500-444 Cisco Contact Center Enterprise Implementation and Troubleshooting Question and Answers

To build VXML applications, you need to use the Call Studio development platform. Call Studio is an Eclipse-based graphical tool that allows you to create, edit, debug, and test voice applications that run on the VXML Server. Call Studio provides a drag-and-drop interface to design the call flow logic, define the prompts and grammars, and configure the application settings. Call Studio also supports custom elements, Java code, and web services integration to extend the functionality of the voice applications12. References: Cisco Unified Customer Voice Portal Getting Started Guide, Release 12.5(1)1, Cisco Unified Customer Voice Portal Developer Guide, Release 12.5(1)2.

UC on UCS Spec Based is a deployment option for Cisco Unified Communications (UC) applications on Cisco Unified Computing System (UCS) servers that allows customers to choose their own hardware configuration based on a set of rules and guidelines1. The two descriptions that apply to UC on UCS Spec Based are:

• A: may be available as a packaged offer such as the Cisco Business Edition 7000 Platform. This is true because Cisco Business Edition 7000 (BE7000) is a packaged solution that includes a UCS server and preloaded UC applications that can be configured according to the customer’s needs. The UCS server can be either a Tested Reference Configuration (TRC) or a Specs-based configuration, depending on the customer’s preference and requirements2.
• C: defined as Rule Based. This is true because UC on UCS Specs-based deployments follow a set of rules and guidelines that define the minimum and maximum hardware specifications, such as CPU, memory, disk, network, and power supply, that are required to support the UC applications. The rules and guidelines also specify the supported virtualization software versions, co-residency policies, and performance expectations1.

The other options are incorrect because:

• B: VMware vCenter is required. This is false because VMware vCenter is not mandatory for UC on UCS Specs-based deployments, although it is recommended for managing multiple UCS servers and VMs. VMware vCenter is only required for certain UC applications, such as Cisco Unified Contact Center Enterprise (CCE) and Cisco Unified Intelligence Center (CUIC), or for certain features, such as VMware High Availability (HA) and VMware Distributed Resource Scheduler (DRS)13.
• D: defined as Configuration Based. This is false because UC on UCS Specs-based deployments are not defined by a fixed hardware configuration, but rather by a range of hardware specifications that can be customized by the customer. Configuration Based is a term that applies to UC on UCS TRC deployments, which are predefined and validated hardware configurations that are supported by Cisco1.
• E: VMware vSphere is optional. This is false because VMware vSphere is the only supported virtualization software for UC on UCS Specs-based deployments. VMware vSphere includes the VMware ESXi hypervisor and the VMware vCenter Server, which provide the virtualization platform and management tools for the UC applications. VMware vSphere is not optional, but rather mandatory for UC on UCS Specs-based deployments1.

References:

1: Cisco Collaboration Virtualization - Unified Communications in a Virtualized Environment 2: Cisco Business Edition 7000 Version 12.5 Ordering Guide 3: Cisco Collaboration Virtualization - VMware Requirements

Two upgrades for Common Ground are includes migration of windows registry and includes database migration. Common Ground is a type of upgrade that allows you to upgrade your Cisco Unified Contact Center Enterprise (CCE) components from one release to another without changing the hardware or operating system1. Common Ground upgrade is supported for virtualized deployments on VMware ESXi hosts1. Common Ground upgrade involves the following steps1:

• Back up the existing configuration and data using the Disaster Recovery System (DRS).
• Run the User Migration Tool to export the user accounts from the source domain to a file.
• Run the Enhanced Database Migration Tool (EDMT) to migrate the Historical Data Server (HDS), Logger, and Business Analytics (BA) databases from the source servers to the destination servers.
• Run the Regutil Tool to export the Cisco Systems, Inc. registry from the source servers to a file.
• Run the Unified CCE Installer on the destination servers to install the new release of Unified CCE software.
• Import the user accounts from the file using the User Migration Tool.
• Import the Cisco Systems, Inc. registry from the file using the Regutil Tool.
• Restore the configuration and data from the DRS backup.

The Common Ground upgrade includes migration of windows registry because the Regutil Tool is used to export and import the Cisco Systems, Inc. registry from the source servers to the destination servers. The registry contains important information about the Unified CCE configuration, such as the instance name, the peripheral ID, the system ID, and the license key2. The registry migration ensures that the destination servers have the same settings as the source servers after the upgrade2.

The Common Ground upgrade includes database migration because the EDMT is used to migrate the HDS, Logger, and BA databases from the source servers to the destination servers. The databases contain historical and real-time data about the Unified CCE system, such as the call records, the agent statistics, the skill group statistics, and the reporting data3. The database migration ensures that the destination servers have the same data as the source servers after the upgrade3.

The Common Ground upgrade does not update IP address as appropriate because the IP addresses of the source and destination servers are not changed during the upgrade. The IP addresses are configured during the initial installation of the Unified CCE software and are not modified by the upgrade process1.

The Common Ground upgrade does not update Hostname as appropriate because the hostnames of the source and destination servers are not changed during the upgrade. The hostnames are configured during the initial installation of the Unified CCE software and are not modified by the upgrade process

• Option A is correct because if one side of the ICM Logger fails, the other side can still receive historical data from both sides of the ICM Router. However, the failed side will not be able to receive any data until it is restored1.
• Option B is correct because the Peripheral Gateways (PGs) are connected to both sides of the ICM Router through the private LAN and the visible network. If the private LAN fails, the PGs can use the visible network to communicate with the active ICM Router and determine which side is the master2.
• Option D is correct because the ICM Router uses heartbeats to monitor the status of its duplex pair. If one side does not receive a heartbeat from the other side within a specified time interval, it assumes that the other side has failed and initiates a failover process3.
• Option C is incorrect because if one side of the ICM Logger fails, the impact of call processing is not limited to the corresponding side of the ICM Router. The ICM Router can still process calls using the data from the surviving ICM Logger side1.
• Option E is incorrect because there is some impact on call processing during an ICM Logger failure. For example, some historical reports may not be available, some configuration changes may not be replicated, and some call data may be lost4.
• Option F is incorrect because during an ICM Router failover, calls in progress in Cisco Unified Customer Voice Portal (CVP) are not disconnected. The CVP uses the Survivable Remote Site Telephony (SRST) feature to maintain the calls until the failover is completed5.

References:

• 1: Troubleshooting Cisco Contact Center Enterprise (CCET), page 2-4
• 2: Troubleshooting Cisco Contact Center Enterprise (CCET), page 2-6
• 3: Troubleshooting Cisco Contact Center Enterprise (CCET), page 2-8
• 4: Troubleshooting Cisco Contact Center Enterprise (CCET), page 2-10
• 5: Troubleshooting Cisco Contact Center Enterprise (CCET), page 2-12

 = In order to configure SAML SSO for PCCE, you need to create claim rules that specify the claims sent from ADFS to Cisco Identity Service as part of a successful SAML assertion. The claim rules define how to transform the incoming claims from the AD FS identity provider into the outgoing claims that are expected by the Cisco Identity Service relying party. The two claim rules that are required for PCCE are:

• sAMAccountName - Logon names maintained for backward compatibility. This claim rule maps the sAMAccountName attribute from the AD FS identity provider to the uid attribute in the outgoing claim. The uid attribute is used to identify the authenticated user in the claim sent to the applications. The sAMAccountName attribute is the logon name used to support clients and servers from a previous version of Windows1.
• E-Mail Address - For the Outgoing claim type. This claim rule maps the E-Mail-Addresses attribute from the AD FS identity provider to the mail attribute in the outgoing claim. The mail attribute is used to provide the email address of the authenticated user in the claim sent to the applications. The E-Mail-Addresses attribute is the primary email address of the user2.

The other options are not valid claim rules for PCCE. The user_principal option is not a valid attribute name in AD FS. The Unspecified option is not a valid claim type in AD FS. The uid option is not a valid attribute name in AD FS, but it is the outgoing claim type that is mapped from the sAMAccountName attribute.

References :=

• AD FS 2.0 Setup for SAML SSO Configuration Example
• Configure Single Sign-On with CUCM and AD FS 2.0
• Checklist - Creating Claim Rules for a Claims Provider Trust
• Notes on ADFS as SAML IdP for ISE User Portals

 Cisco Unified Border Element (CUBE) is a session border controller that provides session control, security, interworking, and demarcation for voice and video calls between the enterprise IP network and service provider SIP trunks1. When CUBE is used with CCE and CVP, it provides the following three features:

• Silent Monitor inbound voice calls: CUBE supports the silent monitoring feature for inbound voice calls from the PSTN to the CCE agents. This feature allows supervisors to listen to the agent-customer conversations without being noticed by either party. CUBE uses the built-in-bridge (BIB) capability of the agent phone to fork the media stream and send it to the monitoring server2.
• Secure communication using flow around mode: CUBE supports secure communication using Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP) for SIP signaling and media streams. CUBE can operate in flow around mode, where it terminates the TLS/SRTP sessions from the service provider and the enterprise, but does not perform any media processing or transcoding. This mode reduces the CPU load on CUBE and preserves the end-to-end media encryption3.
• Normalize SIP messages using SIP profiles: CUBE supports SIP normalization using SIP profiles, which are collections of parameters that modify the SIP messages that pass through CUBE. SIP profiles can be used to resolve interoperability issues between different SIP implementations, such as service providers, CVP, and CCE. SIP profiles can also be used to enhance the functionality of CUBE, such as adding or removing headers, modifying timers, and enabling features4.

References: Cisco Unified Border Element data sheet1, Cisco Unified Border Element Configuration Guide234.

The CLI command that manages the Java Keystore Certificate in Windows CCE servers is keytool. Keytool is a utility that is included in the Java Runtime Environment (JRE) and allows you to create, import, export, list, and delete certificates, keys, and keystores. A keystore is a repository of security certificates that can be used for SSL/TLS communication. The Java Keystore Certificate is the default keystore that is used by the Java applications running on the Windows CCE servers, such as the Web Setup tool, the Diagnostic Framework Portico, and the Unified Intelligence Center12. To use keytool, you need to open a command prompt window and navigate to the JRE bin directory, which is typically located at C:\Program Files\Java\jre\bin. Then, you can use the keytool command with various options and parameters to perform the desired operations on the Java Keystore Certificate34. References: Security Guide for Cisco Unified ICM/Contact Center Enterprise, Release 12.5 (1) and 12.5 (2)1, Implement CA Signed Certificates in a CCE 12.6 Solution2, SSL Certificate Installation - Java Based Web Servers - DigiCert3, Keytool - Oracle Help Center4.

The PCCE production deployment model on an ESXi server requires two validations: ensuring that the correct servers are on the correct sides and verifying that the correct RAM and CPU are being deployed. These validations are necessary to ensure that the PCCE components are configured properly and have sufficient resources to run smoothly. The other options are not relevant for the PCCE production deployment model on an ESXi server. Linux verification for containers is not applicable because PCCE does not use containers. The hypervisor provides enough power is not a validation step, but a prerequisite for the ESXi server. The lab is deployed properly is not a validation for the production deployment model, but for the lab deployment model. References: Virtualization for Cisco Packaged CCE Release 11.6(x)1, Deployment Type Info API2.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/pcce/pcce_12_5_1/release/guide/pcce_b_1251_pcce-release-notes/pcce_b_1251_pcce-release-notes_chapter_010.pdf

According to the Cisco documentation12, single sign-on (SSO) in PCCE can be implemented in one of these three modes:

• SSO - Enable all agents and supervisors in the deployment for SSO. This mode requires the use of SAML assertions to exchange authentication and authorization details between an identity provider (IdP) and an identity service (IdS)1.
• SAML - Security Assertion Markup Language (SAML) is an XML-based standard that allows the IdP to issue SAML assertions, which are packages of security information transferred from the IdP to the service provider for user authentication1. SAML is the underlying technology that enables SSO in PCCE2.
• Hybrid - Enable agents and supervisors selectively in the deployment for SSO. Hybrid mode allows you to phase in the migration of agents from a non-SSO deployment to an SSO deployment and enable SSO for local PGs. Hybrid mode is useful if you have third-party applications that don’t support SSO, and some agents and supervisors must be SSO-disabled to sign in to those applications1.

Option A is incorrect because Non-SSO is the opposite of SSO, and it means continuing to use existing Active Directory-based and local authentication, without SSO1. Option C is incorrect because ldS is a typo for IdS, which is not a mode but a component of SSO. Option D is incorrect because ldP is a typo for IdP, which is also not a mode but a component of SSO.

References:

• 1: Single Sign-On - Cisco3
• 2: Cisco Packaged Contact Center Enterprise Features Guide Release 11.6 (1) - Single Sign-On [Cisco Packaged Contact Center Enterprise] - Cisco

• SSO - Enable all agents and supervisors in the deployment for SSO.
• Hybrid - Enable agents and supervisors selectively in the deployment for SSO. ...
• Non-SSO - Continue to use existing Active Directory-based and local authentication, without SSO.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/pcce/pcce_12_6_1/maintenance/guide/pcce_b_features-guide-1261/pcce_b_features-guide-1261_chapter_01110.html

 The keytool command that lists certificates in the cacerts file is B: keytool -list -keystore cacerts. This command will display the aliases and fingerprints of all the certificates in the cacerts file, which is the default truststore for Java applications1. The cacerts file contains the root and intermediate certificates of various certificate authorities (CAs) that are trusted by Java2.

The other options are incorrect because:

• A: keytool -list -showinfo is not a valid keytool command, as the -showinfo option does not exist. The closest option is -v or -verbose, which will display more details about each certificate, such as the owner, issuer, serial number, validity period, signature algorithm, and extensions1.
• C: keytool -list cacerts is not a complete keytool command, as it is missing the -keystore option, which is required to specify the name or path of the keystore file to be listed. Without the -keystore option, the keytool command will assume the default keystore file, which is usually named .keystore in the user’s home directory1.
• D: keytool -list -alias is also not a complete keytool command, as it is missing the value of the -alias option, which is used to specify the alias of a particular entry in the keystore file to be listed. Without the value of the -alias option, the keytool command will display an error message, such as "keytool error: java.lang.Exception: Alias does not exist"1.

References:

1: keytool - Key and Certificate Management Tool 2: How to check a Certificate is in default cacerts 3: java - How to view and edit cacerts file? - Stack Overflow 4: HOW TO: Import or list certificates from Java cacerts file using … 5: Keytool: List Certificate - Java Certs - ShellHacks

 Active Directory (AD) is a directory service that provides centralized authentication, authorization, and management of users, computers, and resources in a network. AD is based on a hierarchical structure of domains, trees, and forests, where each domain represents a logical administrative unit with its own security policies and replication scope. AD also supports site topology, which defines the physical structure of the network based on locations and network links. Some of the considerations for AD are:

• Read-Only Domain Controllers (RODC) are supported. An RODC is a domain controller that hosts a read-only copy of the AD database and does not accept any changes from clients. RODCs are useful for improving security and performance in remote or branch offices that have unreliable or slow network connections to the main office. RODCs can also cache credentials for specific users and groups, and provide local authentication services without exposing the entire AD database12.
• Supports multi-domain, single AD Forest topology. A forest is a collection of one or more AD domains that share a common schema, configuration, and global catalog. A forest can have multiple domains that are organized in a tree structure, where each domain has a trust relationship with its parent domain. A multi-domain, single forest topology allows for administrative autonomy, scalability, and flexibility in managing different domains within the same organization. For example, a company can have separate domains for different regions, departments, or business units, and still share common resources and services across the forest34.

References:

• What is a Read-Only Domain Controller?
• Read-Only Domain Controller (RODC) Best Practices
• Designing the Site Topology
• Active Directory Domain Services Overview

The correct tools to download logs for CCE troubleshooting are:

• Diagnostic framework portico: This is a web-based interface that allows you to access various diagnostic tools and logs for CCE components. You can use it to run diagnostic tests, collect logs, view system status, and troubleshoot issues1.
• Unified System CLI: This is a command-line interface that allows you to access diagnostic tools and logs for CCE components from a single point of entry. You can use it to run diagnostic tests, collect logs, view system status, and troubleshoot issues2.
• RTTEST: This is a command-line tool that allows you to monitor the real-time status of CCE components and processes. You can use it to view the state of calls, agents, peripherals, routes, and scripts3.

References:

1: Diagnostic Framework Portico 2: Unified System CLI 3: RTTEST