Cisco Jabber 10.6 Planning Guide

First Published: 2015-01-27

Last Modified: 2015-11-30

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2017 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1: Cisco Jabber Overview
    Purpose of this Guide
    About Cisco Jabber
    Cisco Jabber Planning Checklist

CHAPTER 2: Deployment Scenarios
    On-Premises Deployment
    On-Premises Deployment with Cisco Unified Communications Manager IM and Presence Service
    On-Premises Deployment with Cisco Unified Presence
    On-Premises Deployment in Phone Mode
    Cloud-Based Deployments
    Cloud-Based Deployment
    Hybrid Cloud-Based Deployment
    Deployment with Single Sign-On
    Single Sign-On Requirements
    Single Sign-On and Remote Access
    Enable SAML SSO in the Client
    Deployment in a Virtual Environment
    Virtual Environment and Roaming Profiles

CHAPTER 3: Requirements
    On-Premises Servers for Cisco Jabber for Windows and Cisco Jabber for Mac
    On-Premises and Cloud Servers for Cisco Jabber for Android and iOS
    On-Premises Servers for Cisco Jabber for iPhone and iPad
    Hardware Requirements for Desktop Clients
    Operating Systems for Cisco Jabber for Windows
    Operating Systems for Cisco Jabber for Mac
    CTI Supported Devices
    Hardware Requirements for Cisco Jabber for Android
    Hardware Requirements for Cisco Jabber for iPhone and iPad
    Network Requirements
    Ports and Protocols for Desktop Clients
    Ports and Protocols for Cisco Jabber for Android, iPhone, and iPad
    Supported Codecs for Cisco Jabber for Windows and Cisco Jabber for Mac
    Supported Codecs for Cisco Jabber for Android, iPhone, and iPad
    Virtual Environment Requirements

CHAPTER 4: Contact Source
    On-Premises Contact Source Options
    IM Address Scheme
    Directory Servers
    Contact Photo Formats and Dimensions
    Contact Photo Formats
    Contact Photo Dimensions
    Contact Photo Adjustments

CHAPTER 5: Certificates
    Certificate Validation
    Required Certificates for On-Premises Servers
    Certificate Signing Request Formats and Requirements
    Revocation Servers
    Server Identity in Certificates
    Certificate Requirements for Cloud-Based Servers

CHAPTER 6: Service Discovery
    About Service Discovery
    How the Client Locates Services
    Cisco UDS SRV Record
    CUP Login SRV Record
    Collaboration Edge SRV Record

CHAPTER 7: Security
    Federal Information Processing Standards
    Compliance and Policy Control for File Transfer and Screen Capture
    Instant Message Encryption
    On-Premises Encryption
    Cloud-Based Encryption
    Client-to-Client Encryption
    Encryption Icons
    Lock Icon for Client to Server Encryption
    Padlock Icon for Client to Client Encryption
    Local Chat History

CHAPTER 8: Planning Considerations
    DNS Configuration
    How the Client Uses DNS
    How the Client Finds a Name Server
    How the Client Gets a Services Domain
    How the Client Discovers Available Services
    Client Issues an HTTP Query
    Client Queries the Name Server
    Client Connects to Internal Services
    Client Connects through Expressway for Mobile and Remote Access
    Domain Name System Designs
    Separate Domain Design
    Deploy SRV Records in a Separate Domain Structure
    Use an Internal Zone for a Services Domain
    Same Domain Design
    Single Domain, Split-Brain
    Single Domain, Not Split-Brain
    How the Client Connects to Services
    Recommended Connection Methods
    Sources of Authentication
    High Availability
    High Availability for Instant Messaging and Presence
    Client Behavior During a Failover
    High Availability for Voice and Video
    Computer Telephony Integration

CHAPTER 1

Cisco Jabber Overview

• Purpose of this Guide

• About Cisco Jabber

• Cisco Jabber Planning Checklist

Purpose of this Guide

The Cisco Jabber Planning Guide includes the following information to assist you in planning the deployment and installation of Cisco Jabber.

• A product overview describing the features available in the product for this release

• Planning considerations for service discovery, encryption, and contact sources (Enhanced Directory Integration [EDI] and Basic Directory Integration [BDI]).

• Information about how you are going to deploy the client, whether it's an on-premises or cloud deployment.

• Requirements for hardware, software, network, and certificates.

To deploy and install Cisco Jabber, use the Cisco Jabber Deployment and Installation Guide.

About Cisco Jabber

Cisco Jabber is a suite of Unified Communications applications that allow seamless interaction with your contacts from anywhere. Cisco Jabber offers IM, presence, audio and video calling, voicemail, and conferencing.

The applications in the Cisco Jabber family of products are:

• Cisco Jabber for Android

• Cisco Jabber for iPhone and iPad

• Cisco Jabber for Mac

• Cisco Jabber for Windows

For more information about the Cisco Jabber suite of products, see http://www.cisco.com/go/jabber.

Cisco Jabber Planning Checklist

Use this checklist to plan your Cisco Jabber Deployment.

Task | See | Completed?

Determine how you plan to deploy Cisco Jabber. | Deployment Scenarios |

Confirm that your servers, hardware, and network comply with the requirements. | Requirements |

Determine how you plan to configure your contact source. | Contact Source |

Confirm that you have the required certificates based on the deployment option you select. | Certificates |

Review Service Discovery to determine if you plan to configure service discovery and to determine which service discovery records you require. | Service Discovery |

Review the security information | Security |

Review remaining planning considerations. | Planning Considerations |

CHAPTER 2

Deployment Scenarios

• On-Premises Deployment

• Cloud-Based Deployments

• Deployment with Single Sign-On

• Deployment in a Virtual Environment

On-Premises Deployment

An on-premises deployment is one in which you set up, manage, and maintain all services on your corporate network.

You can deploy Cisco Jabber in the following modes:

• Full UC—To deploy full UC mode, enable instant messaging and presence capabilities, provision voicemail and conferencing capabilities, and provision users with devices for audio and video.

• IM-Only—To deploy IM-only mode, enable instant messaging and presence capabilities. Do not provision users with devices.

• Phone Mode—In Phone mode, the user's primary authentication is to Cisco Unified Communications Manager. To deploy phone mode, provision users with devices for audio and video capabilities. You can also provision users with additional services such as voicemail.

The default product mode is one in which the user's primary authentication is to an IM and presence server.

On-Premises Deployment with Cisco Unified Communications Manager IM and Presence Service

The following services are available in an on-premises deployment with Cisco Unified Communications Manager IM and Presence Service:

• Presence—Publish availability and subscribe to other users' availability through Cisco Unified Communications Manager IM and Presence Service.

• IM—Send and receive IMs through Cisco Unified Communications Manager IM and Presence Service.

• File Transfers—Send and receive files and screenshots through Cisco Unified Communications Manager IM and Presence Service.

• Audio Calls—Place audio calls through desk phone devices or computers through Cisco Unified Communications Manager.

• Video—Place video calls through Cisco Unified Communications Manager.

• Voicemail—Send and receive voice messages through Cisco Unity Connection.

• Conferencing—Integrate with one of the following:

◦ Cisco WebEx Meeting Center—Provides hosted meeting capabilities.

◦ Cisco WebEx Meeting Server—Provides on-premises meeting capabilities.

The following figure shows the architecture of an on-premises deployment with Cisco Unified Communications Manager IM and Presence Service.

Figure 1: On-Premises Deployment with Cisco Unified Communications Manager IM and Presence Service

On-Premises Deployment with Cisco Unified Presence

The following services are available in an on-premises deployment with Cisco Unified Presence:

• Presence—Publish availability and subscribe to other users' availability through Cisco Unified Presence.

• IM—Send and receive IMs through Cisco Unified Presence.

• Audio Calls—Place audio calls through desk phone devices or computers through Cisco Unified Communications Manager.

• Video—Place video calls through Cisco Unified Communications Manager.

• Voicemail—Send and receive voice messages through Cisco Unity Connection.

• Conferencing—Integrate with one of the following:

◦ Cisco WebEx Meeting Center—Provides hosted meeting capabilities.

◦ Cisco WebEx Meeting Server—Provides on-premises meeting capabilities.

Note: Cisco Jabber does not support conferencing for mobile clients in phone mode.

The following figure shows the architecture of an on-premises deployment with Cisco Unified Presence.

Figure 2: On-Premises Deployment with Cisco Unified Presence

On-Premises Deployment in Phone Mode

The following services are available in a phone mode deployment:

• Contact—This is applicable for mobile clients only. Cisco Jabber updates the contact information from the phone's contact address book.

• Audio Calls—Place audio calls through desk phone devices or on computers through Cisco Unified Communications Manager.

• Video—Place video calls through Cisco Unified Communications Manager.

• Voicemail—Send and receive voice messages through Cisco Unity Connection.

• Conferencing—Integrate with one of the following:

◦ Cisco WebEx Meeting Center—Provides hosted meeting capabilities.

◦ Cisco WebEx Meeting Server—Provides on-premises meeting capabilities.

Note: Cisco Jabber for Android and Cisco Jabber for iPhone and iPad do not support conferencing in phone mode.

The following figure shows the architecture of an on-premises deployment in phone mode.

Figure 3: On-Premises Deployment in Phone Mode

Cloud-Based Deployments

A cloud-based deployment is one in which Cisco WebEx hosts services. You manage and monitor your cloud-based deployment with the Cisco WebEx Administration Tool.

Cloud-Based Deployment

The following services are available in a cloud-based deployment:

• Contact Source—The Cisco WebEx Messenger service provides contact resolution.

• Presence—The Cisco WebEx Messenger service lets users publish their availability and subscribe to other users' availability.

• Instant Messaging—The Cisco WebEx Messenger service lets users send and receive instant messages.

• Conferencing—Cisco WebEx Meeting Center provides hosted meeting capabilities.

The following figure shows the architecture of a cloud-based deployment.

Figure 4: Cloud-Based Deployment

Hybrid Cloud-Based Deployment

The following services are available in a hybrid cloud-based deployment:

• Contact Source—The Cisco WebEx Messenger service provides contact resolution.

• Presence—The Cisco WebEx Messenger service allows users to publish their availability and subscribe to other users' availability.

• Instant Messaging—The Cisco WebEx Messenger service allows users to send and receive instant messages.

• Audio—Place audio calls through desk phone devices or computers through Cisco Unified Communications Manager.

• Video—Place video calls through Cisco Unified Communications Manager.

• Conferencing—Cisco WebEx Meeting Center provides hosted meeting capabilities.

• Voicemail—Send and receive voice messages through Cisco Unity Connection.

The following figure shows the architecture of a hybrid cloud-based deployment.

Figure 5: Hybrid Cloud-Based Deployment

Deployment with Single Sign-On

You can enable your services with Security Assertion Markup Language (SAML) single sign-on (SSO).

SAML SSO can be used in on-premises, cloud, or hybrid deployments.

The following steps describe the sign-in flow for SAML SSO after your users start their Cisco Jabber client:

1. The user starts the Cisco Jabber client. If you configure your Identity Provider (IdP) to prompt your users to sign in using a web form, the form is displayed within the client.

2. The Cisco Jabber client sends an authorization request to the service that it is connecting to, such as Cisco WebEx Messenger service, Cisco Unified Communications Manager, or Cisco Unity Connection.

3. The service redirects the client to request authentication from the IdP.

4. The IdP requests credentials. Credentials can be supplied in one of the following methods:

   • Form-based authentication that contains username and password fields.

   • Kerberos for Integrated Windows Authentication (IWA) (Windows only)

   • Smart card authentication (Windows only)

   • Basic HTTP authentication method in which the client offers the username and password when making an HTTP request.

5. The IdP provides a cookie to the browser or other authentication method. The IdP authenticates the identity using SAML, which allows the service to provide the client with a token.

6. The client uses the token for authentication to log in to the service.

Authentication Methods

The authentication mechanism impacts how a user signs on. For example, if you use Kerberos, the client does not prompt users for credentials, because your users already provided authentication to gain access to the desktop.

User Sessions

Users sign in for a session, which gives them a predefined period to use Cisco Jabber services. To control how long sessions last, you configure cookie and token timeout parameters.

Configure the IdP timeout parameters with an appropriate amount of time to ensure that users are not prompted to log in, for example when Jabber users switch to an external Wi-Fi network, are roaming, or their laptops hibernate or go to sleep due to user inactivity. Users do not have to log in after resuming the connection, provided the IdP session is still active.

When a session has expired and Jabber is not able to silently renew it, because user input is required, the user is prompted to reauthenticate. This can occur when the authorization cookie is no longer valid.

If Kerberos or a Smart card is used, no action is needed to reauthenticate, unless a PIN is required for the Smart card; there is no risk of interruption to services, such as voicemail, incoming calls, or instant messaging.

Single Sign-On Requirements

SAML 2.0

You must use SAML 2.0 to enable single sign-on (SSO) for Cisco Jabber clients using Cisco Unified Communications Manager services. SAML 2.0 is not compatible with SAML 1.1. You must select an IdP that uses the SAML 2.0 standard. The supported identity providers have been tested to be compliant with SAML 2.0 and can be used to implement SSO.

Supported Identity Providers

The IdP must be Security Assertion Markup Language (SAML) compliant. The clients support the following identity providers:

• Ping Federate 6.10.0.4

• Microsoft Active Directory Federation Services (ADFS) 2.0

• Open Access Manager (OpenAM) 10.1

Note: Ensure that you configure Globally Persistent cookies for use with OpenAM.

When you configure the IdP, the configured settings impact how you sign into the client. Some parameters, such as the type of cookie (persistent or session), or the authentication mechanism (Kerberos or Web form), determine how often you have to be authenticated.

Cookies

To enable cookie sharing with the browser, you must use persistent cookies and not session cookies. Persistent cookies prompt the user to enter credentials one time in the client or in any other desktop application that uses Internet Explorer. Session cookies require that users enter their credentials every time the client is launched.

You configure persistent cookies as a setting on the IdP. If you are using Open Access Manager as your IdP, you must configure Globally Persistent cookies (and not Realm Specific Persistent Cookies).
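Whether an IdP is issuing persistent or session cookies can be verified from the Set-Cookie headers it returns at sign-in. The following is an added example, not code from Cisco or any IdP vendor: it classifies each cookie by its Expires/Max-Age attributes and lists the ones that would force a credential prompt at every client launch. The cookie names, values and timestamps are constructed, and the Secure/HttpOnly check goes beyond what the guide asks for.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def classify_set_cookie(header_value, now):
    """Classify one Set-Cookie header value.

    kind is "session" (no usable Expires/Max-Age, so the cookie is dropped
    when the browser or client closes), "persistent" (survives a restart)
    or "expired" (lifetime already at or below zero).
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a Set-Cookie value: %r" % header_value)
    name = parts[0].partition("=")[0].strip()

    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    lifetime = None
    if "max-age" in attrs:
        # RFC 6265: Max-Age takes precedence over Expires when both are set.
        try:
            lifetime = timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # an unparsable Max-Age is ignored, Expires may still apply
    if lifetime is None and "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = expires - now
        except (TypeError, ValueError):
            pass  # an unparsable Expires leaves a session cookie

    if lifetime is None:
        kind = "session"
    elif lifetime <= timedelta(0):
        kind = "expired"
    else:
        kind = "persistent"

    # Extra hygiene check (not from the guide): a persistent authentication
    # cookie is written to disk, so it should at least be Secure and HttpOnly.
    missing_flags = [f for f in ("secure", "httponly") if f not in attrs]
    return {"name": name, "kind": kind, "lifetime": lifetime,
            "missing_flags": missing_flags}


def cookies_forcing_reprompt(headers, now):
    """Names of cookies that will not survive a client restart."""
    results = [classify_set_cookie(h, now) for h in headers]
    return [r["name"] for r in results if r["kind"] != "persistent"]


# Constructed sample: Set-Cookie values as an IdP might return them.
NOW = datetime(2016, 1, 27, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "IDP_SESSION=abc123; Path=/; Secure; HttpOnly",
    "IDP_SSO=def456; Max-Age=28800; Path=/; Secure; HttpOnly",
    "IDP_OLD=x; Expires=Wed, 27 Jan 2016 10:00:00 GMT; Path=/",
    "IDP_BOTH=y; Expires=Wed, 27 Jan 2016 10:00:00 GMT; Max-Age=3600; Secure; HttpOnly",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify_set_cookie(header, NOW))
    print("re-prompt on launch:", cookies_forcing_reprompt(SAMPLE_HEADERS, NOW))
```
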

Required Browsers

To share the authentication cookie (issued by IdP) between the browser and the client, you must specify one of the following browsers as your default browser:

Product | Required Browser

Cisco Jabber for Windows | Internet Explorer

Cisco Jabber for Mac | Safari

Cisco Jabber for iPhone and iPad | Safari

Cisco Jabber for Android | Chrome or Internet Explorer

Note: An embedded browser cannot share a cookie with an external browser when using SSO with Cisco Jabber for Android.

Single Sign-On and Remote Access

For users that provide their credentials from outside the corporate firewall using Expressway Mobile and Remote Access, single sign-on has the following restrictions:

• Single sign-on (SSO) is available with Cisco Expressway 8.5 and Cisco Unified Communications Manager release 10.5.2 or later.

• You cannot use SSO over the Expressway for Mobile and Remote Access on a secure phone.

• The Identity Provider used must have the same internal and external URL. If the URL is different, the user may be prompted to sign in again when changing from inside to outside the corporate firewall and vice versa.

Enable SAML SSO in the Client

Before You Begin

• If you do not use Cisco WebEx Messenger, enable SSO on Cisco Unified Communications Applications 10.5.1 Service Update 1—For information about enabling SAML SSO on this service, read the SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 10.5.

• Enable SSO on Cisco Unity Connection version 10.5—For more information about enabling SAML SSO on this service, read Managing SAML SSO in Cisco Unity Connection.

• If you use Cisco WebEx Messenger, enable SSO on Cisco WebEx Messenger Services to support Cisco Unified Communications Applications and Cisco Unity Connection—For more information about enabling SAML SSO on this service, read about Single Sign-On in the Cisco WebEx Messenger Administrator's Guide.

Procedure

Step 1: Deploy certificates on all servers so that the certificate can be validated by a web browser; otherwise, users receive warning messages about invalid certificates. For more information about certificate validation, see Certificate Validation.

Step 2: Ensure Service Discovery of SAML SSO in the client. The client uses standard service discovery to enable SAML SSO in the client. Enable service discovery by using the following configuration parameters: ServicesDomain, VoiceServicesDomain, and ServiceDiscoveryExcludedServices. For more information about how to enable service discovery, see Configure Service Discovery for Remote Access.

Step 3: Define how long a session lasts. A session is comprised of cookie and token values. A cookie usually lasts longer than a token. The life of the cookie is defined in the Identity Provider, and the duration of the token is defined in the service.

Step 4: When SSO is enabled, by default all Cisco Jabber users sign in using SSO. Administrators can change this on a per user basis so that certain users do not use SSO and instead sign in with their Cisco Jabber username and password. To disable SSO for a Cisco Jabber user, set the value of the SSO_Enabled parameter to FALSE.

If you have configured Cisco Jabber not to ask users for their email address, their first sign in to Cisco Jabber may be non-SSO. In some deployments, the parameter ServicesDomainSsoEmailPrompt needs to be set to ON. This ensures that Cisco Jabber has the information required to perform a first-time SSO sign in. If users signed in to Cisco Jabber previously, this prompt is not needed because the required information is available.

Related Topics

Single Sign-On

Managing SAML SSO in Cisco Unity Connection

SAML SSO Deployment Guide for Cisco Unified Communications Applications

Deployment in a Virtual Environment

You can deploy Cisco Jabber for Windows in a virtual environment.

The following features are supported in a virtual environment:

• Instant messaging and presence with other Cisco Jabber clients

• Desk phone control

• Voicemail

• Presence integration with Microsoft Outlook 2007, 2010 and 2013

Virtual Environment and Roaming Profiles

In a virtual environment, users do not always access the same virtual desktop. To guarantee a consistent user experience, the files that hold user data must be accessible every time that the client is launched. Cisco Jabber stores user data in the following locations:

• C:\Users\username\AppData\Local\Cisco\Unified Communications\Jabber\CSF

◦ Contacts—Contact cache files

◦ History—Call and chat history

◦ Photo cache—Caches the directory photos locally

• C:\Users\username\AppData\Roaming\Cisco\Unified Communications\Jabber\CSF

◦ Config—Maintains user configuration files and stores configuration store cache

◦ Credentials—Stores encrypted username and password file

Note: Cisco Jabber credentials caching is not supported when using Cisco Jabber in non-persistent virtual deployment infrastructure (VDI) mode.

If required, you can exclude files and folders from synchronization by adding them to an exclusion list. To synchronize a subfolder that is in an excluded folder, add the subfolder to an inclusion list.

To preserve personal user settings, you should do the following:

• Do not exclude the following directories:

• AppData\Local\Cisco

• AppData\Local\JabberWerxCPP

• AppData\Roaming\Cisco

• AppData\Roaming\JabberWerxCPP

• Use the following dedicated profile management solutions:

Citrix Profile Management—Provides a profile solution for Citrix environments. In deployments with random hosted virtual desktop assignments, Citrix profile management synchronizes each user's entire profile between the system it is installed on and the user store.

VMware View Persona Management—Preserves user profiles and dynamically synchronizes them with a remote profile repository. VMware View Persona Management does not require the configuration of Windows roaming profiles and can bypass Windows Active Directory in the management of VMware Horizon View user profiles. Persona Management enhances the functionality of existing roaming profiles.
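A pre-deployment check for the exclusion and inclusion guidance above, as an added example (not code from Cisco or from any profile-management vendor): it takes a profile solution's exclusion and inclusion lists and reports which of the four directories named in this section would not be fully synchronized. The rule precedence used here (the deepest matching rule wins, and an exclusion wins a tie) is a modelling assumption to confirm against your profile-management product; the sample lists are constructed.

```python
from pathlib import PureWindowsPath

# The four directories this section says must not be excluded.
REQUIRED_DIRS = [
    r"AppData\Local\Cisco",
    r"AppData\Local\JabberWerxCPP",
    r"AppData\Roaming\Cisco",
    r"AppData\Roaming\JabberWerxCPP",
]


def _parts(path):
    """Split a profile-relative Windows path into lower-cased components.

    Windows paths are case-insensitive; PureWindowsPath also accepts
    forward slashes and ignores a trailing separator.
    """
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def _covers(rule, target):
    """True when `rule` is `target` itself or one of its parent folders."""
    return target[:len(rule)] == rule


def check_profile_sync(exclusions, inclusions):
    """Return {required_dir: (status, offending_rules)}.

    status is "synced", "excluded" (the whole directory is dropped) or
    "partial" (an exclusion removes a subfolder of the directory).
    """
    excl = [(_parts(e), e) for e in exclusions]
    incl = [(_parts(i), i) for i in inclusions]
    report = {}
    for required in REQUIRED_DIRS:
        target = _parts(required)
        deepest_ex = max((e for e in excl if _covers(e[0], target)),
                         key=lambda e: len(e[0]), default=None)
        deepest_in = max((i for i in incl if _covers(i[0], target)),
                         key=lambda i: len(i[0]), default=None)

        # Assumption: an inclusion rescues the directory only when it is
        # more specific than the exclusion that covers it.
        if deepest_ex is not None and (
                deepest_in is None or len(deepest_in[0]) <= len(deepest_ex[0])):
            report[required] = ("excluded", [deepest_ex[1]])
            continue

        # Exclusions that sit below the required directory remove part of it.
        nested = [e[1] for e in excl
                  if len(e[0]) > len(target) and _covers(target, e[0])]
        report[required] = ("partial", nested) if nested else ("synced", [])
    return report


# Constructed sample configuration (profile-relative paths).
SAMPLE_EXCLUSIONS = [
    r"AppData\Local",
    r"AppData\Roaming\Cisco\Unified Communications\Jabber\CSF\Credentials",
    "appdata/roaming/jabberwerxcpp",
]
SAMPLE_INCLUSIONS = [
    r"AppData\Local\Cisco",
]

if __name__ == "__main__":
    for directory, (status, rules) in check_profile_sync(
            SAMPLE_EXCLUSIONS, SAMPLE_INCLUSIONS).items():
        print(f"{directory:35} {status:9} {rules}")
```
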

CHAPTER 3

Requirements

• On-Premises Servers for Cisco Jabber for Windows and Cisco Jabber for Mac

• On-Premises and Cloud Servers for Cisco Jabber for Android and iOS

• On-Premises Servers for Cisco Jabber for iPhone and iPad

• Hardware Requirements for Desktop Clients

• Hardware Requirements for Cisco Jabber for Android

• Hardware Requirements for Cisco Jabber for iPhone and iPad

• Network Requirements

• Virtual Environment Requirements

On-Premises Servers for Cisco Jabber for Windows and Cisco Jabber for Mac

Cisco Jabber uses domain name system (DNS) servers during startup. DNS servers are mandatory for Cisco Jabber.

Cisco Jabber supports the following on-premises servers:

• Cisco Unified Communications Manager, release 8.6(2) or later

• Cisco Unified Presence, release 8.6(2) or later

• Cisco Unity Connection, release 8.6(2) or later

• Cisco WebEx Meetings Server, version 1.5 or later (Windows only)

• Cisco WebEx Meetings Server, version 2.0 or later (Mac only)

• Cisco Expressway Series for Cisco Unified Communications Manager

◦ Cisco Expressway-E, version 8.1.1 or later

◦ Cisco Expressway-C, version 8.1.1 or later

• Cisco TelePresence Video Communications Server

◦ Cisco VCS Expressway, version 8.1.1 or later

◦ Cisco VCS Control, version 8.1.1 or later

Cisco Jabber supports the following features with Cisco Unified Survivable Remote Site Telephony, Version 8.5:

• Basic call functionality

• Ability to hold and resume calls

Refer to the Cisco Unified SCCP and SIP SRST System Administrator Guide for information about configuring Cisco Unified Survivable Remote Site Telephony at: http://www.cisco.com/en/US/docs/voice_ip_comm/cusrst/admin/sccp_sip_srst/configuration/guide/SCCP_and_SIP_SRST_Admin_Guide.html.

For Cisco Unified Communications Manager Express support details, refer to the Cisco Unified CME documentation: http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_device_support_tables_list.html

On-Premises and Cloud Servers for Cisco Jabber for Android and iOS

Cisco Jabber uses domain name system (DNS) servers during startup. DNS servers are mandatory for Cisco Jabber.

Cisco Jabber for mobile clients supports the following cloud servers:

WebEx Meeting Center

WebEx Meeting Center WBS28+

Cisco Jabber for mobile clients supports the following on-premises nodes and servers:

Cisco Unified Communications Manager

• Cisco Unified Communications Manager, Release 8.6(2) or later

Cisco Unified Presence

• Cisco Unified Presence, Release 8.6(2)

Cisco Unified Communications Manager IM and Presence Service

Note: Cisco Unified Communications Manager IM and Presence Service is formerly known as Cisco Unified Presence.

• Cisco Unified Communications Manager IM and Presence Service, Release 9.1(1)

• Cisco Unified Communications Manager IM and Presence Service, Release 9.1(2)

• Cisco Unified Communications Manager IM and Presence Service, Release 10.0(1)

• Cisco Unified Communications Manager IM and Presence Service, Release 10.5(1)

• Cisco Unified Communications Manager IM and Presence Service, Release 10.5(2)

• Cisco Unified Communications Manager IM and Presence Service, Release 11.0

Video Conferencing Bridge

• Cisco TelePresence MCU 5310

• Cisco TelePresence Server 7010

• Cisco TelePresence Server MSE 8710

• Cisco Integrated Services Router (with Packet Voice/Data Module [PVDM3])

Note: Expressway for Mobile and Remote Access is not supported with Cisco Integrated Services Router (with PVDM3).

Cisco Unity Connection

• Cisco Unity Connection, Release 8.6(2) or later

Cisco WebEx Meetings Server

• Cisco WebEx Meetings Server, version 2.0 or later

Cisco WebEx Meetings Client

Cisco WebEx Meetings client, later than version 4.5

Note: This Cisco WebEx Meetings Server client, version 8.0 supports Collaboration Meeting Room and Personal Meeting Room.

Cisco Unified Survivable Remote Site Telephony

Cisco Jabber for mobile clients support the following features with Cisco Unified Survivable Remote Site Telephony, version 8.5.

Cisco Expressway Series for Cisco Unified Communications Manager (Optional)

Use the following servers to set up mobile and remote access for the client. The Expressway servers do not provide call control for Cisco Jabber. The client uses Cisco Unified Communications Manager for call control.

• Cisco Expressway-E, version 8.5

• Cisco Expressway-C, version 8.5

• Cisco Expressway, version 8.2

• Cisco Expressway, version 8.2.1

If you currently deploy a Cisco TelePresence Video Communications Server (VCS) environment, you can set up Cisco Expressway for Mobile and Remote Access. A VCS environment requires Cisco VCS Expressway, version 8.1.1 and Cisco VCS Control, version 8.1.1.

Cisco Adaptive Security Appliance (Optional)

• Cisco Adaptive Security Appliance (ASA) 5500 Series, version 8.4(1) or later.

• Cisco Adaptive Security Device Manager (ASDM), version 6.4 or later.

• Cisco AnyConnect Secure Mobility Client Integration (Optional)—Android devices must run the latest version of Cisco AnyConnect Secure Mobility Client, which is available from the Google Play Store.

Note

When you are using AnyConnect with Samsung, the supported version is 4.0.01128.

• ASA license requirements—Use one of the following combinations:

◦AnyConnect Essentials and AnyConnect Mobile licenses

◦AnyConnect Premium and AnyConnect Mobile licenses

• Certificate authority (CA) if using certificate-based authentication—Cisco IOS Certificate Server, Microsoft Windows Server 2008 R2 Enterprise Certificate Authority, or Microsoft Windows Server 2003 Enterprise Certificate Authority.

On-Premises Servers for Cisco Jabber for iPhone and iPad

Cisco Jabber for iPhone and iPad supports the following on-premises servers:

Cisco Jabber uses domain name system (DNS) servers during startup. DNS servers are mandatory for Cisco Jabber.

Cisco Unified Communications Manager

• Cisco Unified Communications Manager, Release 8.6(2)

• Cisco Unified Communications Manager, Release 9.1(2)

• Cisco Unified Communications Manager, Release 10.0(1)

• Cisco Unified Communications Manager, Release 10.5(1)

• Cisco Unified Communications Manager, Release 10.5(2)

Cisco Unified Presence

• Cisco Unified Presence, Release 8.6(1)

• Cisco Unified Presence, Release 8.6(2)

Cisco Unified Communications Manager Release IM and Presence Service

Note

Cisco Unified Communications Manager IM and Presence Service is formerly known as Cisco Unified Presence.

• Cisco Unified Communications Manager IM and Presence Service, Release 9.1(1)

• Cisco Unified Communications Manager IM and Presence Service, Release 9.1(2)

• Cisco Unified Communications Manager IM and Presence Service, Release 10.0(1)

• Cisco Unified Communications Manager IM and Presence Service, Release 10.5(1)

• Cisco Unified Communications Manager IM and Presence Service, Release 10.5(2)

Cisco Unity Connection

• Cisco Unity Connection, Release 8.5

• Cisco Unity Connection, Release 8.6(1)

• Cisco Unity Connection, Release 8.6(2)

• Cisco Unity Connection, Release 9.1(1)

• Cisco Unity Connection, Release 9.1(2)

• Cisco Unity Connection, Release 10.0(1)

• Cisco Unity Connection, Release 10.5(1)

• Cisco Unity Connection, Release 10.5(2)

Cisco WebEx Meetings Server

• Cisco WebEx Meetings Server, version 1.5

• Cisco WebEx Meetings Server, version 2.0

• Cisco WebEx Meetings Server, version 2.5

• Cisco WebEx Meetings Client, version 4.5 to 6.5

Cisco Adaptive Security Appliance (Optional)

• VPN On Demand (Optional)—The Apple iOS On-Demand VPN feature requires certificate-only authentication. If you set up an ASA without certificate-only authentication, the user must manually initiate the AnyConnect VPN connection as needed.

The iOS device must be able to access the corporate network, servers, and telephony endpoints using a VPN client, such as Cisco AnyConnect Secure Mobility Client.

• Cisco AnyConnect Secure Mobility Client Integration (Optional)

• iOS devices must run Cisco AnyConnect Secure Mobility Client version 3.0.09115, which is available from the Apple App Store

• Cisco ASA 5500 Series Adaptive Security Appliance (ASA), version 8.4(1) or later

• Cisco Adaptive Security Device Manager (ASDM), version 6.4 or later

• ASA license requirements—Use one of the following combinations:

• AnyConnect Essentials and AnyConnect Mobile licenses

• AnyConnect Premium and AnyConnect Mobile licenses

Note

For more information about Cisco AnyConnect license requirements, see VPN License and Feature Compatibility.

• Certificate authority (CA) if using certificate-based authentication: Cisco IOS Certificate Server, Cisco IOS Certificate Server or Microsoft Windows Server 2003 Enterprise Certificate Authority

Cisco Jabber supports the following features with Cisco Unified Survivable Remote Site Telephony, version 8.6:

• Basic call functionality

• Ability to hold and resume calls on different clients with the shared line.

Hardware Requirements for Desktop Clients

| Requirement | Cisco Jabber for Windows | Cisco Jabber for Mac |
|---|---|---|
| Installed RAM | 2-GB RAM on Microsoft Windows 7 and Windows 8 | 2-GB RAM |
| Free physical memory | 128 MB | 1 GB |
| Free disk space | 256 MB | 300 MB |
| CPU speed and type | AMD Mobile Sempron Processor 3600+ 2 GHz; Intel Core 2 Duo Processor T7400 @ 2.16 GHz | Intel Core 2 Duo or later processors in any of the following Apple hardware: Mac Pro, MacBook Pro (including Retina Display model), MacBook, MacBook Air, iMac, Mac Mini |
| GPU | DirectX11 on Microsoft Windows 7 | N/A |
| I/O ports | USB 2.0 for USB camera and audio devices. | USB 2.0 for USB camera and audio devices |

Operating Systems for Cisco Jabber for Windows

You can install Cisco Jabber for Windows on the following operating systems:

• Microsoft Windows 10 (desktop mode)

• Microsoft Windows 8.1 (desktop mode)

• Microsoft Windows 8 (desktop mode)

• Microsoft Windows 7

Cisco Jabber for Windows does not require the Microsoft .NET Framework or any Java modules.

For Microsoft Windows 7 or 8.x, you can download Cisco Media Services Interface (MSI) 4.1.2 for use with deskphone video.

Windows 10 Servicing Options

Cisco Jabber for Windows supports the following Windows 10 servicing options:

• Current Branch (CB)

• Current Branch for Business (CBB)

• Long-Term Servicing Branch (LTSB)—with this option, it is your responsibility to ensure that any relevant service updates are deployed.

For more information about Windows 10 servicing options, see the following Microsoft documentation: https://technet.microsoft.com/en-us/library/mt598226(v=vs.85).aspx.

Operating Systems for Cisco Jabber for Mac

You can install Cisco Jabber for Mac on the following operating systems:

• Apple OS X Yosemite 10.10 (or later)

• Apple OS X Mavericks 10.9 (or later)

• Apple OS X Mountain Lion 10.8.1 (or later)

CTI Supported Devices

To view the list of Computer Telephony Integration (CTI) supported devices: From Cisco Unified Reporting, select Unified CM Phone Feature List. From the Feature drop-down list, select CTI controlled.

Hardware Requirements for Cisco Jabber for Android

Note

Cisco Jabber for Android is tested with the Android devices listed here. Although other Android devices are not officially supported, you might be able to use Cisco Jabber for Android on other Android devices.

The minimum CPU and display requirements for the Android devices are:

• Chipset—Android devices that are based on an Intel chipset are not supported.

• Android Operating System—4.1.2 or later.

• CPU—1.5 GHz dual-core, 1.2 GHz quad-core or higher (quad-core recommended).

• Display—For two-way video, the minimum display resolution requirement is 480 x 800 or higher.

Note

• Cisco Jabber for Android does not support the Tegra 2 chipset.

• Due to an Android kernel issue, Cisco Jabber cannot register to the Cisco Unified Communications Manager on some Android devices. If this problem occurs, see the Troubleshooting chapter of the Cisco Jabber for Android User Guide.

Cisco Jabber for Android supports IM only mode on the Android devices that meet the following minimum specifications:

• Chipset — Android devices that are based on an Intel chipset are not supported.

• Android OS — 4.1.2 or higher

• CPU — 1.5 GHz dual-core, 1.2 GHz quad-core or higher (quad-core recommended).

• Display — 320 x 480 or higher

Cisco Jabber for Android supports Audio and Video Enabled mode on the following devices, with the operating system versions listed in the table:

| Device | Device Model | Operating System |
|---|---|---|
| Cisco DX | 70 | 10.2.x version |
| Cisco DX | 80 | 10.2.x version |
| Cisco DX | 650 | 10.2.x version |
| HTC | M7 | Android OS 4.4.2 or later |
| HTC | M8 | Android OS 4.4.2 or later |
| HTC | One Max | Android OS 4.4.2 or later |
| Google Nexus | 5 | Android OS 4.4 or later |
| Google Nexus | 6 | Android OS 5.0.2 or later |
| Google Nexus | 7 | Android OS 4.4 or later |
| Google Nexus | 9 | Android OS 5.0.2 or later |
| Google Nexus | 10 | Android OS 4.4 or later |
| LG | G2 | Android OS 4.2.2 or later |
| LG | G3 | Android OS 4.4.2 or later |
| Motorola | Moto G | Android OS 4.4.2 or later |
| Motorola | MC40 | Android OS 4.1.1 [1] |
| Samsung Galaxy | Note II | Android OS 4.2 or later |
| Samsung Galaxy | Note III | Android OS 4.3 or later |
| Samsung Galaxy | Note IV | Android OS 4.4.4 or later |
| Samsung Galaxy | Note Edge | Android OS 4.4.4 or later |
| Samsung Galaxy | Note Pro 12.2 | Android OS 4.4.2 or later |
| Samsung Galaxy | Rugby Pro | Android OS 4.2.2 or later |
| Samsung Galaxy | SII | Android OS 4.1.2 or later |
| Samsung Galaxy | SIII | Android OS 4.2.2 or later |
| Samsung Galaxy | S4 | Android OS 4.2.2 or later |
| Samsung Galaxy | S4 mini | Android OS 4.2.2 or later |
| Samsung Galaxy | S5 | Android OS 4.2.2 or later |
| Samsung Galaxy | S5 mini | Android OS 4.2.2 or later |
| Samsung Galaxy | Tab 3 8-inch | Android OS 4.4 or later |
| Samsung Galaxy | S6 | Android OS 5.0.2 or later |
| Samsung Galaxy | S6 Edge | Android OS 5.0.2 or later |
| Samsung Galaxy | Tab 4 7-inch, 8-inch, and 10.1-inch | Android OS 4.4.2 or later |
| Samsung Galaxy | Tab PRO 8.4-inch and 10.1-inch | Android OS 4.4.2 or later |
| Samsung Galaxy | Tab S 8.4-inch & 10.5-inch | Android OS 4.4.2 or later |
| Samsung Galaxy | Note 10.1-inch 2014 Edition | Android OS 4.4.2 or later |
| Sony Xperia | ZR/A | Android OS 4.1.2 or later |
| Sony Xperia | M2 | Android OS 4.3 or later |
| Sony Xperia | Z1 | Android OS 4.2 or later |
| Sony Xperia | Z2 | Android OS 4.4.2 or later |
| Sony Xperia | Z2 tablet | Android OS 4.4.2 or later |
| Sony Xperia | Z3 | Android OS 4.4.2 or later |
| Sony Xperia | Z3 Tablet Compact | Android OS 4.4.4 or later |
| Huawei | G6 | Android OS 4.2.2 or later |
| Huawei | Mate 7 | Android OS 4.4 or later |
| Sonim | XP7 | Android OS 4.4.4 |
| Xiaomi | Mi 4 | Android OS 4.4 or later |

[1] Cisco Jabber supports only audio mode with MC40 device.

Android Version Support Policy for Cisco Jabber for Android

Due to an Android kernel issue, Cisco Jabber cannot register to the Cisco Unified Communications Manager on some Android devices. To resolve this problem, try the following:

• Upgrade the Android kernel to 3.10 or later version.

• Set the Cisco Unified Communications Manager to use mixed mode security, enable secure SIP call signaling, and use port 5061. See the Cisco Unified Communications Manager Security Guide for your release for instructions on configuring mixed mode with the Cisco CTL Client. You can locate the security guides in the Cisco Unified Communications Manager Maintain and Operate Guides. This solution applies to the following supported devices:

◦HTC M8 (Android OS 4.4.2 or later)

◦HTC M7 (Android OS 4.4.2 or later)

◦HTC One Max (Android OS 4.4.2 or later)

◦Sony Xperia M2 (Android OS 4.3 or later)

◦Sony Xperia Z1 (Android OS 4.2 or later)

◦Sony Xperia ZR/A (Android OS 4.1.2 or later)

◦Sony Xperia Z2 (Android OS 4.4.2 or later)

◦Sony Xperia Z2 tablet (Android OS 4.4.2 or later)

◦Sony Xperia Z3 (Android OS 4.4.2 or later)

◦Sony Xperia Z3 Tablet Compact (Android OS 4.4.4 or later)

◦Huawei Ascend G6 (Android OS 4.2.2 or later)

◦Huawei Ascend Mate 7 (Android OS 4.4 or later)

◦Sonim XP7 (Android OS 4.4.4)

◦Xiaomi 4 (Android OS 4.4 or later)

Supported Bluetooth Devices

| Bluetooth Devices | Useful Information |
|---|---|
| Jabra Motion | Upgrade firmware to firmware 3.72 or later |
| Jawbone ICON for Cisco Bluetooth Headset | If you use a Samsung Galaxy S4, you can experience problems due to compatibility issues between these devices. |
| Plantronics BackBeat 903+ | If you use a Samsung Galaxy S4, you can experience problems due to compatibility issues between these devices. |
| Jabra Wave+ | |
| Jabra Biz 2400 | |
| Jabra Easygo | |
| Jabra PRO 9470 | |
| Jabra Speak 510 | |
| Jabra Supreme UC | |
| Jabra Stealth | |
| Jabra Evolve 65 UC Stereo | |
| Plantronics Voyager Legend | |
| Plantronics Voyager Legend UC | |
| Plantronics Voyager edge UC | |
| Plantronics Voyager edge | |

Note

Using a Bluetooth device on a Samsung Galaxy SIII can cause distorted ringtone and call audio.

Hardware Requirements for Cisco Jabber for iPhone and iPad

The following Apple devices are supported for Cisco Jabber for iPhone and iPad on iOS 8 and later:

| Apple Device | Generation |
|---|---|
| iPod touch | 5 |
| iPhone | 5, 5c, 5s, 6, 6 Plus, |
| iPad | Second, third, fourth, and |
| iPad mini | Mini 1, mini 2, mini 3, and mini 4 |
| iPad Air | Air 1 and Air 2 |

The following Bluetooth headsets are supported on iPhone and iPad:

• Jabra Easygo

• Jabra Speak 510

• Jabra EXTREME 2

• Jabra Speak 450 for Cisco

• Jabra Supreme UC

• Jabra Wave +

• Jabra Motion [2]

• Jawbone ICON for Cisco Bluetooth Headset

• Jabra Stealth

• Jabra Evolve 65 UC Stereo

• Plantronics Voyager Legend

• Plantronics Voyager Legend UC

• Sony Ericsson Bluetooth Headset BW600

• Jabra PRO 9470

• Jabra BIZ 2400

• Plantronics Voyager Edge

• Plantronics Voyager Edge UC

[2] Supports Bluetooth control for Cisco Jabber calls. This feature is only supported with firmware version 3.72.

Network Requirements

When using Cisco Jabber over your corporate Wi-Fi network, we recommend that you do the following:

• Design your Wi-Fi network to eliminate gaps in coverage as much as possible, including in areas such as elevators, stairways, and outside corridors.

• Ensure that all access points assign the same IP address to the mobile device. Calls are dropped if the IP address changes during the call.

• Ensure that all access points have the same service set identifier (SSID). Hand-off may be much slower if the SSIDs do not match.

• Ensure that all access points broadcast their SSID. If the access points do not broadcast their SSID, the mobile device may prompt the user to join another Wi-Fi network, which interrupts the call.

Conduct a thorough site survey to minimize network problems that could affect voice quality. We recommend that you do the following:

• Verify nonoverlapping channel configurations, access point coverage, and required data and traffic rates.

• Eliminate rogue access points.

• Identify and mitigate the impact of potential interference sources.

For more information, see the following documentation:

• The “VoWLAN Design Recommendations” section in the Enterprise Mobility Design Guide.

• The Cisco Unified Wireless IP Phone 7925G Deployment Guide.

• The Capacity Coverage & Deployment Considerations for IEEE 802.11g white paper.

• The Solutions Reference Network Design (SRND) for your Cisco Unified Communications Manager release.

Ports and Protocols for Desktop Clients

The following table lists outbound ports and protocols that Cisco Jabber uses.

| Port | Protocol | Description |
|---|---|---|
| 443 | TCP (Extensible Messaging and Presence Protocol [XMPP] and HTTPS) | XMPP traffic to the WebEx Messenger service. The client sends XMPP through this port in cloud-based deployments only. If port 443 is blocked, the client falls back to port 5222. Note: Cisco Jabber can also use this port for HTTPS traffic to Cisco Unity Connection and Cisco WebEx Meetings Server, and for saving chats to the Microsoft Exchange server. |
| 30000 to 39999 | UDP | The client uses this port for far end camera control. |
| 389 | UDP/TCP | Lightweight Directory Access Protocol (LDAP) directory server. |

Ports for Additional Services and Protocols

In addition to the ports listed in this section, you should review the required ports for all protocols and services in your deployment. See the appropriate documentation for your server version. You can find the port and protocol requirements for different servers in the following documents:

• For Cisco Unified Communications Manager, Cisco Unified Communications Manager IM and Presence Service, and Cisco Unified Presence, see the TCP and UDP Port Usage Guide.

• For Cisco Unity Connection, see the System Administration Guide.

• For Cisco WebEx Meetings Server, see the Administration Guide.

• For Cisco WebEx services, see the Administrator's Guide.

• For Expressway for Mobile and Remote Access, see Cisco Expressway IP Port Usage for Firewall Traversal.

Ports and Protocols for Cisco Jabber for Android, iPhone, and iPad

The client uses the ports and protocols listed in the following table. If you plan to deploy a firewall between the client and a server, you must configure the firewall to allow these ports and protocols.

Note

No TCP/IP services are enabled in the client.

Inbound

| Port | Application Layer Protocol | Transport Layer Protocol | Description |
|---|---|---|---|
| 16384 to 32766 | RTP | UDP | Receives Real-Time Transport Protocol (RTP) media streams for audio and video. You set these ports in Cisco Unified Communications Manager. |

Outbound

| Port | Application Layer Protocol | Transport Layer Protocol | Description |
|---|---|---|---|
| 7080 | HTTPS | TCP | Used for Cisco Unity Connection to receive notifications of voice messages (new message, message update, and message deleted). |
| 6970 | HTTP | TCP | Connects to the TFTP server to download client configuration files. |
| 80 | HTTP | TCP | Connects to services such as Cisco WebEx Meeting Center for meetings or Cisco Unity Connection for voicemail. |
| 389 | LDAP | TCP (UDP) | Connects to an LDAP directory service. |
| 3268 | LDAP | TCP | Connects to a Global Catalog server for contact searches. |
| 443 | HTTPS | TCP | Connects to services such as Cisco WebEx Meeting Center for meetings or Cisco Unity Connection for voicemail. |
| 636 | LDAPS | TCP | Connects securely to an LDAP directory service. |
| 3269 | LDAPS | TCP | Connects securely to the Global Catalog server. |
| 5060 | SIP | TCP | Provides Session Initiation Protocol (SIP) call signaling. |
| 5061 | SIP over Transport Layer Security (TLS) | TCP | Provides secure SIP call signaling. |
| 5222 | XMPP | TCP | Connects to Cisco Unified Presence or Cisco Unified Communications Manager IM and Presence Service for instant messaging and presence. |
| 5269 | XMPP | TCP | Enables XMPP federation. |
| 8191 | SOAP | TCP | Connects to the local port to provide Simple Object Access Protocol (SOAP) web services. |
| 8443 | HTTPS | TCP | Is the port for web access to Cisco Unified Communications Manager and includes connections for the following: Cisco Unified Communications Manager IP Phone (CCMCIP) server for assigned devices; User Data Service (UDS) for contact resolution. |
| 16384 to 32766 | RTP | UDP | Sends RTP media streams for audio and video. |
| 53 | DNS | UDP | Provides hostname resolution. |
| 3804 | CAPF | TCP | Issues Locally Significant Certificates (LSC) to IP phones. This port is the listening port for Cisco Unified Communications Manager Certificate Authority Proxy Function (CAPF) enrollment. |

For information about port usage for Expressway for Mobile and Remote Access, see Cisco Expressway IP Port Usage for Firewall Traversal.

For information about file transfer port usage see the Managed File Transfer chapter of the Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager, Release 10.5(2).

Supported Codecs for Cisco Jabber for Windows and Cisco Jabber for Mac

Supported Audio Codecs

• G.722

• G.722.1—32k and 24k. G.722.1 is supported on Cisco Unified Communications Manager 8.6.1 or later.

• G.711—a-law and u-law

• G.729a

Supported Video Codec

• H.264/AVC

Supported Codecs for Cisco Jabber for Android, iPhone, and iPad

Supported Audio Codecs

Codec

G.711

Codec type

mu-law a-law

G.722.1

G.729a

Notes

Supports normal mode.

Supports normal mode.

Minimum requirement for low-bandwidth availability.

Only codec that supports low bandwidth mode.

Supports normal mode.

G.722

Opus

Users can turn low bandwidth mode on and off in the client settings if they experience voice quality issues.

Supported Video Codecs

H.264/AVC

Users can turn on low bandwidth mode to improve video quality.

Supported Voicemail Codecs

• PCM linear

• G.711—mu-law (default)

• G.711—a-law

• GSM 6.10

Note

Cisco Jabber for mobile does not support visual voicemail with G.729. However, you can access voice messages using G.729 and the Call Voicemail feature.

Virtual Environment Requirements

Software Requirements

To deploy Cisco Jabber for Windows in a virtual environment, select from the following supported software versions:

| Software | Supported Versions |
|---|---|
| Citrix XenDesktop | 7.6, 7.5, 7.1 |
| Citrix XenApp | 7.6, published desktop; 7.5, published desktop; 6.5, published desktop |
| VMware Horizon View | 6.1, 6.0, 5.3 |

Softphone Requirements

For softphone calls, use Cisco Virtualization Experience Media Engine (VXME).

CHAPTER 4

Contact Source

• On-Premises Contact Source Options

On-Premises Contact Source Options

In on-premises deployments, the client requires one of the following contact sources to resolve directory lookups for user information:

• Lightweight Directory Access Protocol (LDAP)—If you have a corporate directory, you can use the following LDAP-based contact source options to configure your directory as the contact source:

• Enhanced Directory Integration (EDI)—Select this option to deploy Cisco Jabber for Windows.

• Basic Directory Integration (BDI)—Select this option to deploy Cisco Jabber for Mac, iOS, and Android.

• Cisco Unified Communications Manager User Data Service (UDS)—If you do not have a corporate directory, you can use this option.

IM Address Scheme

Cisco Jabber 10.6 and later supports multiple presence domain architecture models for on-premises deployments when the domains are on the same presence architecture, for example users in example-us.com and example-uk.com. Cisco Jabber supports flexible IM Address Scheme using Cisco Unified Communications Manager IM and Presence 10.x or later. The IM Address scheme is the Jabber ID that identifies the Cisco Jabber users.

To support multi domain models, all components of the deployment require the following versions:

• Cisco Unified Communications IM and Presence server nodes and call control nodes version 10.x or later.

• All clients running on Windows, Mac, iOS and Android version 10.6 or later.

Only deploy Cisco Jabber with multiple domain architecture in the following scenarios:

• Cisco Jabber 10.6 or later is deployed as a new installation to all users in your organization on all platforms (Windows, Mac, iOS and Android, including Android-based IP Phones such as the DX series).

• Before making any domain or IM address changes on the presence server, Cisco Jabber is upgraded to version 10.6 or later for all users on all platforms (Windows, Mac, iOS and Android, including Android-based IP Phones such as the DX series).

The available IM address schemes in the Advanced Presence Settings are:

• [email protected][Default Domain]

• Directory URI

[email protected][Default Domain]

The User ID field is mapped to an LDAP field. This is the default IM Address Scheme.

For example, user Anita Perez has an account name aperez and the User ID field is mapped to the sAMAccountName LDAP field. The address scheme used is [email protected]

Directory URI

The Directory URI is mapped to the mail or msRTCSIP-primaryuseraddress LDAP fields. This option provides a scheme that is independent of the user ID for authentication.

For example, user Anita Perez has an account name aperez, the mail field is [email protected], the address scheme used is [email protected]

Directory Servers

You can use the following directory servers with Cisco Jabber:

Note

Cisco Jabber for Windows, Cisco Jabber for Mac, Cisco Jabber for iPhone and iPad, and Cisco Jabber for Android support the LDAPv3 standard for directory integration. Any directory server that supports this standard should be compatible with these clients.

• Active Directory Domain Services for Windows Server 2012 R2

• Active Directory Domain Services for Windows Server 2008 R2

• Cisco Unified Communications Manager User Data Server (UDS)

Cisco Jabber supports UDS using the following Cisco Unified Communications Manager versions:

Cisco Unified Communications Manager, version 9.1(2), with the following Cisco Options Package (COP) file: cmterm-cucm-uds-912-5.cop.sgn.

Cisco Unified Communications Manager, version 10.0(1). No COP file is required.

• OpenLDAP

• Active Directory Lightweight Directory Service (AD LDS) or Active Directory Application Mode (ADAM)

Restriction

Directory integration with OpenLDAP, AD LDS, or ADAM requires that you define specific parameters in a Cisco Jabber configuration file.

Contact Photo Formats and Dimensions

To achieve the best result with Cisco Jabber, your contact photos should have specific formats and dimensions.

Review supported formats and optimal dimensions. Learn about adjustments the client makes to contact photos.

Contact Photo Formats

Cisco Jabber supports the following formats for contact photos in your directory:

• JPG

• PNG

• BMP

Important

Cisco Jabber does not apply any modifications to enhance rendering for contact photos in GIF format. As a result, contact photos in GIF format might render incorrectly or with less than optimal quality. To obtain the best quality, use PNG format for your contact photos.

Contact Photo Dimensions

Tip

The optimum dimensions for contact photos are 128 pixels by 128 pixels with an aspect ratio of 1:1.

The following table lists the different dimensions for contact photos in Cisco Jabber.

| Location | Dimensions |
|---|---|
| Audio call window | 128 pixels by 128 pixels |
| Invitations and reminders, for example: incoming call windows, meeting reminder windows | 64 pixels by 64 pixels |
| Lists of contacts, for example: contact lists, participant rosters, call history, voicemail messages | 32 pixels by 32 pixels |

Contact Photo Adjustments

Cisco Jabber adjusts contact photos as follows:

• Resizing—If contact photos in your directory are smaller or larger than 128 pixels by 128 pixels, the client automatically resizes the photos. For example, contact photos in your directory are 64 pixels by 64 pixels. When Cisco Jabber retrieves the contact photos from your directory, it resizes the photos to 128 pixels by 128 pixels.

Tip

Resizing contact photos can result in less than optimal resolution. For this reason, use contact photos that are 128 pixels by 128 pixels so that the client does not automatically resize them.

• Cropping—Cisco Jabber automatically crops nonsquare contact photos to a square aspect ratio, or an aspect ratio of 1:1 where the width is the same as the height.

• Portrait orientation—If contact photos in your directory have portrait orientation, the client crops 30 percent from the top and 70 percent from the bottom.

For example, if contact photos in your directory have a width of 100 pixels and a height of 200 pixels, Cisco Jabber needs to crop 100 pixels from the height to achieve an aspect ratio of 1:1. In this case, the client crops 30 pixels from the top of the photos and 70 pixels from the bottom of the photos.

• Landscape orientation—If contact photos in your directory have landscape orientation, the client crops 50 percent from each side.

For example, if contact photos in your directory have a width of 200 pixels and a height of 100 pixels, Cisco Jabber needs to crop 100 pixels from the width to achieve an aspect ratio of 1:1. In this case, the client crops 50 pixels from the right side of the photos and 50 pixels from the left side of the photos.

CHAPTER 5

Certificates

• Certificate Validation

• Required Certificates for On-Premises Servers

• Certificate Requirements for Cloud-Based Servers

Certificate Validation

The Certificate Validation Process

Cisco Jabber validates server certificates when authenticating to services. When attempting to establish secure connections, the services present Cisco Jabber with certificates. Cisco Jabber validates the presented certificate against what is in the client device's local certificate store. If the certificate is not in the certificate store, the certificate is deemed untrusted and Cisco Jabber prompts the user to accept or decline the certificate.

If the user accepts the certificate, Cisco Jabber connects to the service and saves the certificate in the certificate store or keychain of the device. If the user declines the certificate, Cisco Jabber does not connect to the service and the certificate is not saved to the certificate store or keychain of the device.

If the certificate is in the local certificate store of the device, Cisco Jabber trusts the certificate. Cisco Jabber connects to the service without prompting the user to accept or decline the certificate.

Cisco Jabber authenticates to two services on the Cisco Unified Communications Manager server. The service names are Cisco Tomcat and Extensible Messaging and Presence Protocol (XMPP). A certificate signing request (CSR) must be generated for each service. Some public certificate authorities do not accept more than one CSR per fully qualified domain name (FQDN), which means that the CSR for each service may need to be sent to separate public certificate authorities.

Ensure that you specify FQDN in the service profile for each service, instead of the IP address or hostname.

Signed Certificates

Certificates can be signed by the certificate authority (CA) or self-signed.

• CA-signed certificates—Users are not prompted because you are installing the certificate on the devices yourself. CA-signed certificates can be signed by a Private CA or a Public CA. Many certificates that are signed by a Public CA are stored in the certificate store or keychain of the device.

• Self-signed certificates—Certificates are signed by the services that are presenting the certificates, and users are always prompted to accept or decline the certificate.

Note

We recommend that you don't use self-signed certificates.

Certificate Validation Options

Before setting up certificate validation, you must decide how you want the certificates to be validated:

• Whether you are deploying certificates for on-premises or cloud-based deployments.

• What method you are using to sign the certificates.

• If you are deploying CA-signed certificates, whether you are going to use a public CA or a private CA.

• Which services you need to get certificates for.

Required Certificates for On-Premises Servers

On-premises servers present the following certificates to establish a secure connection with Cisco Jabber:

| Server | Certificate |
|---|---|
| Cisco Unified Communications Manager IM and Presence Service | HTTP (Tomcat); XMPP |
| Cisco Unified Communications Manager | HTTP (Tomcat) and CallManager certificate (secure SIP call signaling for secure phone) |
| Cisco Unity Connection | HTTP (Tomcat) |
| Cisco WebEx Meetings Server | HTTP (Tomcat) |
| Cisco VCS Expressway; Cisco Expressway-E | Server certificate (used for HTTP, XMPP, and SIP call signaling) |

Important Notes

• Security Assertion Markup Language (SAML) single sign-on (SSO) and the Identity Provider (IdP) require an X.509 certificate.

• You should apply the most recent Service Update (SU) for Cisco Unified Communications Manager IM and Presence Service before you begin the certificate signing process.

• The required certificates apply to all server versions.

• Each cluster node, subscriber, and publisher, runs a Tomcat service and can present the client with an HTTP certificate.

You should plan to sign the certificates for each node in the cluster.

• To secure SIP signaling between the client and Cisco Unified Communications Manager, you should use Certification Authority Proxy Function (CAPF) enrollment.

Certificate Signing Request Formats and Requirements

A public certificate authority (CA) typically requires a certificate signing request (CSR) to conform to specific formats. For example, a public CA might only accept CSRs that have the following requirements:

• Are Base64-encoded.

• Do not contain certain characters, such as @&!, in the Organization, OU, or other fields.

• Use specific bit lengths in the server's public key.

If you submit CSRs from multiple nodes, public CAs might require that the information is consistent in all CSRs.

To prevent issues with your CSRs, you should review the format requirements from the public CA to which you plan to submit the CSRs. You should then ensure that the information you enter when configuring your server conforms to the format that the public CA requires.

One Certificate Per FQDN—Some public CAs sign only one certificate per fully qualified domain name (FQDN).

For example, to sign the HTTP and XMPP certificates for a single Cisco Unified Communications Manager IM and Presence Service node, you might need to submit each CSR to different public CAs.

Revocation Servers

To validate certificates, the certificate must contain an HTTP URL in the CDP or AIA fields for a reachable server that can provide revocation information. If a certificate authority (CA) revokes a certificate, the client does not allow users to connect to that server.

Users are not notified of the following outcomes:

• The certificates do not contain revocation information.

• The revocation server cannot be reached.

To ensure that your certificates are validated when you get a certificate issued by a CA, you must meet one of the following requirements:

• Ensure that the CRL Distribution Point (CDP) field contains an HTTP URL to a certificate revocation list (CRL) on a revocation server.

• Ensure that the Authority Information Access (AIA) field contains an HTTP URL for an Online Certificate Status Protocol (OCSP) server.

Server Identity in Certificates

As part of the signing process, the CA specifies the server identity in the certificate. When the client validates that certificate, it checks that:

• A trusted authority has issued the certificate.

• The identity of the server that presents the certificate matches the identity of the server specified in the certificate.

Note

Public CAs generally require a fully qualified domain name (FQDN) as the server identity, not an IP address.

Identifier Fields

The client checks the following identifier fields in server certificates for an identity match:

• XMPP certificates

• SubjectAltName\OtherName\xmppAddr

• SubjectAltName\OtherName\srvName

• SubjectAltName\dnsNames

• Subject CN

• HTTP certificates

• SubjectAltName\dnsNames

• Subject CN

Tip

The Subject CN field can contain a wildcard (*) as the leftmost character, for example, *.cisco.com.

Prevent Identity Mismatch

If users attempt to connect to a server with an IP address or hostname, and the server certificate identifies the server with an FQDN, the client cannot identify the server as trusted and prompts the user.

If your server certificates identify the servers with FQDNs, you should plan to specify each server name as FQDN in many places on your servers. For more information, see the Prevent Identity Mismatch section in Troubleshooting TechNotes.
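The identity and revocation checks described above can be rehearsed before certificates are deployed. The following is an added example, not Cisco code: it models the checks as this guide states them over constructed certificate fields. The dict layout and function names are hypothetical, and two points are assumptions: a wildcard is honoured only in Subject CN and covers a single label, and every identifier field is compared with the one name the client is configured to use.

```python
"""Pre-deployment lint for server certificates, modelled on the checks in this guide."""
import ipaddress
from urllib.parse import urlsplit

# Identifier fields the guide says the client checks, per certificate type.
IDENTIFIER_FIELDS = {
    "xmpp": ["san_xmpp_addr", "san_srv_name", "san_dns_names", "subject_cn"],
    "http": ["san_dns_names", "subject_cn"],
}


def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def name_matches(pattern, name):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.cisco.com" -> ".cisco.com"
    if not name.endswith(suffix):
        return False
    head = name[: -len(suffix)]
    # Assumption: the wildcard stands for exactly one label.
    return head != "" and "." not in head


def identity_findings(cert, kind, configured_name):
    """Findings for the name the client is told to connect to."""
    findings = []
    if is_ip(configured_name) or "." not in configured_name:
        findings.append("configured name is an IP address or bare hostname, not an FQDN")
    matched = False
    for field in IDENTIFIER_FIELDS[kind]:
        for value in cert.get(field, []):
            if field == "subject_cn":
                matched = matched or name_matches(value, configured_name)
            else:
                same = value.lower().rstrip(".") == configured_name.lower().rstrip(".")
                matched = matched or same
    if not matched:
        findings.append("identity mismatch: no identifier field matches the configured name")
    return findings


def revocation_findings(cert):
    """The guide asks for an HTTP URL in CDP (CRL) or AIA (OCSP); either one suffices."""
    urls = cert.get("cdp_urls", []) + cert.get("aia_ocsp_urls", [])
    if any(urlsplit(u).scheme.lower() in ("http", "https") for u in urls):
        return []
    return ["no HTTP(S) revocation URL in CDP or AIA: revocation cannot be checked"]


# Constructed sample certificates; every value here is made up for illustration.
SAMPLE_CERTS = {
    "cucm-tomcat": {
        "kind": "http", "configured_name": "cucm1.example.com",
        "subject_cn": ["cucm1.example.com"], "san_dns_names": ["cucm1.example.com"],
        "cdp_urls": ["http://pki.example.com/issuing-ca.crl"],
    },
    "imp-tomcat-by-ip": {
        "kind": "http", "configured_name": "192.168.0.26",
        "subject_cn": ["cup1.example.com"], "san_dns_names": ["cup1.example.com"],
        "aia_ocsp_urls": ["http://ocsp.example.com"],
    },
    "imp-xmpp-wildcard": {
        "kind": "xmpp", "configured_name": "cup1.example.com",
        "subject_cn": ["*.example.com"], "san_xmpp_addr": [],
        "cdp_urls": ["ldap://dc1.example.com/CN=issuing-ca"],
    },
}


def lint_all(certs):
    return {
        label: identity_findings(cert, cert["kind"], cert["configured_name"])
        + revocation_findings(cert)
        for label, cert in certs.items()
    }


if __name__ == "__main__":
    for label, findings in lint_all(SAMPLE_CERTS).items():
        print(label, "->", findings or "ok")
```

The LDAP-only CDP in the third sample is the case the guide says fails silently: users are not notified when revocation information is missing or unreachable.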

Certificate Requirements for Cloud-Based Servers

Cisco WebEx Messenger and Cisco WebEx Meeting Center present the following certificates to the client:

• Central Authentication Service (CAS)

• WLAN Authentication and Privacy Infrastructure (WAPI)

Important

Cisco WebEx certificates are signed by a public certificate authority (CA). Cisco Jabber validates these certificates to establish secure connections with cloud-based services.

As of Cisco Jabber for Windows 9.7.2 and Cisco Jabber for Mac 9.6.1, Cisco Jabber validates the XMPP certificate received from Cisco WebEx Messenger. If your operating system does not contain the following certificates for Cisco WebEx Messenger, you must provide them:

• VeriSign Class 3 Public Primary Certification Authority—G5 (stored in the Trusted Root Certificate Authority)

• VeriSign Class 3 Secure Server CA—G3 (stored in the Intermediate Certificate Authority)

The same set of certificates is applicable for Cisco Jabber for Android, iPhone and iPad.

The certificate that is stored in the Intermediate Certificate Authority validates the Cisco WebEx Messenger server identity.

For Cisco Jabber for Windows 9.7.2 or later, you can find more information and installation instructions for the root certificate at http://www.identrust.co.uk/certificates/trustid/install-nes36.html.

For Cisco Jabber for Mac 9.6.1 or later and iOS, you can find more information for the root certificate on the Apple support website at https://support.apple.com.

CHAPTER 6

Service Discovery

• About Service Discovery

• How the Client Locates Services

• Cisco UDS SRV Record

• CUP Login SRV Record

• Collaboration Edge SRV Record

About Service Discovery

Service discovery enables clients to automatically detect and locate services on your enterprise network.

Clients query domain name servers to retrieve service (SRV) records that provide the location of servers.

The primary benefits to using service discovery are as follows:

• Speeds time to deployment.

• Allows you to centrally manage server locations.

Important

If you are migrating from Cisco Unified Presence 8.x to Cisco Unified Communications Manager IM and Presence Service 9.0 or later, you must specify the Cisco Unified Presence server FQDN in the migrated UC service on Cisco Unified Communications Manager. Open the Cisco Unified Communications Manager Administration interface. Select User Management > User Settings > UC Service.

For UC services with type IM and Presence, when you migrate from Cisco Unified Presence 8.x to Cisco Unified Communications Manager IM and Presence Service, the Host Name/IP Address field is populated with a domain name and you must change this to the Cisco Unified Presence server FQDN.

However, the client can retrieve different SRV records that indicate to the client different servers are present and different services are available. In this way, the client derives specific information about your environment when it retrieves each SRV record.

The following table lists the SRV records that you can deploy and explains the purpose and benefits of each record:

SRV Record: _cisco-uds

Purpose: Provides the location of Cisco Unified Communications Manager version 9.0 and later. The client can retrieve service profiles from Cisco Unified Communications Manager to determine the authenticator.

Why You Deploy:

• Eliminates the need to specify installation arguments.

• Lets you centrally manage configuration in UC service profiles.

• Enables the client to discover the user's home cluster. As a result, the client can automatically get the user's device configuration and register the devices. You do not need to provision users with Cisco Unified Communications Manager IP Phone (CCMCIP) profiles or Trivial File Transfer Protocol (TFTP) server addresses.

• Supports mixed product modes. You can easily deploy users with full UC, IM only, or phone mode capabilities.

• Supports Expressway for Mobile and Remote Access.

SRV Record: _cuplogin

Purpose: Provides the location of Cisco Unified Presence. Sets Cisco Unified Presence as the authenticator.

Why You Deploy:

• Supports deployments with Cisco Unified Communications Manager and Cisco Unified Presence version 8.x.

• Supports deployments where all clusters have not yet been upgraded to Cisco Unified Communications Manager 9.

SRV Record: _collab-edge

Purpose: Provides the location of Cisco VCS Expressway or Cisco Expressway-E. The client can retrieve service profiles from Cisco Unified Communications Manager to determine the authenticator.

Why You Deploy:

• Supports deployments with Expressway for Mobile and Remote Access.

How the Client Locates Services

The following steps describe how the client locates services with SRV records:

1. The client's host computer or device gets a network connection.

When the client's host computer gets a network connection, it also gets the address of a Domain Name System (DNS) name server from the DHCP settings.

2. The user employs one of the following methods to discover the service during the first sign in:

• Manual—The user starts Cisco Jabber and then inputs an email-like address on the welcome screen.

• URL configuration—URL configuration allows users to click on a link to cross-launch Cisco Jabber without manually inputting an email.

• Mobile Configuration Using Enterprise Mobility Management—As an alternative to URL configuration, you can configure Cisco Jabber using Enterprise Mobility Management (EMM) with Android for Work on Cisco Jabber for Android and with Apple Managed App Configuration on Cisco Jabber for iPhone and iPad. You need to configure the same parameters in the EMM console that are used for creating the URL configuration link.

To create a URL configuration link, you include the following:

• ServicesDomain—The domain that Cisco Jabber uses for service discovery.

• VoiceServicesDomain—For a hybrid deployment, the domain that Cisco Jabber uses to retrieve the DNS SRV records can be different from the ServicesDomain that is used to discover the Cisco Jabber domain.

• ServiceDiscoveryExcludedServices—In certain deployment scenarios, services can be excluded from the service discovery process. These values can be a combination of the following:

◦ WEBEX

◦ CUCM

◦ CUP

Note

When all three parameters are included, service discovery does not happen and the user is prompted to manually enter connection settings.

Create the link in the following format:

ciscojabber://provision?ServicesDomain=<domain_for_service_discover>&VoiceServicesDomain=<domain_for_voice_services>&ServiceDiscoveryExcludedServices=<services_to_exclude_from_service_discover>

Examples:

• ciscojabber://provision?servicesdomain=example.com

• ciscojabber://provision?servicesdomain=example.com&VoiceServicesDomain=VoiceServices.example.com

• ciscojabber://provision?servicesdomain=example.com&ServiceDiscoveryExcludedServices=WEBEX,CUCM

Provide the link to users using email or a website.

Note

If your organization uses a mail application that supports cross-launching proprietary protocols or custom links, you can provide the link to users using email, otherwise provide the link to users using a website.

3. The client gets the address of the DNS name server from the DHCP settings.

4. The client issues an HTTP query to a Central Authentication Service (CAS) URL for the Cisco WebEx Messenger service.

This query enables the client to determine if the domain is a valid Cisco WebEx domain.

5. The client queries the name server for the following SRV records in order of priority:

• _cisco-uds

• _cuplogin

• _collab-edge

The client caches the results of the DNS query to load on subsequent launches.

The following is an example of an SRV record entry:

_cisco-uds._tcp.DOMAIN SRV service location:
    priority = 0
    weight = 0
    port = 8443
    svr hostname=192.168.0.26
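The URL configuration link from step 2 decides which domain the client runs service discovery against, so it is worth checking each link before it is mailed or published. The following is an added example, not Cisco code: the function name and the approved-domain list are hypothetical, parameter names are treated as case-insensitive because the guide's own examples mix cases, and the Note is read here as "all three services excluded".

```python
"""Audit ciscojabber://provision links before they are distributed to users."""
from urllib.parse import urlsplit, parse_qsl

# The three link parameters this guide documents, keyed by lower-case name.
KNOWN_PARAMS = {
    "servicesdomain": "ServicesDomain",
    "voiceservicesdomain": "VoiceServicesDomain",
    "servicediscoveryexcludedservices": "ServiceDiscoveryExcludedServices",
}
EXCLUDABLE = {"WEBEX", "CUCM", "CUP"}


def audit_provision_link(link, approved_domains):
    """Return (params, findings); an empty findings list means nothing to review."""
    parts = urlsplit(link.strip())
    if parts.scheme.lower() != "ciscojabber" or parts.netloc.lower() != "provision":
        return {}, ["not a ciscojabber://provision link"]

    params, findings = {}, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        canonical = KNOWN_PARAMS.get(name.lower())
        if canonical is None:
            findings.append(f"parameter not listed in this guide: {name}")
        elif canonical in params:
            findings.append(f"duplicate parameter: {canonical}")
        else:
            params[canonical] = value.strip()

    if not params.get("ServicesDomain"):
        findings.append("ServicesDomain missing or empty")
    for key in ("ServicesDomain", "VoiceServicesDomain"):
        domain = params.get(key, "").lower()
        if domain and domain not in approved_domains:
            findings.append(f"{key} points at unapproved domain: {domain}")

    raw = params.get("ServiceDiscoveryExcludedServices", "")
    excluded = {item.strip().upper() for item in raw.split(",") if item.strip()}
    unknown = sorted(excluded - EXCLUDABLE)
    if unknown:
        findings.append("unknown excluded services: " + ",".join(unknown))
    if EXCLUDABLE <= excluded:
        findings.append("all three services excluded: no service discovery, "
                        "users must enter connection settings manually")
    return params, findings


# Hypothetical allowlist and constructed sample links.
APPROVED = {"example.com", "voiceservices.example.com"}
SAMPLE_LINKS = [
    "ciscojabber://provision?servicesdomain=example.com",
    "ciscojabber://provision?ServicesDomain=example.com"
    "&VoiceServicesDomain=VoiceServices.example.com",
    "ciscojabber://provision?servicesdomain=examp1e.test"
    "&ServiceDiscoveryExcludedServices=WEBEX,CUCM,CUP",
    "ciscojabber://provision?servicesdomain=example.com"
    "&ServiceDiscoveryExcludeServices=WEBEX,CUCM",   # misspelled parameter name
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", audit_provision_link(link, APPROVED)[1] or "ok")
```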

Cisco UDS SRV Record

In deployments with Cisco Unified Communications Manager version 9 and later, the client can automatically discover services and configuration with the _cisco-uds SRV record.

The following figure shows how the client uses the _cisco-uds SRV record.

Figure 6: UDS SRV Record Login Flow

1. The client queries the domain name server for SRV records.

2. The domain name server returns the _cisco-uds SRV record.

3. The client locates the user's home cluster.

As a result, the client can retrieve the device configuration for the user and automatically register telephony services.

Important

In an environment with multiple Cisco Unified Communications Manager clusters, you can configure the Intercluster Lookup Service (ILS). ILS enables the client to find the user's home cluster and discover services.

If you do not configure ILS, you must manually configure remote cluster information, similar to the Extension Mobility Cross Cluster (EMCC) remote cluster setup. For more information on remote cluster configurations, see the Cisco Unified Communications Manager Features and Services Guide.

4. The client retrieves the user's service profile.

The user's service profile contains the addresses and settings for UC services and client configuration.

The client also determines the authenticator from the service profile.

5. The client signs the user in to the authenticator.

The following is an example of the _cisco-uds SRV record:

_cisco-uds._tcp.example.com SRV service location:
    priority = 6
    weight = 30
    port = 8443
    svr hostname = cucm3.example.com

_cisco-uds._tcp.example.com SRV service location:
    priority = 2
    weight = 20
    port = 8443
    svr hostname = cucm2.example.com

_cisco-uds._tcp.example.com SRV service location:
    priority = 1
    weight = 5
    port = 8443
    svr hostname = cucm1.example.com
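To see which server the three records above put first, and to catch SRV targets that will not match an FQDN-based certificate, the answer can be parsed and ordered offline. The following is an added example, not Cisco code: function names are hypothetical, ordering follows standard RFC 2782 semantics (lowest priority value first, weights break ties at random), and the guide does not state that Jabber applies weights in exactly this way.

```python
"""Model of the SRV-based discovery order described in this guide."""
import ipaddress
import random
import re

# Order in which the guide says the client looks for SRV records.
DISCOVERY_ORDER = ["_cisco-uds", "_cuplogin", "_collab-edge"]
REQUIRED = {"priority", "weight", "port", "target"}

# The three _cisco-uds records are the guide's example; the _cuplogin record
# with an IP address as its target is constructed for this illustration.
SAMPLE_ANSWER = """\
_cisco-uds._tcp.example.com  SRV service location:
    priority     = 6
    weight       = 30
    port         = 8443
    svr hostname = cucm3.example.com
_cisco-uds._tcp.example.com  SRV service location:
    priority     = 2
    weight       = 20
    port         = 8443
    svr hostname = cucm2.example.com
_cisco-uds._tcp.example.com  SRV service location:
    priority     = 1
    weight       = 5
    port         = 8443
    svr hostname = cucm1.example.com
_cuplogin._tcp.example.com  SRV service location:
    priority     = 0
    weight       = 0
    port         = 8443
    svr hostname = 192.168.0.26
"""


def parse_srv(text):
    """Parse nslookup-style SRV output into dicts; incomplete records are dropped."""
    records, current = [], None
    for line in text.splitlines():
        head = re.match(r"\s*(_[A-Za-z0-9-]+)\._tcp\.(\S+)\s+SRV service location:", line)
        if head:
            current = {"service": head.group(1), "domain": head.group(2)}
            records.append(current)
            continue
        field = re.match(r"\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)", line)
        if field and current is not None:
            key, value = field.groups()
            if key == "svr hostname":
                current["target"] = value
            else:
                current[key] = int(value)
    return [r for r in records if REQUIRED <= r.keys()]


def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def rfc2782_order(records, rng):
    """Lowest priority value first; within one priority, weighted random selection."""
    ordered = []
    for priority in sorted({r["priority"] for r in records}):
        # Zero-weight records go first in the pool, as RFC 2782 prescribes.
        pool = sorted((r for r in records if r["priority"] == priority),
                      key=lambda r: r["weight"] != 0)
        while pool:
            pick = rng.randint(0, sum(r["weight"] for r in pool))
            running = 0
            for chosen in pool:
                running += chosen["weight"]
                if running >= pick:
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def plan(records, seed=None):
    """Pick the first record type in DISCOVERY_ORDER that has answers and order its targets."""
    rng = random.Random(seed)
    for service in DISCOVERY_ORDER:
        answers = [r for r in records if r["service"] == service]
        if answers:
            ordered = rfc2782_order(answers, rng)
            warnings = [f"{r['target']}: SRV target is an IP address, not an FQDN"
                        for r in ordered if is_ip(r["target"])]
            return {"service": service, "warnings": warnings,
                    "targets": [(r["target"], r["port"]) for r in ordered]}
    return {"service": None, "targets": [], "warnings": ["no discovery SRV record returned"]}


if __name__ == "__main__":
    print(plan(parse_srv(SAMPLE_ANSWER)))
```

With the guide's records the client-side order is cucm1, cucm2, cucm3, because priority 1 is tried before 2 and 6 regardless of weight.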

CUP Login SRV Record

Cisco Jabber can automatically discover and connect to Cisco Unified Presence or Cisco Unified Communications Manager IM and Presence Service with the _cuplogin SRV record.

The following figure shows how the client uses the _cuplogin SRV record.

Figure 7: CUP SRV Record Login Flow

1. The client queries the domain name server for SRV records.

2. The name server returns the _cuplogin SRV record.

As a result, Cisco Jabber can locate the presence server and determine that Cisco Unified Presence is the authenticator.

3. The client prompts the user for credentials and authenticates to the presence server.

4. The client retrieves service profiles from the presence server.

Tip

The _cuplogin SRV record also sets the default server address on the Advanced Settings window.

The following is an example of the _cuplogin SRV record:

_cuplogin._tcp.example.com SRV service location:
    priority = 8
    weight = 50
    port = 8443
    svr hostname = cup3.example.com

_cuplogin._tcp.example.com SRV service location:
    priority = 5
    weight = 100
    port = 8443
    svr hostname = cup1.example.com

_cuplogin._tcp.example.com SRV service location:
    priority = 7
    weight = 4
    port = 8443
    svr hostname = cup2.example.com

Collaboration Edge SRV Record

Cisco Jabber can attempt to connect to internal servers through Expressway for Mobile and Remote Access to discover services with the following _collab-edge SRV record.

The following figure shows how the client uses the _collab-edge SRV record.

Figure 8: Collaboration Edge Record Login Flow

1. The client queries the external domain name server for SRV records.

2. The name server returns the _collab-edge SRV record and does not return the _cuplogin or _cisco-uds SRV records.

As a result, Cisco Jabber can locate the Cisco Expressway-E server.

3. The client requests the internal SRV records (through Expressway) from the internal domain name server.

These SRV records must include the _cisco-uds SRV record.

4. The client obtains the internal SRV records (through Expressway).

As a result, the client can locate the Cisco Unified Communications Manager server.

5. The client requests the service profiles (through Expressway) from Cisco Unified Communications Manager.

6. The client retrieves the service profiles (through Expressway) from Cisco Unified Communications Manager.

The service profile contains the user's home cluster, the primary source of authentication, and the client configuration.

CHAPTER 7

Security

• Federal Information Processing Standards

• Compliance and Policy Control for File Transfer and Screen Capture

• Instant Message Encryption

Federal Information Processing Standards

Note

This section applies to Cisco Jabber for Windows only.

The Federal Information Processing Standard (FIPS) 140 is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules. These cryptographic modules include the set of hardware, software, and firmware that implements approved security functions and is contained within the cryptographic boundary.

FIPS requires that all encryption, key exchange, digital signatures, and hash and random number generation functions used within the client are compliant with the FIPS 140-2 requirements for the security of cryptographic modules.

FIPS mode results in the client managing certificates more strictly. Users in FIPS mode may see certificate errors in the client if a certificate for a service expires and they haven't reentered their credentials. Users also see a FIPS icon in their hub window to indicate that the client is running in FIPS mode.

Enable FIPS for Cisco Jabber for Windows

Cisco Jabber for Windows supports two methods of enabling FIPS:

• Operating system enabled—The Windows operating system is in FIPS mode.

• Cisco Jabber bootstrap setting—Configure the FIPS_MODE installer switch. Cisco Jabber can be in FIPS mode on an operating system that is not FIPS enabled. In this scenario, only connections with non-Windows APIs are in FIPS mode.

Table 1: Cisco Jabber for Windows Setting for FIPS

| Platform Mode | Bootstrap Setting | Cisco Jabber Client Setting |
|---|---|---|
| FIPS Enabled | FIPS Enabled | FIPS Enabled—Bootstrap setting. |
| FIPS Enabled | FIPS Disabled | FIPS Disabled—Bootstrap setting. |
| FIPS Enabled | No setting | FIPS Enabled—Platform setting. |
| FIPS Disabled | FIPS Enabled | FIPS Enabled—Bootstrap setting. |
| FIPS Disabled | FIPS Disabled | FIPS Disabled—Bootstrap setting. |
| FIPS Disabled | No setting | FIPS Disabled—Platform setting. |

Compliance and Policy Control for File Transfer and Screen Capture

If you send file transfers and screen captures using the Managed file transfer option on Cisco Unified Communications Manager IM and Presence 10.5(2) or later, you can send the files to a compliance server for audit and policy enforcement.

For more information about compliance, see the Instant Messaging Compliance for IM and Presence Service on Cisco Unified Communications Manager guide.

For more information about configuring file transfer and screen capture, see the Cisco Unified Communications Manager IM and Presence Deployment and Installation Guide.

Instant Message Encryption

Cisco Jabber uses Transport Layer Security (TLS) to secure Extensible Messaging and Presence Protocol (XMPP) traffic over the network between the client and server. Cisco Jabber encrypts point to point instant messages.

On-Premises Encryption

The following table summarizes the details for instant message encryption in on-premises deployments.

| Connection | Protocol | Negotiation Certificate | Expected Encryption Algorithm |
|---|---|---|---|
| Client to server | XMPP over TLS v1.2 | X.509 public key infrastructure certificate | AES 256 bit |

Server and Client Negotiation

The following servers negotiate TLS encryption with Cisco Jabber using X.509 public key infrastructure (PKI) certificates:

• Cisco Unified Communications Manager IM and Presence

• Cisco Unified Communications Manager

After the server and client negotiate TLS encryption, both the client and server generate and exchange session keys to encrypt instant messaging traffic.

The following table lists the PKI certificate key lengths for Cisco Unified Communications Manager IM and Presence Service.

| Version | Key Length |
|---|---|
| Cisco Unified Communications Manager IM and Presence Service versions 9.0.1 and higher | 2048 bit |
| Cisco Unified Presence version 8.6.4 | 2048 bit |
| Cisco Unified Presence versions lower than 8.6.4 | 1024 bit |

XMPP Encryption

Cisco Unified Communications Manager IM and Presence Service uses 256-bit length session keys that are encrypted with the AES algorithm to secure instant message traffic between Cisco Jabber and the presence server.

If you require additional security for traffic between server nodes, you can configure XMPP security settings on Cisco Unified Communications Manager IM and Presence Service. See the following for more information about security settings:

• Cisco Unified Presence—Configuring Security on Cisco Unified Presence

• Cisco Unified Communications Manager IM and Presence Service—Security configuration on IM and Presence

Instant Message Logging

You can log and archive instant messages for compliance with regulatory guidelines. To log instant messages, you either configure an external database or integrate with a third-party compliance server. Cisco Unified Communications Manager IM and Presence Service does not encrypt instant messages that you log in external databases or in third-party compliance servers. You must configure your external database or third-party compliance server as appropriate to protect the instant messages that you log.

See the following for more information about compliance:

• Cisco Unified Presence—Instant Messaging Compliance Guide

• Cisco Unified Communications Manager IM and Presence Service—Instant Messaging Compliance for IM and Presence Service

For more information about encryption levels and cryptographic algorithms, including symmetric key algorithms such as AES or public key algorithms such as RSA, see Next Generation Encryption at this link: http://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html.

For more information about X.509 public key infrastructure certificates, see the Internet X.509 Public Key Infrastructure Certificate and CRL Profile document at this link: https://www.ietf.org/rfc/rfc2459.txt.

Cloud-Based Encryption

The following table summarizes the details for instant message encryption in cloud-based deployments:

| Connection | Protocol | Negotiation Certificate | Expected Encryption Algorithm |
|---|---|---|---|
| Client to server | XMPP within TLS | X.509 public key infrastructure certificate | AES 128 bit |
| Client to client | XMPP within TLS | X.509 public key infrastructure certificate | AES 256 bit |

Server and Client Negotiation

The following servers negotiate TLS encryption with Cisco Jabber using X.509 public key infrastructure (PKI) certificates with the Cisco WebEx Messenger service.

After the server and client negotiate TLS encryption, both the client and server generate and exchange session keys to encrypt instant messaging traffic.

XMPP Encryption

The Cisco WebEx Messenger service uses 128-bit session keys that are encrypted with the AES algorithm to secure instant message traffic between Cisco Jabber and the Cisco WebEx Messenger service.

You can optionally enable 256-bit client-to-client AES encryption to secure the traffic between clients.

Instant Message Logging

The Cisco WebEx Messenger service can log instant messages, but it does not archive those instant messages in an encrypted format. However, the Cisco WebEx Messenger service uses stringent data center security, including SAE-16 and ISO-27001 audits, to protect the instant messages that it logs.

The Cisco WebEx Messenger service cannot log instant messages if you enable AES 256 bit client-to-client encryption.

For more information about encryption levels and cryptographic algorithms, including symmetric key algorithms such as AES or public key algorithms such as RSA, see Next Generation Encryption at this link: http://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html.

For more information about X.509 public key infrastructure certificates, see the Internet X.509 Public Key Infrastructure Certificate and CRL Profile document at this link: https://www.ietf.org/rfc/rfc2459.txt.

Client-to-Client Encryption

By default, instant messaging traffic between the client and the Cisco WebEx Messenger service is secure.

You can optionally specify policies in the Cisco WebEx Administration Tool to secure instant messaging traffic between clients.

The following policies specify client-to-client encryption of instant messages:

Support AES Encoding For IM—Sending clients encrypt instant messages with the AES 256-bit algorithm. Receiving clients decrypt instant messages.

Support No Encoding For IM—Clients can send and receive instant messages to and from other clients that do not support encryption.

The following table describes the different combinations that you can set with these policies.

Policy Combination: Support AES Encoding For IM = false, Support No Encoding For IM = true

• Client-to-Client Encryption: No

• When the Remote Client Supports AES Encryption: Cisco Jabber sends unencrypted instant messages. Cisco Jabber does not negotiate a key exchange. As a result, other clients do not send Cisco Jabber encrypted instant messages.

• When the Remote Client Does not Support AES Encryption: Cisco Jabber sends and receives unencrypted instant messages.

Policy Combination: Support AES Encoding For IM = true, Support No Encoding For IM = true

• Client-to-Client Encryption: Yes

• When the Remote Client Supports AES Encryption: Cisco Jabber sends and receives encrypted instant messages. Cisco Jabber displays an icon to indicate instant messages are encrypted.

• When the Remote Client Does not Support AES Encryption: Cisco Jabber sends encrypted instant messages. Cisco Jabber receives unencrypted instant messages.

Policy Combination: Support AES Encoding For IM = true, Support No Encoding For IM = false

• Client-to-Client Encryption: Yes

• When the Remote Client Supports AES Encryption: Cisco Jabber sends and receives encrypted instant messages. Cisco Jabber displays an icon to indicate instant messages are encrypted.

• When the Remote Client Does not Support AES Encryption: Cisco Jabber does not send or receive instant messages to the remote client. Cisco Jabber displays an error message when users attempt to send instant messages to the remote client.

Note

Cisco Jabber does not support client-to-client encryption with group chats. Cisco Jabber uses client-to-client encryption for point-to-point chats only.

For more information about encryption and Cisco WebEx policies, see About Encryption Levels in the Cisco WebEx documentation.

Encryption Icons

Review the icons that the client displays to indicate encryption levels.

Lock Icon for Client to Server Encryption

In both on-premises and cloud-based deployments, Cisco Jabber displays the following icon to indicate client to server encryption:

Padlock Icon for Client to Client Encryption

In cloud-based deployments, Cisco Jabber displays the following icon to indicate client to client encryption:

Local Chat History

Chat history is retained after participants close the chat window and until participants sign out. If you do not want to retain chat history after participants close the chat window, set the Disable_IM_History parameter to true. This parameter is available to all clients except IM-only users.

For on-premises deployment of Cisco Jabber for Mac, if you select the Save chat archives to: option in the Chat Preferences window of Cisco Jabber for Mac, chat history is stored locally in the Mac file system and can be searched using Spotlight.

Cisco Jabber does not encrypt archived instant messages when local chat history is enabled.

For mobile clients, you can disable local chat history if you do not want unencrypted instant messages to be stored locally.

For desktop clients, you can restrict access to chat history by saving archives to the following directories:

• Windows: %USERPROFILE%\AppData\Local\Cisco\Unified Communications\Jabber\CSF\History\uri.db

• Mac: ~/Library/Application Support/Cisco/Unified Communications/Jabber/CSF/History/uri.db

CHAPTER 8

Planning Considerations

• DNS Configuration

• How the Client Connects to Services

• High Availability

• Computer Telephony Integration

DNS Configuration

How the Client Uses DNS

Cisco Jabber uses domain name servers to do the following:

• Determine whether the client is inside or outside the corporate network.

• Automatically discover on-premises servers inside the corporate network.

• Locate access points for Expressway for Mobile and Remote Access on the public Internet.

How the Client Finds a Name Server

Cisco Jabber looks for DNS records from:

• Internal name servers inside the corporate network.

• External name servers on the public Internet.

When the client’s host computer or device gets a network connection, the host computer or device also gets the address of a DNS name server from the DHCP settings. Depending on the network connection, that name server might be internal or external to the corporate network.

Cisco Jabber queries the name server that the host computer or device gets from the DHCP settings.

How the Client Gets a Services Domain

The services domain is discovered by the Cisco Jabber client in different ways.

New installation:

• User enters an address in the format [email protected] in the client user interface.

• User clicks on a configuration URL that includes the service domain. This option is only available in the following versions of the client:

◦ Cisco Jabber for Android release 9.6 or later

◦ Cisco Jabber for Mac release 9.6 or later

◦ Cisco Jabber for iPhone and iPad release 9.6.1 or later

• The client uses installation switches in bootstrap files. This option is only available in the following version of the client:

◦ Cisco Jabber for Windows release 9.6 or later

Existing installation:

• The client uses the cached configuration.

• User manually enters an address in the client user interface.

In hybrid deployments, the domain required to discover the Cisco WebEx domain through Central Authentication Service (CAS) lookup may be different from the domain where the DNS records are deployed. In this scenario, you set the ServicesDomain to be the domain used to discover Cisco WebEx and set the VoiceServicesDomain to be the domain where DNS records are deployed. The voice services domain is configured as follows:

• The client uses the VoiceServicesDomain parameter in the configuration file. This option is available in clients that support the jabber-config.xml file.

• User clicks on a configuration URL that includes the VoiceServicesDomain. This option is available in the following clients:

◦Cisco Jabber for Android release 9.6 or later

◦Cisco Jabber for Mac release 9.6 or later

◦Cisco Jabber for iPhone and iPad release 9.6.1 or later

• The client uses the Voice_Services_Domain installation switch in the bootstrap files. This option is only available in the following version of the client:

◦Cisco Jabber for Windows release 9.6 or later

After Cisco Jabber gets the services domain, it queries the name server that is configured on the client computer or device.

How the Client Discovers Available Services

The following figure shows the flow that the client uses to connect to services.

Figure 9: Login Flow for Service Discovery

To discover available services, the client does the following:

1. Checks if the network is inside or outside the firewall and if Expressway for Mobile and Remote Access is deployed. The client sends a query to the name server to get DNS Service (SRV) records.

2. Starts monitoring for network changes.

When Expressway for Mobile and Remote Access is deployed, the client monitors the network to ensure that it can reconnect if the network changes from inside or outside the firewall.

3. Issues an HTTP query to a CAS URL for the Cisco WebEx Messenger service.

This query enables the client to determine if the domain is a valid Cisco WebEx domain.

When Expressway for Mobile and Remote Access is deployed, the client connects to Cisco WebEx Messenger Service and uses Expressway for Mobile and Remote Access to connect to Cisco Unified Communications Manager. When the client launches for the first time, the user sees a Phone Services Connection Error and must enter their credentials in the client options screen; subsequent launches use the cached information.

4. Queries the name server to get DNS Service (SRV) records, unless the records exist in the cache from a previous query.

This query enables the client to do the following:

• Determine which services are available.

• Determine if it can connect to the corporate network through Expressway for Mobile and Remote Access.

Client Issues an HTTP Query

In addition to querying the name server for SRV records to locate available services, Cisco Jabber sends an HTTP query to the CAS URL for the Cisco WebEx Messenger service. This request enables the client to determine cloud-based deployments and authenticate users to the Cisco WebEx Messenger service.

When the client gets a services domain from the user, it appends that domain to the following HTTP query: http://loginp.webexconnect.com/cas/FederatedSSO?org=

For example, if the client gets example.com as the services domain from the user, it issues the following query: http://loginp.webexconnect.com/cas/FederatedSSO?org=example.com

That query returns an XML response that the client uses to determine if the services domain is a valid Cisco WebEx domain.

If the client determines the services domain is a valid Cisco WebEx domain, it prompts users to enter their Cisco WebEx credentials. The client then authenticates to the Cisco WebEx Messenger service and retrieves the configuration and UC services that are configured in Cisco WebEx Org Admin.

If the client determines the services domain is not a valid Cisco WebEx domain, it uses the results of the query to the name server to locate available services.

When the client sends the HTTP request to the CAS URL, it uses configured system proxies.

For the desktop clients, to configure a proxy in the LAN Settings of Internet Explorer, you must specify a .pac file URL as the automatic configuration script or specify an explicit proxy address under Proxy server.

For iOS clients, you can configure a proxy in the Wi-Fi settings of an iOS device, using one of the following methods:

1. Go to Wi-Fi > HTTP PROXY > Auto tab and use Web Proxy Auto-Discovery (WPAD) protocol lookup. Do not specify a .pac file URL.

2. Specify a .pac file URL as the automatic configuration script in Wi-Fi > HTTP PROXY > Auto tab.

3. Specify an explicit proxy address in Wi-Fi > HTTP PROXY > Manual tab.

For Android clients, you can configure a proxy in the Wi-Fi settings of an Android device using one of the following methods:

1. Specify a .pac file URL as the automatic configuration script in Wi-Fi Networks > Modify Network > Show Advanced Options > Proxy Settings > Auto tab.

Note

This method is only supported on devices with Android OS 5.0 and higher, and Cisco DX series devices.

2. Specify an explicit proxy address in Wi-Fi Networks > Modify Network > Show Advanced Options > Proxy Settings > Auto tab.

The following limitations apply when using a proxy for these HTTP requests:

• Proxy Authentication is not supported.

• Wildcards in the bypass list are not supported. Use example.com instead of *.example.com.

• Web Proxy Auto-Discovery (WPAD) protocol lookup is only supported for iOS devices.

• Cisco Jabber supports proxy for HTTP request using HTTP CONNECT, but does not support proxy when using HTTPS CONNECT.

Client Queries the Name Server

When the client queries a name server, it sends separate, simultaneous requests to the name server for SRV records.

The client requests the following SRV records in the following order:

• _cisco-uds

• _cuplogin

• _collab-edge

If the name server returns:

• _cisco-uds—The client detects it is inside the corporate network and connects to Cisco Unified Communications Manager.

• _cuplogin—The client detects it is inside the corporate network and connects to Cisco Unified Presence.

• _collab-edge—The client attempts to connect to the internal network through Expressway for Mobile and Remote Access and discover services.

• None of the SRV records—The client prompts users to manually enter setup and sign-in details.

Client Connects to Internal Services

The following figure shows how the client connects to internal services:

Figure 10: Client Connecting to Internal Services

When connecting to internal services, the goals are to determine the authenticator, sign users in, and connect to available services.

Three possible authenticators can get users past the sign-in screen, as follows:

• Cisco WebEx Messenger service—Cloud-based or hybrid cloud-based deployments.

• Cisco Unified Presence—On-premises deployments in the default product mode. The default product mode can be either full UC or IM only.

• Cisco Unified Communications Manager—On-premises deployments in phone mode.

The client connects to any services it discovers, which varies depending on the deployment.

1. If the client discovers that the CAS URL lookup indicates a Cisco WebEx user, the client does the following:

a. Determines that the Cisco WebEx Messenger service is the primary source of authentication.

b. Automatically connects to the Cisco WebEx Messenger service.

c. Prompts the user for credentials.

d. Retrieves client and service configuration.

2. If the client discovers a _cisco-uds SRV record, the client does the following:

a. Prompts the user for credentials to authenticate with Cisco Unified Communications Manager.

b. Locates the user's home cluster.

Locating the home cluster enables the client to automatically get the user's device list and register with Cisco Unified Communications Manager.

Important

In an environment with multiple Cisco Unified Communications Manager clusters, you must configure the Intercluster Lookup Service (ILS). ILS enables the client to find the user's home cluster.

See the appropriate version of the Cisco Unified Communications Manager Features and Services Guide to learn how to configure ILS.

c. Retrieves the service profile.

The service profile provides the client with the authenticator as well as client and UC service configuration.

The client determines the authenticator from the value of the Product type field in the IM and presence profile, as follows:

• Cisco Unified Communications Manager—Cisco Unified Presence or Cisco Unified Communications Manager IM and Presence Service is the authenticator.

• WebEx (IM and Presence)—Cisco WebEx Messenger service is the authenticator.

Note

As of this release, the client issues an HTTP query in addition to the query for SRV records. The HTTP query allows the client to determine if it should authenticate to the Cisco WebEx Messenger service.

As a result of the HTTP query, the client connects to the Cisco WebEx Messenger service in cloud-based deployments. Setting the value of the Product type field to WebEx has no effect if the client has already discovered the WebEx service using a CAS lookup.

• Not set—If the service profile does not contain an IM and Presence Service configuration, the authenticator is Cisco Unified Communications Manager.

d. Signs in to the authenticator.

After the client signs in, it can determine the product mode.

3. If the client discovers a _cuplogin SRV record, the client does the following:

a. Determines that Cisco Unified Presence is the primary source of authentication.

b. Automatically connects to the server.

c. Prompts the user for credentials.

d. Retrieves client and service configuration.

Client Connects through Expressway for Mobile and Remote Access

If the name server returns the _collab-edge SRV record, the client attempts to connect to internal servers through Expressway for Mobile and Remote Access.

The following figure shows how the client connects to internal services when the client is connected to the network through Expressway for Mobile and Remote Access:

Figure 11: Client Connects through Expressway for Mobile and Remote Access

When the name server returns the _collab-edge SRV record, the client gets the location of the Cisco Expressway-E server. The Cisco Expressway-E server then provides the client with the results of the query to the internal name server.

Note

The Cisco Expressway-C server looks up the internal SRV records and provides the records to the Cisco Expressway-E server.

After the client gets the internal SRV records, which must include the _cisco-uds SRV record, it retrieves service profiles from Cisco Unified Communications Manager. The service profiles then provide the client with the user's home cluster, the primary source of authentication, and configuration.

Domain Name System Designs

Where you deploy DNS service (SRV) records depends on the design of your DNS namespace. Typically there are two DNS designs:

• Separate domain names outside and inside the corporate network.

• Same domain name outside and inside the corporate network.

Separate Domain Design

The following figure shows a separate domain design:

Figure 12: Separate Domain Design

An example of a separate domain design is one where your organization registers the following external domain with an Internet name authority: example.com.

Your company also uses an internal domain that is one of the following:

• A subdomain of the external domain, for example, example.local.

• A different domain to the external domain, for example, exampledomain.com.

Separate domain designs have the following characteristics:

• The internal name server has zones that contain resource records for internal domains. The internal name server is authoritative for the internal domains.

• The internal name server forwards requests to the external name server when a DNS client queries for external domains.

• The external name server has a zone that contains resource records for your organization’s external domain. The external name server is authoritative for that domain.

• The external name server can forward requests to other external name servers. However, the external name server cannot forward requests to the internal name server.

Deploy SRV Records in a Separate Domain Structure

In a separate name design there are two domains, an internal domain and an external domain. The client queries for SRV records in the services domain. The internal name server must serve records for the services domain. However in a separate name design, a zone for the services domain might not exist on the internal name server.

If the services domain is not currently served by the internal name server, you can:

• Deploy records within an internal zone for the services domain.

• Deploy records within a pinpoint subdomain zone on the internal name server.

Use an Internal Zone for a Services Domain

If you do not already have a zone for the services domain on the internal name server, you can create one.

This method makes the internal name server authoritative for the services domain. Because it is authoritative, the internal name server does not forward queries to any other name server.

This method changes the forwarding relationship for the entire domain and has the potential to disrupt your internal DNS structure. If you cannot create an internal zone for the services domain, you can create a pinpoint subdomain zone on the internal name server.

Same Domain Design

An example of a same domain design is one where your organization registers example.com as an external domain with an Internet name authority. Your organization also uses example.com as the name of the internal domain.

Single Domain, Split-Brain

The following figure shows a single domain with a split-brain domain design.

Figure 13: Single Domain, Split-Brain

Two DNS zones represent the single domain; one DNS zone in the internal name server and one DNS zone in the external name server.

Both the internal name server and the external name server are authoritative for the single domain but serve different communities of hosts.

• Hosts inside the corporate network access only the internal name server.

• Hosts on the public Internet access only the external name server.

• Hosts that move between the corporate network and the public Internet access different name servers at different times.

Single Domain, Not Split-Brain

The following figure shows a single domain that does not have a split-brain domain design.

Figure 14: Single Domain, Not Split-Brain

In the single domain, not split-brain design, internal and external hosts are served by one set of name servers and can access the same DNS information.

Important

This design is not common because it exposes more information about the internal network to potential attackers.
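
The SRV-to-behaviour mapping in "Client Queries the Name Server" and the internal and external name server views described in the DNS designs can be checked against each other. The following Python example is added here and is not Cisco code: it parses dig-style SRV answers from each view, reports what the guide says the client does with them, and flags an external view that publishes _cisco-uds or _cuplogin. The sample answers, the _tcp and _tls protocol labels, ports, TTLs and host names are constructed for illustration.

```python
"""Audit Jabber service-discovery SRV records as seen from two DNS views."""
from dataclasses import dataclass

# Service labels the guide lists, in the order it lists them.
INTERNAL = ("_cisco-uds", "_cuplogin")
EDGE = "_collab-edge"


@dataclass(frozen=True)
class Srv:
    service: str  # first owner label, e.g. "_cisco-uds"
    domain: str   # services domain the record is published under
    port: int
    target: str


def parse_answers(text):
    """Parse dig-style lines: owner TTL IN SRV priority weight port target."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0].startswith(";"):
            continue  # comment, blank line or some other record layout
        if [f.upper() for f in fields[2:4]] != ["IN", "SRV"]:
            continue
        labels = fields[0].rstrip(".").lower().split(".")
        # Owner name is _service._proto.<domain>; both prefixes start with "_".
        if len(labels) < 3 or not all(lab.startswith("_") for lab in labels[:2]):
            continue
        records.append(Srv(labels[0], ".".join(labels[2:]),
                           int(fields[6]), fields[7].rstrip(".").lower()))
    return records


def client_outcome(services):
    """Map the set of SRV labels a name server returned to the client action."""
    if "_cisco-uds" in services:
        return "inside: connect to Cisco Unified Communications Manager"
    if "_cuplogin" in services:
        return "inside: connect to Cisco Unified Presence"
    if EDGE in services:
        return "outside: connect through Expressway for Mobile and Remote Access"
    return "manual: prompt for setup and sign-in details"


def audit_views(internal_text, external_text, domain, mra_deployed=True):
    """Return findings for one services domain across both name server views."""
    domain = domain.lower()
    inside = {r.service for r in parse_answers(internal_text) if r.domain == domain}
    outside = [r for r in parse_answers(external_text) if r.domain == domain]
    findings = []
    for rec in outside:
        if rec.service in INTERNAL:
            findings.append(
                f"external view publishes {rec.service} -> {rec.target}:{rec.port}; "
                "clients on the Internet will act as if inside the corporate network")
    if not inside.intersection(INTERNAL):
        findings.append("internal view returns neither _cisco-uds nor _cuplogin")
    if mra_deployed and EDGE not in {r.service for r in outside}:
        findings.append("external view has no _collab-edge record for remote clients")
    return findings


# Constructed sample answers (host names, ports and TTLs are illustrative).
INTERNAL_VIEW = """\
; internal name server
_cisco-uds._tcp.example.com. 86400 IN SRV 0 1 8443 cucm1.example.com.
_cuplogin._tcp.example.com.  86400 IN SRV 0 1 8443 imp1.example.com.
"""
EXTERNAL_CLEAN = """\
; external name server, split-brain design
_collab-edge._tls.example.com. 86400 IN SRV 0 1 8443 expe1.example.com.
"""
EXTERNAL_LEAKY = EXTERNAL_CLEAN + """\
; same zone served to everyone (not split-brain)
_cisco-uds._tcp.example.com. 86400 IN SRV 0 1 8443 cucm1.example.com.
"""

if __name__ == "__main__":
    for name, view in (("clean", EXTERNAL_CLEAN), ("leaky", EXTERNAL_LEAKY)):
        seen = {r.service for r in parse_answers(view)}
        print(name, "->", client_outcome(seen))
        for finding in audit_views(INTERNAL_VIEW, view, "example.com"):
            print("  finding:", finding)
```

To audit a real deployment, replace the sample strings with the answer sections collected from your own internal and external name servers.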

How the Client Connects to Services

To connect to services, Cisco Jabber requires the following information:

• Source of authentication that enables users to sign in to the client.

• Location of services.

You can provide that information to the client with the following methods:

URL Configuration

Users are sent an email from their administrators. The email contains a URL that will configure the domain needed for service discovery.

Service Discovery

The client automatically locates and connects to services.

Manual Connection Settings

Users manually enter connection settings in the client user interface.

Recommended Connection Methods

The method that you should use to provide the client with the information it needs to connect to services depends on your deployment type, server versions, and product modes. The following tables highlight various deployment methods and how to provide the client with the necessary information.

Table 2: On-Premises Deployments for Cisco Jabber for Windows

| Product Mode | Server Versions | Discovery Method | Non DNS SRV Record Method |
|---|---|---|---|
| Full UC (default mode) | Release 9.1.2 and later: Cisco Unified Communications Manager; Cisco Unified Communications Manager IM and Presence Service | A DNS SRV request against _cisco-uds.<domain> | Use the following installer switches and values: AUTHENTICATOR=CUP; CUP_ADDRESS=<presence_server_address> |
| Full UC (default mode) | Release 8.x: Cisco Unified Communications Manager; Cisco Unified Presence | A DNS SRV request against _cuplogin.<domain> | Use the following installer switches and values: AUTHENTICATOR=CUP; CUP_ADDRESS=<presence_server_address> |
| IM Only (default mode) | Release 9 and later: Cisco Unified Communications Manager IM and Presence Service | A DNS SRV request against _cisco-uds.<domain> | Use the following installer switches and values: AUTHENTICATOR=CUP; CUP_ADDRESS=<presence_server_address> |
| IM Only (default mode) | Release 8.x: Cisco Unified Presence | A DNS SRV request against _cuplogin.<domain> | Use the following installer switches and values: AUTHENTICATOR=CUP; CUP_ADDRESS=<presence_server_address> |
| Phone Mode | Release 9 and later: Cisco Unified Communications Manager | A DNS SRV request against _cisco-uds.<domain> | Use the following installer switches and values: AUTHENTICATOR=CUCM; TFTP=<CUCM_address>; CCMCIP=<CUCM_address>; PRODUCT_MODE=phone_mode. High availability is not supported using this method of deployment. |
| Phone Mode | Release 8.x: Cisco Unified Communications Manager | Manual connection settings | Use the following installer switches and values: AUTHENTICATOR=CUCM; TFTP=<CUCM_address>; CCMCIP=<CUCM_address>; PRODUCT_MODE=phone_mode. High availability is not supported using this method of deployment. |

Cisco Unified Communications Manager release 9.x and earlier—If you enable Cisco Extension Mobility, the Cisco Extension Mobility service must be activated on the Cisco Unified Communications Manager nodes that are used for CCMCIP. For information about Cisco Extension Mobility, see the Feature and Services guide for your Cisco Unified Communications Manager release.

Note

Cisco Jabber release 9.6 and later can still discover full Unified Communications and IM-only services using the _cuplogin DNS SRV request but a _cisco-uds request will take precedence if it is present.

Use the SERVICES_DOMAIN installer switch to specify the value of the domain where DNS records reside if you want users to bypass the email screen during the first login of a fresh installation.

Note

The services domain is read from a cached configuration if you are upgrading from Cisco Jabber for Windows 9.2.

Table 3: On-Premises Deployments for Cisco Jabber for Mac

| Product Mode | Server Versions | Discovery Method |
|---|---|---|
| Full UC (default mode) | Release 9 and later: Cisco Unified Communications Manager; Cisco Unified Communications Manager IM and Presence Service | A DNS SRV request against _cisco-uds.<domain> |
| Full UC (default mode) | Release 8.x: Cisco Unified Communications Manager; Cisco Unified Presence | A DNS SRV request against _cuplogin.<domain> |

Table 4: On-Premises Deployments for Cisco Jabber for Android and Cisco Jabber for iPhone and iPad

| Product Mode | Server Versions | Discovery Method |
|---|---|---|
| Full UC (default mode) | Release 9 and later: Cisco Unified Communications Manager; Cisco Unified Communications Manager IM and Presence Service | A DNS SRV request against _cisco-uds.<domain> and _cuplogin.<domain> |
| Full UC (default mode) | Release 8.x: Cisco Unified Communications Manager; Cisco Unified Presence | A DNS SRV request against _cuplogin.<domain> |
| IM Only (default mode) | Release 9 and later: Cisco Unified Communications Manager IM and Presence Service | A DNS SRV request against _cisco-uds.<domain> and _cuplogin.<domain> |
| IM Only (default mode) | Release 8.x: Cisco Unified Presence | A DNS SRV request against _cuplogin.<domain> |
| Phone mode | Release 9 and later: Cisco Unified Communications Manager | A DNS SRV request against _cisco-uds.<domain> |
| Phone mode | Release 8.x: Cisco Unified Communications Manager | Manual connection settings or bootstrap file; Manual connection settings |

Note

Cisco Unified Communications Manager version 9 and later can still discover full Unified Communications and IM-only services using the _cuplogin DNS SRV request but a _cisco-uds request will take precedence if it is present.

Table 5: Hybrid Cloud-Based Deployments

| Server Versions | Connection Method |
|---|---|
| Cisco WebEx Messenger | HTTPS request against http://loginp.webexconnect.com/cas/FederatedSSO?org=<domain> |

Table 6: Cloud-Based Deployments

| Deployment Type | Connection Method |
|---|---|
| Enabled for single sign-on (SSO) | Cisco WebEx Administration Tool; Bootstrap file to set the SSO_ORG_DOMAIN argument. |
| Not enabled for SSO | Cisco WebEx Administration Tool |

Sources of Authentication

A source of authentication, or an authenticator, enables users to sign in to the client.

Three possible sources of authentication are as follows:

• Cisco Unified Communications Manager IM and Presence—On-premises deployments in either full UC or IM only.

• Cisco Unified Communications Manager—On-premises deployments in phone mode.

• Cisco WebEx Messenger Service—Cloud-based or hybrid cloud-based deployments.

High Availability

High Availability for Instant Messaging and Presence

High availability refers to an environment in which multiple nodes exist in a subcluster to provide failover capabilities for instant messaging and presence services. If one node in a subcluster becomes unavailable, the instant messaging and presence services from that node failover to another node in the subcluster. In this way, high availability ensures reliable continuity of instant messaging and presence services for Cisco Jabber.

When using an LDAP or UDS contact source on Cisco Jabber for Mac and Cisco Jabber for mobile clients, high availability is not supported. High availability is only supported for LDAP (EDI) on Cisco Jabber for Windows.

Cisco Jabber supports high availability with the following servers:

Cisco Unified Presence releases 8.5 and 8.6

Use the following Cisco Unified Presence documentation for more information about high availability.

Configuration and Administration of Cisco Unified Presence Release 8.6

Multi-node Deployment Administration

Troubleshooting High Availability

Deployment Guide for Cisco Unified Presence Release 8.0 and 8.5

Planning a Cisco Unified Presence Multi-Node Deployment

Cisco Unified Communications Manager IM and Presence Service release 9.0 and higher

Use the following Cisco Unified Communications Manager IM and Presence Service documentation for more information about high availability.

Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager

High Availability Client Login Profiles

Troubleshooting High Availability

Active Calls on Hold During Failover

You cannot place an active call on hold if failover occurs from the primary instance of Cisco Unified Communications Manager to the secondary instance.

High Availability in the Client

Client Behavior During Failover

If high availability is configured on the server, then after the primary server fails over to the secondary server, the client temporarily loses presence states for up to one minute. Configure the re-login parameters to define how long the client waits before attempting to re-login to the server.

Configure Login Parameters

In Cisco Unified Communications Manager IM and Presence Service, you can configure the maximum and minimum number of seconds that Cisco Jabber waits before attempting to re-login to the server.

On the server, you specify the re-login parameters in the following fields:

Client Re-Login Lower Limit

Client Re-Login Upper Limit

Client Behavior During a Failover

The following figure shows the client's behavior during a failover of the Cisco Unified Communications Manager IM and Presence service.

Figure 15: Client Behavior During a Failover

1. When the client is disconnected from its active server, the client goes from XMPPCONNECTED state to a FAILOVER state.

2. From a FAILOVER state, the client tries to attain a SOAPCONNECTED state by attempting SOAPCONNECT_SESSION_P (as the primary server), and if that fails, attempts SOAPCONNECT_SESSION_S (as the secondary server).

• If it is unable to attain SOAPCONNECT_SESSION_P or SOAPCONNECT_SESSION_S, the client re-enters into the FAILOVER state.

• From a FAILOVER state, the client attempts to attain a SOAPCONNECT_P state, and if that fails, attempts to reach a SOAPCONNECT_S state.

• If the client cannot reach the SOAPCONNECT_P or SOAPCONNECT_S state, then the client does not attempt any more automatic connections to the IM&P server until a user initiates a login attempt.

3. From a SOAPCONNECT_SESSION_P, SOAPCONNECT_SESSION_S, SOAPCONNECT_P, or SOAPCONNECT_S state, the client retrieves its current primary secondary XMPP server address. This address changes during a failover.

4. From a SOAPCONNECTED state, the client tries to attain an XMPPCONNECTED state by attempting to connect to the XMPPCONNECT_P state, and if that fails, attempts XMPPCONNECT_S state.

• If the client cannot reach XMPPCONNECT_P or XMPPCONNECT_S state, then the client does not attempt any more automatic connections to the IM&P server until a user initiates a login attempt.

5. After the client is in an XMPPCONNECTED state, then the client has IM&P capability.
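
The five steps above form a small state machine, and tracing it shows which outages the client rides through and which leave it waiting for the user. The following Python example is added here and is not Cisco code: it replays the steps for a given set of connection attempts that succeed. The WAIT_FOR_USER_LOGIN label is hypothetical, since the guide names no state for that outcome.

```python
"""Trace the IM and Presence failover states the guide describes."""

SOAP_SESSION = ("SOAPCONNECT_SESSION_P", "SOAPCONNECT_SESSION_S")
SOAP_LOGIN = ("SOAPCONNECT_P", "SOAPCONNECT_S")
XMPP = ("XMPPCONNECT_P", "XMPPCONNECT_S")
# Hypothetical label: the guide names no state for "waits for the user".
WAIT_FOR_USER = "WAIT_FOR_USER_LOGIN"


def _first_success(attempts, succeeds, trace):
    """Try primary then secondary; log each attempt; return the one that works."""
    for attempt in attempts:
        trace.append(attempt)
        if attempt in succeeds:
            return attempt
    return None


def failover_trace(succeeds):
    """Return the states visited after the client loses its active server.

    `succeeds` is the set of connection attempts that would succeed right now.
    """
    trace = ["XMPPCONNECTED", "FAILOVER"]                      # step 1
    if _first_success(SOAP_SESSION, succeeds, trace) is None:  # step 2
        trace.append("FAILOVER")                               # re-enters FAILOVER
        if _first_success(SOAP_LOGIN, succeeds, trace) is None:
            trace.append(WAIT_FOR_USER)                        # no more automatic attempts
            return trace
    trace.append("SOAPCONNECTED")                              # step 3: XMPP address retrieved
    if _first_success(XMPP, succeeds, trace) is None:          # step 4
        trace.append(WAIT_FOR_USER)
        return trace
    trace.append("XMPPCONNECTED")                              # step 5: IM&P capability back
    return trace


def needs_user_login(succeeds):
    """True when automatic recovery stops and a user must start a login."""
    return failover_trace(succeeds)[-1] == WAIT_FOR_USER


if __name__ == "__main__":
    scenarios = {
        "primary node still answers": {"SOAPCONNECT_SESSION_P", "XMPPCONNECT_P"},
        "only secondary node answers": {"SOAPCONNECT_SESSION_S", "XMPPCONNECT_S"},
        "session lost, fresh login on secondary": {"SOAPCONNECT_S", "XMPPCONNECT_S"},
        "XMPP up but no SOAP path": {"XMPPCONNECT_P", "XMPPCONNECT_S"},
    }
    for name, succeeds in scenarios.items():
        print(f"{name}: {' -> '.join(failover_trace(succeeds))}")
```

The last scenario shows that a reachable XMPP server does not help when both SOAP attempts fail, because the client stops before it ever tries XMPP.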

High Availability for Voice and Video

If one node in a subcluster becomes unavailable, voice and video failover to another node in the subcluster.

By default, it takes up to 120 seconds for a software phone device or desk phone to register with another node.

If this timeout period is too long, adjust the value of the SIP Station KeepAlive Interval service parameter for your node. The SIP Station KeepAlive Interval service parameter modifies all phone devices on Cisco Unified Communications Manager. Before you adjust the interval, analyze the impact on the Cisco Unified Communications Manager servers.

To configure service parameters for the node, in Cisco Unified Communications Manager Administration, select System > Service Parameters.

For a phone mode deployment using the non-DNS SRV record method, failover isn't possible for Voice and Video, as there is only one Cisco Unified Communications Manager node specified.

Computer Telephony Integration

Cisco Jabber for Windows and Cisco Jabber for Mac support CTI of Cisco Jabber from a third party application.

Computer Telephony Integration (CTI) enables you to use computer-processing functions while making, receiving, and managing telephone calls. A CTI application can allow you to retrieve customer information from a database on the basis of information that caller ID provides and can enable you to use information that an interactive voice response (IVR) system captures.

For more information on CTI, see the CTI sections in the appropriate release of the Cisco Unified Communications Manager System Guide. Or you can see the following sites on the Cisco Developer Network for information about creating applications for CTI control through Cisco Unified Communications Manager APIs:

• Cisco TAPI: https://developer.cisco.com/site/jtapi/overview/

• Cisco JTAPI: https://developer.cisco.com/site/jtapi/overview/
