UCCE - Integration

  • Log to system ECE admin Page
  • Set System\Shared Resource\Services\Unifed CCE\EAAS process to automatic and start (should go running)
  • Set System\Shared Resource\Services\Unifed CCE\Listener process to automatic and start (should go running)
  • Set Partitions\Default\Services\Unified CCE\EAAS - configure for port 38001 and set to automatic & start - the MR PG PIM connects to this (check FW is allows)
  • Set Partitions\Default\Services\Unified CCE\Listener- Set to Automatic & Start - this monitors CTI
  • How does ECE know what the address of the CTI servers are?
  • Via the UCCE AW PG2 Config - (old interface - check CTI addresses (use IP addresses) are configured)
  • The CCE Admin tomcat server accesses the ECE Gadget from the ECE Web server using HTTPS. If the Tomcat does not have the CA Certification, TLS fails to establish and you will not be able to view the ECE Admin Gadget within CCE Admin. Hence you need to add the ECE Web cert (or if signed by a CA / Intermediate cert, you would add the CA root and intermediary certs) into the CCE Java CA keystore on the CCE Admin Tomcat Servers (AW-HDS-DDS)
    • Use KeyStore Explorer (run as admin) to import CA to CA keystore (keystore is located here: C:\Program Files (x86)\Java\jre1.8.0_181\lib\security) - (the default keystore password is 'changeit'). Run keystore as an admin and make sure to save the file after importing the trusted certs.
  • Make sure the ECE Web server FQDN is set in the ECE config (also available on PCCE Admin ECE Gadget)
    • C:\ECE\eService\templates\finesse\gadget\spog\spog_config.js - uses the FQDN for web_server_name (Otherwise you will get a cert error)
    • Note - also do this for the Agent Gadget config file - C:\ECE\eService\templates\finesse\gadget\agent\ece_config.js
  • The account you use to login into CCE GUI must have its LDAP 'userPrincipalName' attribute set, as ECE looks up this attribute to search for the account via LDAP (see next LDAP setup).

  • Configure ECE SSO Partition Admin setup is configured similar to below. This is needed even if you do NOT use SSO. This is required for the PCCE ECE gadget to work. If you want to use SSL for LDAP (which you should), the ECE server verifies the cert of the LDAP server - I have a keystore file that contains the LDAP server certs or the CA cert that signed them on the ECE Server, updated it to contain the Private CA cert using KeyStore Explorer
  • Note - Spell userPrincipalName correctly! (I didn't and you get a Java error in ECE Application Logs when you try to log in on SPOG!)
  • Review the ECE Application logs to see any errors if this is not working correctly.
    • Note if you get the following error then reconfigure the LDAP integration to use Global Catalog port 3268 or 3269 (SSL)
Exception in LDAP authentication  <@> 
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=example,DC=com'
  • Note - if you want to use SSL for your LDAP lookup (recommended) do not use the certca store located in C:\ECE\jdk\lib\security - it seems to get overwritten, so i copied the cacert file and updated it with the CA certs for the LDAP servers and stored it in a different location as per screen shot below.

  • Configure Application Path List - as per the ECE PCCE Installation Guide (MultiChannel - Email, Outbound, Chat).
  • Configure CCE SQL Integration on PCCE ECE SPOG and import MultiChannel and PG and then import a Script
  • Enable Agents for ECE

To Enable Pick Pull While In Not Ready you need to set the below registry key to “1” on the UCCE Router

[HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Systems, Inc.\ICM\ucce\RouterA\Router\CurrentVersion\Configuration\Config]

Note - to be able to search from a specific Queue - you must assign the relevant Skillgroup to the ECE Queue

  • Chat and Email Gadget → Department → Business Rules: Queues.
  • Select Queue and assign relevant SG on the “Skill Groups” tab

Pull Emails

You need to select which Queues you want to pull from when not Ready. Select Options and then select the queues as per below:

  • Create a Skillgroup in the ECE OUtbound Domain and assign all agents to it.
  • Create a Calltype
  • Create a Routing Script with the above Skillgroup (copy an inbound Email script) and assoicate with the above calltype
  • Create a Dialnumber in the ECE_Outbound MRD and assoicate the above calltype
  • Import this Dialnumber into ECE (which then becomes a ECE Queue)
  • Log agent into ECE Gadget - Test by viewing real time table for that agent and confirming it logged into ECE_Outbound MRD and try sending an email.

  • Add specific context is added to the customer object before it is passed into the StartChat()


  • Create a copy of the callback folder “C:\ECE\eService\templates\callback\Rainbows” and update the Entry Point URL to use your custom template
  • Disable Country Code from been used in Popup - by setting to 'useContryCode' to '0' in the eGain JavaScript File 'eGainLiveConfig.js'
  • Create a Calltype , and a Dialed Number ECE Data Routing Client and Voice
  • Create an ECE queue for a callback and a delayed callback and link to the Cisco Script (calltype) and map the relevant ECE variables to the CCE Call Variables as per below
  • In the ICM script - set the Desktop Layout you want to use and reset the ANI to prefix it with a '9' or whatever you need for an outside line etc, i.e. its the ANI which is presented to the script by ECE which is the callback number.

When importing users - they are imported to a specific department.

Partition → Integration → Unified CCE → Unified CCE → Configuration
Bottom Right of page → Click on the Import button.

  • Select Department Name
  • Select Users Tab
  • Select PG and Peripheral
  • Click the + button and find and import the agent

Max queue time - global setting (you can reduce it in the ICM Script by using a lower Wait timer).

  • Partition → Integration → Setting → Web Chat (in seconds).
  • Open IIS Manager
  • Select the Default Site (and then repeat for desktop and system)
  • on the Actions Windows (Right Hand side) - select Basic Settings
  • Select Test Settings

Do NOT do below - as it will break the rights on the SCHEMA folder. This prevents the Default App Pool work process from starting successful.

However if you do - to revert SCHEMA folder as it should be:

  • By switching the Default App Pool to run under LocalSystem fixed the above issue (DefaultAppPool - > Advanced Setting) but when running under the default “ApplicationPoolIdentity” is the worker process fails.
  • To fix it when using “ApplicationPoolIdentfity” - assign Read & Execute, List and Read rights to the SCHEMA folder (This is the default - but seemed to be overridden by below) -


==== Below needs to be reviewed and corrected - as you do not want or need to change the rights to the SCHEMA folder.

  • Change the owner of the Config folder and sub-folder from SYSTEM to your own account (which should be a local admin) (the one you are logged in as).
  • Right click Config→ Properties → Security → Advanced
  • Change Owner - and make sure BOTH check-boxes are selected
    • “Replace owner and sub containers & objects” and “Replace all child objects permissions….”
  • Now you can add / edit your ece account to have read access - the steps are:
  • Close Properties windows and reopen again
  • Right click Config→ Properties → Security → Advanced
  • add / edit your ECE Web server account to have read access
    • and make sure again check “Replace all child objects permissions….” check-box
  • This should now work WITHOUT an error and you can go into a sub directory and confirm if has the correct rights
  • Revert back the owner of CONFIG and sub-folders to SYSTEM as before , i.e. <computername>\SYSTEM (make sure to check the two check-boxes as before) - sub folders and child object permissions.

The ECE webserver by default sets the X-Frame-Options and Content-Security-Policy to the value set in wsname parameter (which is passed as a URl variable). This allows the gadget and Chat form to be allowed as a iframe within the Finesse Server or the customers website.

However this could be hacked to set these values to whatever you set in the wsname - hence a possible security risk. To workaround this issue - we can fix this in the ECE Web Server IIS URL rewrite module - by updating the web.config file. the below only set the parameters for an allowed whitelist of the domains (and any sub domains) of “ or”

  • Backup the web.config file
  • Edit and save the web.config file with below changes (change the / to your relevant domains).
  • Restart the IIS Server and clear your browser cache before retesting.

Find and Replace as following in the ECE IIS web.config file:






<action type="Rewrite" value="ALLOW-FROM {C:2}://{UrlDecode:{C:6}}" replace="true" />


<action type="Rewrite" value="ALLOW-FROM {C:2}://{UrlDecode:{C:6}{C:7}}" replace="true" />


<action type="Rewrite" value="frame-ancestors 'self' {C:2}://{UrlDecode:{C:6}}" replace="true" />


<action type="Rewrite" value="frame-ancestors 'self' {C:2}://{UrlDecode:{C:6}{C:7}}" replace="true" />


All of the following are required:

  • User must have 'Edit' action on 'Activity' resource or 'Manage Utilities' action on 'Utilities' resource.
  • The activity must either belong to the user's home department, or to a department in which the user is a foreign user.

In PCCE - the above permissions are added by adding in ECE → User → Relationships:

  • Manage Completed Activity

Read the readme and Run utility at the following location.

  • vendors/cisco/uc/ece.txt
  • Last modified: 2023/12/13 08:38
  • by gerardorourke