Webex Cloud-Connected UC Directory Service support


The Limited Availability release of Webex Cloud-Connected UC Directory Service feature includes support for synchronization and management of users.

You can synchronize and manage users from cloud into on-premises or cloud UC infrastructure like Cisco Unified Communications Manager (Unified Communications Manager) and Cisco Unity Connection (Unity Connection) with the Webex Cloud-Connected UC Directory Service. During synchronization, the system imports a list of users and associated user data from the Azure Active Directory (or a similar Cloud Directory service) that is synchronized into the Webex Common Identity Service. You must select the Unity Connection cluster from Control Hub that needs synchronization, select the appropriate Unity Connection User ID field mapping, and then select the required synchronization agreement to perform synchronization.

Activate directory service

You must activate Directory Service for each cluster in Webex Cloud-Connected UC to allow synchronization and management of users from cloud into on-premises UC.


By default, Directory Service is not enabled for all the onboarded clusters.

1

From the customer view in Control Hub, go to Services > Connected UC. On the UC Management card, click Inventory.

The list of cluster groups appears with the description, status, clusters, and nodes.

2

Click Details next to the cluster group to which the node belongs.

The Inventory page appears, showing the list of clusters belonging to the selected cluster group.

3

Click Details next to the cluster to which the particular product node belongs.

The Node name with the version, product, and status appears.

4

Click the ellipsis icon next to Event History and choose Service Management.

The Service Management page appears with the list of services.

5

Use the toggle button to enable the Directory Service.

6

Click Submit.

Directory service

Use the Directory Service card to synchronize users from cloud-based directories into on-premises deployments.

1

From the customer view in Control Hub, go to Services > Connected UC.

2

On the Directory Service card, click View clusters. The Directory Service page appears.

You can view the list of cluster details on this page.

View cluster details

From the Cluster selection page in Directory Service, choose the cluster to which you want to synchronize the user data.

The Cluster selection page also provides the cluster details, status of provisioning, last synchronized state, the associated product, and the reason for failure, if any. You can also select the local time zone. The default browser time zone is selected.

Cluster Details: Description

  • Cluster Name: The name of the cluster.

  • Status: Status of synchronization.

  • Last synced: Date of the last synchronization.

  • Product: Details of the product.

Configure directory synchronization

Webex Cloud-Connected UC Directory Service synchronization allows you to import end user data from Azure directory into the Unity Connection database to display in the End User Configuration window.


Sometimes, you might experience additional delays in provisioning a cluster as we work on our fault tolerance and auto scaling capabilities. In such scenarios, provisioning still happens, although it takes considerable time. This issue will be addressed soon.

Do not schedule any telemetry COP file upgrades between 00:00 UTC and 06:00 UTC and avoid telemetry upgrades between any provisioning operations.

1

From the Cluster selection page in Directory Service, choose a cluster that you want to provision for enabling synchronization.

2

Click Start Provisioning.

3

In the Field Mapping configuration window, ensure that the mapping chosen for the Unity Connection User ID field uniquely identifies the user within the cluster after you start provisioning.

4

Choose the appropriate Unity Connection User ID field mapping for synchronizing the user from Webex:

  • User ID field in Unity Connection maps to email ID of the user in Webex.

  • Mail ID field in Unity Connection maps to email ID of the user in Webex.

  • User ID field in Unity Connection maps to email ID without domain part of the user in Webex.


     
    A new user account is created if the mapping cannot be done successfully for an existing user account in Unity Connection. The email ID of the user is used as the unique identifier for the newly created user account. This note is applicable for options 1 and 2.

5

Click Next.

6

Select an agreement from the drop-down list for creating a new synchronization agreement.

Once the new synchronization agreement is created, all the existing synchronization agreement(s) pointing to the on-premises directory are deleted. You can make changes to the new synchronization agreement after it’s created.

7

In the Agreement Preview section, review the agreement details (existing external LDAP directory details available in the Unity Connection) before you start the synchronization.

You can view the following details:

  • Group information

  • Applied Feature group template with universal line and device templates

  • Line and mask details to synced phone numbers for inserted users

  • Newly provisioned users and their extensions

  • Standard User Fields to be Synchronized section

  • Hostname or IP address of the directory server


 
The Group Information section is not applicable for Unity Connection, so it is not visible in the Agreement Preview section for Unity Connection.

8

Click Next to prepare the synchronization process.

9

In the Enable Synchronization window, enable the synchronization once the system successfully copies the user data into a temporary storage space in Unity Connection and a new synchronization agreement is created (after steps 1 and 2 as seen in the below screenshot).

10

The Download report option allows you to view the results partially. To fetch the complete reports for the Unity Connection cluster, execute the following CLI command:

    file get activelog /cm/trace/CIService/log4j/DryRunResults.csv

The dry run result for Unity Connection shows the following:

  • New Users—Users aren’t present in Unity Connection but present in Webex Identity Service. Users are created in Unity Connection after enabling synchronization.

  • Matched Users—Users are present in Unity Connection and Webex Identity Service. These users will continue to remain active in Unity Connection after synchronization is complete.

  • Mismatched Users—Users are present in Unity Connection and Webex Identity Service. These users are marked active in Unity Connection after synchronization is complete and will be deleted after 24 hours of inactivity.


 
You can check the report and decide whether you want to retain the same list of users and add or delete users. Based on the decision, you can stop the process and revert the provisioning changes.

 
You will observe a 20-hour delay in viewing the updated information due to caching behavior on Webex Identity Service. This behavior results in a delay in the propagation of the updated user data to the Unity Connection database from when changes are made in the cloud directory. We recommend that you wait for the subsequent periodic synchronization to complete to view the updated information.

11

After the synchronization agreement verification, click Preview in Unity Connection to sign in to your on-premises infrastructure and make changes to the newly created synchronization agreement.


 

VPN access is required.

12

Check the check box to agree to the terms that the synchronization agreement is reviewed and verified in Unity Connection.

13

Click Enable Synchronization to proceed with the synchronization.

During synchronization, you won’t be able to perform any action until completion. Once the synchronization is completed for a particular cluster, the Directory Service page lists this cluster with a Provisioned state. At this point, you've successfully authorized Azure AD to provision and synchronize Webex users into UC infrastructure and completed the steps to set up synchronization.

14

After the initial provisioning is completed, periodic synchronization happens every 24 hours. Any changes made in the cloud directory will be propagated to the clusters during this period.


 

You must enable synchronization within 20 hours from the time the new agreement is created. LDAP synchronized users become inactive and are removed after 24 hours of inactivity. Users won’t be able to log in and use the Unity Connection services.

After the Azure AD provisioning is completed for a certain cluster, you cannot create any new synchronization agreements or modify any configuration settings for the same cluster except for the group settings. If you want to create a new synchronization agreement for the same cluster, you should go to the Service Management page and disable the Directory Service. You can then create a new agreement for provisioning.


 
  • If you are using Azure IdP during SSO authentication after successful provisioning, ensure that you configure the right Claims in the Azure IdP. For example, during provisioning, if option 1 is selected for the userid mapping, ensure that user.userprincipalname is set as the UID in the ‘Additional Claims’ section.

  • You will observe a 20-hour delay in viewing the updated information due to caching behavior on Webex Identity Service. This behavior results in a delay in the propagation of the updated user data to the Unity Connection database from when changes are made in the cloud directory. We recommend that you wait for the subsequent periodic synchronization to complete to reprovision a cluster and view the updated information.
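Step 4 of the procedure above requires that the chosen User ID field mapping uniquely identifies each user, and option 3 (email ID without the domain part) can map two Webex users to the same value. The following is an added example, not Cisco code, that previews each option before provisioning; the uc_users record shape, the case-insensitive comparison, and the sample data are assumptions made for illustration.

```python
"""Preview the Unity Connection User ID field mapping before provisioning."""
from collections import defaultdict


def mapped_value(email, option):
    """Webex-side value compared with Unity Connection for mapping option 1-3."""
    email = email.strip().lower()  # assumption: matching is case-insensitive
    if option in (1, 2):  # options 1 and 2 use the full email ID
        return email
    if option == 3:  # option 3 uses the email ID without the domain part
        return email.split("@", 1)[0]
    raise ValueError(f"unknown mapping option: {option}")


def preview(webex_emails, uc_users, option):
    """Classify Webex users for one mapping option.

    uc_users is a list of dicts with 'user_id' and 'mail_id' keys
    (hypothetical record shape, not a Cisco export format).
    """
    uc_field = "mail_id" if option == 2 else "user_id"
    existing = {(u.get(uc_field) or "").strip().lower() for u in uc_users}
    existing.discard("")
    by_value = defaultdict(set)
    for email in webex_emails:
        by_value[mapped_value(email, option)].add(email.strip().lower())
    # Two or more Webex users mapping to one value break uniqueness.
    collisions = {v: sorted(e) for v, e in by_value.items() if len(e) > 1}
    unique = [v for v in by_value if v not in collisions]
    return {
        "collisions": collisions,
        "matched": sorted(v for v in unique if v in existing),
        # No existing account maps to these values; for options 1 and 2
        # the note in step 4 says a new account is created.
        "new": sorted(v for v in unique if v not in existing),
    }


# Constructed sample data, not taken from any real deployment.
WEBEX = ["alice@example.com", "bob@example.com", "alice@corp.example.net"]
UC = [
    {"user_id": "alice", "mail_id": "alice@example.com"},
    {"user_id": "bob", "mail_id": ""},
]

if __name__ == "__main__":
    for opt in (1, 2, 3):
        print(opt, preview(WEBEX, UC, opt))
```

A non-empty collisions entry means the option does not uniquely identify users for this data set, and a large new list for option 1 or 2 means existing accounts would be duplicated rather than matched.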

Import users for Unity Connection

You can import Azure AD users manually from Import Users in Cisco Unity Connection after cluster provisioning is done from Control Hub.

The two ways of importing users are as follows:

1

In Cisco Unity Connection Administration, expand Users and select Import Users.

2

On the Import Users page, import the Azure AD user accounts to create Unity Connection users.

  1. Select LDAP Directory in the Find End Users In field.

  2. Select the template on which the new user is based.

  3. Specify the Alias, First Name, or Last Name of the Azure AD user accounts that you want to import.

  4. Check the check boxes against the user accounts that you want to import and select Import Selected.

1

In Cisco Unity Connection Administration, expand Tools and select Bulk Administration Tool.

2

To add Unity Connection users, perform the following steps on the Bulk Administration Tool page:

  1. From Select Operation, select Export.

  2. From Select Object Type, select Users from LDAP Directory.

  3. Enter the values in all the required fields.

  4. Select Submit.

    This creates a CSV file with the Azure AD user data. Open the CSV file in a spreadsheet application or in a text editor and edit the data as applicable. Now, import the data from the CSV file.

  5. From Select Operation, select Create.

  6. From Select Object Type, select Users with Mailbox.

  7. Enter the values in all the required fields.

  8. Select Submit.

3

When import is complete, review the file that you specified in the Failed Objects Filename field to verify that all users are created successfully.

Troubleshooting synchronization issues

This section provides the necessary information and solutions to resolve some of the common issues that you might face during the various stages of synchronizing users from Control Hub into the Unity Connection database.

Mismatched users

Enable synchronization within 20 hours after the new agreement is created. The existing users are marked inactive and are deleted from Unity Connection after 24 hours of inactivity.

Error—Data Copy Failed. Please Retry

  • Communication between Cloud-Connected UC and Webex cloud is disrupted or unable to fetch user data from Webex cloud.

  • Communication between Cloud-Connected UC and Unity Connection is disrupted or unable to push user data to Unity Connection database.

  • User data is not copied to the temporary storage location.

Error—Failed to Create Synchronization Agreement. Please Retry

  • Communication between Cloud-Connected UC and Unity Connection is disrupted or unable to push the synchronization agreement data into the Unity Connection database.

  • Synchronization agreement was not created successfully.

Unable to get Synchronization agreement details. Please try after some time.

Communication between Cloud-Connected UC and Unity Connection is disrupted.

Known issues for Unity Connection

  • If you are migrating from OnPrem AD to Azure AD, then you cannot ‘Abandon’ the synchronization process.

    Unity Connection updates the User Alias at Step 1 of the Enable synchronization page (as per the selected mapping on the Control Hub). If you do not want to take the synchronization procedure to completion, you should re-synchronize with the OnPrem AD to get the user alias back to the original state.