The request to disable or restrict access to the corporate directory is actually quite reasonable and not uncommon. One common scenario is that the customer wants to restrict access to an internal/corporate directory from a common area phone. This request can be simply hide the Corporate Directory, hide the Personal Directory, or disable the button entirely. In pre-CUCM7x systems you can’t accomodate all of these requests but in CUCM7x you have much more flexibility. We’ll talk about the general process flow first and then discuss the pre- and post-CUCM7x options.
What is the corporate directory?
The Corporate Directory is a Cisco feature that allows users to search a repository of names and phone numbers. By default it is an application that runs on the CUCM cluster which uses data stored in the “enduser” table. You can check out the data in your “enduser” table by issuing the following query via AXL/SOAP or at the command shell:
admin:run sql select firstname,lastname,telephonenumber from enduser
firstname lastname telephonenumber
========= =================== ===============
**TELEPHONENUMBER** David Hailey 1203123 Bill Bell 1203456 Andre Wright 1203789
Data displayed in the default Corporate Directory application uses the “enduser” database table even when you have DirSync enabled. Data is replicated from your corporate LDAP to the “enduser” table.
How does the phone access the corporate directory?
When a user selects the directories button on the Cisco IP phone it is actually using a URL provided by the CUCM configuration to pull an XML document from a designated location. By default this is an application hosted on one of the CUCM cluster nodes. However, this is not required. You can write your own Corporate Directory application. As long as the application can provide a properly formatted XML document to the IP phone, you are in business.
How does one disable the corporate directory in pre-CUCM7x versions?
In a pre-CUCM7x build, if you wanted to disable the corporate directory for all phones, you simply go to System>Enterprise Parameters and scroll down to the Phone URL Parameters section and delete the URL you find in the URL Directories parameter. Click on save, reset the phones, and Corporate Directory is no more. This will also remove the Personal Directory option provided in CUCM 5x and later releases.
In most cases, you don’t want to disable the Directories URL for all phones but only specific groups of phones. In this case, you have two options.
Option 1:
Delete the Directory URL setting in Enterprise Parameters and then specify the valid Directory URL at the device level for phones you want to have it enabled on. The default is “disabled” so, if a phone has no URL defined in the device config, it uses the default.
Option 2:
With the Enterprise Parameters set to use the valid URL, you can put a bogus setting on the phone configuration page for phones you want to restrict. I have looked through some forum threads and some people like to actually put a bogus URL like: http://1.1.1.1/bogus.html or http://nodirectory or something equally trivial. This method doesn’t work so well for me. I mean, it achieves the same end goal but there is a side effect. The phone will actually try to resolve and connect to the URL. So, what you see on the phone is something like this:
Notice the erroneous request and resulting timeout. This is somewhat annoying to me. You can avoid this, at least in CUCM 6x and relevant phone firmware. If you specify a URL like “disable” or “heythere” then you can actually avoid the “Host Not Found” error. Why? Well, my guess (I didn’t write the firmware) is that the phone recognizes an invalid URL and just ignores it without kicking out an error message to the screen.
So, what about CUCM 7x?
In CUCM 7x, I found that quite a few things have changed. I messed around in the lab a little to understand the “new” behavior and I learned quite a bit. First, in CUCM 7x the various directories like Missed Calls, Received Calls, Placed Calls, etc. are now IP Phone Services. You can see them by going to Device>Device Settings>Phone Services:
Would you look at that! …What am I looking at? Basically, think of each menu item you would normally see in the “Directories” menu as a service. You can now configure them individually. One may think that they can assign/unassign directory features like they would say Extension Mobility. It isn’t that straight forward, at least by default. You will notice that there is a parameter in the tabular view called “Enterprise Subscription”. This is a key attribute.
When an IP Phone Service is setup as an Enterprise Subscription, this means that it is automatically assigned to all phones. In otherwords you can’t “unassign” the service. At least not in one step. Also, you can only toggle the Enterprise Subscription parameter when you create an IP Phone Service. So, services like Corporate Directory (which are “configured” on system build) are already enabled as an Enterprise Subscription. We’ll come back to this in a moment.
There is another, related feature that we should understand a little before playing around with the new toys. I believe the feature is called “Enhanced Service Provisioning”. It basically allows an administrator to set a parameter which tells a phone to get service configurations either internally (using TFTP config file) or externally (using service URLs).
The configuration controlling how phones behave is controlled at a system-wide level with a new Enterprise Parameter called “Service Provisioning”. This parameter can also be controlled at a device level via the “Common Phone Profile” setting on an IP phone. The default behavior is to use Internal Service Provisioning which means:
- Phone Services are provisioned using IP Phone Service settings and delivered to the phone in the configuration file (TFTP)
- Messages/Directories URL parameters are not used
When this parameter is set to use External Service Provisioning, the device will use the URL parameters as they would in pre-CUCM7x builds. So, Internal is the new method and External is the old method. You can also configure the “Service Provisioning” parameter to do both. I haven’t played with that much yet.
So, lets say you wanted to disable the Personal Directory feature from all phones in the cluster, how would you proceed? This is easy, go to Device>Device Settings>Phone Services. Click on Personal Directory and toggle the “Enable” option off. Click on Save and then Update Subscriptions. Of course, you need to soft restart IP phones for it to take effect. Once you are done, no phone in the cluster will have access to the Personal Directory.
What if you wanted to disable it on only a few phones? This is slightly tougher. By default, phones use Internal Service Provisioning. Which means that the Directory URL is ignored. Further, when using the Directory URL (i.e. “External Service Provisioning”) you don’t have the option to just filter out the Personal Directory (unless, of course, you are custom building the application – different topic). Further, the Personal Directory has the Enterprise Subscription flag enabled and you can’t disable it. This isn’t a huge deal, simply do the following:
- Take note of all of the parameters for the Personal Directory service
- Delete the Personal Directory service
- Add a new server called Personal Directory and add in all of the parameters except the Enterprise Subscription flag, make sure this is turned off
- Now, update the Subscriptions on an individual phone so they are subscribed to the Personal Directory service you just created
- You are done
This method applies to all of the directory Phone Services. So, if you wanted to disable the Corporate Directory you can do this using the same methodology.
Now, one of the problems I have heard people complain about is that they want to disable the Directories button completely. I saw this on a Netpro thread recently and when I mocked the scenario up in my lab I experienced the issue the user was having. The solution is found in the understanding of how the “Service Provisioning” parameter works with the Phone Services.
Let’s say you have 2000 phones and you want to disable the Directories button a 20 of them. There are a few approaches but I like the following best.
- In CCMAdmin go to Device>Device Settings>Common Phone Profile
- Select and copy the “Standard Common Phone Profile”
- Configure this new profile as follows:
Notice that we are specifying External Service Provisioning for this common profile. Now, proceed to assign this profile to an IP phone.
- Go to Device>Phone
- Select the “Common Phone Profile” setting and choose the new phone profile “External URL Phone Profile”
- Click on Save and Apply Config
So, what have we accomplished. We basically have told the target phone to not use the Enterprise Subscription Phone Services and to use the Messages and Directory URLs instead. Does this accomplish our goal? Assuming you have the default configuration applied for the Enterprise Parameters URL settings then you have fallen short of your goal.
Since we have told the phone to use the External Service URLs it will behave like a pre-CUCM7x phone. Which means, the device settings URL for Directory must be considered. By default, this field is blank. Which does not mean “disabled”, it simply means use the Enterprise Parameters. Now, the Enterprise Parameters will still have the xmldirectory.jsp URL configured by default. So, when you go to the phone with the “External URL Phone Profile” configured and hit the directories button, you still pull down the Directories menu.
To “fix” this, go to the System>Enterprise Parameters and delete the URL Directories parameter. Restart the IP phone and now when you hit the Directories button you will see a message “No Services Available” at the bottom of the phone screen and no menu is displayed. Now, you have successfully disabled the Directories button.
Missed Calls/Received Calls/Placed Calls
(Added 8/31/2010)
Some readers noted that when they enabled a custom corporate directory Missed Calls, Received Calls, and Placed Calls would no longer be presented as menu options. This is by design. The developer will need to modify their back-end application to accommodate presentation of these directory URLs:
- Missed Calls: “Application:Cisco/MissedCalls”
- Received Calls: “Application:Cisco/ReceivedCalls”
- Placed Calls: “Application:Cisco/PlacedCalls”
A snippet of Java code from one of my corporate directory applications:
These URLs essentially tell the phone to load a local “application”. IOW, you won’t see the phone try to resolve these URLs to a network entity. The directories are still stored on the phone itself.