Partitioned Intradomain Federation for IM and Presence Service on Cisco Unified Communications Manager Release 9.1(1)
Configuration of IM and Presence Server for Partitioned Intradomain Federation
Download this chapter
Configuration of IM and Presence Server for Partitioned Intradomain FederationConfiguration of IM and Presence Server for Partitioned Intradomain Federation
Download the complete book
Partitioned Intradomain Federation for IM and Presence Service on Cisco Unified Communications Manager Release 9.1(1)Partitioned Intradomain Federation for IM and Presence Service on Cisco Unified Communications Manager Release 9.1(1) (PDF - 4 MB)
 Feedback

Configuration of IM and Presence Server for Partitioned Intradomain Federation

Configure Partitioned Intradomain Federation options

The following procedure describes how to enable Partitioned Intradomain Federation on IM and Presence and select a routing mode.


Note

If you have a multicluster deployment, you must perform this procedure on each cluster. When you enable Partitioned Intradomain Federation or select a routing mode, these settings are enabled cluster-wide; therefore you only need to enable them on the IM and Presence publisher node within any given cluster.

Procedure
    Step 1   Select Cisco Unified CM IM and Presence Administration > Presence > Settings.
    Step 2   Check Enable Partitioned Intradomain Federation with LCS/OCS/Lync.
    Step 3   Read the warning message and select OK.
    Step 4   Select one of the following from the Partitioned Intradomain Federation Routing Mode drop-down list:
    • Select Basic Routing Mode (default) when you have unlicensed IM and Presence Service request recipients within the IM and Presence Service domain. In Basic Routing mode, IM and Presence Service routes requests for these recipients to Lync/OCS/LCS.
    • Select Advanced Routing Mode when you have request recipients within the IM and Presence Service domain who are licensed and have a valid Microsoft Lync or Microsoft Office Communicator SIP address stored in the IM and Presence Service database. Select Advanced Routing only if Cisco Unified Communications Manager synchronizes users from the same Active Directory that Lync/OCS/LCS uses.
      Note   

      The list of users synchronized from Active Directory must include all Microsoft Lync or Microsoft Office Communicator users.

    Step 5   Select Save.
    Step 6   After you enable Partitioned Intradomain Federation or select a routing mode, you must restart the Cisco CP Router on all IM and Presence nodes in the cluster. To restart the Cisco XCP Router, select Cisco Unified IM and Presence Serviceability > Tools > Control Center – Network Services.
    Note   

    You are prompted to restart the SIP proxy when you enable partitioned federation.

    Related References

    Configure static routes

    The following procedure describes how to configure static routes to enable Partitioned Intradomain Federation routing between IM and Presence, Microsoft Lync and Microsoft Live Communications Server (LCS) or Microsoft Office Communications Server (OCS). You must add an individual static route for each Lync/OCS/LCS presence domain. See topics related to IM and Presence Service to Lync\OCS\LCS request routing, and basic and advanced routing modes for more information.

    For the Lync/OCS/LCS presence domain static route, note the following:

    • For Standard Edition Lync/OCS/LCS, the static route must point to the IP address of a specific Standard Edition server.
    • For Enterprise Edition Lync/OCS/LCS:
      • If you are planning to route federation traffic from the IM and Presence cluster through a front-end load balancer, the static route must point to the IP address of that front-end load balancer.
      • If you are planning to route federation traffic from the IM and Presence cluster directly to one of the front-end Lync/OCS/LCS servers, the static route must point to the IP address of that front-end server.

    IM and Presence has been tested with the Cisco Application Control Engine (ACE) as the Lync/OCS/LCS front-end load balancer. Other load balancers can be used in place of ACE; see the following URL for a list of approved load balancers: http:/​/​technet.microsoft.com/​en-us/​office/​ocs/​cc843611. However, it is your responsibility to ensure that those load balancers are deployed and managed correctly.


    Note

    Cisco does not support the configuration of static routes to point to load balancers other than ACE.

    In deployments in which ACE is not the configured front-end load balancer, Cisco recommends that you configure static routes to bypass the front-end load balancer.

    For high availability purposes, you can configure additional backup static routes for each Lync/OCS/LCS presence domain.

    The backup route has a lower priority and is used only if the next hop address of the primary static route is unreachable.


    Note

    If you have a multicluster deployment, you must perform this procedure on each cluster. These settings are cluster-wide; therefore you need to set them only on the IM and Presence publisher node within any given cluster.

    Procedure
      Step 1   Select Cisco Unified CM IM and Presence Administration > Presence > Routing > Static Routes.
      Step 2   Select Add New.
      Step 3   Enter the Destination Pattern value so that the domain is reversed. For example, if the domain is "domaina.com", the Destination Pattern value must be ".com.domaina"
      Step 4   Select domain for the Route Type.
      Step 5   Enter the IP address of the Lync/OCS/LCS server in the Next Hop field.
      Step 6   Set the Next Hop Port and the Protocol Type as follows:
      • For TLS Encryption:
        • Next Hop Port number is 5061
        • Protocol Type is TLS
      • For TCP:
        • Next Hop Port number is 5060
        • Protocol Type is TCP
      Step 7   Enter the Priority value as follows:
      • For primary static routes, enter the default Priority value of 1.
      • For backup static routes, enter a Priority value of greater than 1. (The lower the value, the higher the priority of the static route).
      Step 8   Select the default values for all other parameters.
      Step 9   Select Save.

      Configure Incoming Access Control List

      The following procedure describes how to configure entries in the Incoming Access Control List (ACL) to ensure that Lync/OCS/LCS servers can access the IM and Presence server without authentication.

      How you configure the Incoming ACLs depends on how strictly you wish to control access to IM and Presence:

      • If you wish to allow open access to IM and Presence, you can add an entry with an address pattern of All.
      • If you wish to allow access to IM and Presence from specific network domains, you can add entries with an address pattern matching the specific domain. For example, to allow access from any server within foo.com, enter foo.com as the address pattern.
      • If you wish to allow access to IM and Presence from specific servers, you can add entries with an address pattern matching the specific IP address or FQDN of those servers. For example, to allow access from a specific server, ocs1.foo.com, enter ocs1.foo.com as the address pattern.

      For Partitioned Intradomain Federation, if you decide to restrict access to IM and Presence to OCS FQDNs or IP addresses only, you must add ACL entries for the following entities:

      • Each Lync/OCS/LCS Enterprise Edition front-end or Standard Edition server
      • Each Lync/OCS/LCS pool FQDN (Enterprise Edition only)

      Note

      If you have a multicluster deployment, you must perform this procedure on each cluster. These settings are cluster-wide; therefore you need to set them only on the IM and Presence publisher node within any given cluster.

      Procedure
        Step 1   Select Cisco Unifed CM IM and Presence Administration > System > Security > Incoming ACL.
        Step 2   Select Add New.
        Step 3   In the Description field, enter a description of the entry, for example, OCS Server.
        Step 4   In the Address Pattern field, enter one of the following:
        • All
        • <domain_name>
        • <IP_Address>
        • <FQDN>
        Step 5   Select Save.

        TLS encryption configuration

        You must complete the procedures in this section to configure TLS encryption between IM and Presence and Lync/OCS/LCS. TLS encryption is optional for OCS and LCS servers; however, TLS encryption is mandatory for Partitioned Intradomain Federation with Lync servers.


        Note

        If you have a multicluster deployment, you must perform each of these procedures on each cluster. These settings are cluster-wide; therefore you need to set them only on the IM and Presence publisher node within any given cluster.

        Configure Application Listeners

        IM and Presence performs peer (mutual) TLS authentication on port 5062 by default. You must modify this default setting so that peer TLS authentication takes place on port 5061. The following procedure describes how to make this modification.

        Procedure
          Step 1   Select Cisco Unified CM IM and Presence Administration > System > Application Listeners.
          Step 2   If they are not already displayed, select Find to display all application listeners.
          Step 3   Select Default Cisco SIP Proxy TLS Listener – Server Auth.
          Step 4   Change the Port value to 5063.
          Step 5   Select Save and select OK on the popup window that appears.
          Step 6   From the Related Links drop-down list, select Back to Find/List and select OK to return to the Application Listeners list.
          Step 7   Select Default Cisco SIP Proxy TLS Listener – Peer Auth.
          Step 8   Change the Port value to 5061.
          Step 9   Select Save and select OK on the popup window that appears.
          Step 10   From the Related Links drop-down list, select Back to Find/List and select OK to return to the Application Listeners list.
          Step 11   Select Default Cisco SIP Proxy TLS Listener – Server Auth.
          Step 12   Change the Port value from 5063 to 5062.
          Step 13   Select Save.
          Step 14   Restart the SIP Proxy service on all IM and Presence nodes in the cluster. To restart the SIP Proxy service, select Cisco Unified IM and Presence Serviceability > Tools > Control Center – Feature Services.
          What to Do Next

          Configure TLS Peer Subjects

          Related Information

          Configure TLS Peer Subjects

          For Peer TLS authentication, IM and Presence requires that the Subject Common Name (CN) from the security certificate that is presented by the peer is included in a TLS Peer Subject list.

          Note

          Include only the Subject CN in the TLS Peer Subject list. Do not include Subject Alternative Name (SAN) entries in the TLS Peer Subject list.

          The following procedure describes the steps to add a Subject CN to this list.

          For Partitioned Intradomain Federation, you must add a TLS Peer Subject for the following entities:

          • Each Lync/OCS/LCS Enterprise Edition front-end or Standard Edition server
          • Each Lync/OCS/LCS pool Fully Qualified Domain Name (FQDN) (Enterprise Edition only)
          Procedure
            Step 1   Select Cisco Unified CM IM and Presence Administration > System > Security > TLS Peer Subjects.
            Step 2   Select Add New.
            Step 3   Enter the Peer Subject Name.
            • For a Lync/OCS/LCS Enterprise Edition front-end or Standard Edition server, enter the FQDN of the server.
            • For a Lync/OCS/LCS pool Fully Qualified Domain Name (FQDN), enter the subject CN of the certificate that is presented to IM and Presence.
            Step 4   In the Description field, enter a description of the subject, for example, OCS Server.
            Step 5   Select Save.
            Step 6   Restart the SIP Proxy service on all IM and Presence nodes in the cluster. To restart the SIP Proxy service, select Cisco Unified IM and Presence Serviceability > Tools > Control Center – Feature Services.
            What to Do Next

            Configure Peer Authentication TLS Context

            Related Information

            Configure Peer Authentication TLS Context

            To support TLS encryption between IM and Presence and Lync/OCS/LCS, you must modify Peer Authentication TLS Context configuration on IM and Presence.

            Procedure
              Step 1   Select Cisco Unified CM IM and Presence Administration > System > Security > TLS Context Configuration.
              Step 2   Select Find.
              Step 3   Select Default Cisco SIP Proxy Peer Auth TLS Context.
              Step 4   Ensure that Disable Empty TLS Fragments is unchecked.
              Step 5   From the list of Available TLS Ciphers, select all ciphers.
              Step 6   Select the Move Right arrow to move these cipher selections to the Selected TLS Ciphers list.
              Step 7   From the list of Available TLS Peer Subjects, select the TLS peer subject that you configured in Configure TLS Peer Subjects.
              Step 8   Select the Move Right arrow to move the selected TLS peer subject to the Selected TLS Peer Subjects list.
              Step 9   Select Save.
              Step 10   Restart the SIP Proxy service on all IM and Presence nodes in the cluster. To restart the SIP Proxy service, select Cisco Unified IM and Presence Serviceability > Tools > Control Center – Feature Services.
              What to Do Next

              Import root certificate of Certificate Authority

              Related Information

              Import root certificate of Certificate Authority

              All Lync/OCS/LCS security certificates are generally signed by a Certificate Authority (CA). IM and Presence certificates should also be signed by the same Certificate Authority used by Lync/OCS/LCS. In order for IM and Presence to use a certificate signed by the Lync/OCS/LCS CA, and to accept Lync/OCS/LCS certificates signed by that same CA, the root certificate of the CA must be uploaded into the IM and Presence trust store.

              Before You Begin

              Before importing the root certificate, retrieve the certificate from the certificate authority and copy it to your local computer.

              Procedure
                Step 1   Select Cisco Unified IM and Presence Operating System Administration > Security > Certificate Management on IM and Presence.
                Step 2   Select Upload Certificate.
                Step 3   For the Certificate Name drop-down list, select cup-trust.
                Step 4   Leave the Root Certificate field blank.
                Step 5   In the Description field, enter a description for the certificate, for example, Certificate Authority Root Certificate.
                Step 6   Select Browse to find the root certificate on your local computer.
                Step 7   Select Upload File to upload the certificate to the IM and Presence server.
                Step 8   Restart the SIP Proxy service on all IM and Presence nodes in the cluster. To restart the SIP Proxy service, select Cisco Unified IM and Presence Serviceability > Tools > Control Center – Feature Services.
                What to Do Next

                Request signed certificate from Certificate Authority

                Related Information

                Request signed certificate from Certificate Authority

                IM and Presence certificates should be signed by the same CA used by Lync/OCS/LCS. You must complete the following two-step process to obtain a CA signed certificate:

                1. Generate an IM and Presence Certificate Signing Request (CSR).
                2. Upload the CA signed certificate onto IM and Presence.

                The following procedure describes how to generate and download a CSR from IM and Presence. IM and Presence CSRs are 2048 bit.

                Procedure
                  Step 1   Select Cisco Unified IM and Presence Operating System Administration > Security > Certificate Management on IM and Presence.
                  Step 2   Select Generate CSR.
                  Step 3   From the Certificate Name drop-down list, select cup.
                  Step 4   Select Generate CSR.
                  Step 5   When the Status shows "Success: Certificate Signing Request Generated" select Close.
                  Step 6   Select Download CSR.
                  Step 7   From the Certificate Name drop-down list, select cup.
                  Step 8   Select Download CSR to download the certificate to your local computer.
                  Step 9   After the certificate has downloaded, select Close.
                  Note   

                  After you download the CSR, you can use it to request a signed certificate from your chosen CA. This can be a well-known public CA or an internal CA.

                  What to Do Next

                  Import signed certificate from Certificate Authority

                  Related Information

                  Import signed certificate from Certificate Authority

                  The following procedure describes how to upload the CA signed certificate to IM and Presence.

                  Before You Begin

                  Generate and download a CSR from IM and Presence. See Request signed certificate from Certificate Authority.

                  Procedure
                    Step 1   Select Cisco Unified IM and Presence Operating System Administration > Security > Certificate Management on IM and Presence.
                    Step 2   Select Upload Certificate.
                    Step 3   From the Certificate Name drop-down list, select cup.
                    Step 4   In the Root Certificate field, enter the filename of the CA root certificate that you downloaded in Request signed certificate from Certificate Authority.
                    Step 5   In the Description field, enter a description of the certificate, for example, CA Signed Certificate.
                    Step 6   Select Browse to find the certificate file on your local computer.
                    Step 7   Select Upload File to upload the certificate to the IM and Presence server.
                    Step 8   After the certificate has uploaded, restart the SIP Proxy service on all IM and Presence nodes in the cluster. To restart the SIP Proxy service, select Cisco Unified IM and Presence Serviceability > Tools > Control Center – Feature Services.
                    Related Information

                    Deactivate feature services on Routing IM and Presence Server

                    To ensure that a Routing IM and Presence server has the capacity to handle SIP traffic from Lync/OCS/LCS, you must not assign any users to the Routing IM and Presence server. This means that a number of the IM and Presence feature services that support assigned users can be deactivated on the Routing IM and Presence server. When you deactivate these services, the Routing IM and Presence server will have extra processing capacity to support its SIP routing role. The following procedure describes how to deactivate feature services.

                    Procedure
                      Step 1   Select Cisco Unified IM and Presence Serviceability > Tools > Service Activation.
                      Step 2   From the Server menu, select the Routing IM and Presence server.
                      Step 3   Uncheck each of the following feature services:
                      • Cisco Presence Engine
                      • Cisco XCP Text Conference Manager
                      • Cisco XCP Web Connection Manager
                      • Cisco XCP Connection Manager
                      • Cisco XCP SIP Federation Connection Manager
                      • Cisco XCP XMPP Federation Connection Manager
                      • Cisco XCP Message Archiver
                      • Cisco XCP Directory Service
                      • Cisco XCP Authentication Service
                      Step 4   Select Save.
                      Related References