Configuration of IM and Presence for SIP federation
Note
IM and Presence Release 9.0 or later supports interdomain federation with Microsoft Lync. For IM and Presence Release 9.0 or later, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.
If you change the SIP proxy domain on IM and Presence before you configure federation, as part of the SIP proxy domain change procedure you must also change the Federation Routing IM and Presence FQDN parameter. Refer to the Deployment Guide for IM and Presence for the correct sequence of steps for changing the SIP proxy domain on IM and Presence.
IM and Presence Release 9.0 supports SIP federation with AOL.
When you configure a federated domain entry, IM and Presence automatically adds the incoming ACL for the federated domain entry. You can see the incoming ACL associated with a federated domain on IM and Presence Administration, but you cannot modify or delete it. You can only delete the incoming ACL when you delete the (associated) federated domain entry.
If you are configuring SIP federation with AOL, note the following:
The AOL network can comprise both public communities and hosted networks. You must configure each of these domains as a SIP federated domain of type AOL on IM and Presence.
To handle users in a hosted domain such as "user@acompany.com", you must configure a SIP federated domain of type AOL on IM and Presence for "acompany.com".
To handle users in domains "aol.com" and "aim.com", you only need to add one SIP federated domain for "aol.com" on IM and Presence. The AOL network allows you to address "user@aim.com" as "user@aol.com".
Procedure
Step 1
Select Cisco Unified CM IM and Presence Administration > Presence > Inter Domain Federation > SIP Federation.
Step 2
Select Add New.
Step 3
Enter the federated domain name in the Domain Name field.
Step 4
Enter a description that identifies the federated domain in the Description field.
This text string is displayed to the user in the Cisco Jabber Release 8.x privacy preferences available from the Manage Domains tab. Therefore make sure you enter a domain name that is easily recognizable to the user.
Step 5
Select one of these integrations:
Inter-domain to OCS/Lync
Inter-domain to AOL
Step 6
If you are configuring federation with Microsoft OCS, ensure that Direct Federation is unchecked.
Step 7
Select Save.
Step 8
After you add, edit or delete a SIP federated domain, restart the Cisco XCP Router by selecting Tools > Control Center - Network Services in Cisco Unified IM and Presence Serviceability. When you restart Cisco XCP Router, this causes a restart of all XCP services on IM and Presence.
In the local IM and Presence enterprise, IM and Presence must publish a DNS SRV record for the IM and Presence domain to make it possible for other domains to discover the IM and Presence server through DNS SRV.
The Microsoft enterprise deployment requires IM and Presence to publish a DNS SRV record for the IM and Presence domain because you configure IM and Presence as a Public IM Provider on the Access Edge server.
In the IM and Presence enterprise deployment, you need to configure a DNS SRV record that points to _sipfederationtls._tcp.<CUP_domain> over port 5061, where <CUP_domain> is the name of the IM and Presence domain. This DNS SRV should point to the public FQDN of the routing IM and Presence server. This FQDN must be publicly resolvable.
In order for IM and Presence to discover the foreign domain, a DNS SRV record must exist in the DNS server of the foreign domain that points to the FQDN of the external interface of the foreign domain.
If you configure SIP federation with AOL, AOL routes based on FQDN, so you just require the FQDN of the routing IM and Presence server to be publicly resolvable. AOL does not perform a DNS SRV lookup; instead it statically configures the FQDN of IM and Presence so it requires this FQDN to be publicly resolvable.
Tip
Use this sequence of commands for performing a DNS SRV lookup:
Static route configuration is only applicable to SIP federation.
If the IM and Presence server cannot discover the external domain using DNS SRV, you must configure a static route on IM and Presence that points to the external interface of the foreign domain.
Procedure
Step 1
Select Cisco Unified CM IM and Presence Administration > Presence > Routing > Static Routes.
Step 2
Configure the static route parameters as follows:
The destination pattern value must be configured such that the foreign enterprise domain is reversed. For example, if the domain is "domaina.com" then the Destination Pattern value must be ".com.domaina.*".
The Next Hop value is the FQDN or IP address of the external Access Edge for federation with Microsoft OCS, or the FQDN or IP address of the AOL SIP Access Gateway for federation with AOL.
The Next Hop Port number is 5061.
The Route Type value is domain.
The Protocol Type is TLS.
Step 3
Click Save.
Related Tasks
Configure IM and Presence Domain from CLI
If you do not enable DHCP, use this procedure to configure the IM and Presence domain from the CLI.
Procedure
Step 1
Log in to the administrator CLI on IM and Presence.
Enter this command to display the current network settings:
show network eth0
Step 2
If no domain exists and you do not enable DHCP, configure the domain to be the same as the IM and Presence proxy domain. Enter this command:
set network domain <domain name>
Step 3
Enter y at the prompt to confirm the changes.
The server automatically restarts. This can take up to 5 minutes.
Step 4
When the server restarts, enter this command to confirm you have configured the domain:
show network eth0
Configure federation routing parameter
Before You Begin
When you first install IM and Presence, the federation routing parameter is automatically set to the FQDN of the publisher node, and IM and Presence passes this value to each subscriber node.
Procedure
Step 1
Select Cisco Unified CM IM and Presence Administration > System > Service Parameters.
Step 2
Select the IM and Presence server from the Server menu.
Step 3
Select Cisco SIP Proxy from the Service menu.
Step 4
Enter the public FQDN value for the Federation Routing IM and Presence FQDN parameter in the Federation Routing Parameters (Clusterwide) section.
Note
This FQDN value must correspond to the _sipfederationtls entry in the public DNS for that IM and Presence domain.
If you assign users to the routing IM and Presence server, this FQDN value cannot be the same as the actual FQDN of the routing IM and Presence server.
Step 5
Select Save.
Step 6
After you add, edit or delete a SIP federated domain, restart the Cisco XCP Router by selecting Tools > Control Center - Network Services in Cisco Unified IM and Presence Serviceability. When you restart Cisco XCP Router, this causes a restart of all XCP services on IM and Presence.
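The following check is an added example, not part of the Cisco documentation or tooling. It compares published _sipfederationtls SRV data against the Federation Routing IM and Presence FQDN rules stated above (port 5061, SRV target equal to the routing FQDN, routing FQDN different from the node's own FQDN when users are assigned to it). The zone lines, host names and function names are constructed for illustration.

```python
# Added example: offline consistency check for the federation SRV record.
SRV_PORT = 5061  # port the page gives for _sipfederationtls._tcp

def parse_srv(line):
    """Parse a zone-file style line: owner ttl IN SRV priority weight port target."""
    fields = line.split()
    if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
        raise ValueError("not an SRV record: %r" % line)
    return {
        "owner": fields[0].rstrip(".").lower(),
        "priority": int(fields[4]),
        "weight": int(fields[5]),
        "port": int(fields[6]),
        "target": fields[7].rstrip(".").lower(),
    }

def check_federation_srv(zone_lines, imp_domain, routing_fqdn, node_fqdn,
                         users_on_routing_node):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    routing_fqdn = routing_fqdn.rstrip(".").lower()
    owner = "_sipfederationtls._tcp." + imp_domain.rstrip(".").lower()
    records = [r for r in map(parse_srv, zone_lines) if r["owner"] == owner]
    if not records:
        problems.append("no SRV record published for " + owner)
    for rec in records:
        if rec["port"] != SRV_PORT:
            problems.append("%s uses port %d, expected %d"
                            % (rec["target"], rec["port"], SRV_PORT))
        if rec["target"] != routing_fqdn:
            problems.append("SRV target %s does not match Federation Routing FQDN %s"
                            % (rec["target"], routing_fqdn))
    # The routing FQDN must differ from the node's real FQDN if users live on it.
    if users_on_routing_node and routing_fqdn == node_fqdn.rstrip(".").lower():
        problems.append("Federation Routing FQDN equals the node FQDN "
                        "while users are assigned to the routing node")
    return problems

# Constructed sample zone data (example.com is a placeholder domain).
GOOD_ZONE = ["_sipfederationtls._tcp.example.com. 3600 IN SRV 0 0 5061 impfed.example.com."]
BAD_ZONE = ["_sipfederationtls._tcp.example.com. 3600 IN SRV 0 0 5060 imp1.example.com."]

if __name__ == "__main__":
    for zone in (GOOD_ZONE, BAD_ZONE):
        print(check_federation_srv(zone, "example.com", "impfed.example.com",
                                   "imp1.example.com", True))
```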
Related Tasks
Configuration of security settings on IM and Presence
Note
This procedure is only applicable if you do not have Cisco Adaptive Security Appliance in your federation deployment, for example, if you deploy federation within your enterprise and you want a secure TLS connection.
When you import the Cisco Adaptive Security Appliance security certificate to IM and Presence, IM and Presence automatically adds Cisco Adaptive Security Appliance as a TLS peer subject. Therefore you do not need to manually add Cisco Adaptive Security Appliance as a TLS peer subject on IM and Presence.
Procedure
Step 1
Select Cisco Unified CM IM and Presence Administration > System > Security > TLS Peer Subjects.
Step 2
Click Add New.
Step 3
Enter one of the following values:
If you configure SIP federation with Microsoft OCS, enter the external FQDN of the Access Edge Server in the Peer Subject Name field. This value must match the subject CN of the certificate that the Microsoft Access Edge server presents.
If you configure SIP federation with AOL, enter the external FQDN of the AOL SIP Access Gateway. This value must match the subject CN of the certificate that the AOL SIP Access Gateway presents.
Step 4
Enter the name of the foreign server in the Description field.
Select all ciphers from the list of available TLS ciphers.
Step 5
Click the arrow to move these cipher selections to Selected TLS Ciphers.
Step 6
From the list of available TLS peer subjects, click the TLS peer subject that you configured in the previous section.
Step 7
Click the arrow to move the selected TLS peer subject to Selected TLS Peer Subjects.
Step 8
Check Disable Empty TLS Fragments when you federate with Microsoft OCS.
Step 9
Click Save.
Step 10
Restart the Cisco SIP Proxy service.
Note
If you deploy AOL and Microsoft OCS federation on the same IM and Presence node, checking the Disable Empty TLS Fragments setting will not impact AOL federation.
IM and Presence Release 9.0 supports SIP federation with AOL.
SIP federation with AOL enables IM and Presence users to federate with the following users:
Users of AOL public communities, for example, aim.com, aol.com.
Users of an enterprise whose domain is hosted by AOL.
Users of a foreign enterprise that federates with AOL.
IM and Presence could use AOL as a clearing house to federate with these foreign enterprises.
For example, AOL hosts an enterprise with a domain called "hosteddomain.com", and there is an enterprise federating with AOL with a domain called "acompany.com". You can add a SIP federation domain entry for each of these domains on IM and Presence to allow IM and Presence users to federate with users@hosteddomain.com and users@acompany.com.
The routing logic on IM and Presence is enhanced to support routing to domains that federate through AOL. When you configure SIP federation with AOL, IM and Presence routes messages based on the default federation routing domain. The default value for this domain is "aol.com".
Note
The routing described here is only applicable when you configure a federated domain of type "Inter-domain to AOL".
If the federated user belongs to one of the hosted domains in AOL (a domain other than aol.com), IM and Presence performs the following steps:
Procedure
Step 1
Performs a lookup for a static route for the hosted domain. If no static route exists, IM and Presence will,
Step 2
Perform a DNS SRV lookup for the hosted domain. If the lookup returns nothing, IM and Presence will,
Step 3
Perform a lookup for a static route for the default federation routing domain (aol.com by default). If no static route exists, IM and Presence will,
Step 4
Perform a DNS SRV lookup for the default federation routing domain (aol.com by default).
If the federated user is in the default AOL domain (user@aol.com), IM and Presence performs the following steps:
Step 5
Performs a lookup for a static route for the default AOL domain (aol.com by default). If no static route exists, IM and Presence will,
Step 6
Perform a DNS SRV lookup for the default federation routing domain (aol.com by default).
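The lookup order described above can be modelled as follows. This is an added example, not Cisco code: the function names, the exact-match static route table, the sample next hops, and the use of the _sipfederationtls._tcp name for the foreign-domain SRV lookup are assumptions made for illustration. The reversed destination pattern follows the ".com.domaina.*" rule from the static route procedure.

```python
# Added example: model of the AOL federation lookup order (assumptions noted inline).
DEFAULT_FEDERATION_ROUTING_DOMAIN = "aol.com"  # default value stated on the page

def destination_pattern(domain):
    """Reverse the domain labels: 'domaina.com' -> '.com.domaina.*'."""
    labels = domain.rstrip(".").lower().split(".")
    return "." + ".".join(reversed(labels)) + ".*"

def resolve_next_hop(address, static_routes, srv_records,
                     default_domain=DEFAULT_FEDERATION_ROUTING_DOMAIN):
    """Return (method, domain_used, next_hop), or None when every lookup fails.

    static_routes maps destination patterns to next hops (exact match only,
    a simplification); srv_records maps SRV owner names to targets.
    """
    user_domain = address.rsplit("@", 1)[-1].lower()
    # Hosted domains are tried first, then the default federation routing domain.
    lookup_order = [user_domain]
    if user_domain != default_domain:
        lookup_order.append(default_domain)
    for domain in lookup_order:
        route = static_routes.get(destination_pattern(domain))
        if route is not None:
            return ("static-route", domain, route)
        # Assumption: the foreign domain publishes _sipfederationtls._tcp.<domain>.
        target = srv_records.get("_sipfederationtls._tcp." + domain)
        if target is not None:
            return ("dns-srv", domain, target)
    return None

# Constructed sample data: one static route for the default domain and one
# SRV record for a domain that federates through AOL.
STATIC_ROUTES = {".com.aol.*": "aol-gateway.example.net:5061"}
SRV_RECORDS = {"_sipfederationtls._tcp.acompany.com": "edge.acompany.com:5061"}

if __name__ == "__main__":
    for addr in ("user@hosteddomain.com", "user@acompany.com", "user@aol.com"):
        print(addr, "->", resolve_next_hop(addr, STATIC_ROUTES, SRV_RECORDS))
```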
Change default federation routing domain for SIP federation with AOL
Note
IM and Presence Release 9.0 supports SIP federation with AOL.
Generally you should not need to change the value of the default federation routing domain, unless the AOL enterprise changes the domain that the AOL server resolves to.
Before You Begin
Read the topic on routing SIP requests for SIP Federation with AOL.
Procedure
Step 1
Select Cisco Unified CM IM and Presence Administration > System > Service Parameters.
Step 2
Select the IM and Presence server from the Server menu.
Step 3
Select Cisco SIP Proxy from the Service menu.
Step 4
Verify or edit the value of the Default Federation Routing Domain parameter in the Federation Routing Parameters (Clusterwide) section.
Step 5
Select Save if you change the value of the Default Federation Routing Domain parameter.
Step 6
You need to restart the Cisco XCP Router if you change the value of the Default Federation Routing Domain parameter. In Cisco Unified IM and Presence Serviceability, select Tools > Control Center - Network Services to restart the Cisco XCP Router.
Related Tasks
Email address configuration for federation
Note
This section applies to both SIP and XMPP federation.
When you turn on IM and Presence to use the email address for SIP federation, IM and Presence changes the SIP URI of each federated contact from "userid@domain" to the email address of the contact.
Before you turn on email address for interdomain federation, note the following:
If you have not yet attempted to federate with the foreign domain, and you wish to turn on email for federation, we recommend that you turn on this setting before users begin to add any federated contacts.
If you turn on email address for federation, and a user does not have an email address configured in Active Directory, IM and Presence uses the JID of the user for federation.
A prerequisite for this feature is that the Cisco Unified Communications Manager Mail ID for each user must match the full email address for the user.
If the Mail ID field for the user is empty or does not contain a full email address, IM and Presence defaults to using the IM and Presence JID of the user for federation.
If you turn on email address for federation, and a federated contact uses the JID of an IM and Presence user rather than using the email address, IM and Presence drops these requests (even if a valid email address is configured for the user).
IM and Presence does not support email aliases for the email address for federation feature.
Email domain for federation
If the email domain for federation is different to the SIP Proxy domain value that you configure on the Cluster Topology Settings page on the Cisco Unified CM IM and Presence Administration interface, follow these steps:
Configure the Federation Routing IM and Presence FQDN parameter value under Proxy Service Parameters to contain the email domain for federation rather than the SIP Proxy domain. Note that this step applies to both XMPP and SIP federation.
Make sure that you publish the email domain for the federation DNS SRV records in the public DNS server:
_xmpp-server._tcp.<email-domain>
_sipfederationtls._tcp.<email-domain>
Information to provide to administrator of foreign domain
Before you turn on email address for federation, you must alert the system administrator of the foreign domain to the following:
You are using email address for federation, and that the users in the foreign domain must specify an email address when adding a federated contact to their contact list.
If you are already federating with the foreign domain, and you wish to turn on email for federation, users in the foreign domain must remove the existing federated contacts in their contact list, and add these federated contacts again specifying an email address.
Information to provide to IM and Presence users
When you turn on email address for federation, you must notify all IM and Presence users of the following:
Federated contacts will now use email address rather than the user_id@domain address.
When adding new contacts to their contact list, federated contacts must now use the email address for IM and Presence users, rather than the user_id@domain.
Existing IM and Presence contacts (on the federated watcher's contact list) that were added with user_id@domain must be removed, and added again using the email address for the IM and Presence user.
Any messages that IM and Presence receives from federated contacts to the user_id@domain address will be dropped (unless it happens to be the same as the email address configured in Active Directory, and the address configured in the users table on IM and Presence).
If IM and Presence users already have federated contacts on their contact list, when these users sign in to the client again, the federated contact may get a pop-up containing the email address.
Note
When you turn on email address for federation, the IM and Presence user does NOT need to change anything on the client when they connect to IM and Presence, nor do they interact any differently with the IM and Presence server.
Turn on email for federation
Note
If you have an intercluster deployment, you must turn on the email address for federation on any intercluster nodes in your deployment.
Procedure
Step 1
Select Cisco Unified CM IM and Presence Administration > Presence > Settings.
Step 2
Check Enable use of Email Address when Federating.
Step 3
Read the warning message, and click OK.
Step 4
Click Save.
Step 5
After you turn on email for federation, restart the Cisco XCP Router in Cisco Unified IM and Presence Serviceability. Select Tools > Control Center - Network Services.
You need to turn on the Cisco XCP SIP Federation Connection Manager service on each IM and Presence node. This turns on the SIP Federation feature for each user that you provision on the node. You must perform this procedure on each node in the cluster.
Procedure
Step 1
Select Cisco Unified IM and Presence Serviceability > Tools > Service Activation.
Step 2
Select the server from the Server list box.
Step 3
Select Go.
Step 4
Select the radio button next to the Cisco XCP SIP Federation Connection Manager service in the IM and Presence Services section.
Step 5
Select Save.
Step 6
The Cisco SIP Proxy service must be running for SIP federation to work. Select Cisco Unified IM and Presence Serviceability > Tools > Feature Services and verify that the Cisco SIP Proxy service is running.