Configure Microsoft Live Communications Server for Partitioned Intradomain Federation
• Enable Port 5060 on the LCS Server
• Configure LCS Static Route to Point to Cisco Unified Presence
• Add Host Authorization on LCS for Cisco Unified Presence
• Restart Services on LCS Servers
• Configure TLS Encryption
Enable Port 5060 on the LCS Server
If you want to use unencrypted TCP connections for SIP traffic between Cisco Unified Presence and Microsoft Live Communications Server (LCS), then LCS must be configured to listen on TCP SIP port 5060. The following procedure describes how to enable port 5060 on LCS servers.
Note
• For Standard Edition, you must perform this procedure on all Standard Edition servers.
• For Enterprise Edition, you must perform this procedure on all front-end servers.
Procedure
Step 1: Select Start > Programs > Administrative Tools > Live Communications Server 2005.
Step 2: Right-click the FQDN of the Standard Edition server or Enterprise Edition front-end server and select Properties.
Step 3: Click the General tab.
Step 4: If port 5060 is not listed under Connections, select Add.
Step 5: Select All available IP Addresses.
Step 6: Select TCP as the Transport Value.
Step 7: Select 5060 as the Port Value and select OK to close the Add Connection window. Port 5060 should now be listed under the Connections list.
Step 8: Select OK to close the Properties window.
Related Topic
Troubleshooting Partitioned Intradomain Federation
What To Do Next
Configure LCS Static Route to Point to Cisco Unified Presence
Configure LCS Static Route to Point to Cisco Unified Presence
To allow LCS to route requests to Cisco Unified Presence, you must configure a static route on LCS servers. The static route points to a Cisco Unified Presence server. The following procedure describes how to configure the required static route.
Note
• For Standard Edition, you must perform this procedure on all Standard Edition servers.
• For Enterprise Edition, you must perform this procedure on all pools.
Procedure
Step 1: Select Start > Programs > Administrative Tools > Live Communications Server 2005.
Step 2: Right-click the Enterprise Edition pool name or Standard Edition server name, as appropriate.
Step 3: Select Properties.
Step 4: Select the Routing tab and select Add.
Step 5: Enter * (asterisk) as the User value.
Step 6: Enter the domain of the Cisco Unified Presence server, for example, foo.com.
Step 7: Ensure that Phone URI is unchecked.
Step 8: If you are entering an FQDN, select Network Address and enter the FQDN of the Cisco Unified Presence server. For example, cup1.foo.com.
Step 9: If you are entering an IP address, select IP Address and enter the IP address of the Cisco Unified Presence server. For example, 10.x.x.x.
Step 10: Select TCP for the Transport value.
Step 11: Enter 5060 for the Port value.
Step 12: Ensure that Replace host in request URI is unchecked and select OK. The new static route should appear in the Routing list.
Step 13: Select OK to close the Properties window.
Related Topic
Troubleshooting Partitioned Intradomain Federation
What To Do Next
Add Host Authorization on LCS for Cisco Unified Presence
Add Host Authorization on LCS for Cisco Unified Presence
To allow LCS to accept SIP requests from Cisco Unified Presence without being prompted for authorization, you must configure host authorization entries on LCS for each Cisco Unified Presence server.
If you are configuring TLS encryption between LCS and Cisco Unified Presence, you must add two host authorization entries for each Cisco Unified Presence server, as follows:
• The first entry must contain the FQDN of the Cisco Unified Presence server.
• The second entry must contain the IP address of the Cisco Unified Presence server.
If you are not configuring TLS encryption, you add only one host authorization entry for each Cisco Unified Presence server. This host authorization entry must contain the IP address of the Cisco Unified Presence server.
The following procedure describes how to add the required host authorization entries.
Note
• For Standard Edition, you must perform this procedure on all Standard Edition servers.
• For Enterprise Edition, you must perform this procedure on all pools.
Procedure
Step 1: Select Start > Programs > Administrative Tools > Live Communications Server 2005.
Step 2: Right-click the Enterprise Edition pool name or Standard Edition server name, as appropriate.
Step 3: Select Properties.
Step 4: Select the Host Authorization tab and select Add.
Step 5: If you are entering an FQDN, select Network Address and enter the FQDN of the Cisco Unified Presence server. For example, cup1.foo.com.
Step 6: If you are entering an IP address, select IP Address and enter the IP address of the Cisco Unified Presence server. For example, 10.x.x.x.
Step 7: Ensure that Outbound Only is unchecked.
Step 8: Check Throttle as Server.
Step 9: Check Treat as Authenticated.
Step 10: Select OK to close the Add Authorized Host window.
Step 11: Repeat Step 4 to Step 10 for each Cisco Unified Presence server.
Step 12: After you enter all the Host Authorization entries, select OK to close the Properties window.
Related Topic
Troubleshooting Partitioned Intradomain Federation
What To Do Next
Restart Services on LCS Servers
Restart Services on LCS Servers
After you complete all the configuration steps on LCS, you must restart the LCS services to ensure that the configuration takes effect.
Note
• Cisco recommends that you perform this procedure during a scheduled maintenance window.
• For Standard Edition, you must perform this procedure on all Standard Edition servers.
• For Enterprise Edition, you must perform this procedure on all front-end servers.
Procedure
Step 1: Select Start > Programs > Administrative Tools > Live Communications Server 2005.
Step 2: Right-click the FQDN of the Standard Edition server or Enterprise Edition front-end server and select Stop.
Step 3: After the services stop, right-click the FQDN of the Standard Edition server or Enterprise Edition front-end server and select Start.
Related Topic
Troubleshooting Partitioned Intradomain Federation
Configure TLS Encryption
You must complete the following procedures to configure TLS encryption between Cisco Unified Presence and LCS:
• Enable Federal Information Processing Standard Compliance on LCS
• Configure Mutual TLS Authentication on LCS
• Install Certificate Authority Root Certificates on LCS
• Validate Existing LCS Signed Certificate
• Request Signed Certificate from Certificate Authority
After the TLS configuration is complete, you must restart services on the LCS servers; see Restart Services on LCS Servers.
Enable Federal Information Processing Standard Compliance on LCS
To support TLS encryption between Cisco Unified Presence and LCS, you must enable TLSv1 on LCS servers. TLSv1 is included as part of the Federal Information Processing Standard (FIPS) compliance on Windows servers. The following procedure describes how to enable FIPS compliance.
Note
• For Standard Edition, you must perform this procedure on all Standard Edition servers.
• For Enterprise Edition, you must perform this procedure on all front-end servers.
Procedure
Step 1: On the LCS server, select Start > Programs > Administrative Tools > Local Security Policy.
Step 2: From the console tree, select Local Policies.
Step 3: Select Security Options.
Step 4: Double-click System Cryptography: Use FIPS Compliant algorithms for encryption, hashing and signing.
Step 5: Enable the security setting.
Step 6: Select OK.
Step 7: Close the Local Security Settings window.
Related Topic
Troubleshooting Partitioned Intradomain Federation
What To Do Next
Configure Mutual TLS Authentication on LCS
Configure Mutual TLS Authentication on LCS
To configure TLS encryption between Cisco Unified Presence and LCS, you must configure port 5061 on the LCS servers for Mutual TLS authentication. The following procedure describes how to configure port 5061 for Mutual TLS authentication.
Note
• For Standard Edition, you must perform this procedure on all Standard Edition servers.
• For Enterprise Edition, you must perform this procedure on all front-end servers.
Procedure
Step 1: Select Start > Programs > Administrative Tools > Live Communications Server 2005.
Step 2: Right-click the FQDN of the Standard Edition server or Enterprise front-end server and select Properties.
Step 3: Select the General tab.
Step 4: If the Transport associated with Port 5061 is Mutual TLS, go to Step 8.
Step 5: If the Transport associated with Port 5061 is not Mutual TLS, select Edit.
Step 6: Check Authenticate remote server (Mutual TLS).
Step 7: Select OK to close the Edit Connection window. The Transport associated with Port 5061 should now be Mutual TLS.
Step 8: Select OK to close the Properties window.
Related Topic
Troubleshooting Partitioned Intradomain Federation
What To Do Next
Install Certificate Authority Root Certificates on LCS
Install Certificate Authority Root Certificates on LCS
To support TLS encryption between Cisco Unified Presence and LCS, each LCS server must have a signed security certificate. This signed certificate, along with the root certificate of the Certificate Authority (CA) that signed the certificate, must be installed on each LCS server.
Cisco recommends that LCS and Cisco Unified Presence servers share the same CA. If not, the root certificate of the CA that signed the Cisco Unified Presence certificates must also be installed on each LCS server.
Generally, the root certificate of the LCS CA is already installed on each LCS server. Therefore, if LCS and Cisco Unified Presence share the same CA, there may be no need to install a root certificate. However, if a root certificate is required, see the following details.
If you are using Microsoft Certificate Authority, refer to the following procedures in the Integration Guide for Configuring Cisco Unified Presence for Interdomain Federation for information about installing the root certificate from the Microsoft Certificate Authority onto LCS:
• Downloading the CA Certification Chain
• Installing the CA Certification Chain
If you are using an alternative CA, the following procedure is a generic procedure for installing root certificates onto LCS servers. The procedure for downloading the root certificate from the CA differs depending on your chosen CA.
Before You Begin
Download the root certificate or certificate chain from your CA and save it to the hard disk of your LCS server.
Procedure
Step 1: On your LCS server, select Start > Run.
Step 2: Enter mmc and select OK.
Step 3: From the File menu, select Add/Remove Snap-in.
Step 4: In the Add/Remove Snap-in dialog box, select Add.
Step 5: From the list of Available Standalone Snap-ins, select Certificates and select Add.
Step 6: Select Computer Account and select Next.
Step 7: In the Select Computer dialog box, check <Local Computer> (the computer this console is running on) and select Finish.
Step 8: Select Close, and then OK.
Step 9: In the left pane of the Certificates console, expand Certificates (Local Computer).
Step 10: Expand Trusted Root Certification Authorities.
Step 11: Right-click Certificates and select All Tasks.
Step 12: Select Import.
Step 13: In the Import Wizard, select Next.
Step 14: Select Browse and navigate to where you saved the root certificate or certificate chain.
Step 15: Select the file and select Open.
Step 16: Select Next.
Step 17: Leave the default value Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears under the Certificate store.
Step 18: Select Next and Finish.
Step 19: Repeat Step 11 to Step 18 as necessary for other CAs.
Related Topics
• Integration Guide for Configuring Cisco Unified Presence for Interdomain Federation: http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html
Note
The Integration Guide for Configuring Cisco Unified Presence for Interdomain Federation document refers to the Access Edge Server. For Partitioned Intradomain Federation, you can replace references to the Access Edge Server with LCS Standard Edition server or Enterprise Edition front-end server.
• Troubleshooting Partitioned Intradomain Federation
What To Do Next
Validate Existing LCS Signed Certificate
Validate Existing LCS Signed Certificate
To support TLS encryption between Cisco Unified Presence and LCS, each LCS server must have a signed security certificate that supports Client Authentication. If a signed certificate is already installed on the LCS server, the following procedure describes how to check if that existing signed certificate supports Client Authentication.
Note
• For Standard Edition, you must perform this procedure on all Standard Edition servers.
• For Enterprise Edition, you must perform this procedure on all front-end servers.
Procedure
Step 1: On your LCS server, select Start > Run.
Step 2: Enter mmc and select OK.
Step 3: From the File menu, select Add/Remove Snap-in.
Step 4: From the Add/Remove Snap-in dialog box, select Add.
Step 5: From the list of Available Standalone Snap-ins, select Certificates and select Add.
Step 6: Select Computer Account and select Next.
Step 7: In the Select Computer dialog box, check <Local Computer> (the computer this console is running on) and select Finish.
Step 8: Select Close, and then OK.
Step 9: In the left pane of the Certificates console, expand Certificates (Local Computer).
Step 10: Expand Personal and select Certificates.
Step 11: Find the signed certificate that is currently used by LCS in the right pane.
Step 12: Ensure that Client Authentication is listed in the Intended Purposes column.
Related Topic
Troubleshooting Partitioned Intradomain Federation
What To Do Next
Request Signed Certificate from Certificate Authority
Request Signed Certificate from Certificate Authority
This section describes the following procedures:
• Install Signed Certificate on LCS Server
• Select Installed Certificate for TLS Negotiation
Note
The procedures in this section are necessary only if no signed certificate exists on an LCS server or the existing certificate does not support Client Authentication.
To support TLS encryption between Cisco Unified Presence and LCS, each LCS server must have a signed security certificate that supports Client Authentication. If that is not the case on any LCS server, the following procedures outline how to request a newly signed certificate from the Certificate Authority and install it onto that specific LCS server.
The Subject Common Name (CN) used in Certificate Signing Requests (CSR) from LCS differs depending on LCS deployment:
• For Standard Edition servers, use the FQDN of the Standard Edition server as the Subject CN.
• For Enterprise Edition front-end servers, use the FQDN of the pool to which the front-end server belongs as the Subject CN.
Standalone Microsoft Certificate Authority
If you are using a Standalone Microsoft Certificate Authority, see the following procedures in the Integration Guide for Configuring Cisco Unified Presence for Interdomain Federation to request a signed certificate from the CA for the LCS server:
• Requesting a Certificate from the CA Server
• Downloading the Certificate from the CA Server
Note
You can find the Integration Guide for Configuring Cisco Unified Presence for Interdomain Federation here: http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html
This document refers to the Access Edge Server. For Partitioned Intradomain Federation, you can replace references to the Access Edge Server with LCS Standard Edition server or Enterprise Edition front-end server.
Enterprise Microsoft Certificate Authority
If you are using an Enterprise Microsoft Certificate Authority, see the following procedures in the Integration Guide for Configuring Cisco Unified Presence for Interdomain Federation to generate the required template on the CA and request a signed certificate from the CA for the LCS server:
• Creating a Custom Certificate for Access Edge Using an Enterprise Certificate Authority
• Requesting the Site Server Signing Certificate
Alternative Certificate Authority
If you are using an alternative CA, the following is a generic procedure for installing signed certificates onto LCS servers. The procedure for requesting a signed certificate differs depending on your chosen CA.
Install Signed Certificate on LCS Server
Before You Begin
Download the signed certificate from your CA and save it to the hard disk of your LCS server.
Procedure
Step 1: On your LCS server, select Start > Run.
Step 2: Enter mmc and select OK.
Step 3: From the File menu, select Add/Remove Snap-in.
Step 4: From the Add/Remove Snap-in dialog box, select Add.
Step 5: From the list of Available Standalone Snap-ins, select Certificates and select Add.
Step 6: Select Computer Account and select Next.
Step 7: In the Select Computer dialog box, check <Local Computer> (the computer this console is running on) and select Finish.
Step 8: Select Close, and then OK.
Step 9: In the left pane of the Certificates console, expand Certificates (Local Computer).
Step 10: Expand Personal.
Step 11: Right-click Certificates and select All Tasks.
Step 12: Select Import.
Step 13: In the Import Wizard, select Next.
Step 14: Select Browse and navigate to where you saved the signed certificate.
Step 15: Select the file and select Open.
Step 16: Select Next.
Step 17: Leave the default value Place all certificates in the following store and ensure that Personal appears under the Certificate store.
Step 18: Select Next and Finish.
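The checks from Validate Existing LCS Signed Certificate (Client Authentication purpose), the Subject CN rule, and the root certificate installation can be run together against the Personal store once the import is done. The following PowerShell script is an added example, not part of the Cisco guide; the function name Test-LcsCertificate and the -ExpectedCN placeholder are assumptions, and it assumes PowerShell 2.0 or later is installed on the LCS server.

```powershell
# Added example (not from the Cisco guide): audit the Local Computer > Personal
# store for a certificate LCS can present for Mutual TLS on port 5061.
param(
    # Assumption: pass the Standard Edition server FQDN, or the pool FQDN for an
    # Enterprise Edition front-end server. The default is a placeholder.
    [string]$ExpectedCN = 'lcs1.foo.com'
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (RFC 5280)

function Test-LcsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedCN
    )
    # SimpleName returns the Subject CN when the subject has one.
    $cn = $Cert.GetNameInfo('SimpleName', $false)

    # A certificate without an EKU extension is unrestricted (MMC shows <All>).
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) {
        $hits = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
        $clientAuth = $hits.Count -gt 0
    } else {
        $clientAuth = $true
    }

    # The chain must end at a CA in Trusted Root Certification Authorities.
    # Revocation lookups are skipped so the check also runs offline; Build()
    # still fails for an expired or not-yet-valid certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)

    $cnOk = $cn -eq $ExpectedCN          # string -eq is case-insensitive
    New-Object PSObject -Property @{
        Usable     = ($cnOk -and $clientAuth -and $chainOk -and $Cert.HasPrivateKey)
        SubjectCN  = $cn
        CNMatches  = $cnOk
        ClientAuth = $clientAuth
        ChainOk    = $chainOk
        PrivateKey = $Cert.HasPrivateKey
        NotAfter   = $Cert.NotAfter
        Thumbprint = $Cert.Thumbprint
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LcsCertificate -Cert $_ -ExpectedCN $ExpectedCN } |
    Select-Object Usable, SubjectCN, CNMatches, ClientAuth, ChainOk, PrivateKey, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

A row with PrivateKey = False means the store holds the certificate without its key, so LCS cannot use it in TLS negotiation; a row with ChainOk = False points back to the root certificate installation procedure.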
Related Topic
Troubleshooting Partitioned Intradomain Federation
What To Do Next
Select Installed Certificate for TLS Negotiation
Select Installed Certificate for TLS Negotiation
Regardless of which CA is used, after the signed certificate is installed onto the LCS server, you must perform the following procedure to select the installed certificate for use by LCS in TLS negotiation with Cisco Unified Presence.
Procedure
Step 1: Select Start > Programs > Administrative Tools > Live Communications Server 2005.
Step 2: Right-click the FQDN of the Standard Edition server or Enterprise Edition front-end server and select Properties.
Step 3: Select the Security tab and select Select Certificate.
Step 4: From the list of installed certificates, select the newly signed certificate and select OK to close the Select Certificate window.
Step 5: Select OK to close the Properties window.
Related Topic
Troubleshooting Partitioned Intradomain Federation
What To Do Next
Restart Services on LCS Servers