Chapter 18. Configure Webex Hybrid Calendar Service

This chapter covers the following topics:

Images Calendar Service Operation: This topic will explain an overview of the Hybrid Calendar Service and its operation.

Images Expressway-Based Calendar Connector: This topic will describe how to deploy the Expressway-based Calendar Connector to your environment.

Images Google Calendar Deployment in the Cloud: This topic will recapitulate the deployment process of the Google Calendar integration.

Images Office 365: This topic covers the deployment of cloud Office 365 with the Hybrid Calendar Service.

Images One Button to Push (OBTP): This topic covers the One Button to Push feature and its integration with the Hybrid Calendar Service.

This chapter covers the following objectives from the Implementing Cisco Collaboration Cloud and Edge Solutions (CLCEI) exam 300-820:

Images 4.2.a Calendar Service (Office 365, Microsoft Exchange, One Button to Push)

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 18-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 18-1 ”Do I Know This Already?” Section-to-Question Mapping

Images

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


1. Under the meeting list in Cisco Webex, how long in advance can users see upcoming meetings if using?

a. 1 Week

b. 2 Weeks

c. 4 Weeks

d. 8 Weeks

2. Which of the following is a micro-service on the Expressway-C is the on-premises component of the Hybrid Calendar Service?

a. Calendar Connector

b. Management Connector

c. Directory Connector

d. Call Connector

3. True or False? The Expressway-C connector hosts supports dual NIC deployments.

a. True

b. False

4. How many user emails can be associated with a single Hybrid Calendar integration?

a. Unlimited

b. Three

c. Ten

d. One

5. Which API service does the Cisco Hybrid Calendar Service utilize with Microsoft Office 365 environment?

a. Microsoft Graph API

b. Microsoft Edge

c. Microsoft Stream API

d. Microsoft Discovery Service API

6. To deploy the One Button to Push feature on video devices, what Hybrid Service is required?

a. Webex Hybrid Directory Service

b. Webex Hybrid Calendar Service

c. Webex On-premises Service

d. Webex Hybrid Message Service

Foundation Topics

Calendar Service Operation

Cisco Webex Hybrid Calendar Service leverages information from users’ Microsoft Exchange, Office 365, or Google Calendar to make meetings and their workflow more efficient. With one of the simplest meeting scheduling on the market, this benefit applies to all users, whether they are in the office or on a mobile device. However, it especially makes scheduling from mobile devices easier. As more and more users become mobile, they want to schedule meetings from their mobile phones. Modern built-in mobile calendar applications do not allow plug-ins. Consequently, there is no easy way to add a Cisco Webex Space or meeting join information in a mobile app. Using a web-based calendar for scheduling, such as Microsoft Outlook Web Access (OWA), is difficult and forces users to manually copy and paste the meeting join information. This problem is so significant that many users wait until they get to the office to open their laptop and schedule meetings.

Cisco Webex Hybrid Calendar Service overcomes these issues so that you can schedule meetings and create a Cisco Webex Space on any device, anywhere. Adding the phrase “@webex:space” to the location line of the meeting invitation automatically opens a new Cisco Webex workspace with the invitees, allowing that team to begin the conversation and share documents and ideas before the meeting even starts. It also automatically populates the body of the invitation with the meeting join information and adds an artifact to the team workspace so the team knows a meeting has been scheduled. Attendees can then join the meeting from the Cisco Webex workspace. If users do not need a workspace and just need to meet, they can add the phrase “@webex” to the location field of the invitation. The invitation is automatically populated with the meeting join information, allowing the users to enjoy Cisco Webex Meetings. These capabilities do not require any plug-ins. No manual cutting and pasting of information is necessary. Simply adding “@webex:space” or “@webex” to a meeting invitation allows people to schedule meetings from any device.

In addition to the scheduling keywords, the Hybrid Calendar Service can parse a SIP URI or other video address from the body of a calendar invitation, even if it is not a Webex standard meeting, Webex Personal Room meeting, or Webex team meeting address. When the address matches a supported format, the meeting appears in invitees’ meetings lists and meeting notifications in the Webex app. The meeting also appears in the list on any scheduled room or desk devices that are enabled for the Hybrid Calendar Service, and the devices show the green Join button (One Button to Push) just before the meeting starts.

The meetings list in Cisco Webex lets users see upcoming meetings for the next 4 weeks. Users see a Join button in the meetings list and a scheduled meeting notification 5 minutes before the meeting starts.

Users can add Cisco Webex room and desk devices and Webex Boards to a meeting to make conferencing resources available. If the device is enabled for the Hybrid Calendar Service, the green Join button appears on the device. (The Join button is also known as One Button to Push and is also available to devices that are registered to Cisco Unified Communications Manager and managed by Cisco TelePresence Management Suite.) Hybrid Calendar Service-enabled room and desk devices can also show meetings to which they have been invited in the meetings list.

Expressway-Based Calendar Connector

The Cisco Expressway-C Connector Host is a standard Cisco Expressway-C server deployed within the customer’s organization to provide an integration point between the on-premises and cloud collaboration services. The integration between the Cisco Expressway-C server and Cisco Webex is facilitated via micro-services installed and managed on the Expressway-C Connector Host by Webex. These micro-services enable hybrid services integration. The Management Connector is included in the Expressway-C base. You use it to register an Expressway to the cloud and link the Expressway interface with Cisco Webex Control Hub. The Management Connector plays an important role as the coordinator of all connectors running on the Expressway server or cluster. It provides you with a single point of control for connector activities. The Management Connector enables cloud-based management of the on-premises connectors, handles initial registration with the cloud, manages the connector software lifecycle, and provides status and alarms.

For an HTTPS connection to be established between the Management Connector and the cloud, you must update the trust list on the Expressway-C connector host with certificates that were signed by certificate authorities (CA) in use by the Cisco Webex cloud. You can allow the Cisco Webex cloud to upload CA certificates to the Expressway-C trust store. Or, in the case where security policies prevent the Cisco Webex cloud from uploading trusted certificate authority certificates on Expressway-C, you may upload them manually.

Figure 18-1 shows the components of Hybrid Calendar Service architecture and where the Expressway-based connectors integrate the on-premises components with the cloud.

Images

Figure 18-1 Hybrid Calendar Service Architecture

Images

The Calendar Connector is the on-premises component of the Hybrid Calendar Service. The connector runs on an Expressway-C host that you register to the Cisco Webex cloud. The Calendar Connector acts like a broker between the cloud and your Microsoft Exchange (on-premises), Office 365 (cloud), or both (Hybrid Exchange deployment). The connector acts on behalf of users, similar to the way a client application would access a user’s calendar information. The connector uses the impersonation role (which you can restrict to a subset of users) and uses Exchange Web Services to:

Images Autodiscover where users are homed.

Images Listen for notifications on a user’s calendar.

Images Retrieve information on a user’s calendar items and Out-of-Office status.

Images Populate meeting invitations with details of Cisco Webex spaces and Webex personal rooms.

The Hybrid Calendar Service is designed to minimize security concerns in a hybrid environment:

Images The cloud cannot retrieve or access the Exchange credentials from the connector.

Images The cloud has no direct access to Exchange through the connector.

Images The connector does not access any user email or contacts.

Images The connector does not create search folders or other extra folders for the user.

Images The connector is not an Exchange Foreign connector.

Images The connector does not interact with the Exchange Hub transport server.

Images No AD schema extensions are required.

In production Exchange, the Calendar Connector increases the CPU usage and load on the CAS and MBX servers. The impact on your Exchange environment depends on:

Images Your Exchange deployment.

Images The number of configured users.

Images The number of meetings that the Hybrid Calendar Service updates per user per hour.

Images The size of calendars.

With the release of the cloud-based service for Office 365 users, you can now choose whether to deploy only the Expressway-based Calendar Connector, a combination of the Calendar Connector and the cloud-based service, or, if you have no Microsoft Exchange users, deploy only the cloud-based service. The cloud-based service can scale beyond the 1000 user limit for Office 365 users and is simpler to deploy and maintain. It does not service Microsoft Exchange users. If you deploy it alongside the Calendar Connector, your Office 365 users automatically move to the cloud-based service (unless they are in resource groups).

The cloud-based service supports the Cisco TelePresence Management Suite (Cisco TMS) scheduling option. This integration allows the service to leverage your on-premises resource management and conference hosting environment for simplified meeting scheduling. The integration also extends the One Button to Push (OBTP) meeting join experience to a wide range of video devices. The cloud-based service links to the on-premises Cisco TMS by using the Calendar Connector. For this reason, you cannot deploy the Cisco TMS integration in the same organization with a Calendar Connector that is configured for Microsoft Exchange or Office 365.

Each user’s email address in the calendar system (Microsoft Exchange or Office 365) must match their Cisco Webex login address. To use @webex, the address should also match the user’s Cisco Webex account address. If it does not, users must associate their Webex Personal Room with in the Cisco Webex app to use @webex. Each Webex user can only have one email address associated with only one Hybrid Calendar Service integration. In other words, the Hybrid Calendar Service will only process meetings from a single address for creating spaces, decorating meetings, showing the meetings list and join button, and sending One Button to Push (OTBP) to video devices.

Images

Calendar Connector integrates Cisco Webex with Microsoft Exchange 2013, 2016, 2019 or Office 365 through an impersonation account. The application impersonation management role in Exchange enables applications to impersonate users in an organization to perform tasks on behalf of the user. The application impersonation role must be configured in Exchange and is used in the Calendar Connector as part of the Exchange configuration on the Expressway-C interface. The Exchange impersonation account is Microsoft’s recommended method for this task. Expressway-C administrators do not need to know the password, because the value can be entered in the Expressway-C interface by an Exchange administrator. The password is not clearly shown, even if the Expressway-C administrator has root access to the Expressway-C box. The password is stored encrypted using the same credential encryption mechanism as other passwords on the Expressway-C.

Before you begin to set up an impersonation account for on-premises Microsoft Exchange, you must choose a mail-enabled account to use as the service account. The account does not have to be an administrator, but it must have a mailbox. Do not use an impersonation account that is used by other services such as Cisco Unity Connection, Cisco TMSXE and so on. If you limited the set of users that are synchronized with Active Directory using LDAP filters, you may want to limit the impersonation by using a new or existing management scope in Exchange. For instructions and more detailed information from Microsoft on management scopes and impersonation, see the Microsoft Docs ApplicationImpersonation role article.

Step 1. Sign into a server on which Exchange Management Shell is installed. Sign in with one of the following accounts:

Images An account that is a member of the Enterprise Admins group.

Images An account that can grant permissions on Exchange objects in the configuration container.

Step 2. Run the following command in Exchange Management Shell:

new-ManagementRoleAssignment -Name:RoleName -Role:ApplicationImpersonation -User ‘ServiceUserName’

where:

Images RoleName is the name that you want to give the assignment, for example, CalendarConnectorAcct. The name that you enter for RoleName appears when you run get-ManagementRoleAssignment.

Images ServiceUserName is the name of the account you selected, in domainalias format.

Next, you may set up an impersonation account for Office 365. Give impersonation permissions to the service account that the Calendar Connector will use with Office 365. Do not use an impersonation account that is used by other services such as Cisco Unity Connection, Cisco TMSXE and so on. You must choose a mail-enabled account for this task. The account does not have to be an administrator, but it must have a mailbox. Ensure that the service account can authenticate with the authentication service or directory that is used in your deployment. For a hybrid Exchange on-premises and Office 365 integration, you can use a simplified configuration with a single impersonation account if your deployment meets all the following criteria:

Images You synchronize your on-premises Exchange accounts to the Office 365 cloud.

Images The impersonation account that you use must also be synchronized the Office 365 cloud, and the account’s userPrincipalName must match one of its SMTP addresses.

Images You administer all users in the on-premises Active Directory, including users whose mailboxes have been migrated to the Office 365 cloud.

Images You synchronize passwords or have a configured a federation so that users have a single password both on-premises and in the cloud.

Images Your Exchange is configured such that all autodiscovery requests reach the on-premises environment. (If a mailbox has been migrated, the response indicates the relocation and provides the cloud email address.)

In the simplified configuration, you use a single impersonation account to service all users. Because ApplicationImpersonation privileges that you assign on-premises do not automatically apply to mailboxes homed in the Office 365 cloud, you must still explicitly assign these privileges.

For a hybrid integration that does not meet these criteria, follow this procedure, and use a different service account for impersonation than you used in set up an impersonation account for on-premises Microsoft Exchange. Later, you will set up two Exchange configuration records on the Expressway-C: one for the Exchange on-premises integration, and one for the Office 365 integration.

Step 1. Log in to the Office 365 Admin Center using the administrator account.

Step 2. Under Admin, select Exchange.

Step 3. Select Permissions.

Step 4. Under Admin Roles, create a new role group and enter a descriptive name, such as ImpersonationGroup.

Step 5. Under Roles, add a new role. Select ApplicationImpersonation role.

Step 6. Add the role to the group, and then select OK.

Step 7. Add the service account to be used for impersonation to the group.

Complete the Prerequisites for Hybrid Calendar Service

Step 1. Allow time to configure the impersonation account.

Step 2. Install or make sure you are running a supported calendar environment.

Step 3. Ensure that users are listed in Active Directory and have a discoverable mailbox in the organization’s Exchange server.

Step 4. (Optional) Download the latest Directory Connector software from Cisco Webex Control Hub (https://admin.webex.com) and use it to import user attributes from your Active Directory.

Step 5. Provide the following port access:

Images Port access for HTTPS or secure web sockets outbound from Expressway to *.rackcdn.com, *.ciscospark.com, *.wbx2.com, *.webex.com, and *.clouddrive.com: TCP port 443 (secure)

Images Port access for EWS outbound from Expressway to Exchange: TCP port 443 (secure) or TCP port 80 (nonsecure)

Images Port access for LDAP outbound from Expressway to Active Directory: TCP port 636 (secure) or TCP port 389 (nonsecure)

Images Port access for Microsoft Global Catalog search: TCP port 3269 (for Global Catalog search secured by SSL) or TCP port 3268 (for unsecured Global Catalog search).

Step 6. For @webex functionality, configure or use a Cisco Webex Meetings site. You must enable the Personal Room feature for the site and for the individual users.

Step 7. To make One Button to Push (OBTP) available for Unified CM-registered endpoints managed by TMS:

Images Set up Cisco TMS 15.0 and Cisco TMSXE 5.0 or higher with Microsoft Exchange integration. See the Cisco Collaboration Meeting Rooms (CMR) Hybrid Configuration Guide (TMS 15.0 - Webex Meeting Center WBS30). TMS and XE require no additional configuration to support Hybrid Calendar Service.

Images To make conference rooms schedulable in Microsoft Outlook/Exchange, configure them in XE as if you were using on-premises conferencing. To configure rooms in Exchange, use the Cisco TelePresence Management Suite Extension for Microsoft Exchange Administration Guide.

Images Understand the licensing requirements:

• TMS and XE Licensing is the same as if using on-premises resources. You require enough licenses to cover the number of endpoints that will use OBTP. A TMS license is needed to manage the endpoint and to push the speed dial button on the touchpad at the time of the scheduled conference. A TMS-XE license is needed for the endpoint to be scheduled in Exchange.

• For Unified CM-registered endpoints, OBTP works with Hybrid Calendar Service and Productivity Tools plugin for meeting invitations:

• Hybrid Calendar Service (scheduling keywords or supported video address) populates the user attribute “TMS:ExternalConferenceData” with the SIP URI for TMS to set the OBTP dial string.

• Productivity Tools plugin populates the attribute “UCCapabilities” attribute with the SIP URI for TMS to set the OBTP dial string.

Images If you plan to deploy a hybrid Exchange environment with Office 365, you must enable TNEF for remote domains in Exchange Online. Having TNEF disabled causes Exchange Online to strip the TMS:ExternalConferenceData and UCCapabilities attributes, breaking OBTP for Unified CM-registered endpoints. For more information on TNEF, see https://docs.microsoft.com/en-us/exchange/mail-flow/content-conversion/tnef-conversion.

If you have on-premises conferencing, you can add OBTP with Cisco Webex Meetings and run both at same time. We support OBTP functionality only; auto connect is not available.

For Cisco Webex Hybrid Services, Cisco recommend that the Expressway-C be dedicated to hosting connectors for Cisco Webex Hybrid Services. You can use the Expressway-C connector host for other purposes, but that can change the supported number of users. As an administrator of hybrid services, you retain control over the software running on your on-premises equipment. You are responsible for all necessary security measures to protect your servers from physical and electronic attacks. Use this following checklist to prepare an Expressway-C for Cisco Webex Hybrid Services before you register it to the Cisco Webex cloud to host hybrid services connector software.

Step 1. Obtain full organization administrator rights before you register any Expressways and use these credentials when you access the customer view in Cisco Webex Control Hub (https://admin.webex.com).

Step 2. Plan your connector capacity by referring to User Capacity Limits for Expressway-based Hybrid Services (https://help.webex.com/en-us/nv5p67g/User-Capacity-Limits-for-Expressway-Based-Hybrid-Services).

Step 3. Deploy the Expressway-C connector host in a cluster to account for redundancy. Follow the supported Expressway scalability recommendations:

Images For Hybrid Calendar Service (Exchange or Office 365) on a dedicated Expressway-C:

• Calendar Connector supports a single cluster with up to 2 Expressway-C nodes.

• Calendar Connector can under-provision users. If a single node fails, the system has extra capacity for all users to fail over to the working node. If one of the nodes fails in the cluster, the discovery and assignment services move users to the working node in approximately 30 seconds.

• The service catches up on any missed notifications if there is an outage.

Hybrid Calendar Service is highly available if Exchange and Cisco Expressways are deployed in a cluster. The same guidelines apply for the Expressway-C connector host clustering.

Step 4. Follow these requirements for the Expressway-C connector host.

Images Install at least the minimum supported Expressway software version.

Images Install the virtual Expressway OVA file according to the Cisco Expressway Virtual Machine Installation Guide on cisco.com, after which you can access the user interface by browsing to its IP address. You can find the document in the list of Cisco Expressway Install and Upgrade Guides on cisco.com.

The serial number of a virtual Expressway is based on the virtual machine’s MAC address. The serial number is used to validate Expressway licenses and to identify Expressways that are registered to the Cisco Webex cloud. Do not change the MAC address of the Expressway virtual machine when using VMware tools, or you risk losing service.

Images You do not require a release key, or an Expressway series key, to use the virtual Expressway-C for Cisco Webex Hybrid Services. You may see an alarm about the release key. You can acknowledge it to remove it from the interface.

Images Use the Expressway web interface in a supported browser. The interface may or may not work in unsupported browsers. You must enable JavaScript and cookies to use the Expressway web interface.

Step 5. If this is your first time running the Expressway, you get a first-time setup wizard to help you configure it for Cisco Webex Hybrid Services. If this is not the first-time setup, select Cisco Webex Hybrid Services. This ensures that you will not require a release key.

Step 6. Check that the following requirements are met for the Expressway-C connector host. You would normally do this during installation. See the Cisco Expressway Basic Configuration Deployment Guide, in the list of Cisco Expressway Configuration Guides on cisco.com, for more details.

Images Basic IP configuration (System > Network interfaces > IP)

Images System name (System > Administration settings)

Images DNS settings (System > DNS)

Images NTP settings (System > Time)

Images New password for admin account (Users > Administrator accounts, click Admin user then Change password link)

Images New password for root account (Log on to CLI as root and run the passwd command)

Note that the Expressway-C connector hosts do not support dual NIC deployments.

Step 7. Configure the Expressway-C as a “cluster of one”:

Images We recommend that you configure the Expressway as a primary peer before you register it, even if you do not currently intend to install an extra peer.

• When you change clustering settings on X8.11 and later, be aware that removing all peer addresses from the System > Clustering page signals to the Expressway that you want to remove it from the cluster. This causes the Expressway to factory reset itself on its next restart. If you want to remove all peers but keep configuration on the remaining Expressway, leave its address on the clustering page and make it the primary in a “cluster of one”.

Images Here are the minimum clustering settings required, but the Cisco Expressway Cluster Creation and Maintenance Deployment Guide has more detail:

• Enable H.323 protocol. On Configuration > Protocols > H.323 page, set H.323 Mode to On. H.323 mode is required for clustering, even if the Expressway does not process H.323 calls. You may not see the H.323 menu item if you used the Service Select wizard to configure the Expressway for Hybrid Services. You can work around this problem by signing in to the Expressway console and issuing the command: xconfig H323 Mode: “On”.

System > Clustering > Cluster name should be an FQDN. Typically this FQDN is mapped by an SRV record in DNS that resolves to A/AAAA records for the cluster peers.

• System > Clustering > Configuration primary should be 1.

System > Clustering > TLS verification mode should be Permissive, at least until you add a second peer. Select Enforce if you want cluster peers to validate each other’s certificates before allowing intercluster communications.

System > Clustering > Cluster IP version should match the type of IP address of this Expressway-C.

System > Clustering > Peer 1 address should be the IP address or FQDN of this Expressway.

• Each peer FQDN must match that Expressway’s certificate if you are enforcing Transport Layer Security (TLS) verification.

To ensure a successful registration to the cloud, use only lowercase characters in the hostname that you set for the Expressway-C. Capitalization is not supported at this time.

Step 1. If you have not already done so, open required ports on your firewall.

Images All traffic between Expressway-C and the Cisco Webex cloud is HTTPS or secure web sockets.

Images TCP port 443 must be open outbound from the Expressway-C. See https://collaborationhelp.cisco.com/article/WBX000028782 for details of the cloud domains that are requested by the Expressway-C.

Step 2. Get the details of your HTTP proxy (address, port) if your organization uses one to access the internet. You will also need a username and password for the proxy if it requires basic authentication. The Expressway cannot use other methods to authenticate with the proxy.

Images We tested and verified Squid 3.1.19 on Ubuntu 12.04.5.

Images We have not tested auth-based proxies.

Images If your organization uses a TLS proxy, the Expressway-C must trust the TLS proxy. The proxy’s CA root certificate must be in the trust store of the Expressway. You can check if you need to add it at Maintenance > Security > Trusted CA certificate.

Images The details of the proxy, as configured on the primary Expressway in the connector host cluster, are shared throughout the Expressway cluster. You cannot configure different proxies for different nodes in the cluster.

Step 3. Review these points about certificate trust. You can choose the type of secure connection when you begin the main setup steps.

Images Cisco Webex Hybrid Services requires a secure connection between Expressway-C and Cisco Webex.

Images You can let Cisco Webex manage the root CA certificates for you. However, if you choose to manage them yourself, be aware of certificate authorities and trust chains; you must also be authorized to make changes to the Expressway-C trust list.

Images Access to the Expressway CA trust list may also be required if you want to secure the connections between Expressway-C and Microsoft Exchange, or between Expressway-C and Microsoft Active Directory, when configuring the Calendar Connector.

Next, we will configure a throttling policy and apply it to the impersonation account. A custom throttling policy helps the Calendar Connector work smoothly:

Images The custom policy removes EWS limits from the impersonation account, to avoid issues such as maxconcurrency.

Images The custom policy is tailored for an enterprise application. (The default policy is tailored for user load.)

This procedure is not required for Office 365.

Step 1. In Exchange Management Shell, create the policy.

New-ThrottlingPolicy -Name “CalendarConnectorPolicy” -EWSMaxConcurrency unlimited -EWSMaxBurst unlimited -EWSRechargeRate unlimited -EWSCutOffBalance unlimited -EWSMaxSubscriptions 5000

Step 2. If the impersonation account does not have a mailbox, run the following command:

Enable-Mailbox “impersonation account” -Database “database name”

Step 3. Apply the new policy to the impersonation account:

Set-ThrottlingPolicyAssociation -Identity “impersonation account” -ThrottlingPolicy “CalendarConnectorPolicy”

Imagesimpersonation account” is the name of the impersonation account you are using as the service account for the Calendar Connector.

Images CalendarConnectorPolicy is the name of the policy that you created in the previous steps.

Step 4. Confirm that the mailbox is using the new policy:

Get-ThrottlingPolicyAssociation -Identity “impersonation account” | findstr “ThrottlingPolicy

Next, we will register Expressway-C Connector Hosts to the Cisco Webex Cloud. Cisco Webex Hybrid Services use software connectors hosted on Expressway-C to securely connect Cisco Webex to your organization’s environment. Use this procedure to register Expressway-C resources to the cloud. After you complete the registration steps, the connector software is automatically deployed on your on-premises Expressway-C.

Before you begin, make sure your Expressway-C is running on a version that is supported for hybrid services. See the Supported Versions of Expressway for Cisco Webex Hybrid Services Connectors documentation (https://help.webex.com/article/ruyceab) for more information about which versions are supported for new and existing registrations to the cloud. Then, sign out of any open connections to the Expressway-C interface that are open in other browser tabs. Also, if your on-premises environment proxies the outbound traffic, you must first enter the details of the proxy server on Applications > Hybrid Services > Connector Proxy before you complete this procedure. Doing so is necessary for successful registration.

Step 1. From the customer view in https://admin.webex.com, go to Services, and then choose one:

Images If this is the first connector host you are registering, click Set up on the card for the hybrid service you are deploying, and then click Next.

Images If you have already registered one or more connector hosts, click View all on the card for the hybrid service you are deploying, and then click Add Resource.

The Cisco Webex cloud rejects any attempt at registration from the Expressway web interface. You must first register your Expressway through Cisco Webex Control Hub because the Control Hub needs to hand out a token to the Expressway to establish trust between premises and cloud to complete the secure registration.

Step 2. Choose a method to register the Expressway-C:

Images New Expressways – choose Register a new Expressway with its Fully Qualified Domain Name (FQDN), enter your Expressway-C IP address or fully qualified domain name (FQDN) so that Cisco Webex creates a record of that Expressway-C and establishes trust, and then click Next. You can also enter a display name to identify the resource in Cisco Webex Control Hub. Caution to ensure a successful registration to the cloud, use only lowercase characters in the hostname that you set for the Expressway-C. Capitalization is not supported at this time.

Images Existing Expressways – choose Select an existing Expressway cluster to add resources to this service, and then choose the node or cluster from the drop-down that you previously registered. You can use it to run more than one hybrid service.

If you are registering a cluster, register the primary peer. You do not need to register any other peers, because they register automatically when the primary registers. If you start with one node set up as a primary, subsequent additions do not require a system reboot.

Step 3. Click Next, and for new registrations, click the link to open your Expressway-C. You can then sign in to load the Connector Management window.

Step 4. Decide how you want to update the Expressway-C trust list:

Images A check box on the welcome page determines whether you will manually append the required CA certificates to the Expressway-C trust list, or whether you allow Cisco Webex to add those certificates for you. Choose one of the following options:

• When you register, the root certificates for the authorities that signed the Cisco Webex cloud certificates are installed automatically on the Expressway-C. This means that the Expressway-C should automatically trust the certificates and be able to set up the secure connection. Check the box if you want Cisco Webex to add the required CA certificates to the Expressway-C trust list. If you change your mind, you can use the Connector Management window to remove the Cisco Webex cloud CA root certificates and manually install root certificates.

• Uncheck the box if you want to manually update the Expressway-C trust list.

Step 5. Click Register. (When you register, you will get certificate trust errors if the trust list does not currently have the correct CA certificates.) After you are redirected to Cisco Webex Control Hub, read the on-screen text to confirm that Cisco Webex identified the correct Expressway-C.

Step 6. After you verify the information, click Allow to register the Expressway-C for Cisco Webex Hybrid Services.

Images Registration can take up to 5 minutes depending on the configuration of the Expressway and whether it is a first-time registration.

Images After the Expressway-C registers successfully, the Cisco Webex Hybrid Services window on the Expressway-C shows the connectors downloading and installing. The management connector automatically upgrades itself if there is a newer version available, and then installs any other connectors that you selected for the Expressway-C connector host.

Images Each connector installs the interface pages that you need to configure and activate that connector.

This process can take a few minutes. When the connectors are installed, you can see new menu items on the Applications > Hybrid Services menu on your Expressway-C connector host. If registration fails and your on-premises environment proxies the outbound traffic, review the paragraph at the beginning of this procedure. If the registration process times out or fails (for example, you must fix certificate errors or enter proxy details), you can restart registration in Cisco Webex Control Hub.

If you want to verify the certificates presented by the Exchange Server, then the Expressway trust list must contain the certificate of the CA that signed the Exchange Server certificate. The CA certificate may already be in the trust list; use this procedure on each Expressway cluster to check the list and append the certificate if necessary.

If you are using a custom domain, make sure that you add the CA certificate for the domain certificate issuer to the Expressways. Also, you must import certificates to each Expressway-C.

Step 1. On the Expressway-C connector host, go to Maintenance > Security certificates > Trusted CA certificate.

Step 2. Review the CA certificates in the trust list to check if the correct CA certificate is already trusted.

Step 3. To append any new CA certificates:

a. Click Browse (or the equivalent in your browser) to locate and select the PEM file.

b. Click Append CA certificate. The newly appended CA certificate appears in the list of CA certificates.

Step 4. To replace an existing CA certificate with an updated one, for a particular issuer and subject:

a. Check the check box next to the Issuer details.

b. Click Delete.

c. Append the replacement certificate as described previously.

Table 18-2, lists the Certificate Authorities that your on-premises or existing environment must trust when using Cisco Webex Hybrid Services. If you opted to have Cisco Webex manage the required certificates, then you do not need to manually append CA certificates to the Expressway-C trust list.

Note that the issuers used to sign the Cisco Webex host certificates may change in future, and Table 18-2 may then be inaccurate. If you are manually managing the CA certificates, you must append the CA certificates of the issuing authorities that signed the currently valid certificates for the hosts listed (and remove expired/revoked CA certificates).

Table 18-2 Certificate Authorities for Hybrid Services

Images

The Calendar Connector installs automatically after you register your Expressway connector host for Cisco Webex Hybrid Services. The connector does not start automatically and requires some configuration to link to your calendar environment.

Step 1. From the Expressway connector host, go to Applications > Hybrid Services > Calendar Service > Microsoft Exchange Configuration, and then click New. Make sure you choose Microsoft Exchange Configuration, not Cisco Conferencing Services Configuration. You cannot configure the Calendar Connector for Microsoft Exchange or Office 365 in the same organization with the conferencing services (integration with Cisco TelePresence Management Suite).

Step 2. Enter the credentials of the service account that you want the Calendar Connector to use to connect to Exchange. The service account queries calendars on behalf of your users, using the impersonation role. You can use these formats:

Images [email protected] – The userPrincipalName. Typically, this value matches the user’s primary email address, but the properties are separate. userPrincipalName consists of the User Logon Name (not always the same as sAMAccountName) and the UPN suffix, which is based on the Active Directory domain (not always the same as the NetBIOS domain). Use this format whenever possible. If you used the simplified configuration with a single impersonation account to prepare a hybrid Exchange on-premises and Office 365 integration, you must use this format. Also, make sure that the impersonation account that you use is synchronized to the Office 365 cloud, and that its userPrincipalName matches one of the account’s SMTP addresses.

Images DOMAINusernameDOMAIN is the NetBIOS domain (the pre-Windows 2000 domain); “username” is the sAMAccountName (the legacy username or pre-Windows 2000 username). If you are unsure about what to use for these formats, use Active Directory Users and Computers on a Windows machine to view the Account tab of the Properties pane for the user in question. The correct values to use are displayed as:

• User logon name for the first format.

• User logon name (pre-Windows 2000) for the second format.

Step 3. Enter a unique Display Name for this Exchange Server.

Step 4. For the Type:

Images Select Exchange On-Premises for Exchange 2013, 2016, or 2019. (Select this type even if you are preparing a hybrid Exchange on-premises.)

Images Select Office365 for Office 365 integration

Step 5. For Need Proxy for Connection?, select Yes if https access goes through a web proxy to your Exchange environment.

Step 6. For Enable this Exchange server?, select Yes. You can select No for debugging purposes, but users will not be subscribed to this Exchange.

Step 7. Check a value for the Authentication Type:

Images For added security, we recommend NTLM for on-premises Exchange servers.

Images For Hybrid Exchange (on-premises and Office 365) deployments, check both NTLM and Basic authentication types. If one method fails, then the other method is used.

Step 8. Leave TLS Verify Mode as the default value On so that this Expressway-C verifies the certificate that the Exchange Server presents. You may need to update the trust stores on both servers to ensure that each one trusts the CA that signed the other’s certificate.

Step 9. Under Discovery, select Use Autodiscover to enable autodiscovery. The Calendar Connector queries to find one or more Exchange servers. You must use autodiscovery for deployments of Microsoft Exchange 2013 and later. Use Provide Exchange Address directly only for troubleshooting or testing purposes. This option does not use autodiscovery. If you select it, enter the IPv4 address, IPv6, or FQDN of the Exchange server.

Step 10. Configure the extra fields that are related to autodiscovery.

a. Choose whether to Enable SCP record lookup. If you set this field to Yes, the first autodiscover step that the Calendar Connector takes is an Active Directory Service Connection Point (SCP) record lookup to get a list of autodiscover URLs. The Calendar Connector uses the Active Directory domain, Active Directory site, Query mode, and LDAP TLS Verify Mode fields only if you enable this step. These fields provide the information necessary to find and query an LDAP server in Active Directory. Even if this step fails, autodiscovery may succeed at a later step.

b. Enter the Active Directory domain to query for the SCP record.

c. (Optional) Enter the Active Directory site that is geographically closest to the Calendar Connector, to optimize the query response time.

d. Select a Query mode to control which directory access protocol that Calendar Connector uses to query Active Directory. If you select ldaps (secure LDAP), the Domain Controller must authenticate itself by presenting a server certificate to this Expressway-C.

e. Enable LDAP TLS Verify Mode if you want the Expressway-C to validate the certificate that the Domain Controller presents. This option checks the server name against the CN or SANs in the received certificate and checks that the issuing authority is in the local trusted CA list.

f. Enter an Email Address so that Calendar Connector can test the autodiscover process (other than SCP record lookup, which uses the Active Directory domain instead). Use the email address of a user that you will enable for the Hybrid Calendar Service, as it appears in Cisco Webex Control Hub. If the test fails, then your settings are not saved. If you omit the email address, then your settings are saved without verifying the autodiscover process (other than SCP record lookup, if enabled).

g. (Optional) To manually configure any Autodiscover redirect URLs that the Calendar Connector should trust, click Configure Trust List. Once you click Add, the Calendar Connector automatically populates any missing Autodiscover redirect URLs that it finds while contacting the Autodiscover service. URLs from unauthenticated sources are placed in pending state and blocked unless you choose to allow them. If you skip this step now, you can still manually add URLs later, or explicitly accept or deny the pending URLs.

Step 11. Click Add to store the Exchange Server configuration on the Expressway connector host. The Calendar Connector tests the connection to the Exchange environment and notifies you if there are pending Autodiscover redirect URLs to review.

Step 12. (Optional) If your organization has multiple user email domains, we recommend that you test the autodiscover configuration with a user address from each email domain to ensure that the process works for all of them. To test another address, change the value of the Email Address field to a different address, and then click Save.

After you configure the Exchange settings, configure the details for your Cisco Webex Meetings sites. If you have more than one Webex site, do these steps for each site, and set the default to the site with the most users. Users who are not on the default site, or who want to use a different site, must associate their Cisco Webex Personal Room with Cisco Webex in the app.

For the @webex functionality to work for users, verify the following:

Images You have at least one Cisco Webex Meetings site, with the Personal Room feature enabled for the site and for the individual users.

Images The email address in each user’s Webex account matches the user’s Exchange email address and Cisco Webex login address. If it does not, users must associate their Cisco Webex Personal Room with the Cisco Webex app.

Gather the Webex user account email address of a valid user on your site. The Calendar Connector uses this account to access the Webex Personal Room details for users who schedule meetings with @webex.

Step 1. From the Expressway-C connector host, go to Applications > Hybrid Services > Calendar Service > Cisco Conferencing Services Configuration, and then click New.

Step 2. Select Type as Webex under Conferencing Services Type.

Step 3. Enter the Fully Qualified Site Name for this Cisco Webex Meetings site. For example: If your site is accessed at site-example.webex.com, you would enter site-example.webex.com.

Step 4. Enter a valid Webex user account email address, leave the password field blank, and then click Test Connection to validate the site information that you entered. If testing the connection fails, you can save the configuration with both the user name and password fields blank.

Step 5. Indicate whether this site is the default. The default site is used for @webex unless the user has a different site configured in their My Personal Room setting in the Webex app (either because the user’s Webex site has been linked to Webex by an administrator, or because the user configured the setting with a different site).

Step 6. Click Save to save the configuration.

In Cisco Webex Control Hub, the Default Language setting controls the language of the join details that the Hybrid Calendar Service adds to invitations. If you leave the setting at its default, the service uses the language from the item.Culture property of each meeting invitation. (Typically, the scheduler’s operating system controls the value of item.Culture.)

To override choosing languages on a meeting-by-meeting basis from item.Culture, choose a specific language to use for join details for all meetings across your organization.

Step 1. From the customer view in https://admin.webex.com, go to Services.

Step 2. From the Hybrid Calendar card for Exchange, click Edit settings.

Step 3. Choose a language from the Default Language drop-down list and select Save.

After you save the change, the Hybrid Calendar Service uses the language you choose each time it adds join to details a meeting. It does not change the language for existing join details.

By default, when users add @webex to a meeting location, the calendar service updates the meeting with their Cisco Webex Personal Room details. When users add @meet, by default the service updates the meeting with Cisco Webex space details. As an administrator, you can change these default actions for either keyword.

Regardless of how you set these actions, power users can add the modifier :space or :myroom to specify the action for either keyword. For example, adding @webex:space causes the service to update the meeting with Webex space details.

Step 1. From the customer view in https://admin.webex.com, go to Services.

Step 2. From the Hybrid Calendar card for your calendar environment, click Edit settings. If you have the Hybrid Calendar Service set up for multiple calendar environments, you can access the keywords settings from multiple pages in Control Hub, but the values that you set apply to all environments.

Step 3. In the Keywords section, select the default action that you want for each keyword.

Step 4. Click Save.

You can do this task before you configure the Calendar Connector links to your Exchange environment and Webex environment, but all tests will fail until the Calendar Connector is Running and you may need to restart the connector after configuration.

Step 1. From Expressway, go to Applications > Hybrid Services > Connector Management. The Connector management section of the page has a list of connectors and the status of each. The Management Connector is Running and the Calendar Connector is Not enabled.

Step 2. Click Calendar Connector.

Step 3. Select Enabled from the Active drop-down list.

Step 4. Click Save. The Calendar Connector starts and the status changes to Running.

Any of these methods requires that users have signed in to the Cisco Webex app to be fully activated. To enable @webex for users who have never signed in to the app, add and verify the users’ domain using the add, verify, and claim domains process. (You must own a domain for it to be verifiable. You do not need to claim the domain.) Use this procedure to enable a small number of Cisco Webex users for Hybrid Calendar Service with Microsoft Exchange or Office 365.

Step 1. From the customer view in https://admin.webex.com, go to Users.

Step 2. Choose a specific user from the list, or use the search to narrow the list, and then click the row to open an overview of the user.

Step 3. Click Edit, and then ensure that the user is assigned at least one paid service under Licensed Collaboration Services. Make necessary changes, and then click Save.

Step 4. Click Calendar Service, toggle on Calendar, choose Microsoft Exchange, and then save your changes. After you activate the service, the user status changes from Pending Activation to Activated. The length of time for this change depends on the number of users that you are enabling for the service. Users receive an email that indicates the feature is enabled.

Google Calendar Deployment in the Cloud

Figure 18-2 shows the components of Hybrid Calendar Service and Google Calendar architecture and lists a high-level process of the scheduling flow.

Images

Figure 18-2 Hybrid Calendar Service and Google Calendar Architecture

1. A user creates a meeting in Google Calendar, putting a scheduling keyword or video address in the location field.

2. Google sends a notification to the Hybrid Calendar Service.

3. The Hybrid Calendar Service requests and receives the encryption key, and then uses it to encrypt the meeting information.

4. The Hybrid Calendar Service validates meeting creation and recipients, and then creates a Webex team space, if applicable.

5. The Hybrid Calendar Service calls the Application Programmer Interface (API) service and maps the meeting to the space.

6. The Hybrid Calendar Service retrieves the meeting join information, including the Personal Room if applicable.

7. The Hybrid Calendar Service updates the meeting invite with the meeting join information and, if applicable, the space ID.

8. The updated meeting information appears in Google Calendar.

For more information on how the cloud-based Hybrid Calendar Service integrates with Google’s G Suite Calendar, see the Cisco Webex Hybrid Calendar Service with Google Calendar Integration Reference on help.webex.com.

We do not currently support deploying both Google Calendar and Office 365 with the cloud-based Hybrid Calendar Service in the same Cisco Webex organization. As a requirement, a Google G Suite organization (formerly Google Apps for Work) with Google accounts for all users in your Webex organization. Each user in your Webex organization can only have one email address associated with only one Hybrid Calendar Service integration. In other words, the Hybrid Calendar Service will only process meetings from a single address for creating spaces, decorating meetings, showing the meetings list and join button, and sending One Button to Push (OTBP) to video devices.

Images

Enable and Configure Hybrid Calendar Service with Google Calendar by following these steps to register your Google Calendar environment to the Cisco Webex cloud, enable API access, test the connection, and set the default Webex site. The setup wizard in admin.webex.com will also guide you through the process.

Step 1. From https://admin.webex.com go to Services, and then choose one:

Images For a new environment, click Set Up on the hybrid calendar card. Choose the Google logo, and then click Next.

Images If you have an existing Exchange environment registered for Hybrid Calendar Service and want to add Google Calendar, click Set Up under the Google section of the card, and then click Next.

Step 2. Follow the steps to authorize Cisco Webex cloud access on your G Suite account. You need to copy information from https://admin.webex.com, so keep it open in a browser tab.

a. Click the link to open https://admin.google.com, and then select Menu (3 bar icon)> Security > Show more > Advanced settings.

b. In the Authentication section, click Manage API client access.

c. Copy the value for Client Name, from the tab you have open on https://admin.webex.com, and paste it into the corresponding field in your G Suite settings tab.

d. Copy all the text from One or More API Scopes, from the tab you have open on https://admin.webex.com, and paste it into the corresponding field in your G Suite settings tab.

e. Click Authorize.

f. Return to https://admin.webex.com, and then click Next.

Step 3. Fill out account information for a test G Suite account. This is used to test the connection with Google Calendar. The site, (admin.webex.com) may incorrectly state that the test account is automatically enabled for Hybrid Calendar Service. You can enable this test account and more users in your organization after you finish the initial setup wizard.

Step 4. (Optional) If you use meeting room resources, access control list (ACL) changes to their calendars may be required. For Hybrid Calendar Service to perform this change, check the box and then provide the name of an authorized account. Click Next.

Step 5. After the set up completed prompt appears, click Done.

Step 6. From the hybrid calendar card, go to the Google Calendar Settings.

Step 7. Choose or type the default Cisco Webex Meetings site that you want to use for @webex scheduling and save your changes. The default site is used for @webex unless the user has a different site configured in their My Personal Room setting in the Webex app (either because the user’s Webex site has been linked to Webex by an administrator, or because the user configured the setting with a different site).

Step 8. Confirm that an event called “Hybrid Calendar setup validated” was added to the test account that you provided, scheduled at the current time. You can safely remove this test event.

In Cisco Webex Control Hub, the Default Language setting controls the language of the join details that the Hybrid Calendar Service adds to invitations. If you leave the setting at its default, the service uses the language from the locale setting from user’s calendar settings.

To override choosing languages on a per-user basis from the locale, choose a specific language to use for joining details for all meetings across your organization.

Step 1. From the customer view in https://admin.webex.com, go to Services.

Step 2. From the Hybrid Calendar card for Google, click Edit settings.

Step 3. Choose a language from the Default Language drop-down list and click Save.

After you save the change, the Hybrid Calendar Service uses the language you choose each time it adds join to details a meeting. It does not change the language for existing join details.

By default, when users add @webex to a meeting location, the calendar service updates the meeting with their Cisco Webex Personal Room details. When users add @meet, by default the service updates the meeting with Cisco Webex space details. As an administrator, you can change these default actions for either keyword.

Regardless of how you set these actions, power users can add the modifier :space or :myroom to specify the action for either keyword. For example, adding @webex:space causes the service to update the meeting with Webex space details.

Step 1. From the customer view in https://admin.webex.com, go to Services.

Step 2. From the Hybrid Calendar card for your calendar environment, click Edit settings. If you have the Hybrid Calendar Service set up for multiple calendar environments, you can access the keywords settings from multiple pages in Control Hub, but the values that you set apply to all environments.

Step 3. In the Keywords section, select the default action that you want for each keyword.

Step 4. Click Save.

Use this procedure to enable a small number of Cisco Webex users for Hybrid Calendar Service with Google Calendar. Any of these methods requires that users have signed in to the Cisco Webex app to be fully activated. To enable @webex for users who have never signed in to the app, add and verify the users’ domain using the Add, Verify, and Claim Domains process. (You must own a domain for it to be verifiable. You do not need to claim the domain.)

Before you begin to successfully activate a user for calendar access, the following conditions must be met:

Images The user’s email address in Control Hub must match their Google calendar account in the organization’s Google G Suite tenant.

Images The administrator must have verified the domain in the user’s email address, OR the user needs to have verified their email address by successfully signing into Webex.

Successful validation is a requirement for using the Hybrid Calendar Service functionality. If the service cannot validate a user, it puts the user in error state. The service enforces a policy to access only the calendars of successfully activated users for ongoing processing.

Step 1. From the customer view in https://admin.webex.com, go to Users, and then choose a specific user from the list. You can use the search function to narrow down the list of users.

Step 2. Click the row to open an overview of the user.

Step 3. Choose one and then save your changes:

Images In a new environment, click Calendar Service, toggle on Calendar, and ensure that the Google Calendar is selected.

Images In an existing environment with Exchange, click Calendar Service, and under calendar type, ensure that the Google Calendar is selected.

After you activate the service, the Cisco Webex user status changes from Pending Activation to Activated. The length of time for this change depends on the number of users that you are enabling for the service. Users receive an email that indicates the feature is enabled. If you want to disable email notifications, you can do so under Services > Edit settings > General and scroll to User Email Notifications, and then toggle on or off the email notification to set whether users receive email notifications about new Hybrid Calendar Service features as they are released. You can test the calendar features by simply scheduling a Cisco Webex Meeting from Your Calendar.

Next, we will look at how to add the Hybrid Calendar Service to Workspaces with Webex Room, Desk, and Board Devices. This task assumes that you have already created places for the Webex Room, Desk, or Board devices. If you need to create the workspace, see Add Shared Devices to a Workspaces on help.webex.com. Before you begin:

Images Webex room devices must have email addresses that match the Google room resource format, @resource.calendar.google.com.

Images If your room device email format uses a domain prefix, you must verify the domain in the prefix. For example, verify company.com (if you did not already do so when verifying the domain of the account that manages access control lists) for devices that have email addresses such as:

Images [email protected]

Images Newer resource email addresses may not include a domain prefix, as in the following example:

Images [email protected]

Step 1. From the customer view in https://admin.webex.com, go to Workspaces, and then select the workspace that you want to update.

Step 2. Go to Calendar and click Add Calendar so that people can use One Button to Push (OBTP) from their Cisco Webex devices.

Step 3. Select calendar service from the drop-down menu.

Step 4. Enter or paste the Google resource email address from G Suite (Calendar > Resources). This is the email address that will be used to schedule meetings.

Step 5. Click Save.

Have Users Associate Their Personal Rooms with Cisco Webex. To provide OBTP to Cisco Webex room and desk devices and Webex Boards when scheduling Webex Personal Room meetings, users must have their Personal Room associated with their Cisco Webex account. This can happen in one of the following ways:

Images The Webex site is managed on Cisco Webex Control Hub.

Images The users on your Webex site have been Cisco Webex linked. (For site linking steps, see Link Cisco Webex Sites to Control Hub.)

Images Users associate their Personal Room with Cisco Webex for themselves.

Do this task for the test user account that you will use to verify the setup, to check whether the Personal Room association needs to be added.

Step 1. Sign into the Cisco Webex app.

Step 2. Go to Meetings.

Step 3. Under My Personal Room, if the Personal Room link is missing, enter it in the format https://company.webex.com/meet/username or company.webex.com/meet/username, enter your host PIN, and select Save.

Step 4. If the link was missing, have users who will schedule meetings that include room, desk devices, or boards associate their Personal Rooms with the Webex app for themselves.

Use these steps to set up a test meeting and verify the Google Calendar integration. Direct users to the documentation below for how to schedule meetings.

Step 1. Sign in to https://calendar.google.com with one of the test Google user accounts enabled for Hybrid Calendar Service.

Step 2. Click Create to start an event, and then add a space scheduling keyword (such as @webex:space or @meet) to the Where field. Fill out other meeting information, as needed, and then click Save.

Step 3. Open https://web.webex.com, and sign in with the test user account.

Step 4. Verify whether a new Cisco Webex space was created and contains the calendar invite card.

Step 5. To test out-of-office status, in https://calendar.google.com, navigate to Settings and turn on Vacation responder. Within 20 minutes, you should see the test account’s profile picture display an out-of-office overlay in the Webex app. The display picture update is triggered when others see your presence in a space. If the test user does not interact with other active users, you may need to use another account to verify the update.

Step 6. To test One Button to Push (OBTP) with a Cisco Webex room or desk device or Webex Board:

a. In https://calendar.google.com, click Create to start an event, and then add a scheduling keyword (such as @webex) to the Location field.

b. Select Rooms, and choose the device you want to add.

c. Fill out other meeting information, as needed, and then click Save.

d. When the meeting is scheduled to begin, verify that the Join button appears on the device.

Another option that is outside of the scope of this book is the Cisco TelePresence Management Suite (Cisco TMS) scheduling option that allows the Hybrid Calendar Service to leverage your on-premises resource management and conference hosting environment for simplified meeting scheduling. This integration also extends the One Button to Push (OBTP) meeting join experience to a wide range of video devices. The integration currently works with the cloud-based Hybrid Calendar Service for Office 365 or the cloud-based Hybrid Calendar Service for Google Calendar. To deploy the integration, you first set up the cloud-based service. Then you install the Calendar Connector on your on-premises Expressway-C and configure the connector for the Cisco TMS scheduling option. However, you cannot deploy the Cisco TMS scheduling option if your Cisco Webex organization already has the Calendar Connector configured for the Hybrid Calendar Service. The Cisco TMS integration must be the only Calendar Connector in the organization.

Office 365

When you first set up the Hybrid Calendar Service, the setup asks you to have your organization’s Office 365 tenant Global administrator account log in to the Office 365 portal to agree to allow the Hybrid Calendar Service to access Office 365 on behalf of your users.

The Hybrid Calendar Service needs the permissions shown in Table 18-3 to do the following actions:

Table 18-3 Office 365 Required Permissions

Images

When the administrator grants permission for the Hybrid Calendar Service on behalf of the Office 365 tenant, Cisco Webex is notified. This permission enables the Hybrid Calendar Service to get access tokens from Azure Active Directory (Azure AD) using OAuth 2.0, to authenticate and access user calendars. The Cisco Webex cloud does not see or store the administrator login credentials at any point in the process. For more information, see https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service.

The Hybrid Calendar Service uses the Microsoft Graph API to subscribe to changes in users’ calendars, receive notifications for changes made in subscribed users’ calendars, and update meeting invitations with scheduling information when the meeting location field contains keywords such as @webex or @meet, or the meeting body contains a supported video address. The Hybrid Calendar Service accesses only the calendars of the users that you enable for Hybrid Calendar Service in the Cisco Webex Control Hub.

Cisco Webex follows industry-standard best practices to securely store the Private Key for the application. All meeting details that the service stores are encrypted using Webex end-to-end encryption. This ensures that only those who are invited to the meeting can see the details. For more information on Webex encryption, see the Cisco Webex Security and Privacy white paper. If needed, your Exchange administrator can revoke the Hybrid Calendar Service access to your Office 365 tenant user calendars from Enterprise Applications in the Azure AD management portal.

If you have already deployed the Expressway-based Calendar Connector to serve Microsoft Exchange users, Office 365 users or a hybrid of Microsoft Exchange and Office 365 users, you can add the cloud-based Hybrid Calendar Service with Office 365, running both at the same time. Once you enable the cloud-based service, any Office 365 users who are not a part of a resource group automatically migrate from your Calendar Connector to the new cloud-based service within 24 hours. (The Hybrid Calendar Service checks for Office 365 users to migrate from Calendar Connectors once a day.)

The Expressway-based Calendar Connector that you deploy with the Hybrid Calendar Service for Microsoft Exchange or Office 365 has a capacity limit of 1,000 Office 365 users and requires on-premises equipment. The cloud-based service allows you to scale past the capacity limit.

Images Both options (Calendar Connector and cloud-based service) can be enabled at the same time.

Images All Office 365 users NOT in a resource group migrate to the cloud-based service automatically.

Images To enable some users on the cloud service first for testing, put other users who must stay homed on the on-premises Connector into a resource group before turning on the cloud-based service.

Requirements for Hybrid Calendar Service with Microsoft Office 365:

Images An Office 365 tenant with Exchange Online accounts for users in the organization. During setup, you must be able to sign in as a Global administrator for the tenant to grant application permissions. Note the following considerations for your Office 365 tenant:

Images We currently only support a single Office 365 tenant per Cisco Webex organization.

Images We only support the Worldwide and Germany instances of Office 365. (Other instances which we do not support include USGovDoD, USGovGCCHigh, and China.)

Images Although your tenant may use Multi-Geo Capabilities in Office 365 to store data in a chosen geography, Cisco Webex stores data according to its own data residency specifications based on the country designated for the customer organization. For more information, see the Data Residency in Webex article on help.webex.com.

Images For @webex scheduling, any supported Cisco Webex Meetings release. You must enable the Personal Room feature for the Webex site and for the individual users.

Images A Cisco Webex organization with a paid subscription. Currently, we do not support deploying both Google Calendar and Office 365 with the cloud-based Hybrid Calendar Service in the same Cisco Webex organization.

Images Users must have activated Cisco Webex accounts, with email addresses that are exact matches in Cisco Webex Meetings, Webex, and Exchange Online (the Primary Email Address). Each Webex user can only have one email address associated with only one Hybrid Calendar Service integration. In other words, the Hybrid Calendar Service will only process meetings from a single address for creating spaces, decorating meetings, showing the meetings list and join button, and sending One Button to Push (OTBP) to video devices.

Previously, to serve Office 365 users, you had to install the Calendar Connector on an on-premises Expressway. This on-premises deployment was required even if you did not have a hybrid Exchange environment (on-premises Microsoft Exchange and an Office 365 tenant organization). You can now choose to enable the cloud-based Hybrid Calendar Service for Office 365. With this service, hybrid Exchange environments have extra considerations:

Images You can run the Expressway-based Calendar Connector and the cloud-based Office 365 service at the same time.

Images Once you enable the cloud-based service, all Office 365 users who are not in any resource group automatically migrate to it.

Images To test the migration on a subset of users, make sure that the rest of the Office 365 users are in a resource group. Then enable the cloud-based Office 365 service.

Figure 18-3 depicts the hybrid exchange environment with the Cisco Webex Hybrid Calendar Service.

Images

Figure 18-3 Hybrid Exchange Environment with the Cisco Webex Hybrid Calendar Service

The Calendar Connector on the Expressway-C serves both Exchange users and Office 365 users, in Resource Group A and Resource Group B. The cloud-based service serves any Office 365 users who are not in a resource group.

Figure 18-4 illustrates the scheduling flow of cloud-based Hybrid Calendar Service with Office 365.

Images

Figure 18-4 Cloud-based Hybrid Calendar Service with Office 365 Scheduling Flow

1. A user creates a meeting in the Office 365 calendar, putting a scheduling keyword or video address in the Location field.

2. Exchange Online sends a notification to the Hybrid Calendar Service.

3. The Hybrid Calendar Service requests and receives the encryption key, and then uses it to encrypt the meeting information.

4. The Hybrid Calendar Service validates meeting creation and recipients, and then creates a Webex team space, if applicable.

5. The Hybrid Calendar Service calls the API service and, if applicable, maps the meeting to the space.

6. The Hybrid Calendar Service retrieves the meeting join information, including the Webex Personal Room if applicable.

7. The Hybrid Calendar Service updates the meeting invite with the meeting join information and, if applicable, the space ID.

8. The invitees and the organizer get the updated meeting invitation.

Images

To provide full @webex functionality, the Hybrid Calendar Service needs access to user scheduling information from your Cisco Webex Meetings site. If your Webex site is managed in Cisco Webex Control Hub, you do not need do anything to make the information available. Otherwise, the preferred method for making this information available is to have an administrator link the site to Webex. If you have not yet linked the sites, your users can associate their Cisco Webex Personal Rooms with Cisco Webex themselves in the app. Follow these steps to register your Office 365 environment to the Cisco Webex cloud, test the connection, and set the default Webex site. The setup wizard in https://admin.webex.com guides you through the process. Before you begin, you should either be the Global administrator for the Office 365 tenant or have the administrator with you when you begin the setup process.

Step 1. From https://admin.webex.com, go to Services.

Step 2. On the hybrid calendar card with the Office 365 logo, click Set Up.

Step 3. Follow the steps to choose an Office 365 instance (Worldwide or Germany) and authorize Cisco Webex cloud access on your Office 365 Global administrator account. The browser should redirect you to https://admin.webex.com when you have finished the authorization steps. If it does not, try these steps again.

Step 4. In the Hybrid Calendar setup window, enter the email address of an account in Office 365 to test the connection, and click Test. The Hybrid Calendar Service tests by creating an event in the user’s calendar to validate access and provisioning.

Step 5. When the setup finishes, click Done.

Step 6. On the hybrid calendar card with the Office 365 logo, click Edit settings.

Step 7. Choose or type the Cisco Webex Meetings site to use for @webex scheduling. Save your changes.

Step 8. If there are users with error status, click User Status Report to view the error details.

In Cisco Webex Control Hub, the Default Language setting controls the language of the join details that the Hybrid Calendar Service adds to invitations. If you leave the setting at its default, the service uses the language in the “language”:{“locale”} setting from the user’s mailbox settings. To override choosing languages on a per-user basis from the “language”:{“locale”}, choose a specific language to use for join details for all meetings across your organization.

Step 1. From the customer view in https://admin.webex.com, go to Services.

Step 2. On the hybrid calendar card with the Office 365 logo, click Edit settings.

Step 3. Choose a language from the Default Language drop-down list and click Save. After you save the change, the Hybrid Calendar Service uses the language you choose each time it adds join to details a meeting. It does not change the language for existing join details.

By default, when users add @webex to a meeting location, the calendar service updates the meeting with their Cisco Webex Personal Room details. When users add @meet, by default the service updates the meeting with Cisco Webex space details. As an administrator, you can change these default actions for either keyword. Regardless of how you set these actions, power users can add the modifier :space or :myroom to specify the action for either keyword. For example, adding @webex:space causes the service to update the meeting with Webex space details.

Step 1. From the customer view in https://admin.webex.com, go to Services.

Step 2. From the Hybrid Calendar card for your calendar environment, click Edit settings. If you have the Hybrid Calendar Service set up for multiple calendar environments, you can access the keywords settings from multiple pages in Control Hub, but the values that you set apply to all environments.

Step 3. In the Keywords section, select the default action that you want for each keyword.

Step 4. Click Save.

Use this procedure to enable individual Cisco Webex users for Hybrid Calendar Service with Office 365. Any of these methods requires that users have signed in to the Webex app to be fully activated. To enable @webex for users who have never signed in to the app, add and verify the users’ domain using the Add, Verify, and Claim Domains process. (You must own a domain for it to be verifiable. You do not need to claim the domain.)

Before you begin users must have licensed Exchange Online mailboxes and users must have activated Cisco Webex accounts, with email addresses that are exact matches in Cisco Webex Meetings, Webex, and Exchange Online (the Primary Email Address).

Step 1. From the customer view in https://admin.webex.com, go to Users, and then choose a specific user from the list. You can use the search function to narrow down the list of users.

Step 2. Click the row to open an overview of the user.

Step 3. In the Hybrid Services area, click Calendar Service.

Step 4. Toggle Calendar on, ensure that Microsoft Exchange/Office 365 is selected, and save your changes.

After you activate the service, the user’s calendar service status changes to Pending Activation and then to Activated. The length of time for this change depends on the number of users that you are enabling for the service. Users receive an email that indicates the feature is enabled. See the documentation below if you want to disable email notifications.

The Hybrid Calendar Service automatically moves any Office 365 users who are not part of a resource group from your Expressway-based Calendar Connector to the cloud-based service. This process can take up to an hour because the service checks for users to move once an hour. (If you are also moving the user’s mailbox from Microsoft Exchange to Office 365, it can take up to 40 minutes longer.) If you want to have users activated faster, use the following procedure to toggle the Hybrid Calendar Service for users, thereby forcing the activation within minutes. Also, you must remove Office 365 users from a resource group for them to move off the Calendar Connector. This procedure also covers that process.

Step 1. If applicable, move the user mailbox from Microsoft Exchange to Office 365.

Step 1. From the customer view in https://admin.webex.com, go to Users.

Step 3. To modify an individual user, do the following sub-steps:

a. Search for the user in the list and click the row for that user.

b. In the panel that opens on the right, click Calendar Service.

c. From the Resource Group drop-down list, click None.

d. Next to Calendar, toggle the service off.

e. Wait a minute, and then toggle the service back on. The user should be activated within a few minutes.

Step 4. To modify users in bulk, do the following sub-steps:

a. Click Manage Users, and choose CSV Add or Modify User.

b. Click Export to download the file.

c. Edit the exported_users.csv file.

d. For any users that you want to move, delete the value in the Hybrid Calendar Service Resource Group column.

e. Save a first copy of the file in this state, for use later.

f. To speed the move, set Hybrid Calendar Service (Exchange) to FALSE.

g. Save a second copy of the file.

h. Click Import, select the second file copy that you saved, and click Open.

i. Choose Add and remove services and click Submit. If you also add new users in this process and do not suppress admin invite emails, new users receive activation emails.

j. Wait several minutes, and then re-import the first copy of the file. The users should be activated within a few minutes.

One Button to Push (OBTP)

Users can schedule meetings and include video devices and Webex Boards that display the Join button by using any of these methods:

Images Cisco Webex meetings

• From a space.

• From the calendar, by entering a scheduling keyword in the meeting location field.

• From the calendar, using Cisco Webex Productivity Tools.

• From the calendar, by entering a scheduling keyword in the meeting location field.

• From the calendar, by entering a URL in the meeting location or body

• Using the Cisco Webex Meetings Scheduler for Google Chrome

Images Other types of meetings

• From the calendar, by entering a supported video address format in the meeting location or body

To provide One Button to Push on video devices, you deploy the Cisco Webex Hybrid Calendar Service. The details of the deployment depend on the type of calendar environment that you have, and on the type of device. To register devices for calendar scheduling, understand the requirements of Cisco Webex Calling and Hybrid Call Service:

Images After you add a Cisco Webex Calling (formerly Spark Call) phone number to a Cisco Webex room device or board, there is a 24-hour delay before the room device caller ID is seen by others.

Images Shared desk phones support all available call features except voicemail and single number reach. Room devices and Webex Boards only support basic call functions with a single line.

Images For PSTN service, be aware of the following points:

Images Cloud PSTN service for room devices and boards is available in the United States and Canada.

Images You must request that your Cisco partner purchase PSTN service. If you are no longer in a trial, you must then sign the PSTN contract by DocuSign that is emailed to you.

Images Your partner must add new or port over PSTN numbers.

Images To use Cisco Unified Communications Manager call control for devices in a place, you must first configure Hybrid Call Service Connect for your organization. For more information, see the Deployment Guide for Cisco Webex Hybrid Call Service.

First, we will create a workspace and then add shared devices and services:

Step 1. From the customer view in https://admin.webex.com, go to Workspaces, and then click Add Workspace.

Step 2. Enter a name for the workspace (such as the name of the physical room), select room type and add capacity. Then click Next.

Step 3. Choose Cisco Webex Room Device, and then click Next. You can only have one type of device in a single space. For example, you can add up to 10 desk phones to a lobby or a single Cisco Webex Room Device or a Webex Board, but not a combination of the two. The exception is Companion Mode, where you can have one Webex Board and one Room Series device in a workspace.

Step 4. Choose a call service to assign to devices in the workspace and click Next:

Images Free Calling (default) – For Cisco Webex app and SIP address calling.

Images Webex Calling – To add PSTN service through a cloud preferred media provider for Webex Calling (formerly Spark Call). Assign a phone number and extension to the device, and then click Next.

Images Hybrid Calling – To use call service (PSTN access or internal extension access) through your on-premises call control. Unified CM provides the phone number or extension for the devices in the workspace. If you chose Hybrid Calling, enter the Unified CM mail ID for the account that you created earlier. Then download the Device Connector to synchronize the Unified CM configurations to the cloud. Then click Next.

The service discovers where the email address is located on a Unified CM cluster. Once discovered, the service creates the Cisco Spark-RD and identifies the directory number and SIP URI associated with the account.

Step 5. (Optional) Toggle on the calendar service so that people can use One Button to Push (OBTP) on this device and click Next. Then select calendar service from the drop-down menu and add Email Address and select Resource Group. Enter or paste the email address of the room device. This is the email address that will be used to schedule meetings:

Images For devices that will be scheduled in Google Calendar, enter the Google resource email address from G Suites (Calendar > Resources).

Images For devices that will be scheduled in Microsoft Exchange or Office 365, enter the email address of the room mailbox. This option requires the Hybrid Calendar Service. To configure the service, see the Deployment Guide for Cisco Webex Hybrid Calendar Service.

Step 6. Click Next, and then activate the device with the code provided. Workspaces that you added Hybrid Call Service to may take approximately 5–10 minutes to activate while the email address, directory URI, and directory number are discovered on a Cisco Unified Communications Manager cluster. After activation, the phone number is displayed on Cisco Webex devices in the hybrid-enabled Workspace.

To provide OBTP to Cisco Webex room and desk devices and Webex Boards when scheduling Webex Personal Room meetings, users must have their Personal Room associated with their Cisco Webex account. This can happen in one of the following ways:

Images The Webex site is managed on Cisco Webex Control Hub.

Images The users on your Webex site have been Cisco Webex linked. (For site linking steps, see Link Cisco Webex Sites to Control Hub.)

Images Users associate their Personal Room with Cisco Webex for themselves.

Do this task for the test user account that you will use to verify the setup, to check whether the Personal Room association needs to be added.

Step 1. Sign into the Cisco Webex app.

Step 2. Go to Meetings.

Step 3. Under My Personal Room, if the Personal Room link is missing, enter it in the format https://company.webex.com/meet/username or company.webex.com/meet/username, enter your host PIN, and select Save.

Step 4. If the link was missing, have users who will schedule meetings that include room, desk devices, or boards associate their Personal Rooms with the Webex app for themselves.

To test OBTP, use these steps to set up a test meeting and verify OBTP on registered Room, Desk Devices or Webex Boards.

Step 1. To test a Webex team meeting in Exchange or Office 365:

a. In Outlook, Outlook Web Access, or https://mail.office365.com, create a new meeting, and then add a keyword such as @webex:space or @meet to the Location field.

b. Go to the Scheduling Assistant, then click Add room and choose the device you want to add.

c. Fill out other meeting information as needed and send the invitation.

d. When the meeting is scheduled to begin, verify that the Join button appears on the device.

Step 2. To test a Personal Room meeting in Exchange or Office 365:

a. In Outlook, Outlook Web Access, or https://mail.office365.com, create a new meeting, and then add @webex (or the scheduler’s Personal Room URL) to the Location field.

b. Go to the Scheduling Assistant and click Add room and choose the device you want to add.

c. Fill out other meeting information as needed and send the invitation.

d. When the meeting is scheduled to begin, verify that the Join button appears on the device.

If there is no Join button, a possible cause In hybrid Exchange environments, disabling TNEF for remote domains causes Exchange Online to strip the TMS:ExternalConferenceData and UCCapabilities user attributes for the meeting. This breaks OBTP for Unified CM-registered endpoints. Without these attributes, Cisco TMSXE cannot update the meeting in Cisco TMS, and Cisco TMS cannot set the OBTP dial string for the meeting.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep Software Online.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 18-4 lists a reference of these key topics and the page numbers on which each is found.

Images

Table 18-4 Key Topics for Chapter 18

Images

Complete Tables and Lists from Memory

Print a copy of Appendix C, “Memory Tables” (found on the companion website), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, “Memory Tables Answer Key,” also on the companion website includes completed tables and lists to check your work.

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

Application Programmer Interface (API)

Certificate Authority (CA)

Cisco Webex Cloud

Cisco Webex Control Hub

Google Calendar

Secure HyperText Transfer Protocol (HTTPS)

Hybrid Calendar Service

Microsoft Exchange

One Button to Push (OBTP)

Office 365

Transport Layer Security (TLS)

Telepresence Management Suite (TMS)

Q&A

The answers to these questions appear in Appendix A. For more practice with exam format questions, use the Pearson Test Prep Software Online.

1. Describe the high-level process of the scheduling flow for the cloud-based Hybrid Calendar Service with Google Calendar.

2. Describe the high-level process of the scheduling flow for the cloud-based Hybrid Calendar Service with Office 365.

Answers

1. Hybrid Calendar Service with Google Calendar scheduling flow:

1. A user creates a meeting in Google Calendar, putting a scheduling keyword or video address in the location field.

2. Google sends a notification to the Hybrid Calendar Service.

3. The Hybrid Calendar Service requests and receives the encryption key, and then uses it to encrypt the meeting information.

4. The Hybrid Calendar Service validates meeting creation and recipients, and then creates a Webex team space, if applicable.

5. The Hybrid Calendar Service calls the API service and maps the meeting to the space.

6. The Hybrid Calendar Service retrieves the meeting join information, including the Personal Room if applicable.

7. The Hybrid Calendar Service updates the meeting invite with the meeting join information and, if applicable, the space ID.

8. The updated meeting information appears in Google Calendar.

2. Cloud-based Hybrid Calendar Service with Office 365 scheduling flow:

1. A user creates a meeting in the Office 365 calendar, putting a scheduling keyword or video address in the Location field.

2. Exchange Online sends a notification to the Hybrid Calendar Service.

3. The Hybrid Calendar Service requests and receives the encryption key, and then uses it to encrypt the meeting information.

4. The Hybrid Calendar Service validates meeting creation and recipients, and then creates a Webex team space, if applicable.

5. The Hybrid Calendar Service calls the API service and, if applicable, maps the meeting to the space.

6. The Hybrid Calendar Service retrieves the meeting join information, including the Webex Personal Room if applicable.

7. The Hybrid Calendar Service updates the meeting invite with the meeting join information and, if applicable, the space ID.

8. The invitees and the organizer get the updated meeting invitation.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.209.66.87