VCSE Jabber presence not working

jarrod sousa
Level 1

Hello,

I am having some issues with presence passing through the VCSE for a Jabber client registered to a subzone OTHER than the default subzone of the VCSE. In addition, the environment is using AD for client authentication, so the VCSE has the default zone, default subzone, and traversal zone set to "Do not check credentials" for the auth policy. When the client registers to the default subzone, presence works correctly. When I create a subzone to isolate a specific group of Jabber clients, the clients register using their AD credentials (verified that a wrong password causes failures), but I get a 403 policy error on the presence updates. I need to create this subzone so I can use a search rule that matches the subzone as the source and then replaces the target alias with a non-routable one, so this specific group of clients can only receive calls. I tried using the local CPL list to do this, but again, because the VCSE is not performing any authentication, the CPL rules don't apply. Could it be that this is a bug in X7.2?

Accepted Solution

Adam Wamsley
Cisco Employee

Hey Jarrod,

You can do this by implementing the following:

The below information should help you to get Jabber to authenticate properly on the expressway even though you are pushing to the control. Jabber needs to properly authenticate for presence to work. After this is implemented your search rule should work as desired along with presence and authentication.

In a secure design, the VCS (Control and Expressway) would require credentials for registration. Here is a design that is not described in the admin guides, but has been used quite successfully.

The VCS Control would have Active Directory Service enabled and joined to the Active Directory Domain. For the VCS to authenticate Movi/Jabber credentials against Active Directory before the SUBSCRIBE for provisioning is sent to the provisioning service, the Default Zone would be set for Check Credentials. For the SUBSCRIBE requests coming from the Expressway, the Traversal Zone on the VCS Control would also be set for Check Credentials. This will handle the authentication for provisioning.

The next part is the registration of the Movi/Jabber client. The subzone that the client will register to also needs to be set for Check Credentials. This is all you need for internal registrations (registration at the VCS Control).

For the Expressway, things get a little more complicated. For the provisioning subscription, the SUBSCRIBE is forwarded to the VCS Control. With the Traversal Zone on the VCS Control set for Check Credentials, you are all set.

Now on to the registration to the Expressway. The subzone that the client will register to will need to be set for Check Credentials. Since the VCS Expressway does not have direct access to Active Directory, we need to utilize local credentials on the Expressway. A set of credentials will need to be configured in VCS Configuration > Authentication > Devices > Local Database. You will create a single name and password that all Movi/Jabber clients will use. The end user does NOT need to know of these credentials. The username and password are supplied to the Movi/Jabber client through the provisioning data that it has received.

To configure that data, on the TMS, you need to configure a SIP Authentication Username and SIP Authentication Password in the provisioning configuration. For these options to be available, you need to make sure that you have uploaded the XML configuration template for the version of Movi/Jabber that you are using. The XML file is included with the full zip package of the client that can be downloaded from www.cisco.com. So that will take care of the Expressway registration.

Now this creates an interesting situation with the VCS Control. The internal Movi/Jabber client will receive the same provisioning configuration, and will attempt to use those same credentials when registering to the VCS Control. The VCS Control is already set to authenticate the registration request against Active Directory, and ONLY Active Directory.

You will need to create an Active Directory account that matches those credentials. The Active Directory account does not need any special access. It is used for authentication purposes only. A few things to keep in mind: the SIP Authentication Username and SIP Authentication Password are stored in the provisioning configuration in clear text. That means that the data is sent in clear text. To be sure that this data is not compromised on the wire, be sure that you are using TLS for your Movi/Jabber SIP communication.

Thanks, Adam
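
The design in the answer above, expressed as a consistency check. This is an added example, not part of the original post and not Cisco code: the dictionary layout, field names, account names and both sample deployments are constructed for illustration and are not VCS configuration keys or API output. The subzone check accepts either authenticating policy, as noted in the first reply further down.

```python
# Constructed model of the design in the accepted answer. Field names and
# sample values are illustrative; they are not VCS configuration keys.
AUTHENTICATING = {"Check credentials", "Treat as authenticated"}

def audit(d):
    """Return findings for a modelled VCS Control / Expressway pair."""
    findings = []
    ctl, exp = d["control"], d["expressway"]
    # Provisioning SUBSCRIBEs are authenticated on the Control: in the Default
    # Zone for internal clients, in the Traversal Zone when relayed.
    for zone in ("default_zone", "traversal_zone"):
        if ctl[zone] != "Check credentials":
            findings.append(f"control {zone}: provisioning not authenticated")
    # A registration subzone that does not authenticate breaks presence.
    for box, cfg in (("control", ctl), ("expressway", exp)):
        for name, policy in cfg["subzones"].items():
            if policy not in AUTHENTICATING:
                findings.append(f"{box} subzone {name}: presence unauthenticated")
    # The one provisioned SIP identity must exist in both credential stores.
    user = d["provisioned_sip_username"]
    if user not in exp["local_database"]:
        findings.append("expressway local database lacks provisioned user")
    if user not in ctl["ad_accounts"]:
        findings.append("Active Directory lacks matching account")
    # The provisioned credentials are clear text, so SIP must run over TLS.
    if d["sip_transport"] != "TLS":
        findings.append("SIP transport is not TLS")
    return findings

# Constructed sample: the layout the answer recommends.
AFTER = {
    "control": {"default_zone": "Check credentials",
                "traversal_zone": "Check credentials",
                "subzones": {"internal-jabber": "Check credentials"},
                "ad_accounts": {"alice", "jabber-shared"}},
    "expressway": {"subzones": {"receive-only": "Check credentials"},
                   "local_database": {"jabber-shared"}},
    "provisioned_sip_username": "jabber-shared", "sip_transport": "TLS"}
# Constructed sample: nothing authenticated, credentials not yet created.
BEFORE = {
    "control": {"default_zone": "Do not check credentials",
                "traversal_zone": "Do not check credentials",
                "subzones": {"internal-jabber": "Check credentials"},
                "ad_accounts": {"alice"}},
    "expressway": {"subzones": {"receive-only": "Do not check credentials"},
                   "local_database": set()},
    "provisioned_sip_username": "jabber-shared", "sip_transport": "TCP"}

if __name__ == "__main__":
    for label, d in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(d) or "no findings")
```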


6 Replies

Alok Jaiswal
Cisco Employee

Hi Jarrod,

For presence to work properly, the subzone where Movi/Jabber clients register has to be set as "treat as authenticated" or "check credentials".

Since you are creating a specific subzone for the Movi/Jabber clients, please ensure you keep that subzone set to either one of the above.

Also, since you are playing with search rules, I would recommend you check the search rules properly and see that the search rule it is matching is not removing the domain from the URI.

I think here your search rule could be blocking the presence information from passing correctly.

Rgds,

Alok

Thanks Adam! This worked out perfectly.

Hi Adam, I thought of this solution myself already, but there is one problem. The Jabber iPad template (1.0 / 1.0.2.0) does not have the following fields:

SIP Authentication Username

SIP Authentication Password

Even though they are mentioned in the iPad Jabber release notes:

https://www.cisco.com/en/US/docs/voice_ip_comm/jabber/iPad/9_1/RN/JABP_BK_J0B0DA17_00_jabber-for-ipad-rn-9-1-1.pdf

This is why we cannot enable this feature for the iPad version.

br. Tom

Hey Tom,

Thanks for pointing this out, I see the same thing. I'll open a defect on this and get them to sort it out.

Thanks, Adam

Hey Tom,

There is one out there to get this resolved. For your reference CSCub08827.

Adam
