Unable to Sign-in to WebEx PT/WebEx Assistant or Launch WebEx Meetings

Those of you, who have upgraded their CWMS environments to version 2.7(1), please note that there was a change in the way this new version of WebEx is dealing with TLS Support. TLS 1.0 is no longer supported. “Big deal!”, you say, as TLS 1.1, TLS 1.2 and even the draft of TLS 1.3 are all out with the first two being widely supported. But then you get a user who, on a day after the upgrade to a newer version of CWMS, complains that he/she is unable to login to WebEx Assistant (a.k.a. WebEx Productivity Tools), getting the following error:

WebEx Assistant "The system is having difficulty processing your request"

The system is having difficulty processing your request. Try again a little later.

The user can login to the CWMS site, but is unable to join an existing meeting or launch a new one, getting the following error:

WebEx "Setup was unsuccessful. Please try again"

Setup was unsuccessful. Please try again.

Error [5]

Note: I’ve also seen “Error [103]” and “Error [104]” codes.

If this wasn’t enough, the user may also see this when attempting to use WebEx PT from within Outlook:

WebEx PT Cannot Access your WebEx site now

Cannot access your WebEx site now. Try again later.

The solution is to enable TLS 1.1 (and TLS 1.2, for that matter) under “Advanced” tab of IE’s Internet Options:

Internet Explorer Advanced Options TLS

The settings will take immediate effect, allowing the user to login to WebEx Assistant and launch/join a WebEx meeting.

Hope this helps someone.

CWMS 2.6 MR2 Is Here

A new maintenance release for Cisco WebEx Meetings Server 2.6 has been made available on CCO for download today. The build number for the CWMS is 2.6.1.39. Release notes have yet to be updated, but you can check the Bug Tracker for issues that were fixed with this release. More updates to follow.

UPDATE: The release notes for CWMS have been updated on April 18th, 2016. Here are the critical (sev. 2 and above) issues that were fixed in this release:

Identifier Severity Description
CSCuy07247 2 Evaluation of orion for OpenSSL January 2016
CSCuy36539 2 Evaluation of orion for glibc_feb_2016
CSCuy54028 2 Backup fails for new 2.6 Deployment for 2000 User system
CSCuy54463 2 Evaluation of orion for OpenSSL March 2016
CSCuy54464 2 Evaluation of orion for OpenSSL March 2016
CSCuz05792 2 SSlgw logs//system not purging logs older than 30 days
CSCuz08030 2 CWMS backup not working after changing NFS server

CWMS 2.5 MR6 is here

This Maintenance Release, which was made available for download on CCO today, fixes quite a number issues, so an update is recommended. One of the fixes is a minor (perceived to be almost cosmetic) change to the order of dial-in numbers for audio: since November’s MR1 the order of the dial-in numbers has been changed to alphabetical. Prior to MR1, the order of dial-in numbers were as configured/shown in CWMS Admin interface (see CSCuu97168).

Please review the Release Notes for more information.

Unable to Share Screen in CWMS

Another day, another bug: there have been reports from WebEx users that they are no longer able to share their screen or individual applications in WebEx meetings. There are no errors, no pop-ups – no indication whatsoever – when you click on the Share button, nothing happens. This is a bug identified in Bug Tracker as CSCuv36151 and affects CWMS 2.5 releases up to and including MR5.

To confirm if the workstation is affected, launch the command prompt to quickly find out whether Microsoft update KB3069392 is installed by typing in the following command:

wmic qfe | find “3069392”

If you have it installed, the output would indicate the installation date of the update and you can quickly find it under the “Installed Updates” to uninstall it.

CSCuv36151

You can also try to uninstall the update from the elevated command prompt.

First, find the package name:

DISM.exe /online /get-packages /format:table

Second, remove the package:

DISM.exe /Online /Remove-Package /PackageName:Package_for_KB3069392~31bf3856ad364e35~amd64~~6.3.1.1 /quiet /norestart

Cisco has released a patch for its MR5 on July 19th, 2015, which is available on CCO for download. Refer to the readme notes for this patch to ensure that it is installed properly (you must upgrade to MR5 prior to appying the MR5 Patch 1).

Good luck!

J4W 11.0 + CWMS 2.5 = CSCuu81060

Since Jabber 11.0 has been officially released and posted on CCO, we have done a company-wide upgrade from 10.6 to 11.0. Shortly after, our end users started complaining about inability to start or join WebEx meetings. The error (in a form of pop-up) reads as follows: “Setup was unsuccessful. Please try again. Error [110] GpcUrlRoot“:

CWMS: Setup was unsuccessful

All affected users had IE as their default browser – that was clue #1. All affected users had Jabber 11.0 installed on their workstations – clue #2. Surely, prior to this massive deployment, IT has extensively tested this and all prior (beta) Jabber 11 releases under EAP, but no one in IT had IE set as default browser (can’t blame them). Hence, this defect has not been detected.

We’ve opened a case with Cisco TAC to troubleshoot the issue further. After playing with Trusted Sites list and zone security settings, it seemed that we had found the workaround. However, the TAC engineer who was assigned to our case just advised us of the defect CSCuu81060 which reads as follows:

Symptom:
When running Jabber 11 and 2.5 MR5+, Jabber 11 changes the GPC patch to C:\Program Files (x86)\Cisco Systems\Cisco Jabber\MeetingSDK\JabberMeeting\NewDS\MyWebex\ieatgpc.dll

This is not compatible with CWMS and causes WebEx meetings to be unable to start from IE/Productivity tools due to being unable to match the activex control used by CWMS when launching a meeting from IE/PT

Conditions:

Workaround:
Use a tested compatible version of Jabber as per documentation: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Planning_Guide/Planning_Guide/Planning_Guide_chapter_01100.html#reference_71EE5F550E5D4E89B982F64F16DCD0C2

Verified-release 11.0(1) 10.6(6)

So far, adding the FQDN of the CWMS to the Trusted Sites list seem to have done the trick for some users (you may need to tweak the Trusted Sites security zone to achieve the right effect). Another workaround is to set Chrome or Firefox as your default browser or use those browsers exclusively to launch WebEx meetings until a fix is released. Also waiting for some feedback from Cisco Jabber/CWMS Product Teams so hopefully will have an update for you soon.

Cisco WebEx Meetings Server 2.5

The Cisco WebEx Meetings Server 2.5 has been released on October 17th. This version comes with a long-awaited Multi-Data Center (MDC) support, which is essentially High Availability and load sharing between two geographically distributed areas. Be warned, though, that a separate MDC license is required (read more about MDC Licenses in CWMS 2.5 Administration Guide). The other neat feature that could be attractive to multi-national companies is the IVR language selection for system access telephone numbers (13 languages are supported).

The ISO is available from CCO. Please refer to release notes for full information.

User accounts are automatically disabled in CWMS 2.0 MR4

Update #2 07-18-2014: A hotfix cisco-webex-meetings-server-2.0.1.416.B.iso has been released for customers who are affected by the defect CSCup62113. The hotfix is available via special download only; to obtain access to it, please contact Cisco TAC.

Update #1 07-08-2014: Apparently, another outcome of the bug is that the Personal Conferencing accounts have been removed from all user profiles after users were temporarily deactivated in CWMS. There is a way to re-enable the old host/participant access codes if a user creates a new Personal Conferencing account (regardless whether the same or a new PIN is specified). The old Personal Conferencing host/access codes will not show up in the users’ profile or WebEx Productivity Tools in Outlook.

So I have upgraded our CWMS 2.0 environment to the latest maintenance release (MR4 or 2.0.1.407). Everything went well and the systems tested successfully post the upgrade. Time to remove pre-upgrade snapshots of your CWMS VMs (don’t ever forget to do this, as snapshots left behind do have an adverse effect on VM performance) and call it a night. Well, it turned out that the newest maintenance release is bugged and this time it is a big one. If you haven’t upgraded to the latest maintenance release, but plan to do it sometime soon, you’d likely want to reconsider. Read on…

So I have learned today that all but two of my 5000+ users were deactivated in CWMS with a status “disabled on LDAP” (which, of course, isn’t true). Users can still authenticate with the CallManager (with which CWMS synchronizes), so directory synchronization with LDAP and LDAP authentication isn’t a problem. Turns out, CWMS would disable any user whose record hasn’t been updated in the CallManager within the past few weeks (8 to be precise, as claimed by a Cisco TAC engineer). There is no patch or hotfix available at this point, but a workaround is as follows:

  1. Make a change (any change) for the affected end user object(s) in the CallManager (you’d likely want to make the changes in bulk using BAT).
  2. Synchronize the users in CWMS
  3. Disable periodic synchronization.

I found it easiest to bulk update user objects using a query (Bulk Administration -> Users -> Update Users -> Query). I have made a copy of an existing Service Profile and saved it under a different name, then switched all of my users to that Service Profile using a query in Bulk Administration. Use Job Scheduler to verify that all records have been updated successfully.

Job Scheduler

 

Once the batch job completes successfully and you have confirmed that all records have been updated, proceed with synchronization of users with CUCM in CWMS.

Important: Do not forget to disable periodic synchronization!

CWMS Directory SynchronizationHope you did not have to go through this. I will update the post once a hotfix or an update with a fix becomes available. You can also save the bug CSCup62113 and add email subscription to receive updates on it in Cisco’s bug tracker tool.

 

Confirmed Vulnerabilities in Cisco WRF and ARF Players

Cisco has issued a new Security Advisory confirming vulnerabilities in its WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players. WebEx Business Suite (cloud) clients should upgrade their WebEx software client to the latest version. The following client builds of Cisco WebEx Business Suite (WBS27, WBS28, WBS29) and Cisco WebEx 11 correct these vulnerabilities:

  • Cisco WebEx Business Suite (WBS29) client builds T29.2 or later
  • Cisco WebEx Business Suite (WBS28) client builds T28.12 or later
  • Cisco WebEx Business Suite (WBS27) client builds T27TLSP32EP16 (27.32.16) or later
  • Cisco WebEx 11 version 1.2.10 with client builds T28.12 or later
  • Cisco WebEx Meetings Server client builds 2.0.0.1677 or later

Client builds of the Cisco WebEx Business Suite prior to T27 SP32 have reached end of support; to obtain fixed software please upgrade to the latest version.

Cisco WebEx Meetings Servers (on-prem) clients should upgrade to version 2.0 or later (the most current version is 2.0 MR3).

To read the full Security Advisory go to http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140507-webex.

A Few Words About Directory Integration in CWMS

If your organization uses Cisco WebEx Meetings Server with AD directory and AD authentication and you have configured the Directory Integration according to the CWMS Administration Guide, you may be due for a surprise within a few months of initial configuration with a number of users being turned inactive. “But why?!” you ask. Remember that setting about password aging that supposedly does not apply to AD authenticated users? I’m talking about this one:

cwms_password_aging

Well, turns out that if initially synchronized users did not login to CWMS within the default 180 days, their accounts get deactivated. Naturally, one would want to re-activate the accounts and, if you are dealing with a large number of users, you would almost always choose to activate in bulk using CSV file. A word of caution here: activating a large number of users with CSV import also triggers AD Activation Email to be sent out to all enabled users (even if the option to automatically notify users is unchecked under Users -> Directory Integration:

cwms_users.

You may want to modify the AD Activation Email template (found under Settings -> Email -> Templates) or, if you prefer WebEx Meetings Server not to reach out to end users, configure a Hub Transport rule on your Exchange server to automatically discard or redirect messages with “Action Required: Activate account” in the Subject line. Which is precisely what I have done:

[PS] C:>New-TransportRule -Name "Disable CWMS AD Activation Email" -SubjectOrBodyContainsWords "Action
Required: Activate account" -FromAddressContainsWords "cwms.ucpro.ca" -Comments "This rule disables AD Activation
 email from Cisco WebEx Meetings Server" -Enabled $true 

Name                                               State    Priority Comments
----                                               -----    -------- --------
Disable CWMS AD Activation Email                   Enabled  10       This rule disables AD Activation email from Cis...

I am not sure if disabling the password aging policy would prevent the active accounts from going inactive after 180 days (or some other value if different from default), but I recommend disabling the supposedly inapplicable password aging policy anyway.