-
Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
-
Overview of this integration
-
Preparations for this integration
-
Configuration workflows for interdomain federation
-
Configuration of IM and Presence for SIP federation
-
SIP federation security certificate configuration (with Cisco Adaptive\n\t Security Appliance)
-
Cisco Adaptive Security Appliance configuration for SIP federation
-
Configuration of TLS Proxy on Cisco Adaptive Security Appliance
-
Configure interdomain federation to Microsoft OCS/Lync within an enterprise
-
Configuration of foreign server components for SIP federation
-
Configuration of load balancer for redundancy for SIP federation
-
Configuration of IM and Presence Service for XMPP federation
-
Security certificate configuration for XMPP federation
-
Serviceability configuration for federation
-
Federation integration verification
-
Troubleshooting a SIP federation integration
-
Troubleshooting an XMPP federation integration
-
Sample Cisco Adaptive Security Appliance configuration
-
Configuration of security certificate exchange between Cisco Adaptive Security Appliance and Microsoft Access Edge using VeriSign
-
Integration debugging information
-
Feedback
Contents
Configuration of TLS Proxy on Cisco Adaptive Security Appliance
Note
For up to date release information on configuring the TLS proxy, please refer to the Cisco Adaptive Security Appliance Configuration Guide at the following URL: http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_support_configure.html.
Note
IM and Presence Release 8.5(2) or later supports interdomain federation with Microsoft Lync. For IM and Presence Release 8.5(2) or later, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.
- TLS Proxy
- Access list configuration requirements
- Configure TLS proxy instances
- Associate access list with TLS proxy instance using class maps
- Enable TLS proxy
- Configure Cisco Adaptive Security Appliance for an intercluster deployment
TLS Proxy
Cisco Adaptive Security Appliance acts as a TLS proxy between the IM and Presence and the foreign server. This allows Cisco Adaptive Security Appliance to proxy TLS messages on behalf of the server (that initiates the TLS connection), and route the TLS messages from the proxy to the client. The TLS proxy decrypts, inspects and modifies the TLS messages as required on the incoming leg, and then re-encrypts traffic on the return leg.
NoteBefore configuring the TLS proxy, you must configure the Cisco Adaptive Security Appliance security certificates between Cisco Adaptive Security Appliance and IM and Presence, and Cisco Adaptive Security Appliance and the foreign server. Complete the procedures in the following sections to accomplish this:
- Security certificate exchange between IM and Presence and Cisco Adaptive Security Appliance
- Security certificate exchange between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) with Microsoft CA
Related Information
Access list configuration requirements
This section lists the access list configuration requirements for a single IM and Presence deployment.
Related Tasks
Related Information
Configure TLS proxy instances
ProcedureFor this integration, you need to create two TLS proxy instances. The first TLS proxy handles the TLS connections initiated by IM and Presence, where IM and Presence is the client and the foreign domain is the server. In this case, the Cisco Adaptive Security Appliance acts as the TLS server facing the "client" which is IM and Presence. The second TLS Proxy handles the TLS connections initiated by the foreign domain, where the foreign domain is the client and IM and Presence is the server.
The TLS proxy instance defines "trustpoints" for both the server and the client. The direction from which the TLS handshake is initiated determines the trustpoint defined in the server and client commands:
- If the TLS handshake initiates from IM and Presence to the foreign domain, the server command specifies the trustpoint that contains the Cisco Adaptive Security Appliance self-signed certificate. The client command specifies the trustpoint that contains the Cisco Adaptive Security Appliance certificate that is used in the TLS handshake between Cisco Adaptive Security Appliance and the foreign domain.
- If the handshake initiates from the foreign domain to IM and Presence, the server command specifies the trustpoint that contains the Cisco Adaptive Security Appliance certificate the TLS handshake uses between Cisco Adaptive Security Appliance and the foreign domain. The client command specifies the trustpoint that contains the Cisco Adaptive Security Appliance self-signed certificate.
Step 1 Enter config mode: >Enable >password >config tStep 2 Create a TLS proxy instance for TLS connections initiated by IM and Presence. This example creates a TLS proxy instance called cup_to_foreign: tls-proxy ent_cup_to_foreignserver trust-point cup_proxy client trust-point <trustpoint_name> client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1Step 3 Create a TLS proxy instance for TLS connections initiated by a foreign domain. This example creates a TLS proxy instance called foreign_to_cup: tls-proxy ent_foreign_to_cupserver trust-point <trustpoint_name> client trust-point cup_proxy client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
What to Do Next
Associate access list with TLS proxy instance using class maps
Associate access list with TLS proxy instance using class maps
Using the class map command, you need to associate a TLS Proxy instance to each of the foreign domain access lists you defined previously.
Before You BeginProcedureComplete the steps in Configure TLS proxy instances
Step 1 Enter config mode: >Enable >password >config tStep 2 Associate each of your access lists with the TLS proxy instance that the class map uses. The TLS proxy you select depends on whether the class-map is for messages from IM and Presence to a foreign domain, or from a foreign domain to IM and Presence. In the example below, the access list for messages sent from IM and Presence to a foreign domain is associated with the TLS proxy instance for TLS connections initiated by IM and Presence called "ent_cup_to_foreign":
class-map ent_cup_to_foreignmatch access-list ent_cup_to_foreignIn the example below, the access list for messages sent from a foreign domain to IM and Presence is associated with the TLS proxy instance for TLS connections initiated by the foreign server called "ent_foreign_to_cup":
class-map ent_foreign_to_cupmatch access-list ent_foreign_to_cupStep 3 If you are have an intercluster IM and Presence deployment, configure a class map for each IM and Presence server, and associate this with the appropriate access-list for the server that you defined previously, for example: class-map ent_second_cup_to_foreignmatch access-list ent_second_cup_to_foreign class-map ent_foreign_to_second_cup match access-list ent_foreign_to_second_cup
What to Do Next
Enable TLS proxy
Using the policy map command, you need to enable the TLS proxy for each class map you created in the previous section.
Note
You cannot use a High security sip-inspect policy map on Cisco Adaptive Security Appliance for a federated deployment because the configuration will fail. You must use a Low/Medium security policy map.
Before You BeginProcedureComplete the steps in Associate access list with TLS proxy instance using class maps
Step 1 Enter config mode: >Enable >password >config tStep 2 Define the sip-inspect policy map, for example: policy-map type inspect sip sip_inspectParameters !SIP Inspection ParametersStep 3 Define the global policy map, for example: policy-map global_policyclass ent_cup_to_foreign inspect sip sip_inspect tls-proxy ent_cup_to_foreign
Configure Cisco Adaptive Security Appliance for an intercluster deployment
ProcedureFor an intercluster IM and Presence deployment, you must perform the following configuration on the Cisco Adaptive Security Appliance for each additional IM and Presence server.
Step 1 Create an additional access list for the IM and Presence server. Step 2 Generate and import the Cisco Adaptive Security Appliance security certificate onto the IM and Presence server. Step 3 Generate and import the IM and Presence security certificate onto Cisco Adaptive Security Appliance. Step 4 Configure a class map for each foreign domain. Step 5 Include the class maps in the global policy map.
Related References
