TelePresence FAQ

From DocWiki

Revision as of 16:35, 14 June 2018 by Javalenc (Talk | contribs)

Back to Unified Communications FAQ



How to create the CSR for vTS using OpenSSL??

You can use this handy site for this purpose; it generates the command string you need to pass to openssl to create your CSR and key:

OpenSSL CSR Tool
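The same request can also be generated entirely on your own workstation, so the private key never leaves it. This is an added example, not part of the original FAQ; the host names and subject fields are placeholders, and it goes slightly beyond the question by adding a subjectAltName and checking the result before the CSR is sent to the CA.

```sh
#!/bin/sh
# Added example (not from the original FAQ): create a key and CSR locally.
# All host names and subject fields below are placeholders.
set -eu

# make_csr <fqdn> <out_dir> [additional DNS names for the SAN ...]
# Runs in a subshell so the tightened umask does not leak to the caller.
make_csr() (
    set -eu
    fqdn="$1"; out_dir="$2"; shift 2
    san="DNS:$fqdn"
    for name do san="$san,DNS:$name"; done   # remaining arguments, if any
    umask 077                                # key and config: owner only
    mkdir -p "$out_dir"
    cat > "$out_dir/$fqdn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
O = Example Org
CN = $fqdn
[ext]
subjectAltName = $san
EOF
    # 2048-bit RSA key, stored unencrypted (-nodes), SHA-256 signature.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$out_dir/$fqdn.cnf" \
        -keyout "$out_dir/$fqdn.key" -out "$out_dir/$fqdn.csr"
    # Confirm the CSR's self-signature before handing it to the CA.
    openssl req -in "$out_dir/$fqdn.csr" -noout -verify >/dev/null 2>&1
    echo "$out_dir/$fqdn.csr"
)

# csr_sans <csr>: print the SAN entries the CA will see, spaces removed.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Usage: sh make_csr.sh vts01.example.com ./certs [more-names...]
if [ "$#" -ge 2 ]; then
    csr_sans "$(make_csr "$@")"
fi
```

Only the `.csr` file goes to the CA; the `.key` file stays on the machine that generated it until it is uploaded to the server together with the signed certificate.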

Go to TelePresence FAQ Content Table


What is the role of Conductor??

TP Conductor is, as the name implies, the equivalent of an orchestra conductor. It pools your MCUs and TP Servers into resource pools, so you can separate resources depending on what kind of conference they need (ad-hoc, rendezvous or scheduled). It makes sure that your resources are optimized, so that calls are accounted for correctly depending on the resolution they're using. It also acts as a single point of conference for CUCM for ad-hoc and rendezvous, instead of you needing to create two separate configurations per conference resource.

You can go through the data sheet for some more info: Cisco TelePresence Conductor Data Sheet


Why do I have a different screen layout for the same conference that is handled by Conductor??

If you're using more than one vTS or MCU, even if it's the same conference, the layout is kept independent per bridge.


What options do I have to deploy a Conductor??

The 3 options are:

  • Cisco TelePresence Conductor Essentials
  • Cisco TelePresence Conductor Select
  • Cisco TelePresence Conductor

Full info is here: Cisco TelePresence Conductor Data Sheet

Please note that even though you can deploy and configure Conductor without a license, this model is NOT TAC supported. Support for this particular Conductor model is via Cisco Support Communities only.


I'm having problems integrating Conductor as an ad-hoc CFB over HTTPS, what's wrong??

This can manifest in two ways:

  • Conductor will show as Unregistered under CFB
  • Ad-hoc conferences will fail

In the first case (Conductor showing as Unregistered), you have the SIP trunk configured using an IP address, Override SIP Trunk Destination as HTTP address is unchecked, and Use HTTPS is checked.

Under such circumstances, you're hitting bug: CSCut10254 HTTPS fails between CUCM and Conductor
All you need to do is uncheck Use HTTPS, and it will register.

In the second scenario, Conductor registers but ad-hoc conferences still fail: you checked the Override SIP Trunk Destination as HTTP address option and typed in the FQDN of Conductor, and that FQDN is present in the SAN of the Conductor certificate.

Then you're hitting bug: CSCut22572 Unable to create HTTPS connection between Conductor and CUCM using FQDN
The problem here is that Conductor is not doing the reverse DNS lookup, so it fails to create the conference.

So, in the end, you will need to rely on IP addresses to register them both, and also avoid using HTTPS.



Can I configure DX series endpoints in TMS??

No, there is an enhancement request for that: CSCup84943 TMS Support for DX series


How can I install signed certificates to TMS??

The procedure has been nicely outlined here:



Can I use SQL 2012 for TMSAE??

Please review the information from this bug: CSCus73220 Add support for SQL 2012 for TMSAE



What are the RTT requirements if I'm going to deploy the DB server in a separate location for TMSXE to work??

It follows the same guideline as TMS:

Network: The latency between the Cisco TMS server and the SQL server must not exceed 20 ms.
Source: Cisco TMS Installation and Upgrade Guide


VCS & Expressways

Where can I download the Expressway images for install??

There are no Expressway images. The same installation file used for VCS creates both VCSs and both Expressways; which product and capabilities it ends up with depends completely on the licenses that you upload to it.


What is the difference between VCS and Expressways??

The Expressways offer a subset of the features offered by the VCSs. The main differences are that EXP-C does not allow registration of devices (it only works as a proxy for CUCM registration), and that Expressways always need to be deployed in pairs to work, whereas you can use VCS-C without a VCS-E.

UPDATED 6/11/2018
Starting with x8.8, SIP registration to EXP-C has been enabled.
x8.9 enabled H.323 registration.
Currently the feature gap between VCS and Expressway is not as large as it used to be.


How to configure a secure SIP trunk to CUCM??

This is really a very basic procedure, especially if you have already signed all your CSRs with a public CA or an internal CA. All steps are outlined here:
Secure SIP Trunk between CUCM and VCS Configuration Example


Where can I find the MRA configuration guides??

They're all under the VCS documentation, under Configuration Guides


How can I configure B2B??

I will start from the point at which you already have MRA configured and working; we will then add B2B on top of that configuration.
I will use the terms VCS and Expressway interchangeably throughout this explanation.
As this is not a basic feature of CUCM or VCS, I assume a good level of familiarity and experience is in place before doing this. If not, I strongly suggest you review the MRA configuration guides and VCS guides here: VCS

The first step is to create a SIP trunk from CUCM to your VCS-C. Since you have MRA configured, ports 5060 and 5061 are already taken by that configuration, so make sure to use another set of ports for the SIP trunk from CUCM to VCS-C; we'll use 6060 and 6061.
In CUCM, create a new non-secure SIP trunk security profile with these settings:

  • Device security mode = Non Secure
  • Incoming Transport Type = TCP+UDP
  • Outgoing Transport Type = TCP
  • Incoming port = 6060
  • Accept unsolicited notification = checked
  • Accept replaces header = checked

And create a secure profile with settings:

  • Device security mode = Encrypted
  • Incoming Transport Type = TLS
  • Outgoing Transport Type = TLS
  • X.509 Subject Name = FQDN of EXP-C
  • Incoming port = 6061

You can use either one. Then configure a SIP trunk to VCS-C using one of the above profiles. The secure profile only secures the communication between VCS-C and CUCM, nothing else. Which one you use is up to personal preference and/or business requirements.

On your VCS-C, configure a neighbor zone to CUCM and make sure to change the port according to the transport type you chose, 6060 or 6061; if you leave it at 5060 or 5061, this will fail. If you will be using TLS and set TLS verify mode to On, the Peer address needs to be the FQDN; if you set it to Off, you can use an IP address. For non-secure zones you can use either one; usually IP is the preferred option.

Now, a separate traversal zone is required between EXP-C and EXP-E, in addition to the one that was created for MRA. Once again, you need to set a different port for this, or you will break the MRA configuration. The default port is 7001; we will be using 7003.

Create your new traversal zone between the VCS servers, and make sure to set the port to 7003.

On EXP-E, a DNS zone is required for outbound routing. Create a new DNS zone and choose whether you want H.323 and SIP, or only SIP. For SIP, which is most likely the one you want, choose the TLS verify mode as you require; remember that if you want to set it to On, you will need to have public CA signed certificates. The same goes for media encryption: it will depend on business needs and on the configuration at the other end, as they will ultimately dictate whether the call fails or is established.

Now, on to the routing required for this to work:

On CUCM, configure a SIP route pattern that matches anything (*.*) and sends it towards the SIP trunk you created. Make sure you have properly configured the Cluster Fully Qualified Domain Name under the Service Parameters.
On VCS-C, configure whatever transform rules you want applied, and a search rule pointing to the traversal zone.
On VCS-E, configure a catch-all search rule that points to the DNS zone.

Very important: these calls will consume Rich Media Session licenses (or traversal call licenses). You will consume 1 license per call on each server, so make sure you have the same number of licenses on both.

The SRV records that will be used for B2B are: port 5081 port 5080 port 5080 port 1719 port 1720
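A pre-check for the TLS verify mode rule in the neighbor zone step above: it tests whether the value you plan to enter as Peer address is actually covered by the certificate the peer presents. This is an added example, not part of the original FAQ; the host names, addresses and port in the usage line are placeholders.

```sh
#!/bin/sh
# Added example (not from the original FAQ): name check for a zone peer.
# It checks the name only; the issuing CA must also be trusted by the zone.
set -eu

# fetch_cert <host> <port> <out.pem>: save the certificate the peer presents.
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -out "$3"
}

# peer_name_ok <cert.pem> <peer_address>
# Returns 0 when the configured peer address (FQDN or IPv4 address) appears
# in the certificate, which is what TLS verify mode On requires.
peer_name_ok() {
    case "$2" in
        *[!0-9.]*) check=-checkhost ;;   # anything but digits/dots: host name
        *)         check=-checkip ;;     # dotted quad: needs an IP SAN entry
    esac
    openssl x509 -in "$1" -noout "$check" "$2" |
        grep -q 'does match certificate'
}

# Usage: sh check_peer.sh <connect_host> <port> <peer_address_to_configure>
#   e.g. sh check_peer.sh cucm-pub.example.com 6061 cucm-pub.example.com
if [ "$#" -eq 3 ]; then
    pem=$(mktemp)
    fetch_cert "$1" "$2" "$pem"
    openssl x509 -in "$pem" -noout -subject
    if peer_name_ok "$pem" "$3"; then
        echo "OK: '$3' is covered by the certificate"
    else
        echo "MISMATCH: '$3' is not in the certificate; TLS verify On will fail"
    fi
    rm -f "$pem"
fi
```

A certificate issued for the FQDN only will report a mismatch for the IP address, which is why the Peer address has to be the FQDN once TLS verify mode is On.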

If you're a partner, you can review:

UPDATED 6/11/2018
I'll try to find if any of the above training sessions are still available, or post any newer material that is available.


Is SSO over MRA supported??

Yes, but you require VCS 8.5.2, CUCM / IM&P / CUC 10.5(2) and Jabber 10.6 for this to work.
Page 29 Single Sign-On (SSO) over the Collaboration Edge


Is it possible to use both Jabber MRA and Jabber guest in an existing VCS cluster?

A: No, Jabber Guest and MRA are two separate entities. As long as you are using two separate VCS pairs, one for each, you should be good. There is no design guide that includes both. Below are links for each.

Jabber Guest:



What can I do if I need a VCS-E / EXP-E for my DMZ, but want a dedicated appliance??

Unfortunately, since x8.5 there are no longer appliances you can physically place in the DMZ. From a configuration point of view, you can simply use different NICs from the same server to have some servers in your internal network and others with access to the DMZ. However, many customers have a dedicated physical space for the DMZ, separated from the internal network, and won't allow that; in those scenarios, a dedicated virtualization server (or an existing one) would be required to deploy them.



What is the recommended MRA deployment, single NIC or dual NIC??

The recommendation is to use dual NIC. A single NIC deployment relies on NAT reflection and uses more resources per call, whereas in a dual NIC deployment the call flow is simplified, as it only traverses from the external NIC to the internal NIC. Any deployment should look to do dual NIC in the first place.


Are there any tools to troubleshoot MRA calls??

Yes, an Expressway SIP Call Analyzer was recently made available; it can be found here:

UPDATED 6/11/2018
Some more material for MRA troubleshooting:


Can I configure mutual TLS authentication??

This is not currently possible. I'm not sure when this might happen, but there is an enhancement request for it:

  • CSCuu05976 Expressway doesn't verify the Mobile Remote Access client certificate.

UPDATED 6/11/2018
The only way in which you can perform dual factor authentication is by using SSO via an IdP and then using the certificate installed on the device as part of the authentication.


Can I limit user access via MRA to just certain users / groups??

This is something that has come up quite often lately, how to limit the users who can use MRA, or how to limit them to just a subset of the features they have internally. For example Full UC on-prem but just IM&P over MRA, or phone-only over MRA.

This is currently not possible; there are already enhancement requests asking for this:

  • CSCux35528 Block some users from having Access to MRA
  • CSCus94318 Support the ability to restrict Collaboration Edge login for given users

UPDATE 7/12/16
The few methods you can use, and these are just workarounds, are:

  • Multiple domains

As the name implies, you'd need to configure at least two domains in your organization. They will both work internally, but you will only configure one for MRA. This is obviously a very big change, and would mean anyone who is in the domain not configured for MRA on EXP-C would not be able to log in. If you're already running multi-domain and want to prevent users from a certain domain from using MRA, but allow the other ones, this option would be perfect for you.

  • SSO

I know about this method, but I'm not an SSO expert. If you're using SSO for MRA, you can use security groups to prevent the authentication (if someone knows how this would work and is willing to explain, reach me). I'm assuming it might be possible to do something like split horizon DNS and prevent login from outside the organization, but I'm not sure.

  • RemoteAccess parameter

I'll start by saying that this is a NOT SUPPORTED METHOD, and it seems it only works halfway.
The RemoteAccess parameter was only meant to be used with Jabber 9.6, not with any higher release, and has since stopped being supported:

  • CSCuy21990 Remove RemoteAccess from Jabber Configuration Parameters guide

I have not tested this method yet, but it seems it would only prevent you from registering to CUCM, while you would still get IM&P services. My assumption was that the Jabber code had removed the ability to parse that parameter, but it seems some releases still use it. I'll confirm that in the logs once I test it.

If you still want to try it:


And once again, the previous method is NOT OFFICIALLY SUPPORTED as the bug states that the parameter is no longer supported.

UPDATED 6/11/2018
CUCM 12.0 has enabled a parameter to allow the users to have either full UC, phone only, or no services over MRA. The necessary Jabber version to do this is yet to be released, but this is already in the works.


Cannot connect a 78XX via MRA??

This is probably a bug, but I haven't seen it. If you're running a FW release on the 11 train, it will not work. You just need to downgrade to a 10.x FW release for the device, and MRA should work without any problems.


CMS - Cisco Meeting Server

Can I enable DB clustering with just two nodes??

No, that is not possible. The model for DB redundancy in CMS requires an odd number of servers; the choices are 3 or 5 servers, and any other combination is not supported.


How can I reset/recover the admin password for CMS??

There is currently no way to do so, there's an enhancement request for it:
Cisco Meeting Server virtual machine needs a password reset procedure


Can I configure LDAP redundancy with CMS??

There is no true LDAP redundancy with CMS, some details on how to do something similar are in this bug:
Partial LDAP redundancy via DNS, requires ICMP


Can I script LDAP to do a sync every x hours/days??

CMS doesn't provide any method to schedule an LDAP sync; it needs to be performed manually, or you can create a script to send the commands and do it.
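One way to script this, as an added example that is not part of the original FAQ: a POST to the `/api/v1/ldapSyncs` endpoint of the CMS API starts a sync, and cron provides the schedule. The host name, port, file paths and environment variable names are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original FAQ): trigger a CMS LDAP sync via API.
# CMS_API_USER, CMS_API_PASS and CMS_CA_FILE are names chosen for this example.
set -eu

# cms_ldap_sync <base_url>    e.g. https://cms01.example.com:445 (placeholder)
# Exit status: 0 = sync accepted, 2 = bad arguments/environment,
# anything else = curl error (22 means the CMS answered with HTTP >= 400).
cms_ldap_sync() (
    base_url="${1:-}"
    case "$base_url" in
        https://?*) ;;
        *) echo "refusing '$base_url': API credentials need HTTPS" >&2
           exit 2 ;;
    esac
    if [ -z "${CMS_API_USER:-}" ] || [ -z "${CMS_API_PASS:-}" ]; then
        echo "set CMS_API_USER and CMS_API_PASS (a CMS API user)" >&2
        exit 2
    fi
    # The credentials reach curl through a config read from stdin, so they
    # never appear in the process list. Certificate checking stays enabled;
    # CMS_CA_FILE can point at the CA that signed the CMS certificate.
    printf 'user = "%s:%s"\n' "$CMS_API_USER" "$CMS_API_PASS" |
        curl --config - --silent --show-error --fail --max-time 30 \
             ${CMS_CA_FILE:+--cacert "$CMS_CA_FILE"} \
             --request POST "${base_url%/}/api/v1/ldapSyncs"
)

# Example crontab entry (every 6 hours); the env file exports the variables
# above and should be readable only by the account running the job:
# 0 */6 * * * . /etc/cms-sync.env && /usr/local/bin/cms_ldap_sync.sh https://cms01.example.com:445

if [ "$#" -ge 1 ]; then
    cms_ldap_sync "$1"
fi
```

Use a dedicated API account for the job rather than the main admin user, so the stored password can be rotated without touching interactive logins.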


I'm using CMS 2.3 and the link to download the CMA client is not available / doesn't work??

That is related to this bug:
CSCvi32490 Web client doesn't show "download CMA link"
There is currently no fixed version listed as I'm writing this (6/11/18).


What should be the CMS VM specs on a CMS 1000??

It seems that there have been some instances in which the VM on the CMS 1000 server has not been properly configured, and you get a basic install, as if you had deployed the OVA, with far fewer resources (8 vCPU / 16 GB vRAM). To fix this, you need to manually modify the specs of the VM.

  1. Upgrade your VM HW, if it shows VM version 8 you won't be able to adjust as required.
  2. After the VM HW upgrade, adjust the specs as follows:
    • 2 sockets * 35 cores
    • 58 GB vRAM


CMM - Cisco Meeting Management

Is there an emergency login in case the LDAP configuration doesn't work??

Unfortunately there is no such option; that is why the first-time wizard tells you to make sure to properly configure user access, as otherwise you would need to start from scratch.


Any comments, questions, suggestions, contributions, etc. please send them to Please make sure the subject is formatted "UC FAQ <anything else>" as I'll have rules in my mail to match them, otherwise, they'll end up in my spam folder.
