Cisco Smart Licensing Deployment Models For Collaboration Explained

Summary

Cisco Smart Licensing is the only licensing method available for the newest versions of Cisco's Collaboration System Release (CSR). Below is a group of common questions that architects and engineers have to ask themselves so they can make decisions on the most effective Smart Licensing deployment model for their organization. 

• How will my Collaboration Apps access the internet?
• Will the communication path go through an HTTP Proxy?
• Do we need to open firewall ports for direct access?
• Do we want to have our own on-premise licensing portal with limited cloud access?
• Is our organization completely air-gapped with zero access to the internet for our Collaboration Applications?
• What information can we share with the Cisco Smart Licensing Portal?

The answers to these questions help determine the best Cisco Smart Licensing Deployment model for an organization. In the next section, we dig into four different Cisco Smart Licensing Deployment models that customers choose based on the answers to these common questions. 

ATC Insight

Smart Licensing Deployment Models

Cisco's Smart Licensing requires that Smart License enabled devices can connect to the Cisco Smart Software Manager (CSSM) to transmit real-time license availability, usage tracking, and some license enforcement. There are various options in Smart License deployments based on an organization's required level of security.  The four Cisco Smart Licensing deployment models that we will discuss are:

• Direct Cloud Access (Direct Internet) –Cisco products communicate to the cloud CSSM directly over the internet
• Direct Cloud Access (HTTP Proxy) – Communication to the CSSM cloud is transmitted through the customer's Proxy Server
• CSSM On-Premise – Cisco products communicate to an On-Premise instance of Smart Software Manager (SSM). The SSM will communicate to the cloud when configured to do so.
  • Automatic – For constantly connected organizations, an information exchange with the cloud CSSM happens automatically on the time interval configured.
  • Manual – For disconnected organizations with a higher security requirement, exchange with the cloud CSSM only occurs on demand
• Specific License Reservation (SLR) – For customers with the highest security requirements, information is exchanged with the cloud via a copy and paste method similar to the legacy method of registering PAKs

*There is a standard set of Information exchanged with Cisco, no matter the deployment model selected. This is a limited set of data that is sent to Cisco for license tracking purposes only.

Required information includes:

• Unique device identifier
• License entitlements currently in use
• Organization identifier ID token from Virtual Account
• IP Address and Hostname are also shared, but sharing of this information can be disabled on some CSR application platforms

Direct Cloud Access Model

This method utilizes a direct encrypted HTTPS connection from the device or application to the Cisco Smart Software Manager in Cisco's cloud datacenters. Whether through a proxy-server or direct to CSSM via internet, this is the most common method of Smart License deployment and is used by approximately 80% of Cisco's Smart License enabled customers. It is the easiest method to use since Cisco devices and applications have a direct connection to the internet. It works directly out-of-the-box with no additional VM installation or additional configuration steps. 

Requirements for Direct Access:

1. Layer 3 access to tools.cisco.com
2. Registration to CSSM
3. Enabled licensed feature
4. Verified license status

Smart Software Manager (SSM) On-Premise Model

SSM On-Prem was previously known as Smart Software Manager Satellite. It connects to Cisco Smart Software Manager in the cloud. It is ideally suited for organizations that have strict security requirements and do not want their products to communicate with the cloud licensing database over a direct Internet connection. SSM on-prem can be synchronized with CSSM daily, weekly, monthly, or totally disconnected. Without a direct internet connection, SSM On-Prem synchronizes to cloud CSSM via a file transfer process. Cisco's recommendation is to synchronize at least every 30 days. Below is a feature comparison between the previous SSM satellite version on the newest SSM On-Prem solution.

License substitution, where a license was "borrowed" from a higher tier if none were available at the lower tier, was previously only supported with CSSM. Now, this license substitution is supported with SSM On-Prem.

Install SSM on-prem is a simple process of downloading an ISO file from Cisco.com and loading the ISO to a VMware ESXi Datastore. Install the VM though the normal ESXi virtual machine installation process. VMware vSphere Web Client versions 5.5 thru 6.5 are supported.

SSM System Profiles

SSM On-Prem provides two profiles:

Standard Profile: The installer will be prompted with the default centos shell with the option to use the On-Prem console. The security provided by the Standard Profile includes a set of security features normally suitable for non-defense organizations. These features include:

1. Sha 256 signing key increased patch security with the addition of sha256 signing key
2. LDAP Secure SSM On-Prem supports tls (Transport Layer Security) and plain text login
3. LDAP forces the correct configuration of the host, port, bind dns, and password. If these parameters are incorrect or not entered, you will receive an error message.
4. Additional security features:
   1. During installation, the Administrator must update the system password.
   2. The admin password cannot be changed back to the default password.
   3. The Event Log now records when a user is added or deleted.
   4. Users that idle for 10 minutes are automatically logged out.

DISA STIG Profile: An additional new feature for SSM On-Prem for organizations with STIG compliance requirements. When you SSH into the shell, you are unable to access the root. Instead, you will only have access to a whitelisted console which limits you to white listed On-Premise console commands only. This is a necessary configuration for STIG compliance requirements for Department of Defense security systems. The features enabled with this profile selection are compliant with Security Technical Implementation Guide (STIG) standards. STIG features include:

1. Users can import their own certificates through their browser and their local directory through browser certs management.
2. Users can set password strength and password reset and recovery workflows with new tabs in the Security Widget. This included configuration for password expiry and password strength requirements.
3. Active Directory Federation Services update now supports OAuth.
4. Active Directory Federation Services also supports OAuth 2.0 Active Directory LDAP group import.

For many organizations these security posture options, or a combination of these options, are sufficient. But for some, a completely air-gapped solution is better suited to their environment. 

Specific License Reservation (SLR)

This method of licensing is new with Cisco Collaboration Cisco Unified Communication Manager 12.5. It is used by approximately 5% of Cisco's customer deployments. SLR uses a copy/paste process similar to the previous PAK registration process. However, an organization can receive the benefits of Smart License tracking and monitoring in a highly secure environment. It does not require on-going communication with Cisco.com, nor does it require additional compute or hardware on-premise. It's important to note that SLE is not available on all Cisco products. Also, when utilizing SLR, all returns (RMAs) and license updates have to be manually processed.

SLR is a feature most commonly used in highly secure networks. It provides an air-gapped, disconnected method for organizations to deploy a license on a device, like CUCM, without communicating usage information. To enable SLR on your Smart Account you must send a request to Cisco licensing. In some cases, SLR authorization codes for an end product can be pre-installed at the factory before shipment.

Currently, SLR is only available on Certain Platforms: 

*For a complete list of Cisco Smart Enabled Products and their licensing capabilities, you can visit their Smart Enabled Product Families Page which is regularly updated.

An organization can specify and reserve perpetual or term-based licenses against the Collaboration Application product. If you need to update the license changes after you have validated the authorization code, then you must resynchronize the system. The license changes are made in CSSM and a new authorization code is generated for the product. Reserved licenses remain blocked in CSSM until released from the product with a return code. 

Conclusion and Thoughts

Direct Cloud Access with HTTPS is the most common deployment model. Though HTTPS is a solid method of encryption, WWT's most security-conscious customers can choose Specific License Reservation (SLR) with an extreme air-gapped approach. With the information provided here, organizations can determine the ideal methodology for deploying Cisco Smart Licensing. Once an organization chooses a deployment model, then it is time to migrate licensing!  Please go to our ATC Insight that covers two ways to migrate to Cisco Smart Licensing.

Technologies Under Test

Cisco Smart Software Manager (CSSM), Smart Software Manager On-Premise (SSM), Specific License Reservation

Documentation

If you would like to gain a deeper understanding of Cisco Smart Licensing for Collaboration, please download the attached document written by our architects Ryan Dowdy and Damon Watson from our Infrastructure Services Organization at WWT.  This document covers a more inclusive picture of the following topics:

• Cisco Customer Smart Accounts
• Smart Licensing Deployment Models
• Smart License Migration
• Generating a Smart License Token
• Smart Licensing States
• Smart Licensing for IOS Devices
• Collaboration Applications
• IOS Devices