CCX and Logjam

The latest versions of Firefox and Chrome seem to have fixed the Logjam vulnerability, and that fix is causing issues logging into the CCX admin page.

Here’s the workaround:
>> Now for logjam exploit related to the Diffie-Hellman algorithm the workaround in place is as below:
1) In Firefox, enter “about:config” in the URL field and press enter.
2) Accept the “This might void your warranty!” warning.
3) In the search field at the top, enter “security.ssl3.dhe_rsa_aes”.
4) Double click each result (128 and 256) to toggle the Value to “false”.

After accessing the page and doing what you need, you’ll want to set them back to true or you’ll be vulnerable.

Another option is to keep a copy of the world’s greatest browser ever, Firefox 24, installed for accessing CCX.  😉


CUCM 11 has posted to CCO

Good news.  CUCM 11.0(1) is available on CCO:


Unity Connection:


Links are live again as of 6/30.

23:59:60 – The leap second you don’t really want.

It’s that special time when the ER&RSS decides we need an extra leap second.  I’ve not looked into the details, but instead of the clocks going from 23:59:59 to 00:00:00 the night of June 30, 2015, there will be an extra second added: 23:59:60.  Of course computer clocks aren’t going to appreciate a second called “60” that is outside the normal range of 0 to 59.

At the direction of the International Earth Rotation & Reference Systems Service (see their bulletin here), the leap second will be introduced after 23:59:59, 30 June 2015. In effect, the clock will read 23:59:60 before it rolls over to 00:00:00, 1 July 2015. This is a one-time event that occurs simultaneously across the globe.
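How the out-of-range second described above surfaces in log tooling, as an added example that is not part of the original post: Python's `datetime` only accepts seconds 0 to 59, so this parser clamps a genuine 23:59:60 to 23:59:59 and flags the record instead of dropping it. The log lines, field layout and function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines around the 30 June 2015 leap second (UTC).
SAMPLE_LINES = [
    "2015-06-30T23:59:59Z host1 ntpd: leap second pending",
    "2015-06-30T23:59:60Z host1 kernel: Clock: inserting leap second 23:59:60 UTC",
    "2015-07-01T00:00:00Z host1 ntpd: leap second complete",
    "2015-07-01T00:00:61Z host1 app: corrupt timestamp",
]

TS_RE = re.compile(r"^(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)Z\s+(.*)$")


def parse_line(line):
    """Return (utc_datetime, is_leap_second, message) or raise ValueError.

    A second of 60 is accepted only at 23:59 on 30 June or 31 December, the
    dates on which leap seconds have been inserted so far. It is clamped to
    :59 and flagged, because datetime() rejects any second outside 0..59.
    """
    m = TS_RE.match(line)
    if not m:
        raise ValueError("unrecognised line: %r" % line)
    y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
    leap = False
    if s == 60:
        if (h, mi) != (23, 59) or (mo, d) not in ((6, 30), (12, 31)):
            raise ValueError("second 60 outside a leap-second slot: %r" % line)
        leap, s = True, 59
    # Any other out-of-range field (e.g. second 61) raises ValueError here.
    ts = datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
    return ts, leap, m.group(7)


def parse_all(lines):
    """Parse every line; collect rejects instead of aborting the whole batch."""
    good, bad = [], []
    for line in lines:
        try:
            good.append(parse_line(line))
        except ValueError as exc:
            bad.append((line, str(exc)))
    return good, bad
```

Keeping the flag alongside the clamped timestamp lets a later correlation step tell the real 23:59:59 record apart from the leap-second one.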

What products will be affected?  Unfortunately a lot from all kinds of manufacturers.

Cisco has a list of products here —

I would pay very close attention as the result of this 61st second in many of the bugs listed is the system crashing or hanging. Check your product versions against the bug lists.

At a quick glance, the following products that I work with regularly are affected:

  • CUCM < 8.0
  • CUC < 10
  • CER < 11
  • VCS/Expressway < 8.5.2
  • UCCX < 10.5
  • UCS-Manager < 2.2(3e)
  • Nexus 9000 = 7.0(3)I1(1.179)

Take a look at the list and implement the various patches or workarounds to avoid undesired outages.  Fun fun!

8845 and 8865 720p Video Phones Announced

Great News!  The 8845 and 8865 phones have been announced.


Ignore those labels above!  Both the 8845 and 8865 are available in white or black.

These phones follow the 8800 series features and functionality but add 720p video.  I’ve got a customer on the EFT for these phones and they are fantastic.  The quality is outstanding when calling from the new models into a large telepresence unit in comparison to the VGA output of the 8945.

See the press-release here:

The basic difference between the models is the 8865 having WiFi and the ability to add KEM modules.  The 8845 is intended to be a successor to the 8945 and the 8865 a successor to the 9951/9971.

Datasheets are here –

Collab Edge MRA for 7800/8800/DX Series Endpoints

Cisco recently posted Expressway (and VCS) X8.5.2 and 10.3.1 firmware for the 8800 and 7800 series phones.  The combination of these products allows these phones to register remotely to CUCM utilizing Collaboration Edge MRA.  (The DX-series (650/70/80) is expected to support MRA in the next release of code due out shortly.)

This functionality isn’t TAC supported yet, and has been released in a “feature preview” form.  I’ve set it up and tested it and it works well for the most part.  However, there is not full feature parity for a phone registered via MRA vs directly registered to CUCM, but for testing and basic calls, it works well.

In order to set it up, make sure your Expressway MRA deployment for Jabber is working properly.  MRA for the 7800/8800 series phones uses the same service discovery process that Jabber uses, so if you have Jabber working, you’ll have 95% of the work done.

One important piece of information to know is that the phone firmware trusts 100+ public root CA certificates.  If your Expressway-E server does not have a certificate signed by one of these CAs, it’s not going to work for the phones.

Here’s the basic procedure I followed to make it work:

  1. Installed the 8800 10.3.1 COP file via OSadmin and restarted the TFTP service.
  2. Logged in to Jabber via MRA to ensure the correct functionality of my MRA system and my login credentials.
  3. Defined the phone in CUCM and then connected the phone directly to CUCM so that it would pull the version of firmware that supports MRA.  (My 8851 phone shipped with an older version of code that did not have MRA support.)
  4. Took the phone off of the corporate network to an internet-access only network.
  5. I had initial problems with the phone not attempting MRA lookup after being connected to the internet-only network, so I followed the troubleshooting process of resetting the Network settings on the phone.  It then started to try the MRA process.

Steps the phone follows in MRA registration:

1) Phone attempts normal TFTP registration/ lookup process:


This fails because the phone has no direct access to CUCM.

2) Firmware now prompts for MRA credentials (These would be the same credentials you use for Jabber MRA login — in my case it is set to use LDAP/AD for authentication):


Phone now attempts service record lookup (like Jabber does) to discover the Expressway-E/VCS-E host.

3) Phone completes MRA login process


The phone is now registered and usable.

I’ve read conflicting information about the number of calls supported, and number of lines supported via MRA.  In my experience I have two lines on the phone registered and am able to make two calls per line.  (I’ve not tested more than two calls per line.)  The list of features that may work or not is extensive, so be careful as things like Barge or Intercom may not work yet.

The phone also upgraded code via MRA successfully which is good to know.


I’ve noticed some oddities with on-hook vs. off-hook dialing.  I know there are some limitations around KPML currently.  In my experience it seems to off-hook dial fine on the primary line, but on a secondary line or when attempting a second call on the primary line you MUST on-hook dial.

Phone registration isn’t supported via TAC yet so feel free to post here and we can collectively attempt to assist.  Remember the most basic step to troubleshoot is to see if your Jabber can successfully login.

UCCX 10.6 – Running Finesse and CAD simultaneously with Mixed Mode

Prior to today, cutting a contact center over from CAD/CSD to Finesse was not an insignificant task, requiring a flash cut of the system.

It is expected that CCX 11.0 will be a Finesse only release, requiring customers to move to Finesse if they want to upgrade to 11 or newer.  The good news is that UCCX 10.6 has been announced to allow CCX to run both CAD and Finesse simultaneously in what Cisco is calling Mixed Mode. 

The COP file is located here –

I had a customer on the EFT for it for the last month and it worked very well.  There are some limitations to be aware of and installation will require a couple reboots of your CCX environment.

Installation notes are in the readme here –

The release notes mention Appendix A of the Design Guide but I don’t see an updated one posted yet.  The doc or section should have some sort of title like Cisco Finesse Desktop Mixed Mode Deployment when it comes out.  I wouldn’t upgrade until you’ve read ALL the detail in the document, especially for larger contact centers or ones that are doing outbound or chat/email.


Basically you install the COP file from the CLI and restart, then follow the instructions to configure Finesse using the Finesse Administration portal on CCX.  Once you’ve got Finesse configured you can start to migrate agents and supervisors to it.  Keep in mind that you’re going to want to migrate a team at a time because a supervisor can’t be in Finesse and see their agents in CAD, or vice versa.


There are some limitations to be aware of using Mixed Mode, as it won’t support all CCX deployments and features.

Features supported:

  • Inbound and Outbound Voice (Direct preview only on both CAD and Finesse) can be migrated from CAD to Finesse in a phased manner
  • Supervisory features with few limitations
  • Reporting
  • Failover
  • Recording with few limitations

Features not supported:

  • Web chat
  • Email
  • Predictive and Progressive Outbound

Note: The Chat and Email features will not work in a combination of CAD and Finesse and will work only with Finesse once it’s activated, hence it is recommended to move all chat and email agents at the same time.

Other Limitations to note:

  • UCCX On-demand recording is supported only in CAD. Customers will have to use Mediasense or QM for Finesse workflow recording.
  • Migration of CAD configuration to Finesse will have to be done manually
  • Macros are not supported in Cisco Finesse and cannot be migrated. Customers will have to use the Cisco Finesse workflow engine to accomplish tasks previously done by CAD macros.
  • CRM connectors used with CAD will have to be reprogrammed to be used with Finesse using API.
  • Barge-in, silent monitoring, and intercept are not supported in mixed mode when CAD and Cisco Finesse agents are participants in the same call (for example, in a transfer/conference).
  • A team led by one or more supervisors should completely use either CAD or Cisco Finesse, e.g. a supervisor who uses CSD cannot supervise a Cisco Finesse team and vice versa.

Hybrid CMR (aka WeT) Certificate Changes

Dear WebEx/CMR-Hybrid/CMR-Cloud Customer,

To enhance security, on January 20, 2015, Cisco changed to a 4096-bit certificate model under different root certificate authorities than used previously. These certificates are used to secure traffic to and from the Cloud components and your Edge devices (VCS Expressway or Expressway-E). This is part of a continuing process to maintain meeting confidentiality and privacy.

Previously, WebEx had used a certificate that was issued under the Root CA 'DST Root CA X3' to secure traffic between the customer premises and WebEx. Your VCS Expressway or Expressway-E stores the root certificate 'DST Root CA X3' that trusts our previously used certificates on the WebEx cloud servers. We have revoked this certificate and replaced it with new certificates that will be issued by up to four different Root authorities. We need to ensure that your Edge device trusts the new Root certificate authorities in order to support the new WebEx certificates.

Based on customer feedback after our initial Certificate Update Communication sent on January 9th, 2015, we have subsequently determined that a fourth Certificate for customers was missing from the communication, and that this additional Certificate is indeed required. This additional Certificate is listed below as "Root 2." To ensure proper and private/secure operation of CMR Hybrid/CMR Cloud, customers need to ensure that all four root certificate authorities below are added to their 'Trusted CA Certificate' list.

Details on how to add CA certificates can be found in the 'Cisco TelePresence VCS Certificate Creation and Use' Page 13

Current CA's Trusted from WebEx:
   Verisign Certificates:

Full Verisign Root Certificate Package Download:

   Specific required Verisign Certificates downloaded from below link:

  • Root 2
      ◦ 'VeriSign Class 3 Public Primary CA' -
  • Root 3
      ◦ 'VeriSign Class 3 Primary CA - G5' -
  • Root 4
      ◦ 'VeriSign Class 3 Public Primary CA - G3' -

   QuoVadis Certificate:

  • QuoVadis Root CA2
      ◦ 'QuoVadis Root CA 2' -