Partitioned Intradomain Federation for IM and Presence Service on Cisco Unified Communications Manager Release 9.1(1)
Configure Microsoft Lync for Partitioned Intradomain Federation

To configure Microsoft Lync for Partitioned Intradomain Federation, you must complete the following procedures in the order they are presented. After the configuration is complete, you must restart services on Lync servers.


Note
You must configure TLS for Partitioned Intradomain Federation with Lync. TCP is not supported.

Enable Federal Information Processing Standard Compliance on Lync

To support TLS encryption between IM and Presence and Lync, you must enable TLSv1 on Lync servers. TLSv1 is included as part of the Federal Information Processing Standard (FIPS) compliance on Windows servers. The following procedure describes how to enable FIPS compliance.

For Standard Edition, you must perform this procedure on all Standard Edition servers.

For Enterprise Edition, you must perform this procedure on all front-end servers.


Caution
If you disable FIPS, Partitioned Intradomain Federation with Lync servers will fail.

Procedure
Step 1   On the Lync server, select Start > Programs > Administrative Tools > Local Security Policy.
Step 2   From the console tree, select Local Policies.
Step 3   Select Security Options.
Step 4   Double-click System Cryptography: Use FIPS Compliant algorithms for encryption, hashing and signing.
Step 5   Enable the security setting.
Step 6   Select OK.
Step 7   Close the Local Security Settings window.

What to Do Next

Configure Lync Static Route to Point to IM and Presence

Configure Lync Static Route to Point to IM and Presence

To allow Lync to route requests to IM and Presence, you must configure a static route on Lync servers. The static route points to an IM and Presence server. The following procedure describes how to configure the required static route.

Note
• For Standard Edition, you must perform this procedure on all Standard Edition servers.
• For Enterprise Edition, you must perform this procedure on all pools.

Procedure
Step 1   Select Start > All Programs > Microsoft Lync Server 2010 > Lync Server Management Shell.
Step 2   Enter the following command to configure a static route on Lync to point to IM and Presence:

$tcpRoute = New-CsStaticRoute -TLSRoute -Destination <IP_address_CUPserver> -Port 5061 -MatchUri "<Line_Server_URI_domain>" -UseDefaultCertificate $true

Note
If you set UseDefaultCertificate to false, you must specify the TLSCertIssuer and TLSCertSerialNumber parameters. These parameters indicate the name of the certification authority (CA) that issued the certificate used in the static route and the serial number of the TLS certificate, respectively. See the Lync Server Management Shell for more information about these parameters.

Step 3   At the prompt, enter the following command to load the static route into the Lync server:

Set-CsStaticRoutingConfiguration -Route @{Add=$tcpRoute}

Parameter       Description
-Destination    The IP address of the IM and Presence server.
-Port           The port on which the IM and Presence server listens. For TLS, the port is 5061.
-MatchUri       This value is compared to the Line Server URI value that is specified for each user in the Lync Control Panel. The -MatchUri value and the Line Server URI value must both match the IM and Presence server FQDN. The value of this parameter must be written in double quotes, for example, -MatchUri "my-cups.my-domain.com".

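As an added example (not from the Cisco guide), the following Lync Server Management Shell script performs Steps 2 and 3 with the values held in variables and then reads the routing configuration back to confirm the route was stored. The IP address, FQDN and variable names are assumptions.

```powershell
# Added example, not from the Cisco guide. Constructed values for one IM and
# Presence node; replace them with your own before running in the Lync Server
# Management Shell.
$cupIp   = "10.10.1.1"       # assumed IM and Presence server IP address
$cupFqdn = "cup1.cisco.com"  # assumed IM and Presence FQDN (the users' Line Server URI)

# TLS only: a TCP route is not supported for partitioned intradomain federation,
# so -TLSRoute and port 5061 are fixed here rather than parameterised.
# -UseDefaultCertificate $true presents the Lync default certificate on the route;
# with $false you must also supply -TLSCertIssuer and -TLSCertSerialNumber.
$tlsRoute = New-CsStaticRoute -TLSRoute -Destination $cupIp -Port 5061 `
    -MatchUri $cupFqdn -UseDefaultCertificate $true

# Load the route into the global static routing configuration.
Set-CsStaticRoutingConfiguration -Route @{Add=$tlsRoute}

# Read the global configuration back and confirm a route for this FQDN exists.
$stored = (Get-CsStaticRoutingConfiguration -Identity Global).Route |
    Where-Object { $_.MatchUri -eq $cupFqdn }

if ($stored) {
    Write-Output "TLS static route for $cupFqdn -> ${cupIp}:5061 is present."
} else {
    Write-Warning "No static route with MatchUri $cupFqdn was stored; check the output above."
}
```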

What to Do Next

Add Host Authorization on Lync for IM and Presence and Enable Port 5061 on Lync Server

Add Host Authorization on Lync for IM and Presence and Enable Port 5061 on Lync Server

Note
You must configure TLS for Partitioned Intradomain Federation with Lync. TCP is not supported.

To allow Lync to accept SIP requests from IM and Presence without being prompted for authorization, you must configure host authorization entries on Lync for each IM and Presence server.

For TLS encryption between Lync and IM and Presence, you must add two host authorization entries for each IM and Presence server, as follows:

• The first entry must contain the IP address of the IM and Presence server.
• The second entry must contain the FQDN of the IM and Presence server.

The following procedure describes how to add the required host authorization entries for TLS encryption.

Note
• For Standard Edition, you must perform this procedure on all Standard Edition servers.
• For Enterprise Edition, you must perform this procedure on all pools.

Procedure
Step 1   In the Lync Server Management Shell, enter the following command to create a new pool for trusted applications:

New-CsTrustedApplicationPool -Identity <new_trusted_app_pool_FQDN> -Registrar <Lync_pool_FQDN> -Site <site> -TreatAsAuthenticated $true -ThrottleAsServer $true -RequiresReplication $false -OutboundOnly $false -ComputerFqdn <first_trusted_application_computer>

For example:

New-CsTrustedApplicationPool -Identity trustedpool.cisco.com -Registrar lyncpool1.cisco.com -Site 1 -TreatAsAuthenticated $true -ThrottleAsServer $true -RequiresReplication $false -OutboundOnly $false -ComputerFqdn cup1.cisco.com

where the value for the ComputerFqdn parameter is as follows:
• cup1 = the IM and Presence hostname
• cisco.com = the IM and Presence domain

Step 2   For each IM and Presence server, enter the following commands to add the FQDN and IP address of the server as a trusted application computer to the new application pool:

New-CsTrustedApplicationComputer -Identity <CUP_IP_address> -Pool <new_trusted_app_pool_FQDN>
New-CsTrustedApplicationComputer -Identity <CUP_FQDN> -Pool <new_trusted_app_pool_FQDN>

For example:

New-CsTrustedApplicationComputer -Identity 10.10.1.1 -Pool trustedpool.cisco.com
New-CsTrustedApplicationComputer -Identity cup1.cisco.com -Pool trustedpool.cisco.com

Step 3   Enter the following command to create a new trusted application and add it to the new application pool:

New-CsTrustedApplication -ApplicationID <new_application_name> -TrustedApplicationPoolFqdn <new_trusted_app_pool_FQDN> -Port 5061

For example:

New-CsTrustedApplication -ApplicationID trustedapp -TrustedApplicationPoolFqdn trustedpool.cisco.com -Port 5061

The following table describes the parameters that you use to configure the application pool.

Parameter                     Description
-Identity                     The FQDN, or IP address, of the IM and Presence server. The value of this parameter must be written in double quotes, for example, -Identity "10.0.0.1".
-Registrar                    The FQDN of the Lync server.
-Site                         The numeric value of the site. Tip: you can find the site ID with the Get-CsSite Management Shell command.
-ApplicationID                The name of the application, for example, trustedapp.
-TrustedApplicationPoolFqdn   The FQDN, or IP address, of the IM and Presence server.
-Port                         The SIP TCP listening port of the IM and Presence server. For TLS the port is 5061.

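As an added example (not from the Cisco guide), this Lync Server Management Shell script runs Steps 1 to 3 for several IM and Presence nodes at once, adding the IP and FQDN entry for each node and skipping entries that already exist, then lists what Lync now trusts in the pool. The pool name, registrar, node names and addresses are constructed placeholders.

```powershell
# Added example, not from the Cisco guide. All names and addresses below are
# constructed; replace them with your own deployment values.
$poolFqdn  = "trustedpool.cisco.com"   # assumed new trusted application pool FQDN
$registrar = "lyncpool1.cisco.com"     # assumed Lync pool FQDN
$siteId    = 1                         # assumed; find yours in the SiteId column of Get-CsSite
$cupNodes  = @(
    @{ Fqdn = "cup1.cisco.com"; Ip = "10.10.1.1" },
    @{ Fqdn = "cup2.cisco.com"; Ip = "10.10.1.2" }
)

# Step 1: create the pool with the first node as its initial computer.
# TreatAsAuthenticated means Lync will not challenge requests from these hosts,
# so only the IM and Presence nodes themselves should ever be listed here.
New-CsTrustedApplicationPool -Identity $poolFqdn -Registrar $registrar -Site $siteId `
    -TreatAsAuthenticated $true -ThrottleAsServer $true -RequiresReplication $false `
    -OutboundOnly $false -ComputerFqdn $cupNodes[0].Fqdn

# Step 2: two entries per node, IP address and FQDN, as TLS requires.
foreach ($node in $cupNodes) {
    foreach ($id in @($node.Ip, $node.Fqdn)) {
        $existing = Get-CsTrustedApplicationComputer -Identity $id -ErrorAction SilentlyContinue
        if (-not $existing) {
            New-CsTrustedApplicationComputer -Identity $id -Pool $poolFqdn
        }
    }
}

# Step 3: the trusted application itself, listening on the TLS port.
New-CsTrustedApplication -ApplicationId "trustedapp" -TrustedApplicationPoolFqdn $poolFqdn -Port 5061

# Verify: every node should appear twice (IP and FQDN) under the new pool.
Get-CsTrustedApplicationComputer |
    Where-Object { $_.Pool -eq $poolFqdn } |
    Select-Object Identity, Pool
```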

What to Do Next

Publish Topology

Publish Topology

The following procedure describes how to commit the topology.

Procedure
Step 1   In the Lync Server Management Shell, enter the following command to enable the topology: Enable-CsTopology
Step 2   Enter the following command to output the topology to an XML file called topology.xml and save it to the C drive: Get-CsTopology -AsXml | Out-File C:\topology.xml

Note
You can select any name and location to output the topology information.

Step 3   Open the topology.xml file.
Step 4   In the Cluster Fqdn section, change the IPAddress parameter from "<0.0.0.0>" to the IP address of each IM and Presence server that you added to the trusted pool.
Step 5   Save the topology.xml file.
Step 6   Enter the following command in the Lync Server Management Shell: Publish-CsTopology -FileName C:\topology.xml

What to Do Next

Install Certificate Authority Root Certificates on Lync

Install Certificate Authority Root Certificates on Lync

TLS configuration must be used for Partitioned Intradomain Federation between IM and Presence Service and Lync servers. TCP cannot be used. To support TLS encryption between IM and Presence and Lync, each Lync server must have a signed security certificate. This signed certificate, along with the root certificate of the Certificate Authority (CA) that signed the certificate, must be installed on each Lync server.

Cisco recommends that Lync and IM and Presence servers share the same CA. If not, the root certificate of the CA that signed the IM and Presence certificates must also be installed on each Lync server.

Generally, the root certificate of the Lync CA is already installed on each Lync server. Therefore, if Lync and IM and Presence share the same CA, there may be no need to install a root certificate. However, if a root certificate is required, see the following details.

If you are using Microsoft Certificate Authority, refer to the following procedures in the Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager guide for information about installing the root certificate from the Microsoft Certificate Authority onto Lync:

• Downloading the CA Certification Chain
• Installing the CA Certification Chain

If you are using an alternative CA, the following procedure is a generic procedure for installing root certificates onto Lync servers. The procedure for downloading the root certificate from the CA differs depending on your chosen CA.

Note
The Integration Guide for Configuring IM and Presence for Interdomain Federation document refers to the Access Edge Server. For Partitioned Intradomain Federation, you can replace references to the Access Edge Server with Lync Standard Edition server or Enterprise Edition front-end server.

Before You Begin

Download the root certificate or certificate chain from your CA and save it to the hard disk of your Lync server.

Procedure
Step 1   On your Lync server, select Start > Run.
Step 2   Enter mmc and select OK.
Step 3   From the File menu, select Add/Remove Snap-in.
Step 4   From the Add/Remove Snap-in dialog box, select Add.
Step 5   From the list of Available Standalone Snap-ins, select Certificates and select Add.
Step 6   Select Computer Account and select Next.
Step 7   In the Select Computer dialog box, check <Local Computer> (the computer this console is running on) and select Finish.
Step 8   Select Close, and then OK.
Step 9   In the left pane of the Certificates console, expand Certificates (Local Computer).
Step 10   Expand Trusted Root Certification Authorities.
Step 11   Right-click Certificates and select All Tasks.
Step 12   Select Import.
Step 13   In the Import Wizard, select Next.
Step 14   Select Browse and navigate to where you saved the root certificate or certificate chain.
Step 15   Select the file and select Open.
Step 16   Select Next.
Step 17   Leave the default value Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears under the Certificate store.
Step 18   Select Next and Finish.
Step 19   Repeat Step 11 to Step 18 as necessary for other CAs.

What to Do Next

Validate Existing Lync Signed Certificate

Validate Existing Lync Signed Certificate

To support TLS encryption between IM and Presence and Lync, each Lync server must have a signed security certificate that supports Client Authentication. If a signed certificate is already installed on the Lync server, the following procedure describes how to check whether that existing signed certificate supports Client Authentication.

Note
• For Standard Edition, you must perform this procedure on all Standard Edition servers.
• For Enterprise Edition, you must perform this procedure on all front-end servers.

Procedure
Step 1   On your Lync server, select Start > Run.
Step 2   Enter mmc and select OK.
Step 3   From the File menu, select Add/Remove Snap-in.
Step 4   From the Add/Remove Snap-in dialog box, select Add.
Step 5   From the list of Available Standalone Snap-ins, select Certificates and select Add.
Step 6   Select Computer Account and select Next.
Step 7   In the Select Computer dialog box, check <Local Computer> (the computer this console is running on) and select Finish.
Step 8   Select Close, and then OK.
Step 9   In the left pane of the Certificates console, expand Certificates (Local Computer).
Step 10   Expand Personal and select Certificates.
Step 11   Find the signed certificate currently used by Lync in the right pane.
Step 12   Ensure that Client Authentication is listed in the Intended Purposes column.

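As an added example (not Cisco's or Microsoft's code), this script checks from the Lync Server Management Shell the two prerequisites covered by the FIPS section earlier and by this one: that the FIPS policy is enabled, and that the certificate Lync has assigned as its default carries the Client Authentication and Server Authentication purposes and chains to a root in the local trusted store. It assumes the server uses the Default certificate type; the registry path is the one behind the Local Security Policy setting.

```powershell
# Added example, not from the Cisco guide: a read-only readiness check for a
# Lync server before enabling partitioned intradomain federation.
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"

# 1. FIPS: the "System cryptography: Use FIPS compliant algorithms" policy is
#    stored as a DWORD under this LSA key (1 = enabled).
$fipsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
if ($fips -and $fips.Enabled -eq 1) {
    Write-Output "FIPS policy: enabled"
} else {
    Write-Warning "FIPS policy is disabled; partitioned intradomain federation with Lync will fail"
}

# 2. Certificate: find the thumbprint Lync has assigned as its default certificate
#    and locate that certificate in the machine Personal store.
$assigned = Get-CsCertificate -Type Default | Select-Object -First 1
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $assigned.Thumbprint }
if (-not $cert) {
    Write-Warning "Assigned certificate $($assigned.Thumbprint) not found in LocalMachine\My"
    return
}

# Read the Enhanced Key Usage extension; these OIDs are what the MMC lists as
# "Client Authentication" and "Server Authentication" under Intended Purposes.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

foreach ($pair in @(@("Client Authentication", $ClientAuthOid),
                    @("Server Authentication", $ServerAuthOid))) {
    if ($ekus -contains $pair[1]) {
        Write-Output "$($pair[0]) EKU: present"
    } else {
        Write-Warning "$($pair[0]) EKU missing; request a new certificate with -ClientEku `$true"
    }
}

# 3. Chain: Verify() builds the chain against the local machine stores, so it
#    fails when the CA root has not been imported into Trusted Root CAs.
if ($cert.Verify()) {
    Write-Output "Chain to a trusted root: OK (issuer: $($cert.Issuer))"
} else {
    Write-Warning "Chain does not validate; confirm the CA root certificate is installed"
}
```
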
What to Do Next

Request Signed Certificate from Certificate Authority

Request Signed Certificate from Certificate Authority

To support TLS encryption between IM and Presence and Lync, each Lync server must have a signed security certificate that supports Client Authentication and Server Authentication. The following procedure outlines how to request a newly signed certificate from the Certificate Authority and install it onto a Lync server.

Procedure
Step 1   In the Lync Server Management Shell, enter the following command to request the certificate:

Request-CsCertificate -New -Type Default -Output <filename> -ClientEku $true

Note
If you want to create a specific request for an internal or external certificate, use -Type Internal or -Type External instead of -Type Default.

Step 2   Log in to the Lync server and open a web browser.
Step 3   Open the following URL: http://<ca_server_IP_address>/certsrv (If it is SSL encrypted, use https instead of http.)
Step 4   Select Request a Certificate and then select Advanced Certificate Request.
Step 5   Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or Submit a renewal request by using a base-64-encoded PKCS #7 file.
Step 6   Open the request file you created using a text editor.
Step 7   Copy all of the text from the request file and paste it into the browser in the field Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7):
Step 8   Select Submit.

What to Do Next

Download Certificate from CA Server

Download Certificate from CA Server

Complete the following procedure to download the certificate from the CA server.

Procedure
Step 1   Log in to the CA server.
Step 2   Select Start > Administrative Tools > Certificate Authority to launch the CA console.
Step 3   Select Pending Requests.
Step 4   From the right pane, right-click the certificate request that you submitted and select All Tasks > Issue.
Step 5   Log in to the Lync server and open a web browser.
Step 6   Open the following URL: http://<ca_server_IP_address>/certsrv (If it is SSL encrypted, use https instead of http.)
Step 7   From View the Status of a Pending Certificate Request, select your certificate request.
Step 8   Download the certificate.

What to Do Next

Import Signed Certificate

Import Signed Certificate

Complete the following procedure to import the signed certificate.

Procedure
In the Lync Server Management Shell, enter the following command to import the signed certificate:

Import-CsCertificate -Path "<signed certificate>" -PrivateKeyExportable $false

Note
If the certificate contains a private key, use the -PrivateKeyExportable $true parameter.

What to Do Next

Assign Certificate on Lync

Assign Certificate on Lync

Complete the following procedure to assign the certificate.

Procedure
Step 1   Select Start > Lync Server Deployment Wizard.
Step 2   Select Install or Update Lync Server System.
Step 3   In Step 3: Request, Install or Assign Certificates, select Run Again.
Step 4   On the Certificate Wizard window, select the default certificate.
Step 5   Select Assign.
Step 6   On the Certificate assignment window, select Next.
Step 7   Select the imported certificate in the certificate store window and select Next.
Step 8   In the certificate assignment summary window, select Next.
Step 9   On the executing commands window, wait for the task status to report Completed and then select Finish.
Step 10   Close the certificate wizard window.

What to Do Next

Restart services on Lync servers

Restart services on Lync servers

After you complete all the configuration steps on Lync, you must restart the Lync front-end services to ensure that the configuration takes effect.

Note
• Cisco recommends that you perform this procedure during a scheduled maintenance window.
• For Standard Edition, you must perform this procedure on all Standard Edition servers.
• For Enterprise Edition, you must perform this procedure on all front-end servers.

Procedure
Step 1   Select Start > Programs > Administrative Tools > Services.
Step 2   Right-click the service Lync front end server and select Restart.