[cisco-voip] Cisco UCM with Skype for Business
daniel at ohnesorge.me
Thu Apr 7 02:07:01 EDT 2016
Hi KiWi,
Intra-domain federation definitely covers the scenario where some users
are on 1 system while others are on another. In fact it was designed
more as a migration tool to eventually migrate everyone to Cisco. If
user kiwi is IM enabled on SfB/Lync, he/she must not be IM enabled on
Cisco IM/Presence. If the hard phone is controlled by CUCI-Lync, then
CUCI-Lync can instruct Lync to change the status to Orange/Busy but that
is coming from Lync and has nothing to do with CUPS.
MFA on ADFS 3.0 works really well as does OpenAM - you could have 1st
factor as username/password, 2nd factor as TOTP time-based token code
(like Google Authenticator). With regards to Client Certificates, they
themselves should be treated as a 2nd factor as if you were to log on to
another device that did not have the cert, login would fail. But more
traditional 2FA would use TOTP which can be integrated with both ADFS
and OpenAM.
On 2016-04-07 15:48, Ki Wi wrote:
> Daniel,
> for 2-way intra-domain federation, I suppose it covers the scenario whereby some users are on Jabber and some users are on SfB as documented.
>
> For example user "Ki Wi, kiwi at mycompany.com" uses SfB clients and uses cisco hardphone. I answered on my hardphone. Will IM&P update SfB that Ki Wi is busy/on the phone?
>
> If everyone is using SfB clients only then it will be fine but most of the time, the client already has a lot of hard phones deployed or they simply prefer hardphones.
>
> Multi-factor authentication via ADFS 3.0. Anyone tried it? What is chosen?
> I believe on mobile client, it might be a challenge to present additional "factor" such as client certificate.
>
> Regards,
> Ki Wi
>
> On Thu, Apr 7, 2016 at 12:01 PM, <daniel at ohnesorge.me> wrote:
>
> No Worries KiWi
>
> Regarding Presence, Partitioned Intra-Domain Federation supports two-way IM and Presence so you should be covered there. Regarding your security concerns, this can also be done. For example, you can achieve Multi-Factor Authentication out of the box using SAML SSO products (ADFS 3.0 and OpenAM both support MFA) which is supported over Expressway. If using Client Certificates for said authentication, you could have an MDM solution like Mobile Iron be the only way to distribute the certificates using SCEP. DDoS protection can always be achieved by ASA or 3rd Party Firewall.
>
> On 2016-04-07 13:08, Ki Wi wrote:
>
> Hi Matt, Alastair & Daniel,
> thanks!
>
> Looks like the deployment choices haven't changed much since OCS days except for the addition of the VCS option.
> For presence, it seems like there's this product but I'm not sure if it is 1-way or 2-way sync. Seems like UCM to Lync only.
>
> http://www.bridgeoc.com/products/licc/licc.htm [1]
>
> Jabber is a fantastic application which the client is using now. However, when it comes to Jabber on mobile via Expressway, it is lacking security measures.
>
> The client I have is very concerned about identity theft for higher management. Therefore, single factor authentication is not sufficient. They wanted every client authenticating via Expressway to be MDM managed. This is not available today and SfB apparently has a lot of 3rd party applications doing this. One of them is skypeshield which I found online.
>
> Jabber for everyone users are able to use expressway for free right? I saw on other threads here. Someone answered yes.
>
> Regards,
> Ki Wi
>
> On Wed, Apr 6, 2016 at 9:15 PM, Matt Slaga (AM) <matt.slaga at dimensiondata.com> wrote:
>
> Another option, although not perfect, is using a hardware device like a Kuandobox.
>
> http://www.plenom.com/products/kuandobox/
>
> Works well in cube environments, but not so well in offices, or places where users use speakerphone often.
>
> FROM: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] ON BEHALF OF Alastair Watts
> SENT: Wednesday, April 6, 2016 8:28 AM
> TO: kiwi.voice at gmail.com; daniel at ohnesorge.me
> CC: cisco-voip at puck.nether.net
> SUBJECT: Re: [cisco-voip] Cisco UCM with Skype for Business
>
> I echo Daniel's comments below regarding the Lync/SfB integration, and recommend that you look at the reasons why you're choosing to integrate SfB - particularly with voice/video or with SfB mobile clients.
>
> In the last few months, Cisco acquired Acano, whose portfolio of products can assist with bridging SfB and CUCM when joining the two is required.
>
> I strongly recommend reviewing the Cisco Live talk that was presented earlier this year in Melbourne (available at https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89886 [2]), which goes into integration options between Lync/SfB and Cisco, including limitations, and includes the Acano product set and how it can assist with the integration.
>
> Al
>
> On 6 Apr 2016, at 17:10, Daniel Ohnesorge via cisco-voip <cisco-voip at puck.nether.net> wrote:
>
> You have a few options but none will suit your needs:
>
> - Partitioned Intra-Domain Federation from CUPS to Lync will provide IM/Presence
>
> - Direct SIP Trunk to Lync Mediation Server will provide the ability to call Enterprise Voice enabled Lync clients (no video)
>
> - VCS/Expressway to Lync Mediation Server with/without Media Bypass will provide voice and video to Enterprise Voice enabled Lync clients
>
> - RCC (with Enterprise Voice disabled) will give you deskphone control of your Cisco phones from Lync client
>
> - CUCILync (with Enterprise Voice disabled) will give you voice/video softphone as well as deskphone control
>
> All of the above solutions cater different needs but you are limited with mobile support. You can run Jabber on mobile devices in Phone-only mode and then have separate Lync client for IM but that would be a bad user experience.
>
> Unless there is a specific reason to use Lync/SFB, if you already have a CUCM you may want to go Jabber and choose one of the above options.
>
> This is always a good read: https://social.technet.microsoft.com/Forums/office/en-US/cef0dd13-1092-46ec-9d1c-6679511d2206/lync-cisco-cucm-rcc?forum=ocsvoice
>
> and: http://www.justin-morris.net/cuci-lync-and-why-you-should-think-twice/
>
> and finally: https://supportforums.cisco.com/discussion/11500646/cupsjabberlynccucilynciphoneandriod-head-spinning
>
> Sent from my iPhone
>
> On 6 Apr 2016, at 17:06, Ki Wi <kiwi.voice at gmail.com> wrote:
>
> Hi Group,
>
> Does anyone have experience integrating?
>
> The objective is to use Skype for business client for IM & voice/video call.
>
> It seems like the legacy approach is to use CUCILYNC. However, that's for windows desktop. If we use Skype for mobile clients, there's no such plug in.
>
> Is there a way to achieve presence synchronization between UCM and Skype presence service?
>
> Assuming they are using the same URI ?
>
> +
>
> Able to leverage UCM to receive and initiate calls.
>
> Regards,
>
> Ki Wi
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
Links:
------
[1] http://www.bridgeoc.com/products/licc/licc.htm
[2] https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89886