Product Overview¶
Last update: June 4, 2026
Product: AI-Bridge for Cisco UC
Version: v202606
Author: SARL SOURDEAU CONSULTING
Project Overview¶
What is AI-Bridge for Cisco UC¶
AI-Bridge for Cisco UC is a Model Context Protocol (MCP) server that bridges AI/LLM platforms to Cisco Unified Communications on-premises infrastructure. It enables any MCP-compatible AI agent β such as Claude Desktop, VS Code, Open Code, Cursor, or custom LLM-based tools β to interact directly with Cisco UC systems through a secure, authenticated, and auditable interface.
The server exposes Cisco UC operations (using the product API) as MCP tools, along with guided workflows as MCP prompts and reference documentation as MCP resources. AI agents consume these capabilities using the standard MCP protocol over Streamable HTTPS transport.
Key value proposition:
- π£οΈ Natural Language Control β empower Cisco UC administrators and operators with AI-assisted operations driven by natural language through your AI agent β configuration queries, security audits, health checks, report generation, and troubleshooting.
- π Faster AI Integration β a single solution to interconnect all Cisco UC products with any MCP-compatible AI agent. No Cisco UC expertise required β the MCP server provides all the context, tools, and domain-specific prompts the AI needs to interact correctly with UC products.
- π Enterprise Security & Governance β integrating the most demanding security features makes AI-Bridge suitable for regulated environments, government networks, and any organization where data sovereignty and high security are requirements.
- π Cross-Platform Workflows β orchestrate complex multi-product operations in a single natural-language request, spanning all supported Cisco UC platforms.
Use-case examples β what you can ask your AI agent:
- " Create user Marie C., assigning her a phone, a voicemail, a Jabber client, and a personal video conference room "
- " Add speed dials to Peter D.'s phone for Marie C. and David B. "
- " Create a secure video conference room named β Crisis Room - Executive Committee β "
- " Perform a security audit of all European CUCM clusters "
- " Send the following message to all phones in the Orion building: Telephone system maintenance starting at 10:00pm β "
- " Help me analyze John R.'s call issue yesterday at 9:50am "
Deployment Model¶
Hosting
AI-Bridge for Cisco UC runs on any Linux distribution with Docker support.
Recommended deployment: a Docker container hosted on your infrastructure (VMware vSphere, Hyper-V, Proxmox, Docker Engine, or equivalent).
On-premises design - Compatible air-gapped
AI-Bridge for Cisco UC is designed for fully on-premises, compatible with air-gapped deployment:
- No cloud dependency β the server runs entirely on the customer's infrastructure. No data is sent to any external service. No telemetry, no analytics, no phone-home mechanism.
- No outbound connections β the server only connects to the Cisco UC nodes explicitly configured. It never initiates connections to the internet.
- Offline licensing β licenses are RS256-signed JWT files issued offline by the editor and installed locally. No license server or online activation is required.
- Offline upgrades β upgrade packages are delivered as signed
.tar.gzarchives. Package integrity is verified via DNS-published SHA-512 checksums and RSA-PSS digital signatures. - Offline AI operation β the MCP protocol runs over the local network between the AI agent and the MCP server. If the AI agent itself runs locally (e.g., a local LLM), the entire chain operates without any internet connectivity.
- Reverse proxy support (optional) β a web reverse proxy (e.g., Nginx, Apache, HAProxy) can be placed in front of the MCP server for TLS termination and network segmentation.
- High availability β AI-Bridge supports redundancy based on the virtualization platform hosting it (e.g., VMware HA, Hyper-V failover clustering, Proxmox HA). No application-level clustering is required.
Standard deployment model
The standard deployment model is:
Text version (click to expand)
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Customer Network β
β β
β βββββββββββββββ ββββββββββββ βββββββββββββββ β
β β LLM β API β AI Agent β β Web β β
β β (OpenAI, βββββββββΊβ (Claude, βββββββββΊβ Reverse- β β
β β Anthropic, β β Copilot,β β Proxy β β
β β Local LLM) β β etc.) β β (optional) β β
β βββββββββββββββ ββββββββββββ ββββββββ¬βββββββ β
β Cloud or Local β β
β β β
β βΌ β
β ββββββββββββββββ β
β β AI-Bridge β β
β β Instance 1 β β
β β (MCP Server) β β
β ββββββββ¬ββββββββ β
β β β
β ββββββββββββββ¬βββββββββββββ¬ββββββββββββ¬ββββ΄βββββββββ¬βββββββββββββ β
β βΌ βΌ βΌ βΌ βΌ βΌ β
β ββββββββββββ ββββββββββββ ββββββββββββ ββββββββββββ ββββββββββββ ββββββββββββ β
β β CUCM β β IMP β β CUC β β EXP β β CUBE β β CMS/CMM β β
β ββββββββββββ ββββββββββββ ββββββββββββ ββββββββββββ ββββββββββββ ββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Products Compatibility¶
AI-Bridge for Cisco UC currently supports the following Cisco UC products:
| Product | Full Name | Multi-Cluster | Query Protocols | Supported Versions |
|---|---|---|---|---|
| CUCM | Cisco Unified Communications Manager | β | AXL/SOAP RIS SSH |
14 15 |
| IMP | Cisco IM & Presence Service | β | AXL/SOAP SSH |
14 15 |
| CUC | Cisco Unity Connection | β | CUPI SSH |
14 15 |
Multi-cluster support: the server can manage credentials and execute operations against multiple independent clusters simultaneously.
Add-ons Compatibility Matrix¶
AI-Bridge for Cisco UC supports a modular add-on system. Add-ons are AI-guided workflows that leverage the server's tools and embedded reference resources to perform complex multistep operations.
| Add-on | Description | CUCM | IMP | CUC | Status |
|---|---|---|---|---|---|
| Security Audit | Automated configuration security audit based on Cisco Security Guide Release 15. Report with PDF export. | β | β | β | GA |
| Health Check | System health verification | π | π | π | Planned |
| Troubleshooting | AI-powered diagnostic assistance | π | π | π | Planned |
| Certificate Renewal | Automated certificate lifecycle management: inventory, expiry monitoring, CSR generation, renewal workflow. | π | π | π | Planned |
| Upgrade | Upgrade planning: version compatibility checks, pre-upgrade audit, COP file management, scheduling. | π | π | π | Planned |
Built-in modules:
| Module | Description |
|---|---|
| Reports | Markdown report generation with 9 chart types (pie, bar, donut, radar, gauge, treemap, grouped bars, waterfall, severity matrix) and PDF export via WeasyPrint. |
| Infra | HTTP endpoints for health check, Prometheus metrics, server status, and OAuth token management. |
| License Verification | RS256-signed JWT license verified at startup and monitored periodically by a background watchdog. |
| Automatic Backups | Periodic encrypted backups (RSA-4096 + AES-256-GCM) with local retention, optional SFTP export, and interactive restore. |
| Packaged-Upgrades | Signed package-based upgrade system with --dry-run preview, .env key merge, and automatic pre-upgrade backup. |
Standards & RFC Compliance¶
AI-Bridge for Cisco UC implements a comprehensive set of industry standards across its security, authentication, cryptography, and transport layers, including:
- OAuth 2.0 / 2.1 β RFC 6749 (Authorization Framework), RFC 6750 (Bearer Tokens), RFC 7009 (Token Revocation), RFC 7617 (HTTP Basic Auth), RFC 8414 (Server Metadata Discovery), RFC 9068 (JWT Access Tokens), RFC 9700 / BCP 212 (Security Best Practices)
- JWT & Cryptography β RFC 7519 (JWT), RFC 7518 (JWA / RS256), RFC 8017 (RSA-PSS & RSA-OAEP), RFC 2898 / RFC 8018 (PBKDF2), NIST FIPS 180-4 (SHA-256/512), NIST SP 800-38D (AES-256-GCM)
- TLS & HTTP Security β RFC 5280 (X.509), RFC 8446 / RFC 5246 (TLS 1.3 / 1.2), RFC 9110 (HTTP Semantics), RFC 6585 (HTTP 429)
- Logging & Integrity β RFC 8259 (JSON), RFC 5424 (Syslog Levels), CWE-117 (Log Injection Prevention), RFC 4251β4254 (SSH/SFTP)
For the complete compliance matrix with implementation details, see the Reference page.
Roadmap¶
| 202608 | 202610 | Backlog |
|---|---|---|
| Cisco Meeting support | Cisco ISR / CUBE / CME support | Assistant for troubleshooting |
| Cisco Expressway support | Assistant for certificate renewal | |
| Syslog support | Assistant for upgrades | |
| CUC CUMI Support (voicemail interactions) |
*ETA subject to change.
Versions & End-of-Life Policy¶
AI-Bridge for Cisco UC follows a calendar-based versioning scheme: vYYYYMM (e.g., v202606 for the June 2026 release).
Current release status:
| Release | Status | End of Life |
|---|---|---|
| v202605 | β GA | TBD |
| v202606 | β GA | TBD |
| v202608 | π Alpha (Next) | TBD |
Support policy:
- GA releases receive security patches, bug fixes, and compatibility updates.
- End of Life (EOL) dates are announced at least 12 months in advance.
- Only the latest GA release is actively supported. Customers are encouraged to upgrade promptly using the built-in upgrade system.
- License validity is version-agnostic β a valid license continues to work across upgrades.
For feature requests, bug reports, or EOL inquiries: support@sourdeau.com
Licensing¶
How Licensing Works¶
AI-Bridge for Cisco UC uses a simple, offline licensing model β no license server, no internet activation, no subscription portal.
A license is a digitally signed JWT file (license.jwt) issued by the editor and installed locally on the server. The server verifies the license signature at startup and periodically in the background β entirely offline.
What a License Contains¶
| Field | Description |
|---|---|
| Customer | Organization name |
| Tier | License tier (e.g., demo, standard, professional) |
| Products | List of enabled product modules (e.g., cucm, imp, cuc) |
| Max clients | Maximum number of simultaneous configured AI clients |
| Hostname binding | The license is bound to a specific server hostname β it cannot be reused on another host |
| Expiry date | License validity end date |
| Grace period | Extra period after expiry during which the server continues to operate (default: 30 days) |
License States¶
The server monitors its license continuously and operates in one of four states:
| State | Meaning | Server behavior |
|---|---|---|
| β VALID | License is current and all checks pass | Full operation |
| β οΈ GRACE | License has expired but within the grace period | Full operation β renewal reminder logged |
| β EXPIRED | License has expired and grace period is over | Product modules disabled β infra and common modules still available |
| π« INVALID | License file is missing, tampered, or hostname mismatch | Product modules not loaded |
How to Obtain a License¶
Licenses are issued by SARL SOURDEAU CONSULTING. To request a license:
- Contact contact@sourdeau.com with your organization name and intended deployment scope.
- You will receive a
license.jwtfile by secure transfer, along with installation instructions. - Drop the file into
secrets/license.jwtβ the server picks it up at next startup or on the next watchdog cycle (no restart required for renewal).
License validity is version-agnostic β a valid license continues to work across upgrades.
Demo license
A time-limited demo license is available on request to evaluate the product in your environment before purchase.
Renewal¶
License renewal follows the same process: contact the editor, receive a new license.jwt, and replace the file. The server automatically detects the new license within 24 hours without any restart.
Architecture & Design¶
High-Level Architecture¶
The following diagram illustrates the full internal architecture of AI-Bridge for Cisco UC, from the AI agent connection through the security layers down to the Cisco UC backends:
Text version (click to expand)
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AI Agent (MCP Client) β
β Claude Desktop / GitHub Copilot / Cursor / Custom β
ββββββββββββββββββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββββββββββββββ
β
β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β WEB Reverse-Proxy β
β (optional) β
ββββββββββββββββββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββββββββββββββ
β
β MCP over Streamable HTTP (HTTPS)
βΌ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AI-Bridge for Cisco UC (MCP Server) β
β β
β ββββββββββββ ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββββββββββββ β
β β β β Transport & Security Layer β β β β
β β β β TLS 1.2+ β DNS Rebinding β Host/Origin/Content-Type β β Watch- β β
β β AUDIT β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β dogs β β
β β & β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β
β βMIDDLEWAREβ β Authentication & Authorization β ββββββββββββ β
β β β β JWT (RS256) β OAuth 2.1 β RBAC Profiles β Rate Limit β Fail2Banβ β β β
β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β License β β
β β β βββββββββββββββββ¬ββββββββββββββββ¬ββββββββββββββββ¬ββββββββββββββββ β β β
β β app.log β β β β β β ββββββββββββ β
β β audit.logβ β UC β UC β Common β Infra Module β β β β
β β β β Module 1 β Module 2 β Module β β β Integrityβ β
β β β β β β β HTTP Routes β β β β
β β β β β β Reports β /health β ββββββββββββ β ββββββββββββββ
β β β β β β Charts β /metrics β β β β β β
β β β β β β PDF Export β /status β β Backup β βββββΊβ SFTP β
β β β β β β β /token β β β β β Server β
β β β β β β β /revoke β β β β β β
β ββββββββββββ βββββββββββββββββ΄ββββββββββββββββ΄ββββββββββββββββ΄ββββββββββββββββ ββββββββββββ β ββββββββββββββ
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββ¬ββββββββββββββββ¬βββββββ΄βββββββββ¬ββββββββββββββββ¬βββββββββββββββ
βΌ βΌ βΌ βΌ βΌ βΌ
ββββββββββββββ ββββββββββββββ ββββββββββββββ ββββββββββββββ ββββββββββββββ ββββββββββββββ
β β β β β β β β β β β β
β CUCM β β IMP β β CUC β β Expressway β β CUBE β β CMS/CMM β
β β β β β β β β β β β β
ββββββββββββββ ββββββββββββββ ββββββββββββββ ββββββββββββββ ββββββββββββββ ββββββββββββββ
Modules¶
The following table describes all the architecture components, from the external clients down to the built-in security layers and background subsystems.
External components β not part of AI-Bridge, provided by the customer environment:
| Component | Description |
|---|---|
| LLM | Large Language Model used by the AI agent (e.g., OpenAI GPT, Anthropic Claude, or a local model). Hosted in the cloud or on-premises. |
| MCP Client | AI agent that communicates with AI-Bridge over the MCP protocol (e.g., Claude Desktop, GitHub Copilot, Cursor, VS Code, custom agent). |
| Web Reverse Proxy | Optional component placed in front of AI-Bridge for TLS termination, or network segmentation (e.g., Nginx, Apache, HAProxy). |
| SFTP Server | SFTP repository to export the application backups |
Security & middleware layers β always active, built into the server:
| Component | Description |
|---|---|
| Transport Security | ASGI middleware enforcing TLS 1.2+, DNS rebinding protection, and Host / Origin / Content-Type header validation on every incoming request. |
| Authentication & Authorization | JWT (RS256) verification, OAuth 2.1 client credentials flow, RBAC profile enforcement, per-client rate limiting, and Fail2Ban IP blocking. |
| Audit & Middleware | MCP-level middleware logging every tool call, resource read, and prompt request to audit.log with client identity, source IP, and result. |
Product modules β loaded conditionally based on license entitlements:
| Module | Namespace | MCP Tools | Description |
|---|---|---|---|
| CUCM | cucm_ |
20 | Full management of Cisco Unified Communications Manager clusters: credentials, AXL/SOAP operations, RIS real-time queries, VOS CLI commands, Phone Web Access, connectivity diagnostics. |
| IMP | imp_ |
14 | Management of Cisco IM & Presence Service nodes: credentials, AXL/SOAP operations, VOS CLI commands, connectivity diagnostics. |
| CUC | cuc_ |
13 | Management of Cisco Unity Connection nodes: credentials, CUPI REST operations (users, mailboxes, call handlers, distribution lists, restriction tables), VOS CLI commands, SSH diagnostics. |
Built-in modules β always loaded, not license-gated:
| Module | Namespace | MCP Tools | Description |
|---|---|---|---|
| Common | common_ |
3 | Cross-product report engine: Markdown report read/write, 9 chart types (pie, bar, donut, radar, gauge, treemap, grouped bars, waterfall, severity matrix), PDF export. |
| Infra | infra_ |
10 | Server infrastructure: session bootstrap, RBAC self-discovery, documentation discovery, license state, plus HTTP endpoints /health, /metrics (Prometheus), /status, /token, /revoke. |
Background watchdogs β independent threads running after startup:
| Watchdog | Interval | Description |
|---|---|---|
| License | 24 h | Check licensing compliance - Periodically re-verifies the RS256-signed license JWT |
| Integrity | 24 h | Check server integrity - Periodically re-runs manifest verification and signature check |
| Backup | 24 h | Backup execution - Periodically creates encrypted backup archives with optional SFTP export |