Fun times with Cisco Jabber

I’m often heard giving praise to the Cisco Jabber product line, and rightly so. I feel that Cisco has done an amazing job at creating a useful enterprise collaboration suite of tools, but they haven’t created the perfect Frankenstein either. I first got started using ‘On-Premise Presence’ back in the Unified Communications Manager 7.x days, but didn’t really gain a lot of exposure to the products (Cisco Unified Presence Services or CUPS, and Jabber) until the CUCM 8.6 timeframe, which is really when I started focusing strictly on voice again; I’ve done Cisco UC for a decade, give or take, but only recently, over the past 4 years, has it become my sole focus. Under CUCM/CUPS 8.6, a Cisco on-premise presence solution wasn’t too challenging to deploy; sure, there were logistics issues such as deploying 1200 softphone devices with shared line appearances across the enterprise, but all in all the solution was solid. Since the time when Cisco acquired the Jabber technology platform, there has been a race to get to a point where feature parity between platforms (Windows, iPad, Android, etc.) existed. We’re finally getting pretty close to that point again, but it’s been a bit of a journey. But I digress…

From the 8.6 deployment days, through 9, and into 10.x and 10.5 now (CUCM versions), Cisco has constantly drawn the IM and Presence services (what we previously called CUPS) closer and closer into the CUCM administrative interface. In 10.x we saw major changes that even included making the presence servers part of the actual CUCM cluster, whereas before they were a separate cluster of their own. As this progression has taken place, configuration and integration of Jabber and presence as a whole has gotten easier and easier.

Somewhere around Jabber 9.6 (I don’t feel like opening datasheets to cite an exact version), Cisco had this ‘great idea’ of incorporating SSL certificate usage into the Jabber client process. I get it, we want to add security, it’ll be just a little painful, fine, let’s do it…. Yeah, right. What was once a trivial deployment process has now become certificate hell. The number 1 Jabber platform that Cisco TAC is supporting today (by a huge margin) is Jabber for Windows, and the number 1 support case topic on Jabber revolves around certificate issues. Let me make this short and sweet for you… If you’re going to deploy Jabber in your environment, consider the following suggestions to avoid completely pulling your hair out.

1) Use certificates provided by Verisign. Just do it. Don’t argue with me about provider X being a quarter of the price…. Trust me… Verisign… Just do it. (Insert Nike swoosh here.)

2) Configure your IM and Presence servers, and your CUCM, using hostnames/FQDNs as appropriate. The days of using IP addresses as a best practice are coming to an end, and reliable enterprise-class DNS is now key. Best practices evolve; the time has come to embrace DNS wherever possible.

3) If you can get to CUCM 10.5, consider the use of multiserver certificates. The short version: you’re going to have to generate a heck of a lot fewer certs if you use multiserver certificates, which in essence are cluster-assigned certificates with each of the cluster nodes identified as a Subject Alternative Name (SAN). If you don’t, you’re going to have to issue a certificate for each process (think Tomcat, XMPP, etc.) for each and every node. That’s a lot of certs (and a lot of hard-earned ‘real American Dollars’, to quote one of my recent clients). Yep. I get it. Budget accordingly. Be aware that there is a bug in the current release of CUCM related to multiserver certificates, but by the time SU1 is released it should be resolved (and it has an easy workaround, so don’t sweat it). Use them.

4) Make sure your firewall/web filter rules permit connectivity to the certificate revocation servers (the CRL and OCSP URLs embedded in the certificates), or the client won’t be able to check revocation status.

5) Wireshark is your friend. Trust nothing until you first prove it.
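To make points 3 and 4 concrete, here is an added example (mine, not Cisco’s, and not from any real deployment) that builds a self-signed stand-in for a multiserver certificate with every node of a constructed cluster listed as a DNS SAN, checks that no node FQDN is missing from the SAN list, and pulls the CRL/OCSP hostnames out of the cert so you know what the firewall has to allow. All hostnames are placeholders; it needs OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Constructed demo: a self-signed "multiserver"-style certificate whose SANs
# cover a hypothetical cluster. In production the CSR goes to your CA instead.
set -e

WORK="${TMPDIR:-/tmp}/jabber-cert-demo.$$"
mkdir -p "$WORK"

# Hypothetical CUCM + IM&P node FQDNs (placeholders, not a real cluster)
NODES="cucm-pub.example.internal cucm-sub1.example.internal imp-pub.example.internal imp-sub1.example.internal"

# Build "DNS:a,DNS:b,..." from the node list
san_list() {
  out=""
  for n in $NODES; do
    out="${out:+$out,}DNS:$n"
  done
  printf '%s' "$out"
}

# Generate the cert with SANs, a CRL distribution point and an OCSP responder
# (placeholder URLs). Prints the path of the PEM file.
make_cluster_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/cluster.key" -out "$WORK/cluster.pem" \
    -subj "/CN=cucm-pub.example.internal/O=Example Corp" \
    -addext "subjectAltName=$(san_list)" \
    -addext "crlDistributionPoints=URI:http://crl.example.internal/cluster.crl" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.internal" \
    >/dev/null 2>&1
  printf '%s' "$WORK/cluster.pem"
}

# Return 0 if FQDN $2 appears as a DNS SAN in certificate $1
san_contains() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qx "DNS:$2"
}

# Print every node FQDN that the certificate does NOT cover (empty = all good)
missing_nodes() {
  for n in $NODES; do
    san_contains "$1" "$n" || printf '%s\n' "$n"
  done
}

# Print the hostnames of the revocation endpoints (CRL + OCSP) embedded in the
# cert, one per line: this is the list the firewall/web filter has to allow.
revocation_hosts() {
  openssl x509 -in "$1" -noout -text \
    | grep -o 'URI:[^[:space:]]*' \
    | sed -e 's|^URI:||' -e 's|^[A-Za-z]*://||' -e 's|[/:].*||' \
    | sort -u
}

# Stand-alone usage
CERT=$(make_cluster_cert)
echo "Certificate: $CERT"
echo "Nodes missing from SAN: $(missing_nodes "$CERT" | paste -sd ' ' -)"
echo "Revocation hosts to allow through the firewall:"
revocation_hosts "$CERT"
```

Run the same SAN check against the cert a real cluster presents (`openssl s_client -connect node:8443 -showcerts`) before you point a single Jabber client at it; a node whose FQDN is absent from the SAN list is exactly the kind of thing that produces the certificate warnings TAC spends its days on.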

I’m not trying to make this a play-by-play installation guide, so I’m going to stop here, but suffice it to say, Jabber isn’t turn-key anymore.


In summary: am I giving Cisco a hard time about Jabber? No, I’m really not. I totally get where they’re coming from, I understand their motivations, and I can see that they’re doing everything they can to make this as painless as it can be without sacrificing security. They’ve come a very long way with Jabber since its acquisition, and I’m really excited when I get to pitch it to a client and share my enthusiasm about the product. It’s the real deal, and it rocks. I just think that as a deployment engineer, or somebody responsible for supporting a Jabber deployment, you need to go into this with the right mindset and have an idea of what you’re up against. I’m certain it’s going to keep getting better and better.

…And remember: at least you’re not supporting Lync… :)