Hexwinscpiphone

CiscoMeetingServerCiscoMeetingServerRelease2.
9MMPCommandLineReferenceDecember10,2020CiscoSystems,Inc.
www.
cisco.
comCiscoMeetingServerRelease2.
9:MMPCommandLineReference2ContentsChangeHistory51Introduction71.
1HowtousethisDocument71.
2AccessingtheMMP91.
2.
1CiscoMeetingServer200091.
2.
2Virtualizeddeployments(CiscoMeetingServer1000andspecificationbasedVMservers)91.
2.
3AcanoX-SeriesServers91.
2.
4DifferencesinspecificcommandsbetweenCiscoMeetingServerplatforms91.
3TransferringfilestoandfromtheMMP101.
3.
1WhichfilesyouseeintheSFTPclient101.
4WhatMMPCommandsareAvailable111.
5WritingandCompletingMMPCommands121.
6ReservedPorts121.
7SummaryofMMPadditions131.
7.
1WebBridge3support131.
7.
2OtherMMPchanges142NetworkCommands152.
1NetworkInterface(iface)Commands152.
2IPCommands152.
2.
1IPv4commands152.
2.
2IPv6commands162.
3NetworkDiagnosticCommands172.
3.
1IPv4networkdiagnosticcommands182.
3.
2IPv6networkdiagnosticcommands182.
3.
3Packetcapture182.
4QoS/DSCPCommands183DNSCommands204FirewallCommands225ProvisioningwithCertificates245.
1TLSCertificateVerification29CiscoMeetingServerRelease2.
9:MMPCommandLineReference36CommandsforConfiguringtheCiscoMeetingServer336.
1FederalInformationProcessingStandard366.
2MTUforanInterface367MMPUserAccountCommands387.
1PasswordRules407.
2CommonAccessCard(CAC)Integration427.
2.
1SSHloginconfiguration447.
3Key-basedSSHlogin448ApplicationConfigurationCommands458.
1XMPPServerCommands458.
2CommandsfortheCoretoEdgeTrunk468.
2.
1LoadBalancercommands468.
2.
2Trunkcommands478.
3SupportingXMPPmulti-domains488.
4XMPPresiliencycommands498.
5WebBridgeCommands508.
6WebBridge3Commands528.
7TURNServerCommands538.
8SIPEdgeCommands(BETAfeature)548.
9WebAdminInterfaceCommands558.
10DatabaseClusteringCommands568.
11UploaderCommands598.
12RecorderCommands608.
13StreamerCommands619H.
323Commands6310MiscellaneousCommands6610.
1Model6610.
2MeetingServer'sSerialNumber6610.
3MessageoftheDay6610.
4Pre-loginLegalWarningBanner6610.
5SNMPCommands6710.
5.
1Generalinformation6710.
5.
2SNMPv1/2ccommands6810.
5.
3SNMPv3commands68CiscoMeetingServerRelease2.
9:MMPCommandLineReference410.
5.
4SNMPtrapreceiverconfiguration6910.
6DownloadingtheSystemLogs6910.
7DownloadingtheLogBundle6910.
8DiskSpaceUsage7010.
9BackupandRestoreSystemConfiguration7010.
10UpgradingtheMeetingServer7110.
11ResettingtheMeetingServer7210.
12PasswordRecovery/FirstBootfortheAcanoX-SeriesServer72CiscoLegalInformation74CiscoTrademark75CiscoMeetingServerRelease2.
9:MMPCommandLineReference5ChangeHistoryDateChangeSummaryDecember01,2020AddedsectiononreservedportsOctober15,2020Clarificationnoteaddedre.
MTUinformation.
Otherminorcorrections.
April08,2020Updatedforversion2.
9.
SeeSummaryofMMPadditions.
userevictcommandavailableonCiscoMeetingServer2000January07,2020Minorcorrectiontouserrulemax_failed_loginsDecember20,2019MinorcorrectionNovember22,2019MinorcorrectionOctober25,2019MinorcorrectionOctober15,2019MinorcorrectionSeptember30,2019MinorcorrectionSeptember16,2019Noteaddedconcerningspecialcommandwebbridge3andalsotheuploaderdebugcommandSeptember16,2019NoteaddedconcerningtheuploaderdebugcommandAugust28,2019MinorcorrectionAugust13,2019UpdatedforMeetingServer2.
7,seeJuly19,2019MinorcorrectionJune25,2019MinorcorrectionsincludingdefaultTLScipherstring.
May14,2019MinorcorrectionsApril23,2019Changedtitleto".
.
.
2.
5andlater",nochangesforversion2.
6.
March21,2109CorrectiontocharacterstouseinSNMPcommunityandusername.
March12,2019MinorcorrectionsDecember13,2018MinorcorrectionDecember13,2018UpdatedforCiscoMeetingServer2.
5September20,2018UpdatedforCiscoMeetingServer2.
4,see,addedinformationonFIPScer-tification.
July31,2018Low-latency(XMPP)DSCPtraffictypemarkedasnotcurrentlyused.
July03,2018MiscellaneouscorrectionsChangeHistoryCiscoMeetingServerRelease2.
9:MMPCommandLineReference6DateChangeSummaryJune12,2018MiscellaneouscorrectionsMay23,2018MiscellaneouscorrectionsMarch21,2018Multimedia-streaming(webbridgemedia)DSCPtraffictypemarkedasnotcur-rentlyused.
January17,2018MinoradditionregardingHTTPSservicesinsection5.
1December19,2017UpdatedforCiscoMeetingServer2.
3,changedTLSdefaultcipherstringandaddedtwonewTLScommands.
November01,2017MiscellaneouscorrectionsAugust23,2017MiscellaneouscorrectionsJuly,2017ChangetocipherssupportedfortlsMay03,2017NoadditionsforCiscoMeetingServer2.
2December20,2016Updatedforversion2.
1,addedcommandsfortheStreamerAugust03,2016RebrandedforCiscoMeetingServer2.
0ChangeHistoryCiscoMeetingServerRelease2.
9:MMPCommandLineReference71IntroductionTheCiscoMeetingServersoftwarecanbehostedonspecificserversbasedonCiscoUnifiedComputingServer(UCS)technologyaswellasontheX-Serieshardware,oronaspecification-basedVMserver.
CiscoMeetingServerisreferredtoastheMeetingServerthroughoutthisdocument.
TherearetwolayerstotheCiscoMeetingServer:aplatformandanapplication.
TheplatformisconfiguredthroughtheMainboardManagementProcessor(MMP).
Theapplicationrunsonthismanagedplatformwithconfigurationinterfacesofitsown.
TheMMPisusedforlowlevelbootstrappingandconfiguration.
Itpresentsacommandlineinterface.
OnAcanoX-SeriesServers,theMMPcanbeaccessedviatheserialConsoleportorSSHontheEthernetinterfacelabeledAdmin.
OnCiscoMeetingServer2000,theMMPcommandlineinterfaceisaccessedthroughtheSerialOverLANconnection.
Invirtualizeddeployments(theCiscoMeetingServer1000,andspecificationbasedVMservers)theMMPisaccessedonvirtualinterfaceA.
Applicationleveladministration(callandmediamanagement)isundertakenviatheAPI,orforstraightforwarddeployments,viatheWebAdminInterfacewhichcanbeconfiguredtorunonanyoneoftheavailableEthernetinterfaces.
Note:TheCiscoMeetingServersoftwareisreferredtoastheMeetingServerthroughouttheremainderofthisguide.
1.
1HowtousethisDocumentThisguidedescribestheMMP,andunlessotherwiseindicated,theinformationappliesequallytotheCiscoMeetingServer2000,theCiscoMeetingServer1000,theAcanoX-SeriesServerandvirtualizeddeployments.
Thesedocumentscanbefoundoncisco.
com.
1IntroductionCiscoMeetingServerRelease2.
9:MMPCommandLineReference8Figure1:CiscoMeetingServerdocumentationforversion2.
91IntroductionCiscoMeetingServerRelease2.
9:MMPCommandLineReference91.
2AccessingtheMMP1.
2.
1CiscoMeetingServer2000TheMMPcommandlineinterfaceisaccessedviatheSerialOverLANconnectionontheCiscoMeetingServer2000.
BeforetheMMPcanbeused,theSerialOverLANconnectionmustbeconfiguredwithanIPaddressandcredentials.
RefertotheCiscoMeetingServer2000InstallationGuidefordetailsonconfiguringtheSerialOverLANconnection.
Afterinitialconfiguration,useanSSHclienttoconnecttotheIPaddressoftheSerialOverLANconnectionandlogintotheMMPusingthecredentialsoftheconfiguredadminaccount.
1.
2.
2Virtualizeddeployments(CiscoMeetingServer1000andspecificationbasedVMservers)Invirtualizeddeployments,theMMPisaccessedthroughtheVSphereconsoletab(onvirtualinterfaceA)andrequiresthelogincredentialsofanMMPadminuser(seeMMPUserAccountCommands).
Thesearesetupaspartoftheinstallationprocedure;seetheCiscoMeetingServerInstallationGuideforVirtualizedDeployments.
1.
2.
3AcanoX-SeriesServersOnAcanoX-SeriesServers,theMMPcanbeaccessedviatheserialConsoleportontheserverorSSHontheEthernetinterfacelabeledAdmin,whichrequiresanSSHclient;nootherinterfacescanbeused.
ForWindowsuserspuTTyisapopularchoice.
AccessusingtheConsoleportdoesnotrequireSSH;butbothmethodsrequirethelogincredentialsofanMMPadminuser(seeMMPUserAccountCommands).
Thesearesetupaspartoftheinstallationprocedure;seetheAcanoX-SeriesServerInstallationGuide.
1.
2.
4DifferencesinspecificcommandsbetweenCiscoMeetingServerplatformsThereareafewdifferencesrunningaCiscoMeetingServer2000comparedtoavirtualizedCiscoMeetingServerorAcanoX-Seriesserver.
CommandonCiscoMeetingServer2000onCiscoMeetingServer1000andvirtualizedCiscoMeetingServeronAcanoX-SeriesservershutdownNotavailablethroughMMP.
UseCiscoUCSMan-agertopowerdownbladeserversbeforeremovingpower.
DonotusethevSpherepowerbutton.
Usetheshutdowncommandinstead.
Enter"Y"whenprompted.
Theservercannowbesafelypoweredoff.
1IntroductionCiscoMeetingServerRelease2.
9:MMPCommandLineReference10CommandonCiscoMeetingServer2000onCiscoMeetingServer1000andvirtualizedCiscoMeetingServeronAcanoX-SeriesserverhealthNotavailablethroughMMP.
UseCiscoUCSMan-ager.
NotavailableReturnshealthofserver.
serialReturnsserialnumberofserver.
NotavailableReturnsserialnumberofserver.
dnsDonotspecifyaninterface.
ForexamplednsaddforwardzoneDonotspecifyaninter-face.
ForexamplednsaddforwardzoneMustspecifyaninterface,useeithermmporapp.
ForexamplednsmmpaddforwardzoneuserevictNotavailableAvailablefromversion2.
9AvailableAvailable1.
3TransferringfilestoandfromtheMMPFilescanbetransferredtoandfromtheMMPusingtheSecureFileTransferProtocol(SFTP).
OnWindowswerecommendWinSCP(http://winscp.
net/eng/index.
php),althoughanyclientcanbeused.
SFTPisusedfortransferringthefollowingfiles:nSoftwareupgradeimagesnConfigurationsnapshotsnSecuritycertificatesnLicensefilesnSystemlogfiles(asdirectedbyCiscoSupport)nCrashdiagnosisfiles(asdirectedbyCiscoSupport)ConnectyourSFTPclienttotheIPaddressoftheMMPwhichcanbefoundusingtheipv4MMPoripv6MMPcommand(asappropriate).
LoginusingthecredentialsofanMMPadminuser(seeMMPUserAccountCommands).
1.
3.
1WhichfilesyouseeintheSFTPclientAfterconfigurationyoushouldseethefollowingfileslistedwhenyouaccesstheMMPusingSFTP(bearinmindthatyoumayhavedifferentnamesforeverythingotherthanlicense.
datbutthefollowingaretheexamplefilenamesusedintheinstallationanddeploymentguides):1IntroductionCiscoMeetingServerRelease2.
9:MMPCommandLineReference11nServer.
crt,webbridge.
crtandxmpp.
crtnlicense.
dat(requiredname)nboot.
jsonandlive.
jsonnserver.
key,webbridge.
keyandxmpp.
keyncacert.
pem,privkey.
pem,server.
pemandxmpp.
pem1.
4WhatMMPCommandsareAvailableToseealistofcommandsthatareavailableandtheirparameterstype:helpToseemoredetailsaboutonecommandtype:helpThesecommandsaredescribedinthefollowingsections.
AllthecommandsareenteredattheMMPcommandlineinterfaceprompt.
Anexampleis:iface(admin|a|b|c|d)(on|off)where()indicatesachoiceofoptions,useoneofthem–withoutthebracketsindicatesaparameterthatyoumustentertheappropriatevaluefor[]indicatesanoptionalparameterSomecommandsarefollowedbyoneormoreexamplesinbluewithinthesametablecell:Command/ExamplesDescription/NotesifacemmpDisplaysthenetworkinterfaceconfigurationiface(admin|a|b|c|d)Displaysthenetworkinterfaceconfigurationforthespecifiedinterfaceiface(admin|a|b|c|d)(full|on|off)ifaceadmin1000fullSetsthenetworkinterfacespeed(Mbps),duplexandauto-negotiationparametersSetstheMMPpropertiesto1GE,fullduplexiface(admin|a|b|c|d)autoneg(on|off)ifaceadminautonegonEnablesautonegotiationNotethattheA,B,CandDinterfacesarerestrictedtofullduplexautonegotiation.
1IntroductionCiscoMeetingServerRelease2.
9:MMPCommandLineReference121.
5WritingandCompletingMMPCommandsThefollowingfunctionalitycanbeusedinMMPcommands:nTab:presstheTabkeytoauto-completeacommand.
ForexamplepressingTabaftertypinghelpticreateshelptimezone.
However,ifthereismorethanonepossiblecommand,pressingtabasecondtimedoesnotprovideanalternative.
ForexamplepressingTabafterhelpweprovideshelpwebadminandpressingagaindoesnotprovidehelpwebbridgenLeftandrightarrowkeysmovethecursoralongthelineofatypedcommandnUpanddownarrowkeyscyclethroughthecommandhistorynQuotationmarks:toentermultiplewordargumentsuse""forexamplepkicsrdemoCN:"callbridge.
example.
com"OU:"CiscoSupport"O:CiscoL:"NewYork"ST:NYC:USKeyboardshortcutscanbeused:nCTRL-p:displaysthepreviouscommandnCTRL-n:displaysthenextcommandinthecommandhistorynCTRL-d:deletedthecharacterundercursor,orexitswhenusedinanemptylinenCTRL-c:abortthecurrentexecutingcommandnCTRL-a:jumpstothebeginningofthelinenCTRL-e:jumpstotheendofthelinenCTRL-l:clearstheterminalnCTRL-k:deletesfromthecursorpositiontotheendofthelinenCTRL-m:equivalenttotheReturnkeynCTRL-w:deleteswordleftfromcursornCTRL-u:deletescurrentlinenCTRL-f:movesforwardacharacternCTRL-b:movesbackwardacharacternCTRL-t:swapscurrentcharacterwiththepreviouscharacter1.
6ReservedPortsPort8081isreservedonloopbackifthewebadminisenabled,butisnotreservedifthewebadminisdisabled.
Port8080isalwaysopen.
Port5060isalwaysopen,whileport5061isonlyopenifcertificatesareappliedtotheCallBridge.
1IntroductionCiscoMeetingServerRelease2.
9:MMPCommandLineReference131.
7SummaryofMMPadditions1.
7.
1WebBridge3supportVersion2.
9supportstheseMMPchangesforthenewwebappimplementationusingWebBridge3:CommandDescriptionwebbridge3DisplaysthecurrentsetofvaluesforWebBridge3helpwebbridge3Displayshelpwithallthewebbridge3subcommandswebbridge3restartRestartstheWebBridge3webbridge3(enable|disable)EnablesordisablestheWebBridge3webbridge3httpslistenSetsuptheinterface(s)andport(s)fortheWebBridge3tolistenon.
Enabletheservicetostartlisteningwiththecommandwebbridge3enable.
Thereisnodefaultvaluefortheport;itneedstobespecified.
webbridge3httpscertsSetstheHTTPScertificatesfortheWebBridge3.
Thesearethecertificatesthatwillbepresentedtowebbrowserssotheyneedtobesignedbyacertificationauthority(CA)andthehostname/purposeetcneedstomatch.
(Thecertificatefileisthefullchainofcertificatesthatstartswiththeendentitycertificateandfinisheswiththerootcertificate.
)webbridge3httpscertsnoneRemovesHTTPScertificateconfigurationwebbridge3http-redirect(enable[port]|disable)(Optional)Enables/disablesHTTPredirectsbysettingupaportforHTTPconnections.
ThisportwillbeopenedforallMeetingServerinterfacesonwhichthewebapphasbeenconfigured.
IncomingHTTPconnectionswillbeautomaticallyredirectedtothematchingHTTPSportfortheinterfacetheyarrivedon.
Thedefaultport,ifyoudon'tspecifyoneinwebbridge3http-redirectenable[port],is80.
webbridge3c2wlistenConfigurestheC2Wconnection.
Setsuptheinterface(s)andport(s)fortheWebBridge3tolistenon.
Youmustenabletheservicetostartlisteningwiththecommandwebbridge3enable.
Werecommendthatyoumakethisaddress/portaccessiblefromtheCallBridge(s)only.
1IntroductionCiscoMeetingServerRelease2.
9:MMPCommandLineReference14CommandDescriptionwebbridge3c2wcertsConfigurestheC2Wconnectioncertificates—youneedtoconfiguretheSSLServercertificatesusedfortheC2Wconnection.
TheC2WcertificateisonlypresentedtoCallBridgesconnectingtotheC2Wprotocolconnectionport—thehostname/purposeetcneedstomatch.
(Thecertificatefileisthefullchainofcertificatesthatstartswiththeendentitycertificateandfinisheswiththerootcertificate.
)webbridge3c2wcertsnoneRemovesC2Wconnectioncertificateconfiguration.
webbridge3c2wtrustSetsthetrustbundlethatWebBridge3C2WserverwillverifytheCallBridgeclientcertificateagainsttodeterminewhethertotrustthemornot.
webbridge3c2wtrustnoneRemovesC2Wconnectiontrustbundleconfiguration.
webbridge3optionsSwitchesonthespecifiedfeatures,ifmorethanonefeatureistobeenabledthenseparatethefeature_nameswithaspace.
OnlyusethiscommandunderinstructionfromCiscoSupportorCiscoEFT.
Thesefeaturesarenotsuitableforproductionuse.
Thefeatureswillremainenabledacrossreboots,butwillbeautomaticallyclearedwhenusingtheupgradecommand.
(Thiscommandiscurrentlynotsup-ported.
)webbridge3optionsnoneSwitchesoffallfeaturesthatwerepreviouslyswitchedonusingthewebbridgeoptionscommand.
OnlyuseunderinstructionfromCiscoSupportorCiscoEFT.
(Thiscommandiscurrentlynotsupported.
)webbridge3statusDisplaysthecurrentconfigurationforWebBridge31.
7.
2OtherMMPchangesFromversion2.
9.
3allmaster/slavereferencesinMMPresponsesarenowchangedtoprimary/replica.
1IntroductionCiscoMeetingServerRelease2.
9:MMPCommandLineReference152NetworkCommands2.
1NetworkInterface(iface)CommandsCommand/ExamplesDescription/NotesifacemmpDisplaysthenetworkinterfaceconfigurationiface(admin|a|b|c|d)Displaysthenetworkinterfaceconfigurationforthespecifiedinterfaceiface(admin|a|b|c|d)(full|on|off)ifaceadmin1000fullSetsthenetworkinterfacespeed(Mbps),duplexandauto-negotiationparametersSetstheMMPpropertiesto1GE,fullduplexiface(admin|a|b|c|d)autoneg(on|off)ifaceadminautonegonEnablesautonegotiationNotethattheA,B,CandDinterfacesarerestrictedtofullduplexautonegotiation.
2.
2IPCommands2.
2.
1IPv4commandsNote:Inthevirtualizeddeployment,thereisnoadmininterfaceandthereforeadminisnotavalidentryinthefollowingcommands;selectfromA,B,CorD.
Command/ExamplesDescription/Notesipv4(admin|a|b|c|d)Listsconfiguredandobservednetworkvaluesipv4(admin|a|b|c|d)dhcpEnablesdhcponthespecifiedinterfaceipv4(admin|a|b|c|d)(enable|disable)Enables/disablesthespecifiedinterfaceNote:Thiscommanddoesnotcleartheconfiguration,onlydisablesit.
2NetworkCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference16Command/ExamplesDescription/Notesipv4(admin|a|b|c|d)add/ipv4aadd10.
1.
2.
3/1610.
1.
1.
1Configurestheinterfacewithanipv4addresswithspecifiedprefixlengthanddefaultgatewayforegresspackets.
TheexampleconfiguresAwithaddress10.
1.
2.
3onsubnet10.
1.
0.
0/16.
Ifthereisnomorespecificroute,packetsexitingviaAwillbesentviagateway10.
1.
1.
1.
ipv4(admin|a|b|c|d)delRemovestheIPv4addressonthespecifiedinterfaceipv4(a|b|c|d)defaultSelectstheinterfaceoflastresortforoutboundconnections.
Whenconnectingtoremotehostsitisnotalwaysknownfromcontextwhichinterfaceshouldbeused.
Bycomparison,responsestoconnectionsinitiatedbyremotehostswillusetheinterfaceonwhichtheconnectionwasaccepted.
ThisissometimesreferredtoasthestrongIPmodelipv4(admin|a|b|c|d)routeadd/ipv4(admin|a|b|c|d)routedel/Addsastaticroutesoyoucanrouteaspecificsubnetoutofthespecificinterface.
Thisisforuniqueroutingscenarioswheremultipleinterfacesareenabled,andyouwanttoensurethattrafficforaspecificsubnetisroutedouttothegatewayofthatparticularinterfaceNote:Generallymanualconfigurationofadefaultrouteisnotrequiredandmaycauseissues.
ipv4brouteadd192.
168.
100.
0/24Alltrafficdestinedfor192.
168.
100.
xwillgooutofinterfacebtointerfaceb'sgateway2.
2.
2IPv6commandsTheMeetingServersupportsmultipleIPv6addressesperinterface,andautomaticallyconfiguredaddressesandstaticaddresses.
Note:Inthevirtualizeddeployment,thereisnoadmininterfaceandthereforeadminisnotavalidentryinthefollowingcommands;selectfromA,B,CorD.
Command/ExamplesDescription/Notesipv6(admin|a|b|c|d)Listsconfiguredandobservednetworkvalues2NetworkCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference17Command/ExamplesDescription/Notesipv6(admin|a|b|c|d)enableStartsauto-configurationofthespecifiedinterfaceforIPv6.
Alink-localaddressisgenerated.
DuplicateAddressDetection(DAD)iscompletedand,ifSLAACisenabled,thenRouterSolicitationsaresent.
IfaRouterAdvertisementisreceived,thenlanyadvertisedprefixesareusedtoconstructglobaladdresseslanyRDDNSoptionsareusedtoconfigureDNSlifthe"managed"or"other"flagsareset,thenDHCPv6isstarted.
IfRouterAdvertisementsdonothavethe"managed"or"other"bitsset,thenDHCPv6willnotbeusedIfnoRouterAdvertisementisreceivedafterthreeRouterSolicitationsaresent,thenDHCPv6willstart.
ipv6(admin|a|b|c|d)disableDisablesIPv6forthespecifiedinterfaceipv6slaac(enable|disable)Enables/disablesSLAACipv6(admin|a|b|c|d)add/ipv6aadd2001::2/64WhenSLAACisdisabled,itisnecessarytoaddstaticaddressesandstaticrouteraddresses.
Toaddastaticrouter,NotethatSLAACdiscoveredaddressesandrouterscancoexistwithstaticallyconfiguredaddresses.
TheMeetingServersupportsautomaticallyconfiguredaddressesandstaticaddresses.
TostaticallyconfigureanIPv6addressonthespecifiedinterfaceusethiscommandipv6(admin|a|b|c|d)delipv6adel2001::2/64RemovestheIPv6addressipv6routeradd|del2.
3NetworkDiagnosticCommandsThesecommandshelpwithnetworkdiagnostics.
Note:Inavirtualizeddeployment,thereisnoadmininterfacesoisnotrequired.
Forexample,inanAcanoX-SeriesServerdeploymentuse:ping(mmp|app)butinavirtualizeddeploymentuse:ping2NetworkCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference182.
3.
1IPv4networkdiagnosticcommandsAfteryouhaveenabledIPv4,youcanyouusethefollowingcommands.
Command/ExamplesDescription/Notesping(mmp|app)PingfromtheMMPortheapplicationinterfacesoftheMeetingServertothetargetIPaddressorhostnametraceroute(mmp|app)TotraceroutefromtheMMPortheapplicationinterfacesoftheMeetingServertothetargetIPaddressorhostname2.
3.
2IPv6networkdiagnosticcommandsAfteryouhaveenabledIPv6,youcanyouusethefollowingcommands.
Command/ExamplesDescription/Notesping6(mmp|app)PingfromtheMMPortheapplicationinterfacesoftheMeetingServertothetargetIPv6addressorhostnametraceroute6(mmp|app)TotraceroutefromtheMMPortheapplicationinterfacesoftheMeetingServertothetargetIPv6addressorhostname2.
3.
3PacketcaptureNote:AlthoughpacketscanbecapturedbytheMeetingServer,duetothehighpacketratethattheMeetingServeroperatesat,packetsmaybedroppedfromthepacketcaptureratherthandisturbthenormaloperationoftheMeetingServerinhandlingcalls.
Toavoiddroppedpacketsinthepacketcapture,CiscorecommendscapturingpacketsatyournetworkswitchratherthanontheMeetingServer.
Command/ExamplesDescription/Notespcap(admin|a|b|c|d)StartsimmediatepacketcaptureonthespecifiedinterfaceandstopswhenyoupressCtrl-C.
Thenameofthepcapfileisthendisplayed.
ThisfilecanthenbedownloadedviaSFTP.
2.
4QoS/DSCPCommandsTheMeetingServersupportsQoS/DSCPvaluesinDSCPHex(notTOS).
WefollowtherequirementofUSFederalgovernmentinstitutionstoallowanyDSCPvaluebetween0and63forbackwardscompatibilityeventhoughnoteveryvalueisstandard.
Wesupportinputasdecimal,hexadecimal(caseinsensitive)andoctal;enter46,0x2E(or0x2e),or056,respectively,withthesameresult.
Forexample,EFAudio,AF31Signaling/Data,AF41Videois:2NetworkCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference19EF=0x2EDSCPHex,AF31=0x1ADSCPHex,AF41=0x22DSCPHexDSCPsettingscanbedefinedwithindependentvaluesforIPv4andIPv6.
Forexample,settingoa&mto0x4forIPv4and0x6forIPv6resultsinSSHtrafficbeingmarkedwith0x4forIPv4connectionsand0x6forIPv6connections.
Note:Aservicerestartisrequiredforchangestotakeeffect:werecommendrebootingtheCoreserver.
Command/ExamplesDescription/Notesdscp(4|6)(|none)SetstheDSCPtraffic.
DSCPtrafficcategoriesandthetraffictypeswithinthosecategoriesare:nsignaling(SIP,AS-SIPsignaling)nassured-voice(anyaudioforAS-SIP)nvoice(anyotheraudio)nassured-multimedia(videoforAS-SIP)nmultimedia(anyothervideo)nmultimedia-streaming(webbridgemedia)(notcurrentlyused)nlow-latency(XMPP),(notcurrentlyused)noa&m(webadmin,LDAP,SSH,SFTP)(oa&m=operations,administrationandmanagement)dscp4voice0x2Edscp4voice46dscp4oa&m0x22Setsoa&mforIPv4dscp4oa&mnoneRemovesthesettingdscpassured(true|false)Itispossibletoconfigurebothassuredandnon-assuredDSCPvaluesforthe"voice"and"multimedia"traffictypes–seeabove.
Usethiscommandtoforcetheuseoftheassuredornon-assuredvalue.
dscpassuredtrueForexample,toforcetheuseoftheassured-voiceandassured-multimediaDSCPvaluesforallvoiceandvideodata,usethiscommand.
2NetworkCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference203DNSCommandsNote:Inavirtualizeddeployment,thereisnoadmininterfacesoisnotrequired.
Forexample,inanAcanoX-SeriesServerdeploymentuse:dns(mmp|app)addforwardzonebutinavirtualizeddeploymentuse:dnsaddforwardzoneCommand/ExamplesDescription/NotesdnsDisplaysthecurrentDNSconfigurationdetailsdns(mmp|app)addforwardzonednsappaddforwardzoneexample.
org192.
168.
0.
1Configuresaforwardzone.
Aforwardzoneisapairconsistingofadomainnameandatleastoneserveraddress.
IfanameisbelowthegivendomainnameintheDNShierarchy,thentheDNSresolvercanquerythegivenserver.
Multipleserverscanbegivenforanyparticulardomainnametoprovideloadbalancingandfailover.
Acommonusageistospecify".
"asthedomainnamei.
e.
therootoftheDNShierarchy,whichmatcheseverydomainname.
Note:ApplicationandMMPDNSneedstobesetseparately,butapplicationDNSdoesnotneedtobesetseparatelyforA,B,CandD.
dns(mmp|app)delforwardzoneDeletesaspecifiedforwardzonedns(mmp|app)addtrustanchordnsmmpaddtrustanchor".
INDS190368249AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"AddsatrustanchorforDomainNameSystemSecurityExtensions(DNSSEC).
TrustanchorsshouldbespecifiedinDNSResourceRecordforminsidequotationmarks–seetheexample.
See[1]fordetails.
dns(mmp|app)deltrustanchordnsmmpdeltrustanchorRemovesatrustanchor.
ThezonenameisthedomainnameintheResourceRecord(RR)representingtheanchor.
Theexampleremovesthetrustanchorinstalledintheexampleabove.
3DNSCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference21Command/ExamplesDescription/Notesdns(mmp|app)addrrdnsappaddrr"sipserver.
local.
INA172.
16.
48.
1"dnsappaddrr"_sip.
_tcp.
example.
com.
86400INSRV055060sipserver.
local.
"ToconfiguretheDNSresolver(s)toreturnvalueswhicharenotconfiguredinexternalDNSserversorwhichneedtobeoverridden,customResourceRecords(RRs)canbeconfiguredwhichwillbereturnedinsteadofqueryingexternalDNSservers.
WeacceptRRsinquotationmarkswiththefollowingformat:OWNERCLASSTYPETYPE-SPECIFIC-DATAForexample,Arecordssipserver.
local.
INA172.
16.
48.
1AAAArecordsexample.
com.
aaaa3ffe:1900:4545:2:02d0:09ff:fef7:6d2cSRVrecords_sip.
_tcp.
example.
com.
86400INSRV055060sipserver.
localNote:ifyouwishtocreatecreatemultipleRRsforasinglerecordtypethenyouneedtocreatethemusinganexternalDNSserver.
TheMeetingServerdoesnotsupportmultipleRRsforasinglerecordtypeandwillonlysavethelatestRR.
Forexample,theMeetingServerwillonlysave1SRVrecordfor_sipinternaltls.
_tcp,etc.
.
.
itwillnotsave2differentRRsfor_sipinternaltls.
_tcp.
dns(mmp|app)delrrdnsappdelrr_sip.
_tcp.
example.
com.
SRVdnsappdelrrsipserver.
local.
Adns(mmp|app)lookupdnsmmplookupsrv_sip.
_tcp.
example.
comDoesname"lookups"oftypeA,AAAAorSRVfromtheperspectiveofeithertheMMPortheapplication.
Thelookup"drills"throughSRVresults.
Thatis,whenanSRVrecordreturnsadomainnamethisisresolvedbyAandAAAAlookups.
Note:Iftheapplicationmodulesarenotoperational(e.
g.
duringbootingorrebooting),thenDNSlookupsfor"app"willreturnnoresults.
dns(mmp|app)flushThisflushestheDNScacheofeithertheMMPortheapplicationlayer(API)oftheMeetingServer.
dnsflushTheequivalentcommandonavirtualizeddeployment.
3DNSCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference224FirewallCommandsTheMMPsupportsthecreationofsimplefirewallrulesforboththemediaandadmininterfaces.
Aftersettingupthefirewallruleonaninterface,enablethefirewallonthatinterface.
Note:Thisisnotintendedtobeasubstituteforafullstandalonefirewallsolution.
Firewallrulesmustbespecifiedseparatelyforeachinterface.
Eachfirewallruleforaninterfaceisidentifiedbyatag.
Thesecanbeseeninthestatusoutput,forexample:Interface:adminEnabled:falseDefaultpolicy:allowTagRule-------0drop80CAUTION:Werecommendusingtheserialconsole,ifavailable,toconfigurethefirewall,becauseusingSSHmeansthatanerrorintheruleswouldmaketheSSHportinaccessible.
IfyoumustuseSSHthenensureanallowsshruleiscreatedfortheADMINinterfacebeforeenablingthefirewall.
Command/ExamplesDescription/Notesfirewalldefault(allow|deny)firewalladmindefaultdenyBeforethefirewallcanbeenabledonaninterface,adefaultpolicymustbesetusingthiscommand.
Theallowpolicyallowsallpacketsthatdonotmatchanyrule,andthedenypolicydiscardsallpacketsthatdonotmatchanyruleWhennorulesareconfiguredthiswilldropeverypacketontheadmininterface.
firewallenableEnablesthefirewallonthespecifiedinterface.
firewalldisableDisablesthefirewallonthespecifiedinterface.
firewallDisplaysthecurrentfirewallsettingsforagiveninterfacefirewalladminDisplaysthestatusandrulesetfortheADMINinterface4FirewallCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference23Command/ExamplesDescription/Notesfirewallallow[/][from[/]]firewalldeny[/][from[/]]Addruleswiththesecommands.
Theargumentcanbespecifiedeitherasanumber(e.
g.
"80")orasservicenamefromtheIANAservicenameregistry(e.
g.
"http").
Theprotocolargumentiseithertcporudp.
Ifomitted,therulematchesbothTCPandUDPpackets.
firewalladminallowhttp/tcpAllowsTCPpacketsonport80ontheadmininterfacefirewalladeny678Dropsallpacketsonport678onmediainterfaceAAnoptionalfromclauselimitsthehoststowhicharuleapplies.
ThisisspecifiedasanIPv4orIPv6addresswithanoptionalprefixlengthtodenoteasubnet.
firewalladminallowsshfrom192.
168.
1.
0/28AllowsSSHaccesstotheadmininterfacefromthe256IPv4addressbetween192.
168.
1.
0and192.
168.
1.
255firewalldeleteTodeletearule,useitstagwiththiscommand.
firewalladmindelete0Deletesthesingleruleabovethistable.
4FirewallCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference245ProvisioningwithCertificatesUsethefollowingPKI(PublicKeyInfrastructure)commands.
ThekeyfileshouldcontainanRSAorDSAkeyencodedaseitherPEMorDERwiththefilenameextensionbeing.
key,.
pem,or.
der.
Thecertificatefileshouldbeanx509certificateencodedasPEMorDERwiththefilenameextensionbeing.
crt,.
cer,.
pem,or.
der.
Filenamescanincludealphanumericcharacters,hyphensandunderscorecharactersfollowedbyoneoftheextensionsabove.
Youcanchoosetheper-servicecertificateandkeyfilenames;evenusingthesamepairoffilesforeveryservice.
TheprivatekeyandcertificatefilesshouldbeuploadedviaSFTP.
Command/ExamplesDescription/NotespkiDisplayscurrentPKIusage.
pkilistListsPKIfilesi.
e.
privatekeys,certificatesandcer-tificatesigningrequests(CSRs).
pkiinspectInspectafileandshowswhetherthefileisaprivatekey,acertificate,aCSRorunknown.
Inthecaseofcertificates,variousdetailsaredisplayed.
Ifthefilecontainsabundleofcertificates,informationabouteachelementofthebundleisdisplayed.
BothPEMandDERformatfilesarehandled.
pkimatchThiscommandcheckswhetherthespecifiedkeyandacertificateonthesystemmatch.
Aprivatekeyandacer-tificatearetwohalvesofoneusableidentityandmustmatchiftheyaretobeusedforaservicee.
g.
HTTPS.
pkiverify[]pkiverifyserver.
pembundle.
pemrootca.
pempkiverifyserver.
pembundle.
pemAcertificatemaysignedbyacertificateauthority(CA)andtheCAwillprovidea"certificatebundle"ofintermediateCAcertificatesandperhapsaCAcertificateinitsownfile.
TocheckthatthecertificateissignedbytheCAandthatthecertificatebundlecanbeusedtoassertthis,usethiscommand.
pkiunlockPrivatekeysareoftenprovidedwithpassword-protection.
TobeusedintheMeetingServer,thekeymustbeunlocked.
Thiscommandpromptsforapasswordtounlockthetargetfile.
Thelockednamewillbereplacedbyanunlockedkeywiththesamename5ProvisioningwithCertificatesCiscoMeetingServerRelease2.
9:MMPCommandLineReference25Command/ExamplesDescription/Notespkicsr[:]pkicsrdbserverCN:server01.
db.
example.
comsubjectAltName:server02.
db.
example.
comForusershappytotrustthatCiscomeetsrequirementsforgenerationofprivatekeymaterial,privatekeysandassociatedCertificateSigningRequestscanbegenerated.
isastringidentifyingthenewkeyandCSR(e.
g.
"new"resultsin"new.
key"and"new.
csr"files)AttributesfortheCSRcanbespecifiedinpairswiththeattributenameandvalueseparatedbyacolon(":").
Attributesare:CN:commonNamewhichshouldbeonthecertificate.
ThecommonNameshouldbetheDNSnameforthesystem.
OU:OrganizationalUnitO:OrganizationL:LocalityST:StateC:CountryemailAddress:emailaddressTheCSRfilecanbedownloadedbySFTPandgiventoacertificateauthority(CA)tobesigned.
(Alternatively,theCSRfilecanbeusedinthe'pkisign'commandtogenerateacertificatelocally.
)OnreturnitmustbeuploadedviaSFTP.
Itcanthenbeusedasacertificate.
Note:pkicsr[:]takessubjectAltNameasanattribute.
IPaddressesanddomainnamesaresupportedforsubjectAltNameinacommaseparatedlist.
Forexample:pkicsrtest1CN:example.
exampledemo.
comsubjectAltName:exampledemo.
compkicsrtest2CN:example.
exampledemo.
comC:USL:PurcellvilleO:ExampleOU:SupportST:VirginiasubjectAltName:exampledemo.
compkicsrtest3CN:example.
exampledemo.
comC:USL:PurcellvilleO:ExampleOU:SupportST:VirginiasubjectAltName:exampledemo.
com,192.
168.
1.
25,server.
exampledemo.
com,join.
exampledemo.
com,test.
exampledemo.
comKeepthesizeofcertificatesandthenumberofcertificatesinthechaintoaminimum;otherwiseTLShandshakeroundtriptimeswillbecomelong.
5ProvisioningwithCertificatesCiscoMeetingServerRelease2.
9:MMPCommandLineReference26Command/ExamplesDescription/Notespkiselfsigned[:]pkiselfsigneddbcaCN"MycompanyCA"Youcanusethiscommandtogenerateself-signedcertificates.
identifiesthekeyandcertificatewhichwillbegenerated,e.
g.
"pkiselfsignednew"createsnew.
keyandnew.
crt(whichisself-signed).
Attributesforthecertificatecanbespecifiedinpairswiththeattributenameandvalueseparatedbyacolon(":").
Attributesare:CN:commonName.
Ifthecertificateisusedasend-entitycertificate,thecommonNameshouldbetheDNSnamefortherelevantservice.
.
OU:OrganizationalUnitO:OrganizationL:LocalityST:StateC:CountryemailAddress:emailaddressSelf-signedcertificatescanbeusedtosignCSRs.
Theyareusefultodeployoninternalservicessuchasthedatabasecluster.
ForexternalservicessuchasWebservices,useanexternalCA.
pkisignpkisigndbserverdbcapkisigndbclientdbcaThiscommandsignsthecsridentifiedbyandgeneratesacertificatewiththesamebasename,signedwiththeCAcertificateandkeyidentifiedby.
Thefilesandshouldhavebeengeneratedbythecommands'pkicsr'and'pkiselfsigned'respectively.
pkipkcs12-to-sshPublicSSHkeysstoredinPKCS#12filescanbeusedbutneedtobeprocessedfirst.
ThiscommandextractsauseablepublickeyfromaPKCS#12fileuploadedwiththename.
pub.
Youarepromptedtoenterthepasswordforthepkcs#12file.
Aftercompletion,thepkcs#12fileisreplacedwithauseablekeywithoutpasswordprotection.
Note:Anyotherdatacontainedinthepkcs#12fileislost.
pkipkcs12-to-sshjohnThekeyofanuploadedPKCS#12filejohn.
pubforuserjohncanbemadeuseablebyexecutingthiscommandCommand/ExamplesDescription/NotespkiDisplayscurrentPKIusage.
5ProvisioningwithCertificatesCiscoMeetingServerRelease2.
9:MMPCommandLineReference27Command/ExamplesDescription/NotespkilistListsPKIfilesi.
e.
privatekeys,certificatesandcertificatesigningrequests(CSRs).
pkiinspectInspectafileandshowswhetherthefileisaprivatekey,acertificate,aCSRorunknown.
Inthecaseofcertificates,variousdetailsaredisplayed.
Ifthefilecontainsabundleofcertificates,informationabouteachelementofthebundleisdisplayed.
BothPEMandDERformatfilesarehandled.
pkimatchThiscommandcheckswhetherthespecifiedkeyandacertificateonthesystemmatch.
Aprivatekeyandacertificatearetwohalvesofoneusableidentityandmustmatchiftheyaretobeusedforaservicee.
g.
callbridge.
pkiverify[]pkiverifyserver.
pembundle.
pemrootca.
pempkiverifyserver.
pembundle.
pemAcertificatemaysignedbyacertificateauthority(CA)andtheCAwillprovidea"certificatebundle"ofintermediateCAcertificatesandperhapsaCAcertificateinitsownfile.
TocheckthatthecertificateissignedbytheCAandthatthecertificatebundlecanbeusedtoassertthis,usethiscommand.
pkiunlockPrivatekeysareoftenprovidedwithpassword-protection.
TobeusedintheMeetingServer,thekeymustbeunlocked.
Thiscommandpromptsforapasswordtounlockthetargetfile.
Thelockednamewillbereplacedbyanunlockedkeywiththesamename5ProvisioningwithCertificatesCiscoMeetingServerRelease2.
9:MMPCommandLineReference28Command/ExamplesDescription/Notespkicsr[:]pkicsrexampleCN:www.
example.
comOU:"MyDesk"O:"MyOffice"L:"SanJose"ST:CaliforniaC:USForusershappytotrustthatCiscomeetsrequirementsforgenerationofprivatekeymaterial,privatekeysandassociatedCertificateSigningRequestscanbegenerated.
isastringidentifyingthenewkeyandCSR(e.
g.
"new"resultsin"new.
key"and"new.
csr"files)AttributesfortheCSRcanbespecifiedinpairswiththeattributenameandvalueseparatedbyacolon(":").
Attributesare:CN:commonNamewhichshouldbeonthecertificate.
ThecommonNameshouldbetheDNSnameforthesystem.
OU:OrganizationalUnitO:OrganizationL:LocalityST:StateC:CountryemailAddress:emailaddressTheCSRfilecanbedownloadedbySFTPandgiventoacertificateauthority(CA)tobesigned.
(Alternatively,theCSRfilecanbeusedinthe'pkisign'commandtogenerateacertificatelocally.
)OnreturnitmustbeuploadedviaSFTP.
Itcanthenbeusedasacertificate.
Note:Since1.
6.
11pkicsr[:]nowtakessubjectAltNameasanattribute.
IPaddressesanddomainnamesaresupportedforsubjectAltNameinacommaseparatedlist.
Forexample:pkicsrtest1CN:example.
exampledemo.
comsubjectAltName:exampledemo.
compkicsrtest2CN:example.
exampledemo.
comC:USL:PurcellvilleO:ExampleOU:SupportST:VirginiasubjectAltName:exampledemo.
compkicsrtest3CN:example.
exampledemo.
comC:USL:PurcellvilleO:ExampleOU:SupportST:VirginiasubjectAltName:exampledemo.
com,192.
168.
1.
25,xmpp.
exampledemo.
com,server.
exampledemo.
com,join.
exampledemo.
com,test.
exampledemo.
comKeepthesizeofcertificatesandthenumberofcertificatesinthechaintoaminimum;otherwiseTLShandshakeroundtriptimeswillbecomelong.
5ProvisioningwithCertificatesCiscoMeetingServerRelease2.
9:MMPCommandLineReference29Command/ExamplesDescription/Notespkiselfsigned[:]Youcanusethiscommandtogenerateself-signedcertificates.
identifiesthekeyandcertificatewhichwillbegenerated,e.
g.
"pkiselfsignednew"createsnew.
keyandnew.
crt(whichisself-signed).
AttributesfortheCSRcanbespecifiedinpairswiththeattributenameandvalueseparatedbyacolon(":").
Attributesare:CN:commonNamewhichshouldbeonthecertificate.
ThecommonNameshouldbetheDNSnameforthesystem.
OU:OrganizationalUnitO:OrganizationL:LocalityST:StateC:CountryemailAddress:emailaddressTheCSRfilecanbedownloadedbySFTPandgiventoacertificateauthority(CA)tobesigned.
OnreturnitmustbeuploadedviaSFTP.
Itcanthenbeusedasacertificate.
Keepthesizeofcertificatesandthenumberofcertificatesinthechaintoaminimum;otherwiseTLShandshakeroundtriptimeswillbecomelong.
pkisignThiscommandsignsthecsridentifiedbyandgeneratesacertificatewiththesamebasename,signedwiththeCAcertificateandkeyidentifiedby.
Thefilesandshouldhavebeengeneratedbythecommands'pkicsr'and'pkiselfsigned'respectively.
pkipkcs12-to-sshPublicSSHkeysstoredinPKCS#12filescanbeusedbutneedtobeprocessedfirst.
ThiscommandextractsauseablepublickeyfromaPKCS#12fileuploadedwiththename.
pub.
Youarepromptedtoenterthepasswordforthepkcs#12file.
Aftercompletion,thepkcs#12fileisreplacedwithauseablekeywithoutpasswordprotection.
Note:Anyotherdatacontainedinthepkcs#12fileislost.
pkipkcs12-to-sshjohnThekeyofanuploadedPKCS#12filejohn.
pubforuserjohncanbemadeuseablebyexecutingthiscommand5.
1TLSCertificateVerificationNote:IfTLScertificateverificationisenabled,ensurethattheremotedevice'scertificatehasbothServerandClientAuthenticationattributesdefined.
ThiswillensurebothoutgoingandincomingTLSconnectionsareaccepted.
5ProvisioningwithCertificatesCiscoMeetingServerRelease2.
9:MMPCommandLineReference30Note:WhenLDAPserversareconfiguredwithsecureconnection,connectionsarenotfullysecureuntilTLScertificateverificationhasbeenconfiguredusingthetlsldapcommandontheMMP.
MeetingServerusesaminimumofTLS1.
2andDTLS1.
2bydefaultforallservices:SIP,LDAP,HTTPS(inboundconnections:API,WebAdminandWebBridge;outboundconnections:CDRs)andXMPP.
IfneededforinteropwitholdersoftwarethathasnotimplementedTLS1.
2,alowerversionoftheprotocolcanbesetastheminimumTLSversionfortheSIP,LDAPandHTTPSservices.
Seetlsmin-tls-versionandtlsmin-dtls-versioncommandsbelow.
Note:ACallBridgerestartisrequiredforchangestothetlsconfigurationtobeapplied.
Note:AfutureversionofMeetingServermaycompletelyremoveTLS1.
0.
Com-mand/ExamplesDescription/NotestlsDisplaystheconfigurationforaservice,i.
e.
sip|ldap|dtls|webadmintlsldapDisplaysthesettingforLDAP.
tlstrusttlsldaptrustldap.
crtConfiguresthesystemtouseaparticularbundleofcertificatestovalidatethecertificateofaremoteservicetlsverify(enable|disable)Enables/disablescertificateverification.
Whenenabled,ifthesystemfailstoverifytheremoteservice'scertificate,thentheconnectionwillbeaborted.
tlsverifyocspEnablesverificationwiththeadditionalrequirementthattheremoteservicereturnsastapledOCSPresponsetoascertaincertificaterevocationstatus.
Theconnectiontotheremoteservicewillbeabortedifeitherthesystemfailstoverifythecertificatevalidityorthecertificaterevocationstatusisunknownorrevoked.
5ProvisioningwithCertificatesCiscoMeetingServerRelease2.
9:MMPCommandLineReference31Com-mand/ExamplesDescription/NotestlssipciphersSeebelowforanexplanationofwhenyoumightneedtousethetlsciphercommand.
ThecipherstringformatisacolonseparatedlistofciphersasusedbyOpenSSL(https://www.
openssl.
org/docs/manmaster/man1/ciphers.
html#CIPHER-LIST-FORMAT).
Thecurrentdefaultforciphersupportis:"ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!
aNULL:!
MD5:!
DSS:!
3DES"(uptoVersion2.
4.
2)"ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!
aNULL:!
MD5:!
DSS:!
3DES:!
aDH:!
aECDH"(fromversion2.
4.
3onwards)ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!
aNULL:!
MD5:!
DSS:!
3DES:!
aDH:!
aECDHNote:":!
aDH:!
aECDH:!
SEED:!
eNULL:!
aNULL"isautomaticallyappendedtotheconfiguredcipherstringtodisallowveryweakciphers.
tlsmin-tls-versionUsethiscommandtochangethedefaultTLSversionusedbytheMeetingServer.
(Fromversion2.
3).
Note:WhenyouchangetheminimumversionofTLS,youneedtorestarttheCallbridgeserviceusingthecommandcallbridgerestart.
TheMeetingServerusesaminimumofTLS1.
2forallservices.
IfneededforinteropwitholdersoftwarethathasnotimplementedTLS1.
2,theminimumTLSversionforSIP,LDAPandHTTPScanbeconfiguredtoalowerversionoftheprotocol.
Note:theMeetingServeronlyusesTLS1.
2forXMPPservices,theversioncannotbechanged.
tlssipmin-tls-version1.
1UseTLSversion1.
1orlaterforSIPtlsldapmin-tls-version1.
1UseTLSversion1.
1orlaterforLDAPtlsmin-dtls-versiontlsmin-dtls-version1.
1ConfigurestheminimumDTLSversionthatthesystemwilluse.
(Fromversion2.
3).
Note:WhenyouchangetheminimumversionofDTLS,youneedtorestarttheCallbridgeserviceusingthecommandcallbridgerestart.
(Fromversion2.
3)IfneededforinteropwitholdersoftwarethathasnotimplementedDTLS1.
2,configureDTLStousealowerversionoftheprotocol.
Bydefault,theMeetingServeronlyusessecureciphersforanyTLSconnections,includingSIPTLSontcpport5061.
However,thismaymeanthattheMeetingServermaybeunabletomakeTLScallswitholder,lesssecuredevices.
Ifyourdeploymenthasolderkit,usethistlscipherscommandtospecifyalistofciphersthatisacceptabletotheolderdevices.
SeetheOpensslguideformoreinformationonciphers.
Symptomsthatadevicecannothandlesecureciphersinclude:5ProvisioningwithCertificatesCiscoMeetingServerRelease2.
9:MMPCommandLineReference32nSIPTLScallsfailingtothedevice,nHTTPSaccessnotworkingonthedevice,nerrorsappearinginthelogs.
5ProvisioningwithCertificatesCiscoMeetingServerRelease2.
9:MMPCommandLineReference336CommandsforConfiguringtheCiscoMeetingServerNote:TodeterminethehealthoftheCiscoMeetingServer2000usetheCiscoUCSManager.
Command/ExamplesDescription/NoteshealthDisplaystemperatures,voltagesandotherhealthinformationabouttheMeetingServer.
Note:Thehealthcommandisnotavailableonavirtualizeddeployment.
uptimeDisplaysthetimesincetheMeetingServerwaslastrebootedshutdownPowersofftheMeetingServerwhenyouenterYinresponsetotheprompt.
Afterusingtheshutdowncommand,anAcanoX-SeriesServercanthenbepoweredoff.
Note:shutdownisnotavailablethroughtheMMPontheCiscoMeetingServer2000.
UseCiscoUCSManagertopowerdownbladeserversbeforeremovingpower.
hostnamehostnamemybox.
mydomainSetsthehostnamefortheserver.
Note:Arebootisrequiredafterissuingthiscommand.
timezoneDisplaysthecurrentlyconfiguredtimezonetimezonetimezoneEurope/LondonSetsthetimezonefortheMeetingServer.
TheMeetingServerusesthestandardIANAtimezonedatabase.
Seethislinkforalist.
Note:Arebootisrequiredafterissuingthiscommand.
timezonelistPrintsafulllistoftheavailabletimezones.
Note:ifyouchoosetousethetimezonewithoffsetfromGMT,Etc/GMT,theoffsetusesPOSIX-stylesigns.
AsaconsequencethetimezoneforHongKongisEtc/GMT-8,andNOTEtc/GMT+8.
ntpserveradd|delConfigures/deletesanNTPserver.
canbeanameorIPaddressntpstatusChecksthestatusoftheNTPserversntpserverlistDisplayalistofconfiguredNTPserversntpgroupkeyAddsanNTPv4groupkeyforautokeysupportntpautokey(enable|disable)Enablesordisablesautokeysupport6CommandsforConfiguringtheCiscoMeetingServerCiscoMeetingServerRelease2.
9:MMPCommandLineReference34Command/ExamplesDescription/Notesntpgroupkeygroup.
keyntpautokeyenableForexample,agroupkeyfilecanbeuploadedusingSFTPto"group.
key"andconfiguredwiththesecommands.
dateDisplaysthecurrentsystem(inUTC)andlocaltimedatesetSetsthedateandtime.
Thiscommandshouldonlybenecessaryinvirtualizeddeployments,andserverdeploymentsthatdonotuseanNTPserver.
Theacceptedformatsfordateandtimeare:lISO8601format(%Y-%m-%d)plus24-hourtimewithhourseparatedbyaspacel%m/%d/%yplus24hourtimeNote:UsersofsystemswithanNTPservershouldnotneedtousethiscommand.
dateset2013-08-1713:04rebootRebootstheMeetingServer.
Note:RebootingtheMeetingServerwilldisconnectanycalls.
Theprocesstakessomeminutestocomplete.
licenseThiscommandonlyappliesonvirtualizedservers.
ItcheckstheMeetingServerlicensestatusanddisplayslicensedfeatures,e.
g.
:Feature:callbridgestatus:Activatedexpiry:2014-JUl-01(12daysremain)callbridgeDisplaysthecurrentstatuscallbridgelisten(interfaceallowedlist|none)callbridgelistenaConfiguresoneormoreinterfaces(chosenfromA,B,CorD)fortheCallBridgetolistenon.
callbridgelistennoneStopstheCallBridgeanddisableslisteningservices;however,theCallBridgeremainsenabled.
callbridgepreferChosesoneinterfacefromtheinterfaceallowedlistasthe"preferred"SIPinterface:thisinterfaceisusedasthecontactaddresswhenroutingorheuristicscannotbeusedtoselectauniqueinterface.
callbridgecerts[]DefinesthenamesofthekeyfilenameandcertificatefilenamefortheMeetingServerand,optionally,aCAcertificatebundleasprovidedbyyourCA.
(AlsoseeChapter5.
)6CommandsforConfiguringtheCiscoMeetingServerCiscoMeetingServerRelease2.
9:MMPCommandLineReference35Command/ExamplesDescription/NotescallbridgecertsnoneRemovescertificateconfigurationcallbridgetrustclusterConfigurestheCallBridgetouseaparticularbundleofcertificatestovalidatetheidentityoftheCallBridgesinthecluster.
Thebundlecanbeeitheracertificatechain,oranallowedlistoftrustedcertificates.
(Fromversion2.
4).
callbridgetrustclusternoneRemovesthecertificatebundlefortheCallBridgeclusterfromtheCallBridgetruststore.
(Fromversion2.
4).
callbridgetrustxmpp[]syslogserverdelsyslogserveraddtls:syslog.
example.
com514TheMeetingServercansenditslogfilestoaremotesyslogserveroverTCP(notUDP)Theportdefaultsto514TospecifythatTLSshouldbeusedtoprotectthesyslogdataintransit,prefixthehostname/IPaddressoftheremoteserverwith"tls:"syslogListsthecurrentsyslogconfigurationsyslogenablesyslogdisableEnablesthesyslogmechanismsyslogauditaddsyslogauditaddaudit-server.
example.
orgsyslogauditdelDefinestheserverwheretheauditlogswillbesent.
Theauditlogisasubsetofthefullsystemlogandcontainsinformationonsecurityevents(logins,etc.
)andconfigurationchanges.
Note:Thesesyslogauditcommandscanonlyberunbyauserwiththeauditrole.
audithttp(enable|disable)Enables/disablesdetailedauditofHTTPtransactionssyslogtail[]Showsthemostrecentlogmessages.
Bydefaultthisis10messagesbutthenumbercanbechangedwiththeoptionalargumentsyslogpageDisplaysthecompleteloginteractively.
PresstheSpacebartodisplaythenextpageoflogmessages;pressqtoquit.
6CommandsforConfiguringtheCiscoMeetingServerCiscoMeetingServerRelease2.
9:MMPCommandLineReference36Command/ExamplesDescription/NotessyslogfollowDisplayslogmessagesastheyarewritteninreal-time.
Ctrl+Cstopstheoutputandreturnsyoutotheadminshell.
syslogsearchsyslogsearcherrorDisplaysonlythosemessagesthatmatchacertainpatternNote:Ifthecurrentuserhastheauditrolethenthetailandsearchcommandsdisplayauditlogmessages;otherwisetheydisplaymessagefromthesystemlog.
SeeSection10.
6fordetailsondownloadingthesystemlogssyslogrotatesyslogrotatemylogSavesthelogfilepermanentlytothefilewiththespecifiedfilename,andemptiestheactivesystemlog.
ThesavedfilecanbedownloadedusingSFTP.
versionDisplaysthesoftwarereleasecurrentlyinstalledontheMeetingServer.
6.
1FederalInformationProcessingStandardTheMeetingServerprovidesaFIPS140-2level1certifiedsoftwarecryptographicmodule(http://en.
wikipedia.
org/wiki/FIPS_140-2).
ForinformationonwhichCiscoMeetingServersoftwarereleasesareFIPScertified,clickonthislink.
ByenablingFIPSmode,cryptographicoperationsarecarriedoutusingthismoduleandcryptographicoperationsarerestrictedtotheFIPS-approvedcryptographicalgorithms.
Command/ExamplesDescription/NotesfipsDisplayswhetherFIPSmodeisenabledfipsenablefipsdisableEnablestheFIPS-140-2modecryptographyforallcryptographicoperationsfornetworktraffic.
AfterenablingordisablingFIPSmode,arebootisrequiredfipstestTorunthebuilt-inFIPStest6.
2MTUforanInterfaceNote:TheMTUappliestobothincomingandoutgoingpacketsonCiscoMeetingServer2000,butonlyappliestooutgoingpacketsonCiscoMeetingServer1000.
6CommandsforConfiguringtheCiscoMeetingServerCiscoMeetingServerRelease2.
9:MMPCommandLineReference37Command/ExamplesDescription/Notesifacemtuifaceamtu1400Setsthemaximumtransmissionunitsizeinbytesforaninterface6CommandsforConfiguringtheCiscoMeetingServerCiscoMeetingServerRelease2.
9:MMPCommandLineReference387MMPUserAccountCommandsTheMMPuseraccountrolesare:nadmin:MMPadministrator;permittedtodoalltasksncrypto:MMPcryptographyoperator;permittedtodocrypto-relatedtasksnaudit:tosendauditlogstoaSyslogserver(refertotheRemoteSyslogserversectioninthedeploymentguideforguidanceonhowtodothis)nappadmin:CanperformapplicationlevelconfigurationthroughtheWebAdminInterfacenapi:canusetheAPI.
Notethatthe"api"userrolewaspreviouslyconfiguredthroughtheWebAdminInterfaceNote:Donotconfuseuseraccountssetupwiththecommandsinthissection,withaccountswhicharesetupusingActiveDirectoryandwhichletusersloginonaCiscoMeetingAppandmakecalls.
UnlessotherwisementionedthefollowingcommandsrequireyoutobeloggedintoanMMPaccountwithadminrights.
Command/ExamplesDescription/Notesuseradd(admin|crypto|audit|appadmin|api)CreatesanewMMPuserofthespecifiedtype(seeabove)Promptsforapasswordfortheuserwhichmustbeenteredtwicetoensurethattheintendedpasswordisconfigured.
Onfirstlogin,theuserwillbeaskedtoconfigureanewpassword.
CAUTION:userpasswordsexpireafter6months.
userdelDeletesauserfromthesystem.
CAUTION:userdeldoesnotautomaticallyevictusersalreadyloggedin.
Youareadvisedtouseuserlisttocheckwhethertheyareloggedin,andiftheyarethenuseuserevicttoterminatealloftheirsessionsbeforedeletingthem.
userlistDisplaysthelistofusers,theirrole,theexpirydateoftheirpasswordandwhetherornottheyareloggedin.
userinfoDisplaysuserdetailsincludingrole,lastlogin,numberoffailedloginattemptssincelastlogin,lasttimepasswordwaschanged,expirydateofpassword,iftheaccountislockedornot.
7MMPUserAccountCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference39Command/ExamplesDescription/NotesuserevictLogsauseroutfromtheirMMPsession.
Note:ifyouusethiscommandonauserwhoiscurrentlyactiveinaWebAdminsession,yourMMPsessionwillfreezeandyouwillneedtorelogintotheMMP.
Note:Fromversion2.
9,thiscommandisavailableontheCiscoMeetingServer2000.
userunlockRemovesalockonloginsforausercausedbyexceedingthemaximumfailedloginspasswd[]Changesyourpasswordoranotheruserspassword:followtheinstructions.
Theusernameisoptional:itallowsanadmintoresetanotheruser'spassword.
Ifexecutedwithnoargument,thecommandchangesthecurrentuser's(your)password.
Authenticationofthecurrentuserisrequired.
userexpireForcesausertoconfigureanewpasswordonnextlogin.
Note:thiscommanddoesnotapplytousertype"api",theirpasswordsdoexpireovertime,buttheycannotbeforcedtochangetheirpasswordviathiscommand.
userhostadd|delRestrictsremoteaccessforauserfromhostsinanallowedlistgivenasdomainnamesorIPaddresses.
Note:Theuserinfocommanddisplaysthecurrentlistofallowedhosts(ifany)–seeaboveuserhostbobadd192.
168.
1.
3Adds192.
168.
1.
3tothelistofacceptablesourceaddressesforremotehostswhenbobtriestologin7MMPUserAccountCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference40Command/ExamplesDescription/NotesuserdutyuserdutynoneRestrictsthedutyhoursofauserThedutyhoursparameterisusedtoindicatethetimesatwhichausercanaccessthesystem.
Theformatisalistofday/time-rangeentries.
Daysareasequenceoftwo-characterrepresentations:Mo,Tu,We,Th,Fr,Sa,Su.
Allweekdays(daysexcludingSaturdayandSunday)arerepresentedbyWk,theweekenddaysbyWdandalldaysintheweekbyAl.
NotethatrepeateddaysareunsetMoMo=noday,andMoWk=allweekdaysexceptMonday.
Aday/time-rangeprefixedwitha'!
'indicates"anythingbut"e.
g.
!
MoTumeansanythingbutMondayandTuesday.
Thetime-rangeistwo24-hourtimesHHMM,separatedbyahyphen'-',toindicatethestartandfinishtime.
Afinishtimeisearlierthanthestarttimeindicatesthatthedutycontinuesintothenextday.
Multiplerulescanbecombinedwiththe'|'symboltomean'or'e.
g.
MoTu1200-1400|We1400-1500meansMondayorTuesdaybetween1200and1400orWednesdaybetween1400-1500.
userdutybobWk0900-1700|Sa1200-1300Allowsbobaccessduringofficehours(9to5)onweekdaysandbetween1200and1300onaSaturday7.
1PasswordRulesCAUTION:Passwordsexpireafter6months.
CAUTION:Donotreuseyouradmincredentialsforanyotherconfiguration.
Forexample,yourTURNserverusernameandpasswordmustbeunique.
Passwordscanbeenforcedintwoways:nTopreventweakpasswordsyoucanuploadadictionaryagainstwhicheachnewpasswordwillbechecked.
Ifthenewpasswordmatchesanentryinthedictionaryitwillberejected:lThedictionarymustbeatextfilecalleddictionarywithonewordorphrasetoeachlinelEachlinemustendwithasingleline-feedcharacterratherthantheWindowscarriage-returnline-feedsequencelUploadthedictionaryusingSFTPtoenablethecheckinge.
g.
sftp>putpasswordlist.
txtdictionarynThereareanumberofcommandswhichenforcemoresecurepasswordusage.
Alltheseallcommandsrequireadminlevelaccess.
7MMPUserAccountCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference41Command/ExamplesDescription/Notesuserrulemax_historyPreventspasswordreusebycheckingnewpasswordsagainstthatuser'spreviousnumberofpasswordsuserrulepassword_ageEnforcesamaximumageforpasswordsindaysuserrulemin_password_agePreventsthepasswordhistorycontrolsbeingcircumvented,bysettingaminimumintervalbeforeapasswordcanbereset.
Note:Thisintervalisoverriddenwhenanadminentersthe"userexpire"command.
userrulemin_lengthSetstheminimumpasswordlengthuserrulemin_specialSetstheminimumnumberof"special"characters:userrulemin_uppercaseSetstheminimumuppercaselettersinapassworduserrulemin_lowercaseSetstheminimumlowercaselettersinapassworduserrulelongest_digits_runSetsthemaximumconsecutivedigitsallowedinapassworduserrulemin_digitsSetstheminimumnumberofdigitsinapassworduserrulemax_repeated_charSetsthemaximumrunofarepeatedcharacteruserrulemin_changed_charactersSetstheminimumnumberofcharacterpositionsinthenewpasswordwhichmustdifferfromtheolduserruleonly_asciiRestrictspasswordstoASCIIcharactersuserruleno_usernamePreventsapasswordbeingsetthatcontainstheusername.
userruleno_palindromePreventsapasswordbeingsetthatisapalindrome7MMPUserAccountCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference42Command/ExamplesDescription/Notesuserrulemax_failed_loginsSetsthenumberoffailedloginsallowed,beforea15minutelockoutforMMPusersorCiscoMeetingAppusersthatauthenticateviaLDAP.
GuestaccesstomeetingsheldontheMeetingServerareunaffected.
Ifsetto0,thisrulewilllockoutuserswithvalidcredentials.
NotethattheCallBridgeneedstoberestartedforuserrulemax_failed_loginstotakeeffect.
ChangesareimmediatelyappliedtoMMPusers.
LockedMMPuserscanbeunlockedbyanMMPadmin,butitisnotpossibletounlockanLDAPuserbeforethelockouttimerexpires.
Ifnomaximumnumberoffailedloginsisconfigured,thenthelockoutmechanismisdisabledforMMPusers,butitdefaultsto20failedloginattemptsforusersthatauthenticateviaLDAP.
userrulemax_idleSetsthemaximumnumberofdaysthatanaccountcanbeidlebeforeitislocked.
Theminimumvalueis1.
Note:ifnoidletimeisconfigured,thennoneisenforced.
userrulemax_sessionsLimitsanyusertosimultaneousSSHsessions,simultaneouswebadminsessionsand,ifnotanaccountwiththewebadminrole,oneconsolesession.
Note:themaximumnumberofconcurrentsessionsis3,sessionsarecountedacrosswebandssh.
userrulemax_sessionsnoneRemovessessionrestrictions7.
2CommonAccessCard(CAC)IntegrationTheCommonAccessCard(CAC)isusedasanauthenticationtokentoaccesscomputerfacilities.
TheCACcontainsaprivatekeywhichcannotbeextractedbutcanbeusedbyon-cardcryptographichardwaretoprovetheidentityofthecardholder.
TheMeetingServersupportsadministrativeloginstotheSSHandWebAdminInterfaceusingCAC.
7MMPUserAccountCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference43Command/ExamplesDescription/Notescaccacenable|disablecacenablestrictListscurrentconfigurationToenableCAClogins,executecacenableTomakethistheonlyallowedremoteloginmethod(excludingusingtherecoverybutton),usecacenablestrict.
Thiscommanddisablesnormalloginsusingaserialcable.
BeforeenablingCAClogins,checksaremadetoensurethattheservicehasbeenconfigured.
Werecommendusingcacenablewithoutspecifying"strict"totestwhetherthesetupiscorrectbeforeturningoffpasswordloginswiththe"strict"option.
NOTE:Theextensionofcertificatebasedaccesstoclientloginsisabetafeature,onlyuseinatestenvironment,donotuseinaproductionenvironment.
NOTE:-ifcacisenabled,thenitispossibletousecertificatebasedloginsfromsuitableclients.
Usersconnectinginthismannerwillnothavetoenterapasswordtoaccessthesystem.
-ifcacenablestricthasbeenapplied,thenuserswillneedtologinviaCACbeforetheyareabletologintotheCiscoMeetingApp.
cacissuerTovalidateCACusers,anissuercertificatebundleneedstobeuploadedtotheMMPusingSFTP.
Legitimatecredentialswillhavebeencryptographicallysignedbyoneoftheissuercertificates;ifnot,thentheloginwillfail.
Contactyoursitecryptographyofficerformoreinformationcacocspenable|disableOnlineCertificateStatusProtocol(OCSP)isamechanismforcheckingthevalidityandrevocationstatusofcertificates.
TheMMPcanusethistoworkoutwhethertheCACusedforaloginisvalidand,inparticular,hasnotbeenrevoked.
IftheMMPisconfiguredtobein"strict"CACmode(nopasswordloginsallowed–seeabove),thenaccesstotheMMPcanberestrictedcentrallybyrevokingcertificates.
OCSPcanbeenabledwithoutspecialconfiguration.
Inthismode,theURLoftheOCSPresponderwillbereadfromtheCACcredentialspresentedtotheMMPifpresent.
IfanOCSPresponderisnotpresent,ortheOCSPresponderisnotavailable(isdown,can'tberoutedto,etc.
),thenCACloginsfail.
cacocspresponderToconfigureaURLforanOCSPresponder,usethiscommand.
ThisURLwilloverrideanyprovidedbytheCAC.
cacocspcertsSomeOCSPrespondersrequireOCSPrequeststobesignedbytherequestor.
Thiscommandspecifiesaprivatekeyand(matching)publiccertificateforthisoperation:ItislikelythattheOCSPresponderwillrequirethatthesigningcertificateissignedbyaparticularauthority,perhapstheissueroftheCACcertificates.
Thisisasite-localconsideration.
cacocspcertsnoneRemovesthecertificateconfiguration7MMPUserAccountCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference447.
2.
1SSHloginconfigurationSSHloginusingCACrequiresextraconfigurationstepsbecauseX509-basedpublickeyexchangeisnotwidelysupportedbySSHclients.
ThepublicX509certificatefromtheCACneedstobeextractedanduploadedbySFTPtotheMMPasanSSHpublickey.
TherearevariousmethodstogetthepublicX509certificatefromtheCAC;oneoftheeasiestistouseaCAC-enabledwebbrowsertoexportthekey:FirefoxandChrome:InaFirefoxorChromebrowserenteraurlsimilartohttps://ca.
cern.
ch/ca/Help/kbid=040111.
Followtheinstructionstoexportthecredentials.
Afterexport,uploadthepkcs#12fileto.
pubMMPusingSFTP,whereistheusernameoftheassociateduser.
Thenexecutethefollowingcommandasexplainedabove:pkipkcs12-to-sshInternetExplorer:IEcanexporttheCAC(public)credentialsasX509encodedasDER,whichcanbeuploadedandusedwithoutfurthersteps(cf.
pkcs#12)7.
3Key-basedSSHloginItispossibletoinstallanSSHpublickeyonMeetingServersothatSSHloginsbypasspasswordauthenticationifthekey-basedauthenticationissuccessful.
Summarysteps:1.
Nameyourpublickey.
pub(whereisanexistingMeetingServerMMPuserwhoyouwishtograntkeybasedloginto).
2.
sftpthe.
pubkeytothe3.
Trytossh@(itmayaskyouforapasswordfirsttime,butshouldn'tneedapasswordforsubsequentlogins).
7MMPUserAccountCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference458ApplicationConfigurationCommands8.
1XMPPServerCommandsThesecommandsareforsettingupanXMPPserverasdescribedintheDeploymentGuides.
Command/ExamplesDescription/NotesxmppxmppstatusDisplaysthecurrentconfigurationxmpprestartxmppdomainRestartstheXMPPserverCreatesacomponentsecretfortheXMPPserverxmpplistenSetsupanallowedlistofinterfacestolistenon.
YoumustenabletheserviceinordertostartlisteningwiththecommandxmppenableStopstheXMPPserverlisteningxmpplistenabxmpplistennonexmpp(enable|disable)EnablesordisablestheXMMPserverxmppcerts[]DefinesthenameofthekeyfileandcertificatefilefortheXMPPserver,andoptionally,aCAcertificatebundleasprovidedbyyourCA.
(AlsoseethesectionProvisioningwithcertificates.
)xmppcertsnoneRemovescertificateconfigurationxmppmotdaddConfiguresa"messageoftheday"whichwillbedisplayedwhenCiscoMeetingApporXMPPclientslogin.
""xmppmotddelRemovesthemessageoftheday.
Alternatively,amessagenolargerthan2048characterscanbeconfiguredbycopyingafilebySFTPto"xmpp.
motd".
Modifyingthexmpp.
motdinanywaycausestheXMPPservertorestart.
Note:motdcommandsareonlysupportedonMeetingAppversionspriortoversion1.
9.
xmppmax_sessionsLimitsthenumberofsimultaneousXMPPsessionsthatanindividualusercanhavewiththeXMPPserver(andhence,thenumberofsimultaneouslogins).
Thispreventsasingleuserfromexhaustingsystemresources.
xmppmax_sessionsnoneRemovesanyrestrictionontheXMPPsessionsperuser.
8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference46Command/ExamplesDescription/Notesxmppmax_sessions3IftheexpectationisthatauserwillhaveatmostaniPad,iPhoneandPClogin,thensetthemaximumsessionstothree.
ThesexmppcallbridgecommandsareexplainedintheScalability&ResilienceDeploymentGuidexmppcallbridgeaddConfigurestheXMPPservertoallowconnectionsfromanewCallBridge.
Note:asecretwillbegenerated,thisisrequiredifyousetupXMPPresiliency.
NowgototheWebAdminInterfaceonthatCallBridgeandconfigureittoconnecttotheXMPPserver.
xmppcallbridgedelStopsaCallBridgefromaccessingtheXMPPserver.
xmppcallbridgelistForeachCallBridgeliststhedomain,component_secretandconnectionstatusxmppcallbridgeadd-secretRequiredforXMPPresiliency.
UsedtoaddtotheothernodesintheXMPPcluster,thesecretsgeneratedfromconnectingtheCallBridgestothefirstnodeinthecluster.
SeeSection8.
4forothercommandstodeployXMPPresiliency.
xmppresetReturnsanXMPPservertoastandaloneconfiguration(removesanyCallBridgesthathavebeenadded).
Onlyusethiscommandifyouneedtorestartconfiguration.
8.
2CommandsfortheCoretoEdgeTrunkTheCallBridgeneedstobeaccessibletoclientsonexternalnetworksdespitesittingbehindoneormorefirewallsandevenNAT.
Toavoidcomplexconfigurationinsplitdeployments,TLStrunkscanbecreatedbetweentheCoreandtheLoadBalancerontheEdgeserver.
TheCoreserverandtheEdgeservermutuallyauthenticate,andtheEdgestartstolistenonport5222forincomingclientconnections(XMPP).
Thissectiondescribesthecommandstosetupthistrunk;thisisdividedintocommandsthatneedtoberunintheEdge'sMMPandthosethatarerunintheCore'sMMP.
8.
2.
1LoadBalancercommandsCommand/ExamplesDescription/Notesloadbalancerlist[]Liststhealltheloadbalancerconfigurationsor,iftagisprovided,justthatloadbalancer'sconfiguration8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference47Command/ExamplesDescription/Notesloadbalancer(enable|disable)loadbalancerenableexampleEdgeEnablesordisablestheloadbalancerNotethatthepublicport(seebelow)isnotopeneduntiltherearetrunkstoserviceconnections.
loadbalancercreateloadbalancercreateexampleEdgeCreatesaloadbalancerloadbalancertrunk[:]loadbalancertrunkexampleEdgea:3999loadbalancerpublic[:]loadbalancerpublicexampleEdgeb:5222loadbalancerpublicexampleEdgeb:5222lo:5222ConfiguresthetrunkinterfaceandportConfiguresthepublicinterfaceandport(foracceptingclientconnections)Inacommonedgedeployment,theWebBridgeisalsoenabledandneedstomakeuseofaCoretoEdgetrunk.
Toallowthis,configuretheloopbackinterfaceasapublicinterfaceloadbalancerauthloadbalancerauthexampleEdgeacano.
keyacano.
crttrust.
pemConfigurestheprivatekeyandcertificateusedtoauthenticatetothetrunk,andthetrustedcertificateswhichmaybepresentedbythetrunk.
IfatrunkpresentsanyofthecertificatesinthetrustbundlewhencreatingtheTLSconnectionandthetrunkacceptsthecertificatethattheloadbalancerpresents,thentheconnectionwillsucceed.
Specifically,ifthetrustbundlecontainsavalidchainofcertificates,withthepresentedcertificateissuedbyaCAattheendofthechain,thenauthenticationwillsucceed.
Otherwise,theconnectionwillberejected.
Inparticular,ifself-signedcertificatesareused,thenthepubliccertificatecanbeputintothetrustbundleandauthenticationwillsucceed.
loadbalancerdeleteDeletestheloadbalancerconfiguration.
8.
2.
2TrunkcommandsCommand/ExamplesDescription/Notestrunklist[]ListsthealltheCoreconfigurationsor,iftagisprovided,justthatCore'sconfigurationtrunk(enable|disable)EnablesordisablestheCoretrunkcreatetrunkcreatetrunktoExampleEdgexmppCreatesatrunkinstanceforXMPP.
8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference48Command/ExamplesDescription/Notestrunkedge[:]ConfiguresthedomainnameorIPaddressoftheEdgetotrunkto.
NotethatthedomainnamecouldresolvetomultipleIPaddresses.
Inthatcase,aconnectionisattemptedtoalladdresses.
Ifnoportisspecified,itisassumedthattheportcanbediscoveredbyaDNSSRVlookupofthedomainnametrunkauthConfigurestheprivatekeyandcertificateusedtoauthenticatetotheEdgeserver,andthetrustedcertificateswhichmaybepresentedbytheEdgeserver.
trunkdeleteDeletestheCoreconfiguration.
trunkdebugThiscommandisonlytobeusedundertheguidanceofCiscoSupport.
Thediagnosticsshow:ltheDNSresultsfortheEdgeservernamelattemptstocreatetheTLSconnectionandauthenticatetoeachaddresslifsuccessful,debuginformationfromtheCoreserver,including:lalistof"Core"connections(trunktoEdgeserverconnections)totheEdgeserverinquestionltheclientconnectionscurrentlybeingservicedbythatEdgeserverlmemoryusagestatisticsfortheEdgeserver8.
3SupportingXMPPmulti-domainsCommand/ExamplesDescription/Notesxmppmulti_domainadd[]AddanotherdomainthattheXMPPserverwilllistento.
Specifytheprivatekey,certificateandoptionalcertificatebundleasprovidedbytheCA.
RestarttheXMPPserverforthischangetotakeeffect.
Note:theXMPPserverwillnotstartiftheprivatekeyorcertificatefilesaremissingorinvalid.
xmppmulti_domaindelDeletethedomainthattheXMPPserverlistensto.
xmppmulti_domainlistListthedomainthattheXMPPserverlistensto.
8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference498.
4XMPPresiliencycommandsXMPPresiliencyprovidesfail-overprotectionforaclientbeingunabletoreachaspecificXMPPserverinmulti-serverdeployments.
RefertotheScalabilityandResilienceDeploymentGuideforthestepsinsettingupXMPPresiliency.
TheMMPcommandstoconfiguretheMeetingServertodeployXMPPresiliencyarelistedinthetablebelow.
Command/ExamplesDescription/Notesxmppclusterenable|disableEnables/disablesXMPPclustering.
EnablingtheXMPPclustermustbedonebeforeenablingXMPPonanode.
Ifxmppclusterisdisabledandxmppisstarted,thiswillstartthexmppserverinstandalonemode.
xmppclustertrustSpecifiesthebundleofcertificatesthatwillbetrustedbythexmppcluster.
Theshouldcontainallofthecertificatesforthexmppserversinthecluster.
Thecertificatesmustalreadyhavebeenappliedtothexmppserversusingthexmppcertscommand.
Thismechanismensuresthatthedifferentxmppnodesintheclustertrusteachother,andenablesthefailoveroperationandtheforwardingoftrafficbetweennodes.
xmppclusterstatusReportsthelivestateofthexmppcluster.
Iftheclusterhasfailed,thenthiscommandwillreturnthestatisticsofthexmppserverrunningonthisMeetingServeronly.
Usethiscommandtotryandhelpdiagnoseconnectivityproblems.
xmppclusterinitializeInitializesacluster.
Thiscommandwillcreatea1nodelivexmppcluster,youcanjoinothernodes(xmppservers)tothiscluster.
xmppclusterjoinAddthisnodetothecluster.
istheIPaddressofthefirstnodeinthecluster(seecommandxmppclusterinitialize).
xmppclusterremoveRemovethisnodefromthecluster.
Thisrequiresthenodetoberunning.
xmppclusterremoveRemovesthespecifiednodefromthecluster,whereiseithertheIPaddressoradomainnameforthenode.
Thisallowsyoutoremoveanodefromtheclusterifthenodeisunresponsive.
8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference50Command/ExamplesDescription/Notesxmppcallbridgeadd-secretPleaseenterasecret:AddCallBridgesecrettoXMPPserver.
UsedtoconfiguretheothernodeswiththesecretscreatedwhenconnectingtheCallBridgestothefirstXMPPservernodeinthecluster.
ThiscommandallowsaCallBridgetosharecredentialswithmanyXMPPservers.
8.
5WebBridgeCommandsTheWebBridgeonlysupportsTLS;thereforeyoumustfollowtheinstructionsintheDeploymentGuidestosetuptheWebBridge.
Thissectionprovidesacommandreference.
Note:Fromversion2.
9andtheintroductionofWebBridge3,thisoriginalWebBridgeisalsoreferredtoasWebBridge2todistinguishitfromthenewWebBridge3.
Command/ExamplesDescription/NoteswebbridgerestartRestartstheWebBridgewebbridgestatusDisplaysthecurrentconfigurationwebbridgelisten]allowedlist>webbridgelistenabSetsuptheinterface(s)andport(s)fortheWebBridgetolistenon.
Youmustenabletheservicetostartlisteningwiththecommandwebbridgeenable.
Thedefaultfortheoptionalportargumentis443.
webbridgelistennoneStopstheWebBridgelistening.
webbridge(enable|disable)EnablesordisablestheWebBridgewebbridgecerts[]Providesthenameofthekeyfileand.
crtfilefortheWebBridgeand,optionally,aCAcertificatebundleasprovidedbyyourCAwebbridgecertsnoneRemovescertificateconfigurationwebbridgeclickonceDefinestheclickoncelinklocation.
Theurlmustbeprefixedbyhttp://,https://orftp://andbeavalidurl.
IfauserfollowsacallinvitelinkorcoSpaceweblink(e.
g.
https://www.
join.
cisco.
com/invited.
sfid=1234)usingInternetExplorer(theonlybrowserthatwesupportforclickonce),thenwewillattempttoredirecttheusertotheconfiguredclickoncelocation,ratherthanusingthedefault.
Whenthisredirectoccurs,thePCClientstartsautomatically(orisdownloadedifitisnotalreadyinstalled)andthecall/coSpacewillbedialed.
webbridgeclickoncenoneDisablesallclickonceredirectbehavior8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference51Command/ExamplesDescription/Noteswebbridgemsi(|none)webbridgedmg(|none)webbridgeios(|none)ConfiguresthedownloadlocationsforWindowsmsi,MacOSXdmgandiOSinstallerswhicharepresentedtoWebRTCuserswebbridgeiosnoneTodeconfigure,usetheappropriatecommandwiththepara-meternonewebbridgetrustwebbridgetrustnoneControlswhichCallBridgeinstancesareallowedtoconfigureguestaccountsandcustomizations(likebackgroundimage).
IfthetrustedCallBridgeisrunningonthesameserverastheWebBridge,thenissuingthewebbridgetrustcommandwiththenameoftheCallBridgepubliccertificate/certificatebundleissufficient.
IftheCallBridgeisrunningonanotherserver,thepubliccertificate/certificatebundleoftheCallBridgemustfirstbecopiedtotheWebBridgeserverusingSFTP.
Note:InclusteredCallBridgedeployments,iftheCallBridgeshavedifferentcertificatesthencombinethecertificatesintoonebundle.
webbridgetrustxmppConfigurestheWebBridgetouseaparticularallowedlistofcertificatestovalidatetheidentityoftheXMPPservers.
(Fromversion2.
4)webbridgetrustxmppnoneRemovestheXMPPcertificateallowedlistfromtheWebBridgetruststore.
(Fromversion2.
4)webbridgehttp-redirect(enable|disable)Enables/disablesHTTPredirectswebbridgeurl-redirect(|none)ConfigurestheURLredirectlocation.
Todeconfigure,usethecommandwiththeparameternonewebbridgeoptionswebbridgeoptionscma.
webrtc.
iosSwitchesonthespecifiedfeatures,ifmorethanonefeatureistobeenabledthenseparatethefeature_nameswithaspace.
OnlyusethiscommandunderinstructionfromCiscoSupportorCiscoEFT.
Thesefeaturesarenotsuitableforproductionuse.
Thefeatureswillremainenabledacrossreboots,butwillbeautomaticallyclearedwhenusingtheupgradecommand.
(Fromversion2.
5).
webbridgeoptionsnoneSwitchesoffallfeaturesthatwerepreviouslyswitchedonusingthewebbridgeoptionscom-mand.
OnlyuseunderinstructionfromCiscoSupportorCiscoEFT.
(Fromversion2.
5).
8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference528.
6WebBridge3CommandsFollowtheinstructionsintheDeploymentGuidestosetuptheWebBridge3.
Thissectionprovidesacommandreferenceonly.
Note:YoucandeployWebBridge3inparalleltodeployingtheoriginalWebBridge(alsoknownasWebBridge2).
Note:"CallBridgetoWebBridge"protocol(C2W)isthelinkbetweenthecallbridgeandwebbridge3.
TheMMPcommandstodeployWebBridge3touseCiscoMeetingServerwebapp—thenewbrowser-basedclientforCiscoMeetingServerthatletsusersjoinmeetings(audioandvideo)—arelistedinthetablebelow.
CommandDescriptionwebbridge3DisplaysthecurrentsetofvaluesforWebBridge3helpwebbridge3Displayshelpwithallthewebbridge3subcommandswebbridge3restartRestartstheWebBridge3webbridge3(enable|disable)EnablesordisablestheWebBridge3webbridge3httpslistenSetsuptheinterface(s)andport(s)fortheWebBridge3tolistenon.
Enabletheservicetostartlisteningwiththecommandwebbridge3enable.
Thereisnodefaultvaluefortheport;itneedstobespecified.
webbridge3httpscertsSetstheHTTPScertificatesfortheWebBridge3.
Thesearethecertificatesthatwillbepresentedtowebbrowserssotheyneedtobesignedbyacertificationauthority(CA)andthehostname/purposeetcneedstomatch.
(Thecertificatefileisthefullchainofcertificatesthatstartswiththeendentitycertificateandfinisheswiththerootcertificate.
)webbridge3httpscertsnoneRemovesHTTPScertificateconfigurationwebbridge3http-redirect(enable[port]|disable)(Optional)Enables/disablesHTTPredirectsbysettingupaportforHTTPconnections.
ThisportwillbeopenedforallMeetingServerinterfacesonwhichthewebapphasbeenconfigured.
IncomingHTTPconnectionswillbeautomaticallyredirectedtothematchingHTTPSportfortheinterfacetheyarrivedon.
Thedefaultport,ifyoudon'tspecifyoneinwebbridge3http-redirectenable[port],is80.
8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference53CommandDescriptionwebbridge3c2wlistenConfigurestheC2Wconnection.
Setsuptheinterface(s)andport(s)fortheWebBridge3tolistenon.
Youmustenabletheservicetostartlisteningwiththecommandwebbridge3enable.
Werecommendthatyoumakethisaddress/portaccessiblefromtheCallBridge(s)only.
webbridge3c2wcertsConfigurestheC2Wconnectioncertificates—youneedtoconfiguretheSSLServercertificatesusedfortheC2Wconnection.
TheC2WcertificateisonlypresentedtoCallBridgesconnectingtotheC2Wprotocolconnectionport—thehostname/purposeetcneedstomatch.
(Thecertificatefileisthefullchainofcertificatesthatstartswiththeendentitycertificateandfinisheswiththerootcertificate.
)webbridge3c2wcertsnoneRemovesC2Wconnectioncertificateconfiguration.
webbridge3c2wtrustSetsthetrustbundlethatWebBridge3C2WserverwillverifytheCallBridgeclientcertificateagainsttodeterminewhethertotrustthemornot.
webbridge3c2wtrustnoneRemovesC2Wconnectiontrustbundleconfiguration.
webbridge3optionsSwitchesonthespecifiedfeatures,ifmorethanonefeatureistobeenabledthenseparatethefeature_nameswithaspace.
OnlyusethiscommandunderinstructionfromCiscoSupportorCiscoEFT.
Thesefeaturesarenotsuitableforproductionuse.
Thefeatureswillremainenabledacrossreboots,butwillbeautomaticallyclearedwhenusingtheupgradecommand.
(Thiscommandiscurrentlynotsup-ported.
)webbridge3optionsnoneSwitchesoffallfeaturesthatwerepreviouslyswitchedonusingthewebbridgeoptionscommand.
OnlyuseunderinstructionfromCiscoSupportorCiscoEFT.
(Thiscommandiscurrentlynotsupported.
)webbridge3statusDisplaysthecurrentconfigurationforWebBridge38.
7TURNServerCommandsOverthepreviousfewreleasesofCiscoExpressway,edgefeatureshavebeendevelopedtoenabletheExpresswaytobeusedastheedgedeviceinMeetingServerdeployments.
Note:TheTURNServercomponentisnotavailableontheCiscoMeetingServer2000.
Note:TheTURNservercomponentalwayssupportsthestandardport3478forUDP.
8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference54SettingupaTURNserverisdescribedintheDeploymentGuides.
Thissectionprovidesacommandreference.
Command/ExamplesDescription/NotesturnrestartRestartstheTURNserver.
turnlistenturnlistenabSetsupanallowedlistofinterfacestolistenon.
Tostartlistening,youmustenabletheservicewiththecommandturnenable.
turnlistennoneStopstheTURNserverlistening.
turntlsSetsanadditionalporttobeusedforTURN,andenablesTCP/TLSusageforTURN.
Note:SetTURNtolistenforTCPandTLStrafficaswellasUDP,ontheportspecifiedaswellasport3478,forallthreeservices.
ThisoptionMUSTbesetforTURNtolistenonanyservicebesideUDP,andforTURNtolistenonanyportbeside3478.
turncerts[]Definesthenameoftheprivatekeyfileand.
crtfilefortheTurnServerapplicationand,optionally,aCAcertificatebundleasprovidedbyyourCA.
(AlsoseethesectionProvisioningwithCertificates.
)Thisoptionisrequiredif'turntls'isinuse.
turncertsnoneRemovescertificateconfiguration.
turn(enable|disable)EnablesordisablestheTURNserver.
turncredentialsturncredentialsmyusernamemypasswordexample.
comSetsthelongtermcredentialsfortheTURNserver.
turnpublic-ipSetsupapublicIPaddressfortheTURNserver.
turndeletepublic-ipDeletestheTURNserverpublicIPaddress.
8.
8SIPEdgeCommands(BETAfeature)OverthepreviousfewreleasesofCiscoExpressway,edgefeatureshavebeendevelopedtoenabletheExpresswaytobeusedastheedgedeviceinMeetingServerdeployments.
Fromversion2.
4,youshouldstartmigratingyourMeetingServerdeploymentsfromusingtheMeetingServerSIPedgecomponent(SIPandLyncCallTraversalfeature)andtheMeetingServerTURNserver,tousingtheExpresswayX8.
11TURNserver.
NoteaboutremovingedgecomponentsfromCiscoMeetingServersoftware:8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference55TheSIPEdgecomponentwillberemovedfromtheCiscoMeetingServersoftwareinversion3.
0.
Itremainsapreviewfeatureuntilitsremoval,andshouldnotbeusedinaproductionenvironment.
Note:TheSIPEdgeisnotavailableontheCiscoMeetingServer2000.
TheSIPEdgecomponentprovidessupportfortraversaloflocalfirewallsforSIPendpointsandLynccallsinsplitserverdeployments.
TheCallBridgeusesaTURNserverwithintheMeetingServertotraversethelocalfirewallandsendtheSIPsignalviaanewSIPEdgecomponent.
.
TheMMPcommandstoconfiguretheSIPEdgecomponentarelistedinthetablebelow.
Command/ExamplesDescription/Notescallbridgeaddedge:AddstheSIPEdgefortheCallBridgetouse.
callbridgedeledgeRemovestheSIPEdgecallbridgetrustedgeSpecifyacertificatefortheCallBridgetotrustforconnectionstoandfromtheSIPEdge.
ThisisthecertificateoftheSIPEdge.
sipedgeprivate:SpecifytheinternalinterfaceandportforconnectionstoandfromtheCallBridgesipedgepublic:Specifytheexternalinterfaceandportforconnectionstoandfromexternalsystemssipedgepublic-ipsipedgepublic-ipnoneConfigureorremovetheNATaddressthattheSIPEdgecanbereachedat.
sipedgecertsConfiguretheprivatekeyandcertificatefortheSIPEdgealongwithabundleoftrustedcertificatesfortheconnectionfromtheCallBridgesipedgeenablesipedgedisableEnablesordisablestheSIPEdgecomponentsipedgerestartRestartstheSIPEdgecomponent.
UsethiscommandafteryouhavechangedthecertificatesontheSIPedge.
Donotusethiscommandwhenimportantcallsareactive.
8.
9WebAdminInterfaceCommandsNote:Port8081isreservedonloopbackifthewebadminisenabled,butisnotreservedifthewebadminisdisabled.
Port8080isalwaysopen.
8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference56Command/ExamplesDescription/NoteswebadminDisplaystheconfigurationwebadminrestartRestartstheWebAdminInterfacewebadminlisten(admin|a|b|c|d)[]webadminlistenawebadminlistena443SetsuptheinterfacefortheWebAdminInterfacetolistenon.
Tostartlistening,youmustenabletheservicewiththecommandwebadminenable.
Thedefaultisport443.
Note:adminisnotavalidparameterforthiscommandinthevirtualizeddeployment.
webadminlistennoneStopstheWebAdminInterfacelistening.
webadmin(enable|disable)EnablesordisablestheWebAdminInterface.
Whenenablingsomechecksareperformedbeforelaunchingtheservice:thatlisteninginterfacesareconfigured,thatthecertificatesmatchandthatportsdonotclashwithotherservices.
webadmincerts[]Providesthenameofthekeyfileand.
crtfilefortheWebAdminInterfaceand,optionally,aCAcertificatebundleasprovidedbyyourCAwebadmincertsnoneRemovescertificateconfigurationwebadminhttp-redirect(enable|disable)Enables/disablesHTTPredirectsfortheWebAdminInterfacewebadminstatusDisplaystheWebAdminInterfacestatusNote:MMPuseraccountsarealsousedtologintotheWebAdminInterface.
8.
10DatabaseClusteringCommandsThesedatabaseclusteringcommandsareexplainedintheScalability&ResilienceDeploymentGuideandCertificateGuidelines.
Fromversion2.
7,databaseclustersrequireclientandservercertificatessignedbythesameCAconfiguredineachMeetingServerholdingorconnectingtoadatabaseinthecluster.
Enforcingtheuseofcertificatesensuresbothconfidentialityandauthenticationacrossthecluster.
CAUTION:IfadatabaseclusterwasconfiguredwithoutcertificatesusinganearlierversionofMeetingServersoftwarewhichdidnotrequirecertificates,thenonupgradingtoversion2.
7thedatabasewillstopandremainunreachableuntilcertificatesareconfiguredandthedatabaseclusterisrecreated.
8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference57Note:isthedatabaseclusterCAcertificatebundle.
Thisisalsousedasatruststore,sodatabaseconnectionsthatgiveavalidcertificatenameandacertificatechainthatendswitharootcertificatepresentinthebundlewillbeaccepted.
Command/ExamplesDescription/NotesdatabaseclusterstatusDisplaystheclusteringstatus,fromtheperspectiveofthisdatabaseinstance.
Note:From2.
7thiscommandwillhighlightthelackofconfiguredcertificates.
databaseclusterlocalnodeThiscommandmustberunontheserverthatwillhosttheinitialprimarydatabasebeforeinitialisinganewdatabasecluster.
Thecanbeinthefollowingformats:[a|b|c|d]-thenameoftheinterface(thefirstIPv6addressispreferred,otherwisethefirstIPv4addressischosen)e.
g.
databaseclusterlocalnodeaipv4:[a|b|c|d]-thenameoftheinterface,restrictedtoIPv4(thefirstIPv4addressischosen)e.
g.
databaseclusterlocalnodeipv4:aipv6:[a|b|c|d]-thenameoftheinterfacerestrictedtoIPv6(thefirstIPv6addressischosen)e.
g.
databaseclusterlocalnodeipv6:a-aspecificIPaddress,canbeIPv4orIPv6e.
g.
databaseclusterlocalnode10.
1.
3.
9Note:DonotusetheAdmininterfacefordatabaseclustering.
databaseclusterinitializeCreatesanewdatabasecluster,withthisserver'scurrentdatabasecontentsastheoneandonlydatabaseinstance—theprimary.
Thecommandreconfigurespostgrestoclustermode-i.
e.
listensonexternalinterfaceandusesSSLReconfiguresandrestartsthelocalCallBridge(ifitisenabled)tousethedatabasecluster.
Note:From2.
7thiscommandwillnotrunwithoutvalidcertificates,keysandCAcertificatesuploadedtothedatabaseclientsandservers.
8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference58Command/ExamplesDescription/NotesdatabaseclusterjoinCreatesanewdatabaseinstanceaspartoftheclustercopyingthecontentsoftheprimarydatabasetothisserveranddestroyingthecurrentcontentsofanydatabaseonit.
canbeforanyexistingdatabaseinthecluster.
ReconfiguresandrestartsthelocalCallBridge(ifitexistsanditisenabled)tousethedatabaseclusterNote:From2.
7thiscommandwillnotrunwithoutvalidcertificates,keysandCAcertificatesuploadedtothedatabaseclientsandservers.
databaseclusterconnectConnectsaCallBridgetoadatabasecluster.
ReconfiguresandrestartstheCallBridge(ifitisenabled)tousethedatabasecluster.
Disablestheuseofanylocaldatabase(onthesamehostserverastheCallBridge),althoughthedatabasecontentispreservedandcanbereadafteradatabaseclusterremovecommandisrunonthishostserver(seebelow).
Note:From2.
7thiscommandwillnotrunwithoutvalidcertificates,keysandCAcertificatesuploadedtothedatabaseclientsandservers.
databaseclustercertsdatabaseclustercertsdbcluster_server.
keydbcluster_server.
crtdbcluster_client.
keydbcluster_client.
crtdbcluster_ca.
crtConfiguresthecertificatesusedtosecuretheconnectionsinadatabasecluster.
Certificatesmustbeconfiguredbeforethedatabaseclustercanbeenabled.
databaseclustercertsdatabaseclustercertsdbcluster_client.
keydbcluster_client.
crtdbcluster_ca.
crtConfiguresthecertificatesusedtosecuretheconnectionsinadatabaseclusterwherethereisnoco-locateddatabaseontheCallBridge.
databaseclustercertsnoneRemovescertificateconfiguration.
Certificateswillneedtobeconfiguredagainbeforethedatabaseclustercanbere-enabled.
8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference59Command/ExamplesDescription/NotesdatabaseclusterremoveRemovesonedatabasefromtheclusterifrunonadatabasehostserver,"un-connects"aCallBridgeifrunonahostserverwithonlyaCallBridge,orbothiftheserverhostsbothaclustereddatabaseandaCallBridge.
databaseclusterupgrade_schemaUpgradesthedatabaseschemaversionintheclustertotheversionthisnodeexpects.
Werecommendthatyourunthiscommand:lontheprimarydatabase,butitcanberunonanydatabaseinstancelaftereverysoftwareupgradeonanyserverhostingadatabaseinstanceorCallBridgedatabaseclusterclear_errorWhenapreviousoperationsuchasaschemaupgradefailed(seethepreviouscommand),thiscommandmanuallyresetsthestate.
ThiscommandshouldonlyberunwheninstructedtodosobyCiscosupport.
8.
11UploaderCommandsUploadersimplifiesusingVbrickRevforvideocontentmanagement.
ThissectionprovidesacommandreferencefortheUploader.
CommandsDescriptionuploader(enable|disable)Enablesordisablestheuploadercomponent.
BeforeconfiguringtheUploader,ensurethecomponentisdisabled.
uploadernfs:SpecifytheNFSthattheUploaderwillmonitor.
uploader(cms|rev)hostConfiguretheUploaderwiththenameofthehostfortheMeet-ingServer(cms)andthehostfortheVbrickRevserver.
Defaultportis443.
uploader(cms|rev)portConfiguretheUploaderwiththeporttousetoconnecttotheMeetingServer(cms)andtheportfortheVbrickRevserver.
Defaultportis443.
uploader(cms|rev)userConfiguretheUploaderwiththeuserthathasaccesstotheAPIoftheMeetingServerandtheuserwithaccesstotheVbrickRevserver.
uploader(cms|rev)passwordConfiguretheUploaderwiththepasswordforthespecifiedMeet-ingServeruserandtheVbrickRevuser.
8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference60CommandsDescriptionuploader(cms|rev)trust(|none)UploadthespecifiedcertificatebundletothetruststoreontheMeetingServerortheVbrickRevserver.
noneremovesthecer-tificatebundlefromthespecifiedtruststore.
Note:theUploaderwillnotworkwithoutacertificatebundleintheMeetingServertruststoreandtheVbrickRevtruststore.
uploaderedit(|none)Notsupportedinversion2.
4.
0.
uploaderview(|none)Notsupportedinversion2.
4.
0.
uploaderaccessSetaccesspermissiontothevideorecordingsuploadercospace_member_accessAllowsmembersofthespacetovieworeditthevideorecord-ings.
noneremovesvieworeditpermissionsformembersofthespace.
uploaderrecording_owned_by_cospace_ownertrueselectstheownerofthespaceasthesingleownerofthesevideorecordings.
uploaderfallback_owner(|none)Usethenameduserasthefallbackownerofthevideorecord-ings,iftheownerofthespaceisnotlistedinVbrickRev.
noneremovesthefallbackowner.
uploadercomments(enable|dis-able)Enablesordisablescommentingonvideorecordings.
Defaultisdisabled.
uploaderratings(enable|dis-able)Enablesordisablesvideorecordingratings.
Defaultisdisabled.
uploaderdownloads(enable|dis-able)Setsthedownloadpermission,enablesordisablesdownloadingthevideorecordings.
uploaderinitial_state()SettheinitialstateofthevideorecordingwhenfirstuploadedtoVbrickRev.
Defaultisactive.
uploaderdelete_after_upload()SelectswhethertodeletethevideorecordingfromtheNFSafteruploadiscomplete.
Defaultisfalse.
Note:Theuploaderdebug()commandwasremovedinversion2.
4,debugginginformationisautomaticallysenttothesyslogserver.
8.
12RecorderCommandsThissectionprovidesacommandreferencefortheRecorder.
Followtheinstructionsintheappropriatedeploymentguidetodeploytherecorder.
8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference61Command/ExamplesDescription/NotesrecorderrestartrecorderRestartstheRecorderDisplaysthecurrentconfigurationoftheRecorderrecorderlisten]allowedlist>recorderlistenabSetsuptheinterface(s)andport(s)fortheRecordertolistenon.
Youmustenabletheservicetostartlisteningwiththecommandrecorderenable.
Thedefaultfortheoptionalportargumentis443.
recorderlistennoneStopstheRecorderlistening.
recorder(enable|disable)EnablesordisablestheRecorderrecordercerts[]Providesthenameofthekeyfileand.
crtfilefortheRecorderand,optionally,aCAcertificatebundleasprovidedbyyourCArecordercertsnoneRemovescertificateconfigurationrecordertrustControlswhichCallBridgeinstancesareallowedtoconnecttotheRecorder.
IfthetrustedCallBridgeisrunningonthesameserverastheRecorder,thenissuingtherecordertrustcommandwiththenameoftheCallBridgepubliccertificate/certificatebundleissufficient.
IftheCallBridgeisrunningonanotherserver,thepubliccertificate/certificatebundleoftheCallBridgemustfirstbecopiedtotheserverwiththeenabledRecorderusingSFTP.
recordertrustnoneDeconfiguresanytrustsettings.
recordernfs:ProvidestheRecorderwithdetailsofthenetworkfileserver(nfs)andfoldertosavetherecording.
recorderresolutionSetstheresolutionthattherecorderwillrecordmeetings.
Thedefaultis720p30.
Selecting1080allowstherecordertodop30.
(Fromversion2.
4.
)8.
13StreamerCommandsThissectionprovidesacommandreferencefortheStreamer.
Followtheinstructionsintheappropriatedeploymentguidetodeploythestreamer.
Command/ExamplesDescription/NotesstreamerrestartstreamerRestartstheStreamerDisplaysthecurrentconfigurationoftheStreamer8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference62Command/ExamplesDescription/Notesstreamerlisten]allowedlist>streamerlistenabSetsuptheinterface(s)andport(s)fortheStreamertolistenon.
Youmustenabletheservicetostartlisteningwiththecommandrecorderenable.
Thedefaultfortheoptionalportargumentis443.
streamerlistennoneStopstheStreamerlistening.
streamer(enable|disable)EnablesordisablestheStreamer.
YouneedtodisabletheStreamerbeforeconfiguringit.
Afterconfiguration,youneedtoenabletheStreamer.
streamercerts[]Providesthenameofthekeyfileand.
crtfilefortheStreamerand,optionally,aCAcertificatebundleasprovidedbyyourCAstreamercertsnoneRemovescertificateconfigurationstreamertrustControlswhichCallBridgeinstancesareallowedtoconnecttotheStreamer.
IfthetrustedCallBridgeisrunningonthesameserverastheStreamer,thenissuingthestreamertrustcommandwiththenameoftheCallBridgepubliccertificate/certificatebundleissufficient.
IftheCallBridgeisrunningonanotherserver,thepubliccertificate/certificatebundleoftheCallBridgemustfirstbecopiedtotheserverwiththeenabledStreamerusingSFTP.
streamertrustnoneDeconfiguresanytrustsettings8ApplicationConfigurationCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference639H.
323CommandsOverthepreviousfewreleasesofCiscoExpressway,edgefeatureshavebeendevelopedtoenabletheExpresswaytobeusedastheedgedeviceinMeetingServerdeployments.
Fromversion2.
4,youshouldmigrateyourMeetingServerdeploymentsfromusingtheMeetingServerH.
323Gatewaycomponent,tousingtheExpresswayX8.
11H.
323Gatewaycomponent.
NoteaboutremovingedgecomponentsfromCiscoMeetingServersoftware:TheH.
323GatewaycomponentwillberemovedfromtheCiscoMeetingServersoftwareinversion3.
0.
Nofurtherbugfixeswillbeundertakenfromversion2.
5.
Note:TheH.
323GatewayisnotavailableontheCiscoMeetingServer2000.
TheMMPcommandstoconfiguretheMeetingServertoacceptandsendH.
323callsarelistedinthissection.
Command/ExamplesDescription/Notesh323_gatewayenable/disable/restartThegatewaywillnotstartunlessitisconfiguredproperly.
h323_gatewaycerts[]Definesthenameoftheprivatekeyfileand.
crtfilefortheH.
323Gatewayapplicationand,optionally,aCAcertificatebundleasprovidedbyyourCA.
(AlsoseethesectionProvisioningwithCertificates.
)h323_gatewaycertsnoneRemovescertificateconfigurationh323_gatewayh323_nexthoph323_gatewaydelh323_nexthopConnecttothisIPaddressforalloutgoingH.
323callsandletthedeviceatthisIPaddresshandletherouting.
Ifthisaddressisnotset,onlyIPdialingworks.
TypicallythisIPaddressisaCiscoVCS/PolycomDMA,andanH.
323trunkisestablishedbetweentheCiscoMeetingServerH.
323Gatewayandthethirdpartydevice(H.
323Gatekeeper).
TheH.
323Gatewaydoesnotregisterwiththedevice,justforwardscallstothem–thedevicewillneedtobeconfiguredappropriatelytoacceptthesecalls.
h323_gatewaydefault_urih323_gatewaydeldefault_uriOptional.
IfanincomingH.
323callhasnodestination(normallyonlythecasewhentheH.
323GatewayhasbeendialedbyanIPaddress)theSIPcallismadetowhateverdefault_uriisset.
Thedefault_urimaypointtoanIVR,ordirectlyintoacoSpace.
Ifitisnotset,thecallisrejected.
9H.
323CommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference64Command/ExamplesDescription/Notesh323_gatewaysip_domainh323_gatewaydelsip_domainOptional.
IfanincomingH.
323callismadetothegatewaywithoutadomaininthedestinationaddress,@willbeappendedtothedestinationaddressbeforetheSIPcalltotheCallBridgeismade.
h323_gatewaysip_domain_stripIfsetto"yes"and"h323_gatewaysip_domain"isset,whenaSIPcallismadetothegatewaythe@willbestrippedfromthesourceaddress(ifpresent)beforemakingtheH.
323call.
h323_gatewayh323_domainh323_gatewaydelh323_domainOptional.
IfanH.
323callismadetothegatewaywithoutincludingadomaininthesourceaddress,@willbeappendedtothesourceaddressbeforetheSIPcallismade.
h323_gatewayh323_domain_stripIfsetto"yes"and"h323_gatewayh323_domain"isset,whenaSIPcallismadetothegatewaythe@willbestrippedfromthedestinationaddress(ifpresent)beforemakingtheH.
323call.
h323_gatewayh323_interfacesh323_gatewaysip_interfacesMustbeconfiguredinorderforgatewaytostart,buttheactualsettingiscurrentlyignored.
h323_gatewaysip_portPortsfortheSIPsidetolistenon.
Thedefaultis6061.
Note:ifyouwishtochangethedefaultportfrom6061,andiftheH.
323GatewayandCallBridgeareonthesameserver,makesureyouavoidport5061whichisusedbytheCallBridge.
Changesdonottakeplaceuntilthegatewayisrestarted.
TheH.
323GatewayalwaysexpectsTLSconnections;therefore,"Encrypted"shouldbeselectedonoutbounddialplanrulesontheCallBridgeh323_gatewaysip_proxySetthistotheIPaddressoftheCallBridge,orformultipleCallBridgesusethedomainname(throughDNS).
AllincomingH.
323callswillbedirectedtothisuriIftheCallBridgeandtheH.
323GatewayareonthesamehostthenuseIPaddress127.
0.
0.
1.
IftheCallBridgeandtheH.
323GatewayareondifferenthoststhenusetheIPaddressoftheCallBridge.
h323_gatewayrestrict_codecsIfsettoyes,theH.
323Gatewayislimitedtoasafesetofcodecsthatarelesslikelytocauseinteroperabilityproblems.
CurrentlythissetisG.
711/G.
722/G.
728/H.
261/H.
263/H.
263+/H.
264.
CodecsdisabledbythisfeatureareG.
722.
1andAAC.
9H.
323CommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference65Command/ExamplesDescription/Notesh323_gatewaydisable_contentIfsettoyes,H.
239contentisdisabled.
h323_gatewaytrace_levelProvidesadditionalloggingtoaidtroubleshootingbyCiscosupport.
Youmaybeaskedtoprovidetracesforlevels0,1,2or3.
9H.
323CommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference6610MiscellaneousCommands10.
1ModelCommand/ExamplesDescription/NotesmodelDisplaystheCiscoMeetingServerdeploymentmodel.
ForanAcanoX-seriesserverthepossiblevaluesare:AcanoX1,AcanoX2,orAcanoX3.
VirtualizeddeploymentsshowasCMSVM10.
2MeetingServer'sSerialNumberCommand/ExamplesDescription/NotesserialDisplaystheserialnumberoftheMeetingServer.
Notethatthiscommanddoesnotapplytothevirtualizeddeployment.
10.
3MessageoftheDayMMPuserswithadminrightscanissuethecommandsinthissection.
Note:motdcommandsareonlysupportedonMeetingAppversionspriortoversion1.
9.
Command/ExamplesDescription/NotesmotdDisplaysthecurrentmessageoftheday,ifany.
motdadd""DisplaysabannerwithafterloginAlternatively,amessagenolargerthan2048characterscanbeconfiguredbycopyingafilebySFTPto"motd".
motddelRemovesthemessageoftheday.
10.
4Pre-loginLegalWarningBannerIfyourorganizationrequiresalegalwarningpriortologin,MMPuserswithadminrightscanusethefollowingcommands:Command/ExamplesDescription/Noteslogin_warningDisplaysthecurrentloginwarningmessage,ifany.
10MiscellaneousCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference67Command/ExamplesDescription/Noteslogin_warningadd""DisplaysalegalwarningpriortologinAlternatively,amessagenolargerthan2048characterscanbeconfiguredbycopyingafilebySFTPto"login_warning".
login_warningdelDeletesthelegalwarning10.
5SNMPCommandsNote:MeetingServer2000doesnotsupportSNMP,thereforethesnmpcommandswillnotbeavailable.
10.
5.
1GeneralinformationMIBscanbedownloadedfromanyCiscoMeetingServerusingSFTP.
Foravirtualizeddeployment(CiscoMeetingServer1000,orspecificationbasedVMserver)theMIBfilesare:lACANO-MIB.
txtlACANO-SYSLOG-MIB.
txtForanAcanoX-seriesserver,theMIBfilesare:lACANO-MIB.
txtlACANO-HEALTH-MIB.
txtlACANO-SYSLOG-MIB.
txtPlacethesefilesonyourSNMPimplementation'ssearchpathTe.
g.
~/.
snmp/mibsforNet-SNMP.
Note:TheMIBswillberenamedinafuturereleasetoreflecttherebrandingtoCiscoMeetingServer.
TheMMPinterfaceonlyprovidesaminimalamountofuserconfigurationoptions.
Tohandlemorecomplexrequirements,usetheMMPinterfacetocreateaninitialuserandthenmanagetheuserdatabasedirectly-forexamplewithsnmpusmfromtheNet-SNMPpackage.
TheMeetingServersupportsbothSNMPversions1/2cand3:theconfigurationisdifferentforeach.
BeawareofthesecurityimplicationsofusingSNMPversion1/2c:itdoesnotsupportrobustauthenticationandthereforeanyonewhoknowsthecommunitystringcanquerytheserver.
10MiscellaneousCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference6810.
5.
2SNMPv1/2ccommandsAccesscontrolforv1/2cisbasedon"communities".
ThesecanbecreatedviatheMMPinterfacewhenSNMPisdisabled.
Command/ExamplesDescription/Notessnmpcommunityadd[IPaddress/prefix]snmpcommunitydelAccesscontrolforv1/2cisbasedon"communities".
ThesecanbecreatedanddeletedviatheMMPwhenSNMPisdisabled.
Note:OnlyusealphanumericandunderscoreintheSNMPcommunityname,other"special"characters,includingdash,willreturnanerrormessage.
snmpcommunityaddpublicAllowsaccesstothecompletetreefromanywhereusingthecommunitystring"public".
snmpcommunityaddlocal10.
1.
0.
0/16Allowsaccessbutonlyfromthespecifiedsubnet.
snmp(enable|disable)Enables/disablesSNMPv1/2csnmpwalk-v1-cACANO-HEALTH-MIB::acanoHealthsnmpwalk-v1-cpublicACANO-HEALTH-MIB::acanoHealthTotesttheconfigurationusingv1/2c,useNet-SNMP'ssnmpwalk(http://net-snmp.
sourceforge.
net/)onLinux(othertoolsareavailableonWindows)–seetheexampleontheleft.
Note:ACANO-HEALTH-MIBisonlyavailableontheAcanoX-SeriesServer,itisnotavailableonvirtualizeddeployments.
10.
5.
3SNMPv3commandsAccesscontrolforv3isbasedonusers.
ThesecanbecreatedfromtheMMPinterface.
Command/ExamplesDescription/Notessnmpuseradd(MD5|SHA)(DES|AES)Accesscontrolforv3isbasedonusers.
Createsauserwiththespecifiedpassword,usingthe"MD5"algorithmforauthenticationandthe"DES"algorithmforencryption,withaccesstothecompletetree.
Note:OnlyusealphanumericandunderscoreintheSNMPusername,other"special"characters,includingdash,willreturnanerrormessage.
snmpuserdelDeletesanSNMPuser.
snmp(enable|disable)Enables/disableSNMPv3.
10MiscellaneousCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference69Command/ExamplesDescription/Notessnmpwalk-v3-u-a-A-x-X-lACANO-HEALTH-MIB::acanoHealthsnmpwalk-v3-ufred-aMD5-Aexample123-xDES-Xexampl123-lauthPrivACANO-HEALTH-MIB::acanoHealthTotesttheconfigurationusingv3,useNet-SNMP'ssnmpwalk(http://net-snmp.
sourceforge.
net/)onLinux(othertoolsareavailableonWindows)–seetheexampleontheleft.
Note:ACANO-HEALTH-MIBisonlyavailableontheAcanoX-SeriesServer,itisnotavailableonvirtualizeddeployments.
10.
5.
4SNMPtrapreceiverconfigurationCommand/ExamplesDescription/NotessnmptrapenablesnmptrapdisablesnmptrapenablemyboxpublicConfiguresanSNMPtrapreceiver.
isthehostnameofmachinethatwillreceivetraps,andisthecommunitystringthatwillbeused10.
6DownloadingtheSystemLogsThesystemlogis100MBmaximum.
Whenthislimitisreached,theoldestmessagesarediscardedtomakeroomfornewones.
AnSNMPtrapisgeneratedwhenthelogreaches75%ofcapacity.
Iflogdatamustberetainedforcomplianceorotherreasons,andaremotesyslogserverisnotinuse,youcan:nConnecttotheMMPusingaSFTPtoolandcopythesystemlogfileofftheservertoalocalfilestore.
ThisleavesthecurrentcontentsintactnSavethelogfilepermanentlyusingthesyslogrotatecommand.
Theactivesystemlogisthenemptied.
ThissavedfilecanbedownloadedusingSFTPForexample:syslogrotatemylognAuserwiththeauditrolecansavetheauditlogwithsyslogauditrotate10.
7DownloadingtheLogBundleFromversion2.
2,theMeetingServercanproducealogbundlecontainingtheconfigurationandstateofvariouscomponentsintheMeetingServer.
Thislogbundleincludesthesyslogandlive.
jsonfiles,thefileswillaidCiscoSupportspeeduptheiranalysisofyourissue.
10MiscellaneousCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference70IfyouneedtocontactCiscosupportwithanissue,followthesestepstodownloadthelogbundlefromtheMeetingServer.
1.
ConnectyourSFTPclienttotheIPaddressoftheMMP.
2.
LoginusingthecredentialsofanMMPadminuser.
3.
Copythefilelogbundle.
tar.
gztoalocalfolder.
4.
Renamethefile,changingthelogbundlepartofthefilenametoidentifywhichserverproducedthefile.
Thisisimportantinamulti-serverdeployment.
5.
SendtherenamedfiletoyourCiscoSupportcontactforanalysis.
10.
8DiskSpaceUsageCommand/ExamplesDescription/NotesdfDisplaysdiskusageforboththeMMPandMODULE0asthepercentageusageperpartitionandthepercentageinodeusage.
10.
9BackupandRestoreSystemConfigurationNote:Backupcommandsarealsoavailableonthevirtualizedsolution.
Command/ExamplesDescription/NotesbackuplistDisplaysalistofanybackupfilesontheserver.
backupsnapshotCreatesafullMeetingServersnapshot.
Afile.
bakiscreatedfordownloadoverSFTP.
Westronglyrecommendusingthiscommandregularly.
backuprollbackRestoresthesystemforthebackedupserver,thisinvolvesrollingbacktheconfigurationfortheserver.
IfnotalreadyontheMeetingServerthebackupfilemustbeuploadedtotheMeetingServerusingSFTPpriortorunningthisrollbackcommand.
Note:Thiscommandoverwritestheexistingconfigurationaswellasthelicense.
datfileandallcertificatesandprivatekeysonthesystemandrebootstheMeetingServer.
Thereforeitshouldbeusedwithcaution.
Ifyourestorethisbackuptoanotherserver,youmustcopyyourexistinglicense.
datfileandcertificatesbeforehandbecausetheywillbeoverwrittenduringthebackuprollbackprocess.
Thelicense.
datfileiskeyedtotheserversMACaddresssowillfailwhenrestoredfromabackupfromanotherserverandwillneedtobereplacedaftertheserverisbackonline.
10MiscellaneousCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference7110.
10UpgradingtheMeetingServerCommand/ExamplesDescription/Notesupgrade[]UpgradestheMeetingServer.
Youmusthaveuploadedtheimagefileoftheversionthatyouwanttoupgradetobeforeissuingthiscommand.
Whenupgrading,afullsystembackupiscreatedautomatically.
Thebackupnameisderivedfromthecurrentsoftwareversion.
Forexample,iftheupgradeisfromR2.
9toR3.
0,thebackupwillbecalled2_9.
bak.
Thedefaultfilenameifoneisnotprovidedisupgrade.
imgFromversion3.
0thiscommandperformssignatureandintegritychecksbeforeproceedingwithupgradingMeetingServerwiththespecifiedimage.
Thecheckswillbecarriedouteveniftheupgradeverifycommandhasbeenpreviouslyrunonthatimage.
Updatedfromversion3.
0.
upgrade[no-backup]Usewithcaution.
upgradelistTogetalistoftheupgradeimagesonthesystemupgradedeleteupgradedeleteupgrade.
imgUpgradeimagespersistuntiltheyaredeletedusingSFTPorthisCLIcommandupgradeverifyCarriesoutalltheintegrityandsignaturechecksnormallydoneduringupgrade,butdoesnotproceedwiththeupgrade.
Thiscommandcanalsobeusedtodisplaytheimagetype.
Addedfromversion3.
0.
authenticityDisplaysallinformationrelatingtosoftwareauthenticity:howtherun-ningimagewasvalidated(keytypeandname),andthepublickeyscur-rentlyloadedalongwiththeirdetails(type,nameandsource).
Italsodisplayswhetherthekeysaretrusted:ifaSPECIALkeyisinstalled,whetheritssignaturehasbeenverifiedwiththeMASTERkey(otherkeysareinternalandalwaystrusted).
Addedfromversion3.
0.
authenticitykeyaddInstallsaSPECIALkey.
OnlyoneSPECIALkeymaybeinstalledatatime.
Addedfromversion3.
0.
authenticitykeynoneRemovestheSPECIALkeycurrentlyinstalled.
Thiscommandmustbeusedtoremoveakeybeforeinstallinganother,orwhenthekeyisnolongerinuse.
Addedfromversion3.
0.
10MiscellaneousCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference7210.
11ResettingtheMeetingServerCommand/ExamplesDescription/Notesfactory_reset(full|app)The"full"optionremovesalluserconfiguration:anycredentialsinstalledonthesystemwillbelost.
Afterwards,youmustdeploytheMeetingServeragain.
The"app"optionremovesActiveDirectorysyncdataandspace(coSpace),LyncandSIPconfiguration;butMMPconfigurationremains.
Afterthecommandcompletes,thesystemwillreboot.
10.
12PasswordRecovery/FirstBootfortheAcanoX-SeriesServerUsethisprocedureforthefirstconfigurationoftheAcanoX-SeriesServerorifyounolongerhavethepasswordofanMMPaccountwithadminrights.
1.
Ifnecessary,plugbothpowerunitsintothemainsusingtheappropriatepowercablesforyourlocation.
Therearenoon/offswitchessotheserverpowersupimmediately.
2.
MovingtothefrontoftheX-seriesserveryouseethetwopowerunitstatusLEDsandthestatusLEDon,indicatingthattheserverispoweredandoperational.
3.
ConnecttheConsoleporttoaterminalemulatorusingtheserialcablesuppliedinthebox.
Usebaudrate115200,8databits,noparityand1stopbit.
4.
UsingaPhilipsscrewdriverloosenthetwoscrewsonthetopfrontservicehatchandhingethecoverupwards.
Youseethefanmoduleontheleftandasmallerareaontherightwithcablesandconnectors.
Inthisareaandbehindthefrontgrillaretwosmallbuttons:onered(labeledreset)andoneblack.
5.
Carefullypressthered(reset)buttononly.
6.
Withinfourminutesofpressingthisbuttonlogintotheserverusingtheterminalemulator:useraccountis"admin",nopasswordwillberequested.
7.
Setupyouradminaccountusingthefollowingcommand.
useraddadminadminNote:Youcancreatemultipleadminlevelaccountswithdifferentaccountnames.
8.
Youarepromptedforapasswordwhichyoumustentertwice.
10MiscellaneousCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference73Note:Whenyouloginsubsequently,eitherviatheConsoleportortheinterfacelabeledAdminwiththeadminaccountcreatedaboveandyouwillbeaskedforthispassword.
9.
Closethehatchandpushthescrewsdowntosecurethehatch,noscrewdriverisneeded.
10MiscellaneousCommandsCiscoMeetingServerRelease2.
9:MMPCommandLineReference74CiscoLegalInformationTHESPECIFICATIONSANDINFORMATIONREGARDINGTHEPRODUCTSINTHISMANUALARESUBJECTTOCHANGEWITHOUTNOTICE.
ALLSTATEMENTS,INFORMATION,ANDRECOMMENDATIONSINTHISMANUALAREBELIEVEDTOBEACCURATEBUTAREPRESENTEDWITHOUTWARRANTYOFANYKIND,EXPRESSORIMPLIED.
USERSMUSTTAKEFULLRESPONSIBILITYFORTHEIRAPPLICATIONOFANYPRODUCTS.
THESOFTWARELICENSEANDLIMITEDWARRANTYFORTHEACCOMPANYINGPRODUCTARESETFORTHINTHEINFORMATIONPACKETTHATSHIPPEDWITHTHEPRODUCTANDAREINCORPORATEDHEREINBYTHISREFERENCE.
IFYOUAREUNABLETOLOCATETHESOFTWARELICENSEORLIMITEDWARRANTY,CONTACTYOURCISCOREPRESENTATIVEFORACOPY.
TheCiscoimplementationofTCPheadercompressionisanadaptationofaprogramdevelopedbytheUniversityofCalifornia,Berkeley(UCB)aspartofUCB'spublicdomainversionoftheUNIXoperatingsystem.
Allrightsreserved.
Copyright1981,RegentsoftheUniversityofCalifornia.
NOTWITHSTANDINGANYOTHERWARRANTYHEREIN,ALLDOCUMENTFILESANDSOFTWAREOFTHESESUPPLIERSAREPROVIDED"ASIS"WITHALLFAULTS.
CISCOANDTHEABOVE-NAMEDSUPPLIERSDISCLAIMALLWARRANTIES,EXPRESSEDORIMPLIED,INCLUDING,WITHOUTLIMITATION,THOSEOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSEANDNONINFRINGEMENTORARISINGFROMACOURSEOFDEALING,USAGE,ORTRADEPRACTICE.
INNOEVENTSHALLCISCOORITSSUPPLIERSBELIABLEFORANYINDIRECT,SPECIAL,CONSEQUENTIAL,ORINCIDENTALDAMAGES,INCLUDING,WITHOUTLIMITATION,LOSTPROFITSORLOSSORDAMAGETODATAARISINGOUTOFTHEUSEORINABILITYTOUSETHISMANUAL,EVENIFCISCOORITSSUPPLIERSHAVEBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES.
AnyInternetProtocol(IP)addressesandphonenumbersusedinthisdocumentarenotintendedtobeactualaddressesandphonenumbers.
Anyexamples,commanddisplayoutput,networktopologydiagrams,andotherfiguresincludedinthedocumentareshownforillustrativepurposesonly.
AnyuseofactualIPaddressesorphonenumbersinillustrativecontentisunintentionalandcoincidental.
Allprintedcopiesandduplicatesoftcopiesofthisdocumentareconsidereduncontrolled.
Seethecurrentonlineversionforthelatestversion.
Ciscohasmorethan200officesworldwide.
AddressesandphonenumbersarelistedontheCiscowebsiteatwww.
cisco.
com/go/offices.
2016-2020CiscoSystems,Inc.
Allrightsreserved.
CiscoLegalInformationCiscoMeetingServerRelease2.
9:MMPCommandLineReference75CiscoTrademarkCiscoandtheCiscologoaretrademarksorregisteredtrademarksofCiscoand/oritsaffiliatesintheU.
S.
andothercountries.
ToviewalistofCiscotrademarks,gotothisURL:www.
cisco.
com/go/trademarks.
Third-partytrademarksmentionedarethepropertyoftheirrespectiveowners.
TheuseofthewordpartnerdoesnotimplyapartnershiprelationshipbetweenCiscoandanyothercompany.
(1721R)CiscoTrademark