Microsoft Office Communicator Call Control with Microsoft OCS for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
Configuration of security between IM and Presence and Microsoft OCS

This topic is only applicable if you require a secure connection between IM and Presence and Microsoft OCS.

Security certificate configuration for Microsoft OCS

Download CA Certification Chain

Procedure
    Step 1   Select Start > Run.
    Step 2   Perform the following actions:
    1. Type http://<name of your Issuing CA Server>/certsrv.
    2. Select OK.
    Step 3   Click Download a CA certificate, certificate chain, or CRL from Select a task.
    Step 4   Select Download CA certificate chain.
    Step 5   Select Save in the File Download dialog box.
    Step 6   Save the file on a hard disk drive on your server.

Troubleshooting Tips

The certificate file has an extension of .p7b. If you open this .p7b file, the chain will have the following two certificates:

• name of Standalone root CA certificate
• name of Standalone subordinate CA certificate (if any)

What to Do Next

Install CA Certification Chain

Install CA Certification Chain

Before You Begin

Download the CA Certification Chain.

Procedure
    Step 1   Select Start > Run.
    Step 2   Perform the following actions:
    1. Enter mmc.
    2. Select OK.
    Step 3   Select File > Add/Remove Snap-in.
    Step 4   Select Add in the Add/Remove Snap-in dialog box.
    Step 5   Select Certificates in the list of Available Standalone Snap-ins.
    Step 6   Select Add.
    Step 7   Select Computer account.
    Step 8   Select Next.
    Step 9   Perform the following actions from the Select Computer dialog box:
    1. Ensure Local computer: (the computer this console is running on) is selected.
    2. Select Finish.
    3. Select Close.
    4. Select OK.
    Step 10   Expand Certificates (Local Computer) in the left pane of the Certificates console.
    Step 11   Expand Trusted Root Certification Authorities.
    Step 12   Right-click Certificates.
    Step 13   Perform the following actions:
    1. Point to All Tasks.
    2. Select Import.
    Step 14   Select Next in the Import Wizard.
    Step 15   Select Browse and locate the certificate chain on your computer.
    Step 16   Select Open.
    Step 17   Select Next.
    Step 18   Leave the default value Place all certificates in the following store selected.
    Step 19   Ensure Trusted Root Certification Authorities appears under the Certificate store.
    Step 20   Select Next.
    Step 21   Select Finish.

What to Do Next

Submit certificate request on CA server

Submit certificate request on CA server

Before You Begin

Install the CA Certification Chain.

Procedure
    Step 1   On the computer requiring a certificate, open a Web browser.
    Step 2   Enter the URL http://<name of your Issuing CA server>/certsrv.
    Step 3   Select Enter.
    Step 4   Select Request a Certificate.
    Step 5   Select Advanced certificate request.
    Step 6   Select Create and submit a request to this CA.
    Step 7   Select Other in the Type of Certificate Needed list.
    Step 8   In the Name field of the Identifying Information section, enter the FQDN. The name must match the name of the Microsoft OCS, which is usually the FQDN.
    Step 9   In the OID field, type the following OID: 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2.
    Note

    A comma separates the two 1s in the middle of the OID.

    Step 10   Perform one of the following procedures:
    1. If you are using Windows Certificate Authority 2003, check Store certificate in the local computer certificate store in Key Options.
    2. If you are using Windows Certificate Authority 2008, refer to the workaround described in the Troubleshooting Tips of this topic.
    Step 11   Enter a friendly name.
    Step 12   Select Submit.
    Step 13   Select Yes in the Potential Scripting Violation dialog box.

Troubleshooting Tips

If you are using Windows Certificate Authority 2008, you no longer have the option to store the certificate in the local computer store on the certificate enrollment page. Perform the following workaround to replace Step 10 in the procedure:

1. Sign out of the Microsoft OCS server.
2. Sign in to the Microsoft OCS server as a Local user.
3. Create the certificate.
4. Approve the certificate from the CA server.
5. Export the certificate to a file.
6. Sign out of the Microsoft OCS server.
7. Sign in to the Microsoft OCS server as a Domain user.
8. Import the certificate file using the Certificate wizard. The certificate displays in the Microsoft OCS certificate tab (because it is installed in the Local Computer store).

What to Do Next

Approve and install certificate

Approve and install certificate

Before You Begin

Submit the Certificate Request on the CA Server.

Procedure
    Step 1   Sign in to the enterprise subordinate CA server with Domain Administrator credentials.
    Step 2   Select Start > Run.
    Step 3   Perform the following actions:
    1. Enter mmc.
    2. Select Enter.
    Step 4   Select File > Add/Remove Snap-in.
    Step 5   Select Add.
    Step 6   Select Certification Authority in Add Standalone Snap-in.
    Step 7   Select Add.
    Step 8   In Certification Authority, accept the default option Local computer (the computer this console is running on).
    Step 9   Select Finish.
    Step 10   Select Close.
    Step 11   Select OK.
    Step 12   In the MMC, expand Certification Authority and expand your issuing certificate server.
    Step 13   Select Pending request.
    Step 14   In the Details pane, perform the following actions:
    1. Right-click the request identified by its request ID.
    2. Point to All Tasks.
    3. Select Issue.
    Step 15   Select Start > Run on the server from which you requested the certificate.
    Step 16   Type http://<name of your Issuing CA Server>/certsrv.
    Step 17   Select OK.
    Step 18   Select View the status of a pending certificate request from Select a task.
    Step 19   Select your certificate request.
    Step 20   Select Install this certificate.
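
With the certificate installed, the following PowerShell, added here as an example and not part of the Cisco guide, checks it against what the preceding procedures require: a Subject CN equal to the OCS FQDN (Step 8 of the request), both OIDs from Step 9 (1.3.6.1.5.5.7.3.1 is id-kp-serverAuth and 1.3.6.1.5.5.7.3.2 is id-kp-clientAuth, the server and client authentication extended key usages), a private key in the store, and a chain that builds to the CA chain installed under Trusted Root Certification Authorities. It assumes the certificate is in Cert:\LocalMachine\My; the $ExpectedFqdn parameter is an assumption that defaults to this host's FQDN.

```powershell
# Added example, not from the Cisco guide: check the certificate installed for
# Microsoft OCS against what the procedures above require.
# Assumption: the certificate is in the Local Computer personal store.
param(
    # Expected Subject CN (Step 8 of the request); defaults to this host's FQDN
    [string]$ExpectedFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
)

# The two OIDs from Step 9: id-kp-serverAuth and id-kp-clientAuth
$requiredEku = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo($simpleName, $false) -ieq $ExpectedFqdn })
if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with Subject CN '$ExpectedFqdn' in Cert:\LocalMachine\My; check that the request was stored in the local computer store (Step 10 or the Windows 2008 workaround)"
    return
}

foreach ($cert in $candidates) {
    $problems = @()

    # TLS needs the private key, not just the public certificate
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the store' }

    # Both OIDs from Step 9 must appear in the Enhanced Key Usage extension
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $requiredEku) {
        if ($ekuOids -notcontains $oid) { $problems += "EKU $oid missing" }
    }

    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }

    # The chain must build to the CA chain installed under Trusted Root Certification Authorities
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build to a trusted root ($status)"
    }

    $label = "$($cert.Subject) (thumbprint $($cert.Thumbprint))"
    if ($problems.Count -eq 0) { Write-Output "OK: $label" }
    else { Write-Output "FAIL: $label"; $problems | ForEach-Object { Write-Output "  - $_" } }
}
```

Run it on the Microsoft OCS server after Step 20; a FAIL line names the procedure step whose result is missing, so the remaining steps are not built on a certificate that peer authentication will later reject.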

What to Do Next

Configure installed certificate

Configure installed certificate

Before You Begin

Approve and install the Certificate.

Procedure
    Step 1   Select Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
    Step 2   Expand the (local computer) tree on the right pane.
    Step 3   Select Default Web Site.
    Step 4   Right-click to open the Properties dialog box.
    Step 5   Select the Certificate tab from the Default Web Site Properties dialog box.
    Step 6   If a certificate has already been selected, select Delete Certificate to remove the selection.
    Step 7   Select Certificate to launch the Certificate Wizard.
    Step 8   Using the Certificate Wizard, select the certificate that was installed for Microsoft OCS.
    Step 9   Launch the Microsoft Office Communications Server 2007 application.
    Step 10   In the right pane, select the server that represents the local machine.
    Step 11   Right-click on the server.
    Step 12   Select Properties > Front End Properties.
    Step 13   Select the Certificate tab.
    Step 14   Select Select Certificate.
    Step 15   Find and select the installed certificate for Microsoft OCS.
    Note

    If you are using Microsoft LCS, follow steps 1-7 above and then open the Microsoft Live Communications Server 2005 application. From the Administration Page, right-click on the desired server to open the Properties dialog box. Select the Security tab, select Select Certificate, and select the newly installed LCS certificate.

What to Do Next

Configure a TLS route for IM and Presence on Microsoft OCS

Configure a TLS route for IM and Presence on Microsoft OCS

Procedure
    Step 1   Launch the Microsoft Office Communications Server 2007 application.
    Step 2   Right-click on Microsoft OCS Server pool in the right pane.
    Step 3   Select Properties > Front End Properties.
    Step 4   Select the Routing tab from the Front End Server Properties dialog box.
    Step 5   Select Add.
    Step 6   Perform the following actions to add a static route:
    1. Enter the hostname/FQDN for IM and Presence in the Domain field.
    Note

    This should match the Subject CN of the IM and Presence certificate; otherwise, Microsoft OCS will not establish a TLS connection with IM and Presence.

    2. Select TLS from the Transport menu.
    3. Enter 5062 in the Port field. Port 5062 is the default port on which IM and Presence listens for peer authentication TLS connections.
    4. Check Replace host in request URI.
    5. Select OK.

Troubleshooting Tip

You can check the Subject CN of an IM and Presence certificate by selecting Cisco Unified CM IM and Presence Operating System Administration > Security > Certificate Management and selecting a certificate entry in the certificate list.

What to Do Next

Configure IM and Presence as an authenticated host on Microsoft OCS

Configure IM and Presence as an authenticated host on Microsoft OCS

Procedure
    Step 1   Launch the Microsoft Office Communications Server 2007 application.
    Step 2   Right-click on Microsoft OCS Server pool in the right pane.
    Step 3   Select Properties > Front End Properties.
    Step 4   Select the Host Authorization tab.
    Step 5   Select Add.
    Step 6   Select FQDN and enter the CUP X.509 Subject Common Name as it appears in its certificate.
    Step 7   Check Throttle as server.
    Step 8   Check Treat as Authenticated.
    Step 9   Select OK.
    Step 10   Reboot the Microsoft OCS server.

    When the server reboots, the Microsoft OCS server pool should display the outbound static route just configured.

What to Do Next

Configure Microsoft OCS to use TLSv1

Configure Microsoft OCS to use TLSv1

IM and Presence supports only TLSv1, so you must configure Microsoft OCS to use TLSv1. This procedure describes how to configure FIPS-compliant algorithms on Microsoft OCS to ensure that Microsoft OCS sends TLSv1 with the TLS cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA.

Procedure
    Step 1   Select Start > Administrative Tools > Local Security Policy.
    Step 2   Select Security Settings in the console tree.
    Step 3   Select Local Policies.
    Step 4   Select Security Options.
    Step 5   Double-click the FIPS security setting in the Details pane.
    Step 6   Modify the security setting.
    Step 7   Select OK.
    Step 8   Restart the Windows Server for the change to the FIPS security setting to take effect.

What to Do Next

Create a new TLS peer subject for Microsoft OCS on IM and Presence

Create a new TLS peer subject for Microsoft OCS on IM and Presence

Procedure
    Step 1   Select Cisco Unified CM IM and Presence Administration > System > Security > TLS Peer Subjects.
    Step 2   Select Add New.
    Step 3   Enter the subject CN of the certificate that Microsoft OCS presents in the Peer Subject Name field.
    Step 4   Enter the name of the Microsoft OCS server in the Description field.
    Step 5   Select Save.

What to Do Next

Add TLS peer to selected TLS peer subjects list on IM and Presence

Add TLS peer to selected TLS peer subjects list on IM and Presence

Before You Begin

Create a new TLS Peer Subject for Microsoft OCS on IM and Presence.

Procedure
    Step 1   Select Cisco Unified CM IM and Presence Administration > System > Security > TLS Context Configuration.
    Step 2   Select Find.
    Step 3   Select Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.

    The TLS Context Configuration window displays.

    Step 4   From the list of available TLS ciphers, select TLS_RSA_WITH_3DES_EDE_CBC_SHA.
    Step 5   Select the right arrow to move this cipher to Selected TLS Ciphers.
    Step 6   Check Disable Empty TLS Fragments.
    Step 7   From the list of available TLS peer subjects, select the TLS peer subject that you configured.
    Step 8   Select the right arrow to move it to Selected TLS Peer Subjects.
    Step 9   Select Save.
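
Once both sides are configured, the following PowerShell, added here as an example and not part of the Cisco guide, opens a single TLSv1 handshake from the Microsoft OCS server to the IM and Presence peer-authentication port and reports the negotiated protocol, cipher and hash, whether the OCS certificate was accepted as a client certificate, and whether the Subject CN that IM and Presence presents matches the static route's Domain field. It assumes the OCS certificate is in Cert:\LocalMachine\My and takes the IM and Presence FQDN and that certificate's thumbprint as parameters ($ImpFqdn and $OcsThumbprint are assumed names).

```powershell
# Added example, not from the Cisco guide: one diagnostic TLSv1 handshake from
# the Microsoft OCS server to the IM and Presence peer-authentication port.
# Assumptions: $ImpFqdn is the value entered in the static route's Domain
# field and $OcsThumbprint identifies the OCS certificate in LocalMachine\My.
param(
    [Parameter(Mandatory = $true)][string]$ImpFqdn,
    [Parameter(Mandatory = $true)][string]$OcsThumbprint,
    [int]$Port = 5062   # default IM and Presence peer-authentication TLS port
)

$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $OcsThumbprint }
if (-not $clientCert) { throw "OCS certificate $OcsThumbprint not found in Cert:\LocalMachine\My" }
$clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
[void]$clientCerts.Add($clientCert)

# Keep the certificate IM and Presence presents so its Subject CN can be compared with the
# route's Domain; returning $true here only lets this diagnostic handshake complete.
$script:peerCert = $null
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:peerCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($ImpFqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
try {
    # Offer TLSv1 only, which is what IM and Presence supports
    $ssl.AuthenticateAsClient($ImpFqdn, $clientCerts, [System.Security.Authentication.SslProtocols]::Tls, $false)

    $peerCn = $script:peerCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    Write-Output ("Protocol               : {0}" -f $ssl.SslProtocol)             # expect Tls
    Write-Output ("Cipher                 : {0}" -f $ssl.CipherAlgorithm)         # expect TripleDes with FIPS mode on
    Write-Output ("Hash                   : {0}" -f $ssl.HashAlgorithm)           # expect Sha1
    Write-Output ("Mutually authenticated : {0}" -f $ssl.IsMutuallyAuthenticated) # OCS certificate accepted as client certificate
    Write-Output ("IM and Presence CN     : {0}" -f $peerCn)
    if ($peerCn -ine $ImpFqdn) {
        Write-Warning "Subject CN '$peerCn' differs from the route Domain '$ImpFqdn'; Microsoft OCS will not establish the TLS route"
    }
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

A handshake that completes with a cipher other than TripleDes means the FIPS setting did not take effect on the OCS server (Step 8 of that procedure requires a restart); a handshake failure with the correct cipher usually points at the TLS peer subject list on IM and Presence.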