About

Mike White


33 thoughts on “About”

  1. Hey Mike – your site has been great for us to get our Expressway working in the lab. But we also have a WebEx Messenger service with multiple kinds of integrations. We tried our best to figure out what to put into that portal to get Jabber hitting the Expressway with no luck. We only did changes to the cluster config on WebEx Messenger admin portal. Is there anything you have that could help us? Thanks.

    • Hi Joshua,

      I don’t have any hands-on with your deployment model, but I believe the CollabEdge MRA is independent of any WebexConnect/Messenger configuration. CollabEdge all works based on CUCM UC Services and Service Profiles in conjunction with the SRV records. Cisco’s corporate deployment uses Webex Messenger as the IM&P so I know that it is possible.

      -Mike

  2. Thanks Mike. We tried using the SRV entry as the CUCM target on the WebEx Messenger cluster integration but no luck. Then we tried using it on a Telepresence Cluster integration. No luck. Finally we tried the actual external IP of the Expressway. Nothin. Basically no matter what we put in at the WebEx Messenger portal for an integration, the Expressway never saw any requests. If you hear of anything please drop a note. Thanks. I’ll reach out to Cisco BU and see if they can help. Your point about how it works for them internally is spot on. There must be a way to do it.

    • Hi Josh, please don’t contact TAC or the BU yet (unless you’ve already got a contact at the BU that you’re already working with), as Collab Edge is not officially supported until VCS 8.1.1 releases in a couple weeks.

  3. Mike, I just want to say thanks for writing an excellent blog! I have found it as a wonderful resource while trying to get my own Collaboration Edge environment going. What a process!! I am 99.9% there, I have almost everything working it seems, but I still cannot get “Phone Services” to register through the system. Voicemail connects with no issue, but no dice with call control. I am at the point, having followed all of your blogs and the documents from Cisco, that I am leaning towards opening a TAC case. I am running 8.1.1, so hopefully they can help. At any rate, please keep posting as your blog is great! It is great to have fellow Collab professionals helping each other out!

  4. What is the Product ID for the option key to enable Expressway-C? I cannot find that information anywhere.

      • Mike,
        Great write-up. I have been having an issue with 2-way audio/video through the ASA. I have the E in the DMZ in a dual-NIC setup: LAN1 internal, on the same subnet as the C, and the second NIC, LAN2, in the DMZ behind NAT. I have the Static NAT option turned on with the real IP to make sure the C-Line is sent with the public IP. I have disabled inspect for SIP, H.323 and RTP; still no luck receiving audio/video. I can send audio/video to the remote end with no issues. The traversal zone is using TLS and MRA works great; I have 2-way audio/video using the MRA. I just can’t get our SX to receive any video/audio calling via URI. I have a TAC case open for the ASA and they are claiming the ASA is configured correctly. I know it has something to do with the ASA: if I take the ASA out of the picture I get 2-way communication. Do you have any ideas?

      • Do you have SIP inspection (aka ALG or fixup) enabled? I’d try turning that off to see if it fixes it. It may be rewriting the IPs on the SIP signalling and screwing it up. I do have it working in my environment with SX and C-series endpoints inside the network (as well as one registered via MRA), Jabber users coming in over MRA and some users over AnyConnect.

      • Hi Mike,

        I have inspection of SIP and RTP on the ASA. Still experiencing the same issue. Which version of ASA are you running? TAC seems to think it is the TLS issue since they see it coming out on port 5061. I am not buying their reasoning with this. Hopefully Cisco cross-trains a few engineers on ASA and TP. I see the finger pointing already happening. Again, it has to be something on the ASA; bypassing it works with no issues.

  5. Mike
    First: You are the man! Some of the stuff here is bleeding edge and you are taking the guess work out of a lot of it.

    I am a TelePresence guy and really had not used CUCM since version 2 & 3 when the phones still said Selsius! I have done some small CME stuff but now I am implementing a full CUCM 10.5 and we are at the point of deciding how our external phones will connect. We are using Jabber inside and out and replacing our Jabber for TelePresence.

    I have an ASA 5510, VCS Edge, and a CUBE router and would like to know if I should use VPN through the ASA or the line side Cube you have talked about. Which one do you think will end up being the best practice?

    • Thanks!

      So the issue I have with lineside CUBE is that there is no good way (that I can see) to dictate which phones can connect and which can’t like you can with VPN Phone via the ASA. (With VPN Phone you can decide which phones would be allowed to connect from outside.) CUBE just does its thing and proxies any phone through. This might not be a big deal for you, but some of the customers I work with want to lock down who can take a phone home and have it work. So at this point, I’d probably lean to VPN Phone if that is a concern.

  6. Hi Mike,
    Looking for a sample configuration for setting up Expressway with geo DNS wherein every site has its own VCS-C & E. While logging in from the client end, the end user will use the common scheme “username@domain.com”. Based upon the location of the end user, the priority will be for the end user to register with the local VCS-C and E set-up, and in turn with the local IM/Presence plus CUCM server.
    If the local VCS-C set-up is not available or the end user is in roaming mode, his/her login will contact the nearest VCS-C and E for resolution, which in turn will route him/her to the correct IM/Presence plus CUCM for registration.

    I am not sure whether I am asking the right question or whether it is possible. But in case you come across something like this, do share your thoughts.

    Thanks for all the good work and for making this blog full of great information.

  7. Hi Mike,

    With the support of your blog I have managed to get MRA to work using Expressway C and E completely fine. Thanks for this great blog. It helped me a lot.

    But recently we have changed the Expressway E IP address and now the IM&P service and directory are working fine but phone service is not registering. Traversal zone is active. Do you have any idea about this problem? I am completely stuck on this problem; I have tried everything I could to fix this. I did a factory reset of Expressway C and E and created the traversal zone again. But the problem is still the same. Please let me know any solution to this or how to troubleshoot it.

    Thanks
    Sachintha

  8. Hi Mike,

    First of all, thank you very much; you make very good MRA documents, and they were very helpful in my last MRA deployment.
    I have a question about Cisco Jabber Guest deployment. I am going to deploy this feature at my client’s site, but I am confused about whether we need to advertise any SRV records in the case of a Jabber Guest deployment. Please explain Jabber Guest deployment to me; it would be very helpful for me.

    Thanks and Regards,
    Sushant Sharma
    Email:sushantcisco@gmail.com

    • Are you trying to register the 8861 to non-Cisco call control? If so, there are certain model 8800 phones that support this. You can’t take a normal 8800 phone that is meant for CallManager to third-party SIP call control.

  9. Mike,

    I posted this to the EDUCAUSE NETMAN list, I was wondering if I could get your thoughts?

    For our CUPS server in order to have the ‘cup-xmpp’ certificate signed correctly, it requires a SAN of our root domain (uvm.edu) be added to the certificate in addition to the hostname (cups01.uvm.edu) of the cup(s) servers.

    Has anyone run into issues getting the SAN of their root domain? If so, what was your workaround and/or alternate solution?

    Any ideas or thoughts would be nice.

    -Mike

  10. Mike, as always it’s a pleasure to work with you and to read the experience you bring to those of us thrust into the UC Community. Thanks for teaching so much, and helping me pass on what I learn to others.

  11. Hi Mike,

    I love your site and I was hoping you could help. I am trying to get multi-stream working but I am having issues. It worked after I followed the instructions listed in your how-to guide, but after I upgraded the TS and the Conductor, everything just stopped working. Standard calls are fine, but I can’t get multistream to work.

    The endpoints are running code 8.2; CUCM 11.0.1; Conductor & TS 4.3.

    Any assistance would be greatly appreciated.

    Thank you.

  12. Hey Mike,

    I just wanted to pass along a major issue we discovered between Expressway and WebEx that had driven us crazy for the better part of 2 months.

    As part of our vulnerability assessment, it was discovered that Expressway uses 1024 Diffie-Hellman for Secure SIP. This has been reported for some time as weak and vulnerable. The recommendation is to move to 2048. (https://weakdh.org/) We ran the “SIP Advanced SipTlsDhKeySize: ” command on our Expressway E and set it to 2048 to be more secure. According to the documentation, this is for inbound connections.

    Everything was working great, until we started trying to use a new subscription to WebEx CMR. We could dial into the CMR with no issue, but would get disconnected when it tried to connect us to the video bridge. We spent days with an extremely smart team over at WebEx who were able to get us into a lab bridge and do some in-depth packet captures and logs from deep within the code that runs WebEx.

    What it turned out to be was that after dialing to the SIP Proxy over at WebEx that handles inbound calls, it does a SIP re-invite to the bridge you will be using, which causes an outbound connection from WebEx to the Expressway E for that invite. However, WebEx does not support DH 2048 keys, only a maximum of 1024. The TLS setup would fail and caused a Java exception to be generated within the WebEx code and I would get disconnected.

    Going back to DH 1024 (less secure and vulnerable) fixed the issue.

    My hope is that 1. Someone else having this issue will find this helpful and 2. WebEx will at least support the higher encryption level.

    Thanks,
    Daryl

    • I’ve seen a very similar issue with outbound calls from WebEx CMR. It currently only supports TLS 1.0. If you shut 1.0 off on your Expressway (so that it only does 1.1 and 1.2) you won’t be able to receive a call. This is being fixed in May/June. I’m guessing the key length will also get fixed at that time too.
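
The Diffie-Hellman size discussed in comment 12 can be confirmed from a packet capture of the TLS server's handshake flight. The sketch below is an added example, not part of the original comments and not Cisco or WebEx tooling: it parses TLS 1.0 to 1.2 records, finds the ServerKeyExchange message and reports the bit length of the DH prime. It assumes a DHE cipher suite and unfragmented handshake messages; the function names and the sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE, SERVER_KEY_EXCHANGE = 0x16, 0x0C

def dh_prime_bits(records: bytes):
    """Bit length of dh_p in the first ServerKeyExchange, or None if absent/truncated.

    Assumption: a DHE_* suite was negotiated (the body then starts with
    ServerDHParams) and handshake messages are not split across records.
    """
    pos = 0
    while pos + 5 <= len(records):
        ctype, _version, rlen = struct.unpack_from("!BHH", records, pos)
        body = records[pos + 5 : pos + 5 + rlen]
        pos += 5 + rlen
        if ctype != HANDSHAKE:
            continue  # skip alerts, change_cipher_spec, application data
        off = 0
        while off + 4 <= len(body):
            mtype = body[off]
            mlen = int.from_bytes(body[off + 1 : off + 4], "big")
            msg = body[off + 4 : off + 4 + mlen]
            off += 4 + mlen
            if mtype != SERVER_KEY_EXCHANGE or len(msg) < 2:
                continue
            plen = struct.unpack_from("!H", msg, 0)[0]
            prime = msg[2 : 2 + plen]
            if len(prime) != plen:
                return None  # capture cut off inside dh_p
            return int.from_bytes(prime, "big").bit_length()
    return None

def meets_policy(records: bytes, minimum_bits: int = 2048) -> bool:
    """True only when a DH prime was found and it is at least minimum_bits long."""
    bits = dh_prime_bits(records)
    return bits is not None and bits >= minimum_bits

def sample_flight(prime_len: int) -> bytes:
    """Constructed input: one TLS 1.0 record holding a ServerKeyExchange."""
    def vec(b: bytes) -> bytes:  # 2-byte length-prefixed vector
        return struct.pack("!H", len(b)) + b
    params = vec(b"\xff" * prime_len) + vec(b"\x02") + vec(b"\x01" * prime_len)
    body = params + vec(b"\x00" * 4)  # placeholder signature, not verified
    msg = bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(msg)) + msg

if __name__ == "__main__":
    for size in (128, 256):
        print(dh_prime_bits(sample_flight(size)), meets_policy(sample_flight(size)))
```

Feed it the raw server-to-client bytes exported from a capture; a result below the policy minimum means the server side is still offering the weaker group.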
