Integration Guide for Configuring Cisco Unified Presence Release 8.0 and 8.5 for Interdomain Federation
Configuring Cisco Unified Presence for XMPP Federation

Table Of Contents

Configuring Cisco Unified Presence for XMPP Federation

How to Configure the General Settings for XMPP Federation

XMPP Federation Overview

Important Notes About Restarting Services for XMPP Federation

Turning on XMPP Federation on a Node

Configuring the Security Settings for XMPP Federation

Configuring the XMPP Federated Domains for Cisco Unified Personal Communicator Release 7.x Users

How to Configure DNS for XMPP Federation

DNS SRV Records for XMPP Federation

DNS SRV Records for Chat Feature for XMPP Federation

Configuring DNS SRV Record for Chat Node for XMPP Federation

How to Configure the Policy Settings for XMPP Federation

Policy Exception Configuration

Configuring the Policy for XMPP Federation

Configuring Cisco Adaptive Security Appliance for XMPP Federation

Turning On Email for XMPP Federation

Turning On the XMPP Federation Service


Configuring Cisco Unified Presence for XMPP Federation


June 4, 2013


How to Configure the General Settings for XMPP Federation


XMPP Federation Overview

Cisco Unified Presence Release 8.x supports XMPP federation with the following enterprises:

Cisco WebEx Connect Release 6.0

IBM Sametime Release 8.2 and 8.5

GoogleTalk

(Another) Cisco Unified Presence Release 8.x enterprise


Note Cisco Unified Presence does not support XMPP federation between a Cisco Unified Presence Release 8.x enterprise and a Cisco Unified Presence Release 7.x enterprise.


When Cisco Unified Presence federates with a WebEx Connect enterprise, WebEx Connect client users cannot invite Cisco Unified Presence users to temporary or persistent chat rooms. This is due to a design constraint in the WebEx Connect client.

To allow Cisco Unified Presence to federate over XMPP, you must enable and configure XMPP federation on Cisco Unified Presence, following the procedures we describe in this chapter.

If you have multiple Cisco Unified Presence clusters, you must enable and configure XMPP federation on at least one node per cluster. The XMPP federation configuration must be identical across clusters. The Diagnostics Troubleshooter compares the XMPP federation configuration across clusters and reports if it is not identical.

If you deploy Cisco Adaptive Security Appliance for firewall purposes, note the following:

See section About Integration Preparation for considerations on routing, scale, public IP addresses and the certificate authority (CA).

See section Prerequisite Configuration for Cisco Adaptive Security Appliance for information on configuring the prerequisite information such as the hostname, timezone, clock and so on.

Important Notes About Restarting Services for XMPP Federation

If you make a change to any of the XMPP Federation settings, you must restart these services in Cisco Unified Serviceability: Cisco UP XCP Router (select Tools > Control Center - Network Services), Cisco UP XCP XMPP Federation Connection Manager (select Tools > Control Center - Feature Services). When you restart the Cisco UP XCP Router service, Cisco Unified Presence restarts all the XCP services.

If you enable or disable XMPP federation on a node, you must restart the Cisco UP XCP Router on all nodes within a cluster, not just on the node where XMPP federation has been enabled or disabled. For all other XMPP federation settings, a Cisco UP XCP Router restart is only required on the node to which the setting is being changed.

Turning on XMPP Federation on a Node

This setting is turned off by default.

Procedure


Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > XMPP Federation > Settings.

Select On in the XMPP Federation Status menu.

Step 2 Select Save.


Troubleshooting Topics

You cannot start the XCP XMPP Federation Connection Manager service on the Cisco Unified Presence node, unless you turn on XMPP Federation on the node.

What To Do Next

Configuring the Security Settings for XMPP Federation

Configuring the Security Settings for XMPP Federation

Before You Begin

Determine whether the foreign domain that you are federating with supports TLS connections.

The TLS and SASL specific settings are only configurable if you select the security mode 'TLS Optional' or 'TLS Required'.

If you are configuring federation between Cisco Unified Presence and IBM using TLS, you must configure the security mode 'TLS Required', and you must enable SASL.

Procedure


Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > XMPP Federation > Settings.

Step 2 Select a security mode from the menu:

No TLS—Cisco Unified Presence does not establish a TLS connection with the foreign domain. The system uses an unencrypted connection to federate with the foreign domain, and uses the server dialback mechanism (XEP-0220) to verify the identity of the other server. Dialback only proves that whoever controls the DNS entries for the claimed domain vouches for the connection; it gives no confidentiality and does not protect against an attacker who controls DNS or the network path.

TLS Optional—Cisco Unified Presence attempts to establish a TLS connection with the foreign domain. If Cisco Unified Presence fails to establish a TLS connection, it reverts to server dialback to verify the identity of the other server. Because of this fallback, an on-path attacker who disrupts the TLS negotiation can force the session onto the unencrypted dialback path, so use TLS Required for any foreign domain that supports TLS.

TLS Required—The system guarantees a secure (encrypted) connection with the foreign domain. Cisco Unified Presence does not fall back to an unencrypted connection; if TLS cannot be established, no federated session is set up with that domain.

Step 3 Check Require client-side security certificates if you want to enforce strict validation of the certificate that the foreign domain server presents against a root CA certificate installed on Cisco Unified Presence. This check box is checked by default when you select either the TLS Optional or the TLS Required security mode. If you clear it, TLS still encrypts the session, but the certificate no longer proves which server you are connected to.


Note If you are configuring XMPP federation with WebEx, do not check Require client-side security certificates.


Step 4 Check Enable SASL EXTERNAL on all incoming connections to ensure that Cisco Unified Presence advertises support for SASL EXTERNAL on incoming connection attempts and performs SASL EXTERNAL validation. SASL EXTERNAL authenticates the foreign server by the certificate it presented during the TLS handshake, so it is only meaningful together with a TLS security mode and certificate validation.

Step 5 Check Enable SASL on outbound connections to ensure that Cisco Unified Presence sends a SASL auth id to the foreign domain if the foreign server requests SASL EXTERNAL.

Step 6 Enter the dialback secret if you want to use server dialback (DNS-based verification) to verify the identity of a foreign server that is attempting to connect to Cisco Unified Presence. Cisco Unified Presence does not accept any packets from the foreign server until dialback has validated the identity of the foreign server. Treat the secret like a password: Cisco Unified Presence derives its dialback keys from it, so it must not be guessable.

Step 7 Select Save.


Troubleshooting Tips

For further information on the security settings, see the Online Help.

If the server is part of an intercluster deployment, then you must configure each cluster with the same security settings. Run the System Troubleshooter to ensure that your configuration is consistent on all nodes.

Related Topics

Turning on XMPP Federation on a Node

For further information on server dialback, see XEP-0220 from the XMPP Standards Foundation: http://xmpp.org/extensions/xep-0220.html

Configuring the XMPP Federated Domains for Cisco Unified Personal Communicator Release 7.x Users


Note This topic is only applicable if your federation deployment contains Cisco Unified Personal Communicator Release 7.x users, otherwise you do not need to explicitly configure the domains for XMPP federation.


Procedure


Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > XMPP Federation > Settings.

Step 2 Select Configure for domain(s).

Step 3 Select Add New.

Step 4 Enter the XMPP domain of the foreign server that you want to add. This must correspond to the domain configuration in DNS for the foreign enterprise. Cisco Unified Presence uses the domain in the XMPP JID/URIs of users from that domain.

Step 5 Enter a description that will help you distinguish between XMPP domain instances when you have more than one configured.

Step 6 Select Save.


Related Topics

How to Configure DNS for XMPP Federation

How to Configure DNS for XMPP Federation


DNS SRV Records for XMPP Federation

To allow Cisco Unified Presence to discover a particular XMPP federated domain, the federated enterprise must publish the DNS SRV record _xmpp-server in its public DNS server. Similarly, Cisco Unified Presence must publish the same DNS SRV record in the DNS for its domain. Both enterprises must publish port 5269 in the record. The target FQDN in the record must also resolve to an IP address in DNS through an address record; RFC 2782 does not allow an SRV target to be a CNAME alias.

The record required is:

_xmpp-server._tcp.<domain>

See Figure 11-1 for a sample DNS configuration for the DNS SRV record _xmpp-server.

Figure 11-1

DNS SRV for _xmpp-server

If you have remote root access to Cisco Unified Presence, you can run nslookup to determine if the federated domain is discoverable.


Tip Use this sequence of commands for performing a DNS SRV lookup:

nslookup
set type=srv
_xmpp-server._tcp.<domain> 

(<domain> is the domain of the federated enterprise.)

This command returns output similar to this (where 'example.com' is the domain of the federated server):

_xmpp-server._tcp.example.com service = 0 0 5269 hostname.example.com.

For a single cluster, you only need to enable XMPP federation on one node in the cluster. You publish one DNS SRV record for the enterprise in the public DNS. Cisco Unified Presence routes all incoming requests from foreign domains to the node running federation. Internally Cisco Unified Presence reroutes the requests to the correct node for the user. Cisco Unified Presence also routes all outgoing requests to the node running XMPP federation.

You can also publish multiple DNS SRV records, for example, for scale purposes, or if you have multiple Cisco Unified Presence clusters and you must enable XMPP federation at least once per cluster. Unlike SIP federation, XMPP federation does not require a single point of entry for the Cisco Unified Presence enterprise domain. As a result, Cisco Unified Presence can route incoming requests to any one of the published nodes in the cluster that you enable for XMPP federation.

In an intercluster and a multi-node cluster Cisco Unified Presence deployment, when a foreign XMPP federated domain initiates a new session, it performs a DNS SRV lookup to determine where to route the request. If you publish multiple DNS SRV records, the DNS lookup returns multiple results; Cisco Unified Presence can route the request to any of the servers that DNS publishes. Internally Cisco Unified Presence reroutes the requests to the correct node for the user. Cisco Unified Presence routes outgoing requests to any of the nodes running XMPP federation.

If you have multiple nodes running XMPP federation, you can still choose to publish only one node in the public DNS. With this configuration, Cisco Unified Presence routes all incoming requests to that single node, rather than load-balancing the incoming requests across the nodes running XMPP federation. Cisco Unified Presence still load-balances outgoing requests and sends them from any of the nodes running XMPP federation.

Related Topics

DNS SRV Records for Chat Feature for XMPP Federation

DNS SRV Records for Chat Feature for XMPP Federation

If you configure the Chat feature on a Cisco Unified Presence server in an XMPP federation deployment, you must also publish the chat node alias in DNS, because federated users address chat rooms by that alias.

The hostname to which the DNS SRV record for the chat node resolves must itself resolve to a public IP address. Depending on your deployment, you may have a single public IP address, or a public IP address for each chat node within your network:

Single public IP address, multiple nodes internally:

To route all chat requests to the XMPP federation node, which then forwards them internally to the chat node:

1. Configure the DNS SRV record for the chat node alias to point to port 5269.

2. Configure a NAT rule on Cisco Adaptive Security Appliance or on your firewall/NAT server that maps publicIPAddress:5269 to XMPPFederationNodePrivateIPAddress:5269.

Multiple public IP addresses, multiple nodes internally:

If you have multiple public IP addresses, you can choose to route chat requests directly to the appropriate chat node.

1. Configure the DNS SRV record for the chat node to use an arbitrary port other than 5269, for example, 25269.

2. Configure a PAT rule on Cisco Adaptive Security Appliance or on your firewall/NAT server that maps textChatServerPublicIPAddress:25269 to textChatServerPrivateIPAddress:5269.


Note To allow the chat node to handle incoming federated text requests, you must turn on the Cisco UP XCP XMPP Federation Connection Manager on the chat node.



For information on configuring the Chat feature on Cisco Unified Presence, see Deployment Guide for Cisco Unified Presence Release 8.x.

Related Topics

Configuring DNS SRV Record for Chat Node for XMPP Federation

Configuring DNS SRV Record for Chat Node for XMPP Federation

Procedure


Step 1 To retrieve the chat node alias:

a. Select Cisco Unified Presence Administration > Messaging > Conference Server Alias Mapping.

b. Select Find to display a list of chat node aliases.

c. Select the chat node alias that you want to publish in DNS, for example 'conference-2.StandAloneCluster.example.com'.

Step 2 In the public DNS server for the 'example.com' domain, create the subdomain 'StandAloneCluster'.

Step 3 In the subdomain 'StandAloneCluster', create the subdomain 'conference-2'.

Step 4 In the subdomain 'conference-2', create the subdomain '_tcp'.

Step 5 In the subdomain '_tcp', create a new DNS SRV record for _xmpp-server. See Figure 11-2 and Figure 11-3 for a sample DNS configuration.


Note If the text conference server alias is 'conference-2-StandAloneCluster.example.com', then the subdomain at step 3 is 'conference-2-StandAloneCluster', and you skip step 4.


Figure 11-2 DNS SRV for _xmpp-server for Chat Feature

Figure 11-3 DNS configuration for Chat Feature
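The following Python script is an added example for this guide, not Cisco code, and serves both the enterprise _xmpp-server record described above and the chat node alias record from this section. It parses SRV records in the two forms the guide shows (BIND-style zone lines and nslookup's "service = ..." answer), models the RFC 2782 fields, orders targets by priority and weight, and flags what a federated peer would trip over: an owner name other than _xmpp-server._tcp.<domain>, a target of "." (service not offered), or a port other than 5269, which then needs a PAT mapping on the firewall. The zone fragment, the nslookup line, the domain example.com, the hosts cup1/cup2, and the alias conference-2.StandAloneCluster.example.com are all constructed sample data.

```python
"""Parse and sanity-check _xmpp-server SRV records for XMPP federation.

Added example for this guide, not Cisco code. All domain names and records
below are constructed sample data.
"""
import re
import socket
from dataclasses import dataclass

XMPP_S2S_PORT = 5269
SRV_LABEL = "_xmpp-server._tcp."


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name without trailing dot, lower-cased
    priority: int  # lower is preferred (RFC 2782)
    weight: int    # relative weight among records of equal priority
    port: int
    target: str    # '' if the zone published '.', i.e. the service is not offered


# Constructed zone lines for a fictional example.com enterprise: two federation
# nodes on 5269 plus one chat-node alias (conference-2.StandAloneCluster.example.com)
# published on an arbitrary port, as the chat-feature section describes.
SAMPLE_ZONE = """
; example.com zone fragment (constructed)
_xmpp-server._tcp.example.com.                               86400 IN SRV 0 0 5269  cup1.example.com.
_xmpp-server._tcp.example.com.                               86400 IN SRV 0 0 5269  cup2.example.com.
_xmpp-server._tcp.conference-2.StandAloneCluster.example.com. 86400 IN SRV 0 0 25269 cup1.example.com.
"""

# Constructed nslookup answer in the format the guide shows.
SAMPLE_NSLOOKUP = "_xmpp-server._tcp.example.com service = 0 0 5269 hostname.example.com."

ZONE_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
NSLOOKUP_RE = re.compile(r"^(\S+)\s+service\s*=\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(text):
    """Return an SrvRecord for every zone-file or nslookup-style SRV line in text."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = ZONE_RE.match(line) or NSLOOKUP_RE.match(line)
        if match is None:
            continue  # not an SRV line (A/AAAA records, headers, and so on)
        name, prio, weight, port, target = match.groups()
        records.append(SrvRecord(name.rstrip(".").lower(), int(prio), int(weight),
                                 int(port), target.rstrip(".").lower()))
    return records


def check_srv(records):
    """Return (severity, message) findings for records a federated peer would reject."""
    findings = []
    for rec in records:
        if not rec.name.startswith(SRV_LABEL):
            findings.append(("error", f"{rec.name}: peers query {SRV_LABEL}<domain>, not this name"))
        if not rec.target:
            findings.append(("error", f"{rec.name}: target '.' advertises that the service is not offered"))
        elif rec.port != XMPP_S2S_PORT:
            findings.append(("info", f"{rec.name}: port {rec.port} is not {XMPP_S2S_PORT}; the firewall "
                                     f"must PAT {rec.target}:{rec.port} to a federation node's port {XMPP_S2S_PORT}"))
    return findings


def order_targets(records, name):
    """Records for one owner name in the order a deterministic client would try them.

    RFC 2782 selects randomly by weight within a priority; this sorts by weight
    descending instead so the result is reproducible.
    """
    name = name.rstrip(".").lower()
    chosen = [r for r in records if r.name == name and r.target]
    return sorted(chosen, key=lambda r: (r.priority, -r.weight))


def target_resolves(target):
    """True if the SRV target has an address in DNS (needs network access; not used offline)."""
    try:
        socket.getaddrinfo(target, XMPP_S2S_PORT)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_ZONE) + parse_srv(SAMPLE_NSLOOKUP)
    for severity, message in check_srv(recs):
        print(f"{severity}: {message}")
    for rec in order_targets(recs, "_xmpp-server._tcp.example.com"):
        print(f"try {rec.target}:{rec.port} (priority {rec.priority}, weight {rec.weight})")
```

To check a real domain, paste the nslookup output into parse_srv, run check_srv on the result, and call target_resolves on each target from a host that can reach the public DNS; an "info" finding on the chat alias is expected when you publish it on an arbitrary port, and is your reminder to configure the matching PAT rule.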

Related Topics

Deployment Guide for Cisco Unified Presence Release 8.x:

http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html

DNS SRV Records for XMPP Federation

How to Configure the Policy Settings for XMPP Federation


Policy Exception Configuration

You can configure exceptions to the default policy for XMPP federation. In the exception, you must specify the foreign domain to which you want to apply the exception, and a direction rule for the exception. When you configure the domain name for a policy exception, note the following:

If the URI or JID of the user is 'user@example.com', configure the foreign domain name in the exception as 'example.com'.

If the foreign enterprise uses hostname.domain in the URI or JID of the user, for example 'user@hostname.example.com', configure the foreign domain name in the exception as 'hostname.example.com'.

You can use a wildcard (*) for the foreign domain name in the exception. For example, the value '*.example.com' applies the policy to 'example.com' and to any subdomain of example.com, for example 'somewhere.example.com'.

You must also specify the direction that Cisco Unified Presence applies the policy exception. These direction options are available:

all federated packets from/to the above domain/host—Cisco Unified Presence allows or denies all traffic going to and coming from the specified domain.

only incoming federated packets from the above domain/host—Allow Cisco Unified Presence to receive inbound broadcasts from the specified domain, but Cisco Unified Presence does not send responses.

only outgoing federated packets to the above domain/host—Allow Cisco Unified Presence to send outbound broadcasts to the specified domain, but Cisco Unified Presence does not receive responses.

Related Topics

Configuring the Policy for XMPP Federation

Configuring the Policy for XMPP Federation


Caution If you make a change to any of the XMPP Federation settings, you must restart these services in Cisco Unified Serviceability: Cisco UP XCP Router (select Tools > Control Center - Network Services), Cisco UP XCP XMPP Federation Connection Manager (select Tools > Control Center - Feature Services). When you restart the Cisco UP XCP Router service, Cisco Unified Presence restarts all the XCP services.

Procedure


Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > XMPP Federation > Policy.

Step 2 Select the policy settings from the menu:

Allow - Cisco Unified Presence permits all federated traffic from XMPP federated domains, except those domains that you explicitly deny on the policy exception list.

Deny - Cisco Unified Presence denies all federated traffic from XMPP federated domains, except those domains that you explicitly permit on the policy exceptions list.

Step 3 To configure a domain on the policy exception list:

a. Select Add New.

b. Specify the domain name or the hostname of the foreign server.

c. Specify the direction to apply the policy exception.

d. Select Save on the policy exception window.

Step 4 Select Save on the policy window.
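The following Python model is an added example illustrating the policy rules from Policy Exception Configuration and the Allow/Deny procedure above; it is not Cisco code and does not reproduce how the Cisco UP XCP Router implements the policy. Two details are assumptions, because the guide does not state them: exceptions are evaluated in list order with the first match winning, and the policy is keyed on the domain part of the peer's JID. The domains partner.example, unknown.example and notpartner.example and the sample stanzas are constructed.

```python
"""Model of the XMPP federation policy: a default (Allow or Deny) plus
exceptions, each naming a foreign domain or host and a direction.

Added example, not Cisco code. Assumed (hypothetical): first matching
exception wins; matching is on the domain part of the peer JID.
"""
from dataclasses import dataclass

ALL, INCOMING, OUTGOING = "all", "incoming", "outgoing"


@dataclass(frozen=True)
class PolicyException:
    domain: str     # 'example.com', 'hostname.example.com' or '*.example.com'
    direction: str  # ALL, INCOMING or OUTGOING, as offered in the Policy window


def domain_matches(pattern, domain):
    """Exact match, or '*.example.com' matching example.com and any subdomain of it.

    The comparison is on whole labels, so '*.example.com' does not match
    'notexample.com'.
    """
    pattern = pattern.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return domain == base or domain.endswith("." + base)
    return domain == pattern


def jid_domain(jid):
    """'user@hostname.example.com/resource' -> 'hostname.example.com'."""
    bare = jid.split("/", 1)[0]
    return bare.rsplit("@", 1)[-1]


class FederationPolicy:
    def __init__(self, default, exceptions=()):
        if default not in ("allow", "deny"):
            raise ValueError("default policy must be 'allow' or 'deny'")
        self.default = default
        self.exceptions = list(exceptions)

    def decision(self, peer_domain, direction):
        """Return 'allow' or 'deny' for one packet.

        direction is INCOMING (packet from the peer) or OUTGOING (packet to the
        peer). An exception inverts the default for the domains and direction
        it names; the first matching exception wins (assumption).
        """
        for exc in self.exceptions:
            if domain_matches(exc.domain, peer_domain) and exc.direction in (ALL, direction):
                return "deny" if self.default == "allow" else "allow"
        return self.default

    def filter_stanzas(self, stanzas):
        """Apply the policy to (direction, peer_jid, payload) tuples; return the allowed ones."""
        return [s for s in stanzas if self.decision(jid_domain(s[1]), s[0]) == "allow"]


# Constructed traffic: a subscription from a partner, chat to a partner
# subdomain, a probe from an unknown domain, and a message to a look-alike domain.
SAMPLE_STANZAS = [
    (INCOMING, "alice@partner.example/laptop", "<presence type='subscribe'/>"),
    (OUTGOING, "bob@chat.partner.example", "<message><body>hi</body></message>"),
    (INCOMING, "mallory@unknown.example", "<presence type='probe'/>"),
    (OUTGOING, "carol@notpartner.example", "<message/>"),
]

# Deny by default, with the partner's whole domain tree opened in both directions.
DENY_DEFAULT = FederationPolicy("deny", [PolicyException("*.partner.example", ALL)])


if __name__ == "__main__":
    for direction, jid, payload in SAMPLE_STANZAS:
        print(direction, jid, DENY_DEFAULT.decision(jid_domain(jid), direction))
```

A deny-by-default policy with explicit exceptions is the safer starting point for a federation edge: the look-alike domain notpartner.example is rejected because wildcard matching is on whole labels, and a one-directional exception lets you receive presence from a partner without ever sending responses to it.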


Troubleshooting Tips

See the Online Help for federation policy recommendations.

Related Topics

Policy Exception Configuration

Configuring Cisco Adaptive Security Appliance for XMPP Federation

For XMPP federation, Cisco Adaptive Security Appliance acts as a firewall and NAT device only; it does not proxy or inspect the XMPP session. You must open TCP port 5269 for both incoming and outgoing XMPP federated traffic on Cisco Adaptive Security Appliance. XMPP server-to-server traffic uses TCP only, so no UDP rules are required.

These are sample access lists to open port 5269 on Cisco Adaptive Security Appliance Release 8.3. Because Release 8.3 and later evaluate access lists against the real (pre-NAT) address, the host entries below use the private address of the Cisco Unified Presence node, not the public address published in DNS.

Allow traffic from any address to any address on port 5269:

access-list ALLOW-ALL extended permit tcp any any eq 5269

Allow traffic from any address to a single node on port 5269:

access-list ALLOW-ALL extended permit tcp any host <private cup IP address> eq 5269

The access list only takes effect once it is applied to the outside interface (this line is not shown in the original sample; it assumes the public-facing interface is named outside):

access-group ALLOW-ALL in interface outside

If you use the single-node access list rather than the any-to-any list, and you publish additional XMPP federation nodes in DNS, you must add an access-list entry and network objects for each of these nodes, for example:

object network obj_host_<private cup ip address>
 host <private cup ip address>
object network obj_host_<private cup2 ip address>
 host <private cup2 ip address>
object network obj_host_<public cup ip address>
 host <public cup ip address>

....

The NAT commands that follow reference service objects for TCP port 5269 and for the arbitrary public ports used in the single-public-address case. Define them before the NAT statements (the original sample does not show these definitions):

object service obj_tcp_source_eq_5269
 service tcp source eq 5269
object service obj_tcp_source_eq_25269
 service tcp source eq 25269
object service obj_tcp_source_eq_35269
 service tcp source eq 35269

Configure the following NAT command for the first XMPP federation node:

nat (inside,outside) source static obj_host_<private cup1 IP> obj_host_<public cup IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

If you publish a single public IP address in DNS and use arbitrary ports, configure the following. Each additional node is reached through its own public port, and the DNS SRV record you publish for that node must carry the same port (this example is for two additional XMPP federation nodes):

nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_25269
nat (inside,outside) source static obj_host_<private cup3 ip> obj_host_<public cup IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_35269

If you publish multiple public IP addresses in DNS, all using port 5269, configure the following (this example is for two additional XMPP federation nodes, each mapped to its own public address object):

nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup2 IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
nat (inside,outside) source static obj_host_<private cup3 ip> obj_host_<public cup3 IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

Related Topics

Configuring Cisco Adaptive Security Appliance for SIP Federation

Turning On Email for XMPP Federation

When you turn on the use of the email address for XMPP federation, Cisco Unified Presence presents the email address of the local user to federated contacts in place of the user's JID.

To turn on email for XMPP federation, follow the same procedure as for SIP federation, see the procedure in the Related Topics section below.

The email address for federation feature (in an XMPP federation deployment) does not currently support temporary or persistent chat rooms in a multi-cluster Cisco Unified Presence deployment. In the deployment scenario where there are multiple Cisco Unified Presence clusters in the local domain, the local user's actual JID may be sent to the federated user. The only impact to the chat room is that the name that displays to the federated user is the user ID of the local user, instead of the email address of the local user; all other chat room functionality operates as normal. This only occurs in temporary or persistent chat rooms with federated users.

Related Topics

Turning On Email for Federation

Turning On the XMPP Federation Service

You need to turn on the Cisco UP XCP XMPP Federation Connection Manager service on each Cisco Unified Presence node that runs XMPP federation. Once you turn on the Federation Connection Manager service from the Service Activation window, Cisco Unified Presence automatically starts the service; you do not need to manually start the service from the Control Center - Feature Services window.

Before You Begin

Turn on XMPP Federation for the node from Cisco Unified Presence Administration, see Turning on XMPP Federation on a Node.

Procedure


Step 1 Select Cisco Unified Serviceability > Tools > Service Activation.

Step 2 Select the server from the Server list box.

Step 3 Select Go.

Step 4 Select the radio button next to the Cisco UP XCP XMPP Federation Connection Manager service in the CUP Services section.

Step 5 Select Save.


Related Topics

Configuring Serviceability for Federation