
Jabber Secure Connect

Martin2m2
Level 1

Hi All,

I have been through loads of presentations and documents, but can't seem to find a definitive answer to my Jabber Secure Connect questions.

Customer of mine has plans to roll out Cisco Jabber for iPhone, Jabber for Android and Jabber for Windows (currently uses IPC since they do not have Presence).

He has CUCM 8.6 (with UCL) on two UCS-C servers and an ASA5510. No Presence server at the moment.

If the user does not require FULL application access on his iPhone or Android phone, but Jabber access only:

Q1: Is it correct that NO Cisco AnyConnect Secure Mobility client is necessary on the phone?

Q2: Is there a minimum version of Jabber for iPhone and Android to have the Secure Connect functionality included?

Q3: On the ASA you need the AnyConnect Mobile ASA5510 license. But do you need AnyConnect Essential or Premium licenses with the Secure Connect?

Q4: When you are not using the AnyConnect Secure Mobility client is it therefore a clientless SSL connection and is Premium required?

For the Jabber for Windows:

Q5: Does the Secure Connect functionality exist in the Jabber for Windows, if so in what version?

I could imagine that a full application access with the AnyConnect Secure Mobility client for a laptop is more logical.

Q6: If so, do you still require the AnyConnect Mobile ASA5510 license? Since it enables mobile OS platform compatibility and a Windows laptop is hardly a Mobile OS.

Q7: Is the AnyConnect Essential sufficient in combination with the AnyConnect Secure Mobility client or when are the Premium licenses needed in this case?

Thanks for any help,

Martin

Message was edited on April 19, 2013:  Lisa Marcyes from the Cisco Collaboration Community Team added community category and tags for greater ease in filtering (no change to content).

- I say what I mean and I do what I say -
20 Replies

mbrugge
Level 1

Hello Martin,

Looks like I have the pleasure of working another one of your cases! I picked up your case and for the most part what you're assuming is correct. I think the one thing you're missing is the Mobility licenses (Mobile-k9).

For your questions I have some answers but I want to make sure I do the research to make sure I cover all the details you're asking about. As always I'll get you answers as soon as I can, but not sure if I'll get them to you by today. Just want to give you the heads up.

Regards,

CSE Marco Hirschmann

On Aug 31, 2012, at 16:38, "mkoek" <community@cisco.com> wrote:

Cisco Communities <https://communities.cisco.com/index.jspa>

Jabber Secure Connect

created by mkoek <https://communities.cisco.com/people/mkoek> in Unified Communications - View the full discussion <https://communities.cisco.com/message/101676#101676>

mbrugge
Level 1

Hello Martin,

The AnyConnect Mobile and AnyConnect Premium/Essential licences are the licences required on the ASA.

More information in regards to these licences can be found here:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/overview_c78-527488.html

Regards,

Marco


Nice work Marco.

I ran into this a while back, and I was very pleased to find that Essentials is all that's needed for Jabber Mobile clients. But beware, if you already have Premium (what's used for SSL-VPN Phones), you can't mix the two on the same ASA, so you would be stuck buying more Premium (MUCH MORE expensive).

Also Cisco says Jabber Mobile requires a min. of 8.4.1 on the ASA so the more recent the better.

Have HA ASA pair?

AnyConnect Essentials, AnyConnect Mobile (and look at the Botnet Filtering as well) are all shareable licenses. Buy one for the primary and the HA pair is covered since version 8.3, provided you follow the rules (same subnet).

Thank you sdistef for your reply.

So do I have it correctly that (see my Q1): No Cisco AnyConnect Secure Mobility client is necessary on the phone, but only the Jabber client?

And that (see my Q3): On the ASA you need the AnyConnect Mobile ASA5510 license and AnyConnect Essential.

Can you help me with my other questions?

Q2: Is there a minimum version of Jabber for iPhone and Android to have the Secure Connect functionality included?

Q4: When you are not using the AnyConnect Secure Mobility client is it therefore a clientless SSL connection and is Premium required?

For the Jabber for Windows:

Q5: Does the Secure Connect functionality exist in the Jabber for Windows, if so in what version?

I could imagine that a full application access with the AnyConnect Secure Mobility client for a laptop is more logical.

Q6: If so, do you still require the AnyConnect Mobile ASA5510 license? Since it enables mobile OS platform compatibility and a Windows laptop is hardly a Mobile OS.

Q7: Is the AnyConnect Essential sufficient in combination with the AnyConnect Secure Mobility client or when are the Premium licenses needed in this case?

- I say what I mean and I do what I say -

Hello Marco,

The webpage you posted about the ASA licenses is one of the many pages I went through before I made this post. It doesn't address my practical questions about when do you use which one, but only what can it do and leaves the interpretation to the reader.

With all the material I went through, nothing has seemed to cover the missing link between the UC Jabber clients and what ASA licenses or secure client are needed.

I am stuck with many questions and can't offer the customer any solution so far.

Q2: Is there a minimum version of Jabber for iPhone and Android to have the Secure Connect functionality included?

Q4: When you are not using the AnyConnect Secure Mobility client is it therefore a clientless SSL connection and is Premium required?

For the Jabber for Windows:

Q5: Does the Secure Connect functionality exist in the Jabber for Windows, if so in what version?

I could imagine that a full application access with the AnyConnect Secure Mobility client for a laptop is more logical.

Q6: If so, do you still require the AnyConnect Mobile ASA5510 license? Since it enables mobile OS platform compatibility and a Windows laptop is hardly a Mobile OS.

Q7: Is the AnyConnect Essential sufficient in combination with the AnyConnect Secure Mobility client or when are the Premium licenses needed in this case?

- I say what I mean and I do what I say -

Q5. No. Secure Connect is not included with Jabber for Windows and the current solution is to use the AnyConnect client in conjunction with Jabber for Windows.

I'm hoping others will chime in with appropriate answers to the additional questions.

Hello friends.

Happy Labor Day.

Jabber for Windows simply rides the secure connection from the PC to the headend. The PC is not a Mobile device, but the reality is that the corporate network is secure and the PC will have to make a secure connection to access anything on it, including Cisco UC. So Jabber leverages this and you wouldn't be buying anything 'additional' for Jabber or the ASA at the headend. You can use:

  • Use Cisco VPN Client (for Windows) to establish an IPSEC VPN tunnel.
  • Use Cisco AnyConnect Secure Mobile Client (for Windows) to establish SSL-VPN connectivity.

Jabber for iPhone will require its own tunnel for the Phone, UM, and Directory integration to operate.

(Jabber IM client does not require VPN if you are in hybrid mode (IM/P via WebEx).)

After you license the user via UCL or CUWL, you need to address the ASA licensing.  First Essentials.  The size of the chassis determines the number you can cover with the single license (i.e. up to 750 supported on the 5520 for $250):

ASA_Essentials.png

Then you will need the ASA Mobile License. This will interoperate with Essentials or Premium. Same theme as above. In my response above I didn't discuss this because I was replying to Marco's response of E and P. But one license is all you need here per chassis:

ASA_Mobile.png

I made a point earlier that I would avoid Premium if you can, because it's much, much more expensive. But if you have it already on the ASA, then you have no choice but to buy more, since you cannot mix E and P on the same ASA. Or buy a new smaller ASA for Jabber Mobile?

You don't need Premium for Jabber Mobile. Here is a table showing the difference and what you can do with P that you can't get in E. But this is more of a security discussion, and I am just saying Jabber Mobile only needs E. I am not a security expert.

ASA_CompareP_E.png

Hope this helps a little more. Click images to make them larger.

Hello Marco,

Can you give an example configuration for the ASA (for a Jabber client connection)?

Thanks

Edgar

skilambi
VIP Alumni

Martin,

This deck walks you through the basics of ASA licensing so you at least know where each level fits. Premium is needed for Phone VPN on the UC side among other features that are mentioned in the link. For Jabber, VXI essentials does the job coupled with mobile when you have iPhone/Droid as an example.

https://communities.cisco.com/docs/DOC-20044

I agree a comprehensive deck on ASA UC licensing is much needed, something I have stressed many times to the various BUs. In fact, bundle it with PRO to further drive the value of Cisco AnyConnect with UC.

Jabber for Android 8.6 was the last client that bundled AnyConnect in it. Check the release notes for Android and iPhone for minimum ASA requirements and certificate requirements.

Srini

http://www.cisco.com/web/products/voice/docs/jabber_anyconnect_sales.pptx

This is quite a nice deck, don't know if it has all of your answers but it gives an overview of the process and ordering.

Richard

Thanks for sharing, it is a nice deck. This is surprising that a deck like this that has MSFT competitive stuff (or at least some references to it) is accessible without me even trying to log in. I tried it in multiple browsers and it didn't force me to authenticate. Also remember this entire thread is not on the partner side but on the public side of the community, open to customers and partners. I know it's confusing, but a trick is when you look up and see "Cisco Communities - Technology - Collaboration and so on": if there is no partner word in it, then you are on the public side and anyone can just pull this thread up without logging in. Maybe we should move it to the partner side for security purposes or have some authentication just for your PPT link. My 2 cents.

Srini

It's located in the partner central Cisco.com so surprised the link would work with credentials. 

It sure did ☺

Thanks

Srini

jsteinberg
Level 5

I'm confused on the Secure Connect questions as well. The Jabber for Android 8.6 had the Secure Connect, but the 9.0 version removed the feature.

I've heard that Jabber for iPad will have Secure Connect, but it is a long way away.

Is Cisco still moving towards a Secure Connect model or is the Android 8.6 to 9.0 a sign that the Secure Connect concept is being phased out?

I believe Secure Connect for Windows Jabber was slated for 9.1, so I guess we will see the answer shortly.