[cisco-voip] Cisco UCM with Skype for Business

Ki Wi kiwi.voice at gmail.com
Thu Apr 7 02:23:53 EDT 2016


Hi Daniel,
I guess the intra-domain federation is not the way to go as long as the
"jabber for everyone" works for field staff who don't need telephony
function. Simple IM function fits their requirement.

Thanks for the tips on MFA. I will explore more on this.

Regards,
Kin Wai

On Thu, Apr 7, 2016 at 2:07 PM, <daniel at ohnesorge.me> wrote:

> Hi KiWi,
>
> Intra-domain federation definitely covers the scenario where some users
> are on 1 system while others are on another. In fact it was designed more
> as a migration tool to eventually migrate everyone to Cisco. If user kiwi
> is IM enabled on SfB/Lync, he/she must not be IM enabled on Cisco
> IM/Presence. If the hard phone is controlled by CUCI-Lync, then CUCI-Lync
> can instruct Lync to change the status to Orange/Busy but that is coming
> from Lync and nothing to do with CUPS.
>
> MFA on ADFS 3.0 works really well as does OpenAM - you could have 1st
> factor as username/password, 2nd factor as TOTP time based token code (like
> Google Authenticator). With regards to Client Certificates, they themselves
> should be treated as a 2nd factor as if you were to logon to another device
> that did not have the cert, login would fail. But more traditional 2FA
> would use TOTP which can be integrated with both ADFS and OpenAM.
>
>
>
> On 2016-04-07 15:48, Ki Wi wrote:
>
> Daniel,
> for 2-way intra-domain federation, I suppose it covers the scenario whereby
> some users are on Jabber and some users are on SfB as documented.
>
> For example user "Ki Wi, kiwi at mycompany.com" uses SfB clients and uses
> cisco hardphone. I answered on my hardphone. Will IM&P update SfB that Ki
> Wi is busy/on the phone?
>
> If everyone is using SfB clients only then it will be fine but most of the
> time, the client already has a lot of hard phones deployed or they simply
> prefer hardphones.
>
> Multi-factor authentication via ADFS 3.0. Anyone tried it? What is
> chosen?
> I believe on mobile client, it might be a challenge to present additional
> "factor" such as client certificate.
>
> Regards,
> Ki Wi
>
> On Thu, Apr 7, 2016 at 12:01 PM, <daniel at ohnesorge.me> wrote:
>
>> No Worries KiWi
>>
>> Regarding Presence, Partitioned Intra-Domain Federation supports two-way
>> IM and Presence so you should be covered there. Regarding your security
>> concerns, this can also be done. For example, you can achieve Multi-Factor
>> Authentication out of the box using SAML SSO products (ADFS 3.0 and OpenAM
>> both support MFA) which is supported over Expressway. If using Client
>> Certificates for said authentication, you could have an MDM solution like
>> Mobile Iron be the only way to distribute the certificates using SCEP. DDoS
>> protection can always be achieved by ASA or 3rd Party Firewall.
>>
>> On 2016-04-07 13:08, Ki Wi wrote:
>>
>> Hi Matt, Alastair & Daniel,
>> thanks!
>>
>> Looks like the deployment choices don't change much since OCS days
>> except the addition of the VCS option now only.
>> For presence, seems like there's this product but I'm not sure it is 1
>> way or 2 way sync. Seems like UCM to Lync only.
>>
>> http://www.bridgeoc.com/products/licc/licc.htm
>>
>> Jabber is a fantastic application which the client is using now. However,
>> when it comes to Jabber on mobile via expressway, it is lacking security
>> measures in place.
>>
>> The client I have is very concerned about identity theft for higher
>> management. Therefore, single factor authentication is not sufficient. They
>> wanted every client authenticating via expressway to be MDM managed. This
>> is not available today and SFB apparently has a lot of 3rd party
>> applications doing this. One of them is skypeshield which I found online.
>>
>> Jabber for everyone users are able to use expressway for free right? I
>> saw on other threads here. Someone answered yes.
>>
>> Regards,
>> Ki Wi
>>
>> On Wed, Apr 6, 2016 at 9:15 PM, Matt Slaga (AM) <
>> matt.slaga at dimensiondata.com> wrote:
>>
>>> Another option, although not perfect, is using a hardware device like a
>>> Kuandobox.
>>>
>>>
>>>
>>> http://www.plenom.com/products/kuandobox/
>>>
>>>
>>>
>>> Works well in cube environments, but not so well in offices, or places
>>> where users use speakerphone often.
>>>
>>> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On
>>> Behalf Of *Alastair Watts
>>> *Sent:* Wednesday, April 6, 2016 8:28 AM
>>> *To:* kiwi.voice at gmail.com; daniel at ohnesorge.me
>>> *Cc:* cisco-voip at puck.nether.net
>>> *Subject:* Re: [cisco-voip] Cisco UCM with Skype for Business
>>>
>>>
>>> I echo Daniel's comments below regarding the Lync/SfB integration, and
>>> recommend that you look at the reasons why you're choosing to integrate SfB
>>> - particularly with voice/video or with SfB mobile clients.
>>>
>>>
>>>
>>> In the last few months, Cisco acquired Acano, whose portfolio of
>>> products can assist with bridging SfB and CUCM when joining the two is
>>> required.
>>>
>>>
>>>
>>> I strongly recommend reviewing the Cisco Live talk that was presented
>>> earlier this year in Melbourne (available at
>>> https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89886)
>>> , which goes into integration options between Lync/SfB and Cisco, including
>>> limitations, and includes the Acano product set and how it can assist with
>>> the integration.
>>>
>>>
>>>
>>> Al
>>>
>>>
>>>
>>> On 6 Apr 2016, at 17:10, Daniel Ohnesorge via cisco-voip <
>>> cisco-voip at puck.nether.net> wrote:
>>>
>>>
>>>
>>> You have a few options but none will suit your needs:
>>>
>>>
>>>
>>> - Partitioned Intra-Domain Federation from CUPS to Lync will provide
>>> IM/Presence
>>>
>>> - Direct SIP Trunk to Lync Mediation Server will provide the ability to
>>> call Enterprise Voice enabled Lync clients (no video)
>>>
>>> - VCS/Expressway to Lync Mediation Server with/without Media Bypass will
>>> provide voice and video to Enterprise Voice enabled Lync clients
>>>
>>> - RCC (with Enterprise Voice disabled) will give you deskphone control
>>> of your Cisco phones from Lync client
>>>
>>> - CUCILync (with Enterprise Voice disabled) will give you voice/video
>>> softphone as well as deskphone control
>>>
>>>
>>>
>>> All of the above solutions cater to different needs but you are limited
>>> with mobile support. You can run Jabber on mobile devices in Phone-only
>>> mode and then have separate Lync client for IM but that would be a bad user
>>> experience.
>>>
>>>
>>>
>>> Unless there is a specific reason to use Lync/SFB, if you already have a
>>> CUCM you may want to go Jabber and choose one of the above options.
>>>
>>>
>>>
>>> This is always a good read:
>>> https://social.technet.microsoft.com/Forums/office/en-US/cef0dd13-1092-46ec-9d1c-6679511d2206/lync-cisco-cucm-rcc?forum=ocsvoice
>>>
>>>
>>>
>>> and:
>>> http://www.justin-morris.net/cuci-lync-and-why-you-should-think-twice/
>>>
>>>
>>>
>>> and finally:
>>> https://supportforums.cisco.com/discussion/11500646/cupsjabberlynccucilynciphoneandriod-head-spinning
>>>
>>>
>>>
>>> Sent from my iPhone
>>>
>>>
>>> On 6 Apr 2016, at 17:06, Ki Wi <kiwi.voice at gmail.com> wrote:
>>>
>>> Hi Group,
>>>
>>> anyone have experience integrating ?
>>>
>>>
>>>
>>> The objective is to use Skype for business client for IM & voice/video
>>> call.
>>>
>>>
>>>
>>> It seems like the legacy approach is to use CUCILYNC. However, that's
>>> for windows desktop. If we use Skype for mobile clients, there's no such
>>> plug in.
>>>
>>>
>>>
>>> Is there a way to achieve presence synchronization between UCM and Skype
>>> presence service?
>>>
>>> Assuming they are using the same URI ?
>>>
>>> +
>>>
>>> Able to leverage on UCM to receive and initiate calls.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Ki Wi
>>>
>>> _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>
>>>
>>