Table Of Contents
Accessing the Cisco Unity Administrator
Accessing and Exiting the Cisco Unity Administrator
Logging On to the Cisco Unity Administrator
Exiting the Cisco Unity Administrator
Browsing to Another Cisco Unity Administrator from the Local Cisco Unity Administrator
About Cisco Unity Administrator Authentication
How Integrated Windows Authentication for the Cisco Unity Administrator Works
How Anonymous Authentication for the Cisco Unity Administrator Works
Changing the Authentication Method Used by the Cisco Unity Administrator
Cisco Unity Administrator Accounts
About the Accounts That Can Be Used to Administer Cisco Unity
Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator
Defining Subscriber Account Policies for Logons, Passwords, and Lockouts
Granting Administrative Rights to Other Cisco Unity Servers
Accessing the Cisco Unity Administrator
The Cisco Unity Administrator is a website that you use to do most administrative tasks. Administrative tasks include determining system schedules, specifying settings for individual subscribers (or for a group of subscribers by using a subscriber template), and implementing a call management plan.
See the following sections in this chapter for more information:
•Accessing and Exiting the Cisco Unity Administrator—This section explains how to access and exit the Cisco Unity Administrator.
•Browsing to Another Cisco Unity Administrator from the Local Cisco Unity Administrator—When multiple Cisco Unity servers are networked together, you can access the Cisco Unity Administrator on another Cisco Unity server.
•About Cisco Unity Administrator Authentication—This section explains the authentication methods that you can use with the Cisco Unity Administrator.
•Cisco Unity Administrator Accounts—This section describes the type of accounts that you can use to access the Cisco Unity Administrator, and the ways in which you create additional accounts or grant administrative rights to existing accounts so that they can be used to administer Cisco Unity. In addition, this section describes the account policy options available for Cisco Unity Administrator logons, passwords, and lockouts.
Accessing and Exiting the Cisco Unity Administrator
To learn about accessing and exiting the Cisco Unity Administrator, see the following sections:
•Logging On to the Cisco Unity Administrator
•Exiting the Cisco Unity Administrator
Logging On to the Cisco Unity Administrator
Although the way in which you log on to the Cisco Unity Administrator depends on the type of authentication that it uses, the account that you use to log on remains the same: you can use either the administration account that was selected when Cisco Unity was installed, or you can use an applicable Windows domain account. When the Cisco Unity Administrator uses the Anonymous authentication method, you have the additional option of using a Domino account that is associated with an applicable Cisco Unity subscriber account to log on. For information on which accounts can be used to access the Cisco Unity Administrator, see the "About the Accounts That Can Be Used to Administer Cisco Unity" section.
Note Until you create a Cisco Unity subscriber account for the purpose of administering Cisco Unity, you must use the Windows credentials associated with the administration account that was selected when Cisco Unity was installed to log on to the Cisco Unity Administrator.
There are potential security risks if your system is configured so that you are not prompted for a name and password when you access the Cisco Unity Administrator, and if all of the following conditions exist:
•The Cisco Unity Administrator uses the Integrated Windows authentication method
•Internet Explorer is not configured to prompt for user name and password
•You logged on to Windows in a trusted domain by using either the administration account, or an applicable Windows domain account
In this situation, we recommend that you increase security by configuring the browser to prompt for a user name and password, or by locking the workstation when it is unattended.
The length of time that the browser can be left unattended before Cisco Unity automatically logs you off is governed by the Session Timeout limit specified in IIS. When the browser session times out, you must refresh the browser, and log on to the Cisco Unity Administrator again. If the Cisco Unity Administrator uses the Anonymous authentication method, you can set the session timeout value for IIS (see the "Authentication Settings" section on page 28-11 for details). When the Cisco Unity Administrator uses the Integrated Windows authentication method, you must set session limits directly in IIS.
To log on to the Cisco Unity Administrator, use the applicable procedure in this section. Note that Cisco Unity does not permit more than five administrators to access the Cisco Unity Administrator at the same time.
To Log On to the Cisco Unity Administrator When It Uses Integrated Windows Authentication
Step 1 Log on to Windows on the Cisco Unity server (or a remote computer) by using either the administration account that was selected when Cisco Unity was installed or an applicable Windows domain account.
Step 2 If you logged on to the Cisco Unity Administrator on the Cisco Unity server, right-click the Cisco Unity icon in the status area of the taskbar, and click Launch System Admin.
If you logged on to the Cisco Unity Administrator on a computer other than the Cisco Unity server, start Internet Explorer, and go to http://<Cisco Unity server name>/web/sa.
Step 3 If Internet Explorer prompts you, enter either the user name, password, and domain for the administration account that was selected when Cisco Unity was installed, or an applicable Windows domain account.
To Log On to the Cisco Unity Administrator When It Uses Anonymous Authentication
Step 1 Log on to Windows on the Cisco Unity server (or a remote computer) by using any domain account that has the right to log on locally.
Step 2 If you logged on to the Cisco Unity Administrator on the Cisco Unity server, right-click the Cisco Unity icon in the status area of the taskbar, and click Launch System Admin.
If you logged on to the Cisco Unity Administrator on a computer other than the Cisco Unity server, start Internet Explorer, and go to http://<Cisco Unity server name>/web/sa.
Step 3 On the Cisco Unity Log On Page, do one of the following:
•Enter the full name and Internet password of a Domino account that is associated with an applicable Cisco Unity subscriber account, and click Log On.
•Click Log On Using Windows Authentication.
Step 4 On the Cisco Unity Log On page, enter either the user name, password, and domain for the administration account that was selected when Cisco Unity was installed, or an applicable Windows domain account, and click Log On.
Exiting the Cisco Unity Administrator
To Exit the Cisco Unity Administrator
Step 1 Click the Log Off button on the lower left area of the Cisco Unity Administrator page.
Step 2 Exit Internet Explorer.
Browsing to Another Cisco Unity Administrator from the Local Cisco Unity Administrator
Each Cisco Unity Administrator provides links to the Cisco Unity Administrator websites on other networked Cisco Unity servers. By clicking the links, you can access subscriber accounts and other Cisco Unity objects on another Cisco Unity server simply by browsing to the Cisco Unity Administrator on the Cisco Unity server on which those accounts and objects were created.
When you want to find a subscriber account, but do not know on which Cisco Unity server in the network the account was created, you can search for it from any subscriber page in the Cisco Unity Administrator on your local Cisco Unity server by using the Find icon.
When the Cisco Unity Administrator uses the Integrated Windows authentication method, you are not required to re-enter your Windows domain account credentials when you browse to another Cisco Unity Administrator website from your local Cisco Unity server. Note that this is true only if you log on to the Cisco Unity Administrator on your local server by using the credentials of a Windows domain account that is associated with a Cisco Unity subscriber account that has appropriate class of service (COS) rights on the remote Cisco Unity server.
Note COS rights specify which tasks, if any, administrators can do in the Cisco Unity Administrator. For example, some subscriber accounts can be associated with a COS that provides read-only access, or restricts administrators to access of specific pages in the Cisco Unity Administrator for the purpose of unlocking accounts or changing passwords. (For more information, see the "Class of Service System Access Settings" section on page 14-5.)
However, when the Cisco Unity Administrator uses the Anonymous authentication method, you are prompted to enter authentication credentials regardless of the account you used to log on to the Cisco Unity Administrator on your local server. In this case, simply enter the applicable credentials for the Cisco Unity Administrator website that you want to access.
To Browse to Another Cisco Unity Administrator on a Networked Cisco Unity Server
Step 1 Near the bottom of the navigation bar on the left side of the Cisco Unity Administrator interface, click Unity Servers. The Server Chooser page appears.
Step 2 From the list, click the server that you want to access.
Step 3 If prompted, enter the applicable credentials to gain access to the Cisco Unity Administrator that you want to access.
Another instance of the Cisco Unity Administrator appears in a separate browser window. This is the Cisco Unity Administrator website of the Cisco Unity server that you selected.
Do the following procedure to use the Cisco Unity Administrator on your local Cisco Unity server to search for subscriber accounts on other Cisco Unity servers in the network.
To Search for Subscriber Accounts Created on a Cisco Unity Server Other than Your Local Cisco Unity Server
Step 1 In the Cisco Unity Administrator, go to any Subscribers > Subscribers page.
Step 2 Click the Find icon.
Step 3 Indicate whether to search by short name, extension, first name, or last name.
Step 4 Enter the applicable short name, extension, or name. You also can enter * to display a list of all subscribers, or enter one or more characters or values followed by * to narrow your search.
Step 5 Check the Search All Cisco Unity Servers check box.
Step 6 Click Find.
Step 7 On the list of matches, click the name of the subscriber to display the record.
Step 8 If prompted, enter the applicable credentials to gain access to the Cisco Unity Administrator that you want to access.
Another instance of the Cisco Unity Administrator appears in a separate browser window. This is the Cisco Unity Administrator website of the Cisco Unity server on which the subscriber account was created. The subscriber profile page is displayed in the new browser window.
About Cisco Unity Administrator Authentication
By default, IIS is configured so that the Cisco Unity Administrator uses the Integrated Windows authentication method (formerly called NTLM or Windows NT Challenge/Response authentication) to authenticate the user name and password. During installation, the installer determines whether to configure IIS so that the Cisco Unity Administrator uses the Anonymous authentication method instead.
Regardless of how the installer configured IIS, you can change the authentication method that the Cisco Unity Administrator currently uses at any time. (Note that the authentication method you choose to use also applies when accessing the Cisco Unity Status Monitor.) Before you make a change, however, first discuss it with the network administrator to confirm that the method you choose aligns with the existing authentication scheme in your organization, and that it addresses security concerns for your site. In addition, consider the advantages and disadvantages of using each authentication method with the Cisco Unity Administrator, as shown in Table 2-1 and Table 2-2.
Refer to the Microsoft website for general information on the strengths and weaknesses of Integrated Windows and Anonymous authentication.
Table 2-1 Using Integrated Windows Authentication with the Cisco Unity Administrator
Advantages
|
Disadvantages
|
•User credentials are not sent across the network. Instead, Internet Explorer and Windows use a challenge/response mechanism to authenticate the user.
•Integrated Windows authentication is the default in IIS; therefore, no additional setup is required.
|
•Windows cannot validate the identity of a user when the user is logged on to an untrusted domain, and therefore, denies the user access to the Cisco Unity Administrator. To mitigate this problem, configure each subscriber browser to prompt for a user name and password, allowing subscribers to enter the applicable credentials for the domain that the Cisco Unity server is in. Alternatively, you can establish trusts across domains.
•When subscribers log on to the Cisco Unity Administrator from another domain, they will be prompted to re-enter their credentials every time that they want to use the phone as a recording and playback device for the Media Master.
|
Table 2-2 Using Anonymous Authentication with the Cisco Unity Administrator
Advantages
|
Disadvantages
|
•Subscribers can choose whether to enter Domino or Windows credentials on the Cisco Unity Log On page. If subscribers use Domino credentials, they do not need to have Windows domain accounts created for them. However, if subscribers have Windows domain accounts, they can use Windows credentials to access the Cisco Unity Administrator if the Domino server goes down.
•When subscribers log on to the Cisco Unity Administrator from another domain, they can enter the applicable credentials on the Cisco Unity Log On page for the domain that the Cisco Unity server is in. Thus, you do not need to configure each subscriber browser to prompt for a user name and password, nor do you need to establish trusts across domains.
•When subscribers log on to the Cisco Unity Administrator from another domain, they are not prompted to re-enter their credentials each time that they want to use the phone as a recording and playback device for the Media Master.
|
•When a subscriber enters credentials on the Cisco Unity Log On page, the credentials are sent across the network in clear text. To solve this problem, you can set up Cisco Unity to use SSL.
•Because Integrated Windows authentication is the IIS default, you must configure the system to use Anonymous authentication.
|
If you decide to change the authentication method that is currently used by the Cisco Unity Administrator, see the "Changing the Authentication Method Used by the Cisco Unity Administrator" section. For additional information on Cisco Unity authentication, see the following sections in this chapter:
•How Integrated Windows Authentication for the Cisco Unity Administrator Works—This section offers a high-level summary of the authentication process performed by Windows.
•How Anonymous Authentication for the Cisco Unity Administrator Works—This section offers a high-level summary of the authentication process performed by Cisco Unity, including a description of the credentials required by the Cisco Unity Log On page.
In addition, you may want to review the following related sections in other chapters:
•For information on using SSL to protect user credentials and subscriber data, see the "Manually Setting Up Cisco Unity to Use SSL" chapter.
•For information on how authentication works with the Cisco Personal Communications Assistant (PCA), see the "About Cisco Personal Communications Assistant Authentication" section.
How Integrated Windows Authentication for the Cisco Unity Administrator Works
When IIS is configured so that the Cisco Unity Administrator uses Integrated Windows authentication, Cisco Unity does not authenticate the subscriber. Instead, the identity of the user is verified by Windows, as follows:
1. A Cisco Unity subscriber starts Internet Explorer and attempts to browse to the Cisco Unity Administrator website.
2. Internet Explorer tries to get the home page for the Cisco Unity Administrator from IIS.
3. IIS indicates that it cannot authenticate the user.
4. When Internet Explorer is configured to prompt for a user name and password, it displays a dialog box and waits for the subscriber to enter the Windows domain account credentials. When the subscriber enters the credentials, Internet Explorer tries to get the Cisco Unity Administrator web page again, but this time, it also sends IIS an encrypted message regarding the Windows domain account (based on the credentials that the subscriber entered in the dialog box).
When Internet Explorer is not configured to prompt for a user name and password, Internet Explorer tries to get the Cisco Unity Administrator web page again, but this time, it also sends IIS an encrypted message regarding the Windows domain account (based on the credentials that the subscriber had previously entered to log on to Windows).
In neither scenario is the user password—or any representation of the password—sent across the network, because authentication relies on Windows challenge/response.
5. If Windows can confirm the identity of the Windows domain user, IIS sends the user and domain name to Cisco Unity, and the process continues with Step 6.
If Windows cannot validate the identity of the Windows domain user (as would be the case if the subscriber logged on to an untrusted domain), Internet Explorer prompts the subscriber for a user name and password. Once again, the credentials are not sent across the network; instead, Internet Explorer sends IIS an encrypted message regarding the Windows domain account based on the credentials that are entered in the dialog box.
If authentication occurs, the process continues with Step 6. However, if Windows still cannot authenticate the user, Internet Explorer displays a message indicating that access to the website is denied because the domain account is unknown.
6. Cisco Unity checks to see that there is a subscriber account associated with the Windows domain account used to authenticate the subscriber, and that the subscriber account has COS rights to access the Cisco Unity Administrator.
If the subscriber account exists and it has the proper COS rights, Cisco Unity presents the first page of the Cisco Unity Administrator website, which is displayed in the browser.
If the subscriber account does not exist or does not have the proper COS rights, Cisco Unity presents a web page indicating that the subscriber does not have permission to view the Cisco Unity Administrator website.
How Anonymous Authentication for the Cisco Unity Administrator Works
When IIS is configured so that the Cisco Unity Administrator uses Anonymous authentication, Cisco Unity authenticates the credentials that subscribers enter on the Cisco Unity Log On page, as follows:
1. A Cisco Unity subscriber starts Internet Explorer and attempts to browse to the Cisco Unity Administrator website.
2. Internet Explorer tries to get the home page for the Cisco Unity Administrator from IIS.
3. IIS allows access to Cisco Unity based on the privileges for the IUSR_<Computer name> account. (This is the anonymous account that IIS uses by default for Anonymous authentication.)
4. Cisco Unity presents the Cisco Unity Log On page, which is displayed in the browser.
5. By default, the Log On page prompts subscribers to enter the Domino credentials, as shown in Table 2-3. However, subscribers can click the Log On Using Windows Authentication link provided on the Log On page to browse to another Log On page (as shown in Table 2-4) on which they can enter their Windows domain account credentials.
Table 2-3 Cisco Unity Log On Page for Domino Credentials
Field Name
|
Description
|
Full Name
|
Subscribers enter the full Lotus Notes user name that is associated with their Cisco Unity subscriber account.
The full name consists of the user name, any organizational units that the Domino Person document resides in, and the IBM Domino certifier domain. (For example, a subscriber enters Terry Campbell/Sales/Cisco.)
|
Password
|
Subscribers enter the Internet password for their Domino user account.
|
Table 2-4 Cisco Unity Log On Page for Windows Credentials
Field Name
|
Description
|
User Name
|
Subscribers enter the alias for the Windows domain account that is associated with their Cisco Unity subscriber account. (For example, a subscriber can enter tcampbell, or can enter the full path tcampbell@<Domain name>.)
If subscribers enter the full path, they do not need to complete the Domain field.
|
Password
|
Subscribers enter the password for their Windows domain account.
|
Domain
|
Subscribers enter the name of the domain in which their Windows domain account resides, unless they entered a full path in the User Name field, in which case they leave this field blank.
|
6. Internet Explorer sends the credentials—in clear text—to Cisco Unity. (To mitigate this security risk, you can set up Cisco Unity to use SSL.)
7. When the subscriber has entered Domino credentials on the Log On page, Cisco Unity searches the Domino Address Book for a Person document associated with the user name that the subscriber entered on the Log On page. When the user name is found, Cisco Unity retrieves the encrypted password from the Person document and compares it with the password that the subscriber entered on the Log On page. The process continues with Step 8.
Note By default, the connection between the Cisco Unity server and the Domino server is not encrypted. Refer to the Domino documentation for details on encrypting network data on a server port. It is also a good idea to discuss potential performance issues with the Domino administrator for the organization before enabling encryption on the Domino server.
When the subscriber has entered Windows credentials on the Log On page, Cisco Unity requests authentication of the credentials from Windows. The process continues with Step 9.
8. If Cisco Unity can authenticate the Domino credentials, Cisco Unity confirms that there is a subscriber account associated with the Domino Person document used to authenticate the subscriber, and that the subscriber account has the proper COS rights. If the subscriber account exists and it has the proper COS rights, Cisco Unity presents the first page of the Cisco Unity Administrator website, which is displayed in the browser.
If the Domino credentials cannot be authenticated, or if the subscriber account does not exist or does not have the proper COS rights, Cisco Unity presents a web page indicating that the subscriber does not have permission to view the Cisco Unity Administrator website.
9. If Cisco Unity can authenticate the Windows credentials, Cisco Unity then confirms that there is a subscriber account associated with the Windows domain account used to authenticate the subscriber, and that the subscriber account has the proper COS rights. If the subscriber account exists and it has the proper COS rights, Cisco Unity presents the first page of the Cisco Unity Administrator website, which is displayed in the browser.
If the Windows credentials cannot be authenticated, or if the subscriber account does not exist or does not have the proper COS rights, Cisco Unity presents a web page indicating that the subscriber does not have permission to view the Cisco Unity Administrator website.
Changing the Authentication Method Used by the Cisco Unity Administrator
This section contains two procedures. Do the first procedure to configure IIS so that the Cisco Unity Administrator uses the Anonymous authentication method. Do the second procedure to change back to the Integrated Windows authentication method (which is the default).
To Configure IIS So That the Cisco Unity Administrator Uses Anonymous Authentication
Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Internet Services Manager.
Step 2 In the Internet Information Services window, double-click <System-name> to expand it.
Step 3 Under Default Web Site, right-click Web, and click Properties.
Step 4 In the Web Properties dialog box, set the authentication method:
a. Click the Directory Security tab.
b. Under Anonymous Access and Authentication Control, click Edit.
c. In the Authentication Methods dialog box, check the Anonymous Access check box.
d. Uncheck the Integrated Windows Authentication check box.
e. Click OK to close the Authentication Methods dialog box.
f. Click OK to close the Web Properties dialog box.
Step 5 Under Default Web Site, right-click SAWeb, and click Properties.
Step 6 Repeat Step 4 to set the authentication method for SAWeb.
Step 7 Under Default Web Site, right-click Status, and click Properties.
Step 8 Repeat Step 4 to set the authentication method for Status.
Step 9 Under Default Web Site, click AvXML.
Step 10 In the AvXML directory, right-click AvXML.dll, and click Properties.
Step 11 Repeat Step 4 to set the authentication method for AvXML.
Step 12 Close the Internet Information Services window.
To Configure IIS So That the Cisco Unity Administrator Uses Integrated Windows Authentication
Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Internet Services Manager.
Step 2 In the Internet Information Services window, double-click <System-name> to expand it.
Step 3 Under Default Web Site, right-click Web, and click Properties.
Step 4 In the Web Properties dialog box, set the authentication method:
a. Click the Directory Security tab.
b. Under Anonymous Access and Authentication Control, click Edit.
c. In the Authentication Methods dialog box, uncheck the Anonymous Access check box.
d. Check the Integrated Windows Authentication check box.
e. Click OK to close the Authentication Methods dialog box.
f. Click OK to close the Web Properties dialog box.
Step 5 Under Default Web Site, right-click SAWeb, and click Properties.
Step 6 Repeat Step 4 to set the authentication method for SAWeb.
Step 7 Under Default Web Site, right-click Status, and click Properties.
Step 8 Repeat Step 4 to set the authentication method for Status.
Step 9 Under Default Web Site, click AvXML.
Step 10 In the AvXML directory, right-click AvXML.dll, and click Properties.
Step 11 Repeat Step 4 to set the authentication method for AvXML.
Step 12 Close the Internet Information Services window.
Cisco Unity Administrator Accounts
See the following sections:
•About the Accounts That Can Be Used to Administer Cisco Unity
•Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator
•Defining Subscriber Account Policies for Logons, Passwords, and Lockouts
•Granting Administrative Rights to Other Cisco Unity Servers
About the Accounts That Can Be Used to Administer Cisco Unity
To access the Cisco Unity Administrator, administrators can use one of the following accounts:
Administration account
|
This is the account that was selected during installation to administer Cisco Unity. The administration account is automatically associated with a Cisco Unity subscriber account that has COS rights to access the Cisco Unity Administrator.
|
A Windows domain account associated with a Cisco Unity subscriber account that has COS rights to access the Cisco Unity Administrator
|
In order for administrators to log on to the Cisco Unity Administrator on the Cisco Unity server, this account must be a member of one of the following Admins groups, as applicable:
•Domain Admins group (when the Cisco Unity server is a domain controller)
•Local Administrators group (when the Cisco Unity server is a member server)
Otherwise, the account must at least have the right to log on locally so that administrators can log on to the Cisco Unity Administrator from a computer other than the Cisco Unity server.
|
A Domino account that is associated with a Cisco Unity subscriber account that has COS rights to access the Cisco Unity Administrator
|
This option is available only when the Cisco Unity Administrator uses the Anonymous authentication method.
|
Until you create a Cisco Unity subscriber account specifically for the purpose of administering Cisco Unity, you must use the Windows credentials associated with the administration account that was selected when Cisco Unity was installed to log on to the Cisco Unity Administrator.
Consider using an alternative to the administration account, if you want to do the following:
•Limit the use of the administration account. The COS assigned to the administration account has full system access rights to the Cisco Unity Administrator. This means that not only can the administration account access all pages in the Cisco Unity Administrator, but it also has read, edit, add, and delete privileges for all Cisco Unity Administrator pages.
•Ensure that there are additional accounts available, which can be used to access the Cisco Unity Administrator if the administration account is deleted or corrupted.
The Cisco Unity subscriber accounts that are used to access the Cisco Unity Administrator must have the appropriate COS rights. COS rights specify which tasks, if any, administrators can do in the Cisco Unity Administrator. For example, some subscriber accounts can be associated with a COS that provides read-only access, or restricts administrators to access of specific pages in the Cisco Unity Administrator for the purpose of unlocking accounts or changing passwords. (For more information, see the "Class of Service System Access Settings" section on page 14-5.) In addition to COS rights, subscriber accounts used to access the Cisco Unity Administrator must be associated with a Windows domain account when the Cisco Unity Administrator uses Integrated Windows authentication. The same is true when the Cisco Unity Administrator uses the Anonymous authentication method and administrators will use their Windows domain account credentials to access it. (When the Cisco Unity Administrator uses Anonymous authentication and administrators will use their Domino credentials to access the Cisco Unity Administrator, you do not need to create Windows domain accounts for each subscriber account that you create.)
To create additional subscriber accounts for the purposes of accessing the Cisco Unity Administrator, complete the procedures in the "Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator" section. If you prefer not to create a specific subscriber account for each administrator who needs to access the Cisco Unity Administrator, you can use the GrantUnityAccess utility to associate one or more Windows domain accounts with a single subscriber account. You can also use GrantUnityAccess to associate the Domino account of each administrator with a subscriber account that has COS rights to the Cisco Unity Administrator on a particular server. For more information about using the GrantUnityAccess utility, see the "Granting Administrative Rights to Other Cisco Unity Servers" section.
As a best practice, we recommend that Cisco Unity administrators not use the same subscriber account to log on to the Cisco Unity Administrator that they use to log on to the Cisco PCA to manage their own Cisco Unity accounts. In addition, they should not use Unity service accounts to administer Cisco Unity.
Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator
How you create additional accounts that can be used to access the Cisco Unity Administrator depends on the authentication method that the Cisco Unity Administrator uses and on the credentials that subscribers use to access it.
If the Cisco Unity Administrator uses Integrated Windows authentication (the default method), use the procedures in this section to do the following tasks:
1. Create a Windows domain account.
2. If you want the administrator to be able to log on to the Cisco Unity Administrator on the Cisco Unity server, add the Windows domain account to the applicable Admins group. (Otherwise, the administrator can access the Cisco Unity Administrator only from another computer.)
3. Create a Cisco Unity subscriber account that has COS rights to access the Cisco Unity Administrator.
4. Use the GrantUnityAccess utility to associate the Windows domain account with the Cisco Unity subscriber account.
If the Cisco Unity Administrator uses Anonymous authentication and if administrators will use their Domino credentials to access the Cisco Unity Administrator, do only the "To Create the Cisco Unity Subscriber Account(s) That Will Be Used to Access the Cisco Unity Administrator" procedure.
To Create a Windows Domain Account
Step 1 On the Cisco Unity server or another computer on which Active Directory Users and Computers is installed, log on to Windows by using an account that is a member of the Domain Admins group.
Step 2 On the Windows Start menu, click Programs > Administrative Tools > Active Directory Users and Computers.
Step 3 In the left pane, expand the domain, right-click Users or the organizational unit in which you want to create the account, and click New > User.
Step 4 Follow the on-screen prompts.
Step 5 Close Active Directory Users and Computers.
If you want the administrator to be able to log on to the Cisco Unity Administrator on the Cisco Unity server, you must add the Windows domain account that you created in the previous procedure either to the local Administrators group (when the Cisco Unity server is a member server), or to the Domain Admins group (when the Cisco Unity server is a domain controller). Do one of the following two procedures, as applicable.
To Add the Windows Domain Account to the Local Administrators Group (When the Cisco Unity Server Is a Member Server)
Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Computer Management.
Step 2 In the left pane of the Computer Management MMC, expand System Tools > Local Users and Groups.
Step 3 In the left pane, click Users.
Step 4 In the right pane, double-click the administration account.
Step 5 In the Properties dialog box, click the Member Of tab.
Step 6 Click Add.
Step 7 In the Select Groups dialog box, in the top list, double-click Administrators.
Step 8 Click OK to close the Select Groups dialog box.
Step 9 Click OK to close the Properties dialog box.
Step 10 Close the Computer Management MMC.
To Add the Windows Domain Account to the Domain Admins Group (When the Cisco Unity Server Is a Domain Controller)
Step 1 On the Cisco Unity server or another server where Active Directory Users and Computers is installed, log on to Windows by using an account that is a member of the Domain Admins group.
Step 2 On the Windows Start menu, click Programs > Administrative Tools > Active Directory Users and Computers.
Step 3 In the left pane, expand the domain, and click Users.
Step 4 In the right pane, double-click the name of the administration account.
Step 5 Click the Members Of tab.
Step 6 Click Add.
Step 7 In the Select Groups dialog box, in the top list, double-click Domain Admins.
Step 8 Click OK to close the Select Groups dialog box.
Step 9 Click OK to close the Properties dialog box.
Step 10 Close Active Directory Users and Computers.
To Create the Cisco Unity Subscriber Account(s) That Will Be Used to Access the Cisco Unity Administrator
Step 1 If the Domino person that you want to use to access the Cisco Unity Administrator does not already exist, create the Person document in the Domino Administrator.
Step 2 On the Cisco Unity server, log on to Windows by using the administration account that was selected when Cisco Unity was installed.
Step 3 Right-click the Cisco Unity icon in the status area of the taskbar, and click Launch System Admin.
Step 4 If IIS is configured so that the Cisco Unity Administrator uses Integrated Windows authentication and Internet Explorer is configured to prompt you for a user name and password, enter the user name and password of the administration account in the dialog box, and press Enter. If Internet Explorer is not configured to prompt you for a user name and password, skip to Step 5.
If IIS is configured so that the Cisco Unity Administrator uses Anonymous authentication, on the Cisco Unity Log On page, click Log On Using Windows Authentication, and then enter the user name and password of the administration account, and the domain name for the Cisco Unity server.
Step 5 Create a Cisco Unity subscriber account based on the Default Administrator template by importing the Person document that you created in Step 1 or another Person document from Domino. (The Default Administrator template has COS rights to access the Cisco Unity Administrator.)
See the "Creating Subscriber Accounts" chapter for detailed procedures for creating subscriber accounts.
Because the Cisco Unity Administrator does not import Windows domain account information, the subscriber accounts that you created in the previous procedure still cannot access the Cisco Unity Administrator without corresponding Windows domain accounts (even though they have the COS rights required to access it) when either of the following statements is true:
•The Cisco Unity Administrator uses Integrated Windows authentication.
•The Cisco Unity Administrator uses Anonymous authentication and administrators will use their Windows domain account credentials to access it.
Do the following procedure to use GrantUnityAccess to associate the Windows domain account and the Cisco Unity subscriber account(s) that you created earlier in this section.
To Associate a Windows Domain Account with a Cisco Unity Subscriber Account
Step 1 On the Cisco Unity server desktop, double-click the Cisco Unity Tools Depot icon.
Step 2 In the left pane, expand Diagnostic Tools, and double-click Grant Unity Access to display a command prompt window.
Step 3 To associate a Windows domain account with a Cisco Unity subscriber account, enter:
GrantUnityAccess -u <Domain>\<UserAlias> -s <UnitySubscriberAlias>
For example:
GrantUnityAccess -u UnityDomain\UnityAdmin -s UnityFullAdmin
Defining Subscriber Account Policies for Logons, Passwords, and Lockouts
When the Cisco Unity Administrator uses the Integrated Windows authentication method (which is the default), the account policy that is specified for each Windows domain account determines the following: how Windows handles situations when users attempt to log on to Windows and repeatedly enter incorrect passwords; the number of failed logon attempts that Windows allows before the user account cannot be used to access Windows; and the length of time that a user remains locked out.
If the Cisco Unity Administrator uses Anonymous authentication, you can use the settings on the Authentication page in the Cisco Unity Administrator to customize the logon, password, and lockout policies that Cisco Unity applies when subscribers use the Cisco Unity Administrator to access Cisco Unity. Because subscribers can use either Domino or Windows credentials to log on to the Cisco Unity Administrator, you can specify two logon and lockout policies on the Authentication pages: one that applies when subscribers use their Windows domain credentials, and another that applies when subscribers use their Domino credentials. For details, see the "Authentication Settings" section on page 28-11.
Granting Administrative Rights to Other Cisco Unity Servers
Rather than create subscriber accounts on each server for each person who needs to administer Cisco Unity, you can use the GrantUnityAccess utility to associate any number of Windows domain accounts with a single Cisco Unity subscriber account. You can also use GrantUnityAccess to associate a Domino Person document with a Cisco Unity subscriber account. GrantUnityAccess maintains a table of the associated Windows domain accounts (or Domino Person documents) and Cisco Unity subscriber accounts, which Cisco Unity references when someone tries to access the Cisco Unity Administrator (regardless of the authentication method used by the Cisco Unity Administrator). This table is used to determine whether to permit someone access to the Cisco Unity Administrator.
Before you use GrantUnityAccess, consider the following:
•The Windows domain account(s) that you want to associate with a subscriber account must either be in the same domain as the Cisco Unity server or in a trusted domain. In addition, if you want administrators to be able to log on to the Cisco Unity Administrator on the Cisco Unity server, you must add the Windows domain account to the applicable Admins group (see the "Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator" section for a detailed procedure.) Otherwise, the domain account must at least have the right to log on locally so that administrators can log on to the Cisco Unity Administrator from a computer other than the Cisco Unity server.
•You can associate multiple domain accounts with a single subscriber account.
•You can associate multiple Domino Person documents with a single subscriber account.
•You can associate Windows domain account(s) or Domino Person documents with any subscriber account, as long as the subscriber account has COS rights to access the Cisco Unity Administrator. This includes the administration account that was selected when Cisco Unity was installed.
•Because the administration account is associated with a COS that offers unlimited access to the Cisco Unity Administrator, consider associating the Windows domain account(s) or Domino account(s) used by administrators with a different subscriber account that you create on each Cisco Unity server to have more limited COS rights. In this way, you can customize the level of access for the administrators in your organization. (For more information, see the "Class of Service System Access Settings" section on page 14-5.)
•If there are several servers that the administrators need access to, you can create a batch file that contains the commands to grant access to the applicable servers. In this way, you can avoid entering the commands repeatedly.
Use the following procedure to run GrantUnityAccess. Note that you cannot run GrantUnityAccess remotely across a network, so you will need to run it on each Cisco Unity server that you want to make accessible, and for each account that you want to map. See the "Sample GrantUnityAccess Arguments" section for an example of how this utility is used, and for argument syntax details.
To Use the GrantUnityAccess Utility
Step 1 Log on to Windows on the Cisco Unity server by using either the administration account that was selected when Cisco Unity was installed or a Windows domain account that is a member of the local Administrators group on the Cisco Unity server.
Step 2 On the Cisco Unity server desktop, double-click the Cisco Unity Tools Depot icon.
Step 3 In the left pane, expand Diagnostic Tools, and double-click Grant Unity Access to display a command prompt window.
Step 4 To associate a Windows domain account with a Cisco Unity subscriber account, enter:
GrantUnityAccess -u <Domain>\<UserAlias> -s <UnitySubscriberAlias>
To associate a Domino Person document with a Cisco Unity subscriber account, enter:
GrantUnityAccess -n "<FullName>/<CertificationAuthority>" -s <UnitySubscriberShortName>
Note that the quotation marks are required around the first argument, because the full name of a Domino user will more than likely contain a space.
Sample GrantUnityAccess Arguments
For example, assume that JSmith and KChen are the aliases of administrators who need access to the Cisco Unity Administrator on another Cisco Unity server, and that their Windows domain accounts are in a domain called NewYorkDomain. To associate their Windows domain accounts with the administration account that was selected when Cisco Unity was installed, run GrantUnityAccess two times as follows:
GrantUnityAccess -u NewYorkDomain\JSmith -s <UnitySubscriberAlias for administration account>
GrantUnityAccess -u NewYorkDomain\KChen -s <UnitySubscriberAlias for administration account>
Alternatively, if you want to associate their Domino accounts with the administration account that was selected when Cisco Unity was installed, run GrantUnityAccess two times as follows:
GrantUnityAccess -n "Jane Smith/MyCert" -s <UnitySubscriberAlias for administration account>
GrantUnityAccess -n "Kevin Chen/MyCert" -s <UnitySubscriberAlias for administration account>
Rather than specifying the administration account, you could associate the Windows domain account for Neil Jones with the subscriber account for Kelly Bader instead:
GrantUnityAccess -u NewYorkDomain\NJones -s KBader
To obtain a list of accounts that have been associated with Cisco Unity subscriber accounts, enter:
GrantUnityAccess -l
To delete an association made previously using GrantUnityAccess, enter:
GrantUnityAccess -u <Domain>\<UserAlias> -s <UnitySubscriberAlias> -d
or enter:
GrantUnityAccess -n <FullName>/<CertificationAuthority> -s <UnitySubscriberShortName> -d
To display information about these and other arguments, enter:
GrantUnityAccess -?