[cisco-voip] UCCX 11 Finesse HAoW Island Mode

Anthony Holloway avholloway+cisco-voip at gmail.com
Fri Feb 5 17:13:11 EST 2016


Great point about LDAP over SSL and certs.  Thank you for mentioning this.

On Fri, Feb 5, 2016 at 2:10 PM, Brian V <bvanbens at gmail.com> wrote:

> A common mistake that can happen and makes it "look like" only the publisher
> can provide LDAP authentication is if you're doing secure LDAP (over SSL)
> and didn't distribute the root CA/chain for the SSL encryption to all the
> CUCM nodes.  More of an issue with older CUCM but thought I'd mention it.
> Each CUCM node can perform the LDAP authentication (not the sync).  Also
> make sure any firewalls and such allow the LDAP requests from the
> subscriber nodes as well as the publisher.
>
>
>
>
> On 2/5/2016 3:49 PM, Justin Steinberg wrote:
>
> This isn't the full answer you're looking for, but I'll still throw it out
> there...
>
> I know LDAP enabled agents can log in to Finesse when the UCM publisher is
> down as that happened to me last week.  The UCM LDAP auth component doesn't
> rely on the Dirsync service, so the UCM LDAP auth runs on all UCM nodes.
>
>
> I had a UCS blade failure that took down the UCM pub, but the UCCX pub and
> all the primary AD servers were still online for the UCM subs to
> authenticate.
>
> On Fri, Feb 5, 2016 at 4:17 PM, Anthony Holloway <
> avholloway+cisco-voip at gmail.com> wrote:
>
>> UCCXers,
>>
>> I'm trying to avoid spinning up an entire lab to answer a simple question
>> that the SRND is glossing over.  "Can Agents log in to Finesse on the Island
>> Mode side opposite the CUCM Publisher if using LDAP Authentication?"
>>
>> What the SRND has to say about failover and Island Mode:
>>
>>
>> http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_W5EB2ACC_00
>>
>> A little further down in the SRND it talks about Finesse in Island Mode,
>> and it states that Agents can work on both sides, but it does not state if
>> that is: A) for only already logged in Agents, or B) for CUCM local
>> authentication or LDAP authentication or otherwise.
>>
>>
>> http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_F3A11E07_00
>>
>> This is a very shallow description of what I consider to be a very deep
>> topic, so I'm asking here for real world experience.
>>
>> Assume that we have two Data Centers: DC-A and DC-B.
>>
>> *DC-A Contains:*
>>
>>    - LDAP Server A
>>    - CUCM Publisher
>>    - UCCX Publisher (Currently Engine Master)
>>    - Agents
>>
>>
>> *DC-B Contains*
>>
>>    - LDAP Server B
>>    - CUCM Subscriber
>>    - UCCX Subscriber (Currently Engine Slave)
>>    - Agents
>>
>>
>> *Assumed Config*
>>
>>    - Call flows are internal, no voice gateways to worry about
>>    - CUCM LDAP Auth config is pointing at LDAP Server A first and LDAP
>>    Server B second
>>    - UCCX Publisher AXL/JTAPI config is pointing at CUCM Pub first and
>>    CUCM Sub second
>>    - UCCX Subscriber AXL/JTAPI config is pointing at CUCM Sub first and
>>    CUCM Pub second
>>    - UCCX CTI Route Points have Device Pool with CMG pointing at CUCM
>>    Pub first and CUCM Sub second
>>    - UCCX Publisher CTI Ports have Device Pool with CMG pointing at CUCM
>>    Pub first and CUCM Sub second
>>    - UCCX Subscriber CTI Ports have Device Pool with CMG pointing at
>>    CUCM Sub first and CUCM Pub second
>>
>>
>> *Question*
>>
>>    1. Can an Agent in DC-B, who was not logged in before Island Mode
>>    happened, now log in, while in Island mode?  Does CUCM's authentication
>>    method change the answer?  E.g., LDAP integrated user versus local user.
>>
>> Thank you.
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>
>