-
Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.1(1)
-
Overview of this integration
-
Preparations for this integration
-
Configuration workflows for interdomain federation
-
Configuration of IM and Presence for SIP federation
-
SIP federation security certificate configuration (with Cisco Adaptive\n\t Security Appliance)
-
Cisco Adaptive Security Appliance configuration for SIP federation
-
Configuration of TLS Proxy on Cisco Adaptive Security Appliance
-
Configure interdomain federation to Microsoft OCS/Lync within an enterprise
-
Configuration of foreign server components for SIP federation
-
Configuration of load balancer for redundancy for SIP federation
-
Configuration of IM and Presence for XMPP federation
-
Security certificate configuration for XMPP federation
-
Serviceability configuration for federation
-
Federation integration verification
-
Troubleshooting a SIP federation integration
-
Troubleshooting an XMPP federation integration
-
Sample Cisco Adaptive Security Appliance configuration
-
Configuration of security certificate exchange between Cisco Adaptive Security Appliance and Microsoft Access Edge using VeriSign
-
Integration debugging information
-
Feedback
Contents
Sample Cisco Adaptive Security Appliance configuration
- Sample PAT commands and access list configuration for SIP federation
- Sample access list configuration for XMPP federation
- Sample NAT configuration for XMPP federation
Sample PAT commands and access list configuration for SIP federation
This section provides a sample configuration for a IM and Presence server that is federating with a foreign OCS enterprise deployment. There are two additional intercluster IM and Presence servers in the local enterprise deployment.
The following values are used in this sample configuration:
- Public IM and Presence IP Address = 10.10.10.10
- Private Routing IM and Presence IP Address = 1.1.1.1
- Private Second IM and Presence IP Address = 2.2.2.2
- Private Third IM and Presence IP Address = 3.3.3.3
- Peer Auth Listener Port on IM and Presence = 5062
- Netmask = 255.255.255.255
- Foreign Domain = abc.com
- Microsoft OCS External Interface = 20.20.20.20
These PAT commands are defined for the (routing) IM and Presence server:
(Cisco Adaptive Security Appliance Release 8.2:)
static (inside,outside) tcp 10.10.10.10 5061 1.1.1.1 5062 netmask 255.255.255.255static (inside,outside) tcp 10.10.10.10 5080 1.1.1.1 5080 netmask 255.255.255.255 static (inside,outside) tcp 10.10.10.10 5060 1.1.1.1 5060 netmask 255.255.255.255(Cisco Adaptive Security Appliance Release 8.3:)
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 serviceobj_tcp_source_eq_5061 obj_tcp_source_eq_5062 nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5080 obj_tcp_source_eq_5080 nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5060 obj_tcp_source_eq_5060These PAT commands are defined for the two additional intercluster IM and Presence servers in the enterprise deployment:
(Cisco Adaptive Security Appliance Release 8.2:)
static (inside,outside) tcp 10.10.10.10 45080 2.2.2.2 5080 netmask 255.255.255.255static (inside,outside) udp 10.10.10.10 55070 3.3.3.3 5070 netmask 255.255.255.255 static (inside,outside) tcp 10.10.10.10 55070 3.3.3.3 5070 netmask 255.255.255.255 static (inside,outside) udp 10.10.10.10 45062 2.2.2.2 5062 netmask 255.255.255.255 static (inside,outside) tcp 10.10.10.10 55062 3.3.3.3 5062 netmask 255.255.255.255(Cisco Adaptive Security Appliance Release 8.3:)
nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 serviceobj_tcp_source_eq_5080 obj_tcp_source_eq_45080 nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_tcp_source_eq_5070 obj_tcp_source_eq_55070 nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_udp_source_eq_5070 obj_udp_source_eq_55070 nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 service obj_tcp_source_eq_5062 obj_tcp_source_eq_45062 nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_tcp_source_eq_5062 obj_tcp_source_eq_55062The corresponding access lists for this configuration are provided below. Note that for each foreign domain that you federate with, you must add access lists similar to these access lists for the domain abc.com.
(Cisco Adaptive Security Appliance Release 8.2:)
access-list ent_cup_to_abc extended permit tcp host 1.1.1.1 host 20.20.20.20 eq 5061access-list ent_abc_to_cup extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 5061 access-list ent_secondcup_to_abc extended permit tcp host 2.2.2.2 host 20.20.20.20 eq 5061 access-list ent_thirdcup_to_abc extended permit tcp host 3.3.3.3 host 20.20.20.20 eq 5061 access-list ent_abc_to_secondcup extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 45061 access-list ent_abc_to_thirdcup extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 55061(Cisco Adaptive Security Appliance Release 8.3:)
access-list ent_cup_to_abc extended permit tcp host 1.1.1.1 host 20.20.20.20 eq 5061access-list ent_abc_to_cup extended permit tcp host 20.20.20.20 host 1.1.1.1 eq 5062 access-list ent_secondcup_to_abc extended permit tcp host 2.2.2.2 host 20.20.20.20 eq 5061 access-list ent_thirdcup_to_abc extended permit tcp host 3.3.3.3 host 20.20.20.20 eq 5061 access-list ent_abc_to_secondcup extended permit tcp host 20.20.20.20 host 2.2.2.2 eq 5062 access-list ent_abc_to_thirdcup extended permit tcp host 20.20.20.20 host 3.3.3.3 eq 5062 Associate each of your access lists with the a class map: class-map ent_cup_to_abc match access-list ent_cup_to_abc class-map ent_abc_to_cup match access-list ent_abc_to_cup class-map ent_secondcup_to_abc match access-list ent_secondcup_to_abc class-map ent_thirdcup_to_abc match access-list ent_thirdcup_to_abc class-map ent_abc_to_secondcup match access-list ent_abc_to_secondcup class-map ent_abc_to_thirdcup match access-list ent_abc_to_thirdcup Update the global policy map for each class map you created. In this example, the TLS proxy instance for TLS connections initiated by IM and Presence is called "cup_to_foreign", and the TLS proxy instance for TLS connections initiated by a foreign domain is called "foreign_to_cup". policy-map global_policy class ent_cup_to_abc inspect sip sip_inspect tls-proxy ent_cup_to_foreign policy-map global_policy class ent_abc_to_cup inspect sip sip_inspect tls-proxy ent_foreign_to_cup policy-map global_policy class ent_secondcup_to_abc inspect sip sip_inspect tls-proxy ent_cup_to_foreign policy-map global_policy class ent_thirdcup_to_abc inspect sip sip_inspect tls-proxy ent_cup_to_foreign policy-map global_policy class ent_abc_to_secondcup inspect sip sip_inspect tls-proxy ent_foreign_to_cup policy-map global_policy class ent_abc_to_thirdcup inspect sip sip_inspect tls-proxy ent_foreign_to_cupSample access list configuration for XMPP federation
NoteThe examples in this section are applicable to Cisco Adaptive Security Appliance Release 8.3.
Example 1: This example access list configuration allows from any address to any address on port 5269:
access-list ALLOW-ALL extended permit tcp any any eq 5269Example 2: This example access list configuration allows from any address to any single XMPP federation node on port 5269. The following values are used in this example:
- Private XMPP federation IM and Presence Release 9.x IP address = 1.1.1.1
- XMPP federation listening port = 5269
access-list ALLOW-ALL extended permit tcp any host 1.1.1.1 eq 5269Example 3: This example access list configuration allows from any address to specific XMPP federation nodes published in DNS.
NoteThe public addresses are published in DNS, but the private addresses are configured in the access-list command.
The following values are used in this sample configuration:
• Private XMPP federation IM and Presence Release 9.x IP address = 1.1.1.1
• Private second IM and Presence Release 9.x IP address= 2.2.2.2
• Private third IM and Presence Release 9.x IP address = 3.3.3.3
• XMPP federation listening port = 5269
access-list ALLOW-ALL extended permit tcp any host 1.1.1.1 eq 5269access-list ALLOW-ALL extended permit tcp any host 2.2.2.2 eq 5269 access-list ALLOW-ALL extended permit tcp any host 3.3.3.3 eq 5269Example 4: This example access list configuration allows only from a specific federated domain interface to specific XMPP federation nodes published in DNS.
NoteThe public addresses are published in DNS, but the private addresses are configured in the access-list command.
The following values are used in this sample configuration:
- Private XMPP federation IM and Presence Release 9.x IP address = 1.1.1.1
- Private second IM and Presence Release 9.x IP address = 2.2.2.2
- Private third IM and Presence Release 9.x IP address = 3.3.3.3
- XMPP federation listening port = 5269
- External interface of the foreign XMPP enterprise = 100.100.100.100
access-list ALLOW-ALL extended permit tcp host 100.100.100.100 host 1.1.1.1 eq 5269access-list ALLOW-ALL extended permit tcp host 100.100.100.100 host 2.2.2.2 eq 5269 access-list ALLOW-ALL extended permit tcp host 100.100.100.100 host 3.3.3.3 eq 5269Sample NAT configuration for XMPP federation
Example 1: Single node with XMPP federation enabled
The following values are used in this sample configuration:
- Public IM and Presence IP address = 10.10.10.10
- Private XMPP federation IM and Presence Release 9.x IP address = 1.1.1.1
- XMPP federation listening port = 5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 serviceobj_udp_source_eq_5269 obj_udp_source_eq_5269 nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269Example 2: Multiple nodes with XMPP federation, each with a public IP address in DNS
The following values are used in this sample configuration:
- Public IM and Presence IP addresses = 10.10.10.10, 20.20.20.20, 30.30.30.30
- Private XMPP federation IM and Presence Release 9.x IP address = 1.1.1.1
- Private second IM and Presence Release 9.x IP address = 2.2.2.2
- Private third IM and Presence Release 9.x IP address = 3.3.3.3
- XMPP federation listening port = 5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_5269 nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269 nat (inside,outside) source static obj_host_2.2.2.2 obj_host_20.20.20.20 service obj_udp_source_eq_5269 obj_udp_source_eq_5269 nat (inside,outside) source static obj_host_2.2.2.2 obj_host_20.20.20.20 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269 nat (inside,outside) source static obj_host_3.3.3.3 obj_host_30.30.30.30 service obj_udp_source_eq_5269 obj_udp_source_eq_5269 nat (inside,outside) source static obj_host_3.3.3.3 obj_host_30.30.30.30 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269Example 3: Multiple nodes with XMPP federation, but a single public IP address in DNS with arbitrary
The following values are used in this sample configuration:
- Public IM and Presence IP Address = 10.10.10.10
- Private XMPP federation IM and Presence Release 9.x IP address = 1.1.1.1, port 5269
- Private second IM and Presence Release 9.x IP address = 2.2.2.2, arbitrary port 25269
- Private third IM and Presence Release 9.x IP address = 3.3.3.3, arbitrary port 35269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 serviceobj_udp_source_eq_5269 obj_udp_source_eq_5269 nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269 nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_25269 nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_25269 nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_35269 nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_35269
