Make sure you use the correct version of Cisco Adaptive Security Appliance software for your deployment. If you are configuring a new interdomain federation deployment, refer to the IM and Presence compatibility matrix for the correct version of Cisco Adaptive Security Appliance.
Consider how you are going to set up routing in your federated network, in particular how messages destined for a foreign domain address are routed from IM and Presence through the Cisco Adaptive Security Appliance to the foreign domain. One option is to deploy a routing entity (router, switch or gateway) between the IM and Presence enterprise deployment and the Cisco Adaptive Security Appliance. The routing entity routes messages to the Cisco Adaptive Security Appliance, and the Cisco Adaptive Security Appliance routes these messages to the foreign domain.
You can also deploy Cisco Adaptive Security Appliance as a gateway between IM and Presence and the foreign domain. If you use Cisco Adaptive Security Appliance as a gateway for IM and Presence, you must consider how Cisco Unified Communications Manager and the IM and Presence clients within your local enterprise deployment will reach the IM and Presence server. If Cisco Unified Communications Manager and the IM and Presence clients are in a different subnet from IM and Presence, they must reach IM and Presence through the Cisco Adaptive Security Appliance.
If you deploy Cisco Adaptive Security Appliance behind an existing firewall in your network, consider how you route traffic to Cisco Adaptive Security Appliance and to IM and Presence. On the existing firewall, configure routes and access lists that forward traffic to the public IM and Presence address; restrict those access lists to the federation ports you actually use (TCP 5061 for SIP over TLS, TCP 5269 for XMPP server-to-server) rather than permitting all traffic to that address. You must also configure routes to the foreign domain using the existing
federation, you require a publicly accessible IP address for the public IM and Presence address. If you do not have an IP address that you can assign, use the outside interface of the Cisco Adaptive Security Appliance as the public IM and Presence address (this is possible only if you use the Cisco Adaptive Security Appliance solely for availability and IM traffic).
For SIP federation with Microsoft OCS R2, you require a single public IP address, even if you deploy multiple IM and Presence servers. Cisco Adaptive Security Appliance routes the requests from OCS to the correct IM and Presence server using Port Address Translation (PAT).
For XMPP federation, you can choose to either expose a public IP address for each IM and Presence server on which you enable XMPP federation, or expose a single public IP address. If you expose multiple IP addresses, you use NAT on Cisco Adaptive Security Appliance to translate the public addresses to private addresses. For example, you can use NAT to translate the public addresses x.x.x.x:5269 and y.y.y.y:5269 to the private addresses a.a.a.a:5269 and b.b.b.b:5269 respectively.
If you expose a single IP address, you use PAT on Cisco Adaptive Security Appliance to map to the correct IM and Presence server. For example, the public IP address in your deployment is x.x.x.x, and there are multiple DNS SRV records for _xmpp-server. Each record has a different port, but all records resolve to x.x.x.x. The foreign server sends requests to x.x.x.x:5269, x.x.x.x:15269 and x.x.x.x:25269 through Cisco Adaptive Security Appliance. Cisco Adaptive Security Appliance performs PAT on these addresses, mapping each public address and port to the internal IP address of the corresponding IM and Presence server. For example, the public address x.x.x.x:5269 maps to the private address a.a.a.a:5269, x.x.x.x:15269 maps to b.b.b.b:5269, x.x.x.x:25269 maps to c.c.c.c:5269, and so on. All public ports map internally to the same port (5269) on IM and Presence.
federation, request messages are routed based on the FQDN. Therefore, the FQDN
of the routing IM and Presence server (publisher) must be publicly
AOL SIP Access Gateway
The AOL SIP Access Gateway provides federated services that permit a company's SIP/SIMPLE-based instant messaging servers to communicate with instant messaging users on the AOL network. Using the AOL SIP Access Gateway, users of a company's SIP/SIMPLE-based messaging server can obtain availability information for, and hold conversations with, public users of the AIM or AOL services. The AOL SIP Access Gateway also enables users of the AIM or AOL systems to send instant messages to, and display availability information for, users of the company's internal SIP/SIMPLE-based system.
The AOL SIP Access Gateway acts as the front end to a translator for internal AOL protocols. All communication between the company server and AOL uses SIP. The AOL SIP Access Gateway handles the translation into the protocols needed by internal AOL systems. It is not necessary to add any translation capabilities to external servers; from that perspective the AOL protocols are hidden. If the company server communicates using SIP/SIMPLE, it should be possible to connect to AOL via the AOL SIP Access Gateway.
The AOL SIP Access Gateway supports connections via TLS over TCP only. Define the AOL SIP Access Gateway server within your instant messaging servers or proxies with this address:
Server Name: sip.oscar.aol.com
Server Port: 5061
The server name sip.oscar.aol.com resolves to 220.127.116.11 &
If you configure these IP addresses statically anywhere in your network,
we recommend that you periodically check with AOL for potential changes
to these addresses.
We recommend that you ping the FQDN of
AOL SIP Access Gateway (sip.oscar.aol.com) to confirm the IP address
as it may be subject to change, for example ping
need to consider how you are going to configure redundancy in your federated network. Cisco Adaptive Security Appliance supports redundancy through the Active/Standby (A/S) failover deployment model. If you want to make your IM and Presence federation capability highly available, you can deploy a load balancer in front of your designated (federation) IM and Presence cluster. Cisco recommends the Cisco CSS 11500 Content Services Switch.
In the local IM and Presence Service enterprise deployment, IM and Presence Service must publish a DNS SRV record for the IM and Presence Service domain so that other domains can discover the IM and Presence Service node through DNS SRV. The DNS SRV records reside on the DNS server in the enterprise DMZ.
For SIP federation with Microsoft OCS R2, you must publish the DNS SRV record "_sipfederationtls._tcp" for your domain. The Microsoft enterprise deployment requires this record because you configure IM and Presence Service as a Public IM Provider on the Access Edge server. In the external enterprise deployment, for IM and Presence Service to discover the Microsoft domain, a DNS SRV record must exist that points to this external domain. If the IM and Presence Service node cannot discover the Microsoft domain using DNS SRV, you must configure a static route on IM and Presence Service that points to the public interface of this external domain.
See the following figure for a sample DNS configuration for the DNS SRV record "_sipfederationtls._tcp.aol.com".
Figure 1. DNS SRV for "_xmpp-server"
For AOL federation, AOL publishes the DNS SRV record "_sipfederationtls._tcp.aol.com" in its public DNS server for the domain "aol.com". This resolves to "sip.oscar.aol.com", which is the AOL SIP Access Gateway.
Because DNS SRV records are publicly resolvable, if you turn on DNS forwarding in the local enterprise, DNS queries retrieve information about public domains outside the local enterprise. If DNS queries rely entirely on DNS information within the local enterprise (you do not turn on DNS forwarding), you must publish a DNS SRV record, FQDN and IP address that point to the external domain. Alternatively, you can configure static routes.
For XMPP federation, you must publish the DNS SRV record "_xmpp-server" (the full owner name is _xmpp-server._tcp.<your domain>). This record enables federated XMPP domains to discover the IM and Presence Service domain so that users in both domains can exchange IM and availability information over XMPP. Similarly, foreign domains must publish the _xmpp-server record in their public DNS server to enable IM and Presence Service to discover the foreign domain.
See the following figure for a sample DNS configuration for the DNS SRV record "_xmpp-server".
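The single-public-IP PAT layout and the one-address-per-node NAT layout described in the routing section, together with the _xmpp-server SRV records this section publishes, as an added worked example that is not from the Cisco guide and is not Cisco code. It is a small planner: given the internal IM and Presence nodes and the public address(es), it emits the zone-file SRV lines a foreign XMPP server would look up and the matching Cisco ASA object NAT and access-list lines, and checks that every public (address, port) pair a foreign server could choose reaches port 5269 on exactly one node. The domain example.com, all addresses and hostnames, the object names and the ASA 8.3+ object NAT syntax are assumptions, not taken from the page.

```python
"""Plan XMPP federation through the ASA: SRV records plus the NAT/PAT table.

Added example, not from the Cisco guide and not Cisco code. Models the two
layouts the text describes (one public IP per IM and Presence node, or one
public IP with a distinct _xmpp-server port per node), emits the DNS and ASA
lines each needs, and checks the plan. Domain, addresses, hostnames, object
names and the ASA 8.3+ object NAT syntax are assumptions.
"""
from dataclasses import dataclass

XMPP_S2S_PORT = 5269  # XMPP server-to-server; the only port the nodes listen on


@dataclass(frozen=True)
class Node:
    name: str        # short name, also used to build the ASA object name
    private_ip: str  # address of the node on the ASA inside interface


@dataclass(frozen=True)
class Translation:
    node: Node
    public_fqdn: str  # SRV target name; must resolve to public_ip
    public_ip: str
    public_port: int  # port foreign XMPP servers connect to


def plan_one_ip_per_node(domain, nodes, public_ips):
    """NAT layout: each node gets its own public address, all on 5269."""
    if len(public_ips) != len(nodes):
        raise ValueError("need exactly one public IP per node")
    return [Translation(n, f"{n.name}.{domain}", ip, XMPP_S2S_PORT)
            for n, ip in zip(nodes, public_ips)]


def plan_single_ip(domain, nodes, public_ip, public_host="xmpp"):
    """PAT layout: one public address; ports 5269, 15269, 25269, ... per node."""
    return [Translation(n, f"{public_host}.{domain}", public_ip,
                        XMPP_S2S_PORT + 10000 * i)
            for i, n in enumerate(nodes)]


def dns_records(domain, plan):
    """Zone-file lines: an A record per public name, an SRV per translation."""
    a_records = {t.public_fqdn: t.public_ip for t in plan}
    lines = [f"{fqdn}. IN A {ip}" for fqdn, ip in sorted(a_records.items())]
    for t in plan:
        # priority 0 / weight 0: a foreign server may pick any record, so each
        # one must reach a working node through the ASA.
        lines.append(f"_xmpp-server._tcp.{domain}. IN SRV 0 0 "
                     f"{t.public_port} {t.public_fqdn}.")
    return lines


def asa_config(plan):
    """ASA 8.3+ object NAT (assumed syntax) and the inbound access list.

    One static PAT per node maps public_port on the outside to 5269 inside.
    On 8.3+ the access list names the real (inside) address and real port.
    """
    lines = []
    for t in plan:
        obj = f"IMP-{t.node.name.upper()}"
        lines += [f"object network {obj}",
                  f" host {t.node.private_ip}",
                  f" nat (inside,outside) static {t.public_ip} "
                  f"service tcp {XMPP_S2S_PORT} {t.public_port}"]
    for t in plan:
        lines.append(f"access-list OUTSIDE-IN extended permit tcp any "
                     f"object IMP-{t.node.name.upper()} eq {XMPP_S2S_PORT}")
    lines.append("access-group OUTSIDE-IN in interface outside")
    return lines


def translate(plan, dst_ip, dst_port):
    """Where an inbound connection to (dst_ip, dst_port) ends up, or None."""
    for t in plan:
        if (t.public_ip, t.public_port) == (dst_ip, dst_port):
            return (t.node.private_ip, XMPP_S2S_PORT)
    return None  # no translation: the access list drops it


def check_plan(plan):
    """Public endpoints must be unique and each must reach a distinct node."""
    public = [(t.public_ip, t.public_port) for t in plan]
    if len(set(public)) != len(public):
        return False
    reached = {translate(plan, ip, port) for ip, port in public}
    wanted = {(t.node.private_ip, XMPP_S2S_PORT) for t in plan}
    return reached == wanted and len(reached) == len(plan)


if __name__ == "__main__":
    # Constructed sample: three nodes behind one public address.
    nodes = [Node("imp1", "10.0.0.11"), Node("imp2", "10.0.0.12"),
             Node("imp3", "10.0.0.13")]
    plan = plan_single_ip("example.com", nodes, "198.51.100.5")
    print("\n".join(dns_records("example.com", plan)))
    print("\n".join(asa_config(plan)))
    print("plan ok:", check_plan(plan))
```

The access list is deliberately limited to TCP 5269 toward the node objects, so the only thing reachable from the outside through these translations is the XMPP server-to-server port; pre-8.3 ASA software uses the older static (inside,outside) tcp form and writes access lists against the mapped address instead, so the emitted lines would need adjusting there.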
federation, the Cisco Adaptive Security Appliance in the IM and Presence enterprise deployment, and the foreign enterprise deployment, share IM and availability over a secure SSL/TLS
enterprise deployment must present a certificate that is signed by an external CA; however, each enterprise deployment may use a different CA. Therefore each enterprise deployment must download the root certificate of the external CA used by the other enterprise deployment to achieve mutual trust between the two
For XMPP federation, you can choose whether or not to configure a secure TLS connection. If you configure TLS, you must upload to IM and Presence the root certificate of the Certificate Authority (CA) that signs the certificate of the foreign enterprise. This certificate must exist in the certificate trust store on IM and Presence because the Cisco Adaptive Security Appliance does not terminate the TLS connections for XMPP federation; for XMPP federation the Cisco Adaptive Security Appliance acts only as a firewall, so certificate validation happens end to end on the IM and Presence node.
Prerequisite configuration tasks for this integration
These prerequisite tasks apply to both SIP and
Install and configure IM and Presence as described in the Deployment Guide for
IM and Presence.
At this point,
perform the following checks to ensure that your IM and Presence is operating properly:
Run the IM and Presence Troubleshooter.
Check that you can add local
contacts to IM and Presence.
Check that your clients are
receiving availability states from the IM and Presence server.
Configure IM and Presence server with a Cisco Unified Communications Manager (CUCM) server as described in the
Deployment Guide for IM and Presence. Ensure that the IM and Presence
server is working without any issues.
Configure Cisco Adaptive Security Appliance for integration
For SIP federation, you
Cisco Adaptive Security Appliance.
For XMPP federation, you require a firewall. You can use any firewall, including Cisco Adaptive Security Appliance, for basic firewall/NAT/PAT functionality. For XMPP federation you do not use Cisco Adaptive Security Appliance for TLS proxy functionality.
Install and configure Cisco Adaptive Security Appliance. Perform the following basic configuration checks on the Cisco Adaptive Security Appliance:
Connect to Cisco Adaptive Security Appliance either via the console through a terminal emulator such as HyperTerminal, or via the web-based Adaptive Security Device Manager (ASDM).
Obtain the appropriate licenses for
Cisco Adaptive Security Appliance. Note that you will require a license for the TLS proxy on
Cisco Adaptive Security Appliance. Contact your Cisco representative for license information.
Upgrade the software (if necessary).
Configure the hostname using the command:
(config)# hostname name
Set the timezone, date and time in ASDM by selecting
Device Setup > System
Time > Clock, or via the CLI
clock set command. Note the following:
Set the clock on the Cisco ASA 5500 before configuring the TLS
We recommend that Cisco Adaptive Security Appliance use the same NTP server as the IM and Presence cluster. TLS connections may fail with a certificate validation error if the clock is out of sync between Cisco Adaptive Security Appliance and the IM and Presence server, because certificate validity periods are checked against the local clock.
Configure the NTP server with the command ntp server <server_address>, and verify that the appliance is synchronized with the commands show ntp associations and show ntp status.
Check the Cisco ASA 5500 modes. The Cisco ASA 5500 is configured to use single context mode and routed firewall mode by default.
Check the current context mode. This value is single mode by default.
(config)# show mode
Check the current firewall mode (show firewall). This is routed mode by