How to Prevent an Outage Between VOSS and Microsoft Active Directory
Adam Furman, Sales Engineer, and Maretha Lindeque, Customer Success Service Manager, VOSS
With the changes coming to Microsoft Active Directory in March, we figured we would take some time to write this blog post and explain what you need to do to ensure your VOSS-4-UC installation continues to communicate with Active Directory. These changes can be made before Microsoft begins enforcing secure connections to Active Directory. The changes are mandatory, so we recommend planning for them ahead of time so that no outage is caused when the enforcement goes into effect. The changes are only needed if you are not already communicating with Active Directory over secure LDAP (LDAPS).
The reason Microsoft is making these changes is to ensure that any remote connection to Active Directory is secure, so that none of your data is exposed to anyone who might want to do harm. More information can be found here.
Before making any changes to VOSS-4-UC, make sure that VOSS-4-UC and your Cisco UC applications have access to the ports that Secure LDAP runs on. The following ports should be validated on your firewalls, and on your customers’ firewalls as well:
636 (LDAPS against a domain controller) or 3269 (Global Catalog over SSL)
You also need to decide whether you want to use certificate validation between Microsoft Active Directory and VOSS-4-UC. If you choose certificate validation, you need to collect the LDAP server certificate(s) from the Microsoft Active Directory environment so you can upload them into VOSS-4-UC; without them, VOSS-4-UC will not be able to verify the connection to Active Directory.
The following changes need to be made inside of VOSS-4-UC so you can communicate with Active Directory.
If you use the certificate validation option, start at step 1 and then follow the additional certificate validation items in step 2; if you do not, skip straight to step 2.
Step 1: Import the certificate into VOSS-4-UC by following these steps:
- Log into the GUI as a provider admin, and change the breadcrumb to the level where the LDAP server is
- Go to File management (in the default menus this is under Administration Tools)
- Add and browse to the certificate, provide a description and save
- Once the certificate has been added, it should look like the screenshot below:
Step 2: To update the LDAP server port and connection security, go to the LDAP Server under LDAP Management and update the following:
- In the main section update the port
- In the Connection Security section set the Encryption method
- In the certificate validation section you can select “Trust All”, which establishes the encrypted LDAP connection without validating the server’s certificate (any certificate the server presents is accepted, so this does not protect against a spoofed LDAP server)
- If you want to connect using certificate validation, uncheck the “Trust All” option and in the “Server Root Certificate” drop-down select the certificate which was imported in step 1
- Save and monitor the transaction for any errors
- Ensure that the LDAP sync configuration has been updated successfully
- Run a full LDAP sync
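Before walking through the steps above in production, it helps to confirm from the VOSS-4-UC side that the secure ports are open and that the exported Active Directory certificate actually validates the domain controller. The script below is an added example written for this post; it is not VOSS-4-UC or Microsoft code. It uses Python's standard `ssl` module to mirror the two options on the LDAP Server form: "Trust All" (encrypted, no certificate check) and certificate validation against the imported root. The script name `ldaps_precheck.py`, the domain controller hostname and the path to the exported CA file are assumptions you supply on the command line, and the assumption that VOSS-4-UC validates certificates in the same way as a standard TLS client is ours, not something the post states.

```python
"""Pre-flight checks for the VOSS-4-UC to Active Directory secure LDAP cut-over.

Added example, not VOSS-4-UC or Microsoft code. It checks that the secure
LDAP ports are reachable, builds TLS client settings that mirror the
"Trust All" checkbox versus certificate validation, and reports how long
the certificate presented by the domain controller remains valid.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional

# Ports named in the post: 636 is LDAPS on a domain controller, 3269 is the
# Global Catalog over TLS. Test whichever one your LDAP server entry uses.
LDAPS_PORTS = (636, 3269)


def check_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout.

    A False here usually means a firewall between VOSS-4-UC (or CUCM) and
    the domain controller is still blocking the secure port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def make_context(cafile: Optional[str] = None, trust_all: bool = False) -> ssl.SSLContext:
    """Build a TLS client context matching one of the two VOSS-4-UC options.

    trust_all=True corresponds to the "Trust All" checkbox: traffic is
    encrypted, but the server's certificate is accepted without any check,
    so a spoofed domain controller would be accepted too. Otherwise only
    the exported Active Directory root/issuing certificate in `cafile` is
    trusted, which is what the "Server Root Certificate" setting provides.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verification and hostname check on by default
    if trust_all:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        if cafile is None:
            raise ValueError("certificate validation needs the exported AD CA file")
        ctx.load_verify_locations(cafile=cafile)  # raises if the file is missing
    return ctx


def describe_context(ctx: ssl.SSLContext) -> str:
    """Human-readable name for the validation mode of a context."""
    return "trust-all (no validation)" if ctx.verify_mode == ssl.CERT_NONE else "validating"


def fetch_peer_cert(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> dict:
    """Complete a TLS handshake and return the peer certificate as a dict.

    With a validating context, a chain that does not lead to the imported
    root raises ssl.SSLCertVerificationError, which is the kind of failure
    to expect in the VOSS-4-UC transaction log if the wrong certificate was
    uploaded. With a trust-all context Python returns an empty dict, because
    an unvalidated certificate is deliberately not exposed as parsed fields.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert: dict, now: Optional[datetime] = None) -> int:
    """Whole days left before the certificate's notAfter (negative if expired).

    Worth recording at cut-over: when the domain controller certificate is
    renewed, the imported root must still chain to it or the LDAP sync breaks.
    """
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (not_after - now).days


if __name__ == "__main__":
    # Usage (hostname and CA file are assumptions): python ldaps_precheck.py dc01.example.test ad-root.pem
    dc_host, ca_file = sys.argv[1], sys.argv[2]
    for port in LDAPS_PORTS:
        print(f"{dc_host}:{port} reachable: {check_port(dc_host, port)}")
    ctx = make_context(cafile=ca_file)
    cert = fetch_peer_cert(dc_host, 636, ctx)
    print(f"mode: {describe_context(ctx)}; subject: {cert.get('subject')}")
    print(f"certificate expires in {days_until_expiry(cert)} days")
```

Run it from the VOSS-4-UC host (or any host on the same network segment) so the port checks reflect the firewall rules that matter. If `fetch_peer_cert` raises a certificate verification error while the same connection succeeds with `make_context(trust_all=True)`, the port and encryption settings are fine and the problem is the certificate you imported in step 1.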
For future reference, here is a link to the Cisco Field Notice on the changes that are needed on Cisco Unified Communications Manager (CUCM) and Cisco Unity Connection.
For more information on VOSS-4-UC and Microsoft Active Directory, please contact us.