Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
16205
Views
5
Helpful
4
Replies

Jabber idbroker.webex.com certificate request during the first start

Go to solution
fedor.solovev
Spotlight
Spotlight

‎11-14-2017 07:25 AM - edited ‎03-19-2019 12:55 PM

Hello, dear support community.
I have CUCM, IMP 10.5 installed. SSO is configured.

A couple of users complain that for some reason their jabber clients pop-up a notification about certificate for idbroker.webex.com with possible actions, - accept, decline and show the certificate (as it is usual when a certificate is untrusted). It is issued by HydrantID SSL ICA G2.

Just too accept this cert and forget about this for the next logins is not a big deal.

 

However, I didn't configure any external connections to webex or other cloud services.
That is why my concerns are why some of jabber clients try to connect idbroker.webex.com ?

and how do prevent/disable it ?

Service Profile is configured only with local services (CTI, IMP, Directory) but it is not assigned to any users.

jabber-config file is almost empty:

<config version="1.0">
<Client>
<Persistent_Chat_Enabled>true</Persistent_Chat_Enabled>
</Client>
<Directory>
<DirectoryServerType>UDS</DirectoryServerType>
</Directory>
<Policies>
<Disallowed_File_Transfer_Types>.exe;.msi</Disallowed_File_Transfer_Types>
<EnableSIPURIDialling>true</EnableSIPURIDialling>
</Policies>
</config>

 

4 people had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jonathan Schulenberg
Hall of Fame
Hall of Fame

‎12-01-2017 02:20 PM

As part of Service Discovery Jabber checks WebEx Messenger (the SaaS alternative to IM&P) to see if the domain is provisioned in the cloud. If not it then looks for DNS SRV records for on-premises gear.

You can disable that check using the installer flag EXCLUDED_SERVICES=WEBEX
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/11_9/cjab_b_on-premises-deployment-for-cisco-jabber/cjab_b_on-premises-deployment-for-cisco-jabber_chapter_010000.html

Assuming they haven’t deprecated it, Jabber used to also check for a DNS TXT record to see if a domain had a non-standard Service Discovery configuration. I haven’t seen this mentioned in the last few years though.
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/iPad/9_x/JABP_BK_J3C828CB_00_jabber-for-ipad-admin_chapter_01000.html#JABP_TK_C2E228F0_00

PS- Jabber also sends Usage telemetry to Cisco so they know which features users are/aren’t using. You might be tempted to say they don’t need that; however, I have seen them pull features out of Jabber multiple times over the years claiming that telemetry shows no one is using it. I suggest leaving it enabled. If you’re really set on cutting Jabber off from “the cloud”:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/10_5/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber_chapter_01.html#CJAB_RF_C87CBDFA_00

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jonathan Schulenberg
Hall of Fame
Hall of Fame

‎12-01-2017 02:20 PM

As part of Service Discovery Jabber checks WebEx Messenger (the SaaS alternative to IM&P) to see if the domain is provisioned in the cloud. If not it then looks for DNS SRV records for on-premises gear.

You can disable that check using the installer flag EXCLUDED_SERVICES=WEBEX
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/11_9/cjab_b_on-premises-deployment-for-cisco-jabber/cjab_b_on-premises-deployment-for-cisco-jabber_chapter_010000.html

Assuming they haven’t deprecated it, Jabber used to also check for a DNS TXT record to see if a domain had a non-standard Service Discovery configuration. I haven’t seen this mentioned in the last few years though.
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/iPad/9_x/JABP_BK_J3C828CB_00_jabber-for-ipad-admin_chapter_01000.html#JABP_TK_C2E228F0_00

PS- Jabber also sends Usage telemetry to Cisco so they know which features users are/aren’t using. You might be tempted to say they don’t need that; however, I have seen them pull features out of Jabber multiple times over the years claiming that telemetry shows no one is using it. I suggest leaving it enabled. If you’re really set on cutting Jabber off from “the cloud”:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/10_5/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber_chapter_01.html#CJAB_RF_C87CBDFA_00
0 Helpful

Go to solution
fedor.solovev
Spotlight
Spotlight
In response to Jonathan Schulenberg

‎12-04-2017 02:09 AM

Hello, Jonathan.
You are right - I have already disabled EXCLUDED_SERVICES=WEBEX and it helped.
However, it is odd a little bit, because only several jabber clients faced this exactly request during jabber initiation. DNS and version of jabber are the same for any working stations within a company.
Why do you think others didn't experience the same behavior ?

0 Helpful

Go to solution
Jonathan Schulenberg
Hall of Fame
Hall of Fame
In response to fedor.solovev

‎12-04-2017 04:20 AM - edited ‎12-04-2017 04:21 AM

My only guess is those clients’ operating system (ie Windows, macOS, etc) did not trust the issuing Certificate Authority for some reason.

Go to solution
fedor.solovev
Spotlight
Spotlight
In response to Jonathan Schulenberg

‎12-04-2017 05:03 AM

Yes, it looks like this is a problem.
I guess the question why some work stations don't accept certificates is to MS Admins.
Thank you.
0 Helpful
Customers Also Viewed These Support Documents