Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-12-08 Thread Gary_Bates_Command_Solutions
This is how I stop the cert error,

As you stated, clear the cache folders and then use the following installation 
switch, it works 100% on Jabber version 12.9.5

msiexec.exe /i CiscoJabberSetup.msi CLEAR=1 EXCLUDED_SERVICES=WEBEX UPN_DISCOVERY_ENABLED=false

 

Gary
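
The clean-up and install steps described in this thread, written with built-in cmdlets only. This is an added example, not the poster's script or Cisco's. It assumes the MSI sits in the current directory and adds /quiet and /norestart for unattended use; profile folders are read from the registry instead of assuming C:\Users. Run it with -WhatIf first: the Cisco folders are removed whole, as in the thread's script.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed installer location; adjust to your software share.
    [string]$MsiPath = '.\CiscoJabberSetup.msi'
)

# Resolve the real profile directories from the registry rather than listing C:\Users.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profileDirs = Get-ChildItem -Path $profileListKey |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ProfileImagePath } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) }

# Remove the per-user Cisco cache folders named in the thread.
foreach ($dir in $profileDirs) {
    foreach ($sub in 'AppData\Local\Cisco', 'AppData\Roaming\Cisco') {
        $target = Join-Path -Path $dir -ChildPath $sub
        if (Test-Path -LiteralPath $target) {
            if ($PSCmdlet.ShouldProcess($target, 'Remove Cisco cache folder')) {
                Remove-Item -LiteralPath $target -Recurse -Force -ErrorAction Continue
            }
        }
    }
}

# Install with the MSI properties quoted in the thread.
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    'CLEAR=1',
    'EXCLUDED_SERVICES=WEBEX',
    'UPN_DISCOVERY_ENABLED=false',
    '/quiet', '/norestart'
)
if ($PSCmdlet.ShouldProcess($MsiPath, 'Install Cisco Jabber with Webex excluded')) {
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exited with code $($proc.ExitCode)"
    }
}
```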

 

 


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-12-08 Thread Lelio Fulgenzi

Do we know if we have to uninstall Jabber? Or is upgrading/re-installing with 
those command lines sufficient?

I can’t recall if upgrading uninstalls files first.

Sent from my iPhone


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-12-08 Thread Riley, Sean
I received the same answer from tac as others.  They have a bug ID, but the 
workaround to disable telemetry is incorrect as we have had this disabled in 
the xml for a couple of years now.  We will be upgrading with the install 
switch to disable webex going forward.  Hopefully this puts a stop to this cert 
warning.

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvg82067

From support:
One of the workarounds that I mentioned was to disable the Webex service, do 
you think you can try that?

Uninstall Jabber, clear the cache and install it with the following command:
msiexec.exe /i CiscoJabberSetup.msi CLEAR=1 EXCLUDED_SERVICES=Webex




Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-30 Thread Riley, Sean
We did not start to see the cert warnings until 11/15/21.  Not sure if that 
helps correlate with a certificate expiring, etc.


On Nov 29, 2021, at 1:04 PM, Riley, Sean <sri...@robinsonbradshaw.com> wrote:

CAUTION: This email originated from outside of the University of Guelph. Do not 
click links or open attachments unless you recognize the sender and know the 
content is safe. If in doubt, forward suspicious emails to 
ith...@uoguelph.ca

Did anyone come up with a solution to this, other than to tell the users to 
Accept the Cert?

We are completely on prem with no webex services.  Clients are v 12.9.6.  I was 
able to reproduce the issue once using a test user account, but have not been 
able to reproduce since, even after a Jabber reset.  Most of my team is running 
Jabber v 14.x and we have not seen the cert warning.

Does a user declining the cert add it to the Untrusted Certificates store in 
Windows?  Maybe that takes priority over a cert in the trusted store?

I have done the following, but we still have sporadic reports of the 
certificate warning from Jabber:


  1.  Ensured the new IdenTrust Commercial Root CA 1 was in CUCM and services 
restarted on CUCM and IM
  2.  Added the HydrantID Server CA O1 to the computers trusted store via GPO.

Thanks.


From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Lelio Fulgenzi
Sent: Friday, November 12, 2021 3:17 PM
To: Lelio Fulgenzi <le...@uoguelph.ca>; Gary Parker <g.j.par...@lboro.ac.uk>; Brian V <bvanb...@gmail.com>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

Darn it. We've started seeing the alerts for some reason.

Can we just tell people to accept? Argh.


-Original Message-
From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Lelio Fulgenzi
Sent: Friday, November 12, 2021 8:45 AM
To: Gary Parker <g.j.par...@lboro.ac.uk>; Brian V <bvanb...@gmail.com>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

(a) do this
(b) don't d
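
For the trust-store question raised in the 29 November message quoted above, one way to check an affected workstation. This is an added example, not part of the thread; the two CA names come from that message, while the 'webex' pattern and the list of stores searched are assumptions. Run it in the affected user's session, because the CurrentUser stores are per user.

```powershell
# CA names as written in the thread; the stores and the 'webex' pattern are assumptions.
$caNames         = 'IdenTrust Commercial Root CA 1', 'HydrantID Server CA O1'
$trustStores     = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
                   'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
$untrustedStores = 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed'

function Find-StoreCertificate {
    param(
        [Parameter(Mandatory)] [string[]] $StorePath,
        [Parameter(Mandatory)] [string]   $Pattern,
        [switch] $MatchIssuer   # also match certificates issued by the named CA
    )
    foreach ($store in $StorePath) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Subject -like "*$Pattern*" -or
                ($MatchIssuer -and $_.Issuer -like "*$Pattern*")
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Expired    = $_.NotAfter -lt (Get-Date)
                }
            }
    }
}

# 1. Is each CA present, and unexpired, in a trusted store?
$trusted = foreach ($name in $caNames) {
    $hits = @(Find-StoreCertificate -StorePath $trustStores -Pattern $name)
    [pscustomobject]@{
        CA       = $name
        Present  = $hits.Count -gt 0
        AnyValid = @($hits | Where-Object { -not $_.Expired }).Count -gt 0
        Stores   = ($hits.Store | Sort-Object -Unique) -join ', '
    }
}

# 2. Has anything related ended up in an Untrusted Certificates (Disallowed) store?
$untrusted = foreach ($pattern in ($caNames + 'webex')) {
    Find-StoreCertificate -StorePath $untrustedStores -Pattern $pattern -MatchIssuer
}

$trusted | Format-Table -AutoSize
if ($untrusted) {
    Write-Warning 'Matching certificates found in an Untrusted Certificates store:'
    $untrusted | Sort-Object Thumbprint -Unique | Format-List
} else {
    'No matching certificates in the Untrusted Certificates stores.'
}
```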

Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-30 Thread Riley, Sean
I will open a TAC case as well.  Maybe enough of those will get us an answer 
that does not require reinstalling.  I do wish I could easily reproduce, but I 
am not able to at this time.

Sean.


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-30 Thread Gary Parker


> On 30 Nov 2021, at 00:08, Gary_Bates_Command_Solutions wrote:
> 
> I was told by a Cisco rep it's all to do with Cisco’s arrogant sales strategy, 
> trying to get all on-prem users to switchover to either Hybrid Jabber / 
> Hybrid Webex or full cloud connection with Webex.
>  
> Unfortunately, it wasn’t communicated honestly and up front, my customer is 
> very annoyed with Cisco and is slowly migrating towards MS Teams calling

For the benefit of anyone watching from Cisco: this is pretty much how our 
experience of this has played out. We were already considering a move to Teams 
and Direct Routing and this has simply accelerated that move. I’m about to start 
a proof of concept Direct Routing project and looking at the practicalities of 
a phased migration of users with help from our SIP TSP.


---
/-Gary Parker--f--\
| Unified Communications Service Manager  |
n  Loughborough University, IT Services   |
| tel:+441509635635 sip:g...@lboro.ac.uk  o
|https://www.osx.ninja/pubkey.txt |
\r--d-/

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-29 Thread Gary_Bates_Command_Solutions
Hi Lelio

 

I was told by a Cisco rep it's all to do with Cisco’s arrogant sales strategy, 
trying to get all on-prem users to switchover to either Hybrid Jabber / Hybrid 
Webex or full cloud connection with Webex.

 

Unfortunately, it wasn’t communicated honestly and up front, my customer is 
very annoyed with Cisco and is slowly migrating towards MS Teams calling

 

I don’t see any “fixes” now, only the way we could solve it is following the 
procedure below

 

Gary

 

From: Lelio Fulgenzi  
Sent: Tuesday, 30 November 2021 10:18 AM
To: gba...@commandsolutions.com.au
Cc: Riley, Sean ; cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

 

 

They better come up with a better workaround to re-installing all our clients.  

 

If Jabber has a built in procedure, then they really need to make sure it 
works.  

 

Why are we all of a sudden seeing these cert issues? 

 

This downloading of fixes really needs to be curbed. 

Sent from my iPhone





On Nov 29, 2021, at 4:53 PM, Gary_Bates_Command_Solutions <gba...@commandsolutions.com.au> wrote:

 


 

Hi there

 

We experienced this issue with our on-prem Jabber updates,

 

Fix we applied was as follows:

 

1.  Do a “clean install” of Jabber (must delete cache files and uninstall 
old version)
2.  When installing new version, use this installation file with the switch 
at the end as below

msiexec.exe /i CiscoJabberSetup.msi CLEAR=1 EXCLUDED_SERVICES=WEBEX UPN_DISCOVERY_ENABLED=false

 

Our desktop team added a script to clear the cache folders on desktops with 
previous installations as follows:

 

## Deleting all “.\Cisco” folders found on local profiles
# Write-Log and Remove-Folder are not built-in cmdlets; they must be defined elsewhere in the deployment script
Write-Log "-> Deleting all `“.\Cisco`” folders found on local profiles"
$users = Get-ChildItem -Path "C:\Users"
$users | ForEach-Object {
    Remove-Folder -Path "C:\Users\$($_.Name)\AppData\Local\Cisco"
    Remove-Folder -Path "C:\Users\$($_.Name)\AppData\Roaming\Cisco"
}

3.  In the service profile for Jabber, add the 
“ServiceDiscoveryExcludedServices --> WEBEX”

This will ensure once Jabber is installed and configured, it will no longer try 
to connect to WEBEX each time the user logs in.

 

HTH

 

Gary

 

From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Lelio Fulgenzi
Sent: Tuesday, 30 November 2021 8:24 AM
To: Riley, Sean <sri...@robinsonbradshaw.com>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

 

I will likely be opening a case for this. We had a few. Our workstations are 
not configured to not get root very updates I’ve been told.  

 

We’ve only had a few cases. 

 

Not sure this hasn’t made it to an advisory or bug or something.  

 

Sent from my iPhone







Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-29 Thread Lelio Fulgenzi

They better come up with a better workaround to re-installing all our clients.

If Jabber has a built in procedure, then they really need to make sure it works.

Why are we all of a sudden seeing these cert issues?

This downloading of fixes really needs to be curbed.

Sent from my iPhone

On Nov 29, 2021, at 4:53 PM, Gary_Bates_Command_Solutions 
 wrote:



CAUTION: This email originated from outside of the University of Guelph. Do not 
click links or open attachments unless you recognize the sender and know the 
content is safe. If in doubt, forward suspicious emails to ith...@uoguelph.ca

Hi there

We experienced this issue with our on-prem Jabber updates,

Fix we applied was as follows:


  1.  Do a “clean install” of Jabber (must delete cache files and uninstall old 
version)
  2.  When installing new version, use this installation file with the switch 
at the end as below

msiexec.exe /i CiscoJabberSetup.msi CLEAR=1 EXCLUDED_SERVICES=WEBEX UPN_DISCOVERY_ENABLED=false

Our desktop team added a script to clear the cache folders on desktops with 
previous installations as follows:

## Deleting all “.\Cisco” folders found on local profiles
# Write-Log and Remove-Folder are not built-in PowerShell cmdlets; the
# deployment toolkit running this script must provide them.
Write-Log "-> Deleting all `“.\Cisco`” folders found on local profiles"
$users = Get-ChildItem -Path "C:\Users"
$users | ForEach-Object {
    Remove-Folder -Path "C:\Users\$($_.Name)\AppData\Local\Cisco"
    Remove-Folder -Path "C:\Users\$($_.Name)\AppData\Roaming\Cisco"
}

  3.  In the service profile for Jabber, add the 
“ServiceDiscoveryExcludedServices --> WEBEX”

This will ensure once Jabber is installed and configured, it will no longer try 
to connect to WEBEX each time the user logs in.


HTH

Gary

From: cisco-voip  On Behalf Of Lelio 
Fulgenzi
Sent: Tuesday, 30 November 2021 8:24 AM
To: Riley, Sean 
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

I will likely be opening a case for this. We had a few. Our workstations are 
not configured to not get root very updates I’ve been told.

We’ve only had a few cases.

Not sure this hasn’t made it to an advisory or bug or something.

Sent from my iPhone


On Nov 29, 2021, at 1:04 PM, Riley, Sean <sri...@robinsonbradshaw.com> wrote:


Did anyone come up with a solution to this, other than to tell the users to 
Accept the Cert?

We are completely on prem with no webex services.  Clients are v 12.9.6.  I was 
able to reproduce the issue once using a test user account, but have not been 
able to reproduce since, even after a Jabber reset.  Most of my team is running 
Jabber v 14.x and we have not seen the cert warning.

Does a user declining the cert add it to the Untrusted Certificates store in 
Windows?  Maybe that takes priority over a cert in the trusted store?

I have done the following, but we still have sporadic reports of the 
certificate warning from Jabber:


  1.  Ensured the new IdenTrust Commercial Root CA 1 was in CUCM and services 
restarted on CUCM and IM
  2.  Added the HydrantID Server CA O1 to the computers trusted store via GPO.

Thanks.


From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Lelio Fulgenzi
Sent: Friday, November 12, 2021 3:17 PM
To: Lelio Fulgenzi <le...@uoguelph.ca>; Gary Parker <g.j.par...@lboro.ac.uk>; Brian V <bvanb...@gmail.com>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

Darn it. We've started seeing the alerts for some reason.

Can we just tell people to accept? Argh.


-Original Message-
From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Lelio Fulgenzi
Sent: Friday, November 12, 2021 8:45 AM
To: Gary Parker <g.j.par...@lboro.ac.uk>; Brian V <bvanb...@gmail.com>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

(a) do this
(b) don't do this

Is my favourite part!

I remember when I first started, I had opened a case, then another, and got two 
very conflicting opinions from the TAC

(a) TAC suggests using the T train for voice gateways
(b) The TAC suggests staying away from T train for voice gateways

Or something like that.

When you're first starting out and have a crush on Cisco, it's very hard to work 
through that.


-Original Message-
From: Gary Parker <g.j.par...@lboro.ac.uk>
Sent: Friday, November 12, 2021 5:24 AM
To: Brian V <bvanb...@gmail.com>
C

Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-29 Thread Gary_Bates_Command_Solutions
Hi there

We experienced this issue with our on-prem Jabber updates,

Fix we applied was as follows:

1.  Do a “clean install” of Jabber (must delete cache files and uninstall 
old version)
2.  When installing new version, use this installation file with the switch 
at the end as below

msiexec.exe /i CiscoJabberSetup.msi CLEAR=1 EXCLUDED_SERVICES=WEBEX UPN_DISCOVERY_ENABLED=false

Our desktop team added a script to clear the cache folders on desktops with 
previous installations as follows:

## Deleting all “.\Cisco” folders found on local profiles
# Write-Log and Remove-Folder are not built-in PowerShell cmdlets; the
# deployment toolkit running this script must provide them.
Write-Log "-> Deleting all `“.\Cisco`” folders found on local profiles"
$users = Get-ChildItem -Path "C:\Users"
$users | ForEach-Object {
    Remove-Folder -Path "C:\Users\$($_.Name)\AppData\Local\Cisco"
    Remove-Folder -Path "C:\Users\$($_.Name)\AppData\Roaming\Cisco"
}

3.  In the service profile for Jabber, add the 
“ServiceDiscoveryExcludedServices --> WEBEX”

This will ensure once Jabber is installed and configured, it will no longer try 
to connect to WEBEX each time the user logs in.

HTH

Gary

 

From: cisco-voip  On Behalf Of Lelio 
Fulgenzi
Sent: Tuesday, 30 November 2021 8:24 AM
To: Riley, Sean 
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

 

I will likely be opening a case for this. We had a few. Our workstations are 
not configured to not get root very updates I’ve been told.

We’ve only had a few cases.

Not sure this hasn’t made it to an advisory or bug or something.

Sent from my iPhone





On Nov 29, 2021, at 1:04 PM, Riley, Sean <sri...@robinsonbradshaw.com> wrote:

 


 

Did anyone come up with a solution to this, other than to tell the users to 
Accept the Cert?

We are completely on prem with no webex services.  Clients are v 12.9.6.  I was 
able to reproduce the issue once using a test user account, but have not been 
able to reproduce since, even after a Jabber reset.  Most of my team is running 
Jabber v 14.x and we have not seen the cert warning.

Does a user declining the cert add it to the Untrusted Certificates store in 
Windows?  Maybe that takes priority over a cert in the trusted store?

I have done the following, but we still have sporadic reports of the 
certificate warning from Jabber:

1.  Ensured the new IdenTrust Commercial Root CA 1 was in CUCM and services 
restarted on CUCM and IM
2.  Added the HydrantID Server CA O1 to the computers trusted store via GPO.

Thanks.

From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Lelio Fulgenzi
Sent: Friday, November 12, 2021 3:17 PM
To: Lelio Fulgenzi <le...@uoguelph.ca>; Gary Parker <g.j.par...@lboro.ac.uk>; Brian V <bvanb...@gmail.com>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

 

Darn it. We've started seeing the alerts for some reason. 

Can we just tell people to accept? Argh.


-Original Message-
From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Lelio Fulgenzi
Sent: Friday, November 12, 2021 8:45 AM
To: Gary Parker <g.j.par...@lboro.ac.uk>; Brian V <bvanb...@gmail.com>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

(a) do this
(b) don't do this

Is my favourite part!

I remember when I first started, I had opened a case, then another, and got two 
very conflicting opinions from the TAC

(a) TAC suggests using the T train for voice gateways
(b) The TAC suggests staying away from T train for voice gateways

Or something like that.

When you're first starting out and have a crush on Cisco, it's very hard to work 
through that.


-Original Message-
From: Gary Parker <g.j.par...@lboro.ac.uk>
Sent: Friday, November 12, 2021 5:24 AM
To: Brian V <bvanb...@gmail.com>
Cc: Lelio Fulgenzi <le...@uoguelph.ca>; NateCCIE <natec...@gmail.com>; Johnson, Tim <johns...@cmich.edu>; cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-29 Thread Lelio Fulgenzi
I will likely be opening a case for this. We had a few. Our workstations are 
not configured to not get root very updates I’ve been told.

We’ve only had a few cases.

Not sure this hasn’t made it to an advisory or bug or something.

Sent from my iPhone

On Nov 29, 2021, at 1:04 PM, Riley, Sean  wrote:




Did anyone come up with a solution to this, other than to tell the users to 
Accept the Cert?

We are completely on prem with no webex services.  Clients are v 12.9.6.  I was 
able to reproduce the issue once using a test user account, but have not been 
able to reproduce since, even after a Jabber reset.  Most of my team is running 
Jabber v 14.x and we have not seen the cert warning.

Does a user declining the cert add it to the Untrusted Certificates store in 
Windows?  Maybe that takes priority over a cert in the trusted store?

I have done the following, but we still have sporadic reports of the 
certificate warning from Jabber:


1.   Ensured the new IdenTrust Commercial Root CA 1 was in CUCM and 
services restarted on CUCM and IM

2.   Added the HydrantID Server CA O1 to the computers trusted store via 
GPO.

Thanks.


From: cisco-voip  On Behalf Of Lelio 
Fulgenzi
Sent: Friday, November 12, 2021 3:17 PM
To: Lelio Fulgenzi ; Gary Parker ; 
Brian V 
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

Darn it. We've started seeing the alerts for some reason.

Can we just tell people to accept? Argh.


-Original Message-
From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Lelio Fulgenzi
Sent: Friday, November 12, 2021 8:45 AM
To: Gary Parker <g.j.par...@lboro.ac.uk>; Brian V <bvanb...@gmail.com>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

(a) do this
(b) don't do this

Is my favourite part!

I remember when I first started, I had opened a case, then another, and got two 
very conflicting opinions from the TAC

(a) TAC suggests using the T train for voice gateways
(b) The TAC suggests staying away from T train for voice gateways

Or something like that.

When you're first starting out and have a crush on Cisco, it's very hard to work 
through that.


-Original Message-
From: Gary Parker <g.j.par...@lboro.ac.uk>
Sent: Friday, November 12, 2021 5:24 AM
To: Brian V <bvanb...@gmail.com>
Cc: Lelio Fulgenzi <le...@uoguelph.ca>; NateCCIE <natec...@gmail.com>; Johnson, Tim <johns...@cmich.edu>; cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert



Yeah, I had a suspicion at one point that this might be to do with the 
telemetry (which we’re sending), but the only reference I can find to the 
servers used for this is in the "Feature Configuration for Cisco Jabber 12.8” 
doc where it states that clients connect to "metrics-a.wbx2.com” (also 
mentioning that you must install a GoDaddy root cert).

We’ve been sending telemetry for some time and have not had this problem 
before, and the cert the client is erroring on is idbroker.webex.com (with the 
IdenTrust root).

Fwiw, metrics-a.wbx2.com is a cname for ha-a-main.wbx2.com, which in turn is a 
cname for achm-main-ha-a-nlb-1d0e22049c746ef1.elb.us-east-2.amazonaws.com

metrics-a.wbx2.com *does* have a GoDaddy root cert, and a wildcard server cert.

What a mess!

That bug also says:

"b) Disable the telemetry call to Webex in the jabber-config xml”

…but then goes on to say:

"This error/popup is not related to Telemetry. Even if you disable Telemetry on 
Jabber certificate pop up will continue to show.”

¯\_(ツ)_/¯

Gary

> On 11 Nov 2021, at 22:57, Brian V <bvanb...@gmail.com> wrote:
>
> Part of the workaround referenced in the Bug doesn't make sense. They 
> reference adding some GoDaddy certs, but when you look at the URL they 
> reference (*.wbx2.com) that is signed by Hydrant not Go Daddy.

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-29 Thread Riley, Sean
Did anyone come up with a solution to this, other than to tell the users to 
Accept the Cert?

We are completely on prem with no webex services.  Clients are v 12.9.6.  I was 
able to reproduce the issue once using a test user account, but have not been 
able to reproduce since, even after a Jabber reset.  Most of my team is running 
Jabber v 14.x and we have not seen the cert warning.

Does a user declining the cert add it to the Untrusted Certificates store in 
Windows?  Maybe that takes priority over a cert in the trusted store?

I have done the following, but we still have sporadic reports of the 
certificate warning from Jabber:


1.   Ensured the new IdenTrust Commercial Root CA 1 was in CUCM and 
services restarted on CUCM and IM

2.   Added the HydrantID Server CA O1 to the computers trusted store via 
GPO.

Thanks.


From: cisco-voip  On Behalf Of Lelio 
Fulgenzi
Sent: Friday, November 12, 2021 3:17 PM
To: Lelio Fulgenzi ; Gary Parker ; 
Brian V 
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

Darn it. We've started seeing the alerts for some reason.

Can we just tell people to accept? Argh.


-Original Message-
From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Lelio Fulgenzi
Sent: Friday, November 12, 2021 8:45 AM
To: Gary Parker <g.j.par...@lboro.ac.uk>; Brian V <bvanb...@gmail.com>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

(a) do this
(b) don't do this

Is my favourite part!

I remember when I first started, I had opened a case, then another, and got two 
very conflicting opinions from the TAC

(a) TAC suggests using the T train for voice gateways
(b) The TAC suggests staying away from T train for voice gateways

Or something like that.

When you're first starting out and have a crush on Cisco, it's very hard to work 
through that.


-Original Message-
From: Gary Parker <g.j.par...@lboro.ac.uk>
Sent: Friday, November 12, 2021 5:24 AM
To: Brian V <bvanb...@gmail.com>
Cc: Lelio Fulgenzi <le...@uoguelph.ca>; NateCCIE <natec...@gmail.com>; Johnson, Tim <johns...@cmich.edu>; cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert



Yeah, I had a suspicion at one point that this might be to do with the 
telemetry (which we’re sending), but the only reference I can find to the 
servers used for this is in the "Feature Configuration for Cisco Jabber 12.8” 
doc where it states that clients connect to "metrics-a.wbx2.com” (also 
mentioning that you must install a GoDaddy root cert).

We’ve been sending telemetry for some time and have not had this problem 
before, and the cert the client is erroring on is idbroker.webex.com (with the 
IdenTrust root).

Fwiw, metrics-a.wbx2.com is a cname for ha-a-main.wbx2.com, which in turn is a 
cname for achm-main-ha-a-nlb-1d0e22049c746ef1.elb.us-east-2.amazonaws.com

metrics-a.wbx2.com *does* have a GoDaddy root cert, and a wildcard server cert.

What a mess!

That bug also says:

"b) Disable the telemetry call to Webex in the jabber-config xml”

…but then goes on to say:

"This error/popup is not related to Telemetry. Even if you disable Telemetry on 
Jabber certificate pop up will continue to show.”

¯\_(ツ)_/¯

Gary

> On 11 Nov 2021, at 22:57, Brian V <bvanb...@gmail.com> wrote:
>
> Part of the workaround referenced in the Bug doesn't make sense. They 
> reference adding some GoDaddy certs, but when you look at the URL they 
> reference (*.wbx2.com) that is signed by Hydrant not Go Daddy.

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
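
An added example, not part of the thread or of Cisco's documentation: a read-only PowerShell check of the Windows certificate stores discussed in the message above, reporting where the IdenTrust Commercial Root CA 1 and HydrantID Server CA O1 certificates sit (Trusted Root, Intermediate, Untrusted) and whether Group Policy has switched off automatic root updates. It assumes the certificates carry those names as their subject common name; the function names are illustrative.

```powershell
# Added example: inspect local certificate stores, change nothing.
# CA names are taken from the thread; matching on the subject's simple name
# (normally the CN) is an assumption of this example.
$caNames = @(
    'IdenTrust Commercial Root CA 1',
    'HydrantID Server CA O1'
)

function Find-CaCertificate {
    # Returns one record per store in which a certificate with this name is found.
    param(
        [Parameter(Mandatory)] [string] $CommonName,
        [string[]] $Location  = @('LocalMachine', 'CurrentUser'),
        # Root = Trusted Root CAs, CA = Intermediate CAs,
        # Disallowed = Untrusted Certificates
        [string[]] $StoreName = @('Root', 'CA', 'Disallowed')
    )
    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    foreach ($loc in $Location) {
        foreach ($store in $StoreName) {
            $path = "Cert:\$loc\$store"
            if (-not (Test-Path -Path $path)) { continue }
            Get-ChildItem -Path $path |
                Where-Object { $_.GetNameInfo($simpleName, $false) -eq $CommonName } |
                ForEach-Object {
                    [pscustomobject]@{
                        CommonName = $CommonName
                        Location   = $loc
                        Store      = $store
                        Thumbprint = $_.Thumbprint
                        NotAfter   = $_.NotAfter
                        Expired    = ($_.NotAfter -lt (Get-Date))
                    }
                }
        }
    }
}

function Test-RootAutoUpdateDisabled {
    # True when policy sets DisableRootAutoUpdate = 1, which stops Windows from
    # fetching new trusted roots on demand.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $prop = Get-ItemProperty -Path $key -Name 'DisableRootAutoUpdate' -ErrorAction SilentlyContinue
    return [bool]($prop -and $prop.DisableRootAutoUpdate -eq 1)
}

function Get-CaTrustSummary {
    # One verdict per CA name: Blocked, Missing or Trusted.
    param([Parameter(Mandatory)] [string[]] $Name)
    foreach ($n in $Name) {
        $hits    = @(Find-CaCertificate -CommonName $n)
        $blocked = @($hits | Where-Object { $_.Store -eq 'Disallowed' })
        $trusted = @($hits | Where-Object { $_.Store -in 'Root', 'CA' -and -not $_.Expired })
        if ($blocked.Count -gt 0) {
            # A certificate in Disallowed is rejected even if a copy is also trusted.
            $verdict = 'Blocked'
        } elseif ($trusted.Count -eq 0) {
            $verdict = 'Missing'
        } else {
            $verdict = 'Trusted'
        }
        [pscustomobject]@{
            CommonName = $n
            Verdict    = $verdict
            FoundIn    = ($hits | ForEach-Object { "$($_.Location)\$($_.Store)" }) -join ', '
        }
    }
}

Get-CaTrustSummary -Name $caNames | Format-Table -AutoSize
"Automatic root updates disabled by policy: $(Test-RootAutoUpdateDisabled)"
```

Run it in the affected user's session so that the CurrentUser stores are that user's. A "Blocked" or "Missing" verdict on a machine that still shows the prompt narrows the problem to the store rather than to Jabber.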


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-12 Thread Lelio Fulgenzi
Darn it. We've started seeing the alerts for some reason. 

Can we just tell people to accept? Argh.


-Original Message-
From: cisco-voip  On Behalf Of Lelio 
Fulgenzi
Sent: Friday, November 12, 2021 8:45 AM
To: Gary Parker ; Brian V 
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

(a) do this
(b) don't do this

Is my favourite part!

I remember when I first started, I had opened a case, then another, and got two 
very conflicting opinions from the TAC

(a) TAC suggests using the T train for voice gateways
(b) The TAC suggests staying away from T train for voice gateways

Or something like that.

When you're first starting out and have a crush on Cisco, it's very hard to work 
through that.


-Original Message-
From: Gary Parker  
Sent: Friday, November 12, 2021 5:24 AM
To: Brian V 
Cc: Lelio Fulgenzi ; NateCCIE ; Johnson, 
Tim ; cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert



Yeah, I had a suspicion at one point that this might be to do with the 
telemetry (which we’re sending), but the only reference I can find to the 
servers used for this is in the "Feature Configuration for Cisco Jabber 12.8” 
doc where it states that clients connect to "metrics-a.wbx2.com” (also 
mentioning that you must install a GoDaddy root cert).

We’ve been sending telemetry for some time and have not had this problem 
before, and the cert the client is erroring on is idbroker.webex.com (with the 
IdenTrust root).

Fwiw, metrics-a.wbx2.com is a cname for ha-a-main.wbx2.com, which in turn is a 
cname for achm-main-ha-a-nlb-1d0e22049c746ef1.elb.us-east-2.amazonaws.com

metrics-a.wbx2.com *does* have a GoDaddy root cert, and a wildcard server cert.

What a mess!

That bug also says:

"b) Disable the telemetry call to Webex in the jabber-config xml”

…but then goes on to say:

"This error/popup is not related to Telemetry. Even if you disable Telemetry on 
Jabber certificate pop up will continue to show.”

¯\_(ツ)_/¯ 

Gary

> On 11 Nov 2021, at 22:57, Brian V  wrote:
> 
> Part of the workaround referenced in the Bug doesn't make sense.  They 
> reference adding some GoDaddy certs,  but when you look at the URL they 
> reference (*.wbx2.com) that is signed by Hydrant not Go Daddy.

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-12 Thread Lelio Fulgenzi
(a) do this
(b) don't do this

Is my favourite part!

I remember when I first started, I had opened a case, then another, and got two 
very conflicting opinions from the TAC

(a) TAC suggests using the T train for voice gateways
(b) The TAC suggests staying away from T train for voice gateways

Or something like that.

When you're first starting out and have a crush on Cisco, it's very hard to work 
through that.


-Original Message-
From: Gary Parker  
Sent: Friday, November 12, 2021 5:24 AM
To: Brian V 
Cc: Lelio Fulgenzi ; NateCCIE ; Johnson, 
Tim ; cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert



Yeah, I had a suspicion at one point that this might be to do with the 
telemetry (which we’re sending), but the only reference I can find to the 
servers used for this is in the "Feature Configuration for Cisco Jabber 12.8” 
doc where it states that clients connect to "metrics-a.wbx2.com” (also 
mentioning that you must install a GoDaddy root cert).

We’ve been sending telemetry for some time and have not had this problem 
before, and the cert the client is erroring on is idbroker.webex.com (with the 
IdenTrust root).

Fwiw, metrics-a.wbx2.com is a cname for ha-a-main.wbx2.com, which in turn is a 
cname for achm-main-ha-a-nlb-1d0e22049c746ef1.elb.us-east-2.amazonaws.com

metrics-a.wbx2.com *does* have a GoDaddy root cert, and a wildcard server cert.

What a mess!

That bug also says:

"b) Disable the telemetry call to Webex in the jabber-config xml”

…but then goes on to say:

"This error/popup is not related to Telemetry. Even if you disable Telemetry on 
Jabber certificate pop up will continue to show.”

¯\_(ツ)_/¯ 

Gary

> On 11 Nov 2021, at 22:57, Brian V  wrote:
> 
> Part of the workaround referenced in the Bug doesn't make sense.  They 
> reference adding some GoDaddy certs,  but when you look at the URL they 
> reference (*.wbx2.com) that is signed by Hydrant not Go Daddy.

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-12 Thread Gary Parker
Yeah, I had a suspicion at one point that this might be to do with the 
telemetry (which we’re sending), but the only reference I can find to the 
servers used for this is in the "Feature Configuration for Cisco Jabber 12.8” 
doc where it states that clients connect to "metrics-a.wbx2.com” (also 
mentioning that you must install a GoDaddy root cert).

We’ve been sending telemetry for some time and have not had this problem 
before, and the cert the client is erroring on is idbroker.webex.com (with the 
IdenTrust root).

Fwiw, metrics-a.wbx2.com is a cname for ha-a-main.wbx2.com, which in turn is a 
cname for achm-main-ha-a-nlb-1d0e22049c746ef1.elb.us-east-2.amazonaws.com

metrics-a.wbx2.com *does* have a GoDaddy root cert, and a wildcard server cert.

What a mess!

That bug also says:

"b) Disable the telemetry call to Webex in the jabber-config xml”

…but then goes on to say:

"This error/popup is not related to Telemetry. Even if you disable Telemetry on 
Jabber certificate pop up will continue to show.”

¯\_(ツ)_/¯ 

Gary

> On 11 Nov 2021, at 22:57, Brian V  wrote:
> 
> Part of the workaround referenced in the Bug doesn't make sense.  They 
> reference adding some GoDaddy certs,  but when you look at the URL they 
> reference (*.wbx2.com) that is signed by Hydrant not Go Daddy.

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread Brian V
Part of the workaround referenced in the Bug doesn't make sense.  They
reference adding some GoDaddy certs,  but when you look at the URL they
reference (*.wbx2.com) that is signed by Hydrant not Go Daddy.
See images below
[image: image.png]

[image: image.png]

On Thu, Nov 11, 2021 at 3:48 PM Lelio Fulgenzi  wrote:

> Ok. This all points to desktops not accepting root certificate updates
> from what I can tell.
>
> I just checked with my contact and asked about this on our site and he said
> there is no blocking of root certs being downloaded.
>
> I'm going to guess then that I'm ok.
>
> I mean, I haven't heard anything yet either, so that's a good sign.
>
> This can only get better when we move to 30 day certs, right?
>
> ACME for the WIN
>
> -Original Message-
> From: cisco-voip  On Behalf Of
> NateCCIE
> Sent: Thursday, November 11, 2021 4:26 PM
> To: 'Gary Parker' ; 'Johnson, Tim' <
> johns...@cmich.edu>
> Cc: cisco-voip@puck.nether.net
> Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex
> Cert
>
>
> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq73203
>
> -Original Message-
> From: cisco-voip  On Behalf Of Gary
> Parker
> Sent: Thursday, November 11, 2021 1:45 PM
> To: Johnson, Tim 
> Cc: cisco-voip@puck.nether.net
> Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex
> Cert
>
> Quick follow-up: I’ve heard from another site (off-list) suffering this
> now, too.
>
> Gary
>
> > On 11 Nov 2021, at 16:13, Gary Parker  wrote:
> >
> > Thanks Tim, likewise: glad it’s not just us!
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread Lelio Fulgenzi
Ok. This all points to desktops not accepting root certificate updates from 
what I can tell.

I just checked with my contact and asked about this on our site and he said there 
is no blocking of root certs being downloaded.

I'm going to guess then that I'm ok. 

I mean, I haven't heard anything yet either, so that's a good sign.

This can only get better when we move to 30 day certs, right?

ACME for the WIN

-Original Message-
From: cisco-voip  On Behalf Of NateCCIE
Sent: Thursday, November 11, 2021 4:26 PM
To: 'Gary Parker' ; 'Johnson, Tim' 
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert



https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq73203

-Original Message-
From: cisco-voip  On Behalf Of Gary Parker
Sent: Thursday, November 11, 2021 1:45 PM
To: Johnson, Tim 
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

Quick follow-up: I’ve heard from another site (off-list) suffering this now, 
too. 

Gary

> On 11 Nov 2021, at 16:13, Gary Parker  wrote:
> 
> Thanks Tim, likewise: glad it’s not just us!
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread NateCCIE
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq73203

-Original Message-
From: cisco-voip  On Behalf Of Gary Parker
Sent: Thursday, November 11, 2021 1:45 PM
To: Johnson, Tim 
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

Quick follow-up: I’ve heard from another site (off-list) suffering this now, 
too. 

Gary

> On 11 Nov 2021, at 16:13, Gary Parker  wrote:
> 
> Thanks Tim, likewise: glad it’s not just us!
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread Gary Parker
Quick follow-up: I’ve heard from another site (off-list) suffering this now, 
too. 

Gary

> On 11 Nov 2021, at 16:13, Gary Parker  wrote:
> 
> Thanks Tim, likewise: glad it’s not just us!
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread Gary Parker
Thanks Tim, likewise: glad it’s not just us!

I’m loath to advise users to accept a certificate that’s flagged as bad for 
some reason, as that’s just bad security practice.

As I mentioned earlier, I’ve added:

WEBEX

...to our jabber-config.xml, and we’re advising users to reset their Jabber 
client to apply it, but that’s bound to upset a few who’ll lose their chat 
history and contacts.

Gary

> On 11 Nov 2021, at 15:30, Johnson, Tim  wrote:
> 
> I’ve heard from my help desk that they had a few users report the prompt for 
> accepting a cert. Unfortunately, they gathered zero details for me and just 
> had the users accept the cert…
>  
> Good to know it’s not just us though. 

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip