Saturday, 23 September 2017

SQL 2014 Express based Jabber IM Compliance Option

SQL 2014 Express based Jabber IM Compliance
Option
Legal compliance of internal and external communications are vital in regulated industries like the finance sector. When management and the compliance team asks for a Jabber IM compliance solution, the rarely mean ’we need to store chats somewhere’.
They require a complete solution that supports the legal compliance team and ensures that the Compliance Officer in the company can reasonably demonstrate to any regulator. That safeguards, audits, privacy controls and effective search and analysis capabilities are in place, and therefore regulatory requests can be answered timely.
When you need Jabber IM compliance, you have essentially two options to achieve that. Both are Cisco supported standard design:
Database based – sending IM transactions into a database.
Compliance Server based – using a third-party Compliance Server that connects to the Cisco IM and Presence Server.


Database
Using the database solution is useful and when it is done, you are one step closer to IM compliance: you can point to a database that stores all your IM messages. However, that is how far you got. There a couple of more bases to cover inmost organizations. Some highlights of the database solution:
  • Requires an external database( cisco provides help for setting up PostgreSQL on a Linux server in Database Setup Guide for Cisco Unified Presence)
  • You configure one or more external database per Cisco cluster(see Configuring an External Database on Cisco Unified Presence chapter in the above database setup guide)
When you connect Presence Server to database it will create the correct database schema automatically. Accessing the database requires direct access to database. There are web-based solution to access database, however those are providing low level access and is not really suitable for your compliance team.

Install SQL 2014 Express

Restart


Create databases



External database in Presence server



Compliance settings



Group Chat and Persistent Chat Settings

Activate Cisco XCP Message Archiver

Cisco XCP Message Archiver – Started



Add snippet to jabber-config.xml

  <Persistent_Chat_Enabled>true</Persistent_Chat_Enabled>
  <pChatShare>true</pChatShare>
  <pChatMeeting>true</pChatMeeting>

Monday, 18 September 2017

Cisco Meeting Server – Integrating Core and Edge CMA and WebRTC

Cisco Meeting Server – Integrating Core and Edge CMA and WebRTC

How’s call flow going to work in a diagram

In this Lab, services work in Core server:
  • XMPP
  • Call Bridge
  • Webadmin
In the Edge, there is no license required:
  • Loadbalancer
  • TURN
  • Web Bridge
  • SIP Edge


Certificates

CMS-Edge


CMS-Core

Enable Loadbalancer on CMS-Edge

edge1.voicelab.ca> loadbalancer create Edge1toLB
edge1.voicelab.ca> loadbalancer auth Edge1toLB voicelab.key voicelab.cer voicelab.cer
edge1.voicelab.ca> loadbalancer trunk Edge1toLB a:4999
edge1.voicelab.ca> loadbalancer public Edge1toLB a:5222 lo:5222
edge1.voicelab.ca> loadbalancer enable Edge1toLB
edge1.voicelab.ca>  loadbalancer list
*** Edge1toLB
Trunk interface         : a:4999
Public interface        : a:5222
Public interface        : lo:5222
Enabled                 : true
TLS private key         : voicelab.key
TLS public cert         : voicelab.cer
TLS trusted certs       : voicelab.cer


Enable TURN on CMS-Edge

edge1.voicelab.ca> turn credentials turnuser PASSWORD voicelab.ca
edge1.voicelab.ca> turn list a
edge1.voicelab.ca> turn public-ip PUBLIC_IP
edge1.voicelab.ca> turn enable
edge1.voicelab.ca> turn
Enabled       : true
Username      : turnuser
Password      : YOUR_TURN_PASSWORD
Realm         : voicelab.ca
Public IP     : PUBLIC_IP
Relay address : 10.38.0.41
Listen interface a


If the credential is incorrect, the debug message will show on the Core Server
call 1353: ICE failure 4 (unauthorized - check credentials)

Enable Webbridge on CMS-Edge

edge1.voicelab.ca> webbridge certs voicelab.key voicelab.cer voicelab_root.cer
edge1.voicelab.ca> webbridge trust voicelab.cer
edge1.voicelab.ca> webbridge listen a
edge1.voicelab.ca> webbridge http-redirect enable
edge1.voicelab.ca> webbridge
Enabled                 : true
Interface whitelist     : a:443
Key file                : voicelab.key
Certificate file        : voicelab.cer
CA Bundle file          : voicelab_root.cer
Trust bundle            : voicelab.cer
HTTP redirect           : Enabled
Clickonce URL           : none
MSI download URL        : none
DMG download URL        : none
iOS download URL        : none


Enable SIPEdge on CMS-Edge

edge1.voicelab.ca> sipedge public a:5061
edge1.voicelab.ca> sipedge public-ip EDGE_PUBLIC_IP
edge1.voicelab.ca> sipedge private a:3061
edge1.voicelab.ca> sipedge certs voicelab.key voicelab.cer
edge1.voicelab.ca> sipedge
Enabled                 : true
Public interface        : a:5061 (NAT address XXX.XXX.XXX)
Private interfaces      : a:3061
Certificate             : voicelab.cer
Key                     : voicelab.key
Trusted certificates    : voicelab_root.cer

Enable Trunk on CMS-Core

callbridge1.voicelab.ca> trunk create trunktoEdge1 xmpp
callbridge1.voicelab.ca> trunk auth trunktoEdge1 voicelab.key voicelab.cer voicelab.cer
callbridge1.voicelab.ca> trunk edge trunktoEdge1 edge1.voicelab.ca 4999
callbridge1.voicelab.ca> trunk enable trunktoEdge1
callbridge1.voicelab.ca> trunk list
*** trunktoEdge1
Enabled                 : true
Edge name               : edge1.voicelab.ca
Edge port               : 4999
Local port              : 5222
TLS private key         : voicelab.key
TLS public cert         : voicelab.cer
TLS trusted certs       : voicelab.cer
callbridge1.voicelab.ca> trunk debug trunktoEdge1
Trying to connect to trunk local service, port 5222
Success
Resolved name edge1.voicelab.ca to the following:
10.38.0.41:4999
Trying to connect to 10.38.0.41:4999
Connection created [10.38.0.41:4999 -> 10.41.40.116:60116]
Diagnostics request written to edge
Reading diagnostics
{
   "0": {
       "core": {
           "connection": "[::ffff:10.41.40.116:60112 -> ::ffff:10.38.0.41:4999]"
       }
   },
   "process": {
       "memory": {
           "size": "11875",
           "resident": "1817",
           "share": "1581",
           "text": "196",
           "lib": "0",
           "data": "345",
           "dt": "0"
       }
   }
}

Enable XMPP on CMS-Core

callbridge1.voicelab.ca> xmpp
Enabled                 : true
Clustered               : false
Domain                  : voicelab.ca
Listening interfaces    : a
Key file                : voicelab.key
Certificate file        : voicelab.cer
CA Bundle file          : voicelab_root.cer
Max sessions per user   : unlimited
STATUS                  : XMPP server running


Public DNS

Loadbalancer A record:
XMPP to loadbalancer
Webbridge


Thursday, 14 September 2017

Cisco Meeting Server 2.2.7 - Single Combined Server - WebRTC & CMA over Expressway or Independet

Cisco Meeting Server 2.2.7 Single Combined Server and WebRTC over Expressway
This development is done in single domain environment.

Certificates in CUCM & IMP

Certificate in CMS

callbridge1.voicelab.ca> pki csr voicelab CN:*.voicelab.ca subjectAltName:*.voicelab.ca,voicelab.ca
sign it with ClientServer template
Upload root cert and signed cert


How to create CA Bundle

You have root ca and intermediate ca certs


Create you bundle like this format:
copy intermediateCA2 + intermediateCA1 + ROOTCA.cer yourname-bundle.cer


Activate CMS components



Webadmin
callbridge1.voicelab.ca> webadmin certs voicelab.key voicelab.cer voicelab_root.cer
callbridge1.voicelab.ca> webadmin enable
SUCCESS: TLS interface and port configured
SUCCESS: Key and certificate pair match
SUCCESS: certificate verified against CA bundle


callbridge1.voicelab.ca> webadmin
Enabled                 : true
TLS listening interface : a
TLS listening port      : 445


CallBridge
callbridge1.voicelab.ca> callbridge certs voicelab.key voicelab.cer voicelab_root.cer
callbridge1.voicelab.ca> callbridge restart
SUCCESS: listen interface configured
SUCCESS: Key and certificate pair match
SUCCESS: certificate verified against CA bundle


callbridge1.voicelab.ca> callbridge
Listening interfaces  : a
Preferred interface   : none
Key file              : voicelab.key
Certificate file      : voicelab.cer
Address               : none
CA Bundle file        : voicelab_root.cer


Webbridge
callbridge1.voicelab.ca> webbridge certs voicelab.key voicelab.cer voicelab_root.cer
callbridge1.voicelab.ca> webbridge trust voicelab.cer
callbridge1.voicelab.ca> webbridge enable
SUCCESS: Key and certificate pair match
SUCCESS: certificate verified against CA bundle
SUCCESS: Webbridge enabled
callbridge1.voicelab.ca> webbridge

Enabled                 : false
Interface whitelist     : a:443
Key file                : voicelab.key
Certificate file        : voicelab.cer
CA Bundle file          : voicelab_root.cer
Trust bundle            : voicelab.cer     <--- callbridge's certificate, otherwise there is no guest login
HTTP redirect           : Enabled
Clickonce URL           : none
MSI download URL        : none
DMG download URL        : none

iOS download URL        : none

Xmpp
callbridge1.voicelab.ca> xmpp certs voicelab.key voicelab.cer voicelab_root.cer
callbridge1.voicelab.ca> xmpp domain voicelab.ca
callbridge1.voicelab.ca> xmpp callbridge add ca_voicelab
callbridge1.voicelab.ca> xmpp callbridge list
***
Callbridge : ca_voicelab
Domain     : voicelab.ca
Secret     : 7Ldig3t9WnEo0m3LAb1


Connect to XMPP





Active Directory

Filter out users that only have a number in pager field:


(&(objectCategory=Person)(sAMAccountName=*)(ipPhone=*)(mail=*)(pager=*))


CMS SIP Trunk

Route group, List, Pattern

88 is a dialed prefix


Creating spaces

WebCRT through Expressway



Public A record join.voicelab.ca to Expressway
Expressway CSRs on both C and E have to be signed with ClientServer template

Change port number on E



MRA Zone



Enable Meeting Server Web proxy

Enable TURN on Expressway-E

Add WebBridge FQDN onto E certificate SAN



Sign with ClientServer template and upload

Add E as TURN Server for media NAT traversal onto CMS

Add TURN Client user account




Create XMPP SRV in the public DNS



Enable TURN on Single combined without Expressway



callbridge1.voicelab.ca> turn certs voicelab.key voicelab.cer voicelab_root.cer
callbridge1.voicelab.ca> turn a lo
callbridge1.voicelab.ca> turn tls 447
callbridge1.voicelab.ca> turn credentials turnuser YOURPASSWORD voicelab.ca
callbridge1.voicelab.ca> turn public-ip PUBLIC_IP
callbridge1.voicelab.ca> turn
Enabled       : true
Username      : turnuser
Password      : YOURPASSWORD
Realm         : voicelab.ca
Public IP     : PUBLIC_IP
Relay address :  PRIVATE_IP
TLS port      : 447
TLS cert      : voicelab.cer
TLS key       : voicelab.key
TLS bundle    : voicelab_root.cer
Listen interface a
Listen interface lo