Cisco Webex Hybrid Directory Service
Cisco Webex Hybrid Services enable Webex Teams customers to connect on-premises collaboration services to Webex. Integrating directory services between the on-premises LDAP directory and the identity service within the customer's Webex Teams organization adds value by simplifying user on-boarding.
Overview
The Webex Hybrid Directory Service high-level architecture, depicted in Figure 2-1, allows the Webex Teams customer to synchronize their corporate Microsoft Active Directory with the identity store of their organization in Webex. This makes Webex Teams user on-boarding and service provisioning simple and consistent.
Figure 2-1 Cisco Webex Hybrid Directory Service High-Level Architecture
Prerequisites
Prior to implementing and deploying Webex Hybrid Directory Service, ensure the following requirements are met:
- Deploy Microsoft Active Directory within the organization and populate it with user information.
- Make sure Cisco Unified Communications Manager (Unified CM) is fully integrated with Microsoft Active Directory (directory synchronization and authentication).
- If the on-premises network is behind a firewall, ensure that outbound access to the Internet through HTTPS on port 443 is available either directly or by way of an HTTP proxy.
Core Components
The core components for Cisco Webex Hybrid Directory Service include:
Recommended Deployment
To deploy Webex Hybrid Directory Service in the PA for Webex Hybrid Services, we recommend the following:
- Ensure that the end-user account mail ID field in the Unified CM End User database contains the user's email address. Webex Teams users correlate to Cisco Unified CM end users by means of email addresses. With LDAP directory integration, the mail ID field for Unified CM end users is typically mapped from the mail field of the LDAP directory during synchronization.
- Install Cisco Directory Connector on a separate Windows server from the Active Directory Domain Service or Active Directory Lightweight Directory Services.
- Run a first synchronization after the Directory Connector installation finishes. Then configure full synchronization and incremental synchronization schedules to keep the Directory Connector (and in turn Webex) updated when resource and user information changes (resource or user update, deletion, or addition) within Microsoft Active Directory.
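The first recommendation above hinges on every user having a usable email address, because Webex Teams users are correlated to Unified CM end users by that value. The following added check (not part of this guide or of Cisco Directory Connector) audits a directory export before the first synchronization: it flags enabled users with no mail attribute, values that are not well-formed addresses, and addresses shared by more than one account (compared case-insensitively). The records in SAMPLE_USERS are constructed for illustration; userAccountControl is the real Active Directory attribute, where bit 0x2 marks a disabled account.

```python
import re
from collections import Counter

# Constructed sample records in the shape a directory export might produce.
# Hypothetical data for illustration only; not from the guide.
SAMPLE_USERS = [
    {"sAMAccountName": "alice",   "mail": "alice@example.com",  "userAccountControl": 512},
    {"sAMAccountName": "bob",     "mail": "",                   "userAccountControl": 512},
    {"sAMAccountName": "carol",   "mail": "Alice@Example.com",  "userAccountControl": 512},
    {"sAMAccountName": "dave",    "mail": "dave@example",       "userAccountControl": 512},
    {"sAMAccountName": "svc-old", "mail": "",                   "userAccountControl": 514},
]

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled accounts
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse syntax check only


def audit_mail_attributes(users):
    """Return problems found among enabled users.

    'missing'    - enabled users whose mail attribute is empty
    'malformed'  - enabled users whose mail value is not address-shaped
    'duplicates' - addresses (lower-cased) carried by more than one enabled user
    """
    missing, malformed = [], []
    seen = Counter()
    for user in users:
        if user.get("userAccountControl", 0) & ACCOUNTDISABLE:
            continue  # disabled accounts are not provisioned, so skip them
        mail = (user.get("mail") or "").strip()
        if not mail:
            missing.append(user["sAMAccountName"])
            continue
        if not EMAIL_RE.match(mail):
            malformed.append(user["sAMAccountName"])
            continue
        seen[mail.lower()] += 1
    duplicates = sorted(addr for addr, count in seen.items() if count > 1)
    return {"missing": missing, "malformed": malformed, "duplicates": duplicates}


if __name__ == "__main__":
    for category, names in audit_mail_attributes(SAMPLE_USERS).items():
        print(f"{category}: {names}")
```

Resolve every finding in Active Directory itself, since it is the single source of validation for user information; fixing the values only in Unified CM or Webex would be overwritten by the next synchronization.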
Key Benefits
Webex Hybrid Directory Service provides the following benefits:
- Synchronization of identities, users, resources, and groups from the corporate Microsoft Active Directory to the cloud, and the creation of Webex Teams user accounts from this corporate directory source.
- HTTPS outbound connection from the enterprise to Webex on standard port 443, which is typically allowed by organizations and thus should not require additional configuration to open ports on the firewall. The organization's existing HTTP proxy may also be leveraged as required.
- Automatic, scheduled synchronization of users and resources from the enterprise Active Directory to Webex through the Cisco Directory Connector.
- Incremental synchronization and full synchronization to facilitate management of resource and user identity information.
- Custom attribute mappings between Microsoft Active Directory and Cisco Directory Connector for maximum flexibility.
Architecture
Figure 2-2 shows the Webex Hybrid Directory Service integration to the enterprise directory. This integration relies on the Cisco Directory Connectors, which are co-located in the central site with the Microsoft Active Directory. Cisco Directory Connector is deployed on two Microsoft Windows Servers for redundancy and high availability.
Figure 2-2 Architecture for Integration of Webex Hybrid Directory Service with the Enterprise Directory
Cisco Directory Connector relies on Microsoft Active Directory application programming interfaces (APIs) to pull user information from the Microsoft Active Directory. The APIs are based on the Microsoft.NET framework. Directory Connector uses HTTPS to push user information to the organization's Webex identity store.
Role of Cisco Directory Connector
Cisco Directory Connector plays the role of synchronization agent between the corporate Microsoft Active Directory and the organization's identity store in Webex. The Directory Connector initially populates Webex with user and resource information from the Active Directory and maintains this information with subsequent synchronizations to update the organization's Webex identity store with the latest moves, adds, changes, and deletions occurring on the enterprise Active Directory.
Role of Microsoft Active Directory
Microsoft Active Directory is the enterprise resource and user repository and the single source of validation for that information. The directory administrator maintains the enterprise resource and user information contained within the directory with moves, adds, changes, and deletions. Any updates to this information in Active Directory are propagated to the Cisco Directory Connector (and in turn to Webex) during synchronization.
Deployment Overview
Figure 2-3 shows the high-level steps required to deploy Webex Hybrid Directory Service. Virtual Microsoft Windows Servers are created and deployed in the enterprise data center (step 1). After the Windows servers are deployed, the administrator logs into the Webex Control Hub at https://admin.webex.com to enable directory synchronization and download the Cisco Directory Connector software installation package (step 2). Next, Directory Connector is installed on the Windows servers (step 3). After Directory Connector is installed, the administrator configures the connector (step 4), and an initial synchronization occurs between Microsoft Active Directory and the Directory Connector (step 4A) and between the Directory Connector and Webex (step 4B).
Figure 2-3 Webex Hybrid Directory Service Deployment Overview
Once the initial synchronization completes, the administrator configures the schedule for periodic incremental and full synchronizations (step 5). After that, the administrator manages users and provisions them for cloud services as appropriate (step 6).
High Availability
As shown in Figure 2-4, two Cisco Directory Connectors are deployed. These Windows Server virtual machines are deployed on separate hosts in separate buildings or data centers to provide high availability and redundancy. Directory Connectors are deployed as a pair, and both are capable of synchronizing directory information between the enterprise directory and the cloud. However, under normal operation, one Directory Connector (primary) handles directory synchronization while the other (backup) maintains connectivity to Webex but does not perform any synchronization. If the primary Directory Connector fails, the backup Directory Connector takes over synchronization operations after the configured failover interval elapses.
Figure 2-4 Webex Hybrid Directory Service High Availability
Note In cases where only a single Cisco Directory Connector is deployed (non-redundant deployments), if the Directory Connector fails, user information is no longer synchronized between Active Directory and the Webex identity store. The administrator is able to manage existing users and to provision them for services while the Directory Connector is down, but no users or resources can be added or removed from the Webex identity store until the Directory Connector is returned to service.
In addition to Cisco Directory Connector high availability considerations, also consider providing redundancy for other aspects of the integration such as the Active Directory services, connectivity to Webex (HTTPS), and availability of cloud services.
Microsoft components (Active Directory, Domain Controllers, and other Microsoft enterprise network services) should be deployed in a redundant fashion. Consult Microsoft product documentation for information on high availability.
Highly available network connectivity to the Internet is also required to ensure that Webex Teams and other Webex services are reachable from the enterprise. Redundant physical Internet connections, preferably from different providers, are recommended.
Webex services are highly available because those services and components are deployed across multiple physical data centers on elastic compute platforms.
Scalability
The primary sizing and scalability consideration for Webex Hybrid Directory Service is the size of the synchronization. The larger the enterprise directory and the search base in terms of number of resources and users, the longer a synchronization will take to complete. For this reason it is important to monitor synchronization operations initially to ensure that both incremental and full synchronizations complete before the next synchronization period begins. We recommend running the Directory Connector on a dedicated Windows server host. Additional load on the Windows server can reduce performance and increase overall system response and synchronization times.
For more information on Webex Hybrid Directory Service scaling, see the chapter on Sizing Cisco Webex Hybrid Services.
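The scalability guidance above asks you to confirm that each synchronization finishes before the next one of the same kind is due. The following added example (not part of this guide and not Directory Connector's own tooling or log format) shows one way to automate that check: it pairs start and end events from a constructed log, then flags any run whose duration exceeds the configured interval for its kind. The log lines in SAMPLE_LOG and the intervals in SCHEDULE are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed log lines (hypothetical format, not Directory Connector's real log)
# recording when each synchronization started and ended.
SAMPLE_LOG = """\
2024-03-01T00:00:00 sync=full start
2024-03-01T02:10:00 sync=full end
2024-03-01T02:30:00 sync=incremental start
2024-03-01T02:41:00 sync=incremental end
2024-03-01T03:00:00 sync=incremental start
2024-03-01T03:35:00 sync=incremental end
"""

# Assumed schedule: incremental every 30 minutes, full every 24 hours.
SCHEDULE = {"incremental": timedelta(minutes=30), "full": timedelta(hours=24)}


def parse_sync_log(text):
    """Pair each 'start' with the following 'end' of the same kind.

    Returns a list of (kind, start, end) tuples; an unmatched start is
    ignored, since a run that never ended cannot be measured.
    """
    open_runs, runs = {}, []
    for line in text.splitlines():
        ts, kind_field, event = line.split()
        when = datetime.fromisoformat(ts)
        kind = kind_field.split("=", 1)[1]
        if event == "start":
            open_runs[kind] = when
        elif event == "end" and kind in open_runs:
            runs.append((kind, open_runs.pop(kind), when))
    return runs


def find_overrunning_syncs(runs, schedule):
    """Return runs that took longer than the interval between scheduled runs of their kind."""
    problems = []
    for kind, start, end in runs:
        duration = end - start
        interval = schedule[kind]
        if duration > interval:
            problems.append({
                "kind": kind,
                "start": start.isoformat(),
                "duration_min": duration.total_seconds() / 60,
                "interval_min": interval.total_seconds() / 60,
            })
    return problems


if __name__ == "__main__":
    for p in find_overrunning_syncs(parse_sync_log(SAMPLE_LOG), SCHEDULE):
        print(f"{p['kind']} sync at {p['start']} ran {p['duration_min']:.0f} min, "
              f"longer than its {p['interval_min']:.0f} min interval")
```

A run that overruns its interval is the signal to either lengthen the schedule, narrow the search base, or move the connector to a less loaded host, as the section above recommends.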
Webex Hybrid Directory Service Deployment Process
Webex Hybrid Directory Service requires the deployment of the Cisco Directory Connector and synchronization between the on-premises directory and the organization's Webex identity store.
Directory synchronization allows corporate users and resources to be imported into Webex. Directory synchronization is facilitated using the Webex Control Hub and Cisco Directory Connector. The Directory Connector allows for automatic synchronization of corporate directory information with Webex. Without Directory Connector, users and resources must be imported manually to Webex using a .csv file.
Note This section presents high-level guidance for deploying Webex Hybrid Directory Service. This guidance should be used in conjunction with the detailed instructions provided in the latest version of the Deployment Guide for Cisco Directory Connector, available at https://www.cisco.com/c/en/us/support/unified-communications/spark/products-installation-guides-list.html.
The deployment of Webex Hybrid Directory Service starts with the Windows Server installation followed by the download, installation, and initial configuration of Cisco Directory Connector. To deploy Webex Hybrid Directory Service, perform the following tasks in the order listed here:
1. Deploy Microsoft Windows Server hosts for Cisco Directory Connector.
2. Enable directory synchronization and download Cisco Directory Connector software from the Webex Control Hub.
3. Install Cisco Directory Connector on the Windows Server host.
4. Configure Directory Connector and complete the initial synchronization.
5. Schedule periodic incremental and full synchronizations.
6. Manage imported users and provision them for Webex services.
1. Deploy Microsoft Windows Server hosts for Cisco Directory Connector.
The Cisco Directory Connector runs on a trusted Microsoft Windows domain server deployed in the corporate network. The server joins the Active Directory domain and needs an administrator read-only account to authenticate the Cisco Directory Connector server to the on-premises domain.
Deploy a new Microsoft Windows Server and join the corporate Microsoft Active Directory domain. To ensure a highly available deployment of Webex Hybrid Directory Service, install a second domain Microsoft Windows Server on a separate host.
For information about the specific Microsoft Windows Server and Microsoft Active Directory versions supported for Webex Hybrid Directory Service, refer to the latest version of the Deployment Guide for Cisco Directory Connector, available at
https://www.cisco.com/c/en/us/support/unified-communications/spark/products-installation-guides-list.html
Note Microsoft Windows Servers should be deployed and configured according to corporate standards and policies and should adhere to any requirements around virus and malware protection, device management, and security.
2. Enable directory synchronization and download Cisco Directory Connector software from the Webex Control Hub.
Log into the Webex Control Hub at https://admin.webex.com from the web browser on the Windows Server host you deployed in Step 1. Use your Webex Teams organization administrator credentials.
On the Webex Control Hub, enable directory synchronization by navigating to Users and clicking Manage Users. Next, click Enable Directory Synchronization and choose Next to continue. Then click the Download and Install link to save the Cisco Directory Connector installation .zip file (for example, DirectoryConnector.zip) to the local server.
3. Install Cisco Directory Connector on the Windows Server host.
Locate the .zip file saved to the host server in Step 2. Unzip the file, navigate to the setup folder, and run the .msi file (for example, CiscoDirectoryConnector.msi) in the setup folder to launch the Cisco Directory Connector Setup wizard.
Select I accept the terms in the License Agreement and click Next to accept the license agreement. Click Next to accept the default installation location.
Select the Domain Account option for the service account and enter the username and password for the domain account. In the Username field include the Active Directory domain and username in the format `<domain>\<user_name>` (for example, ENT-PA\administrator). Click Next to save the domain account information.
Then click Install to start the installation of Cisco Directory Connector.
When the installation completes, repeat this step on the second Windows Server host to install a redundant Directory Connector.
4. Configure Directory Connector and complete the initial synchronization.
Launch Cisco Directory Connector and sign into the Webex Teams organization by entering the email address and password of the administrator account for the organization. Note that this is the same email address and password used to log into the Webex Control Hub management portal. Click to confirm the Webex Teams organization and domain.
Next, perform initial configuration of Directory Connector. From the Directory Connector dashboard click the Configuration tab.
Note If a configuration tab or field value is not mentioned here, then the default setting and value should be assumed.
Navigate the tabs on the Configuration screen and configure the settings as shown in Table 2-1.
Click Apply to save and apply the configuration settings.
Once Directory Connector is installed and configured as above, perform an initial full synchronization to pull directory information from the corporate Microsoft Active Directory and push it to the organization's Webex identity store.
On the redundant Cisco Directory Connector, configure the same settings shown in Table 2-1, but use a unique name for the Connector Name setting (for example, DIRSYNC2).
5. Schedule periodic incremental and full synchronizations.
After the initial synchronization, it is important to keep the organization's Webex identity store updated with moves, adds, and changes that occur in the corporate Active Directory.
To keep Webex up to date with corporate directory changes, configure periodic incremental and full synchronizations on one of the Directory Connectors. Return to the Directory Connector Configuration tab and select Schedule. Then configure synchronization settings as shown in Table 2-2.
The settings in Table 2-2 are shared and apply to both Directory Connectors in the deployment.
6. Manage imported users and provision them for Webex services.
After the enterprise directory user information has been propagated to Webex, the administrator is able to provision users for cloud services and manage those service features and settings by using the Webex Control Hub.
Use your Webex organization administrator credentials to log into the Webex Control Hub at https://admin.webex.com from a web browser.
On the Webex Control Hub, begin managing and provisioning user services by navigating to Users and then clicking Manage Users. Once directory synchronization is enabled, there are multiple ways to modify users and the services they use. Users can be modified individually or in bulk.
To modify large numbers of users in bulk, choose either Export and modify users with a CSV file or Modify all synchronized users. The CSV file method is good for modifying groups of users in bulk (up to 1,100 users at a time); however, preparing the CSV file for bulk modification is a manual process.
To enable a feature or service for all users, click Modify all synchronized users and click Next. If prompted, acknowledge that users will automatically be sent an email by clicking Next. On the next screen, wait for the system to synchronize the list of users from the latest synchronization agreement, and then click Next.
On the subsequent screen, provision users for Message, Meeting, and other services including Hybrid Services. Once you have selected the services, click Next to start the update of user accounts. When the update is complete, users can begin to use the added services and features.
Note Valid licenses are required to add and enable licensed services and features.
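The CSV method described in step 6 accepts at most 1,100 users per file, so a larger export has to be split before it can be modified and re-imported. The following added example (not part of this guide and not a Cisco tool) splits an exported CSV into files that each repeat the header and carry no more than that many data rows. The column names in SAMPLE_CSV are hypothetical; the splitter does not depend on them and works with whatever columns the actual export contains.

```python
import csv
import io

MAX_ROWS_PER_FILE = 1100  # per-file limit for bulk modification stated in the guide

# Constructed export with hypothetical column names, 2,500 data rows.
SAMPLE_CSV = "email,first_name,last_name\n" + "".join(
    f"user{i}@example.com,First{i},Last{i}\n" for i in range(2500)
)


def split_csv(text, max_rows=MAX_ROWS_PER_FILE):
    """Split CSV text into chunks of at most max_rows data rows, each with the header.

    Returns a list of CSV strings; an export with no data rows yields an empty list.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None:
        return []
    rows = list(reader)
    chunks = []
    for start in range(0, len(rows), max_rows):
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(header)          # every file must stay self-describing
        writer.writerows(rows[start:start + max_rows])
        chunks.append(buf.getvalue())
    return chunks


def data_row_count(chunk):
    """Number of data rows (excluding the header) in one chunk."""
    return sum(1 for _ in csv.reader(io.StringIO(chunk))) - 1


if __name__ == "__main__":
    for n, chunk in enumerate(split_csv(SAMPLE_CSV), start=1):
        with open(f"users_part{n}.csv", "w", newline="") as fh:
            fh.write(chunk)
        print(f"users_part{n}.csv: {data_row_count(chunk)} users")
```

Each generated file is uploaded through the same Export and modify users with a CSV file option; keeping the header in every part is what lets each upload be processed independently.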