Partitioned Intradomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
IM and Presence Service Node Configuration for Partitioned Intradomain Federation

Configure Partitioned Intradomain Federation Options

The following procedure describes how to enable Partitioned Intradomain Federation on the IM and Presence Service and choose a routing mode.

If you have a multicluster deployment, you must perform this procedure on each cluster. When you enable Partitioned Intradomain Federation or choose a routing mode, these settings are enabled cluster-wide; therefore you only need to enable them on the IM and Presence Service publisher node within any given cluster.


Caution


Email Address for Federation is not supported in deployments where Partitioned Intradomain Federation is configured. Email Address for Federation is also not supported for Interdomain Federation if your deployment uses the interdomain federation capabilities of Lync/OCS/LCS. Confirm that Email Address for Federation is not enabled anywhere in the deployment in these deployment scenarios and ensure that the Enable use of Email Address when Federating option is not checked for the clusters.


Procedure
    Step 1   Log in to the Cisco Unified Communications Manager IM and Presence Administration user interface. Choose Presence > Settings.
    Step 2   Check the Enable Partitioned Intradomain Federation with LCS/OCS/Lync check box.
    Step 3   Read the warning message and click OK.
    Step 4   Choose one of the following from the Partitioned Intradomain Federation Routing Mode drop-down list:
    • Basic Routing Mode (default) when you have unlicensed IM and Presence Service request recipients within the IM and Presence Service domain. In Basic Routing mode, the IM and Presence Service routes requests for these recipients to the Microsoft server.

    • Advanced Routing Mode when you have request recipients within the IM and Presence Service domain who are licensed and have a valid Microsoft Lync or Microsoft Office Communicator SIP address stored in the IM and Presence Service database. Choose Advanced Routing only if Cisco Unified Communications Manager synchronizes users from the same Active Directory that the Microsoft server uses.

      Note   

      The list of users synchronized from Active Directory must include all Microsoft Lync or Microsoft Office Communicator users.

    Step 5   Click Save.
    Step 6   After you enable Partitioned Intradomain Federation or choose a routing mode, you must restart the Cisco XCP Router on all IM and Presence Service nodes in the cluster. To restart the Cisco XCP Router, log in to the Cisco Unified IM and Presence Serviceability user interface and choose Tools > Control Center – Network Services.
    Note   

    You are prompted to restart the SIP proxy when you enable partitioned federation.


Configure Static Routes

The following procedure describes how to configure static routes to enable Partitioned Intradomain Federation routing between the IM and Presence Service and Lync/OCS/LCS. You must add an individual static route for each Microsoft server presence domain. Static routes can have a common next hop address. See topics related to IM and Presence Service to Microsoft server request routing, and basic and advanced routing modes for more information.


Note


If you are integrating Partitioned Intradomain Federation with the interdomain federation capabilities of Microsoft servers, then you must configure static routes on the IM and Presence Service for each remote domain. For more information, see topics related to configuring static routes for remote domains.


For the Microsoft server presence domain static route, note the following:

• For Standard Edition Microsoft servers, the static route must point to the IP address of a specific Standard Edition server.
• For Enterprise Edition Microsoft servers, to route federation traffic from the IM and Presence Service cluster directly to one of the front-end Microsoft servers, the static route must point to the IP address of that front-end server.

See the following URL for a list of approved load balancers: http://technet.microsoft.com/en-us/office/ocs/cc843611. It is your responsibility to ensure that those load balancers are deployed and managed correctly.


Note


Cisco does not support the configuration of static routes to point to load balancers. Cisco recommends that you configure static routes to bypass the front-end load balancer.


For high availability purposes, you can configure additional backup static routes for each Microsoft server presence domain.

The backup route has a lower priority and is used only if the next hop address of the primary static route is unreachable.


Note


If you have a multicluster deployment, you must perform this procedure on each cluster. These settings are cluster-wide; therefore you need to set them only on the IM and Presence Service database publisher node within any given cluster.


Procedure
    Step 1   Log in to the Cisco Unified Communications Manager IM and Presence Administration user interface. Choose Presence > Routing > Static Routes.
    Step 2   Click Add New.
    Step 3   Enter the Destination Pattern value so that the domain is reversed. For example, if the domain is domaina.com, the Destination Pattern value must be .com.domaina
    Step 4   Enter the IP address of the Microsoft server in the Next Hop field.
    Step 5   Choose domain for the Route Type.
    Note

    The default setting for Route Type is user.

    Step 6   Set the Next Hop Port and the Protocol Type as follows:
    • For TLS Encryption:

      • Next Hop Port number is 5061

      • Protocol Type is TLS

    • For TCP:

      • Next Hop Port number is 5060

      • Protocol Type is TCP

    Step 7   Enter the Priority value as follows:
    • For primary static routes, enter the default Priority value of 1.

    • For backup static routes, enter a Priority value greater than 1. (The lower the value, the higher the priority of the static route.)

    Step 8   Leave the default values for all other parameters.
    Step 9   Click Save.

What to Do Next

Create an additional static route with the Destination Pattern FQDN in reverse order and with the Next Hop the Microsoft Lync server IP address. For example, if the domain is lyncserver.domaina.com, the Destination Pattern value must be .com.domaina.lyncserver
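The static route table that Steps 3 through 7 and the What to Do Next note describe, worked through as an added Python example (this is not Cisco code and not part of this guide): destination_pattern reverses the domain labels, make_route applies the port/protocol pairing and the domain route type, routes_for_domain assigns primary and backup priorities, and select_next_hop shows how a backup route is chosen when the primary next hop is unreachable. The function and class names and the 192.0.2.x next-hop addresses are constructed for this example.

```python
"""Static routes for Partitioned Intradomain Federation, modelled after the
procedure above. Added example, not Cisco code: field names follow the GUI
labels; helper names and the 192.0.2.x next-hop addresses are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Step 6: the protocol type decides the next hop port.
PORT_FOR_PROTOCOL = {"TLS": 5061, "TCP": 5060}


@dataclass(frozen=True)
class StaticRoute:
    destination_pattern: str  # reversed domain, e.g. ".com.domaina"
    next_hop: str             # IP address of a Microsoft server, not a load balancer
    next_hop_port: int
    protocol_type: str
    route_type: str           # "domain" for federation routes (the GUI default is "user")
    priority: int             # 1 = primary; higher values are backups


def destination_pattern(domain: str) -> str:
    """Step 3: reverse the labels, 'domaina.com' -> '.com.domaina'.
    Works for a server FQDN too: 'lyncserver.domaina.com' -> '.com.domaina.lyncserver'."""
    labels = [l for l in domain.strip().lower().rstrip(".").split(".") if l]
    if len(labels) < 2:
        raise ValueError(f"expected a dotted domain name, got {domain!r}")
    return "." + ".".join(reversed(labels))


def make_route(domain: str, next_hop: str, protocol: str = "TLS",
               priority: int = 1) -> StaticRoute:
    """Build one route; rejects unknown protocols, bad priorities and non-IP next hops."""
    if protocol not in PORT_FOR_PROTOCOL:
        raise ValueError(f"protocol type must be one of {sorted(PORT_FOR_PROTOCOL)}")
    if priority < 1:
        raise ValueError("priority starts at 1 for the primary route")
    ipaddress.ip_address(next_hop)  # Step 4: the next hop is an IP address
    return StaticRoute(destination_pattern(domain), next_hop,
                       PORT_FOR_PROTOCOL[protocol], protocol, "domain", priority)


def routes_for_domain(domain: str, primary_hop: str, backup_hops=(),
                      protocol: str = "TLS"):
    """Step 7: primary at priority 1, backups at 2, 3, ... (lower value wins)."""
    routes = [make_route(domain, primary_hop, protocol, 1)]
    for prio, hop in enumerate(backup_hops, start=2):
        routes.append(make_route(domain, hop, protocol, prio))
    return routes


def select_next_hop(routes, reachable) -> Optional[StaticRoute]:
    """Backup routes are used only when the primary next hop is unreachable:
    pick the reachable route with the lowest priority value."""
    candidates = [r for r in routes if r.next_hop in reachable]
    return min(candidates, key=lambda r: r.priority) if candidates else None


if __name__ == "__main__":
    # Constructed sample: one presence domain with a primary front-end and one backup.
    table = routes_for_domain("domaina.com", "192.0.2.10", ["192.0.2.11"])
    table.append(make_route("lyncserver.domaina.com", "192.0.2.10"))  # What to Do Next
    for r in table:
        print(r)
    print("chosen when the primary is down:", select_next_hop(table[:2], {"192.0.2.11"}))
```

Running the block prints the three routes the procedure asks for (primary, backup, and the reversed-FQDN route) and shows the backup being selected once the primary next hop is absent from the reachable set.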

Configure an Incoming Access Control List

The following procedure describes how to configure entries in the Incoming Access Control List (ACL) to ensure that Lync/OCS/LCS servers can access the IM and Presence Service server without authentication.

Note


If you have a multicluster deployment, you must perform this procedure on each cluster. These settings are cluster-wide; therefore you need to set them only on the IM and Presence Service publisher node within any given cluster.


How you configure the Incoming ACLs depends on how strictly you wish to control access to the IM and Presence Service:

• To allow open access to the IM and Presence Service, you can add an entry with an address pattern of All.

• To allow access to the IM and Presence Service from specific network domains, you can add entries with an address pattern matching the specific domain. For example, to allow access from any server within foo.com, enter foo.com as the address pattern.

• To allow access to the IM and Presence Service from specific servers, add ACL entries that have an address pattern matching the IP address and the FQDN of those servers. You must create two ACL entries for each server: one entry for the IP address and another entry for the FQDN. For example, to allow access from the server ocs1.foo.com (10.1.10.100), enter ocs1.foo.com as the address pattern in one ACL entry, and enter 10.1.10.100 as the address pattern in another ACL entry.

For Partitioned Intradomain Federation, if you decide to restrict access to the IM and Presence Service for certain Microsoft server FQDNs or IP addresses only, you must add ACL entries for the following entities:

• Each Microsoft server Enterprise Edition front-end or Standard Edition server

• Each Microsoft server pool FQDN (Enterprise Edition only)

If you choose to restrict access using the FQDN of the server, then you need to also add an ACL entry for any other DNS records that resolve to the same IP address as any of the front-end servers or pools. For example, you can create a DNS record, such as admin.lync.com, on the Lync server to access the Lync control panel, which resolves to the same IP address as one of the Lync front-end servers.

Procedure
    Step 1   Log in to the Cisco Unified CM IM and Presence Administration user interface. Choose System > Security > Incoming ACL.
    Step 2   Click Add New.
    Step 3   In the Description field, enter a description of the entry, for example, Lync Server.
    Step 4   Enter the address pattern in the Address Pattern field. You have the following options:
    • Enter All to allow open access to the IM and Presence Service.

    • Enter a specific network domain name.

    • Enter a specific IP address.

    • Enter a specific FQDN.

    Note

    If you do not enter All as the address pattern, then you must create at least two ACL entries: one for the IP address of the server and another one for the FQDN of the server. Entering a domain name is optional.

    Step 5   Click Save.

TLS Encryption Configuration

You must complete the procedures in this section to configure TLS encryption between the IM and Presence Service and Lync/OCS/LCS. TLS encryption is mandatory for Partitioned Intradomain Federation with Lync servers.


Note


If you have a multicluster deployment, you must perform each of these procedures on each cluster. These settings are cluster-wide; therefore you need to set them only on the IM and Presence Service publisher node within any given cluster.


Configure Application Listener Ports

You must change the Default Cisco SIP Proxy TLS Listener port values for both server authentication and peer authentication. The IM and Presence Service performs peer (mutual) TLS authentication on port 5062 by default. You must modify this default setting so that peer TLS authentication takes place on port 5061 and configure the server TLS authentication port value to 5062.

Procedure
    Step 1   Log in to the Cisco Unified IM and Presence Administration user interface. Choose System > Application Listeners.
    Step 2   If they are not already displayed, click Find to display all application listeners.
    Step 3   Choose Default Cisco SIP Proxy TLS Listener – Server Auth.
    Step 4   Change the Port value to 5063.
    Step 5   Click Save and click OK on the pop-up window that appears.
    Step 6   From the Related Links drop-down list, choose Back to Find/List and click OK to return to the Application Listeners list.
    Step 7   Choose Default Cisco SIP Proxy TLS Listener – Peer Auth.
    Step 8   Change the Port value to 5061.
    Step 9   Click Save and click OK on the dialog box that appears.
    Step 10   From the Related Links drop-down list, choose Back to Find/List and click OK to return to the Application Listeners list.
    Step 11   Choose Default Cisco SIP Proxy TLS Listener – Server Auth.
    Step 12   Change the Port value from 5063 to 5062.
    Step 13   Click Save.
    Step 14   Restart the SIP Proxy service on all IM and Presence Service nodes in the cluster. To restart the SIP Proxy service, log in to the Cisco Unified IM and Presence Serviceability user interface and choose Tools > Control Center – Feature Services.

What to Do Next

Configure TLS Peer Subjects

Configure TLS Peer Subjects

For Peer TLS authentication, the IM and Presence Service requires that the Subject Common Name (CN) from the security certificate that is presented by the peer is included in a TLS Peer Subject list. Use the Cisco Unified IM and Presence Administration user interface to add a Subject CN to this list.

Include only the Subject CN in the TLS Peer Subject list. Do not include Subject Alternative Name (SAN) entries in the TLS Peer Subject list. The following figure shows an example of a Subject CN certificate with the Subject CN highlighted.

Figure 1. Subject Common Name Certificate

For Partitioned Intradomain Federation, you must add a TLS Peer Subject for the following entities:

• Each Lync/OCS/LCS Enterprise Edition front-end or Standard Edition server
• Each Lync/OCS/LCS pool Fully Qualified Domain Name (FQDN) (Enterprise Edition only)

Procedure
    Step 1   Log in to the Cisco Unified IM and Presence Administration user interface. Choose System > Security > TLS Peer Subjects.
    Step 2   Click Add New.
    Step 3   Enter the Peer Subject Name.
    • For a Microsoft server Enterprise Edition front-end or Standard Edition server, enter the FQDN of the server.

    • For a Microsoft server pool Fully Qualified Domain Name (FQDN), enter the subject CN of the certificate that is presented to the IM and Presence Service.

    Step 4   In the Description field, enter a description of the subject, for example, OCS Server.
    Step 5   Click Save.
    Step 6   Restart the SIP Proxy service on all IM and Presence Service nodes in the cluster. To restart the SIP Proxy service, log in to the Cisco Unified IM and Presence Serviceability user interface and choose Tools > Control Center – Feature Services.
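The two admission rules a Lync/OCS/LCS server must pass, from the Incoming Access Control List section earlier in this chapter and from this TLS Peer Subject procedure, modelled together as an added Python example (not Cisco code and not part of this guide): acl_matches implements the All, domain, IP address and FQDN address patterns; missing_acl_entries reports which IP, FQDN and pool entries a restricted ACL still lacks for a given server inventory; check_peer_subject compares only the certificate Subject CN against the TLS Peer Subject list, so a SAN-only match is reported as a misconfiguration rather than accepted. The function names, the sample server ocs1.foo.com / 10.1.10.100 taken from the ACL section, and the other hosts and addresses are constructed for this example.

```python
"""Inbound admission checks for a Lync/OCS/LCS server connecting to the
IM and Presence Service: Incoming ACL address patterns and the TLS Peer
Subject list. Added example, not Cisco code: the matching rules follow this
chapter's text; helper names and sample data are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MicrosoftServer:
    """One Enterprise Edition front-end or Standard Edition server (constructed)."""
    fqdn: str
    ip: str
    pool_fqdn: Optional[str] = None  # Enterprise Edition pool FQDN, if any


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def acl_matches(pattern: str, ip: str, fqdn: str) -> bool:
    """Evaluate one Incoming ACL entry against the connecting server.

    'All' permits everything; an IP pattern must equal the source address;
    otherwise the pattern is a host (exact FQDN) or a domain (any host
    within it, e.g. 'foo.com' covers ocs1.foo.com but not evil-foo.com)."""
    p = _norm(pattern)
    if p == "all":
        return True
    try:
        pattern_ip = ipaddress.ip_address(p)
    except ValueError:
        pattern_ip = None  # not an IP pattern: match by name below
    if pattern_ip is not None:
        return pattern_ip == ipaddress.ip_address(ip)
    host = _norm(fqdn)
    return host == p or host.endswith("." + p)


def acl_permits(acl, ip: str, fqdn: str) -> bool:
    """Any matching entry admits the connection."""
    return any(acl_matches(p, ip, fqdn) for p in acl)


def missing_acl_entries(acl, servers):
    """Entries the chapter requires when access is restricted: one for each
    server's IP, one for its FQDN and one per pool FQDN. Any other DNS name
    that resolves to a front-end address (an admin alias, for instance) needs
    its own entry too; model such names as extra MicrosoftServer records."""
    present = {_norm(p) for p in acl}
    if "all" in present:
        return []  # open access: nothing further is required
    missing = []
    for s in servers:
        for required in (s.ip, s.fqdn, s.pool_fqdn):
            if required and _norm(required) not in present:
                missing.append(required)
    return missing


def check_peer_subject(peer_subjects, subject_cn: str, sans=()):
    """Peer TLS authentication consults the certificate Subject CN only.
    SAN values are looked at here solely to give a clearer diagnostic when
    an administrator has listed a SAN instead of the CN."""
    allowed = {_norm(s) for s in peer_subjects}
    if _norm(subject_cn) in allowed:
        return True, "subject CN is in the TLS Peer Subject list"
    if any(_norm(s) in allowed for s in sans):
        return False, "only a SAN matched; the list must contain the Subject CN"
    return False, "subject CN is not in the TLS Peer Subject list"


def admit_connection(acl, peer_subjects, ip, fqdn, subject_cn, sans=()):
    """Both checks must pass for the Microsoft server to be admitted."""
    if not acl_permits(acl, ip, fqdn):
        return False, f"{ip} / {fqdn} is not permitted by the Incoming ACL"
    return check_peer_subject(peer_subjects, subject_cn, sans)


if __name__ == "__main__":
    # Constructed sample: the ocs1.foo.com server from the ACL section.
    acl = ["ocs1.foo.com", "10.1.10.100"]
    print(admit_connection(acl, ["ocs1.foo.com"], "10.1.10.100",
                           "ocs1.foo.com", "ocs1.foo.com", ["sip.foo.com"]))
    print(missing_acl_entries(["ocs1.foo.com"],
                              [MicrosoftServer("ocs1.foo.com", "10.1.10.100", "pool1.foo.com")]))
```

The second print shows the gap an auditor wants to see: an ACL that names only the server FQDN is still missing the IP entry the Note under Step 4 of the ACL procedure requires, and the Enterprise Edition pool entry.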

What to Do Next

Configure Peer Authentication TLS Context

Configure Peer Authentication TLS Context

To support TLS encryption between the IM and Presence Service and Lync/OCS/LCS, you must modify the Peer Authentication TLS Context configuration on the IM and Presence Service.

Procedure
    Step 1   Log in to the Cisco Unified IM and Presence Administration user interface. Choose System > Security > TLS Context Configuration.
    Step 2   Click Find.
    Step 3   Click the link for Default Cisco SIP Proxy Peer Auth TLS Context.
    Step 4   Ensure that the check box for Disable Empty TLS Fragments is checked.
    Step 5   In the TLS Cipher Mapping area list of Available TLS Ciphers, choose all of the ciphers and click the Move Right arrow to move these ciphers to the Selected TLS Ciphers list.
    Step 6   In the TLS Peer Subject Mapping area list of Available TLS Peer Subjects, choose the TLS peer subject that you configured in Configure TLS Peer Subjects and click the Move Right arrow to move this TLS peer subject to the Selected TLS Peer Subjects list.
    Step 7   Click Save.
    Step 8   Restart the SIP Proxy service on all IM and Presence Service nodes in the cluster. To restart the SIP Proxy service, log in to the Cisco Unified IM and Presence Serviceability user interface and choose Tools > Control Center – Feature Services.

What to Do Next

Import Root Certificate of Certificate Authority

Import Root Certificate of Certificate Authority

All Lync/OCS/LCS security certificates are generally signed by a Certificate Authority (CA). The IM and Presence Service certificates should also be signed by the same Certificate Authority used by the Microsoft server. In order for the IM and Presence Service to use a certificate signed by the Microsoft server CA, and to accept Microsoft server certificates signed by that same CA, the root certificate of the CA must be uploaded into the IM and Presence Service trust store.

Before You Begin

Before importing the root certificate, retrieve the certificate from the certificate authority and copy it to your local computer.

Procedure
    Step 1   Log in to the Cisco Unified IM and Presence Operating System Administration user interface. Choose Security > Certificate Management.
    Step 2   Click Upload Certificate.
    Step 3   From the Certificate Name drop-down list, choose cup-trust.
    Step 4   Leave the Root Certificate field blank.
    Step 5   In the Description field, enter a description for the certificate, for example, Certificate Authority Root Certificate.
    Step 6   Click Browse to find the root certificate on your local computer.
    Step 7   Click Upload File to upload the certificate to the IM and Presence Service node.
    Step 8   Restart the SIP Proxy service on all IM and Presence Service nodes in the cluster. To restart the SIP Proxy service, log in to the Cisco Unified IM and Presence Serviceability user interface and choose Tools > Control Center – Feature Services.

What to Do Next

Generate Certificate Signing Request for IM and Presence Service

Generate Certificate Signing Request for IM and Presence Service

IM and Presence Service certificates should be signed by the same Certificate Authority (CA) that is used by Lync/OCS/LCS. You must complete the following two-step process to obtain a CA-signed certificate:

1. Generate an IM and Presence Service Certificate Signing Request (CSR).

2. Upload the CA-signed certificate onto the IM and Presence Service.

The following procedure describes how to generate and download a CSR from the IM and Presence Service. The IM and Presence Service CSRs are 2048 bit.

Procedure
    Step 1   Log in to the Cisco Unified IM and Presence Operating System Administration user interface. Choose Security > Certificate Management on the IM and Presence Service.
    Step 2   Click Generate CSR.
    Step 3   From the Certificate Name drop-down list, choose cup.
    Step 4   Click Generate CSR.
    Step 5   When the Status shows "Success: Certificate Signing Request Generated", click Close.
    Step 6   Click Download CSR.
    Step 7   From the Certificate Name drop-down list, choose cup.
    Step 8   Click Download CSR to download the certificate to your local computer.
    Step 9   After the certificate has downloaded, click Close.

What to Do Next

After you download the CSR, you can use it to request a signed certificate from your chosen CA. This can be a well-known public CA or an internal CA.

Import Signed Certificate from Certificate Authority

Import Signed Certificate from Certificate Authority

The following procedure describes how to upload the CA-signed certificate to the IM and Presence Service.

Before You Begin

Generate and download a CSR from the IM and Presence Service. See Generate Certificate Signing Request for IM and Presence Service.

Procedure
    Step 1   Log in to the Cisco Unified IM and Presence Operating System Administration user interface. Choose Security > Certificate Management.
    Step 2   Click Upload Certificate; the Upload Certificate/Certificate chain dialog box opens.
    Step 3   From the Certificate Name drop-down list, choose cup.
    Step 4   In the Description field, enter a description of the certificate, for example, CA Signed Certificate.
    Step 5   Click Browse to find the certificate file on your local computer.
    Step 6   Click Upload File to upload the certificate to the IM and Presence Service node.
    Step 7   After the certificate has uploaded, restart the Cisco SIP Proxy service on all IM and Presence nodes in the cluster. To restart the Cisco SIP Proxy service, log in to the Cisco Unified IM and Presence Serviceability user interface and choose Tools > Control Center – Feature Services.

Deactivate Feature Services on the Routing IM and Presence Service Node

To ensure that a Routing IM and Presence Service node has the capacity to handle SIP traffic from Lync/OCS/LCS, you must not assign any users to the Routing IM and Presence Service node. This means that a number of the IM and Presence Service feature services that support assigned users can be deactivated on the Routing IM and Presence Service node. When you deactivate these services, the Routing IM and Presence Service node has extra processing capacity to support its SIP routing role. The following procedure describes how to deactivate feature services.

Restriction:

The following section only applies when there is a dedicated IM and Presence Service node used only for routing of federation traffic (not used for Jabber login). This routing IM and Presence Service node is separate from an IM and Presence Service node deployed for Cisco Jabber login.

Procedure
    Step 1   Log in to the Cisco Unified IM and Presence Serviceability user interface. Choose Tools > Service Activation.
    Step 2   From the Server drop-down list, choose the Routing IM and Presence Service node.
    Step 3   Uncheck each of the following feature services check boxes:
    • Cisco Presence Engine

    • Cisco XCP Text Conference Manager

    • Cisco XCP Web Connection Manager

    • Cisco XCP Connection Manager

    • Cisco XCP SIP Federation Connection Manager

    • Cisco XCP XMPP Federation Connection Manager

    • Cisco XCP Message Archiver

    • Cisco XCP Directory Service

    • Cisco XCP Authentication Service

    Step 4   Click Save.