The Ultimate Cisco Jabber Specialist 2 Lab Guide - Part1

The Ultimate Cisco Jabber Specialist 2 Lab
PART 01
Table of Contents
Section 1: About The Lab.................................................................................................................... 3
What is Cisco Jabber ................................................................................................................................. 4
Related Links ............................................................................................................................................. 7
Lab Overview ....................................................................................................................................... 8
Jabber Specialist I 2013 Edition Video Walk Through............................................................................. 13
Task 1: Accessing the Lab Equipment ......................................................................................... 14
Task 2: Connecting to Remote Workstations & Servers ....................................................... 16
Section 2: System Preparation ....................................................................................................... 20
Sys Prep: CUCM Server Name to FQDN .................................................................................. 21
Section 3: Jabber Specialist Features .......................................................................................... 22
JST Features Task 1: Service Discovery Configuration ..................................................... 23
JST Features Task 2: Jabber Client Win Install WS01 ....................................................... 27
JST Features Task 3: Certificate Management ..................................................................... 33
JST Features Task 4: Jabber Client Win Install WS02 ....................................................... 64
JST Features Task 5: MRA with Cisco ExpressWay ............................................................. 68
Short Video on Cisco ExpressWay Virtual Machine Deployment ........................................................... 68
JST Features Task 6: Adding User Photos to Web Server.............................................. 141
Section 4: Appendix......................................................................................................................... 150
Appendix A: ExpressWay Options Keys for JSTII Lab ..................................................... 151
Appendix B: CUCM Server Name change to FQDN ........................................................... 152
Appendix C: Bootstrap Jabber for Windows Install........................................................... 154
End Of Lab ............................................................................................................................................ 166
Lab Guide Version 3.5 Presented by The Solutions Readiness Engineers Page 2 of 166
Section 1: About the Lab
Welcome To The
Jabber Specialist II Lab
What is Cisco Jabber

Cisco Jabber is a unified communications application that enables you to be more
productive from anywhere on any device. Find the right people, see if and how they are
available, and collaborate using your preferred method.
Todays global, distributed work environment has resulted in significant challenges for
workers, making it harder to connect with the right people and significantly increasing the
quantity and modes of communications. Organizations of all sizes are striving to improve
communications in order to retain customers, compete for new business, control costs, and
grow their business globally.
Cisco Jabber for Windows streamlines communications and enhances productivity by

unifying presence, instant messaging, video, voice, voice messaging, desktop sharing, and
conferencing capabilities securely into one client on your desktop. Cisco Jabber for Windows
delivers highly secure, clear, and reliable communications. It offers flexible deployment
models, is built on open standards, and integrates with commonly used desktop
applications. You can communicate and collaborate effectively from anywhere you have an
Internet connection (Figure 1).
Figure 1. Cisco Jabber for Windows
Features and Benefits
Reduce communication delays with presence and contact information: The Cisco Jabber
application enables you to see the availability of co-workers and colleagues within and
outside your organization. You can immediately see who is offline, available, busy, on the
phone, in a meeting, presenting, or in a do-not-disturb state. You can create customized
availability states such as Gone to lunch. Back at 1 p.m. to provide added context. These
capabilities help reduce communication delays and result in faster decision making and
enhanced productivity.
Quickly communicate with borderless enterprise-class instant messaging: Instant
messaging is an important communication option that lets you efficiently interact in todays
multitasking business environment. The Cisco Jabber application delivers enterprise-class
instant messaging capabilities that are based on the Extensible Messaging and Presence
Protocol (XMPP). The solution provides personal and group chat so you can quickly connect
with your business colleagues. Chat history and server-based logging capabilities allow you
to view the content of prior chats and to store messages for convenience, compliance, and
regulatory purposes. Instant messaging is integrated with other communication capabilities
so you can simply move between chats, audio conversations, and web conferences. You can
even share presence and send instant messages to people outside your organization who
may not be using Cisco Jabber. The enterprise-class instant messaging capabilities of this
application provide more efficient, highly secure, flexible, and borderless collaboration.
Bring business-class IP telephony and video to the desktop: Cisco Jabber delivers
business-quality voice and video to your desktop. Powered by the market-leading Cisco
Unified Communications Manager call-control solution, Cisco Jabber is a soft phone with
wideband and high-fidelity audio, standards-based high-definition video (720p), and desk
phone control features. These features mean that high-quality and high-availability voice
and video telephony is available at all locations and to your desk phones, soft clients, and
mobile devices. Cisco Jabber for Windows makes voice communications simple, clear, and
reliable (Figure2).
Figure 2. High-Definition Video with Integrated Audio Controls
Accelerate team performance with multiparty conferencing and collaboration: The Cisco
Jabber application provides for smooth escalation to desktop sharing or Ciscos market-
leading collaboration solution, Cisco WebEx conferencing. You can instantly share
documents and expand chats and conversations to multiparty voice, video, and web
conferencing.
Collaborate from common business applications: You can access the capabilities of the
Cisco Jabber application from common desktop applications such as Microsoft Outlook,
including lighting up presence and click-to-communicate (instant message and audio and
video calling) capabilities. For Microsoft Outlook 2010, you can use the Microsoft contact
card click-to-communicate icons directly from within the application to save time and
streamline workflows because you can view user availability and initiate communications
such as personal and group voice, video, and chat sessions without having to switch
between applications.
Related Links
Expressway
Expressway Basic Configuration (Expressway-C with Expressway-E) Deployment
Guide
Expressway Cluster Creation and Maintenance Deployment Guide

Certificate Creation and Use With Expressway Deployment Guide
Expressway Administrator Guide
Deployment Guide for IM and Presence Service on Cisco Unified Communications
Manager Communications Manager
Cisco Collaboration Edge Architecture
Cisco Expressway Series
Cisco Expressway Series Data Sheet
Jabber Clients
Cisco Jabber for Windows
Cisco Jabber for iPad
Cisco Jabber Android
Cisco Jabber MAC
Certificate Management
Security configuration on IM and Presence
Security Certificate management on CUCM
Security Certificate management on VCS/Expressway
Persistent Chat
External Database Setup for IM and Presence Service
PostgreSQL Database Software Download
Jabber Guest
Cisco Jabber Guest
Lab Overview
Audience and Prerequisites
This document is intended to assist solution architects, sales engineers, field engineers, and
consultants in learning many of the features of Cisco Unified Communications 10.x System,
and Cisco Jabber. This document assumes the reader has an architectural and
administrative understanding of the CUCM and has reviewed the latest CUCM SRND.
Basic knowledge of how to install and administer CUCM and IM&P is recommended however
not necessary.
This is a complex lab with many servers and devices interacting with each
other. It is strongly recommended that a dedicated and undisturbed six
hour window be committed to when completing this lab.
About The Lab

The Ultimate Cisco Jabber Specialist Lab 2014 Edition is completely self-paced and
virtualized. Although great lengths are taken to make all labs as true to real world as
possible, this lab is a virtual lab where pods are cloned, unconventional techniques are
utilized that would not typically be done in a production environment.
In the lab, we will be using Remote Desktop Protocol (RDP), Jabber softphones as well as
other software applications. The goal of the lab is for the attendee to become familiar with
the setup, implementation and usage of CUCM/IMP and Jabber.
This lab was upgraded from a previous UC 9.x Jabber lab and many of the old host names
have not been changed to save on development time. All CUCM/IM&P/CUC servers have
been upgraded to 10.x but many of the host names have remained the same, so the
student will see for example SiteA-CUCM911 host name but the server is really running
10.0.1 code.
Disclaimer
This lab is primarily intended to be a learning tool. In order to convey specific information,
the lab may not necessarily follow best practice recommendation at all times. This exercise
is intended to demonstrate one way to configure the network, servers and applications to
meet specified requirements for the lab environment. There are various ways that this can
be accomplished, depending on the situation and the customers goals/requirements. Please
ensure that you consult all current official Cisco documentation before proceeding with a
production/lab design or installation. By enrolling in this class or having access to this
document you acknowledge you are aware of this disclaimer and its implications.
Lab Guide Key
The following is a description of the conventions, colors, and notation used through this
document:
Sections with this background color and this icon touch on the business benefits of the
step or task with items and talking points highlighting a value proposition of a Solution.
Sections with this background color and this icon cover the technical description of the
step or task, with items and talking points of interest to technical audiences.
Sections with this background color and this icon provide a lab tip for the step or task.
Sections with this background color and this icon are for scenario description: Provides
background information for performing a step or task.
Sections with this background color and this icon represent a warning: read this section for
special instructions and considerations.
Pods
There are 20 pods in this lab environment; each pod contains the following server
configurations:
CUCM 10.5.1.10000-7 Server Providing local device registration and call

control
Cisco Unified CM IM & Presence Server 10.5.1.10000-9 Providing
Presence and Instant Messaging
Cisco Unity Connection 10.5.1.10000-7 Providing Unified Messaging &
Voice Mail
Two Windows 7 Workstations Student pod access and call clients
Expressway Version Collab-Edge 8.1.1
Expressway Version Jabber Guest 8.2.0
Jabber Guest Server Drop9 10.0.1.216
Lab Topology
In this lab topology each device is a virtual machine (VM). This lab is operating on Unified
Computer System (UCS) B-Series or C-Series systems. VMware ESXi 5.1 is the operating
system and hypervisor running on each lab host computer.
The lab UCS host computers are oversubscribed and are not following
Ciscos best practices for UC on UCS. Please follow the best practices
outlined on the uc-virtualized web site, this web site can be found here.
http://cisco.com/go/uc-virtualized
This topology shows one pod of equipment (Not all parts in this TOPO will be used in this
class since there are two parts to this class)
Lab Addressing Tables Internal and External Addresses
Domain SiteB.com X pod number

Subnet Masks /24 50 total pods
Cisc0123 (C i s c zero 1 2 - 3) in most cases is the password used

in this lab for all workstations and systems
C1sc0123 (C 1 s c zero 1 2 3) is used for SiteB-CUCM02,
SiteB-IMP02 platform/OS web page and CLI
Host IP Address IP Address Internal Domain\User Password

(Use from Student
Name External
WS)
SiteB
SiteB-CUCM911 172.19.X.110 10.1.2.110 Administrator Cisc0123
SiteB-CUCM02 10.1.2.111 Administrator Cisc0123
OS Admin & CLI Administrator C1sc0123
SiteB-IMP911 172.19.X.112 10.1.2.112 Administrator Cisc0123
SiteB-IMP02 10.1.2.113 Administrator Cisc0123
OS Admin & CLI Administrator C1sc0123
SiteB-CUC911 172.19.X.115 10.1.2.115 Administrator Cisc0123
SiteB-AD 172.19.X.120 10.1.2.120 Administrator Cisc0123
SiteB-WS01 172.19.X.201 10.1.2.201 SiteB\aace Cisc0123
StieB-WS02 172.19.X.202 10.1.2.202 SiteB\bbad Cisc0123
SiteB-ExpC01 172.19.X.142 10.1.2.142 admin Cisc0123
SiteB-ExpC02 172.19.X.143 10.1.2.143 admin Cisc0123
Mock Internet
Mock-Inet-DNS 172.19.X.220 10.1.3.20 Administrator Cisc0123
SiteB-ExpE01 172.19.X.242 10.1.3.142 admin Cisc0123
SiteB-ExpE02 172.19.X.243 10.1.3.143 admin Cisc0123
SiteB-WS01 172.19.X.240 10.1.3.101 SiteB\aace Cisc0123
StieB-WS02 172.19.X.241 10.1.3.102 SiteB\bbad Cisc0123
If you use the VM Workstations to access the UC Servers web

admin you will need to use the INTERNAL addresses to gain
access to the servers.
If you use your local computers browsers to access the UC

servers web admin you will need to use the NAT addresses
System Version Table
Description Version
Cisco Unified Communication Manager 10.5.1.10000-7
Cisco Unified CM IM & Presence 10.5.1.10000-9
Cisco Unity Connection 10.5.1.10000-7
Student Remote Work Stations Windows 7
MS Active Directory Server Windows 2008 R2 64
Jabber for Windows 10.5.0 Build 33957
ExpressWay Collab Edge 8.1.1
Connectivity to the Lab Environment

Detailed instructions will be given at the beginning of Task 1, on how to access the lab.
Connectivity to the lab will be achieved through a VPN connection via Cisco AnyConnect and
thereafter Remote Desktop Procedure (RDP) to the workstations.
Lab Pre-configuration
There are many parts of the lab that are prebuilt and preconfigured before the start of class.
Namely:
CUCM/IM&P/CUC/Expressway/Windows Server & Workstation VM Installations

Basic Dial Plan
User, Passwords, & PINs in Active Directory
Voice Mail Configuration
CIPC devices added to CUCM database
2 Windows 7 workstations per site, two sites per pod with CIPC running at startup
and registered to CUCM
Microsoft Windows 2008 & 2012 R2 server with AD, DNS, DHCP, NTP, FTP installed in
the central HQ. All users and DNS entries configured in advance
Site B is completely pre-configured except for Cisco Expressway
This lab is a follow along to last years wildly successful Jabber Specialist 2013 Edition. In
the 2013 edition lab the student performed a full Cisco CUCM/Presence/CUC/Jabber
deployment based on UC version 9.1.1 and Jabber Windows 9.2. This video is a walkthrough
of the 2013 edition of the Jabber Specialist Lab.
Jabber Specialist I 2013 Edition Video Walk Through

Watch this video in HD here - http://youtu.be/S6eoeQsH9ds
The lab guide for this lab can be found at - https://db.tt/TMSpQ4g3
Task 1: Accessing the Lab Equipment

This section of the lab walks the student through the process of setting up a VPN connection
to the Solutions Readiness Engineers (SRE) lab
Activity Objective
In this activity, you will learn the methods to access the lab equipment remotely.
Required Resources
Student PC connected to the internet.
This section is for students This section is for students that

that have Cisco AnyConnect DO NOT have Cisco AnyConnect
installed on their computer. installed on their computer.
Cisco AnyConnect Pre-Installed Install and Connect with Cisco

AnyConnect SSL VPN Client
The ASA might require an upgrade of
the AnyConnect client on the student
computer if an older version is in use
Step 1 Launch the Cisco AnyConnect VPN client Step 1 Open a web browser and connect to
http://tinyurl.com/CiscoAC31
Step 2 Enter uctraining.cisco.com/jabber Step 2 Download and install Cisco AnyConnect
Step 3 Click Connect
Step 3 Continue to left side of

this table and use the
Cisco AnyConnect Pre-
Installed steps to VPN
into the SRE Lab after
you have installed AnyConnect on your
computer
Step 4 Enter the lab Username & Password
(username = stu5xy (xy=pod#), for
example stu501 for pod01, and stu522 for
pod22).
The password will be assigned by the

instructor at the start of the lab
Step 5 Click OK to login
Step 6 Click Accept on the connection banner
Step 7 Continue to Task 2
Task 2: Connecting to Remote Workstations & Servers
Each pod will connect to 4 RDP connections in this section of the lab
Step 8 Click Start All Programs Accessories Remote Desktop

Connection, from the students personal computer
Step 9 Click Options
Step 10 Select Local Resource Tab

Step 11 Click Settings, under remote audio
Step 12 Select Play on this computer & Do Not Record
Step 13 Click OK
Step 14 Select the General tab and fill in the next two steps in the chart
X = you pod number (for example pod 5 = 172.19.5.220)
1nd RDP Session 2nd RDP Session 3rd RDP 4th RDP
Session Session
Step 15 172.19.x.220 172.19.x.120 172.19.x.201 172.19.x.202
Step 16 siteb\Administrator siteb\Administrator siteb\aace siteb\bbad
The 172.19 addresses in the chart below are for students to access their pods various Web
Admin pages from their own computers browser, while a VPN connection is established to
the lab.
Pod # SiteB-InetDns SiteB-AD SiteB-WS01 SiteB-WS02
Users siteb\Administrator siteb\Administrator siteb\aace siteb\bbad
Pod 01 172.19.1.220 172.19.1.120 172.19.1.201 172.19.1.202
Pod 02 172.19.2.220 172.19.2.120 172.19.2.201 172.19.2.202
Pod 03 172.19.3.220 172.19.3.120 172.19.3.201 172.19.3.202
Pod 04 172.19.4.220 172.19.4.120 172.19.4.201 172.19.4.202
Pod 05 172.19.5.220 172.19.5.120 172.19.5.201 172.19.5.202
Pod 06 172.19.6.220 172.19.6.120 172.19.6.201 172.19.6.202
Pod 07 172.19.7.220 172.19.7.120 172.19.7.201 172.19.7.202
Pod 08 172.19.8.220 172.19.8.120 172.19.8.201 172.19.8.202
Pod 09 172.19.9.220 172.19.9.120 172.19.9.201 172.19.9.202
Pod 10 172.19.10.220 172.19.10.120 172.19.10.201 172.19.10.202
Pod 11 172.19.11.220 172.19.11.120 172.19.11.201 172.19.11.202
Pod 12 172.19.12.220 172.19.12.120 172.19.12.201 172.19.12.202
Pod 13 172.19.13.220 172.19.13.120 172.19.13.201 172.19.13.202
Pod 14 172.19.14.220 172.19.14.120 172.19.14.201 172.19.14.202
Pod 15 172.19.15.220 172.19.15.120 172.19.15.201 172.19.15.202
Pod 16 172.19.16.220 172.19.19.120 172.19.19.201 172.19.19.202
Pod 17 172.19.17.220 172.19.17.120 172.19.17.201 172.19.17.202
Pod 18 172.19.18.220 172.19.18.120 172.19.18.201 172.19.18.202
Pod 19 172.19.19.220 172.19.19.120 172.19.19.201 172.19.19.202
Pod 20 172.19.20.220 172.19.20.120 172.19.20.201 172.19.20.202
Pod 21 172.19.21.220 172.19.21.120 172.19.21.201 172.19.21.202
Pod 22 172.19.22.220 172.19.22.120 172.19.22.201 172.19.22.202
Pod 23 172.19.23.220 172.19.23.120 172.19.23.201 172.19.23.202
Pod 24 172.19.24.220 172.19.24.120 172.19.24.201 172.19.24.202
Pod 25 172.19.25.220 172.19.25.120 172.19.25.201 172.19.25.202
Pod 26 172.19.26.220 172.19.26.120 172.19.26.201 172.19.26.202
Pod 27 172.19.27.220 172.19.27.120 172.19.27.201 172.19.27.202
Pod 28 172.19.28.220 172.19.28.120 172.19.28.201 172.19.28.202
Pod 29 172.19.29.220 172.19.29.120 172.19.29.201 172.19.29.202
Pod 30 172.19.30.220 172.19.30.120 172.19.30.201 172.19.30.202
Step 17 Enter IP Address for your pod in the computer field
Step 18 Enter Domain\User Name, in the User Name field (see chart above)
Step 20 Enter Cisc0123 in the password field
Step 21 Click OK
Step 22 Click Yes for the remote verification warning
Step 23 Your Remote Desktop should look something
like this
Step 24 Repeat steps 8 - 23 three more times to

open the all four RDP sessions
If you accidentally close CIPC during this lab or it was closed

when you started the workstation you will get a No
compatible sound devices: error if you try to open it. The
workstation must be rebooted to start CIPC again. Do the
following to reboot the workstation
Double click on the WorkStation Reboot icon on the desktop of the

affected workstation.
Wait for 2 minutes and RDP back into the rebooted workstation.
Section 2: System Preparation
Sys Prep: CUCM Server Name to FQDN
In this section the student will explore changes that are necessary on Cisco Unified
Communications Manager (CUCM). During the installation of Cisco Unified Communications
Manager the server name is configured with host-name. The hostname format needs to be
changed to the Fully Qualified Domain Name (FQDN) format.
The reason for changing the CUCM server names from hostname or IP address
to FQDN, is so they can be resolved by the different services on the UC network.
Also during the certificate validation process for Jabber Windows the FQDN is
usually called out in the CA signed certs.
The use of alternate names could be used in creating the certificates but is not
supported by Cisco.
Activity Objective
In this activity, you will learn the methods to:

Exploration only as this task has already been done for the student
Required Resources
None
Changing the CUCM Server Name
The lab network has already been changed for the student due to certificate issues that
would arise later in the lab. The steps to change the CUCM server name have been posted
to the appendix of this lab guide. Please CLICK HERE to review the steps.
Observe below in the first screen shot on the left that the server names are only host
names, and on the screen shot on the right they have been changed to the FQDN.
All UC Servers in this lab are upgraded from 9.1.1 to version 10.5. Due to time
constraints the server hostnames and DNS entries have been left as 9.11
Section 3: Jabber Specialist Features
JST Features Task 1: Service Discovery Configuration
Service discovery enables clients to automatically detect and locate services on your
enterprise network. Clients query domain name servers (DNS) to retrieve service (SRV)
records that provide the location of servers.
The primary benefits to using service discovery are:

Speeds time to deployment.
Allows you to centrally manage server locations.
Activity Objective
Access Microsoft DNS Administrator
Configure DNS Service Records on a Microsoft Windows 2008 R2 server
Use NSLookUp to confirm the accuracy and operation of configured SRV records
Required Resources
To complete this section of the lab the student will need a computer that is connected to the
lab via VPN and an RDP connection to your pods SiteB-AD (172.19.X.120).
Configure DNS Service Records
Creating DNS SRV records for Presence server discovery allows the
Administrator to streamline the user experience when first logging into
Jabber. If the Jabber client is configured for On Premise operation the
client will automatically connect to the Presence server infrastructure
within an organization without prompting the user for server
information. This can even be configured to work in a multi-cluster
environment where servers will redirect Jabber clients to their correct
home cluster.
Cisco would recommend this method of configuration a best practice.
Step 25 Switch to SiteB-AD (172.19.X.120) RDP session
opened earlier
Step 26 Click Start Administrative Tools DNS to open
the DNS Manager tool
Step 27 Click the + (plus sign) next to SITEB-AD
Forward Lookup Zone siteb.com
Step 28 Select siteb.com to highlight it

Step 29 Right click siteb.com
Step 30 Select Other New Records, from the pop-up menu
Step 31 Scroll down and select Service Location (SRV)

from the resource record types pop up window
Due to time constraints during the

development of this lab the upgraded CUCM
and IMP server did not get renamed with a
new host name, therefore both the CUCM
and IMP publishers have 911 in their name.
These server have been upgraded to 10.5.1
although their name remains the same.
Step 32 Click Create Record
Step 33 Fill in the following information:

a. Domain siteb.com (pre-filled-in)
b. Service _cisco-uds (underscore cisco)
c. Protocol _tcp (underscore tcp)

d. Priority 0 (default)
e. Weight 0 (default)
f. Port Number 8443
g. Host offering this service =

siteb-cucm911.siteb.com
Step 34 Click OK
Step 35 Click Create Record (again)

h. Domain siteb.com (pre-filled-in)
i. Service _cisco-uds (underscore cisco)
j. Protocol _tcp (underscore tcp)

k. Priority 0 (default)
l. Weight 0 (default)
m. Port Number 8443
n. Host offering this service =

siteb-cucm02.siteb.com
Step 37 Click OK
Step 38 Click Done
Step 39 Select _tcp, under siteb.com in the DNS Manager

Jabber will query DNS for SRV records based on user domain in parallel
The highest priority returned record will be used for service
Priority Service HTTPRequest/DNS SRV
1 WebEx Messenger HTTP CAS lookup
2 UC Manager 9.x/10.x _cisco-uds._tcp.example.com
3 Cisco Presence 8.x _cuplogin._tcp.example.com
4 Collaboration Edge _collab-edge._tls.example.com
Step 40 Observe that both _cisco-uds and _cuplogin are both present in the _tcp
section of siteb.com DNS records. The _cuplogin was left over from a
previous install of Jabber version 9.2, _cisco-uds takes priority
Step 41 Close DNS Manager
FYI The reason the sitea-cucm911.sitea.com FQDN has 911 in it is because this
lab was upgraded from a CUCM 9.11 to CUCM 10.5 but the host names have not
been changed. Sorry for the confusion, this will be changed in the future with time
permitting.
Verify _cisco-uds DNS Service Records
Step 42 Switch to SiteB-WS01 (172.19.X.201 Alex Ace RDP Session)

Step 43 Click Yes to the Revocation Security Alert (if presented)
Step 44 Click the Command Prompt icon on the task bar
Step 45 Type nslookup
Step 46 Press Enter to enter into nslookup mode
Step 47 Type set type=srv (in all lower case)
Step 48 Type _cisco-uds._tcp.siteb.com
Step 49 Press Enter

Note the output displays the appropriate
information for the _cisco-uds SRV record
that was built in the previous section.
If an error such as the one pictured below is returned check the command entered in above
or confirm your _cisco-uds service record has been configured properly on SiteBs AD.
Do not continue until a positive result is obtained.
Step 50 Close the Command Prompt window

Step 51 Do not close the RDP sessions
JST Features Task 2: Jabber Client Win Install WS01
In this section the students will do install Jabber client for Windows.
Activity Objective
In this activity the student will install the Cisco Jabber Client for Windows.
two standard installs
Required Resources
A personal computer VPNed into the lab environment and a RDP session into the labs
workstations.
Logging into Student Remote Workstations

If you have not logged into the student workstations please return to the logging into the
student remote workstations section to login to the student workstations
Checking Windows Certificate Manager
Later in this lab guide the student will work with certificate management to conceal the
invalid certificate messages from the end users. This section is to start becoming familiar
with certificate interaction. Observe that before the Windows Jabber Client is installed there
are no Jabber related certificates in the certificate manager on windows.
Step 52 Open the Command

Prompt window form the
task bar on SiteB-WS01
Step 53 Enter certmgr
Step 54 Press Enter

Step 55 Select Enterprise Trust Certificates (there might not be a certificate
subfolder for enterprise trust if there are no certificates)
Step 56 Observe that there are no trusted certificates in the right panel of Certificate
manager
Step 57 Do not close Certificate Manager
This is how it will look if no

Enterprise Certs have been
entered. This is the default for the
lab workstations.
Installing Jabber on Remote SiteB-WS01
In this section Jabber will be installed on the SiteB-WS01.
Jabber for Windows ships as a MSI installer files. Cisco provides a single
MSI file for both on premise and cloud configurations.
Step 58 Switch to Siteb-WS01 (172.19.x.201 Alex Ace) RDP Session (if not already
there)
Step 59 Launch the Firefox browser, on SiteB-WS01

DO NOT use any of the FireFox favorites on the tool
bar to install this version of Jabber, otherwise you
will install an old version of Jabber.
Step 60 Browse to the following URL from SiteB-WS01 Firefox app to

download Jabber http://tinyurl.com/JST2JabInst
Step 61 Click OK, on warning (if any)

Step 62 Click Download Jabber from the Dropbox web site
Step 63 Click Save File
Step 64 Click CiscoJabberSetup.msi in the Downloads window or folder (wait for it,
kind of slow to start install)
Step 65 Click Run
Step 66 Click Accept and Install
Step 67 Click Yes, when asked to allow changes to be

made to this computer (wait For it)
Step 68 Keep Launch Cisco Jabber checked
Step 69 Click Finish
Step 70 Click Accept to verify the non-valid CUCM certificate (The certificates might
come up in a different order depending on the SRV Record round robin state)
Step 71 Click Accept to verify the non-valid CUCM certificate again for the 2nd server
In Jabber 10.5 the Windows client is collecting the Username of the person logged into the
workstation from Windows and the domain name and automatically adding those to the login
so the user only has to put in the user password at initial login.
Step 72 Enter Cisc0123 for the users password
Step 73 Select Sign me in when Cisco Jabber Starts
Step 74 Click Sign In
Step 75 Click Accept to verify the non-valid IMP certificate (one of the certificates but
just show up as SiteB instead of a host name that is OK)
Step 76 Click Accept to verify the non-valid IMP certificate again for the 2nd server
Step 77 Click Accept to verify the non-valid CUC certificate
Step 78 Close all Firefox windows
Step 79 Observe Alex Ace is logged in to her Windows Jabber

Client
If the Cisco Jabber client fails to discover the network
service, this is most likely an issue with the SRV record
created in the first section of this lab guide. Use
NSLOOKUP in the command prompt from this
workstation to troubleshoot this issue. CLICK HERE to
return to the DNS configuration section.
Checking Certificates
After signing into Cisco Jabber Client for Windows observe the certificate that was added to
the certificate manager. During the certificate management section of this lab, the student
will learn how to avoid invalid certificate warning messages to be presented to the end user
the first time they login to Cisco Jabber Client for Windows.
Step 80 Open the Command Prompt window

form the task bar on SiteB-WS01 (if not
already open)

Step 82 Press Enter
Step 83 Select Enterprise Trust Certificates (there might not be a certificate

subfolder for enterprise trust if there are no certificates)
Step 84 Observe that there are no trusted certificates in the right panel of Certificate
manager (Sometimes F5 needs to be pressed to get screen to update)
Before Jabber Client Login After Cisco Jabber Client Login

Step 85 Close Certificate Manager
Step 86 Close DOS Box
JST Features Task 3: Certificate Management
In this section of the lab the self-signed certificates that are on the UC servers at the time
of install will be replaced by Certificate Authority (CA) signed certificates.
Cisco Jabber uses certificate validation to establish secure connections with servers.
When attempting to establish secure connections, servers present Cisco Jabber with
certificates. Cisco Jabber validates those certificates against certificates in the
Microsoft Windows certificate store. If the client cannot validate a certificate, it
prompts the user to confirm if they want to accept the certificate.
Activity Objective
Access Microsoft Certificate Manager

Create CA signed certificates using Microsoft Certificate Authority (CA)
Deploy CA signed certificates to CUCM/IM&P/CUC
Required Resources
To complete this section of the lab the student will need a computer that is connected to
the lab via VPN, and an RDP connection to your pods SiteB-AD (172.19.X.120).
Installing Certificate Authority Role on Windows 2008 R2 Server
Although installing MS Certificate Authority (CA) Role is not part of the Cisco Unified
Communication solution, it is necessary to have access to a 3rd party CA server to create
signed certificates. For simplicity, the MS CA Role was chosen for this lab since an MS
Windows 2008 R2 (Win2K8R2) server running as the Active Directory and Exchange server
already exists. This quick video will show the steps completed to prepare the Win2K8R2
server to be a CA.
Short Video on Installing Microsoft Certificate Authority Role on Win2K8R2
Watch this video in HD here - http://youtu.be/pr-mJrJSfV8
Download CA Root Certificate from CA Server
In this section the Certificate Authority (CA) Root Certificate will be downloaded from the CA
server, and uploaded to SiteB-CUCM911 tomcat-trust.
As part of the building of this lab the developers already uploaded

the CA Root Certificate to the publishers, and subsequently
replicated to the rest of the servers in the cluster. Although the CA
Root certificate has been uploaded the student is going to do it again
to learn the process.
Step 87 Switch to the SiteB-AD (172.19.X.120 x=pod#) RDP session
Step 88 Launch Firefox by clicking the icon on the task bar at the bottom of the
desktop
Step 89 Click Certificate Services on Firefoxs favorite bar
a: Log in to Certificate Services

with:Username Administrator
b: Password Cisc0123
Step 90 Click Download a CA certificate, certificate
chain, or CRL
Base64 is a group of similar binary-to-text encoding schemes that represent binary data in
an ASCII string format by translating it into a radix-64 representation. Why 64? Because you
can generally rely on the same 64 characters being present in many character sets, and you
can be reasonably confident that your data's going to end up on the other side of the wire
uncorrupted.
Step 91 Select Base 64 under Encoding Method
Step 92 Click Download CA Certificate
Step 93 Click Save File (should be the default)
Step 94 Click OK to save the CA certificate
Step 95 Click the Firefox Download Arrow in the

upper left corner
Step 96 Click the File Folder next to certnew.cer
Step 97 Right click certnew.cer in the Explorer window
Step 98 Click Rename from the pop-up menu
During the course of this lab the student will create many certificates, it is much
easier to track which certificates are which by but renaming each one as you create
them.
Step 99 Rename the file to CARootCert.cer
Step 100 Close File Explorer window
Upload CA Root Certificate to CUCM
In this section the CA root certificate will be uploaded to SiteB-CUCM911 (publisher) and it
will be replicated to the other three servers in the clusters (SiteB-CUCM02, SiteB-IMP911,
and SiteB-IMP02).
Step 101 Return to the Firefox browser on SiteB-AD (172.19.X.120 x=pod#) RDP
Session
Step 102 Click + to open another browser

tab
Step 103 Click SiteB-CUCM911 favorite in the SiteB-UC Favorite folder
Step 104 Click Cisco Unified Communications Manager
Step 105 Click I Understand the Risks on the untrusted connection warning (If
presented)
Step 106 Click Add Exception on the untrusted connection warning (If presented)
Step 107 Click Confirm Security Exception on the add security exception pop-up
(If presented)
Step 108 Select Cisco Unified OS Administration from the top left Navigation drop-
down menu
Step 109 Click Go
Step 110 Log in using the following credentials:
a. Username Administrator (Case Sensitive)
b. Password Cisc0123 (Case Sensitive)
c. Click Login
Step 111 Click Security Certificate Management
Step 112 Click Find

Step 113 Observe the self-signed certificates that exist on CUCM by default at install
The CA Root Certificate was uploaded to the Tomcat-trust of the publisher during
lab development, and has been replicated to the subscribers in the cluster.
Observe the tomcat-trust has a certificate from siteb-SITEB-AD-CA.pem, that is the

root certificate that was replicated from the publisher to this subscriber. Previous
to the upload of the CA Root Cert the tomcat-trust on the publisher and this
subscriber was the self-signed certificate generated by the CUCM server installer
during the server install.
In this section the student will upload the CA Root to SiteB-CUCM911 (publisher)
so the student understands what was done to the publisher, although this step
could be skipped due to the fact that it was done prior to the start of the lab.
Step 114 Click Upload Certificate/Certificate Chain
Step 115 Select tomcat-trust, (careful here)
Step 116 Click Browse
Step 117 Click Downloads, on the left side navigation pane
Step 118 Click and Select CARootCert.cer from the list of files and folders
Step 119 Click Open
Step 120 Click Upload File, on the upload pop-up

window
Step 121 Verify the file uploaded successfully
Step 122 Click Close, to close the file upload pop-up window
Step 123 Click Find, to refresh the certificate list
Step 124 Observe that the SiteB-AD CA Root Certificate is now listed (notice no real
change due to the CA Root Cert being replicated form the publisher, also in
some cases the description will not change that is a version issue and has
not effect on the operation)
Generate and Download Certificate Signing Request (CSR)
In this section the student will generate a Certificate Signing Request which in turn will be
used on the MS CA to generate a self-signed certificate for each service on each server.
In CUCM 10.0 and lower a certificate would have been generated by the CA root for
each node in the cluster, and uploaded to each of the servers in the cluster. This
would have been repeated in the IMP clusters and the CUC clusters. In 10.5 CUCM
and IMP are in the same cluster so only one CA root certificate and one CA signed
certificate needs to be created and uploaded to the CUCM publisher and both the
root and the CA signed certificate will be replicated to all servers in the CUCM and
IMP cluster.
Step 125 Click Generate CSR form the OS Administrator web page
Step 126 Fill in the following information in the Generate Certificate Signing Request
pop-up windows:
a. Certificate Name tomcat

b. Distribution Multi-Server(San)
c. Key Length 2048
d. Hash Algorithm SHA256
e. Click Generate
After the Generate button is clicked a few moments later a pop-up screen will
appear and ask for the Admin Username and Password for both of the subscribers
since they both have different passwords than the publishers.
f. Enter UserName Administrator (twice)

g. Enter Password C1sc0123 (twice)
h. Click Login
i. Click Never Remember Password For This Site (firefox pop-up)
j. Observe Success message
k. Click Close to close the CSR pop-up window
Step 127 Verify Success of CSR generation
Step 128 Click Close, on the Generate CSR pop-up window
Step 129 Click Download CSR
Step 130 Confirm tomcat, is selected
Step 132 Select Save File
Step 133 Click OK to save the CSR
Step 134 Click Close on the Download Certificate Signing Request pop-up window
Step 135 Click the Download Arrow in the upper right corner of Firefox
Step 136 Click the File Folder
Step 137 Right click tomcat.csr in Explorer window
It is good practice to rename each certificate file as you download them to your
local computer, so the certificates do not get mixed up.
Step 139 Rename the file to SiteB-CUCM911_tomcat.csr (2nd time use SiteB-
IMP02_tomcate.csr)
Step 140 Double click SiteB-CUCM911_tomcat.csr, in Windows File Explorer
Step 141 Pick Select a program from a list of installed
programs
Step 142 Click OK

Step 143 Select Notepad
Step 144 Click OK
Step 145 Select Format Word Wrap, from the Notepad menus
Step 146 Press CTRL-A, to highlight everything in the CSR file
Step 147 Press CTRL-C, to copy highlighted data into the computer buffer
Be careful to not change anything in this test file, this is also a difficult
troubleshoot.
Step 148 Close NotePad
Step 149 Close the Windows File Explorer window
Submit and Download SiteB-CUCM02 Tomcat Signed CA Certificate
Step 150 Return to Firefox on SiteA-AD RDP session
Step 151 Switch back to the MS AD Certificate Services Web Page tab
Step 152 Click Certificate Services favorite link to return to the CA Services home
page
Step 153 Click Request A Certificate
Step 154 Click Advanced Certificate Request
Step 155 Click in the Saved Request field to make it

active
Step 156 Press CTRL-V to past the data saved to the

computer buffer
Step 157 Select Web Server for the Certificate

Template
Step 158 Click Submit
Step 159 Select Base 64 encoded
Step 160 Click Download Certificate (careful here)
Step 161 Select Save File (default)
Step 162 Click OK to save the certificate
Step 165 Right click certnew.cer in Explorer window
Step 166 Click Rename on the pop-up menu
Step 167 Enter SiteB-CUCM911_CASignedTomCat.cer to rename the file
Step 168 Close the File Explorer window
Upload SiteB-CUCM02 CA Signed Tomcat Certificate to CUCM
Step 169 Click the 2nd Firefox tab to switch to SiteB-CUCM911 Cisco Unified
Operating System Administration web page
Step 170 Login with the following information if the previous session logged out
a: Username Administrator
c: Click Login
Step 171 Click Security Certificate Management (if not all ready there)
Step 173 Select the following Certificate upload information

a: Certificate Name tomcat
b: Description Self-signed Certificate (default)
c: Upload File Click Browse
d: Upload file
Downloads\SiteB-CUCM911_CASignedTomCat.cer
e: Click Open
f: Click Upload file
g: Enter the 02 server credentials
a. Enter UserName Administrator (twice)
b. Enter Password C1sc0123 (twice)
h: Click Login
i: Click Never Remember Password For This Site (if presented)
Notice that unlike previous version of UC products where you had to generate a CSR for each
node in the cluster, create a CA signed certificate for each node in the cluster, and upload a
CA signed certificate for each node in the cluster, in UC 10.5 software you only have only to
generate one CSR per cluster (CUCM/IMP considered in same cluster now), create one CA
signed certificate per cluster and upload one CA signed certificate per cluster.
In previous versions of UC software the following was the method of configuring

certificates
Upload root certificate to the publisher of the CUCM Cluster
Upload root certificate to the publisher of the IMP Cluster
Upload root certificate to the publisher of the CUC Cluster
Generate CSRs for each node in the CUCM cluster
Generate CSRs for each node in the IMP cluster
Generate CSRs for each node in the CUC cluster
Create CA signed certificates for each node in the CUCM Cluster
Create CA signed certificates for each node in the IMP Cluster
Create CA signed certificates for each node in the CUC Cluster
Upload CA signed certificates for each node in the CUCM Cluster
Upload CA signed certificates for each node in the IMP Cluster
Upload CA signed certificates for each node in the CUC Cluster
Assuming three servers in each of the three clusters listed above, the following
would be true
Generate 27 CSRs (3 CUCM + 3 IMPs + 3 CUC) x 3 = 27 Servers

Create 27 CA signed certificates
Upload 27 CS signed certificates
In UC 10.5 software the following is the new method of configuring certificates
Upload root certificate to the publisher of the CUCM/IMP Cluster
Upload root certificate to the publisher of the CUC Cluster
Generate one CSRs for the whole CUCM/IMP cluster
Generate one CSRs for the whole CUC cluster
Create one CA signed certificates for the whole CUCM/IMP Cluster
Create one CA signed certificates for the whole CUC Cluster
Upload one CA signed certificates for the whole CUCM/IMP Cluster
Upload one CA signed certificates for the whole CUC Cluster
Assuming three servers in each of the three clusters listed above, the following
would be true
Generate 2 CSRs (1 for CUCM/IMP + 1 for CUC)

Create 2 CA signed certificates
Upload 2 CS signed certificates
And as you can see with the 10.5 upgrades to certificates there is much less work!
Step 174 Verify Successful certificate upload
Step 175 Click Close, to close the certificate upload pop-up window
Step 176 Click Find, to update the Certificate List
Step 177 Observe the updated tomcat and tomcat-trust certificates. Tomcat-trust has a
siteb-SITEB-AD-CA.pem file, and tomcat has a siteb-SITEB-AD-CA in the
description field
Step 178 Click the PuTTy icon on the task bar at the bottom of the SiteB-AD
RDP session
Step 25 Select SiteB-CUCM911 (repeat 3 more times so all

4 listed UC servers have had their Tom Cat service
restarted), from the saved sessions
SiteB- SiteB- SiteB- SiteB-IMP02

CUCM01 CUCM02 IMP911
Cisc0123 C1sc0123 Cisc0123 C1sc0123
To open more than one PuTTy session at a time do the following
Right click the PuTTy icon on the bottom task bar of SiteB-AD
Select SSH, Telnet and Rlogin client
Step 26 Click Open

Step 27 Login With
a: Login as
Administrator (Case
Sensitive)
(Case Sensitive) See
password chart above
for each server
Step 28 Enter utils service restart
Cisco Tomcat, (Case
Sensitive)
Step 29 Observe and wait for the
Tomcat service to fully stop and restart (takes about 1 minute You can
leave PuTTy open and repeat this section 3 more times for SiteB-CUCM02,
SiteB-IMP911, and SiteB-IMP02
Step 30 Repeat steps 178 184, three more time Go ahead and do the repeat while
the service restarts
Step 31 Close all PuTTy windows once the Tomcat service has restarted on each
servers
Step 32 Click OK to confirm PuTTy window close
Adding CA Signed XMPP Certificate to SiteB-IMP02
In this section the student will upload the CA signed XMPP certificate to SiteB-IMP02 server.
The CA Root Certificate was uploaded to the CUCM911 publisher server during the
previous section of the lab. Here the CA Root certificate will be uploaded for the
cup-xmpp-trust. A cup-xmpp CSR will be generated and certificate created from
this CSR.
Step 33 Switch to SiteB-AD (172.19.X.120) RDP Session (if not already there)
Step 34 Click + to open a 3rd Firefox tab
Step 35 Click SiteB-UC from the favorites tool bar
Step 36 Select SiteB-IMP911 from the SiteB-UC favorites drop down menu
Step 37 Click Cisco Unified Communications Manager IM andpresence
Step 38 Click I understand the Risks
Step 39 Click Add Exception
Step 40 Click Confirm Security Exception
Step 41 Select Cisco Unified IM and Presence OS Administrator from the

Navigation drop down menu in the upper right hand corner of the IM&P
administration web page
Step 42 Click Go to navigate to the OS Administrator


c. Click Login
Step 44 Click Security Certificate Management
Step 45 Click Find

a. Certificate Name cup-xmpp-trust
b. Upload File Click Browse Downloads\CARootCert.cer
c. Click Open
d. Click Upload File
Step 48 Observe the Successful Upload
Step 49 Click Close to close the file upload pop-up window
Step 50 Click Find to refresh the certificate list
Step 51 Observe that the SiteB-AD CA Root Certificate is now listed for cup-xmpp-
trust
Generate and Download Certificate Signing Request (CSR)
In this section the student will generate and download the CSR for the xmpp service on
SiteB-IMP02.
Step 52 Click Generate CSR
Step 53 Fill in the following information

in the Generate Certificate Signing Request pop-up windows:
a. Certificate Name cup-xmpp

b. Distribution Multi-Server(SAN)
c. Key Length 2048 (Default)
d. Hash Algorithm SHA256 (Default)
e. Click Generate CSR
Step 54 Enter the following credentials for SiteB-IMP02

a. Username Administrator
b. Password C1sc0123
c. Click Login
d. Click Never Remember Password for this site (on Firefox pop-
up)
Step 55 Verify Success of CSR generation
Step 56 Click Close on the Generate CSR pop-up window
Step 58 Select cup-xmpp, from the Certificate name filed
Step 61 Click OK to save the CSR
Step 62 Click Close on the Download Certificate Signing Request pop-up window
Step 65 Right click cup-xmpp.csr in File Explorer window
It is good practice to rename the certificates as you download them to your local
computer so they do not get mixed up or overwritten with the same name form a
different server.
Step 67 Rename the file to SiteB-IMP911_XMPP.csr

Step 68 Double click the newly renamed file SiteB-IMP911_XMPP.csr
Step 69 Choose Select a program from a list of installed programs (skip step if
not presented)
Step 70 Click OK (skip step if not presented)
Step 71 Select Notepad (skip step if not presented)
Step 72 Click OK (skip step if not presented)
Step 73 Select Format Word Wrap from the Notepad menus (skip step if already
done)
Step 74 Press CTRL-A to highlight everything in the CSR file
Step 75 Press CTRL-C to copy highlighted data into the computer buffer
Step 76 Close Notepad
Submit and Download Signed CA Certificate
Step 78 Return to Firefox, on SiteA-AD RDP session
Step 79 Switch back to the first Firefox Tab, with MS AD Certificate Services Web Page
Step 80 Click Certificate Services, favorite in Firefox to return to the CA Services

home page
Step 81 Click Request A Certificate
Step 83 Click Saved Request field to make it active
Step 84 Press CTRL-V to past the data saved to the

computer buffer
Step 85 Select Web Server for the Certificate

Template
Step 87 Select Base 64 encoded
Step 88 Click Download Certificate (careful here)
Step 89 Select Save File (default)
Step 90 Click OK to save the certificate
Step 93 Right click certnew.cer in Windows File Explorer
Step 95 Enter SiteB-IMP911_CASignedXMPP.cer to rename the file
Upload CA Signed Certificate to IMP02
Step 97 Click 3rd Firefox Tab, to switch to SiteB-IMP911 Operating System Console
web page
Step 98 Login with the following information if the previous session logged out
b. Password C1sc0123
c. Click Login
Step 99 Click Security Certificate Management (if not all ready there)

a. Certificate Purpose cup-xmpp
b. Description Self-signed Certificate (default)
c. Upload File Click Browse
d. Upload file
Downloads\SiteB-IMP911_CASignedXMPP.cer
e. Click Open
f. Click Upload file
g. Username Administrator (pop-up window)
h. Password C1sc0123
i. Click Login
j. Click OK, service restart (if presented)
Step 102 Verify the Successful certificate upload
Step 103 Click Close, to close the certificate upload pop-up window
Step 104 Click Find, to update the Certificate List
Step 105 Observe the updated cup-xmpp and cup-xmpp-trust
Step 106 Click PuTTy icon on the task bar at the bottom of the SiteB-AD
RDP session
Step 107 Select SiteB-IMP911 (repeat
Step 108 Click Open
Step 109 Enter Administrator login as name
Step 110 Enter Cisc0123 as the password
Step 111 Enter utils service restart Cisco XCP Router, (Case Sensitive)
Step 112 Observe and wait for the XCP RouterAd service to fully stop and restart (takes
about 2 to 5 minutes You can leave PuTTy open and continue on to next
step, to restart XCP router on
SiteB-IMP02)
Step 113 Right click the PuTTy icon
Step 114 Click SSH, Telnet and Rlogin

client from the pop-up window
to open another instance of
PuTTy
Step 115 Select SiteB-IMP02
Step 116 Click Open
Step 117 Enter Administrator login as name
Step 118 Enter C1sc0123 as the password
Step 119 Enter utils service restart Cisco XCP Router, (Case Sensitive)
Step 120 Observe and wait for the XCP RouterAd service to fully stop and restart (takes
about 2 to 5 minutes
Step 121 Close both PuTTy windows
Step 122 Click OK to confirm closing the PuTTy window
Accept new certificates for Pidgin
In this section the new CUP-XMPP certificates will be accepted for Pidgin to light up the
mock users presence indicators.
In this lab a third party IM client called Pidgin is used to light up all the mock users
presence indicators when looking at the Jabber clients on the virtual workstations.
This is purely cosmetic and is only to help make the lab more fun.
When the CUP-XMPP certificate was upgraded in the previous section the
certificates that Pidgin was using became invalid and need to be updated to
continue to light up the presence indicators for our mock users in Jabber.
Step 123 Switch to SiteB-AD (172.19.X.120 RDP Session) if not all ready there
Step 124 Minimize Firefox
Step 125 Observe there are multiple SSL Certificate Verification messages
Step 126 Click Accept on all the Pidgin SSL Certificate Verification messages
Step 127 Switch to SiteB-WS01 (172.19.X.201 RDP Session)
Step 128 Accept any and all In-Valid certificates for Jabber (if presented)
Step 129 Click Gear File Exit to close the Jabber client on SiteB-WS01
Step 130 Double click the Jabber Client icon on the desktop to open jabber on SiteB-
WS01
Step 131 Click Accept the invalid certification (if any)
Step 132 Enter Cisc0123 in the password field of the Jabber client
Step 134 Accept any In-Valid certificates
Step 135 Observe Alex Aces Jabber client becomes active again
When you are done with this section you will have done certificate management on
2 of the 5 UC servers in the SiteB pod. SiteB-CUCM01, SiteB-IMP911, witch in turn
the Root certificate and CA signed certificates where automatically propagated to
the rest of the servers in the clusters. The SiteB-CUC911 server certificates were
configured by the lab developer.
In the next section the CA Root Certificate will be installed on the workstation
before the install of the Jabber client and the end user will not have to accept any
certificates.
Adding the CA Root Certificate to SiteB-WS02
In this section the CA Root Certificate will be manually installed to the SiteB-WS02.
The CA Signed Root Certificate can be manually installed on to the workstation or

can be pushed down to the workstations using the group polices on the Active
Directory server.
Step 136 Switch to SiteB-WS02 (172.19.X.202 Blake Bad) RDP session
Step 137 Click Command icon on the bottom task bar
Step 139 Press Enter
Step 140 Click the Arrow next to Trusted Root Certification

Authority
Step 141 Click and highlight Certificates
Step 142 Observe there is no SiteB-AD certifications in the

Trusted Root CAs
Step 143 Launch Firefox on SiteB-WS02
Step 144 Click Certificate Services on the Firefox favorites bar
Step 145 Login with:

b. Password Cisc0123
Step 146 Click login

Step 147 Click Download a CA certificate, certificate chain, or CRL
Step 148 Select Base 64
Step 151 Click OK
Step 152 Click the Download Arrow in the upper right

corner
Step 153 Click the File Folder, next to the latest

downloaded file
Step 154 Right Click certnew.cer
Step 155 Click Rename
Step 156 Rename the file CARootCert.cer
Step 157 Double click CARootCert.cer
Step 158 Observe that the certificate is from the siteb-

SiteB-AD-CA
Step 159 Click Install Certificate
Step 160 Click Next, on the certificate import wizard welcome screen
Step 161 Select Place all certificates in the following store
Step 163 Select Trusted Root Certification Authorities, from the select certificate
store
Step 164 Click OK
Step 165 Click Next on the certificate import wizard
Step 167 Click Yes on the security warning
Step 168 Click OK on the import was successful message
Step 169 Click OK to close the certificate window
Step 170 Close the File Explorer windows
Step 171 Return to Certificate Manager
Step 172 Select Trusted Root Certification

Authorities (if not all ready there)
Step 173 Press F5 to refresh the list of issued trusts
Step 174 Observe there is now a siteb-SITEB-AD-CA certificate in the trusted root certs
(sometimes CertMgr needs to be closed and reopened to see the CA Cert)
Step 175 Close Certificate Manager
JST Features Task 4: Jabber Client Win Install WS02
In this section the students will install the Jabber client for Windows on SiteA-WS02, after
certificate management has been performed on the UC servers. This will eliminate the in-
valid certificate errors the end user saw during the initial login of Cisco Jabber Client for
Windows, in section 2 of the lab.
Activity Objective
In this activity the student will install the Cisco Jabber Client for Windows.
standard installs
Required Resources
A personal computer VPNed into the lab environment and a RDP session into the labs
workstations.
Logging into Student Remote Workstations

Checking Windows Certificate Manager
Later in this lab guide the student will work with certificate management to conceal the
invalid certificate messages from the end users. This section is to start becoming familiar
with certificate interaction. Observe that before the Windows Jabber Client is installed there
are no Jabber related certificates in the certificate manager on windows.
Installing Jabber on Remote SiteB-WS02

In this section Jabber will be installed on the SiteB-WS02
Jabber for Windows ships as a MSI installer files. Cisco provides a single
MSI file for both on premise and cloud configurations.
Step 176 Switch to Siteb-WS02 (172.19.x.202 Black Bad) RDP Session (if not
already there)
Step 177 Launch the Firefox browser, on SiteB-WS02 (if not all ready open)
DO NOT use any of the FireFox favorites on the tool

bar to install this version of Jabber, otherwise you
will install an old version of Jabber.
Step 178 Browse to the following URL from SiteB-WS02 Firefox

app to download Jabber
http://tinyurl.com/JST2JabInst
Step 179 Click OK, on warning (if any)

Step 180 Click Download Jabber from the Dropbox web site
Step 182 Click CiscoJabberSetup.msi in the

Downloads window or folder
Step 183 Click Run (wait for it this will take 10 to 15

seconds for the pop-up window to appear)
Step 185 Click Yes, when asked to allow changes to be

made to this computer (wait For it)
Step 186 Keep Launch Cisco Jabber checked
Observe that NO invalid certificate warning messages popped up before the log in
screen. This is because the CA signed certificates were uploaded to the UC servers
and the CA root certificate was deployed to the workstation.
The root certificate can be distributed to the workstations using group policies.
Step 188 Observe the username bbad is already filled in. Jabber 10.5
gathers the username from the domain login of the workstation
Step 189 Enter Cisc0123 for the users password
Step 190 Select Sign me in when Cisco Jabber Starts
Step 192 Observe the jabber client for Blake Bad logins in with
no user intervention for invalid certificates
If the Cisco Jabber client fails to discover the network

service, this is most likely an issue with the SRV record
created in the first section of this lab guide. Use
NSLOOKUP in the command prompt from this
workstation to troubleshoot this issue. CLICK HERE to
return to the DNS configuration section.
JST Features Task 5: MRA with Cisco ExpressWay
In this section the students will configure a Cisco Expressway E and C cluster as well as test
access from a remote workstation traversing the Expressway pair using the Mobile Remote
Access feature (MRA) of expressway.
This lab consists of two Expressway Es and two Expressway Cs that have
already been deployed for the student to save time. Also with each deployment
of an Expressway server the serial number is different, which would pose
issues with applying option keys in the lab.
The following video will demonstrate how the Expressways were deployed on
the ESXi hosts in the lab.
Short Video on Cisco ExpressWay Virtual Machine Deployment

Watch this video in HD here - http://youtu.be/Uoi3hosvygs
Activity Objective
Configure Service Records (SRV) on public and internal DNS Servers
Performing the initial configuration of the Expressway E and C Initial Config as well
as configure Traversal zones, Domains, and Certificate Management
Required Resources
lab via VPN, a compatible browser on the students computer, and RDP sessions to the five
devices in the lab.
About the Cisco Expressway

Cisco Expressway is designed specifically for comprehensive collaboration
services provided through Cisco Unified Communications Manager. It features
established firewall-traversal technology and helps redefine traditional enterprise
collaboration boundaries, supporting our vision of any-to-any collaboration.
As its primary features and benefits, Cisco Expressway:

Offers proven and highly secure firewall-traversal technology to extend your
organizational reach.
Helps enable business-to-business, business-to-consumer, and business-to-cloud-
service-provider connections.
Provides session-based access to comprehensive collaboration for remote workers,
without the need for a separate VPN client.
Supports a wide range of devices with Cisco Jabber for smartphones, tablets, and
desktops.
Complements bring-your-own-device (BYOD) strategies and policies for remote and
mobile workers.
The Expressway is deployed as a pair: an Expressway-C with a trunk and line-side

connection to Unified CM, and an Expressway-E deployed in the DMZ and configured with a
traversal zone to an Expressway-C.
The Expressway runs on VMware on a range of Cisco UCS servers. See Expressway on
Virtual Machine Installation
Expressway-C
Expressway-C delivers any-to-any enterprise wide conference and session management and
interworking capabilities. It extends the reach of Telepresence conferences by enabling
interworking between Session Initiation Protocol (SIP)- and H.323-compliant endpoints,
interworking with third-party endpoints; it integrates with Unified CM and supports third-
party IP private branch exchange (IP PBX) solutions. Expressway-C implements the tools
required for creative session management, including definition of aspects such as routing,
dial plans, and bandwidth usage, while allowing organizations to define call-management
applications, customized to their requirements.
Expressway-E
The Expressway-E deployed with the Expressway-C enables smooth video communications
easily and securely outside the enterprise. It enables business-to-business video
collaboration, improves the productivity of remote and home-based workers, and
enables service providers to provide video communications to customers. The
application performs securely through standards-based and secure firewall
traversal for all SIP and H.323 devices. As a result, organizations benefit from
increased employee productivity and enhanced communication with partners and
customers.
It uses an intelligent framework that allows endpoints behind firewalls to discover
paths through which they can pass media, verify peer-to-peer connectivity through each of
these paths, and then select the optimum media connection path, eliminating the need to
reconfigure enterprise firewalls.
The Expressway-E is built for high reliability and scalability, supporting multivendor firewalls,
and it can traverse any number of firewalls regardless of SIP or H.323 protocol.
Standard features
The primary purpose of the Expressway is to provide secure firewall traversal and session-
based access to Cisco Unified Communications Manager for remote workers, without the
need for a separate VPN client.
Rich media session features

The following features are available when rich media session licenses are installed on the
Expressway:
SIP Proxy
SIP / H.323 interworking
IPv4 and IPv6 support, including IPv4 / IPv6 interworking
QoS tagging
Bandwidth management on both a per-call and a total usage basis
Automatic downspeeding option for calls that exceed the available bandwidth
URI and ENUM dialing via DNS, enabling global connectivity
Up to 100 rich media sessions on Small/Medium VM server deployments and 500 rich
media sessions on Large VM server deployments
1000 external zones with up to 2000 matches
Flexible zone configuration with prefix, suffix and regex support
Can be neighbored with other systems such as a Cisco VCS or other gatekeepers and
SIP proxies
n+1 redundancy, can be part of a cluster of up to 6 Expressways for increased
capacity and redundancy
Intelligent Route Director for single number dialing and network failover facilities
Call Policy (also known as Administrator Policy) including support for CPL
Support for external policy servers
AD authentication for administrators of the Expressway
Embedded setup wizard using a serial port for initial configuration
System administration using a web interface or RS-232, SSH, and HTTPS
Intrusion protection
Mobile and remote access

Cisco Unified Communications mobile and remote access is a core part of the Cisco
Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their
registration, call control, provisioning, messaging and presence services provided by Cisco
Unified Communications Manager when the endpoint is not within the enterprise network.
The Expressway provides secure firewall traversal and line-side support for Unified CM
registrations.
The overall solution provides:

Off-premises access: a consistent experience outside the network for Jabber and
EX/MX/SX Series clients
Security: secure business-to-business communications
Cloud services: enterprise grade flexibility and scalable solutions providing rich
WebEx integration and Service Provider offerings.
Gateway and interoperability services: media and signaling
normalization, and support for non-standard endpoints
Figure 1: Unified Communications: mobile and remote access
Figure 2: Typical call flow: signaling and media paths
Unified CM provides call control for both mobile and on-premises endpoints.
Signaling traverses the Expressway solution between the mobile endpoint and Unified
CM.
Media traverses the Expressway solution and is relayed between endpoints directly;
all media is encrypted between the Expressway-C and the mobile endpoint.
Jabber client connectivity without VPN

The mobile and remote access solution supports a hybrid on-premises and cloud-based
service model, providing a consistent experience inside and outside the enterprise. It
provides a secure connection for Jabber application traffic without having to connect to the
corporate network over a VPN. It is a device and operating system agnostic solution for Cisco
Unified Client Services Framework clients on Windows, Mac, iOS and Android platforms.
It allows Jabber clients that are outside the enterprise to:

use instant messaging and presence services
make voice and video calls
search the corporate directory
share content
launch a web conference
access visual voicemail
Public & Local DNS Requirements for Expressway
The local internal DNS has been configured for SRV records in previous sections of this lab,
in the next section the student will enter needed SRV records into the public DNS, as well as
needed A type DNS records in both the public and local DNS.
Public DNS
The public (external) DNS must be configured with _collab-edge._tls.<domain> SRV records
so that endpoints can discover the Expressway-Es to use for mobile and remote access. SIP
service records are also required. That Is for general deployment and not specifically for mobile
and remote access. For example, for a cluster of 2 Expressway-E systems:
Local DNS
The local (internal) DNS requires _cisco-uds._tcp.<domain>,
cuplogin._tcp.<domain>, _cisco-phone-http.<domain> and standard SIP service SRV
records. For example:
Ensure that the cisco-uds, _cuplogin and cisco-phone-http SRV records are NOT resolvable outside
of the internal network, otherwise the Jabber client will not start mobile and remote access negotiation via the
Expressway-E.
Entering Local DNS A Records For Expressway
Step 193 Return to the SiteB-AD (172.19.X.120) RDP session

opened earlier
Step 194 Click Start Administrative Tools DNS to open the
DNS Manager tool
Step 195 Click the + (plus signs) next to SITEB-AD Forward

Lookup Zone siteb.com
Step 198 Select New Host (A or AAAA) from the pop-

up menu
Step 199 Enter the following in the New Host pop-up

window:
a. Name siteb-expc01
b. IP Address 10.1.2.142
c. Check Create associated pointer

(PTR) record
d. Click Add Host
e. Click OK on the success message
Step 200 Repeat step 352 seven more times. In total eight entries should be created.
Name IP Address Name IP Address

(Expressway-C) (Expressway-E)
siteb-expc02 10.1.2.143 siteb-expe01 10.1.3.142
siteb-expc-cluster01 10.1.2.142 siteb-expe02 10.1.3.143
siteb-expc-cluster01 10.1.2.143 siteb-expe-cluster01 10.1.3.142
siteb-expe-cluster01 10.1.3.143
Step 201 Click Done on the New Host pop-up windows after entering the last New Host
Step 202 Review the DNS entries to make sure all eight new entries are correct
Step 203 Close the DNS Manager
An Expressway can be part of a cluster of up to six Expressways. Each

Expressway in the cluster is a peer of every other Expressway in the cluster.
When creating a cluster, you define a cluster name and nominate one peer as
the master from which all relevant configurations is replicated to the other peers
in the cluster. Clusters are used to:
Increase the capacity of your Expressway deployment compared with a

single Expressway.
Provide redundancy in the rare case that an Expressway becomes inaccessible (for
example, due to a network or power outage) or while it is in maintenance mode (for
example, during a software upgrade).
Entering Public DNS A & SRV Records for Expressway
In this section working in the Mock Internet DNS server, the student will add the necessary
A records and SRV records to allow clients to find the Expressway E device from the
Internet (or in this lab case the Mock Internet).
Step 204 Switch to the SiteB-InetDNS (172.19.X.220 x=pod#) RDP session
Step 205 Login in with the following credentials if not already logged in:
Step 206 Click the DNS Manager icon on the bottom task bar
Step 207 Click the Arrow next to SITEB-INETDNS Forward Lookup Zone
siteb.com
Step 210 Select New Host (A or AAAA) from the pop-up menu
Step 211 Enter the following in the New Host pop-up window
a. Name siteb-expc01
b. IP Address 10.1.2.142
c. Check Marked Create associated pointer (PTR) record
d. Click Add Host
e. Click OK on the success message
Step 212 Repeat step 396 to add the following entries. In total there should be eight
entries created
Name IP Address Name IP Address
(Expressway-C) (Expressway-E)
siteb-expc02 10.1.2.143 siteb-expe01 10.1.3.142
siteb-expc-cluster01 10.1.2.142 siteb-expe02 10.1.3.143
siteb-expc-cluster01 10.1.2.143 siteb-expe-cluster01 10.1.3.142
siteb-expe-cluster01 10.1.3.143
Step 213 Click Done on the new host pop-up windows
Step 214 Review the DNS entries

to make sure all eight
are correct
Step 215 Right click SiteB.com

in DNS Manager on
SiteB-InetDNS
Step 216 Select Other New

Records from the pop-
up menu
Step 217 Scroll down and select Service Location (SRV) from the Resource Record
Type pop up window
Step 218 Click Create Record
Step 219 Create the following record:

b. Service _collab-edge (underscore

collab)
c. Protocol _tls (underscore tls)
f. Port Number 8443
g. Host Offering This Service =
h. siteb-expe01.siteb.com
Step 220 Click OK
Step 221 Click Create Record (again)
Step 222 Create the following record:

b. Service _collab-edge (underscore

collab)
c. Protocol _tls (underscore tls)
f. Port Number 8443
g. Host Offering This Service =
h. siteb-expe02.siteb.com
Step 223 Click OK
Step 224 Click Done

Step 225 Select _tls, under siteb.com in the DNS Manager
Step 226 Observe that both _collab-edge are in the _tls folder and have the correct
addresses
Step 227 Close DNS Manager
Initial Expressway Configuration for Expressway C and E
These Expressways have been deployed and locked down for this lab. No initial
administration was done on these devices. The student will make all configuration changes
to the Expressways.
There are 4 Expressways in this lab for Collab Edge, two Cs and two Es. The
student will configure the first C and the first E of a two clustered pairs. SiteB-
ExpC02 and SiteB-ExpE02 have already had this configure done before class
started.
The following Video shows the deployment of an Cisco Expressway

Watch this video in HD here - http://youtu.be/Uoi3hosvygs
Step 228 Switch to the SiteB-AD (172.19.X.120 x=pod#) RDP Session

Step 229 Launch Firefox from the task bar at the bottom of the desktop (if not already
open)
Step 230 Click + sign to open a new tab if Firefox was already open
This section will be done twice, once for Siteb-ExpC01 and once for SiteB-ExpE01
Follow from here down and when you get to a table take the left side the first time
through for SiteB-ExpC01, and take the right side when doing the second pass for
SiteB-ExpE01
SiteB-Expressway C 01 SiteB-Expressway E 01
Use Left Column First Pass of Section Do this step when repeating
Step 231 Click Expressway SiteB- Open a new tab in Firefox and browse to
ExpC01 from the Firefox Expressway SiteB-ExpE01 from the Firefox
favorite bar favorite bar
Step 232 Click I Understand the Risks (if presented)
Step 233 Click Add Exception (if presented)
Step 234 Click Confirm Security Exception (if presented)
Step 235 Login in with the following credentials

a. Username admin (all lower case)
b. Password TANDBERG (all upper case)
c. Click Login
Step 236 Observe the Expressway/VSC Web Administration page

Step 237 Click the Red Box that indicates This system has 5 alarms
Step 238 Review the five system alarms listed
Step 239 Click the time link on the first alarm under the Action heading. Alternatively,
Click System Time
Step 240 Observe that the first three NTP servers have place holders in the address
field
Step 241 Delete and clear all the default entries in the address fields
Step 242 Enter 128.107.212.175 in the first NTP Server Address space
Step 243 Select US/Pacific for the time Zone
Step 245 Click Save
Step 246 Observe the bottom of the time page for a minute or so. Eventually the status
will go from Starting, to Rejected, to Synchronized. (There is no need to
manually refresh as it will do so automatically).
Step 247 Click the Red Alarms box again in the upper right corner.
Notice the number of alarms has changed from five to
three. If not enough time has passed clicking on the red
box again should update it to reflect the new number of
alarms.
Step 248 Click Change the admin password link under Action on the alarm page.
Alternatively click Users Administrator Accounts
Step 249 Click admin to open the admin

configuration page
Step 250 Enter Cisc0123 in the password

field
Step 251 Enter Cisc0123 in the confirm

password field
Step 252 Click Save
Step 253 Click the Red Alarms box again in the upper right corner. Notice it has
dropped from 5 alarms to 2 alarms.
Step 254 Click View Instruction on changing the root password under the Action
column heading
Step 255 Review the Using the Root Account Help page pop-up
Step 256 Close the Help Page when finished reading it
Step 257 Click the PuTTy icon on the bottom tool bar
Use Left Column First Pass of Section Do this section when repeating
Step 258 Click SiteB-ExpC01 from the Click SiteB-ExpE01 from the saved session
saved sessions list in PuTTy list in PuTTy
Step 259 Click Open
Step 260 Click Yes on PuTTy Security Alert (if presented)
Step 261 Login as root (all lower case)
Step 262 Enter the password TANDBERG (all uppercase)
Step 263 Type the UNIX command passwd at the # prompt
Step 265 Type in Cisc0123 as the new

UNIX password (It will not look
like you are typing.)
Step 267 Retype Cisc0123 to confirm

the new password
Step 269 Close the PuTTy window
Step 270 Click OK to confirm closing PuTTy
Step 271 Click the Red Alarms box again in the upper right corner. Notice it has
dropped from three alarms to one alarm.
Option keys are used to add additional features to the Expressway. Option keys
can either be valid for a fixed time period or have an unlimited duration. Your
Expressway may have been shipped with one or more optional features pre-
installed. To purchase further options, contact your Cisco representative.
The Option keys page (Maintenance Option keys) lists all the existing
options currently installed on the Expressway, and allows you to add new
options.
The System information section summarizes the existing features installed on the
Expressway and displays the Validity period of each installed key. The options that you
may see here include:
Traversal Server: enables the Expressway to work as a firewall traversal server.

H.323 to SIP Interworking gateway: enables H.323 calls to be translated to SIP
and vice versa.
Advanced Networking: enables static NAT functionality and the LAN 2 port on an
Expressway-E.
Rich media sessions: determines the number of non-Unified Communications calls
allowed on the Expressway (or Expressway cluster) at any one time. See the Call
types and licensing [p.264] section for more information.
TURN Relays: the number of concurrent TURN relays that can be allocated by this
Expressway (or Expressway cluster). See About ICE and TURN services [p.49] for
more information.
Encryption: indicates that AES (and DES) encryption is supported by this software
build.
Microsoft Interoperability: enables encrypted calls to and from Microsoft Lync
2010 Server (for both native SIP calls and calls interworked from H.323). It is also
required by the Lync B2BUA when establishing ICE calls to Lync 2010 clients. It is
required for all types of communication with Lync 2013.
Expressway Series: identifies and configures the product for Expressway Series
system functionality.
Step 272 Click Add a Release Key under the Action heading
Alternatively click Maintenance Option Keys
Step 273 Observe the Option Keys admin page and take note of the active options
Notice the Serial Number (S/N) in the lower right hand corner of the admin page.
This is the serial number that is used to generate licenses and options keys
The Release Keys and Options keys have already been installed
into SiteB-ExpC02 and SiteB-ExpE02 (the cluster pair of
expressway servers)
Step 274 Observe the server model name at the

top of the admin page, this will change
once all the option keys are installed
Step 275 Observe the Active Options
This key is the Service Contract Release Key:

Step 276 Copy and Paste this license number into Copy and Paste this license number into
the Release Key field the Release key field
4360497995181665 7176023658098439
into the Release Key field into the Release Key field
Careful to make sure you have the Release Key
field and not the Software Option key field. This
key validates the service contract on the server.
Ignore the two new alarms that appear for an

invalid key, these will clear after a restart that
will be performed later in this section.
Step 277 Click Set Release Key
Step 278 Observe the Yellow message at the top of the screen (Do not restart as
that will be completed in a later step)
This Software option key is the Expressway Series key:

Step 279 Copy and Paste this license Copy and Paste this license number (Must Be
number (Must Be All Caps) All Caps)
116341E00-1-096C2A6F 116341E00-1-745E2397
into the Software Option Field into the Software Option Field
Notice that although this will ultimately be

an Expressway-E server, at this point it is an
Expressway-C server. This role will change
when a later option key is installed.
Step 280 Click Add Option
Step 281 Observe the server model name at the top has change to Expressway-C. This
will change to Expressway-E later in this section.
Step 282 Observe the Yellow message at the top of the screen. Do not restart as this
will be done later in this section.
This Software option key is the H323 SIP Interworking key:

SiteB-Expressway C 01 SiteB-ExpressWay E 01
Step 283 Copy and Paste this license Copy and Paste this license number (Must Be
number (Must Be All Caps) All Caps)
116341G00-1-87EACCFB 116341G00-1-A7FB3D03
into the Software Option Field into the Software Option Field
Step 285 Observe the Interworking Active Options has been added
Use Left Column First Do this section when repeating

Pass of Section
No configuration required Step 286 Copy and Paste this license number (Must Be All
here for the Expressway-C Caps)
Move on to the next step 116341I1800-1-8F82AD62

below if this is the first pass
through this section of the into the Software Option Field (this option key is for the
lab E expressway only). This option key is the Turn Relay 1800
Step 288 Copy and Paste this license number (Must Be All
Caps)
116341T00-1-F768D3DC
into the Software Option Field (this option key is for the E
expressway only). This option key is the Traversal Service for E
option key
Step 289 Click Add Options
Step 290 Observe the updated model name at the top of

the page change from C to E
Step 291 Observe the options added to the Expressway-E
Step 292 Click System DNS, in the Expressway web admin
Step 293 Enter the following information for each Expressways:

a. System Host Name siteb-expc01 a. System Host Name siteb-expe01

b. Domain Name siteb.com b. Domain Name siteb.com
c. Address 1 10.1.2.120 c. Address 1 10.1.3.20
d. Click Save d. Click Save
Step 294 Scroll down and click DNS Lookup Utility
Step 295 Enter siteb-expc02.siteb.com (use same address for ping on both servers)
Step 296 Click Lookup
Step 297 Observe the successful DNS Lookup. (Keep going the restart will take place
later in the lab)
Configuring the Expressway Cluster
About clusters
An Expressway can be part of a cluster of up to six Expressways. Each
Expressway in the cluster is a peer of every other Expressway in the cluster.
When creating a cluster, you define a cluster name and nominate one peer as
the master from which all relevant configurations is replicated to the other peers
in the cluster. Clusters are used to:
Increase the capacity of your Expressway deployment compared with a single

Expressway.
Provide redundancy in the rare case that an Expressway becomes inaccessible (for
example, due to a network or power outage) or while it is in maintenance mode (for
example, during a software upgrade).
About the configuration master
All peers in a cluster must have identical configuration for subzones, zones, links, pipes,
authentication, bandwidth control and Call Policy. To achieve this, you define a cluster name
and nominate one peer as the configuration master. Any configuration changes made to the
master peer are then automatically replicated across all the other peers in the cluster.
You should only make configuration changes on the master Expressway. Any
changes made on other peers are not reflected across the cluster, and will be
overwritten the next time the masters configuration is replicated across the peers.
The only exceptions to this are some peer-specific configuration items.
You may need to wait up to one minute before changes are updated across all peers in the
cluster.
Click System Clustering on the Expressway Admin web page
Step 298 Enter the following Enter the following:

a: Cluster Name FQDN a: Cluster Name FQDN
siteb-expc-cluster01.siteb.com siteb-expe-cluster01.siteb.com
b: Configuration Master 1 b: Configuration Master 1
c: Cluster pre-shared key c: Cluster pre-shared key Cisc0123
Cisc0123 d: Peer 1 IP Address 10.1.3.142
d: Peer 1 IP Address 10.1.2.142 e: Peer 1 IP Address 10.1.3.143
e: Peer 1 IP Address 10.1.2.143 f: Click Save
f: Click Save
After the restart it might take a few min to

sync up the databases. Ignore the errors
as they should clear after a few min.
However, DO NOT restart now! They will
be restarted later in this section.)
The clustering page should look something

like this once in sync:
Step 299 Click Maintenance Restart Options
Step 300 Click Restart (Be careful to not click shutdown!)
Step 301 Click OK to restart the system
Step 302 Observe the system restarting
Step 303 Repeat Steps 386 460 for SiteB-EXPE01 while siteb-expc01 is restarting
STOP - make sure to go back and do SiteB-ExpE01!
Step 304 Switch to the Firefox tab with SiteB-expC01 Web admin in it
Step 305 Log in with:

(case sensitive)
Step 306 Click Login
Step 307 Click System Clustering
Step 308 Observe that clustering is

now active
Configuring the Expressway-E Unified Communications
This section sets the SiteB-ExpE01 Mobile and Remote Access to ON. This will automatically
turn this option on for the SiteB-ExpE02 Expressway since it is clustered with SiteB-ExpE01.
Cisco Unified Communications mobile and remote access is a core part of the
Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber
to have their registration, call control, provisioning, messaging and presence
services provided by Cisco Unified Communications Manager (Unified CM) when
the endpoint is not within the enterprise network. The Expressway provides
secure firewall traversal and line-side support for Unified CM registrations.
The overall solution provides:

Off-premise access: a consistent experience outside the network for Jabber and
EX/MX/SX Series clients
Security: secure business-to-business communications
Cloud services: enterprise grade flexibility and scalable solutions providing rich
WebEx integration and Service Provider offerings.
Gateway and interoperability services: media and signaling normalization, and
support for non-standard endpoints
Unified Communications: mobile and remote access
Jabber client connectivity without VPN

The mobile and remote access solution supports a hybrid on-premise and cloud-based
service model, providing a consistent experience inside and outside the enterprise. It
provides a secure connection for Jabber application traffic without having to connect to the
corporate network over a VPN. It is a device and operating system agnostic solution for Cisco
Unified Client Services Framework clients on Windows, Mac, iOS and Android platforms.
It allows Jabber clients that are outside the enterprise to:

Use instant messaging and presence services
Make voice and video calls
Search the corporate directory
Share content
Launch a web conference
Access visual voicemail
Step 309 Switch to the Firefox tab connected to SiteB-expE01 web admin
Step 310 Wait for the SiteB-ExpE01 to restart if not already restarted (about 1 to 3
minutes)
Step 311 Login with:

Step 312 Click Login
Step 313 Click Configuration Unified Communications Configuration
Step 314 Select Mobile and Remote Access from the Unified Communications mode
drop down menu
Step 315 Click Save
Step 316 Click System Clustering
Step 317 Observe that clustering is active on the Expressway-E servers.
Configuring the Expressway-C for Unified Communications
In this section the student will configure the Expressway-C to communicate with CUCM and
IM&P servers
Caution! This section is only for Expressway-C
Step 318 Switch to the Firefox Tab with SiteB-ExpC01 web admin web page
Step 319 Login with the following credentials (if Logged out):
a: Username admin (lower case)
b: Password Cisc0123 (CaSe SeNsAtIvE)
c: Click Login
Step 320 Click Configuration Unified Communications Configuration

Step 321 Select Mobile and Remote Access from the Unified Communications Mode
drop down menu
Step 322 Click Save
Configuring the domains to route to Unified CM
You must configure the domains for which registration, call control, provisioning,
messaging, and presence services are to be routed to Unified CM for.
SIP registrations and provisioning on Unified CM: endpoint

registration, call control and provisioning for this SIP domain is serviced by
Unified CM. The Expressway acts as a Unified Communications gateway to provide
secure firewall traversal and line-side support for Unified CM registrations.
IM and Presence services on Unified CM: instant messaging and presence

services for this SIP domain are provided by the Unified CM IM and Presence service.
Step 323 Click Configuration Domains
Step 324 Click New
Step 325 Enter siteb.com in the Domain

Name field
Step 326 Set On for the SIP registration and
provisioning on Unified CM
Step 327 Set On for the IM and Presence
services on Unified CM
Step 328 Click Create Domain
Step 329 Observe that the domain was created
Discovering IM&P and Unified CM servers
The Expressway-C must be configured with the address details of the IM&P
servers and Unified CM servers that are to provide registration call control,
provisioning, messaging and presence services.
To have TLS verify mode set to On (the default and recommended setting) when
discovering the IM&P and Unified CM servers, the Expressway-C must be configured to trust
the tomcat certificate presented by those IM&P and Unified CM servers.
Determine the relevant CA certificates to upload:

If the servers are using self-signed certificates, the Expressway-C's trusted CA list
must include a copy of the tomcat certificate from every IM&P / Unified CM server.
If the servers are using CA-signed certificates, the Expressway-C's trusted CA list
must include the root CA of the issuer of the tomcat certificates.
TLS verify mode set to On if the Unified CM discovery had TLS verify mode enabled.
This means that the Expressway-C will verify the CallManager certificate for
subsequent SIP communications. Note that secure profiles are downgraded to
use TCP if Unified CM is not in mixed mode.
Step 330 Click Configuration Unified Communications IM and Presence

Servers
Step 331 Click New
Step 332 Enter the following IM&P information

a: IM&P Publisher Address siteb-imp911.siteb.com
b: Username AXLuserCUP
c: Password Cisc0123
d: TLS Verify Mode Off
e: Click Add Address
Step 333 Observe the IM&P Server Discovery was successful
Step 334 Click Configuration Unified Communications Unified CM Server
Step 335 Click New
Step 336 Enter the following CUCM information

a: CUCM Publisher Address siteb-CUCM911.siteb.com
b: Username AXLuserCUP
c: Password Cisc0123
d: TLS Verify Mode Off
e: Click Add Address
Step 337 Observe the successful discovery message for the CUCM servers.
Uploading CA Root Certification to Expressway
Just like all other PKI certificate security based systems the CA Root Certificate must be
downloaded from the CA and uploaded to the Expressways. In this section the student will
obtain the CA Root certificate from the CA and upload it to two of the Expressways.
Step 338 Open a new Firefox Tab
Step 339 Click Certificate Services, on the Firefox favorites bar
Step 340 If requested to, login with:

Step 341 Click Login (if login pop-up is presented)
Step 342 Click Download a CA certificate, certificate chain, or CRL
Step 343 Select Base 64, Encoding Method
Step 345 Click OK to save the file to the students computer
Step 346 Click the Download Arrow in the upper left corner of Firefox
Step 347 Click the Folder next to certnew.cer file to browse the folder where the new
CA Root Certificate was downloaded to
In the Certificate Management section in this lab, a CA Root

Certificate was already downloaded to the SiteB-AD server. The
original CA Root Certificate that was previously downloaded may be
used for this section of the lab as well.
The reason the CA is being downloaded again is in the event a student

wishes to only perform the Expressway section of the lab.
Step 348 Rename the file to CARoot2Cert.cer
Step 350 Return to the Firefox tab for the SitebB-ExpC01 Expressway Web Admin
Step 351 Click Maintenance Security Certificates Trusted CA Certificates
Step 353 Click Downloads on the left side

navigation pane
Step 354 Select the CARoot2Cert.cer file
Step 355 Click Open on the file upload screen
Step 356 Click Append CA Certificate
Step 357 Observe at the top of the page that

the certificate was uploaded
Add Client Server Template to MS CA Server
In this section the student will make the necessary changes to the Microsoft Certificate
Authority server, to prepare it to create CA Signed certificates for Expressway.
This next section although not part of the Cisco UC solution and is not a function
of the Microsoft CA server. This section was included because it is mandatory to
create a new CA template in MS CA server to create server certificates for
Expressway.
This template only needs to be created once on the MS CA server and can be
reused each time you need to create CA Signed certificates for the Expressway
servers.
The new Client Server Template will be used again later in this lab for the Jabber Guest
Expressways
Step 358 Click Start All Programs Administrative Tools Certification
Authority on the SiteB-AD RDP session (Should already be on this server)
Step 359 Click the + (plus sign) next to siteb-SITEB-AD-CA to open the sub-folders
Step 360 Click and highlight Certificate Templates
Step 361 Right click certificate templates and select Manage from the pop-up menu
Step 362 Click and highlight Web Server from the Certificate Templates Console
Step 363 Right click Web Server
Step 364 Click Duplicate Templates from the pop-up menu
Step 365 Select Windows Server 2003 Enterprise. It

must be 2003 or this new template, that is
being created, will not show up when
requesting a certificate.
Step 366 Click OK
Step 367 Enter ClientServer in the Template Display
Name field
Step 525 Click the Request Handling, Tab
Step 526 Select Allow private key to be

exported
Step 527 Click the Extensions tab
Step 528 Select Application Policies
Step 529 Click Edit
Step 530 Click Add on the Edit Application Policies Extension pop-up window
Step 531 Click Client Authentication
Step 532 Click OK
Step 533 Click OK to confirm the addition of Client Authentication
Step 534 Click Apply
Step 535 Click OK to close the properties of

New Template
Step 536 Close the Certificate Templates

Console
Step 537 Right Click Certificate Templates in

the Certification Authority console
Step 538 Click New
Step 539 Click Certificate Template to Issue
Step 540 Select ClientServer from the list of

Certificate Templates
Step 541 Click OK
Step 542 Close the Certification Authority console
Configuration of Certificates to prepare for Implementing Traversal Zones
In this section the student will generate and upload the appropriate certificates on the
Expressways and create a Traversal Zone between the Es and Cs so they can communicate
with each other.
Configuring traversal server zones

An Expressway-E can act as a traversal server, providing firewall traversal on
behalf of traversal clients (such as an Expressway-C).
To act as a traversal server, the Expressway-E must have a special type of two-
way relationship with each traversal client. To create this connection, you create
a traversal server zone on your local Expressway-E and configure it with the
details of the corresponding zone on the traversal client. (The client must also be
configured with details of the Expressway-E.)
After you have neighbored with the traversal client you can:
Provide firewall traversal services to the traversal client
Query the traversal client about its endpoints
Apply transforms to any queries before they are sent to the traversal client
Control the bandwidth used for calls between your local Expressway and the traversal
client
Note: traversal client-server zone relationships must be two-way. For firewall traversal to
work, the traversal server and the traversal client must each be configured with the others
details. The client and server will then be able to communicate over the firewall and query
each other.
CLICK HERE to find the Expressway documentation on Cisco.com
Step 543 Open FireFox on SiteB-AD (if not already open
Step 544 Switch to the first Tab on Firefox, to return to the MS Certificate Server Web
Page
Step 545 Click Certificate Services, on the IE Favorite bar
Step 546 Enter Administrator in the Field of the pop-up login window (if presented)
Step 547 Enter Cisc0123 in the Password field of the pop-up login window (if
presented)
Step 548 Click OK (if presented)
Step 549 Click Download a CA Certificate, Certificate chain, or CRL
Step 550 Click Yes if presented with a Web Access Warning
Step 551 Select Base 64
Step 552 Click Download Latest Base CRL
Step 553 Click Save in the pop-up window at the bottom of the IE Screen
Step 554 Click the Download Arrow in the upper left corner of Firefox
Step 555 Click the Folder next to certnew.cer file to browse the folder where the new
CA Root Certificate was downloaded to
Step 556 Right click certcrl.crl
Step 558 Enter CARootCRL.crl to rename the file
Step 559 Close Windows File Explorer
Step 560 Switch to the SiteB-ExpC01 web admin Firefox tab
Step 561 Login in to SiteB-ExpC01 with the following credentials (if needed)
a. Username admin (lower case)
b. Password Cisc0123 (case sensitive)
c. Click Login
Step 562 Click Maintenance Security Certificates CRL Management
Step 563 Click Browse in the Manual CRL Update section
Step 564 Click Downloads in the left

navigation pane
Step 565 Select CARootCRL.crl
Step 566 Click Open
Step 567 Click Upload CRL File
Step 568 Confirm the successful upload of CRL
Step 569 Click Maintenance Security Certificates Server Certificate
Step 571 Enter the following information
a. Common Name FQDN of Expressway
b. Subject Alternative Names FQDN of Expressway Cluster Plus
FQDNs of all peers in the cluster
c. IM and Presence chat note aliases delete entry
d. Key Length (in bits) 2048
e. Country US
f. Sate or province CA
g. Locality (town name) San Jose
h. Organization (company name) Cisco
i. Organizational Unit Cisco
j. Click Generate CSR
Step 572 Click Download to download CSR file
Step 573 Select Open
Step 574 Click OK to open the CSR in a notepad

Step 575 Click Format Word Wrap in Notepad to see the
whole file (might already be done)
Step 576 Click CTRL-A to highlight the whole text in notepad
Step 577 Click CTRL-C to copy the text into your computer buffer
Be careful not to change anything in this certificate while you have it open in
Notepad. It is not easy to troubleshoot if something changes in this file.
Step 579 Switch to the MS Certificate Server web admin page tab in Firefox
Step 580 Click on the Favorite link Certificate Service to bring the CA server web
admin to the home page
Step 581 Click Request a Certificate
Step 583 Click inside the Saved Request field
Step 584 Press CTRL-V to paste the CRS test into the
saved request field
Step 585 Select ClientServer from the Certificate

Template field (this is the template crated in
the previous section)
Step 587 Select Base 64 Encode
Step 588 Click Download Certificate
Step 590 Click OK
Step 591 Click the Download Arrow in the upper right corner or Firefox
Step 594 Select Rename from the pop-up windows
Step 595 Rename the file to SiteB-ExpC01Cert.cer
Step 596 Click Yes to confirm name extension change
Step 598 Switch to the SiteB-ExpC01 tab in the Firefox browser on SiteB-AD RDP
session
Step 599 Click Browse at the bottom of the server certificate screen to upload a new
certificate
Step 600 Click Downloads in the left navigation pane
Step 601 Find and select the SiteB-ExpC01Cert.cer from the downloads directory
Step 602 Click Open

Step 603 Click Upload Server Certificate Data
The browser will reinitialize and ask to accept the certificate again.
Step 604 Click I Understand The Risk

Step 607 Observe the certificate was uploaded but the system needs a restart
Step 608 Click Restart from the yellow warning message at the top of the Server
Certificate page
Step 609 Click Restart again on the Restart Options window
Step 610 Click OK to confirm the restart
Add CA Signed Certificate on SiteB-ExpE01
Step 611 Switch to the SiteB-ExpE01 web admin tab in Firefox
Step 612 Login with the following credentials (if logged out)
a. Click Home
b. Username admin
c. Password Cisc0123
d. Click Login
Step 613 Click Maintenance Security

Certificates Trusted CA Certificate
Step 615 Click Downloads in the left side

navigation pane
Step 616 Select CARoot2Cert.cer
Step 617 Click Open

Step 618 Click Append CA Certificate
Step 619 Observe and confirm that CA Root Certificate has

been uploaded
Step 620 Click Maintenance Security Certificates CRL Management
Step 622 Click Downloads in

the left side
navigation pane
Step 623 Select CARootCRL.crl
Step 624 Click Open
Step 625 Click Upload CRL File
Step 626 Observe and confirm the CRL was uploaded successfully
Step 627 Click Maintenance Security Certificates Server Certificate
a. Common Name FQDN of Expressway
b. Subject Alternative Names FQDN of Expressway Cluster Plus
FQDNs of all peers in the cluster
c. IM and Presence chat note aliases delete entry (if any)
d. Key Length (in bits) 2048
e. Country US
f. Sate or province CA
g. Locality (town name) San Jose
h. Organization (company name) Cisco
i. Organizational Unit Cisco
j. Click Generate CSR
Step 630 Click Download, to download CSR file
Step 631 Select Open
Step 632 Click OK to open the CSR in a Notepad
Step 633 Click Format Word Wrap in Notepad to see the whole file (if needed)
Step 634 Click CTRL-A to highlight the whole text in Notepad
Step 635 Click CTRL-C to copy the text into your computer buffer
Step 637 Switch to the MS CA Server web admin tab in

Firefox
Step 638 Click Certificate Services on the Firefox favorite

bar to return to the CA home page
Step 639 Click Request a Certificate
Step 641 Select and make active the Saved

Request field
Step 642 Select ClientServer from the Certificate

Template field
Step 644 Select Base 64 Encode
Step 645 Click Download Certificate
Step 647 Click OK
Step 648 Click the Download Arrow in the upper right corner or Firefox
Step 651 Select Rename from the pop-up windows
Step 652 Rename the file to SiteB-ExpE01Cert.cer
Step 653 Click Yes to confirm name extension change
Step 654 Close File Explorer window
Step 655 Switch to the SiteB-ExpE01 tab in the Firefox browser on SiteB-AD RDP
session
Step 656 Click Browse at the bottom of the server certificate screen to upload a new
certificate
Step 657 Find and select the SiteB-ExpE01Cert.cer file from the Downloads directory
Step 658 Click Open
Step 659 Click Upload Server Certificate Data
The browser will reinitialize and ask to accept the certificate again
Step 660 Click I Understand the Risks
Step 663 Observe the certificate has been uploaded but the system needs a restart
Step 664 Click Restart from the yellow warning message at the top of the Server
Certificate page
Step 665 Click Restart again on the Restart Options window
Step 666 Click OK to confirm the restart
Configuring Traversal Zones
In this section the student will configure the Traversal zones between the Es and Cs so
they can communicate across the firewalls.
Step 667 Switch to the SiteB-ExpE01 web admin Firefox tab (if not all ready there) on
the SiteB-AD RDP session
Step 668 Wait for SiteB-ExpE01 to finish restarting
Step 669 Login as

c. Click Login
Step 670 Click Configuration Zones Zones
Step 671 Click New

a. Name TraversalZoneSiteB
b. Type Traversal Server
Step 673 Click Add/Edit Local Authentication Database
Step 674 Click New
Step 675 Enter TraversalAdmin in the Name field
Step 676 Enter Cisc0123 in the password field
Step 677 Click Create Credential
Step 678 Close the Local Authentication Database pop-up window
Step 679 Fill in the following information (leaveing all un-mentioned fields at default):
a. Username TraversalAdmin
b. H323 Mode Off
c. Unified Communications Service Yes
d. TLS Verify Mode On
e. TLS Verify Subject Name SiteB-ExpC-Cluster01.siteb.com
f. Media Encryption Mode Forced Encrypted
g. Authentication Policy Treat As Authenticated
h. Click Create Zone
Step 680 Switch to SiteB-ExpC01 tab in Firefox on SiteB-AD RDP Session
Step 681 Login as:

c. Click Login
Step 682 Click configuration Zones Zones
Step 683 Click New
Step 684 Enter the following information:

a. Name TraversalZoneSiteB
b. Type Traversal Client
a. Username TraversalAdmin
c. H323 Mode Off
d. Port 7001
e. Unified Communications Service Yes
f. TLS Verify Mode On
g. Media Encryption Mode Forced Encrypted
h. Authentication Policy Treat As Authenticated
i. Peer 1 Address siteb-expe01.siteb.com
j. Peer 2 Address siteb-expe02.siteb.com
k. Click Create Zone
Observe that SiteB-ExpC01 show active traversal zone
Step 687 Click TraversalZoneSiteB
Step 688 Scroll to the bottom and observe that the State status is Active
If there is a warning or a connection has failed, wait a min and try to go back
in again. Sometimes it takes a minute or so to update and connect.
Observe that the SiteB-ExpE01 show active traversal zone

Step 689 Switch to SiteB-ExpE01, Firefox tab admin web page
Step 691 Click TraversalZoneSiteB
Step 692 Scroll to the bottom and observe that SIP Reachable and the State status is
Active
Validate Internal and External Jabber Client Usage
In this section the Cisco Jabber client on the workstations well be logged into both the
Internal and External UC services. By connecting to the Expressway-E while on the Internet
the Cisco Jabber client is able to register with CUCM without having to create a VPN
connection first.
Both SiteB-WS01 and SiteB-WS02 have Cisco IP Communicator

(CIPC) install, open, and registered with CUCM. Although you will
not have CIPC and Jabber running on the same computer in a
production network, the CIPC phone serves a purpose in the lab
environment. The CIPC is there to represent the users physical desk
phone, so the student can see what changes would be happening on
the desk phone as the Cisco Jabber client is being used.
During this simulated internet, the CIPC client will remain

connected while on the Mock internet but in real life it would not connect
without VPN from the internet.
Jabber Client Internal Validation Test
In this section the student will test the preconfigured system with the Jabber Clients
connected to the local internal network.
Step 693 Switch to SiteB-WS01 (172.19.X.201 Alex Ace) RDP Session
Step 694 Open Cisco Jabber if not already open
Step 695 Use the following login credentials (if login is needed)
a. Username aace
c. Click Login
Step 696 Click Line One, on the CIPC phone
Step 697 Observe when the CIPC (desk phone) goes off
hook the Jabber Presence changes to On a
call
Step 698 Click EndCall on CIPC
Step 699 Set Alex Aces presence to away
Step 700 Click Away to set a custom presence
Step 701 Type Gone To The Beach
Step 703 Switch to SiteB-WS02 (172.19.X.202 Blake Bad) RDP Session
Step 704 Observe that Alex Ace, in the contacts list, has a
presence indicator of amber that reads Gone To The
Beach
Step 705 Hover your mouse over Alex Ace in Blakes contact
list. The Icon of a phone handset on the right side of Alexs name appears.
Step 706 Click the Call Icon
Step 707 Click Alexs Work Number, to call Alex
Step 708 Quickly switch to SiteB-WS01 (172.19.X.201 Alex Ace)

RDP session
Step 709 Click Answer on the Incoming Call pop-up window in the
lower right hand corner of Alexs desktop
Step 710 Observe on Alexs Jabber Client that the status is still
Gone to the beach. This is because she manually set it.
On Blake Bads Jabber client, however, it indicates On A
Call.
Step 711 Click the Red Hand Set on the Blake Bads conversation
window to disconnect the call
Observe this call came up as a video call,
Both workstations are virtual machines in our lab, and there for do not have
a video camera attached to the workstation. e2eSoft VCam virtual video
driver has been installed on both workstations.
Although video was not needed for this lab, A video driver was required for
the Jabber Guest part of this calls.
Jabber Client Internal Voice Mail Validation Test
In this section the student will validate that both workstations are connected to Unity
Connection voice mail
Step 712 Switch to SiteB-WS01 (172.19.X.201 Alex Ace) RDP

Session
Step 713 Switch Alexs presence indicator back to Available
Step 714 Click the Voice Mail tab on Alex Aces Jabber client
Step 715 Observe that it indicates that she does not have any
VM at this time, but is connected to voicemail
Step 716 Click Help Show Connection Status, on Alexs

Jabber client
Step 717 Observe that the Jabber client is connected to the

following services (the server names might be different during your lab)
a. Softphone SiteB-CUCM02.siteb.com (CCMCIP)
b. VoiceMail Siteb-cuc911.siteb.com
c. Presence SiteB-IMP911.siteb.com
d. Outlook Yes
e. Directory LDAP
f. Close Connection Status, when done observing
Step 719 Click Help Show Connection Status, on Blakes Jabber client
Step 720 Observe Blakes Jabber Connection status
Step 721 Close Connection Status, on Blakes desktop when done observing
Step 722 Click the Voice Mail tab on Blakes Jabber client
Step 723 Observe that it indicates that he has voice mail
Moving SiteB-WS02 From The Internal To The External (internet) Network
In previous sections of the lab the SiteB-WS01 & SiteB-WS02 workstations have been
connected to the internal corporate network. In this section SiteBWS02 workstations will be
moved out of the corporate office and connect Jabber to the CUCM via the Expressways
without a VPN connection.
To demonstrate the Expressway functions workstations02 will be

moved from the internal corporate network, out on to the public
internet. For this lab we have create a MOCK INTERNET by using two
vlans. The 5xx series vlans are for the internal network, and the 6xx
vlans are the DMZ or our external MOCK internet.
The workstations have two network cards in them. To simulate

moving the computer from internal to external, the student will turn off the
internal network card and turn on the external network card. The following series
of lab steps will not only switch the network cards but prove to the student that
the workstation is now on a different network.
Step 724 Switch to siteB-WS02 (172.19.X.202 Blake Bad) RDP Session (if not already
there)
Step 725 Click the DOS Prompt icon on the task bar at the bottom of the desktop
Step 726 Enter ipconfig
Step 727 Observe that the workstation is on the .2 network (3rd Octet), the .2 network
is the internal corporate network
Step 728 Type nslookup and press Enter to enter into nslookup mode
Step 730 Type _cisco-uds._tcp.siteb.com

Step 732 Type _collab-edge._tls.siteb.com
As a reminder dont forget two DNS servers were previously configured:

Internal with _cisco-uds SRV records for the Jabber Clients to find the CUCM
External with _collab-edge SRV records for the Jabber Client to find the
Expressway E while it is outside on the Internet.
Step 733 Observe that the _cisco-uds is able to be resolved and that _collab-edge was
not able to be resolved since we are still internal
Step 734 Close the DOS Prompt
Step 735 Navigate to 172.19.X.110 (x=pod#) in a browser from the students

computer

c. Click Login
Step 738 Click Device Phone
Step 739 Click Find
Step 740 Observe the IPv4 Address of the two CFS (disregard the Dyslexic lab
developer, CFS should be CSF). Notice that both CSF devices are registered
on the .2 network
Step 742 Click File Exit on SiteB-WS02 Jabber Client to exit the app
The External Network On bat file turns off the internal network card
and turns on the external network card.
The Internal Network On bat file does the oppsit it turns off the
external network card and turns on the internal network card.
The two bat files move the SiteB workstations between the internal
network and the mock lab internet.
Step 743 Right Click External Network ON icon on SiteB-WS02s desktop
Step 744 Click Run as Administrator from the pop-up menu
Step 745 Click Yes to allow the application to make changes to the computer
When you click YES in the previous step, the RDP session will drop. In the
following steps an RDP connection will be created to the new workstation address
Step 746 Click Start All Programs Accessories Remote Desktop

Connection, from the students personal computer
Step 747 Enter 172.19.X.241, (x=pod#) in the Computer filed (workstations outside
address)
If the new RDP connection to .241 does not connect at first wait 30 seconds and
try again. It takes a little time for the network to converge.
Step 749 Click Use Another Account
Step 750 Enter siteb\bbad
Step 751 Password Cisc0123
Step 752 Click OK
Step 753 Click Yes to the invalid certificate warning
Step 754 Click Accept on the SiteB-ExpE01.siteb.com invalid certificate (If jabber is
open it will reconnect and an invalid certificate will be presented.)
Step 755 Click Accept on the SiteB-ExpE02.siteb.com invalid certificate (If jabber is
open it will reconnect and an invalid certificate will be presented.)
Validate SiteB-WS02 Is Connected To The External Network
The student should now be RDPed to SiteB-WS02 via the external address. This section will
validate that connection.
Step 756 Click the Command Prompt icon on the task bar at the bottom of the
desktop
Step 757 Enter ipconfig
Step 758 Observe that the workstation is on the .3 network (3rd Octet), the .3 network
in our lab is the MOCK internet which confirms the network change
Step 759 Type nslookup and press Enter to enter into nslookup mode

Step 761 Enter _cisco-uds._tcp.siteb.com
Step 763 Enter _collab-edge._tls.siteb.com
Step 764 Observe that the _cisco-uds is NOT able to be resolved and that _collab-edge
IS able to be resolved, which is opposite form the previous section
Step 765 Close the Command Prompt
Step 766 Navigate to 172.19.X.110 (x=pod#) in a browser from the students

computer

c. Click Login
Step 769 Click Device Phone
Step 770 Click Find
Step 771 Observe the IPv4 Address of the two CFS (disregard the Dyslexic lab
developer, CFS should be CSF). Notice that one CSF devices is registered on
the .201 which is SiteB-WS01 and is still connected to the internal network.
But the CFSUSER02 is connected to .143 which is the address of Expressway-
C
Step 772 Switch back to SiteB-WS02 (172.19.X.241 Blake Bad) RDP Session
Step 773 Double click the Jabber Icon on the desktop to open Jabber (If not all ready
open)
Step 774 Accept any and all Invalid Certificates
Step 775 Click Help Show Connection Status, on the Jabber client
Step 776 Observe that softphone is connected to Expressway, also notice that the
Voicemail is not connected. If Directory is not connect try search for a user
with at least 3 charters in the search and it should connect
Step 777 Click the VoiceMail tab on the Jabber Client
Step 778 Observe that voice mail is not connected
Creating a White List entry for VoiceMail on Expressway-C
In this section the student will create a white list entry for the voicemail server that will
allow the Jabber clients to access voicemail services.
Jabber client endpoints may need to access additional web services inside the
enterprise. This requires an "allow list" of servers to be configured to which the
Expressway will grant access for HTTP traffic originating from outside the
enterprise.
The features and services that may be required, and would need whitelisting,
include:
Visual Voicemail
Jabber Update Server
Custom HTML tabs / icons
Directory Photo Host
The IP addresses of all discovered Unified CM nodes (that are running the CallManager or
TFTP service) and IM&P nodes are added automatically to the allow list and cannot be
deleted . Note, however, that they are not displayed on the HTTP server allow list page.
Step 779 Switch to SiteB-Ad (172.19.X.120 Administrator) RDP Session
Step 780 Open Firefox, if not already open
Step 781 Click Expressway SiteB-ExpC01, or switch to the tab that already has
SiteB-ExpC01 open in it
Step 782 Enter the following credentials to login in

c. Click Login
Step 783 Click Configurations Unified Communications Configuration
Step 784 Click Configure HTTP Server Allow List
Step 785 Click New
Step 786 Enter siteb-cuc911.siteb.com, in the Server Hostname
Step 787 Enter Visual VoiceMail White List, in the description field
Step 788 Click Create Entry
Step 790 Click Gear File Exit, to exit Jabber
Step 791 Double click the Jabber icon
Step 792 Enter Cisc0123 in the password field (if prompted)
Step 793 Click Sign In (if prompted)
Step 794 Click the VoiceMail tab on the Jabber Client
Step 795 Observe that voice mail is now connected
Step 796 Press the Triangle Play button on some of the VMs to test if they play. The
audio if any will be garbbled due to lab issues, but you should see the play
status bar moving across the VM if you cant hear it.
Step 797 Click the Contact tab in the Jabber client
Step 798 Hover the mouse over Alex Ace, in Blakes contact list
Step 799 Click the Call button
Step 800 Select Alexs Work

(+14085552001) number
Step 801 Switch to SiteB-WS01 (172.19.X.201 Alex Ace) RDP session
Step 802 Click Answer, on the Incoming Call pop-up window in the lower left corner
The call that is active right now is a call between Blake Bad (SiteB-WS02) external
and connected via the Expressway, and Alex Ace (SiteB-WS01) connected on the
internal network.
Step 803 Switch to SiteB-Ad (172.19.X.120 Administrator) RDP Session
Step 805 Click Expressway SiteB-ExpC01, or open Firefox tab with SiteB-ExpC01
already open in it
Step 806 Enter the following credentials to login in
c. Click Login
Step 807 Observe that on the main Status Overview status page there is one
current call. At this time the Expressway-C shows this as a video call
Step 808 Click Status Calls Calls
Step 809 Observe there is one call active
Step 810 Click the Start Time link for this call
Step 811 Observe the call information
Step 812 Click Status Calls History
Step 813 Observe the call history log (there might not be any calls here till you end the
first call)
Step 815 Click the Red Phone Handset, to disconnect the call
JST Features Task 6: Adding User Photos to Web Server
In this section the student will configure the jabber-config.xml file to point to our network
web server for the Jabber Clients to obtain the user photos at login. In previous sections of
the lab the Jabber Clients used EDI to obtain the photos from the Active Directory.
Activity Objective
Configure jabber-config.xml to allow for web based photos
Configure Expressway C to white list the photo web server
Required Resources
lab via VPN, and an RDP connection to your pods SiteB-AD (172.19.X.120).
Contact Photo Retrieval with UDS

UDS dynamically builds a URL for contact photos with a directory attribute and a
URL template.
To resolve contact photos with UDS, you specify the format of the contact photo
URL as the value of the
UdsPhotoUriWithToken parameter. You also include a %%uid%% token to
replace the contact username in
the URL, for example,
<UdsPhotoUriWithToken>http://server_name/%%uid%%.jpg</UdsPhotoUriWithToken>
UDS substitutes the %%uid%% token with the value of the userName attribute in UDS. For
example, a user
named Mary Smith exists in your directory. The value of the userName attribute for Mary
Smith is msmith.
To resolve the contact photo for Mary Smith, Cisco Jabber takes the value of the userName
attribute and
replaces the %%uid%% token to build the following URL:
http://staffphoto.example.com/msmith.jpg
Configure jabber-config.xml
The photos for our lab are stored on the external/DNS/webserver at

C:\inetpub\wwwroot\userphotos directory.
Step 816 Switch to SiteB-AD, (172.19.X.120) RDP Session
Step 817 Double click the Jabber Config folder on the desktop
Step 818 Double click the 03_Video_Case_Num_CFg folder
Step 819 Right click Jabber-config.xml
Step 820 Click Edit from the pop-up menu
Step 821 Add the following line of code in the directory section of the jabber-
config.xml. You should be able to copy and paste the line below
<UDSPhotoURIWithToken>http://10.1.3.20/userphotos/%%uid%%.jpg</UDSPhotoURIWithToken>
The whole file should look like this when the one line is added just in
the directory section:
Step 823 Click File Save on notepad
Step 824 Click File Exit to close notepad
Step 825 Open Firefox, on SiteB-AD (172.19.X.120) RDP session, or create a new
tab in the session of Firefox that is already open
Step 826 Click SiteB-UC SiteB-CUCM911 from the Firefox favorite bar
Step 827 Click Cisco Unified Communications

Manager
Step 828 Select Cisco Unified OS Administrator, from the navigation drop-down in
the upper right corner of the login page
Step 829 Click I Understand The risk (if presented)
Step 830 Click Add Exception (if presented)
Step 831 Click Confirm Security Exception (if presented)
Step 832 Select Cisco Unified OS Administration, from the navigation drop-down
menu
Step 833 Click Go
Step 834 Login with the following credentials

c. Click Login
Step 835 Click Software Upgrades TFTP File Management
Step 836 Click Upload file
Step 838 Select Desktop from the left side navigation pane
Step 839 Double click the Jabber Config file folder
Step 840 Double click 03_Video_Case_Num_CFG
Step 841 Select jabber-config.xml
Step 842 Click Open
Step 843 Click Upload File
Step 844 Verify File Uploaded Successfully, at

the top of the upload pop-up window
Step 845 Click Close, to close the upload pop-up

window
Step 846 Select Cisco Unified Serviceability, form the Navigation drop-down
window
Step 847 Click GO
Step 848 Login with the following credentials

c. Click Login
Step 849 Click Tools Control Center Feature Services
Step 850 Select SiteB-CUCM911.siteb.comeCUCM Voice/Video, from the Select

Server drop-down menu
Step 851 Click Go
Step 852 Select Cisco Tftp
Step 853 Click Restart
Step 854 Click OK, on the page refresh warning
Testing jabber-config.xml
In this section the student will point a browser to the URL below and it should retrieve the
jabber-config.xml from the CUCM TFTP server. All changes should be reflected in the output.
Step 855 Open Firefox, on SiteB-AD (if not already open), or open a new tab in
Firefox
Step 856 Navigate to http://10.1.2.110:6970/jabber-config.xml
The browser should present the output that is shown below, with the edit
that was made to the Directory section
White List Web Server
The student will add the web server with the photos on to the allow list on expressway, so
the Jabber client is permitted to access the web server.
Step 857 Switch to SiteB-AD (172.19.X.120) RDP

session
Step 859 Click Expressway SiteB-ExpC01, on

the Firefox favorites bar
Or switch to the tab that already has
SiteB-ExpC01 already open in it
Login with the following credentials (if not

already logged in)
a. admin (lower case)
Step 860 Click Configuration Unified Communications Configuration, in the

SiteB-ExpC01 administration web page
Step 861 Click Configure HTTP Server Allow List
Step 862 Click New
Step 863 Enter 10.1.3.20, in the Server hostname field
Step 864 Description Internet Web Server
Step 865 Click Create Entry
Step 866 Switch to SiteB-WS02, (172.19.X.241 Blake Bad) this workstation should
still be connected to the external network from a previous section
If you are not sure if the workstation is connected to the external

network confirm that SiteB-WS02 is connected to the external
network do the following
Click Help Show Connection Status

Observe that the Address in the first section says (CCMCIP
Expressway)
Close the Jabber Connection status screen
If it does say Expressway move on to the next step (outside
of this aqua box)
If the system does not say Expressway do the follow to switch SiteB-WS02 to the
external network.
Right Click External Network On icon on the desktop of

SiteB-WS02
Click Run As Administrator, from the pop-up menu
Click Yes to the warning, at this point you will loose

connectivity to the RDP session. Close the RDP window
Open a new RDP window and login to the following
Computer = 172.19.X.241
Username = siteb\bbad
Password = Cisc0123
Click Help Show Connection Status
Observe that the Address in the first section says
(CCMCIP Expressway)
Close the Jabber Connection status screen
Step 867 Click the Contacts tab on the left side of Cisco Jabber
Step 868 Observe that the Cisco Jabber contacts for Blake Bad do not have any
pictures (due to lab variations sometimes the pictures are still showing form
AD, this is OK keep going)
Step 869 Click Gear File Exit, on the Cisco Jabber client to close it on SiteB-
WS02
Due to issues in the lab, the two Jabber directories on the

workstation will need to be erase so they will be recreated when
Jabber Client is turned on again. The issue is that if the Jabber Client
has pictures already in the local photo directory the ones on the new
web server will not overwrite the photos previously downloaded from
the internal AD server. In a product network one or the other type of
photo source will exist not both as we demonstrated in the lab.
The bat file erases the Jabber directory and all sub directories below it in two
location on the local workstation.
C:\Users\bbad\AppData\Roaming\Cisco\Unified Communications
C:\Users\bbad\AppData\Local\Cisco\Unified Communications
Step 870 Right Click EraseJabber_WS02.bat, bat file on the SiteB-WS02 desktop
Step 871 Click Run as Administrator, from the pop-up menu
Step 872 Click Yes to allow the app to change the computer
Step 873 Double click the Jabber Client icon to open Jabber
Step 874 Enter the following credentials to login to the Jabber client
a. Email Address bbad@siteb.com
b. Click Continue
c. Username bbad@siteb.com (pre-filled in)
d. password Cisc0123
e. Sign me in when Cisco Jabber start Checked
f. Click Sign In
Step 875 Accept any invalid certificates (if needed)
In the next step when the Jabber client obtains the user photos
from the Mock Internet Web server, notice that the pictures look
WEIRD. They have intentionally changed with a special effect so
they look different then the pictures in the internal Active Directory
to help the student very quickly realize this is a different set of
pictures.
In most production network there will usually only be one source for the photos
unlike the experience we have just stepped through in the lab.
The altered user photos were copied into a directory

(C:\inetpub\wwwroot\userphotos) on the Mock Internet Web Server before the
class started. Also the IIS role has been installed and started on this server, to
enable it to be a web server.
Step 876 Observe that the Jabber Client now has pictures that
were retrieved from the web server (notice the
pictures have been made to look weird to prove the
difference in source of the photos)
This Concludes the official lab Guide steps, please

feel free to continue to explore the lab
Section 4: Appendix
Appendix A: ExpressWay Options Keys for JSTII Lab
The option keys in this lab only apply to the server deployed in this lab due to the
automatically generated serial number on each Expressway at the time of deployment.
Collab Edge Lab Option Keys

SiteB-ExpC01 Serial Number - 049491D5
Valid Software contract - Release Key: 4360497995181665
H323 SIP Interworking Gateway Key: 116341G00-1-87EACCFB
Expressway Series Key: 116341E00-1-096C2A6F
SiteB-ExpC02 Serial Number 06126E24

Valid Software contract Release Key: 1194266643158189
H323 SIP Interworking Gateway Key: 116341G00-1-C3DE9277
Expressway Series Key: 116341E00-1-B57F3034
SiteB-ExpE01 Serial Number 03118224

H323 SIP Interworking Gateway Key: 116341G00-1-A7FB3D03
Expressway Series Key: 116341E00-1-745E2397
Traversal service for E VSC (T) Boarder Controller Key: 116341T00-1-F768D3DC
Turn Relay 1800 Turns Key: 116341I1800-1-8F82AD62
SiteB-ExpE02 Serial Number - 023393F5

H323 SIP Interworking Gateway Key: 116341G00-1-CF24D548
Expressway Series Key: 116341E00-1-1D400744
Traversal service for E VSC (T) Boarder Controller Key: 116341T00-1-AF35A121
Turn Relay 1800 Turns Key: 116341I1800-1-A7C4DC9D
Options keys for JSTII Jabber Guest on 8.2.0
SiteB-JabGstC01 - Serial Number - 0280C83C

Valid Software contract - Release Key:4871176275042305
Expressway Series Key:116341E00-1-8AD9AE82
Rich Media Sessions - VCS:(W) +100 Traversal Calls:116341W100-1-6D415BF0
SiteB-JabGstE01 - Serial Number - 0912E2FD

Valid Software contract - Release Key:4288141040879898 -
Expressway Series Key:116341E00-1-A14E7789
Turn Relay 1800 Turns Key:116341I1800-1-EC92C886
Traversal service for E VSC (T) Boarder Controller Key:116341T00-1-DE3F1423
Rich Media Sessions - VCS:(W) +100 Traversal Calls:116341W100-1-5B0DD1B0
Appendix B: CUCM Server Name change to FQDN
Changing the CUCM Server Name
Open a browser on your desktop and navigate to 172.19.X.110, where X = your pod
number (for example 172.19.22.110 = pod 22)
Step 1 Browse to SiteB-CUCM911 (172.19.X.110

X=pod#) from the students desktop
Step 2 Click Continue to Website
Step 3 Click Yes or accept to any security warnings, if any

Username Administrator
Password Cisc0123
Step 5 Click System Server
Step 6 Click Find
Step 7 Observe that the CUCM and IMP servers are only entered into the database as
hostnames, this is the default install configuration
All UC Servers in this lab are upgraded from 9.1.1 to version 10.0.1. Due to time
constraints the server hostnames and DNS entries have been left as 9.11
Step 8 Select SiteB-CUCM911 (2nd pass

SiteB-CUCM02, 3rd pass SiteB-
IMP911, 4th pass SiteB-IMP02)
Step 9 Enter SiteB-CUCM911.siteb.com, in the hostname/IP address field
Step 10 Click Save
Step 11 Click OK, on the certificate regeneration warning
Step 12 Click Go, on related links to go back to Find/List
Step 13 Click SiteB-IMP911
Step 14 Enter SiteB-IMP911.siteB.com, in the hostname/IP address field
Step 15 Click Save
Step 16 Click OK, on the certificate regeneration warning
Step 17 Click Go, on related links to go back to Find/List
Step 18 Repeat steps 6 18 for SiteB-CUCM02, SiteB-IMP911 & SiteB-IMP02
Step 19 Observe that four servers are listed as FQDN format
Appendix C: Bootstrap Jabber for Windows Install
The CiscoJabberProperties.mst is used to modify the CiscoJabberSetup.msi to create
custom installers. When installing the custom Jabber Install MSI file, edited by Orca, it is
now referred to as a Bootstrap install.
The CiscoJabber-Admin-ffr.9-6 will be downloaded to the SiteB-AD server for use with
this lab. There are only a few entries that are different between the 9.6 and the 9.7 Admin
file, and the additional settings are not needed for this lab. (The 9.7 admin file was not
ready for the we released of this lab)
The Microsoft Orca program from the Microsoft Windows SDK has been installed on the
SiteB-AD server for use with this lab. The Jabber admin might need to edit the Cisco
JabberSetup.msi Installer package (.msi) files directly to customize the installer for their
particular deployment needs. The Orca database editor is a table-editing tool available in
the Windows Installer SDK and can be used to edit your .msi files. This lab discusses how to
use the Orca editor to modify the lab .msi files.
Warning Editing an MSI file can cause serious problems that may leave your
system in an unstable state. Cisco Systems cannot guarantee that problems
resulting from the incorrect use of the MSI file editor can be solved. Modifications
of the MSI file of a shipping product should only be attempted under direct
instruction from the product's vendor. Always make a copy of the file(s) being
modified.
An Administrator can create a customized Jabber installer for their

organization.
In this section a customized Jabber installer will be built using the

Microsoft Orca tool. The Orca tool allows an Administrator to apply an
MST transformation file to an MSI. Cisco provides an MST file in the
Jabber admin pack downloadable on cisco.com
In this section we are going to edit a Jabber MSI install file which is hardcoded to
install with additional parameters to make the end user first login experience
shorter and less frustrating.
This configuration also means the Jabber client will look for a CUCM server by
default using the _cisco-uds SRV Record created earlier in the lab.
Activity Objective
In this activity the student will edit and repackage the CiscoJabberSetup.msi with the
Microsoft Orca app as well as perform a bootstrap install, configure, and operate the Cisco
Jabber Client for Windows.
Required Resources
A personal computer VPNed into the lab environment and two RDP sessions into the lab. On
to the SiteB workstations and the second to the SiteB-AD server.
Logging into the Student Remote Workstations
Editing and Repackaging the CiscoJabberSetup.msi install file
In this section the student is going to download TWO files from Dropbox, one MSI and one
MST file. These two files will be downloaded to Siteb-AD, and used to create a Jabber Client
Bootstrap install.
Step 1 Return to or Open SiteB-AD server (172.19.X.120), RDP session

Step 2 Launch Firefox on SiteB-AD
Step 3 Browse to the following URL http://tinyurl.com/CiscoJabberSetup to

download the Jabber MSI Install file
Or use the Favorite in the Jabber Install folder
Step 4 Click Download

Step 6 Browse to the following URL http://tinyurl.com/CiscoJabberMST to
download the CiscoJabber MST Properties file
Or use the quick link on the Bookmarks Toolbar under

Jabber Install
Step 7 Click Download
Step 8 Select to Save File and Click OK
Step 9 Close all Firefox browser windows
Step 10 Start Microsoft Orca by clicking the Killer Whale icon on the task bar on of
the SiteA-AD server (172.19.x.120)
Step 11 Click File Open
Step 12 Browse to C:\Users\Administrator\Downloads

Step 13 Select CiscoJabberSetup.msi
Step 14 Click Open

Step 15 Click View Summary Information
Step 16 Locate the Languages field
Step 17 Remove all language codes except for 1033
Step 18 Click OK
Step 19 Click Transform Apply Transform
Step 20 Browse to C:\Users\Administrator\Downloads (should already be here)
Step 21 Select Installer Transforms (*.MST) for the files of type
Step 22 Select CiscoJabberProperties.mst
Step 23 Click Open (Wait for it its a little slow to open)
Step 24 Scroll down in the list of Tables in the left pane
Step 25 Select the Property table
Step 26 In the Property window scroll down to the green outlined properties (right
pane)
There are many different customizable fields in the MSI file. In this lab we
will change two: Service_Domain and Clear. By setting Clear to 1 you
enable Jabber directories to be deleted during upgrade or uninstall. To see
more about the different fields Click Here
SERVICES_DOMAIN Domain Sets the value of the domain where the

DNS SRV records for Service
Discovery reside.
This argument can be set to a domain

where no DNS SRV records reside if
you want the client to use installer
settings or manual configuration for this
information. If this argument is not
specified and Service Discovery fails,
the user will be prompted for services
domain information.
Step 27 Enter siteb.com in the Value for the SERVICE DOMAIN property field
Step 28 Enter 1 (number one) in the CLEAR property field
Step 29 Now select and highlight USE FT GATEWAY, 3rd from the top of the green
bordered list
Step 30 Hold the SHIFT key
Step 31 Select EXCLUDE SERVICES, while holding shift key it should highlight all the
fields except the two that were edited
Step 32 Click Table Drop Rows from the Orca menus. Only two green outlined
rows should remain as seen below
Caution! Do not to click Drop Table
Step 33 Click OK to confirm the dropped rows
Step 34 Click Tools Options
Step 35 Select the Database Tab

Step 36 Select Copy embedded streams
during Save As
Step 37 Click Apply
Step 38 Click OK
Step 39 Click File Save Transformed As
Step 40 Browse to C:\Users\Public\Jabber

Step 41 Type SiteBJabberInstall in the name
field
Step 42 Click Save
Step 43 Click OK to the Orca copy error message, if

one pops up
Step 44 Close Orca
Step 45 Click NO on the save changes to CiscoJabberSetup.msi pop-up warning
Bootstrap Jabber Install on Remote SiteB-WS02 Using the Custom MSI File
Default Configuration
In most environments, Cisco Jabber for Windows does not require any configuration to
connect to the CUCM server and perform directory queries.
In on-premises deployments, Cisco Jabber for Windows uses the _cisco-uds SRV record to
automatically discover Cisco Unified Communications Manager. If you add a DNS SRV record
for the _cisco-uds service name in the DNS server on the CUCM server domain, Cisco
Jabber for Windows can automatically connect to that CUCM server.
For directory integration in on-premises deployments, Cisco Jabber for Windows uses
Enhanced Directory Integration by default. If you install Cisco Jabber for Windows on a
workstation that is registered to an Active Directory domain, Cisco Jabber for Windows
automatically discovers the directory service and connects to a Global Catalog in the
domain.
In cloud-based deployments, Cisco WebEx Messenger provides Cisco Jabber for Windows
with presence capabilities and contact resolution. You perform all configurations for Cisco
Jabber for Windows using the Cisco WebEx Administration Tool. However, you can configure
Cisco Jabber for Windows in hybrid cloud-based deployments with additional options.
Custom Configuration
You should configure Cisco Jabber for Windows if:
You do not install Cisco Jabber for Windows on a workstation that is registered to an
Active Directory domain.
You plan to connect to Cisco Unified Communications Manager User Data Service or
another supported LDAP directory instead of EDI.
You need to specify custom settings so that Cisco Jabber for Windows can correctly
use your directory service. Custom directory settings include the following:
o Attribute mappings
o Connection settings
o Contact photo retrieval settings
o Directory search settings
o Intradomain federation settings
You plan to deploy with custom content such as the following:
o Scripts that allow users to submit problem reports
o Files that enable automatic updates

o Custom embedded tabs for displaying HTML content
o URLs that enable users to reset or retrieve forgotten passwords
You plan to deploy with custom policy configuration such as the following:
o Disabling screen captures
o Disabling file transfers
o Disabling video calls
You plan to specify a credentials configuration in your deployment.
In the previous section we used Microsoft ORCA to customize the MSI file, in this
section of the lab we are going to use the newly created MSI file to install our
second student workstation with Jabber. The end result is the end user will skip
the email section of sign-in and go right to logging in.
The same result could be achieved by using the command line install that follows,
from the directory that the MSI directory exists in.
Bootstrap Jabber Install for Jabber for Windows
Step 46 Switch to SiteB-WS02 (172.19.X.202 Black Bad) RDP session
Step 47 Click the button formally known as Start
Step 48 Type \\10.1.2.120\Users\Public\Jabber in the Run

field just above the Start button
Press Enter. An Explorer window should open to the

mapped drive
Step 49 Double Click SiteBJabberInstall to start the Jabber installation (wait for it)
Step 50 Click Run on the security warning (if any). Be

patient as this takes some time
Step 52 Click Yes, to allow the following program to make changes to this computer
(This window takes a min to pop up)
Step 53 Keep Launch Cisco Jabber Checked
Step 55 Minimize the windows Explorer window
Step 56 If the remote desktop screen is minimized (not full screen) Jabber will most
likely open to the far right on the screen. If this happens scroll to the right to
see Jabber on the screen.
In the previous section the student did a standard install with no

customization to the CiscoJabberSetup.msi file. When Jabber started
for the first time the student was presented with a login screen that
asked for the users email address.
In this second Jabber install the student installed

the customized CiscoJabberSetup.msi file that
was edited with the MS Orca tool. The follow two
parameters were added to the MSI file.
When Jabber starts for the first

time with the customized install Jabber should skip the
email address screen and go directly to the user name
and password screen. Jabber uses the _cisco-uds
service record in DNS to locate the Cisco Unified Communications Manager to login using TCP
on port 8334.
Another way to see if the bootstrap values made it to the computer

running Jabber is to look at the Jabber bootstrap file on the
workstation.
The file exist on the workstation that Jabber Client is installed.

Located in the C:\ProgramData\Cisco Systems\Cisco Jabber - In the
case of our lab it is on SiteB-WS02. ProgramData is a hidden folder
so it will need to be un-hidden, or programdata can be typed in
manually at the top of the file explorer even when it is hidden.
Notice in the screen shot the entries that were added to the MSI
install file are in the jabber-bootstrap file
Step 57 DO NOT login to SiteB-WS02s Jabber client at this time
In a previous section of this lab the student installed Cisco Jabber default MSI
install file on SiteB-WS01. After the install the student logged in the Jabber client
as Alex Ace. During the login process the Jabber client presented five invalid
certificates.
The next task focuses on Certificate Management. At the end of the task
SiteB-WS02 Jabber client we be logged in as Blake Bad and the Jabber
client should NOT present any invalid certificates.
End Of Lab
This concludes the lab. On behalf of the Americas Partners Organization Solutions
Readiness Engineers we thank you for taking the time to complete this lab. We hope that
this lab surpassed your goals and expectation and was a very useful and positive learning
experience for increasing your knowledge of Ciscos Collaboration products.
Please dont forget to complete your survey for todays session.
The Solutions Readiness Engineers have a YouTube channel that has

step-by-step videos for each of our lab offerings. You can find our
YouTube Channel here: Http://tinyurl.com/CollabVideos
Thank you for taking our lab and as always thank you for using Cisco products.

The Ultimate Cisco Jabber Specialist 2 Lab Guide - Part1

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

The Ultimate Cisco Jabber Specialist 2 Lab Guide - Part1

Загружено:

Авторское право:

Доступные форматы

The Ultimate Cisco Jabber Specialist 2 Lab

Section 1: About the Lab

What is Cisco Jabber

Cisco Jabber for Windows streamlines communications and enhances productivity by

Figure 1. Cisco Jabber for Windows

Expressway Cluster Creation and Maintenance Deployment Guide

Cisco Collaboration Edge Architecture

Cisco Expressway Series

Cisco Expressway Series Data Sheet

Cisco Jabber Android

Cisco Jabber MAC

Security Certificate management on CUCM

Security Certificate management on VCS/Expressway

PostgreSQL Database Software Download

Audience and Prerequisites

About The Lab

CUCM 10.5.1.10000-7 Server Providing local device registration and call

Domain SiteB.com X pod number

Cisc0123 (C i s c zero 1 2 - 3) in most cases is the password used

Host IP Address IP Address Internal Domain\User Password

If you use the VM Workstations to access the UC Servers web

If you use your local computers browsers to access the UC

Connectivity to the Lab Environment

CUCM/IM&P/CUC/Expressway/Windows Server & Workstation VM Installations

Jabber Specialist I 2013 Edition Video Walk Through

Task 1: Accessing the Lab Equipment

This section is for students This section is for students that

Cisco AnyConnect Pre-Installed Install and Connect with Cisco

Step 2 Enter uctraining.cisco.com/jabber Step 2 Download and install Cisco AnyConnect

Step 3 Click Connect

Step 3 Continue to left side of

The password will be assigned by the

Step 5 Click OK to login

Step 6 Click Accept on the connection banner

Step 7 Continue to Task 2

Step 8 Click Start All Programs Accessories Remote Desktop

Step 9 Click Options

Step 10 Select Local Resource Tab

Step 12 Select Play on this computer & Do Not Record

X = you pod number (for example pod 5 = 172.19.5.220)

Step 15 172.19.x.220 172.19.x.120 172.19.x.201 172.19.x.202

Step 16 siteb\Administrator siteb\Administrator siteb\aace siteb\bbad

Step 19 Click Connect

Step 20 Enter Cisc0123 in the password field

Step 24 Repeat steps 8 - 23 three more times to

If you accidentally close CIPC during this lab or it was closed

Double click on the WorkStation Reboot icon on the desktop of the

Section 2: System Preparation

In this activity, you will learn the methods to:

Changing the CUCM Server Name

Section 3: Jabber Specialist Features

The primary benefits to using service discovery are:

Access Microsoft DNS Administrator

Configure DNS Service Records on a Microsoft Windows 2008 R2 server

Configure DNS Service Records

Cisco would recommend this method of configuration a best practice.

Step 28 Select siteb.com to highlight it

Step 30 Select Other New Records, from the pop-up menu

Step 31 Scroll down and select Service Location (SRV)

Due to time constraints during the

Step 32 Click Create Record

Step 33 Fill in the following information:

b. Service _cisco-uds (underscore cisco)