/JTAPI config is pointing at CUCM Sub first and
>    CUCM Pub second
>    - UCCX CTI Route Points have Device Pool with CMG pointing at CUCM Pub
>    first and CUCM Sub second
>    - UCCX Publisher CTI Ports have Device Pool with CMG pointing at CUCM
>    Pub first and CUCM Sub second
>    - UCCX Subscriber CTI Ports have Device Pool with CMG pointing at CUCM
>    Sub first and CUCM Pub second
>
>
> *Question*
>
>    1. Can an Agent in DC-B, who was not logged in before Island Mode
>    happened, now log in, while in Island mode?  Does CUCM's authentication
>    method change the answer?  E.g., LDAP integrated user versus local user.
>
> Thank you.
>
> ___
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] UCCX 11 Finesse HAoW Island Mode

2016-02-05 Thread Brian V
A common mistake that can happen and makes it "look like" only the
publisher can provide LDAP authentication is if you're doing secure LDAP
(over SSL) and didn't distribute the root CA/chain for the SSL
encryption to all the CUCM nodes.  More of an issue with older CUCM but
thought I'd mention it.
Each CUCM node can perform the LDAP authentication (not the sync).  Also
make sure any firewalls and such allow the LDAP requests from the
subscriber nodes as well as the publisher.

On 2/5/2016 3:49 PM, Justin Steinberg wrote:

> This isn't the full answer you're looking for, but I'll still throw it
> out there...
>
> I know LDAP enabled agents can login to Finesse when the UCM publisher
> is down as that happened to me last week.  The UCM LDAP auth component
> doesn't rely on the Dirsync service, so the UCM LDAP auth runs on all
> UCM nodes.
>
> I had a UCS blade failure that took down the UCM pub, but the UCCX pub
> and all the primary AD servers were still online for the UCM subs to
> authenticate.
>
> On Fri, Feb 5, 2016 at 4:17 PM, Anthony Holloway wrote:
>
>> UCCXers,
>>
>> I'm trying to avoid spinning up an entire lab to answer a simple
>> question that the SRND is glossing over.  "Can Agents login to
>> Finesse on the Island Mode side opposite the CUCM Publisher if
>> using LDAP Authentication?"
>>
>> What the SRND has to say about failover and Island Mode:
>>
>> http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_W5EB2ACC_00
>>
>> A little further down in the SRND it talks about Finesse in Island
>> Mode, and it states that Agents can work on both sides, but it
>> does not state, if that is: A) for only already logged in Agents,
>> or B) for CUCM local authentication or LDAP authentication or
>> otherwise.
>>
>> http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_F3A11E07_00
>>
>> This is a very shallow description on what I consider to be a very
>> deep topic, so I'm asking here for real world experience.
>>
>> Assume that we have two Data Centers: DC-A and DC-B.
>>
>> *DC-A Contains:*
>>
>>   * LDAP Server A
>>   * CUCM Publisher
>>   * UCCX Publisher (Currently Engine Master)
>>   * Agents
>>
>> *DC-B Contains*
>>
>>   * LDAP Server B
>>   * CUCM Subscriber
>>   * UCCX Subscriber (Currently Engine Slave)
>>   * Agents
>>
>> *Assumed Config*
>>
>>   * Call flows are internal, no voice gateways to worry about
>>   * CUCM LDAP Auth config is pointing at LDAP Server A first and
>>     LDAP Server B second
>>   * UCCX Publisher AXL/JTAPI config is pointing at CUCM Pub first
>>     and CUCM Sub second
>>   * UCCX Subscriber AXL/JTAPI config is pointing at CUCM Sub first
>>     and CUCM Pub second
>>   * UCCX CTI Route Points have Device Pool with CMG pointing at
>>     CUCM Pub first and CUCM Sub second
>>   * UCCX Publisher CTI Ports have Device Pool with CMG pointing at
>>     CUCM Pub first and CUCM Sub second
>>   * UCCX Subscriber CTI Ports have Device Pool with CMG pointing
>>     at CUCM Sub first and CUCM Pub second
>>
>> *Question*
>>
>>  1. Can an Agent in DC-B, who was not logged in before Island Mode
>>     happened, now log in, while in Island mode?  Does CUCM's
>>     authentication method change the answer?  E.g., LDAP
>>     integrated user versus local user.
>>
>> Thank you.

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
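
The two failure modes raised in the message above (root CA/chain not distributed to a node, LDAP requests blocked by a firewall) can be told apart with a probe like the following. It is an added example, not part of the original thread or of any Cisco tooling; the host names and bundle file names are hypothetical, and it assumes it is run from a host in the same network segment as the CUCM node being checked, using the CA bundle exported for that node.

```python
import socket
import ssl


def probe_ldaps(host, port=636, cafile=None, timeout=3.0):
    """Classify one LDAPS endpoint as seen from this host with one CA bundle.

    When cafile is given it is the only trust anchor, standing in for the
    trust store of a single node (assumption: exported by the admin).
    """
    try:
        ctx = ssl.create_default_context(cafile=cafile)
    except (OSError, ssl.SSLError) as exc:
        return ("bad_bundle", str(exc))
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Refused or timed out: check firewalls/ACLs on this path first.
        return ("unreachable", str(exc))
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("trusted", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # TCP works, but the chain does not validate against this bundle
        # (root CA/chain missing) or the certificate name does not match.
        return ("untrusted_chain", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("tls_error", str(exc))
    finally:
        raw.close()


def survey(servers, bundles, port=636, timeout=3.0):
    """Probe every LDAP server against every per-node CA bundle."""
    return {
        (node, host): probe_ldaps(host, port, cafile, timeout)
        for node, cafile in bundles.items()
        for host in servers
    }


if __name__ == "__main__":
    # Hypothetical names: substitute the real LDAP servers and the CA
    # bundle file exported for each CUCM node.
    servers = ["ldap-a.example.com", "ldap-b.example.com"]
    bundles = {"cucm-pub": "pub-trust.pem", "cucm-sub": "sub-trust.pem"}
    for key, result in sorted(survey(servers, bundles).items()):
        print(key, result)
```

An "untrusted_chain" result for one node's bundle while another node's bundle returns "trusted" against the same server is the pattern that makes it look as if only the publisher can authenticate.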


Re: [cisco-voip] UCCX 11 Finesse HAoW Island Mode

2016-02-05 Thread Anthony Holloway
Actually, that pretty much answers my question, I think.  And thank you for
replying.

According to this cisco-voip thread, there
was some confusion, or at least doubt, about what happens to LDAP auth when
the publisher is down.  Ryan and Daniel provided some great research and
answers there, and now you've sealed the lid on the discussion.  At least,
from a pure CUCM point of view.  As long as Finesse doesn't have some
nuanced behavior or defect, then it should
theoretically work pretty seamlessly for already logged in Agents or
otherwise.

On Fri, Feb 5, 2016 at 1:49 PM, Justin Steinberg wrote:

> This isn't the full answer you're looking for, but I'll still throw it out
> there...
>
> I know LDAP enabled agents can login to Finesse when the UCM publisher is
> down as that happened to me last week.  The UCM LDAP auth component doesn't
> rely on the Dirsync service, so the UCM LDAP auth runs on all UCM nodes.
>
> I had a UCS blade failure that took down the UCM pub, but the UCCX pub and
> all the primary AD servers were still online for the UCM subs to
> authenticate.
>
> On Fri, Feb 5, 2016 at 4:17 PM, Anthony Holloway <
> avholloway+cisco-v...@gmail.com> wrote:
>
>> UCCXers,
>>
>> I'm trying to avoid spinning up an entire lab to answer a simple question
>> that the SRND is glossing over.  "Can Agents login to Finesse on the Island
>> Mode side opposite the CUCM Publisher if using LDAP Authentication?"
>>
>> What the SRND has to say about failover and Island Mode:
>>
>>
>> http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_W5EB2ACC_00
>>
>> A little further down in the SRND it talks about Finesse in Island Mode,
>> and it states that Agents can work on both sides, but it does not state, if
>> that is: A) for only already logged in Agents, or B) for CUCM local
>> authentication or LDAP authentication or otherwise.
>>
>>
>> http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_F3A11E07_00
>>
>> This is a very shallow description on what I consider to be a very deep
>> topic, so I'm asking here for real world experience.
>>
>> Assume that we have two Data Centers: DC-A and DC-B.
>>
>> *DC-A Contains:*
>>
>>    - LDAP Server A
>>    - CUCM Publisher
>>    - UCCX Publisher (Currently Engine Master)
>>    - Agents
>>
>>
>> *DC-B Contains*
>>
>>    - LDAP Server B
>>    - CUCM Subscriber
>>    - UCCX Subscriber (Currently Engine Slave)
>>    - Agents
>>
>>
>> *Assumed Config*
>>
>>    - Call flows are internal, no voice gateways to worry about
>>    - CUCM LDAP Auth config is pointing at LDAP Server A first and LDAP
>>    Server B second
>>    - UCCX Publisher AXL/JTAPI config is pointing at CUCM Pub first and
>>    CUCM Sub second
>>    - UCCX Subscriber AXL/JTAPI config is pointing at CUCM Sub first and
>>    CUCM Pub second
>>    - UCCX CTI Route Points have Device Pool with CMG pointing at CUCM
>>    Pub first and CUCM Sub second
>>    - UCCX Publisher CTI Ports have Device Pool with CMG pointing at CUCM
>>    Pub first and CUCM Sub second
>>    - UCCX Subscriber CTI Ports have Device Pool with CMG pointing at
>>    CUCM Sub first and CUCM Pub second
>>
>>
>> *Question*
>>
>>    1. Can an Agent in DC-B, who was not logged in before Island Mode
>>    happened, now log in, while in Island mode?  Does CUCM's authentication
>>    method change the answer?  E.g., LDAP integrated user versus local user.
>>
>> Thank you.


Re: [cisco-voip] UCCX 11 Finesse HAoW Island Mode

2016-02-05 Thread Anthony Holloway
Great point about LDAP over SSL and certs.  Thank you for mentioning this.

On Fri, Feb 5, 2016 at 2:10 PM, Brian V wrote:

> A common mistake that can happen and makes it "look like" only the publisher
> can provide LDAP authentication is if you're doing secure LDAP (over SSL)
> and didn't distribute the root CA/chain for the SSL encryption to all the
> CUCM nodes.  More of an issue with older CUCM but thought I'd mention it.
> Each CUCM node can perform the LDAP authentication (not the sync).  Also
> make sure any firewalls and such allow the LDAP requests from the
> subscriber nodes as well as the publisher.
>
>
>
>
> On 2/5/2016 3:49 PM, Justin Steinberg wrote:
>
> This isn't the full answer you're looking for, but I'll still throw it out
> there...
>
> I know LDAP enabled agents can login to Finesse when the UCM publisher is
> down as that happened to me last week.  The UCM LDAP auth component doesn't
> rely on the Dirsync service, so the UCM LDAP auth runs on all UCM nodes.
>
>
> I had a UCS blade failure that took down the UCM pub, but the UCCX pub and
> all the primary AD servers were still online for the UCM subs to
> authenticate.
>
> On Fri, Feb 5, 2016 at 4:17 PM, Anthony Holloway <
> avholloway+cisco-v...@gmail.com> wrote:
>
>> UCCXers,
>>
>> I'm trying to avoid spinning up an entire lab to answer a simple question
>> that the SRND is glossing over.  "Can Agents login to Finesse on the Island
>> Mode side opposite the CUCM Publisher if using LDAP Authentication?"
>>
>> What the SRND has to say about failover and Island Mode:
>>
>>
>> http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_W5EB2ACC_00
>>
>> A little further down in the SRND it talks about Finesse in Island Mode,
>> and it states that Agents can work on both sides, but it does not state, if
>> that is: A) for only already logged in Agents, or B) for CUCM local
>> authentication or LDAP authentication or otherwise.
>>
>>
>> http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_F3A11E07_00
>>
>> This is a very shallow description on what I consider to be a very deep
>> topic, so I'm asking here for real world experience.
>>
>> Assume that we have two Data Centers: DC-A and DC-B.
>>
>> *DC-A Contains:*
>>
>>    - LDAP Server A
>>    - CUCM Publisher
>>    - UCCX Publisher (Currently Engine Master)
>>    - Agents
>>
>>
>> *DC-B Contains*
>>
>>    - LDAP Server B
>>    - CUCM Subscriber
>>    - UCCX Subscriber (Currently Engine Slave)
>>    - Agents
>>
>>
>> *Assumed Config*
>>
>>    - Call flows are internal, no voice gateways to worry about
>>    - CUCM LDAP Auth config is pointing at LDAP Server A first and LDAP
>>    Server B second
>>    - UCCX Publisher AXL/JTAPI config is pointing at CUCM Pub first and
>>    CUCM Sub second
>>    - UCCX Subscriber AXL/JTAPI config is pointing at CUCM Sub first and
>>    CUCM Pub second
>>    - UCCX CTI Route Points have Device Pool with CMG pointing at CUCM
>>    Pub first and CUCM Sub second
>>    - UCCX Publisher CTI Ports have Device Pool with CMG pointing at CUCM
>>    Pub first and CUCM Sub second
>>    - UCCX Subscriber CTI Ports have Device Pool with CMG pointing at
>>    CUCM Sub first and CUCM Pub second
>>
>>
>> *Question*
>>
>>    1. Can an Agent in DC-B, who was not logged in before Island Mode
>>    happened, now log in, while in Island mode?  Does CUCM's authentication
>>    method change the answer?  E.g., LDAP integrated user versus local user.
>>
>> Thank you.


[cisco-voip] UCCX 11 Finesse HAoW Island Mode

2016-02-05 Thread Anthony Holloway
UCCXers,

I'm trying to avoid spinning up an entire lab to answer a simple question
that the SRND is glossing over.  "Can Agents login to Finesse on the Island
Mode side opposite the CUCM Publisher if using LDAP Authentication?"

What the SRND has to say about failover and Island Mode:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_W5EB2ACC_00

A little further down in the SRND it talks about Finesse in Island Mode,
and it states that Agents can work on both sides, but it does not state, if
that is: A) for only already logged in Agents, or B) for CUCM local
authentication or LDAP authentication or otherwise.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_F3A11E07_00

This is a very shallow description on what I consider to be a very deep
topic, so I'm asking here for real world experience.

Assume that we have two Data Centers: DC-A and DC-B.

*DC-A Contains:*

   - LDAP Server A
   - CUCM Publisher
   - UCCX Publisher (Currently Engine Master)
   - Agents


*DC-B Contains*

   - LDAP Server B
   - CUCM Subscriber
   - UCCX Subscriber (Currently Engine Slave)
   - Agents


*Assumed Config*

   - Call flows are internal, no voice gateways to worry about
   - CUCM LDAP Auth config is pointing at LDAP Server A first and LDAP
   Server B second
   - UCCX Publisher AXL/JTAPI config is pointing at CUCM Pub first and CUCM
   Sub second
   - UCCX Subscriber AXL/JTAPI config is pointing at CUCM Sub first and
   CUCM Pub second
   - UCCX CTI Route Points have Device Pool with CMG pointing at CUCM Pub
   first and CUCM Sub second
   - UCCX Publisher CTI Ports have Device Pool with CMG pointing at CUCM
   Pub first and CUCM Sub second
   - UCCX Subscriber CTI Ports have Device Pool with CMG pointing at CUCM
   Sub first and CUCM Pub second


*Question*

   1. Can an Agent in DC-B, who was not logged in before Island Mode
   happened, now log in, while in Island mode?  Does CUCM's authentication
   method change the answer?  E.g., LDAP integrated user versus local user.

Thank you.