
CMS CLARIFICATION

Siva chinap
Level 5

In our existing system we have MCU, TCS 5.5, VCS-C and C20 & SX20 endpoints. Now we want to replace MCU with CMS. Since it's my first deployment I need a few clarifications on this:

1) I need to create a zone between CUCM and CMS, is that right?

2) Create a Rendezvous escalation between VCS and CMS?

3) I need to know how the recording is happening in the TCS server in the existing setup?

4) In the new setup do I need to configure anything for CMS on recording?

5) I am planning to use the default certificate?

6) The customer doesn't have AD, will it be an issue?

7) How to configure the Meeting App with a local user when configuring CMS?


Siva chinap
Level 5

[@paradkar.prasad]  

  1. You need to create a zone on the VCS for the CMS.

Create the zone with the following:

 H.323 Mode = Off.

 SIP Mode = On

SIP Port = 5060 (5061 if using TLS)

SIP Transport = TCP or TLS, as appropriate

 SIP Accept Proxied Registrations = Allow

Authentication Policy = Treat as authenticated

SIP Authentication Trust Mode = Off

Peer 1 Address = the IP address of the Call Bridge

  2. Create a VCS search rule.

  3. Make sure you have a coSpace created on the CMS.

  4. Add a dial-plan rule on the Meeting Server.

=============================================================

TCS recording will be a vast part to explain here. Please go through the below link.

http://www.cisco.com/c/en/us/td/docs/telepresence/tcs/5_0/administration/guide/tcs_5_0/recording_aliases.html

=============================================================

CMS Recording 

It will require a separate licence. It is recommended to have a separate VM for recording with minimum specs of 4 vCPU and 4GB, which supports 8 simultaneous recordings.

To get the licences you will require the number of simultaneous recordings and the MAC address of interface A for the Call Bridge (core).

==============================================================

To use the Cisco Meeting App you will require an AD or LDAP server. If the customer doesn't have one you need to deploy one.

Thanks Prasad,

Can't we create users locally for logging in to the CMS App, without AD?

All of the Cisco Meeting Apps (Windows, OS X, iOS, and WebRTC) use the XMPP Server on the Cisco Meeting Server for login. When you perform an AD sync to populate users, user names and the domain you chose on the import filter are imported and saved locally. Then when a user logs in, the Meeting Server queries AD for password verification; it does not store these AD passwords. 

===================================================

Siva, as per my understanding it's mandatory.

Thanks Prasad,

I am trying to create a Rendezvous conference escalation. The steps which I followed:

1) Created a neighbour zone in VCS.

2) Created a search rule in VCS with the target zone as CMS.

Clarification needed on the CMS side:

In CMS, what configuration is required?

To run a secure call between VCS (Expressway C or VCS C) and CMS you will require the certificates below.

TURN Server

Web Bridge

Call Bridge

 

Note: No cert required from VCS side.

SIP endpoint dial-in to the CMS through VCS

  •      Go to VCS and configure a zone: Zone > New (CMS_Zone)
  •      Create the zone with the following details

H323 mode – OFF

SIP Mode – ON

SIP Port – 5060 (5061 for TLS)

SIP transport – TCP or TLS as appropriate

SIP accept Proxied registrations – Allow

Authenticate policy – Treat as Authenticated

SIP authentication Trust Mode – OFF

Peer 1 address – The IP address of a call bridge

  •      VCS Search Rule configuration

Route a VC endpoint call through a prefix 88 or any other number

For the Rendezvous conference you can use a fixed number, like 88001.

  1.      VCS Configuration > Dial Plan > Search rules
  2.      Give a name to the search rule like VC calls to the CMS
  3.      Set the following

Source = Any

Request Must Be Authenticated = No

Mode = Alias pattern match

Pattern Type = Regex

Pattern String = .*@meetingserver.example.com (this domain can be as per your org.)

Pattern Behavior = Leave

On Successful Match = Stop

Target = the zone you created for the Meeting Server. (CMS_Zone)

  •      Create a space on the meeting server:
  1.      Go to the web Admin interface
  2.      Go to Configuration > Space
  3.      Add space with name Rendezvous conference 1
  4.      URI 88001
  •      Adding a Dial-plan rule on the meeting server

Go to Configuration > Outbound calls and add a dial-plan rule with the details below:

Domain = VC.example.com

SIP proxy to use – this will be the IP or FQDN of VCS

Local Contact domain – this will be blank in our case

Local Domain name – meetingserver.example.com (same as the one mentioned in the VCS)

Trunk type – Standard SIP

  •      Adding an incoming dial rule

Configured an incoming dial rule to match our space 88001

Domain name – 88001@meetingserver.example.com

Priority – 10 (highest priority for

 Target Space – yes

 Targets user – yes

 Targets IVR – yes

 Targets Lync – No

  •      Now you can reach the Rendezvous conference by dialling 88001@meetingserver.example.com
  •      On the CMS Web Admin interface go to the Configuration > Call settings page and allow encryption to be Required for all media going out.
  •      So now the CMS will send encrypted media towards VCS for SIP calls and VCS will forward the same.

Thanks Prasad,

It worked for me. I successfully tested Rendezvous calls from all the endpoints. But I have a few more questions:

I didn't enable the TURN server and Web Bridge. When is it required?

How to enable the Meeting App, and what configuration is required?

Will I be able to use the default certificate for the TURN server and Web Bridge?

Hi Shiva,

If you have a split infra you will require a TURN server.

The TURN server provides firewall traversal technology, allowing the Meeting Server to be deployed behind a Firewall or NAT. To connect to the deployment from external Cisco Meeting Apps or SIP endpoints you need to enable the TURN server; refer to the section on Deploying the TURN Servers. If you are using Cisco Meeting Apps you also need to configure the Web Admin interface to allow the Call Bridge and external clients to access the TURN server. Using the TURN server does not require an activation key.

First do let me know which type of deployment you are looking for: single server or split?

Dear Prasad,

Thanks for your wonderful explanation.

Currently we have a single server. We are doing an on-premises deployment; we have a VCS server and a CMS 1000. We require the meeting app only internally, so I need to know which services are to be turned on. When I try to enable Call Bridge and Web Bridge it gives an error: the listening interface is invalid?

Note: My rendezvous is working fine ,as per your instruction.

If you are using CMA (the app) you need to enable the XMPP server on the bridge. The XMPP licence comes with the software; it does not require any separate key for activation. The XMPP server handles the signalling to and from Cisco Meeting Apps, including WebRTC. The media will come in through the TURN server (for external app users only); for internal users it can terminate directly on the Call Bridge. In your case you are using it for internal purposes only, so the Call Bridge is enough; there is no need for a TURN server.

Steps to activate XMPP:

Port requirement:

Internal clients connect directly to the XMPP server on port 5222 and media connects directly between the Cisco Meeting App and the Call Bridge.

Steps:

  1.        Create a DNS A and SRV record for the meeting server:
  •     Create DNS A record for the fully qualified domain name (FQDN) of the server that will be used to host the XMPP Server and set it to the IP address of the interface that the XMPP server is listening on.
  •     Create DNS SRV record for _xmpp-server._tcp for port 5269 resolving to the DNS A record created in step above.
  •      Create DNS SRV record for _xmpp-client._tcp for port 5222 resolving to the DNS A record created in step above.
  •      Test the above by running the following commands from a PC. They should return the correct IP addresses for these domains:

nslookup -querytype=srv _xmpp-server._tcp.example.com

nslookup -querytype=srv _xmpp-client._tcp.example.com

2. CSR for the XMPP server:

CMA looks for SubjectAltName and CN field to determine the XMPP domain. To avoid the client certificate error, ensure that the CSR for the XMPP server specifies: the DNS record for the XMPP server in the CN field or the SubjectAltName field, the XMPP server domain name in SubjectAltName field.

For example, if the XMPP domain is configured as example.com and DNS is xmpp.example.com, the CN should be xmpp.example.com and within the SAN list you must add xmpp.example.com and example.com. Note: pki csr will automatically append the CN to the SAN list if a SAN list exists.

pki csr xmppserver CN:xmpp.example.com O:"Example Inc." subjectAltName:example.com

or using the wildcard:

pki csr xmppserver CN:*.example.com O:"Example Inc." subjectAltName:example.com

generates two files: xmppserver.key and xmppserver.csr, for the XMPP server in domain example.com. Submit the .csr file to an internal CA for signing (as you don't have any outsider CMA users you can use an internal CA signed certificate).

 

  3.       Go to the CLI of CMA and, to configure the XMPP server to use one or more interfaces, enter the following command: xmpp listen

The following is an example where the interface is set to interface A and B.

xmpp listen a b

  4.       Assign the certificate and private key files that were uploaded earlier, using the command: xmpp certs <keyfile> <certificatefile> [<certbundle>]

where keyfile and certificatefile are the filenames of the matching private key and certificate. If your CA provides a certificate bundle then also include the bundle as a separate file to the certificate (not applicable for you). See the Certificate Guidelines for further information.

  5.       Configure the XMPP server with the following command:

xmpp domain <domain name>

The following is an example where the domain name is example.com.

xmpp domain example.com

  6.       Enable the XMPP service: xmpp enable
  7.       To allow a Call Bridge to access the XMPP server securely (after configuration), provide a component name for the Call Bridge to use to authenticate, e.g. cb_london:

xmpp callbridge add <component name>

xmpp callbridge add cb_london

A secret is generated; for example, you see:

cms> xmpp callbridge add cb_london
Added callbridge: Secret: aB45d98asdf9gabgAb1

  8.       Make a note of the domain, component and secret generated in the previous steps because they are required when you use the Web Admin interface to configure the Call Bridge access to the XMPP server (so that the Call Bridge will present the authentication details to the XMPP server).
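The CN/SAN naming rule from the CSR step above, as an added example (not part of the original post and not Cisco code): a Python check run over the text that `openssl x509 -noout -text` prints for the signed XMPP certificate. The certificate excerpts are constructed, and the single-label wildcard matching is an assumption based on standard TLS hostname rules, not documented CMA behaviour.

```python
import re

# Constructed excerpts of `openssl x509 -noout -text` output (not from a real server).
GOOD = """
        Subject: O = Example Inc., CN = xmpp.example.com
            X509v3 Subject Alternative Name:
                DNS:xmpp.example.com, DNS:example.com
"""
WILDCARD_ONLY = """
        Subject: O = Example Inc., CN = *.example.com
"""

def parse_names(text):
    """Return (CN, [SAN DNS names]) from openssl text output."""
    m = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", text)
    cn = m.group(1).strip().lower() if m else None
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    entries = m.group(1).split(",") if m else []
    sans = [e.strip()[4:].lower() for e in entries if e.strip().startswith("DNS:")]
    return cn, sans

def covers(pattern, host):
    """Exact match, or a wildcard standing in for exactly one left-most label."""
    if pattern == host.lower():
        return True
    if pattern.startswith("*."):
        label, _, rest = host.lower().partition(".")
        return bool(label) and rest == pattern[2:]
    return False

def check_xmpp_cert(text, xmpp_domain, xmpp_fqdn):
    """Apply the naming rule from the post; return a list of problems (empty = OK)."""
    cn, sans = parse_names(text)
    problems = []
    # The server's DNS name may be carried by either the CN or a SAN entry.
    if not any(covers(n, xmpp_fqdn) for n in ([cn] if cn else []) + sans):
        problems.append(f"{xmpp_fqdn} is in neither CN nor SAN")
    # The XMPP domain itself must be listed in the SAN.
    if not any(covers(n, xmpp_domain) for n in sans):
        problems.append(f"XMPP domain {xmpp_domain} is missing from SAN")
    return problems

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("wildcard only", WILDCARD_ONLY)):
        print(label, check_xmpp_cert(text, "example.com", "xmpp.example.com") or "OK")
```

The wildcard-only sample fails because `*.example.com` does not cover the bare domain `example.com`, which is why the wildcard form of the `pki csr` command above still carries `subjectAltName:example.com`.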

Thanks a lot, Prasad [+5]

I don't have a Microsoft certificate server. Will the default certificate work out?

I am not sure what you mean by default certificate. How did you get the Call Bridge cert?

Dear Prasad,

With the default certificate, is it possible to log in to the meeting app?

Hi Shiva,

If you are using the app internally in your organization and no one is going to log in from the public internet, then an internal signed certificate can be used.

Internal CA signed certificates can be generated by a local or organizational Certificate Authority, such as an Active Directory server with the Active Directory Certificate Services Role installed.

If you mean you have an internal signed certificate (which you are calling the default certificate) then that is enough for running the service on the Access side.

Regards,

Prasad Paradkar