Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
Interdomain Federation to Microsoft OCS/Lync Configuration within Enterprise

Interdomain Federation to Microsoft Server within an Enterprise

Figure 1. Interdomain Federation to Microsoft Server within an Enterprise



When the Microsoft server and IM and Presence Service domains are different, you can configure federation within the enterprise. You do not have to use subdomains; separate domains are equally applicable. See topics related to federation and subdomains for more information.

Add a Microsoft Server Domain Within Enterprise

When you configure a federated domain entry for an OCS or Lync server, the IM and Presence Service automatically adds the incoming ACL for the federated domain entry. You can see the incoming ACL associated with a federated domain on IM and Presence Administration, but you cannot modify or delete it. You can only delete the incoming ACL when you delete the (associated) federated domain entry.

Procedure
    Step 1   Log in to the Cisco Unified CM IM and Presence Administration user interface. Choose Presence > Inter-Domain Federation > SIP Federation.
    Step 2   Click Add New.
    Step 3   Enter the federated domain name in the Domain Name field.
    Step 4   Enter a description that identifies the federated domain in the Description field.
    Step 5   Choose Inter-domain to OCS/Lync.
    Step 6   Check the Direct Federation check box.
    Step 7   Click Save.
    Step 8   After you add, edit, or delete a SIP federated domain, restart the Cisco XCP Router. Log in to the Cisco Unified IM and Presence Service Serviceability user interface. Choose Tools > Control Center - Network Services. When you restart the Cisco XCP Router, it causes a restart of all XCP services on the IM and Presence Service.

    Federated Link to Microsoft OCS Server Configuration Task List

    The following table provides an overview of the steps to configure federated links between IM and Presence Service and Microsoft OCS servers.

    If you are using direct federation from the IM and Presence Service to OCS, without the Microsoft Access Edge server or the Cisco Adaptive Security Appliance, you must configure a TLS or TCP static route on the OCS server that points to an IM and Presence Service node. Neither the Cisco Adaptive Security Appliance nor the Microsoft Access Edge server is required.

    • For Standard Edition, you must configure static routes on all Standard Edition servers.
    • For Enterprise Edition, you must configure static routes on all pools.
    Table 1 Task List for End-to-End Configuration of Federated Links to Microsoft OCS Server

    1. Configure a static route on IM and Presence Service
    TLS or TCP is supported.
    For TLS, select TLS as the Protocol Type and 5061 as the Next Hop Port number.
    For TCP, select TCP as the Protocol Type and 5060 as the Next Hop Port number.

    2. Configure a static route on OCS for IM and Presence Service
    TLS or TCP is supported.
    For TLS, the static route port should be 5061.
    For TCP, the static route port should be 5060.
    Note   For TLS, the IM and Presence Service Peer Auth Listener port is set to port 5062 by default. Because the Peer Auth Listener port accepts federated traffic from the Microsoft server, you must change the Peer Auth Listener port to 5061 so that it matches the Microsoft server's static route. To configure the IM and Presence Service Peer Auth Listener port as 5061, log in to Cisco Unified CM IM and Presence Administration and choose System > Application Listeners.

    3. Configure a host authorization entry for the IM and Presence Service
    This procedure applies to TLS and TCP.
    For TLS, you must add two host authorization entries for each IM and Presence Service node: one entry using the IP address of the IM and Presence Service node, and a second entry using the IM and Presence Service FQDN.
    For TCP, only one host authorization entry, using the IM and Presence Service IP address, needs to be added for each IM and Presence Service node.

    4. Configure the certificates on OCS
    This procedure is only for TLS.
    To retrieve the CA root certificate and the OCS signed certificate, perform the following steps:
    • Download and install the CA certificate chain.
    • Request a certificate from the CA server.
    • Download the certificate from the CA server.
    In the OCS Front End Server Properties, ensure that the TLS listener for port 5061 on OCS is configured. (The transport can be MTLS or TLS.)
    From the OCS Front End Server Properties, choose the Certificates tab, and click Select Certificate to choose the OCS signed certificate.

    5. Configure the certificates on the IM and Presence Service
    This procedure is only for TLS.
    You must upload the root certificate for the CA that signs the OCS server certificates to IM and Presence Service. You must also generate a CSR for IM and Presence Service and have it signed by the CA, then upload the CA-signed certificate to IM and Presence Service.
    You must then add a TLS peer subject on IM and Presence Service for the OCS server. See topics related to setting up certificates for detailed instructions.

    Configure a Static Route on IM and Presence Service for an OCS Server

    To configure the IM and Presence Service to use TCP or TLS when exchanging IM and presence with a federated Microsoft OCS domain, you must configure a static route on IM and Presence Service that points to the OCS (and not the external edge of Microsoft Access Edge).

    You must add an individual static route for the OCS domain. The OCS domain static route should point to the IP address of a specific OCS Enterprise Edition front-end server or Standard Edition server.

    For high availability purposes, you can configure additional backup static routes to each OCS domain. The backup route has a lower priority and is used only if the next hop address of the primary static route is unreachable.

    Procedure
      Step 1   Log in to the Cisco Unified CM IM and Presence Administration user interface. Choose Presence > Routing > Static Routes.
      Step 2   Click Add New.
      Step 3   Enter the destination pattern value so that the domain, or FQDN, is reversed. For example:
      • If the domain is domaina.com, enter .com.domaina.* as the Destination Pattern value.
      • If the FQDN is name1.name2.domain.com, the Destination Pattern value must be .com.domain.name2.name1.
      Step 4   Enter the remaining parameters as follows:
      1. The Next Hop value is the OCS IP address or FQDN.
      2. The Next Hop Protocol Type value and Port number.
        • For TCP, enter TCP as the Protocol Type and 5060 as the Port number.
        • For TLS, enter TLS as the Protocol Type and 5061 as the Port number.
      3. The Route Type value is domain.
      Step 5   Click Save.
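The reversed Destination Pattern in Step 3 is easy to get wrong by hand, and a wrong pattern silently routes nothing. The following script is an added example, not part of the Cisco page: ConvertTo-ImpDestinationPattern produces the pattern the form expects from a domain (for example domaina.com becomes .com.domaina.*) or from an FQDN, and Test-ImpDestinationPattern shows which request-URI hosts a pattern covers. The matching rule it applies (the pattern is compared against the reversed host name, with a trailing .* covering any further labels) is an assumption about how the proxy evaluates the pattern; the reversal itself is exactly what the procedure above describes.

```powershell
# Added example (not Cisco's code). Builds the reversed Destination Pattern that the
# IM and Presence Service static-route form expects, and shows which hosts it matches.

function ConvertTo-ImpDestinationPattern {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        # Domain route: pattern ends in ".*" so every host in the domain matches.
        # Fqdn route: pattern is the exact reversed host name.
        [ValidateSet('Domain', 'Fqdn')][string]$RouteType = 'Domain'
    )
    # Split the name into labels, reverse them, and re-join with a leading dot.
    $labels = $Name.Trim().TrimEnd('.').ToLowerInvariant().Split('.')
    [array]::Reverse($labels)
    $pattern = '.' + ($labels -join '.')
    if ($RouteType -eq 'Domain') { $pattern += '.*' }
    return $pattern
}

function Test-ImpDestinationPattern {
    # Assumed matching rule: compare the reversed host against the pattern;
    # a trailing ".*" matches the domain itself and any host beneath it.
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,
        [Parameter(Mandatory = $true)][string]$HostName
    )
    $labels = $HostName.Trim().TrimEnd('.').ToLowerInvariant().Split('.')
    [array]::Reverse($labels)
    $reversedHost = '.' + ($labels -join '.')
    if ($Pattern.EndsWith('.*')) {
        $prefix = $Pattern.Substring(0, $Pattern.Length - 2)
        return ($reversedHost -eq $prefix) -or $reversedHost.StartsWith($prefix + '.')
    }
    return $reversedHost -eq $Pattern
}

# Constructed inputs taken from the procedure above.
ConvertTo-ImpDestinationPattern -Name 'domaina.com'
ConvertTo-ImpDestinationPattern -Name 'name1.name2.domain.com' -RouteType Fqdn

# Which hosts does the domain pattern route? Note that the reversal makes this a
# suffix match on the real name: domainab.com and domaina.com.evil.example do not match.
$pattern = ConvertTo-ImpDestinationPattern -Name 'domaina.com'
foreach ($h in 'domaina.com', 'ocs-fe1.domaina.com', 'domainab.com', 'domaina.com.evil.example') {
    '{0,-28} -> {1}' -f $h, (Test-ImpDestinationPattern -Pattern $pattern -HostName $h)
}
```

Run it in any Windows PowerShell session; it touches no server. The last loop is the point of the reversal: because matching is done on the reversed labels, a domain pattern can only match the domain and its subdomains, never a look-alike domain that merely starts with the same characters.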

      What to Do Next

      Configure static routes on OCS for IM and Presence Service.

      Configure Static Routes on OCS to Point to the IM and Presence Service

      To allow OCS to route requests to the IM and Presence, you must configure a TLS or TCP static route on the OCS server. The static route points to an IM and Presence Service node.


      Note


      • For Standard Edition, you must complete this procedure on all Standard Edition servers.
      • For Enterprise Edition, you must complete this procedure on all pools.

      Procedure
        Step 1   Choose Start > Programs > Administrative Tools > Office Communications Server 2007 R2.
        Step 2   Right-click the Enterprise Edition pool name or the Standard Edition server name, as appropriate.
        Step 3   Choose Properties > Front End Properties.
        Step 4   Choose the Routing tab and click Add.
        Step 5   Enter the domain for the IM and Presence Service node, for example, foo.com.
        Step 6   Ensure that the check box for Phone URI is unchecked.
        Step 7   Set the next hop transport, port, and IP address/FQDN values:
        • For TCP, choose TCP as the Next Hop Transport value and enter a Next Hop Port value of 5060. Enter the IP address of the IM and Presence Service node as the Next Hop IP Address.
        • For TLS, choose TLS as the Next Hop Transport value and enter a Next Hop Port value of 5061. Enter the FQDN of the IM and Presence Service node as the Next Hop FQDN.
          Note   
          • The port used for the TLS static route must match the Peer Auth Listener port that is configured on the IM and Presence Service node.
          • The FQDN must be resolvable by the OCS server. Ensure that the FQDN resolves to the IP address of the IM and Presence Service node.
        Step 8   Ensure that the check box for Replace host in request URI is unchecked.
        Step 9   Click OK to close the Add Static Route window. The new static route should appear in the Routing list.
        Step 10   Click OK again to close the Front End Server Properties window.

        What to Do Next

        Proceed to add the host authorization on OCS for the IM and Presence Service.

        Adding a Host Authorization Entry for the IM and Presence Service Node on OCS

        To allow OCS to accept SIP requests from the IM and Presence Service without being prompted for authorization, you must configure host authorization entries on OCS for each IM and Presence Service node.

        If you are configuring TLS encryption between OCS and the IM and Presence Service, you must add two Host Authorization entries for each IM and Presence Service node, as follows:

        • The first entry must contain the FQDN of the IM and Presence Service node.
        • The second entry must contain the IP address of the IM and Presence Service node.

        If you are not configuring TLS encryption, then you add only one host authorization entry for each IM and Presence Service node. This host authorization entry must contain the IP address of the IM and Presence Service node.

        The following procedure describes how to add the required host authorization entries.


        Note


        • For Standard Edition, you must perform this procedure on all Standard Edition servers.
        • For Enterprise Edition, you must perform this procedure on all pools.

        Procedure
          Step 1   Choose the Host Authorization tab on OCS.
          Step 2   Perform one of the following steps:
          1. Enter the IP address of the authorized host if you configured a static route on OCS that specifies the next hop computer by its IP address.
          2. Enter the FQDN of the authorized host if you configured a static route on OCS that specifies the next hop computer by its FQDN.
          Step 3   Click Add.
          Step 4   Choose IP.
          Step 5   Enter the IP address of the IM and Presence Service node.
          Step 6   Check the Throttle as Server check box.
          Step 7   Check the Treat as Authenticated check box.
          Note   

          Do not check the Outbound Only check box.

          Step 8   Click OK.

          Enable Port 5060/5061 on the OCS Server

          For TCP static routes to the OCS server, use port 5060.

          For TLS static routes to the OCS server, use port 5061.

          Procedure
            Step 1   Choose Start > Programs > Administrative Tools > Microsoft Office Communications Server 2007 on OCS.
            Step 2   Right-click on the FQDN of Front End server.
            Step 3   Choose Properties > Front End Properties and choose the General tab.
            Step 4   If port 5060 or 5061 is not listed under Connections, click Add.
            Step 5   Configure port value as follows:
            1. Choose All as the IP Address Value.
            2. Choose the Port Value.
              • For TCP, choose 5060 as the Port Value.
              • For TLS, choose 5061 as the Port Value.
            3. Choose the Transport value.
              • For TCP, choose TCP as the Transport Value.
              • For TLS, choose TLS as the Transport Value.
            Step 6   Click OK.

            Federated Link to Microsoft Lync Server Configuration Task Lists

            The following tables provide an overview of the end-to-end steps to configure federated links between IM and Presence Service and Microsoft Lync servers.

            The following table provides an overview of the steps to configure static routes for federated links between IM and Presence Service nodes and Microsoft Lync servers. You must configure TLS static routes between the IM and Presence Service and Microsoft Lync for federation; TCP is not supported. For more information about configuring static routes used for federated links to Microsoft Lync servers, see http://technet.microsoft.com/en-us/library/gg558664.aspx.

            Table 2 Task List to Configure Static Route for Federated Link to Microsoft Lync Server

            1. Configure a static route on IM and Presence Service
            Create a static route on IM and Presence Service for the Lync server. Select TLS as the Protocol Type and 5061 as the Next Hop Port number.

            2. Configure a static route on Lync for IM and Presence Service
            Create a static route on the Lync server for IM and Presence Service. Create the static route only to the IM and Presence Service routing node. Do not create static routes to subscriber nodes or to any intercluster peer nodes, even if your IM and Presence Service deployment has multiple clusters.
            Note   For TLS, the IM and Presence Service Peer Auth Listener port is set to port 5062 by default. Because the Peer Auth Listener port accepts federated traffic from the Microsoft server, you must change the Peer Auth Listener port to 5061 so that it matches the Microsoft server's static route. To configure the IM and Presence Service Peer Auth Listener port as 5061, log in to Cisco Unified CM IM and Presence Administration and choose System > Application Listeners.

            3. Persist the route
            This step is only necessary for the routing node.

            After you have configured your static routes, proceed to configure host authorization and publish the topology. The following table lists the tasks to set up host authorization and publish the topology.

            Table 3 Task List for Host Authorization Setup and Publishing the Topology

            1. Create trusted application pool
            For Enterprise Edition, you create a single trusted application pool to hold the trusted application computers for the IM and Presence Service nodes.
            For Standard Edition, you must create a trusted application pool for each IM and Presence Service node.

            2. Add trusted application computer to the created pool
            Add a trusted application computer to the created pool for each IM and Presence Service node, except for the routing IM and Presence Service node.
            Perform this step only for Enterprise Edition deployments.

            3. Add trusted application server to the created pool
            For Enterprise Edition, add an application server to the pool that was created for the IM and Presence Service deployment.
            For Standard Edition, add an application server to each pool that was created for the nodes.

            4. Enable the topology
            Before you enable the topology, ensure that you have completed the following:
            • Define a TLS route for the routing IM and Presence Service node.
            • Persist the new static route for the routing IM and Presence Service node.
            • Create a trusted application pool for the IM and Presence Service deployment.
            • Add a trusted application computer to the created pool for each IM and Presence Service node.
            • Add a trusted application server to the created pool for the IM and Presence Service deployment.

            You must add CA-signed certificates to the Microsoft Lync server and IM and Presence Service node.

            Table 4 Task List to Configure Certificates on the Microsoft Lync Server and IM and Presence Service Node

            1. Configure the certificates on each Lync server
            To retrieve the CA root certificate and the Lync signed certificate, perform the following steps:
            • Download and install the CA certificate chain.
            • Request a signed certificate from the CA server.
            • Import and assign the certificate on Lync.
            See the Microsoft Lync documentation for details on importing and assigning the certificate on the Lync server: http://technet.microsoft.com/en-us/library/gg558664.aspx.

            2. Configure certificates on IM and Presence Service
            You must upload the root certificate for the CA that signs the Lync server certificates to IM and Presence Service. You must also generate a CSR for IM and Presence Service and have it signed by the CA, then upload the CA-signed certificate to IM and Presence Service.
            You must then add a TLS peer subject on IM and Presence Service for the Lync server. See topics related to setting up certificates for detailed instructions.

            Configure a Static Route on Microsoft Lync for Federation

            The IM and Presence Service supports Transport Layer Security (TLS) for federation with Microsoft Lync servers. You must create a static route to the IM and Presence Service routing node only. It is not necessary to create static routes to subscriber nodes, nor any intercluster peer nodes even if your IM and Presence Service deployment has multiple clusters.

            The following table lists the sample configuration parameters that are used in this procedure.

            Table 5 Sample Parameters for TLS Static Route on Microsoft Lync

            IM and Presence Service node FQDN (routing IM and Presence Service node): impserverPub.sip.com
            Ensure the FQDN can resolve to the correct IP address.

            IM and Presence Service node IP address (routing IM and Presence Service node): 10.10.1.10

            IM and Presence Service node TLS port: 5061
            The TLS port value must match what is configured in the user interface. To check the value, log in to the Cisco Unified CM IM and Presence Administration user interface and choose System > Application Listeners > Default Cisco SIP Proxy TLS Listener - Peer Auth.
            Note   Cisco recommends port 5061; however, you can use port 5062.

            IM and Presence Service node domain: sip.com

            Lync Registrar server: lyncserver.synergy.com


            Note


            When using Transport Layer Security (TLS), the FQDN used in the destination pattern of the static route must be resolvable from the Lync front-end server. Ensure that the FQDN resolves to the IP address of the IM and Presence Service node to which the static route points.



            Note


            The Lync FQDN cannot match the IM and Presence Service domain that is used for Partitioned Intradomain Federation.


            Procedure
              Step 1   Log in to a computer where Lync Server Management Shell is installed.
              Tip   

              You must log in as a member of the RTCUniversalServerAdmins group or a role-based access control (RBAC) role to which you have assigned the New-CsStaticRoute cmdlet.

              Step 2   Choose Start > All Programs > Microsoft Lync Server 2010 > Lync Server Management Shell.
              Step 3   Enter the following command to define a TLS route:

              $tlsRoute = New-CsStaticRoute -TLSRoute -Destination fqdn_of_imp_routing_node -Port listening_port_imp_routing_node -usedefaultcertificate $true -MatchUri destination_domain



              Example:

              $tlsRoute = New-CsStaticRoute -TLSRoute -Destination impserverPub.sip.com -Port 5061 -usedefaultcertificate $true -MatchUri sip.com

              where:

              Parameter Description
              -Destination

              The FQDN of the IM and Presence Service routing node.

              -Port

              The listening port of the IM and Presence Service routing node.

              -MatchUri The destination IM and Presence Service domain.
              Note   

              To match child domains of a domain, you can specify a wildcard value in the -MatchUri parameter, for example, *.sip.com. That value matches any domain that ends with the suffix sip.com.

              If you set -usedefaultcertificate to false, you must specify the TLSCertIssuer and TLSCertSerialNumber parameters. These parameters indicate the name of the certificate authority (CA) that issues the certificate used in the static route and the serial number of the TLS certificate, respectively. See the Lync Server Management Shell for more information about these parameters.

              Step 4   Make the newly created static route persistent in the Central Management store. Enter the following command:

              Set-CsStaticRoutingConfiguration -Route @{Add=$tlsRoute}

              Note   

              Perform this step only for the routing IM and Presence Service node.

              Step 5   If you made the new static route persistent, verify that the command was successful. Enter the following command:

              Get-CsStaticRoutingConfiguration | Select-Object -ExpandProperty Route
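The three commands in Steps 3 to 5 can be run as one script that first checks the two things the notes above warn about: that the destination FQDN resolves, from the Lync front end, to the routing node's IP address, and that a route for the same domain is not already persisted (a stale duplicate would keep sending federation traffic to an old destination). The script below is an added example, not part of the Cisco page or Microsoft's documentation. It uses the page's sample parameters; the $expectedIp value, the duplicate check, and the assumption that the route objects returned by Get-CsStaticRoutingConfiguration expose Destination, Port and MatchUri properties named like the cmdlet parameters are additions.

```powershell
# Added example (not Cisco's or Microsoft's code). Run in the Lync Server Management Shell
# as a member of RTCUniversalServerAdmins, on the routing node's route only.

$impRoutingNode = 'impserverPub.sip.com'   # FQDN of the IM and Presence Service routing node
$expectedIp     = '10.10.1.10'             # IP the FQDN must resolve to from this Lync server (assumed)
$impDomain      = 'sip.com'                # destination IM and Presence Service domain
$impTlsPort     = 5061                     # must equal the Peer Auth Listener port on the node

# 1. The destination FQDN must resolve, from this Lync server, to the routing node's IP.
#    System.Net.Dns is used rather than Resolve-DnsName so this also works on Windows Server 2008 R2.
$resolved = [System.Net.Dns]::GetHostAddresses($impRoutingNode) |
    ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $expectedIp) {
    throw "$impRoutingNode resolves to [$($resolved -join ', ')], expected $expectedIp; fix DNS before adding the route."
}

# 2. Do not persist a second route for the same MatchUri.
$existing = Get-CsStaticRoutingConfiguration |
    Select-Object -ExpandProperty Route |
    Where-Object { $_.MatchUri -eq $impDomain }
if ($existing) {
    Write-Warning "A static route for $impDomain already exists (Destination: $($existing.Destination -join ', ')); not adding another."
    return
}

# 3. Define the TLS route and persist it in the Central Management store (Steps 3 and 4).
$tlsRoute = New-CsStaticRoute -TLSRoute -Destination $impRoutingNode -Port $impTlsPort `
    -UseDefaultCertificate $true -MatchUri $impDomain
Set-CsStaticRoutingConfiguration -Route @{Add = $tlsRoute}

# 4. Read the configuration back (Step 5) and confirm the route landed with the expected values.
$route = Get-CsStaticRoutingConfiguration |
    Select-Object -ExpandProperty Route |
    Where-Object { $_.MatchUri -eq $impDomain -and $_.Destination -eq $impRoutingNode }
if (-not $route -or $route.Port -ne $impTlsPort) {
    throw "Route for $impDomain was not persisted as expected."
}
$route | Format-List Destination, Port, MatchUri
```

If the DNS check fails, fix the Lync server's resolution of the routing node before creating the route; with TLS, a name that resolves to the wrong host will also fail certificate validation, and the resulting SIP errors are harder to read than this check.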


              Add Host Authorization for IM and Presence Service on an Enterprise Edition Lync Server

              To allow Lync to accept SIP requests from the IM and Presence Service without being prompted for authorization, you must configure host authorization entries on Lync for each IM and Presence Service node. For Enterprise Edition, you must perform this procedure on all pools.


              Note


              You must configure TLS for federation with Lync. TCP is not supported.


              To configure the required host authorization entries for TLS encryption between Lync and IM and Presence Service, you must add a host authorization entry for the FQDN of each IM and Presence Service node.

              Procedure
                Step 1   Create a trusted application server pool for the IM and Presence Service deployment using the following commands:
                Tip   

                You can enter Get-CsPool to verify the FQDN value of the Registrar service for the pool.

                New-CsTrustedApplicationPool -Identity trusted_application_pool_name_in_FQDN_format -Registrar Lync_Registrar_service_FQDN -Site ID_for_the_trusted_application_pool_site -TreatAsAuthenticated $true -ThrottleAsServer $true -RequiresReplication $false -OutboundOnly $false -Computerfqdn first_trusted_application_computer



                Example:

                New-CsTrustedApplicationPool -Identity trustedpool.sip.com -Registrar lyncserver.synergy.com -Site 1 -TreatAsAuthenticated $true -ThrottleAsServer $true -RequiresReplication $false -OutboundOnly $false -Computerfqdn impserverPub.sip.com

                where:

                Parameter Description

                -Identity

                Enter the name of the trusted application pool for the IM and Presence Service deployment. This must be in FQDN format. For example: trustedpool.sip.com.

                Tip   

                Ignore warning messages regarding the machine not found in Active Directory and proceed to apply the changes.

                -Registrar

                The service ID or FQDN of the Registrar service for the pool. For example: lyncserver.synergy.com.

                You can check this value using the command Get-CsPool.

                -Site

                The numeric value of the site where you want to create the trusted application pool.

                Tip   

                Use the Get-CsSite Management Shell command.

                -Computerfqdn

                The FQDN of the IM and Presence Service routing node. For example: impserverPub.sip.com.
                • impserverPub = the IM and Presence Service hostname.
                • sip.com = the IM and Presence Service domain.
                Step 2   For each IM and Presence Service node, enter the following commands to add the FQDN of the node as a trusted application computer to the new application pool:

                New-CsTrustedApplicationComputer -Identity imp_FQDN -Pool new_trusted_app_pool_FQDN



                Example:

                New-CsTrustedApplicationComputer -Identity impserver2.sip.com -Pool trustedpool.sip.com

                where:
                Parameter Description

                -Identity

                The FQDN of the IM and Presence Service node. For example: impserver2.sip.com.

                Note   

                Do not add the IM and Presence Service routing node as a trusted application computer using this command.

                -Pool

                The FQDN of the trusted application pool that is used for the IM and Presence Service deployment. For example: trustedpool.sip.com.

                Step 3   Enter the following command to create a new trusted application and add it to the new application pool:

                New-CsTrustedApplication -ApplicationID new_application_name -TrustedApplicationPoolFqdn new_trusted_app_pool_FQDN -Port 5061



                Example:

                New-CsTrustedApplication -ApplicationID imptrustedapp.sip.com -TrustedApplicationPoolFqdn trustedpool.sip.com -Port 5061

                where:

                Parameter Description

                -ApplicationID

                The name of the application. This can be any value. For example: imptrustedapp.sip.com.

                -TrustedApplicationPoolFqdn

                The FQDN of the trusted application pool server for the IM and Presence Service deployment. For example: trustedpool.sip.com.

                -Port

                The SIP listening port of the IM and Presence Service node. For TLS the port is 5061.


                What to Do Next

                Proceed to publish the topology.
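For an Enterprise Edition deployment with several IM and Presence Service nodes, Steps 1 to 3 above are naturally run as one script that loops over the subscriber nodes and then reads the result back from Lync. The script below is an added example, not part of the Cisco page or Microsoft's documentation. It uses the page's sample parameters; the $impSubscriberNodes list is constructed, and the read-back checks assume that Get-CsTrustedApplicationComputer exposes Identity and Pool properties, that Get-CsTrustedApplication exposes ApplicationId and Port, and that Get-CsPool exposes Fqdn.

```powershell
# Added example (not Cisco's or Microsoft's code). Run in the Lync Server Management Shell
# once per Enterprise Edition pool.

$trustedPool        = 'trustedpool.sip.com'     # trusted application pool, FQDN format
$lyncRegistrar      = 'lyncserver.synergy.com'  # Registrar service FQDN (confirm with Get-CsPool)
$siteId             = 1                         # numeric site ID (confirm with Get-CsSite)
$impRoutingNode     = 'impserverPub.sip.com'    # routing node: only ever passed as -ComputerFqdn
$impSubscriberNodes = @('impserver2.sip.com', 'impserver3.sip.com')   # constructed list of the other nodes
$appId              = 'imptrustedapp.sip.com'
$impTlsPort         = 5061                      # the node's TLS listening port

# Sanity check the Registrar before creating anything that references it.
if (-not (Get-CsPool | Where-Object { $_.Fqdn -eq $lyncRegistrar })) {
    throw "No pool with FQDN $lyncRegistrar found; check Get-CsPool."
}

# Step 1: one pool for the whole deployment, with the routing node as its first computer.
# Warnings about the machine not being found in Active Directory are expected here.
New-CsTrustedApplicationPool -Identity $trustedPool -Registrar $lyncRegistrar -Site $siteId `
    -TreatAsAuthenticated $true -ThrottleAsServer $true -RequiresReplication $false `
    -OutboundOnly $false -ComputerFqdn $impRoutingNode

# Step 2: every node except the routing node becomes a trusted application computer in that pool.
foreach ($node in $impSubscriberNodes) {
    New-CsTrustedApplicationComputer -Identity $node -Pool $trustedPool
}

# Step 3: the trusted application, bound to the node's TLS listening port.
New-CsTrustedApplication -ApplicationID $appId -TrustedApplicationPoolFqdn $trustedPool -Port $impTlsPort

# Read back: every node must now be a computer in the pool, and the application must use
# the same port the IM and Presence Service Peer Auth listener is configured for.
$computers = Get-CsTrustedApplicationComputer |
    Where-Object { $_.Pool -eq $trustedPool } |
    Select-Object -ExpandProperty Identity
foreach ($node in @($impRoutingNode) + $impSubscriberNodes) {
    if ($computers -notcontains $node) { throw "$node is missing from pool $trustedPool" }
}
$app = Get-CsTrustedApplication | Where-Object { $_.ApplicationId -like "*$appId" }
if (-not $app -or $app.Port -ne $impTlsPort) {
    throw "Trusted application $appId not found on port $impTlsPort"
}
"Pool $trustedPool holds: $($computers -join ', ')"
```

The -like match on ApplicationId is there because Lync stores the application ID with a URN prefix rather than as the bare name you passed in. The port check matters because the trusted application port, the Lync static route port and the IM and Presence Service Peer Auth Listener port all have to agree, and a mismatch in any one of them only shows up as rejected federation traffic later.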

                Add Host Authorization for IM and Presence Service on Standard Edition Lync Servers

                To allow Lync to accept SIP requests from IM and Presence Service without being prompted for authorization, you must configure host authorization entries for each IM and Presence Service node on all Standard Edition Lync servers in your deployment. Create one trusted application pool for each IM and Presence Service node on the Lync server.


                Note


                  You must configure TLS for federation with Lync. TCP is not supported.


                To configure the required host authorization entries for TLS encryption between Lync and IM and Presence Service, you must add a host authorization entry for the FQDN of each IM and Presence Service node.

                Procedure
                  Step 1   Create a trusted application server pool for each IM and Presence Service node using the following commands:
                  Tip   

                  You can enter Get-CsPool to verify the FQDN value of the Registrar service for the pool.

                  New-CsTrustedApplicationPool -Identity fqdn_of_the_im_and_presence_service_node -Registrar fqdn_of_the_lync_registrar_service -Site site_id_for_where_you_want_to_create_trusted_app_pool -TreatAsAuthenticated $true -ThrottleAsServer $true -RequiresReplication $false -OutboundOnly $false



                  Example:

                  New-CsTrustedApplicationPool -Identity impserverPub.sip.com -Registrar lyncserver.synergy.com -Site 1 -TreatAsAuthenticated $true -ThrottleAsServer $true -RequiresReplication $false -OutboundOnly $false

                  where:
                  Parameter Description

                  -Identity

                  Enter the FQDN name of the IM and Presence Service node as the trusted application pool. For example: impserverPub.sip.com.

                  Tip   

                  Ignore warning messages regarding the machine not found in Active Directory and proceed to apply the changes.

                  -Registrar

                  The service ID or FQDN of the Registrar service for the pool. For example: lyncserver.synergy.com.

                  You can check this value using the command Get-CsPool.

                  -Site

                  The numeric value of the site where you want to create the trusted application pool.

                  Tip   

                  Use the Get-CsSite Management Shell command.

                  Step 2   For each IM and Presence Service node, enter the following commands to create a trusted application for the node and then assign it to the trusted application server pool of that node.

                  New-CsTrustedApplication -ApplicationID new_app_name -TrustedApplicationPoolFqdn new_trusted_app_pool_fqdn -Port 5061



                  Example:

                  New-CsTrustedApplication -ApplicationID imptrustedapp.sip.com -TrustedApplicationPoolFqdn impserverPub.sip.com -Port 5061

                  where:

                  Parameter Description

                  -ApplicationID

                  The name of the trusted application. This can be any value. For example: imptrustedapp.sip.com.

                  -TrustedApplicationPoolFqdn

                  The FQDN of the trusted application pool that is used for the IM and Presence Service node. For example: impserverPub.sip.com.

                  -Port

                  The SIP listening port of the IM and Presence Service node. For TLS the port is 5061.


                  What to Do Next

                  Proceed to publish the topology.

                  Publish Topology

                  The following procedure describes how to commit the topology.

                  Procedure
                    Step 1   In the Lync Server Management Shell enter the following command to enable the topology: Enable-CsTopology
                    Step 2   Enter the following command to output the topology to an XML file called topology.xml and save it to the C drive: Get-CsTopology -AsXml | Out-File C:\topology.xml
                    Note   

                    You can choose any name and location to output the topology information.

                    Step 3   Open the topology.xml file.
                    Step 4   In the Cluster Fqdn section, change the IPAddress parameter from “0.0.0.0” to the IP Address for each IM and Presence Service node that you added to the trusted pool.
                    Step 5   Save the topology.xml file.
                    Step 6   Enter the following command in the Lync Server Management Shell: Publish-CsTopology -FileName "C:\topology.xml"

                    What to Do Next

                    Install Certificate Authority Root Certificates on Lync

                    Set Up Certificates on IM and Presence Service for Microsoft Server

                    This procedure applies only if you have set up TLS static routes between IM and Presence Service and Microsoft servers.

                    Procedure
                      Step 1   On the IM and Presence Service, upload the root certificate for the CA that signs the Microsoft server certificate.
                      • Upload the certificate as a cup-trust certificate.
                      • Leave the Root Certificate field blank.
                      • Import the self-signed certificate onto the IM and Presence Service.
                      Step 2   Generate a CSR for the IM and Presence Service so that the IM and Presence Service certificate can be signed by a CA. Upload the CSR to the CA that signs your certificate.
                      Step 3   When you have retrieved the CA-signed certificate and the CA root certificate, upload the CA-signed certificate and the root certificate to the IM and Presence Service node.
                      • Upload the root certificate as a cup-trust certificate.
                      • Upload the CA-signed IM and Presence Service certificate as a cup certificate. Specify the root certificate .pem file as the root certificate.
                      Step 4   Add a TLS Peer subject on IM and Presence Service for the Microsoft server. Use the FQDN of the Microsoft server.
                      Step 5   Add the TLS Peer to the Selected TLS Peer Subjects list.
                      • Make sure that the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher is chosen for the TLS Context Configuration. 3DES is a legacy cipher suite; keep it enabled only where this federated link requires it.
                      • Make sure that you disable empty TLS fragments.
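Before uploading certificates and adding the TLS peer subject, it helps to look at what the Microsoft server actually presents on its TLS listener: the certificate subject is what the TLS Peer Subject in Step 4 must match, and the top of its chain is the CA root you must upload as a cup-trust certificate in Step 1. The script below is an added example, not part of the Cisco page; it runs from any Windows host that can reach the Microsoft server. The server name, port and the path in $caRootPath are assumptions that follow the page's sample values.

```powershell
# Added example (not Cisco's code). Reads the certificate the Microsoft server presents on
# its TLS listener and checks it against the CA root you intend to upload to IM and Presence Service.

$msServer   = 'lyncserver.synergy.com'   # Microsoft server FQDN (assumed)
$port       = 5061                       # TLS listener port (assumed)
$caRootPath = 'C:\certs\ca-root.cer'     # CA root you plan to upload as cup-trust (assumed path)

$tcp = New-Object System.Net.Sockets.TcpClient($msServer, $port)
# Accept anything during the handshake; the chain is validated explicitly below
# against the intended root, not against this machine's Windows certificate store.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($msServer)
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $proto  = $ssl.SslProtocol
    $cipher = $ssl.CipherAlgorithm
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

"Negotiated: $proto / $cipher"
"Subject   : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"Expires   : $($cert.NotAfter)"

# The TLS Peer Subject on IM and Presence Service is the Microsoft server's FQDN,
# so the name in the certificate must carry exactly that value.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $msServer) {
    Write-Warning "Certificate name '$cn' differs from '$msServer'; the TLS peer subject must match what the server presents."
}

# Build the chain using the root you plan to upload and see whether it terminates there.
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($caRootPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$chain.Build($cert) | Out-Null
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -eq $root.Thumbprint) {
    "Chain terminates at '$($root.Subject)'; upload this root as cup-trust on IM and Presence Service."
} else {
    Write-Warning "Chain terminates at '$($top.Subject)', not at the root in $caRootPath; upload the correct CA root instead."
}
```

If the listener is configured for MTLS and insists on a client certificate, AuthenticateAsClient may fail before the server certificate is available; in that case run the check from a host that has a certificate the Microsoft server trusts, or inspect the certificate directly in the Front End Server Properties. Revocation checking is disabled here only because the goal is to identify the issuing root, not to make a trust decision.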