CUMA 7 install issue - CUCM Enterprise Adapter fails config test

Answered Question
Jul 1st, 2009
User Badges:

New CUMA 7 install and I can't get the CUCM enterprise adapter to pass config test. It fails with a web services error. I have used numerous ID's for the web services config and verified that the users have the proper access. All other Adapters pass their config tests. The version of CUCM is 7.0(1) right now.


Any Ideas?

Correct Answer by htluo about 8 years 2 weeks ago

ASA is security option. If you are testing CUMA/CUMC, you don't need ASA.


Check System Management > Network Properties. If you don't have ASA, just put the IP address of CUMA in "Proxy Host Name"


Michael

Correct Answer by htluo about 8 years 3 weeks ago

How many CUCM servers you configured in the adapter? If you configured two, make sure "AXL Web Service" is running on both.


Michael

http://htluo.blogspot.com

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
Correct Answer
htluo Wed, 07/01/2009 - 15:58
User Badges:
  • Red, 2250 points or more

How many CUCM servers you configured in the adapter? If you configured two, make sure "AXL Web Service" is running on both.


Michael

http://htluo.blogspot.com

j.house Thu, 07/02/2009 - 05:23
User Badges:

That did it! Thanks.


Now if I can just get the service to start. I used the basic security config in the install guide witha trust_all security context. Are there other certificates that need to be loaded before the service will run? I also still have to configure my ASA as a proxy...could that be why it doesn't start?

Correct Answer
htluo Fri, 07/03/2009 - 07:38
User Badges:
  • Red, 2250 points or more

ASA is security option. If you are testing CUMA/CUMC, you don't need ASA.


Check System Management > Network Properties. If you don't have ASA, just put the IP address of CUMA in "Proxy Host Name"


Michael

j.house Tue, 07/14/2009 - 13:26
User Badges:

So that allowed the server to start. Now I have the client loaded on my BB 8820 and when I launch the client it prompts me to accept provisioning for my user ID, but when I enter my password it says it cannot contact the Mobility server.


Any thoughts?

htluo Tue, 07/14/2009 - 19:19
User Badges:
  • Red, 2250 points or more

We need to understand your network topology.


Does BB talk to your CUMA server directly? Or the BB talks to a proxy server/ASA?


Michael

j.house Tue, 07/14/2009 - 19:39
User Badges:

Well at this point I don't have the ASA configured yet, so the proxy is pointing at the mobility server itself. We have a BES server on the inside of our network.

htluo Wed, 07/15/2009 - 04:41
User Badges:
  • Red, 2250 points or more

If BB talks to CUMA directly, it should be very straight forward.


From Internet, try to telnet to the CUMA client port (you may find out from CUMA Admin > System Management > Network Properties). See if you can connect to the client port. (by default it's 5443)


BTW, is your CUMA server accessible from Internet?


Michael

j.house Wed, 07/15/2009 - 04:46
User Badges:

No the CUMA server is not accessible from the internet right now. I'm assuming that is where the ASA proxy comes in...right?


Thanks

j.house Wed, 07/15/2009 - 05:51
User Badges:

Also, not sure if it matters but...our BES server can talk to internal servers directly, so would the proxy be needed?

htluo Wed, 07/15/2009 - 09:35
User Badges:
  • Red, 2250 points or more

If CUMA server is not accessible from the internet, you'll need an ASA.


BES server is out of the picture when BB connects to CUMA.


Michael

j.house Wed, 07/15/2009 - 10:02
User Badges:

Thanks for the information. So what hostname does the client use to connect from the outside to the CUMA server, and where does it get that information from? Does it come with the install package downloaded from the CUMA server and is it the proxy configuration that it's derived from?

htluo Wed, 07/15/2009 - 13:02
User Badges:
  • Red, 2250 points or more

The client connects to the FQDN of the ASA. You manually enter the FQDN on CUMC on BB.


Michael

j.house Wed, 07/15/2009 - 13:32
User Badges:

I see, so after I successfully log into the client on the BB I will be able to enter options (ie. the FQDN of the ASA)? I'm a little confused, I don't see any configuration options available before logging in, and without the options how can it successfully log me in?

htluo Wed, 07/15/2009 - 19:13
User Badges:
  • Red, 2250 points or more

It depends on provisioning methods.


If you're using manual provisioning, you'll see a screen like attached. You may enter the FQDN of the ASA.


If you're using BES to provision, the server URL will be auto-populated with the value configured in CUMA > System Management > Network Properties.


Michael



Attachment: 
j.house Mon, 08/17/2009 - 08:19
User Badges:

So my ASA is getting configured. Is it a requirement for the certificates to be signed by verisign or geotrust or can they be signed by our own CA?


Thanks!

htluo Mon, 08/17/2009 - 08:58
User Badges:
  • Red, 2250 points or more

Technically, you may use any certificate. However the client (smart phone) has to trust the certificate. Since Verisign and GeoTrust was trusted by many smart phones, Cisco recommend you use those two.


If you used a CA that the smart phone doesn't trust, you'll have to configure the smart phone to trust it. This part is beyond Cisco support.


Michael

j.house Mon, 08/17/2009 - 11:01
User Badges:

the steps outlined in the install guide state that we need to load an intermediate certificate AND the cert received from the CA. If we signed using our own CA, what is the Intermediate cert? thanks for the input.

htluo Mon, 08/17/2009 - 11:08
User Badges:
  • Red, 2250 points or more

IF you have intermediate certs, you need to upload the intermediate certs. If you don't, just ignore it.


Michael

j.house Tue, 08/18/2009 - 08:26
User Badges:

I now have the certs loaded and the ASA configured. in CUMA for the Proxy address do I need to put the world routeable IP address for the ASA?

Thanks!

htluo Tue, 08/18/2009 - 09:03
User Badges:
  • Red, 2250 points or more

The address here will be used for SSL handshake, which means:


1) The address has to be reachable from CUMA


2) The certificate ASA presents to CUMA needs to have a Common Name (CN) that matches with this name.


Michael

j.house Tue, 08/18/2009 - 09:14
User Badges:

hmmm, so can it be an IP address, or does it need to be a world routable fqdn? The issue is that we have 2 domains (long story, but it is necessary at this point), one domain is reachable form the outside (public), and the other is what all of our internal devices are a member of. Is there a way around this so that I can have the mobility clients just use the IP address of the proxy server?


thanks again for all the input.

j.house Thu, 08/20/2009 - 12:47
User Badges:

Ok, I now have CUMC up and running and registered with CUCM. Presence and Voicemail integrations seem to be working. I am however stumped with DVO - Dial via Office. I have checked my CUMA and CUCM configs and can't see what I'm missing. It doesn't appear to even give me the option for DVO in the client even though I have set CUMA to force DVO.


Any Ideas? Thanks

htluo Thu, 08/20/2009 - 15:04
User Badges:
  • Red, 2250 points or more

CUMC 3.x on Blackberry does NOT support DVO. Please wait for CUMC 7.x.


Michael

j.house Thu, 08/20/2009 - 15:05
User Badges:

That would explain it...any idea when 7.x will be released?

htluo Thu, 08/20/2009 - 15:33
User Badges:
  • Red, 2250 points or more

Should be around the corner.


Michael

dsalamanca Tue, 09/01/2009 - 02:29
User Badges:

Hello, I've been floowing this thread and it has been very useful, but one thing that I don't have completely clear.


We are deploying a CUMA server, but by now it will be only for testing purposes, no internet access. The phones are going to connect through the company's wireless LAN to the CUMA server.


Still it's necessary to have certificates from the ASA? Or can we work without an ASA? In this moment the problem we are facing is that the phones communicate with the CUMA but they return an error message "invalid certificate recevied from the server"


thanks in advance

htluo Tue, 09/01/2009 - 03:56
User Badges:
  • Red, 2250 points or more

You may test without ASA.


But the phone needs to have a secure connection (TLS). Thus the phone has to trust the certificate ASA presents to it.


Please refer to your phone's manual to see how to make the phone trust a certificate.


Michael

captainchaos Mon, 11/02/2009 - 09:42
User Badges:

I'm not entirely sure but thought that if connected via wireless you would still need a route to the outside interface of the ASA. As for certificates, you may be able to run without one I'm not entirely as long as the security context in CUMA is correctly set.


Sorry I provide no certain direction.


Mark

dsalamanca Mon, 11/02/2009 - 23:55
User Badges:

Hello,

In the end it worked without an ASA, we are able to see presence and use some features, but not dial via office, we have abandoned this testing for other projects by now but just in case any other asks: yes it works without an ASA through the wireless network.

Thanks for your help

Actions

This Discussion