Integration Guide for Configuring Cisco Unified Presence Release 8.6 for Interdomain Federation
Configuring Interdomain Federation to Microsoft OCS/Lync within an Enterprise


Table Of Contents

Configuring Interdomain Federation to Microsoft OCS/Lync within an Enterprise

Adding a Microsoft OCS Domain within an Enterprise

How to Configure Static Routes Using TCP for Federation with Microsoft OCS Domain

Configuring a Static Route on Cisco Unified Presence for the OCS Server

Configuring a Static Route on OCS for the Cisco Unified Presence server

Adding a Host Authorization entry for the Cisco Unified Presence server

Enabling Port 5060 on the OCS Server

How to Configure Static Routes Using TLS for Federation with Microsoft OCS Domain

Configuring Static Routes for Interdomain Federation to Microsoft Lync within an Enterprise

Subscribe Cisco Unified Presence users to Lync/OCS


Configuring Interdomain Federation to Microsoft OCS/Lync within an Enterprise


June 18, 2013


Note Refer to Federation and Subdomains for information about federation and subdomains. As long as the OCS and Cisco Unified Presence domains are different, you can configure federation within the enterprise; you do not have to use subdomains, because separate domains are equally applicable.


Adding a Microsoft OCS Domain within an Enterprise

When you configure a federated domain entry, Cisco Unified Presence automatically adds the incoming ACL for the federated domain entry. You can see the incoming ACL associated with a federated domain on Cisco Unified Presence Administration, but you cannot modify or delete it. You can only delete the incoming ACL when you delete the (associated) federated domain entry.

Procedure


Step 1 Select Cisco Unified Presence Administration > Presence > Inter-Domain Federation > SIP Federation.

Step 2 Select Add New.

Step 3 Enter the federated domain name in the Domain Name field.

Step 4 Enter a description that identifies the federated domain in the Description field.

Step 5 Select Inter-domain to OCS/Lync.

Step 6 Check Direct Federation.

Step 7 Select Save.

Step 8 After you add, edit or delete a SIP federated domain, restart the Cisco UP XCP Router by selecting Tools > Control Center - Network Services in Cisco Unified Serviceability. Restarting the Cisco UP XCP Router restarts all XCP services on Cisco Unified Presence.


How to Configure Static Routes Using TCP for Federation with Microsoft OCS Domain

This section describes how to configure static routes using TCP for direct federation between Cisco Unified Presence and Microsoft OCS. Neither the Cisco Adaptive Security Appliance nor the Microsoft Access Edge server is required.


Caution The domain portion of the Routing Proxy FQDN parameter value cannot be the same as the Microsoft OCS domain. To view or edit the Routing Proxy FQDN parameter, select Cisco Unified Presence Administration > System > Service Parameters, and select the Cisco UP SIP Proxy service.

Configuring a Static Route on Cisco Unified Presence for the OCS Server

To configure Cisco Unified Presence to use TCP when exchanging IM and availability with a federated Microsoft OCS domain, you must configure a static route on Cisco Unified Presence that points to the OCS server (and not the external edge of Microsoft Access Edge).

You must add an individual static route for the OCS domain. The OCS domain static route should point to the IP address of a specific OCS Enterprise Edition front-end server or Standard Edition server.

For high availability purposes, you can configure additional backup static routes to the OCS domain. The backup route has a lower priority and is used only if the next hop address of the primary static route is unreachable.

Procedure


Step 1 Select Cisco Unified Presence Administration > Presence > Routing > Static Routes.

Step 2 Select Add New.

Step 3 Enter the destination pattern value so that the domain is reversed. For example, if the domain is "domaina.com.*", the Destination Pattern value must be ".com.domaina.*".

Step 4 Enter the remaining parameters as follows:

The Next Hop value is the OCS FQDN or IP address.

The Next Hop Port number is 5060.

The Route Type value is domain.

The Protocol Type is TCP.

Step 5 Select Save.


What To Do Next

Configuring a Static Route on OCS for the Cisco Unified Presence server.

Configuring a Static Route on OCS for the Cisco Unified Presence server

If you are using direct federation from Cisco Unified Presence to OCS without the Access Edge server or Cisco Adaptive Security Appliance, then you need to configure a static route from OCS to Cisco Unified Presence.

Procedure


Step 1 Click Start > Programs > Administrative Tools > Microsoft Office Communicator Server 2007 on OCS.

Step 2 Right-click on the Front End server.

Step 3 Select Properties > Front End Properties.

Step 4 Click the Routing tab.

Step 5 Click Add.

Step 6 Enter the domain for the Cisco Unified Presence server, for example 'cisco.com'.

Step 7 Enter the IP of the Cisco Unified Presence server for the Next Hop IP address.

Step 8 Select TCP for the Transport value.

Step 9 Enter 5060 for the Port value.

Step 10 Click OK.


What To Do Next

Adding a Host Authorization entry for the Cisco Unified Presence server

Adding a Host Authorization entry for the Cisco Unified Presence server

Procedure


Step 1 Click on the Host Authorization tab on OCS.

Step 2 Perform one of the following steps:

Enter the IP address of the authorized host if you configured a static route on OCS that specifies the next hop computer by its IP address.

Enter the FQDN of the authorized host if you configured a static route on OCS that specifies the next hop computer by its FQDN.

Step 3 Click Add.

Step 4 Select IP.

Step 5 Enter the IP address of the Cisco Unified Presence server.

Step 6 Check Throttle as Server.

Step 7 Check Treat as Authenticated.


Note Do not check Outbound Only.


Step 8 Click OK.


Enabling Port 5060 on the OCS Server

Procedure


Step 1 Select Start > Programs > Administrative Tools > Microsoft Office Communicator Server 2007 on OCS.

Step 2 Right-click on the FQDN of Front End server.

Step 3 Select Properties > Front End Properties and select the General tab.

Step 4 If port 5060 is not listed under Connections, select Add.

Step 5 Configure port 5060 as follows:

Select All as the IP Address value.

Select 5060 as the Port value.

Select TCP as the Transport value.

Step 6 Select OK.


How to Configure Static Routes Using TLS for Federation with Microsoft OCS Domain

Procedure

Step 1 Configure a static route on Cisco Unified Presence for OCS.

Use the procedure Configuring a Static Route on Cisco Unified Presence for the OCS Server as a guide.

When you configure the static route on Cisco Unified Presence, select the protocol type TLS, and make sure that the static route points to port 5061.

Step 2 Configure a static route on OCS for Cisco Unified Presence.

Use the procedure Configuring a Static Route on OCS for the Cisco Unified Presence server as a guide.

When you configure the static route on OCS, select the protocol type TLS, and make sure that the static route points to port 5061 (the default is 5062).


Note When using TLS with static routes on OCS, you must specify the FQDN of the Cisco Unified Presence server, rather than an IP address.


On Cisco Unified Presence, you must also set the Peer Auth Listener port to 5061 so that it matches the port OCS uses. You configure this by selecting Cisco Unified Presence Administration > System > Application Listeners. Verify that the Peer Auth Listener port is 5061. You can set the Server Auth Listener port to 5062.

Step 3 Configure a host authorization entry for the Cisco Unified Presence FQDN.

Use the procedure Adding a Host Authorization entry for the Cisco Unified Presence server as a guide.

Step 4 Configure the certificates on OCS.

To retrieve the CA root certificate and the OCS signed certificate, follow these procedures, applying them to the OCS server (rather than the Access Edge server):

Downloading the CA Certification Chain

Installing the CA Certification Chain

Requesting a Certificate from the CA Server

Downloading the Certificate from the CA Server

In the OCS Front End Server Properties ensure the TLS listener for port 5061 on OCS is configured. (The transport can be MTLS or TLS).

From the OCS Front End Server Properties, select the Certificates tab, and click Select Certificate to select the OCS signed certificate.

Configure OCS to use FIPS (TLSv1 rather than SSLv3), and import the CA root certificate.

1. Open the Local Security Settings on OCS.

2. In the console tree, select Local Policies.

3. Select Security Options.

4. Double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

5. Enable the security setting.

6. Select OK.


Note You may need to restart OCS for this to take effect.


7. Import the CA root certificate for the CA that signs the Cisco Unified Presence certificate into the trust store on OCS using the certificate snap-in.

Step 5 Configure the certificates on Cisco Unified Presence.

On Cisco Unified Presence, upload the root certificate for the CA that signs the OCS certificate. Note the following:

Upload the certificate as a 'cup-trust' certificate.

Leave the 'Root Certificate' field blank.

Use the procedure Importing the Self Signed Certificate onto Cisco Unified Presence as a guide for uploading a certificate to Cisco Unified Presence.

Generate a CSR for Cisco Unified Presence so that the Cisco Unified Presence certificate can be signed by a CA. Upload the CSR to the CA that will sign your certificate.

When you have retrieved the CA-signed certificate and the CA root certificate, upload the CA-signed certificate and the root certificate to Cisco Unified Presence. Note the following:

Upload the root certificate as a 'cup-trust' certificate.

Upload the CA-signed Cisco Unified Presence certificate as a 'cup' certificate. Specify the root certificate .pem file as the root certificate.

Add a TLS Peer subject on Cisco Unified Presence for the OCS server. Follow the steps in Creating a new TLS Peer Subject to create the peer subject for the OCS server, using the FQDN of the OCS server.

Add the TLS Peer to the Selected TLS Peer Subjects list by following the steps in Adding the TLS Peer to the Selected TLS Peer Subjects List. Note the following:

Make sure that the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher is selected for the TLS Context Configuration.

Make sure that you disable empty TLS fragments.

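The following PowerShell diagnostic is an added example and is not part of the Cisco guide. Run on the OCS server, it checks the two OCS-side prerequisites of the TLS procedure above (the FIPS policy and the presence of the CA root in the machine trust store) and then performs a TLS handshake against the Cisco Unified Presence Peer Auth listener so that you can see the negotiated protocol, cipher and peer certificate. The FQDN, port and CA subject at the top are assumed values; replace them with your own.

```powershell
# Added diagnostic, not part of the Cisco guide: checks the OCS-side prerequisites for the
# TLS static route (FIPS policy, trusted CA root) and then performs a TLS handshake against
# the Cisco Unified Presence Peer Auth listener to show what was negotiated.
# The three values below are assumptions; replace them with your own deployment's values.
$CupFqdn   = 'cupserverPub.sip.com'    # FQDN of the Cisco Unified Presence node
$CupPort   = 5061                      # Peer Auth Listener port on Cisco Unified Presence
$CaSubject = 'CN=Example Root CA'      # placeholder: subject of the CA that signed the CUP certificate

function Test-FipsPolicy {
    # "System cryptography: Use FIPS compliant algorithms..." is stored as this registry value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Enabled
    return ($enabled -eq 1)
}

function Test-CaRootTrusted([string]$Subject) {
    # OCS only accepts the CUP certificate if its issuing CA root is in the machine Trusted Root store.
    $match = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $Subject }
    return ($match -ne $null)
}

function Get-CupTlsHandshake([string]$Fqdn, [int]$Port) {
    $result = New-Object PSObject -Property @{
        Connected = $false; Protocol = $null; Cipher = $null
        Subject = $null; Issuer = $null; ChainErrors = $null; Error = $null
    }
    $script:chainErrors = $null
    # Record chain-validation errors for the report instead of hiding them. This callback is for
    # diagnostics only; production code must abort the connection when the chain fails.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:chainErrors = $errors
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $Port)
        $result.Connected = $true
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # OCS in FIPS mode speaks TLSv1, so offer only TLS 1.0 here.
        $ssl.AuthenticateAsClient($Fqdn, $null, [System.Security.Authentication.SslProtocols]::Tls, $false)
        $result.Protocol    = $ssl.SslProtocol
        $result.Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit / $($ssl.HashAlgorithm)"
        $result.Subject     = $ssl.RemoteCertificate.Subject
        $result.Issuer      = $ssl.RemoteCertificate.Issuer
        $result.ChainErrors = $script:chainErrors
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $result
}

"FIPS policy enabled : $(Test-FipsPolicy)"
"CA root trusted     : $(Test-CaRootTrusted $CaSubject)"
Get-CupTlsHandshake $CupFqdn $CupPort | Format-List
```

With the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher that the procedure requires, the handshake report shows Protocol Tls, Cipher "TripleDes 168-bit / Sha1", and the Issuer should be the CA whose root you uploaded to OCS; a non-empty ChainErrors value means that CA root is not yet trusted on the OCS server.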

Configuring Static Routes for Interdomain Federation to Microsoft Lync within an Enterprise


Note For interdomain federation with Microsoft Lync, you must configure TLS between Cisco Unified Presence and Microsoft Lync if there is more than one Lync front-end server.


This procedure uses the following sample configuration parameters:

Cisco Unified Presence Server FQDN (routing Cisco Unified Presence node): cupserverPub.sip.com


Note Ensure the FQDN can resolve to the correct IP address.


Cisco Unified Presence Server IP Address (routing Cisco Unified Presence node): 10.53.57.10

Cisco Unified Presence Server TCP port: 5060


Note The TCP port value must match that configured under Cisco Unified Presence Administration > System > Application Listeners > Default Cisco SIP Proxy TCP Listener.


Cisco Unified Presence Server TLS port: 5062


Note The TLS port value must match that configured under Cisco Unified Presence Administration > System > Application Listeners > Default Cisco SIP Proxy TLS Listener - Peer Auth.


Cisco Unified Presence Server domain: sip.com

Lync Registrar server: lyncserver.lync.net

For more information about configuring static routes for Interdomain Federation to Microsoft Lync within an enterprise, see http://technet.microsoft.com/en-us/library/gg558664(v=ocs.14).aspx.

Procedure

Step 1 Define a TCP/TLS route.

Note You must create a static route to the Cisco Unified Presence routing node only. It is not necessary to create static routes to subscriber nodes, nor any intercluster peer nodes even if your Cisco Unified Presence deployment has multiple clusters.

1. Sign in to a computer where Lync Server Management Shell is installed. You must sign in as a member of the RTCUniversalServerAdmins group or a role-based access control (RBAC) role to which you have assigned the New-CsStaticRoute cmdlet.

2. Select Start > All Programs > Microsoft Lync Server 2010 > Lync Server Management Shell.

3. For TLS, enter the following command:

$tlsRoute = New-CsStaticRoute -TLSRoute -Destination <FQDN of Cisco Unified Presence routing node> `
    -Port <listening port of Cisco Unified Presence routing node> -usedefaultcertificate $true `
    -MatchUri <destination domain>

Example:

$tlsRoute = New-CsStaticRoute -TLSRoute -Destination cupserverPub.sip.com -Port 5062 -usedefaultcertificate $true -MatchUri sip.com


Note To match child domains of a domain you can specify a wildcard value in the MatchUri parameter, for example, *.sip.com. That value matches any domain that ends with the suffix sip.com.


If you set -usedefaultcertificate to false, you must specify the TLSCertIssuer and TLSCertSerialNumber parameters. These parameters indicate the name of the certification authority (CA) that issued the certificate used in the static route and the serial number of the TLS certificate, respectively. See the Lync Server Management Shell help for more information about these parameters.

4. For TCP, enter the following command:

$tcpRoute = New-CsStaticRoute -TCPRoute -Destination <IP address or FQDN of Cisco Unified Presence routing node> `
    -Port <SIP listening port of Cisco Unified Presence routing node> -MatchUri <destination domain>

Example:

$tcpRoute = New-CsStaticRoute -TCPRoute -Destination 10.53.57.10 -Port 5060 -MatchUri *.sip.com

Step 2 Persist the route.

Note This step is only necessary for the routing node.

1. To persist a newly created static route in the Central Management store, run one of the following:

For TLS:

Set-CsStaticRoutingConfiguration -Route @{Add=$tlsRoute}

For TCP:

Set-CsStaticRoutingConfiguration -Route @{Add=$tcpRoute}

2. To verify that the command was successful, enter

get-CsStaticRoutingConfiguration

Step 3 Create a trusted application server pool.

Note You must create a trusted application server pool for all Cisco Unified Presence nodes, including the routing Cisco Unified Presence node.

1. Enter the following command to obtain the Site ID:

get-cssite

2. For TLS, enter the following command:

New-CsTrustedApplicationPool -Identity <FQDN of Cisco Unified Presence node> `
    [-Registrar <Service ID or FQDN of the next hop>] `
    -Site <Site ID for the site where you want to create the trusted application pool> `
    -TreatAsAuthenticated $true -ThrottleAsServer $true

Example:

New-CsTrustedApplicationPool -Identity cupserverPub.sip.com -Registrar LyncServer.lync.net -Site co1 -TreatAsAuthenticated $true -ThrottleAsServer $true

3. For TCP, enter the following command:

New-CsTrustedApplicationPool -Identity <IP address of Cisco Unified Presence node> `
    [-Registrar <Service ID or FQDN of the next hop>] `
    -Site <Site ID for the site where you want to create the trusted application pool> `
    -TreatAsAuthenticated $true -ThrottleAsServer $true

Example:

New-CsTrustedApplicationPool -Identity 10.53.57.10 -Registrar LyncServer.lync.net -Site co1 -TreatAsAuthenticated $true -ThrottleAsServer $true

Step 4 Add application servers to the created pool.

Note You must add application servers to the created pool for all Cisco Unified Presence nodes, including the routing Cisco Unified Presence node.

1. For TLS, enter the following command:

New-CsTrustedApplication -ApplicationID <application name> `
    -TrustedApplicationPoolFqdn <FQDN of Cisco Unified Presence node> `
    -Port <SIP listening port of Cisco Unified Presence node>

Example:

New-CsTrustedApplication -ApplicationID cupPub1 -TrustedApplicationPoolFqdn cupserverPub.sip.com -Port 5062

2. For TCP, enter the following command:

New-CsTrustedApplication -ApplicationID <application name> `
    -TrustedApplicationPoolFqdn <IP Address of Cisco Unified Presence node> `
    -Port <listening port of Cisco Unified Presence node> -EnableTcp

Example:

New-CsTrustedApplication -ApplicationID cupPub1 -TrustedApplicationPoolFqdn 10.53.57.10 -Port 5060 -EnableTcp

Step 5 Configure the Lync Server listen port.

1. In the Lync Server Management Shell enter the following command to verify the current system configuration:

Get-CSRegistrarConfiguration

2. Enter the following command to set the Lync server listening port:

Set-CsRegistrar registrar:<Lync_server_FQDN> -SipServerTcpPort 5060

3. Verify the new system configuration by entering the Get command from Step 1 again.

The parameters that you use to configure the Lync server listen port are as follows:

Set-CsRegistrar—internal command that sets the Lync server port.

registrar:—FQDN of the Lync Server

-SipServerTcpPort— SIP listening port of the Lync server. The default value is typically 5060.

Step 6 Enable the topology.

1. Before you enable the topology, ensure that you have completed the following:

a. Define a TCP/TLS route for the routing Cisco Unified Presence node.

b. Persist the new static route for the routing Cisco Unified Presence node.

c. Create a trusted application server pool for all Cisco Unified Presence nodes.

d. Add application servers to the created pool for all Cisco Unified Presence nodes.

2. Enter the following command to implement the changes you have made to the topology:

Enable-CsTopology

Step 7 Define the gateway IP address.

Note This step applies only to TCP.

1. Sign in to the computer where Topology Builder is installed. You must sign in as a member of the Domain Admins group and the RTCUniversalServerAdmins group.

2. Select Start > All Programs > Microsoft Lync Server 2010 > Lync Server Topology Builder.

3. Select the option to download an existing topology.

4. Expand the Trusted applications servers node.

5. Right-click the trusted application pool that you created and select Edit Properties.

6. Uncheck Enable replication of configuration data to this pool.

7. Select Limit service usage to selected IP addresses and ensure that it is set to Use all configured IP addresses.

8. In the Primary IP address field, enter the IP address of the SIP gateway.

9. To update the topology in the Central Management store, in the console tree, select Lync Server 2010 and from the Actions pane, select Publish.
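The script below is an added example, not taken from the Cisco guide or from Microsoft: it runs the TLS variant of the Lync Server Management Shell steps above in one pass for the routing Cisco Unified Presence node, checking that the FQDN resolves before the route is created (the note on the sample parameters requires this), refusing to persist a second route for the same domain, and verifying the persisted route afterwards. It uses the guide's sample values; the application ID, the string match on the route's Transport value and the single-site assumption (first site returned by Get-CsSite) are my own.

```powershell
# Added example, not from the Cisco guide: TLS static route, trusted application pool and
# trusted application for the routing Cisco Unified Presence node, with checks before and after.
$CupFqdn       = 'cupserverPub.sip.com'   # routing Cisco Unified Presence node (guide's sample value)
$CupTlsPort    = 5062                     # must match the Cisco Unified Presence TLS Peer Auth listener
$CupDomain     = 'sip.com'                # Cisco Unified Presence domain
$LyncRegistrar = 'lyncserver.lync.net'    # Lync Registrar, next hop for the trusted pool
$AppId         = 'cupPub1'                # assumed application ID

# Step 1 precondition: a TLS route carries the FQDN, so it must resolve to the routing node.
$addrs = [System.Net.Dns]::GetHostAddresses($CupFqdn) | ForEach-Object { $_.IPAddressToString }
if (-not $addrs) { throw "$CupFqdn does not resolve; fix DNS before creating the route" }
Write-Host "$CupFqdn resolves to $($addrs -join ', ')"

# Step 1: define the TLS route, presenting Lync's default certificate to Cisco Unified Presence.
$tlsRoute = New-CsStaticRoute -TLSRoute -Destination $CupFqdn -Port $CupTlsPort `
    -UseDefaultCertificate $true -MatchUri $CupDomain

# Step 2: persist it in the Central Management store, unless a route for this domain already exists.
$existing = (Get-CsStaticRoutingConfiguration).Route | Where-Object { $_.MatchUri -eq $CupDomain }
if ($existing) {
    Write-Warning "A static route for $CupDomain already exists; not adding another"
} else {
    Set-CsStaticRoutingConfiguration -Route @{Add = $tlsRoute}
}

# Step 3: trusted application pool. Assumes a single-site topology and reads the site ID from it.
$siteId = (Get-CsSite | Select-Object -First 1).SiteId
New-CsTrustedApplicationPool -Identity $CupFqdn -Registrar $LyncRegistrar -Site $siteId `
    -TreatAsAuthenticated $true -ThrottleAsServer $true

# Step 4: trusted application on that pool, on the same TLS port the route points to.
New-CsTrustedApplication -ApplicationID $AppId -TrustedApplicationPoolFqdn $CupFqdn -Port $CupTlsPort

# Step 6: apply the topology changes.
Enable-CsTopology

# Verify: the persisted route must name the intended FQDN and port. The Transport value is
# compared as text, which is enough to catch a mistyped destination or port.
$route = (Get-CsStaticRoutingConfiguration).Route | Where-Object { $_.MatchUri -eq $CupDomain }
$transport = "$($route.Transport)"
if ($route -and $transport -like "*$CupFqdn*" -and $transport -like "*$CupTlsPort*") {
    Write-Host "TLS route for $CupDomain -> ${CupFqdn}:$CupTlsPort is in place"
} else {
    Write-Warning "Route verification failed; inspect Get-CsStaticRoutingConfiguration"
}
```

Step 5 (the Lync listen port) and Step 7 (the gateway IP address in Topology Builder) are left out because they apply to the TCP variant.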


Subscribe Cisco Unified Presence users to Lync/OCS

A Cisco Unified Presence user might, after subscribing to Lync/OCS, receive a SIP 403 error message "subscribe presence verification failed". To avoid this, configure Cisco Unified Presence as an IM provider on the Access Edge and remove it from the allow list in the Lync configuration. Follow the procedure below to configure Cisco Unified Presence.


Step 1 Remove the Cisco Unified Presence domain from Lync Control Panel > External user access > Federated domains. This tab should only be used for Microsoft Federation.

Step 2 Configure Cisco Unified Presence as an IM provider in Lync Control Panel > External user access > Provider.