Cisco Cisco Expressway
Go to Configuration > Unified Communications > IM and Presence Service nodes and click Refresh servers and
then save the updated configuration. If the provisioning failures persist, verify the IM and Presence Service nodes
configuration and refresh again.
then save the updated configuration. If the provisioning failures persist, verify the IM and Presence Service nodes
configuration and refresh again.
No Voicemail Service ("403 Forbidden" Response)
Ensure that the Cisco Unity Connection (CUC) hostname is included on the HTTP server allow list on the Expressway-
C.
C.
"403 Forbidden" Responses for Any Service Requests
Services may fail ("403 Forbidden" responses) if the Expressway-C and Expressway-E are not synchronized to a
reliable NTP server. Ensure that all Expressway systems are synchronized to a reliable NTP service.
reliable NTP server. Ensure that all Expressway systems are synchronized to a reliable NTP service.
Client HTTPS Requests are Dropped by Expressway
This can be caused by the automated intrusion protection feature on the Expressway-E if it detects repeated invalid
attempts (404 errors) from a client IP address to access resources through the HTTP proxy.
attempts (404 errors) from a client IP address to access resources through the HTTP proxy.
To prevent the client address from being blocked, ensure that the HTTP proxy resource access failure category
(System > Protection > Automated detection > Configuration) is disabled.
(System > Protection > Automated detection > Configuration) is disabled.
Unable to Configure IM&P Servers for Remote Access
'Failed: <address> is not a IM and Presence Server'
This error can occur when trying to configure the IM&P servers used for remote access (via Configuration > Unified
Communications > IM and Presence servers).
Communications > IM and Presence servers).
It is due to missing CA certificates on the IM&P servers and applies to systems running 9.1.1. More information and
the recommended solution is described in
the recommended solution is described in
Invalid SAML Assertions
If clients fail to authenticate via SSO, one potential reason is that invalid assertions from the IDP are being rejected by
the Expressway-C.
the Expressway-C.
Check the logs for "Invalid SAML Response".
One example is when ADFS does not have a claim rule to send the users' IDs to the Expressway-C. In this case you
will see "No uid Attribute in Assertion from IdP" in the log.
will see "No uid Attribute in Assertion from IdP" in the log.
The Expressway is expecting the user ID to be asserted by a claim from ADFS that has the identity in an attribute
called
called
uid
. You need to go into ADFS and set up a claim rule, on each relying party trust, to send the users' AD email
addresses (or sAMAccountNames, depending on your deployment) as "uid" to each relying party.
Allow List Rules File Reference
You can define rules using a CSV file. This topic provides a reference to acceptable data for each rule argument, and
demonstrates the format of the CSV rules.
demonstrates the format of the CSV rules.
54
Mobile and Remote Access Through Cisco Expressway Deployment Guide
Allow List Rules File Reference