IX Workplace - Messaging / Presence

[RedTech443]

What backend servers are needed for IX Workplace Instant Messaging and presence?

Avaya Breeze with the presence snap-in?

I already have the following
CM 8.1
SMGR 8.1
SM 8.1
AADS 8.1
SBC 8.1

LDAP is configured to all with autologin from Email address on IX Workplace, only thing I am missing now is Presence and Messaging. But I have never set those up before.

 

[kyle555]

On 8.1, the messaging is in Presence, so, yes, you need 1 Breeze with presence.
In the snap-in attributes, you can set authentication to be via LDAP, so just do whatever you did in the LDAP setup page in AADS in Breeze for IM and it'll work.

There's more to it than that obviously, but you're on the right track.

 

[RedTech443]

Thanks again Kyle.
I got presence installed and the snap in installed. Just need to find a good document on the steps from there to get ix working with messaging. I'll dig some more tomorrow.

 

[kyle555]

Honestly, the presence snap-in reference is all you need.

If it's all internal, no SBC, 1 Breeze, you need 2 entity links to the breeze and to configure the AMM part in the attributes with LDAP stuff you clearly already have in AADS and it'll work internally.

For the SBC stuff, it's not too hard. Especially if you're on 8.1. You can make the whole thing work with 2 IPs - 1 for SM/PPM and 1 for AMM/Presence/AADS.

If you're not using multiple breezes, then the only FQDN you need is the SM100 of the breeze.

When I do my SBC certs from LetsEncrypt, I add subjectAltNames for everything - sm1-sm100.mylab.com, aads.mylab.com, brz-sm100.mylab.com, etc and use that single cert on a single server profile for all the SBC reverse proxies and outward facing signaling interfaces.

 

[RedTech443]

2 Things.

1.
I have what I think is a correct configuration for Breeze with the presence snapin inatalled. I am using TCP for everything just to make sure it works then I want to switch to TLS. Not sure what I am missing but I am still getting messages are not avail on IX. I am using port 8443 which I think is wrong for TCP but cannot find documentation on what else to use. As far as my SIP entities and everything go I have green checks and replications. I also enabled the one required setting in the attributes for IX to work "Conversations Enabled". I am not using LDAP yet to keep it simple for now as well.

Not sure what I am missing here. See pictures below.



2. I just started reading about letsencrypt and using it for my inernal certs, I like the idea of multiple SANS on the cert, I will need to look into creating a cert on LE for my lab servers. Thanks for the tip!

 

[kyle555]

Yeah, they lied. Messaging is on port 443. Had to root the box and netstat to figure that one out.

Make sure you're using the sm100 FQDN for your messaging server in your IX Workplace

 

[RedTech443]

No luck with port 443 on IX. I am wondering if this is because I am using TCP. My Breeze is 10.1.30.18, my asm100 for breeze is 10.1.30.19, I am pointing IX to 10.1.30.19 manually over port 443.


Going to go through my settings again to verify

 

[kyle555]

Use TLS and FQDNs for everything!

 

[RedTech443]

Yeah that is what I figured, I was in the process of doing that now. Only one giving my a problem is the media-server and TLS. I will post back when I get it all to TLS.

 

[RedTech443]

Got all TLS links up, but I am unable to change the dynamic configuration of my users in AADS to use 5061, even though I have published it and I can see it correct on the test. When I go to

https://lab-aads.domain.int:8443/acs/resources/configurations

I still see the following in the dynamic settings not changing for some reason?


## File Generation Notes
## Avaya Dynamic Configuration Service does not recognize User-Agent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

SET SIP_CONTROLLER_LIST 10.1.30.15:5060;transport=TCP
SET SIPPROXYSRVR 10.1.30.15
SET SIPPORT 5060
SET SIPSECURE 0
SET SIPENABLED 1
SET SIPDOMAIN domain.int
SET SIPUSERNAME 10000
SET SIPHA1 1e2b6503527c43935d8c45433740cfd0
SET ENFORCE_SIPS_URI 1
SET ENABLE_PRESENCE 0
SET SIPREGPROXYPOLICY simultaneous
SET LOCKED_PREFERENCES "SIP_CONTROLLER_LIST,SIPPROXYSRVR,SIPPORT,SIPSECURE,SIPENABLED,SIPDOMAIN,SIPUSERNAME,SIPHA1,ENFORCE_SIPS_URI,ENABLE_PRESENCE,SIPREGPROXYPOLICY"
SET OBSCURE_PREFERENCES "SIP_CONTROLLER_LIST,SIPPROXYSRVR,SIPPORT,SIPSECURE,SIPENABLED,SIPDOMAIN,SIPUSERNAME,SIPHA1,ENFORCE_SIPS_URI,ENABLE_PRESENCE,SIPREGPROXYPOLICY"

 

[kyle555]

Did you configure that at the global or group level? The more granular, the more it overrides. So, settings specific to a user override group settings and group settings override globals.

 

[RedTech443]

I set at the user group level. I have nothing set in global. Also rebooted server no luck

 

[kyle555]

is 5061 a listen port with endpoint enabled on the SM sip entity?

 

[RedTech443]

lol, missed that check box. That fixed it.
Now back to figuring out messaging.

 

[RedTech443]

What trace on the breeze can I look at to see what is happening when I attempt to sign into messaging from IX Workplace?

I see traceHTTP, traceCM, traceSIP etc... Not sure what one to use for this?

 

[kyle555]

Should be easy now.
I used the SSO option. You're pretty good with AADS giving you your SIP username and password - that means your AADS login has a mapping of something to your SMGRLoginName - like maybe userPrincipalName or mail. You'd just need to set those attributes for Presence and put in the same stuff like AADS and it should happily let you authenticate with your AD account.

SET ESMSRVR breeze-sm100.yourlab.com
SET ESMPORT 443
SET ESMSSO 1
SET ESMREFRESH 0
SET ESMENABLED 1
SET ESMSECURE 1

 

[RedTech443]

I think I smell what you are stepping in but not sure..

in my AADS I have it set with mail to authenticate to SMGR username for login. But I can only have one attribute in AADS for that. Are you talking about adding an attribute to the SMGR LDAP Datasource Attribute Parameters or adding something to my LDAP user in AD?


Also added the following

SET SIP_CONTROLLER_LIST 10.1.30.15:5061;transport=TLS
SET SIPPROXYSRVR 10.1.30.15
SET SIPPORT 5061
SET SIPSECURE 1
SET SIPENABLED 1
SET SIPDOMAIN domain.int
SET SIPUSERNAME 10000
SET SIPHA1 ab10d2ac6dbb9f4168b28a78d4d96ba0
SET ESMSSO 1
SET ESMREFRESH 0
SET ACSSECURE 1
SET ESMSRVR 10.1.30.19
SET ACSSRVR 10.1.30.16
SET ESMPORT 443
SET ACSPORT 443
SET ESMENABLED 1
SET ESMSECURE 1
SET ENFORCE_SIPS_URI 1
SET ACSENABLED 1
SET ACSSSO 1
SET ENABLE_PRESENCE 1
SET PRESENCE_SERVER 10.1.30.19
SET LOCKED_PREFERENCES ""
SET OBSCURE_PREFERENCES ""

 

[kyle555]

Only use FQDNs! And I mean in Breeze-->Configuration-->Attributes for the cluster hosting Presence that there's a spot to configure authentication - with SMGRLoginName and Avaya communication profile password, or with LDAP. If you do it with LDAP, you need to pop in your LDAP server and a service account and a search base DN - like CN=Users,DC=yourlab,DC=com and then identity mapping - and mail would work just fine.


* as a matter of fact, that's what the ESMSSO =1 means - it means it's expecting the same singular login for AADS to also be equivalent to be passed to AMM inside Preence for authentication. So, your Presence snapin must be configured to point at LDAP and authenticate the same way.

 

[RedTech443]

Still not joy.

I changed everything I could to use FQDN.
Here are my current settings.

SET SIP_CONTROLLER_LIST 10.1.30.15:5061;transport=TLS
SET SIPPROXYSRVR 10.1.30.15
SET SIPPORT 5061
SET SIPSECURE 1
SET SIPENABLED 1
SET SIPDOMAIN domain.int
SET SIPUSERNAME 10000
SET SIPHA1 ab10d2ac6dbb9f4168b28a78d4d96ba0
SET ESMSSO 1
SET DISABLE_PASSWORD_STORAGE 0
SET ESMREFRESH 0
SET ACSSECURE 1
SET ESMSRVR lab-breezeasm01.domain.int
SET ACSSRVR lab-aads.domain.int
SET ESMPORT 443
SET FORCE_LOGOUT_AFTER 0
SET ACSPORT 443
SET ESMENABLED 1
SET ESMSECURE 1
SET ENFORCE_SIPS_URI 1
SET ACSENABLED 1
SET ACSSSO 1
SET ENABLE_PRESENCE 1
SET VOIPCALLINGENABLED 1
SET IOS10CALLKIT_ENABLED 1
SET LOCKED_PREFERENCES ""
SET OBSCURE_PREFERENCES ""

 

[kyle555]

SET ESMSRVR lab-breezeasm01-sm100.domain.int !!!

Go in inventory, breeze, manage identity certs, look at the SM100, look at the FQDN it's for - probably the management FQDN with "-sm100" at the end.

Make sure that's in DNS and that's your EMSSRVR.

Client REST
Auth Mechanism Enterprise
Realmomain
Directory user DN: CN=Administrator,CN=Users,DC=domain,DC=int
Password - the AD domain admin password (you don't have to use domain admin, but wtv)
search base: CN=Users,DC=domain,DC=int
User mapping attribute - mail
Identity attribute - mail

Just plug in the same stuff you did in AADS.

You'll need to stop/start the service after, and give it a solid 10-15

traceCE on the breeze and you'll see what's up