×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Cisco Unified Presence (CUPS) external clients

Answered Question
Jan 9th, 2014
User Badges:

Hi All,


I have two questions regarding Cisco Unified Presence.


I have installed CUPS 9.1 in our CUCM 9.1 environment.


All call control, calendering and IM works fine with both CUPC and Jabber Clients


We would like to open our presence server up to be allowed to service our external support clients from outside of our firewall. Is this possible and which ports will need to be allowed through the firewall?


I.e. a Jabber/XMPP Openfire clients external to the organisation to go through the firewall and hit our cisco presence server. Only IM functionality is required.


Federation is out of the equation, as our organisation are security/compliance conscious that gtalk / AOL / iChat have the ability to log messages outside the organisation.


Also, as the external clients are not part of the organisation, is there any way to create a user that is not imported from CUCM.



I would like to utilise CUPS, instead of an open source XMPP server, as we are then able to utilise call control for internal users.


Thanks for your assistance.


ed

Correct Answer by Jaime Valencia about 3 years 7 months ago

Sounds to me that you're really looking for Jabber Guest


HTH

java

if this helps, please rate

www.cisco.com/go/pdihelpdesk

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Edip Gumuskaya Fri, 01/10/2014 - 00:46
User Badges:

Hi Jamie,


Thanks for your quick response.


I have requested additional information from our TAM.

Jonathan Schulenberg Sat, 01/11/2014 - 12:44
User Badges:
  • Super Bronze, 10000 points or more
  • Cisco Designated VIP,

    2017 IP Telephony

This is a rare occurance but I feel the need to disagree with Jaime here. Jabber Guest is a browser-based (currently a plug-in is required) audio/video client, not chat. It's sole purpose is to allow any unauthenticated party outside the firewall to call a CUCM/VCS endpoint inside the firewall. It can only initiate calls, not receive them.


I.e. a Jabber/XMPP Openfire clients external to the organisation to go through the firewall and hit our cisco presence server. Only IM functionality is required.

The thread originator specifically called out that only XMPP (i.e. chat) is required, not voice/video calls and Jabber Guest does not help you address this objective. In fact, there is no native Cisco product that does. Here are the options that I can imagine:

  • Open TCP 5222 (xmpp-client), and probably ensure your IM&P server(s) DNS FQDN matches your public domain. Use an XMPP client of your choosing. I'm uncertain whether any application-layer NAT inspection is required for XMPP though so this would require some testing.
    This is not recommended by Cisco. While the servers are reasonably hardened with SElinux and iptables, Cisco assumes they are run on trusted internal networks. For example, I am not aware of any protection mechanisms built into the XCP process that would prevent DoS or brute force authentication attacks.
  • Deploy Collaboration Edge (what Jaime was probably meaning to say) which will allow Jabber clients to create a TLS-protected tunnel across the firewall to the internal servers.
  • Use Cisco AnyConnect or another VPN solution.
Federation is out of the equation, as our organisation are security/compliance conscious that gtalk / AOL / iChat have the ability to log messages outside the organisation.

Two comments: 1) unless you have absolute control over the client environment similar to Snap Chat, far-end logging is always possible. Nearly every XMPP client I'm aware of has this feature. 2) You can whitelist specific DNS domains that you want to allow federation with. It's not an all-or-nothing policy. In fact, you could even setup an OSS XMPP server in another domain namespace and federate with it for these "external clients."

Also, as the external clients are not part of the organisation, is there any way to create a user that is not imported from CUCM.

CUCM 9.0(1) and above allow you to have a mixture of local and LDAP-synced user accounts. You would need to use UDS in this design to ensure that Jabber could resolve all accounts, not only those in LDAP.



Please remember to rate helpful responses and identify helpful or correct answers.

Actions

This Discussion

Related Content