Cisco Telepresence Management Suite Clustering With F5 BIG-IP Part 1

Network Setting Configuration of Cisco Meeting Server

Log in to HQ-CMS with the default username admin and the password admin. After you log in, you are prompted to change the password.

Change the hostname.

acano>hostname hq-cms

After this command, the CMS asks you to reboot in order to activate the new hostname. You can reboot the CMS with the reboot command.

acano>reboot

hq-cms>

Configure a static IP address and a gateway. In this command, a is the name of an interface.

hq-cms>ipv4 a add 10.1.5.20/24 10.1.5.1

You need DNS and NTP servers for CMS to work properly. This guide assumes that they are already up and running.

hq-cms>ntp server add 10.1.5.29

hq-cms>dns add forwardzone 10.1.5.27

Certificate Preparation for Cisco Meeting Server

Certificate configuration is required for the Call Bridge, XMPP, Web Bridge and Web Admin services. Certificates should be signed by internal or external certificate authorities.

To generate a Certificate Signing Request (CSR) and private key locally, use the following command. Here the CSR is named cmscert.

hq-cms>pki csr cmscert CN:collab.com OU:CCNP O:Collaboration L:Hydra ST:Algiers C:AL subjectAltName:webbridge.collab.com,xmpp.collab.com,callbridge.collab.com,join.collab.com,webadmin.collab.com,hq-cms.collab.com,*.lab.local,10.1.5.20

To retrieve the CSR, log in to HQ-CMS using WinSCP.

Access the CA server 10.1.6.27.

Start the Certification Authority console, select Certificate Template. Right-click the Certificate Template and select Manage.

Duplicate the Web Server template and configure the duplicate template to allow server and client authentication.

Configure the Template Name and Template display name of the duplicate template to CMS and Cisco Meeting Server respectively.

On the Certificate Console, issue a new certificate template named CMS.

Access the CA server 10.1.6.27 GUI using the url http://10.1.6.27/certsrv.

Click Request a certificate and then click advanced certificate request.

Edit the CSR in Notepad and paste the content. In the Certificate Template, select Cisco Meeting Server.

Select Base 64 Encoded and click Download certificate.

Below is the certificate named cmscert, issued after submitting the CSR to the CA.

A chain certificate is required to trust the cmscert certificate when you enable webadmin and callbridge.

A chain certificate is a single file (with an extension of .pem, .cer or .crt) holding a copy of the Root CA’s certificate and all intermediate certificates in the chain.

To create a chain certificate, you need the Root CA or the CA’s certificate and a Subordinate CA’s certificate with the Common Name: collab.com.

To get a Subordinate CA’s certificate, we need to generate a CSR.

You can use the openssl tool to generate a CSR with the Common Name: collab.com.

If you did not install openssl, you can generate the CSR on Cisco Meeting Server.

Access the HQ-CMS GUI using the url https://10.1.5.20:445.

From the CLI, type the following command. The name of the CSR is adcert and the Common Name is collab.com.

hq-cms>pki csr adcert CN:collab.com OU:CCNP O:Collaboration L:Hydra ST:Algiers C:AL

To retrieve the CSR named adcert, access HQ-CMS using WinSCP, then copy the adcert CSR to your PC.

Access the CA server 10.1.6.27 GUI using the url http://10.1.6.27/certsrv.

Click Request a certificate and then click advanced certificate request.

Edit the CSR in Notepad and paste the content. In the Certificate Template, select Subordinate Certification Authority.

Select Base 64 Encoded and click Download certificate.

Below is the certificate named adcert, issued after submitting the CSR to the CA.

Access the CA server 10.1.6.27 GUI using the url http://10.1.6.27/certsrv.

Click Download a CA certificate, certificate chain, or CRL.

Select Base 64, then click Download CA certificate, name it Root-CA.

Below is the CA’s certificate.

Now that the CA’s certificate and the Subordinate CA’s certificate with the Common Name: collab.com are ready, we can create a chain certificate.

To create a chain certificate, use a plain text editor such as Notepad. All of the characters, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags, need to be inserted into the document. There should be no space between the certificates, for example no spaces or extra lines between -----END CERTIFICATE----- of certificate 1 and -----BEGIN CERTIFICATE----- of certificate 2. Certificate 1 will end with -----END CERTIFICATE----- and the very next line will have -----BEGIN CERTIFICATE----- for certificate 2. At the end of the file there should be 1 extra line. Save the file with an extension of .pem, .cer, or .crt.

Edit the certificate named adcert created previously with Notepad.

Edit the Root-CA certificate with Notepad.

Paste the adcert certificate first and then paste the Root-CA certificate at the end. Save the file with the .cer extension and name it CA-Chain.cer.

Below is the chain certificate named CA-Chain.

A chain certificate is also required for Webbridge3 in version 3.

Edit the certificate named cmscert created previously with Notepad.

Edit the CA-Chain certificate created previously with Notepad.

Paste the cmscert certificate first and then paste the CA-Chain certificate at the end. Save the file with the .cer extension and name it CMS-Chain.cer.

Below is the chain certificate named CMS-Chain.
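The chain-assembly rules above, as an added example that is not part of the original post: a Python script that extracts each PEM block, rejects a corrupted paste, strips the CRLF line endings and blank lines that Notepad and file transfers tend to introduce, and joins the certificates in the order the page gives (adcert then Root-CA for CA-Chain; cmscert then CA-Chain for CMS-Chain). The function names and the `fake_cert` placeholder data are assumptions made for illustration; in practice you would read the real .cer files.

```python
import base64
import re

# One PEM certificate block; anything outside the tags is ignored.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return every certificate found in `text` as a normalised PEM block."""
    blocks = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())                 # drop CR, LF, spaces, blank lines
        der = base64.b64decode(b64, validate=True)  # raises on a corrupted paste
        if not der.startswith(b"\x30"):             # a certificate is a DER SEQUENCE
            raise ValueError("block does not contain DER certificate data")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]))
    if not blocks:
        raise ValueError("no PEM certificate found")
    return blocks


def build_chain(*pem_texts):
    """Join certificates in the order given: no gaps, exactly one final newline."""
    blocks = [b for text in pem_texts for b in pem_blocks(text)]
    return "\n".join(blocks) + "\n"


def fake_cert(label):
    # Constructed placeholder, NOT a real certificate: SEQUENCE tag plus filler,
    # wrapped with CRLF and a trailing blank line to mimic a Windows-edited file.
    body = base64.b64encode(b"\x30\x82" + label.encode() * 20).decode()
    return ("-----BEGIN CERTIFICATE-----\r\n" + body +
            "\r\n-----END CERTIFICATE-----\r\n\r\n")


if __name__ == "__main__":
    adcert, root_ca, cmscert = map(fake_cert, ("adcert", "Root-CA", "cmscert"))
    ca_chain = build_chain(adcert, root_ca)      # content of CA-Chain.cer
    cms_chain = build_chain(cmscert, ca_chain)   # content of CMS-Chain.cer
    print(cms_chain.count("BEGIN CERTIFICATE"), "certificates in CMS-Chain")
```

The script checks only the file format; whether the chain actually validates can be confirmed separately with `openssl verify -CAfile Root-CA.cer -untrusted adcert.cer cmscert.cer`.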

Copy the three certificates cmscert, CA-Chain and CMS-Chain to hq-cms using WinSCP.

You can use the pki list command to verify that the three certificates are present.

Enabling the Web Admin Service

By default, Web Admin listens on HTTPS port 443. However, we will enable the Web Bridge for conference users, and that service will be available on the default HTTPS port 443. To allow both services to co-exist, we will configure Web Admin to listen on port 445.

On CMS-A, specify the interface and HTTPS port 445 for the web interface.

hq-cms>webadmin listen a 445

For the certificate to be used, specify the certificate cmscert created previously with the relevant key.

hq-cms>webadmin certs cmscert.key cmscert.cer CA-Chain.cer

Route HTTP requests to HTTPS.

hq-cms>webadmin http-redirect enable

Finally activate the web admin service.

Verify that the webadmin service is running using the webadmin command.

License Activation using Cisco Meeting Management

Access the Cisco Meeting Management GUI hq-cmm.

In the Settings at the right, go to License, click Change and select Smart Licensing option.

Click Save.

Add a CallBridge to CM

Click Servers to add a Callbridge to CMM. Click Add Call Bridge.

Add the following information:

a. Server Address: 10.1.5.50

b. Port: 445

c. Username: admin

d. Password: (password of CMS)

e. Display name: hq-cms

Check the Use Trusted Certificate Chain boxes. Upload the chain certificate CA-Chain created previously.

Navigate to License at the right, and click the Start Trial button at the left. Make sure the CMM has internet connectivity to register for Trial Mode.

Callbridge Configuration

Configure the callbridge on HQ-CMS to listen on interface a.

hq-cms>callbridge listen a

Specify the certificate cmscert created previously with the relevant key.

hq-cms>callbridge certs cmscert.key cmscert.cer CA-Chain.cer

Restart the callbridge.

hq-cms>callbridge restart

Verify the callbridge on both HQ-CMS.

Webbridge 3 Configuration

From the HQ-CMS CLI, enter the following commands.

On both HQ-CMS, verify the webbridge3 configuration.
