S4B 2015 certificate when connecting to CMS part 2

If, when attempting to establish a call from S4B to CMS, the call fails and all you can find in the logs is;

INFO : SIP trace: connection xxx: read failure, code 104
INFO : SIP trace: connection xxx: shutting down...

…it is due to the CN of the certificate on CMS not matching the CsTrustedApplicationPool Identity. Update that on the S4B-side (remove and re-create) or replace the CMS certificate CN.

S4B 2015 certificate when connecting to CMS

Microsoft documentation points to using the Webserver (default) certificate template for the frontend pool. This WILL NOT WORK when configuring a trusted SIP-trunk to CMS.

This is poorly documented by both Microsoft and Cisco, but the trick is to use a template that contains Client Authentication in addition to Server Authentication as Extended Key Usage (Application Policy in Microsoft CA).

The lack of Client Authentication in the certificate will show in the CMS log as handshake error 336105606.

UCCX Finesse IE Compatibility

Just noticed after an upgrade from UCCX 10.6 to 11.6 that IE11-settings can become troublesome.

Login and call-handling actually worked as expected, but it was impossible to load CUIC-based gadgets.

The resolution:

• Document mode must be set to Edge.
• Compatibility mode must be set to Off.
• If Enterprise Mode is running, the URL(s) should be set to apply Desktop profile.
• Also, if running Chrome instead, remember that recent versions require the CN to be included as a SAN as well in the certificate to avoid warnings.

Modify INVITE (to CMS Space / CMS Space naming)

I have spent serious time considering how I want to address my spaces within CMS. I’m personally not to happy with the idea to utilize prefix/suffix on the userpart, such as cmr-username, username.vmr – whatever name you want to use, or where you place it. My preferred logic there would be to have the CMS-spaces within a specific subdomain, so – to call a user directly you would dial username@domain.tld and to dial the space of the user you would dial username@meet.domain.tld.

Attempting to apply this logic does however introduce a few issues.

If the username should be used to provision the space – guess what, it will not synchronize that user. That causes a conflict with the adressing of the actual user if you were using the MeetingApp. Reachibility for the MeetingApp is way beyond the scope of this post, we are using devices and/or Jabber and will just use the spaces within CMS.

So, to manage this, I do need to provision the space using a prefix (or suffix), such as cmr-username and rewrite the invite on the way. Where should I do that? It would be very easily done in the VCS, a bit more tricky on the CUCM side – but still doable.

I will not argue that this script is perfect at the moment, but it is a start and can surely be developed further down the road. I’ve also argued heavily with myself if the To-header also should be updated, but it seems to work just fine with only updating the INVITE, so I’m happy with that for now.

The script;

M = {}

local cmrDomain = "meet.domain.tld" 

function M.outbound_INVITE(msg)
  local method, ruri, ver = msg:getRequestLine()
  if string.find(ruri, cmrDomain) then
    startTo_str = string.find(ruri, "sip:")
    endTo_str = string.find(ruri, "@", startTo_str+1)
    toUserPart_str = string.sub(ruri, startTo_str+4, endTo_str-1)
    if not string.sub(toUserPart_str, 0,3):match("cmr-") then
      changedToUserPart_str = "cmr-" .. toUserPart_str
      changedRuri_str = string.gsub(ruri, toUserPart_str, changedToUserPart_str)
      msg:setRequestUri(changedRuri_str)
    end
  end
end

return M

Worth mentioning about the script is the parameter for cmrDomain, without a check to make sure we are only applying this script for the actual domain we’re planning to use here – it would for sure break CUCM integration with regards to AdHoc conferences. (CUCM will create a temporary space, using id@fqdn – we don’t want to interfere there). Also, if you use another naming-convention then cmr-…., pay attention to line 11/12 and modify the code accordingly. There is also a check if cmr- is already present, if so we do not want to add it again.

Also, keep in mind – if you create dedicated spaces, configure them within CMS with the prefix of cmr-, or apply logic to exclude them from the script as well. 🙂

Unable to add host to Nexus1K/DVS?

I ran into the issue when trying to add a new host to a Nexus1K that the host selection screen was just empty. This was fairly well documented by VMware in KB2039046, even though the SQL syntax was not really.. ..perfect?! :).

For ESXi 6.x, run the following SQL query against your VC DB (replacing dvSwitch below);

DECLARE @dvs_name varchar(32);
DECLARE @dvs_id int;
SET @dvs_name = 'dvSwitch';
SET @dvs_id = (SELECT ID FROM VPX_ENTITY WHERE NAME = @dvs_name);
INSERT INTO VPX_DVS_COMPATIBLE VALUES
(@dvs_id,'esx','6.0+'),
(@dvs_id,'embeddedEsx','6.0+');

Restart the vCenter service, and voilà!

Modify Diversion history

I ran into a challenge with a customer after upgrade from CUCM 8.6 to 11.0 and Mitel CMG from 7.5 to 8.2.

They have a flow where a caller calls a CTI-Port which during opening hours has a CFUR to a hunt-pilot. The hunt-pilot has a CFNA/CFB to the CMG IVR.

The diversion history becomes quite interesting here;

Diversion: <sip:huntpilotno@10.x.y.z>;reason=no-answer;privacy=off;screen=yes,<sip:ctiportno@10.x.y.z>;reason=out-of-service;privacy=off;screen=yes

The issue that arises is that we will look at the first redirecting number (ctiportno), which – technically speaking, actually has a very correct reason (out-of-service). So, to be able to determine the cause for this forward after hitting the hunt-pilot, we would have to look at the last redirecting information – but, that is another number, and we will run into issues matching that to the subscriber in CMG.

In order to use the last redirecting cause, but still rely on the first redirecting number, I applied a LUA-script to the trunk.

M = {}
 
function M.outbound_INVITE(msg)
    local diversion= msg:getHeader("Diversion")
    if string.find(diversion, "reason=") then
      startDivCause_str = string.find(diversion, "reason=")
      endDivCause_str = string.find(diversion, ";", startDivCause_str+1)
      divCause_str = string.sub(diversion, startDivCause_str, endDivCause_str)
      changedDivCause_str = string.gsub(diversion, "reason=out%-of%-service;", divCause_str)
      msg:modifyHeader("Diversion", changedDivCause_str)
    end
end

return M

This script will look if there is a reason within the Diversion and if so, search for the first occurrence (last redirecting pty) and then make a search and replace for reason=out-of-service with whatever the first reason is.

The diversion header in a call which does not get answered by the hunt will now look like this when hitting the CMG;

Diversion: <sip:huntpilotno@10.x.y.z>;reason=no-answer;privacy=off;screen=yes,<sip:ctiportno@10.x.y.z>;reason=no-answer;privacy=off;screen=yes

Some helpful resources;

• https://repl.it/languages/lua
• https://supportforums.cisco.com/video/12151771/guide-sip-normalization-cucm-and-lua-scripting

FCAL for BR-825

Note to self: To enable FCAL for BR825 from an ESXi-host, download (from QLogic), transfer to ESXi-host and install the BCU ESX CLI-plugin;

esxcli software vib install --no-sig-check --maintenance-mode -d /path/to/bcu_esxXX_X.X.X.X.zip

Run the following commands;

/opt/brocade/bin/bcu port --topology 1/0 loop
/opt/brocade/bin/bcu port --topology 1/1 loop
/opt/brocade/bin/bcu port --disable 1/0
/opt/brocade/bin/bcu port --disable 1/1
/opt/brocade/bin/bcu port --enable 1/0
/opt/brocade/bin/bcu port --enable 1/1

To update firmware, run the following command;

/opt/brocade/bin/bcu boot --update /path/to/brocade_adapter_boot_fw_vX-X-X-X.tar.gz -a

 

Collaboration SSO

After configuring SSO in our internal Collaboration-environment, a few things to remember;

Cross-check time-sync (!!!). It costed me quite some time in troubleshooting when expecting that the AD was synchronized. Don’t do that. Seriously.

Be careful with the Claim Rules. The documentation may be misleading in terms of the namequalifier, probably due to versioning differences between ADFS 2 and 3.

Claim Rules should consist of the following;
1.) Send LDAP Attributes as Claims, store Active Directory and map SAM-Account-Name to uid.
2.) Send Claims Using a Custom Rule, paste the following;

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "Note1*", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "Note2*");

Note1) EntityID of the ADFS (pull from entityID in FederationMetaData.xml, i.e. http://fqdn/adfs/services/trust for ADFS 3.0)
Note2) EntityID of the Collaboration-host (pull from entityID in SPMetadata_fqdn.xml, i.e. fqdn)
…also, be careful with linebreaks when copying the custom rule, it should just be one line.

If needed to debug, the option to modify log-level for SAML is missing in CCMService. Use CLI-command to change level;

admin:set samltrace level DEBUG

Thanks to CSCul45929 for pointing this out.

Next step will be to convince our Netscaler to become an ADFS-proxy and deploy this to the Expressway as well. 🙂

  

NeTS failure on call from Jabber Softphone

NeTS version 5.8.2.9 will not accept calls from Jabber in softphone-mode. Failure from NeTS is a bit cryptic;

|SIP           |SipNclaHandler::ExtractCallInfo          |D0828412 |<-- EXITING METHOD THROUGH NICEEXCEPTION:NICEEXCEPTION: 0XFFFFE052 INVALID SIP ADDRESS, SIPADDRESS=  ||SipNclaHandler.cpp|388
|SIP           |.x1_D0828412-csmState::UpdateContextFrom |         |<-- EXITING METHOD THROUGH NICEEXCEPTION:NICEEXCEPTION: 0XFFFFE052 INVALID SIP ADDRESS, SIPADDRESS=  ||SIPCallCtrlSM.cpp|947
|SIP           |csmsuper::HandleEvent                    |         |CAUGHT EXCEPTION HANDLING SIPREQUEST. NICEEXCEPTION: 0XFFFFE052 INVALID SIP ADDRESS, SIPADDRESS= ||SIPCallCtrlSM.cpp|585
|SIP           |TrProcessSipProviderMessage              |         |_COM_ERROR: _COM_ERROR: HRESULT: 0X80004003(INVALID POINTER  ), INVALID POINTER,  ||TrProcessSipProviderMessage.cpp|85

When comparing the SIP INVITE from a Jabber softphone and a 9951, the following difference was encountered in the header;

Contact: <sip:7009@10.x.y.z:5060;transport=tcp>;video;audio;+u.sip!devicename.ccm.cisco.com="CSFMLUNDBOM";bfcp

The INVITE from the 9951 had only;

Contact: <sip:7009@10.x.y.z:5060;transport=tcp>;video;audio

Most likely, the +-sign is not interpreted correctly. The easy workaround here is to utilize the SIP-normalization rules and clean up the Contact-header (I can’t see any cases where this information would be relevant for NeTS).

Within CCMAdmin, go to Device, Device Settings and SIP Normalization Script. Click Add New. Give it a name, description and enter the following in Content;

M = {}
 
function M.outbound_INVITE(msg)
    local contact = msg:getHeader("Contact")
    local uri = string.match(contact, "(<.+>)")
    msg:modifyHeader("Contact", uri)
end

return M

Apply the script to your SIP-trunk heading to NeTS;

..and reset the trunk.

The result here is that regardless what extra flags is present in your Contact-header, only the content included within <> is sent over the trunk.

With this workaround, NeTS accepted the Jabber calls without issues.

Managed File Transfer in IM&P

From getting MFT to work in IM&P and Jabber, I’ve discovered that it is really important to configure everything in the right order.

DO have the database completely configured before attempting to perform the configuration within cupadmin (See my previous blog-post for notes on Oracle-configuration).

Prepare the file-server (I’m using the same Linux-host that I have for receiving backups, hosting ISOs for upgrade, etc).

Make sure that RSAAuthentication and PubkeyAuthentication is enabled in /etc/ssh/sshd_config. Prepare a user / directory as follows;

[root@HOSTNAME mlundbom]# useradd -m chatfile
[root@HOSTNAME mlundbom]# passwd chatfile
Changing password for user chatfile.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@HOSTNAME mlundbom]# mkdir -p /home/mftFileStore/
[root@HOSTNAME mlundbom]# chown chatfile:chatfile /home/mftFileStore/
[root@HOSTNAME mlundbom]# chmod 700 /home/mftFileStore/
[root@HOSTNAME mlundbom]# su chatfile
[chatfile@HOSTNAME mlundbom]$ mkdir ~/.ssh/
[chatfile@HOSTNAME mlundbom]$ touch ~/.ssh/authorized_keys
[chatfile@HOSTNAME mlundbom]$ chmod 700 ~chatfile
[chatfile@HOSTNAME mlundbom]$ chmod 700 ~/.ssh
[chatfile@HOSTNAME mlundbom]$ chmod 700 ~/.ssh/authorized_keys
[chatfile@HOSTNAME mlundbom]$ mkdir /home/mftFileStore/IMPHOSTNAME
[chatfile@HOSTNAME mlundbom]$ exit
[root@HOSTNAME mlundbom]# ssh-keyscan -t rsa hostname.domain.tld
# hostname.domain.tld SSH-2.0-OpenSSH_6.6.1
hostname.domain.tld ssh-rsa RSA-KEY

Copy the output from the last italic line and head to cupadmin, Messaging, External Server Setup and External File Servers. Click Add New, give the record a name, enter the host/fqdn (be careful here that the format matches the RSA-key) and paste the output from ssh-keyscan;

After saving, continue to Messaging, External Server Setup and External Databases. Click Add New, and be careful to enter the correct information here – the Database name must match with the configured service name on the database server;

Once this has been saved, head to Messaging and select File Transfer. Select Managed File Transfer, select your servers and save.

Click the link for Public Key and copy the contents of the text-box within the popup. Do NOT continue with any other steps regarding IM&P right now, but head back to your fileserver. Edit ~/.ssh/authorized_keys for the configured user (using whatever editor, I’ve heard that there are others then vi, but I refuse to believe it 🙂 ), paste the contents from your clipboard, save the file and go back to cupadmin.

Within cupadmin, by now you should’ve received a notification stating that the XCP Router requires a restart. Proceed with that restart (handy link from within the notification) and when XCP Router is up again, go ahead and try to activate/start Cisco XCP File Transfer Manager.

Pay attention to the service status for Cisco XCP File Transfer Manager, it might attempt a few starts and then end up in “not running”. I poked around a bit with the associations, and everytime you update the server assignment, a new public key gets generated. From the CLI, use

file view activelog epas/trace/xcp/log/AFTStartup.log

to find potential issues. If that log ends up with;

AFT - Passwordless SSH has not been set up correctly. Exiting

…then you have the wrong public key in ~/.ssh/authorized_keys.

If the service starts (and stays running) as expected, head back to cupadmin, Messaging, External Server Setup and External Databases (and External File Servers) and select your file transfer database/server, if everything looks good – you should see the following;

Once everything is green, go ahead and restart your Jabber clients. Try to send a file, and you should see the following in your conversation;

What I really, really like here is that file transfers can be performed with clients that are connecting via MRA.