-
Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
-
Overview of this integration
-
Preparations for this integration
-
Configuration workflows for interdomain federation
-
Configuration of IM and Presence for SIP federation
-
SIP federation security certificate configuration (with Cisco Adaptive\n\t Security Appliance)
-
Cisco Adaptive Security Appliance configuration for SIP federation
-
Configuration of TLS Proxy on Cisco Adaptive Security Appliance
-
Configure interdomain federation to Microsoft OCS/Lync within an enterprise
-
Configuration of foreign server components for SIP federation
-
Configuration of load balancer for redundancy for SIP federation
-
Configuration of IM and Presence Service for XMPP federation
-
Security certificate configuration for XMPP federation
-
Serviceability configuration for federation
-
Federation integration verification
-
Troubleshooting a SIP federation integration
-
Troubleshooting an XMPP federation integration
-
Sample Cisco Adaptive Security Appliance configuration
-
Configuration of security certificate exchange between Cisco Adaptive Security Appliance and Microsoft Access Edge using VeriSign
-
Integration debugging information
-
Feedback
Contents
- Configure interdomain federation to Microsoft OCS/Lync within an enterprise
- Add a Microsoft OCS domain within an enterprise
- Configuration of static routes using TCP for federation with Microsoft OCS domain
- Configure static route on IM and Presence for OCS server
- Configure static routes on OCS for IM and Presence Service
- Adding a Host Authorization entry for the IM and Presence server
- Enable port 5060 on OCS server
- Static route configuration using TLS for federation with Microsoft OCS domain
- Static route configuration for interdomain federation to Microsoft Lync within enterprise
Configure interdomain federation to Microsoft OCS/Lync within an enterprise
Note
Refer to Federation and subdomains for information about federation and subdomains. However, once the OCS and IM and Presence domains are different, you can configure federation within the enterprise. You do not have to use subdomains; separate domains are equally applicable.
- Add a Microsoft OCS domain within an enterprise
- Configuration of static routes using TCP for federation with Microsoft OCS domain
- Static route configuration using TLS for federation with Microsoft OCS domain
- Static route configuration for interdomain federation to Microsoft Lync within enterprise
Add a Microsoft OCS domain within an enterprise
ProcedureWhen you configure a federated domain entry, IM and Presence automatically adds the incoming ACL for the federated domain entry. You can see the incoming ACL associated with a federated domain on IM and Presence Administration, but you cannot modify or delete it. You can only delete the incoming ACL when you delete the (associated) federated domain entry.
Configuration of static routes using TCP for federation with Microsoft OCS domain
This section describes how to configure statics routes using TCP for direct federation between IM and Presence and Microsoft OCS. The Cisco Adaptive Security Appliance or the Microsoft Access Edge are not required.
Caution
The domain portion of the Routing Proxy FQDN parameter value cannot be the same as the Microsoft OCS domain. To view or edit the Routing Proxy FQDN parameter, select , and select the Cisco SIP Proxy service.
- Configure static route on IM and Presence for OCS server
- Configure static routes on OCS for IM and Presence Service
- Adding a Host Authorization entry for the IM and Presence server
- Enable port 5060 on OCS server
Configure static route on IM and Presence for OCS server
ProcedureTo configure IM and Presence Service to use TCP when exchanging IM and presence with a federated Microsoft OCS domain, you must configure a static route on IM and Presence Service that points to the OCS server (and not the external edge of Microsoft Access Edge).
You must add an individual static route for the OCS domain. The OCS domain static route should point to the IP address of a specific OCS Enterprise Edition front-end server or Standard Edition server.
For high availability purposes, you can configure additional backup static routes to each OCS domain. The backup route has a lower priority and is used only if the next hop address of the primary static route is unreachable.
What to Do Next
Configure static routes on OCS for IM and Presence Service
ProcedureIf you are using direct federation from IM and Presence Service to OCS without the Access Edge server or Cisco Adaptive Security Appliance, then you need to configure a static route from OCS to IM and Presence Service.
What to Do NextAdding a Host Authorization entry for the IM and Presence server
Procedure
Static route configuration using TLS for federation with Microsoft OCS domain
Use the procedure Configure static route on IM and Presence for OCS server as a guide.
When you configure the static route on IM and Presence, select the protocol type TLS, and make sure that the static route points to port 5061.
Use the procedure Configure static routes on OCS for IM and Presence Service as a guide.
When you configure the static route on OCS, select the protocol type TLS, and make sure that the static route points to port 5061 (the default is 5062).
Note When using TLS with static routes on OCS, you must specify the FQDN of the IM and Presence server, rather than an IP address.
On IM and Presence, you must also configure the Peer Auth Listener port on OCS as 5061. You configure this by selecting. Verify that the Peer Auth Listener port is 5061. You can configure the Server Auth Listener port to be 5062.
Configure a host authorization entry for the IM and Presence FQDN
Use the procedure Adding a Host Authorization entry for the IM and Presence server as a guide.
- To retrieve the CA root certificate and the OCS signed certificate, follow these procedures, applying them to the OCS server (rather than the Access Edge server):
- In the OCS Front End Server Properties ensure the TLS listener for port 5061 on OCS is configured. (The transport can be MTLS or TLS).
- From the OCS Front End Server Properties, select the Certificates tab, and click Select Certificate to select the OCS signed certificate.
Configure OCS to use FIPS (TLSv1 rather than SSLv3), and import the CA root certificate.
- Open the Local Security Settings on OCS.
- In the console tree, select Local Polices.
- Select Security Options.
- Double-click System Cryptography:Use FIPS Compliant algorithms for encryption, hashing and signing.
- Enable the security setting.
- Select OK.
Note You may need to restart OCS for this to take effect.
- Import the CA root certificate for the CA that signs the IM and Presence certificate. Import the CA root certificate in to the trust store on OCS using the certificate snap-in.
- On IM and Presence, upload the root certificate for the CA that signs the OCS certificate. Note the following:
- Upload the certificate as a cup-trust certificate.
- Leave the Root Certificate field blank.
- Use the procedure Import self-signed certificate onto IM and Presence as a guide for uploading a certificate to IM and Presence.
- Generate a CSR for IM and Presence so that the IM and Presence certificate can be signed by a CA. Upload the CSR to the CA that will sign your certificate.
- When you have retrieved the CA-signed certificate and the CA root certificate, upload the CA-signed certificate and the root certificate to IM and Presence. Note the following:
- Add a TLS Peer subject on IM and Presence for the OCS server. Follow these steps Create new TLS peer subject to create the peer subject for the OCS server. Use the FQDN of the OCS server.
- Add the TLS Peer to the Selected TLS Peer Subjects list. Follow these steps Add TLS peer to selected TLS peer subjects list to add the TLS Peer to the Selected TLS Peer Subjects list. Note the following:
Static route configuration for interdomain federation to Microsoft Lync within enterprise
NoteFor interdomain federation with Microsoft Lync, you must configure TLS between IM and Presence Service and Microsoft Lync if there is more than one Lync front-end server.
This procedure uses the following sample configuration parameters:
- IM and Presence Service Server FQDN (routing IM and Presence Service node): cupserverPub.sip.com
Note
Ensure the FQDN can resolve to the correct IP address.
- IM and Presence Service Server IP Address (routing IM and Presence Service node): 10.53.57.10
- IM and Presence Service Server TCP port: 5060
Note
The TCP port value must match that configured under Cisco Unified CM IM and Presence Administration > System > Application Listeners > Default Cisco SIP Proxy TCP Listener.
- IM and Presence Service Server TLS port: 5062
Note
The TLS port value must match that configured under Cisco Unified CM IM and Presence Administration > System > Application Listeners > Default Cisco SIP Proxy TLS Listener - Peer Auth.
- IM and Presence Service Server domain: sip.com
- Lync Registrar server: lyncserver.lync.net
For more information about configuring static routes for Interdomain Federation to Microsoft Lync within an enterprise, see http://technet.microsoft.com/en-us/library/gg558664.aspx
Note You must create a static route to the IM and Presence Service routing node only. It is not necessary to create static routes to subscriber nodes, nor any intercluster peer nodes even if your IM and Presence Service deployment has multiple clusters.
- Sign into a computer where Lync Server Management Shell is installed. You must sign in as a member of the RTCUniversalServerAdmins group or a role-based access control (RBAC) role to which you have assigned the New-CsStaticRoute cmdlet.
- Select .
- For TLS, enter the following command:
$tlsRoute = New-CsStaticRoute -TLSRoute -Destination <FQDN of IM and Presence routing node> -Port <listening port of IM and Presence routing node> -usedefaultcertificate $true -MatchUri <destination domain>Example: $tlsRoute = New-CsStaticRoute -TLSRoute -Destination cupserverPub.sip.com -Port 5062 -usedefaultcertificate $true -MatchUri sip.com
Note To match child domains of a domain you can specify a wildcard value in the MatchUri parameter, for example, *.sip.com. That value matches any domain that ends with the suffix sip.com.
If you set -usedefaultcertificate to false, you must specify the TLSCertIssuer and TLSCertSerialNumber parameters. These parameters indicate the name of the certification authority (CA) that issue the certificate used in the static route and the serial number of the TLS certificate, respectively. See the Lync Server Management Shell for more information about these parameters.
- For TCP, enter the following command:
$tcpRoute = New-CsStaticRoute -TCPRoute -Destination <IP address or FQDN of IM and Presence routing node> -Port <SIP listening port of IM and Presence routing node> -MatchUri <destination domain>Example: $tcpRoute = New-CsStaticRoute -TCPRoute -Destination 10.53.57.10 -Port 5060 -usedefaultcertificate $true -MatchUri *sip.com
Note This step is only necessary for the routing node.
- To persist a newly created static route in the Central Management store, run one of the following: For TLS:
Set-CsStaticRoutingConfiguration -Route @{Add=$tlsRoute}For TCP:Set-CsStaticRoutingConfiguration -Route @{Add=$tcpRoute}- To verify that the command was successful, enter
get-CsStaticRoutingConfigurationCreate trusted application server pool
Note You must create a trusted application server pool for all IM and Presence Service nodes, including the routing IM and Presence Service node.
- Enter the following command to obtain the Site ID:
get-cssite- For TLS, enter the following command:
New-CsTrustedApplicationPool -Identity <FQDN of IM and Presence node> [-Registrar <Service ID or FQDN of the next hop>] -Site <Site ID for the site where you want to create the trusted application pool> TreatAsAuthenticated $true -ThrottleAsServer $trueExample:New-CsTrustedApplicationPool -Identity cupserverPub.sip.com -Registrar LyncServer.lync.net -Site co1 -TreatAsAuthenticated $true -ThrottleAsServer $true- For TCP, enter the following command:
New-CsTrustedApplicationPool -Identity <IP address of IM and Presence node> [-Registrar <Service ID or FQDN of the next hop>] -Site <Site ID for the site where you want to create the trusted application pool> TreatAsAuthenticated $true -ThrottleAsServer $trueExample:New-CsTrustedApplicationPool -Identity 10.53.57.10 -Registrar LyncServer.lync.net -Site co1 -TreatAsAuthenticated $true -ThrottleAsServer $trueAdd application servers to the created pool
Note You must add application servers to the created pool for all IM and Presence Service nodes, including the routing IM and Presence Service node.
- For TLS, enter the following command:
New-CsTrustedApplication -ApplicationID <application name> -TrustedApplicationPoolFqdn <FQDN of IM and Presence node> -Port <SIP listening port of IM and Presence node>Example:New-CsTrustedApplication -ApplicationID cupPub1 -TrustedApplicationPoolFqdn cupserverPub.sip.com -Port 5062- For TCP, enter the following command:
New-CsTrustedApplication -ApplicationID <application name> -TrustedApplicationPoolFqdn <IP Address of IM and Presence node> -Port <listening port of IM and Presence node> -EnableTcpExample:New-CsTrustedApplication -ApplicationID cupPub1 -TrustedApplicationPoolFqdn 10.53.57.10 -Port 5060 -EnableTcp
- In the Lync Server Management Shell enter the following command to verify the current system configuration:
Get-CSRegistrarConfiguration- Enter the following command to set the Lync server listening port:
Set-CsRegistrar registrar:<Lync_server_FQDN> -SipServerTcpPort 5060- Verify the new system configuration by entering the Get command from Step 1 again.
The parameters that you use to configure the Lync server listen port are as follows:
- Before you enable the topology, ensure that you have completed the following:
- Define a TCP/TLS route for the routing IM and Presence Service node.
- Persist the new static route for the routing IM and Presence Service node.
- Create a trusted application server pool for all IM and Presence Service nodes.
- Add application servers to the created pool for all IM and Presence Service nodes.
- Enter the following command to implement the changes you have made to the topology:
Enable-CsTopology
Note This step applies only to TCP.
- Sign into the computer where Topology Builder is installed. You must sign in as a member of the Domain Admins group and the RTCUniversalServerAdmins group.
- Select
- Select the option to download an existing topology.
- Expand the Trusted applications servers node.
- Right-click the trusted application pool that you created and select Edit Properties.
- Uncheck Enable replication of configuration data to this pool.
- Select Limit service usage to selected IP addresses and ensure that it is set to Use all configured IP addresses.
- In the Primary IP address field, enter the IP address of the SIP gateway.
- To update the topology in the Central Management store, in the console tree, select Lync Server 2010 and from the Actions pane, select Publish.
