Category Archives: Cisco Updates


My wife and 10-year-old son just drew a picture together. No big deal, right?
He was drawing on a whiteboard in Presidio’s Newport Beach office.
She was drawing on her iPhone SE in the backseat of a car crossing the dusty no-man’s-land between California and Arizona.
Oh, and they were laughing and seeing each other in-app the whole time.
(My mother-in-law joined in on the laughter, too.)
But wait. There’s more.
There was no planning and zero training for this. They opened an app and just started using it.
How is this possible, you say?
We use Cisco Spark. It’s that simple.
Here’s how it happened.
I brought my son to work. It was going to be a fun day since we were installing Presidio’s Newport Beach Spark Board, and I wanted him to experience it. (Full disclosure: We played hooky for this.)
We walked in and the board was on the wall asking for a 16-digit code, which I read aloud. My son typed in the code and hit the checkmark, figured out what time zone we were in and hit another checkmark, then hit a checkmark one last time to register.
(You read that right: a 10-year-old set up the Presidio Spark Board. It’s that easy.)
Spark Board Setup - 10 year old proof.

Less than a minute later, the Spark Board was up and running. A few minutes after that, it grabbed a newer version of code and upgraded itself. (Each upgrade took about 2 minutes, and it’s upgraded a total of four times since I had one of the first boards off the manufacturing floor.) We were ready.
On my iPhone, I opened the Spark space I use to keep in touch with my family. Yes, my wife, son, parents, brothers and in-laws are all in a “Miller Family” team in Spark. We have several “spaces” for different topics (Healthy Encouragement, Recipes, Harry Potter book club, etc.). For this conversation, I opened the general discussion space and within seconds had access to all the files in the space.
Best of all: I could whiteboard with everyone, and everyone could see and edit the whiteboard.
In real time.
From any device.
From there, my son grabbed the Spark Board pen, and he was off to the races. So my wife could experience what he was drawing (a vampire cowboy), I tapped the whiteboard twice to open a call for everyone in the space. My brother joined from his car, then my wife joined, then my mother-in-law. The party was on within seconds.
Spark Board Pen
By tapping “Share live” on the whiteboard, I was then able to push the whiteboard to everyone’s device (Android phone for my brother, iPhone SE for my wife and mother-in-law). They saw my son drawing live as he worked away on his masterpiece.
Once the vampire cowboy was completed…
The famous Vampire Cowboy...

…my son opened a new whiteboard and started sketching a building and nukes.
My wife (who had quietly itched to make the vampire cowboy fall in love) could no longer contain herself from balancing out the apocalyptic art theme. With one tap, she went from watching to editing the whiteboard. She drew daisies on the left while he drew nukes on the right.
Nukes on the right, daisies on the left = balance in the world?

If any of you have ever had kids to the office and they’ve drawn on the whiteboard, you’ve had to take pictures to preserve the memory. Not any more!  We left the office, and the drawings live on in the Spark space — still available to be continued at any time, by anyone in the space, on any device.
After a life spent in technology, I’ve come to think of technology as more of a barrier to creativity than an enabler.  It is often too complex, too cumbersome, and simply gets in the way of the creative process.  Spark changed that for me, not just because of the Spark Board, but because of the intuitive whiteboarding capability Cisco has infused into every Spark app. You don’t need a Spark Board to whiteboard with teammates anywhere, any time, and on any device.  It just makes it a LOT more fun.
I’m really excited about Spark and the Spark Board. For those who have been using Spark already, it is a natural extension of the app. For those who have been missing out on Cisco Spark, it’s time to jump in! If you’d like a demo of the Spark Board, reach out and I’d be happy to show it off to you! If you want a free account in Cisco Spark, sign up here, and hit me up in-app at

ASA Licensing Update…from a Collab guy!?


Yah, that’s what I would have thought a few years ago as well.

As the ASA is embedded in the path of my solutions more and more (aka borderless concerns) I’m finding that it is crucial to understand and be able to verify licensing on customer ASAs.

This is true not just in the most common scenarios – ASA handling secure connectivity for a user at their house who is running any of the variety of teleworker scenarios (IP Communicator/other softphone over VPN, ASA/8xx router with fixed VPN, IP Phone with Phone Proxy, or IP Phone with VPN) but other up and coming scenarios such as IME, and IM/XMPP federation.

The ASA truly is becoming integral to the overall architecture of common UC deployments (not just the one you have up there for the security conscious customers).

All that said, I’ve quoted ASA licensing several times, and advised customers numerous times but I felt I had some gaps – so I sat in on an ASA Licensing training.

What is below is not a comprehensive view of ASA licensing, but rather a focus on the most common discussion points for ASA Licensing from a UC view.

First – there are four scenarios for remote employees that I mentioned above:

  1. PC/Mac/Mobile Device VPN – and a softphone on said device
  2. Physical (and usually stationary) device creating a VPN tunnel – and a physical phone behind said device
  3. IP Phone using the Phone Proxy feature (a la Cisco’s Metreos acquisition in 2006)
  4. IP Phone using SSL VPN (aka AnyConnect Premium)

Below is a bit more detail on each of the options, along with information on the licenses required.


PC/Mac/Mobile Device VPN w/ Softphone

This option is historically the most common scenario.  Softphone client options are:

  • Cisco Softphone (yah, the old CTI version)
  • Cisco IP Communicator
  • Cisco Unified Personal Communicator
  • Cisco CUCI-x (Lync, MOC, Sametime, Connect, etc.)
  • Cisco Jabber (for this discussion – essentially CUCI-Connect for Mac)
  • Third-party PC/Mac options
  • Cisco Mobile for the iPhone
  • Cisco Mobile/Jabber for Android
  • Cisco Mobile for Nokia
  • Cisco Quad UC Integration
  • And probably more I’m missing…

The solution is very flexible – VPN any way possible to the corporate network, and you have a phone client operational.

VPN licensing can pretty much be any VPN option – SSL VPN, IPSec, etc.


Physical device creating VPN tunnel

This scenario was pretty common and is still around, but is being phased out for options that don’t require hardware at the home/small office.

Typical hardware for the remote site included:

  • Cisco PIX 501 – basically an older version of the 5505
  • Cisco ASA 5505 – nice because it included PoE for the phone
  • Cisco 8xx router – 871 seemed to be the most common, although if you wanted 911 dialing you might go with the 888SRST.  For voice quality sensitive users, this is still the best choice.
  • Cisco 1700/1800/1900 – For very small offices connecting over VPN, this would give you a bit more capability/power and handle a few users, not just a single user

Again, this solution was flexible from a VPN selection perspective – use whatever needed to provide the proper security, and keep the tunnel up and running as long as desired.


IP Phone using Phone Proxy

While I only had two customers actually use the original Metreos “Phone Proxy” appliance, Cisco did a good job of cleaning up the issues with the original rendition, and moving the code/functionality to a pretty ubiquitous platform in the ASA.

The premise is great – drop nearly any Cisco IP Phone somewhere on the Internet, plug it into a local power brick, and you are off and running.

Unfortunately, there are a couple of major issues with the Phone Proxy option:

  1. Lack of geographic redundancy – when you configure the phone, you are setting up a static entry as the Alternate TFTP to get it working.  The Alternate TFTP points to a specific public IP of the ASA you are connecting to.  If that ASA – or even the ISP you are getting that IP from (in the scenario of a dual-connected Internet) – is unavailable, your remote phones are out of luck.
  2. Confusing licensing – Ok.  Perhaps “confusing licensing” is an oxymoron.  Let me explain…All remote phones will consume a license for EACH UCM appliance they are connecting to.  So if you have the max of three UCM’s in the phone’s list – you are going to consume 3 licenses…for 1 phone.  Err…  Oh yah, if you look at the output from a “show phone-proxy secure-phones” command – you won’t see the hidden licensing consumption.  Look instead to “show tls-proxy session” to see the real license usage.  End result – not only is the ASA pair/site/ISP a single point of failure – you essentially want to have UCM a single point of failure for remote phones too.
  3. No IP Phone Services – IP Phone Services don’t work on Phone Proxy.  Corporate Directory does…maybe.  See below.  So if you are using Extension Mobility…or um…the Berbee flight lookup tool…or an actual IP Phone Service you developed – well too bad for remote users.
  4. Cisco doesn’t want you to use it anymore… – While I can’t point to any e-mail from Chambers scolding me for using it…I can point to bugID CSCtl11930.  Go ahead.  I’ll wait…..You back?  Love that “Workaround:  download to firmware 8.5(2)…” didn’t you?  So essentially Cisco is saying – “if you want to use Phone Proxy, well fine we can’t stop you.  But we can stop you from using new firmware.”  I’m not so sure about reading tea leaves, but I’ve gotten pretty good at reading Bug notes.  That says – “stop using Phone Proxy.  Use SSL VPN instead.”  Oh yah, that is what the unnamed TAC guy said too…

The biggest benefit – it works on older phones (7940/7960’s).


IP Phone using SSL VPN (AnyConnect Premium)

That’s the last time I’m going to use the old term of SSL VPN.  I’m on the bandwagon – AnyConnect it is!

This is my personal favorite option – mainly because getting the AnyConnect infrastructure in place helps not just for remote phones, it helps for mobile devices, remote phones, remote PC/Mac’s…basically everything!

Think of AnyConnect as the IPSec of 2011-???

AnyConnect requires a couple licenses:

  • AnyConnect Premium – YES – Premium, NOT Essential!
  • AnyConnect for Cisco VPN Phone – yup, that’s a part number – L-ASA-AC-PH-<Your Model # here> in fact!

The AnyConnect Premium license is based on the number of CONCURRENT sessions.

There are even better scenarios where you can pool licenses on a single ASA, and have other ASAs around the world or country grab licenses in blocks of 50 on an as-needed basis.

The AnyConnect for Cisco VPN Phone license is per PLATFORM – throw it on the ASA and you are set.  These licenses are cheap – $100-500 based on the platform.

While you are at it, throw in the AnyConnect for Mobile (L-ASA-AC-M-55XX) as well so you can have iPhones/iPads/Android devices (see my tweet from 10-28 btw) connect using AnyConnect.  That license is roughly the same as the AnyConnect for Cisco VPN Phone’s cost.

There are a couple big wins for this option in my book:

  • Super simple setup – especially if AnyConnect is already setup and in use on the ASA
  • Faster phone bootups (vs. Phone Proxy at least)
  • Ability to have redundant geographic datacenters – In nearly all designs I’ve seen in the past 3 years – there are geographically redundant UCM servers.  Since the clustering over the WAN requirement went to 80ms, nearly any WAN can handle this.  If there are a lot of remote users, or keeping the remote users operational is critical to the business — this is a MUST have.
  • Standardizes troubleshooting on single technology – no dealing with TLS just for Phone Proxy…

One last note for this option – it requires 8.0.4+ version of ASA code.
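One way to verify the AnyConnect licenses described above on a customer ASA, as an added example that is not part of the original post: the script parses the licensed-features table from `show version` and reports what is missing for IP phones over AnyConnect. The sample output is constructed, the row labels are assumed to match the ASA release in use, and the function names are hypothetical.

```python
import re

# Constructed excerpt in the style of the licensed-features table printed by
# ASA `show version`; row labels vary by software release (assumption).
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
"""

# "<feature name>   : <value>" on one line; the table header has no value.
ROW = re.compile(r"^(?P<name>[^:\n]+?)[ \t]*:[ \t]*(?P<value>\S+)", re.MULTILINE)


def parse_licenses(show_version):
    """Map feature name -> int for counts, otherwise the raw string."""
    features = {}
    for m in ROW.finditer(show_version):
        value = m.group("value")
        features[m.group("name")] = int(value) if value.isdigit() else value
    return features


def vpn_phone_gaps(features, concurrent_sessions, mobile=False):
    """List what is missing for `concurrent_sessions` AnyConnect sessions."""
    gaps = []
    premium = features.get("AnyConnect Premium Peers", 0)
    premium = premium if isinstance(premium, int) else 0
    if premium < concurrent_sessions:
        gaps.append(f"AnyConnect Premium: {premium} licensed, "
                    f"{concurrent_sessions} concurrent sessions needed")
    if features.get("AnyConnect Essentials") == "Enabled":
        gaps.append("AnyConnect Essentials is enabled; Premium is required")
    if features.get("AnyConnect for Cisco VPN Phone") != "Enabled":
        gaps.append("AnyConnect for Cisco VPN Phone is not enabled")
    if mobile and features.get("AnyConnect for Mobile") != "Enabled":
        gaps.append("AnyConnect for Mobile is not enabled")
    return gaps


if __name__ == "__main__":
    licenses = parse_licenses(SAMPLE_SHOW_VERSION)
    for gap in vpn_phone_gaps(licenses, concurrent_sessions=40, mobile=True):
        print("GAP:", gap)
```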


That’s all for now, I’ll address IME and the Federation discussion later…or not…

New CUWL changes – AGAIN!


Cisco recently announced changes to the Cisco Unified Workspace Licensing (CUWL) bundle.



–1 Year of WebEx Connect (Jabber) subscription for all Standard and PRO users

–1 Port of WebEx MeetingCenter for all 10 Pro users


Rumor has it, customers who have purchased as recently as May of 2011 are eligible to grab the freebies.


MeetingPlace is also changing again – away from the User Connect Model and back to a “buy license here, another one there, and sometimes that one too” model.


The changes to CUWL are great and needed, however I see confusion coming on how they are going to be implemented.


Here are some of the questions I have to start:

  1. What about someone who has been a CUWL customer for many years?  Do they automatically get the WebEx Connect/MC addons?
  2. What about CUWL Standard users who deployed CUPS – is there any benefit for them?
  3. What about smaller CUWL PRO users who are deployed on MeetingPlace Express?  The change allows them to move to the cloud (and a better product in WebEx MeetingCenter vs. MeetingPlace Express) but the on-premise, fixed cost model they like is still not an option.
  4. Speaking of not fixed price – how are audio minutes going to be sold?  I’ve heard rumor they are on the GPL (Cisco Partner speak for price list we can sell), but haven’t seen any pricing on it.
  5. Are the WebEx MC ports going to be able to integrate with third-party for audio minutes?


I’ll be tracking down these and more answers, and will update the post as more details are fleshed out…