cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9923
Views
5
Helpful
20
Replies

CSCuq99941 - CUCM web interface does not work with internet explorer 11.

mdavidcarroll
Level 1
Level 1

Add web page to compatibility view in IE 11. This has worked for me when I've had the same issue, version 9.1(2) of CUCM.

20 Replies 20

Hi!

The following 2 alternatives worked for us on Win 10 clients, unfortunately we can't yet tell how many web sites won't work from now on:

a) Disable only TLS1.0 under Advanced, have TLS 1.2, TLS 1.1, SSL 3.0 enabled.

b) Modify the Registry

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000

Then IE can have all TLS and SSL Versions turned on (I believe SSL 2.0 is not turned on in Win 10 anyway).

Solution b is also necessary if you work e.g. with PhoneRemote from VOIP Connection

Hi!

We found that the above Method b) causes issues with AnyConnect, at least in our current setup of the ASA. Method a) also causes the SSL VPN WebUI to not be displayed.

So we're afraid right now the only solution is to make temporary settings while using IE and CUCM 9.1 (in our case) console. Or temporarily use b) if we want to e.g. use PhoneRemote.

Sorry, it looked a bit more promising yesterday.

This solution works. Thanks a lot.

I ran into this issue a few months ago with my organization. I know this post is a few months old, but figured I would add on. The issue is with Windows Update KB3172605, the depreciation of SHA1 certificates. This blocked IE from accessing any CUCM, CU, or UCCX sites. I initially thought this was because the tomcat cert that the systems used were self-signed certs. We had other systems that were SHA1 but still worked, but also were using our wildcard corporate cert. I retrieved an internal Microsoft CA cert and uploaded it but was still unsuccessful. I opened a TAC case but they stated that they don't support the versions we were running (8.0.3) and the only option was to upgrade to at least version 10.0 since it is the earliest release that supports SHA2. Our versions doesn't support SHA2 at all or wildcard certs. That isn't an option for us. So I have found two ways to get around it besides just removing that update. 

a) Get websites to work in Chrome. The site would allow us to access it, but the drop down menu's didn't work. So using a GPO you can force install the Chrome Add-In "IE Tabs". This allows the drop down menus to function

b) Change the GPO for the SSL Cipher Suite Order. I found another Cisco Support page of others having the same issue. Their proposed resolution was to change this specific Windows GPO. I have tested this option and was able to get it to work. The only issue I ran into is my org uses Direct Access for remote users and the provided order broke DA. So after a little modification I was able to restore the DA issue, and still have the sites accessible. 

http://www.cisco.com/c/en/us/support/docs/customer-collaboration/unified-contact-center-express-1061/200556-UCCX-10-6-Pages-Does-not-Load-in-IE11-Af.html  

I hope this helps others. I am still looking/hoping for a more permanent solution to this issue. As of January 1st, 2017 none of the major browsers will support SHA1 so I fear these work-arounds will no longer be effective. 

Thanks,

Matt

ali nasser
Level 1
Level 1

Guys, i am having the same issue, i tried the workaround it works for me, but as group policy this is not acceptable and they need to disable the SSLv3, they need to use only TLS, is there anything we can do from the call manager side (CUCM version 8.0.3).

Please advice.

Ali

russell.sage
Level 3
Level 3

The problem appears to be CUCM Tomcat cipher key lengths are 128bit - Modern browsers are set to automatically reject this and 256 and 512 as the have been proven to be crackable.

 

see this link for details and fix in Firefox

http://eltonoverip.com/blog/2015/07/firefox-39-0-ssl-error-weak-ephemeral-diffie-hellman-key/

I am using Firefox version 53 and CUCM8.6