
External Presence Jabber Video

I have looked all over the boards and I did not find an answer for my issue.  I have a VCS Expressway sitting in the DMZ and a Control sitting internally along with TMS.  Jabber Video is authenticating using AD through the Control whether the client is external or internal.  All of this is working as expected.  My issue comes with external presence status.  I have several clients and vendors listed in my favorites, but under the above scenario I do not receive their presence status.  My zones are as follows:

VCSE
     Default Zone
          Do not Check Credentials
     Default Sub Zone
          Allow Registration
          Do not Check Credentials

VCSC
     Default Zone
          Do not Check Credentials
     Default Sub Zone
          Allow Registration
          Do not Check Credentials

I realize that I can change the zones on the VCSE to Treat as Authenticated, but my issue with doing that is that devices that are not provisioned can openly register and that is a security issue.  Is there a method for authenticating Jabber Clients (or any client for that matter) using AD and still allowing external SIP updates for presence services?


awinter2
Level 7

Justin,

when you add the URI of an external party to your Movi favorites list, for instance 'someone@cisco.com', that means that your Movi client sends a presence SUBSCRIBE request to the VCS Movi is registered to. If your search rules are configured accordingly, this SUBSCRIBE should be routed to your VCS Expressway.

If your Expressway has been configured with a DNS zone and appropriate search rule which match the request-URI of the SUBSCRIBE, in this case 'someone@cisco.com', the VCS Expressway will initiate SIP DNS SRV lookups for the 'cisco.com' domain (_sips._tcp and _sip._tcp as well as a NAPTR lookup for cisco.com).

If these DNS SRV records have been created for the cisco.com domain, your VCS Expressway will proxy this SUBSCRIBE towards the cisco.com Expressway. Once the SUBSCRIBE reaches the cisco.com Expressway, you are relying upon the fact that the cisco.com video environment has been configured to allow this SUBSCRIBE request to reach the cisco.com presence server which may or may not have been configured on one of the cisco.com VCS's.

In other words, this type of presence should work fine across individual organizations assuming that all the required configurations have been made on both sides.

The first step in troubleshooting this from your end would be to start a diagnostics log on your Expressway and then sign in your Movi client (Which should already have 'someone@cisco.com' or the equivalent in the favorites list).

You should then first check if the SUBSCRIBE request from your Movi reaches your own Expressway, and if it does, where it is being sent and most importantly, what the response to this SUBSCRIBE is. The expected response should be '200 OK' which means that the SUBSCRIBE has been received and accepted by the cisco.com presence server.

Following the '200 OK' response, you should be receiving a NOTIFY request containing the current presence status of the 'someone@cisco.com' URI.

Since in your case you are seemingly not receiving this NOTIFY, you should grab the diagnostics log and try to get an idea of where in this process things are failing.

If you're not able to get to the bottom of things yourself, I suggest raising a TAC case for further troubleshooting.

Regards

Andreas
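The check described in the reply above (find each SUBSCRIBE, its final response, and whether a NOTIFY followed), as an added example that is not part of the original thread or any Cisco tooling. The sample messages, Call-IDs and function names are constructed for illustration, and the input is plain SIP text, not the VCS diagnostic log format.

```python
import re

# Constructed sample: raw SIP messages separated by blank lines (not the VCS log format).
SAMPLE = """\
SUBSCRIBE sip:someone@cisco.com SIP/2.0
Call-ID: aaa111@vcse.example.com
CSeq: 1 SUBSCRIBE

SIP/2.0 200 OK
Call-ID: aaa111@vcse.example.com
CSeq: 1 SUBSCRIBE

NOTIFY sip:user@example.com SIP/2.0
Call-ID: aaa111@vcse.example.com

SUBSCRIBE sip:vendor@example.net SIP/2.0
Call-ID: bbb222@vcse.example.com
CSeq: 1 SUBSCRIBE

SIP/2.0 404 Not Found
Call-ID: bbb222@vcse.example.com
CSeq: 1 SUBSCRIBE
"""

def trace_subscriptions(text):
    """Group messages by Call-ID; record the final SUBSCRIBE response and any NOTIFY."""
    dialogs = {}
    for msg in re.split(r"\n\s*\n", text.strip()):
        lines = msg.splitlines()
        start = lines[0].split()
        hdr = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
        cid = hdr.get("call-id")
        method = (hdr.get("cseq") or "0 UNKNOWN").split()[-1]
        if start[0] == "SUBSCRIBE":
            dialogs.setdefault(cid, {"target": start[1], "status": None, "notified": False})
        elif start[0] == "SIP/2.0" and method == "SUBSCRIBE" and cid in dialogs:
            if int(start[1]) >= 200:  # skip provisional 1xx responses
                dialogs[cid]["status"] = int(start[1])
        elif start[0] == "NOTIFY" and cid in dialogs:
            dialogs[cid]["notified"] = True
    return dialogs

def diagnose(d):  # name the step of the SUBSCRIBE / 200 OK / NOTIFY flow that failed
    if d["status"] is None or d["status"] >= 300:
        return f"SUBSCRIBE not accepted (final response: {d['status']})"
    if not d["notified"]:
        return "SUBSCRIBE accepted, no NOTIFY seen"
    return "ok"
```

Because the last final response wins, a SUBSCRIBE that is first challenged and then accepted on retry within the same Call-ID is reported as accepted.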

Andreas,

I understand what you are saying and that in order for me to see presence information on others I am subscribing to them.  I do not believe I explained the issue very well.  I am looking for the solution to allowing unauthenticated Presence request messages through the VCSE while still requiring Jabber or whatever client to authenticate.  While your scenario works for me subscribing to the far end, I am still not able to allow my customers or vendors that have added me to their favorites to see my presence status.  The issue is the reverse of what you described.  The presence Subscribe message comes from the third party to my VCSE, but because I am not allowing unauthenticated messages to pass they cannot see my status.  I am just curious as to how others are doing it.  The deployment guide is ambiguous at best on this issue.

Thank you,

Justin Barksdale

Justin,

I don't see why your VCS-E or VCS-C would be challenging your customers' SUBSCRIBE requests as they arrive, since the VCS's will only challenge requests where the originating domain is a SIP domain which exists on your VCS's.

What behaviour exactly do you see as the SUBSCRIBE from the remote party arrives at your VCS-E? If it does not get proxied to your VCS-C, what response does your VCS-E send back to the remote party?

Do your search rule(s) from VCS-E towards VCS-C only match authenticated requests? Or is there another reason why the incoming SUBSCRIBE is not proxied through to your VCS-C?

I assume that your presence server is located on your VCS-C?

- Andreas

heathrw
Level 4

May not be relevant, but my Jabber clients were getting a presence update fail and I found on the forums that I had to set the zone as treat as authenticated, and that fixed my issue. This was happening internally but might be of assistance. That would also be relevant to the external party you are trying to get status from also.
