Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
Load Balancer Configuration for Redundancy for SIP Federation


About the Load Balancer

For redundancy and high availability purposes, you can incorporate a load balancer into the federated network. Cisco recommends the Cisco CSS 11500 Content Services Switch, which is placed between the IM and Presence Service node and the Cisco Adaptive Security Appliance (see High Availability for SIP Federation).

The load balancer terminates incoming TLS connections from Cisco Adaptive Security Appliance, and initiates a new TLS connection to route the content to the appropriate backend IM and Presence Service node.

IM and Presence Service Node Updates

When using a load balancer for redundancy, you must update settings on the IM and Presence Service publisher and subscriber nodes.

Procedure


Update the federation routing parameter

Log in to Cisco Unified IM and Presence Administration, choose System > Service Parameters > Cisco SIP Proxy from the Service menu and enter these values:

  • Virtual IP Address - enter the virtual IP address set on the load balancer
  • Server Name - set to the FQDN of the load balancer
  • Federation Routing IM and Presence FQDN - set to the FQDN of the load balancer

Create a new TLS peer subject

  1. Log in to Cisco Unified IM and Presence Administration, choose System > Security > TLS Peer Subjects.
  2. Click Add New and enter these values:
    • Peer Subject Name - enter the external FQDN of the load balancer
    • Description - enter the name of the load balancer

Add the TLS peer to the TLS peer subjects list

  1. Log in to Cisco Unified IM and Presence Administration, choose System > Security > TLS Context Configuration.
  2. Click Find.
  3. Click Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.
  4. Move the federation TLS peer subject for the load balancer to the TLS peer subjects list.

Cisco Adaptive Security Appliance Updates

When using a load balancer, the external domain still sends messages to the public IM and Presence Service address, but the Cisco Adaptive Security Appliance maps that address to a virtual IP address on the load balancer. When the Cisco Adaptive Security Appliance receives messages from the external domain, it therefore forwards them to the load balancer, which passes them on to the appropriate IM and Presence Service node.

To support this configuration, you must make some changes to the Cisco Adaptive Security Appliance:

Static PAT Message Updates

You must update the static PAT messages to include the load balancer details.

Procedure

Changes Required for the IM and Presence Service Publisher

Change the static PAT to use an arbitrary, unused port for the public IM and Presence Service address (port 5061 on the public address is reassigned to the load balancer virtual IP address in the next step).

Cisco Adaptive Security Appliance Release 8.2 Command

Change:

static (inside,outside) tcp public_imp_ip_address 5061 routing_imp_private_ip_address 5062 netmask 255.255.255.255

to:

static (inside,outside) tcp public_imp_ip_address 55061 routing_imp_publisher_private_ip_address 5062 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 Command

Change:

object service obj_tcp_source_eq_5061
 service tcp source eq 5061

nat (inside,outside) source static obj_host_routing_imp_private_ip_address obj_host_public_imp_ip_address service obj_tcp_source_eq_5062 obj_tcp_source_eq_5061

to:

object service obj_tcp_source_eq_55061
 service tcp source eq 55061

nat (inside,outside) source static obj_host_routing_imp_private_ip_address obj_host_public_imp_ip_address service obj_tcp_source_eq_5062 obj_tcp_source_eq_55061

Add a new static PAT to allow messages sent to the public IM and Presence Service address to be forwarded to the load balancer virtual IP address (on whichever port the load balancer is listening for TLS messages).

Cisco Adaptive Security Appliance Release 8.2 Command

static (inside,outside) tcp public_imp_address 5061 load_balancer_vip 5062 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 Command

object network obj_host_load_balancer_vip
 host load_balancer_vip

object service obj_tcp_source_eq_5061
 service tcp source eq 5061

nat (inside,outside) source static obj_host_load_balancer_vip obj_host_public_imp_ip_address service obj_tcp_source_eq_5062 obj_tcp_source_eq_5061
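Why the publisher's static PAT has to move off port 5061 is easiest to see with the translation table written out. The following Python is an added example, not part of the Cisco guide and not a Cisco tool: it parses Release 8.2 style static lines, builds the table from public (address, port) to inside (address, port), and flags any public socket claimed by two entries. The entries are constructed from the chapter's placeholder names; the subscriber entry on port 65061 is an assumption taken from the access lists later in the chapter.

```python
"""Check ASA 8.2-style 'static' PAT entries for a public address/port clash
before and after the change this chapter describes.

Added example, not from the Cisco guide and not a Cisco tool. The entries
below are constructed from the chapter's placeholder names; the subscriber
entry on port 65061 is an assumption based on the chapter's access lists.
"""
import re
from collections import defaultdict

# static (inside,outside) tcp <public_ip> <public_port> <private_ip> <private_port> netmask <mask>
STATIC_RE = re.compile(
    r"^static\s+\((?P<inside>\w+),(?P<outside>\w+)\)\s+tcp\s+"
    r"(?P<pub_ip>\S+)\s+(?P<pub_port>\d+)\s+"
    r"(?P<priv_ip>\S+)\s+(?P<priv_port>\d+)\s+netmask\s+(?P<mask>\S+)$"
)


def parse_static(line):
    """Split one static PAT line into its public and private (ip, port) pairs."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static PAT line: {line!r}")
    d = m.groupdict()
    return {"public": (d["pub_ip"], int(d["pub_port"])),
            "private": (d["priv_ip"], int(d["priv_port"]))}


def pat_table(lines):
    """Map each public (ip, port) to the private (ip, port) targets claiming it."""
    table = defaultdict(list)
    for line in lines:
        entry = parse_static(line)
        table[entry["public"]].append(entry["private"])
    return dict(table)


def collisions(lines):
    """Public (ip, port) pairs claimed by more than one entry. The ASA cannot
    forward one inbound socket to two inside hosts, so these are errors."""
    return {pub: targets for pub, targets in pat_table(lines).items() if len(targets) > 1}


def resolve(lines, public_ip, public_port):
    """Inside target for traffic arriving at public_ip:public_port, or None if
    the mapping is missing or ambiguous."""
    targets = pat_table(lines).get((public_ip, public_port), [])
    return targets[0] if len(targets) == 1 else None


# Constructed: the original publisher entry left on 5061 plus the new
# load-balancer entry, also on 5061 -> clash.
BEFORE = [
    "static (inside,outside) tcp public_imp_ip_address 5061 routing_imp_private_ip_address 5062 netmask 255.255.255.255",
    "static (inside,outside) tcp public_imp_ip_address 5061 load_balancer_vip 5062 netmask 255.255.255.255",
]

# Constructed: publisher moved to the arbitrary port 55061, subscriber on
# 65061 (assumption), load balancer VIP now owns 5061.
AFTER = [
    "static (inside,outside) tcp public_imp_ip_address 55061 routing_imp_publisher_private_ip_address 5062 netmask 255.255.255.255",
    "static (inside,outside) tcp public_imp_ip_address 65061 routing_imp_subscriber_private_ip_address 5062 netmask 255.255.255.255",
    "static (inside,outside) tcp public_imp_ip_address 5061 load_balancer_vip 5062 netmask 255.255.255.255",
]

if __name__ == "__main__":
    for name, entries in (("before", BEFORE), ("after", AFTER)):
        clash = collisions(entries)
        print(f"{name}: {'OK' if not clash else 'CLASH ' + str(clash)}")
    print("5061 now lands on", resolve(AFTER, "public_imp_ip_address", 5061))
```

Run it as a script to see the before set rejected and the after set resolve 5061 to the load balancer VIP; the same functions can be pointed at the static lines of a real running-config export.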

Changes Required for the IM and Presence Service Subscriber

Add a new access list for the load balancer virtual IP address. You must add an access list for each external domain that IM and Presence Service needs to access.

access-list ent_lber_to_external_ocs extended permit tcp host subscriber_private_ip_address host external_domain_public_ip_address eq 5061

Add a new access list for an external domain to initiate messages to an IM and Presence Service node when the load balancer virtual IP address is in place. You must add an access list for each external domain that needs to access IM and Presence Service.

access-list ent_lcs_to_lber_routg_imp extended permit tcp host external_domain_public_ip_address host imp_public_ip_address eq 65061


Access List Updates

To support the load balancer, you also need to update the access lists on the Cisco Adaptive Security Appliance specific to your deployment scenario.


Note

The IM and Presence Service public IP address refers to the public IP address of the IM and Presence Service domain as configured on the Cisco Adaptive Security Appliance and as it appears in the DNS record. That DNS record maps the FQDN of the load balancer to the public IP address of the Cisco Adaptive Security Appliance.

Procedures

Deployment Scenario: An IM and Presence Service node federating with one or more external domains


Add a new access list for the new load balancer virtual IP address. You must add an access list for each external domain that IM and Presence Service needs to access.

Publisher:

Cisco Adaptive Security Appliance Release 8.2 and 8.3 Command:

access-list ent_lber_to_external_ocs extended permit tcp host virtual_IP_address host external_domain_public_ip_address eq 5061

Add a new access list for an external domain to initiate messages to an IM and Presence Service node when the load balancer virtual IP address is in place. You must add an access list for each external domain that needs to access IM and Presence Service.

Publisher:

Cisco Adaptive Security Appliance Release 8.2 Command:

access-list ent_lcs_to_lber_routgimp extended permit tcp host external_domain_public_ip_address host imp_public_ip_address eq 5062

Cisco Adaptive Security Appliance Release 8.3 Command:

access-list ent_external_server_to_lb extended permit tcp host external_public_address host loadbalancer_virtual_ip_address eq 5062

For each access list, add a new class to incorporate the new access list.

class-map ent_lber_to_external_ocs
 match access-list ent_lber_to_external_ocs

For each class, make an entry in the policy-map global_policy for messages initiated by the IM and Presence Service.

policy-map global_policy
 class ent_lber_to_external_ocs
  inspect sip sip_inspect tls-proxy ent_imp_to_external

For each class, make an entry in the policy-map global_policy for messages initiated on an external domain.

policy-map global_policy
 class ent_lcs_to_lber_routgimp
  inspect sip sip_inspect tls-proxy ent_external_to_imp

Deployment Scenario: IM and Presence Service to IM and Presence Service Federation, where the external domain has added one or more intercluster IM and Presence Service nodes


The Cisco Adaptive Security Appliance in the external domain must allow access to the arbitrary ports that were selected for the local domain publisher and subscriber.

access-list ent_imp_to_externalPubimpwlber extended permit tcp host external_domain_private_imp_address host public_imp_address_local_domain eq 55061

access-list ent_imp_to_externalSubimpwlber extended permit tcp host external_domain_private_imp_address host public_imp_address_local_domain eq 65061

For each access list, add a new class to incorporate the new access list.

For each class, make an entry in the policy-map global_policy.

TLS Proxy Instance Updates

Update the TLS proxy instances on the Cisco Adaptive Security Appliance.

Procedure

Change:

tls-proxy ent_external_to_imp
 server trust-point msoft_public_fqdn
 client trust-point imp_proxy
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

tls-proxy ent_imp_to_external
 server trust-point imp_proxy
 client trust-point msoft_public_fqdn
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

to:

tls-proxy ent_external_to_imp
 server trust-point msoft_public_fqdn
 client trust-point msoft_public_fqdn
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

tls-proxy ent_imp_to_external
 server trust-point msoft_public_fqdn
 client trust-point msoft_public_fqdn
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
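The access-list, class-map and policy-map entries in the Access List Updates section and the TLS proxy instances in this section reference one another by name, and a mismatch anywhere in that chain leaves the policy incomplete. The following Python is an added example, not part of the Cisco guide and not a Cisco tool: it reads those fragments in running-config form and cross-checks every reference. The sample configuration is constructed from the chapter's Release 8.2 publisher placeholder names; the warning about null-sha1 is this checker's own addition.

```python
"""Cross-check the ASA access-list, class-map, policy-map and tls-proxy
fragments this chapter adds for the load balancer. Added example, not from
the Cisco guide and not a Cisco tool: it reads the fragments in running-config
form (sub-mode lines indented) and reports dangling references. The sample
configs are constructed from the chapter's placeholder names."""
import re

TLS_PROXY_RE = re.compile(r"\btls-proxy\s+(\S+)")

def parse_asa(config_text):
    """Collect access-lists, class-maps, policy-map classes and tls-proxies."""
    cfg = {"access_lists": {}, "class_maps": {}, "policy_maps": {}, "tls_proxies": {}}
    ctx = ("", "", None)  # (top-level command, its name, selected policy-map class)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if not raw[0].isspace():  # a top-level command opens (or ends) a sub-mode
            kind, name = words[0], (words[1] if len(words) > 1 else "")
            ctx = (kind, name, None)
            if kind == "access-list":
                cfg["access_lists"].setdefault(name, []).append(line)
            elif kind == "class-map":
                cfg["class_maps"][name] = None  # filled in by 'match access-list'
            elif kind == "policy-map":
                cfg["policy_maps"].setdefault(name, {})
            elif kind == "tls-proxy":
                cfg["tls_proxies"][name] = {}
            continue
        kind, name, cls = ctx
        if kind == "class-map" and words[:2] == ["match", "access-list"]:
            cfg["class_maps"][name] = words[2]
        elif kind == "policy-map" and words[0] == "class":
            ctx = (kind, name, words[1])
            cfg["policy_maps"][name].setdefault(words[1], [])
        elif kind == "policy-map" and words[:2] == ["inspect", "sip"] and cls:
            m = TLS_PROXY_RE.search(line)  # None if the inspect line names no tls-proxy
            cfg["policy_maps"][name][cls].append(m.group(1) if m else None)
        elif kind == "tls-proxy" and words[1:2] == ["trust-point"]:
            cfg["tls_proxies"][name][words[0]] = words[2]  # words[0]: server or client
        elif kind == "tls-proxy" and words[:2] == ["client", "cipher-suite"]:
            cfg["tls_proxies"][name]["ciphers"] = words[2:]
    return cfg

def check(cfg):
    """Return (severity, message) findings; severity is 'error' or 'warning'."""
    findings = []
    add = findings.append
    for cm, acl in cfg["class_maps"].items():
        if acl not in cfg["access_lists"]:
            add(("error", f"class-map {cm}: matches access-list {acl}, which is not defined"))
    for acl in cfg["access_lists"]:
        if acl not in cfg["class_maps"].values():
            add(("warning", f"access-list {acl}: no class-map matches it, so it is never inspected"))
    for pm, classes in cfg["policy_maps"].items():
        for cls, proxies in classes.items():
            if cls not in cfg["class_maps"]:
                add(("error", f"policy-map {pm}: class {cls} has no class-map"))
            for tp in proxies:
                if tp not in cfg["tls_proxies"]:
                    add(("error", f"policy-map {pm} class {cls}: tls-proxy {tp} is not defined"))
    for tp, attrs in cfg["tls_proxies"].items():
        for role in ("server", "client"):
            if role not in attrs:
                add(("error", f"tls-proxy {tp}: missing {role} trust-point"))
        if "null-sha1" in attrs.get("ciphers", []):
            add(("warning", f"tls-proxy {tp}: cipher-suite offers null-sha1, which authenticates but does not encrypt"))
    return findings

def errors(config_text):
    return [msg for sev, msg in check(parse_asa(config_text)) if sev == "error"]

# Constructed from the chapter's Release 8.2 publisher fragments.
GOOD_CONFIG = """\
access-list ent_lber_to_external_ocs extended permit tcp host virtual_IP_address host external_domain_public_ip_address eq 5061
access-list ent_lcs_to_lber_routgimp extended permit tcp host external_domain_public_ip_address host imp_public_ip_address eq 5062
class-map ent_lber_to_external_ocs
 match access-list ent_lber_to_external_ocs
class-map ent_lcs_to_lber_routgimp
 match access-list ent_lcs_to_lber_routgimp
policy-map global_policy
 class ent_lber_to_external_ocs
  inspect sip sip_inspect tls-proxy ent_imp_to_external
 class ent_lcs_to_lber_routgimp
  inspect sip sip_inspect tls-proxy ent_external_to_imp
tls-proxy ent_external_to_imp
 server trust-point msoft_public_fqdn
 client trust-point msoft_public_fqdn
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
tls-proxy ent_imp_to_external
 server trust-point msoft_public_fqdn
 client trust-point msoft_public_fqdn
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
"""
# Constructed: same text with the last tls-proxy block dropped, so the policy-map points at a missing proxy.
BROKEN_CONFIG = GOOD_CONFIG.split("\ntls-proxy ent_imp_to_external\n")[0]
```

`errors(GOOD_CONFIG)` returns an empty list and `check()` reports only the two null-sha1 warnings, while `errors(BROKEN_CONFIG)` names the policy-map class whose tls-proxy is missing. Feed it the relevant sections of a real running-config export to get the same pass/fail before applying the change.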

CA-Signed Security Certificate Updates

When adding the load balancer to the configuration, you must also generate CA-signed security certificates between the load balancer, the Cisco Adaptive Security Appliance, and the IM and Presence Service node as described in these sections:

Security Certificate Configuration Between the Load Balancer and Cisco Adaptive Security Appliance

This topic provides an overview of the required steps for configuring the security certificate between the load balancer and the Cisco Adaptive Security Appliance. For details, refer to the Cisco CSS 11500 Content Services Switch documentation: http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_installation_and_configuration_guides_list.html

Procedure


Generate a CA-signed certificate for the load balancer on the Cisco Adaptive Security Appliance.

Use the crypto ca enroll command and specify the FQDN of the load balancer.

Import the CA-signed certificate from the Cisco Adaptive Security Appliance to the load balancer.

Use the copy ssl command.

Generate a CA-signed certificate for the Cisco Adaptive Security Appliance on the load balancer.

These steps provide an overview but refer to the CSS SSL Configuration Guide for details:

  1. Enter global configuration mode (configure terminal).
  2. Generate the RSA key pair used in the exchange (ssl genrsa).
  3. Associate the generated RSA key pair with a file (ssl associate).
  4. Generate the Certificate Signing Request (ssl gencsr).
  5. Obtain a root CA certificate from the CA.
  6. Transfer the CSR to the CA.
  7. Re-import the signed certificate into the load balancer (copy ssl and ssl associate).

Import the CA-signed certificate from the load balancer to the Cisco Adaptive Security Appliance.

Use the crypto ca trustpoint command.

To verify that the certificate was imported, use the show crypto ca certificate command.

Security Certificate Configuration Between the Load Balancer and IM and Presence Service Node

This topic provides an overview of the required steps for configuring the security certificate between the load balancer and the IM and Presence Service nodes.

Procedure


Generate a CA-signed certificate on both the publisher and subscriber nodes.

Follow the instructions to exchange certificates using CA-signed certificates.

Import the CA-signed certificates (from the publisher and subscriber nodes) to the load balancer.

Use the copy ssl and ssl associate commands.

Microsoft Component Updates

You must update some Microsoft components with the load balancer details.

Procedure


Update all instances of the FQDN to correspond to the load balancer FQDN.

Update the domain name in the IM Provider list with the load balancer.

  1. On the external Access Edge server, choose Start > Administrative Tools > Computer Management.
  2. In the left pane, right-click Microsoft Office Communications Server 2007.
  3. Click the IM Provider tab.
  4. Click Add.
  5. Check the check box for Allow the IM service provider.

Define the network address of the IM service provider as the public FQDN of the load balancer.

AOL Component Updates

If you incorporate a load balancer into your AOL federation deployment, you must provide AOL with some details about the load balancer. Refer to the section in the Related Topics for details.

Load Balancer Configuration

This topic gives an overview of the necessary tasks for configuring the Cisco CSS 11500 Content Services Switch for this integration. The Cisco CSS 11500 Content Services Switch must have an SSL Accelerator Module installed and configured in back-end SSL mode. For detailed information on each task, refer to the Cisco CSS 11500 Content Services Switch documentation at the following URL:

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_installation_and_configuration_guides_list.html

Procedure


Configure certificate exchange between the Cisco CSS 11500 Content Services Switch and IM and Presence Service.

  • CA or self-signed certificates can be used in the SSL module.
  • You need to generate a certificate for the Cisco CSS 11500 Content Services Switch, and import this onto the remote server.
  • You need to import the certificate from the remote server onto the Cisco CSS 11500 Content Services Switch.

Configure certificate exchange between the Cisco CSS 11500 Content Services Switch and Cisco Adaptive Security Appliance.

You must define a virtual SSL server in an SSL proxy list so that an SSL module can properly process and terminate SSL communications from the client and initiate an HTTP connection to the server.

  • You must specify the IP address and port number that the Cisco Adaptive Security Appliance points to.
  • You must specify the name of the existing certificate and key pair for the Cisco Adaptive Security Appliance.

Create a Back-End SSL server entry in SSL Proxy List for each IM and Presence Service node.

  • You must specify the IM and Presence Service node address. Note that the IM and Presence Service nodes (back-end servers) must be on a different subnet than the VIP address.
  • The back-end server connection can be a different TLS cipher suite than the front-end, or can be TCP.
  • You must specify the port to receive the TLS traffic on the Cisco CSS 11500 Content Services Switch.
  • You must specify the port to send the TLS traffic to the IM and Presence Service nodes.

Create an SSL service for SSL termination for each IM and Presence Service node.

  • When specifying the keepalive port, ensure that the port number is the same as those you configured for the Back-End SSL server entries.
  • The keepalive message type value should be "tcp".

Create the SSL module.

  • You must specify the physical slot number of the SSL module. Use the CSS command "show chassis" to retrieve this slot number.
  • In the SSL module you must associate an IM and Presence Service node with an SSL service, for example add ssl-proxy-list called ssl_list1.

Create an internal content rule to route the decrypted data from the Cisco Adaptive Security Appliance to the IM and Presence Service node.

Create a content rule to route TLS data to the SSL module for decryption and load balancing.

Create a NAT association between the VIP and the back-end IM and Presence Service nodes.

When using a Cisco CSS 11500 Content Services Switch directly between IM and Presence Service and Microsoft OCS (no Cisco Adaptive Security Appliance), you must be able to resolve the certificate Subject Common Name for the IM and Presence Service node to IM and Presence Service IP address from OCS. Also each IM and Presence Service node Subject Common Name must be in the OCS host authorization list.