CUMA 7 install issue - CUCM Enterprise Adapter fails config test

Answered Question
Jul 1st, 2009

New CUMA 7 install and I can't get the CUCM enterprise adapter to pass config test. It fails with a web services error. I have used numerous IDs for the web services config and verified that the users have the proper access. All other Adapters pass their config tests. The version of CUCM is 7.0(1) right now.

Any Ideas?

Correct Answer
htluo Wed, 07/01/2009 - 15:58

How many CUCM servers did you configure in the adapter? If you configured two, make sure "AXL Web Service" is running on both.

Michael

http://htluo.blogspot.com

j.house Thu, 07/02/2009 - 05:23

That did it! Thanks.

Now if I can just get the service to start. I used the basic security config in the install guide with a trust_all security context. Are there other certificates that need to be loaded before the service will run? I also still have to configure my ASA as a proxy...could that be why it doesn't start?

Correct Answer
htluo Fri, 07/03/2009 - 07:38

ASA is a security option. If you are testing CUMA/CUMC, you don't need ASA.

Check System Management > Network Properties. If you don't have ASA, just put the IP address of CUMA in "Proxy Host Name".

Michael

j.house Tue, 07/14/2009 - 13:26

So that allowed the server to start. Now I have the client loaded on my BB 8820 and when I launch the client it prompts me to accept provisioning for my user ID, but when I enter my password it says it cannot contact the Mobility server.

Any thoughts?

htluo Tue, 07/14/2009 - 19:19

We need to understand your network topology.

Does the BB talk to your CUMA server directly? Or does the BB talk to a proxy server/ASA?

Michael

j.house Tue, 07/14/2009 - 19:39

Well at this point I don't have the ASA configured yet, so the proxy is pointing at the mobility server itself. We have a BES server on the inside of our network.

htluo Wed, 07/15/2009 - 04:41

If the BB talks to CUMA directly, it should be very straightforward.

From the Internet, try to telnet to the CUMA client port (you may find it in CUMA Admin > System Management > Network Properties). See if you can connect to the client port (by default it's 5443).

BTW, is your CUMA server accessible from the Internet?

Michael

j.house Wed, 07/15/2009 - 04:46

No, the CUMA server is not accessible from the internet right now. I'm assuming that is where the ASA proxy comes in...right?

Thanks

j.house Wed, 07/15/2009 - 05:51

Also, not sure if it matters but...our BES server can talk to internal servers directly, so would the proxy be needed?

htluo Wed, 07/15/2009 - 09:35

If the CUMA server is not accessible from the internet, you'll need an ASA.

The BES server is out of the picture when the BB connects to CUMA.

Michael

j.house Wed, 07/15/2009 - 10:02

Thanks for the information. So what hostname does the client use to connect from the outside to the CUMA server, and where does it get that information from? Does it come with the install package downloaded from the CUMA server and is it the proxy configuration that it's derived from?

htluo Wed, 07/15/2009 - 13:02

The client connects to the FQDN of the ASA. You manually enter the FQDN on CUMC on BB.

Michael

j.house Wed, 07/15/2009 - 13:32

I see, so after I successfully log into the client on the BB I will be able to enter options (ie. the FQDN of the ASA)? I'm a little confused, I don't see any configuration options available before logging in, and without the options how can it successfully log me in?

htluo Wed, 07/15/2009 - 19:13

It depends on provisioning methods.

If you're using manual provisioning, you'll see a screen like attached. You may enter the FQDN of the ASA.

If you're using BES to provision, the server URL will be auto-populated with the value configured in CUMA > System Management > Network Properties.

Michael

j.house Mon, 08/17/2009 - 08:19

So my ASA is getting configured. Is it a requirement for the certificates to be signed by Verisign or GeoTrust, or can they be signed by our own CA?

Thanks!

htluo Mon, 08/17/2009 - 08:58

Technically, you may use any certificate. However, the client (smart phone) has to trust the certificate. Since Verisign and GeoTrust were trusted by many smart phones, Cisco recommends you use those two.

If you used a CA that the smart phone doesn't trust, you'll have to configure the smart phone to trust it. This part is beyond Cisco support.

Michael

j.house Mon, 08/17/2009 - 11:01

The steps outlined in the install guide state that we need to load an intermediate certificate AND the cert received from the CA. If we signed using our own CA, what is the intermediate cert? Thanks for the input.

htluo Mon, 08/17/2009 - 11:08

If you have intermediate certs, you need to upload the intermediate certs. If you don't, just ignore it.

Michael

j.house Tue, 08/18/2009 - 08:26

I now have the certs loaded and the ASA configured. In CUMA, for the Proxy address, do I need to put the world-routable IP address for the ASA?

Thanks!

htluo Tue, 08/18/2009 - 09:03

The address here will be used for SSL handshake, which means:

1) The address has to be reachable from CUMA

2) The certificate the ASA presents to CUMA needs to have a Common Name (CN) that matches this name.

Michael
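
Both conditions in the reply above (reachability of the address, and a certificate name that matches the configured Proxy Host Name) can be checked from a host on the CUMA side. This is an added example, not part of the original thread and not Cisco tooling; the helper names, `asa.example.com`, `192.0.2.10` and the sample certificate are constructed for illustration.

```python
import socket
import ssl


def port_reachable(host, port=5443, timeout=5.0):
    """Scripted form of 'telnet host port': True if the TCP connect succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_peer_cert(host, port=5443, cafile=None, timeout=5.0):
    """Return the presented certificate as a dict. The chain is verified
    (against cafile if given, e.g. an in-house CA); the name check is ours."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """Collect the Common Name plus DNS and IP subjectAltName entries."""
    names = [value for rdn in cert.get("subject", ())
             for key, value in rdn if key == "commonName"]
    names += [value for kind, value in cert.get("subjectAltName", ())
              if kind in ("DNS", "IP Address")]
    return names


def name_matches(configured, cert):
    """True if the configured Proxy Host Name matches a name in the cert.
    A leading '*.' wildcard covers exactly one left-most label."""
    want = configured.lower().rstrip(".")
    for name in cert_names(cert):
        have = name.lower().rstrip(".")
        if have == want:
            return True
        if have.startswith("*.") and "." in want:
            if want.split(".", 1)[1] == have[2:]:
                return True
    return False


# Constructed sample in the shape ssl.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "asa.example.com"),)),
    "subjectAltName": (("DNS", "asa.example.com"),),
}
```

With the sample certificate, `name_matches("asa.example.com", SAMPLE_CERT)` is true while `name_matches("192.0.2.10", SAMPLE_CERT)` is false: a bare IP address in the Proxy Host Name field only matches if the certificate itself carries that IP.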

j.house Tue, 08/18/2009 - 09:14

Hmmm, so can it be an IP address, or does it need to be a world-routable FQDN? The issue is that we have 2 domains (long story, but it is necessary at this point), one domain is reachable from the outside (public), and the other is what all of our internal devices are a member of. Is there a way around this so that I can have the mobility clients just use the IP address of the proxy server?

thanks again for all the input.

j.house Thu, 08/20/2009 - 12:47

Ok, I now have CUMC up and running and registered with CUCM. Presence and Voicemail integrations seem to be working. I am however stumped with DVO - Dial via Office. I have checked my CUMA and CUCM configs and can't see what I'm missing. It doesn't appear to even give me the option for DVO in the client even though I have set CUMA to force DVO.

Any Ideas? Thanks

htluo Thu, 08/20/2009 - 15:04

CUMC 3.x on Blackberry does NOT support DVO. Please wait for CUMC 7.x.

Michael

j.house Thu, 08/20/2009 - 15:05

That would explain it...any idea when 7.x will be released?

dsalamanca Tue, 09/01/2009 - 02:29

Hello, I've been following this thread and it has been very useful, but there is one thing that I don't have completely clear.

We are deploying a CUMA server, but by now it will be only for testing purposes, no internet access. The phones are going to connect through the company's wireless LAN to the CUMA server.

Is it still necessary to have certificates from the ASA? Or can we work without an ASA? At the moment the problem we are facing is that the phones communicate with the CUMA but they return an error message "invalid certificate received from the server".

Thanks in advance

htluo Tue, 09/01/2009 - 03:56

You may test without ASA.

But the phone needs to have a secure connection (TLS). Thus the phone has to trust the certificate ASA presents to it.

Please refer to your phone's manual to see how to make the phone trust a certificate.

Michael

captainchaos Mon, 11/02/2009 - 09:42

I'm not entirely sure, but I thought that if connected via wireless you would still need a route to the outside interface of the ASA. As for certificates, you may be able to run without one, I'm not entirely sure, as long as the security context in CUMA is correctly set.

Sorry I provide no certain direction.

Mark

dsalamanca Mon, 11/02/2009 - 23:55

Hello,

In the end it worked without an ASA. We are able to see presence and use some features, but not dial via office. We have abandoned this testing for other projects for now, but just in case anyone else asks: yes, it works without an ASA through the wireless network.

Thanks for your help
