· Security. Let's face it. Software has holes. And hackers love to exploit them. New vulnerabilities appear almost daily. If you have software - we all do - you need to.

Cisco UCS Integrated Infrastructure for Big Data with Splunk Enterprise.

· My team and I have been struggling to overcome a major hurdle: Letting end users that we support have admin rights on their machines. All of our point of contacts.

A new maintenance release for Cisco WebEx Meetings Server 2.6 has been made available on CCO for download today. The build number for the CWMS is 2.6.1.39.

Easily Shadow Remote Desktop Sessions.

We just released Remote Control 5. One of the toughest to build (for us), but most interesting additions to this version is the ability to jump into a remote desktop session. What does this mean? Let's say you have a user that is logged into your terminal server, and you need to help them with something. Usually you would need to use the Microsoft Shadow program. If you have ever used it, you know it is a pain to use. Especially if you have a user on the phone waiting for help. With Remote Control 5. Even better, on Windows 7, XP, or Vista machines you can see those remote desktop sessions too. This is not even possible with the tools provided by MS.

We also had to work real hard to fix an issue that has been around for a while. If you have fast user switching enabled on XP: Sometimes you would get a blank screen when connecting to the machine. The same is true on 2. XP) if you use Remote Desktop to connect to it with the /console flag. Why? It is because of a bug in a Windows API call. We fought and fought with this. Even contacted MS. They replied that it was not going to be fixed in those versions of Windows… but it did work in Vista/2. Windows 7? Our solution? We re-created the MS API inside our code, and fixed the bug.
So now if you have fast user switching turned on, or someone has used RDP – you won’t get a blank screen.

Recently it has become common for users to have more than one monitor. In previous versions of Remote Control, all the monitors were shown in one big window. Many times, it is really hard to work this way. So we gave you the ability to show all monitors, or select an individual monitor to control.

I know some of you have quite a few computers you remote into all the time. A new feature in the viewer lets you position each one where you want them, and it will remember the next time you connect. That feature is not enabled by default, so go into the viewer settings if you want to turn it on.

And finally, we have done a considerable amount of work improving performance. We tested on all types of slow and intermittent internet connections to make it snappy in every type of situation. Take it for a spin by downloading the trial from here: http://www.

UC Pro Blog | Everything's Unified.

Hello folks! For those of you who are in charge of a large VoIP environment with multiple CUCM clusters, I dedicate this post.

The Environment.

We are dealing with two CUCM clusters that have SIP trunks to Cisco SME cluster. In reality, the environment is a much larger one, consisting of 1. CUCM clusters scattered around the globe. I have intentionally simplified the topology to include just three CUCM clusters, with one of them being used as SME.

The Challenge.

In this particular case, the client would like to implement end-to-end phone security (signalling and media encryption) on all endpoints that support it. Because the traffic is traversing SME, we need to make sure that the SIP trunks between CUCM and SME clusters are secure.
In a traditional two-cluster scenario, all you need to do is to follow this awesome guide by Jason Burns, where we exchange CallManager.pem self-signed certificates between all nodes, configure SIP Trunk Security Profile and off we go. But imagine doing that certificate exchange with 1.

The Solution.

We are going to use our own Enterprise CA to issue new CallManager certificates for all CUCM clusters and import the Root CA certs only to trust the issuer. Here’s the detailed guide on how to achieve just that.

Part 1: Preparing Enterprise CA and Issuing the Certs.

Note: it is assumed that you have all the necessary rights to work with your Windows Server-based Certificate Authority.

Step 1: Using Certificate Authority Add-In, connect to your Root or Subordinate CA, navigate to ‘Certificate Templates’, right-click and select ‘Manage’.

Step 2: In the ‘Certificate Templates Console’ that will open, right-click on any existing certificate and select ‘Duplicate Template’. When prompted, select ‘Windows Server 2. Enterprise’ version for the duplicate.

Step 3: In the ‘Properties of New Template’ window, give the certificate template a name (e.g. “CallManager”), choose a validity period (higher is good, but note that the certificate validity period should be shorter than that of the issuing CA), and put a check mark on the ‘Publish certificate in Active Directory’ box.

Step 4: Under the ‘Request Handling’ tab, make sure that ‘Signature and encryption’ is selected for the certificate purpose and the minimum key size is 2.

Step 5: Under the ‘Subject Name’ tab, select the ‘Supply in request’ radio button.

Step 6: Under the ‘Extensions’ tab, click on the ‘Edit…’ button and ensure that the ‘Client Authentication’ and ‘Server Authentication’ application policies are selected.

Step 7: Under the ‘Security’ tab, make sure that your user account has the necessary permissions, allowing you to Read, Write, and Enroll certificates using this template.
Step 8: Leave all other values at their default and click “OK” to create the new certificate template. Close the ‘Certificate Template Management’ window and return to the ‘Certification Authority’ console.

Step 9: Back in the ‘Certification Authority’ console, right-click on “Certificate Templates” and select ‘New’ -> ‘Certificate Template to Issue’. Select the new template that was created in the previous steps (“CallManager”).

Now you are ready to issue the actual certificate for your CallManager clusters using the CA’s web-based AD Certificate Services (https://your-CA-FQDN/certsrv).

Part 2: Requesting, Issuing and Installing CallManager Certificates.

The following steps are required to be completed on all CUCM nodes, including the SME ones.

Step 1: Navigate to the Cisco Unified OS Administration site of your first cluster’s publisher node (https://CUCM-1/cmplatform).

Step 2: Go to Security -> Certificate Management and click ‘Find’ to display a list of current certificates.

Step 3: To enable SIP trunk encryption, we are going to generate a new certificate request file (CSR) for the CallManager certificate type, so click on ‘Generate CSR’, select ‘CallManager’ for the certificate purpose, and select ‘Multi-server (SAN)’ for the distribution type.

Note: for my Multi-Server (SAN) certificates, I typically edit the CN (Common Name) to match the Publisher’s FQDN. Why? This reduces the required number of SANs, which is important if you are using a third-party CA that limits the number of alternative names for the cert.

Step 4: Download the newly-generated CSR, open it in notepad and copy the generated Base- 6.

Step 5: Navigate to your CA’s Active Directory Certificate Services web-based UI (https://FQDN-of-your-CA/certsrv/), click on “Request a certificate” -> “Advanced certificate request” and paste the certificate request in the textbox. Select the “CallManager” certificate template that was created in Part 1 of this guide and then click “Submit >”.

Step 6: Once the certificate has been generated, download it in Base- 6. Encoded format.

Step 7: Back in the CA AD Certificate Services Web GUI, click on the “Home” link in the upper-right corner to return to the main page and click on the “Download a CA certificate, certificate chain, or CRL” link. Select the current CA certificate, and ‘Base 6. Download CA certificate”.

Important: If the certificate has been issued by your subordinate CA, you need to separate your Root CA certificate from the Subordinate CA certificate. Here’s how:

Open the CA certificate that was downloaded in Step 7 above and navigate to the “Certification Path” tab.
Select the “Root CA for [yourdomain]”, then click “View Certificate”.
In the new ‘Certificate’ window that will open, click on the “Details” tab and then click the “Copy to File…” button, which opens the Certificate Export Wizard.
In the ‘Certificate Export Wizard’, click “Next” -> select “Base- 6. X.509 (.CER)” format and provide a path to save the file.

Step 8: Back on your CallManager’s OS Administration page, click on “Upload Certificate/Certificate Chain”.

Upload the Root CA certificate as “CallManager-trust” type.
If applicable, upload the Subordinate CA certificate as “CallManager-trust” type.
Upload the CA-generated certificate as “CallManager” certificate.

Step 9: You will need to restart the Cisco TFTP and CallManager services under the Cisco Unified Serviceability page on all CallManager nodes in the cluster for the new certificate to take effect. Hold on to that just for now.

Part 3: Switching the cluster to Mixed-Mode.

For the encryption to work on CallManager endpoints and trunks, you need to ensure that your CUCM clusters are switched from the default “Non-secure” mode to “Mixed-mode”. First, verify the cluster mode on all of your CallManager clusters by navigating to System -> Enterprise Parameters -> ‘Cluster Security Mode’. If the value is “0”, then the cluster is in “Non-secure” mode and needs to be switched to “Mixed-mode” by following these steps.

Step 1: Open an SSH session with your CallManager Publisher in Cluster 1.

Step 2: Issue the “utils ctl set-cluster mixed-mode” command:

    admin: utils ctl set-cluster mixed-mode
    This operation will set the cluster to Mixed mode. Do you want to continue?
    Moving Cluster to Mixed Mode.
    Cluster set to Mixed Mode. Please Restart Cisco Tftp, Cisco CallManager and Cisco CTIManager services on all nodes in the cluster that run these services.

Step 3: Restart Cisco TFTP, Cisco CallManager and Cisco CTI Manager on all nodes in the cluster.

Important: If your cluster was already in Mixed-mode, you need to regenerate CTL certificates after replacing the CallManager certificates on your CallManager cluster, which we did in Part 2.

    CTLFile.
    This operation will update the CTLFile. Do you want to continue?
    Updating CTL file.
    CTL file Updated. Please Restart the TFTP and Cisco CallManager services on all nodes in the cluster that run these services.

If you are using Cisco Jabber in your environment and you omit the above step, the first indication that something went wrong after the CallManager certificate replacement would be your Jabber’s phone services not working for any device types (CSF, TCT, etc.). If you review the jabber. Jabber’s PRT report, you may see the following errors:

    2. ERROR [0x. 00. 00. TelephonyAdapterServerHealth.cpp(6. CSFUnified::TelephonyAdapter::getConnectionIpProtocol] - No connected ConnectionInfo of type: [eSIP]. Could not determine connection IP Protocol.
    DEBUG [0x. 00. 00. TelephonyServerHealthImpl.cpp(2. CSFUnified::TelephonyServerHealthImpl::updateHealth] - updating health with serverType [CucmSoftphone] server.
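An added example, not part of the original post: a shell check to run on the files from Part 2 before the uploads in Step 8. It confirms that the issued certificate chains to the Root CA through the Subordinate CA and carries both application policies selected in Part 1, Step 6. The function names, file names and the throwaway demo PKI are assumptions made for illustration, and the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example; all names and the demo PKI are constructed for illustration.
# check_cm_cert LEAF ROOT [SUB]
#   0 = LEAF chains to ROOT (through SUB when given) and has both policies
#   1 = chain does not validate, 2 = Server or Client Authentication missing
check_cm_cert() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>/dev/null | grep -q ': OK$' || return 1
  else
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$' || return 1
  fi
  eku=$(openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' || true)
  case $eku in *"TLS Web Server Authentication"*) ;; *) return 2 ;; esac
  case $eku in *"TLS Web Client Authentication"*) ;; *) return 2 ;; esac
  return 0
}

# make_demo_pki DIR: constructed root -> sub CA -> "good" and "bad" leaf certs
make_demo_pki() {
  d=$1
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[both]
extendedKeyUsage = serverAuth,clientAuth
[server_only]
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/x.cnf" -extensions v3_ca \
    -subj "/CN=Demo Root CA" -days 2 -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for n in sub good bad; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
      -subj "/CN=demo-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  sign() {  # sign NAME ISSUER SERIAL EXTENSION_SECTION
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
      -set_serial "$3" -days 2 -extfile "$d/x.cnf" -extensions "$4" \
      -out "$d/$1.pem" 2>/dev/null
  }
  sign sub root 1 v3_ca && sign good sub 2 both && sign bad sub 3 server_only
}
```

Against real files the call is `check_cm_cert issued.pem root.pem sub.pem`; a return of 1 without the third argument is the symptom of uploading a subordinate-issued certificate with only the Root CA in the trust store.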