Cisco Jabber 10.6 Planning Guide


Chapter 2: Deployment Scenarios

• On-Premises Deployment
• Cloud-Based Deployments
• Deployment with Single Sign-On
• Deployment in a Virtual Environment

On-Premises Deployment

An on-premises deployment is one in which you set up, manage, and maintain all services on your corporate network.

You can deploy Cisco Jabber in the following modes:

Full UC—To deploy full UC mode, enable instant messaging and presence capabilities, provision voicemail and conferencing capabilities, and provision users with devices for audio and video.

IM-Only—To deploy IM-only mode, enable instant messaging and presence capabilities. Do not provision users with devices.

Phone Mode—In Phone mode, the user's primary authentication is to Cisco Unified Communications Manager. To deploy phone mode, provision users with devices for audio and video capabilities. You can also provision users with additional services such as voicemail.

The default product mode is one in which the user's primary authentication is to an IM and presence server.

On-Premises Deployment with Cisco Unified Communications Manager IM and Presence Service

The following services are available in an on-premises deployment with Cisco Unified Communications Manager IM and Presence Service:

Presence—Publish availability and subscribe to other users' availability through Cisco Unified Communications Manager IM and Presence Service.

IM—Send and receive IMs through Cisco Unified Communications Manager IM and Presence Service.


File Transfers—Send and receive files and screenshots through Cisco Unified Communications Manager IM and Presence Service.

Audio Calls—Place audio calls through desk phone devices or computers through Cisco Unified Communications Manager.

Video—Place video calls through Cisco Unified Communications Manager.

Voicemail—Send and receive voice messages through Cisco Unity Connection.

Conferencing—Integrate with one of the following:

◦ Cisco WebEx Meeting Center—Provides hosted meeting capabilities.

◦ Cisco WebEx Meeting Server—Provides on-premises meeting capabilities.

The following figure shows the architecture of an on-premises deployment with Cisco Unified Communications Manager IM and Presence Service.

Figure 1: On-Premises Deployment with Cisco Unified Communications Manager IM and Presence Service

On-Premises Deployment with Cisco Unified Presence

The following services are available in an on-premises deployment with Cisco Unified Presence:


Presence—Publish availability and subscribe to other users' availability through Cisco Unified Presence.

IM—Send and receive IMs through Cisco Unified Presence.

Audio Calls—Place audio calls through desk phone devices or computers through Cisco Unified Communications Manager.

Video—Place video calls through Cisco Unified Communications Manager.

Voicemail—Send and receive voice messages through Cisco Unity Connection.

Conferencing—Integrate with one of the following:

Cisco WebEx Meeting Center—Provides hosted meeting capabilities.

Cisco WebEx Meeting Server—Provides on-premises meeting capabilities.

Note

Cisco Jabber does not support conferencing for mobile clients in phone mode.

The following figure shows the architecture of an on-premises deployment with Cisco Unified Presence.

Figure 2: On-Premises Deployment with Cisco Unified Presence

On-Premises Deployment in Phone Mode

The following services are available in a phone mode deployment:

Contact—This is applicable for mobile clients only. Cisco Jabber updates the contact information from the phone's contact address book.


Audio Calls—Place audio calls through desk phone devices or on computers through Cisco Unified Communications Manager.

Video—Place video calls through Cisco Unified Communications Manager.

Voicemail—Send and receive voice messages through Cisco Unity Connection.

Conferencing—Integrate with one of the following:

Cisco WebEx Meeting Center—Provides hosted meeting capabilities.

Cisco WebEx Meeting Server—Provides on-premises meeting capabilities.

Note

Cisco Jabber for Android and Cisco Jabber for iPhone and iPad do not support conferencing in phone mode.

The following figure shows the architecture of an on-premises deployment in phone mode.

Figure 3: On-Premises Deployment in Phone Mode

Cloud-Based Deployments

A cloud-based deployment is one in which Cisco WebEx hosts services. You manage and monitor your cloud-based deployment with the Cisco WebEx Administration Tool.


Cloud-Based Deployment

The following services are available in a cloud-based deployment:

Contact Source—The Cisco WebEx Messenger service provides contact resolution.

Presence—The Cisco WebEx Messenger service lets users publish their availability and subscribe to other users' availability.

Instant Messaging—The Cisco WebEx Messenger service lets users send and receive instant messages.

Conferencing—Cisco WebEx Meeting Center provides hosted meeting capabilities.

The following figure shows the architecture of a cloud-based deployment.

Figure 4: Cloud-Based Deployment

Hybrid Cloud-Based Deployment

The following services are available in a hybrid cloud-based deployment:


Contact Source—The Cisco WebEx Messenger service provides contact resolution.

Presence—The Cisco WebEx Messenger service allows users to publish their availability and subscribe to other users' availability.

Instant Messaging—The Cisco WebEx Messenger service allows users to send and receive instant messages.

Audio—Place audio calls through desk phone devices or computers through Cisco Unified Communications Manager.

Video—Place video calls through Cisco Unified Communications Manager.

Conferencing—Cisco WebEx Meeting Center provides hosted meeting capabilities.

Voicemail—Send and receive voice messages through Cisco Unity Connection.

The following figure shows the architecture of a hybrid cloud-based deployment.

Figure 5: Hybrid Cloud-Based Deployment

Deployment with Single Sign-On

You can enable your services with Security Assertion Markup Language (SAML) single sign-on (SSO).

SAML SSO can be used in on-premises, cloud, or hybrid deployments.

The following steps describe the sign-in flow for SAML SSO after your users start their Cisco Jabber client:

1. The user starts the Cisco Jabber client. If you configure your Identity Provider (IdP) to prompt your users to sign in using a web form, the form is displayed within the client.

2. The Cisco Jabber client sends an authorization request to the service that it is connecting to, such as Cisco WebEx Messenger service, Cisco Unified Communications Manager, or Cisco Unity Connection.

3. The service redirects the client to request authentication from the IdP.

4. The IdP requests credentials. Credentials can be supplied by one of the following methods:

   • Form-based authentication that contains username and password fields.

   • Kerberos for Integrated Windows Authentication (IWA) (Windows only).

   • Smart card authentication (Windows only).

   • Basic HTTP authentication, in which the client offers the username and password when making an HTTP request.

5. The IdP provides a cookie to the browser or other authentication method. The IdP authenticates the identity using SAML, which allows the service to provide the client with a token.

6. The client uses the token for authentication to log in to the service.

Authentication Methods

The authentication mechanism impacts how a user signs on. For example, if you use Kerberos, the client does not prompt users for credentials, because your users already provided authentication to gain access to the desktop.

User Sessions

Users sign in for a session, which gives them a predefined period to use Cisco Jabber services. To control how long sessions last, you configure cookie and token timeout parameters.

Configure the IdP timeout parameters with an appropriate amount of time to ensure that users are not prompted to log in, for example when Jabber users switch to an external Wi-Fi network, are roaming, or when their laptops hibernate or go to sleep due to user inactivity. Users do not have to log in after resuming the connection, provided the IdP session is still active.

When a session has expired and Jabber is not able to silently renew it, because user input is required, the user is prompted to reauthenticate. This can occur when the authorization cookie is no longer valid.

If Kerberos or a Smart card is used, no action is needed to reauthenticate, unless a PIN is required for the Smart card; there is no risk of interruption to services, such as voicemail, incoming calls, or instant messaging.

Single Sign-On Requirements

SAML 2.0

You must use SAML 2.0 to enable single sign-on (SSO) for Cisco Jabber clients using Cisco Unified Communications Manager services. SAML 2.0 is not compatible with SAML 1.1. You must select an IdP that uses the SAML 2.0 standard. The supported identity providers have been tested to be compliant with SAML 2.0 and can be used to implement SSO.

Supported Identity Providers

The IdP must be Security Assertion Markup Language (SAML) compliant. The clients support the following identity providers:

• Ping Federate 6.10.0.4

• Microsoft Active Directory Federation Services (ADFS) 2.0


• Open Access Manager (OpenAM) 10.1

Note

Ensure that you configure Globally Persistent cookies for use with OpenAM.

When you configure the IdP, the configured settings impact how you sign into the client. Some parameters, such as the type of cookie (persistent or session), or the authentication mechanism (Kerberos or Web form), determine how often you have to be authenticated.

Cookies

To enable cookie sharing with the browser, you must use persistent cookies and not session cookies. Persistent cookies prompt the user to enter credentials one time in the client or in any other desktop application that uses Internet Explorer. Session cookies require that users enter their credentials every time the client is launched.

You configure persistent cookies as a setting on the IdP. If you are using Open Access Manager as your IdP, you must configure Globally Persistent cookies (and not Realm Specific Persistent Cookies).
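The interaction of cookie type, cookie lifetime and token lifetime described under User Sessions and Cookies can be modelled as below. This is an added illustration, not Cisco code: the names `IdpPolicy` and `reauth_prompts`, the absolute (non-sliding) lifetimes, and the assumption that a token does not survive a client restart are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class IdpPolicy:
    cookie_ttl_min: int        # IdP cookie lifetime, configured on the IdP
    token_ttl_min: int         # token lifetime, configured on the service
    persistent_cookie: bool    # False = session cookie, lost when the client exits
    silent_auth: bool = False  # Kerberos, or smart card without PIN: no user input

def reauth_prompts(policy, events):
    """Return the minutes after first sign-in at which the user is prompted.

    events: (minute, kind) pairs; kind is "resume" (wake from sleep, network
    change) or "launch" (client restarted).
    """
    cookie_at = token_at = 0      # both issued at the initial sign-in
    have_cookie = True
    prompts = []
    for minute, kind in sorted(events):
        if kind == "launch":
            token_at = None       # assumption: token is not kept across launches
            have_cookie = policy.persistent_cookie
        if token_at is not None and minute - token_at < policy.token_ttl_min:
            continue              # token still valid, nothing to renew
        cookie_ok = have_cookie and minute - cookie_at < policy.cookie_ttl_min
        if not cookie_ok:
            # The IdP must authenticate again; only a non-silent method
            # needs user input and therefore shows a prompt.
            if not policy.silent_auth:
                prompts.append(minute)
            cookie_at, have_cookie = minute, True
        token_at = minute         # service issues a fresh token
    return prompts

# Constructed sample timeline: three resumes, then a client restart.
SAMPLE_EVENTS = [(90, "resume"), (400, "resume"), (1000, "resume"), (1030, "launch")]

if __name__ == "__main__":
    for label, policy in [
        ("8h persistent cookie", IdpPolicy(480, 60, True)),
        ("8h session cookie", IdpPolicy(480, 60, False)),
        ("24h persistent cookie", IdpPolicy(1440, 60, True)),
        ("8h session cookie + Kerberos", IdpPolicy(480, 60, False, silent_auth=True)),
    ]:
        print(label, "->", reauth_prompts(policy, SAMPLE_EVENTS))
```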

Required Browsers

To share the authentication cookie (issued by IdP) between the browser and the client, you must specify one of the following browsers as your default browser:

Product                             Required Browser
Cisco Jabber for Windows            Internet Explorer
Cisco Jabber for Mac                Safari
Cisco Jabber for iPhone and iPad    Safari
Cisco Jabber for Android            Chrome or Internet Explorer

Note

An embedded browser cannot share a cookie with an external browser when using SSO with Cisco Jabber for Android.

Single Sign-On and Remote Access

For users that provide their credentials from outside the corporate firewall using Expressway Mobile and Remote Access, single sign-on has the following restrictions:

• Single sign-on (SSO) is available with Cisco Expressway 8.5 and Cisco Unified Communications Manager release 10.5.2 or later.

• You cannot use SSO over the Expressway for Mobile and Remote Access on a secure phone.

• The Identity Provider used must have the same internal and external URL. If the URL is different, the user may be prompted to sign in again when changing from inside to outside the corporate firewall and vice versa.


Enable SAML SSO in the Client

Before You Begin

• If you do not use Cisco WebEx Messenger, enable SSO on Cisco Unified Communications Applications 10.5.1 Service Update 1—For information about enabling SAML SSO on this service, read the SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 10.5.

• Enable SSO on Cisco Unity Connection version 10.5—For more information about enabling SAML SSO on this service, read Managing SAML SSO in Cisco Unity Connection.

• If you use Cisco WebEx Messenger, enable SSO on Cisco WebEx Messenger Services to support Cisco Unified Communications Applications and Cisco Unity Connection—For more information about enabling SAML SSO on this service, read about Single Sign-On in the Cisco WebEx Messenger Administrator's Guide.


Procedure

Step 1. Deploy certificates on all servers so that the certificate can be validated by a web browser; otherwise, users receive warning messages about invalid certificates. For more information about certificate validation, see Certificate Validation.

Step 2. Ensure Service Discovery of SAML SSO in the client. The client uses standard service discovery to enable SAML SSO in the client. Enable service discovery by using the following configuration parameters: ServicesDomain, VoiceServicesDomain, and ServiceDiscoveryExcludedServices. For more information about how to enable service discovery, see Configure Service Discovery for Remote Access.

Step 3. Define how long a session lasts.

A session is comprised of cookie and token values. A cookie usually lasts longer than a token. The life of the cookie is defined in the Identity Provider, and the duration of the token is defined in the service.

Step 4. When SSO is enabled, by default all Cisco Jabber users sign in using SSO. Administrators can change this on a per-user basis so that certain users do not use SSO and instead sign in with their Cisco Jabber username and password. To disable SSO for a Cisco Jabber user, set the value of the SSO_Enabled parameter to FALSE.

If you have configured Cisco Jabber not to ask users for their email address, their first sign-in to Cisco Jabber may be non-SSO. In some deployments, the parameter ServicesDomainSsoEmailPrompt needs to be set to ON. This ensures that Cisco Jabber has the information required to perform a first-time SSO sign-in. If users signed in to Cisco Jabber previously, this prompt is not needed because the required information is available.

Related Topics

Single Sign-On

Managing SAML SSO in Cisco Unity Connection

SAML SSO Deployment Guide for Cisco Unified Communications Applications


Deployment in a Virtual Environment

You can deploy Cisco Jabber for Windows in a virtual environment.

The following features are supported in a virtual environment:

• Instant messaging and presence with other Cisco Jabber clients

• Desk phone control

• Voicemail

• Presence integration with Microsoft Outlook 2007, 2010 and 2013

Virtual Environment and Roaming Profiles

In a virtual environment, users do not always access the same virtual desktop. To guarantee a consistent user experience, the user data files must be accessible every time that the client is launched. Cisco Jabber stores user data in the following locations:

• C:\Users\username\AppData\Local\Cisco\Unified Communications\Jabber\CSF

  ◦ Contacts—Contact cache files

  ◦ History—Call and chat history

  ◦ Photo cache—Caches the directory photos locally

• C:\Users\username\AppData\Roaming\Cisco\Unified Communications\Jabber\CSF

  ◦ Config—Maintains user configuration files and stores configuration store cache

  ◦ Credentials—Stores encrypted username and password file

Note

Cisco Jabber credentials caching is not supported when using Cisco Jabber in non-persistent virtual deployment infrastructure (VDI) mode.

If required, you can exclude files and folders from synchronization by adding them to an exclusion list. To synchronize a subfolder that is in an excluded folder, add the subfolder to an inclusion list.

To preserve personal user settings, you should do the following:

• Do not exclude the following directories:

• AppData\Local\Cisco

• AppData\Local\JabberWerxCPP

• AppData\Roaming\Cisco

• AppData\Roaming\JabberWerxCPP


• Use the following dedicated profile management solutions:

Citrix Profile Management—Provides a profile solution for Citrix environments. In deployments with random hosted virtual desktop assignments, Citrix profile management synchronizes each user's entire profile between the system it is installed on and the user store.

VMware View Persona Management—Preserves user profiles and dynamically synchronizes them with a remote profile repository. VMware View Persona Management does not require the configuration of Windows roaming profiles and can bypass Windows Active Directory in the management of VMware Horizon View user profiles. Persona Management enhances the functionality of existing roaming profiles.
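A planned exclusion and inclusion list can be checked against the four directories listed above before it is rolled out. The following is an added example, not part of the Cisco guide or of any profile management product: the function names are hypothetical, and the "most specific rule wins" precedence is an assumption to verify against the profile management solution in use.

```python
from pathlib import PureWindowsPath

# Directories the guide says must not be excluded (relative to the user profile).
REQUIRED = [
    r"AppData\Local\Cisco",
    r"AppData\Local\JabberWerxCPP",
    r"AppData\Roaming\Cisco",
    r"AppData\Roaming\JabberWerxCPP",
]

def _norm(path):
    """Split a Windows path into lower-cased components (Windows is case-insensitive)."""
    return tuple(part.lower() for part in PureWindowsPath(path).parts)

def _covers(rule, path):
    """True if rule is the path itself or one of its ancestors."""
    return path[:len(rule)] == rule

def is_synchronized(path, exclusions, inclusions):
    """Assumed precedence: the most specific matching rule decides.
    A path matched by no rule is synchronized."""
    target = _norm(path)
    best_len, synced = -1, True
    for rules, verdict in ((exclusions, False), (inclusions, True)):
        for rule in map(_norm, rules):
            if _covers(rule, target) and len(rule) > best_len:
                best_len, synced = len(rule), verdict
    return synced

def audit(exclusions, inclusions):
    """Return (required_dir, finding) pairs for directories that would lose data."""
    findings = []
    for required in REQUIRED:
        if not is_synchronized(required, exclusions, inclusions):
            findings.append((required, "excluded"))
        for rule in exclusions:
            # An exclusion strictly below a required directory drops part of it.
            if _covers(_norm(required), _norm(rule)) and _norm(rule) != _norm(required):
                findings.append((required, "partially excluded by " + rule))
    return findings

if __name__ == "__main__":
    # Constructed sample lists, not taken from a real deployment.
    sample_exclusions = [
        r"AppData\Local",
        r"AppData\Roaming\Cisco\Unified Communications\Jabber\CSF\Config",
    ]
    sample_inclusions = [r"AppData\Local\Cisco"]
    for directory, finding in audit(sample_exclusions, sample_inclusions):
        print(directory, "->", finding)
```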
