- Home
- /
- Article
Thanks for your feedback.
Deployment guide for Serviceability Connector
In this article
Feedback?Change history
Change history
|
Date |
Change |
Section |
|---|---|---|
| July 2024 | Added information about Blocked External DNS Resolution mode. |
In Overview section:
|
| May 2024 | Clarified the wording of two tasks to open the Serviceability platform interface and the Serviceability Connector application interface. |
In Manage Serviceability Service:
|
|
March 2024 |
Added topics to help you access the web interface of the host node or application. |
In Manage Serviceability Service:
|
|
September 2023 |
Added local logging and problem report collection. |
|
|
April 2022 |
Changed the way that you add Unified publishers and subscribers on an ECP connector host. |
(Optional) Configure an ECP Connector Host with Locally Managed Unified CMs (Optional) Configure an ECP Connector Host with Locally Managed Unified CM Clusters |
|
November 2021 |
You can now use the Serviceability Connector to collect logs from your Cloud-Connected UC deployment. This capability enables you, rather than TAC, to gather logs for your Unified CM clusters. |
Throughout |
|
September 2021 |
Removed mentions of the deprecated Customer Service Central upload option. |
Configure Upload Settings |
|
March 2021 |
You can now collect logs from Broadworks XSP nodes. |
Throughout |
|
December 2020 |
Added information on using an ECP node for the Serviceability Connector. |
Throughout |
|
Clarified connectivity requirements for registering Expressway connector host. |
Register the Expressway Connector Host to Cisco Webex |
|
|
September 2020 |
Use of Cisco account with Serviceability Connector deprecated. Only CXD supported now. |
Throughout |
|
November 2017 |
Initial Publication |
|
Serviceability Connector Overview
Serviceability Connector Overview
You can ease the collection of logs with the Webex Serviceability service. The service automates the tasks of finding, retrieving, and storing diagnostic logs and information.
This capability uses the Serviceability Connector deployed on your premises. Serviceability Connector runs on a dedicated host in your network ('connector host'). You can install the connector on either of these components:
-
Enterprise Compute Platform (ECP)—Recommended
ECP uses Docker containers to isolate, secure, and manage its services. The host and the Serviceability Connector application install from the cloud. You don’t need to manually upgrade them to stay current and secure.
We recommend use of ECP. Our future development will focus on this platform. Some new features won't be available if you install the Serviceability Connector on an Expressway.
-
Cisco Expressway
You can use the Servicability Connector for these purposes:
-
Automated log and system information retrieval for service requests
-
Log collection of your Unified CM clusters in a Cloud-Connected UC deployment
You can use the same Serviceability Connector for both use cases.
Use in Service Request Cases
You can use the Webex Serviceability service to aid Cisco technical assistance staff in diagnosing issues with your infrastructure. The service automates the tasks of finding, retrieving, and storing diagnostic logs and information into an SR case. The service also triggers analysis against diagnostic signatures so that TAC can identify problems and resolve cases faster.
When you open a case with TAC, TAC engineers can retrieve relevant logs as they perform the diagnosis of the problem. We can collect the needed logs without coming back to you each time. The engineer sends requests to the Serviceability Connector. The connector collects the information and securely transfers it to the Customer eXperience Drive (CXD). The sytem then appends the information to your SR.
When we have the information, we can use the Collaboration Solution Analyzer and its database of diagnostic signatures. The system automatically analyses logs, identifies known issues, and recommends known fixes or workarounds.
You deploy and manage Serviceability Connectors through Control Hub like other Hybrid Services, such as Hybrid Calendar Service and Hybrid Call Service. You can use it along with other Hybrid Services, but they aren't required.
If you already have your organization configured in Control Hub, you can enable the service through your existing organization administrator account.
In this deployment, the Serviceability Connector is always available, so that TAC can collect data when necessary. But, it doesn’t have a steady load over time. The TAC engineers manually initiate data collection. They negotiate an appropriate time for the collection to minimize the impact on other services provided by the same infrastructure.
How it works
-
You work with Cisco TAC to deploy the Serviceability service. See Deployment Architecture for TAC Case.
-
You open a case to alert TAC to a problem with one of your Cisco devices.
-
TAC representative uses the Collaborations Solution Analyzer (CSA) web interface to request Serviceability Connector to collect data from relevant devices.
-
Your Serviceability Connector translates the request into API commands to collect the requested data from the managed devices.
-
Your Serviceability Connector collects, encrypts, and uploads that data over an encrypted link to Customer eXperience Drive (CXD). CXD then associates the data with your Service Request.
-
The system analyes the data against the TAC database of more than 1000 diagnostic signatures.
-
The TAC representative reviews the results, checking the original logs if necessary.
Deployment Architecture for TAC Case
|
Element |
Description |
|---|---|
|
Managed devices |
Includes any devices that you want to supply logs from to Serviceability Service. You can add up to 150 locally managed devices with one Serviceability connector. You can import information from HCM-F (Hosted Collaboration Mediation Fulfillment) about HCS customers' managed devices and clusters (with larger numbers of devices, see https://help.webex.com/en-us/142g9e/Limits-and-Bounds-of-Serviceability-Service). The service currently works with the following devices:
|
|
Your administrator |
Uses Control Hub to register a connector host and enable Serviceability Service. The URL is https://admin.webex.com and you need your “organization administrator” credentials. |
|
Connector host |
An Enterprise Compute Platform (ECP) or Expressway that hosts the Management connector and the Serviceability Connector.
|
|
Proxy |
(Optional) If you change the proxy configuration after starting Serviceability Connector, then also restart the Serviceability Connector. |
|
Webex cloud |
Hosts Webex, Webex calling, Webex meetings, and Webex Hybrid Services. |
|
Technical Assistance Center |
Contains:
|
Use in Cloud-Connected UC Deployments
You can use the Serviceability service through Control Hub to monitor your Unified CM clusters in a Cloud-Connected UC deployment.
How it works
-
You deploy a Serviceability Connector instance for your Unified CM clusters.
-
To troubleshoot a Unified CM call signalling issue, you trigger a data collection request in Control Hub.
-
Your Serviceability Connector translates the request into API commands to collect the requested data from the managed devices.
-
Your Serviceability Connector collects, encrypts, and uploads that data over an encrypted link to Customer eXperience Drive (CXD).
Deployment Architecture for Cloud-Connected UC
|
Element |
Description |
|---|---|
|
Managed devices |
Includes any devices from which you want to supply logs to Serviceability Service. You can add up to 150 locally managed devices with one Serviceability connector. You can import information from HCM-F (Hosted Collaboration Mediation Fulfillment) about HCS customers' managed devices and clusters (with larger numbers of devices, see https://help.webex.com/en-us/142g9e/Limits-and-Bounds-of-Serviceability-Service). With Cloud-Connected UC, the service works with the following devices:
|
|
Your administrator |
Uses Control Hub to register a connector host and enable Serviceability Service. The URL is https://admin.webex.com and you need your “organization administrator” credentials. |
|
Connector host |
An Enterprise Compute Platform (ECP) or Expressway that hosts the Management connector and the Serviceability Connector.
|
|
Proxy |
(Optional) If you change the proxy configuration after starting Serviceability Connector, then also restart the Serviceability Connector. |
|
Webex cloud |
Hosts Webex, Webex calling, Webex meetings, and Webex Hybrid Services. |
Serviceability Connector Limitations
For a current list of limitations, see the Known Issues with Serviceability Service article.
People and Roles
The diagram shows the required accounts to deliver Serviceability Service. Many of these accounts aren’t for users. The Serviceability Connector needs permission to retrieve data from several devices.
The following tables lists people and accounts, and their roles in deploying and using the service:
|
Person / Device |
Roles in delivering Serviceability Service |
|---|---|
|
Your network administrator |
|
|
Cisco Technical Assistance Center representatives |
Only for the TAC use case.
|
|
Your administrator of managed devices, such as Unified CM, IM & Presence Service, and BW Application Server |
|
|
Your Connector host administrator |
|
|
“Organization administrator” This account could be your Connector host administrator or network admin, or a Cisco partner. That person uses this account to sign in to Control Hub and manage your organization’s cloud configuration. |
|
|
Serviceability Connector |
|
|
Account type |
Scope / specific privileges |
Notes |
|---|---|---|
|
Cisco Connector Host Administrator |
Access level = Read-write API access = Yes (Expressway only) Web access = Yes (Expressway only) |
This account on the Connector Host reads the Serviceability Connector configuration. |
|
Managed device API and SSH accounts (all of the following rows) |
Send API calls to, or perform SSH commands on, the managed device. For example, to collect logs. |
These accounts reside on the managed devices. You enter their credentials in the Serviceability Connector configuration on the Connector host. |
|
API account for HCM-F API |
Read |
This account authenticates the connector when it polls HCM-F for information about customers, their clusters and devices, and credentials to access them. |
|
Application User for Voice Operating System (VOS) Products |
|
VOS products include Unified CM, IM and Presence, and UCCX. If the SSH account is different to the Application User account, enter credentials for both accounts in the Serviceability Connector UI. |
|
SSH user for Voice Operating System (VOS) Products |
|
If the Application User account is different to the SSH account, enter credentials for both accounts in the Serviceability Connector UI. |
|
Cisco Expressway or VCS Administrator |
Access level = Read-write API access = Yes Web access = Yes |
Only for TAC use case. This account for the managed VCS or Expressway, rather than for the connector host. |
|
CUBE SSH user account |
Privilege Level 15 |
Only for TAC use case. |
|
BroadWorks CLI user account |
|
Only for TAC use case. Ensure that the CLI account has privileges to run commands on the managed BroadWorks device; that is, Xtended Services Platform, Application Server, Profile Server, Execution Server, or Messaging Server. |
Data Movement
|
Data Operation |
Transport Mechanism |
Account Used |
|---|---|---|
|
Read data from managed devices |
HTTPS |
API access or SSH account on the managed device |
|
Write to case management system |
HTTPS |
Service Request number and associated unique token |
When a command is entered, Webex sends the request to the Serviceability Connector, which acts on it to collect the required data.
This request has no directly identifiable data about the managed device. It has a device ID or cluster ID, so it knows from which devices to get the data. The Serviceability Connector translates this device/cluster ID. The ID can't by itself identify your infrastructure. Also, the connection between the cloud and the connector uses HTTPS transport.
The Serviceability Connector translates the request as follows:
-
It finds the devices for the device/cluster ID in its list of managed devices and clusters and obtains the addresses.
-
It recreates the request and parameters as API or SSH calls to the addresses, using the appropriate API or command for the devices.
-
To authorize the commands, the connector uses the pre-configured device credentials for the target devices.
The connector temporarily stores the resulting data files on the connector host (Expressway or ECP).
The connector chunks the temporary file, encrypts the chunks, and transmits them over HTTPS to the Customer eXperience Drive. If the request came from TAC, the TAC case file store reassembles the log data and stores it against your Service Request.
Serviceability Connector writes the following data about the transaction to the command history on the Connector host:
-
Unique identifiers for the command issued and the issuer of the command. You can trace the ID of the issuer back to the person who issued the command, but not on the connector host.
-
The issued command and parameters (not the resulting data).
-
The connector-generated alias of the devices to which the command was issued (not the address or hostname).
-
The status of the requested command (success/failure).
TAC case
TAC representatives use their own accounts to access Collaboration Solutions Analyzer (CSA), a web application that interacts with Cisco Webex to communicate requests to Serviceability Connector.
In CSA, the TAC person selects a particular Serviceability Connector from those that are in your organization, and then scopes the command with the following:
-
The ID of the TAC case in which to store the logs(service request number).
-
The target device (known by an alias that Serviceability Connector created when the device was first added as a managed device) or a cluster of devices.
-
A data collection command and any necessary parameters.
CSA determines the type of device from the Serviceability Connector and is aware of the capabilities of each type of managed device. For example, it knows that to collect service logs from Unified CM, the TAC user should provide start and end date/times.
Cloud-Connected UC case
In LogAdvisor, your administrator selects a particular Serviceability Connector from those that are in your organization, and then scopes the command with the following:
-
The target device (known by an alias that Serviceability Connector created when the device was first added as a managed device) or a cluster of devices.
-
A data collection command and any necessary parameters.
LogAdvisor prompts for the appropriate parameters.
Security
Managed devices:
-
You keep the data at rest on your managed devices secure by using the measures available on those devices and your own policies.
-
You create and maintain the API or SSH access accounts on those devices. You enter the credentials on the connector host; Cisco personnel and third parties don't need to and can't access those credentials.
-
The accounts might not need full administrative privileges, but do need authorization for typical logging APIs (See People and Roles). The Serviceability Service uses the minimum permissions required to retrieve log information.
Connector host:
-
Management Connector creates a TLS connection with Webex when you first register the Connector host (ECP or Expressway). To do this, the Management Connector needs to trust the certificates that Webex presents. You can opt to manage the host trust list yourself, or allow the host to download and install the required root CA list from Cisco.
-
The Management Connector maintains a connection to Webex, for reporting and alarms. The Serviceability Connector uses a similar persistent connection for receiving serviceability requests.
-
Only your administrators need to access the host to configure the Serviceability Connector. Cisco personnel don't need to access the host.
Serviceability Connector (on connector host):
-
Makes HTTPS or SSH connections to your managed devices, to execute API commands.
-
You can configure the Serviceability Connector to request and verify server certificates from the managed devices.
-
Makes outbound HTTPS connections to the Cisco TAC case management system storage.
-
Doesn't log any of your personally identifiable information (PII).
The connector itself doesn't log any PII. However, the connector doesn't inspect or clean the data that it transfers from the managed devices.
-
Doesn't permanently store any of your diagnostic data.
-
Keeps a record of the transactions that it makes in the connector’s command history (Applications > Hybrid Services > Serviceability > Command History). The records don't directly identify any of your devices.
-
Only stores the addresses of devices and the credentials to their API accounts in the Connector configuration store.
-
Encrypts data for transfer to the Customer eXprerience Drive using a dynamically generated 128-bit AES key.
Proxy:
-
If you use a proxy to go out to the internet, the Serviceability Connector needs credentials to use the proxy. The Connector host supports basic authentication.
-
If you deploy a TLS inspecting device, then it must present a certificate that the Connector host trusts. You may need to add a CA certificate to the host trust list.
Firewalls:
-
Open TCP port 443 outbound from the connector host to a number of Cisco service URLs. See External Connections Made by the Serviceability Connector ( https://help.webex.com/article/xbcr37/).
-
Open the required ports into protected networks that contain the managed devices. See Serviceability Connector Ports which lists ports required by the managed devices. For example, open TCP 443 into your DMZ to collect logs through an Expressway-E's inward facing address.
-
Don't open any additional ports inbound to the connector host.
Webex:
-
Doesn't make unsolicited inbound calls to your on-premises equipment. The Management Connector on the connector host persists the TLS connection.
-
All traffic between your connector host and Webex is HTTPS or secure web sockets.
Technical Assistance Center:
When you enable the Serviceability Service for the TAC use case:
-
Has developed comprehensive and secure data storage tools and protocols to safeguard customer device data.
-
Employees are bound by Code of Business Conduct not to share customer data unnecessarily.
-
Stores diagnostic data in encrypted form in the TAC case management system.
-
Only the personnel who are working on the resolution of your case may access that data.
-
You can access your own cases and see what data was collected.
Serviceability Connections
Serviceability Connector Ports
This table includes the ports that are used between the Serviceability Connector and managed devices. If there are firewalls protecting your managed devices, open the listed ports towards those devices. Internal firewalls aren’t required for successful deployment and aren’t shown in the preceding diagram.
|
Purpose |
Src. IP |
Src. Ports |
Protocol |
Dst. IP |
Dst. Ports |
|---|---|---|---|---|---|
|
Persistent HTTPS registration |
VMware host |
30000-35999 |
TLS |
Webex hosts See External Connections made by the Serviceability Connector ( https://help.webex.com/article/xbcr37) |
443 |
|
Log data upload |
VMware host |
30000-35999 |
TLS |
Cisco TAC SR datastore See External Connections made by the Serviceability Connector ( https://help.webex.com/article/xbcr37) |
443 |
|
API requests to HCM-F |
VMware host |
30000-35999 |
TLS |
HCM-F Northbound interface (NBI) |
8443 |
|
AXL (Administrative XML Layer) for log collection |
VMware host |
30000-35999 |
TLS |
VOS devices (Unified CM, IM and Presence, UCCX) |
8443 |
|
SSH access |
VMware host |
30000-35999 |
TCP |
VOS devices (Unified CM, IM and Presence, UCCX) |
22 |
|
SSH access, log collection |
VMware host |
30000-35999 |
TCP |
CUBE |
22 |
|
SSH access, log collection |
VMware host |
30000-35999 |
TCP |
BroadWorks Servers (AS, PS, UMS, XS, XSP) |
22 |
|
Log collection |
VMware host |
30000-35999 |
TLS |
ECP or Expressway or VCS |
443 |
|
Log collection |
VMware host |
30000-35999 |
TLS |
DMZ Expressway-E (or VCS Expressway) |
443 |
Blocked External DNS Resolution mode
When you register a node or check its proxy configuration, the process tests DNS lookup and connectivity to Webex.
If the node's DNS server can't resolve public DNS names, the node automatically goes into Blocked External DNS Resolution mode.
In this mode, the node establishes the connection through the proxy, which resolves the external DNS records through its configured DNS server.
This mode is only possible if you are using an explicit proxy.
Enable Blocked External DNS Resolution mode
| 1 |
Configure an explicit proxy. |
| 2 |
Run the Check Proxy Connection test. If the node's DNS server can't resolve public DNS entries, the node goes into
Blocked External DNS Resolution mode.
|
Disable External DNS Resolution Blocked mode
| 1 |
Sign in to the Serviceability Connector platform web interface. |
| 2 |
On the Overview page, check the status of Blocked External DNS Resolution If the status is No, you don't need to continue this procedure. |
| 3 |
Go to the Trust Store & Proxy page, and click Check Proxy Connection. |
| 4 |
Reboot the node and check the Overview page.
Blocked External DNS Resolution Mode status is
No.
|
What to do next
Repeat this procedure for any other nodes that failed DNS connectivity check.
Prepare Your Environment
Requirements for Serviceability Connector
|
On-Premises Servers |
Version |
|---|---|
|
Cisco Hosted Collaboration Media Fulfillment (HCM-F) |
HCM-F 10.6(3) and later |
|
Cisco Unified Communications Manager |
10.x and later |
|
Cisco Unified Communications Manager IM and Presence Service |
10.x and later |
|
Cisco Unified Border Element |
15.x and later |
|
Cisco TelePresence Video Communication Server or Cisco Expressway Series |
X8.9 and later |
|
Cisco Unified Contact Center Express (UCCX) |
10.x and later |
|
Cisco BroadWorks Application Server (AS) |
Latest release and the two earlier major versions. For example, R23 is current at the time of writing, so we support managed devices running R21 and later. |
|
Cisco BroadWorks Profile Server (PS) |
Latest release and the two earlier major versions. For example, R23 is current at the time of writing, so we support managed devices running R21 and later. |
|
Cisco BroadWorks Messaging Server (UMS) |
Latest release and the two earlier major versions. For example, R23 is current at the time of writing, so we support managed devices running R21 and later. |
|
Cisco BroadWorks Execution Server (XS) |
Latest release and the two earlier major versions. For example, R23 is current at the time of writing, so we support managed devices running R21 and later. |
|
Cisco BroadWorks Xtended Services Platform (XSP) |
Latest release and the two earlier major versions. For example, R23 is current at the time of writing, so we support managed devices running R21 and later. |
Unified CM is the only server that you can monitor in the Cloud-Connected UC case.
|
Requirements |
Version |
|---|---|
|
Enterprise Compute Platform (ECP) |
Use VMware vSphere client 6.0 or later to host the ECP VM. Deploy ECP on a dedicated virtual machine of either specification:
You can download the software image from https://binaries.webex.com/serabecpaws/serab_ecp.ova. If you don't install and configure the VM first, the registration wizard prompts you to do so. Always download a fresh copy of the OVA to install or reinstall the Serviceability Connector VM. An outdated OVA can lead to problems. We recommend use of ECP. Our future development will focus on this platform. Some new features won't be available if you install the Serviceability Connector on an Expressway. |
|
Cisco Expressway Connector Host |
If you host the Connector on Expressway, use a virtual Expressway. Provide the virtual machine with enough resources to support at least the Medium Expressway. Don't use a Small Expressway. See the Cisco Expressway on Virtual Machine Installation Guide at https://www.cisco.com/c/en/us/support/unified-communications/expressway-series/products-installation-guides-list.html. You can download the software image from https://software.cisco.com/download/home/286255326/type/280886992 at no charge. We recommend the latest released version of Expressway for connector host purposes. See Expressway Connector Host Support for Cisco Webex Hybrid Services for more information. For Cloud-Connect UC, you can deploy the Serviceability Connector on an Expressway. But, you can't monitor the Expressway through the connector. |
Complete Managed Device Prerequisites
| 1 |
Ensure that these services are running to enable the connector to manage Voice Operating System (VOS) products like Unified CM, IM and Presence Service, and UCCX:
These services are enabled by default. If you stopped any of them, restart the services by using Cisco Unified Serviceability. |
| 2 |
Make these configurations to enable Serviceability Connector to manage CUBE: You don't need to do this for the Cloud-Connected UC case.
|
Complete the ECP Connector Host Prerequisites
Complete these tasks before you deploy the Serviceability service:
Before you begin
If you choose to use ECP for the Connector host, we require that you deploy the Serviceability Connector on a dedicated ECP.
We recommend use of ECP. Our future development will focus on this platform. Some new features won't be available if you install the Serviceability Connector on an Expressway.
As an administrator of hybrid services, you retain control over the software running on your on-premises equipment. You’re responsible for all necessary security measures to protect your servers from physical and electronic attacks.
| 1 |
Obtain full organization administrator rights to access the customer view in Control Hub ( https://admin.webex.com). |
| 2 |
Create a VM for the new ECP node. See Create a VM for the ECP Connector Host. |
| 3 |
Open the required ports on your firewall. See Serviceability Connections and Serviceability Connector Ports. The Serviceability Connector on ECP uses port 8443 outbound to the Cisco Webex cloud. See https://help.webex.com/article/WBX000028782/ for details of the cloud domains that ECP requests. The Serviceability Connector also makes the outbound connections listed in https://help.webex.com/article/xbcr37/. |
| 4 |
If your deployment uses a proxy to access the internet, get the address and port for the proxy. If the proxy uses basic authentication, you also need those credentials. If your organization uses a TLS proxy, the ECP node must trust the TLS proxy. The proxy's CA root certificate must be in the trust store of the node. You can check if you need to add it at . |
| 5 |
Review these points about certificate trust. You can choose the type of secure connection when you begin the main setup steps.
|
Create a VM for the ECP Connector Host
Create a VM for the ECP node.
When you first sign in to a new ECP node, use the default credentials. The username is "admin" and the password is "cisco". Change the credentials after signing on for the first time.
| 1 |
Download the OVA from https://binaries.webex.com/serabecpaws/serab_ecp.ova to your local computer. | ||||||||||||||||
| 2 |
Choose in the VMware vCenter. | ||||||||||||||||
| 3 |
On the Select template page, choose Local
File, select your | ||||||||||||||||
| 4 |
On the Select name and location page, enter a name for
your VM, such as, | ||||||||||||||||
| 5 |
Select the datacenter or folder to host the VM and click Next. | ||||||||||||||||
| 6 |
(Optional) You might need to select a resource, such as a host, that the VM can use and click Next. The VM installer runs a validation check and displays the template
details.
| ||||||||||||||||
| 7 |
Review the template details and make any necessary changes, then click Next. | ||||||||||||||||
| 8 |
Choose which configuration to use for the VM and click Next. We recommend the larger option with 4 CPU, 8GB RAM, and 20GB HDD. If you have limited resources, you can choose the smaller option. | ||||||||||||||||
| 9 |
On the Select storage page, choose these settings:
| ||||||||||||||||
| 10 |
On the Select networks page, choose the target network for the VM and click Next. The connector needs to make outbound connections to Webex. For these connections, the VM requires a static IPv4 address. | ||||||||||||||||
| 11 |
On the Customize template page, edit the network properties for the VM, as follows:
| ||||||||||||||||
| 12 |
Click Next. The Ready to Complete page displays the details
of the OVF template.
| ||||||||||||||||
| 13 |
Review the configuration and click Finish. The VM installs and then appears in your list of VMs.
| ||||||||||||||||
| 14 |
Power on your new VM. The ECP software installs as a guest on the VM host. Expect a delay of a
few minutes while the containers start on the node.
|
What to do next
If your site proxies outbound traffic, integrate the ECP node with the proxy.
After you configure the network settings and you can reach the node, you can access it through secure shell (SSH).
(Optional) Configure ECP Node for Proxy Integration
If your deployment proxies outbound traffic, use this procedure to specify the type of proxy to integrate with your ECP node. For a transparent inspecting proxy or an explicit proxy, you can use the node interface to do the following:
-
Upload and install the root certificate.
-
Check the proxy connection.
-
Troubleshoot issues.
| 1 |
Go to the web interface of your Serviceability Connector at
| ||||||||||
| 2 |
Go to Trust Store & Proxy, and then choose an option:
| ||||||||||
| 3 |
For a transparent inspecting or explicit proxy, click Upload a Root Certificate or End Entity Certificate. Then, choose the root certificate for the explicit or transparent inspecting proxy. The client uploads the certificate but doesn't install it yet. The node installs the certificate after its next reboot. Click the arrow by the certificate issuer name to get more details. Click Delete if you want to reupload the file. | ||||||||||
| 4 |
For a transparent inspecting or explicit proxy, click Check Proxy Connection to test the network connectivity between the ECP node and the proxy. If the connection test fails, you see an error message with the reason and how to correct the issue. | ||||||||||
| 5 |
For an explicit proxy, after the connection test passes, select Route all port 443/444 https requests from this node through the explicit proxy. This setting requires 15 seconds to take effect. | ||||||||||
| 6 |
Click Install All Certificates Into the Trust Store (appears whenever the proxy setup adds a root certificate) or Reboot (appears if the setup doesn't add a root certificate). Read the prompt and then click Install if you're ready. The node reboots within a few minutes. | ||||||||||
| 7 |
After the node reboots, sign in again if needed and open the Overview page. Review the connectivity checks to ensure that they are all in green status. The proxy connection check only tests a subdomain of webex.com. If there are connectivity problems, a common issue is that the proxy blocks some of the cloud domains listed in the install instructions. | ||||||||||
Complete the Expressway Connector Host Prerequisites
Use this checklist to prepare an Expressway for hosting connectors, before you register it to the Webex.
Before you begin
If you choose to use Expressway to host the Serviceability Connector, we require that you use a dedicated Expressway for the host.
We recommend use of ECP. Our future development will focus on this platform. Some new features won't be available if you install the Serviceability Connector on an Expressway.
As an administrator of hybrid services, you retain control over the software running on your on-premises equipment. You’re responsible for all necessary security measures to protect your servers from physical and electronic attacks.
| 1 |
Obtain full organization administrator rights before you register any Expressways, and use these credentials when you access the customer view in Control Hub ( https://admin.webex.com). |
| 2 |
Follow these requirements for the Expressway-C connector host.
|
| 3 |
If this is your first time running Expressway, you get a first-time setup wizard to help you configure it for Hybrid Services. If you previously skipped the wizard, you can run it from the page. |
| 4 |
If you haven’t checked already, check the following configuration of the Expressway-C connector host. You normally check during installation. You can also confirm the configuration when you use Service Setup wizard.
Expressway-C connector hosts don’t support dual NIC deployments. Your Expressway is now ready to register to Cisco Webex. The remaining
steps in this task are about the network conditions and items to be aware of
before you attempt to register the Expressway.
|
| 5 |
If you haven’t already done so, open required ports on your firewall.
|
| 6 |
Get the details of your HTTP proxy (address, port) if your organization uses one to access the internet. You also need a username and password for the proxy if it requires basic authentication. The Expressway can’t use other methods to authenticate with the proxy. If your organization uses a TLS proxy, the Expressway-C must trust the TLS proxy. The proxy's CA root certificate must be in the trust store of the Expressway. You can check if you need to add it at . |
| 7 |
Review these points about certificate trust. You can choose the type of secure connection when you begin the main setup steps.
|
Deploy Serviceability Connector
Serviceability Connector Deployment Task Flow
| 1 |
(Recommended) If you deploy the Serviceability Connector on ECP, Register the ECP Connector Host to Cisco Webex. After you complete the registration steps, the connector software automatically deploys on your on-premises connector host. |
| 2 |
(Alternate) If you deploy the Serviceability Connector on Expressway, Register the Expressway Connector Host to Cisco Webex. After you complete the registration steps, the connector software automatically deploys on your on-premises connector host. |
| 3 |
Configure the Serviceability Connector on ECP or Configure the Serviceability Connector on Expressway, as appropriate. Name your Serviceability Connector. |
| 4 |
Create Accounts on Managed Devices Configure accounts on each product that the Connector can manage. The connector uses these accounts to authenticate data requests to the managed devices. If you import all your managed devices and clusters from HCM-F, you don't need to do this task. You must do it if the Connector manages devices that aren't in the HCM-F database. |
| 5 |
(Optional) Configure an ECP Connector Host with Locally Managed Unified CMs or (Optional) Configure Serviceability Connector with Locally Managed Devices If you import all your managed devices and clusters from HCM-F, you don't need to do this task. You must do it if the Connector manages devices that aren't in the HCM-F database. If your connector host is an Expressway, we strongly recommend that you configure the connector host as a locally managed device for the TAC use case. But, an ECP connector host has no logs that TAC would request through the Serviceability Service. |
| 6 |
(Optional) Configure an ECP Connector Host with Locally Managed Unified CM Clusters or (Optional) Configure Serviceability Connector with Locally Managed Clusters You can associate locally managed devices of the same type as a managed cluster on the Connector configuration. Clusters enable data collection from multiple devices with one request. |
| 7 |
(Optional) Import Devices from Hosted Collaboration Mediation Fulfillment We recommend importing from the Connector to automatically maintain a list of customer devices and clusters from HCM-F. You could manually add the devices, but integrating with HCM-F saves you time. |
| 8 |
This task is only needed for the TAC case. Customer eXperience Drive (CXD) is the default and only option. |
| 9 |
Start the Serviceability Connector Expressway only task |
| 10 |
Validate the Serviceability Connector Configuration Expressway only task. Use this procedure to test the data collection and transfer to your service request. |
Register the ECP Connector Host to Cisco Webex
Hybrid Services use software connectors to securely connect your organization's environment to Webex. Use this procedure to register your ECP connector host.
After you complete the registration steps, the connector software automatically deploys on your on-premises connector host.
Before you begin
-
You must be on the enterprise network where you installed the Serviceability Connector node when you run the registration wizard. That network requires access to the Connector and to the
admin.webex.comcloud. (See Prepare Your Environment for links to the relevant addresses and ports). You're opening browser windows to both sides to establish a more permanent connection between them. -
If your deployment proxies outbound traffic, enter the details of your proxy. See (Optional) Configure ECP Node for Proxy Integration.
-
If the registration process times out or fails for some reason, you can restart registration in Control Hub.
| 1 |
In Control Hub ( https://admin.webex.com), select . |
| 2 |
Choose . |
| 3 |
Click View All on the Serviceability Service card. If you haven't deployed a Serviceability Connector before, scroll to the bottom of the page to find the card. Click Set Up to launch the wizard. |
| 4 |
Click Add Resource. |
| 5 |
Select Enterprise Compute Platform and click Next. The wizard shows the Register Serviceability Service on ECP Node page. If you haven’t installed and configured the VM, you can download the software from this page. You must install and configure the ECP VM before continuing with this wizard. (See Create a VM for the ECP Connector Host.) |
| 6 |
Enter a cluster name (arbitrary, and only used by Webex) and the FQDN or IP Address of the ECP node, then click Next.
|
| 7 |
Define an upgrade schedule. When we release an upgrade to the Serviceability Connector software, your node waits until the defined time before it upgrades. To avoid interrupting TAC’s work on your issues, choose a day and time when TAC is unlikely to use the connector. When an upgrade is available, you can intervene to Upgrade Now or Postpone (defers until the next scheduled time). |
| 8 |
Select a release channel and click Next. Choose the stable release channel unless you’re working with the Cisco trials team. |
| 9 |
Review the node details and click Go to Node to register the node to the Cisco Webex cloud. Your browser tries to open the node in a new tab; add the IP address for the node to your organization’s allow list. |
| 10 |
Review the notice about allowing access to this node. |
| 11 |
Check the box that allows Webex to access this node, then click Continue. The Registration Complete window appears when the node finishes registering. |
| 12 |
Go back to the Control Hub window. |
| 13 |
Click View All on the Serviceability Services page. You should see your new cluster in the list of Enterprise Compute Platform Clusters. The Service Status is "Not Operational" because the node needs to upgrade itself. |
| 14 |
Click Open nodes list. You should see the available upgrade for your node. |
| 15 |
Click Install now.... |
| 16 |
Review the release notes and click Upgrade Now. The upgrade can take a few minutes. The cluster status switches to operational after the upgrade completes. |
Register the Expressway Connector Host to Cisco Webex
Hybrid Services use software connectors to securely connect your organization's environment to Webex. Use this procedure to register your connector host Expressway.
After you complete the registration steps, the connector software automatically deploys on your on-premises Expressway connector host.
Before you begin
-
Sign out of any other connections to this Expressway.
-
If your on-premises environment proxies the outbound traffic, enter the details of the proxy server on before completing this procedure. For a TLS proxy, add the root CA certificate that is signed by the proxy server certificate to the CA trust store on the Expressway. Doing so is necessary for successful registration.
-
Webex rejects any attempt at registration from the Expressway web interface. Register your Expressway through Control Hub.
-
If the registration process times out or fails for some reason, you can restart registration in Control Hub.
| 1 |
In Control Hub ( https://admin.webex.com), select . |
| 2 |
Choose . |
| 3 |
Click View All on the Serviceability Service card. If you haven't deployed a Serviceability Connector before, scroll to the bottom of the page to find the card. Click Set Up to launch the wizard. |
| 4 |
For new registrations, choose the first radio button and click Next. |
| 5 |
Enter your connector host's IP address or FQDN. Webex creates a record of that Expressway and establishes trust. |
| 6 |
Enter a meaningful display name for the connector host and click Next. |
| 7 |
Click the link to open your Expressway web interface. This link uses the FQDN from Control Hub. Make sure that the PC that you use for the registration can access the Expressway interface using that FQDN. |
| 8 |
Sign in to the Expressway web interface, which opens the Connector Management page. |
| 9 |
Decide how you want to update the Expressway trust list:
|
| 10 |
Click Register. Control Hub launches. Read the on-screen text to verify that Webex identified the correct Expressway. |
| 11 |
Click Allow to register the Expressway for Hybrid Services.
If registration fails and your on-premises environment proxies the outbound traffic, review the prerequisites of this procedure. |
Configure the Serviceability Connector on ECP
Before you begin
You must register the ECP node to Cisco Webex before you can configure the Serviceability Connector.
When you first sign in to a new ECP node, use the default credentials. The username is "admin" and the password is "cisco". Change the credentials after signing on for the first time.
| 1 |
Sign in to the connector host and go to Config Settings. |
| 2 |
Enter a name for this connector. Choose a meaningful name for the connector that helps you discuss it. |
| 3 |
Click Save. |
Configure the Serviceability Connector on Expressway
Before you begin
You must register the Expressway to Cisco Webex before you can configure the Serviceability Connector.
| 1 |
Sign in to the Expressway connector host and go to . |
| 2 |
Check that Serviceability Connector is listed, it should not be running. Do not start it yet. |
| 3 |
Go to . |
| 4 |
Enter a name for this connector. Choose a name that is meaningful to you and represents the Expressway's purpose. |
| 5 |
Click Save. |
(Optional) Import Devices from Hosted Collaboration Mediation Fulfillment
If you use the Serviceability Service with Cisco Hosted Collaboration Solution (HCS), we recommend importing the devices from HCM-F. Then, you can avoid manually adding all those customers, clusters, and devices from the HCM-F inventory.
If your deployment isn't an HCS environment, you can ignore this task.
Integrate each Serviceability Connector with one HCM-F inventory. If you have multiple inventories, you need multiple connectors.
Before you begin
Create an administrative account on Hosted Collaboration Mediation Fulfillment (HCM-F) to use with Serviceability Service. You need the address of HCM-F and it must be reachable from the Serviceability host.
| 1 |
Sign into your connector host and go to Managed Devices, as follows:
|
| 2 |
Click New. |
| 3 |
Select Hosted Collaboration Mediation Fulfillment from the Type dropdown. The interface generates a unique Device Name, based on the selected Type. |
| 4 |
Edit the Device Name. The default name identifies the device type and gives it a unique number. Modify the name to make it meaningful during conversations about this device. |
| 5 |
Enter the Address, FQDN or IP address, of the HCM-F northbound API interface (NBI). |
| 6 |
Enter the Username and Password of the HCM-F administrative account. |
| 7 |
Choose a Polling Frequency, between 1 hour and 24 hours. This setting governs how often the service checks your inventory for changes to the imported devices. We recommend one day unless you make frequent changes to your inventory. You can choose Never to disable the import from HCM-F. The setting takes effect when you save the page. This setting removes from the serviceability connector the data that was previously imported from HCM-F. |
| 8 |
Click Verify to test that the account can authenticate itself with HCM-F. |
| 9 |
Click Add to save your changes. |
The Serviceability connector connects to HCM-F, and populates the Customers, Managed Devices, and Managed Clusters pages with read-only copies of that information.
You can click Update Now to force an immediate refresh of the data from HCM-F.
What to do next
The Customers page is always visible in the connector UI, even in non-HCM-F deployments. The page is empty unless you import data from HCM-F.
Create Accounts on Managed Devices
Configure an account on each device so that Serviceability Connector can authenticate itself to the devices when requesting data.
| 1 |
For Cisco Unified Communications Manager, IM and Presence Service, UCCX, and other VOS (Voice Operating System) products: |
| 2 |
For Cisco TelePresence Video Communication Server, or Cisco Expressway Series: |
| 3 |
For Cisco Unified Border Element: |
| 4 |
For Cisco BroadWorks Application Server, Profile Server, Messaging Server, Xtended Services Platform, and Execution Server: Use the system administrator account that you created when you installed the server. |
(Optional) Configure an ECP Connector Host with Locally Managed Unified CMs
If your connector host is an Expressway, you add each Unified CM publisher and subscriber separately. But, the ECP connector host automates adding the subscribers for each Unified CM publisher.
Remember to enable appropriate logging on all devices. The Serviceability Connector only collects logs, it doesn't enable the actual logging.
Before you begin
This task doesn't apply if you:
-
Run the connector host on an Expressway.
-
Use the HCM-F inventory to add devices to an ECP connector host.
| 1 |
On an ECP connector host, go to the web interface of your Serviceability Connector at After you install the Serviceability Connector, it prompts you to change your password when you first sign in. Change the default password, | ||||||||||||||
| 2 |
Click New. | ||||||||||||||
| 3 |
Select the Unified CM Type. You can only add a Unified CM publisher. The interface generates a unique Device Name using the selected type. | ||||||||||||||
| 4 |
Edit the Device Name. The default name identifies the device type and gives it a unique number. Modify the name to make it meaningful during conversations about this device. | ||||||||||||||
| 5 |
Enter the following information for the Unified CM publisher:
| ||||||||||||||
| 6 |
Click Verify to test that the account can authenticate itself to the managed device. | ||||||||||||||
| 7 |
Click Add. | ||||||||||||||
| 8 |
Repeat this task to add other Unified CM publishers to the Serviceability Connector configuration. |
You can now create a managed cluster for the publisher. That cluster automatically populates with the subscribers for the publisher. You can then add any of the subscribers from the cluster.
If you previously configured Unified CM subscribers on the connector, the Managed Devices page still lists them. But, the Alarms displays an alarm for each subscriber. Delete the old subscriber entries and then add the subscribers back through the managed cluster.
What to do next
(Optional) Configure Serviceability Connector with Locally Managed Devices
To get logs from your managed devices, you first specify the devices in the Serviceability Connector.
If your connector host is an Expressway, we strongly recommend that you configure the connector host as a locally managed device in the TAC use case. Then, TAC can help if your Serviceability Connector isn’t working as expected. But, an ECP connector host has no logs that TAC would request through the Serviceability Service.
When you add devices, include both the publisher and all subscribers for each Unified CM cluster.
Remember to enable appropriate logging on all devices. The Serviceability Connector only collects logs, it doesn't enable the actual logging.
Before you begin
| 1 |
Sign into your connector host and go to Managed Devices, as follows:
After you install the Serviceability Connector, it prompts you to change
your password when you first sign in. Change the default password,
|
| 2 |
Click New. |
| 3 |
Select the device Type. The interface generates a unique Device Name, based on the selected Type. |
| 4 |
Edit the Device Name. The default name identifies the device type and gives it a unique number. Modify the name to make it meaningful during conversations about this device. |
| 5 |
Enter the Address, FQDN or IP address, of the managed device. The remaining fields on the configuration page change depending on the type of device. Skip to the step that is relevant for your device, as follows: |
| 6 |
[VOS devices] Enter the details of the VOS device: |
| 7 |
[Expressway/VCS] Enter the details of an Expressway or VCS: |
| 8 |
[CUBE] Enter the details of a CUBE: |
| 9 |
[BroadWorks] Enter the details of a BroadWorks Server: |
| 10 |
Click Verify to test that the account can authenticate itself to the managed device. |
| 11 |
Click Add. |
| 12 |
Repeat this task to add other devices to the Serviceability Connector configuration. |
What to do next
(Optional) Configure an ECP Connector Host with Locally Managed Unified CM Clusters
Locally managed clusters in the connector configuration are groups of locally managed devices of the same type. When you configure a cluster on the Serviceability Connector, it doesn't create connections between the devices. The clusters only aid in sending a single command to a group of similar devices.
If your connector host is an Expressway, you create a cluster and add each Unified CM publisher and subscriber to it separately. But, the ECP connector host automates adding the subscribers to the cluster for each Unified CM publisher.
Remember to enable appropriate logging on all devices. The Serviceability Connector only collects logs, it doesn't enable the actual logging.
Before you begin
This task doesn't apply if you:
-
Run the connector host on an Expressway.
-
Use the HCM-F inventory to add devices to an ECP connector host.
| 1 |
On an ECP connector host, go to the web interface of your Serviceability Connector at |
| 2 |
Create a cluster for each Unified CM publisher: The connector polls the publisher and populates a list of its subscribers in the cluster.
|
| 3 |
Toggle the check box for each subscriber to add or remove it in the Managed Devices. For security reasons, the connector can't retrieve the sign-in credentials for the subscribers when it polls the publisher. When it creates the record for each subscriber, it defaults to the username and password for the publisher instead. If your subscribers have different sign-in credentials from your publisher, you must update the subscriber records. Unchecking the subscriber in the cluster automatically removes its record from the Managed Devices page. |
| 4 |
If necessary, change the default username and password for each subscriber on the Managed Devices page. |
| 5 |
Repeat this procedure for each managed cluster that you want to add. |
(Optional) Configure Serviceability Connector with Locally Managed Clusters
Locally managed clusters in the connector configuration are groups of locally managed devices of the same type. When you configure a cluster on the Serviceability Connector, it doesn't create connections between the devices. The clusters only aid in sending a single command to a group of similar devices.
You don't need to arrange locally managed devices into clusters.
If you’re importing clusters from HCM-F, the Clusters page shows read-only information about those clusters.
| 1 |
Sign into your connector host and go to Managed Clusters, as follows:
|
| 2 |
For each cluster of managed devices: The page shows the list of clusters, including your new cluster.
|
| 3 |
Repeat this procedure for each managed cluster that you want to add. |
(Optional) Configure local logging and problem report collection
| 1 |
Sign in to the Serviceability node and click Config Settings. |
| 2 |
(Optional) Set Keep a copy of collected logs locally to Allow and select the number of files to save. This allows the node to keep local copies of the logs that were remotely collected through it. |
| 3 |
(Optional) Change Enable endpoint prt log collection to Allow and select the number of files to save. |
| 4 |
(Optional) Change Restrict prt log collection from configured subnets to True if you want to restrict the networks this connector can see for collecting problem reports. You must enter the subnets you want to use. Use commas to separate multiple ranges. |
| 5 |
Click Save. |
Configure Upload Settings
To upload files to a case, use "Customer eXperience Drive" (CXD). This setting is the default when you configure Upload Settings for the first time.
If you need further assistance, call the Cisco Technical Assistance Center.
This task is only for the TAC use case.
In Cloud-Connected UC, the destination is preset. See the Cisco TAC Delivery Services Privacy Data Sheet for information on where this feature processes and stores data.
| 1 |
Sign into your connector host and go to Upload Settings, as follows:
|
| 2 |
For the TAC use case, check that the connector's Upload authentication method is Customer eXperience Drive. This setting is the default selection for new installations. |
| 3 |
Click Save. |
Configure remote collections on this Connector
The Service Connector allows remote collections by default. You can check to ensure that TAC has your permission to collect logs from your managed devices:
| 1 |
Sign into your connector host and go to Configuration, as follows:
|
| 2 |
For the TAC use case, change Collect data to store with Service Requests to Allow. This switch is set to Allow by default. If you change it to Deny, then you no longer receive the benefits of the Serviceability Connector. |
| 3 |
For the Cloud-Connected UC use case, ensure that Collect data for CCUC troubleshooting is Allow (the default). |
| 4 |
Click Save. |
What to do next
Start the Serviceability Connector
Before you begin
| 1 |
On an Expressway connector host, sign in and go to and click Serviceability. |
| 2 |
Click Serviceability Connector. |
| 3 |
Change the Active field to Enabled. |
| 4 |
Click Save. The connector starts and the status changes to Running on the Connector Management page. |
What to do next
Validate the Serviceability Connector Configuration
| 1 |
On an Expressway connector host, sign in and go to and click Serviceability. |
| 2 |
Check that Serviceability Connector is Running with No alarms. |
| 3 |
Check that managed device accounts can connect: |
Manage Serviceability Service
Access the Serviceability Connector platform web interface
You can open the web interface of the platform in the following ways:
- In a browser tab, navigate to
https://<IP address>/setup, for examplehttps://192.0.2.0/setup. Enter the admin credentials for that node and click Sign In. - If you are a Full Administrator and you already registered the node to the cloud, you can access the node from Control Hub (see following steps).
| 1 |
From the customer view in Control Hub, Go to . |
| 2 |
Under Resources on the Serviceability Service card, click View all. |
| 3 |
Click on the configured/registered connector and select Go to node. The browser opens the web admin interface of that node (the platform itself, not
the Serviceability Connector application).
|
What to do next
Access the Serviceability Connector application web interface
|
In a browser tab, navigate to The browser opens the web interface of the Serviceability Connector
application.
|
https://192.0.2.0:8443
Manage local logs
| 1 |
Sign in to the Serviceability node and click Collected Logs. This page lists logs that have been collected by this serviceability node. The list shows where the log came from (which managed device or cluster), the date and time it was collected, and the service that requested the log. |
| 2 |
(Optional) Sort or filter the logs using the controls in the column headers. |
| 3 |
Select the log that interests you and choose:
|
What to do next
When you are finished analyzing or archiving your logs, you should delete them from the Serviceability node. This reduces the local disk usage, so there is enough storage to collect future logs.
We added a disk usage monitor to protect the Serviceability node from becoming too full. The monitor raises an alarm when a log is collected but the disk does not have enough space to keep a copy. The monitor is configured to raise the alarm if utilization reaches 80%.
When this threshold is reached, the monitor also deletes all previously collected logs, to ensure there is enough capacity to store the next log collected by this node.
Collect problem reports
| 1 |
Sign in to the Serviceability node and click PRT Collector. This page lists problem reports previously collected by this node. The list shows the device name and the date of the problem report. You can search, sort, and filter the reports.
|
| 2 |
Click Generate to collect a report from a specific device. Supply the device name or MAC address, then click Generate. The device name must match the value as registered on the Unified CM. The serviceability connector queries its list of Unified CM nodes for the given device name. The dialog box shows progress and then a success message. The new problem report appears in the list.
|
| 3 |
Select the report and choose:
|
