Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

First Published: 2020-11-02

Last Modified: 2022-03-03

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2023 Cisco Systems, Inc. All rights reserved.
 CONTENTS

CHAPTER 1 About 1
About 1
Updated Title for This Lab 1
Limitations/Disclaimer 1
Requirements 1
About This Solution 2
Transition Overview 3
Pre-Transition Steps and Consideration 3
Core Components Overview 5
Cisco Webex Overview 5
Accelerate Teamwork with These Tools 5
Cisco Webex Hybrid Services 6
Available Hybrid Services 7
Cisco Webex Calling Overview 7
Get Started 8
Updated Title for This Lab 8
Topology and Equipment Details 8
Session Users 9
Get Started 10

CHAPTER 2 Phase 0: Unified CM Calling 13

Mapping the Transition: Phase 0 – Unified CM Calling 13

Users in Phase 0 14

Configuring Okta for SSO – OnPrem CUCM and IMP Servers 14

SAML Overview 14
What is SAML SSO? 14

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

iii
Contents

SAML-Based SSO Features 14

Elements of a SAML SSO Solution 15
Module Objectives (Phase 0) 16
Module Notes (Phase 0) 17
Pre-Requisites (Phase 0) 17
Test Basic Functionality before Configuring SSO 18
Review Status Details of Jabber (On-Net) 18
Test Basic Functionality before Configuring SSO 22
Review Status Details of Jabber (Off-Net) over MRA 22
Prepare to Enable SAML SSO for Unified CM and IM and Presence 24
SAML SSO Configuration for Okta 24
Create an Okta Account and Provision AD Server with Okta Directory Connector 24
Download Okta Directory Connector on AD Server 29
Configure an LDAP Synchronized End User with the Administrative Privileges (Optional /
Information ONLY) 39
Obtain Metadata for the Unified CM and Unified IM and Presence 40

Configuring Okta as Identity Provider and Adding a Relying Party Trust for Unified CM and
IMP 41
Enable SSO for Unified CM and IM and Presence 47
Verify operation on Unified CM and IMP for SSO functionality 51
Optional Troubleshooting Notes in Case SSO is Not Enabled (OPTIONAL / TroubleShooting) 52
Testing SSO Username/Password Authentication 53
Headset Association to a User – Manual Process 54
Activate the Device Activation Service 54
Pre-Requisites 55
Checking Extension Mobility Service 55
Prepare to Enable SAML SSO for Expressway 57
SAML SSO Configuration for Okta 57
Elements of a SAML SSO Solution 57
Review Status Details of Jabber (Off-Net) over MRA 58
Extending (SSO) Authentication Over the Edge 61
Touchless Headset Extension Mobility Login 61
Module Overview 61
Activate the Device Activation Service 61

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

iv
 Contents

Enable Headset based Pinless Extension Mobility 66

Verify operation on Unified CM and IMP for SSO functionality 66
Prepare to Enable SAML SSO for Unified CM and IM and Presence 67
SAML Overview 67
What is SAML SSO? 67
Set Registration Method to Use Activation Codes 68
Optional Troubleshooting Notes in Case You Can’t Enter 16-digit Code over MRA 68
Device Onboarding with Activation Codes Task Flow in On-prem Mode 69
Obtain Metadata for the Unified CM and Unified IM and Presence 69

Testing SSO Username/Password Authentication 70

Log out User from Extension Mobility Using Headset 70
Device Onboarding via Activation Codes (On-Prem and over MRA) 70
Create an Okta Account and Provision AD Server with Okta Directory Connector 71
Validate PSTN Dialing – Optional Module 76
Testing Calls – Inbound from PSTN to Jabber Users 77
Testing Calls – Outbound to PSTN 77

CHAPTER 3 Mapping the Transition: Phase 1 – Hybrid Services 79

Users in Phase 1 79

User Synchronization 80
Option A: User/Contact Synchronization Using Migration Card (Manual Method) 80
Synchronizing Users from Unified CM to Webex 80
Import Users Using the Bulk Administration Tool in Cisco Unified CM 80
Option B: User Synchronization Using Directory Connector (Recommended Method) 85
Configuring Directory Connector for Identity Synchronization 85
Enable Hybrid Directory Connector 85
Configuring Okta for SSO – Webex Cloud 90
Test Basic Functionality before Configuring SSO 91
Configuring Okta as Identity Provider and Adding a Relying Party Trust for Webex 91
Testing SSO for KMelby and SMauk 97
Configuring Webex Hybrid Messaging Service 97
Enabling the Message Connector 98
Enabling Hybrid Message Service for Users 101
Testing the Hybrid Message Service 101

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

v
 Contents

Configuring Hybrid Calling for Cisco Webex Devices (Device Connector) 102
Configuring Hybrid Calling for Cisco Webex Devices in Cisco Webex Control Hub (Information
ONLY) 104
Configuring Domain Verification 104
Registering Devices to Control Hub 106
Enabling the Device Connector 109
Configuring Call Service to Connect SIP Destination 110
Configuring Cisco Unified CM for Hybrid Calling 111
Configuring the Expressway-E for Hybrid Call Service 114
Configuring Expressway-E Webex Zone (X8.11 and Later) 115
Configuring a Secure Traversal Server Zone to Expressway-C 116
Creating Search Rules on Expressway-E 116
Call Policy Rules 117
Configuring the Expressway-C for Hybrid Calling 120
Configuring a Secure Traversal Client Zone to Expressway-E 120
Creating a Neighbor Zone for Each Unified CM Cluster 120
Configure Search Rules on Expressway-C 121
Configuring Hybrid Call Service for Cisco Webex Devices 122
Creating a Directory Number for a Workspace 123
Creating a Unified CM Account for a Workspace 123
Creating a Spark-RD for Cisco Webex Devices 124
Updating a Workspace for Hybrid Calling 125
Migrate and Syncing Unified CM and Control Hub with the Webex Device Connector Tool 126
Testing the Hybrid Room Device 128
Phase 2 Options 128

CHAPTER 4 Phase 2 Option: Calling in Webex (Unified CM) 129

Mapping the Transition: Phase 2 - Calling in Webex (Unified CM) 129
Users in Phase 2 129

Migrating Jabber Users from On-Prem UC to Cisco Webex Using Connected UC 130
Creating Agent Install File and On-Prem Cluster Group 130
On-Boarding On-Prem UCM Server by Installing the Agent File 132
Optional: On-Boarding On-Prem IMP Server by Running ucmgmt Commands 136
Migrate Jabber Users Using Cloud Connected UC 139

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

vi
 Contents

Migrate Personal Contacts to Webex App 141

Testing Calling and Contacts Migration 149
Testing Calls – Inbound from PSTN to Webex 150
Testing Calls – Inbound from PSTN to Webex (Unified CM Calling) 150

CHAPTER 5 Phase 2 Option: Webex Calling 153

Mapping the Transition: Phase 2 - Webex Calling 153

Users in Phase 2 153

Configure Local Gateway for PSTN Calling 154

Adding a Telephone Number and Assigning to a Location 156
Configure Premises-Based PSTN 158
Local Gateway 158
Using Trunks 158
Add a Trunk 159
Option A: Add a Trunk Using PowerShell Script 159
Configuring the Local Gateway (Automated Method) 159
Option B: Add a Trunk Using Manual Steps 162
Add a Trunk 162
Local Gateway Configuration 163
Local Gateway Certificate Configuration and Verification 166
Configuring SIP Profile 171
Migrate Calling from On-Prem UCM to Cisco Webex 184
Updating the On-prem Services 192
Updating the DNS SRV Records – Information Only 193
Configuring Webex for All Users 194
Test PSTN Calls via Local Gateway for Migrated Users 195
Testing Calls – Inbound from PSTN to Webex 197
Testing Calls – Outbound to PSTN 198
Configuring MPP Devices Using Global Discovery Service 198
Configuring Room Devices for Webex Calling 199
Migrate Enterprise Phones to Multiplatform (MPP) Firmware 200

CHAPTER 6 Firmware Migration 207

Firmware ONLY Migration from ENT to MPP 207

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

vii
 Contents

Rename This Task 1 207

Rename This Task 2 207

Rename This Task 3 208

Rename This Task 4 208

CHAPTER 7 Appendix 209

Creating and Confirming an Application User 209

Enabling the Users For Webex Calling (Unified CM) 210
Set Calling Behavior in Control Hub (Phase 1) 210

CHAPTER 8 What's Next 213

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

viii
 CHAPTER 1
About
• About, on page 1
• Get Started, on page 8

About
Updated Title for This Lab
This lab was previously titled Transitioning from Unified CM to Webex Calling Lab. We updated the title
to better reflect the lab objectives.

Limitations/Disclaimer
Collaboration Transitions is focused on moving collaboration workloads from existing on-premises, hybrid,
and cloud products and solutions to the latest on-premises, hybrid, and cloud-delivered collaboration services.
As customers transition existing collaboration workloads to the newest collaboration applications and services,
they must understand the implications of this transition and the steps required to make the transition.
There are various ways this can be accomplished, depending on the situation and the customer's
goals/requirements. Please ensure that you consult all current official Cisco documentation before proceeding
with a design or installation. This lab is primarily intended to be a learning tool and may not necessarily follow
best practice recommendation at all times, in order to convey specific information.

Requirements
Required Optional
Cisco AnyConnect® client None
Laptop
Cisco Multiplatform Phone for Webex Calling; alternatively can use Webex clients
For room devices, you need one of the following:
Cisco Webex Desk Series/Room Series/Board Series

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

1
 About
About This Solution

About This Solution

With the growth of cloud-delivered collaboration services, more and more customers are looking to move
their existing collaboration workloads to the cloud given the promises of reduced total cost of ownership,
simplified management, continuous feature delivery, increased scale, and superior reliability inherent in
cloud-based services. As customers look to make the transition from on-premises to cloud collaboration
services, it’s important for them to understand what the transition entails and the steps required to make the
transition.
Customers who wish to start leveraging Cisco cloud calling services should consider Cisco Webex. The cloud
calling service allows the customer to leverage the Cisco Webex global architecture for scale and connectivity.
Participants on the corporate network and remote participants outside the corporate network can communicate
using IP-based hardware endpoints or desktop or mobile soft client applications.
Customers who have an on-premises call control with Unified CM, desk and video IP endpoints have a choice
of transitioning the architecture toward a Cisco Webex Calling cloud architecture.

The decision needs to be made based on customer’s functionality requirements. Customers that have the
following requirements should consider carefully before making this decision and may ultimately decide to
keep call control on-premises:
• Phone models other than Cisco 7800 and 8800 IP phone series.
• Complex or numerous integrations with other on-premises systems.
• Complex dial plan and/or highly granular classes of service.
• Calling predominately within the organization.
• Restrictive, limited, or unreliable Internet access.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

2
 About
Transition Overview

• Stringent data privacy and ownership policies.

• Compliance requirement for on-premises or in-country media recording and storage.

Note More information can be found at https://www.cisco.com/go/ct

Transition Overview
This lab will focus on a phased transition. As shown in below image, the initial transition phase (Phase 1)
results in a hybrid deployment with dual call control where some devices are transitioned to cloud calling and
other devices maintain on-premises call control for registration and call routing.
The final transition phase (Phase 2) results in a pure cloud calling environment where all devices have been
fully transitioned to cloud call control. Notice there are two options. Choose the Phase 2 option that fits your
needs:
• Phase 2: Calling in Webex (Unified CM) Cloud
• Phase 2: Webex Calling

Note It is possible that some organizations may maintain a hybrid dual call control deployment.

Pre-Transition Steps and Consideration

Below is a summary of pre-transition items/steps to consider when performing the transition from Unified
CM on-premises calling to Webex Calling.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

3
 About
Pre-Transition Steps and Consideration

Pre-Transition Consideration Summary

Perform network readiness assessment It is recommended to confirm network bandwidth availability,
ensure QOS requirements are met and FW ports are opened.
Perform initial readiness assessment of Prior to transition, to determine the feasibility and potential
existing deployment. modifications required, it is important to consider each of the
following aspects of your existing deployment. That includes
Licenses, Platform, Devices, Local Gateways, Network
Connectivity, Voicemail, Call Recording.
Understand Webex Calling region selection Cisco Webex Calling operates four regional platforms: North
America, EMEAR, APJC (Japan) and APJC (Australia). Each
Webex Calling instance provides redundant datacentres within
that region.
Each Webex Calling customer is provisioned on one of the
four Webex Calling instances. All provisioning information
of that customer is stored in that Webex Calling instance and
the SIP signalling of all endpoints and Local Gateways
provisioned for that customer is tied to the Webex Calling
instance the customer is provisioned on. Hence it is important
to select the right region for your deployment.

Analyze deployment dial plan
Inventory existing locations/ sites
Understanding PSTN access options
Each user in Webex Calling is provisioned with an extension.
For inter-site dialing use non-overlapping abbreviated dialing
habits. For a smooth transition the set of dialing habits for users
before and after transitioning to Webex ideally should be the
same.
For transitioning the information for Extension Ranges,
DID,PSTN Steering Digit, Site Code ,Main Number VM
number, Concurrent calls during busy hour, Country, Time
Zone, Language, Contact/Address need to be collected.
A local gateway is required to create a connection between
Unified CM and Webex Calling as long as Unified CM and
Webex Calling coexist. PSTN in Webex Calling can either be
facilitated by a (CCP) provider via a Local GW or Cisco PSTN.

Inventory existing endpoints/clients
Before beginning the transition it’s important to inventory your
existing hardware and software endpoints. Having a complete
list of phone types, models, and quantities will ensure you can
adequately plan for transitioning endpoints and mitigating the
impact to your deployment for those devices that cannot be
migrated to cloud calling. The inventory should be used to
determine the endpoints to transition, the endpoints to replace
prior to the transition, and the endpoints that may remain
managed and registered to on-premises call control.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

4
 About
Core Components Overview

Pre-Transition Consideration Summary

Inventory and plan for existing users
transition to Webex Calling.
Determine which users within the existing set of on-premises
calling users will be transitioned to Webex Calling. If all users
will be transitioned, but the number of users is large, it is a
good idea to move users in groups in order to ensure that IT
staff and support personnel are able to handle the transition
and any issues that may arise.

Core Components Overview

The target architecture for this lab migration includes several new components. This includes the Cisco Webex
Calling service for cloud-based calling, Cisco Webex client application, Cisco Directory Connector for identity
integration, Cisco Webex Meetings, OKTA to provide SSO and Local Gateway IOS-XE router for PSTN
access as well as on-premises to cloud calling integration. Cisco PSTN and Cloud Connected PSTN (CCP)
facilitated by a provider partner is another option for PSTN access that will not be covered in this lab guide.

Cisco Webex Overview

Never before have we seen business innovation this rapid, and competition this intense. Businesses will rise
and fall by the strength of the teams that fuel their agility. Teams that include not only internal colleagues,
but ecosystems of external experts and partners as well. To support your teams, you need tools that bring
people together easily and enable them to work together productively. At the same time, you need to meet
increasingly complex security and compliance requirements, which are key to keeping your information safe
and secure. It’s time for you to look at the team collaboration experience enabled by Cisco Webex.
Cisco Webex is an easy-to-use collaboration solution that keeps people and teamwork connected anytime,
anywhere. With Webex, you create secure virtual workspaces for everything, from completing short-term
projects to solving longer-term business opportunities. Simplify day-to-day interactions with messaging and
file sharing that can be enhanced with third party app integrations for a seamless workflow. Increase productivity
and engagement with real-time communications. Start calls instantly, have high-quality video meetings with
screen-sharing at the touch of a button, and stay connected after. Express your ideas on digital whiteboards
that colleagues can add to at any time. When teamwork flows into meeting rooms, bring the Webex experience
with you. Just connect the app to a Webex device to start meetings wirelessly, share your screen, capture
life-size whiteboard drawings, and more. That’s Webex. Moving all your work forward. Are you in?
Communication needs to be agile, mobile, and collaborative—all thanks to mobile devices and evolving
innovations in infrastructure and applications. The Cisco Webex service makes instant communications and
live meetings possible through a deeply integrated set of industry-leading communications tools for an
unmatched collaboration experience—that only the Cisco cloud can deliver. Webex has a continuous delivery
model, which means features are released on a regular basis. Check help.webex.com to keep updated of all
the latest info.

Accelerate Teamwork with These Tools

Messaging and content sharing: Use teams and spaces to easily bring people together. Send messages, meet,
share files, and whiteboard. Spend less time chasing email and instant messaging, more time getting work
done.
Team-based meetings: Maximize productivity. Anyone in a space can schedule, start, and record meetings.
Keep work moving after the meeting in the connected workspace.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

5
 About
Cisco Webex Hybrid Services

Whiteboarding: Collaborate on sketches in the app. Or take Cisco Webex capabilities to the next level with
Cisco Webex Board’s all-in-one wireless presentation, digital whiteboarding, and video conferencing.
Calling: Handle calls where you want—in the app, on an IP phone, or with a conference-room video device.
Deploy in the cloud with Cisco Webex Calling or connect to on-premises or partner-hosted telephony services.
Integrations and bots: Help users rely on fewer systems and apps by bringing them together in Webex. Use
integrations to streamline work flows and bots to automate actions. Visit the Webex App Hub to explore more.

Cisco Webex Hybrid Services

Increase the benefits of your on-premises unified communications and collaboration investment with Cisco
Webex Hybrid Services. They simplify connecting your existing network resources and on-premises unified
communications services to the Cisco Webex platform in the cloud. This provides even greater collaboration
capabilities, along with consistent, unified user and administrator experiences.
More and more, organizations are choosing collaboration services from the cloud. Why? Cloud services:
• Are easier and faster to deploy.
• Don't require the upfront capital investment of on-premises systems.
• Can free up IT staff to focus on other priorities.

Many organizations, however, are unable or unwilling to move all their services to the cloud. Often, they are
not ready to replace everything they have on premises, or they simply want to augment their current

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

6
 About
Available Hybrid Services

collaboration tools with those from the cloud. But having tools from both the cloud and the premises can
create inconsistent, disjointed user experiences and tools that don't work together as one.
Cisco solves this problem with Cisco Webex Hybrid Services. These services connect what you have
on-premises with Cisco Webex in the cloud to provide a single integrated experience. If you like the capabilities
of Webex, you can integrate those capabilities with what you currently deploy for an even better end-user and
administrator experience.

Available Hybrid Services

Hybrid Calendar Service: This service integrates your on-premises Microsoft Exchange, Office 365, or
Google Calendar with Cisco Webex and Cisco Webex Meetings capabilities. Hybrid Calendar Service easily
and automatically creates a Cisco Webex workspace when scheduling meetings. For example, adding the
phrase “@webex” to the invite’s location field automatically populates the meeting join information. Hybrid
Calendar Service also allows Cisco Webex users to press a single button to join almost any upcoming meeting
within the app itself and on a video device.
Hybrid Directory Service:This service connects Active Directory to Cisco Webex and enables a user to see
all company contacts in the Cisco Webex app so that they can click to meet, message, or call. It also provides
user synchronization between Microsoft Active Directory and Cisco Webex user management. Hybrid Directory
Service simplifies the administrative experience by automatically synchronizing Microsoft Active Directory
users with Cisco Webex (creating, updating, deleting) so that users are always current in Cisco Webex.
Cisco Webex Video Mesh: This revolutionary capability removes the deployment decision of premises versus
cloud for Cisco Webex video meetings. It places our Cisco Webex meeting engine on-premises to provide
local media processing. The result is on-premises video quality and optimized Internet bandwidth. And it
delivers this with simplicity, flexibility, and rapid iteration of new functionality of the cloud.
Hybrid Data Security Service: Ideal for security-conscious customers, Cisco Hybrid Data Security Service
takes our industry-defining data security a step further by allowing customers to own and manage their own
keys on premises. You will still experience end-to-end encryption, helping ensure that all messages, files, and
whiteboards remain secure and available at all times, while retaining full access to features such as search.
With Cisco Webex, your data is private. This includes all content, messages, and files—even your whiteboard
drawings.

Cisco Webex Calling Overview

For businesses that have been waiting for a trusted brand to deliver a globally available, multi-tenant cloud-based
alternative to their on-premises PBX, the wait is over. Cisco Webex Calling delivers all the features of a
traditional PBX through a monthly subscription service. Important qualities include:
• An advanced set of enterprise-grade PBX features
• A rich user experience that includes the Cisco Webex app for mobile and desktop users.
• Support for an integrated user experience with Cisco Webex Meetings and Webex devices, including
Cisco IP Phones 6800, 7800, and 8800 Series desk phones and analog ATAs
• Delivery from a set of regionally distributed, geo-redundant data centers around the globe
• Service that is available across a growing list of countries in every region
• Protection of existing investment in any on-premises Cisco Unified Communications Manager (UCM)
licenses, through the Cisco Collaboration Flex Plan

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

7
 About
Get Started

• A smooth migration to the cloud at your pace, through support of cloud and mixed cloud and on-premises
deployments

Get Started
Updated Title for This Lab
This lab was previously titled Transitioning from Unified CM to Webex Calling Lab. We updated the title
to better reflect the lab objectives.

Topology and Equipment Details

This demonstration includes several server virtual machines. Most of the servers are fully configurable using
the administrative level account. Administrative account details are included in the lab guide steps where
relevant and in the server details table.

Name Description Host Name (FQDN) IP Address Username Password

CUCM1 Cisco Unified cucm1.dcloud.cisco.com 198.18.133.3 administrator dCloud123!
Communications
Manager 12.5
IM & P IM & Presence 12.5 cup1.dcloud.cisco.com 198.18.133.4 administrator dCloud123!
Exp-C Expressway-C vcsc.dcloud.cisco.com 198.18.133.152 admin dCloud123!
(Core) X12.5
Exp-E Expressway-E vcse.cbXXX.dc-YY.com Public IP (see admin Session Details
(Edge) X12.5 session details) > AnyConnect
Credentials >
Password*

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

8
 About
Session Users

Name Description Host Name (FQDN) IP Address Username Password

Exp-Base Expressway-C exp-cc.dcloud.cisco.com 198.18.133.223 admin dCloud123!
Connector Host
X12.5
Local CSR1000V N/A 198.18.133.226 admin dCloud123!
Gateway
AD1 Active Directory, ad1.dcloud.cisco.com 198.18.133.1 administrator dCloud123!
DNS, AD FS
Exchange Microsoft Exchange mail1.dcloud.cisco.com 198.18.133.2 administrator dCloud123!
2016
Workstation Windows 10 wkst1.dcloud.cisco.com 198.18.1.36 cholland dCloud123!
1
Workstation Windows 10 wkst2.dcloud.cisco.com 198.18.1.37 aperez dCloud123!
2
Workstation Windows 10 wskt3.dcloud.cisco.com 198.18.1.38 kmelby dCloud123!
3

*You can find your unique Expressway-E password in your dCloud Session Details.

Session Users
This table contains details on preconfigured users available for your session.

Note The ZZZZ portion of the password is the last four digits of our Session ID found in your sessions's Details
tab.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

9
 About
Get Started

User Name User Password Endpoint Internal Deployment

ID Devices Extension Model
Anita Perez aperez dCloud123! Cisco Jabber 6017 OnPrem
Anita Perez aperez dCloudZZZZ! Webex 6017 Cloud
Charles Holland cholland dCloud123! Cisco Jabber 6018 OnPrem
Charles Holland cholland dCloudZZZZ! Webex 6018 Cloud
Taylor Bard tbard dCloud123! Cisco Jabber 6021 OnPrem
Taylor Bard tbard dCloudZZZZ! Webex 6021 Cloud
Kellie Melby kmelby dCloud123! Cisco Jabber 6050 OnPrem
Kellie Melby kmelby dCloudZZZZ! Webex 6050 Cloud
Stefan Mauk Smauk dCloud123! Cisco Webex 6072 OnPrem
Stefan Mauk Smauk dCloudZZZZ! Webex 6072 Cloud
Rebekah rbarretta dCloud123! Cisco Jabber 6088 OnPrem
Barretta
Rebekah rbarretta dCloudZZZZ! Webex 6088 Cloud
Barretta

Get Started
Follow the steps to schedule a session of the content and configure your presentation environment.

Procedure

Step 1 Initiate your dCloud session. [Show Me How] (Skip if you are in a proctored environment.)
Note It may take up to 45 minutes for your session to become active.

Step 2 For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the
local RDP client on your laptop [Show Me How]
Step 3 The lab requires desk phones some to be loaded with latest firmware.
Step 4 The room devices (Webex Desk Series / Webex Room Series / Webex Board Series) also require vCE8.1+
firmware. If you are in a proctored environment, your proctor should have installed the correct firmware on
your room device. Another way to update the room device is to download the .pkg file from cisco.com and
upgrade the device directly. TIP: You can click here to get help with the upgrade process.
Step 5 After confirming the devices have the correct firmware and are not in a factory reset state, perform a factory
reset on each device before starting the lab. (Skip if you are in a proctored environment.)
Note For best results, use either the Chrome or Firefox web browsers.

Step 6 To demonstrate Cisco Webex hybrid services, Cisco Jabber/Webex is used in the lab. You also have the
capability to attach a dCloud router and self-provision any physical phone to demonstrate hybrid services.
Step 7 Check that the Collaboration Edge capabilities are properly provisioned in your session.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

10
About
Get Started

• On Workstation 1, open a browser tab and go to Collaboration Admin Links > Cisco Expressway –
C. Log in with Username: admin and Password: dCloud123! Accept any security message you may be
shown.
• Navigate to Configuration > Zones > Zones tab and confirm all Traversal client zones show SIP status
as Active. DefaultZone should show SIP status as On.

Note If any of these zones do not have an Active SIP Status, the session is corrupted and you will not
be able to proceed. Please End the current session and start up a new one. This does happen
occasionally due to automation errors.

Step 8 In order to run this lab, you need some information from the Session Details tab on your dCloud dashboard
session page. Obtain the Collaboration Edge domain information.
Important Each session has a unique domain. The image below is only an example. Do not use the information
in the image below for your session. It is highly recommended to take note of this information
now so that you can refer to it throughout the lab.

a) Obtain the Webex password. It is highly recommended to take note of this information now so that you
can refer to it throughout the lab.
Important Each session has a unique domain. The image below is only an example of how to discover
your Webex password in the Details section of your dCloud session. Do not use the
information in the image below for your session. When prompted in this lab, replace ZZZZ
with the last four digists of your Session ID.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

11
 About
Get Started

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

12
 CHAPTER 2
Phase 0: Unified CM Calling
• Mapping the Transition: Phase 0 – Unified CM Calling, on page 13
• Users in Phase 0, on page 14
• Configuring Okta for SSO – OnPrem CUCM and IMP Servers, on page 14
• Headset Association to a User – Manual Process, on page 54
• Extending (SSO) Authentication Over the Edge, on page 61
• Set Registration Method to Use Activation Codes, on page 68
• Validate PSTN Dialing – Optional Module, on page 76

Mapping the Transition: Phase 0 – Unified CM Calling

In Phase 0 of this lab guide we will be focusing on on-prem deployments. A typical on-prem deployment
includes different collaboration infrastructure components on the network, a call control platform, and an
edge platform, hardware and software endpoints, and in some cases even conferencing and scheduling platforms.
In the Cisco architecture this would include Cisco Unified CM for call control, Cisco Expressway for remote
access and business-to-business (B2B) edge services, Cisco Meeting Server / Cisco Meeting Management
for on-premises conferencing, Cisco Unity Connection for voice messaging, and user-facing hardware (Cisco
IP Phones and Cisco Webex Room Endpoints) and software (Cisco Jabber/Webex) IP-based endpoints.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

13
 Phase 0: Unified CM Calling
Users in Phase 0

Users in Phase 0
User Name User Password Endpoint Internal Deployment
ID Devices Extension Model
Charles cholland dCloud123! Cisco Jabber 6018 OnPrem
Holland
Anita Perez aperez dCloud123! Cisco Jabber 6017 OnPrem
Kellie Melby kmelby dCloud123! Cisco Jabber 6050 OnPrem

Configuring Okta for SSO – OnPrem CUCM and IMP Servers

SAML Overview
What is SAML SSO?
SAML is an XML-based open standard data format that enables administrators to access a defined set of Cisco
collaboration applications seamlessly after signing into one of those applications. SAML describes the exchange
of security-related information between trusted business partners. It is an authentication protocol used by
service providers (for example, Cisco Unified Communications Manager) to authenticate a user. SAML
enables exchange of security authentication information between an Identity Provider (IdP) and a Service
Provider.
SAML SSO uses the SAML 2.0 protocol to offer cross-domain and cross-product single sign-on for Cisco
collaboration solutions. SAML 2.0 enables SSO across Cisco applications and enables federation between
Cisco applications and an IdP. SAML 2.0 allows Cisco administrative users to access secure web domains to
exchange user authentication and authorization data between an IdP and a Service Provider while maintaining
high security levels. The feature provides secure mechanisms to use common credentials and relevant
information across various applications.
SAML SSO establishes a Circle of Trust (CoT) by exchanging metadata and certificates as part of the
provisioning process between the IdP and the Service Provider. The Service Provider trusts the IdP's user
information to provide access to the various services or applications. In this interaction, the Service Provider
(SP) would be Unified CM and Unified IM and Presence.
The client authenticates against the IdP and the IdP grants an Assertion to the client. The client presents the
Assertion to the Service Provider. Since there is a CoT established, the Service Provider trusts the Assertion
and grants access to the client.

SAML-Based SSO Features

• Reduces password fatigue by removing the need for entering different username and password
combinations.
• Transfers the authentication from your system that hosts the applications to a third-party system. Using
SAML SSO, you can create a circle of trust between an IdP and a service provider. The service provider
trusts and relies on the IdP to authenticate the users.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

14
 Phase 0: Unified CM Calling
Elements of a SAML SSO Solution

• Protects and secures authentication information. It provides encryption functions to protect authentication
information passed between the IdP, service provider, and user. SAML SSO can also hide authentication
messages passed between the IdP and the service provider from any external user.
• Improves productivity because you spend less time re-entering credentials for the same identity.
• Reduces costs as fewer help desk calls are made for password reset, thereby leading to more savings.

Elements of a SAML SSO Solution

• Client (the user’s client): This is a browser-based client or software client that can leverage a browser
instance for authentication. For example, a system administrator’s browser.
• Service Provider: This is the application or service that the client is trying to access. For example, Cisco
Unified Communications Manager.
• An Identity Provider (IdP) Server: This is the entity that authenticates user credentials and issues
SAML Assertions.
• SAML Assertion: It consists of pieces of security information that are transferred from IdPs to the
service provider for user authentication. An assertion is an XML document that contains trusted statements
about a subject including, username and privileges. SAML assertions are usually digitally signed to
ensure their authenticity.
• SAML Request: This is an authentication request that is generated by a Unified Communications
application. To authenticate the LDAP user, the Unified Communications application delegates an
authentication request to the IdP.
• Circle of Trust (CoT): The various service providers that share and authenticate against one IdP in
common.
• Metadata: An XML file generated by an SSO-enabled Unified Communications application, such as
Cisco Unified Communications Manager as well as an IdP. The exchange of SAML metadata builds a
trust relationship between the IdP and the service provider.
• Assertion Consumer Service (ACS) URL: This URL instructs the IdPs where to post assertions. The
ACS URL tells the IdP to post the final SAML response to a particular URL.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

15
 Phase 0: Unified CM Calling
Module Objectives (Phase 0)

Module Objectives (Phase 0)

In this module, we will perform the following tasks:
• Log in into Jabber client as Charles Holland and Anita Perez to see the sign in process before configuring
SSO
• Create a Circle of Trust (CoT) between OKTA (IdP) , Unified CM and IM and Presence (SP)
• Enable SSO for Unified Communications Manager and Unified IM and Presence
• Test Username/Password authentication by accessing Web Interfaces and Cisco Jabber
• Download OKTA Directory Connector on the AD server
• Create OKTA account and provision users in on-premises products using OKTA Directory Connector

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

16
 Phase 0: Unified CM Calling
Module Notes (Phase 0)

Module Notes (Phase 0)

Note Because of the lab environment, we will be using LDAP to sync users between CUCM and Active Directory.
In the interest of time, this step has already been configured. The sync users can be viewed by selecting the
end-user option in CUCM portal. The image below gives an overview of the integration.
*Provision can work with LDAPS to Okta cloud directly, but it’s not recommended and not covered in this
lab guide.

Pre-Requisites (Phase 0)
These are the dependencies that must be in place and functional prior to the implementation of SAML SSO
for Cisco Unified Communications.

Important ALL of these pre-requisite requirements have been met during lab configuration activities or as part of the
pre-configuration of the lab environment.

• NTP – All components of the solution must be configured to use a reliable NTP source for clock
synchronization. This requirement is already provisioned across all installed Cisco Collaboration
Applications (Services Providers).
• DNS – All hosts involved in SSO transactions must be fully resolvable by FQDN via DNS. All of the
Service Providers (cucm1.dcloud.cisco.com, cup1.dcloud.cisco.com) have DNS A (Host) records
and are resolvable by FQDN.
• Directory Setup – LDAP directory synchronization is a prerequisite and a mandatory step to enable
SAML SSO across various Unified Communications applications in this Lab guide. Synchronization of
Unified Communications applications with an LDAP directory allows the administrator to provision
users easily by mapping Unified Communications applications data fields to directory attributes. This
requirement is already been met.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

17
 Phase 0: Unified CM Calling
Test Basic Functionality before Configuring SSO

• Certificates signed by a CA – In SAML SSO, the IdP and service providers must have CA signed
certificates with the correct domains in the CN or SAN. If the correct CA certificates are not validated,
the browser issues a pop up warning. We have performed the certificate management required to meet
this pre-requisite as part of our deployment activities. All Tomcat certificates are signed using multi
SAN entries.

Test Basic Functionality before Configuring SSO

Note CUCM/IMP/Expressway servers are pre-configured with all the basic configuration, including partitions,
calling search spaces, CSF, SIP trunks, service profiles, zones, Search Rules, etc. The following section will
test basic Jabber connectivity from on-prem and MRA before we proceed further in this lab guide.

Review Status Details of Jabber (On-Net)

Procedure

Step 1 From your dCloud session connect to wkst1.dcloud.cisco.com (Charles Holland) and wkst2.dcloud.cisco.com
(Anita Perez).
Step 2 On WKST1, open Cisco Jabber enter [email protected] and click Continue. Enter cholland
for username and dCloud123! for the password. Click Login.
Step 3 On WKST2, open Cisco Jabber enter [email protected] and click Continue. Enter aperez for
username and dCloud123! for the password. Click Login.
Note Remember to replace XXX and YY from your Session Details page. The images below are taken
from signing in on a windows machine.

Step 4 Observe that Charles Holland and Anita Perez are logged in to the Jabber client. You will be able to call and
send messages between the clients.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

18
Phase 0: Unified CM Calling
Review Status Details of Jabber (On-Net)

Step 5 Click the picture icon

[ ]
and choose My profile to display and confirm information about Charles Holland. Click Cancel to close.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

19
 Phase 0: Unified CM Calling
Review Status Details of Jabber (On-Net)

Step 6 To test Directory lookup, type Ani in the Search or Call field (not case sensitive).
Step 7 Observe the contact record for Anita Perez is displayed.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

20
Phase 0: Unified CM Calling
Review Status Details of Jabber (On-Net)

Step 8 Click the Menu icon

[ ]
on the top right if using windows and choose Help > Show connection status to confirm the Jabber client
has active connectivity to provisioned services.
• Softphone
Status: Connected
Address: cucm1.dcloud.cisco.com
• Presence
Status: Connected
Address: cup1.dcloud.cisco.com
• Outlook address book
Status: Last connection successful
• Directory
Status: Last connection successful
Address: cucm1.dcloud.cisco.com (Automatically discovered through service discovery)

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

21
 Phase 0: Unified CM Calling
Test Basic Functionality before Configuring SSO

Step 9 Click Close to exit the Connection Status window. This completes service discovery validation and Jabber
client connectivity.
Step 10 Open a browser session.
Step 11 From the dCloud homepage, choose Collaboration Admin Links > Cisco Unified Communications
Manager or enter https://cucm1.dcloud.cisco.com
Step 12 Log in with username Administrator and password dCloud123!
Step 13 From the menu, choose Device > Phone.
Step 14 Click Find.
Step 15 Observe the Client Services Framework device (Jabber softphone) named CSFCHOLLAND and CSFAPEREZ
is actively registered with the IP address of wkst1.dcloud.cisco.com (198.18.1.36) and wkst2.dcloud.cisco.com
(198.18.1.37).

Step 16 Quit Jabber by choosing Menu > Exit or simply sign-out of Jabber.

Test Basic Functionality before Configuring SSO

Note CUCM/IMP/Expressway servers are pre-configured with all the basic configuration, including partitions,
calling search spaces, CSF, SIP trunks, service profiles, zones, Search Rules, etc. The following section will
test basic Jabber connectivity from on-prem and MRA before we proceed further in this lab guide.

Review Status Details of Jabber (Off-Net) over MRA

Note Please connect to Jabber client on your mobile or remote device that is not part of/connected to this session.

Procedure

Step 1 On your mobile or remote device, open Cisco Jabber and enter [email protected].
Step 2 Click Continue. Enter cholland for username and dCloud123! for the password and click Login.
Note If you get a warning for Voicemail credentials, please ignore the message as Unity Connection
is not part of this lab guide.

Step 3 Test contact search by typing Ani in the search window and confirm that the lookup returns a contact record
for Anita Perez.

Step 4 If connected using a remote laptop, click the Menu icon [ ] on the top right if using windows and choose
Help > Show connection status to confirm the Jabber client has active connectivity to provisioned services.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

22
Phase 0: Unified CM Calling
Review Status Details of Jabber (Off-Net) over MRA

Note Depending on your remote Jabber client the below image might be different for your session.
For the MRA test we are using Jabber on Mac. You will notice Desk Phone Server and Voicemail
Server as Disconnected. Please ignore as it is not part of this lab guide.

Step 5 From the dCloud homepage, navigate to Collaboration Admin Links > Cisco Unified Communications
Manager or enter https://cucm1.dcloud.cisco.com
Step 6 Log in with username Administrator and password dCloud123!
Step 7 From the menu, navigate Device > Phone.
Step 8 Click Find.
Step 9 Observe that the Client Services Framework device (Jabber softphone) named CSFCHOLLAND is actively
registered with the IP address of Expressway-C (198.18.133.152). This is because Expressway-C serves is
the anchor point for SIP Registration with Unified CM for all MRA sessions.

Note Depending on the remote device you logged into, the Expressway-C information can be seen
under BOT- or TCT-registered device.

Step 10 You can test chat and calling between MRA registered client (cholland on your remote device) and ON-Prem
registered client (aperez on WKST2).
Step 11 Quit Jabber by choosing Menu > Exit.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

23
 Phase 0: Unified CM Calling
Prepare to Enable SAML SSO for Unified CM and IM and Presence

Prepare to Enable SAML SSO for Unified CM and IM and Presence

SAML SSO Configuration for Okta
This section describes the steps to configure SAML SSO using Okta as the Identity Provider (IdP).

Create an Okta Account and Provision AD Server with Okta Directory Connector

Procedure

Step 1 If not already connected, use Cisco AnyConnect to VPN into your lab session or connect via RDP session to
Workstation 1 (198.18.1.36) and log in as dcloud\cholland with password dCloud123! Ignore/accept any
security warnings.
Step 2 Open Microsoft Outlook using the icon in the taskbar

[ .]
Step 3 For profile name, enter Charles and click OK.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

24
Phase 0: Unified CM Calling
Create an Okta Account and Provision AD Server with Okta Directory Connector

Step 4 In the Inbox, you should see an email with the subject line CLOUD TRIALS EMAIL ADDRESS. Capture
the email address that begins with trial, this will ensure a unique email address is used when creating Okta
account. This email address will route to Charles Holland’s email box.

Step 5 We will create an Okta account. Open the browser and browse to the following url: https://okta.com/free-trial/
. Fill in the required information and click Get Started.
Step 6 You will receive a success message from Okta and an email will be send to Charles Holland inbox. On the
same page, you will get a unique url that will be used when we configure SSO and to access our Okta account
later. Please keep a note of that url and login info.
Note The Org URL is the one you will use when accessing the Okta page. If you don't receive an email
from Okta with account information, go through the above step again to create the account.

Note The URL and the login info generated above will be different and unique for each session. Please
keep a note of your session url and login info.

Step 7 Click the Org URL for the Okta homepage. Log in using the email ID you created the trial with (also on this
screen) and the temporary password. (Both the email ID and the temporary password are provided in the
Welcome email you received.) Click Sign In.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

25
 Phase 0: Unified CM Calling
Create an Okta Account and Provision AD Server with Okta Directory Connector

Step 8 You will be prompted to set a new password. Set the password to dCloud123!. Click Change Password.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

26
Phase 0: Unified CM Calling
Create an Okta Account and Provision AD Server with Okta Directory Connector

Step 9 Once logged in, click Admin on the top-right corner.

Step 10 Okta requires you to select a multifactor authentication to add an additional layer of security. Under Okta
Verify, click Setup and follow the on-screen steps to set up the multifactor authentication. (You can choose
either to Enter the Code option for next sign in or the Push Notification.) Once you scan the QR code and set
up the Okta Verify app on your mobile, click Finish.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

27
 Phase 0: Unified CM Calling
Create an Okta Account and Provision AD Server with Okta Directory Connector

Note You have to use your iPhone or Android device to receive a single-use code. You can download
the Okta Verify app or Cisco DUO from Appstore (iPhone) or from Google Play Store (Android).

Step 11 Using your authenticator app (such as DUO), scan the barcode. Click Next.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

28
 Phase 0: Unified CM Calling
Download Okta Directory Connector on AD Server

Step 12 Log in to Okta and click Admin at the top-right corner. Either enter the code or verify with push notification
from mobile to complete the login. You will be logged into Okta as an administrator and your account is
created.

Download Okta Directory Connector on AD Server

Okta integrates with Active Directory using lightweight agents that run on any Windows machine with read
access to the domain controller, and requires no changes to firewall settings. Okta supports delegated
authentication, provisioning and deprovisioning, directory sync, and AD password management. Whenever
a change occurs in either direction between Active Directory or Okta, those changes are synchronized
incrementally. To enable AD integration and configure SSO for our users, we will install the Okta Directory
Connector and import AD users and groups into Okta.

Note Make sure you download the Okta Directory Connector on the AD server, not WKST1.

Procedure

Step 1 If not already connected, use Cisco AnyConnect to VPN into your lab session or connect via RDP session
to the AD server (198.18.133.1) and log in as dcloud\administrator with password dCloud123! Ignore/accept
any security warnings.
Step 2 Open the browser. Log in into the Okta admin portal on the AD server by using the URL created earlier (when
creating the Okta account). After entering credentials, click Admin in the top-right corner. Choose either to
Enter a Code from Okta Verify app on your mobile or Get a Push Notification and complete the process.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

29
 Phase 0: Unified CM Calling
Download Okta Directory Connector on AD Server

Note The URL and username will be different for your session. Use the account information for your
Okta session.

Step 3 Once logged in, click Settings and then Downloads. Download the Ad Agent Installer on your AD
(198.18.133.1) desktop by clicking Download Latest.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

30
Phase 0: Unified CM Calling
Download Okta Directory Connector on AD Server

Step 4 Once downloaded, run the installer by clicking the OktaADAgentSetup-3.5.9.exe file.
Step 5 Click Next. Click Install.
Step 6 The next screen will allow us to Select AD Domain. Leave default dcloud.cisco.com and click Next.
Step 7 Okta need to configure a read only agent on AD server. In the following step we will configure the local user
for Okta. By default, Okta creates a local user named [email protected]. Keep the default user
and click Next.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

31
 Phase 0: Unified CM Calling
Download Okta Directory Connector on AD Server

Step 8 Define dCloud123! as the password for the local OktaService user and click Next.
Step 9 The Okta AD Agent Proxy Configuration page displays. Leave everything default and click Next.
Step 10 For the org URL, enter the Okta homepage URL or Sign-in here URL from the Welcome email. It
will be in the format of https://trial-6813249.okta.com (this is an example only, your org URL will be
different). Click Next.
Note Juan P. – Need a new screenshot, please.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

32
Phase 0: Unified CM Calling
Download Okta Directory Connector on AD Server

Step 11 You will be asked to sign in to Okta. Use the admin account username
([email protected]) and password (dCloud123!) you created earlier and click
Sign In.
Note Replace the XXXXXXX and YY with the account info you created earlier.

Step 12 Click Allow Access when prompted.

Step 13 Click Finish. Your Okta agent will be up and running.
Step 14 You can now switch back to WKST1. If not already open from earlier, open a new browser tab to your Okta
web page by using the Okta url created earlier and log in with the trial account.
Step 15 Click Directory and then select Directory Integration.
Step 16 Click Active Directory.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

33
 Phase 0: Unified CM Calling
Download Okta Directory Connector on AD Server

Step 17 Under Select the OUs that you’d like to sync users from uncheck the box for dc=dcloud,dc=cisco,dc=com
and select dCloud. Leave everything default, including the information under Group OUs connected to Okta.
Click Next at the bottom of the page.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

34
Phase 0: Unified CM Calling
Download Okta Directory Connector on AD Server

Step 18 A pop up will display confirming Active Directory Agent Configured. Click Next.
Step 19 In the attribute builder page leave, everything default and click Next.
Step 20 You will receive a message saying Your Active Directory domain is now integrated with Okta. Click
Done.
Step 21 We will now sync our users from AD server to Okta.
Step 22 Click Provisioning. Select To Okta and click Edit.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

35
 Phase 0: Unified CM Calling
Download Okta Directory Connector on AD Server

Step 23 For Schedule import, select every hour. Change Okta username format to Custom and use the following
string: appuser.userName. For Activation emails, check the box for Don’t send new user activation emails
for this domain.
Step 24 Click Save.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

36
Phase 0: Unified CM Calling
Download Okta Directory Connector on AD Server

Step 25 Under User Creation & Matching, click Edit. Make sure Okta username format matches option is selected
and click Save.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

37
 Phase 0: Unified CM Calling
Download Okta Directory Connector on AD Server

Step 26 While on the same page, click Import. Check the box next to Okta User Assignment and then click Import
Now.

Step 27 In the pop up window, select Full Import and click Import. It might take few seconds for all your users to
get imported into Okta. Once done, click OK.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

38
 Phase 0: Unified CM Calling
Configure an LDAP Synchronized End User with the Administrative Privileges (Optional / Information ONLY)

Step 28 Check the box for Okta User Assignment, click Confirm Assignments. In the pop up window, select
Auto-activate users after confirmation and click Confirm.
Step 29 Once imported, you will be able to see all your users from AD under the Assignments tab. There will be a
total of 10 users.

ConfigureanLDAPSynchronizedEndUserwiththeAdministrativePrivileges(Optional/Information
ONLY)
Once SSO is enabled, access to the Unified CM and IM and Presence administrative interfaces will be limited
to End Users synchronized from LDAP. Therefore at least one End User account must be delegated
administrative access.

Note There is a recovery URL that may be used in case of SSO failure that is accessed with the default administration
account, if needed. The credentials are administrator/dCloud123!
This below steps are for INFORMATION ONLY as they are already configured for you in the lab. Please
go to Obtain Metadata for the Unified CM and Unified IM and Presence section.

Procedure

Step 1 Connect via VPN or switch to the RDP session for wkst1.dcloud.cisco.com (198.18.1.36).
Step 2 Launch a browser.
Step 3 Browse to https://cucm1.dcloud.cisco.com in the address bar.
Step 4 Select Cisco Unified Communications Manager.
Step 5 Enter username Administrator and password dCloud123!
Step 6 Click Login.
Step 7 Use the menu to choose User Management > End User.
Step 8 Click Find.
Step 9 Click the hyperlink for user cholland (Charles Holland) to open the End User configuration page.
Step 10 Scroll to the bottom of the page and locate the Permissions Information section. Notice that Charles Holland
is currently assigned to the Standard CCM End Users, and Standard CTI Enabled groups.

Step 11 Click Add to Access Control Group.

Step 12 In the Find tool, use the drop-down menu to choose contains and type Super.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

39
 Phase 0: Unified CM Calling
Obtain Metadata for the Unified CM and Unified IM and Presence

Step 13 Click Find.

Step 14 Choose Standard CCM Super Users. Click Add Selected.

Step 15 Confirm that the Standard CCM Super Users group has been added to the Groups field.

Step 16 Click Save.

Obtain Metadata for the Unified CM and Unified IM and Presence

Note Okta is a cloud-hosted IDP. SAML SSO mode can be enabled using Okta IdP with the cluster-wide option
only. The per node option is not available for Okta.

As part of the CoT (Circle of Trust) configuration between ADFS and Unified CM and Unified IM and
Presence, the Metadata from deployed Unified Collaboration nodes must be obtained. This will be used to
create a Relying Party Trust on the IdP.

Procedure

Step 1 If not already, sign in to Cisco Unified Communications Manager (https://cucm1.dcloud.cisco.com) as

administrator/dCloud123! on WKST1.
Step 2 Navigate to System > SAML Single Sign-On.
Step 3 Select Use Tomcat certificate under Certificate and click Export All Metadata.

Step 4 The file will be downloaded on the desktop of WKST1 as cucm1.dcloud.cisco.com-single-agreement.xml.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

40
 Phase 0: Unified CM Calling
Configuring Okta as Identity Provider and Adding a Relying Party Trust for Unified CM and IMP

Step 5 Open the downloaded file using Notepad++. The contents in the file define the parameters that will be used
for the authorization process between the SP (Unified CM and Unified IM and Presence) and the IdP (Okta).

Configuring Okta as Identity Provider and Adding a Relying Party Trust for Unified CM and IMP
A relying party trust will be added to Okta for every node in the deployment on which SSO will be enabled.
Follow these steps to add a Relying Party Trust for cucm1.dcloud.cisco.com and imp1.dcloud.cisco.com.

Procedure

Step 1 If not already open from earlier, open a new browser tab to the Okta webpage (using your unique url created
in earlier steps) and log in on WKST1.
Step 2 From the Okta dashboard, select Applications > Applications.
Step 3 Click Create App Integration to use wizard to create new application integration.
Step 4 On the Create a New Application Integration window, from the Platform drop-down list, choose Web. Choose
the radio button for SAML 2.0 and click Next.

Step 5 Enter a name for the application, e.g. CUCM, and click Next.
Step 6 On the Create SAML Integration window, you will enter details for mandatory fields for SAML Settings.
These details are available in the metadata XML file that you downloaded earlier from the Service Provider
(CUCM). Open the file using Notepad++ that you have downloaded earlier
(cucm1.dcloud.cisco.com-single-agreement.xml) on WKST1.
Step 7 Single sign on URL: From the metadata file, enter the SSO URL of the publisher node. You can find this by
searching for the information on index 0 of the AssertionConsumerService and enter the contents of the
location field. In our case, it is
https://cucm1.dcloud.cisco.com:8443/ssosp/saml/SSO/alias/cucm1.dcloud.cisco.com

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

41
 Phase 0: Unified CM Calling
Configuring Okta as Identity Provider and Adding a Relying Party Trust for Unified CM and IMP

Step 8 Check the box for Use this for Recipient URL and Destination URL—it allows matching of the recipient
and destination URLs.
Step 9 Allow this app to request other SSO URLs—Check this option as we have IMP servers in our deployment.
Step 10 Requestable SSO URLs—This field appears only if you check the request other SSO URLs check box.
You can enter SSO URLS for your other nodes. Click the Add Another button to add IMP URL and under
index make sure you write 2.
Step 11 You can find this info by searching for the information on index 2 on themetadata file. In our case, the url is
https://cup1.dcloud.cisco.com:8443/ssosp/saml/SSO/alias/cup1.dcloud.cisco.com

Step 12 Audience URI (SP Identity ID): From the metadata file, search for the entityID address and enter the details
for this field. In our case, it is cucm1.dcloud.cisco.com

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

42
Phase 0: Unified CM Calling
Configuring Okta as Identity Provider and Adding a Relying Party Trust for Unified CM and IMP

Step 13 Name ID Format: Choose Transient from this drop-down list.

Step 14 Application username: Choose Okta username prefix from the drop-down list.
Step 15 Under Attribute Statements, enter the attribute uid to the Cisco Unified Communications Manager cluster.
The attribute ui value matches the userID field value that is available in Cisco Unified CM Administration
on the User Management page. The following will map the userID to sAMAccountName:
String.substringBefore(user.email, "@")

Step 16 This is how the overall config page should be configured:

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

43
 Phase 0: Unified CM Calling
Configuring Okta as Identity Provider and Adding a Relying Party Trust for Unified CM and IMP

Step 17 Click Next.

Step 18 On the Feedback tab, select I'm a software vendor. I'd like to integrate my app with Okta and click Finish.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

44
Phase 0: Unified CM Calling
Configuring Okta as Identity Provider and Adding a Relying Party Trust for Unified CM and IMP

Step 19 We will now assign users to our app. There are two ways we can assign, either to individual people or assign
to groups. In the steps below, we can cover both scenarios.
Step 20 Click the Assignments tab. Click the Assign drop-drop and choose Assign to People.

Step 21 Select your account that was created when provisioning Okta. Click Assign.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

45
 Phase 0: Unified CM Calling
Configuring Okta as Identity Provider and Adding a Relying Party Trust for Unified CM and IMP

Step 22 Click Save and Go Back. Click Done.

Step 23 In the following steps, we will assign our app to groups. Click the Assignments tab again. Click the Assign
drop-down and choose Assign to Groups.
Step 24 In the pop up window, search for Domain Users and click Assign. Click Done. You will see your Domain
Users group on the Assignments tab.
Step 25 While on the same page, click the Sign On tab. Click View Setup Instructions to download the Okta metadata
file.

Step 26 In the View Setup instructions window, scroll down to Optional. Copy and save the metadata information
from under Optional as CUCM1.xml on WKST1. This will be loaded on CUCM cluster.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

46
 Phase 0: Unified CM Calling
Enable SSO for Unified CM and IM and Presence

Step 27 Before uploading the metadata file on CUCM, open the saved metadata file (CUCM1.xml). Search for
NameIDFormat. You will find this info at the bottom of the file. If the value for NameIDFormat is already
set to Transient, you can skip this step. If not, change the line of NameIDFormat from
md:NameIDFormaturn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat> to
md:NameIDFormaturn:oasis:names:tc:SAML:1.1:nameid-format:transient</md:NameIDFormat>.
Step 28 Save the file.

Enable SSO for Unified CM and IM and Presence

The following exercise will detail the process for enabling SSO from the Unified Communications Manager
interface.

Procedure

Step 1 If not already connected, connect to the RDP session wkst1.dcloud.cisco.com (198.18.1.36), open Firefox
and choose the tab connected to cucm1.dcloud.cisco.com.
Step 2 It is likely that the logon timer has expired. If so, login with Username: Administrator and Password:
dCloud123!.
Step 3 Navigate to System > SAML Single Sign-On.
Note Okta is a cloud hosted IdP. SAML SSO mode can be enabled using Okta IdP with the cluster-wide
option only. The per node option is not available for Okta.

Step 4 Under SSO Mode select Cluster wide. Also for Certificate select Use Tomcat Certificate.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

47
 Phase 0: Unified CM Calling
Enable SSO for Unified CM and IM and Presence

Step 5 Click Enable SAML SSO.

Step 6 On the warning popup, click Continue.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

48
Phase 0: Unified CM Calling
Enable SSO for Unified CM and IM and Presence

Step 7 Click Test for Multi-Server tomcat certificate.

Step 8 Once success message displays, click Next.

Step 9 Click Next. The IdP Metadata Trust File has already been obtained from Okta and saved on WKST1 as
(CUCM1.xml).
Step 10 Click Choose File.
Step 11 Browse to the WKST1 where you saved file and choose the file CUCM1.xml.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

49
 Phase 0: Unified CM Calling
Enable SSO for Unified CM and IM and Presence

Step 12 Click Import IdP Metadata.

Step 13 Confirm the import is successful.
Step 14 Click Next.
Step 15 Click Next on the next screen of the wizard. This screen is not relevant as we have already exported the SP
Metadata file cucm1.dcloud.cisco.com-single-agreement.xml and used it to create a trust on the IdP.
Step 16 The next process will verify the SAML Assertion with ADFS2.0. Click the user cholland and then click Run
SSO Test.

Note There is a 60-second timer running to complete the next few steps. If you do not enter the username
and password in time, then you will get an error on the SSO Test.

Step 17 As we have imported and synched all users in Okta. In the new window that pops up, enter the admin account
username (cholland) and password (dCloud123!) and click Sign In. Don't worry about the secondary
email; just click the Skip option at the bottom right.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

50
 Phase 0: Unified CM Calling
Verify operation on Unified CM and IMP for SSO functionality

Note You can also use the [email protected] account in the above step.
Please replace the XXXXXXX and YY with the account info you created earlier.

Step 18 Check if the output message indicates a successful result: SSO Test Succeeded.
Step 19 Click Close.
Step 20 Click Finish.
Step 21 You will see the message stating SAML SSO enablement process initiated on all servers. You have now
successfully completed the configuration tasks to enable SSO using Okta IdP.
Step 22 Close the web browser so it clears all of the session cookies.
Important Please make sure to CLOSE your web browser so it clears all of the session cookies. When signing
in to CUCM again, remember to use cholland / dCloud123! to sign-in.
Caution It is VERY important to close and reopen your browser. You are asked to do this several times
in this lab. Please be sure to perform this step, as it will clear the cookies from the browser and
will make a request for new login information from the server.

Verify operation on Unified CM and IMP for SSO functionality

Procedure

Step 1 If not already connected, connect to the RDP session wkst1.dcloud.cisco.com (198.18.1.36).

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

51
 Phase 0: Unified CM Calling
Optional Troubleshooting Notes in Case SSO is Not Enabled (OPTIONAL / TroubleShooting)

Step 2 If the Cisco Jabber client is open from any previous activity, close it by choosing Menu > Exit.
Step 3 If either Internet Explorer and/or Firefox are open from a previous activity, close them as well.
Step 4 Launch Firefox from the Cisco dCloud homepage and navigate to Collaboration Admin Links > Cisco
Unified Communications Manager. Optionally, you can navigate to https://cucm1.dcloud.cisco.com.
Step 5 Notice under Installed Applications, there is a new option for Recovery URL to bypass Single Sign On
(SSO). If the new link is not visible, continue to refresh your browser until it appears.

Step 6 The SSO recovery link may be used in cases where the SSO IdP (Okta) has failed. This allows for authentication
with the default administrative application user, providing a mechanism for administration and recovery.
Step 7 Click the hyperlink for Cisco Unified Communications Manager under Installed Applications.
Note If you get a 404 error, this means the Tomcat service is still restarting. Refresh your browser until
you get a login screen.

Step 8 Observe that in place of the Unified Communications Manager Administration webpage, you are now presented
with an Okta authentication prompt. If you do NOT see an authentication prompt, move to the Troubleshooting
notes below, complete the steps to disable, and re-enable SSO. Otherwise Proceed to step 9 of this activity.
Step 9 Log in as cholland with password dCloud123! and click Sign In to continue.
Step 10 Confirm authentication succeeds and you are presented with the Unified Communications Manager
administration page.
Step 11 Before enabling SSO, the Unified CM admin page prompted you with a HTML form for username and
password. After enabling SSO, Unified CM is no longer responsible for handling Authentication; rather,
Unified CM redirects the client request to the IdP (Okta). It is the IdP prompting you with username and
password.

Optional Troubleshooting Notes in Case SSO is Not Enabled (OPTIONAL /

TroubleShooting)

Important Follow these instructions only if you did not receive an Okta authentication prompt.

In rare instances, the first time you enable SSO on Unified CM, it will not work on the Administration page
initially but it will work on the Self Care Portal. The quick fix for this is to disable and then re-enable SSO.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

52
 Phase 0: Unified CM Calling
Testing SSO Username/Password Authentication

Procedure

Step 1 Click Home to go back to the Cisco dCloud links page.

Step 2 Navigate back to the Unified CM administration page at Collaboration Admin Links > Cisco Unified
Communications Manager and click Cisco Unified Communications Manager.
Step 3 Log in with username administrator and password dCloud123!
Step 4 Navigate to System > SAML Single Sign-On.
Step 5 Click Disable SAML SSO and then Continue.
Step 6 Close the browser and then reopen it.
Step 7 Navigate back to the Unified CM administration page at Collaboration Admin Links > Cisco Unified
Communications Manager.
Step 8 If you still see the Recovery URL to bypass Single Sign On (SSO) link, then SSO is still disabled. Keep
refreshing your page until that link disappears.
Step 9 Once the link disappears, click Cisco Unified Communications Manager and log in with username
administrator and password dCloud123!
Step 10 Navigate to System > SAML Single Sign-On.
Step 11 Follow the steps in Verify operation on Unified CM and IMP for SSO functionality to run through the
steps and re-enable SSO. You should then have a successful SSO test and continue with the rest of this lab.

Testing SSO Username/Password Authentication

In this activity, we will confirm the end-user experience in terms of SSO with username and password
authentication and Cisco Jabber.

Note Jabber clients are already configured in this lab. If not already signed out please do it now.

Procedure

Step 1 If not already connected, connect to the RDP session wkst1.dcloud.cisco.com (198.18.1.36).
Step 2 Launch Cisco Jabber by double clicking on the desktop icon. Sign out and reset Jabber.
Step 3 Enter [email protected] and click Continue.
Note Remember to replace XXX and YY with the info on your session's Details tab.

Step 4 In the new window that pops up, enter username cholland and password (dCloud123!) you created earlier
and click Sign In.
Step 5 Confirm Jabber is authenticated successfully, and the interface displays as expected for user Charles Holland.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

53
 Phase 0: Unified CM Calling
Headset Association to a User – Manual Process

Headset Association to a User – Manual Process

Procedure

Step 1 From Cisco Unified CM Administration, choose User Management > End User.
Step 2 Click Find and choose cholland to whom you want to associate the headset.
Step 3 In the Associated Headsets section, enter the serial number of the headset that you want to assign and click
Save.

Note When you connect the headset via USB at the back of the Cisco IP Phone (depending on the
model), you might get an option to run the Setup. By clicking the Setup > Associate User, you
can associate the headset to cholland by entering his userid (cholland) and 4-digit pin. In our lab,
the pin for each user is the last 4 digits of their extension number. So for cholland, the pin is 6018.
Also, remember you can associate a maximum of 15 headsets to a specific user. The headset
serial number is unique for each individual headset. The same headset can’t be associated to two
users.

Step 4 Connect the headset to the back of Cisco IP Phone.

Step 5 As we are using pinless headset association, a message will display on the phone showing, “Sign in as Charles
Holland. You will be signed in automatically within a minute.”

Activate the Device Activation Service

Procedure

Step 1 If not already connected, connect to the RDP session wkst1.dcloud.cisco.com (198.18.1.36).
Step 2 Launch Firefox. From the Cisco dCloud homepage, navigate to Collaboration Admin Links > Cisco Unified
Communications Manager. Optionally, you may navigate to https://cucm1.dcloud.cisco.com.
Step 3 Select Cisco Unified Serviceability and click Go.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

54
 Phase 0: Unified CM Calling
Pre-Requisites

Step 4 From Cisco Unified Serviceability, choose Tools > Service Activation.
Step 5 From the Server drop-down, choose the cucm1.dcloud.cisco.com [UCM] and click Go.
Step 6 Under CM Services, confirm that the Status of the Cisco Device Activation Service says Activated.
Step 7 If the service is not running, check the adjacent check box and click Save.

Pre-Requisites
To complete this module, you will need your router to be connected to a dCloud session, your own
Cisco-compatible SIP IP phone, and Cisco headset.
The Cisco IP phone must be registered with CUCM. To connect your Cisco SIP phone to CUCM, you can
connect your router with the dCloud session.
Extension Mobility service is already configured as part of this lab.
For this lab, we will be using Cisco the 561 headset with Cisco8861 IP Phone. You still could go through
the steps in this module without actually using pin-less extension mobility if you just want to learn how to
configure the feature.

Checking Extension Mobility Service

Procedure

Step 1 If not already connected, connect to the RDP session on wkst1.dcloud.cisco.com (198.18.1.36).
Step 2 Launch Firefox. From the Cisco dCloud homepage, navigate to Collaboration Admin Links > Cisco Unified
Communications Manager. Optionally, you may navigate to https://cucm1.dcloud.cisco.com.
Note As auto-registration is enabled, once you connect your Cisco IP Phone, it will get an extension
number.

Step 3 Go to Device and click Phones. Click on your CISCO IP Phone that is auto registered with the session.
Step 4 Scroll down to Extension Information and make sure Enable Extension Mobility is checked. If not select
Enable Extension Mobility and click Save.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

55
 Phase 0: Unified CM Calling
Checking Extension Mobility Service

Step 5 While on the Device page, select Subscribe /Unsubscribe Services and click Go.

Step 6 Make sure its subscribed to dCloud EM service and click Close. If not from Select a Service dropdown select
dCloud EM and subscribe to that service. Once done, click Save.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

56
 Phase 0: Unified CM Calling
Prepare to Enable SAML SSO for Expressway

Prepare to Enable SAML SSO for Expressway

SAML SSO Configuration for Okta

This section describes the steps to configure SAML SSO using Okta as the Identity Provider (IdP).

Elements of a SAML SSO Solution

• Client (the user’s client): This is a browser-based client or software client that can leverage a browser
instance for authentication. For example, a system administrator’s browser.
• Service Provider: This is the application or service that the client is trying to access. For example, Cisco
Unified Communications Manager.
• An Identity Provider (IdP) Server: This is the entity that authenticates user credentials and issues
SAML Assertions.
• SAML Assertion: It consists of pieces of security information that are transferred from IdPs to the
service provider for user authentication. An assertion is an XML document that contains trusted statements
about a subject including, username and privileges. SAML assertions are usually digitally signed to
ensure their authenticity.
• SAML Request: This is an authentication request that is generated by a Unified Communications
application. To authenticate the LDAP user, the Unified Communications application delegates an
authentication request to the IdP.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

57
 Phase 0: Unified CM Calling
Review Status Details of Jabber (Off-Net) over MRA

• Circle of Trust (CoT): The various service providers that share and authenticate against one IdP in
common.
• Metadata: An XML file generated by an SSO-enabled Unified Communications application, such as
Cisco Unified Communications Manager as well as an IdP. The exchange of SAML metadata builds a
trust relationship between the IdP and the service provider.
• Assertion Consumer Service (ACS) URL: This URL instructs the IdPs where to post assertions. The
ACS URL tells the IdP to post the final SAML response to a particular URL.

Review Status Details of Jabber (Off-Net) over MRA

Note Please connect to Jabber client on your mobile or remote device that is not part of/connected to this session.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

58
Phase 0: Unified CM Calling
Review Status Details of Jabber (Off-Net) over MRA

Procedure

Step 1 On your mobile or remote device, open Cisco Jabber and enter [email protected].
Step 2 Click Continue. Enter cholland for username and dCloud123! for the password and click Login.
Note If you get a warning for Voicemail credentials, please ignore the message as Unity Connection
is not part of this lab guide.

Step 3 Test contact search by typing Ani in the search window and confirm that the lookup returns a contact record
for Anita Perez.
Step 4 If connected using a remote laptop, click the Menu icon

[ ]
on the top right if using windows and choose Help > Show connection status to confirm the Jabber client
has active connectivity to provisioned services.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

59
 Phase 0: Unified CM Calling
Review Status Details of Jabber (Off-Net) over MRA

Note Depending on your remote Jabber client the below image might be different for your session.
For the MRA test we are using Jabber on Mac. You will notice Desk Phone Server and Voicemail
Server as Disconnected. Please ignore as it is not part of this lab

gdue.i

Step 5 From the dCloud homepage, navigate to Collaboration Admin Links > Cisco Unified Communications
Manager or enter https://cucm1.dcloud.cisco.com
Step 6 Log in with username Administrator and password dCloud123!
Step 7 From the menu, navigate Device > Phone.
Step 8 Click Find.
Step 9 Observe that the Client Services Framework device (Jabber softphone) named CSFCHOLLAND is actively
registered with the IP address of Expressway-C (198.18.133.152). This is because Expressway-C serves is
the anchor point for SIP Registration with Unified CM for all MRA sessions.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

60
 Phase 0: Unified CM Calling
Extending (SSO) Authentication Over the Edge

Note Depending on the remote device you logged into, the Expressway-C information can be seen
under BOT- or TCT-registered device.

Step 10 You can test chat and calling between MRA registered client (cholland on your remote device) and ON-Prem
registered client (aperez on WKST2).
Step 11 Quit Jabber by choosing Menu > Exit.

Extending (SSO) Authentication Over the Edge

Note This module requires a fully functional Mobile and Remote Access (MRA) solution, which is already configured
for your lab. Before proceeding, please sign-in Jabber client on your mobile or remote device. The device
should not be connected to your session VPN. Try to connect and make sure MRA is working.

Touchless Headset Extension Mobility Login

Module Overview

Note This module/scenario is only valid for Phase 0 UCM-registered endpoints. At the time of writing this lab
guide, this feature was not available for Webex Calling.

Headset Services allow you to connect the Cisco headset into its supported devices to provide simple and
integrated user experiences such as Headset-based Extension Mobility and many more in the future.
Headset-based Extension Mobility is the first feature introduced under the Headset Services. When you connect
your Cisco headset to Extension Mobility-enabled devices, it provides a seamless login experience for extension
mobility log in and log out.
Headset Services allow the administrator and end user to associate headset(s) from any devices such as a
self-owned device, shared space, and common area device. This association helps in authentications and
creating a customized experience for its users. This feature supports both wired and wireless headsets.

Activate the Device Activation Service

Note We will configure Anita Perez's phone over MRA. Remember you will need your own Cisco IP phone that
supports Activation Code Based Device Onboarding. Also please ensure your phone runs the latest firmware
before you can proceed with this section. You can upgrade your phone by following the instructions at
https://upgrade.cisco.com. You still could go through the steps in this module if you want to learn how to
configure the feature.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

61
 Phase 0: Unified CM Calling
Activate the Device Activation Service

Procedure

Step 1 If not already connected, connect to the RDP session wkst1.dcloud.cisco.com (198.18.1.36).
Step 2 Launch Firefox. Navigate to Expressway C (https://vcsc.dcloud.cisco.com). Log in as admin/dCloudZZZZ!
Note The ZZZZ portion of the password is the last four digits of our Session ID found in your sessions's
Details tab.

Step 3 Click Configuration. Select Unified Communications. Click Configuration.

Step 4 Under MRA Access Control section, ensure that following two parameters are set correctly. If not, change
to the correct value. Click Save at the bottom of the page.
• Authorize by OAuth token with refresh: On
• Allow activation code onboarding: Yes

Step 5 Navigate to Expressway E (https://198.18.1.5).

Step 6 Log in with these credentials:
• Username: admin
• Password: You can find your unique Expressway-E password in your dCloud session details: Session
Details > AnyConnect Credentials > Password

Step 7 Once logged in, click Maintenance > Security, then Trusted CA certificate. It could take some time to go
to the page.
Step 8 On Trusted CAcertificate page, go towards the bottom of the page and click Activation code on boarding
trusted CA certificates
Step 9 There should be a new dedicated trusted CA list for activation code onboarding that is pre-populated with
Cisco manufacturing root and intermediate CAs.
Step 10 On a new tab, navigate to https://cucm1.dcloud.cisco.com.
Step 11 Click Advanced Features menu to select Cisco Cloud Onboarding.
Step 12 You will see two error messages, one for the required voucher and the other for certificate. These will go
away as we complete our configurations.
Step 13 Click Generate Voucher. Ensure the voucher is successfully generated.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

62
Phase 0: Unified CM Calling
Activate the Device Activation Service

Step 14 Scroll down the page until you find Activation Code Onboarding Settings and Cluster Cloud Onboarding
Settings sections. Configure the following. When done, click Save.
• Tick the box for Enable Activation Code Onboarding with Cisco Cloud and enter your session domain.
• Tick the box for I want Cisco to manage the Cisco Cloud Service CA certificates required for this
trust.

Note Replace the below MRA activation domain with your session domain.

Step 15 Ensure the status says Cisco Cloud Onboarding Completed.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

63
 Phase 0: Unified CM Calling
Activate the Device Activation Service

Step 16 Click Advanced Features and select MRA Service Domain. You will notice service domain is already
created.

Step 17 Let’s define a phone for Aperez. Click Device and then Phone. Click Add New. You can add any phone
model. In this lab guide, we select Cisco 8861 from the drop-down list and click Next.
Step 18 In our case, we will leave the MAC Address field blank and will select the option for Require Activation
Code for Onboarding and Allow Activation Code via MRA.

Step 19 Select the options from the below table and click Save.

Name Selected Options Notes

Device Pool dCloud_DP
Phone Button Standard 8861 SIP Please change the value based on your
Template phone model
Calling Search Space Call_Everyone
Owner User ID Aperez
Device Security Profile Cisco 8861 – Standard SIP Non-Secure Please change the value based on your
Profile phone model
Sip Profile Standard SIP profile

Step 20 You will notice after you save a random MAC address will be filled in. It will be replaced once our device is
registered.

Step 21 We will also make sure that DN is assigned. Click Line[1] – Add a new DN. Fill in the info from the below
table. Leave the rest to default values. When done, click Save.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

64
Phase 0: Unified CM Calling
Activate the Device Activation Service

Name Selected Notes

Options
Directory Numer 6017 Number assigned to Anita Perez; preconfigured in the lab.
Route Partition Base_PT
Calling Search Call_Everyone Please change the value based on your phone model
Space

Step 22 Once saved, navigate back to the phone by clicking Go on the top right.
Step 23 You will now see the View Activation code option on the screen. Click View Activation Code. Take a photo
or write down the 16-digit activation code.

Caution Ensure your phone runs the latest firmware before you can proceed with this section. You
can upgrade your phone by following the instructions on https://upgrade.cisco.com

Step 24 Make sure your SIP phone is not on the same network as CUCM as you register over MRA. The generated
code can be entered on the device manually to register with Call Manager. Or, the QR code can be scanned
from phone camera, if applicable, to register with CUCM.
Step 25 Once done, you can see your device registered with CUCM via MRA. The same can be seen by going to
Device > Phone. Under IP, you can see the IP Address for Expressway-C.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

65
 Phase 0: Unified CM Calling
Enable Headset based Pinless Extension Mobility

Enable Headset based Pinless Extension Mobility

Note This feature is supported from release 12.5(1)SU3 onwards.

Procedure

Step 1 From Cisco Unified CM Administration, choose System > Service Parameters.
Step 2 From the Server field, choose cucm1.dcloud.cisco.com.
Step 3 From the Service field, choose Cisco Extension Mobility.
Step 4 In the PIN entry for headset-based sign in field, choose Not Required to automatically sign in the user.
Step 5 In the Auto logout timer after headset disconnect field, enter 1 and press Save.
Note Maximum of 15 minutes can be set as default timer for Auto logout.

Verify operation on Unified CM and IMP for SSO functionality

Procedure

Step 1 If not already connected, connect to the RDP session wkst1.dcloud.cisco.com (198.18.1.36).
Step 2 If the Cisco Jabber client is open from any previous activity, close it by choosing Menu > Exit.
Step 3 If either Internet Explorer and/or Firefox are open from a previous activity, close them as well.
Step 4 Launch Firefox from the Cisco dCloud homepage and navigate to Collaboration Admin Links > Cisco
Unified Communications Manager. Optionally, you can navigate to https://cucm1.dcloud.cisco.com.
Step 5 Notice under Installed Applications, there is a new option for Recovery URL to bypass Single Sign On
(SSO). If the new link is not visible, continue to refresh your browser until it appears.

Step 6 The SSO recovery link may be used in cases where the SSO IdP (Okta) has failed. This allows for authentication
with the default administrative application user, providing a mechanism for administration and recovery.
Step 7 Click the hyperlink for Cisco Unified Communications Manager under Installed Applications.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

66
 Phase 0: Unified CM Calling
Prepare to Enable SAML SSO for Unified CM and IM and Presence

Note If you get a 404 error, this means the Tomcat service is still restarting. Refresh your browser until
you get a login screen.

Step 8 Observe that in place of the Unified Communications Manager Administration webpage, you are now presented
with an Okta authentication prompt. If you do NOT see an authentication prompt, move to the Troubleshooting
notes below, complete the steps to disable, and re-enable SSO. Otherwise Proceed to step 9 of this activity.
Step 9 Log in as cholland with password dCloud123! and click Sign In to continue.
Step 10 Confirm authentication succeeds and you are presented with the Unified Communications Manager
administration page.
Step 11 Before enabling SSO, the Unified CM admin page prompted you with a HTML form for username and
password. After enabling SSO, Unified CM is no longer responsible for handling Authentication; rather,
Unified CM redirects the client request to the IdP (Okta). It is the IdP prompting you with username and
password.

Prepare to Enable SAML SSO for Unified CM and IM and Presence

SAML Overview

What is SAML SSO?

SAML is an XML-based open standard data format that enables administrators to access a defined set of Cisco
collaboration applications seamlessly after signing into one of those applications. SAML describes the exchange
of security-related information between trusted business partners. It is an authentication protocol used by
service providers (for example, Cisco Unified Communications Manager) to authenticate a user. SAML
enables exchange of security authentication information between an Identity Provider (IdP) and a Service
Provider.
SAML SSO uses the SAML 2.0 protocol to offer cross-domain and cross-product single sign-on for Cisco
collaboration solutions. SAML 2.0 enables SSO across Cisco applications and enables federation between
Cisco applications and an IdP. SAML 2.0 allows Cisco administrative users to access secure web domains to
exchange user authentication and authorization data between an IdP and a Service Provider while maintaining
high security levels. The feature provides secure mechanisms to use common credentials and relevant
information across various applications.
SAML SSO establishes a Circle of Trust (CoT) by exchanging metadata and certificates as part of the
provisioning process between the IdP and the Service Provider. The Service Provider trusts the IdP's user
information to provide access to the various services or applications. In this interaction, the Service Provider
(SP) would be Unified CM and Unified IM and Presence.
The client authenticates against the IdP and the IdP grants an Assertion to the client. The client presents the
Assertion to the Service Provider. Since there is a CoT established, the Service Provider trusts the Assertion
and grants access to the client.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

67
 Phase 0: Unified CM Calling
Set Registration Method to Use Activation Codes

Set Registration Method to Use Activation Codes

We will use this procedure to configure the system defaults so that phones of a specific model type will use
activation codes to register with Cisco Unified Communications Manager.

Procedure

Step 1 Log back into CM Administration by selecting Cisco Unified CM Administration and then click Go.

Note Phone users can obtain their activation codes through the self-care portal, provided the Show
Phones Ready to Activate enterprise parameter is set to True. Otherwise, Administrators must
provide the code to phone users.
Remember, phones need to be running 12.5.1 or higher version of firmware.

Step 2 From Cisco Unified CM Administration, choose Device > Device Settings > Device Defaults.
Step 3 Find the matching device type for the IP Phone you are using for the lab. Set On-premise Onboarding
Method to Activation Code. In the example shown below, we are using Cisco 8861 IP Phone, but the same
steps can be used for any supported model. Once done, click Save.

Step 4 If not already reset, please reset your existing phone that is registered. You will be able to see the Welcome
screen for activation code on your phone. Phones can be reset by going to Device > Phone and click Reset.
Note As this is a lab environment, if you don’t get the activation code option when resetting, delete
your existing phone by going to Device > Phone and clicking Delete Selected.

Optional Troubleshooting Notes in Case You Can’t Enter 16-digit Code over
MRA
In rare instances, when you enter the 16-digit code, you might get an error message saying Contact
Administrator. Please follow the following steps.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

68
 Phase 0: Unified CM Calling
Device Onboarding with Activation Codes Task Flow in On-prem Mode

Procedure

Step 1 On your device, go to Admin Settings > Reset Settings and reset your device.
Step 2 Log in to Expressway-C on WKST1.
Step 3 Click Configuration. Select Unified Communications and then Unified CM Servers.
Step 4 Delete the server cucm1.dcloud.cisco.com and re-add the UCM server.
Step 5 While re-adding the UCM server, make sure SIP Update for session refresh and ICE Passthrough support
is On.

Device Onboarding with Activation Codes Task Flow in On-prem Mode

Obtain Metadata for the Unified CM and Unified IM and Presence

Note Okta is a cloud-hosted IDP. SAML SSO mode can be enabled using Okta IdP with the cluster-wide option
only. The per node option is not available for Okta.

As part of the CoT (Circle of Trust) configuration between ADFS and Unified CM and Unified IM and
Presence, the Metadata from deployed Unified Collaboration nodes must be obtained. This will be used to
create a Relying Party Trust on the IdP.

Procedure

Step 1 If not already, sign in to Cisco Unified Communications Manager (https://cucm1.dcloud.cisco.com) as

administrator/dCloud123! on WKST1.
Step 2 Navigate to System > SAML Single Sign-On.
Step 3 Select Use Tomcat certificate under Certificate and click Export All Metadata.

Step 4 The file will be downloaded on the desktop of WKST1 as cucm1.dcloud.cisco.com-single-agreement.xml.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

69
 Phase 0: Unified CM Calling
Testing SSO Username/Password Authentication

Step 5 Open the downloaded file using Notepad++. The contents in the file define the parameters that will be used
for the authorization process between the SP (Unified CM and Unified IM and Presence) and the IdP (Okta).

Testing SSO Username/Password Authentication

In this activity, we will confirm the end-user experience in terms of SSO with username and password
authentication and Cisco Jabber.

Note Jabber clients are already configured in this lab. If not already signed out please do it now.

Procedure

Step 1 If not already connected, connect to the RDP session wkst1.dcloud.cisco.com (198.18.1.36).
Step 2 Launch Cisco Jabber by double clicking on the desktop icon. Sign out and reset Jabber.
Step 3 Enter [email protected] and click Continue.
Note Remember to replace XXX and YY with the info on your session's Details tab.

Step 4 In the new window that pops up, enter username cholland and password (dCloud123!) you created earlier
and click Sign In.
Step 5 Confirm Jabber is authenticated successfully, and the interface displays as expected for user Charles Holland.

Log out User from Extension Mobility Using Headset

Procedure

Step 1 In the interest of time and as part of this lab, disconnect the headset from the back of Cisco IP Phone.
Step 2 The Cisco IP Phone will reset and the device profile will change to the original device profile.

Device Onboarding via Activation Codes (On-Prem and over MRA)

Module Overview
Activation codes make onboarding newly provisioned phones easy. An activation code is a single-use, 16-digit
value that a user must enter on a phone while registering the phone. Activation codes provide a simple method
for provisioning and onboarding phones without requiring an administrator to collect and input the MAC
Address for each phone manually. This method is a simple alternative to auto-registration, that you can use
to provision a large number of phones, a single phone, or even to re-register existing phones.
You can also use MRA-compliant devices to easily and securely register over MRA using an activation code.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

70
 Phase 0: Unified CM Calling
Create an Okta Account and Provision AD Server with Okta Directory Connector

Once activated, phone users must enter the activation code on their phone in order to use their phones. After
a phone user enters the correct activation code on the phone, the following occurs:
• Their phone authenticates with Cisco Unified Communications Manager.
• The phone configuration in Cisco Unified Communications Manager updates with the actual MAC
address of the phone.
• The phone downloads the configuration file and any other relevant files from the TFTP server and registers
with Cisco Unified Communications Manager.

Pre-Requisites
To complete this module, you will need your router to be connected to dCloud session and your own Cisco
IP Phone that supports Activation Code Based Device Onboarding feature. As of release Cisco Unified CM
12.5(1), the following Cisco IP Phone models support onboarding via activation codes: 7811, 7821, 7832,
7841, 7861, 8811, 8841, 8845, 8851, 8851NR, 8861, 8865, and 8865NR.
Ensure you upgrade your phone to run the latest firmware to use it for this lab. You can upgrade your IP phone
by following the instructions on https://upgrade.cisco.com. You still can go through the steps in this module
without actually registering the phone if you don’t have a Cisco IP Phone but just want to learn how to
configure the feature.
Also, your Cisco IP phone should be able to reach CUCM. To connect your Cisco SIP phone to CUCM, you
can connect your router with the dCloud session.
Module Objectives
In this module, we will perform the following tasks:
• Enable the onboarding process flow for on-prem devices.
• Enable the onboarding process in MRA mode.

Create an Okta Account and Provision AD Server with Okta Directory Connector

Procedure

Step 1 If not already connected, use Cisco AnyConnect to VPN into your lab session or connect via RDP session to
Workstation 1 (198.18.1.36) and log in as dcloud\cholland with password dCloud123! Ignore/accept any
security warnings.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

71
 Phase 0: Unified CM Calling
Create an Okta Account and Provision AD Server with Okta Directory Connector

Step 2 Open Microsoft Outlook using the icon in the taskbar

[ .]
Step 3 For profile name, enter Charles and click OK.
Step 4 In the Inbox, you should see an email with the subject line CLOUD TRIALS EMAIL ADDRESS. Capture
the email address that begins with trial, this will ensure a unique email address is used when creating Okta
account. This email address will route to Charles Holland’s email box.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

72
Phase 0: Unified CM Calling
Create an Okta Account and Provision AD Server with Okta Directory Connector

Step 5 We will create an Okta account. Open the browser and browse to the following url: https://okta.com/free-trial/
. Fill in the required information and click Get Started.
Step 6 You will receive a success message from Okta and an email will be send to Charles Holland inbox. On the
same page, you will get a unique url that will be used when we configure SSO and to access our Okta account
later. Please keep a note of that url and login info.
Note The Org URL is the one you will use when accessing the Okta page. If you don't receive an email
from Okta with account information, go through the above step again to create the account.

Note The URL and the login info generated above will be different and unique for each session. Please
keep a note of your session url and login info.

Step 7 Click the Org URL for the Okta homepage. Log in using the email ID you created the trial with (also on this
screen) and the temporary password. (Both the email ID and the temporary password are provided in the
Welcome email you received.) Click Sign In.

Step 8 You will be prompted to set a new password. Set the password to dCloud123!. Click Change Password.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

73
 Phase 0: Unified CM Calling
Create an Okta Account and Provision AD Server with Okta Directory Connector

Step 9 Once logged in, click Admin on the top-right corner.

Step 10 Okta requires you to select a multifactor authentication to add an additional layer of security. Under Okta
Verify, click Setup and follow the on-screen steps to set up the multifactor authentication. (You can choose
either to Enter the Code option for next sign in or the Push Notification.) Once you scan the QR code and set
up the Okta Verify app on your mobile, click Finish.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

74
Phase 0: Unified CM Calling
Create an Okta Account and Provision AD Server with Okta Directory Connector

Note You have to use your iPhone or Android device to receive a single-use code. You can download
the Okta Verify app or Cisco DUO from Appstore (iPhone) or from Google Play Store (Android).

Step 11 Using your authenticator app (such as DUO), scan the barcode. Click Next.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

75
 Phase 0: Unified CM Calling
Validate PSTN Dialing – Optional Module

Step 12 Log in to Okta and click Admin at the top-right corner. Either enter the code or verify with push notification
from mobile to complete the login. You will be logged into Okta as an administrator and your account is
created.

Validate PSTN Dialing – Optional Module

Module Overview
We will do inbound/outbound calls to make sure PSTN is working .
Pre-Requisites
For outbound dialing rules and patterns, visit Outbound Dialing Patterns and Blocked International Dialing
online.
Module Objectives
In this module, we will perform the following tasks either via physical phone or Webex/Jabber soft client:
• Test inbound calls to our users
• Test Outbound Calls

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

76
 Phase 0: Unified CM Calling
Testing Calls – Inbound from PSTN to Jabber Users

Testing Calls – Inbound from PSTN to Jabber Users

Procedure

Step 1 For dialing inbound PSTN calls to your pod’s phones, information can be found in your dCloud session's
Details tab or in a text document found on the desktop of Workstation 1 named DN_to_DID.txt.
Step 2 Those DID can be dialed from your mobile numbers.
Step 3 With the DID number, dial one of your user's using a cell or desk phone, such as dial cholland DID number.
Step 4 Answer the call on your Jabber app/device.
Step 5 The call flow in dCloud is as follows:
a) Incoming DID comes into dCloud.
b) Platform gateways translate that DID into a four-digit extension (6XXX or 7XXX).
c) Call is routed through the local gateway into Unified CM and to the extension of the user.

Testing Calls – Outbound to PSTN

In dCloud, national calls are allowed to the datacenter region your session is located in. US West/East
datacenters are dc-05 or dc-01. EMEAR datacenter is dc-03. APJ datacenter is dc-02.
In the US datacenters you should be able to call any national number. Remember since the location is built
for the United States, Webex will add a +1 to any dialed number if needed. So a 10 digit number can be called
or a 1 + 10 digit number.
Dialing from an EMEAR or APJ session will be just a little different than US. Every session, no matter the
datacenter, the Webex Calling location is built for United States. Because of this, in the lab, dialing a national
number for the UK (EMEAR) or Singapore (APJ) requires you to dial a 00 + Country Code and then the
number (10 digit for UK and 8 digit for Singapore). For the EMEAR datacenter the country code is 44. For
the APJ datacenter the country code is 65.
When you dial 00 and the number, Webex Calling will route the number as is and not add +1. Then the call
flow for EMEAR and APJ sessions is as follows:
• Call comes into Local Gateway, sent to dCloud Gateway, which delivers it to the IP PSTN.
• The dCloud GW will strip the 00 off the number and add a plus (+) or localize it.
• The +E.164 or the localized number is now routed by the IP PSTN and rings the PSTN number.

Procedure

Step 1 With the dialing explanation above, dial a PSTN number.

Step 2 Answer the call.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

77
 Phase 0: Unified CM Calling
Testing Calls – Outbound to PSTN

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

78
 CHAPTER 3
Mapping the Transition: Phase 1 – Hybrid
Services
In Phase 1 of this lab guide, we focus on hybrid deployments. The Phase1 transition results in a hybrid
deployment with dual call control where some devices are transitioned to cloud calling and other devices
maintain on-premises call control for registration and call routing. For the users, we will be using Cisco Webex
to log in. Users can log in on the Workstations provided in the demo or their personal devices.
• Users in Phase 1, on page 79
• User Synchronization, on page 80
• Configuring Okta for SSO – Webex Cloud, on page 90
• Configuring Webex Hybrid Messaging Service, on page 97
• Configuring Hybrid Calling for Cisco Webex Devices (Device Connector), on page 102
• Phase 2 Options, on page 128

Users in Phase 1
User Name User ID Password Endpoint Devices Internal Deployment
Extension Model
Kellie Melby kmelby dCloud123! Cisco Jabber 6050 Hybrid
Stefan Mauk smauk dCloud123! Cisco Jabber 6072 Hybrid
Adam amckenzie dCloud123! Cisco 6016 Hybrid
McKenzie Jabber/Webex

Monica Cheng mcheng dCloud123! Cisco 6020 Hybrid

Jabber/Webex

Anita Perez aperez dCloud123! Cisco 6017 Hybrid

Jabber/Webex

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

79
 Mapping the Transition: Phase 1 – Hybrid Services
User Synchronization

User Synchronization
OptionA:User/ContactSynchronizationUsingMigrationCard(ManualMethod)
Synchronizing Users from Unified CM to Webex
Perform the new user synchronization from Control Hub, to migrate your users in Unified CM. Use this
migration tool when you are not using the existing Webex methods to provision users such as Cisco Directory
Connector, adding users manually or using bulk import in Control Hub.

Note If you have used any of the methods in previous section to synchronize users (like Directory Connector) you
might have already synchronized all users from AD so this scenario would not work for you. So, either
disconnect directory connector and clean up synchronized users or just get a new dCloud session.

The benefits of user synchronization are:

• Provides seamless user search experience. By synchronizing users and contacts to cloud, this feature
helps Webex app to provide search functionality like Jabber.
• Automates the task of synchronizing users from Unified CM database into Webex. This feature facilitates
synchronization and simplifies migration task as sync done manually is error prone and time consuming.

Note This release does not support contact synchronization.

This objective of this scenario is to synchronize two users, Adam McKenzie and Monica Cheng, to Webex
from Cisco UCM using the new migration card.

Import Users Using the Bulk Administration Tool in Cisco Unified CM

Important Ensure you have synchronized all of your users into Cisco Unified CM using the LDAP directory before
moving forward.

Procedure

Step 1 Open RDP connection to Workstation 1 at 198.18.1.36. Log in with dcloud\cholland and dCloud123!.
Step 2 Open the Chrome browser from taskbar.
Step 3 Drop down Collaboration Admin Links and select Cisco Unified Communications Manager. Log in with
administrator and dCloud123! If you have configured Single Sign-On using Okta or Azure in the
previous scenarios/phases, you will use those credentials to log in.
Step 4 Once logged in, navigate to Bulk Administration > Import/Export > Export.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

80
Mapping the Transition: Phase 1 – Hybrid Services
Import Users Using the Bulk Administration Tool in Cisco Unified CM

Step 5 Click Select All and add a name for Tar File Name (it can be anything you want, example:
UnifiedCM_Data_Export). Scroll down the page and select the Run Immediately radio button. Click Submit.

Step 6 Cisco Unified CM will start exporting the data. Navigate to Bulk Administration > Job Scheduler to check
the status. It takes around 5 minutes for the data to be exported. Click Find to see a complete list of jobs
running. It will list all current/past jobs and their status. Please wait for the job status to change to Completed.
Step 7 Once the job is completed, navigate to Bulk Administration > Upload/Download Files. Click Find. You
will see the exported data tar file. Add a checkmark beside the file and select Download Selected. The file
will be downloaded to the Workstation 1 desktop.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

81
 Mapping the Transition: Phase 1 – Hybrid Services
Import Users Using the Bulk Administration Tool in Cisco Unified CM

Step 8 Open a new tab on the Chrome browser. Click to dropdown Cisco Webex Links and choose Cisco Webex
Control Hub.
Step 9 Login as [email protected] and dCloud123!
Remember Your XXX.dc-YY domain can be found under the session Details tab in your dCloud session

Step 10 Once logged into Webex Control Hub, go to Migrations under Services on the left side pane.
Step 11 Scroll down on the Migrations page. On the User/contact Synchronisation card under Unified CM upgrade
utilities, select click Get Started.

Step 12 On the User/contact Synchronization page, click [ ] to get more information. It will open a new
browser tab with more information about this migration card. Close this browser tab when finished reading
through the info.
Step 13 Click Go to Settings under the Prerequisite section. Ensure to de-select all boxes for Rules to Identify
Contacts from Unified CM Endusers. Click Save and Proceed.

Step 14 You will be taken back to the Migrations tab. Notice the Prerequisite section is marked green.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

82
Mapping the Transition: Phase 1 – Hybrid Services
Import Users Using the Bulk Administration Tool in Cisco Unified CM

Step 15 Scroll down to the Pending for Synchronization section. Click browse for files to import the TAR file we
exported from the Unified CM. Select the TAR file (exported in a step above) and click Open.

Step 16 Webex Control Hub will start uploading the data (please wait until it loads the data). Once the data has been
loaded, it lists the total imported users, any users that are already existing in Webex, and users that need to
be synced, etc. Click [ ] to continue.
Step 17 On the review users page, you will notice there is an error under Already Exist in Webex. This means a few
users out of the exported data file already exist in the Control Hub. We can quickly fix that with a simple
filter. Drop down the Filters option and add a checkmark for Already Exist in Webex.

Step 18 Select all of the users (who are in Webex already) and choose Remove from sync list. Click Remove on the
pop-up window to confirm.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

83
 Mapping the Transition: Phase 1 – Hybrid Services
Import Users Using the Bulk Administration Tool in Cisco Unified CM

Step 19 Once the users are removed, drop down the Filters option again and uncheck the filter you selected before
(Already Exist in Webex). Now you will notice all of the errors are gone. Click Next (bottom-right corner).

Step 20 Click Next again on the following page.

Step 21 On the Summary page, it will show you two users that are ready to be synchronized. Click [ ].
Step 22 It will take you back you to the Migration page and shows the synchronization status. Once the synchronization
is complete, you will see the number of synchronized users (two in this lab). You can click View all logs for
any additional information or if you run into any issues.

Step 23 Open a new browser tab. From the home page, click to drop down Collaboration User Links and choose
dCloud Outlook Web Access. Log in with dcloud\amckenzie and C1sco12345.
Step 24 There will be an email from Cisco with the subject, “Your Webex account has been created!” Open the email
and click Activate. It will open a new browser tab and prompt you to set your password and name, etc. Follow
the prompts and set the password to dCloud123! and enter the name as Adam McKenzie. Click Next.
Adam McKenzie’s account is set up and ready to be used. Close the browser tab.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

84
 Mapping the Transition: Phase 1 – Hybrid Services
Option B: User Synchronization Using Directory Connector (Recommended Method)

Step 25 If not already open, open the Webex app on the desktop. Log in with Adam McKenzie's credentials:
[email protected] and password dCloud123! If Webex is already open and logged in
as any other user, log out and log in again with Adam's credentials.
Step 26 On Workstation 2 (logged in as dcloud\aperez and dCloud123!), follow steps 24 to 26 and log in as Monica.
Credentials for Outlook are dcloud\mcheng and C1sco12345. Credentials for Webex are
[email protected] and password is dCloud123!
This completes user synchronization from Cisco UCM to Webex using the migration card.

Option B: User Synchronization Using Directory Connector (Recommended

Method)
Configuring Directory Connector for Identity Synchronization
What is Directory Connector?
Cisco Directory Connector is an on-premises application for identity synchronization in dcloud. Directory
Connector is an essential tool for synchronizing your Active Directory with the back-end Cisco identity store
and allows users to seamlessly use Cisco services such as Cisco Webex Meetings and Teams.
With Cisco Directory Connector, you can maintain your user accounts and data in the Active Directory, so
Active Directory becomes the single source of truth. When you make a change on-premises, it is replicated
to the cloud.
Module Objectives
In this module, we will replicate user accounts from On-prem AD server to the cloud using directory connector.
Module Notes

Note Because of the lab environment we will be installing directory connector on WKST1. In a production
environment, it is highly recommended to follow the Directory Connector Deployment Guide and install it
on a recommended machine. In the interest of time, this step has already been configured. The install file
for Directory Connector can be downloaded from customer management portal (Control Hub) in Users >
Manage Users > Turn on Directory Synchronization screens.

Pre-Requisites and Requirements

Important The Requirements for Directory Connector need to be followed in production deployments.

Enable Hybrid Directory Connector

Procedure

Step 1 Go to the RDP session on WKST1 (cholland / dCloud123!).

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

85
 Mapping the Transition: Phase 1 – Hybrid Services
Enable Hybrid Directory Connector

Step 2 Click the Search icon

[ ]
in the taskbar. Search for Cisco Directory Connector. When found, click the application icon

[ .]
Step 3 At the Webex sign in screen, enter [email protected] and click Next.
Note Replace the XXX and YY with your session information.

Step 4 Enter dCloud123! as the password in the next box and click Sign In.
Step 5 Keep the radio button for AD DS selected and click Load Domains.
Step 6 In the drop-down list, choose dcloud.cisco.com and click Confirm.
Step 7 Click Yes on the automatically upgrade pop-up window. If you get the option to do Dry Run, click Not Now.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

86
Mapping the Transition: Phase 1 – Hybrid Services
Enable Hybrid Directory Connector

Step 8 Now that the Directory Connector is open, configure it to synchronize the users along with their pictures
(avatars).
Step 9 Click the Configuration tab at the top.
Step 10 Click the Object Selection tab so you can specify the users to synchronize. The connector synchronizes the
entire domain’s users and groups by default. For the purposes of the lab, you only synchronize a set of users
in a specific Organizational Unit (OU).
Step 11 Uncheck the box next to Groups.
Step 12 Click Select located in the On Premises Base DNs to Synchronize section.
Step 13 Uncheck the top box next to DC=dcloud,DC=cisco,DC=com to de-select all the check boxes.
Step 14 Check the box next to dCloud and click Select. (You must ONLY select the dCloud container.)

Step 15 With exception to the Cloud Organization name, the Object Selection page should look like the image below.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

87
 Mapping the Transition: Phase 1 – Hybrid Services
Enable Hybrid Directory Connector

Step 16 Click the Avatar tab and check the box next to Enabled.

Step 17 In the Avatar URI Pattern box, enter the following URI:
http://ad1.dcloud.cisco.com/dCloud/directory/{mail: .*?(?=@.*)}.jpg
Note On the desktop, there is a text document named Pattern.txt that you can copy the pattern from.

Step 18 Click Apply at the bottom of the screen.

Step 19 On the pop-up, click Apply Config Changes. Now you can complete a Sync Dry Run to verify the correct
users synchronize.
Step 20 Click the Dashboard tab at the top.
Step 21 Click the Sync Dry Run icon

[ ]
and click OK. You should see the eight users that will be added to your organization. Click Done.
Step 22 Now enable the synchronization. Click the Actions menu and choose Synchronization Mode > Enable
Synchronization.
Step 23 Click No on the pop-up since you already performed a dry run.
Step 24 Click Enable Now on the pop-up to enable synchronization.
Step 25 Now complete a full sync. Click the Actions menu and choose Sync Now > Full.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

88
Mapping the Transition: Phase 1 – Hybrid Services
Enable Hybrid Directory Connector

Step 26 Click Yes on the pop-up.

Step 27 In the Current Synchronization section, you can see the progress of user creation and avatar uploads. After
the sync completes, in the Last Synchronization section, you should see a status of No Errors.
Note If you received any Sync errors/warnings, try completing another full sync. You can also view
the errors/warnings in the Event view by clicking Launch Event Viewer in the directory connector.
Then navigate to Applications and Services Logs > Cisco Directory Connector to view all the
events.

Step 28 Verify the users have synchronized by opening the Web browser on WKST1. Browse to Webex Control Hub
(https://admin.webex.com). Log in as [email protected] with the password of dCloud123!
Note Remember to replace XXX and YY with the info in your session detail page.

Step 29 In the Control Hub portal, click the Users tab

[ .]
(Refresh the page, if you are already there.)
Step 30 You should see a list of eight users along with their avatars and user information such as email address and
name.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

89
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring Okta for SSO – Webex Cloud

You have now successfully synchronized the customer’s on-premises Active Directory and configured users
to their Cisco Webex Control Hub Organization.

Configuring Okta for SSO – Webex Cloud

Module Objectives
In Phase1, we will be migrating users from on-prem infrastructure to Cisco Webex. Kellie Melby and Stefan
Mauk will be used to sign into Cisco Webex. As in earlier steps, we configured SSO for on-prem. Now we
will be configuring the same experience for users on Cisco Webex. In this module, we will perform the
following tasks:
• Log in to Webex teams client as Kellie Melby and Stefan Mauk
• Experience the sign in process using Okta
• Create a Circle of Trust (CoT) between Okta (IdP) and Webex Control Hub
• Configure Webex Control Hub for SSO
• Modify Okta configuration from above sections and enable Webex for SSO

Module Notes
The Security Assertion Markup Language (SAML 2.0) Federation Protocol is used to provide SSO
authentication between the Cisco Webex cloud and your Okta.
The SAML 2.0 Protocol supports several NameID formats for communicating about a specific user. Cisco
Webex supports the following NameID formats:
• urn:oasis:names:tc:SAML:2.0:nameid-format:transient
• urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
• urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Note We will be using the same Okta account that was provisioned in the earlier steps when configuring On-prem
infrastructure.

Pre-Requisites
• To complete this module, you will need to have the Okta account that was provisioned in earlier steps.
If you are only configuring SSO for Webex, then please follow steps in the on-prem section to create the
Okta account.
• You are able to use your personal devices to log in to Cisco Webex as Kellie Melby or Stefan Mauk.
• Disable any popup blockers in your browser.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

90
 Mapping the Transition: Phase 1 – Hybrid Services
Test Basic Functionality before Configuring SSO

Test Basic Functionality before Configuring SSO

As in the earlier module, we configured the Directory Connector that allows for synchronizing Active Directory
with the back-end Cisco identity store. It allows users to seamlessly use Cisco services such as Webex and
Meetings.

Procedure

Step 1 If not already connected, connect to the RDP session wkst3.dcloud.cisco.com (198.18.1.38).
Step 2 Click to open Webex. Sign in as [email protected] with password dCloud123!
Step 3 On your personal device, open Webex. Enter [email protected] and click Next. On the next screen,
enter dCloud123!
Step 4 You will notice that both users are logged into Webex and you be able to send messages and call each other.
Note Remember to replace XXX and YY with the info in your session detail page. You will be able
to use your own personal devices to log in to Webex as well.

Configuring Okta as Identity Provider and Adding a Relying Party Trust for
Webex
Procedure

Step 1 If not already open, log in to WKST1. Open a new browser tab to https://admin.webex.com. Log in using
[email protected] / dCloud123!
Note Remember to replace XXX and YY with the info in your session detail page.

Step 2 Go to Organization Settings. Scroll to Authentication.

Step 3 Toggle the softkey under Single Sign-On. On the new pop window select Signed by a Public Certificate
Authority. Click Download Metadata. Once the metadata file is downloaded, click Next.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

91
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring Okta as Identity Provider and Adding a Relying Party Trust for Webex

Step 4 Download the metadata file on WKST1.

Step 5 If not already open from earlier on WKST1, open a browser tab to the Okta webpage (url from account creation
steps) and log in using the account details created from earlier steps.
Note Once logged in, if you see Charles on the top right of your browser screen, click on Admin. You
might be asked to enter the code from your Authenticator App.

Step 6 From the Okta dashboard, select Applications > Applications.

Step 7 Go to Browse to App Catalog.
Step 8 Search for Webex. Choose Cisco Webex under search options to start configuring. Click Add. Click Next.

Step 9 Click Next. Select SAML2.0. Leave Default Relay State blank.
Step 10 On WKST1, use Notepad++ to open the metadata file you downloaded from Cisco Webex Control Hub.
Copy the URLs for the entityID (at the top of the file) and the assertionConsumerService location (at the
bottom of the file).
• entityID: The value should look like this: https://idbroker.webex.com/1a2b3c4d...

• AssertionConsumerService: The value should look like this:

https://idbroker.webex.com/idb/Consumer/metaAlias/1a2b3c4d.../sp

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

92
Mapping the Transition: Phase 1 – Hybrid Services
Configuring Okta as Identity Provider and Adding a Relying Party Trust for Webex

Step 11 On the Cisco Webex tab in Okta, scroll to Advanced Sign-On Settings. Paste the Entity ID and Assertion
Consumer Service values that you copied from the Control Hub metadata file. Once copied, click Done.
Step 12 We will now assign users to our app. There are two ways we can assign, either to individual people or assign
to groups. In the following steps, we cover both scenarios.
Step 13 Click the Assignments tab. Click Assign and then Assign to People.
Step 14 Select your account that was created when provisioning Okta. Click Assign. Once done, click Save and Go
Back. Click Done.

Step 15 In the following steps, we will assign our app to groups. Click the Assignments tab. Click on Assign and
then Assign to Groups.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

93
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring Okta as Identity Provider and Adding a Relying Party Trust for Webex

Step 16 In the pop up window, search for Domain Users and click Assign. Click Done. You will see your Domain
Users group under the Assignments tab.
Step 17 On the Sign On tab, click the View Setup Instructions link to download the Okta metadata file.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

94
Mapping the Transition: Phase 1 – Hybrid Services
Configuring Okta as Identity Provider and Adding a Relying Party Trust for Webex

Step 18 In the View Setup Instructions windows, scroll down to where it says Copy and paste the following IDP
into a file and save as metadata.xml. Copy and save the metadata file as metadata.xml on WKST1. This
will be loaded on Webex Control Hub.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

95
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring Okta as Identity Provider and Adding a Relying Party Trust for Webex

Step 19 Return to Webex Control Hub. Choose one of the following options:
• While on Export Directory Metadata page in your browser, click Next.
• If Control Hub is no longer open in the browser tab, from the customer view in https://admin.webex.com,
go to Organisation Settings. Scroll to Authentication. Toggle on the softkey under Single Sign-On.
On the popup window, select Signed by a public certificate authority and click Next.

Step 20 On the Import IdP Metadata page, select Less Secure: Not signed, self-signed or private CA signed IdP
metadata file and then either drag and drop the IdP metadata file (metadata.xml) onto the page or use the file
browser option to locate and upload the metadata file. Click Next.
Note Okta doesn’t sign the metadata, so you must choose less secure for an Okta SSO integration.

Step 21 Select Test SSO Connection. When a new browser tab opens, authenticate with the IdP by signing in.
Step 22 In the new window that pops up, enter the account username ([email protected]) or just (cholland)
and password (dCloud123!) you enabled earlier. Click Sign In.
Note Replace the XXXXXXX and YY with the account info you have created earlier. Also, if you
prefer, you can enter cholland without a domain part as the username .

Step 23 Check if the output message indicates a successful result: Single Sign-On Succeeded.
Step 24 Browse back to the Webex Control Hub tab. Click Next. Select the option Successful text. Turn on SSO.
Click Save.
Step 25 Sign out of Control Hub and close all the browser windows. Sign back in. You will be prompted to log in
using SSO with credentials cholland / dCloud123!

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

96
 Mapping the Transition: Phase 1 – Hybrid Services
Testing SSO for KMelby and SMauk

Testing SSO for KMelby and SMauk

If you recall, when we signed into Webex teams client earlier as kmelby and Smauk there was no option for
SSO. Lets try signing into those clients again either from WKST3 or your personal device.

Procedure

Step 1 Launch Cisco Webex. Enter [email protected] and click Next.

Note Remember to replace XXX and YY with the info in your session detail page.

Step 2 In the new Okta window that pops up, enter the username smauk and password dCloud123! and click Sign
In.
Note As this is the first time you logging in using Okta you might be asked to select an image. Once
selected click on Create My Account.

Step 3 Use the above steps to login into kmelby account as well.
Step 4 Once logged in, you be able to send messages between kmelby and smauk. This concludes this scenario as
you can login using SSO on Webex Teams client.

Configuring Webex Hybrid Messaging Service

Module Overview
Cisco Webex Hybrid Message Service connects your Cisco Unified Communications Manager, IM and
Presence Service (IM and Presence Service) to Cisco Webex to enable interoperability with Cisco Webex.
This service is ideal for organizations that have users on Cisco Webex who need to exchange messages with
users on Cisco Unified Communications Manager IM and Presence (UCM IM&P) Service. Hybrid Message
Service enables exchange of instant messages between Cisco Webex and Cisco Jabber registered to Unified
CM IM and Presence service. Hybrid Message Service enables Cisco Jabber users to see the presence status
of Cisco Webex users based on their Webex client activity.
You can find the full Webex Hybrid Messaging overview and setup guide here.
Pre-Requisites
• To complete this module, you will need to have CUCM and IMP with minimum version of 11.5(1) SU3
or later.
• All publisher nodes to be running AXL service.
• If you have multiple IMP clusters, you must have ICSA working across them. (Not part of this lab.)

Module Objectives
In this module, we will perform the following tasks:
• A requirement for the Message Connector is to have an application user created with the role of Standard
AXL API Access. The Message Connector will use this account to communicate with Unified CM IM
and Presence Service. For this lab, this user has been created for you. In the Appendix, you will find the

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

97
 Mapping the Transition: Phase 1 – Hybrid Services
Enabling the Message Connector

necessary steps to create this user and assign permissions. The user is also configured with other roles
that can be used with future updates. Only the one role mentioned above is necessary for the hybrid
messaging service.
• Enable Hybrid Messaging for kmelby and smauk.
• Send messages between on-prem-registered (Jabber) users (cholland and Aperez) and
Webex-registered (cloud) users (kmelby and smauk).

Enabling the Message Connector

Procedure

Step 1 If not already open from earlier, log in to WKST1. Open a new browser tab to https://admin.webex.com. Log
in using [email protected] / dCloud123!
Step 2 SSO was configured in the previous steps. In the new window that pops up, enter username (cholland) and
password (dCloud123!) and click Sign In.
Step 3 Under Services on the left-hand menu within the portal, select Hybrid.
Step 4 Click Setup on the Hybrid Message Service Setup tile. In the popup window, click Next.
Step 5 At the first radio button, select and enter exp-cc.dcloud.cisco.com into the box and click Next.
Note The DNS entry for exp-cc.dcloud.cisco.com is already created as part of this lab.

Step 6 For a display name for Expressway cluster, enter HS Cluster 1.

Step 7 Click Next again.
Step 8 Click Next once more to open a new browser tab to the Expressway. Ignore/accept/proceed through any
security warnings.
Step 9 If prompted, log into the Expressway as admin with password dCloud123! (Should be prepopulated.)
Step 10 Check the box for I want Cisco to manage the Expressway CA certificates required for this trust.
Step 11 Click Update software & verify connection.
Step 12 After successful verification, click Register. (If prompted to log in into Webex, enter
[email protected] / dCloud123! for the username / password.)
Step 13 On the next screen, check the box next to Allow Access to the Expressway and then click Continue. In a
few moments, you return to the Expressway and two Hybrid Services connectors will download and install.
These connectors are Management and Message Connector. The Service Status for Message Connector will
go from Not Installed, to Installing, to Not Configured. When the Service Status of the Expressway host reads
Not configured. That status tells you the Message Connector was successfully downloaded and installed.
Step 14 If not already logged in, from WKST1 log in into expressway connector(exp-cc.dcloud.cisco.com).
Step 15 Log in with:
• Username: admin
• Password: dCloud123!

Step 16 On the Connector Management page, click Configure IM and Presence Servers. You can also navigate to
Applications > Hybrid Services > Message Services > Message Service Configuration.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

98
Mapping the Transition: Phase 1 – Hybrid Services
Enabling the Message Connector

Step 17 Click New.

Step 18 Configure the following parameters from the table below.

Setting Configuration
IM and Presence Publisher node address cup1.dcloud.cisco.com
Message Connector AXL account name webex
Message Connector AXL account password dCloud123!

Step 19 Click Add.

Step 20 Click Message Connector is not running, No status info available, (also found at Applications > Hybrid
Services > Message Service > Message Service Overview).
Step 21 Choose Enabled for the Active setting and then click Save.
Step 22 Navigate to Applications > Hybrid Services > Message Service > Message Service Status. The Node
Status should be Operational. If it is not, wait until the service goes operational. You might need to refresh
the page to view the updated status.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

99
 Mapping the Transition: Phase 1 – Hybrid Services
Enabling the Message Connector

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

100
 Mapping the Transition: Phase 1 – Hybrid Services
Enabling Hybrid Message Service for Users

Enabling Hybrid Message Service for Users

Users will need to be enabled for the Hybrid Message Service. For lab purposes, we will enable one user,
Kellie Melby, for this service. In production, you can enable multiple users in bulk through an CSV template.

Procedure

Step 1 Open the tab for the Control Hub and log in, if needed ([email protected] / dCloudZZZZ!).
Note The ZZZZ portion of the password is the last four digits of our Session ID found in your sessions's
Details tab.

Step 2 Click the Users tab and select Kellie Melby, Stefan Mauk, and Anita Perez one by one from the list.
Step 3 Under Hybrid Services, click Message Service.
Step 4 Toggle the Hybrid Message Service on

[ ]
and click Save.
Step 5 On the main user page, wait for Messaging Service to change its status to Activated.

Testing the Hybrid Message Service

In the lab environment, be aware users could experience a delay of up to one hour before reliably being able
to send messages from Webex Teams to Cisco Jabber. In this case, you might want to skip testing for now if
it’s not working and come back later to test again.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

101
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring Hybrid Calling for Cisco Webex Devices (Device Connector)

Procedure

Step 1 Connect to Workstation 2 (198.18.1.37) with these credentials:

• Username: dcloud\aperez
• Password: dCloud123!

Step 2 On Workstation 2, open Jabber client and log in with these credentials (Sign out other users if logged on
from earlier):
• Username: [email protected]
• Password: dCloud123!

Step 3 On Workstation 3 or your personal device, open the Webex Teams client if it’s not already. Use
[email protected] for the email and kmelby/dCloud123! for the username/password.
Step 4 Start a conversation between Anita (on-premises registered Jabber client) and Kellie (cloud registered Webex
client).
This concludes the scenario.

Configuring Hybrid Calling for Cisco Webex Devices (Device

Connector)
Module Overview
Hybrid Calling for Cisco Webex Devices provides hybrid call functionality for room, desk, and Cisco Webex
board devices that are added to Workspaces in Control Hub. Cisco Webex devices are registered to the cloud,
and when they are enabled, they also connect to the enterprise. Cisco Webex devices in the workspace become
a part of your existing on-premises dial plan, allowing these devices to call user extensions or the PSTN and
receive incoming calls.
Cisco Webex Device Connector is a lightweight piece of software that connects your Unified CM configuration
with cloud configuration and Webex devices registered to the cloud. You can use the software automate
synchronizing Unified CM configuration to device in your Control Hub-managed organization. You get the
software from Control Hub and install it on a Windows or Mac device or virtual machine in your network
that can access your premises environment and the devices themselves.
This diagram shows the on-premises and cloud components that comprise the Hybrid Calling for Cisco Webex
Devices architecture. This architecture provides call connectivity to Cisco Webex cloud-registered devices
in a Workspace (created in Control Hub), so that these devices can use the Unified CM dial plan. You manually
synchronize configuration between premises and cloud by running a sync in the Cisco Webex Device Connector
software.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

102
Mapping the Transition: Phase 1 – Hybrid Services
Configuring Hybrid Calling for Cisco Webex Devices (Device Connector)

You can find the Hybrid Calling for Webex Devices (Device Connector) guide here.

Note Hybrid Calling calls are classified the same as MRA, B2B calls, and the calls traverse the existing Expressway
C and E pairs. Calls that include the *.webex.com in the route path don’t count towards the traversal license
cost.

Pre-Requisites
• A requirement for the device Connector is to have an application user created with the role of Standard
AXL API Access. The device Connector will use this account to communicate with Unified CM. For
this lab, this user has been created for you. In the Appendix, you will find the necessary steps to create
this user and assign permissions. The user is also configured with other roles that can be used with future
updates. Only the Standard AXL API Access role is necessary for the Webex device connector.
• A Webex room device.
• Install the Device Connector software. It can be installed on Windows 10 or MacOS Mojave (10.14) or
High Sierra (10.13). The Webex Edge for Devices Connector tool provides support for three different
operations:
1. Mass migration of on-premises registered Webex devices to the Webex Cloud
2. Linking of on-premises registered Webex devices to Webex Control Hub to allow access to Webex
Cloud features
3. Adding hybrid calling for cloud-registered devices through Unified CM (replaces the hybrid calling
connector through Expressway)

• In production, the Unified CM user account that will represent the Workspace account must have a
minimum Enhanced UCL license

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

103
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring Hybrid Calling for Cisco Webex Devices in Cisco Webex Control Hub (Information ONLY)

• CUCM version 11.5(1) SU3 and later

• Expressway version X8.11.4 or later

Module Objectives
In this module, we will perform the following tasks:
• Register a Webex device to Control Hub
• Although the devices in a workspace are registered to the cloud, we will provide them with a line and
PSTN service that is served through your Unified CM deployments
• From Webex, smauk or kmelby can call phone numbers while connected to a cloud-registered Webex
device using proximity (if available)

Configuring Hybrid Calling for Cisco Webex Devices in Cisco Webex Control
Hub (Information ONLY)

Important The following steps are for your reference only and do not need to be completed in the lab.

In this section, you will begin the initial set up in Cisco Webex Control Hub. This includes specifying the
desired site name for your company to create SIP addresses for all users, enable Call Service Connect, and
then specify the SIP destination to point to your Expressway-E with mutual TLS. In this lab, we have a working
Expressway-C/E pair that handles B2B and MRA. There is also a requirement for a DNS SRV record that
points to the SIP mutual TLS port on your Expressway-E server. This SRV has been pre-configured for you
and is publicly available on the internet for your session.
The first task is to configure a custom SIP domain for your organisation so your users can be directly dialed.
The below step is for information only, it is already configured as part of this lab guide:
1. Open Webex Control Hub again. On the left-hand menu, click Organisation Settings. Scroll to the SIP
Address for Cisco Webex Calling section to view the Control Hub configuration.
As you can see, the prefix for your SIP domain is displayed. This was configured for you already during
the base setup. In the lab, we have used the @cbXXX.dc-YY.com domain assigned to your session. The
lab had you shorten it to cbXXXYY to make it easier to dial users. After it is configured, the platform
will create real SIP addresses and DNS records that are reachable on the Internet.

Configuring Domain Verification

Important The following steps are for your reference only and do not need to be completed in the lab.

Domain verification is essential to the security and integrity of your organization. Verification proves to us
that you own a particular domain and is required for some services to work, such as Call Service Aware and
Call Service Connect.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

104
Mapping the Transition: Phase 1 – Hybrid Services
Configuring Domain Verification

If your company has multiple domains, add each domain one at a time. For example, if you have users in
sales.example.com and in support.example.com, you must add both domains.
If your organization enforces email addresses, you are presented with warnings about possible user lockout.
You are forced to verify and remove domains in a particular order to prevent administrator lockout. When
adding domains, for example, you must add the administrator domain first followed by all other domains.
For every domain that you add, you receive a verification token that you must add to your DNS TXT record.
If you add multiple domains and therefore receive multiple tokens, we recommend you keep each token in a
separate DNS TXT record. If that is not possible (for example, if your private domain does not support more
than one DNS TXT record or you can only edit SPF or custom records), please contact Cisco Technical
Support for manual verification.
When adding a verification token to a DNS TXT record, we recommend two things:
• Enter the token as a separate line at the beginning of your DNS TXT record.
• Enter the token with the following prefix: cisco-ci-domain-verification=<token>. This unique identifier
helps you with search functions in the future and distinguishes Cisco verification tokens from other
information presented in your DNS TXT record.

The previous explanation was for your information only. In the lab, the DNS TXT record has already been
created for your session. The domain verification should have been pre-configured for you, but let’s verify.

Important On the Settings page (above SIP Address for Cisco Webex Calling), there is a Domains section. During the
base setup, the domain was pre-configured for you and verified. Therefore, the following steps are for your
reference only and do not need to be completed in the lab.

Procedure

For Information ONLY as the below steps already configured in the lab.

Step 1 Click Add Domain.

Step 2 The domain that was assigned to your session is listed in the box. If it is not, enter it now.
Step 3 Click Add.
Step 4 The status will now register as pending.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

105
 Mapping the Transition: Phase 1 – Hybrid Services
Registering Devices to Control Hub

Step 5 Click ellipse

[ ]
and choose Verify Domain from the menu.
Step 6 Click Verify. Your status should show as verified

[ .]

Registering Devices to Control Hub

Procedure

Step 1 If not already open from earlier, log in to WKST1. Open a new browser tab to https://admin.webex.com.
Log in using [email protected] / dCloud123!
Step 2 SSO was configured in the previous steps. In the new window that pops up, enter the username (cholland)
and password (dCloud123!) and click Sign In.
Step 3 On the left-hand menu within the portal, click Devices and then click Add Device.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

106
Mapping the Transition: Phase 1 – Hybrid Services
Registering Devices to Control Hub

Step 4 Choose Workspace and then click Next.

Step 5 Choose New Workspace. In the box that appears, enter a workspace name, such as OmerDevice.
Step 6 Click Next.
Step 7 Choose Cisco Webex Rooms device and then click Next.
Step 8 Keep Free Calling selected and click Next.
Step 9 The next screen will show a 16-digit code to put into your DX/SX/Room Kit/Room 55-70/MX/Webex Board,
which you will use in the next steps. The following instructions start from a factory reset condition, which is
recommended for this lab.
Step 10 On the Welcome screen of the room device, tap Start.
Step 11 On the Network screen, tap the blue right arrow.
Step 12 On the Choose a Call Service screen, click Cisco Webex.
Step 13 Enter the 16-digit code provided by the management portal and tap the blue right arrow. Continue through
the rest of the set up until you reach the home screen on your device.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

107
 Mapping the Transition: Phase 1 – Hybrid Services
Registering Devices to Control Hub

Step 14 To go back to the management portal, click the

[ ]
on the Activation Code page.
Step 15 The room device should be registered to Cisco Webex. You can now see it listed online on the Devices page
on the Cisco Webex Control Hub (you might need to refresh the page).

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

108
 Mapping the Transition: Phase 1 – Hybrid Services
Enabling the Device Connector

Enabling the Device Connector

Procedure

Step 1 If not already open from earlier, log in to WKST1. Open a new browser tab to https://admin.webex.com.
Log in using [email protected] / dCloud123!
Step 2 As SSO was configured in the previous steps. In the new window that pops up enter username (cholland)
and password (dCloud123!) and click Sign In.
Step 3 On the left-hand menu within the portal, click Devices. On the top of the screen, click Resources. From the
Resources page under Tools, select Download for Cisco Webex Device Connector and save on WKST1.
Click Done once the file is downloaded.

Step 4 Open the downloaded devicetool.msi file by clicking it and running the install wizard. You can leave all the
options to default. Once installed, click Finish on the installer file.
Step 5 If the Webex Device Connector tool is not already open, click the Windows Start button on Workstation 1.
Click Cisco Webex Device Connector under Recently Added.
Step 6 The starting page of the tool will ask for your Cisco Webex Administrator username and password. Enter the
following:
a) Username: [email protected]
b) Click Sign In. As SSO is configured, you will be asked to enter SSO credentials and then click Sign In.
c) Username: cholland
d) Password: dCloudZZZZ!
Note The ZZZZ portion of the password is the last four digits of our Session ID found in your
sessions's Details tab.

Note Remember to replace the XXX and YY with your session information.

Step 7 From the What would you like help with? screen, select I want to add on-premises calling to my cloud
registered devices.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

109
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring Call Service to Connect SIP Destination

Step 8 From the Configure Hybrid Calling under Connect to Cisco Unified Communications Manager, enter
the following.
a) Host: cucm1.dcloud.cisco.com
b) Username (Standard AXL API Access): webex
c) Password: dCloud123!
Note The Webex user is already been created for you in this lab. More information about creating a
user can be found in the Appendix.

Step 9 Click Connect.

Step 10 From the error page, click Proceed without certificate validation.
Note We are using Self Signed Certificates in the lab and these have not been added to the users
Certificate directory for the Webex Device Connector tool. This is the reason for the ‘Failed to
connect’ message.

Configuring Call Service to Connect SIP Destination

Procedure

Step 1 Back on the Control Hub, under Services select Hybrid tab. Click Set Up on the Hybrid Calling for Webex
Devices card and then click Enable Edit Settings.
Step 2 In the SIP Destination box that appears after turning the services on, enter mtls.cbXXX.dc-YY.com and
click Save. (Remember to replace the XXX and YY with the specific numbers assigned to your session.)

Step 3 Notice this now points to the DNS SRV record that was created for your session, which is
_sips._tcp.mtls.cbXXX.dc-YY.com.
Note If you were to click Test, you might get a warning stating Your SIP Destination is not configured
correctly. Please ignore this as we be enabling mutual TLS mode on Expressway-E in the coming
steps.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

110
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring Cisco Unified CM for Hybrid Calling

Configuring Cisco Unified CM for Hybrid Calling

Procedure

Step 1 If not already open from earlier, log in to WKST1. Open a new browser tab to Unified CM
(https://198.18.133.3/ccmadmin) and log in, if needed, with these credentials:
• Username: administrator
• Password: dCloud123!

Step 2 Navigate to System > Enterprise Parameters.

Step 3 Search (CTRL+F) for “fully", which will bring you to the setting Cluster Fully Qualified Domain Name.
Step 4 There will already be an FQDN of cucm1.dcloud.cisco.com. Leave that FQDN in the box and enter your
session's domain name at the beginning, cbXXX.dc-YY.com, and then leave a space in between the two
domains.
Note Remembeer to replace the XXX and YY with your specific domain information.

Note The domain name that you are using for Webex must be the first in the list. The Cisco Webex
Control Hub uses the first entry and ignores any other ones.

Step 5 Click Save.

Step 6 Navigate to Device > Device Settings > SIP Profile and then click Find.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

111
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring Cisco Unified CM for Hybrid Calling

Step 7 Click the Copy icon

[ ]
next to the existing profile called Standard SIP Profile for Cisco VCS.
Step 8 Change the Name to Standard SIP Profile For Cisco Webex Hybrid Call. Also, change the description if
you would like.
Step 9 Toward the bottom of the page, for the Early Offer support for voice and video calls setting in the Trunk
Specific Configuration section, choose the option Best Effort (no MTP inserted).
Step 10 Click Save.
Note Because the lab has an existing Expressway-C/E pair that runs MRA and B2B, you will need to
create a separate SIP Trunk Security Profile that uses a different port. The C/E pair currently uses
port 5560. It is recommended to use 5561 for hybrid services.

Step 11 Navigate to System > Security > SIP Trunk Security Profile and then click Find.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

112
Mapping the Transition: Phase 1 – Hybrid Services
Configuring Cisco Unified CM for Hybrid Calling

Step 12 Click the Copy icon

[ ]
next to the existing profile called Non Secure SIP Trunk Profile.
Step 13 Change the Name to Non Secure SIP Trunk Profile for Webex Hybrid Call and add a Description, if you
would like.
Step 14 Change the Incoming Port to 5561 and click Save.
Step 15 Navigate to Device > Trunk and click Add New.
Step 16 Change the Trunk Type to SIP Trunk. Leaving the rest as default, click Next.
Step 17 Configure the following settings from the table below.

Setting Configuration
Device Information > Device Name Webex_Hybrid_Call
Device Information > Device Pool dCloud_DP

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

113
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring the Expressway-E for Hybrid Call Service

Setting Configuration
Inbound Calls > Calling Search Space Call_Everyone
Outbound Calls > Calling and Connected Party Deliver URI and DN in connected party, if available
Info Format
SIP Information > Destination Address 198.18.133.152 (This is the existing Expressway-C
used for B2B/MRA)
SIP Information > SIP Trunk Security Profile Non Secure SIP Trunk Profile for Webex Hybrid
Call
SIP Information > SIP Profile Standard SIP Profile For Cisco Webex Hybrid Call

Step 18 Click Save, OK, Reset, Reset, and Close.

Step 19 Lastly, configure a SIP route pattern that matches the cloud URI IPv4 pattern sent out this new SIP trunk to
the Expressway-C server. Navigate to Call Routing > SIP Route Pattern. Click Add New.
Step 20 Configure the following settings from the table below.

Setting Configuration
IPv4 Pattern *.rooms.webex.com
Description Routing to Cisco
Webex
SIP Trunk/Route Webex_Hybrid_Call
List

Step 21 Click Save.

Configuring the Expressway-E for Hybrid Call Service

Enterprise calls are routed over the Expressway-C/E pair. In the lab, this pair is currently fully functional to
support MRA and B2B, so some of the configured traversal zones already exists. You will modify this existing
traversal configuration as well as create a new configuration to support Call Service Connect.

Procedure

Step 1 In a new browser tab, navigate from the WKST1 homepage to Collaboration Admin Links > Cisco
Expressway-E.
Step 2 Log in with these credentials:
• Username: admin
• Password: You can find your unique Expressway-E password in your dCloud session details: Session
Details > AnyConnect Credentials > Password

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

114
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring Expressway-E Webex Zone (X8.11 and Later)

Step 3 Now, you will configure mutual TLS. Navigate to Configuration > Protocols > SIP.
Step 4 For Mutual TLS Mode, select On from the drop-down menu.
Step 5 Keep the Mutual TLS port at 5062.
Step 6 Click Save.
Step 7 Navigate to Configuration > Zones > Zones and click the link for DefaultZone.
Step 8 Since this is an existing Expressway-E server, you need to set Enable Mutual TLS on Default Zone to Off.
This is currently the default setting, so there is nothing to configure. However, if this were a new Expressway-E
server dedicated to Call Service Connect, this setting would need to be changed to On.

Configuring Expressway-E Webex Zone (X8.11 and Later)

At this point, you need to create a new DNS Zone that allows your Expressway-E server to identify and route
calls between Cisco Unified CM and the Cisco Webex Control Hub.

Procedure

Step 1 On the Expressway-E server, navigate to Configuration > Zones > Zones and click New.
Note In the lab, the Expressways are at version X12.x. In earlier versions, this zone is not available to
be configured so a regular DNS zone must be used.

Step 2 On the Zones page, click New.

Step 3 For Type, select Webex.
Step 4 Click Create zone.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

115
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring a Secure Traversal Server Zone to Expressway-C

Configuring a Secure Traversal Server Zone to Expressway-C

Create a dedicated traversal server zone on Expressway-E. Though Cisco Webex traffic can coexist on the
same traversal zone with MRA or B2B, we recommend you create a dedicated traversal server zone on
Expressway-E, specifically for handling Hybrid Call signaling and media. That way, any settings for B2B or
MRA won't affect Cisco Webex traffic and vice versa.

Procedure

Step 1 On the Zones page, click New.

Step 2 Configure the following settings from the table below.

Setting Configuration
Configuration > Name Traversal Server for Webex Hybrid Call
Configuration > Type Traversal server
Connection credentials > Username cisco
H.323 > Mode Off
SIP > Port 7005
SIP > TLS verify mode On
SIP > TLS verify subject name vcsc.dcloud.cisco.com
SIP > Media encryption mode Force encrypted
SIP > Preloaded SIP routes support On
SIP > SIP parameter preservation On

Step 3 Click Create zone.

Creating Search Rules on Expressway-E

You will now create two search rules that will perform the following:
• Identify calls from the Cisco Webex Control Hub and route them through the traversal zone to
Expressway-C.
• Identify calls from Cisco Unified CM and route them through the DNS zone to Cisco Webex Control
Hub.

Procedure

Step 1 Navigate to Configuration > Dial plan > Search rules and click New.
Step 2 Configure the following settings from the table below.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

116
 Mapping the Transition: Phase 1 – Hybrid Services
Call Policy Rules

Setting Configuration
Configuration > Rule name Inbound Webex Hybrid Call
Configuration > Description Route traffic from Webex to Exp-C
Configuration > Priority 99
Configuration > Protocol SIP
Configuration > Source Named
Configuration > Source name Webex Zone
Configuration > On successful match Stop
Configuration > Target Traversal Server for Webex Hybrid Call

Step 3 Click Create search rule.

Step 4 Click New.
Step 5 Configure the following settings from the table below.

Setting Configuration
Configuration > Rule name Outbound Webex Hybrid Call
Configuration > Description Route traffic from Unified CM to Webex
Configuration > Priority 99
Configuration > Protocol SIP
Configuration > Source Named
Configuration > Source name Traversal Server for Webex Hybrid Call
Configuration > Mode Alias pattern match
Configuration > Pattern type Regex
Configuration > Pattern string .+@.+\.(calls|rooms)\.webex\.com.*
Configuration > Pattern behavior Leave
Configuration > On successful match Stop
Configuration > Target Webex Zone

Step 6 Click Create search rule.

Call Policy Rules

Now you will create a new policy rule to allow incoming Webex calls.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

117
 Mapping the Transition: Phase 1 – Hybrid Services
Call Policy Rules

Procedure

Step 1 On the Expressway-E, navigate to Configuration > Call Policy > Rules and click New.
Step 2 Change the following parameters from the table below.

Setting Configuration
Source type Zone
Originating Zone Webex Zone
Destination .*
pattern
Action Allow

Step 3 Click Add.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

118
Mapping the Transition: Phase 1 – Hybrid Services
Call Policy Rules

Step 4 Find the new Webex Zone rule at the bottom of the list and use the up arrows

[ ]
to move it up to the top of the call policy list

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

119
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring the Expressway-C for Hybrid Calling

Configuring the Expressway-C for Hybrid Calling

Next, you will configure the Expressway-C pair to support Hybrid Calling. Just like the Expressway-E server
you modified earlier, you will modify an existing configuration as well as make new configurations.

Configuring a Secure Traversal Client Zone to Expressway-E

Just like the zones on the Expressway-E server, it is recommended to create a dedicated traversal zone for
Cisco Webex on the Expressway-C.

Procedure

Step 1 If not already open from earlier, open a new browser tab to the Expressway-C server (vcsc.dcloud.cisco.com)
and log in as admin with password dCloud123!
Step 2 Navigate to Configuration > Zones > Zones.
Step 3 On the Zones page, click New.
Step 4 Configure the following settings from the table below.

Setting Configuration
Configuration > Name Traversal Client for Webex Hybrid Call
Configuration > Type Traversal client
Connection credentials > Username cisco
Connection credentials > Password dCloud123!
H.323 > Mode Off
SIP > Port 7005
SIP > TLS verify mode On
SIP > Accept proxied registrations Deny
SIP > Media Encryption Mode Force encrypted
SIP > Preloaded SIP routes support On
SIP > SIP parameter preservation On
Authentication > Authentication policy Check credentials
Location > Peer 1 address vcse.cbXXX.dc-YY.com

Step 5 Click Create zone.

Creating a Neighbor Zone for Each Unified CM Cluster

You will now configure the zone to the Cisco Unified CM cluster to which you want to route. Each zone can
accommodate six peer addresses, which supports a Cisco Unified Communications Manager cluster with six

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

120
 Mapping the Transition: Phase 1 – Hybrid Services
Configure Search Rules on Expressway-C

nodes. The Cisco Unified Communications Manager cluster to which this zone will route must be a home
cluster. It cannot be an SME or other intermediate routing agent.
The exact port to use for each zone depends on the SIP trunk security profile configured on Cisco Unified
CM. Because you have B2B and MRA configured on these Expressways, it is recommended to use a different
port so the new configuration does not interfere with your existing setup. Port 5062 is what is recommended
but any port can be used. In this lab, you will be using Port 5561 as you configured earlier on the SIP Trunk
Security profile on CUCM. We will not re-use any existing neighbor zones to Cisco Unified CM for Jabber
MRA.

Procedure

Step 1 On the Expressway-C Zones page, click New.

Step 2 Configure the following settings from the table below.

Setting Configuration
Configuration > Name UCM Neighbor for Webex Hybrid Call
Configuration > Type Neighbor
H.323 > Mode Off
SIP > Port 5561
SIP > Transport TCP
SIP > Preloaded SIP routes support On
SIP > AES GCM support On
Location > Peer 1 address cucm1.dcloud.cisco.com
Advanced > Zone profile Custom
Advanced > Call signaling routed mode Always
Advanced > SIP parameter preservation On

Step 3 Click Create zone.

Configure Search Rules on Expressway-C

Now, you will create two search rules, as you did on the Expressway-E server, to route traffic between Unified
CM and the cloud.

Procedure

Step 1 Navigate to Configuration > Dial plan > Search rules and click New.
Step 2 Configure the following settings from the table below.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

121
 Mapping the Transition: Phase 1 – Hybrid Services
Configuring Hybrid Call Service for Cisco Webex Devices

Setting Configuration
Configuration > Rule name Inbound Webex Hybrid Call
Configuration > Description Route traffic from Exp-E to Unified CM
Configuration > Priority 99
Configuration > Protocol SIP
Configuration > Source Named
Configuration > Source name Traversal Client for Webex Hybrid Call
Configuration > On successful match Stop
Configuration > Target UCM Neighbor for Webex Hybrid Call

Step 3 Click Create search rule.

Step 4 Click New.
Step 5 Configure the following settings from the table below.

Setting Configuration
Configuration > Rule name Outbound Webex Hybrid Call
Configuration > Description Route traffic from Unified CM to Exp-E
Configuration > Priority 99
Configuration > Protocol SIP
Configuration > Source Named
Configuration > Source name UCM Neighbor for Webex Hybrid Call
Configuration > Mode Alias pattern match
Configuration > Pattern type Regex
Configuration > Pattern string .+@.+\.(calls|rooms)\.webex\.com.*
Configuration > Pattern behavior Leave
Configuration > On successful match Stop
Configuration > Target Traversal Client for Webex Hybrid Call

Step 6 Click Create search rule.

Configuring Hybrid Call Service for Cisco Webex Devices

The following points provide a functional overview of the feature.
• Hybrid Call Services for Cisco Webex Devices will create and use a Cisco Webex Remote Device (Cisco
Webex-RD) in on-premises Unified CM to route calls to enterprise extensions, users, and PSTN.
• Features from on-premises phones (such as hold, transfer, and conference) can include the Cisco Webex
device.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

122
 Mapping the Transition: Phase 1 – Hybrid Services
Creating a Directory Number for a Workspace

• Any calls from Workspaces to PSTN or on-premises extensions are anchored to the Cisco Webex-RD
in Unified CM.

Creating a Directory Number for a Workspace

Use Cisco Unified CM Administration to configure directory numbers that you want to later assign to devices
in a workspace. You'll also assign directory URIs to the directory numbers.

Procedure

Step 1 Go to the tab Unified CM and log in, if needed, with administrator / dCloud123!
Step 2 Navigate to Call Routing > Directory Number and click Add New.
Step 3 For the new directory, enter the details from the table below.

Setting Configuration
Directory Number Information > Directory Number 7800
Directory Number Information > Route Partition Base_PT
Directory Number Information > Alerting Name Hybrid
Device
Directory Number Information > ASCII Alerting Name Hybrid
Device
Directory Number Setting > Calling Search Space Call_Everyone

Step 4 Click Save.

Step 5 After the page refreshes, in the Directory URIs section, enter [email protected] in the URI box.
Step 6 Choose Base_PT for the partition.
Step 7 Click Save.

Creating a Unified CM Account for a Workspace

Even though the devices are registered to the cloud, you can associate a number to them from an on-premises
Cisco Unified Communications Manager (Unified CM). You can use a Unified CM end-user account to
represent a workspace. The workspace contains Cisco Webex-registered devices in a physical location.
This account is not tied to a real user. Instead, the account stands in for the devices and provides a PSTN
number or extension from the Unified CM dial pool to the devices in the workspace.
The device connector for your hybrid call environment associates the workspace with the account for the
device. The connector identifies the Unified CM cluster that can service that particular workspace, assigns a
directory number and URI, and assigns a Cisco Webex SIP address. Behind the scenes, the Cisco Webex
Remote Device (Cisco Webex - RD) ties together activity in the cloud and the premises.
Some points to consider:
• The email address domain must be one of your verified domain entries in the Cisco Webex Control Hub.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

123
 Mapping the Transition: Phase 1 – Hybrid Services
Creating a Spark-RD for Cisco Webex Devices

• The Mail ID must be an exact match between both Cisco Webex and on-premises.
• Email address must be unique. Do not use the same account for multiple Cisco Webex workspaces or
a Cisco Webex user and a workspace.
• The Directory URI for the user must match the Directory URI for the directory number that you created
for the workspace.
• The Telephone Number is the number that will show up on your hybrid-enabled workspace. You could
also use an internal number or extension. If you have multiple devices in the workspace, the directory
number is assigned to all of them, like shared lines. From a technical standpoint, a call to this number is
sent to the assigned Cisco Webex SIP address, which Cisco Webex forks to all the devices in the
workspace.

Procedure

Step 1 Navigate to User Management > End User.

Step 2 Click Add New.
Step 3 For the new directory, enter the following settings from the table below.

Setting Configuration
User Information > User ID hdevice
User Information > Password Clear box if populated
User Information > Last Name Device
User Information > First Name Hybrid
User Information > Directory URI [email protected]
User Information > Telephone Number See the dCloud session details for the Hybrid
Device DID that translates to the 7800 DN. Also the number can be
found on the desktop of workstation 1 in the text document named
DN_to_DID.txt.

User Information > Mail ID [email protected]

Step 4 Click Save.

Creating a Spark-RD for Cisco Webex Devices

Now you will configure the Spark-RD to do the call routing.

Procedure

Step 1 In Unified CM navigate to Device > Phone and click Add New.
Step 2 Choose Cisco Spark Remote Device from the drop-down list and click Next.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

124
 Mapping the Transition: Phase 1 – Hybrid Services
Updating a Workspace for Hybrid Calling

Step 3 Configure the Spark-RD using the table below.

Setting Configuration
Device Information > Owner User ID hdevice
Device Information > Device Name SparkRDhdevice
Device Information > Device Pool dCloud_DP
Device Information > Calling Search Space Call_Everyone
Protocol Specific Information > Rerouting Calling Search Space Call_Everyone
>

Step 4 Click Save then OK.

Step 5 Click Line [1] – Add a new DN.
Step 6 For Directory Number, enter 7800.
Step 7 For Route Partition, choose Base_PT. Click in the Description field to make the page refresh.
Step 8 Click Save.
Step 9 Navigate to User Management > End User.
Step 10 Click Find and select the hdevice.
Step 11 Scroll down to Controlled Devices and click Device Association.
Step 12 Click Find. Search for SparkRDhdevice.
Step 13 Check the box next to SparkRDhdevice and click Save Selected/Changes.
Step 14 Click Go next to Back to User at the top right of the page.
Step 15 Scroll down to Directory Number Associations and select 7800 in Base_PT from the drop-down list for
Primary Extension.
Step 16 Click Save.

Updating a Workspace for Hybrid Calling

Procedure

Step 1 Go back to the Cisco Webex Control Hub (https://admin.webex.com) and navigate to Workspaces.
Step 2 Select the workspace you created earlier.
Step 3 On the Calling card, click the cog wheel.
Step 4 Select the Hybrid Calling radio button and click Next.
Step 5 Enter [email protected] for Mail ID from Unified CM and click Save. You will see a warning
about it not being synchronized. You will do this next.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

125
 Mapping the Transition: Phase 1 – Hybrid Services
Migrate and Syncing Unified CM and Control Hub with the Webex Device Connector Tool

Migrate and Syncing Unified CM and Control Hub with the Webex Device
Connector Tool
Next you will migrate your organization to the new hybrid calling model.

Procedure

Step 1 Go back to Workstation 1 and open the Cisco Webex Device Connector tool.
Step 2 Please skip to step 3 , if you are already logged to the Device Connector tool. If not already connected, you
will be asked to enter the Cisco Webex Administrator username and password. Enter the following:
• Username: [email protected]
• Click Sign In. As SSO is configured, you will be asked to enter SSO credentials and then click SignIn.
• Username:cholland
• Password:dCloudZZZZ!
Note The ZZZZ portion of the password is the last four digits of our Session ID found in your
sessions's Details tab.

Note Remember to replace the XXX and YY with your session information.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

126
Mapping the Transition: Phase 1 – Hybrid Services
Migrate and Syncing Unified CM and Control Hub with the Webex Device Connector Tool

Step 3 If not at the home screen, click the home icon

[ ]
at the top right corver of the page.
Step 4 Click I want to add on-premises calling to my cloud registered devices.
Step 5 Since you updated the Enterprise fully qualified domain settings earlier after you connected to Unified CM
with the tool, you will need to reconnect to get the updated settings.
Step 6 The host (cucm1.dcloud.cisco.com) and user name (webex) should be prepopulated, so enter dCloudZZZZ!
as the password and click Connect.
Step 7 Click Proceed without certificate validation.
Step 8 You should see your device listed. Click Sync. Within a few seconds the status should show as synced.
Step 9 Go back to Control Hub and refresh your workspace page. You should see the Calling card populate with all
the information about your device.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

127
 Mapping the Transition: Phase 1 – Hybrid Services
Testing the Hybrid Room Device

Testing the Hybrid Room Device

Once the call service activates, depending on your room device you should see the DID/DN displayed on the
screen. You can now dial this number from any PSTN phone and it will ring the room device. You can also
dial outbound to the PSTN as well. For outbound dialing rules and patterns, visit Outbound Dialing Patterns
and Blocked International Dialing online. The DN can also be dialed from Jabber clients (cholland and aperez)
registered with on-prem resources.

Note To make inbound calls to your room device, make sure you dial the full e.164 number configured earlier.
The DID might not show up immediately if you registered the room device before the call service showed as
activated. If the call service has activated and you don’t want to wait for the number to show up, you can
restart the device. It should display after restart.

Phase 2 Options
The final transition phase (Phase 2) results in a pure cloud calling environment where all devices have been
fully transitioned to cloud call control. Notice there are two options. Choose the Phase 2 option that fits your
needs:
• Phase 2: Calling in Webex (Unified CM) Cloud
• Phase 2: Webex Calling

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

128
 CHAPTER 4
Phase 2 Option: Calling in Webex (Unified CM)
• Mapping the Transition: Phase 2 - Calling in Webex (Unified CM), on page 129
• Users in Phase 2, on page 129
• Migrating Jabber Users from On-Prem UC to Cisco Webex Using Connected UC, on page 130
• Testing Calling and Contacts Migration, on page 149

Mapping the Transition: Phase 2 - Calling in Webex (Unified

CM)

Note Notice there are two options for Phase 2 (for Calling):
• The first option is Calling in Webex (Unified CM).
• The second option is Webex Calling.

Follow the instructions for repsective Phase 2 option that meets your needs.

We focus on Cloud deployments. The final transition phase (Phase 2) results in a pure cloud calling environment
where all devices have been fully transitioned to cloud call control.
All users will be moved to Webex and we will be shutting down on-prem servers.

Users in Phase 2
User Name User Password Endpoint Internal Deployment
ID Devices Extension Model
Charles cholland dCloud123! Cisco Jabber 6018 Cloud
Holland
Anita Perez aperez dCloud123! Cisco Jabber 6017 Cloud
Kellie Melby kmelby dCloud123! Cisco Jabber 6050 Cloud
Stefan Mauk smauk dCloud123! Cisco Jabber 6072 Cloud

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

129
 Phase 2 Option: Calling in Webex (Unified CM)
Migrating Jabber Users from On-Prem UC to Cisco Webex Using Connected UC

Migrating Jabber Users from On-Prem UC to Cisco Webex Using

Connected UC
The migration card helps you to migrate Jabber users (with UCM calling) or Jabber messenger users (with
Cloud-Connected UC) to Webex app. The migration wizard on Webex Control Hub allows you to migrate
Jabber users to Webex app. After you migrate, the Webex app provides users with an easy-to-use experience
that allows them to make calls, send messages, share files, schedule meetings, display availability status, and
so on.
This tool currently migrates/updates Calling Behavior (to UCM calling under Calling Behavior) ONLY.
Contact list migration and other tools will be added to cloud-connected UC later. So, once you have completed
this section, please continue to use the Jabber migration tool (from Jabber – presented in next section) to move
contact lists etc.

Creating Agent Install File and On-Prem Cluster Group

Procedure

Step 1 Open RDP connection to Workstation 1 at 198.18.1.36. Log in with dcloud\cholland and dCloud123!
Step 2 Open Chrome browser from the task bar.
Step 3 From the home page, select Cisco Webex Links > Cisco Webex Control Hub. Log in with
[email protected] and dCloud123!
Step 4 Go to navigate to Services > Connected UC. On Connected UC page, click Enable Connected UC. Under
the UC Management card, click Get Started.

Step 5 Click Next on the Welcome to Cisco Control Hub page. Read the information for Create an Agent Install
File. Give the filename dCloud-CCUC. Click Save.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

130
Phase 2 Option: Calling in Webex (Unified CM)
Creating Agent Install File and On-Prem Cluster Group

Step 6 Webex Control Hub will create an agent install file that needs to be installed on each Unified Communications
Manager and IM&P instance. The file creation will take a few minutes. Once it is created, click Download.
The file will be downloaded to desktop on Workstation 1. Click Next.

Step 7 On the Create Cluster Group page, give a name of your choice for Cluster Group Name, for example,
dCloud-UCM. Enter the Description as dCloud-UCM. Click Next. It will create the Cluster Group. Click
Next again. Click Finish.
Step 8 Navigate to Management > Account. Click to copy the Organization ID and save it in a Note Pad file or
some other progam. We will user it later in this section.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

131
 Phase 2 Option: Calling in Webex (Unified CM)
On-Boarding On-Prem UCM Server by Installing the Agent File

There are two ways to on-board on-prem UC cluster to Connected UC.

• Install the Agent File (that we created above) on the UC server
• Using ucmgmt (Unified Communications Management) commands on CLI of the UC server

In this lab, we have one on-prem cluster with one UCM server and one IMP server. We will on-board both
servers each using one of the methods listed above to experience both methods. However, you can use any
method you prefer for any server.
Also, in this lab we are running UCM and IMP servers 12.5 (SU3). If you are using another version of the
UCM/IMP server, please refer to the respective version documentation as the on-boarding procedure may
differ.

On-Boarding On-Prem UCM Server by Installing the Agent File

Procedure

Step 1 Continuing on Workstation 1 (as dcloud\cholland and dCloud123!), go to the search option on the bottom-left
corner of the Workstation 1 desktop and search for freeFTPd. Double-click the application to launch/open.
Note If the app doesn't open, click the small Show Hidden Icons up arrow next to the workstation
time (bottom-right corner) and choose the freeFTPd application.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

132
Phase 2 Option: Calling in Webex (Unified CM)
On-Boarding On-Prem UCM Server by Installing the Agent File

Step 2 On the freeFTPd app, click the FTP server (on left-side pane) and make sure it is running. If not, click to Start
the service.
Note If the FTP server does not start, reboot Workstation 1. Once rebooted, log in to Workstation 1
and start with Step 1 above again.

Step 3 Open Putty [ ] from the taskbar.

Step 4 Open SSH connection to Cisco Unified Communication Manager at 198.18.133.3 and log in with
administrator and dCloud123!
Step 5 Once logged in, enter the command utils system upgrade initiate at cli.
Step 6 After a few seconds, it will give you options available for upgrade. Choose the options as follows:
Note Any option that is already chosen will be indicated inside the square brackets. If you are not
changing these options, you can just press Enter to continue to the next setting.

• Please select an option (Source): Option 2 (Remote Filesystem via FTP)

• Directory: /
• Server: 198.18.1.36
• Username: demo
• User Password: dCloudZZZZ!

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

133
 Phase 2 Option: Calling in Webex (Unified CM)
On-Boarding On-Prem UCM Server by Installing the Agent File

• Please enter SMTP Host Server: Press Enter

• Continue with upgrade after download (yes/no): Yes
• Switch-version server after upgrade: no

Step 7 It will connect to the FTP server (the freeFTPd application) and find the installer file (and others if there are
any) we downloaded above (located on the Workstation 1 desktop).
Step 8 Select option 1 to install the file.

Step 9 It will take around one to two minutes for the installation to complete. You will get a completion message,
as shown below.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

134
Phase 2 Option: Calling in Webex (Unified CM)
On-Boarding On-Prem UCM Server by Installing the Agent File

Step 10 Go back to the Chrome browser tab where Cisco Webex Control Hub is open. If logged out, log in again with
[email protected]/dCloudZZZZ!
Step 11 Navigate to Services > Connected UC. Under UC Management, choose Inventory.
Step 12 On the UC Management page, you will notice there are Unassigned nodes/cluster. If you do not see Unassigned
under Cluster Group, refresh the page. Click Resolve.

Step 13 On the Unverified Cluster Group page, click Verify.

Step 14 On the Verify and Assign Cluster pop up, click to drop down Change Cluster Group. Choose the cluster
group we created above (for example, dCloud-UCM) and click on the checkmark for Node Name
cucm1.dcloud.cisco.com. It will mark the node Green. Click Save.

Step 15 It will successfully verify the UCM node that you installed the Agent file and complete the on-board process.
To verify, on the Control Hub, go to Connected UC > Inventory. On UC Management page, click Details
for the cluster group you created.
Step 16 On the Inventory page of Cluster Group, you will see the number of nodes, service type, and summary status
all nodes. You will notice, we have two nodes in this cluster--CUCM and UNKNOWN with Status as No
Agent Running.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

135
 Phase 2 Option: Calling in Webex (Unified CM)
Optional: On-Boarding On-Prem IMP Server by Running ucmgmt Commands

Step 17 Click the Details page to see the details about which node is UNKNOWN or not running the agent file. You
will see the second node is cup1.dcloud.cisco.com and Status as No Agent Running.

Optional: On-Boarding On-Prem IMP Server by Running ucmgmt Commands

Important Installing the Agent file with CLI takes longer (around 15 min). You can follow same procedure that you
followed for Cisco UCM to install to make it faster or If you do not want to install Agent file on IMP server,
you can skip and move Step 10.

Procedure

Step 1 Continuing Workstation1 (as dcloud\cholland and dCloud123!), open Putty [ ] located on
taskbar.
Step 2 Open SSH connection to Cisco IMP at 198.18.133.4. Log in with administrator and dCloud123!
Accept any security warnings, if prompted.
Step 3 Run the following commands one by one:
• utils ucmgmt organization Organization ID you copied above (example:
22dfdcf1-528e-4071-b4fb-c56f10e4875d)
• utils ucmgmt agent enable

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

136
Phase 2 Option: Calling in Webex (Unified CM)
Optional: On-Boarding On-Prem IMP Server by Running ucmgmt Commands

Step 4 The response message on Putty says it will take around 2 minutes, but it takes longer to complete the IMP
server on boarding process from IMP server side. Wait for 10 minutes and go back to Webex Control Hub
and verify the node.
Step 5 While waiting, you can check the ucmgmt agent status by running the below command at the IMP server
CLI: utils ucmgmt agent status

Step 6 We need to verify the IMP server on Control Hub to complete the on-boarding process. Go back to the browser
tab where you have Webex Control Hub page open. If time out, log in with [email protected]
and dCloudZZZZ!
Step 7 To verify IMP server, on the Control Hub go to Connected UC > Inventory. On the UC Management page,
notice the status says “Needs Verification,” which indicates Connected UC detected the Cisco IMP server
and it needs verification. (If you do not see any node that requires verification, refresh/reload the browser.)
Click Resolve.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

137
 Phase 2 Option: Calling in Webex (Unified CM)
Optional: On-Boarding On-Prem IMP Server by Running ucmgmt Commands

Step 8 On the Unverified Cluster Group page, click Verify. It will open a new pop up window for Verify and Assign
Cluster. On the pop up window, click the Change Cluster Group drop-down and choose dCloud-UCM (or
the name you assigned). Click to add a check mark for the cup1.dcloud.cisco.com server. Click Save.

Step 9 Refresh the page to verify the cluster status. It will show the on-prem cluster (example: dCloud-UCM) is
Online.

Step 10 On the UC Management page, click Details.

Step 11 On the Inventory page, click Details again.
Step 12 On cucm1.dcloud.cisco.com page, click the three dots (next to Events History) in the top-right corner and
choose Service Management.
Step 13 On the Service Management pop up window, toggle the option for Deployment Insights and other options,
as needed, to enable the features. Add a check mark for the option, Yes I agree. Click Submit.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

138
 Phase 2 Option: Calling in Webex (Unified CM)
Migrate Jabber Users Using Cloud Connected UC

Step 14 This completes the on-boarding process of the on-rem UC servers Cisco UCM and Cisco IMP.
Note Once you have onboarded the On-Prem devices (UCM/IMP), it takes around 6 to 8 hours for the
data to be uploaded to Webex cloud. Once onboarded you can try to run through other parts of
the lab and come back here to continue. This amount of time is a standard practice of data
synchronization for cloud and everyone needs to wait for it.

Migrate Jabber Users Using Cloud Connected UC

Procedure

Step 1 Continuing Workstation1 (as dcloud\cholland and dCloud123!), go back to the browser tab where
you have Cisco Webex Control Hub open. If logged out, log in with [email protected] and
dCloud123!
Step 2 Under Services, click Updates & Migrations. On the Migrations page, you will find different migration
cards. Click Get Started for Migrate Jabber to the New Webex (the first card).
Step 3 On the Migrations page, you will see information Step 1: Prerequisites (you can review them) and Step 2:
Review user counts. You will see 10 users in UCM and eight of those users are in CI (Webex). Under step 3:
Migrate Jabber to Webex App, click Create a New Task.
Note If you used a directory connector setup in previous sections, the user count will be different.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

139
 Phase 2 Option: Calling in Webex (Unified CM)
Migrate Jabber Users Using Cloud Connected UC

Step 4 On the Enable Users for Webex App with UCM Calling Service page, input the following information. When
done, click Next.
• Task Name: My First Migration
• Add check marks for all options under Prerequisites.

Step 5 On the Cluster Selection page, click StandAloneCluster. Click Next.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

140
 Phase 2 Option: Calling in Webex (Unified CM)
Migrate Personal Contacts to Webex App

Step 6 On the Settings page, select the radio buttons for Calling in Webex (Unified CM) and Use my users’ email
domain for Call Behavior. Click Next.
Step 7 On the User list page, select (check mark) users Kellie and Stefan. Click Add to Migration List in the top
right. Click Next.
Note In this task we are showing to migrate two users but you can choose all users at once.

Step 8 Look around on the Review page. Here you can review all options you selected in previous steps and it will
alert you of any issues if found. If all looks good, click Migrate Now. Click Migrate Now again on the pop
up confirmation window to start migrating the users. Click Done on the next page after the migration task
was successfully submitted the migration task.
Note Ignore the warning about the Missing Voicemail issue. We do not have a Voicemail server in
this lab.

Step 9 On the Updates page, Notice is now it shows 2 under Migrated Users. The status will display as Completed
when the migration is done. Also

Step 10 This completes user’s calling behavior update using Cloud Connected UC. Continue to the next section to
move the Jabber users and their contacts to Webex.

Migrate Personal Contacts to Webex App

Understanding Personal Contacts

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

141
 Phase 2 Option: Calling in Webex (Unified CM)
Migrate Personal Contacts to Webex App

Use Control Hub to migrate your end users' Jabber contacts, both directory contacts and custom contacts to
Webex personal contacts. Contact migration to cloud is a one-time import that enables you to search, look
up, call, message, or invite your contacts like Jabber.
End users define Webex Personal Contacts in the Webex app.
Jabber Custom Contacts refer to non-directory contacts who are outside of your organization and contacts
that are stored in the database of Cisco Unified Communications Manager - IM and Presence Service.
Before you start a real-life migration of your users' personal contacts, make sure you meet the following
requirements:
• Get familiar with Control Hub.
Webex Control Hub is the management interface for the Webex platform. For more information, see Get
Started with Webex Control Hub.
• Access Control Hub with full administrator privileges.
With full administrator privileges, you can assign one or more roles to any user in your organization.
Ensure to assign a user with administrator privilege so you can migrate the rest of your Jabber custom
contacts. For more information, see Assign Organizational Account Roles in Webex Control Hub.
• Ensure the on-premises applications from where you plan to migrate the personal contacts, such as Cisco
Unified Communications Manager (Unified CM), Unified CM - IM and Presence Service is at version
11.5 or later to use the Control Hub migration wizard.
• Use Bulk Administration to download the end users file from Cisco Unified Communications Manager
(Unified CM) and the contacts file from Unified CM - IM and Presence.
Use the Import/Export menu in the Cisco Unified Communications Manager application to import the
users. See the Import Contacts Using the Bulk Administration for detailed information.
• Ensure your migration task conforms to a maximum of 500 contacts per user and a maximum of 10,000
contacts in a single file. We recommend listing the same type of contacts in a single file.

Procedure

Step 1 Navigate to the RDP session for WKST3. (Kellie Melby: dcloud\kmelby and dCloud123!
Step 2 Open Cisco Jabber from the desktop and log in with [email protected] and dCloud123!
Step 3 Make sure you have a few contacts in Jabber so you can validate them being migrated to Webex after migration.
You can add some directory/custom contacts, if you'd like, in addition to existing contacts.
Step 4 You can log out of Jabber and log back in as [email protected] and dCloud123! to verify
if Stefan has some contacts. You can choose to add some contacts for him also for testing purpose.
Step 5 You can repeat Step 4 for any other users in the demo to have some contacts available for them on Jabber
before migration.
Step 6 Switch to WKST1. (Charles Holland: dcloud\cholland and dCloud123!)
Step 7 Open a new browser tab. Navigate to Collaboration Admin Links > Cisco Unified CM IM/Presence Admin.
Log in with administrator and dCloud123!
Step 8 Navigate to Bulk Administration > Contact List > Export Contact List. Click Find. It will list all the users
on the current IM and Presence server.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

142
Phase 2 Option: Calling in Webex (Unified CM)
Migrate Personal Contacts to Webex App

Step 9 Click Next.

Step 10 On the following screen, give a File Name of your choice for the contacts lists file, leave the Job Description
as is, and select the radio button for Run Immediately and click Submit.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

143
 Phase 2 Option: Calling in Webex (Unified CM)
Migrate Personal Contacts to Webex App

Step 11 Do this step ONLY if you have any of your contacts without IM addresses. Go to Bulk Administration >
Non-Presence Contact List. Choose Export Non-Presence Contact. On the export page, give a File Name
of your choice and select the radio button for Run Immediately under Job Description and click Submit. It
will export the contacts lists of all users.

Step 12 Go to Bulk Administration > Upload/Download Files and click Find.

Step 13 Look for the file name you chose above. Select the file and download it. It will download the contacts file in
.csv format to the Workstation 1 desktop. If you also exported non-presence contact list, you will download
this file separately (one file after the other, so it won't zip the files).

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

144
Phase 2 Option: Calling in Webex (Unified CM)
Migrate Personal Contacts to Webex App

Step 14 Once the files are downloaded, go back to the previous tab where you have the Webex Control Hub page
opened. If timed out, log in again with [email protected] and dCloud123!
Step 15 Go to Services > Updates & Migrations.
Step 16 Click Get Started on the Migrate Personal Contacts to Webex App migration card.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

145
 Phase 2 Option: Calling in Webex (Unified CM)
Migrate Personal Contacts to Webex App

Step 17 Under the Import On-premises Date, click to drop down the option and choose Directory URI IM Address
Scheme. Click Choose a File to upload the contact list exported file (which you performed in the steps above).
On the file explorer, choose the exported file and click Open.

Step 18 Wait until the file is uploaded to Webex.

Step 19 Once the file is uploaded, you will find the contacts information under Import On-premises Data. ((your
numbers may vary from the image below depending on the number of users/contacts you added.) Click Review
for Sync.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

146
Phase 2 Option: Calling in Webex (Unified CM)
Migrate Personal Contacts to Webex App

Step 20 If there are any contacts that could not be migrated, they will be listed on the Migrate page.
Step 21 You can click Bulk Edit and download the XLSX file to see/fix the issues. You might need to scroll all they
way to the right to see the Failure reason.

Step 22 For now, we can ignore the issue and click Migrate Contacts on the Migrate page.
Step 23 Enter any Task Name of your choice for this migration. Click Confirm and Migrate.
Step 24 Once the task has been submitted, you can see the status of the task under Updates and Migrations.
Step 25 Once the status shows as Completed, the contacts migration is done. You can download the migration summary
report from the same status indicator row.
Step 26 Switch to WKST5 (dcloud\kmelby & dCloud123!). Quit/close the Cisco Jabber if it is logged in.
Step 27 Open Cisco Webex from the desktop and log in with [email protected] and dCloud123!

Step 28 Once logged in, click the contacts [ ] on the left-side pane. Observe that your contacts from Jabber have
been migrated. If you had any unresolved warnings/issues during migration, you will see those contacts will
not migrate until you fix them before attempting migration again.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

147
 Phase 2 Option: Calling in Webex (Unified CM)
Migrate Personal Contacts to Webex App

Step 29 Go through this step only if you have exported non-presence contacts.
a. Switch back to WKST1 (dcloud\cholland & dCloud123!).
b. Go to the browser tab where you had Webex Control Hub page opened. If logged out, log in with
[email protected] and dCloud123!
c. Go to Services > Updates & Migrations. Choose Migrate Personal Contacts to Webex App.
d. As we have uploaded a contacts exported file in the steps above, we need to delete that file before you
can upload a new file for non-presence contacts exported file.
e. Click the three dots towards the right for Import On-premises Data and choose Delete to delete the
previously uploaded file. On the pop-up window, add check marks to agree for both options that the data
will be deleted and click Delete again.

f. Under Import On-premises Data dropdown, choose Directory URI IM Address Scheme. Click Choose
a File to upload the non-presence contact list exported file (in steps above). On the file explorer, choose
the exported file and click Open. (It takes around two minutes to upload the file. Then it will populate
the contacts information.)

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

148
 Phase 2 Option: Calling in Webex (Unified CM)
Testing Calling and Contacts Migration

g. Click Review for Sync and verify if there are any warnings or issues. Click Migrate Contacts. On the
new pop-up window, give a Task Name of your choice and click Confirm and Migrate.
h. You can monitor the status of migration on the main Updates & Migrations page like before.

Testing Calling and Contacts Migration

Procedure

Step 1 Once you see the task has been completed, switch to WKST5 (dcloud\kmelby and dCloud123!). Sign out of
Cisco Webex and sign back in with [email protected] and dCloud123! Make sure your non-presence
contacts are migrated as well.

Step 2 Click Phone Services on the bottom or click the profile picture in Webex and choose Settings > Phone
Service and log in to phone services as kmelby (WITHOUT the domain) and password dCloud123!
Note If you have configured SSO you will be prompted for SSO credentials.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

149
 Phase 2 Option: Calling in Webex (Unified CM)
Testing Calls – Inbound from PSTN to Webex

m
iage_new

Testing Calls – Inbound from PSTN to Webex

Procedure

Step 1 For dialing inbound PSTN calls to your pod’s phones, information can be found in your dCloud session details
page or in a text document found on the desktop of Workstation 1 named DN_to_DID.txt.
Step 2 Those DID can be dialed from your mobile numbers.
Step 3 With the DID number, dial one of your users (that are logged into Webex) using a real cell or desk phone.
Step 4 Answer the call on Webex.
Step 5 The call flow in dCloud is as follows:
a) Incoming DID comes into dCloud.
b) Platform gateways translate that DID into a four digit extension (6XXX or 7XXX).
c) Call is routed through the local gateway to the extension of the user.

Testing Calls – Inbound from PSTN to Webex (Unified CM Calling)

Procedure

Step 1 For dialing inbound PSTN calls to your pod’s phones, information can be found in your dCloud session details
page or in a text document found on the desktop of Workstation 1 named DN_to_DID.txt.
Step 2 Those DID can be dialed from your mobile numbers.
Step 3 With the DID number, dial one of your users (that are logged into Webex) using a real cell or desk phone.
Step 4 Answer the call on Webex (Unified CM Calling).

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

150
Phase 2 Option: Calling in Webex (Unified CM)
Testing Calls – Inbound from PSTN to Webex (Unified CM Calling)

Step 5 Keep the call open a few seconds and then hang up the call.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

151
 Phase 2 Option: Calling in Webex (Unified CM)
Testing Calls – Inbound from PSTN to Webex (Unified CM Calling)

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

152
 CHAPTER 5
Phase 2 Option: Webex Calling
• Mapping the Transition: Phase 2 - Webex Calling, on page 153
• Users in Phase 2, on page 153
• Configure Local Gateway for PSTN Calling, on page 154
• Configure Premises-Based PSTN, on page 158
• Add a Trunk, on page 159
• Local Gateway Configuration, on page 163
• Local Gateway Certificate Configuration and Verification, on page 166
• Configuring SIP Profile, on page 171
• Migrate Calling from On-Prem UCM to Cisco Webex, on page 184
• Migrate Enterprise Phones to Multiplatform (MPP) Firmware, on page 200

Mapping the Transition: Phase 2 - Webex Calling

Note Notice there are two Phase 2 options:

• Phase 2: Calling in Webex (Unified CM) Cloud
• Phase 2: Webex Calling

Follow the instructions for the Phase 2 option that meets your needs.

We focus on Cloud deployments. The final transition phase (Phase 2) results in a pure cloud calling environment
where all devices have been fully transitioned to cloud call control.
All users will be moved to Webex and we will be shutting down on-prem servers.

Users in Phase 2
User Name User Password Endpoint Internal Deployment
ID Devices Extension Model
Charles cholland dCloud123! Cisco Jabber 6018 Cloud
Holland

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

153
 Phase 2 Option: Webex Calling
Configure Local Gateway for PSTN Calling

User Name User Password Endpoint Internal Deployment

ID Devices Extension Model
Anita Perez aperez dCloud123! Cisco Jabber 6017 Cloud
Kellie Melby kmelby dCloud123! Cisco Jabber 6050 Cloud
Stefan Mauk smauk dCloud123! Cisco Jabber 6072 Cloud

Configure Local Gateway for PSTN Calling

Module Overview
In this section, we will configure a local gateway for a single customer site to route calls from/to Webex
Calling endpoints and the PSTN SIP Provider without CUCM in the call path. The figure below is applicable
to a single or a multi-site deployment.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

154
Phase 2 Option: Webex Calling
Configure Local Gateway for PSTN Calling

Pre-Requisites
• ISR 4321, 4331, 4351, 4431, 4451, 4461, CSR 1000v (vCUBE) – (Latest of IOS-XE 16.12 or 17.3)
• Catalyst 8300 series
• ISR 1100 (IOS-XE 16.12+)

Reference:
htps:/www.cisco.com/c/en/us/td/docs/voice_ip_comm/cloudColaboration/broadcloud/webexcaling/customers/cisco-webex-caling-configuration-guide/cisco-webex-caling-configuration-guide_chapter_0100.html
Module Objectives
In this module, we will perform the following tasks:
• Register a local gateway to Control Hub

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

155
 Phase 2 Option: Webex Calling
Adding a Telephone Number and Assigning to a Location

• Configure a local gateway to route PSTN calls

• We will not be doing any test calls till after the UCM is shut down

Adding a Telephone Number and Assigning to a Location

Procedure

Step 1 On Workstation 1, open the Webex Control Hub (https://admin.webex.com). (If not logged in already, use
[email protected] and password dCloudZZZZ!)
Note The ZZZZ portion of the password is the last four digits of our Session ID found in your sesions's
Details tab.

Step 2 Navigate to Services > Calling from the left-hand menu.

Step 3 Click Add Numbers (on the Numbers tab).

Step 4 Before we can add numbers, we need to add the PSTN connection type. Under Choose a Location to Add
Numbers, click Edit PSTN.
Step 5 Under Connection Type, choose the Premises-based PSTN card and click Next.
Step 6 Click the Routing Choice drop-down and choose None. Click to add a check mark to confirm the routing
changes. Click Next.
Step 7 Click Add Numbers Now.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

156
Phase 2 Option: Webex Calling
Adding a Telephone Number and Assigning to a Location

Step 8 This time the PSTN connection type should be loaded as you set up above (Premises-based PSTN). Click
Next.
Step 9 In the Enter phone numbers separated by commas box, add one unique number starting with 417555 and
a random string of four numbers at the end (such as 4175550123. Press Enter/Return on your keyboard.
Click Save. Click Close.

Step 10 At the top of the page, click Locations and select the dCloud location.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

157
 Phase 2 Option: Webex Calling
Configure Premises-Based PSTN

Step 11 In the fly-out window, select the drop-down menu for Main Number and choose the fake number you created
in the previous steps. Click Save.

Configure Premises-Based PSTN

Local Gateway

The figure above displays a Webex Calling deployment without any existing IP PBX and is applicable to a
single or a multi-site deployment. For all calls that do not match the customer’s Webex destinations, Webex
sends those calls to the Local Gateway assigned to the site for processing. Local Gateway routes all calls
coming from Webex to the PSTN and vice versa. The PSTN gateway may be a dedicated platform or co-resident
with the Local Gateway (the focus of this Scenario). The dedicated PSTN gateway variant of this deployment
is a preferred option for Webex Calling deployments.
The first task is creating the local gateway in the Control Hub. You will need the information provided after
creation to build your local gateway.

Using Trunks
The benefits of using dialplans, route groups, and trunks are as below:
• It allows load balancing and failovers across trunks to premises (scale, redundancy)
• Communication between cloud connected PSTN users and premises users
• Ability to route calls to different premises PBXs based on:
• E.164s/DIDs
• ESNs (e.g., 8+site code+extension)
• SIP URIs (Webex Calling to PBX only)

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

158
 Phase 2 Option: Webex Calling
Add a Trunk

• “Tandem” functionality to route calls between premises PBXs

• Broader range of migration and co-existence scenarios with premises PBXs, including “mixed” sites
with premises users and Webex Calling users
• Better visibility of call routing decisions

Add a Trunk
Option A: Add a Trunk Using PowerShell Script
Configuring the Local Gateway (Automated Method)
If you want to explore the Local Gateway configuration, review commands, or show your customer on how
to configure you can continue to next section (Next section would be existing steps under Add a Trunk).
However, if you are ONLY interested migration scenario and would prefer to have Local Gateway configured
automatically continue with this session.

Procedure

Step 1 Open RDP connection to Workstation 1 at 198.18.1.36. Log in with dcloud\cholland and dCloud123!
Step 2 There will be a PowerShell script located on desktop with name Add_Trunk.ps1. Right-click on the file
and choose Edit.
Step 3 The file/script will be open in PowerShell. Click [ ] to run the script.

Note The script will run and add a new trunk (dCloud-GW) to Webex Control Hub using the APIs.
While adding this trunk the Webex Control Hub generates some important information that needs
to be added/configured on the Cube. This script captures that information and automatically
updates the gateway configuration file (LGW_Config.txt) located on the desktop. This way, the
file is ready be copied and pasted on to the Cube and alleviates you from having to manually
enter those commands and saves you time.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

159
 Phase 2 Option: Webex Calling
Configuring the Local Gateway (Automated Method)

Step 4 Open the LGW_Config.txt file on the desktop. Scroll down to the sections voice class sip-profiles 200 and
voice class tenant 200. Notice this file is updated with newly added trunk information that is required to
configure the cube.

Step 5 Open Putty from the task bar or desktop. (If you used VPN to connect to dCloud session, you could use your
local SSH client as an alternative.)
Step 6 Double-click the saved Local Gateway session to load the host name or manually enter IP address
198.18.133.226.
Step 7 Log in with admin/dCloud123!
Step 8 Go back to the LGW_Config.txt file you opened before and copy all the information from the file. (Tip:
Ctrl + A to select all and right-click to select Copy). Go to the Putty session and right-click anywhere on the
window. This will load the configuration to the Cube.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

160
Phase 2 Option: Webex Calling
Configuring the Local Gateway (Automated Method)

Step 9 Give around two to three minutes for the Local Gateway/Trunk to become active.
Step 10 Open a Chrome browser (or go back to browser tab where you had Webex Control Hub opened previously).
Click the Cisco Webex Links drop-down on the home page and choose Cisco Webex Control Hub.
Step 11 Log in using the credentials [email protected] and dCloud123! (Your session domain
cbXXX.dc-YY.com is found under your Session Details tab.)
Step 12 Go to Services > Calling and click the Locations tab on Calling page.
Step 13 On the Locations tab, click the location name dCloud. In the fly-out window, select PSTN Connection,
which is in Unassigned stage as shown below.

Step 14 On the next page (Connection Type), choose Premises-based PSTN and click Next.
Step 15 Click the Routing Choice drop-down and choose the newly added trunk dCloud_GW. Add a check mark to
confirm the effects of the change. Click Save.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

161
 Phase 2 Option: Webex Calling
Option B: Add a Trunk Using Manual Steps

Step 16 Click the Call Routing tab. Select the available trunk dCloud_GW. On the fly-out window, click Trunk
Info under Details. Notice that status of the Trunk is Online as shown below.

Option B: Add a Trunk Using Manual Steps

Add a Trunk

Procedure

Step 1 In Webex Control Hub under Services, click Calling. Click the Call Routing tab.
Note Each location can be assigned a trunk. In the lab, you have one location that you will be configuring
a trunk for that will connect to the local gateway in your dCloud session.

Step 2 Click Add Trunk. Select the dCloud location. For trunk name, enter Hussain. Click Save.
Step 3 After a few moments, information will be displayed on the page. You will need this information to configure
the local gateway. Capture the information now. It is recommended to create the Lab_info.txt document
on Workstation 1 and copy the information there. You will need the Registrar Domain, Trunk Group
OTG/DTG, Line/Port, and Outbound Proxy Address.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

162
 Phase 2 Option: Webex Calling
Local Gateway Configuration

Step 4 Click the X to close out the window after capturing the information.
Step 5 Click the Locations tab, and click the dCloud location.
Step 6 In the flyout window, click Manage.
Step 7 Click the box for Premises-based PSTN. Click Next.
Step 8 Choose the Hussain trunk from the list and check the box to confirm changing the PSTN routing.
Step 9 Click Save.

Local Gateway Configuration

Now you will configure your local gateway with the information you received in the previous section.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

163
 Phase 2 Option: Webex Calling
Local Gateway Configuration

Note All the commands can also be found in a file on the desktop of Workstation 1 named LGW_Config.txt. Please
open LGW_Config.txt with Notepad++ or Wordpad.

Procedure

Step 1 Connect to Workstation 1 and open PuTTY using the icon on the desktop

[ .]
(If you used VPN to connect to the dCloud session, you can also use your local SSH client.)
Step 2 Double-click the LocalGateway saved session to SSH to the local gateway at 198.18.133.226.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

164
Phase 2 Option: Webex Calling
Local Gateway Configuration

Step 3 Log in with admin / dCloud123!

Step 4 Before we proceed with the Local Gateway configuration, we need to ensure that a master key must be
pre-configured for the password with the commands shown below before it can be used in the credentials
and/or shared secrets. Type 6 passwords are encrypted using AES cipher and user-defined master key. We
will use Password123 as our master key.

Configuration
configure terminal
key config-key password-encrypt Password123
password encryption aes
end

Step 5 Using the configuration below, create a dummy PKI Trustpoint and call it dummyTp.
Step 6 Assign the trustpoint as the default signaling trustpoint under sip-ua. The cn-san-validate server is needed
to ensure LGW establishes the connection only if the outbound proxy configured on the tenant 200 (described
later) matches with CN-SAN list received from the server. The crypto trustpoint is needed for TLS to work
even though a local client certificate (i.e. mTLS) is not required for the connection to be set up.
Step 7 Finally disable TLS v1.0 and v1.1 by enabling v1.2 exclusivity and set tcp-retry count to 1000 (5 seconds),
as shown below.

Configuration
configure terminal
crypto pki trustpoint dummyTp
revocation-check crl
exit
sip-ua
crypto signaling default trustpoint dummyTp cn-san-validate server
transport tcp tls v1.2
tcp-retry 1000
end

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

165
 Phase 2 Option: Webex Calling
Local Gateway Certificate Configuration and Verification

Local Gateway Certificate Configuration and Verification

Procedure

Step 1 The default trust pool bundle does not include the DigiCert Root CA certificate needed for validating the
server-side certificate during TLS connection establishment to Webex. The trustpool bundle must be updated
by downloading the latest Cisco Trusted Core Root Bundle from http://www.cisco.com/security/pki, as
shown below.

Configuration
! Check if the DigiCert Root CA certificate exists
show crypto pki trustpool | include DigiCert
! – If not, update as shown below
configure terminal
crypto pki trustpool import clean url http://www.cisco.com/security/pki/trs/ios_core.p7b
end
! Verify
show crypto pki trustpool | include DigiCert

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

166
Phase 2 Option: Webex Calling
Local Gateway Certificate Configuration and Verification

Step 2 Enter the following commands to turn on the Local Gateway/CUBE application on the platform.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

167
 Phase 2 Option: Webex Calling
Local Gateway Certificate Configuration and Verification

Configuration

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

168
Phase 2 Option: Webex Calling
Local Gateway Certificate Configuration and Verification

Configuration
configure terminal
voice service voip
ip address trusted list
ipv4 85.119.56.128 255.255.255.192
ipv4 85.119.57.128 255.255.255.192
ipv4 185.115.196.0 255.255.255.128
ipv4 185.115.197.0 255.255.255.128
ipv4 128.177.14.0 255.255.255.128
ipv4 128.177.36.0 255.255.255.192
ipv4 135.84.169.0 255.255.255.128
ipv4 135.84.170.0 255.255.255.128
ipv4 135.84.171.0 255.255.255.128
ipv4 135.84.172.0 255.255.255.192
ipv4 199.59.64.0 255.255.255.128
ipv4 199.59.65.0 255.255.255.128
ipv4 199.59.66.0 255.255.255.128
ipv4 199.59.67.0 255.255.255.128
ipv4 199.59.70.0 255.255.255.128
ipv4 199.59.71.0 255.255.255.128
ipv4 135.84.172.0 255.255.255.128
ipv4 135.84.173.0 255.255.255.128
ipv4 135.84.174.0 255.255.255.128
ipv4 199.19.197.0 255.255.255.0
ipv4 199.19.199.0 255.255.255.0
ipv4 139.177.64.0 255.255.255.0
ipv4 139.177.65.0 255.255.255.0
ipv4 139.177.66.0 255.255.255.0
ipv4 139.177.67.0 255.255.255.0
ipv4 139.177.68.0 255.255.255.0
ipv4 139.177.69.0 255.255.255.0
ipv4 139.177.70.0 255.255.255.0
ipv4 139.177.71.0 255.255.255.0
ipv4 139.177.72.0 255.255.255.0

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

169
 Phase 2 Option: Webex Calling
Local Gateway Certificate Configuration and Verification

Configuration
ipv4 139.177.73.0 255.255.255.0
exit
allow-connections sip to sip
media statistics
media bulk-stats
no supplementary-service sip refer
no supplementary-service sip handle-replaces
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
stun
stun flowdata agent-id 1 boot-count 4
stun flowdata shared-secret 0 Password123$
sip
g729 annexb-all
early-offer forced
end

Explanation of Commands above.

ip address trusted list – Toll Fraud Prevention

This is to explicitly enable the source IP addresses of entities from which Local Gateway expects legitimate
VoIP calls, for example, Webex peers, Unified CM nodes, IP PSTN. By default, LGW blocks all incoming
VoIP call setups from IP addresses not in its trusted list. IP Addresses from dial-peers with session target ip
or Server Group are trusted by default and need not be populated here.
IP addresses in this list need to match the IP subnets from the Port Reference section of the Configuration
Guide for Cisco Webex Calling Customers document
(https://help.webex.com/en-us/b2exve/Port-Reference-Information-for-Cisco-Webex-Calling#id_119637).
The configuration on the previous page includes all the existing Webex data centers as of the writing of this
document.
media statistics

Enables media monitoring on the LGW.

media bulk-stats

Enables the control plane to poll the data plane for bulk call statistics.
allow-connections sip to sip

Allows this platform to bridge two VoIP SIP call legs. It is disabled by default.
no supplementary-service sip referand no supplementary-service sip handle-replaces

Disables REFER and replaces the Dialog ID in the Replaces header with the peer dialog ID.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

170
 Phase 2 Option: Webex Calling
Configuring SIP Profile

fax protocol pass-through g711ulaw

Enables audio codec for fax transport.

stun
stun flowdata agent-id 1 boot-count 4
stun flowdata shared-secret 0 Password123$

Enables STUN globally. When a call is forwarded back to a Webex user (such as when both the called and
calling parties are Webex subscribers and have the media anchored at the Webex SBC), the media cannot
flow to the local gateway as the pin hole is not opened.
The STUN bindings feature on the local gateway allows locally generated STUN requests to be sent over the
negotiated media path. The shared secret is arbitrary as STUN is only used to open the pinhole in the firewall
and allow media latching to take place in the Webex Access SBC.
STUN password is a pre-requisite for LGW/CUBE to send STUN message out. IOS/IOS-XE-based firewalls
can be configured to check for this password and open pin-holes dynamically (i.e. without explicit in-out
rules). But for the LGW deployment case, the firewall is statically configured to open pin-holes in the outbound
direction based on Webex SBC subnets, so the firewall should just treat this as any inbound UDP packet,
which will trigger the pin-hole opening without explicitly looking at the packet contents.
sip
g729 annexb-all

Allows all variants of G729.

early-offer forced

This command forces the LGW/CUBE to send the SDP information in the initial INVITE message itself
instead of waiting to send the information till it gets an acknowledgement from the neighboring peer.

Configuring SIP Profile

In this section, we will configure only the SIP profile 200 as shown in the figure below, using only the trunk
group OTG/DTG parameter for rule 20.

Procedure

Step 1 Configure the following SIP profile required to convert SIPS URIs back to SIP as Webex does not support
SIPS URI in the request/response messages (but needs them for SRV query, for example,
_sips._tcp.<outbound-proxy>).
rule 20 modifies the From header to include the Trunk Group OTG/DTG parameter from Control Hub to
uniquely identify a LGW site within an enterprise. In the example below, hussain3350_lgu is used. Make sure
you replace the example with your respective Trunk Group OTG/DTG information.
Note Do not use the example hussain3350_lgu; it is shown for reference in the table below. Use your
respective Trunk Group OTG/DTG information.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

171
 Phase 2 Option: Webex Calling
Configuring SIP Profile

Local gateway SIP profile Configuration

configure terminal
voice class sip-profiles 200
rule 9 request ANY sip-header SIP-Req-URI modify "sips:(.*)" "sip:\1"
rule 10 request ANY sip-header To modify "<sips:(.*)" "<sip:\1"
rule 11 request ANY sip-header From modify "<sips:" "<sip:\1"
rule 12 request ANY sip-header Contact modify "<sips:(.*)>" "<sip:\1;transport=tls>"
rule 13 response ANY sip-header To modify "<sips:(.*)" "<sip:\1"
rule 14 response ANY sip-header From modify "<sips:(.*)" "<sip:\1"
rule 15 response ANY sip-header Contact modify "<sips:(.*)" "<sip:\1"
rule 20 request ANY sip-header From modify ">" ";otg=hussain3350_lgu>"
rule 30 request ANY sip-header P-Asserted-Identity modify "sips:(.*)" "sip:\1"

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

172
Phase 2 Option: Webex Calling
Configuring SIP Profile

Step 2 Configure Codec Profile, STUN definition, and SRTP Crypto suite as shown and explained below.

Configuration
voice class codec 99
codec preference 1 g711ulaw
codec preference 2 g711alaw
exit
voice class srtp-crypto 200
crypto 1 AES_CM_128_HMAC_SHA1_80
exit
voice class stun-usage 200
stun usage firewall-traversal flowdata
exit

Explanation of commands above:

voice class codec 99

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

173
 Phase 2 Option: Webex Calling
Configuring SIP Profile

Allows both g711(mu and a-law) codecs for sessions. Will be applied to all the dial-peers.
voice class srtp-crypto 200

Specifies SHA1_80 as the only SRTP cipher-suite that will be offered by LGW/CUBE in the SDP in offer
and answer. Webex only supports SHA1_80. This command will be applied to voice class tenant 200 (discussed
later) facing Webex.
voice class stun-usage 200

Defines STUN usage. Will be applied to all Webex facing (2XX tag) dial-peers to avoid no-way audio when
a Unified CM Phone forwards the call to another Webex phone.

Step 3 Configure voice class tenant 200 as shown below. However, be sure to use the parameters obtained from the
Control Hub as shown in the mapping below and not as displayed under the voice class tenant 200 in this
document.

Note Do not use these examples as they are only shown here for reference. Use the configuration
gathered earlier in Control Hub when adding the Local Gateway.
• Registrar Domain: 40462196.cisco-bcld.com
• Trunk Group OTG/DTG: hussain3350_lgu
• Line/Port: [email protected]
• Outbound Proxy Address: la01.sipconnect-us10.cisco-bcld.com
• Username: Hussain3350_LGU
• Password: bjljJ2VQji

Local gateway tenant configuration: Configuration

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

174
Phase 2 Option: Webex Calling
Configuring SIP Profile

voice class tenant 200

registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls
credentials number Hussain8789_LGU username Hussain3350_LGU password 0 bjljJ2VQji realm
BroadWorks
authentication usernameHussain3350_LGU password 0 bjljJ2VQji realm BroadWorks
authentication usernameHussain3350_LGU password 0 bjljJ2VQji realm 40462196.cisco-bcld.com
no remote-party-id
sip-server dns:40462196.cisco-bcld.com
connection-reuse
srtp-crypto 200
session transport tcp tls
url sips
error-passthru
asserted-id pai
bind control source-interface GigabitEthernet1
bind media source-interface GigabitEthernet1
no pass-thru content custom-sdp
sip-profiles 200
outbound-proxy dns:la01.sipconnect-us10.cisco-bcld.com
privacy-policy passthru

Explanation of Commands above:

voice class tenant 200

This CUBE multi-tenant feature enables specific global configurations for multiple tenants on SIP trunks that
allow differentiated services for tenants.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

175
 Phase 2 Option: Webex Calling
Configuring SIP Profile

registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls

Registrar server for the Local Gateway with the registration set to refresh every two minutes (50% of 240
seconds).
credentials number Hussain8789_LGU username Hussain3350_LGU password bjljJ2VQji realm
BroadWorks

Credentials for Trunk Registration challenge.

authentication username Hussain3350_LGU password bjljJ2VQji realm BroadWorks
authentication username Hussain3350_LGU password bjljJ2VQji realm 40462196.cisco-bcld.com

Authentication challenge for calls.

no remote-party-id

Disable SIP Remote-Party-ID (RPID) header as Webex supports PAI, which is enabled using CLI asserted-id
pai (see below).
sip-server dns:40462196.cisco-bcld.com

Webex servers.
connection-reuse

To use the same persistent connection for registration and call processing.
srtp-crypto 200

Specifying SHA1_80 defined in voice class srtp-crypto 200.

session transport tcp tls

Setting transport to TLS.

url sips

SRV query has to be SIPS as supported by the access SBC; all other messages will be changed to SIP by
sip-profile 200.
error-passthru

SIP error response pass-thru functionality.

asserted-id pai

Turn on PAI processing in LGW/CUBE.

bind control source-interface GigabitEthernet1

Signaling source interface facing Webex Calling

bind media source-interface GigabitEthernet1

Media source interface facing Webex Calling

no pass-thru content custom-sdp

Default command under tenant.

sip-profiles 200

To change SIPS to SIP and modify Line/Port for INVITE and REGISTER messages as defined in voice class
sip-profiles 200.
outbound-proxy dns:la01.sipconnect-us90.cisco-bcld.com

Webex Calling Access SBC.

privacy-policy passthru

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

176
Phase 2 Option: Webex Calling
Configuring SIP Profile

Transparently pass across privacy header values from incoming to the outgoing leg.

Step 4 Next, configure the following voice class tenants.

Local Gateway Voice Class Tenant Configuration

! Voice class tenant 100 will be applied on all OUTBOUND dial-peers facing the IP PSTN
voice class tenant 100
session transport udp
url sip
error-passthru
bind control source-interface GigabitEthernet2
bind media source-interface GigabitEthernet2
no pass-thru content custom-sdp
! Voice class tenant 300 will be applied on all INBOUND dial-peers from the IP PSTN
voice class tenant 300
bind control source-interface GigabitEthernet2
bind media source-interface GigabitEthernet2
no pass-thru content custom-sdp

Step 5 Configure the following voice class URIs for URI-based dialing.

Configuration
! - Defines ITSP’s host IP address
voice class uri 100 sip
host ipv4:198.18.133.3

Step 6 Configure voice class uri 200 as shown.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

177
 Phase 2 Option: Webex Calling
Configuring SIP Profile

Configuration
! - Defines pattern to uniquely identify a Local gateway site within an Enterprise
voice class uri 200 sip
pattern dtg=XXXXXXXX.lgu

Important Use the parameters obtained from the Control Hub as shown in the mapping below and not as
displayed under the voice class uri 200 in this document.
The pattern defined within voice class uri 200 is configured to match the unique Trunk Group OTG/DTG
parameter obtained from the Control Hub earlier and also defined in rule 20 of the voice class sip-profiles
200.
Note Local Gateway today doesn’t support the underscore “_” in the match pattern. As a workaround,
we used the dot wildcard “.” (match any) to match the underscore “_” within hussain3350_lgu
(example displayed in this document).

Step 7 Configure the following outbound dial-peers shown below.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

178
Phase 2 Option: Webex Calling
Configuring SIP Profile

Configuration
! - Outbound dial-peer towards IP PSTN
dial-peer voice 101 voip
description Outgoing dial-peer to IP PSTN
destination-pattern BAD.BAD
session protocol sipv2
session target ipv4:198.18.133.3
voice-class codec 99
voice-class sip tenant 100
dtmf-relay rtp-nte
no vad
! - Outbound dial-peer towards Webex
dial-peer voice 200201 voip
description Inbound/Outbound Webex Calling
destination-pattern BAD.BAD
session protocol sipv2
session target sip-server
voice-class codec 99
voice-class stun-usage 200
no voice-class sip localhost
voice-class sip tenant 200
dtmf-relay rtp-nte
srtp
no vad

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

179
 Phase 2 Option: Webex Calling
Configuring SIP Profile

Step 8 Configure the following dial-peer groups (DPG).

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

180
Phase 2 Option: Webex Calling
Configuring SIP Profile

Configuration
! - Defines dial-peer group 100. Outbound dial-peer 101 is the target for any incoming dial-peer invoking
dial-peer group 100. We will apply DPG 100 to
! - incoming dial-peer 200 defined later for Webex Calling --> LGW --> PSTN path
voice class dpg 100
description Incoming WxC(DP200) to IP PSTN(DP101)
dial-peer 101 preference 1
! - Define dial-peer group 200. Outbound dial-peer 201 is the target for any incoming dial-peer invoking
dial-peer group 200. We will apply DPG 200 to
!- incoming dial-peer 100 defined later for the IP PSTN --> LGW --> Webex Calling path.
voice class dpg 200
description Incoming IP PSTN(DP100) to WxC(DP201)
dial-peer 201 preference 1

Step 9 Configure the following inbound dial-peers.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

181
 Phase 2 Option: Webex Calling
Configuring SIP Profile

Configuration
! - Inbound dial-peer for incoming IP PSTN call legs
dial-peer voice 100 voip
description Incoming dial-peer from IP PSTN
session protocol sipv2
destination dpg 200
incoming uri via 100
voice-class codec 99
voice-class sip tenant 300
dtmf-relay rtp-nte
no vad
! - Inbound dial-peer for incoming Webex Calling call legs, with the call destined for IP PSTN
dial-peer voice 200201 voip
description Inbound/Outbound Webex Calling
max-conn 150
destination dpg 100
incoming uri request 200

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

182
Phase 2 Option: Webex Calling
Configuring SIP Profile

That completes the local gateway configuration. Now you will save.

Step 10 Type end at the command prompt.

Step 11 To save, type copy run start and press Enter/Return twice.
Step 12 Before testing the configuration, verify the local gateway shows online in Control Hub. Go back to the Control
Hub and log in, if needed ([email protected] / dCloud123!).
Step 13 Navigate to Services > Calling > Call Routing. Click your trunk defined Hussain. On the fly-out window
under Details click Manage.
Step 14 For Status, it should read Online. After verifying the status, click the X to close the window.
Step 15 Finally, need to set the calling behavior between Webex Calling and on-premises. Go to Services > Calling
and select Service Settings on the Calling page. Scroll down to find Call Routing between Webex Calling
and Premises and choose the radio button for Legacy behavior. Click Save. It says not recommended but,
as this is a lab environment, that is okay.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

183
 Phase 2 Option: Webex Calling
Migrate Calling from On-Prem UCM to Cisco Webex

Migrate Calling from On-Prem UCM to Cisco Webex

Attention The Migration Card in Webex Control Hub covers both migrating Calling and migrating Enterprise Phones
to multiplatform (MPP) firmware. If you are planning to migrate both calling and phones, continue with this
section.
If you want to skip the Calling migration and just try out the Phone migration (Enterprise to MPP), you can
skip this section and move to the stand-alone section entitled Migrate Enterprise Phones to Multiplatform
(MPP) Firmware.
If you are planning to migrate physical phones (Cisco 88XX or 78XX, etc.) register them with Cisco UCM.
When you connect the phones to the dCloud router, they will auto-register with 12XXXX series extensions.
You can assign those auto-registered phones to a particular user (such as Charles, Anita, etc.) using the
self-provisioning tool. Dial 1111 or press Self Provisioning on auto-registered phone and choose option 1.
Enter the extension number of the user (60XX) that you want to register the phone to and follow the rest of
the prompts. ALTERNATIVELY, there are already a few devices (88XX and 78XX) that have been added
with dummy MAC addresses to Cisco UCM. You can just log in to UCM and update the MAC with your
respective phone and they will be provided. In this lab, we will register physical phones to Charles Holland
and Anita Perez, but you can register the phones to any other user as well.

Migrate Unified CM settings for users, devices, numbers, and locations to Webex Calling platform for a better
user experience and to leverage the enterprise-grade Cisco Webex cloud calling, mobility, messaging, and
calling services. The migration automates the firmware license generation, verifies the device eligibility, and
assigns phone numbers to users and devices for Webex calling services.
Prerequisites
Before you start your migration, make sure that you meet the following requirements:
• Access Cisco Webex Control Hub as an organization administrator. For more information, see Assign
Organizational Account Roles in Cisco Webex Control Hub.
• Create Webex Locations with PSTN assigned for each Location. For more information, see Configure
Cisco Webex Calling for Your Organization.
• Obtain the BAT/CSV files for the Unified CM users and devices. For more information, see Cisco Unified
Communications Manager Bulk Administration Tool (BAT).
• Ensure phones on Unified CM that you are migrating are using Phone Load version 12.5 or later. For
more information, see Install or Upgrade Cisco IP Phone Firmware.
• Identify any DNs from Unified CM that are mapped to multiple Device Pools in Unified CM. This tool
cannot migrate these DNs. You can use Add and Assign Devices in Bulk for migration.
• Ensure all your end users from Unified CM are provisioned as Webex Users via Cisco Directory Connector
or other means. For more information, see User and Contact Synchronization and Install Cisco Directory
Connector.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

184
Phase 2 Option: Webex Calling
Migrate Calling from On-Prem UCM to Cisco Webex

Procedure

Step 1 Open RDP connection to Workstation 1 at 198.18.1.36. Log in with dcloud\cholland and dCloud123!
Step 2 Open the Chrome browser from the taskbar.
Step 3 Click the Collaboration Admin Links drop-down and select Cisco Unified Communications Manager. If
you have configured Single Sign-On using Okta or Azure in a previous scenario, you will use those credentials
to login; otherwise, log in with administrator and dCloud123!
Step 4 Navigate to Bulk Administration > Import/Export > Export. If you are planning to migrate phones too,
ensure you have registered physical phones.

Step 5 Click Select All and give your choice of name for the Tare File Name (for example, UnifiedCM_Data_Export).
Scroll down to the Job Information section and select the radio button for Run Immediately. Click Submit.

Step 6 Cisco Unified CM will start exporting the data. Go to Bulk Administration > Job Scheduler to check the
status of your submitted job in the previous step. It takes around five minutes for the data to be exported. You
can click Find to see a list of all jobs running. It will display all current/past jobs and their status. Please wait
for the job status to change to Completed.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

185
 Phase 2 Option: Webex Calling
Migrate Calling from On-Prem UCM to Cisco Webex

Step 7 Once the job is completed, go to Bulk Administration > Upload/Download Files. Click Find. You will see
the exported data tar file. Click to add a checkmark next to the file and select Download Selected. The file
will be downloaded to the Workstation 1 desktop.

Important As part of this Migration of Calling from Cisco UCM to Webex lab, we will shut down the Cisco
UCM in an upcoming step. Before proceeding, please make sure you have exported all UCM
data after registering physical phones to Cisco UCM.

Step 8 Open a new tab on Chrome. Click Cisco Webex Links and choose Cisco Webex Control Hub.
Step 9 Log in with [email protected] and dCloud123! (Your unique cbXXX.dc-YY.com domain
can be found under the Session Details tab of your dCloud session.)
Step 10 Once logged into Webex Control Hub, go to Services in the left-side pane and choose Migrations.
Step 11 On the Migrations page, find Update to the new Webex. In the Migrate Calling from On-prem UCM to
Cisco Webex Cloud card, select Get Started.

Step 12 Click to drop down Step 1: Review the Prerequisites and give it a quick read. This talks about configuring
the PSTN gateway, which we completed above with the E.164 number assignment, having the tar file generated
from UCM, phone load versions, etc.
Step 13 Minimize Step 1 and click to drop down Step 2 Import Data. Here we will import the data we exported from
UCM. Click Choose a File and choose the file you exported/downloaded in the steps above. Click Open.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

186
Phase 2 Option: Webex Calling
Migrate Calling from On-Prem UCM to Cisco Webex

Step 14 Webex Control Hub will start importing data. Once the import is completed, information will populate. Click
Start New Task to start the migration.
Step 15 On Migrate to Webex Calling, give the task a name of your choice, for example, Migrate_Calling-0920.
Click Next.
Step 16 On the Map Unified CM Device Pools to a Webex Calling Location page, click the Webex Calling Loctaion
drop-down option and choose dCloud. Click Next.

Step 17 It will take a minute to process. Once completed, click to add a check mark for dCloud and select the numbers
assigned to a Webex Calling location. Click Next.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

187
 Phase 2 Option: Webex Calling
Migrate Calling from On-Prem UCM to Cisco Webex

Step 18 Click Next on the Manage Numbers in Selected Webex Calling Locations page. It will list all users from the
UCM and their extension number. Click Next.

Note If you encounter any issue in migrating after clicking next, select edit for the phone number field
and change the first three digits of the phone numbers to random numbers.

Step 19 Click Next on the Assign Numbers to Webex Users or Workspaces page. If any of the devices is a workspace,
such as a common cubicle or huddle room, you can click the Edit icon (pencil) on the right side of the respective
row and toggle the option for Workspace. We have only users in this lab so we don’t have to do this. Also,
if you do not want to migrate any users/devices, you can click the Delete option for that specific row, as shown
below. Click Next.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

188
Phase 2 Option: Webex Calling
Migrate Calling from On-Prem UCM to Cisco Webex

Step 20 On the Manage Devices to be Migrated to Webex Calling page, you will see users, extensions, their physical
devices such as IP phones and soft clients, etc. Webex Control Hub will highlight any device that is incompatible
with Webex Calling due to the firmware version, model type, etc., as shown below. The device highlighted
in with the color orange is for informational purpose only; there is no action needed. Click Next.

Step 21 On the Review page summarizes the migration, lists any known issues, etc. Once you look over and verify
that information, click Prepare to Migrate.
Step 22 It will give a warning messaging saying proceeding will exclude records with errors and prepare the rest of
the phones for this Webex Calling migration task. Click Accept and Continue.
Step 23 It will start preparing the migration task and give you status summary. Give a quick read of those steps. Click
Done to close the summary page.
Step 24 It will take you back to the home overview page. Go to Services in the left-side pane and choose Migrations.
It lists the migration task we just created and shows its current status. Wait until the status reads either Ready
for Migration or Ready with Errors. (If errors, you can click on the task and review the error messages.
Those error messages are just for review purposes only and will not alter the migration in this lab. Go back
to the Migrations page.) Click Complete Migration. It opens a new pop-up window with the next steps that
required to execute to complete the migration. Read them and click Download Files.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

189
 Phase 2 Option: Webex Calling
Migrate Calling from On-Prem UCM to Cisco Webex

Step 25 It will download a zip file to the desktop of the workstation. The filename starts with the task name you gave
it while creating the migration task. Minimize the browser window and locate the zip file we just downloaded.
Right-click on the file and select Extract All…. Click Extract on the new window. The extracted file will
have loads, models, and README.txt files. The loads/models folder contains the phone devices that are being
migrated and README.txt (use Word Pad to read this file) and also contains the instructions for triggering
migration of phone firmware from UCM to MPP/Webex phone load and where to connect for download. The
Models folder contains the list of devices that we need to upgrade to Webex. This folder also contains one
.txt file for each model of the phone that needs to be uploaded to Cisco UCM.

Step 26 Open a new browser tab. Click to drop down Collaboration Admin Links and choose Cisco Unified
Communications Manager. If you configured Single Sign On in the previous scenarios, log in with SSO
credentials; otherwise, log in with administrator/dCloud123!.
Step 27 Once logged in, navigate to Bulk Administration > Upload/Download Files. Click Add New.
Step 28 On File Upload Configuration, click Choose File. Browse to the file we extracted above (the migration file
we downloaded above) > models > text file in that folder for respective type of phone. Click Open. For
Select Target, choose Phones. For Select Transaction Type, choose Update Phones – Custom File. Click
Save.
Note If you are migrating different models of phones together, the models folder will have multiple
.txt files, one for each model of the phone. In this lab, we are migrating only one 8861 phone so
we have only one .txt file.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

190
Phase 2 Option: Webex Calling
Migrate Calling from On-Prem UCM to Cisco Webex

Step 29 Navigate to Bulk Administration > Phones > Update Phones > Custom File.
Step 30 On the Update Phones Custom Configuration page, click to drop down Custom Fileand choose the file you
uploaded above. Click Find. It will list all of the devices in that uploaded file. Click Next.

Step 31 On the Update Phones page, select the radio button for Restart Phones. Scroll down and add a check mark
for Phone Load Name. Enter the value sip88xx.TLexE2M-11-3-3C-369. Scroll further down to locate
Product Specific Configuration Layout and add a check mark for Load Server. Enter
cloudupgrader.webex.com. Scroll towards the bottom of the page and choose the radio button Run
Immediately. Click Submit.
Note For any other supported model phones, the Phone Load Name can be found in the README.txt
file that is part of the downloaded zipped file from Webex Control Hub (Step 17).

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

191
 Phase 2 Option: Webex Calling
Updating the On-prem Services

Step 32 Now the phone will be upgraded to MMP firmware, and all necessary licenses for Webex Calling will be
applied. Please wait around 3 to 5 minutes for the phone to be ready.
Step 33 Once the phone is registered, go back to the Webex Control Hub tab. If timed out, log in with
[email protected] and dCloudZZZZ! Navigate to Management > Users. Choose the user
you had the physical phone registered to (for instance, Lab Anita Perez). On the flyout window, notice that
for Calling, the Webex Calling Professional license has been assigned as part of the migration. Scroll down
to Devices and notice Anita has a new device (Cisco 8861 that you just migrated) and it shows with a green
light indicating is registered to Cisco Webex.

Step 34 Click the device to get more information about the device, such as the MAC address, host address, IP address
of the device, etc.
Note If a user does not have a physical phone to be migrated, their license would not be updated to
Webex Calling Professional.

Updating the On-prem Services

As we will be transitioning all users to Webex Calling and all endpoints will be transitioned to cloud registration,
we will update appropriate on-premises infrastructure now that cloud calling is in use. Updates to the
infrastructure include the following steps.

Note As this is the lab environment, we will SSH into CUCM and IMP servers to issue shutdown command. Or
you can click on your dCloud session page and shutdown the CUCM and IMP from Servers tab.

Procedure

Step 1 If not already open from earlier, log in to WKST1. Open PuTTY sessions to cucm1.dcloud.cisco. Log in
using administrator / dCloud123!
Step 2 Issue the following command to shut down the CUCM server: Utils system shutdown. You will be prompted
Do you really want to shutdown? Type Yes and press Enter/Return.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

192
 Phase 2 Option: Webex Calling
Updating the DNS SRV Records – Information Only

Step 3 Open a new PuTTY session to cup1.dcloud.cisco. Log in using administrator / dCloud123!
Step 4 Issue the following command to shut down the IMP server: Utils system shutdown. You will be prompted
Do you really want to shutdown? Type Yes and press Enter/Return.

Updating the DNS SRV Records – Information Only

Important This section is for information only. As this is the lab environment, we will not be deleting any SRV records.
Do no perform these steps.

Procedure

Step 1 (Information Only) Remove on-premises call control and messaging DNS SRV records from the on-premises
DNS server(s) including cisco_uds._tcp.<domain>, cup_login._tcp.<domain>. These SRV records are no
longer required for Webex Teams client service discovery.
Step 2 (Information Only) Remove edge-related DNS SRV records from the public DNS system including
collab_edge._tls.<domain>. These SRV records are no longer required for client service discovery of
collaboration edge services.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

193
 Phase 2 Option: Webex Calling
Configuring Webex for All Users

Configuring Webex for All Users

Procedure

Step 1 We can now use Webex to log in for all of our users in the org. We can also make and receive calls between
those users.
Note At this stage, we can log in into Webex on our personal devices or can use workstations provided
in the demo. Please sign out of all Jabber clients.

Step 2 If using workstation in this demo. Open Webex on WKST1.

Step 3 Sign in as [email protected]. As SSO is configured you will be prompted to enter the credentials.
Enter cholland as username and dCloud123! as password. Once done, click Sign in.
Step 4 Use the same steps to log in into another user example: [email protected].
Note As SSO is enabled, if you are logging in for the first time, you might have to select an image for
your Okta account.

Step 5 Now that you have the clients installed and logged into, you will be able to send messages between users, set
Presence status, and make internal calls. You can see users using Webex Calling service by clicking the user
image and selecting Phone Service.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

194
 Phase 2 Option: Webex Calling
Test PSTN Calls via Local Gateway for Migrated Users

Test PSTN Calls via Local Gateway for Migrated Users

Prior to testing PSTN calls via the local gateway for the newly migrated users, the following change needs
to be done to allow PSTN calling in this lab environment.

Note As this is the lab environment make sure at this stage your CUCM and IMP servers are shut down. Don’t
proceed with the steps below if your CUCM or IMP servers are still shutting down.

Procedure

Step 1 If using workstation in this demo, go to https://198.18.133.5 (advance through security warnings). Enter admin
as username and dCloud123! as the password. Click LOGIN NOW.
Step 2 Go to Configuration > Interface and click Ethernet.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

195
 Phase 2 Option: Webex Calling
Test PSTN Calls via Local Gateway for Migrated Users

Step 3 Select GigabitEthernet1.

Step 4 Under Configure Interface GigabitEthernet1, click Port Configuration. Change the IP Address* to
198.18.133.3 and click Update & Apply to Device.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

196
 Phase 2 Option: Webex Calling
Testing Calls – Inbound from PSTN to Webex

Step 5 Once you see a configuration successfully applied notification, you can test PSTN calls for the migrated user
the same way you dialled/tested PSTN calling using Jabber.
Step 6 Open Webex Teams on WKST1, which should already be logged in as [email protected]. Recall
from earlier modules that this user was setup to use Jabber for PSTN calls prior to migration. We will now
place calls to and receive calls from PSTN for this user using Webex Teams (registered to Webex Calling)
and via the local gateway as the PSTN option.

Testing Calls – Inbound from PSTN to Webex

Procedure

Step 1 For dialing inbound PSTN calls to your pod’s phones, information can be found in your dCloud session details
page or in a text document found on the desktop of Workstation 1 named DN_to_DID.txt.
Step 2 Those DID can be dialed from your mobile numbers.
Step 3 With the DID number, dial one of your users (that are logged into Webex) using a real cell or desk phone.
Step 4 Answer the call on Webex.
Step 5 The call flow in dCloud is as follows:
a) Incoming DID comes into dCloud.
b) Platform gateways translate that DID into a four digit extension (6XXX or 7XXX).
c) Call is routed through the local gateway to the extension of the user.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

197
 Phase 2 Option: Webex Calling
Testing Calls – Outbound to PSTN

Testing Calls – Outbound to PSTN

In dCloud, national calls are allowed to the datacenter region your session is located in. US West/East
datacenters are dc-05 or dc-01. EMEAR datacenter is dc-03. APJ datacenter is dc-02.
In the US datacenters you should be able to call any national number. Remember since the location is built
for the United States, Webex will add a +1 to any dialed number if needed. So a 10 digit number can be called
or a 1 + 10 digit number.
Dialing from an EMEAR or APJ session will be just a little different than US. Every session, no matter the
datacenter, the Webex Calling location is built for United States. Because of this, in the lab, dialing a national
number for the UK (EMEAR) or Singapore (APJ) requires you to dial a 00 + Country Code and then the
number (10 digit for UK and 8 digit for Singapore). For the EMEAR datacenter the country code is 44. For
the APJ datacenter the country code is 65.
When you dial 00 and the number, Webex Calling will route the number as is and not add +1. Then the call
flow for EMEAR and APJ sessions is as follows:
• Call comes into Local Gateway, sent to dCloud Gateway, which delivers it to the IP PSTN.
• The dCloud GW will strip the 00 off the number and add a plus (+) or localize it.
• The +E.164 or the localized number is now routed by the IP PSTN and rings the PSTN number.

Procedure

Step 1 With the dialing explanation above, dial a PSTN number.

Step 2 Answer the call.

Configuring MPP Devices Using Global Discovery Service

This feature uses a 16-digit activation code that is generated by Cisco Global Discovery Service (GDS) and
the Webex Calling Platform to onboard and provision the device with the associated Webex Platform. When
the code is provided to a user/administrator, the code is entered into the MPP Phone. The MPP phone
communicates with GDS and redirects the phone to the hosting platform. The MPP phone communicates with
the Webex Platform and uses the activation code to authenticate with the platform. If authentication is
successful, the MPP MAC address is stored onto the platform and the phone is provided with the provisioning
server location. The phone reboots and downloads the user configuration from Device Management.
This feature is supported on the following Cisco MPP devices:
• 6821, 6841, 6851
• 7811, 7821, 7832, 7841, 7861
• 8811, 8832, 8841, 8845, 8851, 8861, 8865

If you have a physical MPP phone, use the following instructions to register it along with other phones you
would like to use. If you do not have a physical MPP phone then the Webex Teams app will suffice for this
lab. You can skip to the next section if you just want to use Webex Teams to make calls.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

198
 Phase 2 Option: Webex Calling
Configuring Room Devices for Webex Calling

Procedure

Step 1 On the Control Hub, click Devices.

Step 2 Click Add Device and Next.
Step 3 Choose Existing User and click Next.
Step 4 Search for any user you want to associate device with. Select Charles Holland, and click Next. Choose your
Device type and select How would you like to set up this device?
Step 5 Copy the 16-digit Activation Code code.
Note If your phone has not been factory reset, do that now. If the phone has already been factory reset
and powered on, reboot the phone to have it attempt the registering process again.
A minimum firmware version of 11-3-1MES-5 is required to onboard a device via an activation
code.

Step 6 Once the phone boots after a factory reset, enter the activation code onto the phone and click Continue.
Step 7 After a few minutes, the phone should reboot and register. It may take a few minutes before the device is
listed on the devices page in Control Hub after registering.

Configuring Room Devices for Webex Calling

If you have a physical Room Device, use the following instructions to register it. If you do not have a physical
Room Device then the Webex Teams app will suffice for this lab. You can skip to the next section if you
just want to use Webex Teams to make calls.

Procedure

Step 1 Navigate to Devices.

Step 2 Click Add Device.
Step 3 Choose Workspace and then click Next.
Step 4 Choose New Workspace. In the box that appears, enter a workspace name.
Step 5 Click Next.
Step 6 Choose Cisco Webex Rooms device and then click Next.
Step 7 Select Cisco Webex Calling and click Next. Assign 6025 as an extension.
Step 8 On the next screen you will receive a single use Activation code. Enter the code on your endpoint and it will
register. Your endpoint might upgrade after registering. You will be able to dial the extensions of other users
from your room device or even call PSTN numbers.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

199
 Phase 2 Option: Webex Calling
Migrate Enterprise Phones to Multiplatform (MPP) Firmware

Migrate Enterprise Phones to Multiplatform (MPP) Firmware

Procedure

Step 1 Note Complete this section only if you want to migrate phones without migrating Calling

Open a new tab on the Chrome browser. Click to drop down Cisco Webex Links and choose Cisco Webex
Control Hub.
Step 2 Log in with [email protected] and dCloudZZZZ! (Your unique cbXXX.dc-YY.com
domain can be found under the Session Details tab of your dCloud session. The ZZZZ portion of the password
is the last four digits of our Session ID found in your sessions's Details tab.)
Step 3 Once logged into Webex Control Hub, go to Services on the left-side pane and choose Migrations.
Step 4 On Migrate Enterprise Phones to Multiplatform (MPP) Firmware, click Get Started.

Step 5 Click to expand Step 1. Review and complete the three prerequisites.
• Assuming licensing will be taken care by this migration itself
• Add PSTN gateway using previous session
• Import Users either using AD or User/Contact Sync card or Manually Add them

Step 6 Once you verify the prerequisites are met, minimize Step 1. Go to Step 2 and choose Create a New Task.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

200
Phase 2 Option: Webex Calling
Migrate Enterprise Phones to Multiplatform (MPP) Firmware

Step 7 On the Migrate Enterprise Phones to Multiplatform (MPP) Firmware page, enter a Task Name that we are
going to create and click Next.
Step 8 On the Add Enterprise Devices page, we need to upload a CSV file with the list of the Enterprise phones that
need to be migrated from Cisco UCM to Webex. Click Download CSV Template. It will download a template
on to desktop with name devices.csv. We are going to use this file to modify the details of the lab phones that
we are going to migrate
Step 9 Locate the file devices.csv on the desktop and open it.
Step 10 Update the .csv file with the phone details used in this lab. Below is an example/reference. Fill out the CSV
file with your actual phone details and delete the rows that are not being used.
• Username: [email protected] (replace username with the user you assigned the phone
with and replace XXX/YY with your unique domain)
• Type: User or Place (phone belongs to a user or a place, such as a meeting room)
• Directory Number: For User, you don’t need to provide the Directory Number but instead the Place it
has to be specified
• Direct Line: External Phone Number Mask from UCM for that user. You can ignore that in
this lab.
• Device Type: IP or Webex
• Model: Cisco Phone model
• MAC Address: MAC address of the device being migrated
• Location: dCloud

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

201
 Phase 2 Option: Webex Calling
Migrate Enterprise Phones to Multiplatform (MPP) Firmware

Step 11 Once the devices.csv file has been modified, save the file, and close it.
Step 12 Go back to the Webex Control Hub page. If timed out, log in with
[email protected]/dCloudZZZZ!
Step 13 Navigate to Migrations > Migrate Enterprise Phones to Multiplatform (MPP) Firmware. Click Get
Started.
Step 14 Select the migration you created above. It will directly take you to Add Enterprise Devices.
Step 15 Click Upload. Browse to the desktop, choose the devices.csv file you just modified with lab phone
details. Click Open.

Step 16 It will show upload status and if there are any errors. Click Next.
Step 17 On the following screen Webex Control Hub verifies if the phones are eligible to be migrated and provide a
status, as shown below. If any phone is not eligible to be migrated, it will give a warning. Click Prepare for
Migration. Click OK on the pop-up window for confirming.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

202
Phase 2 Option: Webex Calling
Migrate Enterprise Phones to Multiplatform (MPP) Firmware

Step 18 It will start the process to migration. Once the process is prepared, it shows the status Ready for Migration
on the MigrationsMigrate Enterprise Phones to Multiplatform (MPP) Firmware page. Click Complete
Migration. When prompted with the steps to be executed to complete the migration, click Download Files.

Step 19 It will download a zip file to the desktop of the workstation. The filename starts with the task name you gave
it while creating the migration task. Minimize the browser window and locate the zip file we just downloaded.
Right-click on the file and select Extract All…. Click Extract on the new window. The extracted file will
have loads, models, and README.txt files. The loads/models folder contains the phone devices that are being
migrated and README.txt (use Word Pad to read this file) and also contains the instructions for triggering
migration of phone firmware from UCM to MPP/Webex phone load and where to connect for download. The
Models folder contains the list of devices that we need to upgrade to Webex. This folder also contains one
.txt file for each model of the phone that needs to be uploaded to Cisco UCM.
Step 20 Open a new browser tab. Click to drop down Collaboration Admin Links and choose Cisco Unified
Communications Manager. If you configured Single Sign On in the previous scenarios, log in with SSO
credentials; otherwise, log in with administrator/dCloud123!.
Step 21 Once logged in, navigate to Bulk Administration > Upload/Download Files. Click Add New.
Step 22 On File Upload Configuration, click Choose File. Browse to the file we extracted above (the migration file
we downloaded above) > models > text file in that folder for respective type of phone. Remember as we
are migrating two different model phones, we need to upload both .txt files one by one. Click Open. For

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

203
 Phase 2 Option: Webex Calling
Migrate Enterprise Phones to Multiplatform (MPP) Firmware

Select Target, choose Phones. For Select Transaction Type, choose Update Phones – Custom File. Click
Save.

Step 23 Repeat the step above for another phone model or other .txt file in the models folder.
Step 24 Navigate to Bulk Administration > Phones > Update Phones > Custom File.
Step 25 On the Update Phones Custom Configuration page, click to drop down Custom Fileand choose the file you
uploaded above. Click Find. It will list all of the devices in that uploaded file. Click Next.

Step 26 On the Update Phones page, select the radio button for Restart Phones. Scroll down and add a check mark
for Phone Load Name. Enter the value sip88xx.TLexE2M-11-3-3C-369. Scroll further down to locate
Product Specific Configuration Layout and add a check mark for Load Server. Enter
cloudupgrader.webex.com. Scroll towards the bottom of the page and choose the radio button Run
Immediately. Click Submit.
Step 27 Repeat step 27 and 28 for the other phone model (second .txt file in models folder)
Note README.txt file lists all the latest firmware load names for all the supported phone models that
you can upgrade to instead of using sip88xx.TLexE2M-11-3-3C-369 (say for 88XX series phones)

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

204
Phase 2 Option: Webex Calling
Migrate Enterprise Phones to Multiplatform (MPP) Firmware

Step 28 Now the phone will be upgraded to MMP firmware, and all necessary licenses for Webex Calling will be
applied. Please wait around 3 to 5 minutes for the phone to be ready.
Step 29 Once the phone is registered, go back to the Webex Control Hub tab and, if timed out, log in with
[email protected] and dCloudZZZZ!. Go to Management > Users and choose the user
you had a physical phone registered to (in this lab this is Anita Perez and Charles Holland). On the flyout
window, notice for Calling the Webex Calling Professional license has been assigned as part of the migration.
Scroll down to Devices. Notice Anita has a new device, Cisco 8841, that you just migrated. (For Charles, his
new device is Cisco 8861.) The device has a green light indicating it is registered to Cisco Webex.

Step 30 Click on the device to get more information about the device, such as MAC address, host address, IP address
of the device, etc.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

205
 Phase 2 Option: Webex Calling
Migrate Enterprise Phones to Multiplatform (MPP) Firmware

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

206
 CHAPTER 6
Firmware Migration
• Firmware ONLY Migration from ENT to MPP, on page 207

Firmware ONLY Migration from ENT to MPP

Venky - This is where you can add overview info for this scenario. This isn't where you'll add step-by-step
instruction though. In here, you can use bullet points or numbered steps for overview info.

Rename This Task 1

Overview text for this step goes here, if you have any.

Procedure

Step 1 Note

Step 2
Step 3
Step 4
Step 5
Step 6

Rename This Task 2

Overview text for this step goes here, if you have any.

Procedure

Step 1 Note

Step 2

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

207
 Firmware Migration
Rename This Task 3

Step 3
Step 4
Step 5
Step 6

Rename This Task 3

Overview text for this step goes here, if you have any.

Procedure

Step 1 Note

Step 2
Step 3
Step 4
Step 5
Step 6

Rename This Task 4

Overview text for this step goes here, if you have any.

Procedure

Step 1 Note

Step 2
Step 3
Step 4
Step 5
Step 6 Note Venky ? If you have any more tasks for this scenario, you can just keep adding them here at the
end of this task.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

208
 CHAPTER 7
Appendix
• Creating and Confirming an Application User, on page 209
• Enabling the Users For Webex Calling (Unified CM), on page 210
• Set Calling Behavior in Control Hub (Phase 1), on page 210

Creating and Confirming an Application User

The following steps show how to create an application user for use with the Cisco Webex Call connector on
the Expressway and device connector tool.

Procedure

Step 1 Browse to https://198.18.133.3/ccmadmin.

Step 2 Log in as administrator with password dCloud123!
Step 3 Navigate to User Management > User Settings > Access Control Group and click Add New.
Step 4 For name, enter Webex Call Connector and click Save.
Step 5 In the Related Links drop-down menu, choose Assign Role to Access Control Group and click Go.

Step 6 Click Assign Role to Group and then click Find.

Step 7 Check the boxes next to:
• Standard AXL API Access
• Standard CTI Allow Control of all Devices
• Standard CTI Allow Control of Phones supporting Connected Xfer and conf
• Standard CTI Allow Control of Phones supporting Rollover Mode
• Standard CTI Enabled

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

209
 Appendix
Enabling the Users For Webex Calling (Unified CM)

Step 8 After clicking those boxes, click Add Selected and then click Save.

Step 9 Navigate to User Management > Application User and click Add New.
Step 10 For User ID, enter webex.
Step 11 Enter dCloud123! in the Password and Confirm Password fields.
Step 12 Scroll to the bottom of the page and click Add to Access Control Group. Click Find.
Step 13 Check the box next to Webex Call Connector and then click Add Selected.
Step 14 Click Save.

Enabling the Users For Webex Calling (Unified CM)

Procedure

Step 1 If not already open from earlier, log in to WKST1. Open a new browser tab to https://admin.webex.com.
Log in using [email protected] / dCloud123!
Step 2 SSO was configured in the previous steps. Enter the username cholland and password dCloud123! and click
Sign In.

Set Calling Behavior in Control Hub (Phase 1)

You can use Control Hub to set the calling behavior for specific users in your organization or for your entire
organization. In our lab, we will enable Calling in Webex (Unified CM) for kmelby and smauk so that they
can use the calling feature set.
When you select Calling in Webex (Unified CM), you can also specify a UC profile—either your organization's
default or one that you manually configured if you want to specify a different domain for users. For more
information about the calling behavior and UC profile options in Control Hub, see Set Up Calling Behavior
for Cisco Webex.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

210
Appendix
Set Calling Behavior in Control Hub (Phase 1)

Procedure

Step 1 Go to Users. Locate and open a user account for Kellie Melby. In the fly-out window, scroll to Settings and
select Calling Behavior (you'll see the user set up with an organization-wide default). Choose Calling in
Webex (Unified CM). Click Save.
Step 2 Follow the step above to configure Calling in Webex (Unified CM) for smauk as well.
Note To change the calling behavior at an organization level, you can go to Settings > Calling Behavior
and can choose Calling in Webex (Unified CM). This is for informational purpose only; we are
not configuring this in this lab.

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

211
 Appendix
Set Calling Behavior in Control Hub (Phase 1)

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

212
 CHAPTER 8
What's Next
• Learn more about Webex with Webex Enablement Lab v7.
• Check out the latest Collaboration demos and labs available on dCloud.
• Peruse Collaboration Collections on dCloud

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

213
 What's Next

Full Lab Guide: Migrating On-Premises Calling to Cisco Webex Lab v4

214