Integration Guide for Configuring Cisco Unified Presence Release 8.0 and 8.5 for Interdomain Federation
Configuring Interdomain Federation to Microsoft OCS/Lync within an Enterprise

Table Of Contents

Configuring Interdomain Federation to Microsoft OCS/Lync within an Enterprise

How to Configure Static Routes Using TCP for Federation with Microsoft OCS Domain

Configuring a Static Route on Cisco Unified Presence for the OCS Server

Configuring a Static Route on OCS for the Cisco Unified Presence server

Adding a Host Authorization entry for the Cisco Unified Presence server

Enabling Port 5060 on the OCS Server

How to Configure Static Routes Using TLS for Federation with Microsoft OCS Domain

Configuring Static Routes for Interdomain Federation to Microsoft Lync within an Enterprise


Configuring Interdomain Federation to Microsoft OCS/Lync within an Enterprise


November 17, 2011



Note If you configure federation within the enterprise, you must configure a SIP federation domain on Cisco Unified Presence in addition to the static routes. See Adding a SIP Federated Domain.

See Federation and Subdomains for information on federation and subdomains. As long as the OCS domain and the Cisco Unified Presence domain are different, you can configure federation within the enterprise; you do not have to use subdomains, separate domains work equally well.


How to Configure Static Routes Using TCP for Federation with Microsoft OCS Domain

This section describes how to configure static routes using TCP for direct federation between Cisco Unified Presence and Microsoft OCS. Neither the Cisco Adaptive Security Appliance nor the Microsoft Access Edge server is required for this configuration. Note that SIP over TCP is not encrypted; if the IM and presence traffic between the two servers must be protected, use the TLS procedure later in this chapter instead.


Caution The domain portion of the Routing Proxy FQDN parameter value cannot be the same as the Microsoft OCS domain. To view or edit the Routing Proxy FQDN parameter, select Cisco Unified Presence Administration > System > Service Parameters, and select the Cisco UP SIP Proxy service.


Configuring a Static Route on Cisco Unified Presence for the OCS Server

To configure Cisco Unified Presence to use TCP when exchanging IM and presence with a federated Microsoft OCS domain, you must configure a static route on Cisco Unified Presence that points to the OCS server (and not the external edge of Microsoft Access Edge).

You must add an individual static route for each of the following OCS entities:

OCS/Cisco Unified Presence domain

Each OCS Enterprise Edition front-end server or Standard Edition server FQDN

Each OCS pool FQDN (Enterprise Edition only)

The OCS/Cisco Unified Presence domain static route should point to the IP address of a specific OCS Enterprise Edition front-end server or Standard Edition server. If required, the OCS pool FQDN static route should point to a front-end server within that pool.

For high availability purposes, you can configure additional backup static routes for the following:

OCS/Cisco Unified Presence domain

Each OCS pool FQDN (Enterprise Edition only, if bypassing any OCS front-end load balancer)

The backup route has a lower priority and is used only if the next hop address of the primary static route is unreachable.

Procedure


Step 1 Select Cisco Unified Presence Administration > Presence > Routing > Static Routes.

Step 2 Select Add New.

Step 3 Enter the destination pattern value so that the domain, or FQDN, is reversed. For example:

If the domain is domaina.com, the Destination Pattern value must be .com.domaina.

If the FQDN is name1.name2.domain.com, the Destination Pattern value must be .com.domain.name2.name1.

Step 4 Enter the remaining parameters as follows:

The Next Hop value is the OCS FQDN or IP address.

The Next Hop Port number is 5060.

The Route Type value is domain.

The Protocol Type is TCP.

Step 5 Select Save.
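The procedure above has to be repeated once per OCS entity, and again for each backup route. As an added example (not from the Cisco page), the PowerShell below builds that complete list for an OCS deployment, reversing each domain or FQDN into the Destination Pattern form from Step 3, so the rows can be entered through Presence > Routing > Static Routes without hand-reversing names. The OCS names and IP addresses are constructed samples, and the Priority column assumes the Cisco Unified Presence convention that a lower value is the preferred route.

```powershell
# Added example, not from the Cisco page: builds the full list of static routes
# that the procedure above requires on Cisco Unified Presence for a federated
# OCS domain (domain route, one route per front-end/Standard Edition server,
# the pool route for Enterprise Edition, plus backup routes), reversing each
# domain or FQDN into the Destination Pattern form. The OCS names and IP
# addresses are constructed samples; the Priority column assumes the CUP
# convention that a lower value is preferred.

function ConvertTo-CupDestinationPattern {
    # domaina.com -> .com.domaina ; name1.name2.domain.com -> .com.domain.name2.name1
    param([Parameter(Mandatory = $true)][string] $Fqdn)
    $labels = $Fqdn.Trim().TrimEnd('.').ToLowerInvariant().Split('.')
    [array]::Reverse($labels)
    return '.' + ($labels -join '.')
}

function New-CupRouteEntry {
    param([string] $Target, [string] $NextHop, [int] $Port, [string] $Protocol, [int] $Priority)
    [pscustomobject]@{
        DestinationPattern = ConvertTo-CupDestinationPattern -Fqdn $Target
        NextHop            = $NextHop
        NextHopPort        = $Port
        RouteType          = 'domain'
        ProtocolType       = $Protocol
        Priority           = $Priority   # assumption: lower value = preferred route
    }
}

function New-CupOcsStaticRouteList {
    param(
        [Parameter(Mandatory = $true)][string]   $OcsDomain,      # the OCS/Cisco Unified Presence domain
        [Parameter(Mandatory = $true)][string[]] $FrontEndFqdns,  # first entry is the preferred next hop
        [Parameter(Mandatory = $true)][string[]] $FrontEndIps,    # same order as $FrontEndFqdns
        [string] $PoolFqdn,                                       # Enterprise Edition pool FQDN, if any
        [ValidateSet('TCP', 'TLS')][string] $Protocol = 'TCP'
    )
    if ($FrontEndFqdns.Count -ne $FrontEndIps.Count) {
        throw 'FrontEndFqdns and FrontEndIps must have the same number of entries'
    }
    $port   = if ($Protocol -eq 'TLS') { 5061 } else { 5060 }
    $routes = @()

    # Domain route: the primary points at one specific front-end IP; each further
    # front-end becomes a backup route with a lower priority.
    for ($i = 0; $i -lt $FrontEndIps.Count; $i++) {
        $routes += New-CupRouteEntry -Target $OcsDomain -NextHop $FrontEndIps[$i] `
                       -Port $port -Protocol $Protocol -Priority ($i + 1)
    }
    # One route per front-end or Standard Edition server FQDN.
    for ($i = 0; $i -lt $FrontEndFqdns.Count; $i++) {
        $routes += New-CupRouteEntry -Target $FrontEndFqdns[$i] -NextHop $FrontEndIps[$i] `
                       -Port $port -Protocol $Protocol -Priority 1
    }
    # Pool FQDN route (Enterprise Edition only) bypasses the load balancer and
    # points at a front-end in the pool, again with backups.
    if ($PoolFqdn) {
        for ($i = 0; $i -lt $FrontEndIps.Count; $i++) {
            $routes += New-CupRouteEntry -Target $PoolFqdn -NextHop $FrontEndIps[$i] `
                           -Port $port -Protocol $Protocol -Priority ($i + 1)
        }
    }
    return $routes
}

# Constructed sample: an Enterprise Edition pool with two front-end servers.
$routes = New-CupOcsStaticRouteList -OcsDomain 'ocs.example.com' `
              -FrontEndFqdns 'fe1.ocs.example.com', 'fe2.ocs.example.com' `
              -FrontEndIps   '192.0.2.11', '192.0.2.12' `
              -PoolFqdn      'pool1.ocs.example.com' -Protocol TCP
$routes | Format-Table -AutoSize
```

For the sample above this yields six rows: the domain pattern .com.example.ocs with next hop 192.0.2.11 (priority 1) and 192.0.2.12 (priority 2), the two front-end patterns .com.example.ocs.fe1 and .com.example.ocs.fe2 pointing at their own addresses, and the pool pattern .com.example.ocs.pool1 with the same primary/backup pair. Switching -Protocol to TLS changes the port to 5061 for every row, which matches the TLS section later in this chapter.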


What To Do Next

Configuring a Static Route on OCS for the Cisco Unified Presence server.

Configuring a Static Route on OCS for the Cisco Unified Presence server

If you are using direct federation from Cisco Unified Presence to OCS without the Access Edge server or Cisco Adaptive Security Appliance, then you need to configure a static route from OCS to Cisco Unified Presence.

Procedure


Step 1 On the OCS server, click Start > Programs > Administrative Tools > Microsoft Office Communications Server 2007.

Step 2 Right-click on the Front End server.

Step 3 Select Properties > Front End Properties.

Step 4 Click the Routing tab.

Step 5 Click Add.

Step 6 Enter the domain for the Cisco Unified Presence server, for example 'cisco.com'.

Step 7 Enter the IP of the Cisco Unified Presence server for the Next Hop IP address.

Step 8 Select TCP for the Transport value.

Step 9 Enter 5060 for the Port value.

Step 10 Click OK.


What To Do Next

Adding a Host Authorization entry for the Cisco Unified Presence server

Adding a Host Authorization entry for the Cisco Unified Presence server

Procedure


Step 1 Click the Host Authorization tab on OCS.

Step 2 Click Add.

Step 3 Identify the Cisco Unified Presence server in the same way that the static route on OCS identifies its next hop: select IP and enter the IP address of the Cisco Unified Presence server if the static route specifies the next hop by IP address, or select FQDN and enter its FQDN if the static route specifies the next hop by FQDN.

Step 4 Check Throttle as Server.

Step 5 Check Treat as Authenticated. Because this setting makes OCS accept the identities asserted in SIP messages from this host without further authentication, add an entry only for the Cisco Unified Presence server that the static route points to.


Note Do not check Outbound Only.


Step 6 Click OK.


Enabling Port 5060 on the OCS Server

Procedure


Step 1 On the OCS server, select Start > Programs > Administrative Tools > Microsoft Office Communications Server 2007.

Step 2 Right-click on the FQDN of Front End server.

Step 3 Select Properties > Front End Properties.

Step 4 Click the General tab.

Step 5 If port 5060 is not listed under Connections, select Add.

Step 6 Configure port 5060 as follows:

Select All as the IP Address value.

Select 5060 as the Port value.

Select TCP as the Transport value.

Step 7 Select OK.


How to Configure Static Routes Using TLS for Federation with Microsoft OCS Domain


Configure a static route on Cisco Unified Presence for OCS

Use the procedure Configuring a Static Route on Cisco Unified Presence for the OCS Server as a guide.

When you configure the static route on Cisco Unified Presence, select the protocol type TLS, and make sure that the static route points to port 5061.

Configure a static route on OCS for Cisco Unified Presence

Use the procedure Configuring a Static Route on OCS for the Cisco Unified Presence server as a guide.

When you configure the static route on OCS, select the protocol type TLS, and make sure that the static route points to port 5061 (the default is 5062).


Note When using TLS with static routes on OCS, you must specify the FQDN of the Cisco Unified Presence server, rather than an IP address.


On Cisco Unified Presence, verify that the Peer Auth Listener port matches the port that the OCS static route points to (5061). Select Cisco Unified Presence Administration > System > Application Listeners and check that the Peer Auth Listener port is 5061. You can set the Server Auth Listener port to 5062.

Configure a host authorization entry for the Cisco Unified Presence FQDN

Use the procedure Adding a Host Authorization entry for the Cisco Unified Presence server as a guide.

Configure the certificates on OCS

To retrieve the CA root certificate and the OCS signed certificate, follow these procedures, applying them to the OCS server (rather than the Access Edge server):

Downloading the CA Certification Chain

Installing the CA Certification Chain

Requesting a Certificate from the CA Server

Downloading the Certificate from the CA Server

In the OCS Front End Server Properties ensure the TLS listener for port 5061 on OCS is configured. (The transport can be MTLS or TLS).

From the OCS Front End Server Properties, select the Certificates tab, and click Select Certificate to select the OCS signed certificate.

Configure OCS to use FIPS (TLSv1 rather than SSLv3), and import the CA root certificate.

1. Open the Local Security Settings on OCS.

2. In the console tree, select Local Policies.

3. Select Security Options.

4. Double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

5. Enable the security setting.

6. Select OK.


Note You may need to restart OCS for this to take effect.


7. Import the CA root certificate for the CA that signs the Cisco Unified Presence certificate. Import the CA root certificate in to the trust store on OCS using the certificate snap-in.

Configure the certificates on Cisco Unified Presence

On Cisco Unified Presence, upload the root certificate for the CA that signs the OCS certificate. Note the following:

Upload the certificate as a 'cup-trust' certificate.

Leave the 'Root Certificate' field blank.

Use the procedure Importing the Self Signed Certificate onto Cisco Unified Presence as a guide for uploading a certificate to Cisco Unified Presence.

Generate a CSR for Cisco Unified Presence so that the Cisco Unified Presence certificate can be signed by a CA. Upload the CSR to the CA that will sign your certificate.

When you have retrieved the CA-signed certificate and the CA root certificate, upload the CA-signed certificate and the root certificate to Cisco Unified Presence. Note the following:

Upload the root certificate as a 'cup-trust' certificate.

Upload the CA-signed Cisco Unified Presence certificate as a 'cup' certificate, and specify the root certificate .pem file as the root certificate.

Add a TLS Peer subject on Cisco Unified Presence for the OCS server. Follow these steps Creating a new TLS Peer Subject to create the peer subject for the OCS server. Use the FQDN of the OCS server.

Add the TLS Peer to the Selected TLS Peer Subjects list. Follow these steps Adding the TLS Peer to the Selected TLS Peer Subjects List to add the TLS Peer to the Selected TLS Peer Subjects list. Note the following:

Make sure that the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher is selected for the TLS Context Configuration.

Make sure that you disable empty TLS fragments.
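Once the FIPS setting, the CA root import on OCS and the certificate uploads on Cisco Unified Presence are done, a practitioner will want to confirm that the OCS side actually trusts the Cisco Unified Presence certificate before relying on the TLS static route. The following is an added check (not from the Cisco page) to run in Windows PowerShell on the OCS server: it reads the FIPS policy, looks for the CA root in the machine trust store, and performs a TLSv1 handshake to the Cisco Unified Presence TLS listener on 5061 using the same .NET validation that rejects an untrusted chain or a name mismatch. The CUP FQDN, the CA subject CN, the optional thumbprint of the OCS signed certificate and the registry locations are assumptions stated in the code.

```powershell
# Added check, not from the Cisco page: run in Windows PowerShell on the OCS
# server after the certificate steps above to confirm that FIPS policy is on,
# that the CA root which signs the Cisco Unified Presence certificate is in
# the machine trust store, and that a TLSv1 handshake to the Cisco Unified
# Presence listener on 5061 completes with a chain this machine trusts.
# The CUP FQDN, CA subject CN and the optional OCS certificate thumbprint
# are assumed sample values.
param(
    [string] $CupFqdn           = 'cupserverPub.sip.com',
    [int]    $CupTlsPort        = 5061,
    [string] $CaSubjectCn       = 'Example Root CA',
    [string] $OcsCertThumbprint = ''     # thumbprint of the OCS signed certificate, for mutual TLS
)

# 1. FIPS policy. Windows Server 2008 and later keep it under
#    Lsa\FipsAlgorithmPolicy\Enabled; Server 2003 kept the DWORD directly under Lsa.
$fips = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -ErrorAction SilentlyContinue).Enabled
if ($null -eq $fips) {
    $fips = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).FIPSAlgorithmPolicy
}
'FIPS policy enabled: {0}' -f ($fips -eq 1)

# 2. CA root present in the LocalMachine Root store (step 7 above).
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$CaSubjectCn*" }
'CA root "{0}" in trust store: {1}' -f $CaSubjectCn, [bool]$root

# 3. TLSv1-only handshake to the CUP listener (FIPS mode leaves TLSv1, not SSLv3).
#    Default SslStream validation rejects an untrusted chain or a certificate
#    name that does not match $CupFqdn, which is what OCS would also reject.
$clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
if ($OcsCertThumbprint) {
    # Present the OCS signed certificate so the CUP Peer Auth listener can authenticate us.
    $clientCerts.Add((Get-Item "Cert:\LocalMachine\My\$OcsCertThumbprint")) | Out-Null
}
$tcp = New-Object System.Net.Sockets.TcpClient($CupFqdn, $CupTlsPort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($CupFqdn, $clientCerts,
        [System.Security.Authentication.SslProtocols]::Tls, $true)
    $peer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    'Handshake OK: protocol={0} cipher={1} subject={2} issuer={3}' -f `
        $ssl.SslProtocol, $ssl.CipherAlgorithm, $peer.Subject, $peer.Issuer
} catch {
    # An untrusted chain, a name mismatch, or a listener that refuses the
    # offered ciphers all surface here.
    'Handshake FAILED: {0}' -f $_.Exception.GetBaseException().Message
} finally {
    $tcp.Close()
}
```

A successful run reports TripleDes as the cipher, which corresponds to the TLS_RSA_WITH_3DES_EDE_CBC_SHA entry that must be selected in the TLS Context Configuration on Cisco Unified Presence, and an issuer equal to the CA root imported in step 7. A failure with an untrusted-chain message means the root was imported into the wrong store or the wrong CA signed the Cisco Unified Presence certificate; a name-mismatch failure means the FQDN used in the OCS static route does not match the certificate subject.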


Configuring Static Routes for Interdomain Federation to Microsoft Lync within an Enterprise

This procedure uses the following sample configuration parameters:

Cisco Unified Presence Server FQDN (routing Cisco Unified Presence node): cupserverPub.sip.com


Note Ensure the FQDN can resolve to the correct IP address.


Cisco Unified Presence Server IP Address (routing Cisco Unified Presence node): 10.53.57.10

Cisco Unified Presence Server TCP port: 5060


Note The TCP port value must match that configured under Cisco Unified Presence Administration > System > Application Listeners > Default Cisco SIP Proxy TCP Listener.


Cisco Unified Presence Server TLS port: 5062


Note The TLS port value must match that configured under Cisco Unified Presence Administration > System > Application Listeners > Default Cisco SIP Proxy TLS Listener - Peer Auth.


Cisco Unified Presence Server domain: sip.com

Lync Registrar server: lyncserver.lync.net

For more information about configuring static routes for Interdomain Federation to Microsoft Lync within an enterprise, see http://technet.microsoft.com/en-us/library/gg558664.aspx


Define a TCP/TLS route

Note You must create a static route to the Cisco Unified Presence routing node only. It is not necessary to create static routes to subscriber nodes, nor any intercluster peer nodes even if your Cisco Unified Presence deployment has multiple clusters.

1. Sign into a computer where Lync Server Management Shell is installed. You must sign in as a member of the RTCUniversalServerAdmins group or a role-based access control (RBAC) role to which you have assigned the New-CsStaticRoute cmdlet.

2. Select Start > All Programs > Microsoft Lync Server 2010 > Lync Server Management Shell.

3. For TLS, enter the following command:

$tlsRoute = New-CsStaticRoute -TLSRoute -Destination <FQDN of 
Cisco Unified Presence routing node> -Port <listening port of 
Cisco Unified Presence routing node> -usedefaultcertificate $true 
-MatchUri <destination domain>

Example:

$tlsRoute = New-CsStaticRoute -TLSRoute -Destination cupserverPub.sip.com -Port 5062 -usedefaultcertificate $true -MatchUri sip.com


Note To match child domains of a domain you can specify a wildcard value in the MatchUri parameter, for example, *.sip.com. That value matches any domain that ends with the suffix sip.com.


If you set -UseDefaultCertificate to $false, you must specify the TLSCertIssuer and TLSCertSerialNumber parameters. These indicate the name of the certification authority (CA) that issued the certificate used in the static route and the serial number of that TLS certificate, respectively. See the Lync Server Management Shell help for more information about these parameters.

4. For TCP, enter the following command:

$tcpRoute = New-CsStaticRoute -TCPRoute -Destination <IP address or 
FQDN of Cisco Unified Presence routing node> -Port <SIP listening port 
of Cisco Unified Presence routing node> -MatchUri <destination domain>

Example:

$tcpRoute = New-CsStaticRoute -TCPRoute -Destination 10.53.57.10 -Port 5060 -MatchUri sip.com

Persist the route

Note This step is only necessary for the routing node.

1. To persist a newly created static route in the Central Management store, run one of the following:

For TLS:

Set-CsStaticRoutingConfiguration -Route @{Add=$tlsRoute}

For TCP:

Set-CsStaticRoutingConfiguration -Route @{Add=$tcpRoute}

2. To verify that the command was successful, enter

Get-CsStaticRoutingConfiguration

Create trusted application server pool

Note You must create a trusted application server pool for all Cisco Unified Presence nodes, including the routing Cisco Unified Presence node.

1. Enter the following command to obtain the Site ID:

Get-CsSite

2. For TLS, enter the following command:

New-CsTrustedApplicationPool -Identity <FQDN of Cisco Unified Presence 
node> [-Registrar <Service ID or FQDN of the next hop>] -Site <Site ID 
for the site where you want to create the trusted application pool> 
-TreatAsAuthenticated $true -ThrottleAsServer $true

Example:

New-CsTrustedApplicationPool -Identity cupserverPub.sip.com -Registrar lyncserver.lync.net -Site co1 -TreatAsAuthenticated $true -ThrottleAsServer $true

3. For TCP, enter the following command:

New-CsTrustedApplicationPool -Identity <IP address of 
Cisco Unified Presence node> [-Registrar <Service ID or FQDN of the 
next hop>] -Site <Site ID for the site where you want to create the 
trusted application pool> -TreatAsAuthenticated $true -ThrottleAsServer 
$true

Example:

New-CsTrustedApplicationPool -Identity 10.53.57.10 -Registrar lyncserver.lync.net -Site co1 -TreatAsAuthenticated $true -ThrottleAsServer $true

Add application servers to the created pool

Note You must add application servers to the created pool for all Cisco Unified Presence nodes, including the routing Cisco Unified Presence node.

1. For TLS, enter the following command:

New-CsTrustedApplication -ApplicationID <application name> 
-TrustedApplicationPoolFqdn <FQDN of Cisco Unified Presence node> 
-Port <SIP listening port of Cisco Unified Presence node>

Example:

New-CsTrustedApplication -ApplicationID cupPub1 -TrustedApplicationPoolFqdn cupserverPub.sip.com -Port 5062

2. For TCP, enter the following command:

New-CsTrustedApplication -ApplicationID <application name> 
-TrustedApplicationPoolFqdn <IP Address of Cisco Unified Presence 
node> -Port <listening port of Cisco Unified Presence node> -EnableTcp

Example:

New-CsTrustedApplication -ApplicationID cupPub1 -TrustedApplicationPoolFqdn 10.53.57.10 -Port 5060 -EnableTcp

Enable the topology

1. Before you enable the topology, ensure that you have completed the following:

a. Define a TCP/TLS route for the routing Cisco Unified Presence node.

b. Persist the new static route for the routing Cisco Unified Presence node.

c. Create a trusted application server pool for all Cisco Unified Presence nodes.

d. Add application servers to the created pool for all Cisco Unified Presence nodes.

2. Enter the following command to implement the changes you have made to the topology:

Enable-CsTopology

Define Gateway IP Address

Note This step applies only to TCP.

1. Sign into the computer where Topology Builder is installed. You must sign in as a member of the Domain Admins group and the RTCUniversalServerAdmins group.

2. Select Start > All Programs > Microsoft Lync Server 2010 > Lync Server Topology Builder

3. Select the option to download an existing topology.

4. Expand the Trusted applications servers node.

5. Right-click the trusted application pool that you created and select Edit Properties.

6. Uncheck Enable replication of configuration data to this pool.

7. Select Limit service usage to selected IP addresses and ensure that it is set to Use all configured IP addresses.

8. In the Primary IP address field, enter the IP address of the SIP gateway.

9. To update the topology in the Central Management store, in the console tree, select Lync Server 2010 and from the Actions pane, select Publish.
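The Lync steps above are normally typed one at a time; as an added example (not from the Cisco page or from Microsoft's documentation), the following Lync Server Management Shell script performs the route, persist, pool, application and Enable-CsTopology steps for one Cisco Unified Presence routing node in either transport and checks each result before moving on, so a half-applied topology is not left behind. It uses the page's sample values (cupserverPub.sip.com, 10.53.57.10, sip.com, lyncserver.lync.net, site co1, application cupPub1) as defaults. Two things are assumptions: that the site ID passed to -Site is the one reported by Get-CsSite for your deployment, and that -RequiresReplication $false on New-CsTrustedApplicationPool is equivalent to unchecking Enable replication of configuration data to this pool in Topology Builder, which the page performs by hand for TCP.

```powershell
# Added example, not from the Cisco page: one Lync Server Management Shell
# script that performs the Define route / Persist / Create pool / Add
# application / Enable topology steps above for a single Cisco Unified
# Presence routing node, then verifies the result. Defaults are the page's
# own sample values; the site ID and the -RequiresReplication mapping to the
# Topology Builder checkbox are assumptions.
param(
    [ValidateSet('TLS', 'TCP')] [string] $Transport = 'TLS',
    [string] $CupFqdn       = 'cupserverPub.sip.com',
    [string] $CupIp         = '10.53.57.10',
    [int]    $TlsPort       = 5062,   # must match the Peer Auth TLS listener on CUP
    [int]    $TcpPort       = 5060,   # must match the TCP listener on CUP
    [string] $CupDomain     = 'sip.com',
    [string] $LyncRegistrar = 'lyncserver.lync.net',
    [string] $SiteId        = 'co1',  # assumption: take the real value from Get-CsSite
    [string] $ApplicationId = 'cupPub1'
)

$ErrorActionPreference = 'Stop'
Import-Module Lync

# 1. Define the route. A TLS route must target the FQDN, because Lync checks
#    it against the certificate CUP presents; -UseDefaultCertificate belongs to
#    the -TLSRoute parameter set only and must not appear on the TCP route.
if ($Transport -eq 'TLS') {
    $destination = $CupFqdn
    $port        = $TlsPort
    $route = New-CsStaticRoute -TLSRoute -Destination $destination -Port $port `
                 -UseDefaultCertificate $true -MatchUri $CupDomain
} else {
    $destination = $CupIp
    $port        = $TcpPort
    $route = New-CsStaticRoute -TCPRoute -Destination $destination -Port $port `
                 -MatchUri $CupDomain
}

# 2. Persist the route in the Central Management store (routing node only)
#    and confirm it is really there before building on it.
Set-CsStaticRoutingConfiguration -Identity Global -Route @{Add = $route}
$stored = (Get-CsStaticRoutingConfiguration -Identity Global).Route |
          Where-Object { $_.MatchUri -eq $CupDomain }
if (-not $stored) { throw "Static route for $CupDomain was not persisted" }

# 3. Trusted application pool. Identity is the FQDN for TLS and the IP for TCP,
#    matching the route destination. TreatAsAuthenticated/ThrottleAsServer
#    mirror the OCS host-authorization settings earlier on the page, so the
#    pool must contain only the CUP node the route points to.
$poolArgs = @{
    Identity             = $destination
    Registrar            = $LyncRegistrar
    Site                 = $SiteId
    TreatAsAuthenticated = $true
    ThrottleAsServer     = $true
}
if ($Transport -eq 'TCP') {
    # Assumed equivalent of unchecking "Enable replication of configuration
    # data to this pool" in Topology Builder (the page's TCP-only step).
    $poolArgs['RequiresReplication'] = $false
}
New-CsTrustedApplicationPool @poolArgs

# 4. Trusted application on the pool. -EnableTcp is a switch, so it is set
#    through the splatted hashtable rather than given a $true argument.
$appArgs = @{
    ApplicationId              = $ApplicationId
    TrustedApplicationPoolFqdn = $destination
    Port                       = $port
}
if ($Transport -eq 'TCP') { $appArgs['EnableTcp'] = $true }
New-CsTrustedApplication @appArgs

# 5. Publish the topology change.
Enable-CsTopology

# 6. Verify: the application must exist on the pool with the expected port.
$app = Get-CsTrustedApplication | Where-Object {
    $_.TrustedApplicationPoolFqdn -eq $destination -and $_.Port -eq $port
}
if (-not $app) { throw "Trusted application $ApplicationId not found on $destination" }
Write-Host "Route, pool and application for $CupDomain via ${destination}:${port} ($Transport) configured."
```

Run it as .\Configure-CupRoute.ps1 -Transport TLS (or -Transport TCP) from an account in RTCUniversalServerAdmins, as the page requires for New-CsStaticRoute. For a multi-cluster deployment, run the pool and application steps (3 and 4) once per additional Cisco Unified Presence node, but the route and persist steps (1 and 2) only for the routing node, as the notes above state. For TCP, the Primary IP address step in Topology Builder still has to be completed by hand.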