|
0:00:14
|
Let’s go ahead and begin looking at our tasks for the day.
|
|
0:00:21
|
So we’ve got, the beginning task and I’ve actually gone ahead and performed the existing
|
|
0:00:35
|
configuration start-up, I’ve reset the servers from yesterday but re-imported most of the configuration.
|
|
0:00:42
|
I would actually say all of the configuration from yesterday and then activated the services
|
|
0:00:50
|
and made sure everything’s running and restarted RIS on both servers.
|
|
0:00:54
|
If you're studying for CCIE voice exam, you should just go ahead and plan,
|
|
0:00:58
|
but as soon as you start and activate all the services, you're probably just better off
|
|
0:01:03
|
going ahead and restarting the RIS database collector on both servers
|
|
0:01:08
|
and remember those are not a part of the feature services, they are part
|
|
0:01:14
|
of the network services. Those aren’t part that you activate, so it’s not like
|
|
0:01:20
|
you activated them, they started and then already need restarting.
|
|
0:01:23
|
Those were ones that were running before you got into the lab.
|
|
0:01:27
|
OK, and as someone mentioned yesterday, if services were already running when you got into
|
|
0:01:34
|
the lab before you, I wouldn’t just trust that they're all running in proper,
|
|
0:01:38
|
you might just want to make sure that all of them are activated
|
|
0:01:42
|
and it might not even be a bad idea to reset all of them
|
|
0:01:46
|
which could take a very long time. You have to do them one at a time,
|
|
0:01:49
|
so it’s a much faster way, rebooting the server, so I had to do them at once.
|
|
0:01:59
|
OK, so CUCM credentials, we’re told to change all users default pin to 99999
|
|
0:02:11
|
and do this with one click of the Save button. OK?
|
|
0:02:16
|
Ensure that each user must change that pin once they log in for the first time.
|
|
0:02:21
|
Alright, so let’s look over here and we know that we have a user
|
|
0:02:25
|
that we can log in with to begin with we’re told just from any documentation
|
|
0:02:32
|
pertaining to, in this case, INE’s rack rental or in the real lab,
|
|
0:02:37
|
based on what they instructed us is the username and password with which
|
|
0:02:42
|
to log in with, so that end in itself is a username, right?
|
|
0:02:48
|
It has to have certain permissions and we´re going to talk about all of those. OK?
|
|
0:02:54
|
So we´ve logged in for the first time with the user that was essentially created
|
|
0:02:59
|
and the password given at the initial CUCM disc spin in the EDDs
|
|
0:03:09
|
with which to install the CUCM, Cisco Unified Communications Manager Server on to a piece
|
|
0:03:18
|
of hardware, we´re actually spun up for the first time. OK? So User Management
|
|
0:03:26
|
is the section that we´re going to be focusing on a lot today.
|
|
0:03:29
|
We see something called Credential Policy Default, Credential Policies, Application User, End User,
|
|
0:03:38
|
Role, User Group and then other various things like User Phone Add which we´re not so
|
|
0:03:45
|
concerned about adding, Application User CAPF or Certificate Authority Proxy Function profile and
|
|
0:03:54
|
End User Certificate Authority Proxy Function Profile. We´re not going to be dealing with these
|
|
0:04:00
|
today because those specifically CAPF deal with security, so when we have the module
|
|
0:04:06
|
all to itself just on voice security, that´s when we´ll cover those entities,
|
|
0:04:14
|
just go ahead and note that we do have phones in the system and they
|
|
0:04:22
|
all are registered. OK? So based on the task, it sounds like a credential policy
|
|
0:04:34
|
is something we might want to look at and we were told to change
|
|
0:04:40
|
all users default pin to 9999. Well, first of all we need to ask the question
|
|
0:04:50
|
or the question begs to be asked, what type of a user and what´s the difference?
|
|
0:04:55
|
What´s the difference between an Application User and an End User? I don´t know,
|
|
0:05:00
|
let´s take a look at both. Let´s look at an end user first,
|
|
0:05:04
|
we already had one created from yesterday an hq phone 2, first name User last
|
|
0:05:09
|
name hq phone 2 user ID, the only thing we have to have,
|
|
0:05:15
|
as we can see if we click on this is User ID and last name
|
|
0:05:21
|
we actually do need a pin and a password as well but we don´t have to
|
|
0:05:26
|
fill in first name or any of the other ancillary information
|
|
0:05:30
|
but of course that´s what we´ll be talking about today. So, we see that
|
|
0:05:35
|
End User has a user ID, password, has a pin, last name, middle name optional,
|
|
0:05:45
|
first name optional, a lot of optional fields like telephone number, mail ID, manager´s user ID,
|
|
0:05:53
|
although it doesn´t look like there´s any place to set up a hierarchy
|
|
0:05:56
|
so this is just an informative field, not really for creating any sort
|
|
0:06:01
|
of organizational chart or hierarchy, department again informational, user locale, so what language and
|
|
0:06:11
|
area, geographic locale are they in, associated PC, this is actually a very old field
|
|
0:06:18
|
something that used to be called Cisco SoftPhone because SoftPhone is not IP communicator or
|
|
0:06:24
|
any of the other SoftPhone, it’s something very old. I believe it’s still configurable on 7
|
|
0:06:31
|
but honestly I haven’t used it since 3.x so I really couldn’t tell you
|
|
0:06:36
|
because I haven´t used it forever. Digest credentials and Confirm based with the Digest
|
|
0:06:42
|
and of a hash value devices that we´re associated to.
|
|
0:06:50
|
So we can click on Device Association, find the list of devices, show the devices
|
|
0:06:55
|
already associated with the user, we unclick that, we don’t see the one device
|
|
0:06:59
|
we’re already associated to, we click it, it will refresh and show us this device as well.
|
|
0:07:06
|
OK? And so we can choose to associate to multiple devices from Save Selected Changes,
|
|
0:07:13
|
well remember that D7 was our primary, A93 is now a secondary phone that we´re associated to.
|
|
0:07:23
|
So we can be associated to multiple devices, not a problem.
|
|
0:07:28
|
We can really still only have one primary phone number, this is a phone number
|
|
0:07:32
|
that will show up in the Corporate Directory. In fact, let´s just mention what
|
|
0:07:37
|
will show up in the Corporate Directory, the first name and last name and
|
|
0:07:45
|
and telephone number. OK? Extension Mobility, if we were setting up Extension Mobility
|
|
0:07:51
|
we would create user device profiles, and this user device profiles would be
|
|
0:07:58
|
all of the ones that were available on the system would be listed here in this box
|
|
0:08:03
|
and then we could choose which one we wanted and hit the down arrow
|
|
0:08:06
|
and select it, and put those in to the Controlled Profiles, so this fax
|
|
0:08:12
|
is the profiles that are controlled by this particular user.
|
|
0:08:17
|
And then we can have a Default Profile because just like we can be associated
|
|
0:08:21
|
to multiple phones, we can also be associated to multiple user device profiles
|
|
0:08:27
|
and you know maybe we´re CEO of 4 or 5 medium size companies
|
|
0:08:33
|
and we want to use different user device profiles when we log in at different phones,
|
|
0:08:43
|
depending on where we are or maybe even the same phone for the different companies
|
|
0:08:48
|
they´re all using the same you know UC, Unified Communications Manager Cluster
|
|
0:08:53
|
to save some money. OK? Not a large environment probably not a typical usage of that,
|
|
0:09:01
|
but certainly it could be used in a small or even medium size environment.
|
|
0:09:09
|
So presence group will talk a little bit about presence, we won’t talk about
|
|
0:09:13
|
presence group or anything like this because that will actually be in the module
|
|
0:09:19
|
all to its own for presence however, I will just go ahead and save this about
|
|
0:09:25
|
the presence information on this page. These two attributes are if this one particular
|
|
0:09:29
|
is being used for essentially third party application so maybe our company had
|
|
0:09:39
|
or has web developer or just application developers in general, maybe they build some sort
|
|
0:09:45
|
of a web app for us and when we photo log in,
|
|
0:09:48
|
we want to see certain users status or presence status and our Presence group and
|
|
0:09:57
|
Subscribe Calling Search Space associated here with our user are what we would use to,
|
|
0:10:05
|
to use in terms of a control or permissions and we´ll talk again like I said
|
|
0:10:14
|
about how those permissions work, how the group interactions subscribe and
|
|
0:10:20
|
allow and disallow subscription, how that works in the presence module but those were the
|
|
0:10:26
|
attributes that we would use associated to the user when we´re using maybe
|
|
0:10:29
|
a third party web application. OK? This checkbox, a lot of these are all in
|
|
0:10:36
|
the same area like presence and subscribes, this is an extension mobility,
|
|
0:10:40
|
this is also going to be used for extension mobility. So it´s not only going to
|
|
0:10:44
|
be used by third party applications but extension mobility itself, if we want to do presence
|
|
0:10:53
|
and subscribe because, essentially an extension mobility user device profile takes effect
|
|
0:11:01
|
over top of the device configuration on the device we´re logging in to.
|
|
0:11:08
|
And we´re allowed to control the device from CTI or Computer Telephony Integration,
|
|
0:11:15
|
so it’s important that if we’re using Extension Mobility anything that
|
|
0:11:23
|
anything that requires some sort of direct interaction with the phone that has to be
|
|
0:11:29
|
authenticated through the use of a CTI. In fact, when we´ve been using the application
|
|
0:11:37
|
for remote phone, we can use a CM user associated with the device.
|
|
0:11:47
|
Let´s just go ahead and illustrate this here since we are already,
|
|
0:11:51
|
make sure this is saved, we are already associated to two devices here,
|
|
0:11:58
|
as this user, just go ahead and make sure the password Cisco won´t need the pin
|
|
0:12:10
|
but let´s just make sure it´s 12345. OK, and we have Allow Control of Device from CTI.
|
|
0:12:23
|
We would also need to get with a group and we´ll be talking a lot more
|
|
0:12:28
|
about these groups, so let´s just do contain CTI and let´s do Standard CTI Enabled,
|
|
0:12:35
|
add selected, again we´ll be talking about these, by these we should see
|
|
0:12:44
|
that we have not only the group but the role of Standard CTI Enabled. OK?
|
|
0:12:49
|
So, let´s go ahead and take a look at this phone and save the user.
|
|
0:12:53
|
So, previously what we´re using is just a Call Manager Administrator User which maybe
|
|
0:12:59
|
could better be put, a user with AXL and CTI rights, which the administrator super user
|
|
0:13:07
|
does happen to have that but we can create unique one and all things
|
|
0:13:11
|
we´ll talk about today. And that´s just the way that we can control
|
|
0:13:15
|
pretty much any device on the cluster, but here we´ll do a CUCM End User
|
|
0:13:21
|
so hq phone 2, this is the phone IP address that we want to control
|
|
0:13:29
|
so it´ll be a good idea to find out, let´s see 6 delta 7 or alpha 93
|
|
0:13:34
|
are the two that we´re looking at. 6 delta 7, we look at that one is
|
|
0:13:40
|
192 168 044 hq phone 3 and the password of Cisco, save and connect.
|
|
0:13:56
|
Also I should mention that this phone needs to have on it, while waiting
|
|
0:14:03
|
for this to load, it actually it said invalid username, we´ll come back and look at it.
|
|
0:14:08
|
Allow Control of Device from CTI which it does have, check, back and look
|
|
0:14:14
|
at the End User, make sure, LDAP Authentication. Go back and look at the user,
|
|
0:14:25
|
maybe I keyed it in wrong or something. I did, I said phone 3 and
|
|
0:14:30
|
it´s phone 2, now we´ll try to connect. OK? Let´s just copy and paste
|
|
0:14:39
|
and then let´s go ahead and just say Cisco, tap that, paste it here,
|
|
0:14:50
|
paste it here, paste it here, save, username or password is invalid. OK.
|
|
0:15:04
|
Well, this isn´t exactly we expect to see. OK. Device Association, just make sure
|
|
0:15:13
|
this is the right phone, this is 1001 go here to our phones. Yes d7,
|
|
0:15:25
|
should be in fact, yes 1001. OK, we do have CTI there, uncheck the other,
|
|
0:15:40
|
selected, back to the user, put a Cisco, you have a primary extension
|
|
0:15:53
|
let's see if that has, I´m not sure why it's not letting us in,
|
|
0:16:03
|
let´s just make sure that everything works in general, 177.1.10.10, I´m in, cc by Cisco.
|
|
0:16:26
|
OK, that is working. Can anyone see what I´m not doing, right here?
|
|
0:16:43
|
He´s asking for the password not the pin, user ID. I guess that was hq phone
|
|
0:16:55
|
1 at some point, last name, but the last name shouldn´t really matter too much.
|
|
0:17:08
|
Is the Credential Policies set to require a password change at the first log in?
|
|
0:17:15
|
Very possible that it is, which is where we were going.
|
|
0:17:22
|
Yes, that´s exactly what it is, perfect. OK, good. Glad I could help.
|
|
0:17:33
|
I should have just stuck, instead of varying off, I should have stuck with the
|
|
0:17:39
|
what we´re going to do which was go to solve the task, which dealt with Credentials,
|
|
0:17:45
|
oh well, with troubleshooting thanks for reaction. OK. So now, phone IP is back to,
|
|
0:17:56
|
it´s private, be in pace whenever possible, hqph1, connect. It´s still saying invalid,
|
|
0:18:16
|
Let´s see, we may not have updated this afterwards just key this in one more time,
|
|
0:18:25
|
save, Credential, does not expire, must not, doesn´t require changing at the next log in.
|
|
0:18:35
|
Actually, I´m not sure if it did because this was the, this was the credential
|
|
0:18:40
|
and what I had checked on was the Credential Policy Default for creating new ones but
|
|
0:18:46
|
not a bad idea for troubleshooting, very good idea so d7, allow control,
|
|
0:18:56
|
primary extension, we have Standard CTI enabled, move this one just, I don´t think that
|
|
0:19:09
|
has anything to do with it, actually it really should not. To be honest,
|
|
0:19:20
|
I haven´t tried this client with an end user associated with the device because the
|
|
0:19:26
|
fact that it allows the AXL integration for all the devices is just so much simpler
|
|
0:19:30
|
so I would assume that it should work properly but let´s come back
|
|
0:19:36
|
and take a look at this one later because it could be this actual client.
|
|
0:19:40
|
OK. So, we will come back and take a look at that, we won´t forget it.
|
|
0:19:52
|
OK. So let´s go on with the task that we were instructed to change all users
|
|
0:19:58
|
default pin to 99999. Do this with one click of the save button.
|
|
0:20:03
|
Ensure that each user must change the pin once they login for the first time.
|
|
0:20:07
|
Then close our second window, so that doesn´t time us out and
|
|
0:20:11
|
if we look under Credential Policy Defaults and then also under Credential policy,
|
|
0:20:17
|
so here´s our kind of interesting the way they´re named this is Find and List
|
|
0:20:22
|
Credential Policy Default and they´re called the Default Credential Policy and
|
|
0:20:27
|
then this is Credential Policies and it also called the Default Credential Policy,
|
|
0:20:31
|
little confusing possibly. Look at each one. First of all, this Default Credential Policy
|
|
0:20:39
|
has most of what we might consider Policy Information; each of these as we can see
|
|
0:20:46
|
is specific to either end user or application user both for the type of password
|
|
0:20:54
|
and then the End User as it relates to Pin, that´s why there´s three separate ones
|
|
0:20:59
|
that are all named the same thing. OK. So, let´s open the End User for password,
|
|
0:21:05
|
see that we can´t change the User whether it´s End or Application or password
|
|
0:21:13
|
and that credential policy is set to Default Credential Policy, that is this module here.
|
|
0:21:21
|
So that´s how these two interact, naming them a bit differently might be advantageous,
|
|
0:21:28
|
creating some sort of intuitive naming system. OK. So, we can see that the Credential Policy
|
|
0:21:35
|
for End Users as it pertains to password other than the three things that
|
|
0:21:39
|
we can override and the change credential. OK. What credential? In this case, password.
|
|
0:21:47
|
If we were on End User Pin then these two fields would be related to Pin,
|
|
0:21:51
|
which is as the task asks us where we are going next. OK? So what´s
|
|
0:21:57
|
the policy relating to passwords for End Users? Here it is,
|
|
0:22:02
|
reset the failed login every so often, Lockout duration, Minimum Duration between credential changes,
|
|
0:22:10
|
we´re actually going to go over this and a little bit more detail
|
|
0:22:12
|
in a little while with later tasks but we can see these are things that we’re typically
|
|
0:22:16
|
fairly familiar with the most sort of LDAP type systems, Active Directory or otherwise,
|
|
0:22:25
|
OK? But why did they say stored number of previous credentials?
|
|
0:22:29
|
Why doesn't it say store the number of previous passwords, well because it is
|
|
0:22:34
|
passwords when it is related to the user, end user and the typed password or
|
|
0:22:41
|
user application user and the typed password but stored number of previous credentials is related
|
|
0:22:50
|
to pins when we happen to go back and look at end user associated with pin,
|
|
0:22:58
|
and the exact same credential policy, in fact let´s just rename this from Default to Overarching
|
|
0:23:09
|
Credential Policy Criteria file this and then actually we have to do a copy.
|
|
0:23:27
|
We´ll just copy, save, you can change values later and now we can hit refresh
|
|
0:23:35
|
on this page since it already loaded and now we can choose something related,
|
|
0:23:41
|
so end user pin ask to log at next log-in which that was we were told
|
|
0:23:47
|
and the Default pin to 99999, leave that and say 9999 actually 9,
|
|
0:23:54
|
so five 9s, 12345 of the 9s. Say here´s our one button, Save. OK.
|
|
0:24:08
|
OK. It doesn´t show up, it´s taken and hashed. OK? So that´s the solution
|
|
0:24:17
|
for this particular task and we started to talk about what the difference was
|
|
0:24:22
|
and we took a little bit of an in depth look at End Users.
|
|
0:24:26
|
Let´s see if there´s anything we didn´t cover, Primary Extension we configure but we´ll talk about
|
|
0:24:32
|
where that´s applicable. Mobility Information, again this relates to, this is unified mobility for
|
|
0:24:40
|
single number reach and for Mobile Voice Access. OK? We won´t talk about all the specifics
|
|
0:24:48
|
but just keep in mind that it does relate to the mobility information
|
|
0:24:51
|
and we do need to come back here on the mobility module and really
|
|
0:24:55
|
hash out what each and all of these do. CAPF, Certificate Authority Proxy Function
|
|
0:25:02
|
this is for security or securing voice and then permissions, we´re certainly going to talk
|
|
0:25:09
|
a lot about these today because this gets in to the roles and groups,
|
|
0:25:14
|
so then going back and looking at the other kind of user was Application user,
|
|
0:25:19
|
notice that there are a number of application users already created by default
|
|
0:25:27
|
and you can certainly see that there is one that has been created dynamically
|
|
0:25:35
|
most likely by VIOP Integration Software and we can see that it´s dynamic
|
|
0:25:44
|
or not default because it actually has a checkbox to be able to delete,
|
|
0:25:48
|
all the rest of them we cannot delete. So like for instance admin is the one that
|
|
0:25:54
|
we use to login to the main system, so let´s take a look at that.
|
|
0:25:57
|
Notice that it´s got a user ID, but no first or last name, no telephone,
|
|
0:26:01
|
manager, it´s not an end user. It doesn´t need all of that fluff informative
|
|
0:26:07
|
like attributes, just have presence group and attributes relating to presence
|
|
0:26:14
|
because when we’ll talk about presence and SIP, actually most of these are SIP specific,
|
|
0:26:20
|
presence as a SIP function, out of dialogue unsolicited notifications and replaces headers
|
|
0:26:25
|
as well as well SIP functions and those are SIP security features, more specifically
|
|
0:26:32
|
I should say security in generals particular authority proxy function and then permissions.
|
|
0:26:37
|
So this is really all that this needs, there´s a User ID and a password,
|
|
0:26:41
|
possibly things related to SIP and also possibly more specific SIP presence
|
|
0:26:49
|
but could just be SIP in general. Obviously security about certificate authority,
|
|
0:26:55
|
information and profiles but then most importantly permissions, so groups are going to always be
|
|
0:27:03
|
groups full of roles, and we´ll get in to what not every single role,
|
|
0:27:08
|
we won´t read through just for the sake of preventing you from sheer boredom
|
|
0:27:12
|
but we´ll look at the number of the roles and certainly get a good idea
|
|
0:27:15
|
of what´s there and what we can do. But whenever we add a user to a group,
|
|
0:27:23
|
not get too far ahead of ourselves here, we can let´s say,
|
|
0:27:27
|
we already have a number of roles there but notice we don´t remove roles,
|
|
0:27:34
|
we add and remove groups and those add and remove the roles that
|
|
0:27:39
|
already associated with that group, again we´ll take a look at those more
|
|
0:27:42
|
in depth in a bit. Let´s look back in our tasks, next for CUCM credentials,
|
|
0:27:49
|
ensure that any users authenticating to the CUCM pub server directly only have the ability
|
|
0:27:56
|
to attempt authentication five times before being locked out, of this before we read
|
|
0:28:03
|
all of these information, this sounds like what we were looking at with Credential Policy itself.
|
|
0:28:11
|
Notice that with Credential Policy Default, there´s no place to add or delete
|
|
0:28:20
|
that´s because these are really the things that need assigned attributes as they pertain to credentials.
|
|
0:28:28
|
OK? And user password and user pin and then application user password,
|
|
0:28:34
|
application users don´t have pins as we just saw. So there´s really nothing to change here,
|
|
0:28:40
|
other than we can change as we noted. We didn’t change that one, we changed,
|
|
0:28:46
|
we might as well. Let´s go ahead and do that, let´s change this here,
|
|
0:28:50
|
we´ll need this, save for the end user password and then Credential Policy Default,
|
|
0:28:58
|
we will not change the application user password, we´ll leave that on Default Credential Policy
|
|
0:29:09
|
but we changed the End User password and End User pin to overarching Credential Policy Criteria
|
|
0:29:18
|
so those are the fields or attributes that those type of credentials are using,
|
|
0:29:27
|
so now we´ll go and actually modify that Overarching Credential Policy Criteria that we copied.
|
|
0:29:34
|
OK? So let´s go back and see, any users authenticating the CUCM pub server directly
|
|
0:29:41
|
should only have the ability to attempt the authentication five times before being locked out,
|
|
0:29:46
|
here we see failed login and right now it´s set to no limit,
|
|
0:29:51
|
we´re going to uncheck this which will ungray this box and we can say
|
|
0:29:56
|
five failed logins will essentially lock you out however, they should automatically
|
|
0:30:04
|
be able to try again in 15 minutes, OK? So let’s look at the next field,
|
|
0:30:09
|
reset failed log-in every, that’s 15 minutes and then the counter should reset every hour
|
|
0:30:18
|
against their five log-in attempts, so if they try to log-in now and they wait five minutes,
|
|
0:30:26
|
let’s say they fail and then they wait five minutes, they haven’t waited long enough,
|
|
0:30:35
|
they have to wait every hour against their five log-in attempts.
|
|
0:30:40
|
So if I try to log-in five times within 60 minutes, it’s going to fail, however
|
|
0:30:49
|
if I try to log-in four times within 60 minutes and then I wait an hour,
|
|
0:30:53
|
an hour from my last, it will, the lockout will reset after an hour.
|
|
0:31:08
|
Ensure that every user authenticating the CUCM pub server must change their credentials
|
|
0:31:17
|
every six months and they may not use any of the three previous
|
|
0:31:20
|
and that users logging in should be warned at least seven days in advance of their
|
|
0:31:26
|
expiring. There's a really good reason why we’re using the word credentials versus password
|
|
0:31:34
|
and pin, and you'll see that when we get to the next step, OK?
|
|
0:31:42
|
So actually two steps, so we’re told to make sure they change every six months
|
|
0:31:48
|
and they can’t use any of the three previous, so credentials expire after how many days,
|
|
0:31:55
|
what we said, we said what? Every six months.
|
|
0:32:00
|
OK, so we’ll just bring up a calculator and do what, 30 times 6, 180 right?
|
|
0:32:09
|
So 180, we weren’t told anything about minimum credential length, stored number of previous
|
|
0:32:15
|
credentials, they can’t use any of their three previous passwords. OK?
|
|
0:32:21
|
So let’s use three there and they should be warned seven days in advance, so an expiry
|
|
0:32:29
|
to their password or credentials warning in days should be warned seven days in advance.
|
|
0:32:27
|
OK? The minimum length for credentials of users authenticating directly to the CUCM pub must
|
|
0:32:43
|
be at least five characters and they should not be permitted to use trivial passwords.
|
|
0:32:48
|
Alright, so the minimum credential length we’ll change to five and check for trivial passwords
|
|
0:32:54
|
and then if a user does not authenticate directly with the CUCM pub within three months,
|
|
0:33:03
|
that user should be locked out and require administrative assistance,
|
|
0:33:07
|
so this is the inactive days allowed. Three months, six times three, which is
|
|
0:33:14
|
a 180 over here. Thirty times three, as everyone knows, 90, make sure we put
|
|
0:33:25
|
the right value in the right field and it looks like we’ve completed everything
|
|
0:33:34
|
for this particular task. Great, any questions so far?
|
|
0:33:39
|
Is everyone able to see my screen? Joe? I’ll take your question, but let me just ask
|
|
0:33:51
|
while you're asking is that, is everyone able to see my screen
|
|
0:33:53
|
and are the refreshes happening fast enough? I just want to make sure the room
|
|
0:33:56
|
is performing properly. I’ve got plenty of good latency but I want to make sure
|
|
0:34:01
|
everyone else is fine as well and then Joe, go ahead with your question.
|
|
0:34:11
|
Oh, you meant to hit the check mark that everything’s understood.
|
|
0:34:13
|
OK, are there any questions at all? OK, everyone’s understanding everything great.
|
|
0:34:19
|
OK, I was hoping for more questions in these classes. You guys are too good
|
|
0:34:25
|
with the easy understanding. OK, so let’s move on. We’re next told to integrate
|
|
0:34:36
|
the unified contact center express server with the CUCM cluster. We’re only going to be doing,
|
|
0:34:42
|
you will have more, yes I’m sure, no problem. I actually do see someone’s
|
|
0:34:51
|
hand raised and again I don’t know how to pronounce your name,
|
|
0:34:54
|
you can speak up on the microphone if you like. Is it Alaulu?
|
|
0:35:03
|
Go ahead if you like or you can key it in the questions if you
|
|
0:35:06
|
have a question or if you were just raising your hand as a checkbox instead.
|
|
0:35:13
|
Yes? Alaulu, I see your hand raised. You have a question?
|
|
0:35:31
|
Oh, it wasn’t intentional. OK, no problem. I just wanted to make sure.
|
|
0:35:42
|
So we’re going to do a basic integration with the CUCCX. You'll understand the reason
|
|
0:35:47
|
for this in a little while. So ensure that the AXL authentication is challenged
|
|
0:35:53
|
against the CUCM pub server only and that both CTI roles are authenticated against the sub
|
|
0:36:00
|
and pub in that respective order. Now note this, friendly note, you may want to
|
|
0:36:07
|
read ahead to the next task before performing this task and then another friendly note,
|
|
0:36:11
|
you would not have been given the previous friendly note in an actual
|
|
0:36:15
|
CCIE practical exam or lab exam, as I have been mentioning throughout
|
|
0:36:20
|
the other days of the modules. I just thought I’d explicitly put it there
|
|
0:36:28
|
on the screen and then in the volume one just as a bit of humor levity,
|
|
0:36:33
|
but then also kind of reminding you of the fact, solemn fact that you probably
|
|
0:36:38
|
wouldn’t be even be given these nice clear headings of what it is we’re doing
|
|
0:36:42
|
and actually this heading doesn’t really jive with all these,
|
|
0:36:48
|
but it does have to do with the friendly note in why you may want
|
|
0:36:51
|
to read ahead and the fact that eventually, this task of ensuring that the AXL authentication
|
|
0:36:58
|
is challenged against the CUCM pub server only, will not be able to prevail long term.
|
|
0:37:04
|
Now let me just stop and say something very quickly.
|
|
0:37:08
|
In a CCIE actual lab exam and in any of our volume 2 or mock lab workshops,
|
|
0:37:20
|
so 10 day classes week #2, any of the mock labs that you'll take
|
|
0:37:26
|
from us and or, well hopefully if any vendor as well and I certainly encourage,
|
|
0:37:32
|
you know multiple vendors products, everyone has different points of view and it’s good
|
|
0:37:35
|
to see different points of view, but whether you're using a mock lab or
|
|
0:37:43
|
taking the real exam, you will not have any sort of tasks that conflict with each other,
|
|
0:37:49
|
they may seem to, but they ultimately will not, they will ultimately be a way
|
|
0:37:54
|
to perform everything, but this task, stating AXL authentication is challenged against CUCM pub
|
|
0:38:02
|
well will that be able to prevail is, OK I’ll ask you,
|
|
0:38:12
|
OK I’ll answer that question, just about the mock lab in a bit,
|
|
0:38:16
|
if I may and take that offline. So in short, the AXL is challenged against the
|
|
0:38:23
|
CUCM pub server only, now wait a minute, didn’t we just get done saying,
|
|
0:38:32
|
bring this drawing back up, didn’t we just get done saying that all authentication
|
|
0:38:41
|
will go through the pub, but not bring it back up, not only against the pub,
|
|
0:38:57
|
but didn’t we say that it will actually be sent really through the pub
|
|
0:39:06
|
as a proxy on to the AD? Well we said for end users that was true,
|
|
0:39:21
|
not necessarily for application users, so two things in keeping with what I was saying,
|
|
0:39:30
|
which is that, one, tasks may seem in a mock lab or the real lab exam,
|
|
0:39:45
|
may seem to conflict with one another, but in fact,
|
|
0:39:49
|
there will never be a conflict that can’t be overcome, in other words, all of
|
|
0:39:53
|
the configuration will be able to be configured in a proper meeting the requirements,
|
|
0:40:01
|
meeting the proctor, and designer of the labs expectations in order to achieve
|
|
0:40:05
|
a passing grade, all of it, in that format for a mock or actual lab exam
|
|
0:40:14
|
but sometimes they may seem to however, it should be noted that in any sort
|
|
0:40:18
|
of like a volume one which are some of the tasks that we’ve created new
|
|
0:40:22
|
and are working through and you know any sort of a technology focus lab,
|
|
0:40:29
|
there may be tasks that will ask you to do and you´ll see this certainly
|
|
0:40:34
|
with let´s see, probably gateways maybe a little bit the module, module for that
|
|
0:40:40
|
or the media might be another one, there will be things that we´ll ask you to do
|
|
0:40:47
|
and then later will actually ask you, you know later on in the task section,
|
|
0:40:52
|
we’ll ask you to undo. OK? And the reason is, is that we want to
|
|
0:40:56
|
try to explore during this volume one or during this any technology focus or
|
|
0:41:04
|
technology specific focus, rather than a all together holistic mock lab and then the technology
|
|
0:41:12
|
focused ones, we want to try to cover all of the possible permutations
|
|
0:41:17
|
for at least a good number of them, may be not for all of our secrets
|
|
0:41:21
|
out right away and cover some of those in mock labs. But a good number of
|
|
0:41:24
|
them certainly to give the candidate or student a full understanding of it,
|
|
0:41:29
|
so some things will be overwritten but that’s actually one that just seemingly going
|
|
0:41:35
|
to be unachievable ultimately but it actually will be achievable ultimately.
|
|
0:41:39
|
OK. So, let’s go ahead and look on as we were given the friendly task
|
|
0:41:46
|
We could go ahead and do this right now and it does pertain to users
|
|
0:41:50
|
and we will accomplish this but let’s just go ahead and for the sake
|
|
0:41:54
|
of our sanity and the sake of a long time in resetting everything
|
|
0:42:00
|
because if we mess up, guess what it’s back to reset the VM or servers
|
|
0:42:04
|
in the lab it’s you’re done with UCCX for today. OK. For the sake of that,
|
|
0:42:12
|
we’ll go ahead and move on and see where that possible trip up might be
|
|
0:42:17
|
and it’s here, with task 1.4. Let’s read through one task 1.4 and
|
|
0:42:24
|
it’s a big one so as soon as we read through it and
|
|
0:42:27
|
get a general understanding of what we are to do, we’ll take a break.
|
|
0:42:32
|
So now, we actually are going to perform LDAP synchronization, we’re instructed to
|
|
0:42:38
|
pub server to synchronize users from the island natural exports LDAP INE that
|
|
0:42:46
|
reside on the active directory, INE Active Directory Domain Controller which is known
|
|
0:42:51
|
as Win2k8 DC1, we are using a Windows 2008 advance server,
|
|
0:42:59
|
whatever the kitchen sink server is, Microsoft has so many different versions of their servers
|
|
0:43:06
|
and operating systems. Anyone else get, just take a real quick levity break and pull this,
|
|
0:43:16
|
and does anyone else get any overwhelmed or confused might be a better word at
|
|
0:43:23
|
all the various versions of Windows 7? And sometimes I think that they just named certain
|
|
0:43:30
|
things like business edition just so that you’ll, you know you’ll buy that
|
|
0:43:36
|
if you are a business person but don’t actually know IT.
|
|
0:43:38
|
My father-in-law for instance was getting a new computer and kept assuring me,
|
|
0:43:44
|
well I’m pretty positive Mark, I need Windows 7 Business Edition or whatever it’s called,
|
|
0:43:49
|
you know specifically for business. And I’m looking through all the features and I’m like,
|
|
0:43:53
|
work in a you know that rather large company, not large, medium size
|
|
0:43:59
|
or president really, of partner and owner of a rather decently sized,
|
|
0:44:11
|
you know maybe 500 person moving company and warehouse and forwarding
|
|
0:44:15
|
storaging logistics, but he works in an office of you know, I don’t know 50 people
|
|
0:44:21
|
with small I.T. server firm and he’s sitting there using Windows and wanting to upgrade
|
|
0:44:27
|
and I’m looking through all the things and I must take that a large active directory,
|
|
0:44:30
|
they don’t need Business Edition. Does anyone else get at all, use by all the various features
|
|
0:44:36
|
or think that they’re unnecessary for the Microsoft OS or am I just going
|
|
0:44:41
|
off on a rant on my own just to see if anyone’s awake?
|
|
0:44:44
|
I do see some checkboxes, good. I finally look back in from a window,
|
|
0:44:51
|
look at the screen. Is exchange built in?
|
|
0:44:58
|
Well that's actually a function of the office platform that you buy,
|
|
0:45:02
|
if you buy Office Business. You mean like the small, I was talking about
|
|
0:45:07
|
the end user not the server but I see in a small business server has exchange
|
|
0:45:11
|
built in, sure that makes sense. Talking about just a regular end user like you know,
|
|
0:45:18
|
home or basic, basic then home then professional, then business, then e-i-e-i-o,
|
|
0:45:24
|
then international space station version. I mean it’s just interesting.
|
|
0:45:28
|
Buckle up, so just buy it, it’s got everything. Anyway, alright when you use
|
|
0:45:32
|
the AD Schema to garner information about the server and about the LDAP schema.
|
|
0:45:37
|
OK. By the way, that is going to be, this year they will be taking to
|
|
0:45:42
|
at so here’s our island natural exports company that we’ve set up, top level is com.
|
|
0:45:53
|
Anyone know what the top domain name is in all of the world and I don’t
|
|
0:46:01
|
mean like top number one used domain but does anyone know what the top level domain,
|
|
0:46:05
|
the TLD is? Here’s another bit of trivia. As it pertains to DNS,
|
|
0:46:15
|
does anyone know what the top level domain is? It's actually dot,
|
|
0:46:20
|
after if you had like .com or .net or .org or .gov or whatever,
|
|
0:46:27
|
there’s another dot afterwards that nobody ever puts in and you don’t need to
|
|
0:46:31
|
that’s actually the top level domain is dot. So anyway, we’ve got the dc
|
|
0:46:39
|
at com as the top level, and then ine or island natural exports and
|
|
0:46:46
|
then our organizational unit and then a number of other organizational units like executive,
|
|
0:46:51
|
sales, r and d, it, operations, and security, and the directory is actually built out
|
|
0:47:00
|
much much more advanced and beyond that maybe we’ll take a look at some of that
|
|
0:47:04
|
but actually let’s go ahead and pull that up but we’ll only be using those
|
|
0:47:12
|
sort of a second level ou’s, the first and second level ou’s today.
|
|
0:47:19
|
OK. Can everyone still see the screen, now that I full screen the remote desktop?
|
|
0:47:29
|
OK, great. We’re going to go up to active directory users and computers,
|
|
0:47:39
|
here we’ve got our island natural exports, we’re not using the good old fashioned
|
|
0:47:45
|
container CN canonical name of users. We’ve got our island natural exports
|
|
0:47:51
|
organizational unit, we’ve got the executive level with users in it,
|
|
0:47:55
|
we’ve got many sublevels, administration finance, HR, legal, some of those have even subunits.
|
|
0:47:57
|
OK. We’ve got our IT, Desktop, Lan, Software, Telephony and Wan subunits, operations for core
|
|
0:48:12
|
and new products, research and development. Got to rename this, so I’ll do that
|
|
0:48:18
|
real quick so it works. r and d, marketing, public relations, strategy,
|
|
0:48:26
|
we’ve got sales through channels, education and government and then security with
|
|
0:48:32
|
asset protection, personal security and physical security built out.
|
|
0:48:37
|
I believe that’s all the sublevels that we have, nope, finance of course
|
|
0:48:41
|
we’ve got accounts payable, receivable, budgeting office, purchasing, taxes. OK.
|
|
0:48:47
|
So we’ve got a whole big directory set up and we’ve got various users
|
|
0:48:52
|
at various levels. So that’s all we’re going to be using to look through,
|
|
0:48:58
|
going on full screen this, that’s what we’re going to be using to go ahead
|
|
0:49:04
|
and look through our LDAP. OK? So we'll go ahead and read through the requirements,
|
|
0:49:16
|
only synchronized users from “executive”, “sales”, “it”, and “security” organizational units.
|
|
0:49:24
|
OK? So, this one, this one, “it” and “security” were not synchronizing operations or
|
|
0:49:31
|
r and d. Ensure that each user has his/her phone number synchronized
|
|
0:49:38
|
and we’re told, we would not again be told in the lab,
|
|
0:49:42
|
but this may take some experimentation so experiment. So, by the way,
|
|
0:49:46
|
in the lab you’d be given what you need to know in terms of,
|
|
0:49:49
|
you might not be given pretty pictures like this but you’d be given what you need
|
|
0:49:52
|
to know in terms of at least IP address of the domain controller, user name, password
|
|
0:49:58
|
and the basic search phases, and the basic hierarchy and lay out,
|
|
0:50:04
|
you would have to be given that. However, they might not necessarily tell you
|
|
0:50:10
|
certain things like, how to deal with phone numbers and
|
|
0:50:14
|
we’ll take a look at that again when we get to the configuration.
|
|
0:50:16
|
So you’ll see what I mean, in terms of how do we deal with things like that.
|
|
0:50:20
|
We might not be told anything so it might require experimenting,
|
|
0:50:24
|
I’m just going ahead and telling you ahead of time as a kindness, again kind
|
|
0:50:30
|
of like the friendly note up here above. It may take some experimentation, so experiment.
|